Deterministic Construction of an Approximate M-Ellipsoid and its Application to Derandomizing Lattice Algorithms

Determin istic Construction of an Approxi mate M-Ellipsoid and its Applicatio n to Derando mizing Lattice Algorithms Daniel Dadush ∗ Santosh V empala † September 7, 2018 Abstract W e gi ve a de terministic O (lo g n ) n algorithm fo r the S hortest V ector Pr oblem (SVP ) of a lattice under any norm, impr oving on the previous best deterministic bound o f n O ( n ) for general norms and nearly matching th e bound of 2 O ( n ) for the standar d Eu clidean norm estab lished b y Micciancio an d V oulgaris ( STOC 201 0). Our algorithm c an be vie wed as a deran domization of the AKS random ized sie ve algor ithm, which can be used to s olve SVP for any nor m in 2 O ( n ) time with high pr obability . W e use the technique o f covering a con vex body by ellipsoids, as introduced for lattice problems in (Dadush et al., FOCS 201 1). Our main contribution is a deterministic approximatio n o f an M-ellipsoid of any con ve x bo dy . W e achieve this via a co n vex programming form ulation of the optimal ellipsoid with the objective function being an n -dimen sional integral that we show can be app roximate d deterministically , a techn ique that appears to be of indepen dent interest. ∗ School of Industrial and Systems Engineering, Georgia T ech. dndadush@gmai l.com † School of Computer Science, Georgia T ech. vempala@gatech.e du 1 Introd uction The Shortest V ector Problems (SVP) on lattice s is a central algorithmic problems in the geometry of num- bers, with applicatio ns to Integer Programming [Len83], factor ing polynomials ov er the rational s [LLL82], crypta nalysi s (e.g., [Odl90, JS98, NS01]), and much more. (An n -dimen sional latti ce L is a discrete ad- diti ve subgroup of R n , and is generate d as the set of integer linear combinatio ns of some basis vectors b 1 , . . . , b k ∈ R n , for some k ≤ n . ) The SVP is simply: gi ven a la ttice L re presen ted by a basis, fi nd a nonze ro v ∈ L such that k v k is minimized , where k·k denote s a particul ar norm on R n . The f astest kno wn algorithms for solv ing SVP in gen eral norms, are 2 O ( n ) time algor ithms based on the AKS S ie ve [AK S01, AJ08]. These algorithms use an e xponential amoun t of rand omness and only gu arante e the correc tness of their outputs with high probabili ty . Improv ing on this, [DPV11] gav e a 2 O ( n ) Las V egas algori thm (i.e. only the runtime is random, not the correctness ) for general norm SVP which uses onl y a polyn omial amount of rand omness. In this paper , bu ilding on the id eas of [DPV11], we giv e a determinist ic O (log n ) n algori thm for general norm S VP , hence completely eliminating the randomne ss while sustain ing a moder ate slowdo wn in the runni ng time. The pre vious best determinist ic complex ity for general norm SVP is n Ω( n ) . W e re vie w th e id eas b ehind [DPV11]. For t he E uclide an norm (w hen K is a ball in R n ), Mic cianci o and V ou lgaris [MV 10] showed how to solv e the SVP in time 2 O ( n ) , usin g a new enumeration technique based on usin g the vor onoi cell of a lattice (the set o f points in R n closer to the ori gin than any ot her lattice point). Unfortun ately , the direct generaliza tion of their technique to other norms (i.e., using the associated v oronoi cell of the norm), e ven for ℓ p norms, seems to break do wn. In [DPV11], Dadush et al. prop osed a differ ent approach that uses the enumerati on techni que [MV10] and directly reduces SVP in ge neral norms to enumera tion in the ℓ 2 norm. Their k ey id ea was to use th e classic al M -ellips oid cover ing from con ve x geomet ry to cove r a giv en con ve x body K by a small numbe r of ellipsoi ds each of roughly the same vo lume as K . An M -ellip soid of a con vex body K is an ellipsoid E with the follo wing prope rties: 1. N ( K, E ) ≤ 2 O ( n ) 2. N ( E , K ) ≤ 2 O ( n ) where N ( A, B ) = inf {| Λ | : Λ ⊆ R n , A ⊆ B + Λ } is the number of translatio ns of B required to cov er A . In words , the number of copies of E require d to co ver K and vice v ersa are both bound ed by a single exp onent ial in n . The exi stence of such an ellipsoid for any con vex body was establi shed by Milman [Mil86]. W e note that an M-elli psoid can be quit e differ ent from the more classical John el lipsoi d, e.g. the lar gest ellipso id contained in K , since its v olume can be an n O ( n ) fact or of f from K (e.g., the cube v s the unit ba ll) implying than N ( K, E ) = n Ω( n ) . The first ste p in [DPV11] is reduce to ge neral no rm S VP under k · k K and a lat tice L to lattic e poi nt enumerat ion inside a scaling of K , in particu lar any scaling s > 0 such that sK ∩ L 6 = ∅ and s 2 K ∩ L = ∅ (which can easily be guessed). Importantly , at th is scaling, it is shown that sK ne ver contains more than 2 O ( n ) lattice points in any tran slation . The main idea in [DPV11] is then that enumerating the lattice points inside sK reduces to enumerat ing the lattice points inside the ellipsoids in an M-ellipsoid co ver ing of s K , thereb y reducing the prob lem to enumeratio n in ℓ 2 (which can be solv ed using the techniques in [MV10]). Giv en the cov ering propertie s satisfied by the M -ellips oid, we get that the total number of lattice points enumerat ed in this wa y is at most a 2 O ( n ) fact or more than the m aximum numbe r of lattice poin ts K can contai n in any t ransla tion, and hence 2 O ( n ) . 1 Thus a ke y ingredi ent in the app roach of [DPV11] to solve SV P under k · k K is fi nding an M-ellipso id of K . Inde ed, the paper [DPV 11] giv es a polynomial-ti me randomized algorith m to construct an M-ellipso id with hig h probabi lity , based on the tech niques of Klartag [Kla06] (suc h an algorit hm was implicit in his paper) . Unfortunatel y , the algo rithm mak es e ssentia l use of random samp ling o ve r c on ve x bodies and seems inhere ntly difficult to deran domize. In th is paper , we gi ve a d eterminis tic algorithm to b uild an “ appro ximate” M-ellipsoid E for an y co n ve x body K . While we do not obtain the optimal coveri ng bo unds, we will gu arante e tha t N ( K , E ) = 2 O ( n ) and N ( E , K ) = O (log n ) n = 2 O ( n log log n ) . Moreove r , we sho w that this ellip soid E can be computed O ( √ log n ) n time. This result and its conse quenc e for the SVP are stated more precisel y in the follo wing theore ms. Theor em 1.1. Ther e is deterministic O (log n ) n -time algo rithm that given any con vex body K ⊂ R n , speci - fied by a m embers hip orac le, finds an ellipso id E suc h that N ( K, E ) ≤ 2 O ( n ) and N ( E , K ) ≤ O (log n ) n . The comple xity of the algorit hm (or acle calls and arithmetic opera tions) is O ( √ log n ) n . Using this theore m, and the techniques from [DPV11], we obtain the follo wing result: Theor em 1.2. Given a lattice L by a ba sis and a nor m k . k K specifi ed by a con vex body K , the shortest vector in L under the norm k . k K can be found in time O (log n ) n . Applicat ions to other lattice problems (clos est vector , integ er programming ) are described in Section 5. These results are based on two main ideas. T he first is a con ve x progr am inspired by an exist ential approx imation to the M -ellipsoid based on a position called the ℓ -position, gi ve n by P isier [Pis89]. The second is an algor ithm fo r solving the con ve x program, where the key hurdle is an ef fi cient determini stic approx imation of the objec ti ve valu e at any gi ven feasibl e point. In the ne xt sect ion, we describe the ℓ -po sition w hich leads to the approxi mate M -ellipsoid. T hen we gi ve our con ve x programming based algori thm for computi ng the approximate M -ellipsoid , follo wed by its analys is. Sectio n 5 applies this to the SVP and other problems. W e conclude this section with a comment on the comple xity of computin g (approximate ) M -ellipsoids (and therefore the ℓ -posit ion). An M -ellipsoid E for a con vex body K achie ving cov ering numbers N ( K, E ) , N ( E , K ) gi ves an N ( K, E ) N ( E , K ) to the v olume of K . It is well-kno w n tha t in the ora cle model for con- ve x bo dies, any deterministic algorithm tha t has complexit y at most n a incurs an approx imation fa ctor of ( cn/a log n ) n/ 2 , implying in particu lar that an algorith m that achie ves a 2 O ( n ) approx imation must hav e comple xity 2 Ω( n ) . Theorem 1.1 readily implies an O (log n ) n approx imation with O ( √ log n ) n comple xity , gettin g close to the lo wer bound. Fully closin g this gap is an inte restin g open problem. 2 M -ellipsoids and the ℓ -position As explain ed above , one usefu l view of whether an ellipsoid E “ap proximat es” a con ve x body K well is if N ( K, E ) , N ( E , K ) = 2 O ( n ) . A similar vie w , t ake n by Pisier , is to find an ellips oid E with the pro perty that v ol ( K ∩ E ) ≥ v ol( E ) / 2 and v ol ( K ) not m uch lar ger than v ol( E ) . This is useful in light of the follo wing elemen tary bound on cover ing numbers for centr ally symmetric bodies (see [MP00]). Lemma 2.1. Let A, B ⊆ R n be symmetric con ve x bodies. T hen N ( A, B ) ≤ 3 n v ol ( A ) v ol ( A ∩ B ) 2 W e are now ready for the ℓ -positio n which lets us find an ellipsoid with small cove ring numbers using this perspe cti ve. Let K ⊆ R n be a symmetric con ve x body , and let K ∗ = { x : sup y ∈ K h x, y i ≤ 1 } denote the polar of K . Let B n 2 ⊆ R n denote the unit euclide an ball, and S n − 1 = ∂ B n 2 denote the unit sphere. Let γ n ( x ) =  1 √ 2 π  n e − 1 2 k x k 2 be the density of the canonica l gaussian measure on R n . W e define the expecte d norm of a rando m Gaussian point as ℓ ( K ) = Z k x k K γ n ( x ) dx. The follo wing lemma, see [ Pis89 ] , prov ides an asymptotic estimate of this quantity . Lemma 2.2. Let K ⊆ R n be a symmetric con vex body . Then for m = sup { r ≥ 0 : vol n − 1 ( r S n − 1 ∩ K ) ≥ 1 2 v ol n − 1 ( r S n − 1 ) } we have that l ( K ) = Θ  √ n m  . Furthermor e, vo l( mB n 2 ∩ K ) ≥ 1 2 v ol ( mB n 2 ) . A theorem of Pisier [Pis89] relates the ℓ -estimate of a body with that of its dual. Theor em 2.3. Let K ⊆ R n be a symmetric con vex body . Then inf T ∈ S L ( n ) l ( T K ) l ( T ∗ K ∗ ) ≤ cn log n wher e S L ( n ) is the set of n × n matrices of determina nt 1 and c > 0 is an absolute constant. The next theorem, known as the Blashke-San tal ´ o inequa lity [Bla1 8, S an49], giv es an upper bound on the v olume produ ct, a fundamen tal quanti ty in con vex geometry . Theor em 2.4 (Blashk e-Santal ´ o) . Let K ⊆ R n be a symmetric con vex body . T hen v ol ( K )vo l( K ∗ ) ≤ vo l( B n 2 ) 2 with equa lity if f K is an ellip soid. Using the above estimates, we get the follo wing well-k no wn result, whose proof we includ e for com- pleten ess. Theor em 2.5 (Pisier) . Let K ⊆ R n be a symmetric con ve x body . Then ther e exi sts an ellipsoid E ⊆ R n suc h that v ol ( E ∩ K ) ≥ 1 2 v ol ( E ) and v ol( K ) ≤ O (log n ) n v ol ( E ∩ K ) In additio n, we get that N ( K, E ) = O (log n ) n and N ( E , K ) = 1 2 3 n Pr oof. L et us first app ly a meas ure pres erving linear transformation T to K such that l ( T K ) l ( T ∗ K ∗ ) is minimized, and hence by 2 .3 we may assu me that l ( K ) l ( K ∗ ) = O ( n log n ) . N o w using Lemma 2 .2 we see that m = sup { r ≥ 0 : v ol( r B n 2 ∩ K ) ≥ 1 2 v ol ( r B n 2 ) } = Ω  √ n l ( K )  3 and that m ∗ = sup { r ≥ 0 : v ol( r B n 2 ∩ K ∗ ) ≥ 1 2 v ol ( r B n 2 ) } = Ω  √ n l ( K ∗ )  Hence we get that mm ∗ = Ω  1 log n  Using Theorem 2.4 we get that v ol ( K ) ≤ v ol ( B n 2 ) 2 v ol ( K ∗ ) ≤ 2 v ol ( B n 2 ) 2 v ol ( m ∗ B n 2 ) =  1 m ∗  n v ol ( B n 2 ) = O ( m log n ) n v ol ( B n 2 ) = O (log n ) n v ol ( mB n 2 ) = O (log n ) n v ol ( mB n 2 ∩ K ) W e now see that the ellipsoid E = mB n 2 satisfies the claims of the corolla ry . T o deriv e the additional asserti ons, we simply apply Lemma 2.1 to the v olume estimate s abov e. 3 Algorithm to compute an ℓ -type Ellipsoid Our algori thm w ill find an ellips oid by (appro ximately ) solving the follo wing con vex progra m (CP). inf f ( A ) = Z R n k Ax k K γ n ( x ) dx subjec t to A  0 det( A ) ≥ 1 (3.1) The abo ve pro gram models a tractable formulatio n of the imp licit op timizatio n problem in Theo rem 2.3. Indeed it is not hard to sho w that the ℓ -elli psoid (unders tood by its associa ted linear transfo rmation) alluded to in Theore m 2.3, in fact gi ves a feasib le solution to the abov e progra m of good quality . Hence the o ptimal soluti on to the abov e pr ogram, will be at least as good as the ℓ -ellip soid for our purpos es. Hence to yield our approx imate M -ellips oid, it suf fices to solv e the abov e program. In the abo ve program, K will be a symmetric con vex bod y presented by a weak members hip oracle, satisfy ing r B n 2 ⊆ K ⊆ RB n 2 . T o solv e the program, we first round K using the ellipsoid method [GLS88] so that B n 2 ⊆ K ⊆ nB n 2 (note the impro vement from n 3 2 to n is possible since K is cen trally symmet- ric). Next we use a discrete ap proximat ion of space to approximat e the ℓ -estimate at an y giv en A , where this app roximati on remains con ve x. Next we ana lyze the properties of the abov e con vex pro gram, show- ing that (1) a well sandwic hed subset of the feasible region (ratio of in ner contai ned and ou ter contain ing ball) contain s the optimal solution, (2) the object i ve function is L ipshitz, and (3) the objecti ve val ue of the optimal solution is not too small. F rom here, we apply th e classical reduction from weak membership to weak optimiza tion [GLS88] (which simulates the ellipso id method), which allo ws us to compute a (1 + ǫ ) approx imation (multiplica ti ve ) of the optimal solution using at most a polyn omial number of queries to the object i ve functio n. Our appro ximation of the ℓ -estimat e is as follo ws: Let s = 1 √ 2 π r log(2(2 n + 1)) π , C s = 1 2 s [ − 1 , 1] n and p x = Z C s γ n ( x + y ) dy . 4 Define D ⊆ R n be se t of po ints fro m the la ttice (1 / s ) Z n that lie in the ball of radius 3 √ n arou nd the or igin, i.e., D =  1 s Z n  \  3 √ nB n 2  Then ˜ f ( A ) = X x ∈ D p x k Ax k K . W e conclude the descrip tion of th e algorithm by boundin g the size of D and observing that it can be ef fi ciently enumerate d. First we note that | D | = O ( √ log n ) n . S ince C s tiles space with respec t to 1 s Z n and C s ⊆ √ nB n 2 , we ha ve that | D | = v ol ( D + C s ) v ol ( C s ) ≤ v ol (3 √ nB n 2 + C s ) v ol ( C s ) ≤ v ol (4 √ nB n 2 ) s − n = 4 n v ol ( √ nB n 2 ) s n = O ( p log n ) n as claimed . It is straig htforw ard to comput e the set D using O ( √ log n ) n time and space. T o see this, we obser ve that the graph induced on D by connecti ng elements x, y ∈ D iff x − y ∈ ± 1 s { e 1 , . . . , e n } is connecte d: a path to the origin can be constru cted from any v ∈ D by decreasi ng each component of v by 1 s until it hits zero. Hence a breadth -first or depth-first search of this graph starting from the origin allo w s us to compute all of D in the require d time. 4 Analysis The analysis is di vided int o two parts. First, we gi ve an O ( √ log n ) n algori thm to compute an ap proxima tion of the objecti ve value in 3.1 on an y gi ven input. Second, w e show that the optimizat ion problem with the approx imated objecti ve 3.1 is well-beha ved, i.e. th at it is con ve x, that the feasibl e region can be nicely bound ed, the objecti ve functio n is Lipshitz. T his will allow us to apply the ellipsoid algorithm to solve the proble m. 4.1 Computing the ℓ -estimate In th is se ction, we a nalyze the deterministi c algorithm to appr oximatel y compute ℓ ( K ) in O ( √ log n ) n time. Recall that our approa ch is to approx imate the associ ated integral as a sum ov er a discret e set. W e first de scribe the idea. A reasona ble first app roach would be to check whether the in tegr and (i.e. k x k K ) is Lipschitz enough so that reaso nably sized discre tizatio n may be used to approxi mate the integra l ℓ ( K ) . In deed, it will be true that |k x k K − k y k K | ≤ O ( ℓ ( K )) k x − y k 2 . Giv en that the mass of the n dimensio nal standard gaussian is concentr ated inside of shell of constant width at radius √ n , this bound on the Lipshi tz constan t would sug gest that a di scretiz ation D of √ nS n − 1 , such t hat e very poin t in √ nS n − 1 is at distance O (1) from D , should su f fice to estimate ℓ ( K ) . Though thi s will indeed be true, any su ch d iscrete set D must hav e size O ( √ n ) n , i.e. far lager than O ( √ log n ) n . T aking a close r look howe ver , we observ e that one onl y needs suc h a Lipschit z bound “on a ve rage”, since all we want is to ap proximat e is the integ ral. This we are able to bound below , using some standar d tail bounds and a simple monoton icity inequal ity about expe ctatio ns. 5 T o perform the analy sis of our algori thm, w e will need certain fact s abou t the discre te Gaussian distri- b ution . Let ρ s ( x ) = e − π k x s k 2 for x ∈ R n , and we write ρ s ( A ) to mean P x ∈ A ρ s ( x ) for A ⊆ R n . For an n -dimensional lattice L ⊆ R n , and c ∈ R n we define the discr ete Gaussian measure on L + c with paramete r s as D L + c,s ( A ) = ρ s ( A ) ρ s ( L + c ) for A ⊆ L + c . In our setting, w e will only need the case L = Z n . W e let U stand for the uniform distrib ution on [ − 1 / 2 , 1 / 2] n . W e no w state some useful standard lemmas. See [Ban95, MR04]. Lemma 4.1. T ake s ≥ q log(2( t +1)) π and let X be distrib uted as D L + c,s for c ∈ R n . Then  1 − 1 t  n s n ≤ ρ s ( Z n + c ) ≤  1 + 1 t  n s n Lemma 4.2. Let X be drawn fr om a stand ar d n -dimensio nal Gaussian N (0 , 1) n , i.e., with density  1 √ 2 π  n e − 1 2 k x k 2 , then for t ≥ 1 we have that Pr( k X k ≥ t √ n ) ≤ e −  1 − 1+ln( t 2 ) t 2  1 2 nt 2 The nex t lemma is an inequali ty that we will use in the main proof. Lemma 4.3. Let f : R n → R be a con ve x funct ion. Let U denote the uniform distrib ution on [ − 1 2 , 1 2 ] n and let X de note the n -dimensiona l Gaussian N (0 , 1 / √ 2 π ) , i.e., with densit y e − π k x k 2 . Then we have that E[ f ( X )] ≥ E[ f ( U )] Pr oof. W e shall prov e the state ment by in ductio n. Let C = [ − 1 2 , 1 2 ] . W e start with the base case n = 1 . T he densit y of U here is I [ x ∈ C ] , and the density for X is e − π x 2 (this dens ity function is chosen so that the densit y is at most 1 ev erywhere). For our con ve x functi on f : R → R , let φ deno te the linear function satisfyi ng φ ( − 1 2 ) = f ( − 1 2 ) and φ ( 1 2 ) = f ( 1 2 ) . By con vexi ty of f we note that f ( x ) ≤ φ ( x ) for x ∈ C and f ( x ) ≥ φ ( x ) for x ∈ R \ C . No w we note that E[ f ( X )] − E[ f ( U )] = Z R f ( x )( e − π x 2 − I [ x ∈ C ]) dx = Z R \ C f ( x )( e − π x 2 ) dx + Z C f ( x )( e − π x 2 − 1) dx For x ∈ R \ C , we ha ve that e − π x 2 ≥ 0 and f ( x ) ≥ φ ( x ) , and hence Z R \ C f ( x )( e − π x 2 ) ≥ Z R \ C φ ( x )( e − π x 2 ) . For x ∈ C , we ha ve that e − π x 2 ≤ 1 and that f ( x ) ≤ φ ( x ) , and hence Z C f ( x )( e − π x 2 − 1) ≥ Z C φ ( x )( e − π x 2 − 1) 6 So we see that Z R \ C f ( x )( e − π x 2 ) dx + Z C f ( x )( e − π x 2 − 1) dx ≥ Z R \ C φ ( x )( e − π x 2 ) dx + Z C f ( x )( e − π x 2 − 1) dx = Z R φ ( x )( e − π x 2 − I [ x ∈ C ]) dx = E[ φ ( X − U )] = φ (E[ X − U ]) = φ (0) = 0 . Here the last equalities foll o w si nce φ is l inear and bo th X and U hav e mean 0 . The b ase c ase i s thus pro ven. W e no w assume that the claim is true for n ≥ 1 and prove it for n + 1 . Note that X = ( X 1 , . . . , X n +1 ) where the X i s are i.i.d. gau ssians with density e − π x 2 , and that U = ( U 1 , . . . , U n +1 ) where the U i s are i.i.d. unifor m random v ariables on C . W e first sho w that E[ f ( X 1 , . . . , X n +1 )] ≥ E[ f ( X 1 , . . . , X n , U n +1 )] T o see this, note that E[ f ( X 1 , . . . , X n +1 )] = Z R n e − π ( P n i =1 x 2 i ) Z R f ( x 1 , . . . , x n +1 ) e − π x 2 n +1 dx n +1 . . . dx 1 No w by con ve xity of f , we see that for any x 1 , . . . , x n ∈ R n the function g ( y ) = f ( x 1 , . . . , x n , y ) is a con ve x function from R to R . Therefore, by the analysis of the base case, w e ha ve that Z R n e − π ( P n i =1 x 2 i ) Z R f ( x 1 , . . . , x n +1 ) e − π x 2 n +1 dx n +1 . . . dx 1 ≥ Z R n e − π ( P n i =1 x 2 i ) Z R f ( x 1 , . . . , x n +1 ) I [ x n +1 ∈ C ] dx n +1 . . . dx 1 = E[ f ( X 1 , . . . , X n , U n +1 )] as need ed. Ne xt by con vexity of f , we get that the functio n g ( x 1 , . . . , x n ) = E[ f ( x 1 , . . . , x n , U n +1 )] is also con ve x. Therefore by the indu ction hypothesi s, we get that E[ f ( X 1 , . . . , X n , U n +1 )] = E[ g ( X 1 , . . . , X n )] ≥ E[ g ( U 1 , . . . , U n )] = E[ f ( U 1 , . . . , U n +1 )] as need ed. W e are no w ready for the main theore m of this sectio n. Theor em 4.4. Let s = 1 √ 2 π q log(2(2 n +1)) π and C s = 1 2 s [ − 1 , 1] n . Define D ⊆ R n as D =  1 s Z n  \  C s + 2 √ nB n 2  and p x = Z C s γ n ( x + y ) dy for x ∈ D . Then for any symmetric con ve x body K ⊆ R n , we have that  1 − 1 s  l ( K ) ≤ ˜ l ( K ) ≤  1 + 1 s  l ( K ) wher e ˜ l ( K ) = P x ∈ D p x k x k K . 7 Pr oof. T he pr oof proc eeds as follo w s. First we note in Claim 1 belo w that w e can restrict atte ntion to a ball of radius 2 √ n via a tail boun d on the standa rd Gaussian . Then, in Claim 2, we bound the error of the discre te approxima tion computed in terms of th e no rm of a rando m poin t from U (uniform in [ − 1 / 2 , 1 / 2] n ). Finally , using Lemm a 4.3, we can bou nd this norm by the ℓ -estimate itself (Claim 3 belo w). Claim 1. (1 − e − 0 . 3 n ) Z R n k x k K γ n ( x ) dx ≤ Z D + C s k x k K γ n ( x ) dx ≤ Z R n k x k K γ n ( x ) dx Claim 2.      X x ∈ D p x k x k K − Z C + D s k x k K γ n ( x ) dx      ≤ 2 s E[ k U k K ] . Claim 3. E[ k U k K ] ≤ 1 √ 2 π E[ k X k K ] where X is a standard n -dimensi onal G aussia n. W e prov e these claims prese ntly . Combining Claims (1) , (2) , and (3) , we get the upper bound X x ∈ D p x k x k K ≤ Z D + C s k x k K γ n ( x ) dx + 2 s E[ k U k K ] ≤ E[ k X k K ] + √ 2 √ π s E[ k X k K ] = 1 + √ 2 √ π s ! E[ k X k K ] , and the lo wer boun d X x ∈ D p x k x k K ≥ Z D + C s k x k K γ n ( x ) dx − 2 s E[ k U k K ] ≥  1 − e − 0 . 3 n  E[ k X k K ] − √ 2 √ π s E[ k X k K ] = 1 − e − 0 . 3 n − √ 2 √ π s ! E[ k X k K ] . Since e − 0 . 3 n + √ 2 √ π s ≤ 1 s for n lar ge enough , we get the claimed result. No w we pro ve the claims. Pro of o f Claim 1: Since th e sc aled cub e C s tiles sp ace with respect to the lattice 1 s Z n , we get by construc- tion of D that 2 √ nB n 2 ⊆ D + C s . Since k · k K is non-n eg ati ve, we clearly ha ve that Z 2 √ nB n 2 k x k K γ n ( x ) dx ≤ Z D + C s k x k K γ n ( x ) dx ≤ Z R n k x k K γ n ( x ) dx Expressi ng the inte gral in polar coordina tes, we ha ve Z 2 √ nB n 2 k x k K γ n ( x ) dx =  1 √ 2 π  n Z S n − 1 Z 2 √ n 0 k r θ k K e − 1 2 r 2 r n − 1 dr dθ =  1 √ 2 π  n Z S n − 1 Z 2 √ n 0 k θ k K e − 1 2 r 2 r n dr dθ . 8 Thus, R 2 √ nB n 2 k x k K γ n ( x ) dx R R n k x k K γ n ( x ) dx = R S n − 1 R 2 √ n 0 k θ k K e − 1 2 r 2 r n dr dθ R S n − 1 R ∞ 0 k θ k K e − 1 2 r 2 r n dr dθ ≥ R 2 √ n 0 e − 1 2 r 2 r n dr R ∞ 0 e − 1 2 r 2 r n dr = 1 − Z R n +1 \ 2 √ nB n 2 γ n +1 ( x ) dx ≥ 1 − e − (1 − 1+ln( 4 n n +1 ) 4 n n +1 )2 n ≥ 1 − e − 0 . 3 n using L emma 4.2 (i.e., the standa rd Gaussian tai lbound ) with t = 2 q n n +1 , and noting that n ≥ 1 . This pro ves the claim. Pro of of Claim 2: For y ∈ R n , let r ( y ) denote the closest vec tor to y in 1 s Z n under the l 2 norm. Giv en the structu re of Z n , a simple compu tation yields that r ( y ) =  ⌊ sy 1 ⌉ s , . . . , ⌊ sy n ⌉ s  Furthermor e, for x ∈ 1 s Z n we ha ve that r ( y ) = x iff y ∈ x + C s . Now we see tha t X x ∈ D p x k x k K = X x ∈ D Z x + C s k x k K γ n ( y ) dy = Z D + C s k r ( y ) k K γ n ( y ) dy From here, using the triang le inequa lity , we get that Z D + C s k r ( y ) k K γ n ( y ) dy ≤ Z D + C s ( k y k K + k y − r ( y ) k K ) γ n ( y ) dy = Z D + C s k y k K γ n ( y )+ Z D + C s k y − r ( y ) k K γ n ( y ) dy Similarly , we also get that Z D + C s k r ( y ) k K γ n ( y ) dy ≥ Z D + C s k y k K γ n ( y ) − Z D + C s k y − r ( y ) k K γ n ( y ) dy Hence t o get the de sired u pper and lo w er bo unds on P x ∈ D p x k x k K , we need on ly up per bou nd t he qu antity R D + C s k y − r ( y ) k K γ n ( y ) dy . No w we note that Z D + C s k y − r ( y ) k K γ n ( y ) dy = Z C s k c k K X y ∈ D + c γ n ( y ) dc =  1 s  n Z C 1    c s    K X y ∈ D + c s γ n ( y ) dc =  1 s  n Z C 1    c s    K X y ∈ s D + c γ n  y s  dc =  1 √ 2 π s  n 1 s Z C 1 k c k K X y ∈ s D + c e − π k y √ 2 π s k 2 dc 9 Next no te that sD = Z n ∩ ( C 1 + 2 √ nsB n 2 ) . Therefore by Lemma 4.1 we hav e that  1 √ 2 π s  n 1 s Z C 1 k c k K X y ∈ s D + c e − π k y √ 2 π s k 2 dc ≤  1 √ 2 π s  n 1 s Z C 1 k c k K X y ∈ Z n + c e − π k y √ 2 π s k 2 dc ≤  1 √ 2 π s  n 1 s Z C 1 k c k K ( √ 2 π s ) n (1 + 1 2 n ) n dc ≤ 2 s Z C 1 k c k K dc = 2 s E[ k U k K ] Pro of of Claim 3: W e wish to show tha t E[ k U k K ] ≤ 1 √ 2 π E[ k X k K ] = E[ k 1 √ 2 π X k K ] A simple computat ion giv es that 1 √ 2 π X has density e − π k x k 2 for x ∈ R n . Since k · k K is a con ve x functio n, the abo ve inqu ality follows dire ctly from Lemm a 4.3. The claim thus follo ws. 4.2 Efficiency of solving the con vex pr ogram In what follo ws we will assume that our symmetric c on ve x body K is well s andwiche d, i.e. that B n 2 ⊆ K ⊆ nB n 2 . As mentioned pre viously , this can be achiev ed by GLS type roundi ng using the ellipsoi d algorit hm. W e recall the functio ns f , ˜ f : R n × n → R f ( A ) = Z R n k Ax k K γ n ( x ) dx and ˜ f ( A ) = X x ∈ D p x k Ax k K W e will conside r an appro ximate version of Program 3.1: inf ˜ f ( A ) = X x ∈ D p x k Ax k K subjec t to A  0 det( A ) ≥ 1 (4.1) The main result of this section is the follo wing: Theor em 4.5. Let ˜ A denote an optimal solution to Pr ogra m 4.1. Then for 0 < ǫ ≤ 1 , a m atrix A ∈ R n × n satisfy ing ˜ f ( A ) ≤ (1 + ǫ ) ˜ f ( ˜ A ) can be computed in determinist ic p oly( n, ln 1 ǫ ) O ( √ log n ) n time. Furthermor e, let A ∈ R n × n be any 2 -appr oximate solution to 4.1, then for E = √ n ˜ f ( A ) AB n 2 we have that N ( E , K ) = 2 O ( n ) N ( K, E ) = O (log n ) n Pr oof. L et A ∗ denote an optimal solution to 3.1. Then by Theorem 4.4 we hav e that (1 − 1 s ) f ( A ∗ ) ≤ (1 − 1 s ) f ( ˜ A ) ≤ ˜ f ( ˜ A ) ≤ ˜ f ( A ∗ ) ≤ (1 + 1 s ) f ( A ∗ ) (4.2) where the first inequa lity follows by optimali ty of A ∗ , and the third inequa lity by optimalit y of ˜ A . 10 Claim 1: f ( A ∗ ) = O  log n v ol( K ) 1 n  . P ick a linea r transformat ion T ∈ S L ( n ) minimizing l ( T K ) l ( T ∗ K ) . From the proof of Lemma 2.5, for some c 1 , c 2 = Θ(1) , letting m = c 1 √ n l ( T K ) we ha ve that 1 2 v ol ( mT − 1 B n 2 ) = vo l( mT − 1 B n 2 ∩ K ) ≥  c 2 log n  n v ol ( K ) No w v ol ( mT − 1 B n 2 ) = v ol ( B n 2 ) det ( T − 1 ) m n = v ol ( B n 2 ) m n det( T ) = v ol ( B n 2 ) m n . Therefore v ol ( B n 2 ) 1 n m ≥ c 2 log n v ol ( K ) 1 n ⇒ c 1 c 2 v ol ( B n 2 ) 1 n √ n log n v ol ( K ) 1 n ≥ l ( T K ) ⇒ l ( T K ) = O log n v ol ( K ) 1 n ! Using the identit y k x k T K = k T − 1 x k K we see that l ( T K ) = Z x ∈ R n k x k T K γ n ( x ) dx = Z x ∈ R n k T − 1 x k K γ n ( x ) = f ( T − 1 ) Let A = T − 1 . For a standard ga ussian vect or X is R n , w e note that A s = ( A t A ) 1 2 X , wher e A s is the unique positi ve definite square root of A t A , is iden tically distri b uted to AX . Therefo re f ( A s ) = E [ k A s X k K ] = E [ k AX k K ] = f ( A ) = f ( T − 1 ) . Since A s = ( A t A ) 1 2  0 and d et( A s ) = | det( A ) | = d et( T − 1 ) = 1 , we ha ve that A s is feasib le for Progra m 3.1. Since A ∗ is the optimal solutio n to 3.1 we ha ve that f ( A ∗ ) ≤ f ( A s ) = f ( T − 1 ) = O log n v ol ( K ) 1 n ! as need ed. Claim 2: The Programs 3.1 and 4.1 are con ve x. By Lemma 4.6 , we kno w that both f and ˜ f are con vex ov er the feasib le regi on. In both programs, the feasib le re gion is the set of positi ve semi-de finite m atrices of determina nt great er tha n 1 , which is clearly con ve x. Claim 3: Program 4.1 can be solved to within (1 + ǫ ) multiplicati ve error in determin istic p oly( n, ln 1 ǫ ) O ( √ log n ) n time. Giv en that B n 2 ⊆ K ⊆ nB n 2 , by Lemma 4.7 we may con strain con ve x P rogram 4.1 to the well-bo unded reg ion R withou t removing any optimal solutio ns. Now by Lemma 4.6 (3) the objecti ve functio n is 2 √ n Lipshitz over operator norm (and hence ov er the Frobeniu s norm), and by Lemma 4.7 (3) that the ratio of min and max value of the objecti ve fun ction ov er R is O ( n 5 2 ) . Give n all this, we may apply the ellipsoid algori thm (see [GLS88] Theorem 4.3.1 3 for e xample) to solve the con vex program 4.1 to within (1 + ǫ ) multiplic ati ve error using at most p oly ( n , ln 1 ǫ ) ev aluations of ˜ f and arithmet ic operation s. S ince each e v aluation of ˜ f can be computed in deterministic O ( √ log n ) n time, this pro ves the claim. 11 Claim 4: Let A be a 2 -approx imation for the program 4.1. T hen the elli psoid E = √ n ˜ f ( A ) AB n 2 satisfies N ( K, E ) = O (log n ) n and N ( E , K ) = 2 O ( n ) . Let ˜ A be as abov e. By Equati on (4.2), L emma 4.4 and Claim 1, we ha ve that f ( A ) ≤ s s − 1 ˜ f ( A ) ≤ 2 s s − 1 ˜ f ( ˜ A ) ≤ s + 1 s − 1 f ( A ∗ ) = O log n v ol ( K ) 1 n ! . By Theore m 4.4, we no te that √ n ˜ f ( A ) = Θ(1) √ n f ( A ) . Hence by L emma 2.2, th ere e xists c ≤ 1 , wher e c = Ω(1) , such that v ol ( cE ∩ K ) = 1 2 v ol ( cE ) . No w note tha t v ol ( cE ) =  c √ n ˜ f ( A )  n det( A )v ol ( B n 2 ) ≥ c √ n v ol( B n 2 ) 1 n ˜ f ( A ) ! n = Ω  1 log n  n v ol ( K ) No w since vol( E ∩ K ) ≥ v ol( cE ∩ K ) = 1 2 v ol ( cE ) = 1 2 c n v ol ( E ) and vo l( E ∩ K ) ≥ vol( cE ∩ K ) = Ω  1 log n  n v ol ( K ) , applying the cover ing estimates of Lemm a 2.1 yi elds the claim. Lemma 4.6. 1. f , ˜ f define norms on R n × n . 2. A t A  B t B ⇒ f ( A ) ≥ f ( B ) . 3. | f ( A ) − f ( B ) | , | ˜ f ( A ) − ˜ f ( B ) | ≤ 2 √ n k A − B k , wher e k A − B k denote the ope rat or norm of A − B . Pr oof. L et X ∈ R n denote a stan dard Gaussian random vecto r . T ake A, B ∈ R n × n and scalars s, t ∈ R . Then note that f ( sA + tB ) = E[ k ( sA + tB ) X k K ] = E[ k sAX + tB X k K ] ≤ E[ | s |k AX k K + | t |k B X k K ] = | s | f ( A )+ | t | f ( B ) where the ineq uality abo ve foll o ws since k · k K defines a norm. Lastly , using the fac t that 1 n k x k 2 ≤ k x k K ≤ k x k 2 for x ∈ R n (since B n 2 ⊆ K ⊆ n B n 2 ) it is easy to veri fy that f ( A ) = 0 ⇔ A = 0 n × n and f ( A ) < ∞ for all A ∈ R n × n . Hence f defines a norm on R n × n as claimed. The ar gument for ˜ f is symmetric. No w tak e A, B sa tisfyin g the conditi on of (2). Note that AX is an origi n centered gauss ian with cov ari- ance matrix E[ AX ( AX ) t ] = E[ AX X t A t ] = A t A . Similarly B X is origin centere d with cov ariance B t B . From our assumptions , the matrix C = A t A − B t B  0 , hence C has a PS D squar e root which we denote C 1 2 . No w let Y denote standa rd n -dimension al Gaussian independ ent from X . No w note that B X + C 1 2 Y is again a G aussian vec tor w ith cov ariance B t B + C = A t A . Henc e B X + C 1 2 Y is identical ly distrib uted to AX . T herefor e w e see that f ( A ) = E[ k AX k K ] = E[ k B X + C 1 2 Y k K ] = E X [E Y [ k B X + C 1 2 Y k K ]] ≥ E X [ k B X + C 1 2 E Y [ Y ] k K ] = E[ k B X k K ] = f ( B ) 12 where the ineq uality follo ws by Jensen ’ s inequality and the con vex ity of k · k K . W e no w prov e (3). T ake A, B ∈ R n × n . By the triangle inequa lity , we ha ve that f ( B ) − f ( A − B ) ≤ f ( A ) ≤ f ( B ) + f ( A − B ) . Therefore | f ( B ) − f ( A ) | ≤ f ( A − B ) . Since ˜ f is also a norm, we similarly ge t that | ˜ f ( B ) − ˜ f ( A ) | ≤ ˜ f ( A − B ) . L et λ = k A − B k . B y defini tion of the operator norm, we hav e that ( A − B ) t ( A − B )  λ 2 I n , where I n denote the n × n identity matrix. Therefore by (2) , we hav e that f ( A − B ) = E[ k ( A − B ) X k K ] ≤ E[ k λX k K ] = λ E[ k X k K ] ≤ λ E [ k X k 2 ] ≤ λ q E[ k X k 2 2 ] = λ √ n as need ed. Ne xt by Theorem 4.4, we ha ve that ˜ f ( A − B ) ≤ 2 f ( A − B ) ≤ 2 k A − B k √ n as requi red. Lemma 4.7. Define the set R = { A ∈ R n × n : A  0 , d et( A ) ≥ 1 , k A k ≤ 2 n 3 / 2 } wher e k A k denote the operato r norm of A . Then R satisfies the foll owing: 1. R conta ins an optimal solution to the pr ogra ms 3.1 and 4.1. 2. R satis fies the following sandwich ing pr operties: n 3 2 I n + ( n 3 2 − 1) B n × n 2 ⊆ R ⊆ n 3 2 I n + 3 n 2 B n × n 2 wher e I n is the n × n iden tity matrix and B n × n 2 = { A ∈ R n × n : A = A t , k A k F ≤ 1 } , th e se t o f n × n symmetric matrices of F r obenius norm at most 1 . 3. Ther e is an absolu te consta nt c suc h that for any A ∈ R , we have that c √ n ≤ f ( A ) , ˜ f ( A ) ≤ 3 n 2 Pr oof. L et X ∈ R n denote a stand ard n dimensio nal gauss ian vec tor , and let s = 1 √ 2 π q log(2(2 n +1)) π . W e start by sho wing property (1). Let A be an optimal solution for Program 3.1. W e wish to show that k A k ≤ n 3 2 . Since k x k 2 ≥ k x k K for all x ∈ R n , we ha ve that f ( I n ) = E[ k X k K ] ≤ E[ k X k 2 ] ≤ q E [ k X k 2 2 = √ n Since I n is feasibl e for 3.1, it suf fices to sho w that if k A k ≥ 2 n 3 2 , we get that f ( A ) ≥ √ n . Let λ = k A k , and let v denote an eigen vector of A sa tisfyin g Av = λv and k v k = 1 n . Since K ⊆ nB n 2 , we ha ve that K ⊆ W = { x : |h v , x i| ≤ 1 } (sinc e k v k = 1 n ). Therefore f ( A ) = E[ k X k K ] ≥ E[ k AX k W ] = E[ |h v , AX i| ] = λ E [ |h v , X i| ] = λ ( r 2 π k v k ) = λ n r 2 π 13 Since A is optimal, we get that λ n q 2 π ≤ √ n ⇒ λ ≤ 2 n 3 2 as claimed. W e now show the same for Program 4.1. By 4.4, ˜ f ( I n ) ≤ (1 + 1 s ) f ( I n ) ≤ (1 + 1 s ) √ n . Now if A is an optimal solution to 4.1, letting λ = k A k , we ha ve that ˜ f ( A ) ≥ (1 − 1 s ) f ( A ) ≥ (1 − 1 s ) λ n r 2 π But then as abo ve we ha ve that λ ≤ 1 + 1 s 1 − 1 s r π 2 n 3 2 ≤ 2 n 3 2 for n lar ge enough as needed. Therefore R satisfies prope rty (1) as need ed. W e no w sho w the co ntainmen t relation ship in (2). T ake A = n 3 2 I n + B where B ∈ ( n 3 2 − 1) B n × n 2 . W e must sho w that A ∈ R . W e recall that k B k ≤ k B k F ≤ √ n k B k . First, not e that k A k ≤ n 3 2 + k B k ≤ n 3 2 + n 3 2 − 1 < 2 n 3 2 as need ed. Ne xt note that inf v ∈ S n − 1 v t Av = inf v ∈ S n − 1 v t ( n 3 2 I n + B ) v ≥ inf v ∈ S n − 1 n 3 2 v t v − v t B v = n 3 2 − sup v ∈ S n − 1 v t B v ≥ n 3 2 − k B k ≥ 1 Since A is symmetric, the abov e sho ws the A ’ s smallest eigen value is at least 1 , and hence A  0 and det( A ) ≥ 1 as needed. T o show the oppo site containment, note that for A ∈ R , we ha ve that k A − n 3 2 I n k F ≤ k A k F + k n 3 2 I n k F ≤ √ n k A k + n 2 ≤ 3 n 2 as need ed. No w we need to sho w the bound s on f ( A ) for A ∈ R to pro ve prop erty (3). First we re member that E[ k AX k 2 ] ≥ f ( A ) ≥ 1 n E[ k AX k 2 ] Hence it suf fices to upper and lo wer bound E[ k AX k 2 ] . W e see that c q E[ k AX k 2 2 ] ≤ E[ k AX k 2 ] ≤ q E[ k AX k 2 2 ] for an absolut e constant 0 ≤ c < 1 . Here the first inequali ty follows by B orell’ s Lemma and the second by Jensen ’ s inequ ality . Next we h a ve that q E[ k AX k 2 2 ] = p E[ X t A t AX ] = p E[trace( A t AX X t )] = p trace( A t A ) = k A k F Since A ∈ R , we know that k A k ≤ 2 n 3 2 , and hence k A k F ≤ 2 n 2 . Combining the abov e inequalitie s, this yields that f ( A ) ≤ 2 n 2 as need ed. W e n o w prov e the lo wer bound . S ince A ∈ R , we ha ve that det ( A ) ≥ 1 . Let A i denote the i th column of A . Now w e ha ve that k A k F ≥ √ n n Y i =1 k A i k 1 n 2 ≥ √ n det( A ) 1 n ≥ √ n 14 where the fi rst inequali ty follo ws by the arithmet ic - geometri c mean ineq uality , and the s econd follo ws from Hadamard’ s inequa lity . Combining the abo ve ineq ualiti es, we get that f ( A ) ≥ 1 n E[ k AX k 2 ] ≥ c n k A k F ≥ c √ n as neede d. The bounds for ˜ f ( A ) follo w from the relationsh ip (1 − 1 s ) f ( A ) ≤ f ( A ) ≤ (1 + 1 s ) f ( A ) (Theorem 4.4). 5 A pplication t o lattice algorithms W e no w apply our construction of ℓ -type ellipsoid s to lattice algor ithms. D adush et al [DPV11] ga ve algo- rithms for SVP in an y no rm, CVP in any norm and Inte ger Programming (IP). These alg orithms were all based on the construct ion of an M -ellipsoid . Their core result can be stated as follo ws. For a lattice L and con ve x body K in R n , let G ( K, L ) be the larges t number of lattice points conta ined in any transla te of K , i.e., G ( K, L ) = max x ∈ R n | ( K + x ) ∩ L | . (5.1) Theor em 5.1. [DP V11] Given any con vex body K ⊆ R n along with an M -ellip soid E of K and any n -dimensio nal lattic e L ⊆ R n , the set K ∩ L can be computed in determin istic time G ( K, L ) · 2 O ( n ) . They then proceeded to giv e a randomized const ruction of an M -ellipsoi d. The necessary properti es of the M -ellipsoi d E are that the cov ering numbers N ( K , E ) and N ( E , K ) are both bounded by 2 O ( n ) . In fact , the result of [DPV 11] can be sta ted more generally as follo ws. Theor em 5.2. Given any con vex body K ⊆ R n along with an ellipsoid E of K and any n -dimensio nal lattice L ⊆ R n , the set K ∩ L can be computed in determin istic time G ( K, L ) · N ( K, E ) N ( E , K ) · 2 O ( n ) . Furthemore , in [DP V11], they only require an algo rithm which build s an M-ellips oid when K is centrall y symmetric. This follo ws since one can sho w th at an M-ellip soid E for K − K (which is symmetric) is also an M-ellips oid for K (of sli ghtly w orse quality). Hence from Theorem 1.1 and the bounds deri ved on N ( K, E ) and N ( E , K ) , we obtain a simple corollary . Cor ollar y 5.3. Given any con ve x body K ⊆ R n and any n -dimensio nal lattice L ⊆ R n , the set K ∩ L can be computed in determin istic time G ( K, L ) · O (log n ) n . This lattice point en umerato r is th e co re of subsequen t algorithms for SV P , CVP and IP in [DP V11]. W e obtain similar co nclusi ons with det erminist ic algorithms but w ith an o verhead of O (log n ) n . The prec ise statemen t for SVP is Theorem 1.2. For CVP th e statement is as follo ws. Theor em 5.4. T her e is a determinis tic algorithm that, given any well-cen ter ed n -dimensio nal con ve x body K , solves CVP exa ctly on a ny n -di mensiona l lattice L in the semi-nor m k·k K define d by K , in (2 + γ ) O ( n ) · O (log n ) n time and space, pr ovided that the distance fr om the que ry point x to L is at most γ times the length of the short est nonze r o vector of L (under k·k K ). A central motiv ation for solving SV P in general norms is to improv e the complexi ty of integer pro- gramming. The IP algorithm directly uses the SVP algori thm. Moreo ver , in this case, the final comple xity bound is already hi gher than O (log n ) n , so we simply ge t the IP co mplex ity o f [DPV11] with a d etermini stic algori thm. 15 Theor em 5.5. Ther e exists a determini stic algorithm that, given a con ve x b ody K ⊆ R n and an n -dimensiona l lattice L ⊂ R n , either decide s that K ∩ L = ∅ or re turns a point y ∈ K ∩ L in expe cted O ( f ∗ ( n )) n time, wher e f ∗ ( n ) is the optimal bound for the “flatness theor em. ” The flatness theorem, which we do not describe here, giv es a bound on the lattice width of lattice-poi nt- free con ve x bodies. 6 Conclusion The ℓ -ellipsoi d with its cov ering guarantees is in fact the starting point of Milman and Bour gain’ s proof of the ex istenc e of M -ellipsoid s. H o we ver , unlike the ℓ -ellipsoid , we are not aw are of any con ve x p rogramming formulat ion of M -ellipsoids . It remains open to giv e a determini stic 2 O ( n ) algori thm for M -ellips oids and cov ering s. This would resolv e the open problem of a determinis tic 2 O ( n ) SVP algorith m in any no rm. Another o pen pro blem is t o ful ly ex tend the approach sugges ted in [DPV11] to exac t or (1 + ǫ ) CVP . At the moment, their result only holds for exac t CVP when the target point’ s distance to the lattice is at most a consta nt times the minimum distanc e of the latt ice. In p articul ar , it is open to giv e a 2 O ( n ) algori thm for the CVP under the L ∞ norm. Acknowledgments. W e are deeply grateful to G rigoris Paouris and C hris P eike rt for illuminat ing discus sions, and to Gilles Pisier for his book on con ve x bodies . Refer ences [AJ08] V . Arvind and P . S. Joglekar . Some sie ving algorithms for lattice problems. In FSTTCS , pages 25–36 . 2008. [AKS01] M. Ajtai, R. Kumar , and D. Siv akumar . A siev e algorithm for the shortest lattice vec tor problem. In ST OC , pages 601–61 0. 2001. [Ban95] W . Banaszczyk . Inequalites for con vex bod ies and polar reciproc al lattices in R n . Discr ete & Computatio nal G eometry , 13:21 7–231 , 1995. [Bla18] W . Blaschk e. ¨ Uber affine geometry xiv: eine minimum aufgabe f ¨ ur legen dres tr ¨ agheits ellipsoid. Ber . verh. s ¨ ach s. Akad. d. W iss. , 70:72–7 5, 1918. [DPV11] D. D adush, C. Peikert, and S. V empala. Enumerat i ve lattice algorithms in an y norm via m- ellipso id cov erings. In FOCS . 2011. [GLS88] M . Gr ¨ ots chel, L. Lov ´ asz, and A . Schrijver . Geometric Algorithms and C ombinato rial Optimiza- tion . Springer , 1988. [JS98] A. Jou x and J. S tern. Latti ce reduc tion: A toolb ox for the cry ptanal yst. J. Cryp tolo gy , 11(3):161– 185, 1998. [Kla06] B. K lartag. On con ve x pertur bation s w ith a bou nded isotro pic consta nt. Geometri c And Func- tional Analysis , 16:1 274–1 290, 2006. ISSN 1016-44 3X. 16 [Len83] H. W . Lenstra . Inte ger programming with a fi xed number of v ariables. Mathematics of Opera tions Resear ch , 8(4):5 38–54 8, November 198 3. [LLL82] A. K. Lens tra, H. W . Lenstra, Jr ., and L. Lov ´ asz. Fa ctorin g polyn omials with ra tional coe f ficients. Mathematis che Annalen , 261(4): 515–5 34, December 1982. [Mil86] V . Milman. Inegali tes d e brunn-mink owski in ve rse et a pplica tions at la theorie locales des e spaces normes. C. R. Acad. Sci. P aris , 302(1):25 –28, 1986. [MP00] V . Milman and A . Pajor . Entropy and asymptotic geometry of non-symmetric con ve x bodies. Advances in Mathematics , 152(2) :314 – 335, 2000. [MR04] D. M iccianc io and O. Re gev . W orst-cas e to a verage-c ase reduction s based on Gaussian measures . SIAM J . Comput. , 37(1):2 67–30 2, 2007. Preliminary versi on in FOC S 20 04. [MV10] D. Micciancio and P . V oul garis. A d etermini stic sin gle expone ntial time algorith m for most lattice proble ms based on V o ronoi cell computat ions. In STOC , pages 351–3 58. 2010. [NS01] P . Q. Nguy en and J. Stern. The two f aces of latti ces in crypto logy . In C aLC , page s 146–180 . 2001. [Odl90] A. M. Odlyzk o. The rise and f all of kna psack cryptosys tems. In C. P omerance , editor , Cryp- tolo gy and Computatio nal Number Theory , volume 42 of Pr oceedin gs of Symposi a in Applied Mathematic s , pages 75–88 . 1990. [Pis89] G. Pisier . T he V olume of Con vex Bodies and Bana ch Space Geometry . Cambridge Uni versity Press, 1989 . [San49] L. A. Santal ´ o . Un in varian te afin para los cuerpos con vex os del espaci o de n dimensi ones. P ortu- galie Math. , 8:15 5–161 , 1949. 17