Lattice Cipher Nearest Plane Algorithm: How to Solve the Nearest Vector CVP Problem (1)

Table of contents

1. Introduction to Nearest Plane Algorithm

2. A simple rounding algorithm to solve the CVP problem

3. Nearest plane algorithm steps

4. Graphical Understanding of the Nearest Plane Algorithm

---

1. Introduction to Nearest Plane Algorithm

In 1986, L.Babai proposed the nearest plane algorithm to solve the CVP problem, using n to represent the rank of the lattice, the output approximation of the algorithm is as follows:

CVP: Closest Vector Problem, full name Closest Vector Problem

The six variants of the CVP problem are as follows:

At that time , the last three questions were the same as the first three.

If the calculation problem is solved , since the calculation, optimization and Gap problems are equally difficult, then the remaining optimization and Gap problems can be solved. Recently, the planar algorithm can solve the problem of calculating CVP, and at this time , in order to simplify the thinking of the analysis, the follow-up is only discussed , and the desired approximate value can also be achieved by modifying the parameters related to the algorithm.

2. A simple rounding algorithm to solve the CVP problem

The simple rounding algorithm is to directly round all the coefficients of a given vector (it can be rounded up or down), and the grid points obtained by the approximate algorithm have a lot to do with the selection of the grid base, as shown in the figure below:

3. Nearest plane algorithm steps

The algorithm mainly consists of two steps. The first step is to output the LLL reduced basis for the input lattice; at this time, for this reduced basis vector, an integer linear combination is formed to ensure that it is close enough to the given vector t. This step is very similar to the inner loop reduction operation of the LLL algorithm.

The algorithm steps are as follows:

Obviously, it has been proved that the LLL algorithm and the algorithm of the reduction step belong to the polynomial time algorithm, so it can be obtained that the relationship between the nearest plane algorithm and the input scale n is also a polynomial time relationship. The following discussion and analysis will include full-rank lattices and non-full-rank lattices.

Given a unit orthonormal basis, as follows:

For non-full-rank lattices, it is necessary to add mn rows of zero matrix vectors, so the corresponding matrix B and the combination formed by t are as follows:

The nearest plane algorithm is to seek the integer combination of the matrix B column vector to ensure that when subtracting from the t vector, the range of the subtraction difference of each dimension is as follows: 

The algorithm starts from the nth column and calculates continuously and recursively. If it is a non-full-rank lattice, then the remaining mn dimensions are spaces perpendicular to the original lattice.

4. Graphical Understanding of the Nearest Plane Algorithm

Given a 3-dimensional example, reduce it to 2-dimensional through the nearest plane algorithm, as shown in the following figure:

The core idea of ​​the algorithm can be divided into four steps: 

1. t is projected onto the plane corresponding to the grid to form a point s;
2. Find the corresponding integer c so that the hyperplane is as close as possible to the point s;
3.  Order , to iteratively find the relationship between, assuming that the answer obtained at this time is ;
4. The final returned answer is ;

The purpose of the first step of the projection process operation is to convert the shortest distance from the grid point to t into the shortest distance to s. This step is very necessary when the grid is not full rank. The next step is to select the nearest hyperplane each time, and then move dimension by dimension.