Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange
Journal of Cryptology (IF 3), Pub Date: 2021-03-09, DOI: 10.1007/s00145-021-09374-3
David Derler, Kai Gellert, Tibor Jager, Daniel Slamanig, Christoph Striecks

Forward secrecy is considered an essential design goal of modern key establishment (KE) protocols, such as TLS 1.3, for example. Furthermore, efficiency considerations such as zero round-trip time (0-RTT), where a client is able to send cryptographically protected payload data along with the very first KE message, are motivated by the practical demand for secure low-latency communication. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and full forward secrecy exist. Only recently, the first forward-secret 0-RTT protocol was described by Günther et al. (Eurocrypt, 2017). It is based on puncturable encryption. Forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once (cf. also Green and Miers, S&P 2015). Unfortunately, their scheme is completely impractical, since one puncturing operation takes between 30 s and several minutes for reasonable security and deployment parameters, such that this solution is only a first feasibility result, but not efficient enough to be deployed in practice. In this paper, we introduce a new primitive that we term Bloom filter encryption (BFE), which is derived from the probabilistic Bloom filter data structure. We describe different constructions of BFE schemes and show how these yield new puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude. This gives rise to the first forward-secret 0-RTT protocols that are efficient enough to be deployed in practice. We believe that BFE will find applications beyond forward-secret 0-RTT protocols.
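
The puncturing step described in the abstract, modelled as an added example that is not code from the paper or its authors. It tracks only the decryptor's secret-key state and performs no encryption; it assumes a Bloom filter layout with one secret per position and `k` hashed positions per ciphertext tag, and the class, function names, parameters and sample tags are all constructed for illustration.

```python
import hashlib
import secrets


class PuncturableKeyState:
    """Secret-key state only: one secret per Bloom filter position (assumed layout)."""

    def __init__(self, m, k):
        self.m, self.k = m, k
        # Random bytes stand in for the real per-position secret keys.
        self.slots = {i: secrets.token_bytes(16) for i in range(m)}

    def positions(self, tag):
        """Map a ciphertext tag to k Bloom filter positions."""
        return [
            int.from_bytes(hashlib.sha256(bytes([j]) + tag).digest()[:8], "big") % self.m
            for j in range(self.k)
        ]

    def can_decrypt(self, tag):
        """Decryption needs at least one surviving slot key for this tag."""
        return any(p in self.slots for p in self.positions(tag))

    def puncture(self, tag):
        """k hash evaluations plus deletion of the matching parts of the key."""
        for p in self.positions(tag):
            self.slots.pop(p, None)


def replay_rejected(m=1024, k=4):
    """Return (decryptable before puncture, decryptable after puncture)."""
    sk = PuncturableKeyState(m, k)
    tag = b"constructed-0rtt-message-1"  # constructed sample tag
    before = sk.can_decrypt(tag)
    sk.puncture(tag)
    return before, sk.can_decrypt(tag)


def false_positive_rate(m, k, punctured, probes=2000):
    """Fraction of never-punctured tags that can no longer be decrypted."""
    sk = PuncturableKeyState(m, k)
    for i in range(punctured):
        sk.puncture(b"used-%d" % i)
    fresh = [b"fresh-%d" % i for i in range(probes)]
    return sum(not sk.can_decrypt(t) for t in fresh) / probes
```

The second function shows the cost of the probabilistic structure: as more ciphertexts are punctured, a growing fraction of fresh ciphertexts lose all of their slot keys, so the filter size has to be chosen for the expected number of decryptions per key.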




Updated: 2021-03-10