Guide

Bloom filters explained

Your API receives ten million requests per day. Ninety-five percent ask for user IDs that do not exist — yet every miss still hits the database because you cannot know absence without a lookup. A Bloom filter is a compact probabilistic data structure that answers one question cheaply: "Has this key definitely not been inserted?" If the filter says no, you skip the expensive path. If it says maybe, you confirm against authoritative storage. Bloom filters trade a controlled false positive rate for dramatic memory savings and constant-time membership tests — which is why Cassandra, Bigtable, Chrome's Safe Browsing list, and countless Redis caching layers rely on them. This guide covers how Bloom filters work, the math behind sizing, variants that support deletion, pairing with exact stores, and when a hash set or B-tree index is the better tool.

What a Bloom filter guarantees

Invented by Burton Bloom in 1970, a Bloom filter is a fixed-size bit array of m bits, initially all zero. Inserting an element runs k independent hash functions on the key, each mapping to a bit position in [0, m), and sets those k bits to 1. Querying repeats the same k hashes: if any bit is 0, the element was never inserted — a definite negative. If all k bits are 1, the element might be present.

The critical contract:

  • No false negatives — if inserted, a query always returns "maybe present."
  • Possible false positives — unrelated keys can hash to the same bit pattern, so "maybe present" does not mean "definitely present."
  • No deletion in the classic form — clearing a bit would break other keys sharing that bit.
  • Fixed capacity mindset — performance degrades as the filter fills beyond its design load.

That asymmetry makes Bloom filters ideal as a first-pass gate in front of slower truth sources: disk, network RPCs, or cross-shard lookups in distributed systems.

How insertion and lookup work

Consider inserting the string "user:48291" into an 8-bit filter with k = 2 hash functions (real filters use thousands of bits and 3–10 hashes):

  1. Compute h1("user:48291") mod m and h2("user:48291") mod m.
  2. Set bits at those positions to 1.
  3. On lookup for "user:99999", hash again; if either position is 0, return "definitely absent."

Hash quality matters. Use fast, well-distributed hashes — MurmurHash3, xxHash, or double hashing where h_i(x) = h1(x) + i * h2(x) — rather than cryptographic SHA-256 unless security against preimage attacks is required. Double hashing lets you derive k positions from two base hashes, which is how most libraries implement the structure efficiently.

Lookup is O(k) — a handful of memory reads. Compare that to a remote database round trip at 1–5 ms or a Redis GET at 0.1 ms when you can reject 90% of keys locally in microseconds.

Sizing: false positive rate math

Given n expected insertions and a target false positive probability p, classical formulas approximate optimal parameters:

  • Bit array size: m ≈ −(n ln p) / (ln 2)²
  • Hash count: k ≈ (m/n) ln 2

Example: one million keys at p = 0.01 (1% false positive rate) needs roughly 9.6 million bits (~1.2 MB) and k ≈ 7 hash functions. At p = 0.001, memory roughly triples. The curve is steep — halving the error rate can double memory — so pick p based on downstream cost: if a false positive only triggers one extra cache read, 1% may be fine; if it triggers a cross-region database query, target 0.1% or lower.

Monitor the fill ratio ones / m in production. Inserting far beyond n pushes the false positive rate toward 100%, at which point the filter becomes useless. Rebuild or migrate to a scalable variant when load exceeds design capacity.

Common production use cases

Cache negative filtering

A cache-aside pattern normally misses on unknown keys, then queries the DB and stores the result. Attackers or buggy clients hammering random IDs cause a cache penetration storm. Maintain a Bloom filter of known IDs (or known-absent IDs) in process memory: if the filter says absent, return 404 without touching Redis or Postgres.

Database and storage engines

LSM-tree stores (RocksDB, Cassandra, HBase) attach Bloom filters per SSTable to skip disk reads when a key cannot exist in that file. Without them, every point lookup might scan multiple on-disk blocks. The filter sits alongside B-tree indexes as a separate probabilistic layer optimized for "definitely not here."

Deduplication and crawlers

Web crawlers and log pipelines use Bloom filters to track "already seen" URLs or event IDs when exact sets would exhaust RAM. A false positive merely skips a URL that was new — usually acceptable — while a false negative would never occur, so no URL is crawled twice undetected.

Blocklists and security

Chrome Safe Browsing and similar systems ship compact Bloom filters to clients for offline malware URL checks. A positive match triggers a full hash lookup against a server-side exact set. The filter shrinks bandwidth; the exact set provides certainty.

Variants when the classic filter is not enough

Counting Bloom filter

Replace each bit with a small counter (typically 4 bits). Insert increments counters; delete decrements (never below zero). Supports removal at the cost of more memory and counter saturation risk — if a counter overflows, deletes become unsafe.

Scalable Bloom filter

Chain multiple standard Bloom filters. When filter i fills, add filter i+1 with stricter p. Queries check all filters. Growth is unbounded; false positive rate stays bounded if sized correctly per layer.

Cuckoo filters

An alternative using cuckoo hashing that supports deletion, better lookup performance for some workloads, and slightly different false positive behavior. Worth evaluating when you need removable membership with compact footprint and can accept implementation complexity.

Blocked Bloom filter

Partition the bit array into cache-line-sized blocks so each hash sets bits within one block — improves CPU cache locality on modern hardware.

Implementation patterns

In-process libraries: Guava BloomFilter (Java), bloomfilter (Python), and Rust crates like bloomfilter or probabilistic-collections handle sizing math and serialization. Serialize the bit array to disk on shutdown and reload on startup so cold starts do not lose negative knowledge.

Redis: The RedisBloom module provides BF.ADD, BF.EXISTS, and BF.MEXISTS with automatic scaling options. Useful when multiple app instances share one filter without shipping snapshots to every node — pair with TTL and rebuild jobs for unbounded key spaces.

Application architecture: Never treat a Bloom filter as authoritative storage. The pattern is always:

  1. Query Bloom filter.
  2. If negative, return absent immediately.
  3. If positive, confirm against database, cache, or authoritative set.
  4. On confirmed insert, add to Bloom filter (and rebuild periodically if deletions are needed).

For hot paths, keep the filter in local memory on each replica. For sharded databases, maintain per-shard filters so a key's absence on shard A does not require querying shards B through Z.

Bloom filter vs hash set vs database index

Approach Memory False positives Deletion Best for
Bloom filter Very low (bits only) Yes, tunable Classic: no Negative lookups, disk skip, shared blocklists
Hash set High (full keys) No Yes Exact membership under ~millions of keys in RAM
B-tree / hash index Disk + cache No Yes Range queries, authoritative storage

If every false positive is expensive and RAM is affordable, a hash set wins. If you need range scans or durability, use indexes. Bloom filters shine in the gap: billions of keys, tight memory budget, and asymmetric cost where negatives are cheap to verify but positives need confirmation anyway.

Failure modes and testing

  • Oversized load: More insertions than planned — monitor FP rate with synthetic probes.
  • Stale filters: Keys deleted from DB but still in filter cause extra positive lookups, not wrong answers, if you always confirm.
  • Non-deterministic hashing across versions: Changing hash seeds between deploys invalidates persisted filters — version your serialization format.
  • Assuming positives are real: Granting access or skipping validation on filter alone is a security bug.

Unit-test with a small m and known keys to measure empirical false positive rate against theory. Property-based tests that insert random keys and verify zero false negatives catch hash implementation bugs early.

Production checklist

  1. Define expected insertion count n and acceptable false positive rate p from downstream cost.
  2. Compute m and k; document rebuild threshold when load exceeds 1.2× design n.
  3. Always confirm positives against authoritative storage — never return user data from filter alone.
  4. Use fast non-cryptographic hashes unless threat model requires otherwise.
  5. Serialize and version filters for restart safety; plan full rebuild from source of truth on corruption.
  6. Expose metrics: fill ratio, estimated FP rate, rebuild latency, and "filter negative" bypass count.
  7. For deletions, choose counting Bloom, cuckoo filter, or periodic rebuild — do not clear bits in classic filters.
  8. Load-test with adversarial random keys to validate cache penetration protection.
  9. Per-shard filters in distributed topologies — avoid one global filter unless keys are uniformly distributed.
  10. Compare against in-memory hash set if n is small; Bloom filters pay off at scale.

Key takeaways

  • Bloom filters answer "definitely not in set" with no false negatives and tunable false positives.
  • Memory is bits × hash functions — sizing math ties n, m, k, and p together.
  • Use as a gate, not a database — confirm every positive against real storage.
  • Classic filters cannot delete — use counting, cuckoo, or scalable variants when removal matters.
  • LSM stores and CDNs depend on them to skip work that would otherwise dominate latency.

Related reading

All guides Database sharding