Explicit Exclusive Set Systems with Applications to Broadcast Encryption

A family of subsets C of [n] =^def {1,...,n} is (r, t)-exclusive if for every S sub [n] of size at least n - r, there exist S₁,...,S_t isin C with S = S₁cupS₂cup...cupS_t. These families, also known as complement-cover families, have cryptographic applications, and form the basis of information-theoretic broadcast encryption and multi-certificate revocation. We give the first explicit construction of such families with size poly(r, t)n^rt/, essentially matching a basic lower bound. Our techniques are algebraic in nature. When r = O(t), as is natural for many applications, we can improve our bound to poly(r, t)(ⁿ _r)¹t/. Further, when r, t are small, our construction is tight up to a factor of r. We also provide a poly(r, t, log n) algorithm for finding S₁ ,...,S_t, which is crucial for efficient use in applications. Previous constructions either had much larger size, were randomized and took super-polynomial time to find S₁,...,S _t, or did not work for arbitrary n, r, and t. Finally, we improve the known lower bound on the number of sets containing each i isin [n]. Our bound shows that our derived broadcast encryption schemes have essentially optimal total number of keys and keys per user for n users, transmission size t, and revoked set size r