Average Information Leakage Rate
- Average Information Leakage Rate is a metric that quantifies the expected disclosure of sensitive data per system use using information-theoretic measures.
- It leverages tools like mutual information, f-means, and divergence metrics to analyze privacy-utility trade-offs in distributed, quantum, and physical-layer systems.
- Applications span wiretap channels, distributed computing, quantum error benchmarking, and privacy in machine learning, guiding system design and performance analysis.
Average information leakage rate quantifies, per channel use or per system operation, the expected amount of information about a sensitive (private) variable that is disclosed to an adversary through observable system outputs. This metric is foundational in information-theoretic security, privacy-preserving computation, quantum system benchmarking, privacy in learning algorithms, and more. It serves as a rigorous operational tool for system design, performance analysis, and privacy-utility tradeoff characterization, exhibiting strong connections to generalized mutual information measures, guessing-advantage metrics, and rate regions in multiterminal settings.
1. Formal Definitions
The average information leakage rate is typically cast as the expected value of an information-theoretic leakage metric per system operation (e.g., per channel use, per file request, per quantum gate). Classical definitions include:
- Wiretap Channel (Physical-Layer Secrecy):
If is the confidential message and the eavesdropper’s observation, the average information leakage rate is often defined via variational distance, mutual information, or related divergences, averaged over fading and code realizations (Mamaghani et al., 2023, Huang et al., 2018).
- Function Computation (Distributed/Privacy-Preserving):
For users with private data and a fusion center that reconstructs , the per-symbol average leakage rate is
where are user messages (Chou et al., 2022).
- Index Coding and Active Guessing Adversaries:
Average information leakage is defined as the asymptotic per-symbol log increase in an adversary's expected success probability after observing the broadcast (Liu et al., 2022).
- Generalized -Mean and α-Leakage:
If is secret, is observed, and leakage is measured by a Kolmogorov–Nagumo 0-mean,
1
where 2 is a prior 3-vulnerability and 4 is the post-observation 5-vulnerability averaged over the channel (Zarrabian et al., 2024, Ding et al., 2024).
- Quantum Systems:
For a CPTP channel 6 with computational subspace projector 7, the average leakage rate is
8
with 9 the normalized projector onto the computational subspace (Wu et al., 2023).
2. Core Mathematical Frameworks
The leakage rate encompasses a spectrum of frameworks, unifying many operationally relevant scenarios:
- Kolmogorov–Nagumo 0-means: Average information leakage can be constructed as the logarithm (or difference) between pre- and post-observation generalized adversarial vulnerabilities, incorporating linear (Shannon), power (Rényi, Arimoto, Sibson), and maximum (min-entropy) means (Zarrabian et al., 2024).
- Rényi/Arimoto/Sibson 1-Leakage: Given 2, the Sibson mutual information 3 represents the 4-mean (quasi-arithmetic mean) of per-5 Rényi divergence gains, and thus operationalizes the average 6-leakage rate,
7
(Ding et al., 2024, Ding et al., 8 Oct 2025). For 8, this recovers classical mutual information; for 9, maximal leakage.
- Guessing-Advantage Metrics: In index coding and information retrieval, leakage is quantified by the per-block (or per-symbol) log-ratio of adversarial guessing success probabilities before and after seeing the observable(s) (Yakimenka et al., 2021, Liu et al., 2022). In private search and PIR, this is expressed as
0
with 1 the average server success probability (Yakimenka et al., 2021).
- Leakage in Finite Blocklength Regimes: For wiretap fading channels with finite codes, the average information leakage rate can be computed by integrating the instantaneous leakage probability (e.g., variational distance or error probability) over the randomness of channel gains (Mamaghani et al., 2023).
3. Operational and Application Domains
The average information leakage rate is central across diverse operational scenarios:
- Physical-Layer Security & Wiretap Channels:
The metric underpins security analysis for fading channels, facilitating trade-offs between throughput, secrecy, blocklength, and code design. Analytical and closed-form approximations—connected to secrecy-outage probability—enable tractable design for beamforming, artificial-noise power allocation, and adaptive strategies (Mamaghani et al., 2023, Huang et al., 2018).
- Distributed Computations and Privacy:
In multi-user function computation, it quantifies the privacy cost (leakage per use) as a function of codebooks and auxiliary randomizations, allowing exact characterization of privacy-communication rate regions, especially for independent sources (Chou et al., 2022).
- Index Coding and Adversarial Learning:
The average leakage rate—tied closely to graph-theoretical broadcast rates—enables quantification of the privacy-utility frontier, notably under vanishing or zero-error requirements, and is operationally distinct from mutual information (Liu et al., 2022).
- Quantum Error Benchmarking:
In randomized benchmarking, average leakage and seepage rates characterize the fraction of state population leaking out of computational subspaces, enabling robust diagnostics across gate sets and multi-qubit systems (Wu et al., 2023).
- Machine Learning and Generalization:
The average-case information leakage (mutual information between train data and algorithm output, averaged over concepts) yields tight compression/generalization bounds, especially in VC-theoretic learning (Nachum et al., 2018).
4. Connection to Generalized Entropy, Divergence, and Axiomatic Properties
Recent frameworks extend leakage analysis via Kolmogorov–Nagumo means, encompassing (and connecting) Shannon, Rényi, Sibson, Arimoto, maximal, and 2-leakages (Zarrabian et al., 2024, Ding et al., 2024, Ding et al., 8 Oct 2025):
- Generalization: The average leakage rate forms the core of a QIF framework unifying 3-leakage, 4-divergence, 5-leakage, local differential privacy, and related adversarial threat models.
- Axioms: Continuity, convexity, data-processing, monotonicity, and additivity are satisfied for both additive and multiplicative average leakage rates under suitable regularity and convexity of the 6-mean and gain functions.
- Capacity: The maximal average information leakage rate (capacity) is characterized as a double maximization over input priors and adversarial strategies, yielding closed-form optimization procedures (e.g., Blahut–Arimoto algorithms for Rényi/Sibson capacity) (Ding et al., 8 Oct 2025).
5. Trade-offs and Design Implications
The average information leakage rate enables explicit and analytic exploration of privacy-performance trade-offs:
| System | Fundamental Trade-off | Main Result/Insight |
|---|---|---|
| Wiretap | Throughput vs. leakage vs. blocklength | Saddle-point approx. links FBL AIL to SOP; explicit design |
| Function computation | Com. rate vs. average leakage | Every extra bit of rate yields extra leakage (Chou et al., 2022) |
| Index coding | Broadcast rate vs. adversary’s gain | Leakage equals induced subproblem broadcast rate (i.i.d. case) |
| QKD | Key rate vs. post-reconciliation leakage | Tighter multiphoton-aware bounds substantially boost SKR |
| Learning | Compression (leakage) vs. generalization | Average-case leakage 7; governs generalization error |
Allowing small (nonzero) average information leakage can lead to substantial improvements in reliability, throughput, or resource efficiency, and can be tuned precisely via system parameters (blocklength, code rate, noise power allocation).
6. Asymptotic and Composition Laws
Axiomatic studies of information-theoretic leakage metrics detail how average leakage rates behave under repeated system uses:
- Monotonicity and Saturation: For any reasonable pointwise/global leakage metric, the average leakage rate per sample increases with the number of i.i.d. samples, saturating at a maximal value determined by the prior (Taylor et al., 2024).
- Exponential Convergence: The rate at which average leakage approaches its limit is governed by the minimal Chernoff information between distinct conditional channel laws; the convergence is exponential in the number of samples (observations) (Taylor et al., 2024).
7. Illustrative Computation and Analytical Results
Several explicit formulas and protocols for average information leakage rates are available:
- Quantum Leakage Randomized Benchmarking: 8, with 9 a channel-contracted stochastic matrix (Wu et al., 2023).
- Wiretap Rayleigh Channel: Closed-form and low-complexity approximations using exponential-integral and rational formulas link SNR, rate, and leakage directly (Huang et al., 2018).
- PIR with Partial Privacy: Leakage 0 explicitly upper- and lower-bounds download rate as a function of permissible privacy leakage (Yakimenka et al., 2021).
References
- "Performance Analysis of Finite Blocklength Transmissions Over Wiretap Fading Channels: An Average Information Leakage Perspective" (Mamaghani et al., 2023)
- "Average-Case Information Complexity of Learning" (Nachum et al., 2018)
- "On Secure Transmission Design: An Information Leakage Perspective" (Huang et al., 2018)
- "1-leakage by Rényi Divergence and Sibson Mutual Information" (Ding et al., 2024)
- "Function Computation Without Secure Links: Information and Leakage Rates" (Chou et al., 2022)
- "Leakage Benchmarking for Universal Gate Sets" (Wu et al., 2023)
- "Optimal Rate-Distortion-Leakage Tradeoff for Single-Server Information Retrieval" (Yakimenka et al., 2021)
- "Information Leakage in Index Coding" (Liu et al., 2022)
- "The Asymptotic Behaviour of Information Leakage Metrics" (Taylor et al., 2024)
- "An Extension of the Adversarial Threat Model in Quantitative Information Flow" (Zarrabian et al., 2024)
- "2-leakage Interpretation of Rényi Capacity" (Ding et al., 8 Oct 2025)
- "Improving key rates by tighter information reconciliation leakage estimation for quantum key distribution" (Mao et al., 13 Jan 2025)