ASDP-based Customized Model Poisoning Attack
- The paper introduces ACuMPA, which leverages a delayed share disclosure to craft customized adversarial gradients that mislead selected victim participants.
- ACuMPA uses the Adaptive Share Delay Provision strategy to observe round information before generating malicious updates that bypass local VSS verification.
- Empirical results on MNIST, CIFAR-10, and Fashion-MNIST show that ACuMPA degrades model accuracy and slows convergence, while mitigation via EByFTVeS restores near-baseline performance.
ASDP-based Customized Model Poisoning Attack (ACuMPA) is a malicious training attack introduced in the context of verifiable secret-sharing-based distributed privacy-preserving machine learning (DPML). It exploits a timing weakness in ordinary VSS-based DPML systems: participants typically verify shares locally, but the protocol does not force all dealers to publish their commitments and shares within a fixed, globally enforced time window. Built on the Adaptive Share Delay Provision (ASDP) strategy, ACuMPA enables a malicious dealer to delay publication, observe sufficient round information, and then craft a share or gradient tailored to a chosen victim participant or subset of victims. The resulting share can still pass local verification while steering the victim’s model update in a harmful direction, including under conditions designed to evade cosine-similarity-based checks or norm-based filters (Li et al., 16 Sep 2025).
1. Definition and relation to Adaptive Share Delay Provision
The paper explicitly positions the attack as “an [A]SDP-based [Cu]stomized [M]odel [P]oisoning [A]ttack (ACuMPA) for certain victim participants using ASDP strategy” (Li et al., 16 Sep 2025). In that formulation, ASDP is the enabling strategy and ACuMPA is the instantiated attack. The strategy consists of delaying the delivery of malicious shares and commitments until the attacker has enough information to craft a precise adversarial update; the attack consists of computing a customized gradient or share and distributing it so that selected victims accept and incorporate it into training.
The paper’s informal explanation of ASDP states that malicious dealers can “aggregate the gradients at the start, and provide the commitment with the share at the very last moment” (Li et al., 16 Sep 2025). That timing asymmetry is the core exploit. The paper therefore distinguishes ACuMPA from generic model poisoning: the attack is customized poisoning, because the attacker uses delayed disclosure to tailor malicious updates for particular victims rather than merely injecting a globally harmful perturbation.
A common misconception addressed by the paper is that VSS verifiability is, by itself, sufficient to prevent poisoned contributions. The paper’s account suggests the opposite: verifiability can ensure that a received share is consistent with the commitment eventually provided, but it does not by itself ensure that all honest parties receive the same share set, nor that commitments are published early enough to prevent adaptive tailoring (Li et al., 16 Sep 2025).
2. Adversarial model, capabilities, and intended targets
The threat model allows up to compromised participants, with
These compromised participants are Byzantine faulty, meaning they can behave arbitrarily (Li et al., 16 Sep 2025).
The paper attributes the following capabilities to the adversary: it can deviate from the protocol arbitrarily, forward different shares to different participants, remain silent when acting as a dealer, eavesdrop on forwarded messages, control the arrival time of messages, delete messages when necessary, and collude with compromised participants. The paper states: “Apart from the compromised participants, an adversary can also eavesdrop on the forwarded messages, and control the arrival time of those messages, even delete the messages when necessary, for assisting the compromised participants to launch model poisoning attacks” (Li et al., 16 Sep 2025).
The intended targets are “certain victim participants” in the DPML system. The objective is not limited to disrupting global convergence. Instead, the attacker aims to customize malicious updates for selected victims so that those participants’ local training is poisoned while the attacker remains relatively unaffected. This target specificity is central to the paper’s characterization of the attack as customized poisoning rather than undifferentiated Byzantine interference (Li et al., 16 Sep 2025).
3. Operational workflow and attack construction
The attack is described in Algorithm $\ref{algo-miaf-framework}$, titled “The procedure of the ASCuMPA Scheme” (Li et al., 16 Sep 2025). For each training round , each participant trains a local model on . Honest participants send the shares of and the corresponding commitments, receive all participants’ shares, and verify each received share. Malicious participants reconstruct and aggregate the average of model parameters using the VSS-based DPML procedure and then generate bad gradients using the ASDP algorithm. Participants then aggregate and update model locally.
The paper’s concrete ASDP construction is given in Algorithm $\ref{algo-adlgg}$, “The procedure of the Adaptive Share Delay Provision Strategy.” The algorithm takes 0, 1, and 2 as input, initializes a zero-like vector 3, iterates through sorted indices of 4, assigns signs according to 5, accumulates an indicator and norm estimate, and stops once the cosine similarity condition is driven below the threshold. The intended effect is to construct a malicious update 6 with controlled similarity to the target gradient 7, stopping when
8
The data block notes that the pseudocode has formatting issues, but also states that its meaning is clear: construct a malicious update 9 with controlled similarity to $\ref{algo-miaf-framework}$0, until the cosine similarity is below the threshold $\ref{algo-miaf-framework}$1 (Li et al., 16 Sep 2025).
Operationally, the attack proceeds through a timing gap in the protocol. The malicious dealer observes the current round’s information, reconstructs or estimates the round’s gradient or parameter state, computes a malicious replacement gradient $\ref{algo-miaf-framework}$2, and delays delivery until late enough that the victim still accepts it. Because the victim verifies only against the commitments accompanying the share it receives, the malicious share can pass verification despite having been adversarially chosen (Li et al., 16 Sep 2025).
4. Why the attack works: verification, timing, and similarity evasion
The paper’s informal justification for ASDP is direct: “most of the existing distributed privacy-preserving machine learning schemes do not force the participants to only use those gradients of which the commitment is provided in a certain time period. Thus, a malicious user can aggregate the gradients at the start, and provide the commitment with the share at the very last moment” (Li et al., 16 Sep 2025). This delayed-disclosure property is the precise enabling condition for ACuMPA.
The VSS verification rule recalled in the paper is
$\ref{algo-miaf-framework}$3
If the relation holds, the share is accepted as valid. The standard threshold reconstruction formula is
$\ref{algo-miaf-framework}$4
Within the paper’s argument, these formulas illustrate that correctness of local VSS verification and threshold reconstruction does not prevent a malicious dealer from adaptively choosing what is shared and when it is shared (Li et al., 16 Sep 2025).
The attack is also designed to evade standard poisoning defenses. The paper states that malicious dealers can “meticulously elaborate their model parameters to resist against the common model poisoning prevention mechanisms, like cosine similarity-based or $\ref{algo-miaf-framework}$5 regularization-based gradient aggregation” (Li et al., 16 Sep 2025). The explicit threshold conditions mentioned are
$\ref{algo-miaf-framework}$6
and
$\ref{algo-miaf-framework}$7
The core claim is that the malicious gradient can satisfy these defense-oriented thresholds while still driving the victim’s model away from the correct update direction. The paper also states that “a malicious dealer can generate any shares as her wish to victim participants by observing the on-chain shares at the start. All of the victim participants are proven to accept the malicious dealer's shares in theory” (Li et al., 16 Sep 2025).
The significance of this analysis is that it reframes the vulnerability as a composition failure between cryptographic verifiability and protocol timing. A share can be valid in the VSS sense yet still be adversarially customized and selectively delivered. This suggests that, in the setting considered, verifiability without time-anchored consistency is insufficient.
5. Theoretical analysis and implications for distributed training
The paper includes a theorem titled “Existence of Common Substitute Vector” to justify the existence of an adversarial substitute direction that remains sufficiently aligned for many clients while still serving the attack (Li et al., 16 Sep 2025). It defines
$\ref{algo-miaf-framework}$8
and the lower bound
$\ref{algo-miaf-framework}$9
It then states that if
0
there exists a vector 1 with 2 such that
3
According to the data block, the proof uses Cauchy–Schwarz, gradient concentration under a Dirichlet model, and a covering-number argument.
The intended interpretation given in the data is that an attacker can find a sparse substitute direction that still has enough cosine similarity for many clients, helping the attack remain stealthy. This suggests that ACuMPA is not only an artifact of delayed messaging, but also a geometrically informed attack that leverages structure in the gradient distribution to maintain plausibility under similarity-based defenses (Li et al., 16 Sep 2025).
The effect on DPML training is described in several dimensions. By injecting tailored malicious gradients, the attack lowers classification accuracy, slows convergence, and increases the number of training rounds needed to reach a target accuracy. The paper further states that the attack can “delay the model divergence as long as possible,” which, in context, means that the poisoning can persist without necessarily triggering an immediate, obvious collapse. Because different participants may receive different maliciously crafted shares, consistency across participants is broken in a VSS-only setting. Verifiability therefore remains local, while agreement on the set of acceptable updates is no longer preserved (Li et al., 16 Sep 2025).
6. Mitigation through EByFTVeS and empirical evidence
The paper proposes EByFTVeS, “Efficient Byzantine Fault Tolerant-based Verifiable Secret-sharing,” as the principal defense (Li et al., 16 Sep 2025). Its central mitigation principle is stated explicitly: “we force all the dealers provide the shares with the commitments in a certain time period. Later, only the gradients from these shares are used to aggregate.” The scheme integrates a PBFT-style consensus layer, replaces plain broadcast and receive with broadcast_update and receiving_update, uses consensus so all honest participants see the same set of share-related messages, requires shares and verification results to go through the BFT system, and only aggregates shares whose commitments were provided in the required time window (Li et al., 16 Sep 2025).
The key security consequence is that if a commitment is not in the consensus system at the right time, it cannot be used later. That property removes the ASDP timing exploit. The data further states that ordinary BFT-based VSS schemes are still vulnerable if they ensure only eventual consistency rather than time-anchored consistency for share publication, and EByFTVeS is proposed specifically to close that gap (Li et al., 16 Sep 2025).
Experimental evaluation is reported on MNIST, Fashion-MNIST, and CIFAR-10 using CNN, ResNet, and AlexNet. The compared settings are FedAvg, ACuMPA, and ACuMPA + ByFTVeS. The main findings reported are that under ACuMPA, accuracy drops and convergence slows, whereas under ACuMPA + ByFTVeS, accuracy and convergence become nearly the same as plain FedAvg (Li et al., 16 Sep 2025).
Representative results included in the data are:
- CNN / CIFAR-10: FedAvg achieves 63.7% accuracy in 66 rounds; ACuMPA yields 60.8% accuracy in 115 rounds; ACuMPA + ByFTVeS yields 63.8% accuracy in 69 rounds.
- ResNet / Fashion-MNIST: FedAvg achieves 90.5% in 23 rounds; ACuMPA yields 89.4% in 48 rounds; ACuMPA + ByFTVeS yields 90.6% in 22 rounds.
- AlexNet / CIFAR-10: FedAvg achieves 68.5% in 79 rounds; ACuMPA yields 66.5% in 102 rounds; ACuMPA + ByFTVeS yields 68.8% in 79 rounds.
These results support the paper’s claim that ACuMPA degrades model quality, increases training time to target performance, and affects benign participants more than the malicious one, while EByFTVeS or ByFTVeS restores behavior to near-baseline levels. The paper also reports additional MPC evaluation and states that the proposed BFT-based design remains efficient relative to MASCOT, although that aspect is less directly about ACuMPA itself (Li et al., 16 Sep 2025).