- The paper introduces a hash-linked evidence graph that cryptographically binds benchmark results to their full measurement history, ensuring tamper-evidence.
- It employs device-calibrated probabilistic verification—using techniques like Freivalds' check—to detect and repair errors in linear and nonlinear benchmarks.
- The methodology enables efficient, independent auditing with linear-time checks while bridging verifiable computation and reproducibility standards.
Self-Verifying Measurement Records for Hardware Benchmarking: Hash-Linked Evidence Graphs
The credibility of hardware benchmarking is fundamentally limited by a lack of auditability and verification. Conventional reporting of performance numbers relies on the implicit trust that results are neither misreported nor affected by undetected silent hardware errors. Studies indicate that approximately 0.1% of CPU cores in production environments exhibit silent arithmetic errors, with accelerators equally affected. This paper directly addresses the absence of self-verifying, tamper-evident records for hardware measurements by introducing a cryptographically bound evidence model: every benchmark number is bound, via its content hash, to its full measurement and verification history. The objective is to enable downstream readers to reconstruct, verify, and audit measurements with no trust in the original producer, using only an archived record.
Hash-Linked Evidence Graph Construction
Central to the approach is the evidence graph, a directed acyclic structure wherein each node—measurement observation, reduction, claim, document—has an identifier derived from its SHA-256 hash over a canonical encoding. This structure binds values to measurement and verification stages through explicit hash links, forming a content-addressed transparency log analogous to those used in certificate transparency and tamper-evident logging. This not only ensures tamper-evidence but also enables verification in linear time over the archive size without access to original hardware or environment.
(Figure 1)
Figure 1: The hash-linked evidence graph structure forms the backbone for measurement and verification; each arrow encodes a content hash, ensuring tamper-evident tracking of claims and provenance.
Offline audits follow a deterministic sequence of hash checks and recomputation of pure reductions, guaranteeing that any unauthorized modification or inconsistency in the record is detected unless one finds a preimage or collision in SHA-256, an assertion backed by the practical collision resistance of the underlying hash function.
Probabilistic and Calibrated Verification of Linear Quantities
For linear algebraic operators such as matrix multiplication—a common kernel in benchmarking—the verification mechanism leverages the Freivalds identity check: For AB=C and a random probe X, the residual ρ(C)=∥A(BX)−CX∥∞/(∥CX∥∞+ε), computed in a higher-precision domain, detects incorrect products with probability 1−2−k over k probes. The critical improvement is the device-calibrated acceptance tolerance derived not from abstract floating point error bounds, but from empirical measurement of the minimum observed residual (the "residual floor") for each device, kernel, and precision.
This tolerance is explicitly calibrated by the largest correct-run residual at each shape and precision, making the detection power robust to both real arithmetic errors and legitimate low-precision effects. Verification is multi-staged, recording acquisition, witnessing, decision, and corrective recomputation in the evidence graph, enabling fine-grained post-hoc diagnosis and repair.
Key numerical results are provided: e.g., the detection threshold is 6.06×10−4 for FP16 at n=8192, and injected single-bit corruption or intentionally reduced precision (e.g., FP8 vs. FP16) are unambiguously flagged, repaired, and re-verified. The detection probability and error rates are mathematically guaranteed under these calibration schemes.
Verifying Nonlinear and Non-Associative Quantities
Benchmarks not amenable to simple identity checks (e.g., fused attention, atomic accumulations) receive a hybrid treatment. When run-to-run outputs differ due to inherent nondeterminism, the record encodes a measured reproducibility margin (bit-stable, bounded-divergence) as the validation criterion. For operations such as attention, an algebraic check is constructed around the softmax normalization and decomposition into two matrix products, validated in float32. Importantly, the evidence record demonstrates that algebraic checks detect injected consistent faults that would be invisible to reproducibility-only policies.
Device Validation, Portability, and Cross-Device Corroboration
Validation is further generalized across hardware by measuring cross-device residual floors, output agreement, and device-specific performance deltas. Two Blackwell-class accelerators are shown to agree to the last bit for deterministic kernels but diverge in throughput by a fixed, configuration-dependent proportion. Out-of-sample validation on RTX 5090 and RTX PRO 6000 Server shows class boundaries and residual floors invariant within a 1.26× range, even when throughput shifts significantly due to power and memory differences.
Benchmarks across various workload classes (dense GEMM, memory streaming, reductions, atomics, attention) are classified according to both performance and numerics: performance classes ({S1}: bounded, {S2}: clock-tracking), and numerical classes ({S0}: bit-stable, {Snd}: bounded divergence). This classification is empirically supported via observed run-to-run variability and clock/throughput correlations.

Figure 2: Throughput as a function of SM clock reveals flatness for bounded (S1) workloads and clock-slope dependence for clock-tracking (S2) workloads.
The mapping empirically confirms that numerically stable classes remain so under device and configuration changes, while clock-tracking throughput is inherently untransferable. Residual floors are measured at ≈2×10−4 (FP16), ≈1.7×10−3 (BF16/FP8), and are robust across thermal and stress testing.
Security and Threat Model
The adversary model encompasses malicious producers, hardware faults, and probe-aware adversaries. The record resists tampering, split-view (equivocation), and impersonation by virtue of hash-linking, cross-device cosignatures, and challenge-response attestation (deriving probes from Fiat-Shamir transforms over outputs). The regular use of committed seeds introduces an attack surface: an adversary targeting the nullspace of a committed probe can hide errors, but this is decisively closed by output-dependent (Fiat-Shamir) probes.
A coordinated fault across multiple devices is only blocked by employing a unique, output-derived probe on each witness, underscoring the limitations of redundancy in the face of adversarial collusion. The physical fault model is investigated—thermal soaking and power viruses on the latest NVIDIA GPUs yield no silent errors, asserting the practical integrity boundary to either defective devices or privileged attackers (e.g., management-plane or hardware root-of-trust breach).
Archive, Audit, and Reproducibility
The complete archive structure consists of the document sources, 240 observations, reduction results, verification transcripts, the evidence graph, a cross-device report, and manifest hashes. The archive can be fully audited with a single pass, using only standard software tools. Device-independent re-verification is feasible by regenerating inputs from seeds, tolerating floating-point noise via the calibrated acceptance threshold.
Computational scaling is considered—full audits are O(N) but claim-level checks are X0 via Merkle inclusion paths. For massive-scale jobs, sublinear interactive proofs are acknowledged, and integration is outlined for future work.
Implications and Future Directions
This methodology formalizes a cryptographic and operational framework for making hardware benchmark records self-verifiable, tamper-evident, and independently auditable. The strong empirical grounding of device-calibrated tolerances, together with algebraic guards and reproducibility metrics, enables precision benchmarking on accelerators—robust against honest mistakes and active subversion up to the boundary of privileged access or hardware compromise. The archival and chain-of-trust model provides a foundation for transferability and re-verification, as increasingly required by regulatory, security, and reproducibility standards (e.g., the EU AI Act).
Theoretically, this work bridges the gap between algorithm-based fault-tolerance, verifiable computation, and scientific repeatability. Practically, it delineates explicit trust boundaries and highlights the limitations of redundancy and reproducibility when adversaries are present.
Anticipated future developments include (1) integration with secure enclaves and hardware attestation for more robust witness guarantees, (2) expansion to cover more complex (especially stochastic) workloads, and (3) leveraging interactive proofs for verifying even longer computations at reasonable cost. The approach provides a minimum bar for evidence standards in hardware benchmarking and sets the expectation for future high-assurance reporting.
Conclusion
The proposed hash-linked evidence graph, with content-hash binding, device-calibrated probabilistic verification, and complete, linearly auditable archives, establishes a new foundation for self-verifying hardware benchmark reporting. The approach provides both rigorous soundness guarantees for linear claims and practical mechanisms for covering the full range of hardware workloads. The techniques generalize across architectures, support independent validation, and are robust against both accidental error and motivated adversaries, bounded only by fundamental cryptographic and hardware trust assumptions.