Deterministic Construction of an Approximate M-Ellipsoid and its

Applications to Derandomizing Lattice Algorithms

Daniel Dadush∗ Santosh Vempala†

Abstract

We give a deterministic O(log n)n-time and space algo-rithm for the Shortest Vector Problem (SVP) of a latticeunder any norm, improving on the previous best deter-ministic nO(n)-time algorithms for general norms. Thisapproaches the 2O(n)-time and space complexity of therandomized sieve based SVP algorithms (Arvind andJoglekar, FSTTCS 2008), first introduced by Ajtai, Ku-mar and Sivakumar (STOC 2001) for `2-SVP, and theM-ellipsoid covering based SVP algorithm of Dadush etal. (FOCS 2011).

Here we continue with the covering approach ofDadush et al., and our main technical contributionis a deterministic approximation of an M-ellipsoid forany convex body. To achieve this we exchange theM-position of a convex body by a related position,known as the minimal mean width position of the polarbody. We reduce the task of computing this positionto solving a semi-definite program whose objective isa certain Gaussian expectation, which we show can beapproximated deterministically.

1 Introduction

The Shortest Vector Problem (SVP) on lattices is a cen-tral algorithmic problem in the geometry of numbers,with applications to Integer Programming [13], factor-ing polynomials over the rationals [12], cryptanalysis(e.g., [21, 9, 20]), and much more. (An n-dimensionallattice L is a discrete additive subgroup of Rn, and isgenerated as the set of integer linear combinations ofsome basis vectors b1, . . . , bk ∈ Rn, for some k ≤ n.)The SVP is simply: given a lattice L represented by abasis, find a nonzero v ∈ L such that ‖v‖ is minimized,where ‖·‖ denotes a particular norm on Rn.

The fastest known algorithms for solving SVP ingeneral norms, are 2O(n) time algorithms based on the

∗School of Industrial and Systems Engineering, Georgia Tech.

dndadush@gatech.edu†School of Computer Science, Georgia Tech.

vempala@gatech.edu

Both authors were supported in part by NSF awards AF-0915903and AF-0910584.

AKS sieve [1, 2]. These algorithms use an exponentialamount of randomness and guarantee the correctnessof their outputs with high probability. Improving onthis, [6] gave a 2O(n) Las Vegas algorithm (i.e. onlythe runtime is random, not the correctness) for generalnorm SVP which uses only a polynomial amount ofrandomness. In this paper, building on the ideas of[6], we give a deterministic O(log n)n algorithm forgeneral norm SVP, hence completely eliminating therandomness while sustaining a moderate increase inthe running time. The previous best deterministiccomplexity for general norm SVP is nΩ(n).

To place our contribution in context, we review theideas behind [6]. For the Euclidean norm, Micciancioand Voulgaris [16] showed how to solve the SVP andCVP in time 2O(n), using a new enumeration techniquebased on the Voronoi cell of a lattice (the set ofpoints in Rn closer to the origin than any other latticepoint). Unfortunately, the direct generalization of theirtechnique to other norms, i.e., using the associatedVoronoi cell of the norm seems very difficult, even forother `p norms. In particular, many of the crucialproperties of the `2-Voronoi cell either do not carryover or are not known to carry over for Voronoi cells ofother norms, for example Voronoi cells of other normsare generally non-convex, and it is unknown whether aconstant factor scaling of a general Voronoi cell containsat most 2O(n) lattice points. In [6], Dadush et al.proposed a different approach that reduces SVP ingeneral norms to enumeration in the `2 norm. Theirkey idea was to use the classical M -ellipsoid coveringfrom convex geometry to cover a given convex bodyK by 2O(n) translations of an ellipsoid. To solve SVPunder ‖ · ‖K and a lattice L they enumerate latticepoint inside a suitable scaling of K, namely any scalings > 0 such that sK ∩ L 6= ∅ and s

2K ∩ L = ∅. Atthis scaling, it is not hard to argue via a simple volumebound that any translation of sK contains no more than2O(n) lattice points. To enumerate lattice points in sK,the idea is to cover sK using translations of an ellipsoidE, and then to enumerate lattice points in each of theseellipsoids, thereby reducing the problem to enumerationin `2 (which can be solved using the algorithm of [16]).

The number of points in any of the ellipsoids is easilybounded as the number of translations of sK requiredto cover E times the number of points in any translationof sK. Let

N(A,B) = inf|Λ| : Λ ⊆ Rn, A ⊆ B + Λ

denote the number of translations of B required tocover A. Then it follows that complexity of the abovereduction is bounded by N(sK,E)N(E, sK)2O(n). Westate this formally in Section 5.

Thus, the question arises: given a convex body K,what is the minimum possible value ofN(K,E)N(E,K)for any ellipsoid E. An M -ellipsoid of a convex body Kis an ellipsoid E with the following property:

(1.1) N(K,E)N(E,K) ≤ 2O(n)

In words, the number of copies of E required to cover Ktimes the number of copies of K to cover E is boundedby a single exponential in n. The existence of such anellipsoid for any convex body was established by Milman[17]. We note that an M-ellipsoid can be quite differentfrom the more classical John ellipsoid, e.g. the largestellipsoid contained in K, since its volume can be annO(n) factor off from K (e.g., the cube vs the unit ball)implying than N(K,E) = nΩ(n).

A key ingredient in the approach of [6] is findingan M-ellipsoid of K. Indeed, the paper shows thatthe method of Klartag [11] gives a polynomial-timerandomized algorithm to construct an M-ellipsoid withhigh probability (such an algorithm was implicit in hispaper). Unfortunately, the algorithm makes essentialuse of random sampling over convex bodies (to estimatea covariance matrix) and seems inherently difficult toderandomize.

In this paper, we give a deterministic algorithm tobuild an “approximate” M-ellipsoid E for any convexbody K. While we do not obtain the optimal coveringbounds, we will guarantee that N(K,E) = 2O(n) andN(E,K) = O(log n)n = 2O(n log logn). Moreover,we show that this ellipsoid E can be computed inO(√

log n)n time. This result and its consequence forthe SVP are stated more precisely in the followingtheorems.

Theorem 1.1. There is deterministic algorithm thatgiven any convex body K ⊂ Rn, specified by a member-ship oracle, finds an ellipsoid E such that N(K,E) ≤2O(n) and N(E,K) ≤ O(log n)n. The time complexityof the algorithm (oracle calls and arithmetic operations)is O(

√log n)n and its space complexity is polynomial in

n.

Using this theorem, and the techniques from [6], weobtain the following result:

Theorem 1.2. Given a lattice L by a basis and a norm‖.‖K specified by a convex body K, the shortest vector inL under the norm ‖.‖K can be found in O(log n)n timeand space.

We note that the current space complexity of theSVP algorithm also grows as O(log n)n although we ex-pect this can be improved to 2O(n). Applications toother lattice problems (closest vector, integer program-ming) are described in Section 5. These results arebased on two main ideas. The first is a convex pro-gram inspired by an existential approximation to theM -ellipsoid based on a position called the `-position,given by Pisier [22]. The second is an algorithm forsolving the convex program, where the key hurdle isan efficient deterministic approximation of the objectivevalue at any given feasible point.

In the next section, we describe the `-position whichleads to the approximate M -ellipsoid. Then we giveour convex programming based algorithm for computingthe approximate M -ellipsoid, followed by its analysis.Section 5 applies this to the SVP and other problems.

We conclude this section with a remark on the com-plexity of computing (approximate) M -ellipsoids (andtherefore the `-position). An M -ellipsoid E for a convexbody K achieving covering numbers N(K,E), N(E,K)gives anN(K,E)N(E,K) to the volume ofK. It is well-known that in the oracle model for convex bodies, anydeterministic algorithm that has complexity at most na

incurs an approximation factor of (cn/a log n)n/2, im-plying in particular that an algorithm that achieves a2O(n) approximation must have complexity 2Ω(n). The-orem 1.1 readily implies an O(log n)n approximationwith O(

√log n)n complexity, getting close to the lower

bound. Fully closing this gap is an interesting openproblem.

2 M-ellipsoids and the `-position

As explained above, one useful view of whether anellipsoid E “approximates” a convex body K well is ifN(K,E), N(E,K) = 2O(n). A similar view, taken byPisier, is to find an ellipsoid E with the property thatvol(K∩E) ≥ vol(E)/2 and vol(K) not much larger thanvol(E).

This is useful in light of the following elementarybound on covering numbers for centrally symmetricbodies (see [18]).

Lemma 2.1. Let A,B ⊆ Rn be symmetric convex bod-ies. Then

N(A,B) ≤ 3nvol(A)

vol(A ∩B)

We are now ready for the `-position which lets us

find an ellipsoid with small covering numbers using thisperspective.

Let K ⊆ Rn be a symmetric convex body, andlet K∗ = x : supy∈K〈x, y〉 ≤ 1 denote the polar ofK. Let Bn2 ⊆ Rn denote the unit euclidean ball, andSn−1 = ∂Bn2 denote the unit sphere. Let γn(x) =(

1√2π

)ne−

12‖x‖

2

be the density of the canonical gaussian

measure on Rn. We define the expected norm of arandom Gaussian point as

`(K) =

∫‖x‖Kγn(x)dx.

The following lemma, see [22], provides an asymp-totic estimate of this quantity.

Lemma 2.2. Let K ⊆ Rn be a symmetric convex body.Then for

m = supr ≥ 0 : voln−1(rSn−1 ∩K) ≥ 1

2voln−1(rSn−1)

we have that `(K) = Θ(√

nm

). Furthermore, we have

that vol(mBn2 ∩K) ≥ 12vol(mBn2 ).

A theorem of Pisier [22] relates the `-estimate of abody with that of its dual.

Theorem 2.1. Let K ⊆ Rn be a symmetric convexbody. Then

infT∈SL(n)

l(TK)l(T ∗K∗) ≤ cn log n

where SL(n) is the set of n×n matrices of determinant1 and c > 0 is an absolute constant.

The next theorem, known as the Blashke-Santaloinequality [5, 25], gives an upper bound on the volumeproduct, a fundamental quantity in convex geometry.

Theorem 2.2. (Blashke-Santalo) Let K ⊆ Rn bea symmetric convex body. Then

vol(K)vol(K∗) ≤ vol(Bn2 )2

with equality iff K is an ellipsoid.

Using the above estimates, we get the following well-known result, whose proof we include for completeness.

Theorem 2.3. (Pisier) Let K ⊆ Rn be a symmetricconvex body. Then there exists an ellipsoid E ⊆ Rn suchthat

• vol(E ∩K) ≥ 12vol(E)

• vol(K) ≤ O(log n)nvol(E ∩K)

In addition, we get that

N(K,E) = O(log n)n and N(E,K) =1

23n

Proof. Let us first apply a measure preserving lineartransformation T to K such that l(TK)l(T ∗K∗) isminimized, and hence by 2.1 we may assume that`(K)`(K∗) = O(n log n). Now using Lemma 2.2 we seethat

m = supr ≥ 0 : vol(rBn2 ∩K) ≥ 1

2vol(rBn2 )

= Ω

( √n

`(K)

)and that

m∗ = supr ≥ 0 : vol(rBn2 ∩K∗) ≥1

2vol(rBn2 ) = Ω

( √n

l(K∗)

)Hence we get that mm∗ = Ω

(1

logn

).

Using Theorem 2.2 we get that

vol(K) ≤ vol(Bn2 )2

vol(K∗)≤ 2

vol(Bn2 )2

vol(m∗Bn2 )= 2

(1

m∗

)nvol(Bn2 )

= O(m log n)nvol(Bn2 ) = O(log n)nvol(mBn2 )

= O(log n)nvol(mBn2 ∩K)

We now see that the ellipsoid E = mBn2 satisfiesthe claims of the corollary. To derive the additionalassertions, we simply apply Lemma 2.1 to the volumeestimates above.

3 Algorithm to compute an `-type Ellipsoid

Our algorithm will find an ellipsoid by (approximately)solving the following convex program (CP).

inf f(A) =

∫Rn‖Ax‖Kγn(x)dx

subject to

A 0

det(A) ≥ 1

(3.2)

The above program models a tractable variant of theimplicit optimization problem in Theorem 2.1. Itencodes what is known in the convex geometry literatureas the minimal mean width position of K∗ (see forexample [7]). To interpret the above program, examinethe ellipsoid

E = c

√n

f(A)ABn2 , 0 < c < 1 an absolute constant

where we have that vol(E)1n ≈ det(A)

1n

f(A) . By Lemma

2.2, we have that vol(E ∩ K) ≥ 12vol(E), i.e. E is

“half-contained” inside K. Hence the above programin essence finds the largest volume ellipsoid that is half-contained inside K. From the existence proof of Pisier2.3, we get that the largest such ellipsoid (correspondingto the optimal solution of the above program) indeedcontains a Ω( 1

logn )n volume fraction of K, and henceachieves the desired covering bounds with respect to K.Hence to obtain an approximate M-ellipsoid, it sufficesto solve the above program 1. Moreover, by the sameargument, any solution that achieves a constant factorapproximation of the optimal for the above program,also yields an ellipsoid with the desired covering bounds.

The focus of the following sections will be to givea deterministic O(

√log n)n-time algorithm to solve the

above convex program to within a (1 +o(1))-factor. Wenote that the above program fits directly into the frame-work of stochastic convex optimization (e.g. minimizingthe expectation of a convex function), and hence thereare many available methods (stochastic gradient descent[23, 19], random walk based optimization [10, 14], · · · )to solve it within the desired accuracy (constant factorsuffices) in randomized polynomial time. Our contribu-tion here is therefore in solving the program determin-istically.

In the above program, K will be a symmetric convexbody presented by a weak membership oracle, satisfyingrBn2 ⊆ K ⊆ RBn2 . To solve the program, we first roundK using the ellipsoid method [8] so that Bn2 ⊆ K ⊆ nBn2(note the improvement from n

32 to n is possible since

K is centrally symmetric). Next we use a discreteapproximation of space to approximate the `-estimate atany given A, where this approximation remains convex.Next we analyze the properties of the above convexprogram, showing that (1) a well sandwiched subsetof the feasible region (ratio of inner contained andouter containing ball) contains the optimal solution,(2) the objective function is Lipshitz, and (3) theobjective value of the optimal solution is not too small.From here, we apply the classical reduction from weakmembership to weak optimization [8] (which simulatesthe ellipsoid method), which allows us to compute a(1 + ε) approximation (multiplicative) of the optimalsolution using at most a polynomial number of queriesto the objective function.

1Since the f(AO) = f(A), for any orthogonal transformation

O, we may assume that the optimal transformation A is positivedefinite.

Our approximation of the `-estimate is as follows:

Let s =1√2π

√log(2(2n+ 1))

π, Cs =

1

2s[−1, 1]n

and px =

∫Cs

γn(x+ y)dy.

Define D ⊆ Rn be set of points from the lattice (1/s)Znthat lie in the ball of radius 3

√n around the origin, i.e.,

D =

(1

sZn)⋂(

3√nBn2

)Then

f(A) =∑x∈D

px‖Ax‖K .

Complexity of Computing f(A): A first step inanalyzing this discretization is to bound the size of D.

We claim that |D| = O(√

log n)n. Since Cs tilesspace with respect to 1

sZn and Cs ⊆

√nBn2 , we have

that

|D| = vol(D + Cs)

vol(Cs)≤ vol(3

√nBn2 + Cs)

vol(Cs)

≤ vol(4√nBn2 )

s−n= 4nvol(

√nBn2 )sn = O(

√log n)n

as claimed.From here it is straightforward to see that for

any A ∈ Rn×n, one can compute f(A) (to withinany reasonable accuracy) using at most O(

√log n)n

norms evaluations and poly(n)-space. To see this,we note that the points in D can be enumeratedin O(D) = O(

√log n)n time using poly(n)-space, by

recursively enumerating all the integer points (scaleddown) in 3

√nBn2 by induction on coordinate values.

From here, we simply need to update the sum above,one summand at a time, where for x ∈ D computing‖Ax‖K correponds to a norm evaluation, and computingpx =

∏ni=1 γ1([− 1

2s ,12s ] + xi), which is the product of

elementary gaussian integrals, can be estimated withinthe necessary accuracy in poly(n) time using standardmethods (e.g. the trapezoid method).

4 Analysis

The analysis is divided into two parts. First, we give anO(√

log n)n algorithm to compute an approximation ofthe objective value in 3.2 on any given input. Second,we show that the optimization problem with the ap-proximated objective 3.2 is well-behaved, i.e. that it isconvex, that the feasible region can be nicely bounded,the objective function is Lipshitz. This will allow us toapply the ellipsoid algorithm to solve the problem.

4.1 Computing the `-estimate In this section, weanalyze the deterministic algorithm to approximatelycompute `(K) in O(

√log n)n time. Recall that our

approach is to approximate the associated integral asa sum over a discrete set.

We first describe the idea. A reasonable firstapproach would be to check whether the integrand(i.e. ‖x‖K) is Lipschitz enough so that reasonablysized discretization may be used to approximate theintegral `(K). Indeed, it will be true that |‖x‖K −‖y‖K | = O(`(K))‖x−y‖2. Given that the mass of the ndimensional standard Gaussian is concentrated inside ofshell of constant width at radius

√n, this bound on the

Lipshitz constant would suggest that a discretizationD of

√nSn−1, such that every point in

√nSn−1 is at

distance O(1) from D, should suffice to estimate `(K).Though this will indeed be true, any such discrete set Dmust have size O(

√n)n, i.e. far larger than O(

√log n)n.

Taking a closer look however, we observe that one onlyneeds such a Lipschitz bound “on average”, since all wewant is to approximate is the integral. This we are ableto bound below, using some standard tail bounds and asimple monotonicity inequality about expectations.

To perform the analysis of our algorithm, we willneed certain facts about the discrete Gaussian distribu-tion. Let

ρs(x) = e−π‖xs ‖

2

for x ∈ Rn, and we write ρs(A) to mean∑x∈A ρs(x)

for A ⊆ Rn. For an n-dimensional lattice L ⊆ Rn, andc ∈ Rn we define the discrete Gaussian measure on L+cwith parameter s as

DL+c,s(A) =ρs(A)

ρs(L+ c)

for A ⊆ L+ c.In our setting, we will only need the case L =

Zn. We let U stand for the uniform distributionon [−1/2, 1/2]n. We now state some useful standardlemmas. See [3, 15].

Lemma 4.1. Take s ≥√

log(2(t+1))π and let X be dis-

tributed as DL+c,s for c ∈ Rn. Then(1− 1

t

)nsn ≤ ρs(Zn + c) ≤

(1 +

1

t

)nsn

Lemma 4.2. Let X be drawn from a standard n-dimensional Gaussian N(0, 1)n, i.e., with density(

1√2π

)ne−

12‖x‖

2

, then for t ≥ 1 we have that

Pr(‖X‖ ≥ t√n) ≤ e

−(

1− 1+ln(t2)

t2

)12nt

2

The next lemma is an inequality that we will use inthe main proof. It is directly implied by Lemma 8 in[4]. For convenience we give a proof in the appendix.

Lemma 4.3. Let f : Rn → R be a convex function.Let U denote the uniform distribution on [− 1

2 ,12 ]n and

let X denote the n-dimensional Gaussian N(0, 1/√

2π),

i.e., with density e−π‖x‖2

. Then we have that

E[f(X)] ≥ E[f(U)]

The choice of standard deviation for the Gaussian inthe above lemma is to simply ensure that its maximumdensity is bounded by 1.

We are now ready for the main theorem of thissection.

Theorem 4.1. Let s = 1√2π

√log(2(2n+1))

π and Cs =12s [−1, 1]n. Define

D =

(1

sZn)⋂(

3√nBn2

)and px = γn(x+ Cs)dy

for x ∈ D. Then for any symmetric convex bodyK ⊆ Rn, we have that(

1− 1

s

)`(K) ≤ ˜(K) ≤

(1 +

1

s

)`(K)

where l(K) =∑x∈D px‖x‖K .

Proof. The proof proceeds as follows. First we notein Claim 1 below that we can restrict attention to aball of radius 2

√n via a tail bound on the standard

Gaussian. Then, in Claim 2, we bound the error of thediscrete approximation computed in terms of the normof a random point from U (uniform in [−1/2, 1/2]n).Finally, using Lemma 4.3, we can bound this norm bythe `-estimate itself (Claim 3 below).

Claim 1.

(1− e−0.3n)

∫Rn‖x‖Kγn(x)dx ≤

∫D+Cs

‖x‖Kγn(x)dx

≤∫Rn‖x‖Kγn(x)dx

Claim 2.∣∣∣∣∣∑x∈D

px‖x‖K −∫D+Cs

‖x‖Kγn(x)dx

∣∣∣∣∣ ≤ 2

sE[‖U‖K ].

Claim 3.

E[‖U‖K ] ≤ 1√2π

E[‖X‖K ]

where X is a standard n-dimensional Gaussian.We prove these claims presently.Combining Claims (1), (2), and (3), we get the

upper bound

∑x∈D

px‖x‖K ≤∫D+Cs

‖x‖Kγn(x)dx+2

sE[‖U‖K ]

≤ E[‖X‖K ] +

√2√πs

E[‖X‖K ]

=

(1 +

√2√πs

)E[‖X‖K ],

and the lower bound

∑x∈D

px‖x‖K ≥∫D+Cs

‖x‖Kγn(x)dx− 2

sE[‖U‖K ]

≥(1− e−0.3n

)E[‖X‖K ]−

√2√πs

E[‖X‖K ]

=

(1− e−0.3n −

√2√πs

)E[‖X‖K ].

Since e−0.3n +√

2√πs≤ 1

s for n large enough, we get the

claimed result.Now we prove the claims.Proof of Claim 1: Since the scaled cube Cs tiles

space with respect to the lattice 1sZ

n, for x ∈ 2√nBn2 ,

we have that x+Cs∩ 1sZ

n 6= ∅. Since x+Cs ⊆ 2√nBn2 +

√ns B

n2 ⊆ 3

√nBn2 , we get that 2

√nBn2 ⊆ D + Cs. Since

‖ · ‖K is non-negative, we clearly have that

∫2√nBn2

‖x‖Kγn(x)dx ≤∫D+Cs

‖x‖Kγn(x)dx

≤∫Rn‖x‖Kγn(x)dx

Expressing the integral in polar coordinates, we have tobound the ratio between the integral

∫2√nBn2

‖x‖Kγn(x)dx =

(1/√

2π)n∫Sn−1

∫ 2√n

0

‖θ‖Ke−12 r

2

rndrdθ.

and the same integral over all of Rn. Thus,

∫2√nBn2‖x‖Kγn(x) dx∫

Rn ‖x‖Kγn(x) dx=

∫Sn−1

∫ 2√n

0‖θ‖Ke−

12 r

2

rndrdθ∫Sn−1

∫∞0‖θ‖Ke−

12 r

2rndrdθ

≥∫ 2√n

0e−

12 r

2

rndr∫∞0e−

12 r

2rndr

= 1−∫Rn+1\2

√nBn2

γn+1(x)dx

≥ 1− e−(1−

1+ln( 4nn+1

)

4nn+1

)2n≥ 1− e−0.3n

using Lemma 4.2 (i.e., the standard Gaussian tailbound)

with t = 2√

nn+1 , and noting that n ≥ 1. This proves

the claim.Proof of Claim 2: For y ∈ Rn, let r(y) denote the

closest vector to y in 1sZ

n under the l2 norm. Given thestructure of Zn, a simple computation yields that

r(y) =

(bsy1es

, . . . ,bsynes

)

Furthermore, for x ∈ 1sZ

n we have that r(y) = x iffy ∈ x+ Cs. Now we see that

∑x∈D

px‖x‖K =∑x∈D

∫x+Cs

‖x‖Kγn(y)dy

=

∫D+Cs

‖r(y)‖Kγn(y)dy

From here, using the triangle inequality, we get that∫D+Cs

‖r(y)‖Kγn(y)dy ≤∫D+Cs

(‖y‖K + ‖y − r(y)‖K)γn(y)dy =∫D+Cs

‖y‖Kγn(y) +

∫D+Cs

‖y − r(y)‖Kγn(y)dy

Similarly, we also get that∫D+Cs

‖r(y)‖Kγn(y)dy ≥∫D+Cs

‖y‖Kγn(y)−∫D+Cs

‖y − r(y)‖Kγn(y)dy

Hence to get the desired upper and lower bounds on∑x∈D px‖x‖K , we need only upper bound the quantity

∫D+Cs

‖y − r(y)‖Kγn(y)dy. Now we note that∫D+Cs

‖y − r(y)‖Kγn(y)dy =∫Cs

‖c‖K∑

y∈D+c

γn(y)dc =

(1

s

)n ∫C1

∥∥∥ cs

∥∥∥K

∑y∈D+ c

s

γn(y)dc =

(1

s

)n ∫C1

∥∥∥ cs

∥∥∥K

∑y∈sD+c

γn

(ys

)dc =

(1√2πs

)n1

s

∫C1

‖c‖K∑

y∈sD+c

e−π‖ y√

2πs‖2dc

Next note that sD = Zn ∩ 3√nsBn2 . Therefore by

Lemma 4.1 we have that(1√2πs

)n1

s

∫C1

‖c‖K∑

y∈sD+c

e−π‖ y√

2πs‖2dc ≤

(1√2πs

)n1

s

∫C1

‖c‖K∑

y∈Zn+c

e−π‖ y√

2πs‖2dc ≤

(1√2πs

)n1

s

∫C1

‖c‖K(√

2πs)n(1 +1

2n)ndc ≤

2

s

∫C1

‖c‖Kdc =2

sE[‖U‖K ]

Proof of Claim 3: We wish to show that

E[‖U‖K ] ≤ 1√2π

E[‖X‖K ] = E[‖ 1√2πX‖K ]

A simple computation gives that 1√2πX has density

e−π‖x‖2

for x ∈ Rn. Since ‖·‖K is a convex function, theabove inquality follows directly from Lemma 4.3. Theclaim thus follows.

4.2 Efficiency of solving the convex program Inwhat follows we will assume that our symmetric convexbody K is well sandwiched, i.e. that Bn2 ⊆ K ⊆ nBn2 .As mentioned previously, this can be achieved by GLStype rounding using the ellipsoid algorithm.

We recall the functions f, f : Rn×n → R

f(A) =

∫Rn‖Ax‖Kγn(x)dx and f(A) =

∑x∈D

px‖Ax‖K

We will consider an approximate version of Program 3.2:

inf f(A) =∑x∈D

px‖Ax‖K

subject to

A 0

det(A) ≥ 1

(4.3)

The main result of this section is the following:

Theorem 4.2. Let A denote an optimal solution toProgram 4.3. Then for 0 < ε ≤ 1, a matrix A ∈ Rn×nsatisfying f(A) ≤ (1 + ε)f(A) can be computed in de-terministic poly(n, ln 1

ε )O(√

log n)n time. Furthermore,let A ∈ Rn×n be any 2-approximate solution to 4.3, then

for E =√n

f(A)ABn2 we have that

N(E,K) = 2O(n) N(K,E) = O(log n)n

Proof. Let A∗ denote an optimal solution to 3.2. Thenby Theorem 4.1 we have that

(1− 1

s)f(A∗) ≤ (1− 1

s)f(A) ≤ f(A)

≤ f(A∗) ≤ (1 +1

s)f(A∗)

(4.4)

where the first inequality follows by optimality of A∗,and the third inequality by optimality of A.

Claim 1: f(A∗) = O

(logn

vol(K)1n

). Pick a linear

transformation T ∈ SL(n) minimizing l(TK)l(T ∗K).From the proof of Lemma 2.3, for some c1, c2 = Θ(1),

letting m = c1√n

l(TK) we have that

1

2vol(mT−1Bn2 ) = vol(mT−1Bn2∩K) ≥

(c2

log n

)nvol(K)

Now

vol(mT−1Bn2 ) = vol(Bn2 ) det(T−1)mn = vol(Bn2 )mn

det(T )

= vol(Bn2 )mn.

Therefore

vol(Bn2 )1nm ≥ c2

log nvol(K)

1n ⇒

c1c2

vol(Bn2 )1n√n

log n

vol(K)1n

≥ l(TK)⇒

l(TK) = O

(log n

vol(K)1n

)Using the identity ‖x‖TK = ‖T−1x‖K we see that

l(TK) =

∫x∈Rn

‖x‖TKγn(x)dx =

∫x∈Rn

‖T−1x‖Kγn(x)

= f(T−1)

Let A = T−1. For a standard gaussian vector X isRn, we note that As = (AtA)

12X, where As is the

unique positive definite square root of AtA, is identicallydistributed to AX. Therefore f(As) = E[‖AsX‖K ] =

E[‖AX‖K ] = f(A) = f(T−1). Since As = (AtA)12 0

and det(As) = |det(A)| = det(T−1) = 1, we have thatAs is feasible for Program 3.2. Since A∗ is the optimalsolution to 3.2 we have that

f(A∗) ≤ f(As) = f(T−1) = O

(log n

vol(K)1n

)as needed.

Claim 2: The Programs 3.2 and 4.3 are convex.By Lemma 4.4, we know that both f and f are

convex over the feasible region. In both programs,the feasible region is the set of positive semi-definitematrices of determinant greater than 1, which is clearlyconvex.

Claim 3: Program 4.3 can be solved towithin (1 + ε) multiplicative error in deterministicpoly(n, ln 1

ε )O(√

log n)n time.Given that Bn2 ⊆ K ⊆ nBn2 , by Lemma 4.5 we

may constrain convex Program 4.3 to the well-boundedregion R without removing any optimal solutions. Nowby Lemma 4.4 (3) the objective function is 2

√n Lipshitz

over operator norm (and hence over the Frobeniusnorm), and by Lemma 4.5 (3) that the ratio of min and

max value of the objective function over R is O(n52 ).

Given all this, we may apply the ellipsoid algorithm(see [8] Theorem 4.3.13 for example) to solve the convexprogram 4.3 to within (1 + ε) multiplicative error usingat most poly(n, ln 1

ε ) evaluations of f and arithmetic

operations. Since each evaluation of f can be computedin deterministic O(

√log n)n time, this proves the claim.

Claim 4: Let A be a 2-approximation for the

program 4.3. Then the ellipsoid E =√n

f(A)ABn2 satisfies

N(K,E) = O(log n)n and N(E,K) = 2O(n).Let A be as above. By Equation (4.4), Lemma 4.1

and Claim 1, we have that

f(A) ≤ s

s− 1f(A) ≤ 2

s

s− 1f(A) ≤ s+ 1

s− 1f(A∗)

= O

(log n

vol(K)1n

).

By Theorem 4.1, we note that√n

f(A)= Θ(1)

√n

f(A) . Hence

by Lemma 2.2, there exists c ≤ 1, where c = Ω(1), suchthat vol(cE ∩K) = 1

2vol(cE). Now note that

vol(cE) =

(c√n

f(A)

)ndet(A)vol(Bn2 ) ≥

(c√nvol(Bn2 )

1n

f(A)

)n= Ω

(1

log n

)nvol(K)

Now since vol(E ∩ K) ≥ vol(cE ∩ K) = 12vol(cE) =

12cnvol(E) and vol(E ∩ K) ≥ vol(cE ∩ K) =

Ω(

1logn

)nvol(K), applying the covering estimates of

Lemma 2.1 yields the claim.

Lemma 4.4.

1. f ,f define norms on Rn×n.

2. AtA BtB ⇒ f(A) ≥ f(B).

3. |f(A)−f(B)|, |f(A)− f(B)| ≤ 2√n‖A−B‖, where

‖A−B‖ denote the operator norm of A−B.

Proof. Let X ∈ Rn denote a standard Gaussian randomvector. Take A,B ∈ Rn×n and scalars s, t ∈ R. Thennote that

f(sA+ tB) = E[‖(sA+ tB)X‖K ] = E[‖sAX + tBX‖K ]

≤ E[|s|‖AX‖K + |t|‖BX‖K ]

= |s|f(A) + |t|f(B)

where the inequality above follows since ‖ · ‖K defines anorm. Lastly, using the fact that

1

n‖x‖2 ≤ ‖x‖K ≤ ‖x‖2

for x ∈ Rn (since Bn2 ⊆ K ⊆ nBn2 ) it is easy to verifythat f(A) = 0 ⇔ A = 0n×n and f(A) < ∞ for allA ∈ Rn×n. Hence f defines a norm on Rn×n as claimed.The argument for f is symmetric.

Now take A,B satisfying the condition of (2). Notethat AX is an origin centered gaussian with covariancematrix E[AX(AX)t] = E[AXXtAt] = AtA. SimilarlyBX is origin centered with covariance BtB. Fromour assumptions, the matrix C = AtA − BtB 0,hence C has a PSD square root which we denote C

12 .

Now let Y denote standard n-dimensional Gaussianindependent from X. Now note that BX+C

12Y is again

a Gaussian vector with covariance BtB + C = AtA.Hence BX + C

12Y is identically distributed to AX.

Therefore we see that

f(A) = E[‖AX‖K ] = E[‖BX + C12Y ‖K ]

= EX

[EY

[‖BX + C12Y ‖K ]]

≥ EX

[‖BX + C12 EY

[Y ]‖K ] = E[‖BX‖K ] = f(B)

where the inequality follows by Jensen’s inequality andthe convexity of ‖ · ‖K .

We now prove (3). Take A,B ∈ Rn×n. By thetriangle inequality, we have that

f(B)− f(A−B) ≤ f(A) ≤ f(B) + f(A−B).

Therefore |f(B)− f(A)| ≤ f(A− B). Since f is also anorm, we similarly get that |f(B)− f(A)| ≤ f(A−B).

Let λ = ‖A − B‖. By definition of the operator norm,we have that (A−B)t(A−B) λ2In, where In denotethe n × n identity matrix. Therefore by (2), we havethat

f(A−B) = E[‖(A−B)X‖K ] ≤ E[‖λX‖K ] = λE[‖X‖K ]

≤ λE[‖X‖2] ≤ λ√

E[‖X‖22] = λ√n

as needed. Next by Theorem 4.1, we have that

f(A−B) ≤ 2f(A−B) ≤ 2‖A−B‖√n

as required.

Lemma 4.5. Define the set

R = A ∈ Rn×n : A 0,det(A) ≥ 1, ‖A‖ ≤ 2n32

where ‖A‖ denote the operator norm of A. Then Rsatisfies the following:

1. R contains an optimal solution to the programs 3.2and 4.3.

2. R satisfies the following sandwiching properties:

n32 In + (n

32 − 1)Bn×n2 ⊆ R ⊆ n 3

2 In + 3n2Bn×n2

where In is the n× n identity matrix and Bn×n2 =A ∈ Rn×n : A = At, ‖A‖F ≤ 1, the set of n × nsymmetric matrices of Frobenius norm at most 1.

3. There is an absolute constant c such that for anyA ∈ R, we have that

c√n≤ f(A), f(A) ≤ 3n2

Proof. Let X ∈ Rn denote a standard n dimensional

gaussian vector, and let s = 1√2π

√log(2(2n+1))

π .

We start by showing property (1). Let A be anoptimal solution for Program 3.2. We wish to showthat ‖A‖ ≤ n

32 . Since ‖x‖2 ≥ ‖x‖K for all x ∈ Rn, we

have that

f(In) = E[‖X‖K ] ≤ E[‖X‖2] ≤√E[‖X‖22 =

√n

Since In is feasible for 3.2, it suffices to show that if‖A‖ ≥ 2n

32 , we get that f(A) ≥

√n. Let λ = ‖A‖, and

let v denote an eigenvector of A satisfying Av = λv and‖v‖ = 1

n . Since K ⊆ nBn2 , we have that K ⊆ W =x : |〈v, x〉| ≤ 1 (since ‖v‖ = 1

n ). Therefore

f(A) = E[‖X‖K ] ≥ E[‖AX‖W ] = E[|〈v,AX〉|]

= λE[|〈v,X〉|] = λ(

√2

π‖v‖) =

λ

n

√2

π

Since A is optimal, we get that λn

√2π ≤√n⇒ λ ≤ 2n

32

as claimed. We now show the same for Program 4.3. By4.1, f(In) ≤ (1 + 1

s )f(In) ≤ (1 + 1s )√n. Now if A is an

optimal solution to 4.3, letting λ = ‖A‖, we have that

f(A) ≥ (1− 1

s)f(A) ≥ (1− 1

s)λ

n

√2

π

But then as above we have that

λ ≤1 + 1

s

1− 1s

√π

2n

32 ≤ 2n

32

for n large enough as needed. Therefore R satisfiesproperty (1) as needed.

We now show the containment relationship in (2).

Take A = n32 In + B where B ∈ (n

32 − 1)Bn×n2 . We

must show that A ∈ R. We recall that ‖B‖ ≤ ‖B‖F ≤√n‖B‖. First, note that

‖A‖ ≤ n 32 + ‖B‖ ≤ n 3

2 + n32 − 1 < 2n

32

as needed. Next note that

infv∈Sn−1

vtAv = infv∈Sn−1

vt(n32 In +B)v

≥ infv∈Sn−1

n32 vtv − vtBv

= n32 − sup

v∈Sn−1

vtBv ≥ n 32 − ‖B‖ ≥ 1

Since A is symmetric, the above shows the A’s smallesteigenvalue is at least 1, and hence A 0 and det(A) ≥ 1as needed. To show the opposite containment, note thatfor A ∈ R, we have that

‖A−n 32 In‖F ≤ ‖A‖F + ‖n 3

2 In‖F ≤√n‖A‖+n2 ≤ 3n2

as needed.Now we need to show the bounds on f(A) for A ∈ R

to prove property (3). First we remember that

E[‖AX‖2] ≥ f(A) ≥ 1

nE[‖AX‖2]

Hence it suffices to upper and lower bound E[‖AX‖2].We see that

c√

E[‖AX‖22] ≤ E[‖AX‖2] ≤√

E[‖AX‖22]

for an absolute constant 0 ≤ c < 1. Here the firstinequality follows by Borell’s Lemma and the second byJensen’s inequality. Next we have that√

E[‖AX‖22] =√

E[XtAtAX] =√

E[trace(AtAXXt)]

=√

trace(AtA) = ‖A‖F

Since A ∈ R, we know that ‖A‖ ≤ 2n32 , and hence

‖A‖F ≤ 2n2. Combining the above inequalities, thisyields that f(A) ≤ 2n2 as needed. We now prove thelower bound. Since A ∈ R, we have that det(A) ≥ 1.Let Ai denote the ith column of A. Now we have that

‖A‖F ≥√n

n∏i=1

‖Ai‖1n2 ≥

√ndet(A)

1n ≥√n

where the first inequality follows by the arithmetic- geometric mean inequality, and the second followsfrom Hadamard’s inequality. Combining the aboveinequalities, we get that

f(A) ≥ 1

nE[‖AX‖2] ≥ c

n‖A‖F ≥

c√n

as needed. The bounds for f(A) follow from therelationship (1 − 1

s )f(A) ≤ f(A) ≤ (1 + 1s )f(A)

(Theorem 4.1).

5 Application to lattice algorithms

We now apply our construction of `-type ellipsoids tolattice algorithms. Dadush et al [6] gave algorithmsfor SVP in any norm, CVP in any norm and IntegerProgramming (IP). These algorithms were all based onthe construction of an M -ellipsoid. Their core result canbe stated as follows. For a lattice L and convex bodyK in Rn, let G(K,L) be the largest number of latticepoints contained in any translate of K, i.e.,

(5.5) G(K,L) = maxx∈Rn|(K + x) ∩ L|.

Theorem 5.1. [6] Given any convex body K ⊆ Rnalong with an M -ellipsoid E of K and any n-dimensional lattice L ⊆ Rn, the set K ∩ L can be com-puted in deterministic time G(K,L) · 2O(n).

They then proceeded to give a randomized constructionof an M -ellipsoid. The necessary properties of the M -ellipsoid E are that the covering numbers N(K,E) andN(E,K) are both bounded by 2O(n). In fact, the resultof [6] can be stated more generally as follows.

Theorem 5.2. Given any convex body K ⊆ Rn alongwith an ellipsoid E of K and any n-dimensional latticeL ⊆ Rn, the set K ∩L can be computed in deterministictime G(K,L) ·N(K,E)N(E,K) · 2O(n).

Furthermore, in [6], they only require an algorithmwhich builds an M-ellipsoid when K is centrally sym-metric. This follows since one can show that an M-ellipsoid E for K − K (which is symmetric) is also anM-ellipsoid forK (of slightly worse quality). Hence fromTheorem 1.1 and the bounds derived on N(K,E) andN(E,K), we obtain a simple corollary.

Corollary 5.1. Given any convex body K ⊆ Rn andany n-dimensional lattice L ⊆ Rn, the set K ∩L can becomputed in deterministic time G(K,L) ·O(log n)n.

This lattice point enumerator is the core of subse-quent algorithms for SVP, CVP and IP in [6]. We ob-tain similar conclusions with deterministic algorithmsbut with an overhead of O(log n)n. The precise state-ment for SVP is Theorem 1.2. For CVP the statementis as follows.

Theorem 5.3. There is a deterministic algorithm that,given any well-centered n-dimensional convex body K,solves CVP exactly on any n-dimensional lattice L inthe semi-norm ‖·‖K defined by K, in (2 + γ)O(n) ·O(log n)n time and space, provided that the distancefrom the query point x to L is at most γ times the lengthof the shortest nonzero vector of L (under ‖·‖K).

A central motivation for solving SVP in generalnorms is to improve the complexity of integer program-ming. The IP algorithm directly uses the SVP algo-rithm. Moreover, in this case, the final complexitybound is already higher than O(log n)n, so we simplyget the IP complexity of [6] with a deterministic algo-rithm.

Theorem 5.4. There exists a deterministic algorithmthat, given a convex body K ⊆ Rn and an n-dimensionallattice L ⊂ Rn, either decides that K ∩L = ∅ or returnsa point y ∈ K ∩ L in O(f∗(n))n time, where f∗(n) isthe optimal bound for the “flatness” theorem.

The flatness theorem, which we do not describehere, gives a bound on the lattice width of lattice-point-free convex bodies. The current best bound on f∗(n) isn4/3 for general convex bodies [24].

6 Conclusion

It remains open to give a deterministic 2O(n) algorithmfor M -ellipsoids and coverings. This would resolve theopen problem of a deterministic 2O(n) SVP algorithmin any norm and close the gap for the complexityof deterministic volume algorithms as noted in theintroduction.

Another open problem is to fully extend the ap-proach suggested in [6] to exact or even (1 + ε) CVP.At the moment, their 2O(n) bound only holds for exactCVP when the target point’s distance to the lattice is atmost a constant times the minimum distance of the lat-tice. In particular, it is open to give a 2O(n) algorithmfor the CVP under the L∞ norm.

Acknowledgments. We are deeply gratefulto Grigoris Paouris and Chris Peikert for illuminating

discussions, and to Gilles Pisier for his book on convexbodies. We are also thankful to an anonymous refereefor useful references.

References

[1] Miklos Ajtai, Ravi Kumar, and D. Sivakumar. A sievealgorithm for the shortest lattice vector problem. InSTOC, pages 601–610, 2001.

[2] Vikraman Arvind and Pushkar S. Joglekar. Somesieving algorithms for lattice problems. In FSTTCS,pages 25–36, 2008.

[3] Wojciech Banaszczyk. Inequalites for convex bodiesand polar reciprocal lattices in Rn. Discrete & Com-putational Geometry, 13:217–231, 1995.

[4] F. Barthe and A. Naor. Hyperplane projections of theunit ball of lp

n. Discrete & Computational Geometry,27(2):215–226, 2002.

[5] W. Blaschke. Uber affine geometry xiv: eine minimumaufgabe fur legendres tragheits ellipsoid. Ber. verh.sachs. Akad. d. Wiss., 70:72–75, 1918.

[6] Daniel Dadush, Chris Peikert, and Santosh Vempala.Enumerative lattice algorithms in any norm via m-ellipsoid coverings. In FOCS, 2011.

[7] A.A. Giannopolous, V.D. Milman, and M. Rudelson.Convex bodies with minimal mean width. GeometricAspects of Functional Analysis, pages 81–93, 2001.

[8] M. Grotschel, L. Lovasz, and A. Schrijver. GeometricAlgorithms and Combinatorial Optimization. Springer,1988.

[9] Antoine Joux and Jacques Stern. Lattice reduction: Atoolbox for the cryptanalyst. J. Cryptology, 11(3):161–185, 1998.

[10] A. T. Kalai and S. Vempala. Simulated annealing forconvex optimization. Math. Oper. Res., 31(2):253–266,2006.

[11] B. Klartag. On convex perturbations with a boundedisotropic constant. Geometric And Functional Analy-sis, 16:1274–1290, 2006.

[12] Arjen K. Lenstra, Hendrik W. Lenstra, Jr., and LaszloLovasz. Factoring polynomials with rational coeffi-cients. Mathematische Annalen, 261(4):515–534, De-cember 1982.

[13] Hendrik W. Lenstra. Integer programming with afixed number of variables. Mathematics of OperationsResearch, 8(4):538–548, November 1983.

[14] L. Lovasz and S. Vempala. Fast algorithms for logcon-cave functions: Sampling, rounding, integration andoptimization. In FOCS ’06: Proceedings of the 47thAnnual IEEE Symposium on Foundations of ComputerScience, pages 57–68, Washington, DC, USA, 2006.IEEE Computer Society.

[15] Daniele Micciancio and Oded Regev. Worst-case toaverage-case reductions based on Gaussian measures.SIAM J. Comput., 37(1):267–302, 2007. Preliminaryversion in FOCS 2004.

[16] Daniele Micciancio and Panagiotis Voulgaris. A de-terministic single exponential time algorithm for mostlattice problems based on Voronoi cell computations.In STOC, pages 351–358, 2010.

[17] V. Milman. Inegalites de brunn-minkowski inverse etapplications at la theorie locales des espaces normes.C. R. Acad. Sci. Paris, 302(1):25–28, 1986.

[18] V.D. Milman and A. Pajor. Entropy and asymptoticgeometry of non-symmetric convex bodies. Advancesin Mathematics, 152(2):314 – 335, 2000.

[19] A. Nemirovski, A. Juditsky, G. Lan, and A. Shapiro.Robust stochastic programming approach to stochas-tic programming. SIAM Journal on Optimization,19:1574–1609, 2009.

[20] Phong Q. Nguyen and Jacques Stern. The two faces oflattices in cryptology. In CaLC, pages 146–180, 2001.

[21] Andrew M. Odlyzko. The rise and fall of knapsackcryptosystems. In C. Pomerance, editor, Cryptologyand Computational Number Theory, volume 42 of Pro-ceedings of Symposia in Applied Mathematics, pages75–88, 1990.

[22] G. Pisier. The Volume of Convex Bodies and BanachSpace Geometry. Cambridge University Press, 1989.

[23] H. Robbins and S. Monro. A stochastic approximationmethod. Annals of Mathematical Statistics, 22:400–407, 1950.

[24] M. Rudelson. Distance between non-symmetric convexbodies and the MM*-estimate. Positivity, 4(8):161–178, 2000.

[25] Luis A. Santalo. Un invariante afin para los cuerposconvexos del espacio de n dimensiones. PortugalieMath., 8:155–161, 1949.

7 Appendix

Proof. (of Lemma 4.3.) We shall prove the statementby induction. Let C = [− 1

2 ,12 ]. We start with the base

case n = 1. The density of U here is I[x ∈ C], and the

density for X is e−πx2

(this density function is chosenso that the density is at most 1 everywhere).

For our convex function f : R→ R, let φ denote thelinear function satisfying φ(− 1

2 ) = f(− 12 ) and φ( 1

2 ) =f( 1

2 ). By convexity of f we note that f(x) ≤ φ(x) forx ∈ C and f(x) ≥ φ(x) for x ∈ R \ C. Now we notethat

E[f(X)]− E[f(U)] =

∫Rf(x)(e−πx

2

− I[x ∈ C])dx =∫R\C

f(x)(e−πx2

)dx+

∫C

f(x)(e−πx2

− 1)dx

For x ∈ R\C, we have that e−πx2 ≥ 0 and f(x) ≥ φ(x),

and hence∫R\C

f(x)(e−πx2

) ≥∫R\C

φ(x)(e−πx2

).

For x ∈ C, we have that e−πx2 ≤ 1 and that f(x) ≤

φ(x), and hence∫C

f(x)(e−πx2

− 1) ≥∫C

φ(x)(e−πx2

− 1)

So we see that∫R\C

f(x)(e−πx2

)dx+

∫C

f(x)(e−πx2

− 1)dx ≥∫R\C

φ(x)(e−πx2

)dx+

∫C

f(x)(e−πx2

− 1)dx =∫Rφ(x)(e−πx

2

− I[x ∈ C])dx = E[φ(X − U)] =

φ(E[X − U ]) = φ(0) = 0.

Here the last equalities follow since φ is linear and bothX and U have mean 0. The base case is thus proven.

We now assume that the claim is true for n ≥ 1and prove it for n + 1. Note that X = (X1, . . . , Xn+1)

where the Xis are i.i.d. gaussians with density e−πx2

,and that U = (U1, . . . , Un+1) where the Uis are i.i.d.uniform random variables on C. We first show that

E[f(X1, . . . , Xn+1)] ≥ E[f(X1, . . . , Xn, Un+1)]

To see this, note that

E[f(X1, . . . , Xn+1)] =∫Rne−π(

∑ni=1 x

2i )

∫Rf(x1, . . . , xn+1)e−πx

2n+1dxn+1 . . . dx1

Now by convexity of f , we see that for any x1, . . . , xn ∈Rn the function g(y) = f(x1, . . . , xn, y) is a convexfunction from R to R. Therefore, by the analysis ofthe base case, we have that∫

Rne−π(

∑ni=1 x

2i )

∫Rf(x1, . . . , xn+1)e−πx

2n+1dxn+1 . . . dx1 ≥∫

Rne−π(

∑ni=1 x

2i )

∫Rf(x1, . . . , xn+1)I[xn+1 ∈ C]dxn+1 . . . dx1 =

E[f(X1, . . . , Xn, Un+1)]

as needed. Next by convexity of f , we get that thefunction

g(x1, . . . , xn) = E[f(x1, . . . , xn, Un+1)]

is also convex. Therefore by the induction hypothesis,we get that

E[f(X1, . . . , Xn, Un+1)] = E[g(X1, . . . , Xn)]

≥ E[g(U1, . . . , Un)] = E[f(U1, . . . , Un+1)]

as needed.