Maximal Leakage: Worst-case Privacy Measure

Updated 3 May 2026

Maximal leakage is an operational measure defined as the worst-case multiplicative gain in guessing any function of a secret variable X after observing Y.
It admits closed-form expressions for both discrete and continuous systems, enabling precise quantification in adaptive data analysis and side-channel evaluations.
Its properties, including non-negativity, data processing inequality, and additivity, provide a robust framework for evaluating privacy risks and cryptographic security.

Maximal leakage is an operationally defined information-theoretic measure quantifying the worst-case multiplicative increase in the probability of correctly guessing any (possibly randomized) function of a sensitive variable $X$ after observing disclosed data $Y$ . Unlike mutual information, which captures average-case reduction in uncertainty, maximal leakage targets the adversary's single-shot, best-case advantage. The metric is central in robust privacy risk assessment, adaptive data analysis, information-theoretic cryptography, and quantification of side-channel and statistical disclosure risks in both classical and quantum settings.

1. Operational Definition and Closed-Form Expression

Maximal leakage $\mathcal{L}(X\!\to\!Y)$ is defined as the supremum, over all randomized functions $U$ of $X$ , of the logarithm of the multiplicative gain in the adversary’s probability of successfully guessing $U$ after observing $Y$ compared to before: $\mathcal{L}(X\!\to\!Y) = \sup_{U:U-X-Y} \log \frac{ \max_{\hat U(Y)}\Pr\bigl\{U = \hat U(Y)\bigr\} }{ \max_{u}\Pr\{U = u\} }$ This supremum is achieved by "shattering" constructions that align $U$ with the most distinguishable structures in the channel from $X$ to $Y$ 0 (Issa et al., 2018).

For finite or countable $Y$ 1, $Y$ 2 with $Y$ 3, maximal leakage admits the closed-form: $Y$ 4 This form reveals that maximal leakage depends only on the support structure of $Y$ 5 and not on $Y$ 6 except through support.

For general (possibly continuous) alphabets: $Y$ 7 where the essential supremum is with respect to the measure on $Y$ 8. This generalization preserves the operational meaning and key properties (Issa et al., 2018, Saeidian et al., 2023).

2. Properties and Structural Principles

Maximal leakage exhibits key information-theoretic properties enabling robust compositional privacy analysis:

Non-negativity: $Y$ 9, with equality if and only if $\mathcal{L}(X\!\to\!Y)$ 0 and $\mathcal{L}(X\!\to\!Y)$ 1 are independent.
Data processing inequality: For any Markov chain $\mathcal{L}(X\!\to\!Y)$ 2,

$\mathcal{L}(X\!\to\!Y)$ 3

— further (pre/post) processing never increases worst-case leakage (Gilani et al., 2022, Issa et al., 2018).

Additivity (composition): For independent pairs,

$\mathcal{L}(X\!\to\!Y)$ 4

Leakage sums over independent releases, enabling precise tracking in iterative or adaptive settings (Gilani et al., 2023, Esposito et al., 2019).

Supremum over input support: The leakage only considers those $\mathcal{L}(X\!\to\!Y)$ 5 for which $\mathcal{L}(X\!\to\!Y)$ 6.
Operational faithfulness: The metric quantifies the tight upper bound on adversarial one-shot guessing advantage for any function of the secret (Issa et al., 2018).

Maximal leakage is situated within a broader family of tunable privacy/risks metrics:

Mutual Information $\mathcal{L}(X\!\to\!Y)$ 7: Quantifies the average reduction in uncertainty about $\mathcal{L}(X\!\to\!Y)$ 8 given $\mathcal{L}(X\!\to\!Y)$ 9. Maximal leakage, being worst-case, always upper-bounds $U$ 0 (Gilani et al., 2023, Issa et al., 2018) and is strictly larger unless the guess is reliably decodable.
Differential Privacy (DP): For local or pure DP, the privacy parameter

$U$ 1

Maximal leakage is always upper-bounded by DP: $U$ 2, with DP taking a worst-case over inputs and outputs, whereas maximal leakage employs a sum-max over output distributions (Gilani et al., 2023).

Maximal $U$ 3-Leakage: Maximal leakage corresponds to the "corner" $U$ 4, $U$ 5 in the two-parameter family of leakage measures, interpolating between maximal $U$ 6-leakage, max-information, and local Rényi differential privacy (Gilani et al., 2023, Gilani et al., 2022).
$U$ 7-Divergences and Pointwise Leakage: Pointwise maximal leakage and related $U$ 8-divergence bounds allow fine-grained, statistical or event-level privacy guarantees (Saeidian et al., 2022, Saeidian et al., 2023).

The table below summarizes core distinctions:

Measure	Operates on	Adversary gain	Operational interpretation
Mutual information	Averages over $U$ 9	Average-case	Expected uncertainty reduction
Maximal leakage	Worst-case over $X$ 0	Max-case	Max multiplicative one-shot guessing advantage
Differential privacy	Max pointwise ratio	Max-case	Max log-ratio over input/output pairs

4. Computational Aspects and Examples

Maximal leakage is computationally tractable: for discrete finite $X$ 1, only the channel matrix $X$ 2 is needed:

For each $X$ 3, compute $X$ 4.
Sum over $X$ 5; take the log.

Examples:

Binary symmetric channel: No leakage when channel is fully random ( $X$ 6).
Binary erasure channel: Leakage interpolates between $X$ 7 (full erasure) and $X$ 8 (no erasure) as erasure probability decreases.
Randomized response, geometric/Laplace noise, and histogram perturbation: explicit leakage quantification guides privacy-utility tradeoffs.

In continuous or general-alphabet settings, computation relies on integrals of essential suprema over the noise kernel (Saeidian et al., 2023).

5. Applications to Adaptive Data Analysis, Cryptography, and Mechanism Design

Adaptive Data Analysis and Learning: Maximal leakage tightly characterizes the generalization error in adaptive settings, robustly composes across sequential or interactive algorithms, and operationalizes post-selection bounds (Esposito et al., 2019, Esposito et al., 2019, Issa et al., 2023). Generalization probability bounds take the form:

$X$ 9

with $U$ 0 directly controlling statistical penalties for adaptivity.

Side-Channel and Physical Leakage: Maximal leakage offers a stringent, operationally meaningful upper bound on side-channel vulnerability, outperforming mutual information or capacity in matching empirical guessing risks, and allowing cost/security tradeoff optimization via linear programming (Wu et al., 2020).
Privacy-Preserving Mechanism Design: Privacy-utility tradeoff optimization under maximal leakage constraint yields explicit mechanisms—often employing full (partial) release of high-probability symbols and suppression of rare outcomes (Saeidian et al., 2021).
Cryptography: Maximal leakage bounds (and minimizes) the adversary’s ability to recover secrets from encrypted or masked data, including in individual sequence settings and for universal ciphers using Lempel-Ziv compression and one-time pads (Merhav, 30 Apr 2025).

6. Quantum Extensions and Generalizations

The definition of maximal leakage extends naturally to quantum settings. Given a classical variable $U$ 1 encoded into quantum states $U$ 2 and a single quantum measurement, the maximal quantum leakage is (Farokhi, 2023): $U$ 3 This characterizes the maximal multiplicative gain achievable by any quantum measurement for any function of $U$ 4. Maximal quantum leakage preserves post-processing and independence properties, and bounds accessible information.

Pointwise Maximal Leakage and Statistical Guarantees: The pointwise framework treats leakage as a random variable $U$ 5 over $U$ 6, enabling distributional or (ε,δ)-type guarantees—crucial for high-probability privacy analysis and post-processing robustness (Saeidian et al., 2022, Saeidian et al., 2023, Saeidian, 13 Jan 2026).
Statistic Maximal Leakage: Considers leakage with respect to a fixed known secret, yielding a prior-independent and secret-specific privacy guarantee with efficient algorithms for deterministic mechanisms (Wang et al., 2024).
Generalized Gain Functions: Maximal $U$ 7-leakage and its α-, β-parameterized variants recover maximal leakage as the $U$ 8, $U$ 9, $Y$ 0 special case, unifying worst-case and average-case adversarial strategies (Kurri et al., 2022).
Robustness to Side Information: Maximal leakage is resilient under side information $Y$ 1 provided $Y$ 2; such information cannot increase leakage (Liao et al., 2019).

8. Bayesian Network Analysis and Coupling-Based Bounds

Recent advances provide tight coupling-based and sub-additivity bounds for maximal leakage in Bayesian networks, tightening naively loose union bounds through analysis of the structure of conditional distributions and minimal couplings (Makur et al., 4 Dec 2025). These bounds enable refined tracking of composite leakage in structured, graphical models.

In summary, maximal leakage provides an operationally meaningful, robust, and tractable measure of the worst-case privacy risk in one-shot adversarial settings. Its closed-form, compositional resilience, connections to classical and quantum information measures, and compatibility with a diverse spectrum of privacy notions make it foundational for principled information-theoretic privacy analysis, cryptographic system evaluation, and adaptive data analysis (Gilani et al., 2023, Gilani et al., 2022, Issa et al., 2018).