Proof sketch. We first note that for \(p = p_{i,j,k}\) where \(|B_i|=2^{2^n}\) is arbitrary and \(D_{i,n,j,k}= \{p_{i',j,k} : B_{i'} \subset B_i: |B_{i'}| = 2^n \}\), we have that for every \(q\in D_{i,n,j,k}\) \[\begin{align} d_{\mathrm {TV}}(p, q) &\geq \left(\frac{1}{j} - \frac{1}{k}\right)d_{\mathrm {TV}}(U_{B_i \times {2j}}, U_{B_{i'} \times {2j}}) \\ &\geq \frac{1}{2} \left(\frac{1}{j} - \frac{1}{k}\right). \end{align}\]

Furthermore, consider \(Q = U_{D_{i,n,j.k}}\). We note that the distributions \(V_{\mathrm{sub},\eta}(p^m)\) and \(V_{\mathrm{sub},\eta}(|Q|^m)\) are both distributions over multisets \(S' = \mathrm{constants}(S') \cup \mathrm{odds}(S') \cup \mathrm{ind}(S')\). We further note that the distributions of the count of each of those subsets are the same for both \(S' \sim V_{\mathrm{sub},\eta}(p^m)\) and \(S'\sim V_{\mathrm{sub},\eta}(|Q|^m)\). Furthermore, since all elements of \(\mathrm{constants}(S')\) are the same, we also have that the probability distributions of \(\mathrm{constants}(S')\) are the same for both \(S' \sim V_{\mathrm{sub},\eta}(p^m)\) and \(S' \sim V_{\mathrm{sub},\eta}(|Q|^m)\). We also observe that the distributions for \(\mathrm{odds}(S')\) conditioned on \(S' \sim V_{\mathrm{sub},\eta}(p^m)\) and \(S' \sim V_{\mathrm{sub},\eta}(|Q|^m)\) are the same, if \(\mathrm{odds}(S')\) does not contain any repeated elements. Lastly, we note that while the indicators of samples from \(p\) and samples from \(Q\) differ, the adversary \(V_{\mathrm{sub},\eta}\) deletes all these elements, if \(|\mathrm{ind}(S)|\) does not exceed \(\eta |S|\).

Taking all of these observations together, we can bound the total variation distance in terms of repeating elements in \(\mathrm{odds}(S)\) and the probability that \(|\mathrm{ind}(S)|\) exceeds the budget of the adversary. \[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{sub},\eta}(p^m),V_{\mathrm{sub},\eta}(|Q|^m) )\\ &\leq \mathbb{P}_{S\sim p^m}[\mathrm{odds}(S) \text{ contains repeated elements}]\\ &\quad+\mathbb{P}_{S\sim |Q|^m}[\mathrm{odds}(S) \text{ contains repeated elements}]\\ &\quad + \mathbb{P}_{S\sim p^m}[|\mathrm{ind}(S)| > \eta|S|]\\ &\quad + \mathbb{P}_{S\sim |Q|^m}[|\mathrm{ind}(S)| > \eta|S|].\\ \end{align}\] The first two terms can each be upper bounded by \(1 - \left(1 -\frac{m}{2^n}\right)^m\) using the birthday paradox. The last two terms can each be upper bounded by \[\begin{align} &\mathbb{P}_{S\sim p^m}\left[|\mathrm{ind}(S)| > \eta|S|\right] + \mathbb{P}_{S\sim |Q|^m}\left[|\mathrm{ind}(S)| > \eta|S|\right]\\ &\leq \frac{\mathbb{E}_{S\sim p^m}[|\mathrm{ind}(S)|]}{\eta|S|} + \frac{\mathbb{E}_{S\sim |Q|^m}[|\mathrm{ind}(S)|]}{\eta|S|}\leq 2 \cdot \frac{\frac{m}{k}}{\eta m} = \frac{2}{k \eta}, \end{align}\] using Markov’s inequality.

Since we are considering distributions in \(\mathcal{C}_g\), we note that the distributions \(D_{i,n,j,k}\) need to be of the form \(D_{i,n,j,g(j)}\). We now want to argue that for appropriate choices of \(j\) and \(\eta\) (both independent of \(m\)), as well as for \(n\) given \(m\), the inequalities of the theorem are satisfied. First, we note that since \(g\) grows faster than linear, it is possible to pick \(j\) in such a way that it satisfies the inequality \[g(j) \geq 1024 c\alpha j.\] Given such \(j\), we then pick \(\eta = \frac{32}{g(j)}\) and \(\gamma'= \frac{\alpha}{g(j)}\). This ensures, that for every \(n\in \mathbb{N}\) and every \(q\in D_{i,n.j,g(j)}\), we get \[\begin{align} d_{\mathrm {TV}}(p,q) &\geq \frac{1}{2} \left(\frac{1}{j} - \frac{1}{g(j)}\right) \\ &= 4\alpha \eta + 4\gamma'. \end{align}\]

Then, for every \(m\geq 1\), if we choose \(n\geq \frac{m}{1-(1-\frac{1}{32})^{1/m}}\), we get \[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{sub},\eta}(p^m),V_{\mathrm{sub},\eta}(|Q|^m) ) \\ &\leq \frac{2}{g(j)\cdot \frac{32}{g(j)}} + 2 \left(1 - \left(1 - \frac{m}{2^n}\right)^m\right)\\ & \leq \frac{1}{8}. \end{align}\] ◻

Proof sketch. While adversaries act on samples drawn from two different distributions to make the manipulated sample distributions close, we will first give an illustration in terms of manipulating simple point-sets \(S_{p^m}\sim p^m\) and \(S_{|Q|^m} \sim |Q|^m\).

Roughly speaking, a successful subtractive adversary can remove part of the first sample \(S_{p^m}\) and part of the second sample \(S_{|Q|^m}\) to leave behind a common set \(S_{\mathrm{core}} = V_{\mathrm{sub}}(S_{p^m}) = V_{\mathrm{sub}}(S_{|Q|^m}) \subset S_{p^m} \cap S_{|Q|^m}\). We can view the generative process of \(S_{p^m}\) to be a sample \(S_{\mathrm{core}}\) combined with a sample \(S_{p^m} \setminus S_{\mathrm{core}}\), and the generative process of \(S_{|Q|^m}\) to be a sample \(S_{\mathrm{core}}\) combined with a sample from \(S_{|Q|^m}\setminus S_{\mathrm{core}}\). Hence to confuse the learner, the additive adversaries just needs to add the “opposite piece,” i.e., \(V_{\mathrm{add},Q^m}\) is mapping \(S_{p^m} = S_{\mathrm{core}} \cup (S_{p^m} \setminus S_{\mathrm{core}})\) to \(S_{\mathrm{core}} \cup (S_{p^m} \setminus S_{\mathrm{core}}) \cup (S_{|Q|^m} \setminus S_{\mathrm{core}})\) and \(V_{\mathrm{add},p^m}\) is mapping \(S_{Q^m} = S_{\mathrm{core}} \cup (S_{Q^m} \setminus S_{\mathrm{core}})\) to \(S_{\mathrm{core}} \cup (S_{Q^m} \setminus S_{\mathrm{core}})\cup (S_{p^m} \setminus S_{\mathrm{core}})\). Thus, if a pair of samples \(S_{p^m}\) and \(S_{|Q|^m}\) could be made indistinguishable by a subtractive adversary \(V_{\mathrm{sub}}\), then they can also be made indistinguishable by a pair of adversaries \(V_{\mathrm{add},|Q|^m}\) and \(V_{\mathrm{add},p^m}\).

Now we want to lift this intuition from samples to a more rigorous discussion of distributions. We note that if the subtractive adversary \(V_{\mathrm{sub}}\) is successfully confusing distributions \(p^m\) and \(|Q|^m\), then there is a distribution \(p_{\mathrm{core}}\) of common sets \(S_{\mathrm{core}} \sim p_{\mathrm{core}}\) that is close to both \(V_{\mathrm{sub}}(p^m)\) and \(V_{\mathrm{sub}}(|Q|^m)\) in total variation distance. Now, due to \(V_{\mathrm{sub}}(p^m)\) and \(p_{\mathrm{core}}\) being close, most samples in \(S_{p^m} \sim p^m\) can successfully be generated in an alternative way by first sampling \(S_{\mathrm{core}} \sim p_{\mathrm{core}}\) and then reversing the subtractive adversary \(V_{\mathrm{sub}}\) to generate \(S_{p^m} = S_{\mathrm{core}} \cup (S_p \setminus S_{\mathrm{core}}) = V^{-1}_{\mathrm{sub}, p^m}(S_{\mathrm{core}})\). In order to successfully reverse \(V_{\mathrm{sub}}\) we also need access to a prior distribution that generated the input samples for the adversary \(V_{\mathrm{sub}}\). If we have a prior distribution \(p^m\), we can define \(V_{\mathrm{sub},p^m}^{-1}(S_{\mathrm{core}})\) as the conditional distribution of \(S\), given \(V_{\mathrm{sub}}(S) = S_{\mathrm{core}}\), i.e., for every measurable subset \(B\subset \mathcal{X}\): \[\begin{align} &\mathbb{P}_{S \sim V_{\mathrm{sub},p^m}^{-1}(S_{\mathrm{core}})}[S \in B] = \\ &\quad \mathbb{P}_{S \sim p^m}[S \in B | V_{\mathrm{sub}}(S) = S_{\mathrm{core}}]. \end{align}\] Similarly, we can make the same observations for \(|Q|^m\) and define the reversed adversary \(V_{\mathrm{sub},|Q|^m}^{-1}\) equivalently. The additive adversaries \(V_{\mathrm{add},|Q|^m}\) and \(V_{\mathrm{add},p^m}\) are now defined by \[V_{\mathrm{add},|Q|^m}(S) = V_{\mathrm{sub},|Q|^m}^{-1}(V_{\mathrm{sub}}(S)) \cup (S \setminus V_{\mathrm{sub}}(S))\] and \[V_{\mathrm{add},p^m}(S) = V_{\mathrm{sub},p^m}^{-1}(V_{\mathrm{sub}}(S)) \cup (S \setminus V_{\mathrm{sub}}(S)).\] Now, since both \(V_{\mathrm{sub}}(p^m)\) and \(V_{\mathrm{sub}}(|Q|^m)\) are close to \(p_{\mathrm{core}}\), the distributions \(V_{\mathrm{add},|Q|^m}(p^m)\) and \(V_{\mathrm{add},p^m}(|Q|^m)\) are both close in TV-distance to the distribution of samples \[V_{\mathrm{add},|Q|^m}(S_{\mathrm{core}}) \cup V_{\mathrm{add},p^m}(S_{\mathrm{core}}) \setminus S_{\mathrm{core}},\] where \(S_{\mathrm{core}}\sim p_{\mathrm{core}}\). In particular, the only difference between \(V_{\mathrm{add},|Q|^m}(p^m)\) and \(V_{\mathrm{add},p^m}(|Q|^m)\) can be understood as differences in the sampling of \(S_{\mathrm{core}}\), as given \(S_{\mathrm{core}}\), the distribution of additional samples is the same in both cases. Thus, \(d_{\mathrm {TV}}(V_{\mathrm{add},|Q|^m}(p^m), V_{\mathrm{add},p^m}(|Q|^m))\leq d_{\mathrm {TV}}(V_{\mathrm{sub}}(p^m), V_{\mathrm{sub}}(|Q|^m)) < \zeta.\) ◻

Proof. This corollary directly follows from Theorem 5 and Theorem 4. ◻

Proof. This corollary follows directly from Corollary 1 and Lemma 4. ◻

Proof sketch. Given a subtractive adversary \(V_{\mathrm{sub}}\) as before, the additive adversary obtains new samples by first applying \(V_{\mathrm{sub}}\) to obtain a subset \(S'=V_{\mathrm{sub}}(S)\subset S\). We then again use the reverse mappings \(V^{-1}_{\mathrm{sub},p^m}\) and \(V^{-1}_{\mathrm{sub},|Q|^m}\) to obtain new sample points. However, now, in contrast to the previous theorem, the idea is not to apply \(V_{\mathrm{sub},p^m}^{-1}\) or \(V_{\mathrm{sub},|Q|^m}^{-1}\) just once for their respective distribution. Instead, the adversary makes use of both of these mappings a randomized number of times. That is, the adversary \(V_{\mathrm{add},k}\) picks a number \(u\) from \(\{0,1,\dots,k\}\) uniformly at random. Then, for every \(i\in [k]\) it generates a sample \(S_i'' = V_{\mathrm{sub},p^m}^{-1}(S')\) if \(i \leq u\) and \(S_i'' = V_{\mathrm{sub},|Q|^m}^{-1}(S')\) otherwise. All newly obtained samples are then concatenated with the original \(S\) to produce the output sample \[S'' = S' \cup (S\setminus S') \cup (S_1''\setminus S') \cup \dots \cup (S_k''\setminus S').\] Now consider the number of different subsamples within this concatenation that are generated by \(V_{\mathrm{sub},p^m}^{-1}(S')\). This number is \(u+1\) if the initial sample \(S\) was generated by \(S\sim p^m = V_{\mathrm{sub},p^m}^{-1}(S')\) and this number is \(u\) if the initial sample \(S\) was generated by \(S\sim|Q|^m =V_{\mathrm{sub}, |Q|^m}^{-1}(S')\). The resulting total variation distance \(d_{\mathrm {TV}}(V_{\mathrm{add},k}(|Q|^m), V_{\mathrm{add},k}(p^m))\) is thus upper bounded by \[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{add},k}(|Q|^m), V_{\mathrm{add},k}(p^m)) \\ & \quad \leq d_{\mathrm {TV}}(V_{\mathrm{sub}}(|Q|^m), V_{\mathrm{sub}}(p^m)) \\ &\quad + d_{\mathrm {TV}}(U_{\{0,1,\dots,k\}},U_{\{1,\dots,k,k+1\}} ) \\ &\quad = \zeta+\frac{1}{k+1}. \end{align}\] ◻

Proof. This corollary directly follows from Theorem 6 and Theorem 4. ◻

Proof. From Lemma 1 we know that \(\mathcal{C}_g\) is realizably learnable with sample complexity function \(m_{\mathcal{C}_g}^{\mathrm{re}}(\varepsilon,\delta) \leq \log\left(\frac{1}{\delta}\right) g\left(\frac{1}{\varepsilon}\right)\). From Lemma 4 and Corollary 1, we can infer that for every \(\alpha\geq 1\) there is a universal subtractive adversary \(V_{\mathrm{sub},\eta}\) with budget \(\eta\), such that for every \(m\in \mathbb{N}\), \(V_{\mathrm{sub},\eta}\) is successfully \((4\alpha \eta + 4 \gamma', \zeta)\)-confusing \(\mathcal{C}_g\) generated examples of size \(m\). Finally, from Corollary 3, we get that the above implies that there is a adaptive additive adversary that has budget \(2\eta\) and is a universal \(\alpha\)-adversary for \(\mathcal{C}_g\). ◻

Proof. This result follows directly from Theorem 3 and Theorem 1.5 of [6]. ◻

Proof. By definition of \((\gamma,\zeta)\)-confusion of \(\mathcal{C}\)-generated samples of size \(m\), there are distributions \(p\in \mathcal{C}\) and \(|Q|\in \Delta(\mathcal{C})\), such that

• for every \(q\in \mathrm{supp}(Q)\), we have \(d_{\mathrm {TV}}(p,q)> \gamma\) and

• \(d_{\mathrm {TV}}(V_1(|Q|^m), V_2(p^m) ) < \zeta\).

Assume by way of contradiction that there is a learner \(A\) such that for every \(r\in \mathcal{C}\), \[\mathbb{P}_{S\sim r^m}\left[d_{\mathrm {TV}}(A(V_1(S)), r) > \frac{\gamma}{2}\right] < \frac{1}{2} - \frac{\zeta}{2}\] and \[\mathbb{P}_{S\sim r^m}\left[d_{\mathrm {TV}}(A(V_2(S)), r) > \frac{\gamma}{2}\right] < \frac{1}{2} - \frac{\zeta}{2}.\] In particular, this means that for \(p\in \mathcal{C}\), we have \[\mathbb{P}_{S\sim p^m}\left[d_{\mathrm {TV}}(A(V_1(S)), p) \leq \frac{\gamma}{2}\right] \geq 1 -\left(\frac{1}{2} - \frac{\zeta}{2}\right) = \frac{1}{2} + \frac{\zeta}{2}\] and \[\label{eq:lemma1952} \mathbb{P}_{S\sim p^m}\left[d_{\mathrm {TV}}(A(V_2(S)), p) \leq \frac{\gamma}{2}\right] \geq 1 -\left(\frac{1}{2} - \frac{\zeta}{2}\right) = \frac{1}{2} + \frac{\zeta}{2}.\tag{1}\]

We note that for any \(p_1, p_2\) with \(d_{\mathrm {TV}}(p_1,p_2) < d\) and any predicate \(F\), we have \[\mathbb{P}_{x\sim p_2}\left[F(x)\right] - d \leq \mathbb{P}_{x\sim p_1}[F(x)] \leq \mathbb{P}_{x\sim p_2}[F(x)] +d .\] Thus, for meta-distribution \(Q\) with \(d_{\mathrm {TV}}(V_1(|Q|^m),V_2(p^m))] < \zeta\) we have, \[\label{eq:lemma1953} \mathbb{P}_{S \sim |Q|^m}\left[d_{\mathrm {TV}}(A(V_1(S)),p) \leq \frac{\gamma}{2}\right] \geq \mathbb{P}_{S \sim p^m}\left[d_{\mathrm {TV}}(A(V_2(S)),p) \leq \frac{\gamma}{2}\right] - \zeta \geq_{(\ref{eq:lemma1952})} \frac{1}{2} + \frac{\zeta}{2}- \zeta = \frac{1}{2} - \frac{\zeta}{2}.\tag{2}\] Furthermore, we have \[\begin{align} &&\max_{q\in \mathrm{supp}(Q)} \mathbb{P}_{S \sim q^m}\left[d_{\mathrm {TV}}(A(V_1(S)),p) \leq \frac{\gamma}{2}\right] \notag\\ &\geq& \mathbb{P}_{q\sim Q}\mathbb{P}_{S \sim q^m}\left[d_{\mathrm {TV}}(A(V_1(S)),p) \leq \frac{\gamma}{2}\right] \notag \\ &=_{\text{Definition of |Q|^m}}& \mathbb{P}_{S \sim |Q|^m}\left[d_{\mathrm {TV}}(A(V_1(S)),p)\leq \frac{\gamma}{2}\right] \notag \\ &\geq_{(\ref{eq:lemma1953})}& \frac{1}{2} - \frac{\zeta}{2}. \label{eq:lemma951954} \end{align}\tag{3}\] Let \[q_{\mathrm{max}} = \arg\max_{q\in \mathrm{supp}(Q)} \mathbb{P}_{S \sim q^m}\left[d_{\mathrm {TV}}(A(V_1(S)),p) \leq \frac{\gamma}{2}\right].\]

Recall that, for every \(q\in \mathrm{supp}(Q)\), we have \(d_{\mathrm {TV}}(p,q) > \gamma\). Thus triangle inequality yields \[d_{\mathrm {TV}}(A(V_1(S)),q_{\mathrm{max}}) + d_{\mathrm {TV}}(A(V_1(S)),p) > \gamma.\]

Thus, \(d_{\mathrm {TV}}(A(V_1(S),p)) \leq \frac{\gamma}{2}\) implies \(d_{\mathrm {TV}}(A(V_1(S),q_{\mathrm{max}})) > \frac{\gamma}{2}\), yielding, \[\begin{align} & &\mathbb{P}_{S \sim q_{\mathrm{max}}}\left[d_{\mathrm {TV}}(A(V_1(S)),q_{\mathrm{max}}) > \frac{\gamma}{2}\right]\\ &\geq &\mathbb{P}_{S \sim q_{\mathrm{max}}}\left[d_{\mathrm {TV}}(A(V_1(S)),p) \leq \frac{\gamma}{2}\right]\\ &\geq_{(\ref{eq:lemma951954})}& \frac{1}{2} -\frac{\zeta}{2}. \end{align}\] This contradicts our assumption on \(A\), which proves the claim. ◻

Proof. Assume by way of contradiction that there was a successful \(\alpha\)-robust learner \(A\) with sample complexity \(m_{\mathcal{C}}\) for \(\mathcal{C}\) with respect to \(\mathcal{V}\supset \{V_1, V_2\}\).

Let \[\delta= \min\left\{\frac{1 - \zeta}{2},\delta'\right\}\] and \[\varepsilon= \min\{\gamma',\varepsilon'- \alpha \max\{\eta_1, \eta_2\}\}.\] Furthermore, let \(m= m_{\mathcal{C}}^{\mathcal{V},\alpha}(\varepsilon,\delta)\).

According to the assumptions of the theorem, we know that the pair \((V_1,V_2)\) successfully \((\gamma,\zeta)\)-confuses \(\mathcal{C}\)-generated samples of size \(m\) with \[\gamma = 2 \alpha \cdot \max\{\eta_1, \eta_2\} + 2 \gamma.\] Now consider \[\begin{align} \alpha \cdot \eta_1 +\varepsilon&= \alpha \cdot \eta_1 + \gamma' \\ &\leq \frac{\gamma}{2}. \end{align}\] With the same argument, we have \(\alpha \cdot \eta_2 +\varepsilon\leq \frac{\gamma}{2}\). Now using Lemma 2, we can infer that there is a distribution \(r\in \mathcal{C}\) such that either \[\begin{align} &\mathbb{P}_{S\sim r^m}\left[d_{\mathrm {TV}}(A(V_1(S) ), r)> \alpha \cdot \eta_1 +\varepsilon\right] \\ &\geq \mathbb{P}_{S\sim r^m}\left[d_{\mathrm {TV}}(A(V_1(S) ), r)> \frac{\gamma}{2}\right] \\ &\geq \frac{1}{2}- \frac{\zeta}{2} = \delta. \end{align}\] or \[\begin{align} &\mathbb{P}_{S\sim r^m}[d_{\mathrm {TV}}(A(V_2(S) ), r)> \alpha \cdot \eta_2 +\varepsilon] \\ &\geq \mathbb{P}_{S \sim r^m}[d_{\mathrm {TV}}(A(V_2(S) ), r) > \frac{\gamma}{2}]\\ &\geq \frac{1}{2}- \frac{\zeta}{2}= \delta. \end{align}\] This is a contradiction to the assumption that \(A\) is a \(\alpha\)-robust learner of \(\mathcal{C}\) with respect to \(\mathcal{V}\) with sample complexity \(m_{\mathcal{C}}^{\mathcal{V},\alpha}\). Furthermore, if \(V_1=V_2\), then \(V_1\) is a universal \(\alpha\)-adversary. ◻

Proof. We will start by making observations for the adversary \(V_{\mathrm{sub}, \eta}\) for arbitrary \(\eta> 0\), and later discuss how to choose \(\eta\) for a given \(\alpha\). Similarly, we first start by making observations for general \(n,i,j,k \in \mathbb{N}\) and then discuss appropriate choices for these numbers.

We first note that for \(p = p_{i,j,k}\) with \(|B_i|=2^{2^n}\) and \(D_{i,n,j,k}= \{p_{i',j,k} : B_{i'} \subset B_i: |B_{i'}| = 2^n \}\), we have that for every \(q\in D_{i,n,j,k}\) \[\begin{align} d_{\mathrm {TV}}(p, q) &\geq \left(\frac{1}{j} - \frac{1}{k}\right)d_{\mathrm {TV}}(U_{B_i \times {2j}}, U_{B_{i'} \times {2j}}) \\ &\geq \frac{1}{2} \left(\frac{1}{j} - \frac{1}{k}\right). \end{align}\]

Furthermore, consider \(Q = U_{D_{i,n,j,k}}\).

We note that the distributions \(V_{\mathrm{sub},\eta}(p^m)\) and \(V_{\mathrm{sub},\eta}(|Q|^m)\) are both distributions over multisets \(S' = \mathrm{constants}(S') \cup \mathrm{odds}(S') \cup \mathrm{indicators}(S')\). We note that for any two samples \(S'_a \in \mathcal{X}^*\) and \(S'_b \in \mathcal{X}^*\) by definitions of \(\mathrm{constants}, \mathrm{odds}, \mathrm{ind}\), we have \[\begin{align} &S'_a \cap S'_b =\\ &\quad (\mathrm{constants}(S'_a) \cap \mathrm{constants}(S'_b)) \cup (\mathrm{odds}(S'_a) \cap \mathrm{odds}(S'_b)) \cup (\mathrm{ind}(S'_a) \cap \mathrm{ind}(S'_b)). \end{align}\] Where each of the three sets \((\mathrm{constants}(S'_a) \cap \mathrm{constants}(S'_b)), (\mathrm{odds}(S'_a) \cap \mathrm{odds}(S'_b)) , (\mathrm{ind}(S'_a) \cap \mathrm{ind}(S'_b))\) are pairwise disjoint. We can thus write the total variation distance between \(V_{\mathrm{sub},\eta}(p^m)\) and \(V_{\mathrm{sub},\eta}(|Q|^m)\) as

\[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{sub},\eta}(p^m),V_{\mathrm{sub},\eta}(|Q|^m) )\\ & = d_{\mathrm {TV}}(\mathrm{constants}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{constants}(V_{\mathrm{sub},\eta}(|Q|^m) )) \\ & \quad + d_{\mathrm {TV}}(\mathrm{odds}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{odds}(V_{\mathrm{sub},\eta}(|Q|^m) )) \\ & \quad+ d_{\mathrm {TV}}(\mathrm{ind}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{ind}(V_{\mathrm{sub},\eta}(|Q|^m) ))\\ \end{align}\]

For a distribution \(P \in \Delta(\mathcal{X}^*)\) over sets, we define the distribution \(\mathrm{count}(P)\in \Delta(\mathbb{N})\) by \[\forall B\subset \mathbb{N}: \mathrm{count}(P)(B) = \mathbb{P}_{S\sim P}[|S|\in B].\] We note that the distributions of the count of each of the subsets are the same for both \(V_{\mathrm{sub},\eta}(p^m)\) and \(V_{\mathrm{sub},\eta}(|Q|^m)\). That is, \[d_{\mathrm {TV}}(\mathrm{count}(\mathrm{constants}\left(V_{\mathrm{sub},\eta}(p^m))),\mathrm{count}(\mathrm{constants}(V_{\mathrm{sub},\eta}(|Q|^m))) \right) = 0,\] \[d_{\mathrm {TV}}(\mathrm{count}(\mathrm{odds}(V_{\mathrm{sub},\eta}(p^m))),\mathrm{count}(\mathrm{odds}(V_{\mathrm{sub},\eta}(|Q|^m))) ) = 0,\] and \[d_{\mathrm {TV}}(\mathrm{count}(\mathrm{indicators}(V_{\mathrm{sub},\eta}(p^m))),\mathrm{count}(\mathrm{indicators}(V_{\mathrm{sub},\eta}(|Q|^m))| ) = 0.\] Furthermore, for two different samples \(S_a\) and \(S_b\), \(\mathrm{constants}(S_a) = \mathrm{constants}(S_b)\) if and only if \(|\mathrm{constants}(S_a)| = |\mathrm{constants}(S_b)|\). Thus, \[d_{\mathrm {TV}}(\mathrm{constants}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{constants}(V_{\mathrm{sub},\eta}(|Q|^m) )) =0.\]

Furthermore, \[\begin{align} &\mathbb{P}_{S'\sim V_{\mathrm{sub},\eta}(p^m)}[\mathrm{odds}(S') | |\mathrm{odds}(S')|=l \text{ and there are no repeated elements in } \mathrm{odds}(S') ] = \\ & \qquad \mathbb{P}_{S'\sim V_{\mathrm{sub},\eta}(|Q|^m)}[\mathrm{odds}(S') | |\mathrm{odds}(S')|=l \text{ and there are no repeated elements in } \mathrm{odds}(S') ], \end{align}\] since both \(|Q|^m\) and \(p^m\) give equal weights to all subsets of \(B_i\) the same size. Lastly, we note that while the indicator of samples from \(p\) and samples from \(Q\) differ, the adversary \(V_{\mathrm{sub},\eta}\) deletes all these elements, if \(|\mathrm{indicators}(S)|\) does not exceed the budget-count.

Taking all of these observations together, we can bound the total variation distance in terms of repeating elements in \(\mathrm{odds}(S)\) and the probability that \(|\mathrm{ind}(S)|\) exceeds the budget of the adversary.

\[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{sub},\eta}(p^m),V_{\mathrm{sub},\eta}(|Q|^m) )\\ & \leq d_{\mathrm {TV}}(\mathrm{constants}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{constants}(V_{\mathrm{sub},\eta}(|Q|^m) )) \\ & \quad + d_{\mathrm {TV}}(\mathrm{odds}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{odds}(V_{\mathrm{sub},\eta}(|Q|^m) )) \\ & \quad+ d_{\mathrm {TV}}(\mathrm{ind}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{ind}(V_{\mathrm{sub},\eta}(|Q|^m) ))\\ &\leq \mathbb{P}_{S\sim p^m}[\mathrm{odds}(S) \text{ contains repeated elements}]\\ &\quad+\mathbb{P}_{S\sim |Q|^m}[\mathrm{odds}(S) \text{ contains repeated elements}]\\ &\quad + \mathbb{P}_{S\sim p^m}[|\mathrm{ind}(S)| > \eta |S|]\\ &\quad + \mathbb{P}_{S\sim |Q|^m}[|\mathrm{ind}(S)| > \eta|S|].\\ \end{align}\] The first two terms can be bounded via a birthday paradox: \[\begin{align} \mathbb{P}_{S\sim p^m}[\mathrm{odds}(S) \text{ contains repeated elements}] +\mathbb{P}_{S\sim |Q|^m}[\mathrm{odds}(S) \text{ contains repeated elements}] \leq 2\cdot \left(1 - \left(1 -\frac{m}{2^n}\right)^m\right) \end{align}\]

The last two terms can each be upper bounded by using Markov’s inequality:

\[\begin{align} \mathbb{P}_{S\sim p^m}[|\mathrm{ind}(S)| > \eta |S|] + \mathbb{P}_{S\sim |Q|^m}[|\mathrm{ind}(S)| > \eta |S|] &\leq 2 \frac{\frac{m}{k}}{\eta m } = \frac{2}{k\eta} \end{align}\]

Since we are considering distributions in \(\mathcal{C}_g\), we note that the distributions \(D_{i,n,j,k}\) need to be of the form \(D_{i,n,j,g(j)}\). We now want to argue that for appropriate choices of \(j\) and \(\eta\) (both independent of \(m\)), as well as for an appropriate choice of \(n\) given \(m\), the inequalities of the theorem are satisfied.

First, we note that since \(g\) grows faster than linear, it is possible to pick \(j\) in such a way that it satisfies the inequality \[g(j) \geq \max\{1024 \alpha j\}.\] Given such \(j\), we then pick \(\eta = \frac{32}{g(j)}\) and \(\gamma'= \frac{\alpha}{g(j)}\). This ensures, that for every \(n\in \mathbb{N}\) and every \(q\in D_{i,n.j,g(j)}\), we get \[\begin{align} d_{\mathrm {TV}}(p,q) &\geq \frac{1}{2} \left(\frac{1}{j} - \frac{1}{g(j)}\right) \\ &\geq \frac{1}{2}\left(\frac{1024\alpha }{g(j)} - \frac{1}{g(j)}\right) \\ &> \frac{256\alpha}{g(j)} \\ &= 4\alpha \eta + 4\gamma'. \end{align}\]

Then, for every \(m\geq 1\), if we choose \(n\geq \frac{m}{1- \left(1-\frac{1}{32}\right)^{1/m}}\), we get \[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{sub},\eta}(p^m),V_{\mathrm{sub},\eta}(|Q|^m) ) \\ &\leq \frac{2}{g(j) \cdot \frac{32}{g(j)}} + 2 \left( 1- \left( 1- \frac{m}{2^{n}}\right)^m\right)\\ &\leq \frac{1}{16} +2 \left( 1- \left( 1- \frac{m}{n}\right)^m\right)\\ &\leq \frac{1}{16} +2 \left( 1- \left( 1- \frac{m}{\frac{m}{\left(1 - \left(1 - \frac{1}{32}\right)^{1/m}\right)}}\right)^m\right)\\ & \leq \frac{1}{16} + 2\cdot \frac{1}{32}\\ & \leq \frac{1}{8}. \end{align}\] ◻

Proof. While in the main part of the paper, we often use the same notation for a random variable \(S\sim p^m\) and a specific sample set \(S\in \mathcal{X}^*\), in order to make this proof more formal, we will now distinguish between random variables \(S\sim p^m\), which we keep writing with capitalized notation and specific sample set \(s\in \mathcal{X}^*\) for which we use non-capitalized notation.

We note, that since adversaries \(V\) are in general randomized, for every \(s\in \mathcal{X}^*\), \(V(s)\) is a random variable with samples in \(s'\in \mathcal{X}^*\). For every adversary \(V\), let us denote the distribution of random variable \(V(s)\) by \(p_{V(s)}\).

We note, that for a random variable \(S\sim r^m\), the distribution of the random variable \(V(S)\) defined for every \(B\subset \mathcal{X}^*\) by

\[p_{V,r}(B) = \int_{s'\in B} \int_{s\in \mathcal{X}^*} dp_{V(s)}(s') dr(s).\] Accordingly, we have \[dp_{V,r}(s') = \int_{s\in \mathcal{X}^*} dp_{V(s)}(s') dr(s).\]

We now want to formally define the reverse mapping \(f_{V,r,s'}\) that, when given an input sample \(S'\sim V(S)\) with \(S\sim r^m\), outputs a sample \(S''\sim r^m\). That is, roughly, \(f_{V,r,s'}(s) =\mathbb{P}_{S\sim r^m}[S=s|V(S)=s']\).

For a distribution \(r\) over \(\mathcal{X}^*\) and an adversary \(V\), let us consider the random function \(f_{V, r}^{-1}\) that takes as input a sample \(s'\in \mathcal{X}^*\) and outputs an element of \(\mathcal{X}^*\) according to the probability distribution \(p_{V^{-1},r,s'}\) which for every \(B\subset \mathcal{X}^*\) is defined by \[p_{V^{-1},r,s'}(B) = \frac{\int_{s\in B} dp_{V(s)}(s') dr(s) }{\int_{S\in \mathcal{X}^m} dp_{V(s)}(s') dr(s)} .\]

Similarly,

\[dp_{V^{-1},r,s'}(s'') = \frac{ dp_{V(s'')}(s') dr(s'') }{\int_{s\in \mathcal{X}^m} dp_{V(s)}(s') dr(s)} .\]

Thus, if we consider the random variable \(S''=f^{-1}_{V,r}(V(S))\) for some \(S\sim r\), we get \(S'' \sim r\), as desired:

\[\begin{align} \mathbb{P}_{S\sim r}[f^{-1}_{V,r}(V(S)) \in B''] &= \int_{s''\in B''}\int_{s\in \mathcal{X}^*}\int_{s'\in \mathcal{X}^*} dp_{V^{-1},r,s'}(s'') dp_{V(s)}(s') dr(s)\\ &= \int_{s''\in B''}\int_{s\in \mathcal{X}^*}\int_{s'\in \mathcal{X}^*} \frac{ dp_{V(s'')}(s') dr(s'') }{\int_{s'''\in \mathcal{X}^m} dp_{V(s''')}(s') dr(s''')} dp_{V(s)}(s') dr(s)\\ &= \int_{s''\in B''}\int_{s'\in \mathcal{X}^*} \frac{ \int_{s\in \mathcal{X}^*} dp_{V(s)}(s') dr(s) dp_{V(s'')}(s') dr(s'') }{\int_{s'''\in \mathcal{X}^m} dp_{V(s''')}(s') dr(s''')} \\ &= \int_{s''\in B''}\int_{s'\in \mathcal{X}^*} dp_{V(s'')}(s') dr(s'')\frac{ \int_{s\in \mathcal{X}^*} dp_{V(s)}(s') dr(s) }{\int_{s'''\in \mathcal{X}^m} dp_{V(s''')}(s') dr(s''')} \\ &= \int_{s''\in B''}\int_{s'\in \mathcal{X}^*} dp_{V(s'')}(s') dr(s'')\\ &= \int_{s''\in B''}dr(s'') \\ = \mathbb{P}_{S\sim r}[S\in B'']. \end{align}\]

We note, that by the same argument, we can factorize \(r\) in the following way:

\[r(B) = \int_{s\in B} \int_{s'\in \mathcal{X}^*} dp_{V,r}(s') dp_{V^{-1},r,s'}(s).\]

Now consider a subtractive adversary \(V_{\mathrm{sub}}\).Since it is subtractive adversary, we know that for every \(s\in \mathcal{X}^m\) and every \(s' \in \mathrm{supp}(p_{V_{\mathrm{sub}}(s)} \subset \bigcup_{i=(1-b)m}^m X^i\), we have \(s'\subset s\).

In particular, this means that for every \(s\in \mathcal{X}^m\) and every \(s' \in \mathrm{supp}(p_{V_{\mathrm{sub}}(s)}\), we have \(s = s' \cup (s\setminus S')\). Now let \(f^{\setminus}_{V^{-1},r}(s) = f_{V^{-1},r}(s) \setminus s\) with the corresponding probability measure.

\[p^{\setminus}_{V^{-1},r,s}(B) = p_{V^{-1},r,s}(B'),\] where \(B' = \{ s\cup s': s'\in B\}\).

Now consider the (randomized) additive adversary \(V_{\mathrm{add},r}\), defined by:

\[V_{\mathrm{add},r}(s) = S \cup f^{\setminus}_{V^{-1}_{\mathrm{sub}},r}(V_{\mathrm{sub}}(s))).\]

Thus for the corresponding probability measure for the random variable \(V_{\mathrm{add},r}(s)\) is defined by \[\begin{align} p_{V_{\mathrm{add},r}(s)}(B''') &= \int_{s'''\in B'''}\int_{s''\in \mathcal{X}^*}\int_{s'\in X^*}dp_{V_{\mathrm{sub}}(s)}(s')dp_{V^{-1}_{\mathrm{sub},r,s'}}(s'') \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] \end{align}\]

Furthermore, for every probability distribution \(q\) we have.

\[\begin{align} &\mathrm{P}_{S\sim q}[V_{\mathrm{add},r}(S) \in B''']\\ &= \int_{s'''\in B'''}\int_{s\in \mathcal{X}^*} dp_{V_{\mathrm{add},r}(s)}(s''') dq(s)\\ &= \int_{s'''\in B'''}\int_{s\in \mathcal{X}^*}\int_{s'\in X^*}\int_{s'\in X^*}dp_{V_{\mathrm{sub}}(s)}(s')dp_{V^{-1}_{\mathrm{sub},r,s'}}(s'') \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] dq(s)\\ &= \int_{s'''\in B'''}\int_{s\in \mathcal{X}^*}\int_{s'\in X^*}\int_{s'\in X^*} \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] dp_{V_{\mathrm{sub}},q}(s') dp_{V^{-1},q,s'}(s) dp_{V^{-1},r,s'}(s'') \end{align}\]

Now consider the additive adversaries \(V_{\mathrm{add},p^m}\) and \(V_{\mathrm{add},|Q|^m}\).

\[\begin{align} &d_{\mathrm {TV}}(V_{\mathrm{add},p^m}(|Q|^m), V_{\mathrm{add},|Q|^m}(p^m) )\\ & =\frac{1}{2}\int_{s''' \in X^*} \left|\int_{s\in \mathcal{X}^m} dp_{V_{\mathrm{add},p^m}(s''')} d|Q|^m(s) - \int_{s\in \mathcal{X}^m} dp_{V_{\mathrm{add},p^m}(s''')} d|Q|^m(s)\right|\\ & =\frac{1}{2} \int_{s''' \in X^*}| \int_{s'\in \mathcal{X}^*} \int_{s \in \mathcal{X}^m} \int_{s'' \in \mathcal{X}^*} \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] dp_{V_{\mathrm{sub}},|Q|^m}(s') dp_{V^{-1},|Q|^m,s'}(s) dp_{V^{-1},p^m,s'}(s'') \\ &- \int_{s'\in \mathcal{X}^*} \int_{s \in \mathcal{X}^*} \int_{s''' \in \mathcal{X}^*} \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] dp_{V_{\mathrm{sub}}, p^m}(s') dp_{V^{-1},|Q|^m,s'}(s) dp_{V^{-1},p^m,s'}(s'') |\\ & =\frac{1}{2} \int_{s''' \in X^*}| \int_{s'\in \mathcal{X}^*} |dp_{V_{\mathrm{sub}},|Q|^m}(s') - dp_{V_{\mathrm{sub}}, p^m}(s'))| \\ &\qquad \cdot|\int_{s \in \mathcal{X}^m} \int_{s'' \in \mathcal{X}^*} \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] dp_{V^{-1},|Q|^m,s'}(s) dp_{V^{-1},p^m,s'}(s'')' | \\ & =\frac{1}{2} \left| \int_{s'\in \mathcal{X}^*} |dp_{V_{\mathrm{sub}},|Q|^m}(s') - dp_{V_{\mathrm{sub}}, p^m}(s'))\right| \\ &\qquad \cdot \int_{s''' \in X^*}\left|\int_{s \in \mathcal{X}^m} \int_{s'' \in \mathcal{X}^*} \mathbb{1}[s''' = s' \cup (s \setminus s') \cup (s'' \setminus s')] dp_{V^{-1},|Q|^m,s'}(s) dp_{V^{-1},p^m,s'}(s'') \right| \\ &\leq \frac{1}{2} \left| \int_{s'\in \mathcal{X}^*} |dp_{V_{\mathrm{sub}},|Q|^m}(s') - dp_{V_{\mathrm{sub}}, p^m}(s'))\right| \\ & = d_{\mathrm {TV}}(p_{V_{\mathrm{sub}}, p^m}, p_{V_{\mathrm{sub}}, |Q|^m}) \leq \zeta \end{align}\] where we get the second to last step by noticing that the last three integrals are a conditional probability distribution of the additive adversary outputting \(s'''\), conditioned on the subtractive adversary outputting \(s'\). As such, these integrals equate to 1.

Furthermore, we note that if \(V_{\mathrm{sub}}\) has a fixed constant budget with \(\eta m -1 < m \cdot \mathrm{budget}^{\mathrm{sub}}(V_{\mathrm{sub}},m ) \leq \eta m\), then we have \[\begin{align} \mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}, m ) &= \sup_{s\in \mathcal{X}^m} \frac{|V_{\mathrm{add},r}(s)|-|s|}{|s|} \\ &\leq \sup_{s\in \mathcal{X}^m} \sup_{s': s'\in \text{supp}\left(p_{V(s)}\right)} \sup_{s'': s''\in \mathrm{supp}\left(p_{V_{\mathrm{sub},r}^{-1}(s')}\right)}\frac{ |s\setminus s'|+|s''| - |s|}{|s|} \\ &\leq \max\left\{\frac{ \eta m -1 + (m -(\eta m -1)) \frac{1}{1-\eta} - m}{m}, \frac{ \eta m + (m -\eta m ) \frac{1}{1-\eta} - m}{m}\right\} \\ &\leq \max\left\{ \eta - 1 + \frac{ \eta + m -\eta m }{m(1-\eta)}, \eta \right\} \\ &\leq \max\left\{ \eta + \frac{ \eta }{m(1-\eta)}, \eta \right\} \\ &\leq \eta + \frac{\eta}{m - \eta m }. \end{align}\]

In particular, this means, that \[m \cdot \mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}, m ) \leq \eta m + \frac{\eta}{(1-\eta)}.\]

We note that \(\frac{\eta}{1-\eta}\) is strictly monotonically increasing in \(\eta\). Thus, for \(\eta < \frac{1}{2}\) we thus get,

\[m \cdot \mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}, m ) < \eta m + \frac{\frac{1}{2}}{\frac{1}{2}} = \eta m + 1.\]

Thus, \(\mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}) \leq \eta.\) ◻

Proof. Let \(u\) be a random variable that is uniformly distributed over \([k+1]= \{0,\dots, k\}\). Now let \(V_{\mathrm{add},k}\) be defined by the probability distribution \[\begin{align} dp_{V_{{\mathrm{add},k}(s)}} (s'') =& \int_{s'\in \mathcal{X}^*} d p_{V_{\mathrm{sub}}(s)}(s') \\ &\cdot\frac{1}{k+1}\sum_{u=0}^k \int_{s_1\in \mathcal{X}^*}\dots \int_{s_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k ( \mathbb{1}[u\geq i] dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,s'}(s_i)+ \mathbb{1}[u < i] dp_{V^{-1}_{\mathrm{sub}},p^m,s'}(s_i)) \right)\\ &\cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right)\right]. \end{align}\] We now note that \[\begin{align} \int_{s\in \mathcal{X}^m} dp_{V_{{\mathrm{add},k}(s)}} (s'') dp^m(s) &= \int_{s\in \mathcal{X}^m} \int_{s'\in \mathcal{X}^*} d p_{V_{\mathrm{sub}}(s)}(s') \\ &\cdot\frac{1}{k+1}\sum_{u=0}^k \int_{S_1\in \mathcal{X}^*}\dots \int_{S_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k ( \mathbb{1}[u\geq i] dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,S'}(S_i)+ \mathbb{1}[u < i] dp_{V^{-1}_{\mathrm{sub}},p^m,S'}(S_i)) \right)\\ &\cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right)\right]\\ & = \int_{s'\in \mathcal{X}^*} d p_{V_{\mathrm{sub},p^m}}(s') \int_{s\in \mathcal{X}^*} d p_{V_{\mathrm{sub},p^m,s'}}(s)\\ &\cdot\frac{1}{k+1}\sum_{u=0}^k \int_{S_1\in \mathcal{X}^*}\dots \int_{S_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k ( \mathbb{1}[u\geq i] dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,s'}(s_i)+ \mathbb{1}[u < i] dp_{V^{-1}_{\mathrm{sub}},p^m,s'}(s_i)) \right)\\ &\cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right)\right].\\ \end{align}\] Similarly, \[\begin{align} \int_{s\in \mathcal{X}^m} dp_{V_{{\mathrm{add},k}(s)}} (s'') dp^m(s) & = \int_{s'\in \mathcal{X}^*} d p_{V_{\mathrm{sub},|Q|^m}}(s') \int_{s\in \mathcal{X}^*} d p_{V_{\mathrm{sub},|Q|^m,s'}}(s)\\ &\cdot\frac{1}{k+1}\sum_{u=0}^k \int_{s_1\in \mathcal{X}^*}\dots \int_{s_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k ( \mathbb{1}[u\geq i] dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,s'}(s_i)+ \mathbb{1}[u < i] dp_{V^{-1}_{\mathrm{sub}},p^m,s'}(S_i)) \right)\\ &\cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right).\right] \end{align}\] We now note that \[\begin{align} \frac{1}{2} \int_{s'\in \mathcal{X}^*} \left| dp_{V_{\mathrm{sub},p^m}(s)}(s') - \int dp_{V_{\mathrm{sub}}(s),|Q|^m}(s') \right| \leq \zeta. \end{align}\] and \[\begin{align} &\frac{1}{k+1}\sum_{u=0}^k \int_{s\in \mathcal{X}^*} d p_{V_{\mathrm{sub},|Q|^m,s'}}(s)\int_{s_1\in \mathcal{X}^*}\dots \int_{s_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k ( \mathbb{1}[u\geq i] dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,s'}(s_i)+ \mathbb{1}[u < i] dp_{V^{-1}_{\mathrm{sub}},p^m,s'}(s_i)) \right)\\ &\cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right).\right]\\ &-\frac{1}{k+1}\sum_{u=0}^k \int_{s\in \mathcal{X}^*} d p_{V_{\mathrm{sub},p^m,s'}}(S)\int_{s_1\in \mathcal{X}^*}\dots \int_{s_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k ( \mathbb{1}[u\geq i] dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,s'}(s_i)+ \mathbb{1}[u < i] dp_{V^{-1}_{\mathrm{sub}},p^m,s'}(s_i)) \right)\\ &\cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right).\right]\\ &= \frac{1}{k+1} \int_{s\in \mathcal{X}^*} d p_{V_{\mathrm{sub},|Q|^m,s'}}(s)\int_{s_1\in \mathcal{X}^*}\dots \int_{s_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k (dp_{V^{-1}_{\mathrm{sub}},|\mathcal{Q}|^m,s'}(s_i)\right) \cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right).\right]\\ &- \frac{1}{k+1} \int_{s\in \mathcal{X}^*} d p_{V_{\mathrm{sub},p^m,s'}}(S)\int_{S_1\in \mathcal{X}^*}\dots \int_{S_k\in \mathcal{X}^*} \left(\Pi_{i=0}^k (dp_{V^{-1}_{\mathrm{sub}},p^m,s'}(s_i)\right) \cdot \mathbb{1}\left[s'' = s' \cup (s\setminus s') \cup \left(\bigcup_{i=1}^k (s_i \setminus s')\right).\right]\\ &\leq \frac{1}{k+1}. \end{align}\]

This means that \[\begin{align} d_{\mathrm {TV}}(V_{\mathrm{add},k}(p^m),V_{\mathrm{add},k}(|Q|^m) ) &= \frac{1}{2} \int_{s''\in \mathcal{X}^*} \left|\left(\int dp_{V_{\mathrm{add},k}(s)}(s'') dp^m(s) - \int dp_{V_{\mathrm{add},k}(s)}(s'') d|Q|^m(s) \right)\right|\\ &\leq \zeta + (1-\zeta)\frac{1}{k+1}. \end{align}\]

Furthermore, we note that if \(V_{\mathrm{sub}}\) has a fixed constant budget with \(\eta m -1 < m \cdot \mathrm{budget}^{\mathrm{sub}}(V_{\mathrm{sub}},m ) \leq \eta m\), then we have \[\begin{align} \mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},k}, m ) &= \sup_{s\in \mathcal{X}^m} \frac{|V_{\mathrm{add},k}(s)|-|s|}{|s|} \\ &\leq \max\{\frac{ (\eta m -1) + (m -(\eta m -1)) + k\left((m -(\eta m -1))\frac{1}{1-\eta} - (m -(\eta m -1)\right) - m}{m}, \\ &\qquad \frac{ \eta m + (m -\eta m ) + k(m -\eta m ) \left(\frac{1}{1-\eta} -1\right) - m}{m}\} \\ &\leq \max\left\{k\eta +\frac{ k\eta}{(1-\eta)m}, k \eta \right\} \leq k\eta +\frac{ k\eta}{(1-\eta)m} \end{align}\]

In particular, this means, that \[m \cdot \mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}, m ) \leq k\eta m + \frac{k\eta}{(1-\eta)}.\]

We note that \(\frac{\eta}{1-\eta}\) is strictly monotonically increasing in \(\eta\). Thus, for \(\eta < \frac{1}{2k}\) we thus get,

\[m \cdot \mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}, m ) < k \eta m + \frac{1/2}{1 -1/2k} < \eta m + 1.\]

Thus, \(\mathrm{budget}^{\mathrm{add}}(V_{\mathrm{add},r}) \leq \eta k.\) ◻

Proof. Assume by way of contradiction that there was a successful \(f\)-robust learner \(A\) with sample complexity \(m_{\mathcal{C}}^{\mathcal{V},f}\) for \(\mathcal{C}\) with respect to adversary class \(\mathcal{V}\supset \{V_1, V_2\}\).

Let \[\delta= \frac{1 - \zeta}{2}\] and

\[\varepsilon= \gamma'.\] Furthermore, let \(m= m_{\mathcal{C}}^{\mathcal{V},f}(\varepsilon,\delta)\). According to the assumptions of the theorem, we know that the pair \((V_1,V_2)\) successfully \((\gamma_f,\zeta)\)-confuses \(\mathcal{C}\)-generated samples of size \(m\) with \[\gamma_f= 2 \cdot \max\{f(\eta_1), f(\eta_2)\} + 2\gamma'.\] Now consider \[\begin{align} f(\eta_1) +\varepsilon&= f(\eta_1) + \gamma' \\ &\leq \frac{\gamma_f}{2} \end{align}\] With the same argument, we have \(f(\eta_2) +\varepsilon\leq \frac{\gamma_f}{2}\). Now using Lemma 2, we can infer that there is a distribution \(r\in \mathcal{C}\) such that either \[\begin{align} &\mathbb{P}_{S\sim r^m}\left[d_{\mathrm {TV}}(A(V_1(S) ), r)> f(\eta_1)+\varepsilon\right] \\ &\geq \mathbb{P}_{S\sim r^m}\left[d_{\mathrm {TV}}(A(V_1(S) ), r)> \frac{\gamma_f}{2}\right] \\ &\geq \frac{1}{2}- \frac{\zeta}{2} = \delta. \end{align}\] or \[\begin{align} &\mathbb{P}_{S\sim r^m}[d_{\mathrm {TV}}(A(V_2(S) ), r)> f(\eta_2)+\varepsilon] \\ &\geq \mathbb{P}_{S \sim r^m}\left[d_{\mathrm {TV}}(A(V_2(S) ), r) > \frac{\gamma_f}{2}\right]\\ &\geq \frac{1}{2}- \frac{\zeta}{2}= \delta. \end{align}\] This is a contradiction to the assumption that \(A\) is a \(f\)-robust learner of \(\mathcal{C}\) w.r.t \(\mathcal{V}\) with sample complexity \(m_{\mathcal{C}}^{\mathcal{V},f}\). Furthermore, if \(V_1=V_2\), then \(V_1\) is a universal \(\alpha\)-adversary. ◻

Proof. We note, that it is sufficient to show that there exists \(\eta \in [0,1]\) such that there is an adversary \(V_{\mathrm{sub}}\) with budget \(\eta\), such that there are \(\gamma', \zeta \in (0,1)\), such that for every \(m\in \mathbb{N}\), the adversary \(V_{\mathrm{sub}}\) successfully \((4f(\eta) +4 \gamma', \zeta)\)-confuses \(\mathcal{C}\)-generated samples of size \(m\).

For every monotonously increasing, continuous \(f: [0,1] \to [0,1]\) with \(f(0) = 0\) and every \(j\in \mathbb{N}\), there exists some \(\eta_j \in [0,1]\), such that \(f(\eta_j) < \frac{1}{16j}\). Thus, we can now define the function \(g\) as a monotonous function \(g: \mathbb{N}\to \mathbb{N}\) with \(\lim_{n \to \mathbb{N}} g(n) = \infty\) such that for every \(j \in \mathbb{N}\) we have \(g(j) \geq \max\{\frac{32}{\eta_j}, 4j\}\). It follows that, \[\begin{align} \label{inequality95frobust} \frac{1}{2j} &\geq \frac{1}{4j} + \frac{1}{4j} \geq 4f(\eta_j) + \frac{1}{g(j)}. \end{align}\tag{4}\]

Now let \(\mathcal{C}_g\) be the hypothesis class defined by \(g\) and \(V_{\mathrm{sub}, \eta}\) the corresponding subtractive adversary defined in Section 5.1. As in the proof of Theorem 3 we consider the class \(\mathcal{C}_g\) and the distribution \(p = p_{i,j,k} \in C_g\) with \(|B_i|=2^{2^n}\) and a set of distributions \(D_{i,n,j,g(j)}= \{p_{i',j,g(j)} : B_{i'} \subset B_i: |B_{i'}| = 2^n \}\). As in the previous proof, we note that for every \(q\in D_{i,n,j,g(j)}\) we have \[\begin{align} d_{\mathrm {TV}}(p, q) &\geq \left(\frac{1}{j} - \frac{1}{g(j)}\right)d_{\mathrm {TV}}(U_{B_i \times {2j}}, U_{B_{i'} \times {2j}}) \\ &\geq \frac{1}{2} \left(\frac{1}{j} - \frac{1}{g(j)}\right)\\ &\geq \frac{1}{2j} - \frac{1}{2g(j)}\\ &\geq_{(\ref{inequality95frobust})} 4f(\eta_j) +\frac{1}{g(j)} -\frac{1}{2g(j)}\\ &\geq 4f(\eta_j) +\frac{1}{2g(j)}.\\ \end{align}\] We now choose \(\eta = \eta_j = \frac{32}{g(j)}\), \(\gamma' = \frac{1}{8g(j)}\) and \(\zeta = \frac{1}{8}\). Then, \[\begin{align} d_{\mathrm {TV}}(p, q) &\geq \left(\frac{1}{j} - \frac{1}{g(j)}\right)d_{\mathrm {TV}}(U_{B_i \times {2j}}, U_{B_{i'} \times {2j}}) \\ &\geq 4f(\eta_j) +\frac{1}{2g(j)}\\ & = 4 f(\eta) + 4 \gamma'. \end{align}\] Now if we pick the meta-distribution \(Q\) as the uniform distribution over the set \(D_{i,n,j,g(j)}\) with \(n := \frac{m}{1 -\left(1\;- \frac{1}{32}\right)^{\frac{1}{m}}} + 1\). By the same calculation as in the proof of Theorem 3, we get

\[\begin{align} & d_{\mathrm {TV}}(V_{\mathrm{sub},\eta}(p^m),V_{\mathrm{sub},\eta}(|Q|^m) )\\ & \leq d_{\mathrm {TV}}(\mathrm{constants}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{constants}(V_{\mathrm{sub},\eta}(|Q|^m) )) \\ & \quad + d_{\mathrm {TV}}(\mathrm{odds}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{odds}(V_{\mathrm{sub},\eta}(|Q|^m) )) \\ & \quad+ d_{\mathrm {TV}}(\mathrm{ind}(V_{\mathrm{sub},\eta}(p^m)),\mathrm{ind}(V_{\mathrm{sub},\eta}(|Q|^m) ))\\ &\leq \mathbb{P}_{S\sim p^m}[\mathrm{odds}(S) \text{ contains repeated elements}]\\ &\quad+\mathbb{P}_{S\sim |Q|^m}[\mathrm{odds}(S) \text{ contains repeated elements}]\\ &\quad + \mathbb{P}_{S\sim p^m}[|\mathrm{ind}(S)| > \eta |S|]\\ &\quad + \mathbb{P}_{S\sim |Q|^m}[|\mathrm{ind}(S)| > \eta|S|]\\ &\leq 2\cdot \left(1 - \left(1 -\frac{m}{2^n}\right)^m\right) + \frac{2}{g(j) \eta}\\ &\leq 2\cdot \left(1 - \left(1 -\frac{m}{2^n}\right)^m\right) + \frac{2}{g(j) \eta}\\ &\leq 2 \left( 1- \left( 1- \frac{m}{\frac{m}{\left(1 - \left(1 - \frac{1}{32}\right)^{1/m}\right)}}\right)^m\right) + \frac{2}{g(j) \frac{32}{g(j)}}\\ & \leq 2\cdot \frac{1}{32} + \frac{2}{32} \\ & \leq \frac{1}{8}. \end{align}\]

Thus, for every \(m\in \mathbb{N}\) the adversary \(V_{\mathrm{sub}}\) successfully \((4 f(\eta) + 4\gamma', \zeta)\)-confuses \(\mathcal{C}_g\) generated samples of size \(m\). Using Theorem 6 and Theorem 7, we get the claimed result. ◻

Proof. Since \(V_{\mathrm{obl}}\) is subtractive with budget \(\eta\), there is \(r\in \Delta(\mathcal{X})\) with \(p = (1-\eta) V_{\mathrm{obl}}(p) + \eta r.\) We want to define a subtractive adaptive adversary \(V_{\mathrm{adp}}\) that takes into account \(p\) and \(r\) in such a way that it fulfills the requirement. We thus need to specify a way in which elements of a randomly drawn sample are deleted. Let \(\perp\) denote an abstract element that is not element of \(\mathcal{X}\). An instance of \(\perp\) can be thought of as a "deleted element". We now define an element-wise randomized subproceedure \(\mathrm{ElementRandomDelete}: \mathcal{X}\times \Delta(\mathcal{X}) \times \Delta(\mathcal{X}) \to \mathcal{X}\cup \{ \perp\}\) that randomly deletes \(x\) according to its probability (or density in the continuous case) of \(p(x)\) and \(r(x)\) respectively: \[\begin{align} \mathrm{ElementRandomDelete}(x,p,r) = \begin{cases} x &\text{, with probability } \frac{p(x) - \eta \cdot r(x)}{p(x)}\\ \perp &\text{, with probability } \frac{\eta \cdot r(x)}{p(x)} \end{cases} \end{align}\] Now for a sample \(S =\{x_1, \dots, x_m\}\), we define the corresponding operation \(\mathrm{SampleRandomDelete}: \mathcal{X}^* \times \Delta(\mathcal{X}) \times \Delta(\mathcal{X}) \to (\mathcal{X}\cup \{ \perp\})^*\) as element-wise (and independent) application of \(\mathrm{ElementRandomDelete}\): \[\begin{align} \mathrm{SampleRandomDelete}(S,r,p) &= \mathrm{SampleRandomDelete}(\{x_1, \dots, x_m\},p,r ):=\\ &=\{\mathrm{ElementRandomDelete}(x_1,p,r), \dots, \mathrm{ElementRandomDelete}(x_m,p,r)\}. \end{align}\] Now consider a sample \(S\sim p^m\). We now want to understand the distribution of \(\mathrm{SampleRandomDelete}(S,p,r)\). First, we note that since \(\mathrm{SampleRandomDelete}\) applies \(\mathrm{ElementRandomDelete}\) on all elements independently, we have \(\mathrm{SampleRandomDelete}(S,p,r) = \bigcup_{x\in S }\mathrm{ElementRandomDelete}(x,p,r)\), where every \(x\in S\) is independently drawn according to \(p\). Now, the distribution \(q\) of \(\mathrm{ElementRandomDelete}(x,p,r)\) for \(x\sim p\) can be understood as follows for \(x'\in \mathcal{X}\), we have \[q(x') = p(x') \cdot \frac{p(x') - \eta \cdot r(x')}{p(x')} = p(x') - \eta \cdot r(x') = (1-\eta) V_{\mathrm{obl}}(p)(x'),\] since \(\mathrm{ElementRandomDelete}(x,p,r)\) can only elvaluate to \(x'\) if \(x'=x\). Furthermore, for \(q(\perp)\) we get \[q(\perp) = \int_{x\in \mathcal{X}} p(x)\frac{\eta \cdot r(x)}{p(x)} = \int_{x\in \mathcal{X}} \eta \cdot r(x) = \eta.\] Thus, \(\mathrm{SampleRandomDelete}(S,p,r)\) is distributed according to \(q^m\), where \(q = (1-\eta) V_{\mathrm{obl}}(p) + \eta \delta_{\{\perp\}}\), where \(\delta_{\{\perp\}}\) is the deterministic distribution with all its mass on \(\{\perp\}\). The distribution \(q^m\) can alternatively be understood as \(V_{\mathrm{obl}}(p)^{m-n} \times \delta_{\{\perp\}}^(n)\) for a binomial random variable \(n \sim \mathrm{Binom}(m,\eta)\). Since the median of a binomial distribution \(\mathrm{Binom}(m, \eta)\) is between \(\lfloor \eta m\rfloor\) and \(\lceil \eta m\rceil\), with probability greater \(\frac{1}{2}\) we have \(n \leq \lceil \eta m\rceil\). We now define the (randomized) subtractive adaptive adversary \(V_{\mathrm{adp}}\) as follows.

• The adversary that first applies \(\mathrm{SampleRandomDelete}(\cdot,p,r)\) to \(S\) to generate some sample \(S'\).

• It then checks, whether \(|S'\cap \mathcal{X}|\leq (1-\frac{\lceil \eta m\rceil}{m})|S|\).

• Case 1: \(|S'\cap \mathcal{X}|\leq (1-\frac{\lceil \eta m\rceil}{m})|S|\). Then in order to match the desired budget, the adversary selects a subset \(S'' \subset S\setminus S'\) uniformly at random, such that \(|S''| + |S' \cap \mathcal{X}| = ((1-\frac{\lceil \eta m\rceil}{m}))|S|\) and outputs \(S'' \cup (S' \cap \mathcal{X})\).

• Case 2: \(|S'\cap \mathcal{X}|\geq (1-\frac{\lceil \eta m\rceil}{m})|S|\). In this case, the adversary outputs a subset \(S''' \subset (S' \cap \mathcal{X})\) which is uniformly selected at random and has size \(|S'''| = ((1-\frac{\lceil \eta m\rceil}{m}))|S|\).

By definition, the adaptive adversary \(V_{\mathrm{adp}}\) has a budget of \(\mathrm{budget}^{\mathrm{sub}}(V_{\mathrm{adp}}, m) = \frac{m - ((1-\frac{\lceil \eta m\rceil}{m}))|S| }{m} = \frac{\lceil \eta m\rceil}{m} \approx \eta\).

Lastly, we need to argue that \[\mathbb{P}_{S \sim p^m }[d_{\mathrm {TV}}(A(V_{\mathrm{adp}}(S)),p) \leq \alpha \cdot \mathrm{budget}(V_{\mathrm{adp}}) + \varepsilon] > \frac{\delta}{2}.\] We note, that the number of initially deleted elements \(|S| - |S' \cap \mathcal{X}|\) corresponds to the previously introduced binomial random variable \(n\). As argued before \(|S| - |S' \cap \mathcal{X}| = n \leq \lceil \eta m\rceil\) with probability at least \(\frac{1}{2}\). Thus with probability at least \(\frac{1}{2}\) Case 2 occurs, i.e., \(|S'\cap \mathcal{X}|\geq (1-\frac{\lceil \eta m\rceil}{m})|S|\). Furthermore, conditioned on Case 2 occuring, \(V_{\mathrm{adp}}(S)\) is distributed according to \(V_{\mathrm{obl}}(p)^{m-\lceil \eta \cdot m\rceil}\). The assumption that \[\mathbb{P}_{S \sim V_{\mathrm{obl}}(p)^{m- \lceil \eta \cdot m \rceil } }[d_{\mathrm {TV}}(A(S),p) > \alpha \cdot \mathrm{budget}(V_{\mathrm{obl}}) + \varepsilon] > \delta,\] therefore implies \[\mathbb{P}_{S \sim p^m }[d_{\mathrm {TV}}(A(V_{\mathrm{adp}}(S)),p) \leq \alpha \cdot \mathrm{budget}(V_{\mathrm{adp}}) + \varepsilon] > \frac{\delta}{2}.\] ◻