Adversarial Leakage in Games.
Noga Alon∗
Yuval Emek†
Michal Feldman‡
Moshe Tennenholtz§
Abstract
While the maximin strategy has become the standard, and most agreed-upon solution for
decision-making in adversarial settings, as discussed in game theory, computer science and other
disciplines, its power arises from the use of mixed strategies, a.k.a. probabilistic algorithms.
Nevertheless, in adversarial settings we face the risk of information leakage about the actual
strategy instantiation. Hence, real robust algorithms should take information leakage into account.
To address this fundamental issue, we introduce the study of adversarial leakage in games. We
consider two models of leakage. In both of them the adversary is able to learn the value of b binary
predicates about the strategy instantiation. In one of the models these predicates are selected after
the decision-maker announces its probabilistic algorithm and in the other one they are decided in
advance. We give tight results about the effects of adversarial leakage in general zero-sum games
with binary payoffs as a function of the level of leakage captured by b in both models. We also
compare the power of adversarial leakage in the two models and the robustness of the original
maximin strategies of games to adversarial leakage. Finally, we study the computation of optimal
strategies for adversarial leakage models. Together, our study introduces a new framework for
robust decision-making, and provides rigorous fundamental understanding of its properties.
∗Tel-Aviv University, and Microsoft Israel R&D Center.
†Microsoft Israel R&D Center.
‡School of Business Administration, The Hebrew University of Jerusalem, and Microsoft Israel R&D Center.
§Microsoft Israel R&D Center, and Technion-Israel Institute of Technology.
1 Introduction
Decision-Making lies in the foundations of fields such as Economics, Operations Research, and Artificial
Intelligence. The question of what should be the action to be taken by a decision-maker when
facing an uncertain environment, potentially consisting of other decision makers, is a fundamental
problem which led to a wide variety of models and solutions. The only type of situations for which
this question got an agreed-upon answer is in the context of two-player zero-sum games. This setting
can model any situation in which a decision-maker aims at maximizing his guaranteed payoff.
When mixed strategies are allowed, such desired behavior, termed an agent’s maximin (or safety
level) strategy, leads to a well defined expected payoff (known as the value of the game). Moreover,
when presented explicitly in a matrix form, the computation of a maximin strategy is polynomial (by
solving a linear program). Various equilibrium concepts have been considered in the game-theoretic
literature, but none of them provides a prescriptive advice to a decision-maker which will be as
acceptable as the maximin strategy solution in adversarial settings. Since the introduction of the
study of two-person zero-sum games [13], maximin strategies have received very little criticism (see
[5] for an exception). Moreover, the safety level strategy has been advocated for some non zero-sum
settings as well (see [11], following observations by [4]).
Much of the power of a maximin strategy is associated with the use of mixed strategies, a.k.a.
randomized algorithms. In such algorithms the randomization phase is assumed to be done in
a private manner by the decision-maker, and no information about the instantiation selected in
that phase is assumed to be revealed. In reality, however, nothing is really private; for example,
competitors will always strive to obtain the private actions of a business, possibly by means of
industrial espionage [10]; hence, information leakage should be considered. As a result, it may be
of interest to study the effects of adversarial leakage, where a limited amount of information on an
agent’s instantiation of its mixed strategy may leak in an adversarial manner. We believe that only
by considering this situation, it will be possible to construct robust strategies when acting in an
adversarial setting. Information leakage appeared in game theory in the context of conditioning a
player’s strategy about the other player’s strategy [12, 8]; however that work did not consider the
leakage of mixed strategy instantiations nor its effects on designing robust algorithms in adversarial
settings taking information leakage into account.
Our model of adversarial leakage is general. We consider a two-player zero-sum game in strategic
form (a.k.a. matrix form), where the MAX player is our decision-maker and the MIN player is the
adversary. Both MAX and MIN have a set of (pure) strategies they can choose from. MAX chooses
a mixed strategy, that is, a distribution vector over its pure strategies. MIN may base its action on
the value of b binary predicates defined on MAX’ pure strategies; each such predicate is a Boolean
formula on the set of strategies whose value is determined according to the actual instantiation of
MAX’ mixed strategy. The parameter b can be thought of as the amount of information leakage
(or number of leaking bits) regarding the instance of MAX’ mixed strategy; MAX would like to
maximize his guaranteed expected payoff against any choice of such b binary predicates.
We consider two settings, distinguished by the information structure assumed in them. In the
Strong Model the MAX player chooses a mixed strategy, which is observable by the MIN player, who
can then act upon it in determining the b predicates. In the Weak Model, on the other hand, the
MIN player chooses the b predicates first, and MAX can observe it and act upon it in choosing his
mixed strategy.
Compared with the Strong Model, the information structure of the Weak Model provides a potential
advantage to MAX, but is it effectively advantageous? Understanding this issue is particularly
interesting in light of the minimax theorem, which essentially states that in a classic two-player zero-
sum game, if mixed strategies are allowed, then gaining information about the opponent’s mixed
strategy prior to playing does not give the agent possessing it any strategic advantage.
Other intriguing questions arise in this setting of adversarial leakage. What would be the best
mixed strategy for the MAX player? How well will the original maximin strategy of the game
perform? What is the computational complexity of finding the optimal strategy under information
leakage? We address all these questions, focusing our attention on general two-person games, where
the decision-maker has m strategies to choose from, the adversary has n strategies to choose from,
and the payoffs to the decision maker are either 1 or 0. This is known to be a highly applicable
model, as it captures games in which a goal is either achieved or not.
Our results. For the Strong Model, if the value of the game is $q = 1 - \varepsilon$ (for small positive $\varepsilon$) and
$2^b$ is much smaller than $1/\varepsilon$, then MAX can ensure value close to 1 (at least $1 - 2^b\varepsilon$), and this is
tight. To do so, she simply uses the maximin strategy (that is, the optimal mixed strategy for the
original game with no predicates). On the other hand, if $2^b$ is much bigger than $1/\varepsilon$, then for every
mixed strategy of MAX, the MIN player can ensure value close to zero (at most $e^{-2^b\varepsilon}$). Therefore,
for EVERY such game with value $1 - \varepsilon$, which is close to 1, a sharp transition occurs at b which
is about $\log(1/\varepsilon)$: if b is slightly smaller, the value stays close to 1; if it is slightly larger, the value
drops to nearly zero.
For games with value q bounded away from 1, even one bit enables MIN to square the value and
drop it to at most $q^2$, and every additional bit squares the value again. There are also examples
showing that this is essentially tight. Finally, for any fixed value q < 1, $\log\log m + O_q(1)$ bits suffice
to enable MIN to drop the value to precisely 0.
For the Weak Model, the situation is different. Clearly, here MAX is in a better shape, hence
if the value of the game is $q = 1 - \varepsilon$ (for small positive $\varepsilon$), MAX can still ensure a value close to 1
if the number of bits is much smaller than $\log(1/\varepsilon)$ as in the Strong Model. For games with value
q bounded away from 1, however, there are examples in which she can do much better than in the
Strong Model, and in fact can ensure no essential drop in the value as long as the number of leaking
bits is somewhat smaller than $\log\log m$. More precisely, for any fixed value 0 < q < 1 and for every
large polynomially related m,n, there are examples of games represented by a binary m by n matrix
with value q + o(1), so that even if $b = \log\log m - O(1)$, MAX can ensure that the value will stay
roughly q. This should be contrasted with the Strong Model, where every additional bit squares
MAX’ value.
Somewhat surprisingly, once the number of leaking bits is slightly larger, that is, $b = \log\log m + O(1)$,
the MIN player can already ensure value 0 in any game with a fixed value q < 1. Thus, in
the examples above a sharp transition occurs at nearly $b = \log\log m$ under the Weak Model: nearly
$\log\log m$ bits have essentially no effect on the value, while slightly more bits already suffice to drop
the value to 0.
Note that, in contrast to leakage-free settings, where no advantage is gained by observing the
opponent’s mixed strategy (due to the minimax theorem), in settings of adversarial leakage, such
information can contribute a great deal to the informed player, reflected by the advantage obtained
by MAX in the Weak Model compared with the Strong Model.
With respect to computation complexity, computing the optimal strategy in the Strong Model
(for the MAX player) against b leaking bits is poly-time for any fixed b, while this problem becomes
NP-hard to compute, or even to approximate within any factor, for a general b. In the Weak Model,
the optimal strategy of MAX can be computed in polynomial time for every b. As for the MIN
player, computing the optimal predicates is polynomial for a fixed number of bits, but is NP-hard in
general.
2 Model
We consider two-player zero-sum games defined by an m by n matrix M with {0,1} entries, where
the rows correspond to MAX’ pure strategies and the columns correspond to MIN’s pure strategies:
$M_{i,j}$ is the payoff of MAX if MAX and MIN play row i and column j, respectively (the payoff of
MIN is then $-M_{i,j}$).¹ The matrix M is known to both players.
Given a matrix M and an integer b ≥ 0, we describe a precise setting of adversarial leakage, as
follows:
(1) MAX chooses a distribution vector $p = (p_1, \ldots, p_m)$ on [m] and MIN chooses a b-bit leakage
function $f : [m] \to \{0,1\}^b$.
(2) MAX realizes i ∈ [m] according to p (i.e., chooses row i with probability $p_i$).
(3) MIN observes f(i) (for i realized by MAX) and chooses a strategy j ∈ [n].
(4) MAX and MIN receive payoffs $M_{i,j}$ and $-M_{i,j}$, respectively.
The two leakage models we consider, referred to as the Strong Model and the Weak Model, differ in
the order in which the choices in step (1) are made. In the Strong Model MAX first chooses a mixed
strategy p and MIN may base its choice of f on the knowledge of p. In the Weak Model MIN first
chooses a leakage function f and MAX may base its choice of p on the knowledge of f.
It will be convenient to formalize the choice of (pure) strategy made by MIN in step (3) as a
function $g : \{0,1\}^b \to [n]$. Note that MIN decides on g when it already knows the mixed strategy p
of MAX. This is less important under the Strong Model, where it can be assumed that MIN chooses
g simultaneously with its choice of f. However, under the Weak Model, the choice of g must be made
at a later stage (when MIN already knows p).
Given a matrix M, a non-negative integer b, a distribution vector p on [m], a function
$f : [m] \to \{0,1\}^b$, and a function $g : \{0,1\}^b \to [n]$, let
$$u(M,b,p,f,g) = \sum_{w \in \{0,1\}^b} \; \sum_{i : f(i) = w} p_i M_{i,g(w)}$$
denote the expected payoff of MAX (with respect to these parameters). Denote
$$u_p(M,b) = \min_{f : [m] \to \{0,1\}^b \text{ and } g : \{0,1\}^b \to [n]} u(M,b,p,f,g) .$$
The value of M against b leaking bits under the Strong Model is defined as
$$v^{\mathrm{strong}}(M,b) = \max_{p \in \Delta(m)} u_p(M,b) ,$$
where ∆(m) is the set of all distribution vectors on [m]. We denote by $p^*_b$ a distribution vector that
realizes $v^{\mathrm{strong}}(M,b)$, i.e., $u_{p^*_b}(M,b) = v^{\mathrm{strong}}(M,b)$. The value of M against b leaking bits under the
Weak Model is defined as
$$v^{\mathrm{weak}}(M,b) = \min_{f : [m] \to \{0,1\}^b} \; \max_{p \in \Delta(m)} \; \min_{g : \{0,1\}^b \to [n]} u(M,b,p,f,g) .$$
¹ While we focus on the natural binary case, some of our results hold for any matrix with entries in [0,1] as well,
while some become non-interesting or easily seen to be false.
When the leakage model is clear from the context, we may omit the superscripts and write simply
v(M,b). Observe that under this notation, v(M,0) is the classical value of (the game defined by) M.
Unless otherwise specified, all logarithms are in base 2.
3 Adversarial leakage in the Strong Model
We first show that for any m by n matrix with {0,1} entries of value $q = 1 - \varepsilon$, the MAX player
can guarantee herself at least a payoff of $1 - 2^b\varepsilon$. This can be done, in particular, by playing the
maximin strategy.
Proposition 3.1. Let M be an m by n matrix with {0,1} entries. Let $q = 1 - \varepsilon$ be the value of the
game defined by M, that is, $v(M,0) = 1 - \varepsilon$. Then, for every b ≥ 0, $u_{p^*_0}(M,b) \ge 1 - 2^b\varepsilon$.
Proof. Let $p = (p_1, \ldots, p_m)$. For every $w \in \{0,1\}^b$, let $S_w = \{i \mid f(i) = w\}$, and let $p_w = \sum_{i \in S_w} p_i$.
Fix some column j. Since $1 - \varepsilon$ is the value of the game, it holds that for every w,
$$\sum_{i \in S_w} p_i M_{i,j} + \sum_{i \notin S_w} p_i M_{i,j} \ge 1 - \varepsilon .$$
As $M_{i,j} \le 1$ for every i,j, we have
$$\sum_{i \in S_w} p_i M_{i,j} + \sum_{i \in [m] \setminus S_w} p_i \ge 1 - \varepsilon .$$
Substituting $\sum_{i \in [m] \setminus S_w} p_i = 1 - p_w$ and rearranging the last inequality yields
$$\sum_{i \in S_w} p_i M_{i,j} \ge p_w - \varepsilon . \qquad (1)$$
The expected payoff of MAX is given by the expression $\sum_{w \in \{0,1\}^b} \sum_{i : f(i) = w} p_i \cdot M_{i,g(w)}$ and the
expected payoff of MAX conditioned on the event that some row $i \in S_w$ is played is given by the
expression $\sum_{i : f(i) = w} \frac{p_i}{p_w} \cdot M_{i,g(w)}$, which is at least $\frac{1}{p_w}(p_w - \varepsilon)$, by Equation (1). Therefore the expected
payoff of MAX is at least
$$\sum_{w \in \{0,1\}^b} p_w \cdot \frac{1}{p_w}(p_w - \varepsilon) = 1 - 2^b\varepsilon .$$
The above bound is tight, as established in the following proposition.
Proposition 3.2. For every $\varepsilon > 0$ and every b ≥ 0, there exists a matrix M with {0,1} entries so
that (1) $v(M,0) = 1 - \varepsilon$; and (2) $u_{p^*_0}(M,b) = u_{p^*_b}(M,b) = 1 - 2^b\varepsilon$.
Proof. Let $n = 1/\varepsilon$ and consider the n by n matrix M in which $M_{i,i} = 0$ for every i, and $M_{i,j} = 1$
for every $i \ne j$. From symmetry considerations, both the maximin strategy and the optimal strategy
against b leaking bits is the uniform distribution over the rows. Let f be a function which imposes
the following partition on the rows: each one of the first $2^b - 1$ rows constitutes its own subset, and
the remaining rows constitute the last subset. In this case, if one of the first $2^b - 1$ rows is chosen
(each with probability $\varepsilon$), then MAX’ payoff is 0, while if one of the remaining rows is chosen (with
a total probability of $1 - (2^b - 1)\varepsilon$), then the payoff obtained by the MAX player is
$\frac{1/\varepsilon - 2^b}{1/\varepsilon - (2^b - 1)}$. The expected payoff of the MAX player is therefore
$$(1 - (2^b - 1)\varepsilon) \cdot \frac{1/\varepsilon - 2^b}{1/\varepsilon - (2^b - 1)} = 1 - 2^b\varepsilon .$$
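The tightness claim can be checked numerically on a small instance. The following is an added example, not code from the paper: it evaluates u_p(M,b) from Section 2 by exhaustive search over all leakage functions f (with MIN best-responding per leaked word) on the matrix of Proposition 3.2, and compares the result with the partition used in the proof. The function names and the choice n = 6 (so ε = 1/6) are assumptions made here for tractability.

```python
from fractions import Fraction
from itertools import product

def payoff_given_f(M, p, f, b):
    """min over g of u(M,b,p,f,g): MIN best-responds to each leaked word w."""
    m, n = len(M), len(M[0])
    total = Fraction(0)
    for w in range(2 ** b):                      # integer w encodes a word in {0,1}^b
        S_w = [i for i in range(m) if f[i] == w]
        # g(w) is the column minimising sum_{i in S_w} p_i * M[i][j]
        total += min(sum(p[i] * M[i][j] for i in S_w) for j in range(n))
    return total

def u_p(M, p, b):
    """u_p(M,b): exhaustive minimum over all f: [m] -> {0,1}^b (small m only)."""
    m = len(M)
    return min(payoff_given_f(M, p, f, b)
               for f in product(range(2 ** b), repeat=m))

def prop32_game(n):
    """Matrix from Proposition 3.2: 0 on the diagonal, 1 elsewhere (eps = 1/n)."""
    return [[0 if i == j else 1 for j in range(n)] for i in range(n)]

def prop32_leak(n, b):
    """Partition from the proof: first 2^b - 1 rows are singletons, the rest share a word."""
    return [min(i, 2 ** b - 1) for i in range(n)]

def demo(n=6, max_b=2):
    """Rows of (b, brute-force u_p, value under the proof's f, 1 - 2^b * eps)."""
    M, eps = prop32_game(n), Fraction(1, n)
    p = [eps] * n                                # uniform = maximin strategy here
    return [(b,
             u_p(M, p, b),
             payoff_given_f(M, p, prop32_leak(n, b), b),
             1 - 2 ** b * eps)
            for b in range(max_b + 1)]

if __name__ == "__main__":
    for b, brute, proof_f, bound in demo():
        print(f"b={b}: brute-force u_p={brute}, proof's f gives {proof_f}, "
              f"1 - 2^b*eps = {bound}")
```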
The above two propositions essentially say that for games with value $q = 1 - \varepsilon$ and b such that
$2^b\varepsilon = o(1)$, MAX can guarantee a payoff of about $q^{2^b}$ by playing the maximin strategy, and this
is optimal. The case of general q and b, however, requires more work, and this is the focus of the
following statement.