Unprivileged Topology Certificates for Cloud GPU Attestation

Computer Science > Cryptography and Security [Submitted on 22 Jun 2026] Unprivileged Topology Certificates for Cloud GPU Attestation Faruk Alpay, Taylan Alpay Cloud GPU tenants receive a model name and a region, but cannot directly inspect the physical accelerator that runs their job. We present a software-only attestation primitive for this setting. A CUDA probe measures an SM-by-memory-region latency matrix using physical SM labels and dependent global loads. A streaming reducer commits sufficient statistics, configuration, code hashes, network evidence, and a compressed raw data archive into a certificate that a verifier can check without a GPU. The certificate supports three claims. First, the per-SM latency map is a stable physical fingerprint. Over a six-hour full-load RTX 5090 run, its median temporal jitter is 0.09 cycles, while shape-only leave-one-out classification separates distinct Blackwell dies with 100.0% accuracy. Second, cache-bypassing HBM sweeps recover hardware-class topology across generations, including a unified Volta V100 memory domain, a two-way Hopper H200 L2 split, and a Blackwell B200 two-die NV-HBI package whose 74/74 SM partition carries a 30-cycle, 15.5 ns cross-die penalty. Third, public network landmarks bind the same certificate to a coarse location. In the B200 run, 169 RIPE Atlas probes place the server within 44 km of its claimed datacentre and reject all 11 decoy sites. Together, these measurements check cloud-GPU identity, class, and coarse location without privileged access or a vendor key. Comments: 12 pages, 2 figures, 4 tables. Source package includes code, certificates, JSON summaries, and a lossless SQLite ancillary payload for the full raw data tree with SHA-256 manifest Subjects: Cryptography and Security (cs.CR); Hardware Architecture (cs.AR) MSC classes: 68M25, 68M20, 68M10 Cite as: arXiv:2606.24934 [cs.CR]   (or arXiv:2606.24934v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2606.24934 Focus to learn more Submission history From: Taylan Alpay [view email] [v1] Mon, 22 Jun 2026 11:33:12 UTC (16,407 KB) Access Paper: HTML (experimental) view license Ancillary files (details): Makefile README.md artifact_manifest.json certificates/latest_stability_certificate.json config/b200_nv_hbi.json (52 additional files not shown) Current browse context: cs.CR < prev   |   next > new | recent | 2026-06 Change to browse by: cs cs.AR References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)