An observer combines a system's disclosed outputs with a prior over possible inputs to reconstruct a protected input to whatever resolution the prior permits. Reconstruction fidelity is bounded by channel mutual information times prior sharpness, so privacy is a property of the (system, adversary-with-prior) pair, not of the disclosure surface alone.
How would you explain it like I'm…
Guessing From Shadows
Imagine you hide a toy in a box and only let me see the box's shadow. If I know a lot about toys, I might guess what's inside just from the shadow's shape. Hidden-Information Reconstruction is figuring out a hidden thing from the clues it leaves behind, plus what you already know.
Rebuilding The Secret
Sometimes someone keeps a secret but lets you see things the secret *causes*, like the outputs of a machine the secret runs. An observer can take those outputs and combine them with a good *guess about what's likely* to rebuild the secret. It works because the outputs change depending on the secret (so they leak information), and a sharp guess narrows the possibilities until the outputs are enough to tell them apart. So 'I only showed the outputs, the secret is safe' is often wrong, the safety really depends on how much the outputs reveal and how good the observer's guesses are.
Outputs Plus A Prior
Hidden-Information Reconstruction is the pattern where a *holder* tries to protect an input by exposing only the *observable outputs* of a system that input drives, while an *observer* combines those outputs with a *prior* over possible inputs to rebuild the protected input to whatever resolution the prior allows. The holder's intended privacy is 'outputs only, inputs sealed,' but two facts defeat it: the outputs are *informative* about the inputs (because the system's behavior depends on them), and a *sharp enough prior* collapses the space of possibilities until the outputs can discriminate the survivors. Reconstruction quality is bounded by the product of two things, how much the output channel reveals about the input and how sharp the observer's prior is, and neither can be driven to zero without breaking the system's usefulness. The upshot: privacy is a property of the (system, adversary-with-prior) pair, not of the system alone, so a privacy claim that doesn't name the adversary's prior is incomplete.
Hidden-Information Reconstruction is the pattern by which a *holder* of some input intends to protect it by exposing only *observable outputs* of a system the input drives, while an *observer* combines those outputs with a *prior over possible inputs* to reconstruct the protected input to whatever resolution the prior permits. The holder's intended privacy envelope is 'outputs only, inputs sealed.' The observer's inference exploits two structural facts the holder cannot in general remove: the outputs are *informative* about the inputs because the system that produces them is not constant in the inputs, and a *sharp enough prior* over the input space collapses the hypothesis space to where the observable output channel suffices to discriminate among the remaining candidates. Reconstruction quality is bounded by the product of two quantities, the output channel's mutual information with the input, and the sharpness of the observer's prior, and neither can be driven to zero without changing the system's utility. Four commitments hold: an input the holder wants to protect (a key, a training record, a redacted word, a tissue density); a system the input drives whose outputs the holder discloses (a prediction, a power trace, a CT scan); a channel of informativeness by which output distributions differ across inputs; and a prior available to the observer from corpus statistics, physical models, or side knowledge. The distinctive move is placing the burden of non-reconstruction on the output channel and the prior, not on the disclosure surface alone: the correct model is 'I disclose outputs of known informativeness, an observer with a sharp prior reconstructs to that informativeness, and my defenses are to narrow the channel and deny the prior.' Privacy is thus a property of the (system, adversary-with-prior) pair, and a privacy claim that does not name the adversary's prior is structurally incomplete.
Separates cryptographic privacy (output independent of input) from operational privacy (informative but not reconstructable to the assumed adversary), exposing that most production privacy claims rest silently on an unverified bound on the adversary's prior.
Compresses many named attacks — side-channel, model inversion, traffic analysis, redaction reversal — into one diagnostic with a two-family defence taxonomy: channel narrowing and prior denial.
Audits any privacy design by naming the channel's informativeness, the adversary's prior, the defence family for each leg, and the composition exposure — since defences must be paired, reconstruction improves as adversary models improve, and disclosures compose super-additively.
In federated learning, a client shares only a gradient believing "the data never leaves the device," yet with a sharp natural-image prior that gradient reconstructs the contributing images at near-pixel fidelity — defeating the disclosure-surface framing exactly as the prime predicts.
Hidden Information Reconstruction is not Information Asymmetry because asymmetry names a static gap in who knows what whereas this is the active inference process by which an observer closes that gap.
Hidden Information Reconstruction is not Inversion because generic inversion is the exact reversal of a mapping whereas this is probabilistic, prior-bounded recovery to a resolution, with no exact reversal required.
Hidden Information Reconstruction is not Compression because compression cooperatively removes redundancy to enable recovery whereas here the output leaks input information as an unintended side effect and the holder wants reconstruction to fail.