Part 2 of "Actually, hardware noise is useful for AI governance and verification". Here I go into the issue of "But now you need to use/match the prover's hardware, so how can you trust your replay device?".
Short answer: You don't.
TLDR of the idea: Use both a trusted (noisy) and an untrusted (precise) replay device (“TRD” and “URD”, respectively). Use the TRD to reduce the attack surface for communication with the untrusted device. Then give the URD only the claimed inputs, and make sure there are only controlled information channels in and out of that device. A network tap on that controlled channel compares the replay with the Prover’s claimed outputs, without revealing sensitive secrets to the Verifier. The URD never knows what output the Prover claimed!