Together with Rachel Player and Sam Scott (both also from the Information Security Group at Royal Holloway, University of London) we finally managed to put our survey on solving the Learning with Errors problem out. Here’s the abstract:

The Learning with Errors (LWE) problem has become a central building block of modern cryptographic constructions. This work collects and presents hardness results for concrete instances of LWE. In particular, we discuss algorithms proposed in the literature and give the expected resources required to run them. We consider both generic instances of LWE as well as small secret variants. Since for several methods of solving LWE we require a lattice reduction step, we also review lattice reduction algorithms and use a refined model for estimating their running times. We also give concrete estimates for various families of LWE instances, provide a Sage module for computing these estimates and highlight gaps in the knowledge about algorithms for solving the Learning with Errors problem.

And here is a slightly cleaned up version of the table of contents:

Introduction Notation & Tools Lattice Reduction Algorithms LLL Running Time Quality of Output Implementations BKZ BKZ 2.0 Quality of Output Running Time SVP Oracles Estimating ρ Asymptotic Behaviour Existing Estimates Estimates for t_k Overall Implementations Choosing m Strategies Short Integer Solutions (SIS) Bounded Distance Decoding (BDD) Solving for s Algorithms Exhaustive Search BKW Using Lattice Reduction To Distinguish Decoding Approach Lindner and Peikert Nearest Planes Solving BDD by Enumeration: an Update (Liu, Nguyen) Runtime Analysis Reducing BDD to uSVP Arora-Ge and Gröbner Bases Small Secret Variants Exhaustive Search Modulus Switching for Lattice Reduction Bai’s and Galbraith’s Embedding Small Secret BKW Arora-Ge and Gröbner Bases Examples Discussion

From the TOC you might have guessed that we’re trying to give a reasonably complete overview of strategies and algorithms for solving the Learning with Errors problem, including its small secret variant. Though, I should mention, that We’re exclusively focusing on the scenario, though, where we have access to as many LWE samples as we want. See the brief discussion in the introduction.

We also provide a Sage module for estimating the cost of solving concrete LWE instances. The code is available on bitbucket. You can play with it here.

Update (2015-03-13): We updated our survey based on feedback from various people. In particular, Paul Kirchner and Steven Galbraith pointed out mistakes and where we missed relevant literature.