Short Principal Ideal Problem in multicubic fields

Andrea Lesavourey; Thomas Plantard; Willy Susilo

doi:10.1515/jmc-2019-0028

Open Access Published by De Gruyter August 20, 2020

Short Principal Ideal Problem in multicubic fields

Andrea Lesavourey , Thomas Plantard and Willy Susilo

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2019-0028

Abstract

One family of candidates to build a post-quantum cryptosystem upon relies on euclidean lattices. In order to make such cryptosystems more efficient, one can consider special lattices with an additional algebraic structure such as ideal lattices. Ideal lattices can be seen as ideals in a number field. However recent progress in both quantum and classical computing showed that such cryptosystems can be cryptanalysed efficiently over some number fields. It is therefore important to study the security of such cryptosystems for other number fields in order to have a better understanding of the complexity of the underlying mathematical problems. We study in this paper the case of multicubic fields.

Keywords: Public-key cryptography; Post-quantum cryptography; Number Fields; Ideal lattice; Cryptanalysis; Unit Group; Cubic Field

1 Introduction

Given a number field K, an ideal lattice over K is simply an ideal I of 𝓞_K considered as a ℤ–module in ℝⁿ, where 𝓞_K is the ring of integers of K. It can be represented by an integral basis. In the simplest version of encryption using ideal lattices, such as in [15, 16, 20], we can consider a number field K and I = g𝓞_K a principal ideal with a short g when I is considered as a lattice. Short means that the euclidean norm of g is small compared to the determinant of I. Then K and I are public – with I which can be given by the Hermite Normal Form of a basis matrix of I for example – and g is the private key. The security of the cryptosystem relies on the hardness of finding g or another short generator. Finding a generator is called the Principal Ideal Problem (PIP) and is referred as one of the main tasks of Computational Number Theory by Cohen in [11]. Finding a short generator is referred as the Short Principal Ideal Problem (SPIP). The first advantage of such a system compared to a general lattice based system is that instead of storing a n² matrix to designate the lattice we can use a more compact representation. We therefore need less space to store the public and private keys. Moreover the algebraic structure of the fields we are working with allows faster computations. Because of this efficiency, ideal lattices – and more generally structured lattices – are under a lot of investigation to evaluate the security of lattice-based cryptosystems. By default an attack to recover the generator g is done in two steps:

recover a generator h of I;
find a short generator given h.

The first step corresponds to the PIP which is considered a hard problem in classical computational number theory. However it is shown that it can be efficiently done by using quantum computing as in [6]. The second is a reduction phase which is the kind of tasks that seem difficult even for quantum computers. In order to solve it, one may use the structure of the set of generators of I and the Log-unit lattice. This strategy was mentioned in [9] where it was claimed that in the case of cyclotomic fields the group of cyclotomic units has a good enough geometry in the Log-unit lattice to help recovering a short secret vector. A proper analysis of this situation has been done in [13] where the authors gave a bound for the norm of the vectors of the dual basis. More precisely they analysed a subgroup of the unit group which is easily computable and whose index is small i.e. close to 1. They showed that one can shorten a generator with respect to this subgroup and that an enumeration process allows to retrieve a short generator with respect to the full unit group. In [4] the authors studied another family of fields, namely the multiquadratic fields, and were able to recover a short generator of an ideal in classical polynomial time for a wide range of fields.

Objectives and results

In this paper we study the case of real multicubic fields i.e. fields generated by real cube roots of integers. We aim to show that such fields should not be used for cryptography in a post-quantum setting i.e. that one can retrieve a short generator using the Log-unit lattice. For this purpose we prove that their algebraic structure is similar to the one of multiquadratic fields so that the framework of the attack in [4] can be adapted to multicubic fields. We are able to compute units of degree 3ⁿ number fields for n up to 5. Experiments on the PIP show a success rate similar to the ones presented in [4].

Future work

Further work can consist in improving the results on multicubic fields and generalise the approach to number fields generated by p-root of integers for bigger primes p. This could lead to a better understanding on what can be done regarding ideal lattices. Moreover it would be interesting to work on other important tasks of computational number theory over these fields such as computing the class group. Another direction would be to study number fields with more complicated structures in order to look whether we can again find a good basis for the Log-unit lattice or not.

2 Background

Notations : The inner product is denoted by (⋅ | ⋅). When we consider a tuple (λ₁, …, λ_n) we can designate it by λ. An interval in the integers will be written ⟦a, b⟧. Given a rational number a we will write a3 or a13 its real cube root.

Lattices

A lattice is a discrete subgroup of ℝⁿ where n is a positive integer. A basis of a lattice 𝓛 is a basis of 𝓛 when considered as a ℤ-module. One way of representing a lattice is then to consider the matrix of a basis of the lattice. Let us denote by λ₁(𝓛) the norm of the shortest non zero vector of 𝓛. There is an approximation of λ₁(𝓛) called the Gaussian heuristic which tells that the expected value of λ₁(𝓛) is in O(r×det(L)r) where r is the rank of 𝓛. This gives an expected value for the norm of what we call a short vector. The classical problems over lattices are:

the Shortest Vector Problem (SVP) : «Given a a lattice 𝓛 of dimension n, find u ∈ 𝓛 ∖ {0} such that ∥u∥ = λ₁(𝓛)»;
the Closest Vector Problem (CVP) : «Given a lattice 𝓛 of dimension n and t ∈ ℝⁿ, find u ∈ 𝓛 such that ∀v ∈ 𝓛, ∥t – u∥ ⩽ ∥t – v∥;»;
the Bounded Distance Decoding (BDD) : «Given a basis B of a lattice 𝓛, a target vector t such that d(t, 𝓛) < λ₁(𝓛)/2, find the lattice vector v ∈ 𝓛 closest to t.».

In practice we can consider relaxed versions of these problems with respect to an approximation factor. For general lattices these problems are NP-hard thus at least as hard as factorising for example. Moreover we do not have any result showing that quantum computers can solve these problems for general lattices. These problems are easier to solve if we have a good basis at our disposal i.e. a basis built with relatively short vectors which are nearly orthogonal to each other.

Despite the hardness of these problems over random lattices, high-dimensional lattices are large objects and slow to handle. A way of copping with that is to work with lattices with extra algebraic structure such as ideal lattices. However this can introduce a security weakness as it may be easier to find good basis related to such lattices or to use the algebraic structure to solve lattice problems.

Number Fields

We will quickly recall some facts about number fields. A number fieldK is a field which is a finite extension of ℚ. It can always be described as a polynomial quotient ring

Q[X](P(X))

where P(X) is irreducible in ℚ[X]. Equivalently if we choose θ to be any root of P(X) we can see K as ℚ(θ) the smallest field containing ℚ and θ. If we write n the degree of P(X) then the dimension of K over ℚ – written [K : ℚ] – is n.

There are n distinct complex field embeddingsK ↪ ℂ denoted by σ₁, …, σ_n. They map θ to the other complex roots of P(X). We will write Hom(K, ℂ) for this set. Among them we have r₁ real embeddings and r₂ pairs of complex embeddings. The two elements of a given pair are conjugates one from each other. It is the usage to denote by σ₁, …, σ_r₁ the real embeddings and to consider that σ_j+r₂ = σ_j for all j ∈ ⟦r₁ + 1, r₁ + r₂⟧. Given a complex embedding σ ∈ Hom(K, ℂ) the set {x ∈ K | σ(x) = x} is a subfield of K. We will denote it by Inv(σ) or K_σ to follow notations used in [4].

The Galois Group of a field extension L/K denoted by Gal(L/K) is the group of field automorphisms of L which are congruent to the identity when restricted to K. It is a subset of Hom(L, ℂ). An extension L/K is called a Galois extension when the cardinality of Gal(L/K) equals the dimension [L : K]. Moreover the Galois correspondence states that given a Galois extension L/K there is a one-to-one correspondence between the subgroups of Gal(L/K) and the subfields of L containing K. Given a subgroup H of Gal(L/K) we will write Inv(H) the corresponding subfield of L. In the case of a number field K we say it is a Galois field if it is Galois as an extension of ℚ. For example the cyclotomic fields are Galois number fields as well as the multiquadratic fields. However this property is not verified by a general number field K and we have to consider the Galois closure of K, denoted by K͠, which is in fact the smallest extension containing all the roots of the irreducible polynomial P(X).

One ring of particular importance is the ring of integers ofKdenoted by 𝓞_K. It consists of the elements of K which are roots of a monic polynomial of ℤ[X]. This ring as well as its ideals are full rank sub-ℤ-module of K. The images of 𝓞_K and of any ideal I of 𝓞_K under the action of any embedding of K into ℝⁿ are lattices. The usual embedding corresponds to view a number field K as a quotient Q[X](f(X)). Then every element g(X) = g₀ + … + g_nXⁿ of K can be seen as the vector with coordinates (g₀, …, g_n) in ℝⁿ. The other fundamental example is called the Minkowski embedding and is

σ:K⟶Rnx⟼(σi(x))i∈ [[ 1,r1+r2 ]] .

The group of units of 𝓞_K written OK× is the set {u ∈ 𝓞_K | u^–1 ∈ 𝓞_K}. It has a specific structure that we can take advantage of. Given a number field K of degree n with n = r₁ + 2r₂ as before, we have

OK×≃ZmZ×Zr1+r2−1.

This isomorphism which allows to see the units of OK× modulo its torsion group as a lattice is realised by an important embedding which is the Log-embedding of K. It is defined as

LogK:K∗⟶Rr1+r2x⟼log(|σi(x)|)i∈ [[ 1,r1+r2 ]] .

The set Log_K(OK×) is a lattice of the hyperplane orthogonal to the all ones vector. It is called the Log-unit lattice. Sometimes we define the Log-embedding by using all of the embeddings σ_i. By doing so the Log-unit lattice is a lattice of rank r₁ + r₂ – 1 in ℝⁿ.

Given a family (x₁, …, x_n) of a number field K the discriminant D(x₁, …, x_n) is the rational number det((σ_j(x_i))_i,j)². Given 𝓞 a full-rank subring of 𝓞_K the discriminant of 𝓞 is D(x₁, …, x_n) where (x₁, …, x_n) is an integral basis of 𝓞. The discriminant of K – written D(K) – is the discriminant of its integer ring.

Ideal lattice cryptosystem

Recall that ideal based cryptosystems such as presented in [15, 16, 20] have in general a private key which is a short generator of a public ideal I. The security of such cryptosystems relies on the supposed hardness of finding such a generator given an ideal, problem called the Short Principal Ideal Problem. The Principal Ideal Problem consists in finding any generator of the principal ideal i.e. given an ideal I = g 𝓞_K, find some h such that I = h𝓞_K. As mentioned the process done to solve the SPIP relies essentially in two steps : solve the PIP and then shorten the retrieved generator. The set of generators of I is {gu | u ∈ OK×}. Therefore solving the PIP yields h = gu with u ∈ OK×. It is then possible to retrieve g from h by finding u. This is where we can use the Log-unit lattice. If we transpose the situation with the Log-embedding, for every generator h we have Log_K(h) = Log_K(g) + Log_K(u). Using that remark and finding the element of the Log-unit lattice closest to h it is possible to retrieve g. This corresponds to solve the Closest Vector Problem (CVP) with respect to the target h and the lattice Log OK×, and even the BDD because we know the generator g is short. The success of such a method is therefore dependent on the particular geometry of the Log-unit lattice meaning that we want to have access to a somehow good basis i.e. orthogonal enough. This attack requires to

solve the PIP : this is considered hard classically and can be done in quantum polynomial time;
compute OK× : as the PIP this is considered hard classically and can be done in quantum polynomial time;
shorten a generator h by solving the BDD with respect to Log_K(OK×) : this will depend on the basis obtained.

Multiquadratic fields

Multiquadratic fields are fields which are generated by a sequence of square roots of integers d1,…,dn. In [4] Bauch and al. proved that it is possible to compute the units OK× and solve the PIP efficiently using only a classical computer. This goes even further than for cyclotomic fields. They use the full unit group to solve the SPIP corresponding to the second part of an attack on an ideal lattice. In order to be able to do all of that they take advantage of the special structure of a multiquadratic field, particularly that it has a lot of subfields which are multiquadratic fields too. As in the cyclotomic case they exhibit a subgroup of the unit group that they call multiquadratic units. We can denote it by U. This subgroup is generated by the fundamental units of all quadratic subfields. Under the Log-embedding it constitutes a full rank sublattice of Log_K(OK×) and the fundamental units of quadratic subfields form an orthogonal basis. This is the best situation possible to solve lattices problem. However even if [OK× : U] is finite it is too large to be used in the same way as cyclotomic units are. It is however the fundamental stone to build the whole unit group. The algorithms of [4] rely essentially on the Lemma 5.1 which can be stated as

Lemma 2.1

LetKbe a multiquadratic field of dimension 2ⁿ. Then for allx ∈ K

x2∈K1K2K3

whereK₁, K₂andK₃are multiquadratic subfields ofKof dimension 2^n–1. Moreover ifxis a unit then the fields can be replaced by their unit group.

We see that if it is possible to compute the unit group of multiquadratic fields of degree 2^n–1 then we can compute a subgroup G of OK× such that (OK×)2 < G < OK×. The authors of [4] then prove that we can retrieve OK× from G with high probability. This last step require to compute square roots of element of K. Therefore in order to construct OK× from the units of subfields of K of degree 2^n–1 we only have to carry out products and square root operations. All of these can be done quickly in K. The algorithm then works recursively. It will compute the fundamental units of all the quadratic subfields using classical algorithms and will build the whole unit group by doing products and square root extractions. In order to solve the PIP in multiquadratic fields the authors of [4] use again the previous Lemma. If I = gO_K is a principal ideal then g² = g₁g₂g₃ where the g_i are the generators of the relative norm ideals N_{K/K_i}(I) which are ideals of 𝓞_{K_i} respectively. As before the algorithm works recursively to compute an element h which is a generator of I² then use the unit group to retrieve a generator of I. The last step of the attack is then carried using the Log-unit lattice and using a rounding algorithm. The results of experiments show a high rate of success.

3 Multicubic fields

In this section we will study multicubic fields i.e. number fields generated by cube roots of integers. Cubic fields have been well studied and one can find several results in textbooks or papers. See for instance [2, 11]. We still present some facts useful to our presentation. However we could not find papers on multicubic fields dealing with the results we are interested in. We prove that the structure of multicubic fields is similar to {the one of} multiquadratic fields so that the attack of Bauch and al. can be adapted. The facts that are needed for the algorithms to work are the following:

every subfield of a multicubic field is a multicubic field;
there is a structural result similar to Lemma 2.1 so that we can work recursively on subfieds.

Moreover we show that the situation in the Log-unit lattice is also similar because the fundamental units of the cubic subfields form an orthogonal basis of a full-rank sublattice.

3.1 First structural results

First we will present several facts concerning multicubic fields useful for our study. Let us start with a lemma on cubic fields that we will use later.

Lemma 3.1

Considerpandqtwo rational numbers which are not rational cubes. Then the cubic fields ℚ(p3) and ℚ(q3) are equal if, and only if, the following holds : p = q × a³orp = q² × a³, witha ∈ ℚ.

Definition 3.2

Consider n distinct integers d₁, …, d_n which are not rational cubes. We will call (real) multicubic field generated by d₁, …, d_n the number field K=Qd113,…,dn13.

Remark 3.3

The sequence elements not being cubes forbids ℚ to be a multicubic field. {Moreover we consider only real cube roots.} We have not supposed anything more about the defining sequence. For example several elements could be equal to each other. However we can always find a minimal sequence whose length will be proved to be equivalent to the dimension of the corresponding multicubic field.

Proposition 3.4

Every multicubic fieldK=Qc113,…,cm13can be defined by a sequence of cube-free integersd₁, …, d_nsuch that for none of the tuples of exponentsα = (α₁, …, α_n) ∈ ⟦0, 2⟧ⁿ ∖ {0} the product∏i=1ndiαiis a cube.

Proof

We will proceed by induction on m. If m = 1 then there is nothing to prove. Now suppose that the property is true for a fixed integer m ⩾ 1 and consider a multicubic field K=Qc113,…,cm+113 defined by m + 1 integers. Denote by L the multicubic field defined by the first coefficients c₁, …, c_m. We have K = Lcm+113 and by hypothesis L can be defined by cube-free integers d₁, …, d_n verifying the desired property. First we can assume that c_m+1 is cube-free. Secondly the integers d₁, …, d_n, c_m+1 define K as a multicubic field. If they verify the property then nothing more needs to be done. Suppose now that

∏i=1ndiαi×cm+1α=a3

for some (α₁, …, α_n, α) ∈ ⟦0, 2⟧ⁿ⁺¹ ∖ {0} and a ∈ ℤ. By induction hypothesis the product ∏i=1ndiαi is not a cube if (α₁, …, α_n) ≠ 0, therefore α ≠ 0 and we can write

cn+1α3=a∏i=1ndiαi3∈L

meaning that we have K = L and that K verifies the desired property.□

Definition 3.5

A sequence of integers defining a multicubic field K will be called reduced if it verifies the property of Proposition 3.4.

Proposition 3.6

ConsiderK=Qd113,…,dn13a multicubic field such thatd₁, … d_nis reduced. ThenKhas exactly3n−12cubic subfields of the form

Qd1α13×⋯×dnαn3

withα = (α₁, …, α_n) ∈ ⟦0, 2⟧ⁿ ∖ {0}. Moreover if we seeαandβas elements of (𝔽₃)ⁿwe have

Qd1α13×⋯×dnαn3=Qd1β13×⋯×dnβn3⟺α_=β_ or α_=2β_.

Proof

Consider α ∈ ⟦0, 2⟧ⁿ ∖ {0}. There is i ∈ ⟦1, n⟧ such that α ≠ 0. Then the product d1α1×⋯×dnαn is not a cube so d1α13×⋯×dnαn3 is not rational and therefore generates a subfield of K of degree 3 over ℚ. The subfields of the form considered are then cubic. Now consider two elements α and β such that

Qd1α13×⋯×dnαn3=Qd1β13×⋯×dnβn3.

By Lemma 3.1, this is equivalent to the existence of a rational a such that one of the three following possibilities is true:

d1α1×⋯×dnαn=d1β1×⋯×dnβn×a3(1)d1α1×⋯×dnαn=d12β1×⋯×dn2βn×a3(2)d1β1×⋯×dnβn=d12α1×⋯×dn2αn×a3(3).

Now consider μ and ν two non-zero elements of (𝔽₃)ⁿ. Write in ℤ the equality μ_i = ν_i + r_i + 3q_i with 0 ⩽ r_i < 3 for all i ∈ ⟦0, n⟧. Then we have

d1μ1×⋯×dnμn=d1ν1×⋯×dnνn×a3⟺∏i=0ndiri=a∏i=0ndiqi3⟺r_=0_.

since no product of d_i’s with corresponding exponents less than 2 can be a rational cube except for the trivial one, for we suppose the sequence d₁, …, d_n to be reduced. Combining this with the three previous possibilities we indeed obtain the searched equivalence relation. The claimed number of such cubic subfields is directly deduced by counting the possible α modulo this relation.□

Remark 3.7

Given K=Q(d113,…,dn13) defined by a reduced sequence and α ∈ ⟦0, 2⟧ⁿ ∖ {0} we denote by K_α the cubic subfield of K generated by the product ∏i=1ndiαi3.
When considering these subfields we will therefore identify ⟦0, 2⟧ⁿ with F3n. Given a fixed multicubic field defined by a reduced sequence, cubic subfields in the form mentioned in Proposition 3.6 are in one-to-one correspondence with elements α ∈ ⟦0, 2⟧ⁿ modulo multiplication by 2 over 𝔽₃, which is the same as the colinearity relation over the vector space (𝔽₃)ⁿ. Therefore these cubic subfields are univoquely parametrised by the lines or the hyperplanes of (𝔽₃)ⁿ. When considering these subfields we will therefore identify ⟦0, 2⟧ⁿ with (𝔽₃)ⁿ.
In fact we will see that all cubic subfields of a multicubic field are pure cubic fields of the previous form.

In order to study multicubic fields further we need to examine the set of the complex embeddings Hom(K, ℂ).

3.2 Set of complex embeddings and other results

Fix a set of n distinct integers {d₁, …, d_n} supposed to constitute a reduced sequence as before and let K be the multicubic field associated to it. The degree of K over ℚ is at most 3ⁿ. Given an embedding of K into ℂ, its action can be fully described by its action on each di3 and therefore by the embedding it defines when restricted to each of the cubic fields ℚ(di3). Now if we fix one d_i, the polynomial X³ – d_i factorises as

X3−di=(X−di3)(X−ζ3di3)(X−ζ32di3).

We suppose d_i to be cube-free so X³ – d_i is irreducible over ℚ. We then have the following isomorphism

Qdi3≃Q[X](X3−di)

and the three embeddings of ℚ (di3) into ℂ are the ℚ–linear maps which send di3 respectively to di3, ζ₃di3 and ζ32di3. We will denote these embeddings by σi(0),σi(1) and σi(2). Remark that σi(0) is the identity, that σi(1) and σi(2) are complex embeddings conjugate one to each other. Moreover all this description still applies to any cube-free integer m and the field Qm13, especially to the fields K_α. Thus we will similarly denote the three complex embeddings of K_α by σα_(0),σα_(1) and σα_(2). Finally any embedding K ↪ ℂ can be described as

⨂i=1nσi(βi),(β1,…,βn)∈ [[ 0,2 ]] n.

Given such a decomposition, the corresponding embedding will be written σ^(β).

Remark 3.8

We can see that in this situation too the sets ⟦0, 2⟧ⁿ and (𝔽₃)ⁿ can be identified. Then the data of an embedding of K into ℂ is equivalent to the data of a point in (𝔽₃)ⁿ. We do not know yet if all such points can be obtained, which is equivalent to proving that the dimension of K is 3ⁿ.

We will see that the duality of complex embeddings of K relatively to cubic subfields K_α can be expressed as a duality situation in (𝔽₃)ⁿ thanks to their geometric interpretation as points and hyperplanes. This will help in proving the following.

Theorem 3.9

ConsiderKdefined by a reduced sequenced₁, …, d_n. Then we have

[K : ℚ] = 3ⁿand∏i=0ndiαi3α_∈(F3)nis a ℚ–basis ofK;
the set Hom (K, ℂ) is exactly {σ^(β) | β ∈ (𝔽₃)ⁿ}.

We will study the action of an element σ^(β) of Hom(K, ℂ) on a cubic subfield K_α. Recall that the three possibilities for σ(β_)d1α13×⋯×dnα13 are

σα_(0)(d1α13×⋯×dnα13)=d1α13×⋯×dnα13;σα_(1)(d1α13×⋯×dnα13)=ζ3×d1α13×⋯×dnα13;σα_(2)(d1α13×⋯×dnα13)=ζ32×d1α13×⋯×dnα13.

We will relate the action of a morphism σ^(β) on a field K_α to a geometric relation between α and β as said earlier. Recall that we can think of α as an hyperplane and β as a point in the vector space (𝔽₃)ⁿ. Let us fix some notation. Given α ∈ (𝔽₃)ⁿ ∖ {0} and t ∈ 𝔽₃ we will write H_α(t) the affine hyperplane of (𝔽₃)ⁿ defined by the equation α₁X₁ + ⋯ + α_nX_n = t.

Proposition 3.10

LetK=Qd113,…,dn13be a multicubic field, α ∈ (𝔽₃)ⁿ ∖ {0} andβ ∈ (𝔽₃)ⁿ. Then for anyt ∈ 𝔽₃we have

(σ(β_))|Kα_=σα_(t)⟺β_∈Hα_(t).

Proof

We need to evaluate σ^(β) on d1α13×⋯×dnαn3. We have

σ(β_)∏i=1ndiαi3=⨂k=1nσk(βk)∏k=1ndkαk3=∏k=1nσk(βk)(dkαk3)=∏k=1n(σk(βk)(dk13))αk=∏k=1n(ζ3βkdk13)αk=∏k=1nζ3αkβk∏k=1ndkαk3=ζ3α1β1+⋯+αnβn∏k=1ndkαk3.

Thus we have (σ^(β))_{|K_α} = σα_(t) if, and only if, ζ3α1β1+⋯+αnβn=ζ3t which is equivalent to α₁β₁ + ⋯ + α_nβ_n = t.□

Remark 3.11

We see that in order to analyse how the action of the embeddings of K are distributed among the different cubic subfields we have to do some affine geometry. First, the data of a cubic subfield is the same as the data of α modulo multiplication by a non-zero element of 𝔽₃ or equivalently the vectorial hyperplane H_α(0). One can verify that the relation of the previous Proposition is coherent with the equality of K_α and K_2α by making the observation that H_α(2t) = H_2α(t)

Now we will describe more precisely the action of the morphisms σ_i for i ∈ ⟦0, n⟧.

Lemma 3.12

LetKbe a multicubic field defined by a reduced sequenced₁, …, d_n. Then for allα ∈ (𝔽₃)ⁿ, i ∈ ⟦0, n⟧ andk ∈ ⟦0, 2⟧ we have

σi∏j=0ndjαj3=ζ3k∏j=0ndjαj3⟺αi=k.

Proof

This is applying the above Proposition and remarking that this is true for a null α.□

Lemma 3.13

LetKbe a multicubic field defined by a reduced sequence of integersd₁, …, d_n. Suppose thatKverifies the properties of Theorem 3.9. Then for allx ∈ Kthe following assertions are equivalent:

∀σ ∈ Hom(K, ℂ), ∃k ∈ ⟦0, 2⟧, σ(x) = ζ3k × x;
∃α ∈ (𝔽₃)ⁿ, ∃a ∈ ℚ, x = a∏i=0ndiαi3.

Proof

Consider x ∈ K. We already know that the second assertion implies the first one. Suppose now the first condition to be true. Since we assumed K to verify the properties of Theorem 3.9, x can be written as

∑α_∈(F3)nxα_∏i=0ndiαi3

with x_α ∈ ℚ for every α ∈ (𝔽₃)ⁿ and write Supp(x) = {α ∈ (𝔽₃)ⁿ | x_α ≠ 0}. There is nothing to prove if Supp(x) is the void space so we assume it is not trivial. The property being true for all morphisms is equivalent to be true for σ_i for all i ∈ ⟦1, n⟧. Fix such an integer. We can write x = x₀ + x₁ + x₂ with

xt=∑α_∈(F3)n∣αi=txα_∏i=0ndjαj3

for all t ∈ ⟦0, 2⟧. By Lemma 3.12 we have σ_i(x) = x₀ + ζ₃ × x₁ + ζ32 × x₂. There is some k_i ∈ ⟦0, 2⟧ such that σ_i(x) = ζ3ki(x₀ + x₁ + x₂). Let us show that x is equal to x_{k_i}. We will do the calculation for k = 1 and omit the two other cases since they are almost identical. Therefore we have x₀ + ζ₃ × x₁ + ζ32 × x₂ = ζ₃(x₀ + x₁ + x₂) and we can write x₀(1 – ζ₃) + x₂(ζ32 – ζ₃) = 0 which leads to x₀(1 – ζ₃) – x₂(1 – ζ₃)ζ₃ = 0. This is equivalent to x₀ – x₂ × ζ₃ = 0 and since x₀ and x₂ are real numbers it is equivalent to x₀ = x₂ = 0, and we can conclude that we have x = x₁ = x_{k_i}. Remark that we proved that Supp(x) ⊆ {α ∈ (𝔽₃)ⁿ | α_i = k_i}. The action of the morphism σ_i forces the elements of Supp(x) to have a fixed ith coordinate. Geometrically Supp(x) is included in an hyperplane of (𝔽₃)ⁿ. By considering all of such morphisms we can see that we have

Supp(x)⊆α_∈(F3)n∣α1=k1∩⋯∩α_∈(F3)n∣αn=kn

which is the point k = (k₁, …, k_n). But Supp(x) is not trivial so it is equal to this point and we can finally write x=xk_∏i=0ndki3 which gives us the desired result.□

Now that we have these results we can prove Theorem 3.9.

Proof

We will proceed by induction on the length n of the sequence d₁, …, d_n. We proved the case n = 1 during the discussion at the beginning of the subsection. Now fix some integer n ⩾ 1 and suppose the searched results to be true for this n. Let K be a multicubic field defined by a reduced sequence d₁, …, d_n+1. Consider L the multicubic field defined the reduced sequence d₁, …, d_n. Then K = L(dn+113). First let us show that K has degree 3ⁿ⁺¹ over ℚ. Since by induction [L : ℚ] = 3ⁿ, we need to prove that dn+113 does not belong to L. Suppose the contrary. Every element of Hom(L, ℂ) permutes the roots of X³ – d_n+1 therefore sends dn+113 to some ζ3kdn+113 with k ∈ ⟦0, 2⟧. By induction hypothesis L verifies the properties of the Theorem so we can apply Lemma 3.13 to L and dn+113 obtaining

dn+113=a∏i=1ndiαi3

which implies the equality

Qdn+113=Q∏i=1ndiαi3.

This is impossible because the sequence d₁, …, d_n+1 is reduced. Therefore we have dn+113 ∉ K and [K : ℚ] = 3ⁿ⁺¹. Let us now prove that the complex embeddings of K are exactly those of the described form. Using the induction hypothesis it is clear that there are 3ⁿ⁺¹ such morphisms and this gives us the desired result. □

We will pursue the study of complex embeddings of multicubic fields by considering its Galois closure. We will be able to deduce from this other structural results on the field considered. Let us fix K a multicubic field generated by a reduced sequence d₁, …, d_n. We will see that K̃ is K(ζ₃). Given σ ∈ Hom(K, ℂ) a complex embedding of K we will write σ̃ the field morphism of K(ζ₃) obtained as

K(ζ3)⟶K(ζ3)x∈K⟼σ(x)ζ3⟼ζ

and τ the morphism which acts as the complex conjugation.

Proposition 3.14

The Galois closure ofKis thenK(ζ₃) and its Galois group is generated by the set {τ} × {σ̃_i | i ∈ ⟦1, n⟧}. Moreover it is isomorphic to the group

Z2Z⋉Z3Zn=〈s,r1,…,rn∣s2=1,ri3=1,srisri=1〉.

Proof

The field K(ζ₃) has dimension 2 × 3ⁿ over ℚ. Therefore in order to prove that it is Galois with the claimed Galois group it suffices to prove that the last has cardinality 2 × 3ⁿ. Denote it by G for the sake of the proof. By the previous study on complex embeddings of K we already know that the group generated by the σ̃_i has order 3ⁿ which divides the order of G. Moreover the complex conjugation has order 2 which again divides the order of G. Therefore 2 × 3ⁿ divides the order of G which is smaller than the dimension of K(ζ₃) and we have the desired result. Now let us prove that G has the announced structure. We already stated that the complex conjugation has order 2. Clearly the σ̃_i commute and we have σ~ik(di13)=ζ3kdi13 proving that all of the σ̃_i have order 3 and that they generate a subgroup isomorphic to (Z3Z)n. Let us prove that the last relation holds. For all i ∈ ⟦1, n⟧ we have

τσ~iτσ~i(di13)=τσ~i(τ(ζ3di13))=τσ~i(ζ32di13)=τ(d13)=d13

and

τσ~iτσ~i(ζ3)=τσ~i(τ(ζ3))=τσ~i(ζ32)=τ(ζ32)=ζ3

which means that τσ̃_iτσ̃_i is indeed the identity morphism on K̃.□

Remark 3.15

We can see that any element of Gal(K͠ / ℚ) can be written uniquely as τα∏i=1nσ~iβi with (α, β₁, …, β_n) ∈ 𝔽₂ × (𝔽₃)ⁿ.

As said before we will use the Galois group to study the structure of the multicubic field K. Recall that given a Galois extension M/N there is a correspondence between subgroups of the Galois group Gal(M/N) and subfields of the extension, which is given by invertible decreasing maps.

Remark 3.16

Let F be a subfield of K͠. Then F is a subfield of K = Inv(τ) if, and only if, the group associated to F contains τ.

One of the first properties that we can deduce from the structure of the Galois group is that the cubic subfields of the form K_α considered previously are all of the cubic subfield.

Proof

Consider F a cubic subfield of K. The associated subgroup H of the Galois group Gal(K͠/ℚ) is generated by a set

S=τα(1)∏i=1nσ~iβi(1),…,τα(r)∏i=1nσ~iβi(r)

with r ⩾ 1. Since F is real we know that τ belongs to H and we can consider that we have

S=τ,∏i=1nσ~iβi(1),…,∏i=1nσ~iβi(r)

and therefore we can see that the data of H is the same as the data of the subgroup generated by S ∖ {τ} which is a subgroup of (Z3Z)n. Moreover we have [K͠ : F] = 2 × 3^n–1 thus the order of H is the same by the Galois correspondence and therefore the group generated by S ∖ {τ} has order 3^n–1. Cubic subfields of K are then in one-to-one correspondence with subgroup of (Z3Z)n. of order 3^n–1. Counting the last is equivalent to counting sub-vector spaces of (𝔽₃)ⁿ of dimension 3^n–1 or 3. Their number is

n33=(3n−1)(3n−1−1)…(3n−(n−1)−1−1)(3n−1−1)(3n−2−1)…(3−1)=3n−12.

We saw in Proposition 3.6 that there are 3n−12 cubic subfields of the form K_α.□

The cubic subfields are of particular interest for us because as in the multiquadratic case, we will compute their units and construct from these the units of K. As we will see later their number is the one we need.

Lemma 3.17

Any subfieldFofKof degree 3^n–1is of the form Inv(σ̃^(β), τ) and is a multicubic field.

Proof

We have [K͠ : F] = 6 therefore the associated subgroup H of Gal(K͠ / ℚ) has order 6. Since F ⊂ K we know that τ is in H and by using the orders we can conclude that H is generated by τ and only one σ̃^(β) with β ≠ 0. Let fix these notations for the proof. We write I = {i₁, i₂, …, i_r} the set of indexes of the non-zero coefficients of β. We can suppose i₁ < … < i_r. Now consider the sets

S={dj13∣j∈ [[ 1,n ]] ∖I}

and

T=di12−δβi1,βik3dik13∣k∈ [[ 2,r ]] .

Then the cardinal of T is r – 1 and any element of T is invariant under the action of σ̃^β. The field L = ℚ(S ∪ T) is therefore a field defined by n – r + r – 1 = n – 1 cube roots of integers and its elements are invariant under the action of σ̃^(β). Recall that we assumed the sequence d₁, …, d_n to be reduced. This implies that neither the elements d_j nor the elements di12−δβi1,βikdik are cubes. Thus we know that L is a multicubic field. Let us show now that the sequence defined by S ∪ T is a reduced sequence. First write for simplicity λ_{i_k} = 2 – δ_{β_i₁,β_{i_k}} which is 1 or 2. Consider now without any loss of generality that we have I = ⟦1, r⟧. Let (α₂, …, α_n) ∈ (𝔽₃)^n–1 and assume that

P=∏k=2r(d1λkdk)αk×∏k=r+1ndkαk=d1α1∏k=2ndkαk

– where α₁ = ∑k=2rλ_kα_k – is a cube. We can write α₁ = 3q + r with 0 ⩽ r < 3 thus the product

d1r∏k=2ndkαk

is a cube. But (r, α₂, …, α_n) ∈ 𝔽₃ and the sequence (d₁, …, d_n) is reduced therefore r = α₂ = … = α_n = 0. Consequently the sequence defined by S ∪ T is reduced too. Now L is a multicubic field defined by a reduced sequence of length n – 1 so by Theorem 3.9 it has degree 3^n–1. Finally L ⊂ F and they have the same degree so they are identical which means that F is indeed a multicubic field.□

Theorem 3.18

LetKbe a multicubic field. Any subfieldFofKis a multicubic field.

Proof

We will proceed by induction on [K : F]. The previous Lemma states that it is true for [K : F] = 3¹. Consider the result to be true for [K : F] = 3^r for some r ⩾ 1 and suppose [K : F] = 3^r+1. As usual write H the subgroup of Gal(K͠/ℚ) such that F = Inv(H). Just as before we can write H = 〈τ, σ̃^(β₁), …, σ̃^(β_r+1)〉. Denote by L the field fixed by the group 〈τ, σ̃^(β₁), …, σ̃^(β_r)〉 < H. By the Galois correspondence we know that [K : L] = 3^r and that F is subfield of L with [L : F] = 3. The induction hypothesis states that L is multicubic field and we can apply again the previous Lemma to the extension L/F to conclude that F is a multicubic field too.□

We see that the structure of multicubic fields is similar to the one of multiquadratic fields even if they are not Galois. This structure will allow us to work recursively and fasten considerably our computations. The following result is similar to Lemma 5.1 in [4] and is a generalisation of a result over bicubic fields proved by Charles Parry in [18].

Notation : For now on if σ̃ is an element of Gal(K͠/ℚ) we will denote by K_σ̃ the field Inv(τ, σ̃) = K̃_σ̃ ∩ ℝ, and by H(K̃) the subgroup {σ̃ | σ ∈ Hom(K, ℂ)}.

Proposition 3.19

LetKbe a multicubic fieldwith [K : ℚ] > 3. Consideruandvtwo elements ofH(K̃) which are independent. Then for anyx ∈ Kwe have

x3=xuxvxuvxu2v

wherex_w ∈ K_wfor everyw ∈ {u, v, uv, u²v}. Moreover ifxis a unit ofKthenx_wis a unit ofK_wfor allw ∈ {u, v, uv, u²v}.

Proof

As mentioned before the proof relies exactly on the same idea that appears in [4, 18]. For every element x ∈ K we can rewrite the cube as

x3=x⋅u(x)⋅u2(x)⋅x⋅v(x)⋅v2(x)⋅x⋅uv(x)⋅(uv)2(x)u(x)⋅u2(x)⋅v(x)⋅v2(x)⋅uv(x)⋅(uv)2(x)=NK~/K~u(x)NK~/K~v(x)NK~/K~uv(x)NK~/K~u2v(u(x)⋅uv(x)).

Then for all w ∈ {u, v, uv, u²v} we write x_w the relative norm element corresponding to w in the previous expression. Since x is an element of K any of the norm in the numerator N_{K̃/K̃_w}(x) is in the fact the same as the relative norm N_{K/K_w}(x) which is an element of K_w. The relative norm N_{K̃/K̃_u²v}(u(x) ⋅ uv(x)) is in K̃_u²v. However x³ is in ℝ as well as the numerator therefore N_{K̃/K̃_u²v}(u(x) ⋅ uv(x)) is in K̃_u²v ∩ ℝ = K_u²v. The statement concerning units is clear given the algebraic expression of the elements as relative norms.□

3.3 Unit Group

The structure of the unit group of a number field is related to its complex embeddings. Consider a multicubic field K defined by a reduced sequence d₁, …, d_n. We can see that a multicubic field K has only one real embedding – the identity – and 3ⁿ – 1 complex ones. Therefore we know that the group of units OK× is isomorphic to

Z2Z×Z3n−12.

In the special case of the cubic subfields K_α we have

OKα_×≃Z2Z×Z.

Then for every α we can write OKα_×=±(ϵα_)k∣k∈Z with ϵ_α > 1 just as in the quadratic case. This specific generating unit will be called the fundamental unit. Just as the authors of [4] defined the subgroup of multiquadratic units we will define the subgroup of multicubic units using the units of cubic subfields.

Definition 3.20

Consider a multicubic field K=Qd113,…,dn13 defined by a reduced sequence. We call multicubic units and write MCU(K) – or MCU if there is no ambiguity – the subgroup of OK× generated by the set {–1, ϵ_α | α ∈ (𝔽₃)ⁿ}.

Just as in the multiquadratic case we will see that MCU is a full-rank subgroup of OK× and that the basis {ϵ_α | α ∈ (𝔽₃)ⁿ} yields an orthogonal basis under the action of the Log-embedding.

Notation : Given an integer k and a subset S of a field F we will denote by S^k the set {x^k | x ∈ S}.

Proposition 3.21

LetKbe a multicubic field of degree 3ⁿ. Then we have

(OK×)3n−1<MCU.

Moreover MCU is a full-rank subgroup ofOK×such that [OK× : MCU] divides3(n−1)⋅3n−12and the set {–1, ϵ_α | α ∈ (𝔽₃)ⁿ} is in fact a basis.

Proof

The result is trivial for n = 1. Now assume it is true for some fixed n ⩾ 1 and let K be a multicubic field of degree 3ⁿ⁺¹. As stated in Proposition 3.19 we have

(OK×)3<OKu×OKv×OKuv×OKu2v×

with u, v being two elements of H(K̃). Then for every w ∈ {u, v, uv, u²v} the field K_w is a subfield of K of dimension 3ⁿ. Since it is a multicubic field too it verifies the recursion hypothesis. Therefore (OKw×)3n−1 is included in MCU(K_w) which is itself included in MCU(K). Thus we have

(OK×)3n=((OK×)3)3n−1<(OKu×OKv×OKuv×OKu2v×)3n−1<MCU(K).

We have proven the first result. The property on the index follows immediately from (OK×)3n−1 < MCU(K) < OK× and the fact that the units of a multicubic field of degree 3ⁿ is a free group of rank 3n−12. The previous tower of groups shows that MCU is indeed a full-rank subgroup of OK× and since the cardinal of the generating set {–1, ϵ_α | α ∈ (𝔽₃)ⁿ} equals the rank of the group we can conclude that this set is a basis of MCU.□

In order to study the geometry of the lattice Log_K(MCU) we need to evaluate the action of each embedding σ^(β) on the units ϵ_α which is induced by the action of the embedding on the cubic field K_α and thus on d1α13×⋯×dnα13. Recall that we introduced a geometrical point of view regarding this duality situation in Subsection 3.2. We will use it to describe properly the vectors Log_K(ϵ_α). The following proposition can be deduced from known affine geometric results.

Notation : Given a vector space V and a family (f₁, …, f_r) in V we will write Vect(f₁, …, f_r) the subvector space generated by this family.

Proposition 3.22

Considerrelementsα₁, …, α_rlinearly independent in (𝔽₃)ⁿ. We have the following geometric facts:

For every r-tuple (t₁, …, t_r) of elements of 𝔽₃, the intersection⋂k=1rHα_k(tk)defines an affine variety of dimension n – r.
For everyr-tuple (t₁, …, t_r) and everyγ ∉ Vect(α₁, …, α_r) we have
⋂k=1rHα_k(tk)=⨆t∈F3⋂k=1rHα_k(tk)∩Hγ_(t).

If we transfer this in the setting of number fields and embeddings, we can tell that the actions of the embeddings of a multicubic field K into ℂ are uniformly distributed among the cubic subfields of the form K_α. This well distributed duality will give rise to a nice geometric situation in the Log-unit lattice. Here we consider the Log map as follow

LogK:K∗⟶R3nx⟼(log|⨂i=1nσi(βi)(x)|)βi∈F3.

Proposition 3.23

Consider a multicubic fieldK=Qd113,…,dn13.The vectors Log_K(ϵ_α) withα ∈ (𝔽₃)ⁿ ∖ {0} form an orthogonal family in ℝ^3ⁿ.

Proof

Consider α and γ two elements of (𝔽₃)ⁿ independent over 𝔽₃. We will evaluate the scalar product of Log_K(ϵ_α) and Log_K(ϵ_γ).

LogK(ϵα_)∣LogK(ϵγ_)=∑σ∈Hom(K,C)log|σ(ϵα_)|×log|σ(ϵγ_)|=∑β_∈(F3)nlog|σ(β_)(ϵα_)|×log|σ(β_)(ϵγ_)|.

Now we will use the geometric properties described before to rewrite the sum over well distributed subsets. First recall that (𝔽₃)ⁿ = ⨆_t∈𝔽₃H_α(t) which allows us to write

We can decompose the hyperplanes H_α(t) as H_α(t) = ⨆_s∈𝔽₃H_α(t) ∩ H_γ(s) and we can write

In the right-hand side of the previous equality, every term of the second sum have the same value. Moreover the set we are summing over has 3^n–2 elements since it is a (n – 2)– dimensional affine variety of (𝔽₃)ⁿ. This gives us

∑β_∈Hα_(t)log|σ(β_)(ϵγ_)|=∑s∈F33n−2×log|σγ_(s)(ϵγ_)|

and the scalar product can be rewritten

The elements ϵ_α and ϵ_γ are units thus their algebraic norm is ±1 and the scalar product is

LogK(ϵα_)∣LogK(ϵγ_)=3n−2×log1×log1=0.

□

The orthogonality of the vectors Log_K(ϵ_α) assures that we are in the best situation possible to solve problems in the lattice Log_K(MCU). However in order to use this sublattice to decode in the Log-unit lattice it would need to be close from Log_K(OK×) which is not the case experimentally. We can evaluate the norm of the basis vector of Log_K(MCU).

Lemma 3.24

Consider a multicubic fieldK=Qd113,…,dn13.Then for allα ∈ (𝔽₃)ⁿ ∖ {0} we have

∥LogK(ϵα_)∥2=3n−1×∥LogKα_(ϵα_)∥2.

Proof

By following the same arguments as in previous calculations we can write

LogK(ϵα_)∣LogK(ϵα_)=∑t∈F3∑β_∈Hα_(t)log|σ(β_)(ϵα_)|×log|σ(β_)(ϵα_)|

which is

∥LogK(ϵα_)∥2=∑t∈F3∑β_∈Hα_(t)log|σα_(t)(ϵα_)|×log|σα_(t)(ϵα_)|

but H_α(t) has 3^n–1 elements so

∥LogK(ϵα_)∥2=∑t∈F33n−1×log|σα_(t)(ϵα_)|×log|σα_(t)(ϵα_)|=3n−1×∥LogKα_(ϵα_)∥2.

□

Now we will be able to express the norm of Log_K(ϵ_α) in function of the value of ϵ_α.

Proposition 3.25

Consider a multicubic fieldK=Qp113,…,pn13.Then for allαwe have

∥LogK(ϵα_)∥=3n2×log(ϵα_).

Proof

We will use the expression found in the previous lemma and express the quantity ∥Log_{K_α}(ϵ_α)∥². First recall some facts. We have ϵ_α > 1 therefore log(|ϵ_α|) = log(ϵ_α) > 0. Moreover the quantity σ_α(ϵ_α) and σα_(2)(ϵα_) are conjugates thus they have the same modulus. We can write

∥LogKα_(ϵα_)∥2=(log(ϵα_))2+2(log|σα_(ϵα_)|)2.

Then we know that we have

log(ϵα_)+2log|σα_(ϵα_)|=log|NKα_(ϵα_)|=0

which gives

log|σα_(ϵα_)|=−log(ϵα_)2.

By using this equality we obtain

∥LogKα_(ϵα_)∥2=(log(ϵα_))2+2×−log(ϵα_)22=32×(log(ϵα_))2

and by consequence

∥LogK(ϵα_)∥2=3n−1×32×(log(ϵα_))2=3n2×(log(ϵα_))2.

The searched equality is found by taking the square root of the previous equation.□

3.4 Discriminant

We will now establish a formula for the discriminant of multicubic fields. The proofs are left in Appendix. See [11] for cubic fields and [10] for bicubic fields.

Lemma 3.26

Consider a bicubic fieldK=Qd13,d23defined by cube-free integersd₁andd₂. Then for any prime integerpifpdividesd₁then one can assume thatpdoes not divided₂i.e. K=Qd1′3,d2′3andp ∤ d2′.

Lemma 3.27

Consider a multicubic fieldK=Q(d113,…,dn13).Write ℙ(d) the set of primes dividing∏i=1ndi.Then we have:

∀p∈P(d_), one can assume p∣d1,∀i>1,p∤di.

Lemma 3.28

Consider a bicubic fieldK=Qd13,d23defined by cube-free integersd₁andd₂such that 3 does not divided₁d₂. Then one can always assume that one of the following is true

d1=±1(mod 9),d2=±1(mod 9)d1=±1(mod 9),d2≠±1(mod 9)

Proposition 3.29

Consider a multicubic fieldK = ℚ(d113,…,dn13)defined by a reduced sequence. We can always assume one of the following is true:

∀i ∈ ⟦1, n⟧, d_i = ± 1 (mod 9);
d₁ = 2, 4, 5, 7 (mod 9) and ∀i ∈ ⟦2, n⟧, d_i = ± 1 (mod 9);
d₁ = 0 (mod 3) and ∀i ∈ ⟦2, n⟧, d_i = ± 1 (mod 9);
d₁ = 0 (mod 3), d₂ = 2, 4, 5, 7 (mod 9) and ∀i ∈ ⟦3, n⟧, d_i = ± 1 (mod 9).

Theorem 3.30

(Discriminant of a multicubic field). Consider a multicubic fieldK = ℚ(d113,…,dn13)withn ⩾ 2. Assume thatdis in one of the four possibilities of Proposition 3.29. Then the absolute discriminant ofKverifies

D(K)=3α∏p∈P(d_)∖{3}p2×3n−1

withαbeing:

α=3n−12(i).3n+3n−1−12(ii).2×3n−1+3n+3n−1−12(iii).2×3n+3n−2−12(iv).

One can deduce from Theorem 3.30 the following result.

Proposition 3.31

Consider a multicubic fieldK = ℚ(d113,…,dn13). LetSbe the sequence of the cube-free part of the elements of(∏i=1ndiαi)α_∈(F3)n.LetBbe the ℚ-basis ofKwhich is constituted by the cube roots of the elements ofS. Then we have 3ⁿ 𝓞_K < ℤ[B] < 𝓞_K.

Proof

Remark that D(ℤ[B]) | D(3ⁿ𝓞_K).□

4 Algorithms and experiments

In all the following we will consider multicubic fields defined by reduced sequence. Fix the field K = ℚ(d113,…,dn13). We proved that K has dimension 3ⁿ over ℚ and that the elements of the form

∏i=1ndiαi3

with α ∈ ⟦0, 2⟧ⁿ form a basis of K/ℚ. In fact we can consider the cube-free part of each of these elements which we will do in all the following. Therefore elements of K are represented as vectors of length 3ⁿ with rational coefficients. Moreover we can see K as a relative extension of degree 3 over a multicubic subfield of dimension 3^n–1 over ℚ. The most natural is to write K as L(dn13) with L = ℚ(d113,…,dn−113). If we choose this point of view we can see elements of K as vectors of length 3 with coefficients in the subfield L.

As we saw already one important tool for us is the Log-embedding. As in [4] we will not compute the exact Log-embedding but an approximate version of it, very much like the authors did. This leads us to represent any non zero element x ∈ K by the pair (x, ApproxLog_K(x)) where x is a vector with rational coefficients as described before and ApproxLog_K(x) will be a vector as described later.

In the following we make an extensive use of the LLL algorithm presented in [17] to solve multivariate linear systems.

General procedure

In [4] the authors compute units of a multiquadratic field K as follow:

Recursively compute the units of three subfields K₁, K₂, K₃ which verify (OK×)2<U=∏i=13OKi×<OK×;
Find non trivial squares of U;
Calculate their square roots.

For multicubic fields this general procedure can be followed : only replace “squares” by “cubes” and consider four subfields in the first step as in Proposition 3.19. The step (ii) can be directly adapted and is described in Subsections 4.1 and 4.2 however computing cube roots is more complicated as seen in Subsection 4.3.

4.1 Finding Good Primes

As in [4] we will need to be able to find primes verifying fixed cubic conditions with respect to the d_i’s. Consider (d₁, …, d_n) a reduced sequence and C = (c₁, …, c_n) ∈ {0, 1}ⁿ. A good prime for d and C is a prime p such that d_i is a cube modulo p if, and only if, c_i is 1.

In particular we need to find good primes p for the condition sequence (1, …, 1) in order to construct morphisms from K^* into finite fields 𝔽_p. Remark that the primes should not divide any of the d_i. Now if we fix a prime p > 3 we have the following situation:

if p ≡ 1 (mod 3) then 𝔽_p contains a fundamental cube root of unity and Fp∗(Fp∗)3≃F3;
if p ≡ 2 (mod 3) then 𝔽_p does not contain a fundamental cube root of unity and Fp∗(Fp∗)3≃1.

Therefore we can have different strategies depending on our goal. If we want the condition (1, …, 1) to be verified we might consider primes only congruent to 2 modulo 3 as long as we do not need a non-trivial cube root of 1 to be in the field 𝔽_p. Otherwise we have to consider primes which are congruent to 1 modulo 3.

Let us now describe how the algorithm operates in this case. First we have to draw a prime p and verify that it is not congruent to 2 modulo 3. This happens with probability 12. Then we have to check whether the sequence of cube conditions C is verified by (d₁, …, d_n) and p. We know that dip−13 (mod p) has order 1 or 3 which is equivalent to d_i being a cube or not. We have therefore Algorithm 1 named OneGoodPrime where we make use of two functions : CheckCubeCondition which has been explained and DrawPrime which corresponds to the way we select the candidates for the prime numbers. One can follow [4] and generate a random prime number in a range given as argument. We could also generate a random prime first and then draw the next prime.

Algorithm 1

Finding a good prime for a sequence d and a condition sequence C.

Require: A reduced sequence (d₁, …, d_n) and C = (c₁, …, c_n) ∈ {0, 1}ⁿ

Ensure: A prime p which does not divide any of the d_i’s and such that for all i ∈ {0, n} we have : (d_i is a cube modulo p) = c_i.

1: b ← false

2: Whileb = false do

3: p ← DrawPrime

4: whilep (mod 3) ≡ 2 do

5: p ← DrawPrime

6: end while

7: b ← ⋀i=1n CheckCubeCondition(d_i, p, c_i) ⊳ logical AND

8: end while

9: returnp

For a random prime p ≡1 (mod 3) the probability that the ith cube condition is true is equal to 23 if c_i = 0 and 13 if c_i = 1. Therefore if Hw(C) designates the Hamming weight of C we have

P(⋀i=1nCheckCubeCondition(di,p,ci)=true)=(13)Hw(C)×(23)n−Hw(C).

In average the algorithm will try 3n2n−Hw(C) primes before finding one verifying the condition sequence C. In particular the probability that all d_i’s are cubes in 𝔽_p is 13n and the algorithm will try 3ⁿ primes before finding one verifying the condition sequence C = (1, …, 1).

Complexity : We obtain a complexity essentially in O(N).

4.2 Detecting cubes

One important procedure in [4] consists in finding non trivial products of a given family of K^* which are squares. In the case of multicubic fields we need to detect cubes. We consider U = 〈u₁, …, u_m〉 a subgroup of K^*. We need to compute non trivial “cubic characters” from U to 𝔽₃. To do so we will use several primes p to create non trivial morphisms from Z[d113,…,dn13] to 𝔽_p which can be extended multiplicatively to U.

In order to create morphisms from Z[d113,…,dn13] to some 𝔽_p we need to find a p such that every d_i is a cube modulo p i.e. verifying the cubic conditions C = (1, …, 1). This is done with Algorithm 1. Such a morphism can be extended to all elements of K whose denominators are not divided by p. For this morphism to be defined on U it is sufficient that p does not divide the denominators of the u_i’s. We then verify that the embeddings of the u_i’s are not zero so that the morphism restricted to U is not trivial.

Now suppose a prime p has been selected. Write ϕ_p the morphism it induces as explained before. We want to create a character i.e. a group morphism U ⟶ 𝔽₃ in order to detect non trivial cubes in U. Similarly to [4] we use the cubic character Fp∗ ⟶ 𝔽₃ which corresponds to the natural morphism Fp∗↠Fp∗(Fp∗)3. Remark that p needs to be congruent to 1 modulo 3 because we are looking for a non trivial morphism. Denote by ζ_3,p a fundamental root of unity in 𝔽_p. Let us now describe how this morphism can be realised. For any y in 𝔽_p we know that yp−13 is a cube root of unity in 𝔽_p. Therefore it can be expressed as ζ3,pλy with λ_y = log_{ζ_3,p}, (y) ∈ ⟦0, 2⟧. We can see that the canonical morphism can be written

Fp∗↠Fp∗(Fp∗)3y↦logζ3,p,(y).

As a cubic character induced by p we will therefore consider

χp:U⟶Fp∗(Fp∗)3u⟼logζ3,p,(ϕp(u)).

Remark that if u is a cube in OK× then ϕ_p(u) is also a cube in 𝔽_p but the opposite is not true in general. So if u is a cube then u ∈ ker χ_p. Therefore to properly detect non trivial cubes in U we need to use several primes. First remark that the character induces a morphism

χp:UU∩(K∗)3⟶F3.

The group UU∩(K∗)3 is isomorphic to some (Z3Z)m′ with m′ ⩽ r. Moreover it can be seen as 𝔽₃-vector space. Following [8] as in [4] if we consider characters χ_p to be uniformly distributed elements of the dual of this vector space, drawing sufficiently enough of them will detect cubes. We can adapt Lemma 8.1 of [8] to 𝔽₃-vector spaces to say that m′ + s uniformly drawn primes generate the dual of UU∩(K∗)3 with probability at least 1 – 3^–s. Therefore by choosing s large enough the cubic characters χ_p₁, …, χ_{p_m+s} would generate the dual with high probability and the intersection ⋂i=1s ker χ_{p_i} would be the orthogonal of the dual i.e. U ∩ (K^*)³. This allows us to have Algorithm 2 which returns a matrix of exponents expressing a generating set of non trivial cubes in U ∩ (K^*)³. The fact that the exponent are non trivial means that the cubes are not in U³ so generate U∩(K∗)3U3. As mentioned before with s large enough we have a very low probability of yielding an exponent vector λ such that ∏i=1muiλi is not a cube. Like the authors of [4] we never encountered such a case.

Complexity : Generating a cubic character consists in applying Algorithm 1 to find a prime p and reducing the elements u₁, …, u_m modulo p to verify that the morphism ϕ_p is defined and non zero on U = 〈u₁, …, u_m〉. In order to calculate ϕ_p(u_i) we need to compute the cube roots of d₁, …, d_n, reduce the coefficients of u_i and compute a sum modulo p. All of this can be done in O(NB) with B an upper bound on the number of bits of the coefficients of any of the u_i. This is mainly due to reduction of u_i modulo p. The computation of m + s characters is therefore in O((m + s)NB). We will consider m + s to be equivalent to N asymptotically so we obtain O(N²B). Finally the computation of the kernel of a matrix of size N over 𝔽₃ has complexity N³ so the complexity of Algorithm 2 is O(N³ + N²B).

Algorithm 2

Compute non trivial cubes of a subgroup of K^* – CubeKernel

Require: U = 〈u₁, …, u_m〉 a subgroup of K^*

Ensure: λ₁, …, λ_r ∈ ⟦0, 2⟧^m such that ∏i=1muiλj,i is a cube for all j ∈ ⟦1, r⟧

1: Generate sufficiently enough cubic characters χ_p₁, …, χ_{p_m+s}

2: M ← [χ_{p_j}(u_i)]_i,j ∈ M_m,m+s(𝔽₃)

3: N ← ker(M) ⊳ Left Kernel in 𝔽₃

4: returnN as a matrix in ℤ

4.3 Computing cube roots

Consider the following problem : «Given an elementyin a multicubic fieldK = ℚ(d113,…,dn13)which is a cube, compute its cube root». In [4] the authors showed how to compute efficiently square roots in multiquadratic fields using only a few polynomial expressions. In a multiquadratic field E = F(d) – with F a subfield of E – consider h = g². Then if we write h = h₀ + dh₁ and h = g₀ + dg₁ we have h0=g02+dg12 and h₁ = 2g₀g₁. Moreover the algebraic norm N_E/F(h) = N_E/F(g)² is an element of E. So if we can compute square-roots efficiently in F we can know NE/F(g)=g02−g12d and then retrieve g₀ and g₁ using h₀ and h₁. This require to compute one more square-root in F. The only obstacle in this procedure is the sign since a square-root may have two distinct solutions. Doing such errors at each level of the recursive process can lead to an exponential number of possibilities to verify. However the authors of [4] overcame this difficulty and provided an efficient recursive algorithm to compute square-roots in multiquadratic fields. The problem of sign does not appear with cube roots. However the polynomial equations are more complex. Write x=x0+x1dn13+x2dn23 and y=y0+y1dn13+y2dn23. Then we have:

y0=x03+x13dn+x23dn2+6x0x1x2dny1=3(x02x1+x12x2dn+x22x0dn)y2=3(x02x2+x12x0+x22x1dn)NK/L(x)=x03+x13dn+x23dn2−3x0x1x2dn.

There is no straightforward way of transforming these equations into a cube that we could take advantage of. Therefore we choose to use a real embedding and a LLL reduction. This allows to progressively increase the needed precision and save the real lattice used to recover the coefficients. Let us now describe the procedures composing this algorithm. We use a function called RealBasisEmbedding which creates the vector of the basis elements of the multicubic field K computed in ℝ to a given precision. Then we can create the matrix representing the basis as a lattice. Write v the column vector RealBasisEmbedding((d₁, …, d_n), l). We choose as a “real basis matrix” the following

LLLv|C⋅Id

where C is a coefficient chosen to avoid errors due to the precision. We typically used C=⌊3n12⌉. Now if a basis lattice matrix has been computed for a given precision here how one can try to fasten the computation of a basis lattice matrix to a bigger precision. First denote by v_l₁ and v_l₂ the real basis vectors given up to two precisions l₁ < l₂. We can write

LLLvl1∣C⋅Id=U×vl1∣C⋅Id

with U being a unitary matrix. If we save this unitary operator we can then first calculate

U×vl2∣C⋅Id

then apply the LLL algorithm to finally reduce the lattice. This reduction is done by multiplying by a unitary operator V and the full reduction can be written

LLLvl2∣C⋅Id=V×U×vl2∣C⋅Id.

Therefore we can now save V × U and use the same process if we need to actualise again the precision. Now recall that we want to compute cube roots. Given L a real lattice matrix for K here how we can expect to do so. Consider y ∈ K as before. First compute x up to precision l in ℝ. Write RealEmbedding this procedure and the returned value x_l. Then create the row vector x = [x_l | 0 | B] with B being a coefficient larger than the maximum euclidean norm of the rows of L. We can then build the matrix

Algorithm 3

Compute a matrix representing the real embedding of the matrix of a multicubic field – RealLattice

Require: A LLL-reduced real lattice matrix of (d₁, …, d_n), a unitary operator U, a precision l

Ensure: A LLL-reduced real lattice matrix of (d₁, …, d_n) at precision l and the corresponding unitary operator

1: v ← RealBasisEmbedding(d, l)

2: M ← U × ([v | C ⋅ Id])

3: L, V ← LLL(M) ⊳ L = LLL(M) = VM

4: returnL, V × U

L∣0x

and apply a LLL algorithm to it. This can be seen as the overall reduction of

vC×Id0xl0B

which would reduce the last vector with respect to the real basis lattice. Considering the shape of the last matrix we expect the central part of the last row vector to be the vector of coefficients of Cx in K. We denote by CubeRootCandidate this procedure. Once we have this candidate we can check its validity by computing its cube and looking whether it is y or not. If not we can increase the precision and find another candidate. We can evaluate the needed precision with a function PrecisionEvaluation. This function takes y and n the number of primes defining K in argument. Experiments suggest that for a given degree the precision is linear in log(∥y∥₂). However the slope increases with n and seems to be multiplied by a coefficient between 2 and 3. We choose to use 3 so the slope for K of dimension 3ⁿ is 3^n–1.

Remark 4.1

In fact as in [4] Algorithm 5 is valid only in ℤ[B] where B is the chosen basis. But an element y = x³ with integral coefficient can have a cube root with rational ones. Therefore, to ensure that the algorithm will finish, one has to compute the cube root of D³y with D ∈ ℤ such that Dx has integral coefficients. The dimension of the field 3ⁿ is a valid choice, ensured by Proposition 3.31.

Complexity : The algorithm consists essentially in applying several LLL with coefficients of size given by PrecisionEvaluation. Denote by B an upper bound on the bit size of coefficients of y. Then the complexity of CubeRootCandidate would be O(N⁵B²). We might have to increase the precision but experimentally it is only done a few times. We expect the complexity to stay in O(N⁵B²).

4.4 Computing units

We will describe in this section the algorithm used to compute the units of a multicubic field. As mentioned before we will mainly proceed as in the multiquadratic case. We will recursively compute the units of chosen subfields and then retrieve the whole group by detecting cubes and computing their cube root. Therefore the algorithm can be seen as computing the subgroup MCU(K) and then deduce OK× only by doing products and cube root extractions in successive subfields. Moreover we represent any unit at each step of the algorithm for K as (u, ApproxLog_K(u)) even if we are computing the units of a subfield. This can be done easily because we can compute the approximate logarithm of any element of MCU(K) by a function CubicApproxLog. Then we compute the approximate logarithm of other units by doing only sums and divisions by 3. Since the lattice generated by the multicubic units in the Log-unit representation has an orthogonal basis we compute ApproxLog_K(OK×) starting by an orthogonal basis of a sublattice and then only adding and dividing by three these vectors. In Algorithm 6 we use several sub-algorithms namely

CubicUnitGroup;
BasisFromGeneratingSet;
UnitsFromCubes.

Algorithm 4

Compute a candidate for a cube root in a multicubic field – CubeRootCandidate

Require: An cube element y = x³ in a multicubic field K of dimension N, a precision l and a real basis lattice of K for precision l

Ensure: x′ a candidate for x

1: x_l ← RealEmbedding(y, l)

2: x ← [x_l | 0 | B]

3: M←LLLL∣0x

4: x′←MN,2C,…,MN,N+1C

5: returnx′

The first one is the classical unit group algorithm implemented in Magma. We apply it only to compute the multicubic units. The last two algorithms are adapted from [4] in the multicubic case. BasisFromGeneratingSet takes into argument a generating set of a subgroup of OK× and returns a basis. It is done by reducing the corresponding generating family in the Log_K-representation. If the subgroup U is given by a generating family (u₁, …, u_m) we apply a LLL algorithm on the matrix

12l×ApproxLogK(u1,l)12l×ApproxLogK(u2,l)⋱⋮12l×ApproxLogK(um,l)

to reduce the matrix of the ApproxLog_K(u_i, l) and recover as well V the unitary transform. We therefore obtain a basis of ApproxLog_K(U) and can compute the corresponding elements of K by using V. The stretched Identity matrix allows to recover a matrix V with relatively small relations in a way similar to what did the authors of [4]. The function UnitsFromCubes computes a generating set of OK× given a generating set of a subgroup U such that (OK×)3 < U < OK×. Let us write (u₁, …, u_m) a generating set of U. The algorithm computes exponent vectors using the CubeKernel algorithm and obtains a basis of non trivial cubes in U. Then it computes their cube roots (v₁, …, v_r) using MC_CubeRoot and returns the family (u₁, …, u_s, v₁, …, v_r). Following [4] it is not hard to see that the returned family generates the whole group OK×. Remark that the approximate logarithm of the resulting new vectors can be computed by sums and division by three.

Algorithm 5

Computing a cube root in a multicubic field – MC_CubeRoot

Require: An cube element y = x³ in a multicubic field K = ℚ(d113,…,dn13)

Ensure: The cube root x of y

1: l ← PrecisionEvaluation(y, n)

2: L, U ← RealLattice(d, l)

3: x′ ← CubeRootCandidate(y, l, L)

4: while(x′)³ ≠ ydo

5: l ← 2l

6: L, U ← RealLattice(d, l, L, U)

7: x′ ← CubeRootCandidate(y, l, L)

8: end while

9: returnx′

Algorithm 6

Compute the unit group of a multicubic field – MC_Units

Require: A reduced sequence (d₁, …, d_n) defining a multicubic field, a precision factor l.

Ensure: A basis {u₁, …, u_r} of the torsion-free part of unit group OK×〈±1〉

1: ifn = 1 then

2: u ← CubicUnitGroup(K)

3: return (u, CubicApproxLog(u, l))

4: else

5: Choose v, w two independent elements of H(K͠) and recursively compute a basis of U = OKv×OKw×OKvw×OKv2w×

6: V ← UnitsFromCubes(U) ⊳ Algorithm 2 and Algorithm 5

7: U ← BasisFromGeneratingSet(〈U, V〉)

8: returnU

9: end if

Complexity : The complexity of the algorithm is Poly(N, B) where B is an upper-bound on the bit-size of the elements we are computing.

4.5 Principal Ideal Problem

Our main goal is to find a short generator for a given principal ideal of K. This problem can be solved by finding a generator first and finding a short vector using the Log-unit lattice. Since we can compute the unit group we “only” need to find a generator of an ideal. An ideal I can be described by several representations, for example:

an integral basis;
the two element representations that is used to fasten ideal based cryptosystem such as in [9, 20].

We consider the more basic situation which is the first one. It has the advantage of being more general. However it is a much bigger representation and operations may be much slower. For example one fundamental operation on ideals for the PIP algorithm in multiquadratic fields and multicubic fields is the relative norm computation. Given an ideal I of a number field K and L a subfield of K the relative norm of I with respect to K/L is the ideal of L generated by the norms N_K/L(x) for x ∈ I. If K/L is a Galois extension then we have

NK/L(I)=∏σ∈Gal(K/L)σ(I).

This is for example the case if K and L are multiquadratic fields. Multicubic fields are not Galois however the situation is pretty similar. Instead of computing the product over Gal(K/L) we compute it over the complex embeddings which are the identity when restricted to L and the product is done in K͠. Then one way of computing N_K/L(I) given an integral basis (b₁, …, b_n) is to calculate all of the products ∏_σσ(b_σ) with b_σ ∈ {b₁, …, b_n}, express them in basis of 𝓞_K, then reduce the matrix obtained by calculating its Hermite Normal Form (HNF) for example and finally intersect with F. We can see that this requires to compute [K : L]–1 product of ideals of K. The complexity of the HNF is polynomial in the degree of K however it is still quite slow. In Algorithm 7 the fields considered are K a multicubic field of dimension 3ⁿ and L a multicubic field of dimension 3^n–1. Therefore K/L is a degree 3 extension and the embeddings in Hom(K, ℂ) which are the identity on L are {1, σ^(β), σ^(2β)} for a given β. Therefore we need to compute two ideal products which are done by reducing matrices of 3²ⁿ vectors in a HNF with 3ⁿ rows.

The PIP algorithm in multicubic fields is similar to the one for multiquadratic fields as their algebraic structure are almost the same. Given an ideal I we compute recursively a generator for each of four norm ideals in subfields, combine them to yield a generator h of I³ and finally find ϵ ∈ OK× such that hϵ is a cube to compute a = (hϵ)13. Like the computation of units, this relies on the structure of the field and Proposition 3.19. Indeed let us write I = gOK×. Then we know that we have

g3=NK~/K~u(g)NK~/K~v(g)NK~/K~uv(g)NK~/K~u2v(u(g)⋅uv(g))=NK~/K~u(g)NK~/K~v(g)NK~/K~uv(g)u(NK~/K~u2v(g))⋅uv(NK~/K~u2v(g))

for any independent u, v in H(K͠). For clarity write N₁, N₂, N₃, N₄ the four considered relative norm operators and g₁, g₂, g₃, g₄ the four relative norm elements such that

g3=g1g2g3u(g4)uv(g4).

Then for all i ∈ ⟦1, 4⟧, g_i is a generator of the principal ideal N_i(I). If h_i is a generator of N_i(I) then we have h_i = g_iϵ_i with ϵ_i a unit of the fixed subfield so of K. Then we have

h1h2h3u(h4)uv(h4)=g1g2g3u(g4)uv(g4)×ϵ1ϵ2ϵ3u(ϵ4)uv(ϵ4)=g3ϵ1ϵ2ϵ3u(ϵ4)uv(ϵ4).

Finally if we find a unit ϵ such that hϵ is a cube we can retrieve gη by computing (hϵ)13. Once we have calculated the ideal norms, retrieved one generator for each of them and computed the element h as stated before we will find the unit ϵ the same way we find non trivial cubes in the algorithm for units. Write U the subgroup of K^* generated by h and OK× = 〈u₁, …, u_m〉. By following [4] we compute enough good cubic characters as in Algorithm 2 then we store separately M = [χ_{p_j}(u_i)]_i,j and the row vector c_h = [χ_j(h)]_j. A solution e of eM = –c_h yields the desired vector of exponents.

Remark that to solve the PIP in the cubic subfields in Algorithm 7, we use a classical algorithm named CubicPrincipalIdeal as we used CubicUnitGroup in Algorithm 6. Moreover it is not precised but we compute the approximate logarithm of the retrieved generators of cubic fields. Then we compute the logarithm of the final generator of I only doing sums and division by three.

Algorithm 7

Solve the PIP – MC_PIP

Require: A principal ideal I of a multicubic field K

Ensure: A generator g of I

1: ifn = 1 then

2: g ← CubicPrincipalIdeal(K)

3: returng

4: else

5: Choose u, v two indepedent elements of H(K͠) and recursively compute generators h₁, h₂, h₃, h₄ of N_{K_u}(I), N_{K_v}(I), N_{K_uv}(I), N_{K_u²v}(I)

6: g ← GeneratorFromCubeh1h2h3u(h4)uv(h4)

7: returng

8: end if

4.6 Shortening of the generator

Now the problem that we want to solve is the SPIP. Assume that we know that I has a short generator.

Once a generator h of the ideal I is found, one can choose from several techniques to try to recover the secret g or a short enough generator. In [13] the authors used the dual lattice. They considered a subgroup C of OK× easily computable such that [OK× : C] is close to 1. They gave a bound on the dual vectors of Log_K(C) so they proved decryption could be done in this sublattice. The very small gap between Log_K(C) and Log_K(OK×) allowed a full decryption. In the case of multiquadratic and multicubic fields there is a good subgroup with a perfect decryption situation, namely the multiquadratic units and the multicubic units. They form orthogonal sublattices of the Log-unit of their respective fields. However in both cases the gap between the unit groups and these subgroups is too large to try the previous strategy. However there are efficient algorithms to compute the units and solve the PIP of a wide range of multiquadratic fields so the full Log-unit lattice can be computed efficiently. In the case of multicubic fields we are less efficient but we still manage to compute units in reasonable time for some cases. Finally even if we can compute a basis of the Log-unit lattice it is not certain that we can efficiently recover short generators. This will depend on the geometrical properties of the basis.

In [4] the shortening procedure is a rounding. The authors considered the vector Log(h) = Log(g) + Log(u) expressed in the basis Log(OK×) and rounded its coefficient to the nearest integer. In the case of multicubic fields we cannot use this rounding method since the Log-unit lattice is not a full rank lattice in its ambient vector space. Instead we used a decryption method based on LLL. Write L the matrix of the approximate Log-embedding of the units computed, h the vector found by the PIP algorithm and B an upper bound of the norm of the vectors of L. Then consider – similarly to the cube root procedure – the matrix

L0ApproxLogK(h)B=ApproxLogK(u1)0ApproxLogK(u2)0⋮⋮ApproxLogK(um)0ApproxLogK(h)B

and reduce it with a LLL algorithm. If Log_K(g) is short respectively to the Log-unit lattice this is expected to reduce the last row to the Log-embedding of the closest generator. If we compute the unitary operator corresponding to this LLL reduction we can retrieve u and g.

Algorithm 8

Shorten a given generator of an ideal – ShortGen

Require: A generator h of a principal ideal I, OK× = 〈u₁, …, u_m〉

Ensure: A candidate g for a short generator.

1: L ← [ApproxLog_K(u_i)]_{i∈⟦1,m⟧}

2: B ← max{∥L[i]∥₂ | i ∈ ⟦1, m⟧}

3: M,V←LLL(L0ApproxLogK(h)B)

4: returnhVm+1,1×∏i=2m+1ui−1Vm+1,i

4.7 Experiments and Results

We present here the data we collected from computations. We considered multicubic fields defined by prime sequences (p₁, …, p_n). We did computations essentially for multicubic fields defined by n primes with n equal to 2, 3 and 4. These correspond to fields of dimension 9, 27 and 81. We did some computations for fields defined by 5 primes i.e. with dimension 243.

Computing OK×

Recall that we compute units of a multicubic field K recursively and at each step the main procedure is CubeRoot presented in Algorithm 5. The efficiency of the overall algorithm is strongly related to the efficiency of CubeRoot and tends to be dominated by it. This is illustrated by the times computed in Table 1. In Figure 1 we can find the times for n = 2 printed. It illustrates well the correlation between the time taken to compute the units and the time taken to compute cube roots. If we analyse the function CubeRoot we can see that it depends on the dimension, the sequence defining the field K and the norm of the elements it is given. Therefore together with the times we computed the number of cube roots computed by the last call to CubeRoot in Algorithm 6 and the average of the logarithm of their norms. We can understand from these data why the algorithm does not scale as the algorithm in [4]. The norm of the elements from which we compute cube root seems to scale poorly and we have to compute more cube roots when the degree increases. Moreover the efficiency seems to decrease quickly with increasing primes.

$Figure 1 Times to compute OK×$\begin{array}{} \displaystyle \mathcal{O}_K^{\times} \end{array}$ and the cube roots for fields defined by consecutive primes and n = 2$

Figure 1

Times to compute OK× and the cube roots for fields defined by consecutive primes and n = 2

Table 1

Times and data for Algorithm 5 and 6 for number fields defined by consecutive primes for n = 2, 3, 4 and 5

(a) n = 2

First prime	2	3	5	7	11	13	17	19	23	29
OK× (times in s)	0.260	0.260	0.260	0.270	0.290	0.350	0.330	0.360	0.480	0.320
CubeRoot (times in s)	0.010	0.010	0.010	0.010	0.000	0.050	0.060	0.070	0.180	0.010

# cube roots	3	3	1	1	1	1	1	2	3	1
Average logarithm of the Norm of cubes	3	18	31	45	24	215	270	175	162	70

(b) n = 3

First prime	2	3	5	7	11	13	17	19	23	29
OK× (times in s)	2.110	2.250	2.490	4.500	2.780	18.780	4.060	24.810	9.230	24.420
CubeRoot (times in s)	0.060	0.180	0.350	2.310	0.350	15.980	1.020	16.540	5.950	16.490

# cube roots	3	4	3	4	2	5	4	5	4	3
Average logarithm of the Norm of cubes	13	29	46	127	83	404	112	398	313	781

(c) n = 4

First prime	2	3	5	7	11	13	17
OK× (times in s)	39.670	71.160	157.460	873.670	7479.250	9862.540	29308.850
CubeRoot (times in s)	19.220	47.270	130.240	832.780	7370.470	9271.600	28425.140
# cube roots	14	12	10	11	11	11	13
Average logarithm of the Norm of cubes	29	75	168	533	1090	2178	3295

(d) n = 5

First prime	2	3	5
OK× (times in s)	16026.410	87701.680	566029.130
CubeRoot (times in s)	15246.560	85036.150	562127.470

# cube roots	36	36	48
Average logarithm of the Norm of cubes	63	199	531

Complexity : An analysis of the norm of the units that the algorithm compute cube roots of can be found in Appendix and gives a bound essentially polynomial in Nn2∏i=1ndi. This gives a complexity for the overall algorithm essentially in Poly(Nn2∏i=1ndi).

We obtained better results that the standard algorithm implemented in Magma. For example we can see in Table 2 the times to compute units for consecutive primes and n = 2. We can see that the size of primes has a strong impact. It took 2540.490 seconds to compute the units of the field defined by (2, 3, 5) and did not retrieve the units of the field defined by (3, 5, 7) after 34 hours.

Table 2

Times to compute OK× with UnitGroup of Magma for n = 2

First prime	2	3	5	7	11	13	17	19	23	29
OK× (times in s)	0.190	0.200	0.240	0.520	2.190	8.510	0.700	61.480	200.540	503.640

Retrieving a short generator

For each given size of keys (except 243) we chose two sequences. The first is the n consecutive primes and the second follows an arithmetic progression i.e. p₁ is fixed and the p_k+1 is NextPrime(p_k + 4) for each k. We considered keys as vectors of coefficients drawn uniformly at random in {–1, 0, 1}. This type of keys are indeed “short vectors” in the ideal lattice they generate. The data are presented in Table 3. For each n and each progression the first row is the percentage of exact decoding and the second is the percentage of shorter generators – exact of strictly shorter generators – retrieved.

Table 3

Percentages of keys recovered for n = 2, 3 and 4

(a) n = 2

First prime	2	3	5	7	11	13	17	19	23	29
Consecutive	35.20	90.80	98.40	98.20	100.0	100.0	99.70	99.80	100.0	100.0
	46.20	91.50	98.40	98.20	100.0	100.0	99.70	99.80	100.0	100.0

Arithmetic	69.90	95.10	98.60	97.40	100.0	99.80	100.0	99.80	100.0	100.0
	75.20	95.10	98.60	97.40	100.0	99.80	100.0	99.80	100.0	100.0

(b) n = 3

First prime	2	3	5	7	11	13	17	19	23	29
Consecutive	46.00	93.30	100.0	99.91	100.0	100.0	100.0	100.0	100.0	100.0
	46.40	93.30	100.0	99.91	100.0	100.0	100.0	100.0	100.0	100.0

Arithmetic	84.10	99.59	100.0	99.50	100.0	n/a	n/a	n/a	n/a	n/a
	84.10	99.59	100.0	99.50	100.0	n/a	n/a	n/a	n/a	n/a

(c) n = 4

First prime	2	3	5	7	11	13	17	19
Consecutive	64.20	99.91	100.0	100.0	100.0	100.0	100.0	100.0
	64.20	99.91	100.0	100.0	100.0	100.0	100.0	100.0

Arithmetic	95.00	100.0	100.0	100.0	100.0	n/a	n/a	n/a
	95.00	100.0	100.0	100.0	100.0	n/a	n/a	n/a

We can remark that the probability of success seems to converge to 1 as the primes of the defining sequence increase. The probability of failure is particularly big when the smaller primes are in the sequence, especially two. The same phenomenon were noticed in [4]. Moreover we can see that the rate of generators retrieved which were strictly shorter than the key follow the inverse pattern. It is quite high compared to the rate of retrieved key when the latest is low and n = 2 and tends to 0 otherwise. For the multicubic field defined by the sequence (2, 3, 5, 7, 11) we retrieved exactly 74.02 % of the keys and no shorter generator and for the field defined by (3, 5, 7, 11, 13) we retrieved exactly all of the keys.

These results tend to show that multicubic fields should not be used to build cryptosystems. Even if we are still too slow to attack dimensions of cryptographic interest the results we obtained suggest that the we can easily recover short vectors using the Log-unit lattice. Finally in post-quantum perspective we have to think that computing OK× and solving the PIP can be done efficiently. Therefore the fact that the algorithms presented in this paper are slow is not completely relevant. We are essentially interested in the quality of the basis of the Log-unit lattice.

References

[1] L. Babai, On Lovász’ lattice reduction and the nearest lattice point problem, Combinatorica 6(1), (1986).10.1007/BFb0023990Search in Google Scholar

[2] P. Barrucand, Quelques aspects de la théorie des corps cubiques, Séminaire Delange-Pisot-Poitou. Théorie des nombres 16, (1974-1975), 1–10.Search in Google Scholar

[3] P. Barrucand, J. Loxton, H. C. Williams, Some explicit upper bounds on the class number and regulator of a cubic field with negative discriminant, Pacific Journal of Mathematics, 128(2), (1987), 209–222.10.2140/pjm.1987.128.209Search in Google Scholar

[4] J. Bauch, Daniel J. Bernstein, H. de Valence, T. Lange, C. Van Vredendaal, Short generators without quantum computers : The case of multiquadratics, in: Advances in Cryptology, EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings., Lecture Notes in Computer Science 10210, LNCS Springer Verlag (2017), 27–59.10.1007/978-3-319-56620-7_2Search in Google Scholar

[5] K. Belabas, Topics in computational algebraic number theory, in: Journal de théorie des nombres de Bordeaux, 16(1), (2004), 19–63.10.5802/jtnb.433Search in Google Scholar

[6] J.-F. Biasse, F. Song, Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields, in: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, 893-902.10.1137/1.9781611974331.ch64Search in Google Scholar

[7] W. Bosma, J. Cannon, and C. Playoust, The Magma algebra system. I. The user language, J. Symbolic Comput., 24 (1997), 235–265.10.1006/jsco.1996.0125Search in Google Scholar

[8] J. P. Buhler, H. W. Lenstra, Jr., C. Pomerance, Factoring integers with the number field sieve, in: The development of the number field sieve, Lecture Notes in Math., 1554, Springer, Berlin (1993), 50-94.10.1007/BFb0091539Search in Google Scholar

[9] P. Campbell, M. Groves, D. Shepherd, Soliloquy : a cautionary tale, ETSI 2nd Quantum-Safe Crypto Workshop, 2014, http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_and_Attacks/S07_Groves_Annex.pdf.Search in Google Scholar

[10] A. P. Chalmeta, On the Units and the Structure of the 3-Sylow Subgroups of the Ideal Class Groups of Pure Bicubic Fields and their Normal Closures, Ph.D. thesis, Virginia Polytechnic Institute and State University, 2006.Search in Google Scholar

[11] H. Cohen, A Course in computational algebraic number theory, Springer-Verlag, Berlin, Heidelberg, 1995.Search in Google Scholar

[12] H. Cohen, Advanced Topics in Computational Number Theory, Graduate Texts in Mathematics, Springer, New York, 1999.10.1007/978-1-4419-8489-0Search in Google Scholar

[13] R. Cramer, L. Ducas, C. Peikert, O. Regev, Recovering Short Generators of Principal Ideals in Cyclotomic Rings, in: Fischlin M., Coron JS. (eds) Advances in Cryptology, Lecture Notes in Computer Science, vol 9666. Springer, Berlin, Heidelberg (2016).Search in Google Scholar

[14] K. Eisenträger, S. Hallgren, A. Kitaev and F. Song, A Quantum Algorithm for Computing the Unit Group of an Arbitrary Degree Number Field, in: Proceedings of the Forty-sixth Annual ACM Symposium on Theory of Computing, ACM, New York (2014).Search in Google Scholar

[15] C. Gentry, A fully homomorphic encryption scheme, Ph.D. thesis, Stanford University, 2009, https://crypto.stanford.edu/craig.Search in Google Scholar

[16] C. Gentry and S. Halevi, Implementing Gentry’s fully-homomorphic encryption scheme, in: Kenneth G. Paterson, editor, Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, Lecture Notes in Computer Science, 6632, Springer (2011), 129–148.10.1007/978-3-642-20465-4_9Search in Google Scholar

[17] A. K. Lenstra, H. W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, 261(4), (1982), 515–534.10.1007/BF01457454Search in Google Scholar

[18] C. J. Parry, Class number formulae for bicubic fields, Illinois J. Math., 1, (1977), 148–163.10.1215/ijm/1256049510Search in Google Scholar

[19] P. Samuel, Algebraic theory of numbers, Paris, Hermann; Boston, Houghton Mifflin Co., 1970.Search in Google Scholar

[20] N. P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes, in: Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings, Lecture Notes in Computer Science, 6056, Springer (2010), 420–443.10.1007/978-3-642-13013-7_25Search in Google Scholar

Appendix : An upper bound on the norm of cubes

We will give an upper bound for the norm of the units that we compute the cube root of in Algorithm 6 depending on the degree and the sequence defining the multicubic field K. Write (d₁, …, d_n) this sequence. We assume that they are prime numbers. Let us fix v is a unit in K found by CubeKernel in Algorithm 6. As stated before MC_CubeRoot consists essentially in several LLL procedures applied to matrices of size approximately N with coefficients of size evaluated by PrecisionEvaluation. In order to find the complexity of the LLL used to compute the cube root of u we need to bound PrecisionEvaluation(v) = 3ⁿ × log(∥v∥). We therefore need to evaluate ∥v∥. We will consider here the infinity norm. For x, y ∈ K we have

∥xy∥∞⩽∥x∥∞∥y∥∞∏i=1n(1+2di).

Consider C(k, d) = sup{∥v∥_∞ | v ∈ OL×, [K : L] = 3^n–k} the maximal infinity norm of a unit of a subfield of K of dimension 3^k found in the course of Algorithm 6. Write U = 〈u₁, …, u_m〉 the subgroup computed in Algorithm 6 before computing the procedure CubeKernel. We have m⩽4×3n−1−12 and v=u1e1×⋯×umem with (e₁, …, e_m) ∈ ⟦0, 2⟧^m. Typically the previous exponent tuple has a fair proportion of 0 but we will assume we are in the worst case which is half of 1 and half of 2. Therefore v is calculated by a product of 3×(3^n–1 – 1) terms so we have

∥v∥∞⩽C(n−1,d)3×(3n−1−1)×∏i=1n(1+2di)3×(3n−1−1)−1.

If we designate by P(1 + 2d) the product we have

log⁡(∥v∥∞)⩽3(3n−1−1)log(C(n−1,d))+3(3n−1−1)log⁡(P(1+2d_)).

If we assume that ∥x∥_∞ ⩽ ∥x³∥_∞ ⩽ for any x ∈ K we can write

log⁡(∥v∥∞)⩽3(3n−1−1)×3(3n−2−1)log(C(n−2,d)) +3(3n−1−1)+(3(3n−1−1)×3(3n−2−1))log⁡(P(1+2d_)).

Then if we write c_k = 3^k – 1 we have

log⁡(∥v∥∞)⩽3n−1cn−1cn−2…c1log(C(1,d)) +(3cn−1+32cn−1cn−2+⋯+3n−1cn−1cn−2…c1)log⁡(P(1+2d_))

which gives rise to

log⁡(∥v∥∞)⩽3n−13(n−1)n2log(C(1,d))+3(n−1)n2(3+32+⋯+3n−1)log⁡(P(1+2d_))

and therefore

log⁡(∥v∥∞)⩽3n−13(n−1)n2log(C(1,d))+3(n−1)n2×3×3n−1−12log⁡(P(1+2d_)).

Thus we can bound log(∥v∥_∞) by N × Nlog3⁡(N)2 (log(C(1, d)) + log(P(1 + 2d)). Now we assume that the infinity norm of a fundamental unit of cubic field is less than its real embedding (it is verified by computations made) or at least a polynomial of evaluated in it. Therefore we can write

log⁡(∥v∥∞)⩽N×Nlog3⁡(N)2(log⁡(P(1+2d_)+max{log⁡(ϵα_)∣α_∈(F3)n∖{0_}})

and by using an upper bound for the regulator of pure cubic fields and the discriminant of a pure cubic field we have

log⁡(∥v∥∞)⩽N×Nlog3⁡(N)2(log⁡(P(1+2d_))+P(d_))

where P(d) = ∏i=1ndi.

If we compare this bound to the experimental results the subexponential part seems reasonable. However the norm of the elements that we work with during the algorithm seem to be lower in general.

Appendix B: Discriminant of multicubic fields

In this section we will study the discriminant of multicubic fields i.e. number fields of the form ℚ(d113,…,dn13) with d₁, …, d_n being integers. Since the discriminant of a number field is related to the splitting of primes in its ring of integers we will establish some results on the splitting of primes in multicubic fields. One can see [19] for a fairly clear and complete presentation of the objects and results used in this part.

Notations

𝔇(L/K) relative discriminant of L/K

𝔡(L/K) relative different of L/K

N_L/K relative norm of L/K

D(K) aabsolute discriminant of K

Proof of Lemma 3.26

Assume p | d₁ and p | d₂. Without loss of generality one can assume p² ∤ d₁ and p² | d₂. Then fix d1′=d1 and d2′=d1d2p3.□

Proof of Lemma 3.27

Let p ∈ ℙ(d). There is i₀ ∈ ⟦1, n⟧ such that p | d_i₀. Without loss of generality one can assume i₀ = 1. Then apply Lemma 3.26 to every (d₁, d_i) with i > 1.□

Proof of Lemma 3.28

Assume d₁ ≠ ± 1 (mod 9) and d₂ ≠ ± 1 (mod 9). One can replace d1 by d1d2 or d1d22.□

Proof of Proposition 3.29

First assume that 3 does not appear in the prime decomposition of any of the d_i, i ∈ ⟦1, n⟧. Then two cases arise. Either d_i = ± 1 (mod 9) for all i ∈ ⟦1, n⟧ and nothing need to be done, either there is i₀ ∈ ⟦1, n⟧ such that d_i₀ = 2, 4, 5, 7 (mod 9). Without loss of generality one can assume that i₀ = 1, and for all j > 1 such that d_j ≠ ± 1 (mod 9) one can apply Lemma 3.28 to (d₁, d_j) and assume that d_j = ± 1 (mod 9). This corresponds to (ii). Now assume that 3 divides d_i₀ for some i₀ ∈ ⟦1, n⟧. Again one can assume i₀ = 1 and – by applying Lemma 3.27 – that 3 ∤ d_i for all i ∈ ⟦2, n⟧. Finally we can apply the first case to the sequence (d₂, …, d_n) which gives rise to the two last possibilities of the proposition.□

We will now prove Theorem 3.30. Remark that the formulae can be extended to pure cubic fields – see for instance [11] – and were proven by Chalmeta in [10] for bicubic fields. In order to determine the discriminant of multicubic fields we will study the splitting of primes in such fields. A prime p divides D(K) if, and only if, it ramifies in K. Moreover given two linearly disjoint fields K₁ and K₂ the discriminant of their compositum D(K₁K₂) divides the product D(K₁)^[K₂:ℚ]D(K₂)^[K₁:ℚ]. If we apply this to a multicubic field we obtain that a prime p divides D(K) if, and only if, it divides one of the discriminant of the pure cubic fields ℚ(di3) for i in ⟦1, n⟧. Given the discriminant of a pure cubic field this is equivalent to being in ℙ(d) ∪ 3. Let us first consider the case of primes different from 3.

Proposition 4.2

ConsiderK = ℚ(d113,…,dn13)a multicubic field andpa prime integer in ℙ(d) ∖ {3}. Then we havev_p(D(K)) = 2 × 3^n–1.

Proof

The result is true for n = 1, see for instance [11]. Suppose now that n ⩾ 2. By using Lemma 3.27 one can assume p | d₁ and p ∤ d_i for any i in ⟦2, n⟧. Let K₁ = ℚ(d13) and K₂ = ℚ(d23, …, dn3). By [11] the prime p ramifies in K₁ as 𝔭³. Moreover p is unramified in K₂ so p𝓞_K₂ = 𝔮₁ ⋯ 𝔮_s with s ⩾ 1. By multiplicativity of the ramification index, for all i ∈ ⟦1, s⟧, the ideal 𝔮_i ramifies completely in K as Pi3. Therefore p𝓞_K = (𝔓₁ ⋯ 𝔓_s)³. Now recall that the different of K/ℚ verifies 𝔡(K/ℚ) = ∏_𝔓 𝔓^s_𝔓 where the product is over the prime ideals of 𝓞_K which are ramified over ℚ. Thus the part of 𝔡(K/ℚ) above p is ∏i=1sPisi for some integers s_i. For all i ∈ ⟦1, s⟧ we know that e(𝔓_i|p) = 3 and p are coprime. Therefore s_i is equal to e(𝔓_i|p) – 1 = 2. Thus one has for the discriminant v_p(D(K)) = v_p(N_K/ℚ(𝔡(K/Q))) = vp(NK2/Q(NK/K2(∏i=1sPi2))). Finally since N_K/K₂(𝔓_i) = 𝔮_i we obtain vp(D(K))=vp(NK2/Q(∏i=1sqi2)) = v_p(N_K₂/ℚ(p𝓞_K₂)²) = 2 × 3^n–1.□

We will now study the splitting of 3 in K in function of the four types of multicubic fields established in Proposition 3.29.

Proposition 4.3

Consider a multicubic fieldK = ℚ(d113,…,dn13)such thatd_i = ±1 (mod 9) for alliin ⟦1, n⟧. Then 3 splits inKas

(3)=P1P22⋯Pr+12

with r=3n−12.Thereforef(𝔓_j|3) = 1 for allj ∈ ⟦1, r + 1⟧.

Proof

We will prove the result by induction on n. The result is true for n = 1, see [11] for instance. Consider n ⩾ 2 and suppose the result to be true for n – 1. Write K₁ = ℚ(d113,…,dn−113), K₂ = ℚ(dn3) and K͠, K1~, K2~ the respective Galois closure of the considered fields. If one denotes 3n−1−12 by s, one has the following situation by using the induction hypothesis, where the numbers labelling the vertices are the dimensions of the respective extensions.

First we consider the splitting of (3) in the Galois closure K1~ and K2~. We focus on K2~ for the situation in K1~ is similar. Remark that K2~/ℚ is Galois with dimension [K2~ : ℚ] = 6 so the decomposition of 3𝓞_K₂ verifies efg = 6 with the functions e(⋅|3) and f(⋅|3) being constant – equal to e and f respectively – over prime ideals 𝔮͠ of K̃₂ such that 𝔮͠ | (3). But considering the factorisation 3 𝓞_K₂ = 𝔮₁q22 we obtain 2 | e(𝔮͠|3). Moreover for the decomposition of 𝔮_𝔦 in K2~, since K2~/K₂ is Galois, we have e_if_ig_i = 2. But 2 | e and e = e₁ so we have e₁ = 2, f₁ = 1 and g₁ = 1. Therefore q1OK1~=q~12. Moreover f = f₁ = f₂ and e = 2e₂ so e₂ = 1 and g₂ = 2. Thus 𝔮₂ splits completely in K2~ as q2~q3~. Finally we obtain the factorisation (3) = q~12q~22q~32 in K2~. Similarly we have pOK1~=p~2 and 𝔭_i splits completely in K1~ for all i ∈ ⟦1, s⟧. Therefore the factorisation of (3) in K1~ is (3) = p~12p~22⋯p~2s+12. Remark that the residual degree is 1 everywhere. We will now consider the decomposition of (3) in K̃. Since K͠/ℚ is Galois we obtain efg = 2 × 3ⁿ. If we consider the decomposition of some 𝔭͠_i we have e_if_ig_i = 3. Moreover e = 2e_i and f = f_i for all i ∈ ⟦1, 2s + 1⟧. Assume e_if_i = 3 and g_i = 1. If we write 𝔓͠_i the ideal of K͠ with 𝔓͠_i | 𝔭͠_i the decomposition group 𝓓(𝔓_i) is therefore a subgroup of Gal(K͠/K1~) ≃ Z3Z of cardinal 3. By considering the decomposition of some 𝔮͠_j in K͠ we have that e_jf_j = 3 too so the decomposition subgroup of 𝔓͠_i with respect to the extension K͠/K2~ is also a subgroup of order 3 of Gal(K͠/K2~) and since Gal(K͠/ℚ(ζ₃)) ≃ Gal(K͠/K1~) × Gal(K͠/K2~) the decomposition subgroup of 𝔓͠_i with respect to K͠ / ℚ has order at least 9. But we supposed that e_if_i = 3 so ef = 6 thus an absurdity. Finally 𝔭͠_i totally splits in K͠ for all i in ⟦1, 2s + 1⟧ and

3OK~=P~12⋯P~3(2s+1)2.

Then for all i ∈ ⟦1, s⟧ the ideal 𝔭_i splits totally in K͠ therefore it splits totally in K too. On the contrary 𝔭̃ is not totally split in K̃ so 𝔭 is not totally split in K. We have

pOK=∑j=1ge(Pj|p)f(Pj|p)=3

and we know that f(𝔓_j|𝔭) for all j ∈ ⟦1, g⟧ so

pOK=∑j=1ge(Pj|p)=3.

We stated above that g = 3 and e(𝔓_j|𝔭) = 1 for all j ∈ ⟦1, g⟧ is not possible. Clearly g = 1 and e(𝔓₁|𝔭) = 3 is not possible either. Finally we have

pOK=P1P22

which gives

3OK=P1P22⋅P32P42P52⋯P3s2P3s+12P3s+22,

and 3s+2=3×3n−1−12+2=3n−12+1 so we obtain the desired decomposition.□

Corollary 4.1

Under the same conditions for the sequencedone has

v3(D(K))=3n−12.

Proof

The part of the different 𝔡(K/ℚ) above 3 is

∏i=2r+1Pi

because 3 is coprime to 1 and 2. Therefore one has

v3(D(K))=v3(NK/Q(∏i=2r+1Pi))=v3(∏i=2r+1NK/Q(Pi))=v3(3r)=r=3n−12.

□

Now we will consider the second type of multicubic fields.

Proposition 4.4

Consider a multicubic fieldK = ℚ(d113,…,dn13)withd₁ = 2, 4, 5, 7 (mod 9) andd_i = ± 1 (mod 9) for alli ∈ ⟦2, n⟧. Then, ifr = 3n−1−12, we have

3OK=P13P26⋯Pr+16

and consequently

v3(D(K))=3n+3n−1−12.

Proof

As in the proof of the previous proposition, consider K₁ = ℚ(d13) and K₂ = ℚ(d23, …, dn3). Following Cohen [11] and by using the previous proposition, if we write s = 3n−1−12, we have the following situation

Now consider 𝔓 dividing 𝔮_i in K for a given i ∈ ⟦1, s + 1⟧. By the multiplicativity of the ramification index 3 | e(𝔓|𝔮_i) and we know that e(𝔓 | 𝔮_i) ⩽ [K : K₂] = 3 so e(𝔓 | 𝔮_i) = 3. We obtain the claimed splitting of 3 in K. For any i ∈ ⟦1, s +1⟧ let us denote by 𝔓_i the ideal of K such that 𝔓_i | 𝔮_i. In order to study the discriminant consider the splitting of 𝔭 in K which is P1P22⋯Ps+12. We have D(K) = D(K₁)^[K:K₁] N_K₁/ℚ(𝔇(K/K₁)) = D(K₁)^[K:K₁] N_K₁/ℚ(N_K/K₁(𝔡(K/K₁))) and the part of 𝔡(K/K₁) over 𝔭 is 𝔓₂ ⋯ 𝔓_s+1 because 3 is coprime to 1 and 2. We know by [11] that v₃(D(K₁)) = 3 so v₃(D(K)) = [K : K₁]v₃(D(K₁)) + v₃(N_K/ℚ(𝔓₂ ⋯ 𝔓_s+1)) and finally

v3(D(K))=3n−1×3+s=3n+3n−1−12.

□

We will consider the third type of multicubic fields. The proof is very similar.

Proposition 4.5

Consider a multicubic fieldK = ℚ(d113,…,dn13)withd₁ = 0 (mod 3) andd_i = ± 1 (mod 9) for alli ∈ ⟦2, n⟧. Then, ifr = 3n−1−12, we have

3OK=P13P26⋯Pr+16

and consequently

v3(D(K))=2×3n−1+3n+3n−1−12.

Proof

Fix K₁ = ℚ(d13) and K₂ = ℚ(d23, …, dn3). The splitting of 3 in the fields is then the same as in the previous Proposition and we can use the same formula except that v₃(D(K₁)) = 5.□

Finally we will consider the last type of multicubic field. The proof is similar to the last two cases.

Proposition 4.6

Consider a multicubic fieldK = ℚ(d113,…,dn13)withd₁ = 0 (mod 3), d₂ = 2, 4, 5, 7 (mod 3) andd_i = ± 1 (mod 9) for alli ∈ ⟦3, n⟧. Then, ifr = 3n−2−12, we have

3OK=P19P218⋯Pr+118

and consequently

v3(D(K))=2×3n+3n−2−12.

Proof

Fix K₁ = ℚ(d13, d23) and K₂ = ℚ(d33, …, dn3). By [10] the splitting of 3 in K₁ is 𝔓⁹ and the splitting of 3 in K₂ is P1P22⋯Pr+12. We use the same argument as for the two previous types of multicubic fields and obtain the claimed splitting of 3 in K. Then by [10] we have v₃(D(K1)) = 18 and the reasoning used before gives rise to the claimed formula.□

Received: 2019-07-14

Accepted: 2020-05-01

Published Online: 2020-08-20

This work is licensed under the Creative Commons Attribution 4.0 International License.