The increasing compute demands of AI systems have led to the emergence of services that train models on behalf of clients lacking necessary resources. However, ensuring correctness of training and guarding against potential training-time attacks, such as data poisoning and backdoors, poses challenges. Existing works on verifiable training largely fall into two classes: proof-based systems, which are difficult to scale, and "optimistic" methods that consider a third-party auditor who can replicate the training process and contest the trainer. A key challenge with the latter is that nondeterminism between GPU types during training prevents exact replication of the training process, resulting in schemes that are non-robust. We propose a method that combines training in a higher precision than the target, rounding after intermediate computations, and sharing rounding decisions based on an adaptive thresholding procedure, to successfully control for nondeterminism. Across three different NVIDIA GPUs (A40, Titan XP, RTX 2080 Ti), we achieve exact training replication at FP32 precision for both full-training and fine-tuning of ResNet-50 (23M) and GPT-2 (117M) models. Our verifiable training scheme significantly decreases the storage and time costs compared to proof-based systems, and is publicly released at https://github.com/meghabyte/verifiable-training.
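The rounding-and-logging idea in the abstract, as an added sketch that is not code from the paper or its repository: intermediates are computed in FP64 (an assumed choice of higher precision), rounded to FP32, and the trainer records the rounding direction only when a value lies close to an FP32 rounding boundary. The fixed threshold `TAU`, the function names and the sample values are assumptions; the paper's thresholding is adaptive.

```python
import struct

TAU = 2.0 ** -10  # assumed fixed threshold, as a fraction of the FP32 gap

def to_fp32(x):
    """Round an FP64 value to the nearest FP32 value."""
    return struct.unpack("<f", struct.pack("<f", x))[0]

def fp32_bracket(x):
    """Adjacent FP32 values (lo, hi) with lo <= x < hi, for finite nonzero x."""
    r = to_fp32(x)
    bits = struct.unpack("<I", struct.pack("<f", r))[0]
    step = 1 if r > 0 else -1  # adjacent bit patterns are adjacent floats
    up = struct.unpack("<f", struct.pack("<I", bits + step))[0]
    down = struct.unpack("<f", struct.pack("<I", bits - step))[0]
    return (r, up) if r <= x else (down, r)

def train(intermediates, tau=TAU):
    """Trainer: round each intermediate and log the direction of risky roundings."""
    out, log = [], {}
    for i, x in enumerate(intermediates):
        lo, hi = fp32_bracket(x)
        r = to_fp32(x)
        # Near the midpoint, device-level noise could flip the rounding.
        if abs(x - (lo + hi) / 2.0) < tau * (hi - lo):
            log[i] = (r == hi)  # True means the trainer rounded up
        out.append(r)
    return out, log

def audit(intermediates, log):
    """Auditor: recompute on other hardware, following logged decisions."""
    out = []
    for i, x in enumerate(intermediates):
        if i in log:
            lo, hi = fp32_bracket(x)
            out.append(hi if log[i] else lo)
        else:
            out.append(to_fp32(x))
    return out

# Constructed intermediates: the same computation on two devices, differing
# only by tiny FP64 noise. Index 1 straddles the boundary 1 + 2**-24.
MID = 1.0 + 2.0 ** -24
TRAINER = [1.0 + 2.0 ** -26, MID + 2.0 ** -40, 3.0 - 2.0 ** -30]
AUDITOR = [1.0 + 2.0 ** -26 + 2.0 ** -40, MID - 2.0 ** -40,
           3.0 - 2.0 ** -30 + 2.0 ** -45]

if __name__ == "__main__":
    rounded, decisions = train(TRAINER)
    print("logged decisions:", decisions)
    print("match with log:", audit(AUDITOR, decisions) == rounded)
    print("match without log:", audit(AUDITOR, {}) == rounded)
```

Only one of the three roundings needs to be shared here, which is why logging by threshold costs far less storage than recording every intermediate value.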