Most proof about AI stops at the software edge. You can show the prompt, the response, and a signature over both. That is real and useful. But it does not answer a harder question that matters in high-assurance settings: did this output really come from the model you think, running on hardware you can trust, and not from something quietly swapped underneath?
S2S, short for silicon-to-signature, is the tier that reaches down toward the hardware to close that gap. The name says the goal: carry a chain of evidence from the silicon all the way to a signature anyone can check.
What S2S is for
S2S is a compute-side, hardware-adjacent attestation tier. In plain terms, it is the part of the proof stack that lives next to the compute and, where the hardware supports it, binds an inference receipt to independent, silicon-rooted attestation. The aim is that a verifier can check, offline, that a specific output came from a specific model, at a specific setting, on a specific genuine and uncompromised GPU, in unbroken order.
The key phrase is where the hardware supports it. This kind of attestation depends on a GPU that can run in a confidential-computing mode and produce its own trustworthy evidence. S2S is designed to bind to that evidence when it is present. It does not invent hardware trust where none exists.
How it works: from hardware evidence to a signature
The idea is a chain, where each link ties to the one before it so the whole thing cannot be quietly rearranged:
- Start from hardware evidence. The GPU's confidential-computing mode produces attestation evidence about its own state. S2S binds the actual evidence bytes, not a simple yes or no flag, so the proof reflects what was really measured.
- Fix the compute state. The hardware state and its evidence define an attestation window. Every inference served under that state belongs to the same window.
- Chain each inference. Each inference is linked to the hardware evidence and to the previous link, so the order is fixed and a missing or reordered step is visible.
- Sign it independently. The result is signed with ML-DSA-65 (FIPS 204), a post-quantum signature, so the attestation can be verified on its own without trusting the operator.
Because the binding is over the real evidence and the chain, the classic trick of swapping the model or the hardware underneath a good-looking log is exactly what this tier is built to catch.
What S2S does not claim
This is the part that keeps the tier trustworthy. S2S does not claim universal silicon integration, and it does not claim hardware-rooted proof in production where that is not yet real. A simulated attestation is labeled as simulated. A real hardware receipt is only earned when the tests pass against genuine confidential-computing hardware, not before. The honesty is the feature: a proof tier that overstates its hardware roots would be worse than none, because it would invite trust it has not earned.
It is also worth saying what S2S is not trying to be. It does not judge whether an answer is correct, and it is not a general safety layer. It answers one narrow, valuable question about origin: did this output come from the hardware and model it claims.
Why this matters for buyers
Compute-side attestation is a high-assurance tier, and it earns its place in specific situations:
- Regulated or safety-critical inference, where "trust our infrastructure" is not an acceptable answer and origin has to be independently checkable.
- Multi-party or outsourced compute, where the party running the model is not the party that needs to trust the result.
- Model-swap and tamper concerns, where the risk is not a bad answer but a quietly substituted model or compromised device.
For most everyday work, a software-level receipt is the right and proportional amount of proof. S2S is the tier you reach for when the stakes justify tying the proof to the silicon itself. That choice is exactly the kind of thing a judgment layer like Carnac can make automatically, calling the heavier attestation only when the consequence is high enough to warrant it.
Software proof shows what was asked and answered. S2S aims to show what ran it, down to the specific, genuine GPU, and to say so only when real hardware backs the claim.
S2S is one primitive in the wider Hive Canon, the family of proof tools that scale from a light software receipt up to hardware-rooted attestation. It fits the same principle that runs through all of them: the proof is in the provenance, and the strongest provenance can be traced all the way back to the machine.
Explore the five bindings behind silicon-to-signature, the honest status of what is built versus pending, and how S2S fits the rest of the proof stack.