Introduction and Related Work#
Large language models have made rapid progress in mathematical reasoning, yet reliably verifying their solutions remains difficult. A generated solution may arrive at the correct answer through invalid reasoning, such as an algebraic error hidden inside a long derivation. When a verifier is used as a reward model, these weaknesses can become profitable strategies rather than rare evaluation errors.
Existing verification methods generally rely on either final-answer checking against ground truth or learned evaluation models. Rule-based verifiers provide objective rewards when answers have canonical forms, but they can reject mathematically equivalent answers expressed in unfamiliar formats. Model-based verifiers are more flexible, yet recent evidence has shown that they can be exploited by adversarially constructed responses. In reinforcement learning, a policy can discover and amplify these weaknesses, causing reward to increase without a corresponding improvement in mathematical correctness.
Prover–verifier games provide a natural framework for studying this problem. Prior work formulates verification as a game in which a computationally powerful prover attempts to persuade a weaker verifier, with the goal of learning a protocol in which useful information remains checkable. This framework was later extended to language-model reasoning by training helpful and sneaky prover roles against a smaller verifier. These results showed that adversarial training can improve the legibility of helpful solutions to weaker evaluators, although it also exposes a trade-off between correctness optimization and checkability.
The analysis of three-agent prover–verifier games separates the honest prover, dishonest prover, and verifier into independent players. It identifies a particular sequential structure in which the verifier must commit before a problem-specific adversary selects an attack. Under this pointwise-audit order, an unsound verifier can be punished whenever the adversary identifies a realizable message on which the verifier fails.
The analysis also identifies two failure modes that become central in language-model implementations:
- Off-path slack allows the verifier to remain incorrect on messages that are never generated during training.
- Weak adversarial responses may hide verifier failures even when those failures exist.
Directly applying the finite-game results to language models is not straightforward. In the theoretical game, the dishonest prover can compute an exact best response over a finite message set. In natural language, however, the message space is effectively unbounded, and an LLM attacker explores only a small subset through sampling or search. The absence of a successful attack therefore does not establish verifier soundness; it may only indicate that the current attacker is too weak to find an existing failure.
In addition, alternating between one attacker and one verifier can create non-transitive training dynamics. The verifier may fix the most recent exploit while forgetting earlier ones, while the attacker may overfit to incidental properties of a single verifier checkpoint.
"Strategies"#
In a finite game, a strategy is a complete rule that specifies what a player could do in every situation it might encounter. For a prover, this can be written as where is an instance or math problem and is the proposed message from and . These are the honest and dishonest provers respectively. For the verifier player, the strategy is a function which evaluates a solution for a problem . For smaller games, these functions are written as explicit tables. An LLM cannot enumerate its response to every possible question asked and proof. Its strategy is represented by a collection of components where
- represents the model weights or models
- represents the system prompt
- represents search algorithms
- represents the functions available to the model (via
tool-useormcp's)
Different fine-tuned models can represent different strategies. The same base model can implement distinct strategies through different LoRA adapters, system prompts, tools access, sampling temperatures, beam search, tree search, rl policies, etc. For example, one strategy could specialize in generating short formal lean proofs, while other searches for algebraic errors.
Formulation Families and Importance of Information#
The family is determined almost by the relative order of only Nature, , and . There are possible orders of , , and .
| Relative order | Family |
|---|---|
| Informed verifier | |
| Informed verifier | |
| Informed verifier | |
| No audit | |
| Blind audit | |
| Pointwise audit | |
| The soundness is determined mainly by the formulations above instead of . However, there are equivalence classes. There is a distinction when Nature reveals . This creates: |
- A blind verifier commits to one model before the problem is sampled, but that model still evaluates
- An informed verifier is allowed to choose a different base verifier strategy after learning .
- A blind dishonest prover commits to one attacker model that works over the whole problem distribution.
- An informed dishonest prover can choose a separate attacker strategy after seeing the particular problem.
| Family | Core order | Does commit before ? | Does know when choosing its strategy? | Sufficiency |
|---|---|---|---|---|
| Informed verifier | Varies | Varies | No | |
| No audit | No | No | No | |
| Blind audit | Yes | No | Yes under A1 and A2 | |
| Pointwise audit | Yes | Yes | Yes under A1 | |
| A1: The assumption that there is at least one sound verifier | ||||
| A2: Every best-response policy of the blind dishonest prover exposes some verifier error with positive probability |
Informed Verifier Family#
There are formulations in this family that are classified with an informed verifier ( before ). The trivial verifier failure occurs because the verifier is correct as it knows the branch, not because it checks the message.
The branch-contingent behavior may look like one correct function after being glued together, but the assumption is that it required one fixed sound base verifier to be selected across all branches.
No Audit Family#
The dishonest prover commits before the verifier and the verifier is still blind when it commits Both provers choose their policy before the verifier. The verifier observes those commitments and then chooses its own policy. The failure mode is off path slack. Equilibrium tests the message that were sent thus soundness also needs to test messages that could potentially be sent.
The dishonest prover moved first. It cannot observe that the verifier selected . The verifier effectively sees the test before choosing how to behave. It can be correct on the known test while remaining incorrect elsewhere.
Blind Audit#
The defining order here is the verifier commits before the dishonest prover but both commit before Nature reveals the problem The verifier commits first relative to the dishonest prover. The dishonest prover sees the verifier, but it must select one global policy before learning which problem will be sampled. Unlike the no-audit family, sees the committed verifier. Therefore it can optimize one global attack policy against that verifier. If every best-response policy exposes some verifier error, an unsound verifier receives positive loss, while a sound verifier receives zero.
A2 is necessary because a blind attacker optimizes expected performance across the entire distribution. A verifier may have a weaknesses on one problem, but the attack's global objective may be dominated by another problem. Multiple policies may then tie, including:
- a policy that exposes the weakness
- a policy that hides it
Pointwise Audit Family#
The defining order is that the verifier commits first, then Nature reveals the problem, and only then does the dishonest prover choose its strategy The verifier commits without knowing which problems will be sampled, After the problem is revealed, the dishonest prover sees the problem and the. committed verifier. Suppose the verifier is unsound. Then there exists at least one exact pair such that . Once is revealed, the dishonest prover can choose the particular realizable message that exposes the error. It is not required to make one global trade off across all problem. It separately attacks the verifier at each point . w
Motivation#
Traditional verifier training follows the steps of:
- Collect correct and incorrect solutions
- Label each solution
- Fine-tune a classifier
- Evaluate on a held-out set The main weakness to this training pipeline is that incorrect solutions are chosen from a fixed distribution. They may not expose the verifiers current failure modes. Suppose a verifier learns to reject algebraic errors. Suppose a verifier learns to reject common arithmetic mistakes. Its validation accuracy improves, but it may still fail on other patterns:
- an invalid cancellation hidden inside a long derivation
- a false theorem stated confidently
- a missing boundary condition
- an extraneous solution introduced by squaring
- a correct numerical answer supported by incorrect reasoning
- a proof that changes notation midway through
- an argument that repeats the question’s assumptions as if they were conclusions. A static generator may continue producing mistakes the verifier already knows how to detect. Training then spends compute reinforcing solved cases rather than discovering new weaknesses. Thus, adversarial training is targeting a non-static distribution of attacks . As the verifier fixes one failure mode, the attacking player searches for another. the verifier remains fixed while the attacker searches. Otherwise the attacker would face a moving verifier that is evaluated incorrectly.
Training Example#
Given three LLMs, we have a honest prover, dishonest prover, and verifier, respectively:
- which produces a correct mathematical argument
- which produces a misleading mathematical argument to trick the verifier to choose a wrong answer
- that reads the question and proof, then predicts the answer:
- For a binary problem, it might output meaning the verifier assigns probability to answer . Given an instance : "How many four-digit positive integers have digits whose sum is 18?" For the binary verifier setup, define: The honest prover will provide the message
"""
Let the four digits be a, b, c, and d, where a is the thousands digit.
We require a + b + c + d = 18, with 1 ≤ a ≤ 9 and 0 ≤ b,c,d ≤ 9. Set x = a - 1. Then x + b + c + d = 17, where 0 ≤ x ≤ 8 and 0 ≤ b,c,d ≤ 9. Ignoring the upper bounds, stars and bars gives C(20,3) = 1140 nonnegative solutions. Now subtract the invalid solutions. If x ≥ 9, set x' = x - 9. Then x' + b + c + d = 8, giving C(11,3) = 165 solutions. If one of b,c,d is at least 10, subtract 10 from that variable. For each
of the three variables, the remaining sum is 7, giving C(10,3) = 120 solutions. No two variables can simultaneously violate their bounds, since the minimum required total would exceed 17. Therefore the number of valid integers is 1140 - 165 - 3(120) = 615.
The answer is 615.
"""
The dishonest prover will give me a similar message misleading the verifier .
1) Freeze Current Verifier#
The point-wise audit formulation game is played where
- the verifier commits
- Nature reveals
- and respond and commit their messages At the beginning of each round copy the current verifier during the attack the weights cannot change. This is basically equivalent to the Verifier committing to its policy. The dishonest prover will attack the fixed target. Otherwise the Verifier could change while the attack is being generated.
2) Sample math problem and generate proofs#
Sample a math problem from a curated data set that has human-verified solutions. The ground truth is important because the current verifier itself cannot be trusted to label its own training data. The honest and dishonest prover will both generate its messages and . In this specific game formulation, the dishonest prover knows:
- the instance
- the answer it wants the verifier to choose
- how the frozen verifier scores candidate proofs This can be used to generate candidate attacks. Each of these attacks tries to maximize the binary entropy loss for the dishonest prover part in which equals . When many responses are chosen, the objective is The theorem assumes that the dishonest prover always chooses the best response. Using samples does not guarantee this. separating this theoretically, we try to approximate the best response by:
- generating candidate solutions
- scoring them with the frozen verifier
- filtering candidates using the ground truth checker
- choosing the incorrect candidate that fools the verifier, the most these different attack strategies can use a wide range of strategies like beam search, best of sampling, Monte Carlo tree search, RL, evolutionary search, repeated rewriting, etc.
Additionally, we need to verify that or any that which is being used is not establishing a true result. We want to ensure that the model does not generate a message that is correct. This would make the loss inaccurate.
3) Verifier Loss Calculations#
the honest poover must predict the true label on both messages. The verifier loss is The verifier is unfrozen and trained with a strategy, for example, using gradient descent
3.1) Reward Modeling for Other Players#
The dishonest prover can be trained so it gets better at finding weaknesses. The reward could be this could be updated using learning policies like PPO, rejection sampling, fine-tuning, DPO, etc. A complete reward could look like: The honest prover could be awarded for obtaining the correct answer, giving a valid derivation and avoiding unsupported steps. It often starts with SFT on verified solutions before adversary training begins. The theoretical game assumes a best-responding honest prover. A real attacker only performs approximate searching, thus it fails to find an attack that does not prove the verifier is sound. This could mean that the verifier has no exploitable error or that this honest prover was too weak to find them. Attack strength is important.