Short Principal Ideal Problem in multicubic fields

Abstract One family of candidates to build a post-quantum cryptosystem upon relies on euclidean lattices. In order to make such cryptosystems more efficient, one can consider special lattices with an additional algebraic structure such as ideal lattices. Ideal lattices can be seen as ideals in a number field. However recent progress in both quantum and classical computing showed that such cryptosystems can be cryptanalysed efficiently over some number fields. It is therefore important to study the security of such cryptosystems for other number fields in order to have a better understanding of the complexity of the underlying mathematical problems. We study in this paper the case of multicubic fields.


Introduction
Given a number field K, an ideal lattice over K is simply an ideal I of O K considered as a Z−module in R n , where O K is the ring of integers of K. It can be represented by an integral basis. In the simplest version of encryption using ideal lattices, such as in [15,16,20], we can consider a number field K and I = gO K a principal ideal with a short g when I is considered as a lattice. Short means that the euclidean norm of g is small compared to the determinant of I. Then K and I are public -with I which can be given by the Hermite Normal Form of a basis matrix of I for example -and g is the private key. The security of the cryptosystem relies on the hardness of finding g or another short generator. Finding a generator is called the Principal Ideal Problem (PIP) and is referred as one of the main tasks of Computational Number Theory by Cohen in [11]. Finding a short generator is referred as the Short Principal Ideal Problem (SPIP). The first advantage of such a system compared to a general lattice based system is that instead of storing a n 2 matrix to designate the lattice we can use a more compact representation. We therefore need less space to store the public and private keys. Moreover the algebraic structure of the fields we are working with allows faster computations. Because of this efficiency, ideal lattices -and more generally structured lattices -are under a lot of investigation to evaluate the security of lattice-based cryptosystems. By default an attack to recover the generator g is done in two steps: (i) recover a generator h of I; (ii) find a short generator given h.
The first step corresponds to the PIP which is considered a hard problem in classical computational number theory. However it is shown that it can be efficiently done by using quantum computing as in [6]. The second is a reduction phase which is the kind of tasks that seem difficult even for quantum computers. In order to solve it, one may use the structure of the set of generators of I and the Log-unit lattice. This strategy was mentioned in [9] where it was claimed that in the case of cyclotomic fields the group of cyclotomic units has a good enough geometry in the Log-unit lattice to help recovering a short secret vector. A proper analysis of this situation has been done in [13] where the authors gave a bound for the norm of the vectors of the dual basis. More precisely they analysed a subgroup of the unit group which is easily computable and whose index is small i.e. close to 1. They showed that one can shorten a generator with respect to this subgroup and that an enumeration process allows to retrieve a short generator with respect to the full unit group. In [4] the authors studied another family of fields, namely the multiquadratic fields, and were able to recover a short generator of an ideal in classical polynomial time for a wide range of fields.

Objectives and results
In this paper we study the case of real multicubic fields i.e. fields generated by real cube roots of integers. We aim to show that such fields should not be used for cryptography in a post-quantum setting i.e. that one can retrieve a short generator using the Log-unit lattice. For this purpose we prove that their algebraic structure is similar to the one of multiquadratic fields so that the framework of the attack in [4] can be adapted to multicubic fields. We are able to compute units of degree 3 n number fields for n up to 5. Experiments on the PIP show a success rate similar to the ones presented in [4].

Future work
Further work can consist in improving the results on multicubic fields and generalise the approach to number fields generated by p-root of integers for bigger primes p. This could lead to a better understanding on what can be done regarding ideal lattices. Moreover it would be interesting to work on other important tasks of computational number theory over these fields such as computing the class group. Another direction would be to study number fields with more complicated structures in order to look whether we can again find a good basis for the Log-unit lattice or not.

Background
Notations : The inner product is denoted by (︀ · | · )︀ . When we consider a tuple (λ 1 , . . . , λn) we can designate it by λ. An interval in the integers will be written Ja, bK. Given a rational number a we will write 3 √ a or a 1 3 its real cube root.

Lattices :
A lattice is a discrete subgroup of R n where n is a positive integer. A basis of a lattice L is a basis of L when considered as a Z-module. One way of representing a lattice is then to consider the matrix of a basis of the lattice. Let us denote by λ 1 (L) the norm of the shortest non zero vector of L. There is an approximation of λ 1 (L) called the Gaussian heuristic which tells that the expected value of λ 1 (L) is in O( √ r × r √︀ det(L)) where r is the rank of L. This gives an expected value for the norm of what we call a short vector. The classical problems over lattices are : (i) the Shortest Vector Problem (SVP) : «Given a a lattice L of dimension n, find u ∈ L \ {0} such that ‖u‖ = λ 1 (L) »; (ii) the Closest Vector Problem (CVP) : «Given a lattice L of dimension n and t ∈ R n , find u ∈ L such that ∀v ∈ L, ‖t − u‖ ‖t − v‖; »; (iii) the Bounded Distance Decoding (BDD) : «Given a basis B of a lattice L, a target vector t such that d(t, L) < λ 1 (L)/2, find the lattice vector v ∈ L closest to t. ».
In practice we can consider relaxed versions of these problems with respect to an approximation factor. For general lattices these problems are NP-hard thus at least as hard as factorising for example. Moreover we do not have any result showing that quantum computers can solve these problems for general lattices. These problems are easier to solve if we have a good basis at our disposal i.e. a basis built with relatively short vectors which are nearly orthogonal to each other.
Despite the hardness of these problems over random lattices, high-dimensional lattices are large objects and slow to handle. A way of copping with that is to work with lattices with extra algebraic structure such as ideal lattices. However this can introduce a security weakness as it may be easier to find good basis related to such lattices or to use the algebraic structure to solve lattice problems.

Number Fields :
We will quickly recall some facts about number fields. A number field K is a field which is a finite extension of Q. It can always be described as a polynomial quotient ring where P(X) is irreducible in Q[X]. Equivalently if we choose θ to be any root of P(X) we can see K as Q(θ) the smallest field containing Q and θ. If we write n the degree of P(X) then the dimension of K over Q -written [K : Q] -is n.
There are n distinct complex field embeddings K ˓→ C denoted by σ 1 , . . . , σn. They map θ to the other complex roots of P(X). We will write Hom(K, C) for this set. Among them we have r 1 real embeddings and r 2 pairs of complex embeddings. The two elements of a given pair are conjugates one from each other. It is the usage to denote by σ 1 , . . . , σr 1 the real embeddings and to consider that σ j+r2 = σ j for all j ∈ Jr 1 + 1, r 1 + r 2 K. Given a complex embedding σ ∈ Hom(K, C) the set {x ∈ K | σ(x) = x} is a subfield of K. We will denote it by Inv(σ) or Kσ to follow notations used in [4].
The Galois Group of a field extension L/K denoted by Gal(L/K) is the group of field automorphisms of L which are congruent to the identity when restricted to K. It is a subset of Hom(L, C). An extension L/K is called a Galois extension when the cardinality of Gal(L/K) equals the dimension [L : K]. Moreover the Galois correspondence states that given a Galois extension L/K there is a one-to-one correspondence between the subgroups of Gal(L/K) and the subfields of L containing K. Given a subgroup H of Gal(L/K) we will write Inv(H) the corresponding subfield of L. In the case of a number field K we say it is a Galois field if it is Galois as an extension of Q. For example the cyclotomic fields are Galois number fields as well as the multiquadratic fields. However this property is not verified by a general number field K and we have to consider the Galois closure of K, denoted bỹ︀ K, which is in fact the smallest extension containing all the roots of the irreducible polynomial P(X).
One ring of particular importance is the ring of integers of K denoted by O K . It consists of the elements of K which are roots of a monic polynomial of Z[X]. This ring as well as its ideals are full rank sub-Z-module of K. The images of O K and of any ideal I of O K under the action of any embedding of K into R n are lattices. The usual embedding corresponds to view a number field K as a quotient Q[X] (f (X)) . Then every element g(X) = g 0 +· · ·+gn X n of K can be seen as the vector with coordinates (g 0 , . . . , gn) in R n . The other fundamental example is called the Minkowski embedding and is It has a specific structure that we can take advantage of. Given a number field K of degree n with n = r 1 + 2r 2 as before, we have This isomorphism which allows to see the units of O × K modulo its torsion group as a lattice is realised by an important embedding which is the Log-embedding of K. It is defined as The set Log K (O × K ) is a lattice of the hyperplane orthogonal to the all ones vector. It is called the Log-unit lattice. Sometimes we define the Log-embedding by using all of the embeddings σ i . By doing so the Log-unit lattice is a lattice of rank r 1 + r 2 − 1 in R n .
Given a family (x 1 , . . . , xn) of a number field K the discriminant D(

Ideal lattice cryptosystem :
Recall that ideal based cryptosystems such as presented in [15,16,20] have in general a private key which is a short generator of a public ideal I. The security of such cryptosystems relies on the supposed hardness of finding such a generator given an ideal, problem called the Short Principal Ideal Problem. The Principal Ideal Problem consists in finding any generator of the principal ideal i.e. given an ideal I = gO K , find some h such that I = hO K . As mentioned the process done to solve the SPIP relies essentially in two steps : solve the PIP and then shorten the retrieved generator. The set of generators of I is {gu | u ∈ O × K }. Therefore solving the PIP yields h = gu with u ∈ O × K . It is then possible to retrieve g from h by finding u. This is where we can use the Log-unit lattice. If we transpose the situation with the Log-embedding, for every generator h we have Log K (h) = Log K (g) + Log K (u). Using that remark and finding the element of the Log-unit lattice closest to h it is possible to retrieve g. This corresponds to solve the Closest Vector Problem (CVP) with respect to the target h and the lattice Log O × K , and even the BDD because we know the generator g is short. The success of such a method is therefore dependent on the particular geometry of the Log-unit lattice meaning that we want to have access to a somehow good basis i.e. orthogonal enough. This attack requires to (i) solve the PIP : this is considered hard classically and can be done in quantum polynomial time; (ii) compute O × K : as the PIP this is considered hard classically and can be done in quantum polynomial time; (iii) shorten a generator h by solving the BDD with respect to Log K (O × K ) : this will depend on the basis obtained.

Multiquadratic fields :
Multiquadratic fields are fields which are generated by a sequence of square roots of integers √︀ d 1 , . . . , √ dn. In [4] Bauch and al. proved that it is possible to compute the units O × K and solve the PIP efficiently using only a classical computer. This goes even further than for cyclotomic fields. They use the full unit group to solve the SPIP corresponding to the second part of an attack on an ideal lattice. In order to be able to do all of that they take advantage of the special structure of a multiquadratic field, particularly that it has a lot of subfields which are multiquadratic fields too. As in the cyclotomic case they exhibit a subgroup of the unit group that they call multiquadratic units. We can denote it by U. This subgroup is generated by the fundamental units of all quadratic subfields. Under the Log-embedding it constitutes a full rank sublattice of Log K (O × K ) and the fundamental units of quadratic subfields form an orthogonal basis. This is the best situation possible to solve lattices problem. However even if [O × K : U] is finite it is too large to be used in the same way as cyclotomic units are. It is however the fundamental stone to build the whole unit group. The algorithms of [4] rely essentially on the Lemma 5.1 which can be stated as Lemma 2.1. Let K be a multiquadratic field of dimension 2 n . Then for all x ∈ K where K 1 , K 2 and K 3 are multiquadratic subfields of K of dimension 2 n−1 . Moreover if x is a unit then the fields can be replaced by their unit group.
We see that if it is possible to compute the unit group of multiquadratic fields of degree 2 n−1 then we can The authors of [4] then prove that we can retrieve O × K from G with high probability. This last step require to compute square roots of element of K. Therefore in order to construct O × K from the units of subfields of K of degree 2 n−1 we only have to carry out products and square root operations. All of these can be done quickly in K. The algorithm then works recursively. It will compute the fundamental units of all the quadratic subfields using classical algorithms and will build the whole unit group by doing products and square root extractions. In order to solve the PIP in multiquadratic fields the authors of [4] use again the previous Lemma. If I = gO K is a principal ideal then g 2 = g 1 g 2 g 3 where the g i are the generators of the relative norm ideals N K/K i (I) which are ideals of O K i respectively. As before the algorithm works recursively to compute an element h which is a generator of I 2 then use the unit group to retrieve a generator of I. The last step of the attack is then carried using the Log-unit lattice and using a rounding algorithm. The results of experiments show a high rate of success.

Multicubic fields
In this section we will study multicubic fields i.e. number fields generated by cube roots of integers. Cubic fields have been well studied and one can find several results in textbooks or papers. See for instance [2,11]. We still present some facts useful to our presentation. However we could not find papers on multicubic fields dealing with the results we are interested in. We prove that the structure of multicubic fields is similar to the one of multiquadratic fields so that the attack of Bauch and al. can be adapted. The facts that are needed for the algorithms to work are the following: -every subfield of a multicubic field is a multicubic field; -there is a structural result similar to Lemma 2.1 so that we can work recursively on subfieds.
Moreover we show that the situation in the Log-unit lattice is also similar because the fundamental units of the cubic subfields form an orthogonal basis of a full-rank sublattice.

First structural results
First we will present several facts concerning multicubic fields useful for our study. Let us start with a lemma on cubic fields that we will use later.
Remark 3.3. The sequence elements not being cubes forbids Q to be a multicubic field. Moreover we consider only real cube roots. We have not supposed anything more about the defining sequence. For example several elements could be equal to each other. However we can always find a minimal sequence whose length will be proved to be equivalent to the dimension of the corresponding multicubic field. )︁ and by hypothesis L can be defined by cube-free integers d 1 , . . . , dn verifying the desired property. First we can assume that c m+1 is cube-free. Secondly the integers d 1 , . . . , dn , c m+1 define K as a multicubic field. If they verify the property then nothing more needs to be done. Suppose now that for some (α 1 , . . . , αn , α) ∈ J0, 2K n+1 \{0} and a ∈ Z. By induction hypothesis the product n ∏︀ i=1 d α i i is not a cube if (α 1 , . . . , αn) ≠ 0, therefore α ≠ 0 and we can write meaning that we have K = L and that K verifies the desired property.
Proof. Consider α ∈ J0, 2K n \ {0}. There is i ∈ J1, nK such that α ≠ 0. Then the product d α1 1 × · · · × d αn n is not a cube so d α 1 3 1 × · · · × d αn 3 n is not rational and therefore generates a subfield of K of degree 3 over Q. The subfields of the form considered are then cubic. Now consider two elements α and β such that By Lemma 3.1, this is equivalent to the existence of a rational a such that one of the three following possibilities is true : Now consider µ and ν two non-zero elements of (F 3 ) n . Write in Z the equality µ i = ν i + r i + 3q i with 0 r i < 3 for all i ∈ J0, nK. Then we have since no product of d i 's with corresponding exponents less than 2 can be a rational cube except for the trivial one, for we suppose the sequence d 1 , . . . , dn to be reduced. Combining this with the three previous possibilities we indeed obtain the searched equivalence relation. The claimed number of such cubic subfields is directly deduced by counting the possible α modulo this relation. n ) defined by a reduced sequence and α ∈ J0, 2K n \ {0} we denote by Kα the cubic subfield of K generated by the product (ii) When considering these subfields we will therefore identify J0, 2K n with F n 3 . Given a fixed multicubic field defined by a reduced sequence, cubic subfields in the form mentioned in Proposition 3.6 are in one-to-one correspondence with elements α ∈ J0, 2K n modulo multiplication by 2 over F 3 , which is the same as the colinearity relation over the vector space (F 3 ) n . Therefore these cubic subfields are univoquely parametrised by the lines or the hyperplanes of (F 3 ) n . When considering these subfields we will therefore identify J0, 2K n with (F 3 ) n . (iii) In fact we will see that all cubic subfields of a multicubic field are pure cubic fields of the previous form.
In order to study multicubic fields further we need to examine the set of the complex embeddings Hom(K, C).

Set of complex embeddings and other results
Fix a set of n distinct integers {d 1 , . . . , dn} supposed to constitute a reduced sequence as before and let K be the multicubic field associated to it. The degree of K over Q is at most 3 n . Given an embedding of K into C, its action can be fully described by its action on each 3 √︀ d i and therefore by the embedding it defines when restricted to each of the cubic fields We suppose d i to be cube-free so X 3 − d i is irreducible over Q. We then have the following isomorphism We will denote these embeddings by σ (0) i , σ (1) i and σ (2) i . Remark that σ (0) i is the identity, that σ (1) i and σ (2) i are complex embeddings conjugate one to each other. Moreover all this description still applies to any cube-free integer m and the field Q (︁ m 1 3 )︁ , especially to the fields Kα. Thus we will similarly denote the three complex embeddings of Kα by σ (0) α , σ (1) α and σ (2) α . Finally any embedding K ˓→ C can be described as Given such a decomposition, the corresponding embedding will be written σ (β) .

Remark 3.8.
We can see that in this situation too the sets J0, 2K n and (F 3 ) n can be identified. Then the data of an embedding of K into C is equivalent to the data of a point in (F 3 ) n . We do not know yet if all such points can be obtained, which is equivalent to proving that the dimension of K is 3 n .
We will see that the duality of complex embeddings of K relatively to cubic subfields Kα can be expressed as a duality situation in (F 3 ) n thanks to their geometric interpretation as points and hyperplanes. This will help in proving the following.
We will study the action of an element σ (β) of Hom(K, C) on a cubic subfield Kα. Recall that the three possi- We will relate the action of a morphism σ (β) on a field Kα to a geometric relation between α and β as said earlier. Recall that we can think of α as an hyperplane and β as a point in the vector space (F 3 ) n . Let us fix some notation. Given α ∈ (F 3 ) n \ {0} and t ∈ F 3 we will write Hα(t) the affine hyperplane of (F 3 ) n defined by the equation α 1 X 1 + · · · + αn Xn = t.
Remark 3.11. We see that in order to analyse how the action of the embeddings of K are distributed among the different cubic subfields we have to do some affine geometry. First, the data of a cubic subfield is the same as the data of α modulo multiplication by a non-zero element of F 3 or equivalently the vectorial hyperplane Hα(0). One can verify that the relation of the previous Proposition is coherent with the equality of Kα and K 2α by making the observation that Hα(2t) = H 2α (t).
Now we will describe more precisely the action of the morphisms σ i for i ∈ J0, nK.
Lemma 3.12. Let K be a multicubic field defined by a reduced sequence d 1 , . . . , dn. Then for all α ∈ (F 3 ) n , i ∈ J0, nK and k ∈ J0, 2K we have Proof. This is applying the above Proposition and remarking that this is true for a null α.
Lemma 3.13. Let K be a multicubic field defined by a reduced sequence of integers d 1 , . . . , dn. Suppose that K verifies the properties of Theorem 3.9. Then for all x ∈ K the following assertions are equivalent : Proof. Consider x ∈ K. We already know that the second assertion implies the first one. Suppose now the first condition to be true. Since we assumed K to verify the properties of Theorem 3.9, x can be written as There is nothing to prove if Supp(x) is the void space so we assume it is not trivial. The property being true for all morphisms is equivalent to be true for σ i for all i ∈ J1, nK. Fix such an integer. We can write x = x 0 + x 1 + x 2 with . Let us show that x is equal to x k i . We will do the calculation for k = 1 and omit the two other cases since they are almost identical. Therefore we have This is equivalent to x 0 − x 2 × ζ 3 = 0 and since x 0 and x 2 are real numbers it is equivalent to x 0 = x 2 = 0, and we can conclude The action of the morphism σ i forces the elements of Supp(x) to have a fixed ith coordinate. Geometrically Supp(x) is included in an hyperplane of (F 3 ) n . By considering all of such morphisms we can see that we have is not trivial so it is equal to this point and we can finally 3 which gives us the desired result.
Now that we have these results we can prove Theorem 3.9.
Proof. We will proceed by induction on the length n of the sequence d 1 , . . . , dn. We proved the case n = 1 during the discussion at the beginning of the subsection. Now fix some integer n 1 and suppose the searched results to be true for this n. Let K be a multicubic field defined by a reduced sequence d 1 , . . . , d n+1 .
Consider L the multicubic field defined the reduced sequence d 1 , . . . , dn.
show that K has degree 3 n+1 over Q. Since by induction [L : Q] = 3 n , we need to prove that d 1 3 n+1 does not belong to L. Suppose the contrary. Every element of Hom(L, C) permutes the roots of X 3 −d n+1 therefore sends d 1 3 n+1 to some ζ k 3 d 1 3 n+1 with k ∈ J0, 2K. By induction hypothesis L verifies the properties of the Theorem so we can apply Lemma 3.13 to L and d 1 3 n+1 obtaining This is impossible because the sequence d 1 , . . . , d n+1 is reduced. Therefore we have d 1 3 n+1 ∉ K and [K : Q] = 3 n+1 . Let us now prove that the complex embeddings of K are exactly those of the described form. Using the induction hypothesis it is clear that there are 3 n+1 such morphisms and this gives us the desired result.
We will pursue the study of complex embeddings of multicubic fields by considering its Galois closure. We will be able to deduce from this other structural results on the field considered. Let us fix K a multicubic field generated by a reduced sequence d 1 , . . . , dn. We will see thatK is K(ζ 3 ). Given σ ∈ Hom(K, C) a complex embedding of K we will writeσ the field morphism of K(ζ 3 ) obtained as and τ the morphism which acts as the complex conjugation.
Proposition 3.14. The Galois closure of K is then K(ζ 3 ) and its Galois group is generated by the set {τ} × Proof. The field K(ζ 3 ) has dimension 2×3 n over Q. Therefore in order to prove that it is Galois with the claimed Galois group it suffices to prove that the last has cardinality 2 × 3 n . Denote it by G for the sake of the proof. By the previous study on complex embeddings of K we already know that the group generated by theσ i has order 3 n which divides the order of G. Moreover the complex conjugation has order 2 which again divides the order of G. Therefore 2 × 3 n divides the order of G which is smaller than the dimension of K(ζ 3 ) and we have the desired result. Now let us prove that G has the announced structure. We already stated that the complex conjugation has order 2. Clearly theσ i commute and we haveσ k i (d 1 3 i ) = ζ k 3 d 1 3 i proving that all of theσ i have order 3 and that they generate a subgroup isomorphic to ( Z 3Z ) n . Let us prove that the last relation holds. For all i ∈ J1, nK we have and which means that τσ i τσ i is indeed the identity morphism onK.

Remark 3.15.
We can see that any element of Gal(̃︀ K/Q) can be written uniquely as As said before we will use the Galois group to study the structure of the multicubic field K. Recall that given a Galois extension M/N there is a correspondence between subgroups of the Galois group Gal(M/N) and subfields of the extension, which is given by invertible decreasing maps. Remark 3.16. Let F be a subfield of̃︀ K. Then F is a subfield of K = Inv(τ) if, and only if, the group associated to F contains τ.
One of the first properties that we can deduce from the structure of the Galois group is that the cubic subfields of the form Kα considered previously are all of the cubic subfield.
Proof. Consider F a cubic subfield of K. The associated subgroup H of the Galois group Gal(̃︀ K/Q) is generated by a set Since F is real we know that τ belongs to H and we can consider that we have and therefore we can see that the data of H is the same as the data of the subgroup generated by S \ {τ} which is a subgroup of ( Z 3Z ) n . Moreover we have [̃︀ K : F] = 2 × 3 n−1 thus the order of H is the same by the Galois correspondence and therefore the group generated by S \ {τ} has order 3 n−1 . Cubic subfields of K are then in one-to-one correspondence with subgroup of ( Z 3Z ) n of order 3 n−1 . Counting the last is equivalent to counting sub-vector spaces of (F 3 ) n of dimension 3 n−1 or 3. Their number is We saw in Proposition 3.6 that there are 3 n −1 2 cubic subfields of the form Kα. The cubic subfields are of particular interest for us because as in the multiquadratic case, we will compute their units and construct from these the units of K. As we will see later their number is the one we need. Lemma 3.17. Any subfield F of K of degree 3 n−1 is of the form Inv(σ (β) , τ) and is a multicubic field.
Proof. We have [̃︀ K : F] = 6 therefore the associated subgroup H of Gal(̃︀ K/Q) has order 6. Since F ⊂ K we know that τ is in H and by using the orders we can conclude that H is generated by τ and only oneσ (β) with β ≠ 0. Let fix these notations for the proof. We write I = {i 1 , i 2 , . . . , ir} the set of indexes of the non-zero coefficients of β. We can suppose i 1 < · · · < ir. Now consider the sets Then the cardinal of T is r − 1 and any element of T is invariant under the action ofσ β . The field L = Q (S ∪ T) is therefore a field defined by n − r + r −1 = n −1 cube roots of integers and its elements are invariant under the action ofσ (β) . Recall that we assumed the sequence d 1 , . . . , dn to be reduced. This implies that neither the elements d j nor the elements d 2−δ β i 1 ,β i k i1 d i k are cubes. Thus we know that L is a multicubic field. Let us show now that the sequence defined by S ∪ T is a reduced sequence. First write for simplicity λ i k = 2 − δ β i 1 ,β i k which is 1 or 2. Consider now without any loss of generality that we have I = J1, rK. Let (α 2 , . . . , αn) ∈ (F 3 ) n−1 and assume that -where α 1 = ∑︀ r k=2 λ k α k -is a cube. We can write α 1 = 3q + r with 0 r < 3 thus the product is a cube. But (r, α 2 , . . . , αn) ∈ F 3 and the sequence (d 1 , . . . , dn) is reduced therefore r = α 2 = · · · = αn = 0. Consequently the sequence defined by S ∪ T is reduced too. Now L is a multicubic field defined by a reduced sequence of length n − 1 so by Theorem 3.9 it has degree 3 n−1 . Finally L ⊂ F and they have the same degree so they are identical which means that F is indeed a multicubic field. The induction hypothesis states that L is multicubic field and we can apply again the previous Lemma to the extension L/F to conclude that F is a multicubic field too.
We see that the structure of multicubic fields is similar to the one of multiquadratic fields even if they are not Galois. This structure will allow us to work recursively and fasten considerably our computations. The following result is similar to Lemma 5.1 in [4] and is a generalisation of a result over bicubic fields proved by Charles Parry in [18].
Notation : For now on ifσ is an element of Gal(̃︀ K/Q) we will denote by Kσ the field Inv(τ,σ) =Kσ ∩ R, and by H(K) the subgroup {σ | σ ∈ Hom(K, C)}. Proof. As mentioned before the proof relies exactly on the same idea that appears in [4,18]. For every element x ∈ K we can rewrite the cube as Then for all w ∈ {u, v, uv, u 2 v} we write xw the relative norm element corresponding to w in the previous expression. Since x is an element of K any of the norm in the numerator NK /Kw (x) is in the fact the same as the relative norm N K/Kw (x) which is an element of Kw. The relative norm is in R as well as the numerator therefore The statement concerning units is clear given the algebraic expression of the elements as relative norms.

Unit Group
The structure of the unit group of a number field is related to its complex embeddings. Consider a multicubic field K defined by a reduced sequence d 1 , . . . , dn. We can see that a multicubic field K has only one real embedding -the identity -and 3 n −1 complex ones. Therefore we know that the group of units O × K is isomorphic to In the special case of the cubic subfields Kα we have Then for every α we can write with ϵα > 1 just as in the quadratic case. This specific generating unit will be called the fundamental unit. Just as the authors of [4] defined the subgroup of multiquadratic units we will define the subgroup of multicubic units using the units of cubic subfields. Just as in the multiquadratic case we will see that MCU is a full-rank subgroup of O × K and that the basis {︀ ϵα | α ∈ (F 3 ) n }︀ yields an orthogonal basis under the action of the Log-embedding.
Notation : Given an integer k and a subset S of a field F we will denote by S k the set {x k | x ∈ S}.
Proposition 3.21. Let K be a multicubic field of degree 3 n . Then we have Proof. The result is trivial for n = 1. Now assume it is true for some fixed n 1 and let K be a multicubic field of degree 3 n+1 . As stated in Proposition 3.19 we have with u, v being two elements of H(K) . Then for every w ∈ {u, v, uv, u 2 v} the field Kw is a subfield of K of dimension 3 n . Since it is a multicubic field too it verifies the recursion hypothesis. Therefore (O × Kw ) 3 n−1 is included in MCU(Kw) which is itself included in MCU(K). Thus we have We have proven the first result. The property on the index follows immediately from (O × K ) 3 n−1 < MCU(K) < O × K and the fact that the units of a multicubic field of degree 3 n is a free group of rank 3 n −1 2 . The previous tower of groups shows that MCU is indeed a full-rank subgroup of O × K and since the cardinal of the generating set {︀ −1, ϵα | α ∈ (F 3 ) n }︀ equals the rank of the group we can conclude that this set is a basis of MCU.
In order to study the geometry of the lattice Log K (MCU) we need to evaluate the action of each embedding σ (β) on the units ϵα which is induced by the action of the embedding on the cubic field Kα and thus on d α 1 3 1 × · · · × d α 1 3 n . Recall that we introduced a geometrical point of view regarding this duality situation in Subsection 3.2. We will use it to describe properly the vectors Log K (ϵα). The following proposition can be deduced from known affine geometric results. V and a family (f 1 , . . . , fr) in V we will write Vect(f 1 , . . . , fr) the subvector space generated by this family. )︃ ∩ H (t).

Notation : Given a vector space
If we transfer this in the setting of number fields and embeddings, we can tell that the actions of the embeddings of a multicubic field K into C are uniformly distributed among the cubic subfields of the form Kα. This well distributed duality will give rise to a nice geometric situation in the Log-unit lattice. Here we consider the Log map as follow

Proposition 3.23. Consider a multicubic field K
form an orthogonal family in R 3 n .
Proof. Consider α and two elements of (F 3 ) n independent over F 3 . We will evaluate the scalar product of Log K (ϵα) and Log K (ϵ ).
Now we will use the geometric properties described before to rewrite the sum over well distributed subsets. First recall that (F 3 ) n = ⨆︀ t∈F3 Hα(t) which allows us to write We can decompose the hyperplanes Hα(t) as Hα(t) = ⨆︀ s∈F3 Hα(t) ∩ H (s) and we can write In the right-hand side of the previous equality, every term of the second sum have the same value. Moreover the set we are summing over has 3 n−2 elements since it is a (n − 2)− dimensional affine variety of (F 3 ) n . This gives us ∑︁ and the scalar product can be rewritten The elements ϵα and ϵ are units thus their algebraic norm is ±1 and the scalar product is The orthogonality of the vectors Log K (ϵα) assures that we are in the best situation possible to solve problems in the lattice Log K (MCU). However in order to use this sublattice to decode in the Log-unit lattice it would need to be close from Log K (O × K ) which is not the case experimentally. We can evaluate the norm of the basis vector of Log K (MCU).

Lemma 3.24. Consider a multicubic field K
Proof. By following the same arguments as in previous calculations we can write but Hα(t) has 3 n−1 elements so Now we will be able to express the norm of Log K (ϵα) in function of the value of ϵα. Proof. We will use the expression found in the previous lemma and express the quantity ‖Log Kα (ϵα)‖ 2 . First recall some facts. We have ϵα > 1 therefore log(|ϵα|) = log(ϵα) > 0. Moreover the quantity σα(ϵα) and σ (2) α (ϵα) are conjugates thus they have the same modulus. We can write ‖Log Kα (ϵα)‖ 2 = (log(ϵα)) 2 + 2(log|σα(ϵα)|) 2 .
The searched equality is found by taking the square root of the previous equation.

. Assume that d is in one of the four possibilities of Proposition 3.29. Then the absolute discriminant of K verifies
3 n + 3 n−1 − 1 2 (ii).

Algorithms and experiments
In all the following we will consider multicubic fields defined by reduced sequence. Fix the field K = Q(d n ). We proved that K has dimension 3 n over Q and that the elements of the form with α ∈ J0, 2K n form a basis of K/Q. In fact we can consider the cube-free part of each of these elements which we will do in all the following. Therefore elements of K are represented as vectors of length 3 n with rational coefficients. Moreover we can see K as a relative extension of degree 3 over a multicubic subfield of dimension 3 n−1 over Q. The most natural is to write K as L(d 1 3 n ) with L = Q(d As we saw already one important tool for us is the Log-embedding. As in [4] we will not compute the exact Log-embedding but an approximate version of it, very much like the authors did. This leads us to represent any non zero element x ∈ K by the pair (x, ApproxLog K (x)) where x is a vector with rational coefficients as described before and ApproxLog K (x) will be a vector as described later.
In the following we make an extensive use of the LLL algorithm presented in [17] to solve multivariate linear systems.

General procedure
In [4] the authors compute units of a multiquadratic field K as follow : (i) Recursively compute the units of three subfields K 1 , (iii) Calculate their square roots.
For multicubic fields this general procedure can be followed : only replace "squares" by "cubes" and consider four subfields in the first step as in Proposition 3.19. The step (ii) can be directly adapted and is described in Subsections 4.1 and 4.2 however computing cube roots is more complicated as seen in Subsection 4.3.

Finding Good Primes
As in [4] we will need to be able to find primes verifying fixed cubic conditions with respect to the d i 's. Consider (d 1 , . . . , dn) a reduced sequence and C = (c 1 , . . . , cn) ∈ {0, 1} n . A good prime for d and C is a prime p such that d i is a cube modulo p if, and only if, c i is 1.
In particular we need to find good primes p for the condition sequence (1, . . . , 1) in order to construct morphisms from K * into finite fields Fp. Remark that the primes should not divide any of the d i . Now if we fix a prime p > 3 we have the following situation : -if p ≡ 1 (mod 3) then Fp contains a fundamental cube root of unity and  condition (1, . . . , 1) to be verified we might consider primes only congruent to 2 modulo 3 as long as we do not need a non-trivial cube root of 1 to be in the field Fp. Otherwise we have to consider primes which are congruent to 1 modulo 3.
Let us now describe how the algorithm operates in this case. First we have to draw a prime p and verify that it is not congruent to 2 modulo 3. This happens with probability 1 2 . Then we have to check whether the sequence of cube conditions C is verified by (d 1 , . . . , dn) and p. We know that d p− 1 3 i (mod p) has order 1 or 3 which is equivalent to d i being a cube or not. We have therefore Algorithm 1 named OneGoodPrime where we make use of two functions : CheckCubeCondition which has been explained and DrawPrime which corresponds to the way we select the candidates for the prime numbers. One can follow [4] and generate a random prime number in a range given as argument. We could also generate a random prime first and then draw the next prime.
In average the algorithm will try 3 n 2 n−Hw(C) primes before finding one verifying the condition sequence C. In particular the probability that all d i 's are cubes in Fp is 1 3 n and the algorithm will try 3 n primes before finding one verifying the condition sequence C = (1, . . . , 1).

Complexity :
We obtain a complexity essentially in O(N).

Detecting cubes
One important procedure in [4] consists in finding non trivial products of a given family of K * which are squares. In the case of multicubic fields we need to detect cubes. We consider U = ⟨u 1 , . . . , um⟩ a subgroup of K * . We need to compute non trivial "cubic characters" from U to F 3 . To do so we will use several primes p to create non trivial morphisms from Z[d 1 3 1 , . . . , d 1 3 n ] to Fp which can be extended multiplicatively to U.
In order to create morphisms from Z[d 1 3 1 , . . . , d 1 3 n ] to some Fp we need to find a p such that every d i is a cube modulo p i.e. verifying the cubic conditions C = (1, . . . , 1). This is done with Algorithm 1. Such a morphism can be extended to all elements of K whose denominators are not divided by p. For this morphism to be defined on U it is sufficient that p does not divide the denominators of the u i 's. We then verify that the embeddings of the u i 's are not zero so that the morphism restricted to U is not trivial. Now suppose a prime p has been selected. Write ϕp the morphism it induces as explained before. We want to create a character i.e. a group morphism U −→ F 3 in order to detect non trivial cubes in U. Similarly to [4] we use the cubic character F * p −→ F 3 which corresponds to the natural morphism F * 3 . Remark that p needs to be congruent to 1 modulo 3 because we are looking for a non trivial morphism. Denote by ζ 3,p a fundamental root of unity in Fp. Let us now describe how this morphism can be realised. For any y in Fp we know that y p−1 3 is a cube root of unity in Fp. Therefore it can be expressed as ζ λy 3,p with λy = log ζ3,p , (y) ∈ J0, 2K. We can see that the canonical morphism can be written As a cubic character induced by p we will therefore consider Remark that if u is a cube in O × K then ϕp(u) is also a cube in Fp but the opposite is not true in general. So if u is a cube then u ∈ ker χp. Therefore to properly detect non trivial cubes in U we need to use several primes. First remark that the character induces a morphism χp : The group U U∩(K * ) 3 is isomorphic to some ( Z 3Z ) m ′ with m ′ r. Moreover it can be seen as F 3 -vector space. Following [8] as in [4] if we consider characters χp to be uniformly distributed elements of the dual of this vector space, drawing sufficiently enough of them will detect cubes. We can adapt Lemma 8.1 of [8] to F 3vector spaces to say that m ′ + s uniformly drawn primes generate the dual of U U∩(K * ) 3 with probability at least 1 − 3 −s . Therefore by choosing s large enough the cubic characters χp 1 , . . . , χp m+s would generate the dual with high probability and the intersection ⋂︀ s i=1 ker χp i would be the orthogonal of the dual i.e. U ∩ (K * ) 3 . This allows us to have Algorithm 2 which returns a matrix of exponents expressing a generating set of non trivial cubes in U ∩ (K * ) 3 . The fact that the exponent are non trivial means that the cubes are not in U 3 so generate . As mentioned before with s large enough we have a very low probability of yielding an exponent vector λ such that ∏︀ m i=1 u λ i i is not a cube. Like the authors of [4] we never encountered such a case. Complexity : Generating a cubic character consists in applying Algorithm 1 to find a prime p and reducing the elements u 1 , . . . , um modulo p to verify that the morphism ϕp is defined and non zero on U = ⟨u 1 , . . . , um⟩. In order to calculate ϕp(u i ) we need to compute the cube roots of d 1 , . . . , dn, reduce the coefficients of u i and compute a sum modulo p. All of this can be done in O(NB) with B an upper bound on the number of bits of the coefficients of any of the u i . This is mainly due to reduction of u i modulo p. The computation of m + s characters is therefore in O((m + s)NB). We will consider m + s to be equivalent to N asymptotically so we obtain O (N 2 B). Finally the computation of the kernel of a matrix of size N over F 3 has complexity N 3 so the complexity of Algorithm 2 is O (N 3 + N 2 B).

Computing cube roots
Consider the following problem : «Given an element y in a multicubic field K = Q(d 1 3 1 , . . . , d 1 3 n ) which is a cube, compute its cube root ». In [4] the authors showed how to compute efficiently square roots in multiquadratic fields using only a few polynomial expressions. In a multiquadratic field E = F( √ d) -with F a subfield of E -consider h = g 2 . Then if we write h = h 0 + √ dh 1 and h = g 0 + √ dg 1 we have h 0 = g 2 0 + dg 2 1 and h 1 = 2g 0 g 1 . Moreover the algebraic norm N E/F (h) = N E/F (g) 2 is an element of E. So if we can compute squareroots efficiently in F we can know N E/F (g) = g 2 0 − g 2 1 d and then retrieve g 0 and g 1 using h 0 and h 1 . This require to compute one more square-root in F. The only obstacle in this procedure is the sign since a squareroot may have two distinct solutions. Doing such errors at each level of the recursive process can lead to an exponential number of possibilities to verify. However the authors of [4] overcame this difficulty and provided an efficient recursive algorithm to compute square-roots in multiquadratic fields. The problem of sign does not appear with cube roots. However the polynomial equations are more complex. Write x = x 0 + x 1 d 1 3 n + x 2 d 2 3 n and y = y 0 + y 1 d 1 3 n + y 2 d 2 3 n . Then we have : There is no straightforward way of transforming these equations into a cube that we could take advantage of. Therefore we choose to use a real embedding and a LLL reduction. This allows to progressively increase the needed precision and save the real lattice used to recover the coefficients. Let us now describe the procedures composing this algorithm. We use a function called RealBasisEmbedding which creates the vector of the basis elements of the multicubic field K computed in R to a given precision. Then we can create the matrix representing the basis as a lattice. Write v the column vector RealBasisEmbedding((d 1 , . . . , dn), l). We choose as a "real basis matrix" the following where C is a coefficient chosen to avoid errors due to the precision. We typically used C = ⌊ 3 n 12 ⌉. Now if a basis lattice matrix has been computed for a given precision here how one can try to fasten the computation of a basis lattice matrix to a bigger precision. First denote by v l1 and v l2 the real basis vectors given up to two precisions l 1 < l 2 . We can write with U being a unitary matrix. If we save this unitary operator we can then first calculate then apply the LLL algorithm to finally reduce the lattice. This reduction is done by multiplying by a unitary operator V and the full reduction can be written Therefore we can now save V × U and use the same process if we need to actualise again the precision. Now recall that we want to compute cube roots. Given L a real lattice matrix for K here how we can expect to do so. Consider y ∈ K as before. First compute x up to precision l in R. Write RealEmbedding this procedure and the returned value x l . Then create the row vector x = [x l | 0 | B] with B being a coefficient larger than the maximum euclidean norm of the rows of L. We can then build the matrix Algorithm 3 Compute a matrix representing the real embedding of the matrix of a multicubic field -RealLattice Require: A LLL-reduced real lattice matrix of (d 1 , . . . , dn), a unitary operator U, a precision l Ensure: A LLL-reduced real lattice matrix of (d 1 , . . . , dn) at precision l and the corresponding unitary oper- and apply a LLL algorithm to it. This can be seen as the overall reduction of which would reduce the last vector with respect to the real basis lattice. Considering the shape of the last matrix we expect the central part of the last row vector to be the vector of coefficients of Cx in K. We denote by CubeRootCandidate this procedure. Once we have this candidate we can check its validity by computing its cube and looking whether it is y or not. If not we can increase the precision and find another candidate. We can evaluate the needed precision with a function PrecisionEvaluation. This function takes y and n the number of primes defining K in argument. Experiments suggest that for a given degree the precision is linear in log(‖y‖ 2 ). However the slope increases with n and seems to be multiplied by a coefficient between 2 and 3. We choose to use 3 so the slope for K of dimension 3 n is 3 n−1 .

Remark 4.1. In fact as in [4] Algorithm 5 is valid only in Z[B]
where B is the chosen basis. But an element y = x 3 with integral coefficient can have a cube root with rational ones. Therefore, to ensure that the algorithm will finish, one has to compute the cube root of D 3 y with D ∈ Z such that Dx has integral coefficients. The dimension of the field 3 n is a valid choice, ensured by Proposition 3.31.
Complexity : The algorithm consists essentially in applying several LLL with coefficients of size given by PrecisionEvaluation. Denote by B an upper bound on the bit size of coefficients of y. Then the complexity of CubeRootCandidate would be O(N 5 B 2 ). We might have to increase the precision but experimentally it is only done a few times. We expect the complexity to stay in O(N 5 B 2 ).

Computing units
We will describe in this section the algorithm used to compute the units of a multicubic field. As mentioned before we will mainly proceed as in the multiquadratic case. We will recursively compute the units of chosen subfields and then retrieve the whole group by detecting cubes and computing their cube root. Therefore the algorithm can be seen as computing the subgroup MCU(K) and then deduce O × K only by doing products and

Algorithm 4 Compute a candidate for a cube root in a multicubic field -CubeRootCandidate
Require: An cube element y = x 3 in a multicubic field K of dimension N, a precision l and a real basis lattice of K for precision l Ensure: x ′ a candidate for x 1: x l ← RealEmbedding(y, l) cube root extractions in successive subfields. Moreover we represent any unit at each step of the algorithm for K as (u, ApproxLog K (u)) even if we are computing the units of a subfield. This can be done easily because we can compute the approximate logarithm of any element of MCU(K) by a function CubicApproxLog. Then we compute the approximate logarithm of other units by doing only sums and divisions by 3. Since the lattice generated by the multicubic units in the Log-unit representation has an orthogonal basis we compute ApproxLog K (O × K ) starting by an orthogonal basis of a sublattice and then only adding and dividing by three these vectors. In Algorithm 6 we use several sub-algorithms namely The first one is the classical unit group algorithm implemented in Magma. We apply it only to compute the multicubic units. The last two algorithms are adapted from [4] in the multicubic case. BasisFromGeneratingSet takes into argument a generating set of a subgroup of O × K and returns a basis. It is done by reducing the corresponding generating family in the Log K -representation. If the subgroup U is given by a generating family (u 1 , . . . , um) we apply a LLL algorithm on the matrix to reduce the matrix of the ApproxLog K (u i , l) and recover as well V the unitary transform. We therefore obtain a basis of ApproxLog K (U) and can compute the corresponding elements of K by using V. The stretched Iden-

Algorithm 5 Computing a cube root in a multicubic field -MC_CubeRoot
Require: An cube element y = x 3 in a multicubic field K = Q(d x ′ ← CubeRootCandidate(y, l, L) 8: end while 9: return x ′ tity matrix allows to recover a matrix V with relatively small relations in a way similar to what did the authors of [4]. The function UnitsFromCubes computes a generating set of O × K given a generating set of a subgroup U such that (O × K ) 3 < U < O × K . Let us write (u 1 , . . . , um) a generating set of U. The algorithm computes exponent vectors using the CubeKernel algorithm and obtains a basis of non trivial cubes in U. Then it computes their cube roots (v 1 , . . . , vr) using MC_CubeRoot and returns the family (u 1 , . . . , us , v 1 , . . . , vr). Following [4] it is not hard to see that the returned family generates the whole group O × K . Remark that the approximate logarithm of the resulting new vectors can be computed by sums and division by three. u ← CubicUnitGroup(K) 3: return (u, CubicApproxLog(u, l)) 4: else 5: Choose v, w two independent elements of H(̃︀ K) and recursively compute a basis of U V ← UnitsFromCubes(U) ◁ Algorithm 2 and Algorithm 5 7: U ← BasisFromGeneratingSet(⟨U, V⟩) 8: return U 9: end if Complexity : The complexity of the algorithm is Poly (N, B) where B is an upper-bound on the bit-size of the elements we are computing.

Principal Ideal Problem
Our main goal is to find a short generator for a given principal ideal of K. This problem can be solved by finding a generator first and finding a short vector using the Log-unit lattice. Since we can compute the unit group we "only" need to find a generator of an ideal. An ideal I can be described by several representations, for example: -an integral basis; -the two element representations that is used to fasten ideal based cryptosystem such as in [9,20].
We consider the more basic situation which is the first one. It has the advantage of being more general. However it is a much bigger representation and operations may be much slower. For example one fundamental operation on ideals for the PIP algorithm in multiquadratic fields and multicubic fields is the relative norm computation. Given an ideal I of a number field K and L a subfield of K the relative norm of I with respect to K/L is the ideal of L generated by the norms N K/L (x) for x ∈ I. If K/L is a Galois extension then we have This is for example the case if K and L are multiquadratic fields. Multicubic fields are not Galois however the situation is pretty similar. Instead of computing the product over Gal(K/L) we compute it over the complex embeddings which are the identity when restricted to L and the product is done iñ︀ K. Then one way of computing N K/L (I) given an integral basis (b 1 , . . . , bn) is to calculate all of the products ∏︀ σ σ(bσ) with bσ ∈ {b 1 , . . . , bn}, express them in basis of O K , then reduce the matrix obtained by calculating its Hermite Normal Form (HNF) for example and finally intersect with F. We can see that this requires to compute [K : L] − 1 product of ideals of K. The complexity of the HNF is polynomial in the degree of K however it is still quite slow. In Algorithm 7 the fields considered are K a multicubic field of dimension 3 n and L a multicubic field of dimension 3 n−1 . Therefore K/L is a degree 3 extension and the embeddings in Hom(K, C) which are the identity on L are {1, σ (β) , σ (2β) } for a given β. Therefore we need to compute two ideal products which are done by reducing matrices of 3 2n vectors in a HNF with 3 n rows.
The PIP algorithm in multicubic fields is similar to the one for multiquadratic fields as their algebraic structure are almost the same. Given an ideal I we compute recursively a generator for each of four norm ideals in subfields, combine them to yield a generator h of I 3 and finally find ϵ ∈ O × K such that hϵ is a cube to compute a = (hϵ) 1 3 . Like the computation of units, this relies on the structure of the field and Proposition 3.19. Indeed let us write I = gO × K . Then we know that we have g 3 = NK /Ku (g)NK /Kv (g)NK /Kuv (g) for any independent u, v in H(̃︀ K) . For clarity write N 1 , N 2 , N 3 , N 4 the four considered relative norm operators and g 1 , g 2 , g 3 ,g 4 the four relative norm elements such that .
Then for all i ∈ J1, 4K, g i is a generator of the principal ideal N i (I). If h i is a generator of N i (I) then we have h i = g i ϵ i with ϵ i a unit of the fixed subfield so of K. Then we have Finally if we find a unit ϵ such that hϵ is a cube we can retrieve gη by computing (hϵ) 1 3 . Once we have calculated the ideal norms, retrieved one generator for each of them and computed the element h as stated before we will find the unit ϵ the same way we find non trivial cubes in the algorithm for units. Write U the subgroup of K * generated by h and O × K = ⟨u 1 , . . . , um⟩. By following [4] we compute enough good cubic characters as in Remark that to solve the PIP in the cubic subfields in Algorithm 7, we use a classical algorithm named CubicPrincipalIdeal as we used CubicUnitGroup in Algorithm 6. Moreover it is not precised but we compute the approximate logarithm of the retrieved generators of cubic fields. Then we compute the logarithm of the final generator of I only doing sums and division by three.

Shortening of the generator
Now the problem that we want to solve is the SPIP. Assume that we know that I has a short generator.
Once a generator h of the ideal I is found, one can choose from several techniques to try to recover the secret g or a short enough generator. In [13] the authors used the dual lattice. They considered a subgroup C of O × K easily computable such that [O × K : C] is close to 1. They gave a bound on the dual vectors of Log K (C) so they proved decryption could be done in this sublattice. The very small gap between Log K (C) and Log K (O × K ) allowed a full decryption. In the case of multiquadratic and multicubic fields there is a good subgroup with a perfect decryption situation, namely the multiquadratic units and the multicubic units. They form orthogonal sublattices of the Log-unit of their respective fields. However in both cases the gap between the unit groups and these subgroups is too large to try the previous strategy. However there are efficient algorithms to compute the units and solve the PIP of a wide range of multiquadratic fields so the full Log-unit lattice can be computed efficiently. In the case of multicubic fields we are less efficient but we still manage to compute units in reasonable time for some cases. Finally even if we can compute a basis of the Log-unit lattice it is not certain that we can efficiently recover short generators. This will depend on the geometrical properties of the basis.
In [4] the shortening procedure is a rounding. The authors considered the vector Log(h) = Log(g) + Log(u) expressed in the basis Log(O × K ) and rounded its coefficient to the nearest integer. In the case of multicubic fields we cannot use this rounding method since the Log-unit lattice is not a full rank lattice in its ambient vector space. Instead we used a decryption method based on LLL. Write L the matrix of the approximate Logembedding of the units computed, h the vector found by the PIP algorithm and B an upper bound of the norm of the vectors of L. Then consider -similarly to the cube root procedure -the matrix and reduce it with a LLL algorithm. If Log K (g) is short respectively to the Log-unit lattice this is expected to reduce the last row to the Log-embedding of the closest generator. If we compute the unitary operator corresponding to this LLL reduction we can retrieve u and g.

Algorithm 8 Shorten a given generator of an ideal -ShortGen
Require: A generator h of a principal ideal I, O × K = ⟨u 1 , . . . , um⟩ Ensure: A candidate g for a short generator. 1

Experiments and Results
We present here the data we collected from computations. We considered multicubic fields defined by prime sequences (p 1 , . . . , pn). We did computations essentially for multicubic fields defined by n primes with n equal to 2, 3 and 4. These correspond to fields of dimension 9, 27 and 81. We did some computations for fields defined by 5 primes i.e. with dimension 243.
Computing O ×

K
Recall that we compute units of a multicubic field K recursively and at each step the main procedure is CubeRoot presented in Algorithm 5. The efficiency of the overall algorithm is strongly related to the efficiency of CubeRoot and tends to be dominated by it. This is illustrated by the times computed in Table 1. In Figure 1 we can find the times for n = 2 printed. It illustrates well the correlation between the time taken to compute the units and the time taken to compute cube roots. If we analyse the function CubeRoot we can see that it depends on the dimension, the sequence defining the field K and the norm of the elements it is given. Therefore together with the times we computed the number of cube roots computed by the last call to CubeRoot in Algorithm 6 and the average of the logarithm of their norms. We can understand from these data why the algorithm does not scale as the algorithm in [4]. The norm of the elements from which we compute cube root seems to scale poorly and we have to compute more cube roots when the degree increases. Moreover the efficiency seems to decrease quickly with increasing primes.
Complexity : An analysis of the norm of the units that the algorithm compute cube roots of can be found in Appendix and gives a bound essentially polynomial in N n 2 ∏︀ n i=1 d i . This gives a complexity for the overall algorithm essentially in Poly(N n 2 ∏︀ n i=1 d i ). We obtained better results that the standard algorithm implemented in Magma. For example we can see in Table 2 the times to compute units for consecutive primes and n = 2. We can see that the size of primes has a strong impact. It took 2540.490 seconds to compute the units of the field defined by (2, 3, 5) and did not retrieve the units of the field defined by (3, 5, 7) after 34 hours.

Retrieving a short generator
For each given size of keys (except 243) we chose two sequences. The first is the n consecutive primes and the second follows an arithmetic progression i.e. p 1 is fixed and the p k+1 is NextPrime(p k + 4) for each k. We considered keys as vectors of coefficients drawn uniformly at random in {−1, 0, 1}. This type of keys are  indeed "short vectors" in the ideal lattice they generate. The data are presented in Table 3. For each n and each progression the first row is the percentage of exact decoding and the second is the percentage of shorter generators -exact of strictly shorter generators -retrieved.
We can remark that the probability of success seems to converge to 1 as the primes of the defining sequence increase. The probability of failure is particularly big when the smaller primes are in the sequence, especially two. The same phenomenon were noticed in [4]. Moreover we can see that the rate of generators retrieved which were strictly shorter than the key follow the inverse pattern. It is quite high compared to the rate of retrieved key when the latest is low and n = 2 and tends to 0 otherwise. For the multicubic field defined by the sequence (2, 3, 5, 7, 11) we retrieved exactly 74.02% of the keys and no shorter generator and for the field defined by (3,5,7,11,13) we retrieved exactly all of the keys.
These results tend to show that multicubic fields should not be used to build cryptosystems. Even if we are still too slow to attack dimensions of cryptographic interest the results we obtained suggest that the we  n/a n/a n/a n/a n/a 84.10 99.59 100.0 99.50 100.0 n/a n/a n/a n/a n/a n/a n/a n/a 95.00 100.0 100.0 100.0 100.0 n/a n/a n/a can easily recover short vectors using the Log-unit lattice. Finally in post-quantum perspective we have to think that computing O × K and solving the PIP can be done efficiently. Therefore the fact that the algorithms presented in this paper are slow is not completely relevant. We are essentially interested in the quality of the basis of the Log-unit lattice.