A family of subsets C of [n] def = {1, . . . , n} is (r, t)exclusive if for every S ⊂ [n] of size at least n − r, there exist S1, . . . , St ∈ C with S = S1∪S2∪· · · ∪St. These families, also known as complement-cover families, have cryptographic applications, and form the basis of informationtheoretic broadcast encryption and multi-certificate revocation. We give the first explicit construction of such families with size poly(r, t)nr/t , essentially matching a basic lower bound. Our techniques are algebraic in nature. When r = O(t), as is natural for many applications, we can improve our bound to poly(r, t) n r 1/t . Further, when r, t are small, our construction is tight up to a factor of r. We also provide a poly(r, t, log n) algorithm for finding S1, . . . , St, which is crucial for efficient use in applications. Previous constructions either had much larger size, were randomized and took super-polynomial time to find S1, . . . , St, or did not work for arbitra...
Craig Gentry, Zulfikar Ramzan, David P. Woodruff