Mistletoe: Stealthy Acceleration-Collapse Attacks on Speculative Decoding

Shuoyang Sun, Chang Da, Hao Fang, Kuofeng Gao, Xinhao Zhong, Yi Sun, Fan Mo, Shu-Tao Xia, Bin Chen

arXiv:2605.14005 · 2026-05-15 공개 · arXiv · PDF

llm-inference speculative-decoding semantic-preservation acceleration-collapse draft-acceptance null-space-projection model-mismatch stealthy-attack

Abstract

Speculative decoding has become a widely adopted technique for accelerating large language model (LLM) inference by drafting multiple candidate tokens and verifying them with a target model in parallel. Its efficiency, however, critically depends on the average accepted length $\tau$, i.e., how many draft tokens survive each verification step. In this work, we identify a new mechanism-level vulnerability in model-based speculative decoding: the drafter is trained to approximate the target model distribution, but this approximation is inevitably imperfect. Such a drafter-target mismatch creates a hidden attack surface where small perturbations can preserve the target model's visible behavior while substantially reducing draft-token acceptability. We propose Mistletoe, a stealthy acceleration-collapse attack against speculative decoding. Mistletoe directly targets the acceptance mechanism of speculative decoding. It jointly optimizes a degradation objective that decreases drafter-target agreement and a semantic-preservation objective that constrains the target model's output distribution. To resolve the conflict between these objectives, we introduce a null-space projection mechanism, where degradation gradients are projected away from the local semantic-preserving direction, suppressing draft acceptance while minimizing semantic drift. Experiments on various speculative decoding systems show that Mistletoe substantially reduces average accepted length $\tau$, collapses speedup, and lowers averaged token throughput, while preserving output quality and perplexity. Our work highlights that speculative decoding introduces a mechanism-level attack surface beyond existing output robustness, calling for more robust designs of LLM acceleration systems.

한국어 요약

📋 한 줄 요약

**[LLM 추론 보안 · 추측 디코딩]** 드래프터-타깃 불일치라는 메커니즘 수준 취약점을 이용해 출력 품질을 유지한 채 추측 디코딩 가속을 무력화하는 은밀한 공격 Mistletoe를 제안한다.

🎯 핵심 기여도

💡 핵심 아이디어

LLM 출력의 안전성/품질만 점검하는 기존 robust 평가로는 잡히지 않는, "보이는 출력은 그대로 두면서 속도 메커니즘만 무너뜨리는" 새로운 적대적 공간이 존재한다.

🔬 기술적 접근법

📊 주요 결과

💭 의의 및 한계

**의의**: LLM 추론 가속이 출력 robustness 너머의 새로운 적대적 표면을 가짐을 드러내며, 보다 강건한 가속 시스템 설계의 필요성을 환기한다. **한계**: 공격 자체가 제안되었으므로 방어 메커니즘은 후속 과제로 남으며, 본 논문이 직접 광범위한 방어책을 제시하지는 않는다.

🚀 실용적 활용