Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange

Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (Eurocrypt, 2017). It is based on puncturable encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 s and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom filter encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.


Introduction
One central ingredient to secure today's Internet is key exchange (KE) protocols with the most prominent and widely deployed instantiations thereof in the transport layer security (TLS) protocol [45]. Using a KE protocol, two parties (e.g., a server and a client) are able to establish a shared secret (session key) which afterward can be used to cryptographically protect data to be exchanged between those parties. The process of arriving at a shared secret requires the exchange of messages between client and server, which adds latency overhead to the protocol. The time required to establish a key is usually measured in round-trip times (RTTs). A novel design goal, which was introduced by Google's QUIC protocol [47] and is also adopted in TLS version 1.3 [45], aims at developing zero round-trip time (0-RTT) protocols with strong security guarantees. So far, quite some effort was made in the cryptographic literature, e.g., [35,49], and, indeed, 0-RTT protocols are probably going to be used heavily in the future Internet as TLS version 1.3 adoption is growing rapidly. Besides TLS 1.3, Google's QUIC protocol is used on Google webservers and within the Chrome and Opera browsers to support 0-RTT. Unfortunately, none of the above mentioned protocols are enjoying 0-RTT and full forward secrecy at the same time. Only recently, Günther, Hale, Jager, and Lauer (GHJL henceforth) [33] made progress and proposed the first 0-RTT key exchange protocol with full forward secrecy for all transmitted payload messages. However, although their 0-RTT protocol offers the desired features, their construction is not yet practical.
In more detail, GHJL's forward-secret 0-RTT key-exchange solution is based on puncturable encryption (PE), which they showed can be constructed in a black-box way from any selectively secure hierarchical identity-based encryption (HIBE) scheme. Loosely speaking, PE is a public-key encryption primitive which provides a Puncture algorithm that, given a secret key and a ciphertext, produces an updated secret key that is able to decrypt all ciphertexts except the one it has been punctured on. PE has been introduced by Green and Miers [31] (GM henceforth) who provide an instantiation relying on a binarytree encryption (BTE) scheme-or selectively secure HIBE-together with a key-policy attribute-based encryption (KP-ABE) [30] scheme for non-monotonic (NM) formulas with specific properties. In particular, the KP-ABE needs to provide a non-standard property to enhance existing secret keys with additional NOT gates, which is satisfied by the NM KP-ABE in [44]. Since then, PE has proved to be a valuable tool to construct public-key watermarking schemes [20], forward-secret proxy re-encryption [24], 1 or to achieve chosen-ciphertext security for fully homomorphic encryption [17]. However, the mentioned PE instantiations from [17,20] are based on indistinguishability obfuscation and, thus, do not yield practical schemes at all.
When looking at the two most efficient PE schemes available, i.e., GM and GHJL, they still come with severe drawbacks. In particular, puncturing in GHJL is highly inefficient and takes several seconds to minutes on decent hardware for reasonable deployment parameters. In the GM scheme, puncturing is more efficient, but the cost of decryption is very significant and increases with the number of puncturings. More precisely, cost of decryption requires a number of pairing evaluations that depends on the number of puncturings, and can be in the order of 2 10 to 2 20 for realistic deployment parameters. These issues make both of them especially unsuitable for the application in forwardsecret 0-RTT key exchange in a practical setting.
Contributions In this paper, we introduce Bloom filter encryption (BFE), which can be considered as a variant of PE [17,20,31,33]. The main difference to other existing PE constructions is that in case of BFE, we tolerate a non-negligible correctness error. 2 This allows us to construct PE with highly efficient puncturing and in particular where puncturing only requires a few very efficient operations, i.e., to delete parts of the secret key, but no further expensive cryptographic operations. Altogether, this makes BFE a very suitable building block to construct practical forward-secret 0-RTT key exchange. In more detail, our contributions are as follows: -We formalize the notion of BFE by presenting a suitable security model. The intuition behind BFE is to provide highly efficient decryption and puncturing. Interestingly, puncturing mainly consists of deleting parts of the secret key. This approach is in contrast to existing puncturable encryption schemes, where puncturing and/or decryption is a very expensive operation. -We propose efficient constructions of BFE. First, we present a direct construction which uses ideas from the Boneh-Franklin identity-based encryption (IBE) scheme [12]. This construction allows us to achieve constant size public keys. Second, we present a black-box construction from a ciphertext-policy attribute-based encryption (CP-ABE) scheme that only needs to be small-universe (i.e., bounded) and to support threshold policies, which allows us to achieve constant size ciphertexts. Third, we describe a generic construction from identity-based broadcast encryption (IBBE), which is efficiently instantiable with the IBBE scheme by Delerablée [22]. This construction allows us to simultaneously achieve compact public keys and constant size ciphertexts. Finally, we propose time-based BFE (TB-BFE), an enhancement of BFE which additionally provides forward secrecy and thus prevents message suppression attacks, and provide a generic construction of TB-BFE from selectively secure HIBEs. -We adapt the Fujisaki-Okamoto (FO) transformation [25] to obtain CCA security in the random oracle model (ROM) to the BFE setting. This is technically nontrivial, and therefore we consider it as another interesting aspect of this work. In particular, the original FO transformation [25] works only for schemes with perfect correctness. Recently, Hofheinz et al. [37] have described a variant which works also for schemes with negligible correctness error. We formalize additional properties that are required to apply the FO transform, and show that our CPAsecure constructions satisfy them. This serves as a template that allows an easy application of the FO transform in a black-box manner to BFE schemes. Moreover, we also discuss how to achieve CCA security in the standard model. -We provide a construction of a forward-secret 0-RTT key exchange protocol (in the sense of GHJL) from TB-BFE. Furthermore, we give a detailed comparison of (TB-)BFE with other PE schemes and discuss the efficiency in the context of the proposed application to forward-secret 0-RTT key exchange. In particular, our construction of forward-secret 0-RTT key-exchange from TB-BFE has none of the drawbacks mentioned in Introduction (at the cost of a somewhat larger secret key, that, however, shrinks with the number of puncturings). Consequently, our forwardsecret 0-RTT key exchange can be seen as a significant step forward to construct very practical forward-secret 0-RTT key exchange protocols.
On tolerating a non-negligible correctness error for 0-RTT The huge efficiency gain of our construction stems partially from the relaxation of allowing a non-negligible correctness error, which, in turn, stems from the potentially non-negligible false-positive probability of a Bloom filter. While this is unusual for classical public-key encryption schemes, we consider it as a reasonable approach to accept a small, but non-negligible correctness error for the 0-RTT mode of a key exchange protocol, in exchange for the huge efficiency gain. For example, a 1 /10000 chance that the key establishment fails allows to use 0-RTT in 9999 out of 10,000 cases on average, which is a significant practical efficiency improvement. Furthermore, the communicating parties can implement a fallback mechanism which immediately continues with running a standard 1-RTT key exchange protocol with perfect correctness, if the 0-RTT exchange fails. Thus, the resulting protocol can have the same worst-case efficiency as a 1-RTT protocol, while most of the time 0-RTT is already sufficient to establish a key and full forward secrecy is always achieved.
Compared to other practical 0-RTT solutions, note that both TLS 1.3 [45] and QUIC [47] have similar fallback mechanisms. Furthermore, to achieve at least a very weak form of forward secrecy, they define so called tickets [45] or server configuration (SCFG) messages [47], which expire after a certain time. Forward secrecy is only achieved after the ticket/SCFG message has expired and the associated secrets have been erased. Therefore, the lifetime should be kept short. If a client connects to a server after the ticket/SCFG message has expired, then the fallback mechanism is invoked and a full 1-RTT handshake is performed. In particular for settings where a client connects only occasionally to a server, and for reasonably chosen parameters and a moderate life time of the ticket/SCFG message, which at least guarantees some weak form of forward secrecy, this requires a full handshake more often than with our approach.
Finally, note that puncturable encryption with perfect (or negligible) correctness error inherently seems to require secret keys whose size at least grows linearly with the number of puncturings. This is because any such scheme inherently must (implicitly or explicitly) encode information about the list of punctured ciphertexts into the secret key, which lower-bounds the size of the secret key [41]. By tolerating a non-negligible correctness error, we are also able to restrict the growth of the secret key to a limit which seems tolerable in practice.

Remark on forward secrecy and time-based constructions
In the literature, time-based puncturable encryption schemes are often termed puncturable forward-secure encryption schemes [31,33], which may seem confusing as the puncturable encryption schemes already provide mechanisms to achieve forward secrecy. The motivation for why timebased constructions was initially introduced is along the same lines and goes back to Green and Miers [31]. They described a message suppression attack against the forward secrecy of puncturable encryption. An adversary that suppresses message delivery can break forward secrecy of the primitive by compromising the receiving party's secret at a later point in time, and retroactively decrypting all suppressed messages.
Hence, Green and Miers proposed to construct a time-based construction where the attack is only feasible until both parties move to the next time slot, achieving a form of delayed forward secrecy. As the time-based constructions were inspired by forwardsecure encryption, the qualifier "forward-secure" was added to the primitive's name. For a detailed discussion on the meaning of forward secrecy in non-interactive settings such as 0-RTT, we refer to a recent work by Gellert and Boyd [14].
We believe a distinction between time-based and non-time-based constructions is meaningful. It makes explicit that the non-time-based constructions puncture out ciphertexts, in order to remove decryption capability for this ciphertext. In contrast, time-based constructions additionally allow to puncture time slots, which removes decryption capability for all possible ciphertexts from previous time slots. For our constructions, this also makes it possible to keep the size of secret keys smaller, as we explain in Sect. 4.
Differences to the conference version [23] In contrast to the conference version [23], this extended version contains some additions and updates. First, we chose to present all constructions explicitly as Bloom filter key encapsulation mechanisms (BFKEMs) instead of referring to them as Bloom filter encryption (cf. Sect. 2 for a discussion). Second, we provide an additional generic construction of a BFKEMfrom identity-based broadcast encryption (IBBE) in Sect. 3.4. Furthermore, we have corrected some ambiguities and minor issues within the definitional framework. Third, we provide a more elaborate discussion on the choice of parameters to provide more insights and decision support for the practical application of our proposals.
Follow-up work After the conference version of this paper, there was some follow-up work which we want to mention for completeness. Aviram et al. [3] study practical forward secrecy for 0-RTT in TLS 1.3 and in particular the session resumption feature of TLS 1.3. Lauer et al. [40] introduce a single-pass circuit construction protocol with forward secrecy for Tor, called Tor 0-RTT (T0RTT), which they construct from BFE. Dallmeier et al. [21] use BFE to implement the first fully forward-secret 0-RTT key exchange in Google's QUIC protocol and analyze its performance. Finally, there is follow-up work on puncturable encryption from Sun et al. [46] providing further constructions with negligible correctness error and different trade-offs.
Outline The remainder of this paper is organized as follows. In Sect. 2, we introduce the concept of Bloom filter encryption including a discussion on how to choose suitable Bloom filter parameters for our schemes. In Sect. 3, we present three constructions of Bloom filter encryption alongside with a modified Fujisaki-Okamoto transformation to achieve CCA security for our schemes. In Sect. 4, we formally define time-based Bloom filter encryption and present a generic construction based on hierarchical identity-based encryption. Section 5 explains that our time-based construction can be used to construct forward-secret 0-RTT key exchange. In Sect. 6, we compare computational efficiency and parameter size of our constructions with existing constructions in literature. Section 7 concludes the results of our work.

Bloom Filter Encryption
Notation Let λ ∈ N be the security parameter. For a finite set S, we denote by s ← $ S the process of sampling s uniformly from S. For an algorithm A, let y ← $ A(λ, x) be the process of running A on input (λ, x) with access to uniformly random coins and assigning the result to y. (We may omit to mention the λ-input explicitly and assume that all algorithms take λas input.) To make the random coins r explicit, we write A(λ, x; r ). We say an algorithm A is probabilistic polynomial time (PPT) if the running time of A is polynomial in λ. A function f is negligible if its absolute value is smaller than the inverse of any polynomial (i.e., if ∀ c ∃ k 0 ∀ λ ≥ k 0 : | f (λ)| < 1/λ c ). Furthermore, for n ∈ N, let [n] := {1, . . . , n} and let BilGen be an algorithm that, on input a security parameter 1 λ , outputs (q, e, G 1 , G 2 , G T , g 1 , g 2 ) ← $ BilGen(1 λ ), where G 1 , G 2 , G T are groups of prime order q with bilinear map e : G 1 ×G 2 → G T and generators g i ∈ G i for i ∈ {1, 2}. Finally, we will use square brackets to access the individual bits of bitstrings, i.e., T [i] denotes the i-th bit of a bitstring T = {0, 1} m , for m ∈ N.

Bloom Filter Encryption
The key idea behind Bloom filter encryption (BFE) is that the key pair of such a scheme is associated with a Bloom filter (BF) [10], a probabilistic data structure for the approximate set membership problem with a non-negligible falsepositive probability in answering membership queries. A BF initially represents a bit array of m bits, all set to 0. Insertion takes an element and inputs it to k different hash functions each mapping the element to one of the m array positions, which are then set to 1. When querying the BF on an element, it is considered to be in the BF if all positions obtained by evaluating the hash evaluations are set to 1. The initial secret key sk output by the key generation algorithm of a BFE scheme corresponds to an empty BF. Encryption takes a message M and the public key pk, samples a random element s (acting as a tag for the ciphertext) corresponding to the universe U of the BF and encrypts a message using pk with respect to the k positions set in the BF by s. A ciphertext is then basically identified by s and decryption works as long as at least one index pointed to by s in the BF is still set to 0. Puncturing the secret key with respect to a ciphertext (i.e., the tag s of the ciphertext) corresponds to inserting s in the BF (i.e., updating the corresponding indices to 1 and deleting the corresponding parts of the secret key). This basically means updating sk such that it no longer can decrypt any position indexed by s.
A note on modeling BFE For 0-RTT key establishment, our prime application in this paper, we do not need a full-blown encryption scheme, but only a key-encapsulation mechanisms (KEM) to transport a symmetric encryption key. Consequently, we chose to focus on what we call Bloom filter key encapsulation mechanisms (BFKEMs). We stress that defining BFKEM instead of BFE does not represent any limitation, as any KEM can generically be converted into a secure full-blown encryption scheme [25]. Conversely, any secure encryption scheme trivially yields a secure KEM. For the reasons mentioned before we, henceforth, may thus use the terms BFE and BFKEM interchangeably. Nonetheless, for completeness, we give stand-alone definitions of BFE tolerating a non-negligible correctness error in "Appendix A."

Formal Definition of Bloom Filters
A Bloom filter (BF) [10] is a probabilistic data structure for the approximate set membership problem. It allows a succinct representation T of a set S of elements from a large universe U. For elements s ∈ S a query to the BF always answers 1 ("yes"), i.e., its false-negative probability is 0. Ideally, a BF would always return 0 ("no") for elements s ∈ S, but the succinctness of the BF comes at the cost that for any query to s ∈ S the answer can be 1, too, but only with small probability (called the false-positive probability).
We will only be interested in the original construction of Bloom filters [10] and omit a general abstract definition. Instead, we describe the construction from [10] directly. For a general definition, we refer to [43].

Relevant Properties of Bloom Filters
Let us summarize the properties of Bloom filters relevant to our work.
Perfect completeness. A Bloom filter always "recognizes" elements that have been added with probability 1. More precisely, let S = (s 1 , . . . , s n ) ∈ U n be any vector of n elements of U. Let (H, T 0 ) ← $ BFGen(m, k) and define Then, for all s * ∈ S and all (H, T 0 ) ← $ BFGen(m, k) with m, k ∈ N, it holds that where the probability is taken over the random coins of BFGen. Compact representation of S Independent of the size of the set S ⊂ U and the representation of individual elements of U, the size of representation T is a constant number of m bits. A larger size of S increases only the false-positive probability, as discussed below, but not the size of the representation. Bounded false-positive probability The probability that an element which has not yet been added to the Bloom filter is erroneously "recognized" as being contained in the filter can be made arbitrarily small, by choosing m and k adequately, given (an upper bound on) the size of S. More precisely, let S = (s 1 , . . . , s n ) ∈ U n be any vector of n elements of U. Then, for any s * ∈ U \ S, the false positive probability μ is bounded by , and the probability is taken over the random coins of BFGen. See Goel and Gupta [29] for a proof of this bound.
Discussion on the choice of parameters In order to provide a first intuition on the concrete selection of Bloom filter parameters and their impact on the size of ciphertexts, public and secret keys for BFE, we subsequently give some examples.
Suppose we are given an upper bound n on the number of elements inserted into the Bloom filter, and an upper bound p on the false positive probability for this number of elements that we can tolerate. Our goal is to determine the size m of the Bloom filter and the number k of hash functions to achieve a false positive probability of μ ≤ p with respect to n. As already mentioned above, Goel and Gupta [29] proved that the false positive probability μ of a Bloom filter is strictly bounded by Hence, if we set m := −(n + 1/2) log 2 p ln 2 + 1 and k := (m − 1) ln 2 then due to our choice of k we obtain   Table 1 lists m and k for different values of p and n. In order to give an intuition of the impact of different choices of p and n, Table 1 also lists the size of ciphertexts, secret and public keys, when the BFE construction in Sect. 3.1 is instantiated for these parameters using the pairing-friendly BLS12-381 curve, which provides a security level of about "120-bit." Here, we need to emphasize that initially the secret key (representing the empty BF) has its maximum size, but every puncturing (i.e., addition of an element to the BF), reduces the size of the secret key. Moreover, we stress that the false-positive probability represents an upper bound as it assumes that all n elements are added to the BF. The false positive probability before n insertions, as a function of the number of inserted elements and for given parameters m and k, is discussed below. Finally, we note that when we use our time-based BFE approach (TB-BFE) from Sect. 4, we can even reduce the secret key size by reducing the maximum number of puncturings at the cost of switching the time intervals more frequently.
False-positive probability p before n insertions So far we have argued that we can bound the probability of an non-inserted element being recognized by a BF after n elements have been added to the BF. However, we stress that this probability is far lower if only a fraction of the n elements have been added. We can illustrate this by computing the false-positive probability of an element after only α < n insertions.
We prove the above lemma in "Appendix B." To give some intuition how the false-positive probability evolves over time, we plot the above function for n = 2 20 and k ∈ {8, 11, 17, 21} in Fig. 1. Furthermore, we provide plots for n ∈ {2 16 , 2 24 , 2 30 } in "Appendix C." It is clearly visible that the false-positive probability is overwhelmingly low if only a fraction of the n elements have been added to the Bloom filter.
A remark on Bloom filters in adversarial environments For our bounds of the correctness error in the BFKEM, we assume that the puncturing inserts random elements (ciphertexts) into the BF. Now, an adversary could more efficiently exhaust a BF by a clever choice of the ciphertexts and thus violating our bounds. This would essentially represent a denial-of-service (DoS) attack on the scheme. We, however, stress that this class of attacks is hard to prevent in our application in general and thus we do not consider this as an attack vector. Nevertheless, one approach to counter such types of attacks on BFs is the concept of adversarial resilient Bloom-filters introduced by Naor and Yogev in [43]. However, the efficient approach to construct such BFs in [43] requires a secret (unknown to the adversary) to evaluate BF queries, and thus would not applicable in our setting. Naor and Yogev additionally provide a construction secure against unbounded adversaries, which, however, requires to know the precise set S upfront. This is not the case in our application, and we leave the study of BFs in adversarial environments for application in BFE for future work.

Formal Model of a BFKEM
Subsequently, we introduce the formal model for BFKEM, which is a KEM-variant of puncturable encryption (PE) [17,20,31,33] with the difference that with BFKEM we tolerate a non-negligible correctness error. Our Definition 2 is a variant of the one in [33], except that we allow the key generation to take the additional parameters m and k (of the BF) as input, which specify the correctness error. As already mentioned in Introduction, resorting to present BFKEMs instead of BFE does not represent any limitation.

Definition 2.
(BFKEM) A Bloom filter key encapsulation scheme (BFKEM) with key space K is a tuple (KGen, Enc, Punc, Dec) of PPT algorithms: KGen(1 λ , m, k) : Takes as input a security parameter λ, parameters m and k and outputs a secret and public key (sk, pk) (we assume that K is implicit in pk, and that pk is implicit in sk). Enc(pk) : Takes as input a public key pk and outputs a ciphertext C and a symmetric key K. Punc(sk, C) : Takes as input a secret key sk, a ciphertext C and outputs an updated secret key sk . Dec(sk, C) : Takes as input a secret key sk, a ciphertext C and deterministically computes and outputs a symmetric key K or ⊥ if decapsulation fails.
Correctness We start by defining correctness of a BFKEM scheme. Basically, here one requires that a ciphertext can always be decapsulated with unpunctured secret keys. However, we allow that if punctured secret keys are used for decapsulation, then the probability that the decapsulation fails is bounded by some non-negligible function in the scheme's parameters m, k.
is motivated by the bound achievable by Bloom filters, cf. Equation (1) and the subsequent discussion.

Additional Properties of a BFKEM
In this section, we will define additional properties of a BFKEM that we will use for the application to 0-RTT key exchange from [33] and to construct a CCA-secure BFKEM via the Fujisaki-Okamoto (FO) transformation, as described in Sect. 3.2. We will show below that our constructions of CPA-secure BFKEMs satisfy these additional properties, and thus are suitable for our variant of the FO transformation, and to construct 0-RTT key exchange.
Extended correctness Intuitively, we first require an extended variant of correctness which demands that (1) decapsulation always yields a failure when attempting to decapsulate under a secret key previously punctured for that ciphertext. This is analogous to [33]. Second, we additionally demand that (2) decapsulating an honest ciphertext with the unpunctured key does always succeed and (3) if decryption does not fail, then the decapsulated value must match the key returned by the Enc algorithm, for any key sk obtained from applying any sequence of puncturing operations to the initial secret key sk.

Perfect correctness of the initial secret key:
Dec(sk, C) = K for all (C, K) ← $ Enc(pk).
Separable randomness We require that the encapsulation algorithm Enc essentially reads the key K in (C, K) ← $ Enc(pk) directly from its random input tape. Intuitively, this will later enable us to make the randomness r used by the encapsulation algorithm Enc dependent on the key K computed by Enc.
Remark We note that one can generically construct a separable BFKEM from any non-separable BFKEM. Given a non-separable BFKEM with encapsulation algorithm Enc, a separable BFKEM with encryption algorithm Enc can be obtained as follows: We need separability in order to apply our variant of the FO transformation, which is the reason why we have to make it explicit. Alternatively, we could have started from a non-separable BFKEM and applied the above construction. However, this adds an additional component to the ciphertext, while the construction given in Sect. 3.1 will already be separable, such that we can avoid this overhead.
Publicly checkable puncturing Finally, we need that it is efficiently checkable whether the decapsulation algorithm outputs ⊥ = Dec(sk, C), given not the secret key sk, but only the public key pk, the ciphertext C to be decrypted, and the sequence C 1 , . . . , C w at which the secret key sk has been punctured.
. . , C w ) be any list of ciphertexts. We say that BFKEMallows publicly checkable puncturing, if there exists an efficient algorithm CheckPunct with the following correctness property. 3. Let C be any string. We require that From a high-level perspective, this additional property will be necessary to simulate the decryption oracle properly in the CCA security experiment when our variant of the FO transformation is applied. Together with the second and third property of Definition 4, it replaces the perfect correctness property required in the original FO transformation.
Min-entropy of ciphertexts Following [37], we require that ciphertexts of a randomnessseparable BFKEM have sufficient min-entropy, even if K is fixed: (γ -Spreadness) Let BFKEM = (KGen, Enc, Punc, Dec) be a randomnessseparable BFKEM with ciphertext space C. We say that BFKEM is γ -spread, if for any honestly generated pk, any key K and any C ∈ C

Security Definitions
We define three security properties for BFKEMs. The two "standard" security notions are indistinguishability under chosen-plaintext (IND-CPA) and chosen-ciphertext (IND-CCA) attacks. In addition, we define one-wayness under chosen-plaintext attacks (OW-CPA). The latter is the weakest notion among the ones considered in this paper and implied by both IND-CPA and IND-CCA, but sufficient for our generic construction of IND-CCA-secure BFKEMs. Figure 2 defines the IND-CPA and IND-CCA experiments for BFKEMs. The experiments are similar to the security notions for conventional KEMs, but the adversary can arbitrarily puncture the secret key via the Punc oracle and retrieve the punctured secret key via the Corr oracle, once it has been punctured on the challenge ciphertext C * .

Indistinguishability-based security
is a negligible function in λ for all m, k > 0 and all PPT adversaries A. Figure 3 defines the OW-CPA experiment. The experiment is similar to the IND-CPA experiment, except that the goal of the adversary is to recover the encapsulated key, given a random challenge ciphertext.

Definition 9. (One-Wayness Under Chosen-Plaintext Attack) We define the advantage of an adversary
is a negligible function in λ for all m, k > 0 and all PPT adversaries A.
Relation to "standard KEM security" We would like to point out that it is possible to remove both the puncture and corrupt oracle and immediately send the secret key (punctured at the challenge ciphertext) to the adversary. However, this security definition is only equivalent to our security definition if an adversary cannot detect in which order ciphertexts have been punctured. That is, this security definition only provides reasonable security for schemes where the secret key does not reveal the order of puncturings. A formalization of this can be found in [26].

BFKEM Constructions
In this section, we present different BFKEMconstructions. We start with a CPA-secure version inspired by the hashed Boneh-Franklin identity-based encryption (IBE) scheme [12] in Sect. 3.1 and then show how we can obtain a CCA secure variant via the Fujisaki-Okamoto (FO) transform [25] in the random oracle model (ROM) in Sect. 3.2. Then, in Sect. 3.3 we present a construction of a CPA-secure BFKEMfrom ciphertextpolicy attribute-based encryption (CP-ABE) schemes and discuss how to obtain CCA security via the FO transform in the ROM. Finally, in Sect. 3.4 we present a CPA secure BFKEMfrom identity-based broadcast encryption (IBBE) and discuss how to obtain CCA security via the FO transform in the ROM or the CHK transform [16] without requiring random oracles.

BFKEM from Hashed IBE
Construction In the sequel, let Params := (q, e, G 1 , G 2 , G T , g 1 , g 2 ) ← $ BilGen(1 λ ), and g T = e(g 1 , g 2 ). We will always assume that all algorithms described below implicitly receive these parameters as additional input. Let B = (BFGen, BFUpdate, BFCheck) be a Bloom filter for set G 1 . Furthermore, let G : N → G 2 and E : G T → {0, 1} λ be cryptographic hash functions (which will be modeled as random oracles [7] in the security proof).
KGen ( Remark The reader familiar with the Boneh-Franklin IBE scheme [12] may note that the secret key contains m elements of G 2 , each essentially being a secret key of the Boneh-Franklin scheme for "identity" i, i ∈ [m], with respect to "master public-key" g α 1 . Enc(pk) : This algorithm takes as input a public key pk of the above form. It samples a uniformly random key K ← $ {0, 1} λ and exponent r ← $ Z q . Then, it computes , and finally Remark Note that for each j ∈ [k], the tuple (g r 1 , E(y j ) ⊕ K) is essentially a "hashed Boneh-Franklin IBE" ciphertext, encrypting K for "identity" i j = H j (g r 1 ) and with respect to master public key g α 1 , where the identity is derived deterministically from a "unique" (with overwhelming probability) ciphertext component g r 1 . Thus, the ciphertext C essentially consists of k Boneh-Franklin ciphertexts that share the same randomness r , each encrypting the same key K for an "identity" derived deterministically from g r 1 . Note also that this construction of Enc satisfies the requirement of separable randomness from Definition 5. Furthermore, ciphertexts are γ -spread according to Definition 7 with γ = log 2 p, because g r 1 is uniformly distributed over G 1 .
where T [i] denotes the i-th bit of T . Finally, this algorithm returns Remark Note that the above procedure is correct even if the procedure is applied repeatedly with different ciphertexts C, since the BFUpdate algorithm only changes bits of T from 0 to 1, but never from 1 to 0. So we can delete a secret key element Intuitively, this will ensure that we can use this key to decrypt a ciphertext C : is the Bloom filter instance contained in the public key. Note also that the puncturing algorithm essentially only evaluates k universal hash functions H = (H j ) j∈ [k] and then deletes a few secret keys, which makes this procedure extremely efficient. Finally, observe that the filter state T can be efficiently re-computed given only public information, namely the list of hash functions H contained in pk and the sequence of ciphertexts C 1 , . . . , C w on which a secret key has been punctured. This yields the existence of an efficient CheckPunct according to Definition 6.
Remark If BFCheck(H, T n , C[0]) = 0, then the decryption algorithm performs a "hashed Boneh-Franklin" decryption with a secret key for one of the identities. Note that Dec(sk n , C) = ⊥ ⇐⇒ BFCheck(H, T, C[0]) = 0, which guarantees the first extended correctness property required by Definition 4. It is straightforward to verify that the other two extended correctness properties of Definition 4 hold as well.
Design choices We note that we have chosen to base our BFKEM on hashed Boneh-Franklin IBE instead of standard Boneh-Franklin for two reasons. First, it allows us to keep ciphertexts short and independent of the size of the binary representation of elements of G T . This is useful, because the recent advances for computing discrete logarithms in finite extension fields [39] apply to the target group of state-of-the-art pairing-friendly elliptic curve groups. Recent assessments of the impact of these advances by Menezes et al. [42] as well as Barbulescu and Duquesne [4] suggest that for currently used efficient curve families such as BN [6] or BLS [5] curves a conservative choice of parameters for the 128 bit security level yields sizes of G T elements of ≈ 4600−5500 bits. The hash function allows us to "compress" these group elements in the ciphertext to 128 bits (the size of a symmetric encryption key). Even if future research enables the construction of bilinear maps where elements of G T can be represented by 2λ bits for λ-bit security (which is optimal), it is still preferable to hash group elements to λ bits to reduce the ciphertext by a factor of about 2. Second, by modeling E as a random oracle, we can reduce security to a weaker complexity assumption.
Correctness error of this scheme We will now explain that the correctness error of this scheme is essentially identical to the false-positive probability of the Bloom filter, up to a statistically small distance which corresponds to the probability that two independent ciphertexts share the same randomness r .
to determine the secret key sk n obtained from puncturing sk 0 iteratively on all ciphertexts C i ∈ S. Now let us consider the probability Pr Dec(sk n , C * ) = K * : (C * , K * ) ← $ Enc(pk), C * ∈ S that a newly generated ciphertext C * ∈ S is not correctly decrypted by sk n . To this end, let C * [0] = g r * 1 denote the first component of ciphertext [m] ) and pk = (g α 1 , H ), one can now verify that we have is a uniformly random element of G 1 . Therefore the probability that this happens is upper bounded by n/q, which is negligibly small.
. In this case, as explained in Sect. 2.1, the soundness of the Bloom filter guarantees that In summary, the correctness error of this scheme from the discussion in Sect. 2.1 is approximately 2 −k + n/q. Since n/q is negligibly small, this essentially amounts to the correctness error of the Bloom filter, which in turn depends on the number of ciphertexts n, and the choice of parameters m, k.
Flexible instantiability of this scheme Our scheme is highly parameterizable in the sense that we can adjust the size of keys and ciphertexts by adjusting the correctness error (determined by the choice of parameters m, k that in turn determine the falsepositive probability of the Bloom filter) of our scheme.
Additional properties As already explained in the remarks after the description of the individual algorithms of BFKEM, the scheme satisfies the requirements of Definitions 4, 5, 6, and 7. IND-CPAsecurity. We base IND-CPA security on a bilinear computational Diffie-Hellman variant in the bilinear groups generated by BilGen.
Definition 10. (BCDH [12]) We define the advantage of adversary Ain solving the BCDH problem with respect to BilGenas

Theorem 1. From each efficient adversary Bthat issues u queries to random oracle E, we can construct an efficient adversary Awith
Proof. Algorithm Areceives as input a BCDH-challenge tuple (g r 1 , g α 1 , g α 2 , h 2 ). It runs adversary B as a subroutine by simulating the Exp IND-CPA B,BFKEM (λ, m, k) experiment, including random oracles G and E, as follows.
First, it defines Q := ∅, runs (H, T ) ← $ BFGen(m, k), and defines the public key as pk := (g α 1 , H ). Note that this public key is identically distributed to a public key output by KGen (1 λ , m, k). In order to simulate the challenge ciphertext, the adversary chooses a random key K ← $ {0, 1} λ and k uniformly random values and defines the challenge ciphertext as C * : Whenever a random oracle query to G : N → G 2 is made (either by Aor B), with input ∈ N, then Aresponds with G( ), if G( ) has already been defined. If not, then Achooses a random integer r ← $ Z q , and returns G( ), where This definition of G allows Ato simulate the Corr oracle as follows. When Bqueries Corr, then it first checks whether C * ∈ Q, and returns ⊥ if this does not hold. Otherwise, and T [ ] denotes the -th bit of T . Thus, by the simulation of G described above, Ais able to compute and return G( Finally, whenever Bqueries random oracle E : G T → {0, 1} λ on input y, then Aresponds with E(y), if E(y) has already been defined. If not, then Achooses a random string Y ← $ {0, 1} λ , assigns E(y) := Y , and returns E(y). Now we have to distinguish between two types of adversaries.

A Type-1 adversary
Bnever queries E on input of a value y, such that there exists j ∈ [k] such that y = e(g α 1 , G(H j (g r 1 ))) r . Note that in this case the value Y j := E(e(g α 1 , G(H j (g r 1 ))) r ) remains undefined for all j ∈ [k] throughout the entire experiment. Thus, information-theoretically, a Type-1 adversary receives no information about the key encrypted in the challenge ciphertext C * , and thus can only have advantage Adv IND-CPA B,BFKEM (λ, m, k) = 0, in which case the theorem holds trivially. 2. A Type-2 adversary queries E(y) such that there exists j ∈ [k] with y = e(g α 1 , G(H j (g r 1 ))) r . Auses a Type-2 adversary to solve the BCDH challenge as follows. At the beginning of the game, it picks two indices uniformly random. When Boutputs y in its u * -th query to E, then Acomputes and outputs W := y ·e(g α 1 , g r 2 ) −r . Since Bis a Type-2 adversary, we know that at some point it will query E(y) with y = e(g α 1 , G(H j (g r 1 ))) r for some j ∈ [k]. If this is the u * -th query and we have j = j * , which happens with probability 1/(uk), then we have and thus W is a solution to the given BCDH instance. Note that r is chosen in the simulation and therefore known.
OW-CPA-Security. The following theorem can either be proven analogous to Theorem 1, or based on the fact that IND-CPA security implies OW-CPA security. Therefore, we give it without proof.

Theorem 2. From each efficient adversary Bthat issues u queries to random oracle E, we can construct an efficient adversary Awith
Remark 2. The construction presented above allows to switch the roles of G 1 and G 2 , i.e., to switch all elements in G 1 to G 2 and vice versa. This might be beneficial regarding the size of the secret key when instantiating our construction using a bilinear group where the representation of elements in G 2 requires more space than the representation of elements in G 1 .

CCA Security of the BFKEM from Hashed IBE via Fujisaki-Okamoto
We obtain a CCA-secure BFKEM by adopting the Fujisaki-Okamoto (FO) transformation [25] to the BFKEM setting. Since the FO transformation does not work generically for any BFKEM, we have to use the additional requirements on the underlying BFKEM that are defined in Sect. 2.3. These additional properties enable us to overcome the difficulty that the original Fujisaki-Okamoto transformation from [25] requires perfect correctness. We remark that Hofheinz et al. [38] give a new, modular analysis of the FO transformation, which also works for public key encryption schemes with negligible correctness error; however, it is not applicable to BFKEMs, because, due to their non-negligible correctness error, the bounds given in [38] provide insufficient security in this case.
Game 0. This is the original IND-CCA security experiment from Definition 8, played with the scheme described above. In particular, the decryption oracle O 0 is implemented as follows (we omit the check for C = C * ): If (C, K) = Enc(pk; (r, K)) thenreturn⊥ Return K Recall that K 0 denotes the encapsulated key computed by the IND-CCA experiment. K 0 is uniquely defined by the challenge ciphertext C * via K 0 := Dec(sk 0 , C * ), where sk 0 is the initial (non-punctured) secret key, since the scheme satisfies extended correctness (Definition 4, second property). Let A 0 denote the event that Aever queries K 0 to random oracle R. Note that Ahas zero advantage in distinguishing K from random, until A 0 occurs, because R is a random function. Thus, we have Pr BFKEM (λ, m, k). In the sequel, we denote with A i the event that Aever queries K 0 to random oracle R in Game i. Game 1. This game is identical to Game 0, except that after computing K ← $ Dec(sk, C) and checking whether K = ⊥, the experiment additionally checks whether the adversary has ever queried random oracle R on input K, and returns ⊥ if not. More precisely, the experiment maintains a list to record all queries K made by the adversary to random oracle R, along with the corresponding response (r, K ) = R(K). The decryption oracle O 1 uses this list as follows (boxed statements highlight changes to O 0 ): Note that Games 0 and 1 are perfectly indistinguishable, unless Aever outputs a ciphertext C with O 1 (C) = ⊥, but O 0 (C) = ⊥. Note that this happens if and only if Aoutputs C such that C = Enc(pk; (r, K)), where r is the randomness defined by (r, K ) = R(K), but without prior query of R(K).
The random oracle R assigns a uniformly random value r ∈ {0, 1} ρ to each query, so, by the γ -spreadness of BFKEM, the probability that the ciphertext C output by the adversary "matches" the ciphertext produced by Enc(pk; (r, K)) is 2 −γ . Since Aissues at most q O queries to O 1 , this yields Pr[

Game 2.
We make a minor conceptual modification. Instead of computing (r, K ) = R(K) by evaluating R, O 2 reads (r, K ) from list L R . More precisely: Define (r, K ) to be the unique tuple such that (K, (r, K )) ∈ L R . If (C, K) = Enc(pk; (r, K)) thenreturn⊥ Return K By definition of L R it always holds that (r, K ) = R(K) for all (K, (r, K )) ∈ L R . Indeed (r, K ), is uniquely determined by K, because (r, K ) = R(K) is a function. Since R is only evaluated by O 1 if there exists a corresponding tuple (K, (r, K )) ∈ L R anyway, due to the changes introduced in Game 1, oracle O 2 is equivalent to O 1 and we have Game 3. This game is identical to Game 2, except that whenever Aqueries a ciphertext C to oracle O 3 , then O 3 first runs the CheckPunct algorithm associated with BFKEM(cf. Definition 6). If CheckPunct(pk, Q, C) = ⊥, then it immediately returns ⊥. Otherwise, it proceeds exactly like O 2 . More precisely: (K, (r, K )) ∈ L R thenreturn⊥ Define (r, K ) to be the unique tuple such that (K, (r, K )) ∈ L R . If (C, K) = Enc(pk; (r, K)) thenreturn⊥ Return K Recall that by public checkability (Definition 6) we have ⊥ = Dec(sk, C) ⇐⇒ ⊥ = CheckPunct(pk, Q, C). Therefore, the introduced changes are conceptual, and Game 4. We modify the secret key used to decrypt the ciphertext. Let sk 0 denote the initial secret key generated by the experiment (that is, before any puncturing operation was performed). O 4 uses sk 0 to compute K ← $ Dec(sk 0 , C) instead of K ← $ Dec(sk, C), where sk is a possibly punctured secret key. More precisely: If CheckPunct(pk, Q, C) = ⊥ thenreturn⊥ K ← $ Dec(sk 0 , C) If (r, K ) : (K, (r, K )) ∈ L R thenreturn⊥ Define (r, K ) to be the unique tuple such that (K, (r, K )) ∈ L R . If (C, K) = Enc(pk; (r, K)) thenreturn⊥ Return K Remark Due to the fact that we are now using the initial secret key to decrypt C, we have reached a setting where, due to the perfect correctness of the initial secret key sk 0 , essentially a perfectly correct encryption scheme is used-except that the decryption oracle implements a few additional abort conditions. Thus, we can now basically apply the standard Fujisaki-Okamoto transformation, but we must show that we are also able to simulate the additional abort imposed by the additional consistency checks properly. To this end, we first replace these checks with equivalent checks before applying the FO transformation.
Game 5. We replace the consistency checks performed by O 4 with an equivalent check. More precisely, O 5 works as follows: , (r, K )) ∈ L R ∧ (C, K) = Enc(pk; (r, K))) thenreturn⊥ Return K such that (K, (r, K )) ∈ L R ∧ (C, K) = Enc(pk; (r, K)) This is equivalent, so that we have Pr[ Game 6. Observe that in Game 5 we check whether there exists a tuple (r, K ) with (K, (r, K )) ∈ L R and (C, K) = Enc(pk; (r, K), where K must match the secret key computed by K ← $ Dec(sk 0 , C).
In Game 6, we relax this check. We test only whether there exists any tuple (K, (r ,K )) ∈ L R such that (C,K) = Enc(pk; (r ,K) holds. Thus, it is not explicitly checked whether K matches the value K ← $ Dec(sk 0 , C). Furthermore, the corresponding valueK is returned. More precisely: If (r ,K ) : ((K, (r ,K )) ∈ L R ∧ (C,K) = Enc(pk; (r ,K))) thenreturn⊥ ReturnK such that (K, (r ,K )) ∈ L R ∧ (C,K) = Enc(pk; (r ,K)) By the perfect correctness of the initial secret key sk 0 , we have Game 7. This game is identical to Game 6, except that we change the decryption oracle again. Observe that the value K computed by K ← $ Dec(sk 0 , C) is never used by O 6 . Therefore, the computation of K ← $ Dec(sk 0 , C) is obsolete, and we can remove it. More precisely, O 7 works as follows.
If CheckPunct(pk, Q, C) = ⊥ thenreturn⊥ If (r ,K ) : ((K, (r ,K )) ∈ L R ∧ (C,K) = Enc(pk; (r ,K))) thenreturn⊥ ReturnK such that (K, (r ,K )) ∈ L R ∧ (C,K) = Enc(pk; (r ,K)) We have only removed an obsolete instruction, which does not change the output distribution of the decryption oracle. Therefore, O 7 simulates O 6 perfectly, and we have Reduction to OW-CPA-security. Now we are ready to describe the OW-CPA-adversary B. Breceives (pk, C * ). It samples a uniformly random key K ← $ {0, 1} λ and runs the IND-CCA-adversary Aas a subroutine on input (pk, C * , K ). Whenever Aissues a Puncor Corr-query, then Bforwards this query to the OW-CPA-experiment and returns the response. In order to simulate the decryption oracle O, adversary B implements the simulated oracle O 7 from Game 7 described above. When Aterminates, then B picks a uniformly random entry (K, (r ,K )) ← $ L R , and outputsK.
Analysis of the reduction LetQ denote the event that Aever queries K 0 to random oracle R. Note that B simulates Game 7 perfectly until A 7 occurs; thus, we have Pr[Q] ≥ Pr[A 7 ]. Summing up, the probability that the valueK output by Bmatches the key encapsulated in C * is therefore at least Remark on the tightness Alternatively, we could have based the security of our IND-CCAsecure scheme on the IND-CPA (rather than OW-CPA) security of BFKEM . In this case, we would have achieved a tighter reduction, as we would have been able to avoid guessing the index (K, (r ,K )) ← $ L R , at the cost of requiring stronger security of the underlying scheme. From IND-CCA-secure KEMs to IND-CCA-secure encryption. It is well known that IND-CCA-secure KEMs can be generically transformed into IND-CCA-secure encryption schemes, by combining it with a CCA-secure symmetric encryption scheme [25]. This construction applies to BFKEMs as well.

BFKEM from CP-ABE
We now present an alternative, generic construction of a BFKEM from ciphertext-policy attribute-based encryption (CP-ABE) [8]. In particular, the construction can be instanti-ated with any small-universe (i.e., bounded) CP-ABE scheme 3 that is adaptively secure, supports at least OR-policies, and allows to encrypt messages from an exponentially large space. We note that since the formulation of KEMs in context of ABE is not widely used, we opt to start from a CP-ABE scheme which we implicitly turn into a KEM in the construction via the folklore compiler to obtain KEMs from encryptions schemes.
In contrast to the basic BFKEM construction in Sect. 3.1, we are able to generically obtain constant-size ciphertexts (independent of the parameters m and k) if the underlying CP-ABE scheme beyond possessing the aforementioned properties, is also compact, i.e., provides constant-size ciphertexts, (as, e.g., [2,18] which are obtained from static and parameterized assumptions, respectively). Compact-size ciphertexts come at the cost of increased secret key size in existing schemes (at least quadratic in the number of attributes). However, for forward-secret 0-RTT key-exchange storage cost at the server is less expensive than communication bandwidth and thus can be considered a viable trade-off.
CP-ABE Before we describe our construction let us briefly recall CP-ABE. Therefore, let U be the universe of attributes and we require only small-universe constructions, i.e., U is fixed at setup and |U| is polynomially bounded in the security parameter λ (in our BFKEM construction we will have |U| = m). Intuitively, in a CP-ABE scheme secret keys are issued with respect to attribute sets U ⊆ U and messages are encrypted with respect to access structures (policies) defined over U. Decryption works iff the attributes in the secret key satisfy the policy used to produce the ciphertext. Let us discuss this a bit more formally. Definition 11. (Access Structure [8]) Let U be the attribute universe. A collection A ∈ 2 U of non-empty sets is an access structure on U. The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets. A collection A ∈ 2 U is called monotone if ∀ B, C ∈ A : if B ∈ A and B ⊆ C, then C ∈ A.
Subsequently, we do not require arbitrary monotone access structures, but only ORpolicies (i.e., threshold policies with threshold 1). In particular, for some attribute set U := (u 1 , . . . , u n ) ⊆ U we consider policies of the form u 1 OR . . . OR u n , representing an access structure A := 2 U \ ∅.

Definition 12. (CP-ABE) A ciphertext-policy attribute-based encryption scheme is a tuple CP-ABE = (Setup, KGen, Enc, Dec) of PPT algorithms:
Setup(1 λ , U) : Takes as input a security parameter λ and an attribute universe description U and outputs a master secret and public key (msk, mpk). We assume that all subsequent algorithms will implicitly receive the master public key mpk (public parameters) as input which implicitly fixes a message space M. KGen(msk, U ) : Takes as input the master secret key msk and a set of attributes U ⊆ U and outputs a secret key sk U .  Figure 4 defines adaptive IND-T with T ∈ {CPA, CCA} security for CP-ABE. We stress that we use a formalization for small-universe schemes where the size of U is polynomially bounded in the security parameter λ (for large universe U is not required for Setup). We denote this value by n and consider the attribute set to be U = {1, . . . , n}. Intuition of the BFKEM construction The intuition of constructing a CPA-secure BFKEM from CP-ABE is very simple. Basically, we map the indices m in T ∈ {0, 1} m of a Bloom filter (H, T ) to the attribute universe U. Then, we generate for every attribute i ∈ [m] (we consider U = {1, . . . , m}) a secret key sk {i} , set our secret key of the BFKEM scheme to be sk := (T, (sk {1} , . . . , sk {m} )) and delete msk. Encryption is with respect to the attributes given by the indices I obtained from sending a randomly sampled tag r through the hash functions H j , j ∈ [k] of the Bloom filter. Decryption works by using one secret key sk {i} indexed by I. Puncturing a ciphertext simply amounts to discarding all the secret keys sk {i} indexed by I.

Definition 13. (IND-T Security of CP-ABE) We define the advantage of an adversary
Construction Subsequently, we describe the generic CPA-secure BFKEM construction from a CP-ABE scheme ABE. We, thereby, require a CP-ABE with exponentially large message space M and assume that the key space K of the BFKEM scheme is equivalent to M. Correctness error of this scheme Under the same argumentation as in the correctness proof in Sect. 3.1, we obtain that the correctness error is approximately 2 −k + n/2 λ .
CPA security We directly relate the CPA security of our construction to the hardness of breaking CPA security for the underlying CP-ABE.

Theorem 4. From each efficient adversary B against CPA security of our BFKEM, we can construct an efficient adversary A which breaks CPA security of the underlying CP-ABE, with
Proof. We present a reduction which uses an adversary B against CPA security of the BFKEM to break CPA security of the CP-ABE. First, we engage with a CPA challenger for a CP-ABE with respect to universe [m] to obtain mpk. Then, we complete the setup by running the following KeyGen algorithm and obtain pk: and outputs pk.
to the challenger to obtain C * . We start B on (pk, (r, C * ), K 0 ) and simulate the oracles as follows: , and, for all i j = 0 obtain sk j ← KGen( j) using the key generation oracle provided by the challenger and return sk ← (T, {sk j } j∈[k],i j =0 ).
If B eventually outputs a bit b * we output b * to break CPA security of the CP-ABE scheme with the same probability as B breaks the CPA security of the BFKEM. Note that the Corr oracle can only be called after the challenge ciphertext C * , and, therefore r , is determined. This ensures that we only request "allowed" keys via the KGen oracle provided by the challenger.
Obtaining CCA security The construction satisfies the additional properties of Definitions 4, 5, and 6 with the same arguments as in Sect. 3.1. Additionally, γ -spreadness (Definition 7) is given by construction: The randomness r is chosen uniformly at random from {0, 1} λ . Thus, we can apply the Fujisaki-Okamoto [25] transform the same way as done in Sect. 3.2 to achieve CCA security.

BFKEM from IBBE
In this section, we present our generic construction of a BFKEM from any identity-based broadcast encryption (IBBE) scheme. We note that taking the path via IBBE allows us to simultaneously obtain small ciphertexts and small public keys.

Identity-Based Broadcast Encryption
We recall the basic definition of IBBE and its security. Setup(1 λ , k) : Takes as input the security parameter λ and the maximal number of receivers k and outputs a master public key pk and a master secret key msk.
We assume that pk implicitly defines the identity space ID. Extract(msk, ID i ) : Takes as input the master secret key msk and an user identity ID i and outputs and user private key sk ID i . Enc(pk, S) : Takes as input the master public key pk and a set of user identities S and outputs a ciphertext C and a key K. Dec(sk ID i , S, C) : Takes as input a user secret key sk ID i , a set of user identities S and a ciphertext C and outputs the key K. Construction Let B = (BFGen, BFUpdate, BFCheck) be a Bloom filter and let IBBE = (Setup, Extract, Enc, Dec) be an identity-based broadcast encryption scheme. We construct a Bloom filter key encapsulation mechanism BFKEM= (KGen, Enc, Punc, Dec) as follows: KGen(λ, m, k) : The key generation algorithm generates a Bloom filter instance by running (H, T ) ← $ BFGen(m, k) and generates an IBBE instance by invoking (pk IBBE , msk) Finally, it sets pk := (H, pk IBBE ) and sk := T, (sk i ) i∈ [m] .
Remark Observe that the maximum number of recipients is set to the Bloom filter's optimal number of universal hash functions k and the user identity space is bound to the Bloom filter's entries m. Enc(pk) : Given a public key pk = (H, pk IBBE ), it samples a random value r ← $ {0, Remark This algorithm essentially checks, if an user secret key of the user identities in set S still exists. If so, the ciphertext can be decrypted.
Correctness error With exactly the same arguments as for the scheme from Sect. 3.1, one can verify that the correctness error of this scheme is essentially identical to the false positive probability of the Bloom filter, unless a given ciphertext C = (r, C ) has a value of r which is identical to the value of r of any previous ciphertext. Since r is uniformly random in {0, 1} λ , this probability is approximately 2 −k + n · 2 −λ . IND-CPA-security. We prove the IND-CPA security of our construction, if the IBBE is IND-sID-CPA-secure. The challenger Cgenerates a master public key pk and a master secret key msk by invoking IBBE.Setup(λ, k) and sends us the master public key pk. Additionally, Cprepares a challenge by running (C , K 0 ) ← $ IBBE.Enc(pk, S * ) and sampling K 1 ← $ K, where K is the symmetric key space. The challenger sends us the challenge (C , K b ), where b is a bit drawn uniformly at random.
We will initialize the adversary Bwith input (pk, C * = (r * , C ), K b ). In the sequel, Bhas access to several oracles, which we simulate as follows: • Punct(C = (r, C )): We invoke T := BFUpdate(H, T, r ) and set Q := Q ∪ {C}. • Corr : If C * / ∈ Q, return ⊥. Else query sk j := Extract( j) for all j ∈ [k] such that T [ j] = 0. Note that we are allowed to call Extract on all user identities, since puncturing at C * removes all troublesome secret keys. We return (T, Eventually, Bwill output a bit b * which we will forward to the challenger C. Since all queries are perfectly simulated, we get This concludes the proof. Additionally, γ -spreadness (Definition 7) is given by construction: The randomness r is chosen uniformly at random from {0, 1} λ . Separable randomness is not achieved as the symmetric key K algebraically depends on the IBBE (i.e., the symmetric key K is chosen by the IBBE and not by the generic construction). 4 It is, however, possible to transform any non-separable BFKEM into a separable BFKEM as shown in Sect. 2.3. Note that this transformation adds an additional component of size λ to the ciphertext.
Thus, we can apply the Fujisaki-Okamoto transform the same way as done in Sect. 3.2 to achieve CCA security. One notable drawback is that the transformation requires that the encapsulation procedure be run once during each decapsulation. Should the encapsulation procedure be computationally expensive and should the application strive for high efficiency, it might be worth considering a different approach for achieving IND-CCA security.
A different approach to achieve IND-CCA security for our construction would be to directly use an IND-sID-CCA-secure IBBE. This can for example be achieved by using a variant of the CHK transformation [16] sketched in [22]. The basic idea is to derive one of the broadcasted identities from a verification key of a strongly unforgeable one-time signature (sOTS) scheme, which then in turn is used to sign the ciphertext. A reasonable choice for the signature scheme might be the Boneh-Lynn-Shacham signature scheme [13], which is strongly unforgeable due to its unique ciphertexts, or the sOTS due to Groth [32] which avoids pairing evaluations. Drawbacks of the transformation include an expansion of the ciphertext as both the signature verification key and the signature must be included. A formal description and security proof of the transformation can be found in [26].

Time-Based Bloom Filter Encryption
For a standard BFKEM scheme, we have to update the public key after the secret key has been punctured n-times, because otherwise the false-positive probability would exceed an acceptable bound. In this section, we describe a construction of a scheme where the lifetime of the public key is split into time slots. Ciphertexts are associated with time slots, which assumes loosely synchronized clocks between sender and receiver of a ciphertext. The main advantage is that for a given bound on the correctness error, we are able to handle about the same number of puncturings per time slot as the basic scheme during the entire life time of the public key. We call this approach time-based Bloom filter encryption. It is inspired by the time-based approach used to construct puncturable encryption in [31,33], which in turn is inspired by the construction of forward-secure public-key encryption by Canetti, Halevi, and Katz [15].
Note that a time-based BFKEM (TB-BFKEM) scheme can trivially be obtained from any BFE scheme, by assigning an individual public/secret key pair for each time slot. 4 Depending on the instantiation, it might still be possible to directly achieve separable randomness. For this to work, the IBBE would need separable keys, that is, if we can equivalently write However, if we want to split the life time of the public key into, say, 2 t time slots, then this would of course increase the size of keys by a factor 2 t . Since we want to enable a fine-grained use of time slots, to enable a very large number of puncturings over the entire lifetime of the public key without increasing the false positive probability beyond an unacceptable bound, we want to have 2 t as large as possible, but without increasing the size of the public key beyond an acceptable bound. To this end, we give a direct construction which increases the size of secret keys only by an additive amount of additional group elements, which is only logarithmic in the number of time slots. Thus, for 2 t time slots we have to add merely about t elements to the secret key, while the size of public keys remains even constant. Recall also that due to the time slots, a TB-BFKEM helps to counter message suppression attacks by achieving a form of delayed forward secrecy.

Formal Model of TB-BFKEM
Likewise to considering our BFKEMs as an instantiation of a puncturable KEM with non-negligible correctness error, we can view the time-based approach analogously as an instantiation of a forward-secret BFKEM [33] with non-negligible correctness error, henceforth referred to as TB-BFKEM. We chose to align our model with the existing formal framework for puncturable forward-secret KEMs. It is essentially our BFKEM Definition 2, augmented by time slots and an additional algorithm PuncInt that allows to puncture a secret key not with respect to a given ciphertext in a given time slot, but with respect to an entire time slot.

Definition 16.
(TB-BFKEM) A puncturable forward-secret key encapsulation (TB-BFKEM) scheme is a tuple of the following PPT algorithms: KGen(1 λ , m, k, t) : Takes as input a security parameter λ, parameters m and k for the Bloom filter, and a parameter t specifying the number of time slots. It outputs a secret and public key (sk, pk), where we assume that the key-space K is implicit in pk and that pk is implicit in sk. Enc(pk, τ ) : Takes as input a public key pk and a time slot τ and outputs a ciphertext C and a symmetric key K. PuncCtx(sk, τ, C) : Takes as input a secret key sk, a time slot τ , a ciphertext C and outputs an updated secret key sk . Dec(sk, τ, C) : Takes as input a secret key sk, a time slot τ , a ciphertext C and deterministically computes and outputs a symmetric key K or ⊥ if decapsulation fails. PuncInt(sk, τ ) : Takes as input a time slot τ and a secret key sk for any time slot ≤ τ , and outputs an updated secret key sk for the time slot τ + 1.
Correctness Essentially, the correctness definition is based on that of a BFKEM, but additionally considers time slots (see also [33]).

Additional Properties of a TB-BFKEM
Again, we will require additional properties for the TB-BFKEM, similar to those from Sect. 2.3.
We say that TB-BFKEMallows publicly checkable puncturing, if there exists an efficient algorithm CheckPunct with the following correctness property.

Security Definitions
The security of a TB-BFKEM scheme is defined in a selective-time experiment, where the adversary has to commit to a time slot τ * to attack before seeing the parameters of the scheme. We present the IND-CPA and IND-CCA experiments in Fig. 6.

A Generic Time-Based BFKEM Construction
Before we can present our construction, we recall hierarchical identity-based key encapsulation schemes (HIB-KEMs). HIB-KEMs represent a building block of our construction.

HIB-KEMs
Below we present the basic definition and the security properties of HIB-KEMs.

Definition 23.
A (t + 1)-level hierarchical identity-based key encapsulation scheme (HIB-KEM) with identity space D ≤t +1 , ciphertext space C, and key space Kconsists of the following four algorithms: HIBGen(1 λ ) : Takes as input a security parameter and outputs a key pair (mpk, sk ε ).
We say that mpk is the master public key, and sk ε is the level-0 secret key. HIBDel(sk d , d) : Takes as input secret key sk d and d ∈ D, and outputs a secret key sk d |d . (We refer to | as concatenation.) HIBEnc(mpk, d) : Takes as input the master public key mpk and an identity d ∈ D ≤t +1 and outputs a ciphertext C ∈ C and a key K ∈ K. HIBDec(sk d , C) : Takes as input a secret key sk d and a ciphertext C, and outputs a value K ∈ K ∪ {⊥}, where ⊥ is a distinguished error symbol.
Correctness for HIB-KEM. We require that for all λ ∈ N, for all (mpk, sk ε ) ← $ HIBGen(1 λ ), for all d ∈ D, for all sk d |d ← $ HIBDel(sk d , d), for all d ∈ D ≤t +1 , for all (C, K ) ← $ HIBEnc(mpk, d), we have that HIBDec(sk d , C) = K holds. Security definition for HIB-KEM. As for our generic construction, we will essentially follow the proof strategy of the BFKEMconstruction and thus will rely on the weak notion of one-wayness under selective-ID and chosen-plaintext attacks (OW-sID-CPA) Time slots We will construct a TB-BFKEM scheme that allows to use t = 2 t time slots. We associate the i-th time slot with the string in {0, 1} t that corresponds to the canonical t -bit binary representation of integer i.
Following [15,31,33], each time slot forms a leaf of an ordered binary tree of depth t . The root of the tree is associated with the empty string . We associate the lefthand descendants of the root with bit string 0, and the right-hand descendant with 1. Continuing this way, we associate the left descendant of node 0 with 00 and the right descendant with 01, and so on. We continue this procedure for all nodes, until we have constructed a complete binary tree of depth t . Note that two nodes at level j ≤ t of the tree are siblings if and only if their first j − 1 bits are equal and that each bit string in {0, 1} t is associated with a leaf of the tree. Note also that the leafs in the tree are ordered, in the sense that the leftmost leaf is associated with 0 t , its right neighbor with 0 t −1 1, and so on.
Intuition of the construction The basic idea behind the construction combines the binary tree approach of [15,31,33] with the BF-KEM construction described in Sect. 3.1. We use a HIB-KEM with identity space Each bit vector τ ∈ D 1 × · · · × D t = {0, 1} t corresponds to one time slot, and we set D t +1 = [m], where m is the size of the Bloom filter. The hierarchical key delegation property of the HIB-KEM enables the following features: First, given a HIB-KEM key sk τ for some "identity" (= time slot) τ ∈ {0, 1} t , we can derive keys for all Bloom filter bits from sk τ by computing Second, in order to advance from time slot τ to τ + 1, we first compute As soon as we have computed all Bloom filter keys for time slot τ , we "puncture" the tree "from left to right," such that we are able to compute all sk τ with τ > τ, but not any sk τ with τ ≤ τ . Here, we proceed exactly as in [15,31,33]. That is, in order to puncture at time slot τ , we first compute the HIB-KEM secret keys associated with all right-hand siblings of nodes that lie on the path from node τ to the root (if existent), and then we delete all secret keys associated with nodes that lie on the path from node τ to the root, including sk τ itself. This yields a new secret key, which contains m level-(t + 1) HIB-KEM secret keys plus at most t HIB-KEM secret keys for levels ≤ t , even though we allow for 2 t time slots.
Finally, it outputs the ciphertext C : Note that the ciphertexts essentially consists of k + 1 elements of {0, 1} λ , plus k elements of C, where k is the Bloom filter parameter. Remark We note again that the above procedure is correct even if the procedure is applied repeatedly, with the same arguments as for the construction from Sect. 3.1. Also, the puncturing algorithm essentially only evaluates k universal hash functions and then deletes a few secret keys, which makes this procedure extremely efficient. Remark Note that puncturing between time intervals may become relatively expensive.
Depending on the choice of Bloom filter parameters, in particular on m, this may range between 2 15 and 2 25 HIBKEM key delegations. However, the main advantage of BFKEM over previous constructions of puncturable encryption is that these computations must not be performed "online," during puncturing, but can actually be computed separately (for instance, parallel on a different computer, or when a server has low workload, etc.). More formally, we have that for all λ, m, k, t ∈ N, for all t = 2 t , for all z ∈ N with z ≤ t, and any (sk, pk) ← $ KGen(1 λ , m, k, t):
CPA Security Below we state theorem for CPA security of our scheme. The proof is almost identical to the proof of Theorem 1 and a straightforward reduction to the security of the underlying HIB-KEM. We sketch it below.
Proof. (Sketch). We sketch the proof of Theorem 6. Recall that a ciphertext has the form Essentially, one argues exactly as in Theorem 1 that the adversary receives no information about the key K encapsulated by the Bloom filter encryption scheme, unless it ever queries K j to random oracle G for some j ∈ [k]. Therefore, assume that Bqueries some K j to G in its u * -th query. At the beginning of the reduction, Afirst guesses index j ← $ [k] and u * ← $ [u]. It also samples the random string c ← $ {0, 1} λ used for the challenge BFKEM ciphertext at the beginning of the game, generates a Bloom filter and requests a challenge ciphertext for identity d * = (τ * |H j (c)), where τ * is the time slot selected by B. The challenge ciphertext received back from the HIB-KEM experiment is then embedded in the TB-BFKEM challenge ciphertext. The PuncCtx and PuncInt(sk, ·) queries of Bcan trivially be simulated by A. The Corr queries can be answered using the HIBDeloracle provided by the OW-sID-CPA security experiment of the HIB-KEM.
When Bmakes its u * -th query to G on value K , then Aterminates and outputs K . We know that any non-trivial adversary Bqueries K j to G for some j. If Ahas guessed u * and j correctly, which happens with probability 1/(uk), then it holds that K = K j , which yields the claim.

CCA Security
In order to apply the Fujisaki-Okamoto [25] transform in the same way as done in Sect. 3.2 to achieve CCA security, we need to show that the time based variants of the properties presented in Sect. 2.3 are satisfied (i.e., Definitions 18,19,20,and 21). First, using a full-blown HIBE as a starting point yields a separable HIB-KEM as discussed in Sect. 2.3. Hence, the separable randomness (Definition 19) is satisfied. Moreover, the publicly checkable puncturing (Definition 20) is given by construction (as in Sect. 3.1). Regarding extended correctness (Definition 18), the impossibility of false-negatives is given by construction, the perfect correctness of the non-punctured secret key is given by the perfect correctness of the HIBE and the semi-correctness of punctured secret keys is given by construction. Finally, γ -spreadness (Definition 21) is also given by construction: the ciphertext component c is chosen uniformly at random from {0, 1} λ . Consequently, all properties are satisfied. We note that one could omit c in the ciphertext if the concretely used HIBE ciphertexts are already sufficiently random. Considering the HIBE of Boneh-Boyen-Goh [11], HIBE ciphertexts are of the form (g r , (h I 1 1 · · · h I t t · h 0 ) r , H (e(g 1 , g 2 ) r ) ⊕ K), for honestly generated fixed group elements g, g 1 , g 2 , h 0 , . . . , h t , universal hash function H , fixed K and fixed integers I 1 , . . . , I t . Consequently, we have that the ciphertext has at least min-entropy log 2 q with q being the order of the groups. We want to mention that also many other HIBE construction satisfy the required properties, including, for example [19,27,48].
Remark on CCA Security Alternatively to applying the FO transform to a TB-BFKEM satisfying the additional properties of extended correctness, separable randomness, publicly checkable puncturing and γ -spreadness to obtain CCA security, we can add another HIBE level to obtain IND-CCA security via the CHK transform [15] in the standard model, and thus to avoid random oracles if required. 6

Forward-Secret 0-RTT Key Exchange
In [33] (with full version in [34]), Günther, Hale, Jager, and Lauer (GHJL) provide a formal model for forward-secret one-pass key exchange (FSOPKE) by extending the one-pass key exchange [36] by Halevi and Krawczyk. They provide a security model for FSOPKE which requires both forward secrecy and replay protection from the FSOPKE protocol and captures unilateral authentication of the server and mutual authentication simultaneously.
We recap the definition of FSOPKE with a slightly adapted KGen and correctness notion to allow for a non-negligible correctness error, which constitutes the main difference to the work of [33,34]. We remark that we do not change the security model of [34,Sec. 3.2] (i.e., the new input parameters added to KGen do only affect FSOPKE correctness and not the FSOPKE security model).
In particular, we now take into account the maximum number of server and client runs n ∈ N and a false-positive probability p of succeeding the runs (in computing the same session key for a particular time step  , r, τ max , n, p) : Takes as input a security parameter 1 λ , a role r ∈ {server, client}, the maximum number of time slots τ max ∈ N, and the maximum number of server and client runs n ∈ N with false-positive probability p, outputs public and secret keys (pk, sk) for a specific role r (we assume that the key-space K is implicit in pk). FSOPKE.RunC(sk, pk) : Takes as input a secret key sk, a public key pk, and outputs a (potentially modified) secret key sk , a session key K ∈ {0, 1} * ∪{⊥}, and a message M ∈ {0, 1} * ∪ {⊥}. FSOPKE.RunS(sk, pk, M) : Takes as input a secret key sk, a public key pk, and a message M ∈ {0, 1} * and outputs a (potentially modified) secret key sk and a session key K ∈ {0, 1} * ∪ {⊥}. FSOPKE.TimeStep(sk, r ) : Takes as input a secret key sk and an according role r ∈ {client, server} and outputs a (potentially modified) secret key sk .
Server and client flow within an FSOPKE scheme A server and a client are engaging in an FSOPKE scheme as follows. According to their role, a server (i.e., when the role is server) and a client (i.e., when the role is client) execute (pk s , sk s,1,1 ) ← FSOPKE.KGen(1 λ , server, τ max , n, p), for client's private key sk c,i, j and a server's public key pk s , to receive a (potentially modified) secret key sk c,i, j+1 , a session key K c,i, j , and a message M (e.g., a ciphertext) which is transmitted to the server (associated with pk s ). The server obtains M and executes for the server's secret key sk s,i, j and the client's public key pk c to receive a (potentially modified) secret key sk s,i, j+1 and a session key K s,i, j .
By our adapted correctness notion of the FSOPKE (see Definition 26 below), we have that K c,i, j = K s,i, j except with potentially non-negligible probability (bounded by μ(n, p) + ε(λ), for a potential non-negligible function μ(·, ·) that only depends on n and p, as well as a negligible function ε(·) that depends on λ).
for all j ∈ [n] and i ∈ [τ max ], we have that where μ(·, ·) is some (possibly non-negligible) function that depends on n and p, and ε(·) is a negligible function that depends on λ. FSOPKE.KGen(1 λ , r, τ max , n, p) : On input security parameter 1 λ , role r ∈ {server, client}, maximum number of time steps τ max ∈ N, maximum number of server and client runs n ∈ N with false-positive probability p, proceed as follows:
By p we denote the number of times a secret key has already been punctured, and by we denote the maximum number of time slots. We consider the GHJL [33] instantiation with the BKP-HIBE of [9], the GM [31] and our instantiations with the BBG-HIBE [11], though other HIBE schemes may lead to different parameters. Finally, note that p ≤ 2 20 , k and m refer to the parameters in the Bloom filter, where k is some orders of magnitude smaller than λ, i.e., k = 10 vs. λ = 128, and |G i | denotes the bitlength of an element from G i TB-BFKEM. In Table 3, we provide an overview of all existing practically instantiable approaches to construct a PFSKEM and compare them to the TB-BFKEM proposed in this paper. 8 We compare all schemes for an arbitrary number of time slots, where for sake of simplicity we assume = 2 t for some integer t, (corresponding to our timebased BFKEM) and only count the expensive cryptographic operations, i.e., such as group exponentiations and pairings.
To quickly summarize the schemes: The most interesting characteristic of our approach compared to previous approaches is that our scheme allows to offload all expensive operations to an offline phase, i.e., to the puncturing of time intervals. Here, in addition to the O(w 2 ) operations which are common to all existing approaches, we have to generate a number of keys, linear in the size m of the Bloom filter. We believe that accepting this additional overhead in favor of blazing fast online puncturing and decryption operations is a viable tradeoff. For the online phase, our approach has a ciphertext size depending on k (where k = 10 is a reasonable choice), decryption depends on k, the secret key shrinks with increasing amount of puncturings and one does only require to securely delete secret keys during puncturing. 9 In contrast, decryption and puncturing in GHJL is highly inefficient and takes several seconds to minutes on decent hardware for reasonable deployment parameters as it involves a large amount of O(λ 2 ) HIBE delegations and consequently expensive group operations. In the GM 8 We consider all but the PE schemes from indistinguishability obfuscation [17,20]. 9 First, note that all constructions have to implement a secure-delete functionality for secret keys within puncturing anyways. Second, note that the question regarding which data structures to choose so that implementations can actually benefit from the shrinking keys is out of scope here. Note that low-level optimizations for sparse files are typically implemented by modern operating systems and file systems [28]. This way one would even benefit when the memory for the secret keys is allocated as a single monolithic block and the deleted keys are simply zeroed out. scheme, 10 puncturing is efficient, but the size of the secret key and thus cost of decryption grows in the number of puncturings p. Hence, it gets impractical very soon. More precisely, cost of decryption requires a number of pairing evaluations that depends on the number of puncturings and can be in the order of 2 20 for realistic deployment parameters.

Conclusion
In this paper, we introduced the new notion of Bloom filter encryption as a variant of puncturable encryption which tolerates a non-negligible correctness error. We presented various BFKEM constructions. The first one is a simple and very efficient construction which builds upon ideas known from the Boneh-Franklin IBE. It achieves constant size public keys. The second one is a generic construction from CP-ABEs, where a suitable choice of the CP-ABE achieves constant size ciphertexts are available. Those constant size ciphertexts, however, come at the cost of larger keys in existing schemes. The third one is a generic construction from IBBEs, which can be instantiated with the IBBE by Delerablée [22]. This instantiation simultaneously yields constant size ciphertexts and compact public keys. Furthermore, we extended the notion of BFKEM to the forwardsecrecy setting and also presented a construction of what we call a time-based BFKEM (TB-BFKEM). This construction is based on HIBEs and in particular can be instantiated very efficiently using the Boneh-Boyen-Goh HIBE [11]. Our time-based BFKEM can directly be used to instantiate forward-secret 0-RTT key exchange (fs 0-RTT KE) as in [33].
From a practical viewpoint, our motivation stems from the observation that forwardsecret 0-RTT KE requires very efficient decryption and puncturing. Our framework-for the first time-allows to realize practical forward-secret 0-RTT KE, even for larger server loads: while we only require to delete secret keys upon puncturing, puncturing in [33] requires, besides deleting secret-key components, additional computations in the order of seconds to minutes on decent hardware. Likewise, when using [31] in the forward-secret 0-RTT KE protocol given in [33], one requires computations in the order of the current number of puncturings upon decryption, while we achieve decryption independent of this number. Finally, we believe that BFE will find applications beyond forward-secret 0-RTT KE protocols. 10 Although GM supports an arbitrary number d of tags in a ciphertext, we consider the scheme with only using a single tag (which is actually favorable for the scheme) to be comparable to GHJL as well as our approach. Note that the correctness is essentially our BFKEM definition ported to the encryption setting. As in Sect. 2.3, we can define the extended correctness, separable randomness, publicly checkable puncturing and γ -spreadness. As this is straightforward, we do not explicitly repeat the definitions here.
Security notions Subsequently, in Fig. 8, we define the IND-CPA/IND-CCA2experiment for BFE. The experiment is identical to IND-CPA/IND-CCA2 security for conventional publickey encryption, but in addition, the adversary in the second phase can arbitrarily puncture the secret key and retrieve the punctured secret key as long as the key has been punctured on the challenge ciphertext C * . This still should not help the adversary to obtain any information about the message hidden in C * .

B Proof of Lemma 1
We begin by computing the expected number of bits set to one in the BF after α random elements have been added. Let T 0 = b 0 b 1 . . . b m be the sequence of bits of a BF with size m. After initialization, we have b i := 0 for all i ∈ [m]. With each added element, we set up to k bits to one, that is we sample k elements a 1 , . . . , a k ∈ [m] with replacement and set b a i := 1. At the end of α time steps, we have at most αk bits equal to one and at least 1 bit equal to one. Let X t i be the event that b i is set at time t, that is, X t i = 1 ⇒ b i = 1 has already been set to one at time t. Thus, the number bits set to one after α time steps is To compute the expected number of bits set to one at time t, we need to compute the expected value of each X i . Then, the expected number of bits set to one after α time steps is We can now bound the probability by applying a simple combinatorial argument. When choosing a random bit b i , we have a probability of X α /m to choose an index i with b i = 1. Independently repeating this process k times, leads us to the expected false-positive probability of a random element u ∈ U being recognized by the Bloom filter:

D Identity-based Broadcast Encryption with Constant Size Ciphertexts and Private Keys
The subsequent construction is the identity-based broadcast encryption scheme by Delerablée [22]. The main advantages of her scheme are the constant size ciphertexts and private keys. Let ( p, e, G 1 , G 2 , G T ) ← $ BilGen(1 λ ) be public parameters of a bilinear map e : G 1 ×G 2 → G T with prime orders p and | p| = λ. Let H : Z * q → Z * q be a cryptographic hash function. We construct an identity-based broadcast encryption scheme IBBE = (Setup, Extract, Enc, Dec) as follows: Setup(λ, k) : The key generation algorithm chooses two generators g 1 ∈ G 1 and g 2 ∈ G 2 and a secret value γ ← $ Z * q . Finally, we set and output the public key pk and master secret key msk as pk := w = g