{"paper":{"title":"Efficient Preference Poisoning Attack on Offline RLHF","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Flipping one preference label in log-linear DPO creates a parameter-independent gradient shift that turns targeted poisoning into a binary sparse approximation problem.","cross_cats":["cs.AI","stat.ML"],"primary_cat":"cs.LG","authors_text":"Chenye Yang, Lifeng Lai, Weiyu Xu","submitted_at":"2026-05-04T11:45:38Z","abstract_excerpt":"Offline Reinforcement Learning from Human Feedback (RLHF) pipelines such as Direct Preference Optimization (DPO) train on a pre-collected preference dataset, which makes them vulnerable to preference poisoning attack. We study label flip attacks against log-linear DPO. We first illustrate that flipping one preference label induces a parameter-independent shift in the DPO gradient. Using this key property, we can then convert the targeted poisoning problem into a structured binary sparse approximation problem. To solve this problem, we develop two attack methods: Binary-Aware Lattice Attack (BA"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Flipping one preference label induces a parameter-independent shift in the DPO gradient, converting the targeted poisoning problem into a structured binary sparse approximation problem that BAL-A and BMP-A solve with sufficient conditions and coherence-based guarantees.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The central reduction assumes that the DPO objective is strictly log-linear in the parameters so that the gradient shift from a single label flip remains independent of the current parameter vector; if this independence fails for realistic non-linear models or regularizers, the conversion to sparse approximation no longer holds.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Label-flip attacks on log-linear DPO reduce to binary sparse approximation problems that can be solved efficiently by lattice-based and binary matching pursuit methods with recovery guarantees.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Flipping one preference label in log-linear DPO creates a parameter-independent gradient shift that turns targeted poisoning into a binary sparse approximation problem.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"0fc296242b5d6b9b57bfa821b2bdaffbc309c1b3095021e6606ad1e709894733"},"source":{"id":"2605.02495","kind":"arxiv","version":2},"verdict":{"id":"4c853f26-0168-484b-a44f-1099298b1503","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-08T19:25:48.070349Z","strongest_claim":"Flipping one preference label induces a parameter-independent shift in the DPO gradient, converting the targeted poisoning problem into a structured binary sparse approximation problem that BAL-A and BMP-A solve with sufficient conditions and coherence-based guarantees.","one_line_summary":"Label-flip attacks on log-linear DPO reduce to binary sparse approximation problems that can be solved efficiently by lattice-based and binary matching pursuit methods with recovery guarantees.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The central reduction assumes that the DPO objective is strictly log-linear in the parameters so that the gradient shift from a single label flip remains independent of the current parameter vector; if this independence fails for realistic non-linear models or regularizers, the conversion to sparse approximation no longer holds.","pith_extraction_headline":"Flipping one preference label in log-linear DPO creates a parameter-independent gradient shift that turns targeted poisoning into a binary sparse approximation problem."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.02495/integrity.json","findings":[],"available":true,"detectors_run":[{"name":"ai_meta_artifact","ran_at":"2026-05-20T15:39:43.237812Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_title_agreement","ran_at":"2026-05-20T03:01:22.782107Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_compliance","ran_at":"2026-05-19T16:20:23.175153Z","status":"completed","version":"1.0.0","findings_count":0}],"snapshot_sha256":"e123e53f1d28080b036ab00e272a95fc00fabdab7e773726f4130eb401745d9b"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":3,"snapshot_sha256":"3cab39d4d8f1f232287399b979029d5e29bbc975550da0d3ebcd421fd2e15205"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}