Leakage-Guessing Proof System
- Leakage-Guessing Proof System is a framework that defines leakage as the improvement in an adversary’s ability to guess a secret after observing released data.
- It extends maximal leakage by introducing parameters α and β to interpolate between log-loss and worst-case scenarios, thus unifying different privacy measures.
- The framework underpins diverse applications in coding, program analysis, and side-channel attacks, ensuring robustness through axiomatic properties like data processing and additivity.
As an Editor’s term, Leakage-Guessing Proof System denotes a family of quantitative information-flow frameworks in which leakage is defined operationally by the improvement an adversary obtains in guessing a secret, or an arbitrary function of sensitive data, after observing a release. In the literature summarized here, the canonical form of this idea is the adversarial-guessing formulation of maximal leakage and its generalization to maximal -leakage, where the adversary may choose any finite-alphabet such that and compare optimal guessing performance with and without access to . This operational backbone recovers maximal -leakage, maximal leakage, local differential privacy, and local Rényi differential privacy, while also supporting extensions to side information, coding-theoretic converse arguments, source-level quantitative information flow, and non-stochastic brute-force models (Gilani et al., 2022).
1. Operational core: leakage as adversarial guessing
The modern leakage-guessing framework begins from the observation that an adversary is not necessarily trying to recover the raw private variable itself. Instead, the adversary may care about some discrete randomized function of , with , and the release should therefore be evaluated by how much it improves the adversary’s best guessing performance on that unknown target. In the finite-alphabet setting, maximal leakage is defined as
0
The denominator is the best prior guessing probability without observing 1; the numerator is the best posterior guessing probability after observing 2. The role of 3 is central: maximizing over all such 4 makes the measure robust to uncertainty about what secret the adversary actually cares about. For discrete alphabets, this yields the closed form
5
so maximal leakage is exactly Sibson mutual information of order 6 (Issa et al., 2018).
Maximal 7-leakage extends this operational picture by replacing the single-guess success probability with a generalized power-mean score. For 8 and 9,
0
Here 1 has the same alphabet as 2, the adversary may choose any estimator 3, and the supremum over 4 is included to enable recovery of worst-case notions. The same work proves a simplified computable expression,
5
where 6 ranges over distributions on the support of 7. This reduction is what turns the operational definition into a usable proof framework: the quantity depends only on the channel 8 and an auxiliary distribution 9 (Gilani et al., 2022).
2. The parameters 0 and 1 and the bridge between regimes
The parameter 2 controls the local guessing loss function, while 3 controls how the contributions from different outputs 4 are aggregated. In maximal 5-leakage, 6 interpolates from log-loss at 7 to the probability-of-error regime at 8; equivalently, 9 and 0 is the classical maximal leakage of Issa et al. (Liao et al., 2019). In maximal 1-leakage, 2 corresponds to simple averaging over outputs, whereas 3 turns the aggregation into a maximum over outputs, shifting the operational semantics from an average-case perspective toward a worst-case, local-privacy flavor (Gilani et al., 2022).
This interpolation is the precise mechanism by which a guessing-based framework spans multiple privacy notions that are often treated separately.
| Parameters | Recovered measure | Expression or characterization |
|---|---|---|
| 4 | maximal 5-leakage | 6 |
| 7 | maximal leakage | 8 |
| 9 | local Rényi differential privacy | 0 |
| 1 | local differential privacy | 2 |
| 3 arbitrary | variant of LRDP | 4 |
A recurrent misconception is that local differential privacy and guessing-based leakage belong to fundamentally different paradigms. The parameterization above shows otherwise: in this family, LDP appears as a corner point of the same operational construction that yields average-case maximal leakage. The paper explicitly interprets 5 as the average-case regime and 6 as the route to max-over-output worst-case privacy, with 7 recovering the classical maximum-ratio flavor of local privacy (Gilani et al., 2022).
3. Axioms, proof obligations, and proof-theoretic structure
The leakage-guessing literature treats a leakage measure not merely as a scalar quantity, but as an object required to satisfy a recognizable set of operational and axiomatic properties. For maximal 8-leakage, the framework establishes non-negativity,
9
with equality iff 0 and 1 are independent; monotonicity in 2 for fixed 3,
4
data processing inequalities for any Markov chain 5,
6
and additivity over independent releases,
7
The same work also notes a reparameterization 8 under which the leakage becomes non-increasing in 9 for fixed 0, and non-decreasing in 1 for fixed 2 (Gilani et al., 2022).
The paper frames these results as a general proof template. One first defines an adversary’s gain in guessing an arbitrary hidden function 3 of 4; then optimizes over all 5; then introduces a tunable power mean in which 6 governs guess quality and 7 governs output aggregation; and finally proves the resulting quantity satisfies non-negativity, zero iff independence, data processing, and additivity. In this sense, “proof system” refers not only to a formal logic, but also to a reusable operational schema for deriving leakage measures from guessing games (Gilani et al., 2022).
For classical maximal leakage, several additional properties sharpen the distinction from mutual-information-based reasoning. It is generally asymmetric, convex in 8 for fixed support of 9, and depends on 0 only through 1. It also satisfies
2
and no scalar multiple of mutual information can upper-bound it uniformly. These facts explain why maximal leakage is often used when worst-case guessing amplification, rather than average information transmission, is the relevant proof obligation (Issa et al., 2018).
4. Conditionalization and robustness to side information
A leakage-guessing proof system becomes substantially more realistic once side information is made explicit. Conditional maximal 3-leakage introduces a third variable 4, representing information already available to the adversary, and defines
5
under the conditional Markov structure
6
For 7, the resulting quantity is characterized as
8
while for 9 it reduces to 0. The paper interprets this as a supremum of conditional Arimoto channel capacities across side-information states (Liao et al., 2019).
The central robustness theorem states that if
1
then
2
The condition 3 means that the side information is conditionally independent of the release given the private data; in operational terms, the release mechanism depends only on 4 and private randomness, not on 5. Under that assumption, arbitrary side information cannot increase leakage beyond the unconditional maximal 6-leakage already quantified by the mechanism. A common misunderstanding is therefore corrected: side information does not automatically invalidate a leakage guarantee; it does so only when the release model itself breaks the required conditional independence (Liao et al., 2019).
5. Coding-theoretic and graph-theoretic realizations
The same guessing-based proof system appears in several coding problems, where the operational quantity becomes a leakage rate and the converse machinery becomes combinatorial or type-theoretic.
In zero-error source coding, the source symbols are constrained by a confusion graph 7, and the leakage to a guessing adversary is measured by the ratio of best post-observation and pre-observation guessing success probabilities. The optimal normalized leakage rate is
8
where 9 is the fractional chromatic number of the confusion graph. The paper further shows that this equals the optimal fixed-length zero-error compression rate,
00
and gives an optimum-achieving scalar stochastic mapping built from a fractional coloring (Liu et al., 2021).
In index coding, the adversary knows a subset 01 of the messages, wants to guess 02 for 03, and is allowed at most 04 guesses at blocklength 05. The leakage metric is
06
For vanishing-error and zero-error decoding, the paper derives lower and upper bounds controlled by the broadcast rate of the induced subproblem on 07; when the messages are independent and uniformly distributed, these bounds match: 08 This yields a direct equivalence between leakage minimization and an induced index-coding problem on the messages not already known to the adversary (Liu et al., 2022).
A related privacy-utility model, explicitly inspired by index coding, places several legitimate users and one adversary in a single-shot guessing framework. The adversary’s privacy metric is conditional maximal leakage
09
and the utility constraints imply converse lower bounds such as
10
where 11 is the clique number of the induced confusion graph. A second converse uses a polymatroid rank function
12
to obtain entropy-based lower bounds, and the constructive side of the paper proposes a greedy privacy-enhancing mechanism inspired by agglomerative clustering in the information bottleneck and privacy funnel problems (Liu et al., 2020).
In the successive-refinement Shannon cipher system, maximal leakage again supports a guessing-based converse. The eavesdropper observes public messages 13 and tries to infer a hidden random function 14 of the source. Under joint excess-distortion probability and expected distortion criteria, the paper characterizes inner and outer normalized maximal leakage regions; the achievability proof uses type-based coding, binning, and key masking, while the converse constructs a multi-stage guessing strategy in which Eve first guesses the keys and then applies source-sequence guessing functions derived from type arguments (Wu et al., 2023). This is an especially explicit illustration of the proof-system viewpoint: secrecy bounds are proved by lower-bounding the success of a carefully chosen guessing attack.
6. Source-level logics, non-stochastic variants, and empirical manifestations
One branch of the literature turns the leakage-guessing framework into an actual source-level proof system for programs. In quantitative information flow, a program is modeled as a channel from prior distributions to hyper-distributions, and an attacker is specified by a gain function
15
The source-level judgment
16
states that the attacker’s best expected post-execution gain is exactly represented by a pre-gain computed by backward transformation rules. The language includes assignment, sequencing, conditionals, while loops, and explicit leakage via Print, while also modeling implicit leakage through branch and loop observations. Gain expressions built from 17, 18, and 19 generalize “Guess the secret in one try” to more structured adversarial utilities (Chen et al., 2024). This formalism clarifies another recurrent misconception: explicit output is not the only leakage channel; branch-on-high control flow is itself observable in the semantics.
A different extension removes probability altogether. In the non-stochastic brute-force setting, random variables are replaced by uncertain variables, posterior uncertainty is represented by conditional ranges, and leakage is defined by the reduction in worst-case brute-force search complexity. For a sensitive attribute 20,
21
Maximizing over all attributes 22 gives a maximal non-stochastic brute-force guessing leakage
23
with data processing, nonnegativity, zero iff unrelated, and additivity for independent components. The same paper relates this quantity to maximin information and to stochastic maximal leakage, showing that the brute-force measure upper bounds the existing non-stochastic one-shot notion (Ding et al., 2021).
The small-leakage regime has also been analyzed directly in terms of guessing moments. For a secret alphabet of size 24, the guessing advantage is
25
and the leakage side is measured by
26
The resulting non-asymptotic theory gives exact parametric lower envelopes of 27 versus 28 and, near the no-leakage point, the square-root law
29
Operationally, this provides a direct way to upper-bound guessing advantage from a bound on conditional Rényi–Arimoto entropy (Béguinot et al., 2024).
Finally, the framework has concrete side-channel manifestations. The PILOT attack studies password and PIN leakage from videos of masked typing feedback, where the leakage source is inter-keystroke timing inferred from the frames in which masking symbols first appear. The paper reports that, by leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts, and guesses about 3% of PINs within 10 attempts, corresponding to a 26-fold improvement compared to random guessing (Balagani et al., 2019). This empirical result is fully consistent with the operational definition of leakage used throughout the theory: even when the symbols themselves are obfuscated, the release can still substantially increase an adversary’s ranking or guessing success.
The resulting picture is coherent across probabilistic, program-logical, coding-theoretic, and non-stochastic settings. A leakage-guessing proof system specifies an adversarial objective, measures the improvement caused by observation, proves axiomatic properties such as data processing and additivity, and then uses those properties to derive guarantees or converses. What varies across the literature is the semantic substrate—channels, hyper-distributions, confusion graphs, type classes, or conditional ranges—rather than the underlying operational question of how much easier guessing becomes after the release.