A Note on the Distribution of the Distance from a Lattice

Discrete Comput Geom (009) 4: 6 76 DOI 0007/s00454-008-93-5 A Note on the Distribution of the Distance from a Lattice Ishay Haviv Vadim Lyubashevsky Oded Regev Received: 30 March 007 / Revised: 30 May 008 / Accepted: 9 June 008 / Published online: November 008 Springer Science+Business Media, LLC 008 Abstract Let L be an n-dimensional lattice, and let x be a point chosen uniformly from a large ball in R n In this note we consider the distribution of the distance from x to L, normalized by the largest possible such distance (ie, the covering radius of L) By definition, the support of this distribution is [0, ] We show that there exists a universal constant α that provides a natural threshold for this distribution in the following sense For any ε>0, there exists a δ>0 such that for any lattice, this distribution has mass at least δ on [α ε, ]; moreover, there exist lattices for which the distribution is tightly concentrated around α (and so the mass on [α + ε, ] can be arbitrarily small) We also provide several bounds on α and its extension to other l p norms We end with an application from the area of computational complexity Namely, we show that α is exactly the approximation factor of a certain natural AM protocol for the Covering Radius Problem Keywords Lattices Geometrical invariants Second moment Covering radius Computational complexity I Haviv s research was supported by the Binational Science Foundation and by the Israel Science Foundation V Lyubashevsky s research was supported by NSF ITR 0334 O Regev s research was supported by an Alon Fellowship, by the Binational Science Foundation, by the Israel Science Foundation, and by the European Commission under the Integrated Project QAP funded by the IST directorate as Contract Number 05848 I Haviv O Regev Department of Computer Science, Tel-Aviv University, Tel-Aviv 69978, Israel V Lyubashevsky University of California, San Diego, 9500 Gilman Drive, La Jolla, CA 9093-0404, USA

Discrete Comput Geom (009) 4: 6 76 63 Introduction Preliminaries A (full-rank) lattice is defined as the set of all integer combinations { n } L(b,,b n ) = x i b i : x i Z for all i n i= of n linearly independent vectors b,,b n in R n This vector set is called a basis of the lattice, and we often represent it by a matrix B having the basis vectors as columns We say that a bounded region P R n is a fundamental region of a lattice L if every element of R n can be written uniquely as the sum of an element from P and a lattice vector from L In other words, the translates of a fundamental region by lattice vectors tile R n The volume of any fundamental region of a lattice L is uniquely determined by L We define the determinant of L, denoted by det(l),tobe this volume One fundamental region is given by the l p Voronoï cell defined as Vor p (L) = { x R n : for all v L, dist p (x, 0) dist p (x, v) }, where dist p (, ) denotes the distance with respect to the l p norm In the l case, the Voronoï cells are polytopes and tile R n in a face-to-face manner Another fundamental region of a lattice is given by its basic parallelepiped defined as { n } P(B) = x i b i : 0 x i < for all i n, i= where B = (b,,b n ) is a basis of the lattice Notice that the volume of this region equals det(b), and hence det(l) = det(b) The covering radius of a lattice is defined as follows Definition The covering radius of a lattice L R n with respect to the l p norm is defined as ρ p (L) = max x R n dist p(x, L) We define the normalized distance of a point x from a lattice L as the distance of x from L divided by the covering radius of L Finally, for an n-dimensional lattice L and an n -dimensional lattice L, we define their direct sum L L as the lattice L L = { (y,,y n,y,,y n ) : (y,,y n ) L and (y,,y n ) L } We let L k denote the direct sum of k copies of L Distance from a Lattice In this note we analyze the distribution of the normalized distance from a lattice of a point x chosen uniformly from a large ball in R n Fora lattice L, a fundamental region P of L, and some p, let the random variable

64 Discrete Comput Geom (009) 4: 6 76 Fig The density function of the distribution of Z Z k, for k =,, 3, 4(from top left to bottom right) For large k, the distribution is concentrated around 0577 3 Z L,p [0, ] be the normalized l p distance from L of a point distributed uniformly in P More formally, Z L,p = dist p(x, L), ρ p (L) where x is chosen uniformly from P (see Fig ) It can be shown that the distribution of Z L,p is independent of the choice of P In particular, by choosing P to be the l p Voronoï cell Vor p (L), the definition of Z L,p simplifies to Z L,p = x p ρ p (L) Moreover, one can equivalently define Z L,p as the limit as R of the distribution of the normalized distance from L of a point chosen from a ball of radius R Finally, note that the distribution of Z L,p is invariant under scaling and orthogonal transformations of L For any p<, we define α p (L) as the pth norm of the random variable Z L,p, ie, α p (L) = p E [ Z p L,p] It is easy to see that in addition to being invariant under scaling and orthogonal transformations, α p (L) is also invariant under the direct sum operation, ie, α p ( L k ) = α p (L) for any k (a lattice parameter satisfying these properties is called a geometrical invariant in [7]) Finally, we denote by α p the infimum of the α p (L) over all

Discrete Comput Geom (009) 4: 6 76 65 lattices L Obviously, it is enough to take the infimum over all lattices L satisfying ρ p (L) = We extend the definition to the l norm by α = The following theorem proves two fundamental properties of Z L,p in terms of α p First, it shows that for arbitrarily small ε>0 and any lattice L, Z L,p must have some positive mass in the segment [α p ε, ] Second, it shows that this cannot be improved as there are lattices for which Z L,p is tightly concentrated around α p The proof appears in Sect Theorem For any p and any ε>0, the following holds There exists a δ>0 such that for any lattice L, Pr [Z L,p α p ε] δ For arbitrarily large n, there exists an n-dimensional lattice L such that is exponentially small in n Pr [ Z L,p α p ε] Related Work A somewhat related parameter was studied by Conway and Sloane [5, Chap ] and by Barnes and Sloane [3] (among others) in the context of quantizing data that is uniformly distributed over a large region of R n This parameter, known as the normalized second moment, is defined for an n-dimensional lattice L as G(L) = E x Vor (L)[ x ] n det(l) /n In other words, G(L) is the expected squared l distance from the lattice divided by the dimension, after the lattice is normalized to have determinant In [5, Chap ] formulas for G(L) were provided for some well-known lattices such as root lattices and their duals In [3] a formula for G(L) for any 3-dimensional lattice L was given, a result that we will use later in this note (see Theorem 36) The parameters G(L) and α (L) might seem very similar as they both depend on the second moment of the Voronoï cell, E x Vor (L)[ x ] However, there is one main difference between them: whereas in G(L) we normalize the Voronoï cell to have volume, in α (L) we normalize it to have circumradius This difference is crucial and is best demonstrated by considering the task of minimizing each of these parameters Since the ball has the smallest second moment among all bodies of volume, we expect lattices whose Voronoï cell is as spherical as possible to be minimizers of G On the other hand, the ball is definitely not the minimizer of the second moment among all bodies of circumradius : in the limit of large dimension, the second moment of a ball of radius approaches, whereas that of a cube of circumradius is 3 This indicates that lattices whose Voronoï cell is cubical (such as Z n ) achieve a smaller α than those whose Voronoï cell is spherical

66 Discrete Comput Geom (009) 4: 6 76 Fig Upper bounds on α p as a function of p including the bound from () and bounds from () for various values of β (0, ] Bounds on α p In Sect 3 we provide several upper and lower bounds on α p For any real p<, we show that α p p p +, () where the right inequality is achieved by the lattice Z n for any n Clearly, () implies that α = For any p<, we show the following upper bound, which is better than () for any p>(seefig) α p min 0<β p ( + β) p+ ( β) p+ β () (p + )(p + ) Combining the lower bound from () and the upper bound from () forβ = p,we get that lim α p = p Moreover, by choosing β = one gets 4 α p p (p + )(p + ) (3) For the l norm, the three bounds (), (), and (3) provide an upper bound of on α This gives some evidence to the following conjecture Conjecture 3 α = 3 As an additional evidence to this conjecture, we show in Sect 3 that α (L) 3 for all lattices of dimension at most three So any counterexample to the conjecture must be of dimension at least 4 We also show that any lattice of dimension at most three that achieves α (L) = is generated by a basis of orthogonal vectors In addition, we verified that some well-studied lattices (such as the 3 lattices 3

Discrete Comput Geom (009) 4: 6 76 67 from [5, p 6, Table 3]) satisfy α (L) We also note that α 3 for the wellknown lattices A n and D n (see [5, pp 08, 7] for the definition) tends to from 3 above as n tends to infinity, as follows easily from the parameters calculated in [5, Chap ] The Covering Radius Problem Our original motivation for studying α p comes from the area of computational complexity, as explained in Sect 4 The Covering Radius Problem (CRP)inthel p norm with approximation factor γ is that of distinguishing between YES instances, which are lattices with l p covering radius at most d, and NO instances, which are lattices with l p covering radius bigger than γ d The complexity of CRP was first studied by Guruswami et al [8] They presented a simple and natural protocol by which a prover can convince a (randomized) verifier that an instance of CRP is a YES instance for γ = This protocol implies that CRP with factor γ = is in the complexity class AM, which very roughly speaking is not much wider than NP Their analysis is not necessarily tight Based on Theorem, we observe in Sect 4 that the approximation factor achieved by the protocol is essentially α p This implies the following theorem Theorem 4 For any p and γ> α p, CRP in the l p norm with factor γ lies in AM Notice that assuming Conjecture 3, Theorem 4 yields that CRP in the l norm with factor γ is in AM for any γ> 3 Open Questions The main open question raised by this note is that of determining α p for any <p< Of special interest is the Euclidean norm case is α =? 3 One possible approach is to show that the second moment of any polytope P with circumradius that has some of the properties satisfied by Voronoï cells is at least 3 For instance, one can prove this for centrally symmetric polytopes whose facets are centrally symmetric, and in which each vector pointing from the center of the cell to the center of a facet is perpendicular to the facet A possibly easier task is showing a lower bound of on α 3 (L) for certain families of lattices L For example, it will be interesting to show it for all lattices that are associated with positive definite quadratic forms lying in the closure of what is known as Voronoï s principal domain of the first type Such a result was obtained for the lattice covering problem using techniques of convex optimization and semidefinite programming [, Chap 7] Another interesting open question is to find the smallest γ forwhichcrp in the l p norm with factor γ is in AM As mentioned before, the AM protocol of [8] achieves a factor of α p, but the existence of better protocols is indeed possible Proof of Theorem Lemmas and imply Theorem for any finite p

68 Discrete Comput Geom (009) 4: 6 76 Lemma For any p< and ε>0, there exists a constant δ>0 such that for any lattice L, Pr [ Z p L,p αp p ε ] δ Proof The random variable Z L,p satisfies 0 Z p L,p and by definition E[Z p L,p ] αp p By Markov s inequality it follows that Z p L,p αp p ε with probability at least δ = ε α p p +ε Lemma For any p< and ε>0, there exists an integer n 0 and a lattice sequence {L k } k= such that the dimension of L k is n 0 k and Pr [ Z p L k,p αp p ε] is exponentially small in k Proof Fix ε>0and let L 0 be an n 0 -dimensional lattice satisfying αp(l p 0 ) αp p + ε For any k N, we define the n 0 k-dimensional lattice L k = L k 0 Observe that the random variable Z p L k,p is an average of k independent and identically distributed random variables Z p L 0,p and that its expectation equals αp p(l 0 ) Hence, by the standard estimate of Chernoff (see, for example, Appendix A of []) we have Pr [ [ p Z L k,p ] Z αp p p ε Pr L k,p αp p(l 0 ) ] ε e ε k 8, as required Lemmas 3 and 4 imply Theorem for the l norm The former is due to [8] and holds for any p Lemma 3 [8] For any p and lattice L, [ Pr Z L,p ] Proof Let h be a point of l p distance ρ p (L) from the lattice (such a point is known as a deep-hole) and let P be some fundamental region for L By the triangle inequality, for any point x,wehave Therefore, we have ρ p (L) = dist p (L,h+ L) dist p (x, L) + dist p (x, h + L) (4) = Pr x P Pr x P = Pr [ distp (x, L) + dist p (x, h + L) ρ p (L) [ distp (x, L) ρ p (L) [ Z L,p ], ] + Pr x P ] [ distp (x, h + L) ] ρ p (L) and we are done

Discrete Comput Geom (009) 4: 6 76 69 Lemma 4 For any 0 <ε< and n, there exists an n-dimensional lattice L for which Pr [ Z L, ε] is exponentially small in n Proof Fix 0 <ε< and let D n be the checkerboard lattice defined as { D n = x = (x,,x n ) Z n : } n x i = 0(mod) Clearly, ρ (D n ) =, and this is achieved by (, 0,,0) To calculate the probability from the lemma we can consider a point chosen uniformly from P =[0, ) [0, ) n since P is a fundamental region of D n A necessary condition for the l distance from D n to be at least ε-far from is that for each i n, x i is outside the range ( ε, + ε) Therefore, [ Pr Z L, ] [ ( ε Pr x i / x P ε, ) ] + ε for each i n i= = ( ε) n 3 Bounds on α p The next claim gives some simple bounds on α p based on ideas from [8] (The lower bound in the claim can also be seen as an immediate consequence of Lemmas and 3) Claim 3 For any real p<, In particular, α p α = p p + Proof The right inequality follows from calculating α p (Z): α p (Z) = E [ p Z p ] p Z,p = / 0 x p dx = p p p + The proof of the left inequality resembles that of Lemma 3LetLbe an arbitrary lattice with some fundamental region P, and let h be a deep-hole By (4) wehave [ ] [ ] distp (x, L) distp (x, h + L) E x P + E x P = E[Z L,p ] ρ p (L) ρ p (L)

70 Discrete Comput Geom (009) 4: 6 76 Now by Jensen s inequality we get α p (L) = p E [ Z p L,p] E[ZL,p ], and the claim follows Remark 3 We note that the upper bound in Claim 3 is achieved by any lattice of the form c Z c Z c n Z, where n is a positive integer, and c i > 0 for every i n In particular, for any n and any p<,wehave α p ( Z n ) = p p + 3 The Lattices L n,k In this subsection we consider a set of lattices that improve the upper bound on α p from Claim 3 for any p> For two positive integers k n, the lattice L n,k is the n-dimensional lattice defined as { } n L n,k = x = (x,,x n ) Z n : x i = 0(modk) Notice that L n, is the lattice Z n that achieves the upper bound from Claim 3 and the tight value of α Furthermore, L n, is the lattice D n that attains the value of α Motivated by these examples, we now give an upper bound on the value of α p (L n,k ) for any real p We consider k that is linear in n, ie, k = βn for some 0 <β, and we think of n as tending to infinity Lemma 33 For any p<, 0<β, small enough ε>0, and large enough integer n for which k = βn is an odd integer, we have that α p (L n,k ) p ( + β) p+ ( β) p+ β + ε (p + )(p + ) In order to prove Lemma 33 we use a theorem of Kolmogorov and Smirnov given in [6] It says that if we take many samples from the uniform distribution over [0, ], then asymptotically we expect them to be uniformly distributed in [0, ]Belowwe use z to denote the vector obtained from z by sorting the coordinates in a nondecreasing order Theorem 34 [6] Let z [0, ) n be a vector each of whose coordinates is chosen independently and uniformly from [0, ) Then for any ε>0, [ lim Pr i n z i i ] n ε = 0 i=

Discrete Comput Geom (009) 4: 6 76 7 We also need the following claim Claim 35 For any p< and small enough ε>0, the following holds Let n be a large enough integer and k n be an odd number For any x R n, let y Z n be the integer point closest to x so that the difference z = x y is in [, )n Let l { k,, k } be such that l = i y i (mod k) If for each i n, z i ( i n ε, i n + ε), then dist p p(x, L n,k ) n [( p + + l ) p+ ( + n l ) p+ ] + O(ε n) n Proof For simplicity, assume that l 0 The case l<0 is similar Since L n,k is invariant under permutations of the coordinates, we can assume without loss of generality that the coordinates of z appear in a nondecreasing order, ie, z = z Denote by ỹ Z n the point ỹ = (y,,y l,y l+,,y n ) Observe that ỹ is a lattice point of L n,k since Therefore, n n ỹ i = y i l = 0(modk) i= i= dist p p(x, L n,k ) dist p p(x, ỹ) = l i= l i= n x i ỹ i p = i= ( i n + ) p + ε + ( i n + ) p + n i=l+ n i=l+ l z i + p + i= ( i n ) p + ε i n For large enough n, we can bound the above by an integral, p + O(ε n) n i=l+ z i p dist p p(x, L n,k ) l ( x 0 n + ) p n dx + x l n p dx + O(ε n) l ( x = 0 n + ) p n ( dx + l x ) p n ( x dx + n n n ) p dx + O(ε n) = n [( p + + l ) p+ ( + n l ) p+ ] + O(ε n), n and the claim follows

7 Discrete Comput Geom (009) 4: 6 76 Proof of Lemma 33 First, consider the vector (,,, 0,,0) with k ones The l p distance of this vector from L n,k is p k, and therefore ρ p (L n,k ) p k (5) Now our goal is to give an upper bound on the expectation of dist p p(x, L n,k ) where x is chosen uniformly from some fundamental region P of L n,k We take the fundamental region given by P =[ k, k ) [, )n Forx chosen uniformly from P, denote by y Z n the integer vector closest to x so that z = x y is in [, )n, and let l { k,, k } be such that l = i y i (mod k) It is easy to see that l and z are independent, that l is uniformly distributed in { k,, k }, and that the coordinates of z are independently and uniformly distributed in [, ) By Theorem 34, for large enough n, with probability arbitrarily close to, ( i, z i i n ε, i n ) + ε Hence Claim 35 implies that, with probability arbitrarily close to, dist p p(x, L n,k ) n [( p + + l ) p+ ( + n l ) p+ ] + O(ε n) n By taking expectations we obtain that for large enough n, E [ dist p p(x, L n,k ) ] k k 0 ( [( n p + + l ) p+ ( + n l ) p+ ]) dl+ O(ε n) n = (n + k)p+ (n k) p+ p+ kn p (p + )(p + ) + O(ε n) Finally, using our bound on the covering radius of L n,k from inequality (5) and recalling that k = βn, one has α p (L n,k ) p ( + β) p+ ( β) p+ β + O(ε), (p + )(p + ) and since ε is arbitrary, we are done 3 On α and 3-Dimensional Lattices In this subsection we show that α (L) 3 for any lattice L of dimension at most three We start with some background on 3-dimensional lattices One associates with any lattice L a quadratic form f(x)= x T (B T B)x, where the columns of the matrix B form a basis of L For 3-dimensional lattices, there is a choice of basis for which

Discrete Comput Geom (009) 4: 6 76 73 f takes the form f(x,x,x 3 ) = 3 i=0 j=0 3 ρ ij (x i x j ) for some nonnegative ρ ij satisfying ρ ii = 0 and ρ ij = ρ ji where x 0 = 0 (see, eg, [3]) Thus L is represented by these six parameters [ρ 0,ρ 0,ρ 03,ρ,ρ 3,ρ 3 ] The following theorem of Barnes and Sloane [3] expresses G(L) in terms of the ρ ij Recall that G(L) is defined as G(L) = E x Vor (L)[ x ] 3 det(l) /3 Theorem 36 (Theorem in [3]) Any 3-dimensional lattice L satisfies where and (4) G(L) = D S + S + K 36D 4/3, (3) D = det(l) = ρ0 ρ 0 ρ 03 + ρ0 ρ 3 (ρ 0 + ρ 03 + ρ + ρ 3 ), S = ρ 0 + ρ 0 + ρ 03 + ρ + ρ 3 + ρ 3, S = ρ 0 ρ 0 ρ 3 ρ 3 + ρ 0 ρ 03 ρ ρ 3 + ρ 0 ρ 03 ρ ρ 3, (4) K = ρ0 ρ 0 ρ 03 (ρ + ρ 3 + ρ 3 ) In addition, Barnes [] showed that the squared covering radius of a threedimensional lattice is given by ρ (L) = ( D S K 4min(ρ 0 ρ 03 ρ ρ 3,ρ 0 ρ 3 ρ 03 ρ,ρ 0 ρ 3 ρ 0 ρ 3 ) ) 4D In particular, we see that ρ (L) 4D (D S K) Here we are interested in bounding α (L) = E [ ZL, ] E x Vor (L)[ x = ] 3D ρ (L) = /3 G(L) ρ (L) (6) Weusehere(asin[3]) a notation for symmetric functions, so that (4) ρ0 ρ 0 ρ 03, for example, is an abbreviation for ρ 0 ρ 0 ρ 03 +ρ 0 ρ ρ 3 +ρ 0 ρ ρ 3 +ρ 03 ρ 3 ρ 3 The number (4) indicates the number of summands

74 Discrete Comput Geom (009) 4: 6 76 We derive the following lemma Lemma 37 Any lattice L of dimension at most three satisfies α (L) 3 Proof We first note that it is enough to consider lattices of dimension exactly three More generally, we claim that any lower bound on α p (L) for all (k + )-dimensional lattices holds also for all k-dimensional lattices To show this we consider an arbitrary lattice L of dimension k Obviously, the (k +)-dimensional lattice L (εz) satisfies α p (L (εz)) α p (L) as ε tends to 0, and this completes the argument By Theorem 36 and (6) we get D S + S + K α (L) = Dρ (L) D S + S + K 3 D S K 3 Remark 38 The inequality in Lemma 37 is an equality if and only if L is spanned by orthogonal vectors Indeed, for any L spanned by three orthogonal vectors, α (L) = Moreover, if L is a lattice of dimension three satisfying α 3 (L) = 3 then S = K = 0 This means that any multiplication of four of the ρ ij equals zero, ie, at least three of the ρ ij are zeros It can be shown that if this is the case, then L is spanned by three orthogonal vectors 4 Onthe AM Protocol for CRP In this section we relate α p to the complexity of the Covering Radius Problem (CRP) in the l p norm More precisely, we show a connection between α p and the approximation factor of CRP in the l p norm for which the problem is in the complexity class AM Let us start with some basic definitions (see [0] for some background on computational complexity) For any p and any factor γ, we define the following computational problem Definition 4 (Covering Radius Problem) An instance of GapCRP p γ is a pair (B, d) where B is a lattice basis and d Q is a rational number In YES instances ρ p (L(B)) d and in NO instances ρ p (L(B)) > γ d The complexity class AM is that of promise problems that can be verified by a protocol as follows A probabilistic polynomial-time verifier generates a challenge based on the input and sends it to an all-powerful prover The prover sends back a response, and then the verifier decides whether to accept We require that for every YES instance, the prover can act in such a way that the verifier accepts with probability at least p and that for any NO instance the verifier accepts with probability at most p no matter what strategy is played by the prover, where 0 p <p are two constants Like most other lattice problems, the covering radius problem seems very hard: the best known algorithm solves GapCRP p γ for any γ> in exponential time [8] On

Discrete Comput Geom (009) 4: 6 76 75 the other hand, the covering radius problem exhibits some unique properties from a computational complexity point of view (see [8] for more details) One of the most interesting facts in this respect is that for any p, GapCRP p is in AM [8] The proof of this fact is relatively simple and follows from the following AM protocol Given an instance (B, d), the verifier sends to the prover a uniformly random point x P(B), and the prover has to provide a lattice point y L(B) such that dist p (x, y) d Clearly,if(B, d) is a YES instance, then the prover can act in a way that the verifier accepts with probability On the other hand, if (B, d) is a NO instance, then by Lemma 3, with probability at least over the choice of x, there is no lattice point y L(B) such that dist p (x, y) d Moreover, it was shown in [9] that there exists a constant 0 <δ< such that for any large enough finite p and any γ< 3 p δ, GapCRP p γ is hard for Π, a complexity class in the second level of the polynomial-time hierarchy For the l norm, Π -hardness was shown there for any γ less than 3 It is interesting to mention in this context a result of Boppana et al [4] that states that if a Π -hard problem is in AM, then the polynomial-time hierarchy collapses to the second level, an event which is considered to be highly unlikely Thus we do not expect GapCRP p γ to be in AM for some γ for which it is Π -hard Our analysis of the AM protocol above is not necessarily tight An interesting open question raised in [8] is to determine the approximation factor achieved by this natural protocol Here we show that this factor is essentially α p Lemma 4 For any p, the AM protocol of GapCRP p γ given in [8] works for any γ> α p and fails for any γ< α p Proof Consider the AM protocol from [8] mentioned above Clearly, if (B, d) is a YES instance, then for any x R n, the prover can provide y L(B) such that dist p (x, y) d By Item of Theorem, for any factor γ bigger than α p,anyno instance is rejected by the verifier with constant probability On the other hand, by Item of Theorem, for any factor γ smaller than α p, there exist NO instances for which the verifier accepts with probability exponentially close to one, and the lemma follows Remark 43 One may wonder whether the protocol of [8] can be improved in the following way: the verifier sends a polynomial number of challenges to the prover (instead of one) and accepts if and only if the prover is able to respond to all of them However, by Item of Theorem, there are still NO instances which the verifier accepts with probability exponentially close to one Acknowledgements We thank the anonymous referees for their useful comments References Alon, N, Spencer, JH: The Probabilistic Method, nd edn Wiley Interscience Series in Discrete Mathematics and Optimization Wiley Interscience, New York (000) Barnes, ES: The covering of space by spheres Can J Math 8, 93 304 (956)

76 Discrete Comput Geom (009) 4: 6 76 3 Barnes, ES, Sloane, NJA: The optimal lattice quantizer in three dimensions SIAM J Algebr Discrete Methods 4(), 30 4 (983) 4 Boppana, R, Håstad, J, Zachos, S: Does co-np have short interactive proofs? Inf Process Lett 5, 7 3 (987) 5 Conway, JH, Sloane, NJ: Sphere Packings, Lattices and Groups, 3rd edn Springer, Berlin (998) 6 Durbin, J: Distribution Theory for Tests Based on the Sample Distribution Function SIAM CBMS- NSF Regional Conference Series in Applied Mathematics SIAM, Philadelphia (973) 7 Forney, GD, Jr: On the duality of coding and quantizing In: Coding and Quantization, Piscataway, NJ, 99 DIMACS Ser Discrete Math Theoret Comput Sci, vol 4, pp 4 Am Math Soc, Providence (993) 8 Guruswami, V, Micciancio, D, Regev, O: The complexity of the covering radius problem on lattices and codes Comput Complex 4(), 90 (005) Preliminary version in CCC 04 9 Haviv, I, Regev, O: Hardness of the covering radius problem on lattices In: Proc of th IEEE Annual Conference on Computational Complexity (CCC) (006) 0 Papadimitriou, CH: Computational Complexity Addison Wesley, Reading (994) Vallentin, F: Sphere covering, lattices, and tilings (in low dimensions) PhD thesis, Munich University of Technology (003)