Variations and Extensions of Information Leakage Metrics with Applications to Privacy Problems with Imperfect Statistical Information

The conventional information leakage metrics assume that an adversary has complete knowledge of the distribution of the mechanism used to disclose information correlated with the sensitive attributes of a system. The only uncertainty arises from the specific realizations that are drawn from this distribution. This assumption does not hold in various practical scenarios, where an adversary usually lacks complete information about the joint statistics of the private, utility, and disclosed data. As a result, the typical information leakage metrics fail to measure the leakage appropriately. In this paper, we introduce multiple new versions of the traditional information-theoretic leakage metrics that represent information leakage for an adversary who lacks complete knowledge of the joint data statistics, and we provide insights into the potential uses of each. We experiment on a real-world dataset to further demonstrate how the introduced leakage metrics compare with the conventional notions of leakage. Finally, we show how privacy-utility optimization problems can be formulated in this context, such that their solutions result in the optimal information disclosure mechanisms for various applications.


I. INTRODUCTION
Suppose a user, who wishes to remain anonymous, discloses "pop music" to be their preferred music genre. Based on this information alone, it may be deduced that the anonymous user belongs to the 16-19 age demographic, as a 2018 statistical survey shows a preference for this genre among that specific age group [1]. Disclosing an apparently harmless piece of information can hence be used to infer, either correctly or incorrectly, a potentially sensitive attribute of a user.
In general, the observation of a disclosed variable correlated with a secret is expected to leak information about the secret. The disclosure can be intentional (e.g., over social media platforms) or can be the consequence of a system design flaw (e.g., improperly secured communications or databases). Consider an eavesdropper monitoring the channel that a user uses to log into their private account. Even though the password is usually encrypted while transferring over the network, it is nevertheless possible for the eavesdropper to reduce the search space of the password by analyzing the timing of the packets, as the packets are correlated with the keystrokes. Zhang and Wang [2] have shown a method to reduce the password search space by a factor of at least 250 using keystroke timing.
Therefore, it is possible for the users' information to extend beyond their expected privacy bound, essentially as a consequence of the platform design, even in the presence of various privacy safeguards. Such an extension leaks information regarding the sensitive attributes of a user. One of the fundamental topics of interest in computer security is how to quantify this privacy leakage. Various privacy measures have been proposed for quantifying the leakage previously, encompassing a broad range from information theory to data science. When using such metrics for providing security guarantees, it is essential to correctly specify their operational significance.
Various information leakage metrics have been proposed based on Shannon's entropy and mutual information [3], [4], [5], [6]. The authors in [7] defined different one-shot measures of information leakage, namely maximal leakage, maximal realizable leakage, maximal correlation, and local differential privacy leakage. Another notion in information theory, known as min-entropy, has been studied extensively to define information leakage [8], [9], [10]. Each of these metrics only provides operational meaning when it is assumed that the probabilistic mechanism used to disclose information associated with the private data is completely known. Even the recently proposed measures of information leakage based on f-information [11] and χ²-information [12] share the same assumption. For example, suppose the system utilizes Gaussian noise as a privacy measure. In that case, the metrics mentioned above assume that both the mean and variance of the noise are known, and that only the specific noise samples drawn from this distribution are unknown.
This assumption of complete knowledge of the joint distribution between the private and disclosed data (the end-to-end joint distribution) does not hold in practice. In general, even if the attacker tries to solve the same optimization problem as the data owner solved when deriving their optimal disclosure mechanism, the attacker no longer has access to the same context that the data owner used to learn their statistics. Since this results in mismatches between the real statistics and those computed by the attacker, the previous notions of information leakage do not provide an operational meaning. As the attacker only has an approximation of the joint distribution, we need metrics that accurately determine the probability of a correct guess by the adversary, or the adversary's belief about how correct their guess is. It is plausible that the adversary will act if they believe they have enough information to draw a conclusion. Observe that here the correctness of the inference is sometimes insignificant: as long as the adversary is confident in their inferred conclusion, they will carry out the action. It is important to note that there are two different ways to measure the confidence of the adversary: one is a posterior evaluation, following the acquisition of the disclosed data, and the other is an even more subjective prior evaluation.
The most pertinent work to our framework was performed by Chatzikokolakis et al. [13]. In that paper, the authors also considered the scenario where an adversary approximates the joint distribution based on their collection of samples. The authors subsequently analyzed the distribution of the estimated mutual information between the private and disclosed information. Eventually, they provided an estimation of the channel capacity based on this estimated mutual information.
The rest of the paper is organized as follows. In Section II, we discuss different state-of-the-art information leakage metrics. The system setup is delineated in Section III. Section IV discusses how to evaluate the true probability that the adversary makes a correct guess after observing the disclosed information. The true evaluation of the attacker's belief of success is explained in Section V. Section VI analyzes the metric to capture the subjective evaluation of the belief of the attacker's success. Several optimization problems are formulated in Section VII. We solve the proposed optimization problems and compare the optimized worst-case leakage values with the conventional notions of information leakage in Section VIII. We review several prior works in Section IX. Finally, in Section X, we summarize our paper and present the concluding remarks.

II. ESTABLISHED MEASURES OF INFORMATION LEAKAGE
Numerous leakage metrics have been proposed to represent information leakage in various scenarios. However, while defining each metric, identifying the correct output is essential to provide a contextual meaning. In this section, we shall group different state-of-the-art leakage metrics by the properties of the output these metrics capture.

Measurements of Uncertainty
The most straightforward way to define a privacy metric is to measure the uncertainty of an adversary's guess, and for a secure system, such uncertainty will be high. Shannon entropy [14] is the information-theoretic notion of measuring uncertainty, and most information-theoretic metrics are developed on this notion of entropy. Rényi entropy [15] is a generalization of Shannon entropy, with an additional parameter α. Depending on the value of α, Rényi entropy can represent different measures. Shannon entropy is a special case of Rényi entropy with α → 1. When α = 0, we shall have Hartley (or max) entropy, and taking α → ∞ results in min-entropy.
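The special cases mentioned above can be illustrated with a small sketch (the probability vector is an assumed toy example): a single Rényi entropy routine recovers Hartley entropy at α = 0, Shannon entropy in the limit α → 1, and min-entropy as α → ∞.

```python
import math

def renyi_entropy(p, alpha):
    """Rényi entropy of order alpha, in bits; p is a probability vector."""
    p = [q for q in p if q > 0]         # entropy ignores zero-mass outcomes
    if alpha == 1:                      # Shannon entropy (limit alpha -> 1)
        return -sum(q * math.log2(q) for q in p)
    if math.isinf(alpha):               # min-entropy (alpha -> infinity)
        return -math.log2(max(p))
    return math.log2(sum(q ** alpha for q in p)) / (1 - alpha)

p = [0.5, 0.25, 0.25]                   # assumed toy distribution
print(renyi_entropy(p, 0))              # Hartley (max) entropy: log2(3) ~ 1.585
print(renyi_entropy(p, 1))              # Shannon entropy: 1.5 bits
print(renyi_entropy(p, math.inf))       # min-entropy: 1.0 bit
```

Note that for any fixed distribution, Rényi entropy is non-increasing in α, so Hartley ≥ Shannon ≥ min-entropy, as the three printed values show.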
Conditional entropy [16] is prevalent in communication networks, where data is transmitted over a noisy channel and the receiver has to infer the transmitted data from the received data. The sender aims to keep the conditional entropy as small as possible, usually through error-correction coding, so that the receiver can make a better inference.
Cross-entropy measures the average number of bits required to encode data originating from one distribution when the encoding is optimized for a different distribution [17]. For example, assume an event Z has been generated according to the underlying probability distribution P, and that Q is an approximation of P. The cross-entropy between P and Q, denoted H(P, Q), then represents the number of bits required to encode Z when the encoding is based on Q instead of P.
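A minimal sketch of this definition, with assumed toy distributions P and Q: the cross-entropy reduces to the Shannon entropy when the model matches the true distribution, and the excess is exactly the Kullback-Leibler divergence.

```python
import math

def cross_entropy(p, q):
    """H(P, Q) = -sum_z P(z) log2 Q(z): expected bits to encode samples
    drawn from P using a code optimized for Q."""
    return -sum(pi * math.log2(qi) for pi, qi in zip(p, q) if pi > 0)

P = [0.5, 0.25, 0.25]        # assumed true distribution
Q = [0.25, 0.25, 0.5]        # assumed mismatched model
print(cross_entropy(P, P))   # Shannon entropy H(P) = 1.5 bits
print(cross_entropy(P, Q))   # 1.75 bits; the 0.25-bit gap is D_KL(P || Q)
```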

Quantification of Information Gain
In various privacy setups, an adversary eavesdrops on the communication channel between the legitimate users to collect information to compromise the users' privacy. Thus, it is important to quantify how much information the observation has leaked about the private variable. Relative entropy (also known as Kullback-Leibler divergence, D KL ) is one such metric [18]. Some applications rely on obfuscating data, for example in smart metering. For such cases, relative entropy indicates how far the distribution of distorted data is from the true distribution.
Similarly, mutual information computes how much information is shared between the random variable observed by the adversary and the random variable representing the private information. If the mutual information between these two random variables is high, the system leaks a considerable amount of information. In fact, mutual information is the Kullback-Leibler divergence between the joint distribution and the product of the marginals, so the two quantities provide closely related measures. However, mutual information is symmetric in its arguments, while Kullback-Leibler divergence is not.
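The identity I(X_p; Y) = D_KL(P(X_p, Y) || P(X_p)P(Y)) can be checked directly on an assumed toy joint distribution:

```python
import math

def kl(p, q):
    """Kullback-Leibler divergence D_KL(p || q) in bits."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)

# assumed toy joint distribution P(X_p, Y) on a 2x2 alphabet
joint = {(0, 0): 0.4, (0, 1): 0.1, (1, 0): 0.1, (1, 1): 0.4}
px = {x: sum(v for (a, _), v in joint.items() if a == x) for x in (0, 1)}
py = {y: sum(v for (_, b), v in joint.items() if b == y) for y in (0, 1)}

# I(X_p; Y) = D_KL( P(X_p, Y) || P(X_p) P(Y) )
pairs = sorted(joint)
mi = kl([joint[k] for k in pairs], [px[a] * py[b] for a, b in pairs])
print(mi)   # ~ 0.278 bits shared between the secret and the observation
```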
Additionally, we can extend the notion of mutual information to scenarios where an adversary possesses prior information regarding the private variable and the observed variable. Such an extension results in conditional mutual information, and this metric computes the amount of information about the private variable gained by the attacker upon observing the disclosed information, conditioned on the prior information [19]. A minor modification of mutual information results in maximal information leakage [20]. This metric indicates the maximum amount of information an adversary can gain upon obtaining only a single observation. Finally, Fisher information [21] measures the amount of information that an observed variable contains about the parameter of interest that models the distribution of the observed variable.

Data Indistinguishability
Data Indistinguishability indicates if an adversary can distinguish between two separate objects of interest. Differential privacy [22], formulated around two databases that differ by a single entry, has emerged as the consensus definition of publishing data in a privacy-preserving manner. This metric guarantees that the probability distributions of the result of a database query are approximately the same (within a small multiplicative factor of e^ϵ) for two neighboring databases. Even though differential privacy provides formal privacy guarantees, a no-free-lunch theorem shows that such guarantees degrade when data are correlated [23].
Relaxing the original notion of differential privacy by allowing a small additive slack δ results in an approximate differential privacy metric that admits a wider range of query types [24] than the original differential privacy metric, albeit at some cost in privacy. The use of δ prevents the analysis from being overly restrictive when evaluating two probability distributions on sets to which both distributions assign very small probabilities. For example, if one distribution's integral over a small set is 10^{-10} while the other distribution's integral over the same set is 10^{-15}, then their ratio is 10^5. This ratio is much larger than e^ϵ but still irrelevant, as the integrals of both distributions over the set are minimal.
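The role of δ in the example above can be illustrated with a brute-force check (all numeric values are assumed for illustration): the (ε, δ) condition P(S) ≤ e^ε Q(S) + δ is verified over every event S of two small finite distributions, one of which blows up the ratio only on an event of negligible mass.

```python
import math
from itertools import combinations

def satisfies_adp(p, q, eps, delta):
    """Brute-force check of the approximate-DP condition
    P(S) <= e^eps * Q(S) + delta over all events S (one direction only)."""
    n = len(p)
    for r in range(1, n + 1):
        for S in combinations(range(n), r):
            pS = sum(p[i] for i in S)
            qS = sum(q[i] for i in S)
            if pS > math.exp(eps) * qS + delta:
                return False
    return True

# two output distributions whose ratio blows up only on a tiny-mass event
p = [0.6, 0.4 - 1e-10, 1e-10]
q = [0.6, 0.4 - 1e-15, 1e-15]
print(satisfies_adp(p, q, eps=0.1, delta=1e-9))  # True: delta absorbs it
print(satisfies_adp(p, q, eps=0.1, delta=0.0))   # False: ratio 1e5 >> e^0.1
```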
We can extend this approximate differential privacy to a framework where users consider the data aggregator untrusted and apply randomness to their own data before sending them to the central server [25]. Another possible extension of differential privacy applies to a framework where the parameter controlling the generation of the datasets is protected instead of the datasets themselves. Such an extension results in distributional privacy [26]. Finally, characterizing the distance between two datasets with a distinguishability metric d_χ, instead of the Hamming distance, results in d_χ-privacy [27].

III. SYSTEM SETUP
In this paper, we shall consider a setup where each user shares personal information in exchange for utility, such as gratifications that can be achieved through social interactions. In such a setup, each user is characterized by several features. A user may wish to keep some of these features private while disclosing other feature values to get some form of utility. For example, a user might be reluctant to reveal their political affiliation. In contrast, they might be willing to let others know their food preferences so that they can get better restaurant recommendations. We shall refer to their political affiliation as a private feature, and to their food preferences as a utility feature. Additionally, we also consider the existence of other features that are neither utility nor private features.
Throughout the paper, we shall use random variable X p to represent private features, and utility features will be represented by the random variable X u . Note that no restrictions are imposed on the correlation between X u and X p . Additionally, we denote the rest of the features that are neither utility nor private by X and assume that X is correlated with both X p and X u . Finally, we denote the support of random variable X p as X p , and support of X u as X u .
Let us discuss an example to understand the correlation between X_p, X_u, and X. Consider the Netflix recommender system [28]. The utility of the platform is achieved by issuing a recommendation (X_u) for a specific show to a user. However, as can be seen from [28], in addition to the show's features, the recommender considers a variety of user features, like the user's interactions with the platform, the time of day when the show is being watched, the device on which the user is watching the show, etc. These user features X are clearly related to the recommendation X_u, but they may also be related to the user's political affiliation X_p, which the user may expect to keep private. In fact, Narayanan et al. [29] showed that it is possible to infer users' political preference from their movie ratings. Therefore, instead of releasing either X_u (which in this case the user does not even know) or X, the user's best option may be to release Y, a perturbed version of X.
In essence, (X p , X u ) → X → Y form a Markov chain. Here, privacy is inversely proportional to the leaked information about X p from Y , whereas utility is directly proportional to the gained information about X u from Y .
Due to the Markov property, we get the following conditional distribution of Y given X, X_p, and X_u:

P_{Y|X,X_p,X_u}(y|x, x_p, x_u) = P_{Y|X}(y|x).    (1)

Particular instantiations of the Markov chain include the situations in which X = X_u [30] and in which X_u ⊂ X [31]. When X = X_u, X_p → X_u → Y forms the Markov chain, whereas X_u ⊂ X results in the X_p → (X_u, X) → Y Markov chain.
In this paper, we are considering an adversary who has bounded resources and lacks complete statistical information about the joint distribution of the private, utility, and disclosed variables. It is possible for the adversary to gain information regarding the joint distribution through some side-channels. For example, the adversary can collect several (X p , X u , X, Y ) tuples, possibly from some of their friends, and use these tuples to approximate the joint distribution.
Usually, the adversary approximates the true joint distribution between X_p and Y, P(X_p, Y), as Q(X_p, Y) based on their collection of (X_p, X_u, X, Y) tuples. We assume that the adversary knows the correct prior distribution of X_p, P_{X_p}. Thus, the uncertainty arises from the lack of knowledge of P_{Y|X_p}, and consequently the adversary approximates P_{Y|X_p} as Q_{Y|X_p}.
The adversary can learn Q_{Y|X_p} in several ways. As a matter of fact, the uncertainty about Q_{Y|X_p} arises from two sources. One of them is the privacy mechanism, P_{Y|X}, while the other is the likelihood of X given X_p, P_{X|X_p}. It is possible that the adversary possesses complete knowledge of either one of them. However, in most cases, the adversary lacks perfect knowledge of the statistics of both of these distributions. Therefore, depending on the application domain and the knowledge of the adversary, they can learn the privacy mechanism, the likelihood of X given X_p, or both of these distributions directly from the collected tuples. Note that the adversary learns each of the distributions at a possibly different accuracy. Accordingly, the adversary can learn P_{Y|X} with a certain accuracy and P_{X|X_p} with an accuracy that most probably differs from that of the learned P_{Y|X}. Throughout the paper, we assume that the adversary only lacks the true knowledge of the privacy mechanism.
Once the adversary has Q_{Y|X}, they can compute Q_{X_p|Y} as follows:

Q_{X_p|Y}(x_p|y) = P_{X_p}(x_p) Σ_x P_{X|X_p}(x|x_p) Q_{Y|X}(y|x) / Σ_{x'_p} P_{X_p}(x'_p) Σ_x P_{X|X_p}(x|x'_p) Q_{Y|X}(y|x).    (2)

Note that P_{X_p|Y} can also be computed using the true privacy mechanism, by replacing Q_{Y|X} with P_{Y|X} in (2):

P_{X_p|Y}(x_p|y) = P_{X_p}(x_p) Σ_x P_{X|X_p}(x|x_p) P_{Y|X}(y|x) / Σ_{x'_p} P_{X_p}(x'_p) Σ_x P_{X|X_p}(x|x'_p) P_{Y|X}(y|x).    (3)

Similar to the adversary, a utility provider also lacks perfect knowledge of the privacy mechanism. Consequently, the utility provider approximates the privacy mechanism as Q′_{Y|X}. However, the utility provider is interested in inferring the correct value of X_u from Y. Therefore, they utilize the collected (X_p, X_u, X, Y) tuples to approximate P_{X_u|Y} as Q′_{X_u|Y} in order to infer X_u. To summarize, in our proposed setup, each user has both private (X_p) and utility (X_u) features. Additionally, we have also considered other features that are neither private nor provide any utility (X), and a perturbed version of these other features (Y) is disclosed. Both the adversary and the utility provider lack complete knowledge of the privacy mechanism. Thus, they obtain an approximation of the privacy mechanism based on their collected (X_p, X_u, X, Y) tuples. Subsequently, the adversary utilizes Q_{X_p|Y} to infer X_p, whereas the utility provider employs Q′_{X_u|Y} to guess X_u. Table I presents a summary of the notation used throughout the paper.
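As a small sketch of this Bayesian step with assumed toy numbers (and, for brevity, with the adversary's approximation expressed directly as Q_{Y|X_p}), the adversary combines the known prior P_{X_p} with its approximated mechanism to form the posterior Q_{X_p|Y}:

```python
# Assumed toy setup: true prior on the secret and the adversary's
# approximated mechanism Q_{Y|Xp} (both alphabets binary).
P_Xp = {0: 0.7, 1: 0.3}
Q_Y_given_Xp = {0: {0: 0.8, 1: 0.2},
                1: {0: 0.3, 1: 0.7}}

# Q_Y(y) = sum_xp P_Xp(xp) * Q_{Y|Xp}(y|xp)
Q_Y = {y: sum(P_Xp[xp] * Q_Y_given_Xp[xp][y] for xp in P_Xp) for y in (0, 1)}

# Bayes' rule: Q_{Xp|Y}(xp|y) = P_Xp(xp) * Q_{Y|Xp}(y|xp) / Q_Y(y)
Q_Xp_given_Y = {y: {xp: P_Xp[xp] * Q_Y_given_Xp[xp][y] / Q_Y[y]
                    for xp in P_Xp} for y in (0, 1)}
print(Q_Xp_given_Y)
```

Each conditional Q_{X_p|Y}(·|y) sums to one by construction; the same routine with the true P_{Y|X_p} would yield P_{X_p|Y}.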

IV. TRUE EVALUATION OF ATTACKER'S SUCCESS
Our setup admits several categories of privacy measures, since the information leakage depends on the approximated mechanism Q_{X_p|Y}. We shall begin by providing a measure of the true probability that the attacker makes a correct guess regarding the value of X_p after observing Y.
[Table I (notation summary, partially recovered): original joint distribution of X_p and X_u; P_{Y|X} - original privacy mechanism; Q_{Y|X} - privacy mechanism approximated by the adversary; Q′_{Y|X} - privacy mechanism approximated by the utility provider; minimum utility of the system; δ_L - minimum distance between the original and approximated privacy mechanisms; δ_U - maximum distance between the original and approximated privacy mechanisms.]

Let us analyze the definition of min-entropy leakage first. This metric provides a one-shot measure for guessing X_p. For a blind guess, that is, without collecting any Y, the adversary will always choose the x ∈ X_p that maximizes the prior probability of X_p (i.e., P_{X_p}). This measure is known as min-entropy and is defined by (4):

H_∞(X_p) = −log₂ max_{x∈X_p} P_{X_p}(x).    (4)

After observing Y, the adversary believes they can make a better guess than the blind guess, and the uncertainty in guessing the correct value of X_p is reduced. This reduced uncertainty is represented by the conditional min-entropy H_∞(X_p|Y). Finally, the min-entropy leakage, denoted L(P_{X_p|Y}), is defined as the difference between these two measures of entropy. The mathematical representation of the metric is shown in (5) [10]. We denote the support of Y by Y, and we let x*_1(y) = arg max_{x∈X_p} P_{X_p|Y}(x|y):

L(P_{X_p|Y}) = H_∞(X_p) − H_∞(X_p|Y) = H_∞(X_p) + log₂ Σ_{y∈Y} P_Y(y) P_{X_p|Y}(x*_1(y)|y).    (5)

Observe that the measure of min-entropy leakage does not consider the disclosure mechanism approximated by the adversary (i.e., Q_{X_p|Y}) in any capacity. Consequently, this measure is not applicable to an adversary who lacks perfect knowledge of the privacy mechanism. Therefore, we need a measure that accurately computes the actual information leaked by a system when the adversary lacks such knowledge. We shall refer to this measure of actual information leakage as objective leakage. Depending on the application scenario and the characteristics of the adversary, we can have several classes of objective leakage.
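Equations (4) and (5) can be computed directly on an assumed toy channel (all numbers below are illustrative, with the mechanism expressed as P_{Y|X_p} for brevity):

```python
import math

# Assumed toy prior and true mechanism P_{Y|Xp}
P_Xp = {0: 0.7, 1: 0.3}
P_Y_given_Xp = {0: {0: 0.9, 1: 0.1}, 1: {0: 0.2, 1: 0.8}}

P_Y = {y: sum(P_Xp[x] * P_Y_given_Xp[x][y] for x in P_Xp) for y in (0, 1)}
P_Xp_given_Y = {y: {x: P_Xp[x] * P_Y_given_Xp[x][y] / P_Y[y] for x in P_Xp}
                for y in (0, 1)}

H_inf = -math.log2(max(P_Xp.values()))                 # eq. (4)
# eq. (5): L = H_inf + log2 sum_y P_Y(y) * max_x P_{Xp|Y}(x|y)
leak = H_inf + math.log2(sum(P_Y[y] * max(P_Xp_given_Y[y].values())
                             for y in P_Y))
print(leak)   # min-entropy leakage in bits; 0 iff Y is useless for guessing
```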

Average Objective Leakage
Let us begin by discussing how to compute, on average, how much information is leaked by Y. Adopting the same approach as in min-entropy leakage, we identify the x ∈ X_p that maximizes Q_{X_p|Y}, and denote this index as x*_2(y) = arg max_{x∈X_p} Q_{X_p|Y}(x|y). Substituting x*_2(y) for x*_1(y) in (5) gives the objective leakage. This measure gives the actual leakage of the system, averaged over all possible observations. Thus, we refer to this metric as average objective leakage (AOL). The mathematical formula for AOL is given by (6):

AOL = H_∞(X_p) + log₂ Σ_{y∈Y} P_Y(y) P_{X_p|Y}(x*_2(y)|y).    (6)

Let us break down the definition to understand the meaning behind such a formulation. For each y ∈ Y, P_{X_p|Y}(x*_2(y)|y) represents the true probability that the adversary makes a correct guess about the value of X_p after observing Y = y. Multiplication by P_Y(y) provides the properly scaled measurement of this true probability. Finally, summing over all possible values of y gives the average scaled probability that the adversary's guess is correct.
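The key point of (6) is that the guess x*_2(y) comes from the adversary's approximation Q, but it is scored under the true distribution P. In the assumed toy example below, Q misleads the adversary into always guessing the same value, so the AOL collapses to zero even though the true min-entropy leakage of the channel is positive:

```python
import math

# Assumed toy setup: true mechanism P and the adversary's approximation Q
P_Xp = {0: 0.7, 1: 0.3}
P_Y_given_Xp = {0: {0: 0.9, 1: 0.1}, 1: {0: 0.2, 1: 0.8}}   # true
Q_Y_given_Xp = {0: {0: 0.6, 1: 0.4}, 1: {0: 0.7, 1: 0.3}}   # approximation

def posterior(prior, channel):
    py = {y: sum(prior[x] * channel[x][y] for x in prior) for y in (0, 1)}
    return py, {y: {x: prior[x] * channel[x][y] / py[y] for x in prior}
                for y in (0, 1)}

P_Y, P_post = posterior(P_Xp, P_Y_given_Xp)
_, Q_post = posterior(P_Xp, Q_Y_given_Xp)

# x*_2(y): the adversary's guess taken from Q, scored under the true P
guess = {y: max(Q_post[y], key=Q_post[y].get) for y in P_Y}
H_inf = -math.log2(max(P_Xp.values()))
aol = H_inf + math.log2(sum(P_Y[y] * P_post[y][guess[y]] for y in P_Y))
print(aol)   # ~ 0 here: the misled adversary does no better than a blind guess
```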
Issa et al. [7] introduced a framework to allow an adversary to have multiple guesses instead of a single guess. The measure of average objective leakage can easily be extended to a multiple guessing framework. After observing Y , we shall let adversary have k independent guesses to predict X p , instead of a single guess. To measure the average value of objective leakage in this multiple guessing framework, we extend the notion of average objective leakage to k-average objective leakage (k-AOL).
Observe that H_∞(X_p) provides a measure of the initial uncertainty in guessing X_p when the adversary is allowed a single blind guess. For measuring the initial uncertainty in the multiple guessing framework, we need to extend the measure of min-entropy to k guesses. The adversary can exploit the knowledge of P_{X_p} to construct the k blind guesses that maximize the probability of hitting the correct value of X_p. The adversary can sort P_{X_p} according to the probability of each value of X_p and subsequently use the first k indices of X_p as the k independent guesses. For example, if P_{X_p} is represented by Table II and the adversary makes k = 2 guesses, then they will guess X_p = 3 and X_p = 1, as these two values of X_p have the two highest probabilities. The mathematical formulation of min-entropy in the multiple guessing framework is shown in (7):

H^k_∞(X_p) = −log₂ Σ_{i=1}^{k} P_{X_p}(x*_0(i)).    (7)
Here, x*_0(i) is the value of X_p corresponding to the i-th largest P_{X_p}(x), such that x*_0(1) = arg max_x P_{X_p}(x). Note that, for the rest of the paper, we shall use H_∞(X_p) to indicate the initial uncertainty in guessing X_p when the adversary is allowed a single guess, and H^k_∞(X_p) to indicate the initial uncertainty when the adversary makes k independent guesses. Now we show how to measure AOL for k independent guesses. Initially, for a specific y, consider the probability of a correct guess of the value of X_p in each independent guess. Afterward, sum these probabilities over all k guesses to obtain the unscaled probability that the adversary makes a correct guess. Then, scale the value by multiplying by P_Y(y). Finally, summing over all possible y's and adding the logarithm of this sum to H^k_∞(X_p) gives the average objective leakage for k independent guesses. The formula for this measure is given by (8):

k-AOL = H^k_∞(X_p) + log₂ Σ_{y∈Y} P_Y(y) Σ_{i=1}^{k} P_{X_p|Y}(x*_2(y, i)|y).    (8)

Here, P_{X_p|Y}(x*_2(y, i)|y) indicates the true probability that the adversary makes a correct guess of X_p for that specific y in their i-th guessing attempt.
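The k-blind-guess uncertainty of (7) is easy to sketch: sort the prior and keep the k largest masses. The prior below is assumed so as to mirror the Table II example, where the two best guesses are X_p = 3 and X_p = 1:

```python
import math

# Assumed toy prior, chosen so the top-2 guesses are X_p = 3 then X_p = 1
P_Xp = {1: 0.3, 2: 0.1, 3: 0.4, 4: 0.2}

def H_inf_k(prior, k):
    """Eq. (7): min-entropy under k optimal blind guesses."""
    top_k = sorted(prior.values(), reverse=True)[:k]
    return -math.log2(sum(top_k))

print(H_inf_k(P_Xp, 1))   # -log2(0.4) ~ 1.32 bits
print(H_inf_k(P_Xp, 2))   # guesses X_p = 3 and X_p = 1: -log2(0.7) ~ 0.51
```

Unsurprisingly, the initial uncertainty is non-increasing in k: more blind guesses can only help.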

Maximum Objective Leakage
Average objective leakage provides an average guessing performance of the adversary. It is possible to have some realization of Y for which the probability of correct guessing is high, but averaging over all realizations reduces the weight of this leakage. However, if our X p is sensitive data (e.g., medical records of an individual), we must consider the maximum information that can be leaked by the system and accordingly, we get maximum objective leakage (MaxOL).
We know that for each y ∈ Y, P_{X_p|Y}(x*_2(y)|y) indicates the true probability of the attacker making a correct guess regarding the value of X_p. We are only interested in measuring the maximum leakage the adversary can realize for their guess. Thus, we only need to maximize such true probabilities over all possible values of y. Adding the log₂ of this maximum to the initial uncertainty results in the maximum objective leakage. The formula of maximum objective leakage for the one-shot measure is shown in (9), and (10) extends the one-shot measure to the multiple guessing framework:

MaxOL = H_∞(X_p) + log₂ max_{y∈Y} P_{X_p|Y}(x*_2(y)|y),    (9)
k-MaxOL = H^k_∞(X_p) + log₂ max_{y∈Y} Σ_{i=1}^{k} P_{X_p|Y}(x*_2(y, i)|y).    (10)

Minimum Objective Leakage
Minimum objective leakage (MinOL) indicates the lowest possible leakage the adversary can attain for their guess. Thus, this metric represents the best-case information leakage for the system designer. Formulas for the one-shot and k-shot measures of minimum objective leakage are given by (11) and (12), respectively:

MinOL = H_∞(X_p) + log₂ min_{y∈Y} P_{X_p|Y}(x*_2(y)|y),    (11)
k-MinOL = H^k_∞(X_p) + log₂ min_{y∈Y} Σ_{i=1}^{k} P_{X_p|Y}(x*_2(y, i)|y).    (12)

Now we provide the operational meaning of the minimum objective leakage. While maximum objective leakage implies the worst-case information leakage for the designer, the minimum objective leakage indicates the best-case private information leakage scenario. However, if we substitute X_u for X_p, this becomes a measure of the worst-case utility gain for the utility provider. While designing the system, the designer does not know beforehand how much gain the utility provider will realize. Thus, the designer may consider the worst-case scenario and, accordingly, ensure that the minimum objective leakage of the system meets the utility requirement in this worst case.
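MaxOL and MinOL, as in (9) and (11), differ from AOL only in replacing the P_Y-weighted average by a maximum or minimum over y. A sketch with assumed toy numbers (mechanisms expressed as P_{Y|X_p} and Q_{Y|X_p} for brevity):

```python
import math

# Assumed toy setup: true mechanism P and the adversary's approximation Q
P_Xp = {0: 0.7, 1: 0.3}
P_Y_given_Xp = {0: {0: 0.9, 1: 0.1}, 1: {0: 0.2, 1: 0.8}}   # true
Q_Y_given_Xp = {0: {0: 0.8, 1: 0.2}, 1: {0: 0.1, 1: 0.9}}   # approximation

def posterior(prior, channel):
    py = {y: sum(prior[x] * channel[x][y] for x in prior) for y in (0, 1)}
    return py, {y: {x: prior[x] * channel[x][y] / py[y] for x in prior}
                for y in (0, 1)}

P_Y, P_post = posterior(P_Xp, P_Y_given_Xp)
_, Q_post = posterior(P_Xp, Q_Y_given_Xp)
guess = {y: max(Q_post[y], key=Q_post[y].get) for y in P_Y}   # x*_2(y)

H_inf = -math.log2(max(P_Xp.values()))
max_ol = H_inf + math.log2(max(P_post[y][guess[y]] for y in P_Y))  # eq. (9)
min_ol = H_inf + math.log2(min(P_post[y][guess[y]] for y in P_Y))  # eq. (11)
print(max_ol, min_ol)   # worst-case vs best-case leakage; max_ol >= min_ol
```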

V. TRUE EVALUATION OF ATTACKER'S BELIEF OF SUCCESS
Heretofore, we have introduced measures to compute the true probability that the attacker makes a correct guess about X_p after observing Y. However, those measures do not reflect the attacker's belief of being successful. Depending on the metric definition, it is possible to capture both true and subjective assessments of the attacker's belief of success. In this section, we shall discuss the measures that calculate the true assessment. We term the metrics that calculate this true evaluation of the attacker's belief of success confidence boost.
We already know that, based on the approximated mechanism Q_{X_p|Y}, the adversary makes the guess x*_2(y) for a particular y. Substituting this x*_2(y) into Q_{X_p|Y} gives the subjective evaluation of the attacker's belief. This belief indicates the probability with which the adversary thinks they have made a correct guess regarding the value of X_p for that specific value of y. Therefore, this metric is related to the confidence gain that the attacker believes they have achieved by observing Y.

Now we shall present the operational meaning of the confidence boost metric. This metric is important when the adversary decides to act based on their confidence. Suppose an adversary plans to perform a harmful action against an entity if that individual has performed a specific action. Consequently, the adversary observes the behavior of said entity for a limited amount of time. It is plausible that the behavior of that particular individual during that limited time does not represent their usual behavior. However, if the attacker gets a high confidence boost, they will most likely perform the harmful action. Note that the correctness of the inference is not of utmost importance in this case: the adversary acts as long as their confidence boost is significant.

Let us provide an example to explain the application of the confidence boost metric. Consider a scenario where the police collect some public information that leaks several sensitive attributes of a specific user. This collected information supports the conclusion that this person is a criminal. Note here that the police are collecting public information through a mechanism that they do not know perfectly. Yet if they have high confidence in their decision, they will arrest that specific person irrespective of the correctness of the decision. In fact, having high confidence in a wrong decision can, in this scenario, lead to potentially devastating consequences.
Such an incorrect inference will not only cause a significant personal loss for that user but will also cause considerable damage to the administration, likely in the form of several lawsuits. Now that we have shown the application of the confidence boost metric, we shall provide its mathematical formulation. As with objective leakage, we can define several classes of confidence boost.

Average Confidence Boost
Suppose we are interested in measuring the average true confidence boost the adversary gets after observing Y. To perform such a measurement, first, for each value of y ∈ Y, take the probability with which the adversary believes they have made a correct guess, represented by Q_{X_p|Y}(x*_2(y)|y). Next, multiply this belief by the true marginal distribution of Y, P_Y(y). Summing over all possible values of y and adding the logarithm of this sum to the initial uncertainty of guessing X_p provides the measure of the average confidence boost (ACB) of the adversary. The mathematical formulation for this measure is given by (13), and (14) extends this one-shot measure to the multiple guessing framework:

ACB = H_∞(X_p) + log₂ Σ_{y∈Y} P_Y(y) Q_{X_p|Y}(x*_2(y)|y),    (13)
k-ACB = H^k_∞(X_p) + log₂ Σ_{y∈Y} P_Y(y) Σ_{i=1}^{k} Q_{X_p|Y}(x*_2(y, i)|y).    (14)

Maximum Confidence Boost
Recall from the previous section that when X_p corresponds to sensitive information, the system designer needs to consider the maximum information leakage that the adversary can realize. Such consideration results in the maximum confidence boost (MaxCB) for the one-shot measure and the k-maximum confidence boost (k-MaxCB) for k independent guesses of the adversary. The mathematical formulations of MaxCB and k-MaxCB are given by (15) and (16), respectively. Here, max_{y∈Y} Q_{X_p|Y}(x*_2(y)|y) indicates the maximum possible confidence boost the attacker can realize for any value of y. Observe that we are not multiplying this confidence boost by P_Y, as we did in the average measurement. Thus, MaxCB is a function of only Q_{X_p|Y} for the adversary:

MaxCB = H_∞(X_p) + log₂ max_{y∈Y} Q_{X_p|Y}(x*_2(y)|y),    (15)
k-MaxCB = H^k_∞(X_p) + log₂ max_{y∈Y} Σ_{i=1}^{k} Q_{X_p|Y}(x*_2(y, i)|y).    (16)

Minimum Confidence Boost
Finally, we extend the notion of the confidence boost metric to compute both the one-shot measure of minimum confidence boost (MinCB) and the minimum confidence boost for the multiple guessing framework (k-MinCB). The mathematical formulations are shown in (17) and (18), respectively. Similar to MaxCB, MinCB is also a function of only Q_{X_p|Y}:

MinCB = H_∞(X_p) + log₂ min_{y∈Y} Q_{X_p|Y}(x*_2(y)|y),    (17)
k-MinCB = H^k_∞(X_p) + log₂ min_{y∈Y} Σ_{i=1}^{k} Q_{X_p|Y}(x*_2(y, i)|y).    (18)

Interestingly, both the one-shot and k-shot measures of minimum confidence boost capture the characteristics of an adversary who is not at all confident in their approximated mechanism and always considers the worst-case output. Thus, the minimum confidence boost represents the confidence boost that a pessimistic adversary gains upon observing the disclosed variable Y.
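Since MaxCB (15) and MinCB (17) depend only on the adversary's approximated posterior, a sketch needs nothing but Q_{X_p|Y} and the prior (all values below are assumed toy numbers):

```python
import math

# Assumed toy values: the adversary's approximated posterior Q_{Xp|Y}(.|y)
Q_post = {0: {0: 0.95, 1: 0.05},
          1: {0: 0.40, 1: 0.60}}
P_Xp = {0: 0.7, 1: 0.3}   # known true prior on the secret

belief = {y: max(Q_post[y].values()) for y in Q_post}   # Q(x*_2(y)|y)
H_inf = -math.log2(max(P_Xp.values()))
max_cb = H_inf + math.log2(max(belief.values()))        # eq. (15)
min_cb = H_inf + math.log2(min(belief.values()))        # eq. (17)
print(max_cb, min_cb)   # a pessimistic adversary only credits min_cb
```

Note that min_cb can be negative: for the worst y, the adversary's believed posterior is below the prior's maximum, so a pessimistic adversary sees no confidence gain at all.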
VI. SUBJECTIVE EVALUATION OF ATTACKER'S BELIEF OF SUCCESS

Formerly, we defined measures for both the proper evaluation of the attacker's success and the true evaluation of the attacker's belief of success. In this section, we extend the measures to reflect the confidence boost that an attacker expects to gain by collecting additional realizations of Y.

Average Subjective Leakage
Recall that for each y ∈ Y, Q_{X_p|Y}(x*_2(y)|y) indicates the probability with which the adversary believes they have made a correct guess of the value of X_p for that specific y. Multiplying this belief by the attacker's approximated marginal distribution Q_Y yields the attacker's expected confidence boost. The formula for the one-shot measure of average subjective leakage (ASL) is shown in (19), and (20) extends this one-shot measure to the multiple-guessing framework. To understand what aspect of leakage this subjective measure portrays, observe that the definition of the metric relates the probability with which the attacker thinks they have made the correct guess for each y ∈ Y to the attacker's approximated distribution of Y, Q_Y(y). Thus, this metric represents an a priori measurement of the confidence boost an adversary expects to gain if they decide to collect more realizations of Y. This measure enables the adversary to decide whether the cost incurred in gathering the disclosed information is worth the effort.
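Based on the verbal description (the published (19) is not reproduced here), one plausible form, mirroring min-entropy leakage, is:

```latex
% Plausible reconstruction of the one-shot ASL (19): the adversary's belief,
% now weighted by the adversary's own approximated marginal Q_Y.
\mathrm{ASL}\bigl(Q_Y, Q_{X_p|Y}\bigr)
  = H_\infty(X_p)
  + \log \sum_{y \in \mathcal{Y}} Q_Y(y)\, Q_{X_p|Y}\bigl(x_2^*(y) \mid y\bigr)
```

The weighting distribution Q_Y (believed) replacing the true P_Y is exactly what makes the measure subjective.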
Let us again consider the example where the police collect public information that leaks private information about a user. The collected public information is consistent with the conclusion that the user is a criminal. However, the police may believe they do not have enough information to draw the conclusion with high confidence. The question then arises of how many more resources the police are willing to invest in collecting additional public information that leaks private information about the user.
The average subjective leakage metric will enable the police to answer the question. Let us assume that the police have collected information about the user's behavior for a week and want to analyze if further information collection for another week is worth the effort. Consequently, they compute the average value of the subjective leakage using the gathered information, and if the average subjective leakage is minimal for a further collection of information, the police may conclude that further information collection may not boost the confidence any higher and may decide not to allocate more time and resources for the information collection.
Observe that we do not have notions of maximum subjective leakage or minimum subjective leakage. Subjective leakage allows the adversary to make a decision through the utilization of Q Y . Recall that for measuring either the maximum or minimum of any proposed metrics, we have dropped the multiplication with the marginal distribution of Y as such multiplication does not have any operational meaning. Therefore, we do not have any mathematical formulation of either maximum subjective leakage or minimum subjective leakage.

Subjective Local Differential Privacy Leakage
The measures we have introduced heretofore deal with both the information gain and reduction in uncertainty of the adversary for guessing X p after observing Y . Now, we shall introduce measures to capture the data distinguishing ability of the adversary upon observing the disclosed variable Y .
Adhering to the formulation provided by the authors in [7], we get (21) to represent the local differential privacy leakage (LDPL) of the original distribution P_{X_p|Y}. This LDPL measure computes the ratio of likelihoods for two values of X_p and a specific Y. The local differential privacy leakage measure maximizes over Y and thus represents the worst-case leakage for the system designer. It is possible to extend the metric to represent the average leakage of the system. We refer to this metric as average local differential privacy leakage (ALDPL), shown in (22). Here, the log-likelihood ratio indicates the true ability to distinguish two elements of X_p for each y ∈ Y; we then average these ratios over the possible realizations of Y to obtain the average local differential privacy leakage metric. We can also extend the notion of local differential privacy leakage to represent the subjective evaluation of the adversary's belief in distinguishing two input values based on a specific set of realizations of the disclosed variable Y. Suppose we replace P_{Y|X_p} with Q_{Y|X_p} in (21). In that case, we get the attacker's subjective evaluation of their capability to differentiate two values of X_p for a specific Y. Here we are maximizing over all possible values of Y, and accordingly, we refer to the measure as maximum subjective local differential privacy leakage (MaxSLDPL). The mathematical formulation is shown in (23).
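Following the verbal definitions, (21)-(23) can plausibly be written as below (a reconstruction; the paper's exact notation is not reproduced in this excerpt):

```latex
% (21) Worst-case local differential privacy leakage over y and input pairs:
\mathrm{LDPL} = \max_{y \in \mathcal{Y}} \max_{x, x' \in \mathcal{X}_p}
  \log \frac{P_{Y|X_p}(y \mid x)}{P_{Y|X_p}(y \mid x')}

% (22) Average version: the per-output log-likelihood ratio, averaged under P_Y:
\mathrm{ALDPL} = \sum_{y \in \mathcal{Y}} P_Y(y) \max_{x, x' \in \mathcal{X}_p}
  \log \frac{P_{Y|X_p}(y \mid x)}{P_{Y|X_p}(y \mid x')}

% (23) Subjective worst case: replace P_{Y|X_p} with the adversary's Q_{Y|X_p}:
\mathrm{MaxSLDPL} = \max_{y \in \mathcal{Y}} \max_{x, x' \in \mathcal{X}_p}
  \log \frac{Q_{Y|X_p}(y \mid x)}{Q_{Y|X_p}(y \mid x')}
```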
The adversary will be highly confident that they can differentiate between x and x ′ if (23) results in a high value. Thus, this metric also represents the confidence of the attacker.
Let us now analyze how the metric MaxSLDPL can let the police assess their conclusion that the specific user is a criminal. The police can compute Q_{Y|X_p} beforehand from their collected (X_p, X_u, X, Y) tuples. Once they observe a specific behavior of interest, specified by Y, from the particular user, they can straightaway employ the MaxSLDPL metric to measure how much difference this particular realization of Y makes to the police's belief that the user is guilty.
Here, x can represent the scenario where the user is guilty of a crime, and x' can indicate those situations where the user is innocent. If the value of MaxSLDPL is high and positive, the police will be more confident in their conclusion that the user is indeed a criminal, whereas a negative value will reduce the police's confidence in their conclusion.
We can also formulate the minimum subjective local differential privacy leakage (MinSLDPL), which captures the characteristics of a pessimistic adversary. The definition is shown in (24). Finally, we can also define average measures of the subjective local differential privacy leakage metric. Depending on the definition, it is possible to capture both the true estimation and the subjective belief of the adversary's confidence boost in distinguishing between two inputs of X_p.
We propose the objective average subjective local differential privacy leakage (OASLDPL) to represent the true confidence boost of the adversary in distinguishing between two input values for a fixed observed Y. The mathematical formulation is shown in (25). Note that we multiply the attacker's belief about their capability to differentiate two input values (i.e., the log-likelihood ratio computed from Q_{Y|X_p}) by the true marginal distribution P_Y. Thus, similar to the confidence boost metrics, this multiplication indicates the true confidence boost that the adversary realizes for distinguishing between two inputs upon observing Y.
Similarly to subjective leakage, if we instead multiply by Q_Y, we obtain a metric representing the attacker's expectation of their ability to differentiate two input values upon further collection of Y. We term this metric the subjective average subjective local differential privacy leakage (SASLDPL), and the formulation is given by (26).

VII. PROBLEM SETUP

Heretofore, we have introduced various information leakage metrics and explained the application scenario of each. In this section, we begin by summarizing the intuition behind the formulation of each metric. Afterward, we present the problem formulation utilizing these different notions of information leakage.
The importance of the true evaluation of the attacker's success (i.e., objective leakage) is apparent. Such a measure indicates the correctness of the inference made by the adversary upon observing the disclosed information. The subjective leakage measures enable the adversary to decide whether further information collection for a specific individual is worth the effort. For example, suppose an adversary tracked an individual for a certain period and collected information about that individual's behavior. Afterward, the adversary wants to determine whether to keep collecting information about the specific user. For this, the adversary may compute the expected gain achievable by further collection of information and check whether the gain is significant. The subjective leakage measures facilitate such decision-making. On the other hand, confidence boost metrics measure the true boost of belief for an adversary. These metrics can be of significant importance if the adversary decides to act based on their confidence. Upon collecting information, an adversary may get a significant confidence boost on an incorrect inference. However, as the confidence boost is high, the adversary will make a decision based on that wrong inference. The adversary may carry out an unpleasant action simply because of their confidence in the inferred result (such an attacker is referred to as a "robber" in [32]).
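To make the distinction concrete, the following sketch scores the same adversarial guess x*_2(y) under the true posterior (objective) and under the adversary's own model (subjective). The min-entropy-style forms are our assumption, since the numbered equations are not reproduced in this excerpt:

```python
import numpy as np

def leakage_views(P_Y, P_XpgY, Q_Y, Q_XpgY):
    """Contrast objective and subjective one-shot leakage for one guess rule.

    P_Y, P_XpgY : true marginal of Y and true posterior P_{Xp|Y} (|Xp| x |Y|)
    Q_Y, Q_XpgY : the adversary's approximated counterparts
    All measures share the same offset H_inf(Xp), so it is omitted here and
    only the log of the expected success probability/belief is compared.
    """
    guess = Q_XpgY.argmax(axis=0)                # x_2*(y): guess from the Q model
    cols = np.arange(P_XpgY.shape[1])
    aol = np.log2(P_Y @ P_XpgY[guess, cols])     # objective: scored under truth
    asl = np.log2(Q_Y @ Q_XpgY[guess, cols])     # subjective: scored under belief
    L = np.log2(P_Y @ P_XpgY.max(axis=0))        # min-entropy term: best true guess
    return aol, asl, L
```

The objective term can never exceed the min-entropy term, since the latter uses the best possible guess under the true posterior.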

Comparison with g-leakage Framework
Let us compare the proposed metrics to the g-leakage framework of [33]. In the g-leakage framework, the authors introduced a gain function g to quantify how close the adversary's guess is to the true secret. This measure, nonetheless, still assumes perfect knowledge of the privacy mechanism. However, it appropriately recognizes that an adversary can gain information even if their guess is slightly wrong. Such a framework differs from our setup. The objective leakage measure indicates the true probability that the adversary has made a correct guess; computing it requires analyzing the specific guess of the adversary, which is made using the approximated privacy mechanism. The same holds for the leakage measures that evaluate the attacker's belief of success. For each of these, we quantify either the subjective or the true gain in confidence for the adversary, in order to understand the adversary's behavior and whether they would take actions with potentially serious consequences. The g-leakage measure does not quantify the gain in confidence for the adversary but rather the partial gain that the adversary achieves through an incorrect guess.

Utility Measurement
Recall that the utility provider infers X_u from Y based on their collection of (X_p, X_u, X, Y) tuples. They approximate the true distribution P_{X_u|Y} as Q'_{X_u|Y} and afterward, for each y ∈ Y, guess the x ∈ X_u that maximizes the probability of a correct guess of X_u. We refer to this guess as x*_3(y) = arg max_{x∈X_u} Q'_{X_u|Y}(x|y) (see Table I). Now, we need to identify the metric that properly reflects the gain of the utility provider. Computing the various minimum one-shot measures introduced in the paper for such a utility provider gives (27) and (28). Notice that the confidence boost metric is a function of Q'_{X_u|Y}. For each y ∈ Y, Q'_{X_u|Y}(x*_3(y)|y) indicates the utility provider's subjective evaluation of the probability with which they think they have inferred the correct value of X_u. Hence, measuring the confidence boost in this scenario yields the confidence boost the utility provider obtains through their collection of (X_p, X_u, X, Y) tuples. Even though such a measurement can have applications in decision making, confidence boost is not a suitable measure of utility.
The objective leakage, on the other hand, evaluates x*_3(y) under the correct distribution P_{X_u|Y} and computes the corresponding leakage, as shown in (27). Thus, the objective leakage metric accurately represents the actual leakage of the system toward the utility provider, and accordingly, we adopt objective leakage for computing the utility. We have seen in Section IV that there are several classes of objective leakage. Depending on the application, the designer may employ any of them as the utility measure. However, typically the designer is concerned about the worst-case leakage the utility provider can realize, and in that scenario, the minimum objective leakage, as shown in (27), provides the accurate measure of utility.

Problem Formulation
For our problem formulation, we are considering a system designer whose objective is to design a disclosure mechanism such that Y leaks minimal information about X p while revealing a significant amount of information about X u . These two conditions are contradictory to each other. Thus, we shall have a constrained optimization problem, and the solution of the optimization problem will result in a mechanism that ensures the information leakage between X p and Y is minimized while maintaining the utility constraint.
In the previous subsection, we have explained the measure of utility. To ensure the usability of the system, the designer needs to ensure that the utility of the designed system is higher than a nominal utility u min . Therefore, we have the utility constraint as U(X u , Y ) ≥ u min .
Subsequently, we develop another set of constraints on the space of Q_{X_p|Y}. We have specified previously that the adversary collects several (X_p, X_u, X, Y) tuples and approximates P_{X_p|Y} as Q_{X_p|Y}. Recall, however, that we have assumed the adversary only lacks perfect knowledge of the privacy mechanism, and thus approximates the privacy mechanism P_{Y|X} as Q_{Y|X}. For each X = x, the adversary collects n samples of Y. Now, using Theorem 11.2.1 in [34], we can write (29). Note that (29) ensures that Q_{Y|X} converges to P_{Y|X}, with probability 1, as n → ∞. Now, from Pinsker's inequality [35], we obtain (30), where d_TV indicates the total variation distance between two distributions.
Therefore, from (29) and (30), we can write (31). Additionally, if we denote the Hellinger distance between P_{Y|X=x} and Q_{Y|X=x} as h(P_{Y|X=x}, Q_{Y|X=x}), then from Lemma 12.2 of [36] we get (32). Thus, if m_P ≠ m_Q, Theorem 1 of [37] provides the lower bound (33) on h²(P_{Y|X=x}, Q_{Y|X=x}), where a = m_P − m_Q. From (32) and (33), we can write (34). Note that m_P is fixed and, by the central limit theorem, m_Q has an approximately normal distribution with mean m_P and variance σ²_P/n. Thus, for any a*, Pr(a > a*) is represented by the darker region of Figure 1; if a* is small, this probability is high.
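For reference, the standard forms of the two inequalities invoked above are as follows (conventions for the Hellinger distance vary by a factor of √2, so this should be checked against [35], [36]):

```latex
% Pinsker's inequality (KL divergence in nats):
d_{TV}\bigl(P_{Y|X=x}, Q_{Y|X=x}\bigr)
  \le \sqrt{\tfrac{1}{2}\, D\bigl(P_{Y|X=x} \,\|\, Q_{Y|X=x}\bigr)}

% Hellinger sandwich, with h^2(P,Q) = \tfrac{1}{2}\sum_y \bigl(\sqrt{P(y)}-\sqrt{Q(y)}\bigr)^2:
h^2\bigl(P_{Y|X=x}, Q_{Y|X=x}\bigr)
  \le d_{TV}\bigl(P_{Y|X=x}, Q_{Y|X=x}\bigr)
  \le \sqrt{2}\, h\bigl(P_{Y|X=x}, Q_{Y|X=x}\bigr)
```

The first inequality, combined with a vanishing KL bound on the empirical estimate, yields the upper bound δ_U; the left side of the sandwich converts a lower bound on h² into the lower bound δ_L on the total variation distance.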
The adversary has an incentive to make the approximated privacy mechanism as close as possible to the original one, so as to maximize their probability of a correct guess. Due to the lack of perfect knowledge of the true privacy mechanism, the adversary cannot achieve this exactly; nevertheless, they still try to choose an approximated mechanism that maximizes their probability of a correct guess. Depending on the value of n (the number of samples of Y for each value of X = x), (31) dictates that there exists an upper bound δ_U on d_TV(P_{Y|X=x}, Q_{Y|X=x}), whereas (34) shows the existence of a lower bound δ_L on the same measure. Therefore, we need to optimize over all possible Q_{Y|X} within these bounds of P_{Y|X}. From the perspective of a system designer, such a constraint is certainly important, as lower values of both δ_L and δ_U mean that the approximated mechanism is closer to the true mechanism, and thus the system can leak significant information regarding X_p.
Depending on the characteristics of the adversary, we can have several optimization problems. Let us consider designing the privacy mechanism for a pessimistic adversary, where the system designer is interested in minimizing the confidence boost. As the adversary is pessimistic, they will be doubtful about their approximated mechanism. Therefore, the designer needs to consider the lowest possible confidence boost that can be extracted from the approximated mechanism; that is, the system designer needs to find the privacy mechanism that minimizes the minimum confidence boost (MinCB). Conversely, if the designer were devising the information disclosure mechanism for an optimistic adversary, the metric of interest would be the maximum confidence boost (MaxCB), as such an adversary is always highly confident about their approximated mechanism. Finally, for a generic adversary, we take L(X_p, Y) = ACB(P_{X_p|Y}, Q_{X_p|Y}).
The next step for the designer is to find the optimized privacy mechanism. Observe that the designer does not know beforehand which Q_{Y|X} will be chosen by the adversary. The only information the designer has is that the adversary's Q_{Y|X} is at least δ_L away from P_{Y|X} and within δ_U of P_{Y|X}. Therefore, the designer always needs to consider the worst case and, consequently, find the P_{Y|X} that minimizes the worst-case value of L(X_p, Y). Accordingly, we have the optimization problem (35): minimize, over P_{Y|X}, the maximum of L(X_p, Y) over all admissible Q_{Y|X}, subject to the utility constraint U(X_u, Y) ≥ u_min. For solving this optimization problem, we have adopted a greedy approach; the details are given below.
• The algorithm iteratively finds the optimum P_{Y|X} while a specific threshold condition is maintained. We initialize the step size μ to a random value. Next, we use the function OPT_P to find the optimum P_{Y|X} at distance μ from the initial P_{Y|X}, and accordingly update the privacy mechanism to the new P_{Y|X}, keeping track of the optimized worst-case leakage value. Afterward, we halve μ (μ ← μ/2) and check whether the reduced step size further improves the worst-case leakage, by computing the difference between the worst-case leakage values achieved for μ and μ/2. We repeat the process while this difference is greater than 0. The details are shown in Algorithm 1.

• We now describe how OPT_P finds the optimum P_{Y|X} for a fixed μ. We initialize P_{Y|X} and generate a list of candidates P̂_{Y|X} that are μ away from P_{Y|X}. Then, we use the function OPT_Q to find the optimum P̂_{Y|X} for the next iteration. We update P_{Y|X} to this value of P̂_{Y|X} and keep repeating the process while the difference between the previous and current leakage values is greater than 0. The details are shown in Algorithm 2.

• Finally, we discuss how OPT_Q selects the P̂_{Y|X} for the next iteration. Recall that we need to consider all Q_{Y|X} that are at least δ_L away from P_{Y|X} and within δ_U of it. Therefore, for each P̂_{Y|X} in list_P̂_{Y|X}, we generate a list of Q_{Y|X} that satisfy our distance constraints. Afterward, we compute the leakage value only for those Q_{Y|X} that satisfy the utility constraint, and choose the Q_{Y|X} that maximizes the leakage value. Once we have the worst-case leakage value for each P̂_{Y|X} in list_P̂_{Y|X}, we choose the one that minimizes this maximum leakage as our optimum P̂_{Y|X}. The details of this step are shown in Algorithm 3.

Algorithm 1 Greedy search for the optimum privacy mechanism
Input: δ_L, δ_U, u_min, initial P_{Y|X}
Output: Optimum worst-case leakage value, optimum P_{Y|X}
1: μ ← a random initial step size
2: new_leak ← a large positive value
3: leak_diff ← a positive value
4: while leak_diff > 0 do
5:   current_leak ← new_leak
6:   (new_leak, new_P) ← OPT_P(μ, δ_L, δ_U, u_min, P_{Y|X})
7:   P_{Y|X} ← new_P
8:   leak_diff ← current_leak − new_leak
9:   μ ← μ/2
10: end while
11: return current_leak, P_{Y|X}

Algorithm 2 Algorithm for function OPT_P
Input: μ, δ_L, δ_U, u_min, P_{Y|X}
Output: Optimum leakage value, optimum P_{Y|X} (for a specific μ)
1: function OPT_P(μ, δ_L, δ_U, u_min, P_{Y|X})
2:   new_leak ← a large positive value
3:   leak_diff ← a positive value
4:   new_P ← P_{Y|X}
5:   while leak_diff > 0 do
6:     current_leak ← new_leak
7:     P_{Y|X} ← new_P
8:     Generate list_P̂_{Y|X} of distributions that are μ away from P_{Y|X}
9:     (new_leak, new_P) ← OPT_Q(list_P̂_{Y|X}, δ_L, δ_U, u_min)
10:    leak_diff ← current_leak − new_leak
11:   end while
12:   return current_leak, P_{Y|X}
13: end function

Algorithm 3 Algorithm for function OPT_Q
Input: list_P̂_{Y|X}, δ_L, δ_U, u_min
Output: Optimum leakage value, optimum P̂_{Y|X}
1: function OPT_Q(list_P̂_{Y|X}, δ_L, δ_U, u_min)
2:   for each P̂_{Y|X} in list_P̂_{Y|X} do
3:     Generate list_Q_{Y|X} of distributions at distance in [δ_L, δ_U] from P̂_{Y|X}
4:     leak_list_Q ← empty list
5:     for each Q_{Y|X} in list_Q_{Y|X} do
6:       if the utility constraint is maintained then
7:         leak_Q ← leakage value for this Q_{Y|X}
8:         Append leak_Q to leak_list_Q
9:       end if
10:    end for
11:    worst_leak(P̂_{Y|X}) ← max of leak_list_Q
12:  end for
13:  (leak_min, min_P) ← the P̂_{Y|X} with the smallest worst_leak, and that leakage value
14:  return leak_min, min_P
15: end function

Note that step 8 of Algorithm 2 calls for the generation of a list of P̂_{Y|X} that are μ away from P_{Y|X}. By this we mean that, for each x ∈ X, we generate k probability distributions P̂_{Y|X=x}, each at total variation distance μ from P_{Y|X=x}. (For this latter task, it is enough to randomly choose two values y_i, y_j ∈ Y and set P̂_{Y|X=x}(y_i) = P_{Y|X=x}(y_i) − μ and P̂_{Y|X=x}(y_j) = P_{Y|X=x}(y_j) + μ, while ensuring the values remain non-negative.) Here k is a compile-time constant, chosen to be at most |Y|². A similar approach is applied to generate the list_Q_{Y|X} of step 3 of Algorithm 3. Initially, we produce a subset of m distributions Q_{Y|X} that are exactly at distance δ_U from a specific P̂_{Y|X}, in the same manner. Afterward, we create another subset of Q_{Y|X}'s at distance δ_U − c from that P̂_{Y|X} (c is a small constant). We keep repeating the process until we reach δ_L, and combine all the generated subsets into list_Q_{Y|X}. Similar to k, m is also a compile-time constant.
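The list-generation step (choose two outputs and shift μ probability mass between them) can be sketched as follows; the function names and the rejection-style retry are illustrative, not the paper's implementation:

```python
import numpy as np

def tv_distance(p, q):
    """Total variation distance between two discrete distributions."""
    return 0.5 * np.abs(np.asarray(p) - np.asarray(q)).sum()

def perturb_at_distance(p, mu, rng):
    """Return one candidate distribution at TV distance mu from p, by moving
    mu mass from a randomly chosen output y_i to another output y_j
    (retrying until the donor entry can give up mu without going negative)."""
    p = np.asarray(p, dtype=float)
    while True:
        i, j = rng.choice(len(p), size=2, replace=False)
        if p[i] >= mu:                 # ensure non-negativity after the move
            p_hat = p.copy()
            p_hat[i] -= mu
            p_hat[j] += mu
            return p_hat
```

Moving μ mass between exactly two entries changes the L1 distance by 2μ, i.e., the total variation distance by μ, so every generated candidate sits exactly on the desired sphere around P_{Y|X=x}.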

Properties of the Proposed Metrics
In this subsection, we shall present several properties of the proposed metrics. We are only analyzing the properties of those metrics that are defined as averages over the range of outputs due to the continuous nature of the functions. Such measures are average subjective leakage, average objective leakage, and average confidence boost. For ease of explanation, we are assuming that the adversary is allowed to make a single guess upon observing Y instead of making k guesses.
Property 1. max_{Q_{Y|X}} AOL, where Q_{Y|X} is at a distance between δ_L and δ_U from P_{Y|X} with δ_L > 0, is always smaller than the min-entropy leakage (L).
Proof. We know that x*_1(y) indicates the value of x ∈ X_p that maximizes P_{X_p|Y}, and x*_2(y) represents the x ∈ X_p that maximizes Q_{X_p|Y}. When δ_L > 0, x*_1(y) and x*_2(y) will refer to different values. As x*_1(y) always maximizes P_{X_p|Y}, P_{X_p|Y}(x*_1(y)|y) is always higher than P_{X_p|Y}(x*_2(y)|y). Therefore, the maximum of the average objective leakage will be lower than the min-entropy leakage.
Property 2. max_{Q_{Y|X}} ACB, where Q_{Y|X} is at a distance between 0 and δ_U from P_{Y|X} (that is, when δ_L = 0), is always larger than or equal to the min-entropy leakage (L).

Proof. From the definitions of the average confidence boost (shown in (13)) and the min-entropy leakage (shown in (5)), the difference ACB − L is determined by comparing max_{Q_{X_p|Y}} Σ_y P_Y(y) Q_{X_p|Y}(x*_2(y)|y) against Σ_y P_Y(y) P_{X_p|Y}(x*_1(y)|y). When δ_L = 0, the search space for Q_{X_p|Y} always includes P_{X_p|Y}. Additionally, x*_2(y) always maximizes Q_{X_p|Y}. This leads to max_{Q_{X_p|Y}} Σ_y P_Y(y) Q_{X_p|Y}(x*_2(y)|y) ≥ Σ_y P_Y(y) P_{X_p|Y}(x*_1(y)|y); thus the difference between ACB and L is always non-negative.

Property 3. max_{Q_{Y|X}} ASL, where Q_{Y|X} is at a distance between 0 and δ_U from P_{Y|X} (that is, when δ_L = 0), is always larger than or equal to the min-entropy leakage (L).
Proof. From the definitions of the average subjective leakage (shown in (19)) and the min-entropy leakage (shown in (5)), the difference ASL − L is determined by comparing max_{Q_{XY}} Σ_y max_{x∈X_p} Q_{XY}(x, y) against Σ_y max_{x∈X_p} P_{XY}(x, y). Now, since the search space for Q_{XY} always includes P_{XY} (recall that δ_L = 0), it is clear that max_{Q_{XY}} Σ_y max_{x∈X_p} Q_{XY}(x, y) is at least as large as Σ_y max_{x∈X_p} P_{XY}(x, y), leading to a non-negative difference between ASL and L.

VIII. SIMULATION RESULTS
We shall begin the section by analyzing a real-world dataset to check if our proved properties hold. Afterward, we shall compute the worst-case leakage values with the optimized privacy mechanism that results from the optimization problem.

Dataset Description
The Iris dataset of the UCI Machine Learning Repository [38] is used as a real-world example dataset to further extend the analysis of the proposed metrics. The dataset includes 150 instances of three different iris classes: Iris-setosa, Iris-versicolor, and Iris-virginica. For each sample, four features were also measured: the length and width of the sepals and petals (in centimeters). For our analysis, we have selected the "Species" parameter as our private feature (X_p) and "PetalWidthCm" as the utility feature (X_u). The rest of the features (SepalLengthCm, SepalWidthCm, and PetalLengthCm) are treated as X. Observe that, in the dataset, each species has 50 samples, and consequently, we have H_∞(X_p) = −log₂(50/150) = 1.585.
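The min-entropy of the private feature follows directly from the class counts; a quick check:

```python
import numpy as np

# "Species" is uniform over three classes (50 samples each out of 150),
# so the most likely value has probability 1/3.
counts = np.array([50, 50, 50])   # Iris-setosa, Iris-versicolor, Iris-virginica
p_xp = counts / counts.sum()
h_inf = -np.log2(p_xp.max())      # H_inf(X_p) = -log2(1/3) ~ 1.585 bits
```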

Convergence of Average Metrics
In this subsection, we analyze the convergence of our proposed metrics, such as the convergence of the average subjective leakage to the min-entropy leakage. Consequently, we need to generate Y from X by noise addition. Sharma et al. [39] discussed an optimal noise addition mechanism that minimizes the mutual information between the private variable (X_p) and the disclosed variable (Y). The algorithm has two privacy parameters: the first, γ, indicates when to add noise to X to increase privacy, and the second, β, indicates the utility loss upon the addition of noise. For our experiment, we have used γ = 0.25 and β = 1.52.
Observe that, throughout the paper, we have employed Bayesian inference to infer X_p from Y. Such inference requires the data to be divided into discrete bins. Thus, we have divided each feature of Y into three separate bins. We were interested in discretizing each feature into equal-sized bins based on quantile values; accordingly, we performed a quantile cut for each feature of Y, and the same operation on X as well. As both X and Y consist of three features, and each feature takes three possible values, there are 27 (3³) possible values for both X and Y. Therefore, P_{Y|X} is a 27 × 27 matrix. Note that we divided each feature of Y into three bins to keep the shape of the matrix P_{Y|X} tractable, as the paper focuses on analyzing the performance of the proposed metrics rather than dealing with a large matrix. The analysis is similar when the matrix of interest is large.
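The discretization described above (a three-bin quantile cut per feature, then combining three features into one of 27 symbols) can be sketched as follows; the helper names are ours:

```python
import numpy as np

def quantile_bins(col, n_bins=3):
    """Equal-frequency (quantile) discretization of one feature column."""
    inner = np.linspace(0, 1, n_bins + 1)[1:-1]     # interior quantile levels
    edges = np.quantile(col, inner)
    return np.digitize(col, edges)                  # bin index in {0, ..., n_bins-1}

def joint_symbol(f1, f2, f3):
    """Combine three binned features into one of 3^3 = 27 joint symbols."""
    b1, b2, b3 = quantile_bins(f1), quantile_bins(f2), quantile_bins(f3)
    return b1 * 9 + b2 * 3 + b3
```

With 27 joint symbols on each side, the empirical P_{Y|X} is then the 27 × 27 row-normalized count matrix over the observed (x, y) pairs.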
Recall that we are considering an adversary who approximates the privacy mechanism based on their collection of (X_p, X_u, X, Y) tuples. We adopted the method of Chatzikokolakis et al. [13] for this approximation. Specifically, we have taken X and Y at face value and used the observation counts to approximate the privacy mechanism. Additionally, we have varied the number of collected tuples to simulate adversaries with different Q_{Y|X}. Figure 2 shows the box plot of the variation of the proposed leakage measures for a varying number of samples; the blue line indicates the median value for each instantiation. The details of the box plot can be found in Table III. For explanation, let us consider Figure 2a first. Note that P_{Y|X} is fixed here, and Q_{Y|X} is approximated by the adversary upon collecting a fixed number of (X_p, X_u, X, Y) tuples. If the adversary can collect a larger number of tuples, their approximated privacy mechanism Q_{Y|X} will be closer to the original privacy mechanism P_{Y|X}. Moreover, recall that the average subjective leakage is defined as a maximum over Q_{X_p|Y}. As the adversary lacks perfect knowledge of the privacy mechanism, the maximization over Q_{X_p|Y} depends on the approximated privacy mechanism Q_{Y|X} and the distance between P_{Y|X} and Q_{Y|X}. When the adversary has access to a smaller number of samples, the distance between these two mechanisms will be higher. A higher distance results in a larger search space for Q_{X_p|Y}, and consequently, max_{Q_{X_p|Y}} Q_{X_p|Y}(x*_2(y)|y) will be higher. Once we increase the number of samples, the distance starts to shrink, and correspondingly, we get a smaller search space for Q_{X_p|Y}. As the search space of Q_{X_p|Y} gets smaller, max_{Q_{X_p|Y}} Q_{X_p|Y}(x*_2(y)|y) becomes smaller and consequently results in a lower value of the average subjective leakage.
Finally, when the adversary gets access to all the samples, Q_{X_p|Y} becomes equal to P_{X_p|Y}, and thus the average subjective leakage converges to the min-entropy leakage. This variation is represented by the blue line of Figure 2a.

Observe that this variation is also consistent with our Property 3, where we proved that max_{Q_{Y|X}} ASL is always at least as large as the min-entropy leakage. Using the same reasoning, we can explain Figures 2b and 2c, which are consistent with Property 2 and Property 1, respectively.

In this subsection, we shall initially discuss how we can estimate both δ_L and δ_U and how the proposed leakage measures are related to these values. Recall that δ_L indicates the lower bound on the distance between P_{Y|X=x} and Q_{Y|X=x} (for all x), whereas the upper bound is represented by δ_U. The adversary usually approximates the privacy mechanism based on their collection of (X_p, X_u, X, Y) tuples. The system designer does not know exactly how many original (X_p, X_u, X, Y) tuples can be collected by the adversary. Therefore, the best approach is to assume a range of values for such a collection of tuples. The smallest value of the range will result in an estimate of the upper bound (i.e., δ_U), and the largest value will result in an estimate of the lower bound (i.e., δ_L).
Let us discuss the effect of δ_L first. If δ_L = 0, then it is possible for the adversary to have access to all the original (X_p, X_u, X, Y) tuples that were used to design the privacy mechanism and thus have complete knowledge of the privacy mechanism. As a result, both P_{Y|X} and Q_{Y|X} refer to the same privacy mechanism [32]. In that case, we have the worst-case value of the average objective leakage, which is the min-entropy leakage (see Property 1). Additionally, both the average subjective leakage and the average confidence boost will equal the min-entropy leakage. However, in most practical circumstances, an adversary lacks this advantage, which results in δ_L > 0; accordingly, AOL is maximized when Q_{Y|X} is at exactly distance δ_L from P_{Y|X}. Now let us analyze the effect of δ_U. For a fixed value of δ_L, a higher value of δ_U results in a larger search space for Q_{X_p|Y}, and thus a higher value of max_{Q_{X_p|Y}} Q_{X_p|Y}(x*_2(y)|y). As both the average subjective leakage and the average confidence boost use Q_{X_p|Y}(x*_2(y)|y) in their definitions, this maximization results in higher values for both ASL and ACB.
Next, we repeat the simulation where we let the adversary gather several input-output pairs and, based on the collection of (X_p, X_u, X, Y) tuples, form the approximated privacy mechanism Q_{Y|X}. We have varied the number of collected tuples from 25 to 150. Of course, the system designer does not know how many samples the adversary gets. Hence, we assumed that the privacy system P_{Y|X} is designed considering an adversary that can have anywhere between 25 and all 150 (X_p, X_u, X, Y) tuples. The upper bound on the number of tuples implies that δ_L = 0. For estimating δ_U, we initially generated Y using the noise addition mechanism of Sharma et al. [39] and let the adversary have access to 25 random (X_p, X_u, X, Y) tuples. By repeating the process several times, we found an estimate of δ_U = 0.75.

Finally, we have solved the optimization problem, using δ_L = 0 and δ_U = 0.75, to obtain the optimum P_{Y|X}. We compared the worst-case leakage values obtained from the optimum P_{Y|X} with the worst-case leakage values achieved by minimizing the mutual information between X_p and Y. The medians of the optimized worst-case leakage values are given in Table IV, and Figure 3 shows the comparative plot. Note that we have not solved the optimization problem for L(X_p, Y) = AOL, since δ_L = 0 means AOL is maximized when P_{Y|X} = Q_{Y|X}.

[Figure 3: comparative plot of the optimized worst-case leakage values versus the number of samples.]
IX. RELATED WORK
Information-theoretic measures, specifically information leakage measures based on Shannon entropy and mutual information, have been studied extensively over the years [3]-[6]. Shannon entropy measures the average amount of information that a message contains, and the mutual information between two random variables quantifies the amount of information gained about one variable by observing the other; concisely, mutual information measures the correlation between two variables. The authors in [40] discussed how an attacker's belief changes upon observing the execution of a program, whereas Hamadou et al. [41] unified the notions of belief and leakage for an adversary. In [40], the authors introduced a metric in which an adversary observes the execution of a program and consequently updates their initial belief about the private variable; they did not consider the case where the adversary approximates the privacy mechanism. The authors in [41] nevertheless introduced metrics representing the belief of an attacker who holds a different (and potentially wrong) initial belief about the distribution of the secret, and presented several properties to measure the accuracy and belief of the adversary. In the current paper, we assume that the adversary approximates the privacy mechanism. Moreover, we have also formulated an optimization problem whose solution is a privacy mechanism that minimizes the worst-case leakage; no such optimization problem was formulated in either [40] or [41]. Another prominent measure of information leakage is min-entropy leakage [8]-[10], which captures the reduction in the uncertainty of guessing a secret once some information correlated with the secret is disclosed. Min-entropy is a specific case of Rényi entropy [15] with α = ∞. The authors in [33] introduced g-leakage, a generalization of min-entropy leakage, and the authors in [42] provided several axioms for information leakage.
The notion of black-box estimation of leakage was introduced in [43]. In [44], the authors estimated the g-leakage via machine learning approaches and evaluated the performance of their approach through various experiments using k-nearest neighbors and neural networks.
The authors in [45] introduced a single-shot measure of information leakage known as maximal leakage. Additionally, in [7], they introduced various one-shot measures such as maximal realizable leakage, local differential privacy, maximal correlation, and maximal cost leakage. The authors in [46] and [47] showed that machine learning models are vulnerable to membership inference attacks. In [48], the authors measured the information leakage regarding the presence of an individual in a training dataset using conditional mutual information. Fisher information estimates the amount of information obtained about a parameter by observing a random variable whose characteristics depend on that parameter. Hannun et al. [49] adopted Fisher information to define information leakage, and later proposed a method to quantify the information leakage of the training data in a machine learning model. The authors in [50], [51] analyzed Fisher information as a privacy leakage measure to develop an optimal privacy-preserving policy. Various game-theoretic settings have been proposed to model the interactions between a utility provider and an adversary in the context of both information flow and differential privacy [52]-[54].
Differential privacy, introduced in [22], is formulated in terms of two neighboring databases, namely two databases differing in a single entry. The tradeoff between utility and privacy for a differentially private mechanism has been studied extensively [55]-[60]. In a recent work, Desfontaines et al. [61] provided an extensive analysis of the variants of differential privacy, dividing the various notions into seven categories depending on which aspect of the original definition is modified. The authors in [62] performed a similar extensive analysis of information leakage metrics.
The work of Chatzikokolakis et al. [13] is closely related to our framework. In that paper, the authors forgo the assumption that the exact probabilities of the information disclosure mechanism are known and estimate the mutual information from a collection of samples; they then estimate the channel capacity using the estimated mutual information. Several relevant works were performed in [11] and [12]. In both papers, the authors considered a database comprising both private and public features, where the mechanism releases a distorted version of the public features, and devised a mechanism that optimizes the privacy-utility tradeoff. The authors utilized f-information as the measure of privacy in [11] and applied χ²-information as the privacy measure in [12].
Note that both f-information and χ²-information require that the joint distribution between the public and disclosed variables be completely known. The authors noted, however, that this assumption might not hold in various applications and consequently provided estimates of the privacy measures. Finally, they bounded the error between the privacy measures computed under the exact and the approximated mechanisms.

X. CONCLUSION AND FUTURE WORK
The traditional metrics of information leakage implicitly assume that the stochastic mechanism correlating the secret with the disclosed variable is known to the adversary. This assumption does not hold in practice, as most platforms do not publicly reveal their mechanisms for privatizing sensitive data; the adversary can only approximate the true information disclosure mechanism, and the conventional measures then fail to compute the information leakage correctly. This paper introduces several information leakage measures that correctly compute the leakage when an adversary lacks complete statistical information about the true joint distribution of the private, utility, and disclosed variables. These measures capture the various facets of the information leakage that result from imperfect knowledge of the distribution. Furthermore, we have considered distinct adversary characteristics and formulated an optimization problem for each of these diverse adversaries; the solution to each problem is an optimized information disclosure mechanism that minimizes the worst-case value of the corresponding metric. Finally, we simulated a case study in which both the average subjective leakage and the average confidence boost decrease monotonically with an increasing number of samples, whereas the average objective leakage increases gradually; these metrics converge to the min-entropy leakage when the adversary is given access to all the samples. We have also solved the formulated optimization problems to obtain the optimized worst-case leakage values of our proposed metrics, and shown that this optimization significantly reduces the worst-case leakages.