To address correctness verification of ML programs—such as LLM inference, fine-tuning, and training—in untrusted computing environments, this paper proposes Verde, an arbitration-based delegated verification framework. Methodologically, Verde introduces (1) the first efficient cryptographic dispute arbitration protocol tailored to ML computation graphs, enabling lightweight and verifiable delegated execution; (2) RepOps, a hardware-agnostic, reproducible operator library that eliminates cross-platform non-determinism via deterministic floating-point control and standardized implementations; and (3) an integrated refereed delegation scheme with bit-level result verification, achieving strong correctness guarantees at low verification overhead. Experiments demonstrate that Verde ensures end-to-end bit-level output consistency across heterogeneous hardware, significantly enhancing robustness and trustworthiness in multi-vendor settings.

Machine learning programs, such as those performing inference, fine-tuning, and training of LLMs, are commonly delegated to untrusted compute providers. To provide correctness guarantees for the client, we propose adapting the cryptographic notion of refereed delegation to the machine learning setting. This approach enables a computationally limited client to delegate a program to multiple untrusted compute providers, with a guarantee of obtaining the correct result if at least one of them is honest. Refereed delegation of ML programs poses two technical hurdles: (1) an arbitration protocol to resolve disputes when compute providers disagree on the output, and (2) the ability to bitwise reproduce ML programs across different hardware setups, For (1), we design Verde, a dispute arbitration protocol that efficiently handles the large scale and graph-based computational model of modern ML programs. For (2), we build RepOps (Reproducible Operators), a library that eliminates hardware"non-determinism"by controlling the order of floating point operations performed on all hardware. Our implementation shows that refereed delegation achieves both strong guarantees for clients and practical overheads for compute providers.