Algebra 2 Practice Form G Answer Key: Fill & Download for Free

It depends on what you mean by “algebra” I guess, because there are at least three different meanings that one could have in mind:You might be talking about high school algebra.You might be talking about abstract algebra, like what is taught in lower level classes in a mathematics major.You might be talking about modern algebra, like what is taught at the upper undergraduate level/graduate level.Of course, all of it is necessary, and all of it has practical applications—it’s just a question of how ubiquitous those applications are. I decided to look at the sort of posts we have in Mathematical Applications, and which ones fit which criteria. (If you are familiar with the content on Mathematical Applications, then skip ahead to the second half of this answer, where I will describe another application of algebra.)The post that most closely fits the label of describing applications of modern algebra is, not surprisingly, my answer to What applications does modern algebra have?. In it, I detail how:Lie algebras are an important tool for understanding solutions to partial differential equations, which might describe things like the flow of heat, or flow of water, or the motion of an elementary particle, or the gravitational field of an astronomical body… (the list is quite long, you see).Semi-rings get used in computer science as a way of turning problems about finding the fastest sequence of moves to perform a computation into an algebraic problem.Elliptic curves get used in elliptic curve cryptography, which is an important alternative to RSA. (These are protocols for sending information over a public channel like the Internet in a way so that only the intended recipient will be able to read this information.)Algebraic geometry gets used in the field of algebraic statistics to reason about situations where you have many different events which might occur with varying probabilities, but you know some constraints on what those probabilities will be.If we are talking about abstract algebra, the collection of answers that fits is much larger—it includes the aforementioned one, but also includes:My answer to What are the real life applications of polynomials?, which explains how you can use the properties of polynomials to take some piece of secret information and split it up into many pieces such that only if a certain amount of people come together with their individual bits of information can they put the whole thing together—this is useful for servers that handle sensitive information, if you are worried that some of the servers might get corrupted, and so you require a measure of redundancy.My answer to What's the use of matrices in real life?, which talks a little bit about how matrices come up in partial differential equations, graphics, and sending digital information in an efficient way, but which describes in the greatest amount of details how matrices come up in studying Markov chains, which are used for things like predictive text, Google search, modeling population growth, and, of course, zombies.Alon Amit's answer to What are some real life applications of complex numbers in engineering and practical life?, which describes the fast Fourier transform (useful for efficient compression, signal analysis, and more), quantum computation, and the use of quaternions to describe rotations for graphics or navigation systems—the later is useful because it avoids some of the problems that typically arise if you use rotation matrices instead.Zane Jakobs's excellent post about dual numbers, which describes how you can turn the problem of taking derivatives into an efficient algebra computation—a useful thing to have for working with partial differential equations, neural networks, computer algebra systems, and the like.My posts about Google search (parts I and II), which detail how you use Markov chains to give an efficient way to rank which websites are most likely to be important.My answer to Why should I care about group theory?, which details how knowing a little bit of group theory makes the problem of exchanging keys much easier.My answer to In cryptography, how do I achieve perfect secrecy with a known ciphertext length?, which explains how just a tiny bit of modular arithmetic allows you to send secret messages with an absolute guarantee that no one other than the intended recipient can possibly read them.If we are talking about high school algebra, then unless I am mistaken, every single post in Mathematical Applications uses it to some degree. This isn’t because the people writing for Mathematical Applications are exceptionally fond of algebra—it’s just that it is almost impossible to do any amount of science, mathematics, statistics, or computer science without making use of some high school algebra. It is unavoidable.Right. I have described applications of algebra that we have talked about in the past. However, I don’t believe in resting on one’s laurels, so let’s describe something new. I have been thinking for some time about writing something about applications of algebraic topology, but I think that is a little too advanced for this post—let’s go for something a little more basic, but perhaps unexpected. Let’s try to get at least a partial answer to the following question:How do you build a good supercomputer?My inspiration for this is Schibell and Stafford’s paper Processor Interconnection Networks from Cayley Graphs, approved for release by the NSA in 2011. Notice: the title may sound boring and dry, but the fact that the NSA is getting involved should signal the fact that this paper is eminently practical.Modern computers, let alone supercomputers, have thousands upon thousands of tiny little processors, all of which have to work in concert—each processor only does a tiny little bit of computation, and then has to pass off it to the next processor, and the next… Thus, your processors are part of a giant network that has to send signals back and forth. You want this to work in an efficient way, so that it isn’t the case, for example, that your computation slows down because one part of the network is holding everything else up. So how do you do it?One possible solution is to just connect every single processor to every other processor. The graph of this network might look like this.However, this is already a huge mess even with just 11 nodes—if you have thousands and thousands of nodes, then getting all of these connections in hardware is going to be infeasible. After all, the connections between these nodes have to be actual physical wires, all of which should be as short as possible (otherwise, you will run into timing problems where some of your nodes take a while to receive inputs from other nodes, slowing down the entire network). Ideally, you want a graph such that:the number of connections at each node (this is called the degree) is small,the network is highly interconnected, with small diameter (there are many ways of measuring this, but the gist is that you don’t want it so that it takes a long time for a signal to travel from one end of the network to another end), andthe network must be reasonably easy to actually physically realize.These properties aren’t just hard to satisfy: they are actively at odds with each other, which means that in practice you just want to find a balance between these various requirements.Finding networks of connected nodes (called graphs) with nice properties is a very important area in computer science, and there is a great deal that could be written about it. (If any computer scientists out there want to write a little bit about graph theory for Mathematical Applications, I would be very happy to include it.) Here, though, I will just discuss Akers and Krishnamurthy’s idea of using group theory to attack this problem.Part of the inspiration for this approach is that for designing good networks, it is a good idea to look at graphs that are vertex-symmetric—that is, you want every node to look like every other node. This ensures that the time it takes for a signal to go from one end of a network to anywhere else doesn’t vary in some asymmetric way, which ensures that the computational load on the network is split up evenly, preventing “traffic jams.” As we will see momentarily, there are special graphs constructed from groups that automatically have this property.Now, I do need to specify what I mean by a group. I have given before a pretty standard definition here, together with a sizable number of examples—if you are interested in that sort of thing, I recommend reading it (you’ll realize that groups aren’t actually that weird, and you have seen examples of them before, although your teachers might not have called them that). However, for our present purposes, I will define groups in a different way, which turns out to be equivalent.We start with a collection of generators, which you can think of as letters: we might label these as [math]g_1, g_2, g_3 \ldots[/math], and so on, or we might label them as [math]a,b,c,d \ldots[/math], or some other convention—it doesn’t really matter, it just matters that we have some such collection. Generally, this collection is allowed to be infinite, but for our present purposes we will always assume it to be finite.From these generators, we can form words—these are just finite sequences of the basic letters. For example, if our generators are [math]g[/math][math][/math] and [math]h[/math], then some allowed words would be [math]ggggg[/math], [math]ghhg[/math], [math]hhggggg[/math], and so on. For simplicity, we write [math]g^n[/math] to mean a string of [math]n[/math] instances of [math]g[/math][math][/math]—so, the aforementioned words would be more compactly written as [math]g^5[/math], [math]gh^2g[/math], and [math]h^2 g^5[/math].Words can be multiplied by concatenation—to find the product of two words, just write one after another. So, for example [math]g^5 \cdot gh^2g = g^6h^2 [/math][math]g[/math][math][/math].We also have the “empty word”—you can think of this as if you said nothing, but for convenience we usually give its own symbol such as [math]e[/math], [math]1[/math], or sometimes [math]id[/math]. Thus, [math]h^2 g^5 \cdot e = h^2 g^5[/math] and [math]e \cdot h^2 g^5 = h^2 g^5[/math], and so it will be for any other word.In English and other natural language, there are synonyms: different words with the same meaning. Here, we allow a similar thing: a relation is an assertion that two words are actually the same, and so we can simplify other words by swapping these words around. For example, we might have the relations that [math]gh = hg[/math] and [math]g^2 = e[/math]. Then we might simplify[math]\displaystyle gh^2g = ghhg = ghgh = gghh = g^2 h^2 = e h^2 = h^2. \tag*{}[/math](The key difference between this and English is that English doesn’t allow you to substitute parts of words like this. So, even though [math]\text{on} = \text{upon}[/math], [math]\text{coon} \neq \text{coupon}[/math]; [math]\text{in} = \text{hot}[/math] but [math]\text{sins} \neq \text{shots}[/math]; [math]\text{fix} = \text{cook}[/math], yet [math]\text{prefixed} \neq \text{precooked}[/math]. This strikes me as a deficiency of the language. As a side-note: I am genuinely curious how many such examples there are in English.)Now, a semi-group is the collection of all words that can be written with a given set of generators and relations on those generators. A group is a semi-group with the extra restriction that for each generator [math]g[/math][math][/math], there exists a generator [math]g^{-1}[/math] such that [math]g[/math][math] \cdot g^{-1} = g^{-1} \cdot [/math][math]g[/math][math] = e[/math].Groups may or may not be finite. For an example of an infinite group, consider the generators [math]g[/math][math], h[/math] with the relations that [math]gh = hg = e[/math]. Then the collection of all words precisely consists of everything of the form [math]g^n[/math] (with the convention that [math]g^0 = e[/math] and [math]g^{-n} = h^n[/math]), and all of those words are distinct. For an example of a finite group, take the generator [math]g[/math][math][/math] with the relation [math]g^2 = e[/math]. The only distinct words are [math]e[/math] and [math]g[/math][math][/math].For any group, we can form its Cayley graph. Here is how: for each word in the group, add a corresponding node. Then, add an edge between any two nodes if you can get from one word to the other by multiplying by one of the generators. For example, suppose that my group is given by generators [math]g,g^{-1},h[/math] with the relations [math]gg^{-1} = g^{-1} [/math][math]g[/math][math] = e[/math], [math]g^4 = e[/math], [math]h^2 = e[/math], and [math](gh)^2 = e[/math]. Then the Cayley graph will look like the following.Here, nodes are connected by a blue arrow if you can get from one to the other by multiplying by [math]g[/math][math][/math] or [math]g^{-1}[/math], and they are connected by a red arrow if you can get from one to the other by multiplying by [math]h[/math].Here is another example: take your generators to be [math]g,g^{-1},h,h^{-1}[/math] with the relations [math]g^4 = e[/math], [math]h^3 = e[/math], [math]gg^{-1} = g^{-1}g = e[/math], [math]hh^{-1} = h^{-1}h = e[/math], and [math](gh)^2 = e[/math]. Then the Cayley graph will look like this.The Cayley graphs become very complicated very quickly, but note that they have some very nice properties:These graphs are always vertex symmetric.The degree of each node is equal to the number of generators.So, if you want to construct vertex symmetric graphs with small degree, groups give you a fast way to make many, many examples. Better yet, groups have been studied for quite some time—Lagrange was already thinking about them in some sense back in the late 18th century. This means that a lot is known about them in terms of how to construct examples with nice properties.For example, there is a very nice and quite modern result (published in 1989) due to Babai, Kantor, and Lubotzky in which they show that there are classes of finite groups (specifically, non-abelian simple groups) with the property that the corresponding Cayley graphs have degree no more than [math]7[/math] and all nodes are connected by paths no longer than [math]\log_2(\# [/math][math]G[/math][math])[/math] (where [math]\# [/math][math]G[/math][math][/math] is the number of nodes of the group).This is directly applicable to the problem of building processor networks with good properties, and so Schibell and Stafford remark in their paper that if you want to build such networks, what you should be doing is looking at non-abelian simple groups. This tickles me, because it means that the classification of finite simple groups, one of the most ambitious accomplishments of modern mathematics, could have been described as the problem of finding the best interconnection networks of computer processors.

Sure.I thought for a while how to interpret “you know how to solve.” Arguably, one could just look up the proof of some very difficult theorem, read through it, understand it, memorize it, and then you know how to “solve” it. If that is the bar, then probably I would have to recall some big theorem I had to learn when I was passing my qualifying exams in graduate school—something like the Riemann mapping theorem, or maybe the spectral theorem for unbounded, self-adjoint operators.However, this feels like cheating. While these results were certainly difficult to prove at the time, learning them today is substantially easier, both because you don’t have to come up with the proofs from scratch, and because the proofs have been greatly simplified over the years. So, in order to stay honest, I decided to only consider theorems that I have proved myself. I will not claim that any of them are objectively more difficult than the Riemann mapping theorem, but they were certainly more difficult to me. Thus, without further ado, let’s discuss the results of the last paper I put on the arXiv—specifically, I want to consider the following question:How can you efficiently produce examples of maximal arithmetic groups?Before I can begin talking about my paper, we need to understand what are maximal arithmetic groups. Let’s start at the beginning, and understand what an algebraic group is.Consider [math]SL(2,\mathbb{R})[/math], the set of all [math]2\times [/math][math]2[/math][math][/math] matrices with real coefficients and determinant [math]1[/math]. This set is a group—there is a way of multiplying elements of this set (namely, just matrix multiplication) with the properties that:[math]A(BC) = (AB)C[/math] for any [math]A,B,C \in SL(2,\mathbb{R})[/math]. ([math]\in[/math] stands for “in”, or “element of”, if you haven’t seen this notation before.)There is an element [math]I[/math] such that [math]MI = IM = M[/math] for any [math]M\in SL(2,\mathbb{R})[/math].For any [math]M \in SL(2,\mathbb{R})[/math], there is an [math]M^{-1} \in SL(2,\mathbb{R})[/math] such that [math]MM^{-1} = M^{-1} M = I[/math].This set is also a (real) algebraic variety—that is, it is the set of real solutions to a polynomial equation. Specifically,[math]\displaystyle \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2,\mathbb{R}) \tag*{}[/math]if and only if [math](a,b,c,d)[/math] is a real solution to the polynomial equation [math]ad-bc = 1[/math].(I am oversimplifying slightly. If you look up the actual definition of an algebraic variety, you will discover there is a smoothness restriction—you don’t want to consider examples with weird singularities. However, trying to give a full explanation of this is beyond the scope of this answer.)Furthermore, these two different structures of [math]SL(2,\mathbb{R})[/math] are compatible, in the sense that both matrix multiplication and matrix inverses are morphisms of algebraic varieties—roughly speaking, these maps are described by polynomials. Indeed:[math]\displaystyle \begin{pmatrix} a_1 & a_2 \\ a_3 & a_4 \end{pmatrix}\begin{pmatrix} b_1 & b_2 \\ b_3 & b_4 \end{pmatrix} = \begin{pmatrix} a_1 b_1 + a_2 b_3 & a_1 b_2 + a_2 b_4 \\ a_3 b_1 + a_4 b_3 & a_3 b_2 + a_4 b_4 \end{pmatrix}, \tag*{}[/math]so if I want to compute the product of two matrices, I am just going to be computing polynomials of their entries. The matrix inverse is even simpler:[math]\displaystyle \begin{pmatrix} a & b \\ c & d \end{pmatrix}^{-1} = \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}. \tag*{}[/math]This example captures the essence of what algebraic groups are: these are algebraic varieties that also have a group structure, and that group structure plays nicely with varieties. Above, we have looked at real algebraic varieties, but one can generalize and look at solutions to polynomial equations over any field, such as the complex numbers [math]\mathbb{C}[/math], the rational numbers [math]\mathbb{Q}[/math], or finite fields [math]\mathbb{F}_{p^n}[/math]. Formally:A linear algebraic group over a field [math]F[/math] is a subgroup of [math]SL(n,F)[/math] that is an (affine) algebraic variety.Obviously, [math]SL(n,F)[/math] is always going to be a linear algebraic group, but there is no shortage of others. For example, [math]GL(n,F)[/math], the set of all invertible [math]n \times n[/math] matrices with coefficients in [math]F[/math], is a linear algebraic group, since any matrix [math]M \in GL(n,F)[/math] can be shoved inside [math]SL(n + 1,F)[/math] via[math]\displaystyle M \mapsto \begin{pmatrix} M & 0 \\ 0 & 1/\det(M) \end{pmatrix}. \tag*{}[/math]One might also be interested in [math]O(n,F)[/math], the collection of matrices [math]M \in GL(n,F)[/math] such that [math]M^T = M^{-1}[/math] (i.e. the transpose is equal to the inverse). This can equivalently be understood as the collection of matrices [math]M[/math] with the property that[math]\displaystyle q(Mv) = q(v) \tag*{}[/math]for all [math]v \in F^n[/math], where[math]\displaystyle q\left((v_1, v_2,\ldots v_n)\right) = v_1^2 + v_2^2 + \ldots + v_n^2. \tag*{}[/math]This can be generalized: choose any quadratic form [math]q[/math]. For our purposes, we will define a quadratic form as a function [math]F^n \rightarrow F[/math] of the form[math]\displaystyle q(v) = v^T N v \tag*{}[/math]for some [math]n \times n[/math] matrix [math]N[/math]. We shall assume that [math]q[/math] is non-degenerate—that is, [math]N[/math] is invertible. Then we can define [math]O(q)[/math] to be the subset of [math]M \in GL(n,F)[/math] such that[math]\displaystyle q(Mv) = q(v) \tag*{}[/math]for any [math]v \in F^n[/math].There are some pretty important examples of such groups. For instance, if you consider the real quadratic form[math]\displaystyle q((t,x,y,z)) = c^2 t^2 - x^2 - y^2 - z^2, \tag*{}[/math]then [math]O(q)[/math], also known as [math]O(1,3)[/math] or the Lorentz group, is the collection of coordinate transformations in special relativity fixing a particular point. (From here on out, I am going to take [math]c = 1[/math]. This is a common convention in theoretical physics, and is justified by the fact that you can always choose your units of time and distance so that this works out to be true.) Physicists usually don’t want to work with this group directly, but rather with [math]SO^+(1,3)[/math], the subgroup of transformations that don’t reverse orientation or the flow of time. (For the reader interested in learning more about this, I have two write-ups about it: A Rigorous Geometric Approach to Special Relativity part I, and part II.)This subgroup [math]SO^+(1,3)[/math] happens to have a very nice description—it turns out that if you view [math]O(1,3)[/math] as a manifold (it can be viewed, after all, as a six-dimensional surface in 15-dimensional Euclidean space), then it splits into four disconnected pieces—the connected piece that contains the identity [math]I[/math] is precisely [math]SO^+(1,3)[/math].The type of construction generalizes for all algebraic groups: you start with an algebraic group [math]G[/math][math][/math], and then you can produce an algebraic subgroup [math]G^0[/math] that consists of the connected component containing the identity element. There is a subtlety here because it isn’t clear what “connected” means if your algebraic group is defined over, say, [math]\mathbb{Q}[/math] rather than [math]\mathbb{R}[/math] (since it is no longer a manifold in that case). The solution is to replace the usual topology that one is likely used to with the Zariski topology. Again, I shall omit these technical details for the sake of brevity.There is an interesting connection between the algebraic groups [math]SO^+(1,3)[/math] and [math]SL(2,\mathbb{C})[/math]—I claim that in some sense these are almost the same group, even though they really don’t look the same at all. To see this, let us begin by thinking about points [math](t,x,y,z)[/math], except I am going to replace every such point with a matrix[math]\displaystyle \begin{pmatrix} t + x & y + iz \\ y - iz & t - x \end{pmatrix}. \tag*{}[/math]The reason I want to do this is because[math]\displaystyle \det \left(\begin{pmatrix} t + x & y + iz \\ y - iz & t - x \end{pmatrix}\right) = t^2 - x^2 - y^2 - z^2. \tag*{}[/math]That is, the determinant of this matrix is just the quadratic form applied to the point [math](t,x,y,z)[/math]. So, we can think of [math]O(1,3)[/math] as linear transformations that act on such matrices and preserve the determinant when they do so. The collection of such matrices has a nice description in that you can check that it is precisely the set of all [math]2[/math][math] \times [/math][math]2[/math][math][/math] matrices [math]M[/math] with complex coefficients such that [math]M = \overline{M}^T[/math] (that is, the matrix is unchanged if you take the transpose and the complex conjugate). From this, it is easy to see that for any such matrix [math]M[/math] and any [math]\gamma \in SL(2,\mathbb{C})[/math], [math]\gamma M \overline{\gamma}^T[/math] is also a matrix of this type. Furthermore, [math]\gamma M \overline{\gamma}^T[/math] has the same determinant as [math]M[/math]. Therefore,[math]\displaystyle M \mapsto \gamma M \overline{\gamma}^T \tag*{}[/math]is a linear transformation that preserves the determinant—therefore, it is an element of [math]O(1,3)[/math]! We have produced a morphism from [math]SL(2,\mathbb{C})[/math] to [math]O(1,3)[/math] (that is, a group homomorphism that is also essentially a polynomial map—i.e. it is a morphism of algebraic varieties). One checks that the kernel of this morphism consists of just [math]\pm I[/math]—that is, if [math]\gamma_1,\gamma_2 \in SL(2,\mathbb{C})[/math] map to the same element in [math]O(1,3)[/math], then [math]\gamma_1 = \pm \gamma_2[/math]. Thus, this morphism is almost injective.Since the kernel is finite, the image of [math]SL(2,\mathbb{C})[/math] inside of [math]O(1,3)[/math] must have the same dimension as [math]SL(2,\mathbb{C})[/math] itself—but [math]SL(2,\mathbb{C})[/math] is readily checked to be six-dimensional, which matches [math]O(1,3)[/math]. Furthermore, [math]SL(2,\mathbb{C})[/math] is connected, and this is enough to prove that the image of [math]SL(2,\mathbb{C})[/math] is exactly [math]SO^+(1,3)[/math]. Thus, we have found a surjective morphism [math]SL(2,\mathbb{C}) \rightarrow SO^+(1,3)[/math] with finite kernel.Another way to think about this is that every single element of [math]SO^+(1,3)[/math] can be represented as one of two elements in [math]SL(2,\mathbb{C})[/math]. This is actually extremely beneficial, because [math]SL(2,\mathbb{C})[/math] is much easier to work with. The reasons why are complicated, but the gist is that [math]SL(2,\mathbb{C})[/math] is simply-connected, unlike [math]SO^+(1,3)[/math].There is a very similar thing that happens with [math]SL(2,\mathbb{R})[/math] and [math]O(q)[/math], where [math]q(t,x,y) = t^2 - x^2 - y^2[/math]—I wrote about this in my answer to Does the quadratic form [math]x^2-y^2[/math] on the plane have anything to do with the hyperbolic plane?. In fact, for any field [math]F[/math] and quadratic form [math]q[/math], there is always going to be an algebraic group [math]\text{Spin}^0(q)[/math] and a surjective morphism [math]\text{Spin}^0(q) \rightarrow O^0(q)[/math] with finite kernel—in fact, this kernel will always consist of [math]\pm I[/math] (as long as the dimension is large enough—if [math]q[/math] only has, say, one variable, then it can happen that [math]\text{Spin}^0(q) = O^0(q)[/math]). This group [math]\text{Spin}^0(q)[/math] is known as the (connected component of the) spin group of [math]q[/math], and the point is that it has nice properties that [math]O^0(q)[/math] does not itself have, but because of the existence of this nice map between them, you can usually relate questions about [math]O^0(q)[/math] to questions about [math]\text{Spin}^0(q)[/math]. In particular, if [math]F[/math] is a field of characteristic zero (i.e. [math]1 + 1 + \ldots + 1 \neq 0[/math] for any sum of ones) and the Witt index of [math]q[/math] is [math]\leq 1[/math], then [math]\text{Spin}^0(q)[/math] is a simply-connected algebraic group. (I won’t expound on what this means here, but this is the case that is of most interest to me, since I am interested in when these groups can be thought of as subgroups of the hyperbolic isometry group, and all of these conditions are satisfied in that case.)There is a standard way to construct this spin group, but it is kind of… well, awful. Or, at the very least, I personally perceive it as being kind of awkward to work with. In low dimensions, you get accidental isomorphisms, such as how [math]SL(2,\mathbb{R})[/math] and [math]SL(2,\mathbb{C})[/math] are isomorphic to the spin groups. However, these are rather specifically accidental isomorphisms: they seem to dry up in higher dimensions, and there is no longer any known nice description.This is where the first interesting result of my paper comes into play. It states that if [math]F[/math] is a characteristic [math]0[/math] field, then there is a bijection[math]\begin{align*} \left\{\substack{\text{Isomorphism classes of} \\ \text{quaternion algebras over } F}\right\} &\rightarrow \left\{\substack{\text{Isomorphism classes of} \\ \text{spin groups of indefinite,} \\ \text{quinary quadratic forms over } F} \right\} \\ [H] & \mapsto \left[SL^\ddagger(2,H)\right]. \end{align*} \tag*{}[/math]That is, absolutely every single spin group coming from an indefinite quadratic form [math]q: F^5 \rightarrow F[/math] can be represented by a group [math]SL^\ddagger(2,H)[/math]. (“Quinary” means that there are five variables—i.e. it is a map from [math]F^5[/math].) Of course, I need to clarify what this means. First of all, we say that a quadratic form [math]q: F^n \rightarrow F[/math] is indefinite if there exists a non-zero vector [math]v \in F^n[/math] such that [math]q(v) = 0[/math]. For instance, [math]t^2 - x^2 - y^2 - z^2[/math] was clearly an indefinite quadratic form.To describe what the group [math]SL^\ddagger(2,H)[/math] is, however, will require substantially more exposition. Here, [math]H[/math] is a quaternion algebra—that is, it is an [math]F[/math]-algebra generated by elements [math]i,j[/math] satisfying [math]i^2 = a[/math], [math]j^2 = b[/math], and [math]ij = -ji[/math] for some non-zero [math]a,b \in F[/math]. Let me clarify what this means: [math]i[/math] and [math]j[/math] are symbols defined by the property that [math]i^2 = a[/math] and [math]j^2 = b[/math] for some fixed, non-zero [math]a,b \in F[/math], and [math]ij = -ji[/math]. The classic example are the quaternions as written down by Hamilton—he had the field as [math]F = \mathbb{R}[/math], and he specified that [math]i^2 = -1[/math], [math]j^2 = -1[/math], and [math]ij = -ji[/math]. He then considered the collection of elements of the form [math]a + bi + cj + dij[/math], where you add and multiply them as if this was a polynomial, but with the understanding that you simplify using the relations [math]i^2 = -1[/math], [math]j^2 = -1[/math], and [math]ij = -ji[/math].(Well, technically, Hamilton wrote down three symbols: [math]i,j,k[/math], with the properties [math]i^2 = j^2 = k^2 = ijk = -1[/math]. However, note that if we take [math]k = ij[/math], this is equivalent to the description I have given.)For instance, you might have[math]\begin{align*} (1 + 3i + j)(2 - ij) &= [/math][math]2[/math][math] - ij + 6i - 3i^2j + 2j -jij \\ &= [/math][math]2[/math][math] - ij + 6i + 3j + 2j + ij^2 \\ &= [/math][math]2[/math][math] - ij + 6i + 3j + 2j - i \\ &= [/math][math]2[/math][math] + 5i + 5j - ij. \end{align*} \tag*{}[/math]Here is another example of a quaternion algebra—let [math]F[/math] be any field, and consider [math]H=\text{Mat}(2,F)[/math], the collection of [math]2\times [/math][math]2[/math][math][/math] matrices with entries in [math]F[/math]. I claim that this is a quaternion algebra—this is because if you take[math]\displaystyle i = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \ j = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}, \tag*{}[/math]then[math]\begin{align*} i^2 &= \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \\ j^2 &= -\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \\ ij &= -ji \end{align*}. \tag*{}[/math]Therefore, we can think of [math]H[/math] as a quaternion algebra where [math]i^2 = 1[/math] and [math]j^2 = -1[/math]. It turns out that this basically exhausts all of the possibilities of quaternion algebras. For any field [math]F[/math] (of characteristic not [math]2[/math][math][/math]), and any quaternion algebra [math]H[/math] over [math]F[/math], one of two things happens:[math]H[/math] is a division algebra—that is, for every non-zero element [math]z[/math], there exists an element [math]w[/math] such that [math]zw = wz = 1[/math]. (Hamilton’s quaternions are an example.)[math]H[/math] is isomorphic to [math]\text{Mat}(2,F)[/math].That’s it—no other options are given. For our purposes, we will primarily be interested in quaternion algebras that are division algebras, but the theorem I have stated above applies to both cases.Next, I need to explain to you what I mean by [math]\ddagger[/math]. An involution of the first kind is a map [math]\varphi: H \rightarrow H[/math] satisfying the following properties:[math]\varphi[/math] is [math]F[/math]-linear: that is, [math]\varphi(c x + y) = c \varphi(x) + \varphi(y)[/math] for all [math]x,y \in H[/math] and [math]c \in F[/math].[math]\varphi(xy) = \varphi(y)\varphi(x)[/math] for all [math]x,y \in H[/math].[math]\varphi(\varphi(x)) = x[/math] for all [math]x \in H[/math].It turns out that there aren’t very many different types of such involutions for a quaternion algebra. In fact, there are precisely two possibilities:[math]\varphi(a + bi + cj + dij) = \overline{a + bi + cj + dij} = a - bi - cj - dij[/math].[math]\varphi(x) = \overline{zxz^{-1}}[/math] for some [math]z \in H[/math] that has no [math]F[/math]-component.The first is called the standard involution, or more commonly just quaternion conjugation. The other involutions are called the orthogonal involutions. The easiest way to think about them is that if you choose your basis the right way, you can always just write them down as[math]\displaystyle (a + bi + cj + dij)^\ddagger = a + bi + cj - dij. \tag*{}[/math]Henceforth, the reader is free to think of the above as being the definition of [math]\ddagger[/math]. Alternatively, one can think about it as follows: an involution [math]\ddagger[/math] is orthogonal if [math]H^+[/math], the subspace of [math]H[/math] fixed by [math]\ddagger[/math] (i.e. [math]x^\ddagger = x[/math] for all [math]x \in H^+[/math]) is three-dimensional over [math]F[/math]. In any case, we can now define [math]SL^\ddagger(2,H)[/math]—it is[math]\displaystyle \left\{\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \text{Mat}(2,H) \middle| ab^\ddagger \in H^+, \ cd^\ddagger \in H^+, \ ad^\ddagger - bc^\ddagger = 1\right\}. \tag*{}[/math]That is, it is the collection of [math]2\times [/math][math]2[/math][math][/math] matrices with coefficients in [math]H[/math] which is very similar to [math]SL(2,\circ)[/math], but with two key differences: rather than using the determinant, we use the quasi-determinant [math]ad^\ddagger - bc^\ddagger[/math]; and we have the extra conditions [math]ab^\ddagger \in H^+, \ cd^\ddagger \in H^+[/math].Explaining where this group came from is a whole other can of worms that I hesitate to open. Briefly, this was the basic approach used by Vahlen to write down hyperbolic isometries in a concrete way—for Vahlen, [math]H[/math] was always the Hamilton quaternions. I noted that there was no reason why we couldn’t use this same machinery for more general quaternion algebras, and this became an important component of my PhD thesis.In any case, we can now get at the meat of the above theorem: it tells you that no matter how complicated a spin group you have, as long as the underlying quadratic form is quinary and indefinite, this spin group can always be written down as [math]SL^\ddagger(2,H)[/math] for some quaternion algebra of [math]F[/math]. In fact, this result is constructive, in the sense that I show precisely how you can find this required quaternion algebra—it turns out not to be very hard, as long as you know how to diagonalize quadratic forms.I think that this is already a nice result, but we can go deeper.To proceed, we need to start talking about arithmetic groups. The idea is this: suppose that I have an algebraic group over the rational numbers [math]\mathbb{Q}[/math]. In fact, let’s be entirely concrete and suppose that our algebraic group is [math]SL(2,\mathbb{Q})[/math]. Well, if this group can be thought of as the collection of rational points on the group [math]SL(2,\mathbb{R})[/math], if one is a number theorist, one might wonder if it makes sense to ask about the collection of integer points on this group. And, indeed, [math]SL(2,\mathbb{Z})[/math] is a well-defined, well-studied, and very important group.This is the essence of the definition of an arithmetic group—it is a group produced by taking the integer points of an algebraic group over either [math]\mathbb{Q}[/math] or, more generally, an algebraic number field. Now, this isn’t quite correct, because there is a problem: you would like for it to be that whether or not something is an algebraic group to not depend on which particular coordinate system you choose, and in particular it would be good if it was a property that was maintained under group isomorphism. However, as I have defined it, this is clearly not so, since[math]\displaystyle \begin{pmatrix} [/math][math]2[/math][math] & 0 \\ 0 & 3 \end{pmatrix} \begin{pmatrix} a & b \\ c & d \end{pmatrix}\begin{pmatrix} [/math][math]2[/math][math] & 0 \\ 0 & 3 \end{pmatrix}^{-1} = \begin{pmatrix} a & 2b/3 \\ 3c/2 & d \end{pmatrix}, \tag*{}[/math]and so the image of an element in [math]SL(2,\mathbb{Z})[/math] might not look like it comes from the set of integer points of something. There is a simple way to cheat, which is to just say that a group is arithmetic if it is isomorphic to a group produced by taking the integer points of an algebraic group over an algebraic number field. In practice, this doesn’t quite allow us to get the full scope of what we need, and so we have to define everything in terms of isogenies. However, these are technical issues I would rather not deal with.The arithmetic group [math]SL(2,\mathbb{Z})[/math] has a nice property—it is maximal, meaning that it is not contained in any other arithmetic group of [math]SL(2,\mathbb{Q})[/math]. However, the obvious way of producing examples of arithmetic groups does not in general produce maximal arithmetic groups. This is why I am delighted to say that for the groups [math]SL^\ddagger(2,H)[/math] (which, remember, correspond to spin groups), I know how to produce examples of maximal arithmetic groups.I shall need to assume that [math]H[/math] is a division algebra. (The proof might still go through even if [math]H \cong \text{Mat}(2,F)[/math], but I’m not sure.) Let [math]\mathcal{O}[/math] be a maximal [math]\ddagger[/math]-order—I have written about these before. The key thing about maximal [math]\ddagger[/math]-orders is that they can be efficiently produced (and there is a fast way to determine whether a given lattice corresponds of a maximal [math]\ddagger[/math]-order). I can then state my result as follows:Let [math]F[/math] be an algebraic number field. Let [math]H[/math] be a division quaternion algebra over [math]F[/math], with orthogonal involution [math]\ddagger[/math]. Let [math]\mathcal{O}[/math] be a maximal [math]\ddagger[/math]-order of [math]H[/math]. Then [math]SL^\ddagger(2,\mathcal{O})[/math] is a maximal arithmetic subgroup of [math]SL^\ddagger(2,H)[/math].EDIT:The result above might still be true, but it was pointed out to me that since my proof makes use of the Mostow rigidity theorem, it technically only applies if [math]F = \mathbb{Q}[/math]. A shame, to be sure, but thankfully this also happens to be the case that is of primary interest for hyperbolic geometers.

I previously wrote an answer about some problems solved by group theory—if any of those appeal to you, I guess that gives you an answer to this question too. But, of course, you shouldn’t see that list as exhaustive: if you don’t see anything on that list that is relevant to you, it merely means you haven’t found why it is important for you, yet. Group theory is the study of extremely basic algebraic structures, and as such tends to snake its way into all sorts of different places, both expected and unexpected.Since the person who originally posted this question is getting a degree in mathematics and computer science, I thought I would describe a particular application of group theory in the field of cryptography. I want to note: it is far from the only application of group theory in cryptography, let alone in all of computer science. However, it is an application that comes up very frequently in our daily lives.Let’s say that I want to make some sort of transaction online—for concreteness, let’s say that I want to buy the book Introduction to Mathematical Logic by Mendelson from Amazon. I want to be able to send Amazon my financial information so that they withdraw the funds from my bank account. I also want to send them my address so that they know where to ship it. However, I absolutely do not want anyone else to be able to see any of that information.If Amazon and I had some sort of private communication channel, this would be easy. Unfortunately, I can’t afford a personal fiber-optic cable running from my house to Amazon HQ, and I have been cautioned that roving packs of bears to discourage anyone approaching the cable to mess with it might not actually be legal. So, instead, I am forced to send all of my messages over the Internet, where anyone can read them.That in itself need not be a problem. If Amazon and I had some kind of secret key, then we could use it to encode our messages such that only we could decode them (I may have to write about how to do this in some future post, but take this as given for now). But I don’t think I have ever met anyone who works for Amazon. And, to be frank, I have no desire to drive over Amazon HQ to get a secret key from them—that would completely defeat the point of ordering a book online. So, the question is: how can we communicate to one another over a public channel and thereby produce secret keys that no one else knows?On the face of it, this may seem impossible, but I assure you that it isn’t, as was first established by James H. Ellis, Clifford Cocks, and Malcolm J. Williamson in 1969—however, since they were working in secret for British intelligence, credit is often given to Diffie and Hellman, who published the first paper on the subject in 1976. Here is an illustration from A.J. Han Vinck’s Introduction to public key cryptography that gives an intuitive idea of the Diffie-Hellman protocol.The two communicating parties (denoted as Alice and Bob) start with common information known to everyone—represented here as a common paint. They then randomly select their own secret information and combine it with this common information. They then send the results to each other, and do the same thing again. Now, assuming thatit doesn’t matter in which order you added on this secret information, so Alice and Bob end up with the same result, andseparating out this information is difficult (so an eavesdropper can’t work out what Alice and Bob started with by seeing what they have sent),you can prove that it will be computationally difficult for an outside observer to reconstruct Alice and Bob’s shared secret key.Now, how is this actually implemented in practice? Diffie and Hellman’s original proposal just used the multiplicative group of the integers modulo [math]p[/math], but I want to give a more broad overlook before we get bogged down in particulars. So, here is the big picture—we shall start with a finite cyclic group [math]G[/math][math][/math] with a generator [math]g[/math][math][/math] of order [math]n[/math].In fact, let’s start with a refresher as to what this actually means. Recall that a group [math]G[/math][math][/math] is some set with an identity element [math]id[/math] and a binary operation [math]\circ[/math] such that:For all [math]x[/math], [math]y[/math], [math]z[/math] in [math]G[/math], [math]x \circ (y \circ z) = (x \circ y) \circ z[/math]. In other words, the group operation is associative.For all [math]x[/math] in [math]G[/math], [math]x \circ id = id \circ x = x[/math]. This is what it means to say that [math]id[/math] is an identity element.For all [math]x[/math] in [math]G[/math], there exists a [math]y[/math] such that [math]x \circ y = y \circ x = id[/math]. That is, every element has an inverse.I won’t go through the myriads of different examples of groups here, as I have already given many in my answer to What are fields, rings, and groups? I will use the common convention that if [math]n[/math] is a positive integer, [math]x^n[/math] denotes [math]x \circ x \circ \ldots \circ x[/math], with [math]n[/math] instances of [math]x[/math]. Similarly, [math]x^0 = id[/math], [math]x^{-1}[/math] denotes the inverse of [math]x[/math], and [math]x^{-n} = \left(x^{-1}\right)^n[/math] (which also happens to be the inverse of [math]x^n[/math]—I recommend trying to prove this if it is not obvious to you). A group is cyclic if there exists some element [math]g[/math][math][/math] in [math]G[/math][math][/math] such that every other element can be written as [math]g^n[/math] for some [math]n[/math]—such an element is called a generator. Here are some simple examples of cyclic groups:The integers, together with addition, are a cyclic group, since here [math]1^n = n \cdot 1[/math], which clearly allows you to produce all integers. (Yes, I get that the use of exponential notation here is confusing. There isn’t much I can do about that, I’m afraid.)The collection [math]\{1,i,-1,-i\}[/math], where [math]i = \sqrt{-1}[/math] is a cyclic group, if we take ordinary multiplication to be the group operation. This is since [math]i^2 = -1[/math], [math]i^3 = -i[/math], [math]i^4 = 1[/math].On a clock, we might add together hours by subtracting by 12 if they go over. Thus, if it is 4 o’clock now, in 9 hours it will be [math]4 + 9 = 13 \equiv 13 - 12 = 1[/math] o’clock. This notion of addition defines a group, which is also cyclic—one possible generator is [math]1[/math], but there are others. For example, notice that[math]\begin{align*} 2 \cdot 5 &= 10 \\ 3 \cdot 5 &= 3 \\ 4 \cdot 5 &= 8 \\ 5 \cdot 5 &= 1 \\ 6 \cdot 5 &= 6 \\ 7 \cdot 5 &= 11 \\ 8 \cdot 5 &= 4 \\ 9 \cdot 5 &= 9 \\ 10 \cdot 5 &= 2 \\ 11 \cdot 5 &= 7, \end{align*} \tag*{}[/math]hence [math]5[/math] is also a generator. However,[math]\begin{align*} 2 \cdot 2 &= 4 \\ 3 \cdot 2 &= 6 \\ 4 \cdot 2 &= 8 \\ 5 \cdot 2 &= 10 \\ 6 \cdot 2 &= 0 \\ 7 \cdot 2 &= 2 \\ 8 \cdot 2 &= 4, \end{align*} \tag*{}[/math]so [math]2[/math] is not a generator.More generally, for any integer [math]n \geq 2[/math], [math]\mathbb{Z}/n\mathbb{Z}[/math] denotes the collection [math]\{0,1,2,\ldots n - 1\}[/math], with the rule that if we add to elements together and get something that is too large, we subtract off by [math]n[/math] until we get back to the desired place. Notice that the above clock arithmetic is just the special case when [math]n = 12[/math], and if you can get past the fact that it is written with multiplication rather than addition, the example of [math]\{1,i,-1,-i\}[/math] is really nothing more than [math]\mathbb{Z}/4\mathbb{Z}[/math].If there exists some positive integer [math]n[/math] such that [math]g^n = id[/math], then the smallest such integer is called the order of the generator. If there is no such integer, we say that generator has infinite order. Note that in either case, the number of elements in the group is exactly the order of the generator.Right. Let’s start again: we take a finite cyclic group [math]G[/math][math][/math] with a generator [math]g[/math][math][/math] of order [math]n[/math]. This is public information that is known to everyone. Alice and Bob then both choose, independently, random integers [math]k[/math] and [math]r[/math] between [math]1[/math] and [math]n[/math]. Then, Alice computes [math]a = g^k[/math] and sends it to Bob, and Bob computes [math]b = g^r[/math] and sends it to Alice. Then, Alice computes [math]b^k = \left(g^r\right)^k = g^{kr}[/math] and Bob computes [math]a^r = \left(g^k\right)^r = g^{kr}[/math], and that is their shared private key.Beautifully simple, no? Well, there is a bit of problem, though: we have to assume that even if an eavesdropper knows [math]G[/math][math][/math], [math]g[/math][math][/math], [math]n[/math], [math]a = g^k[/math], and [math]b = g^r[/math], that it is difficult to compute [math]g^{kr}[/math]. Depending on how we specify our group, this may not be true.You may be thinking something along the lines of “Well, since you know what [math]g^k[/math] and [math]g^r[/math] are, just work out what [math]k[/math] and [math]r[/math] are, and then you can work out what [math]g^{kr}[/math] is!” That isn’t a bad thought, but it isn’t quite that simple. Consider the above example where we took [math]5[/math] to be the generator of [math]\mathbb{Z}/12\mathbb{Z}[/math]. If I hadn’t written down the table, would you be instantly able to work out what integer [math]n[/math] you need so that [math]n \cdot 5 = 11[/math], for example? If you aren’t familiar with number theory, it may not be obvious how to solve a problem like this. Even so, we have demonstrated an important requirement: [math]n[/math] must be large—otherwise, an eavesdropper could just work out the entire group multiplication table, as we did with [math]5[/math], and work out [math]k[/math] and [math]r[/math] from [math]g^k[/math] and [math]g^r[/math].Unfortunately, this isn’t sufficient. Let’s take [math]n = 2760727302517[/math] (this is the [math]10^{11}[/math]-th prime number)—this is still quite small, but will do for illustrative purposes. I claim that [math]2298570020914[/math] is a generator of [math]\mathbb{Z}/n\mathbb{Z}[/math] with this choice of [math]n[/math]. We might ask what is the integer [math]k[/math] that I need multiply this by to get to, say, [math]1178932971685[/math]. I ask Mathematica to do this, and it spits out an answer of [math]684240928772[/math] so absurdly quickly that it can’t even give me an accurate count of how long it took to do this computation. Now, you may well ask: how the hell is it able to do it this fast?The key observation is that while we only defined addition on [math]\mathbb{Z}/n\mathbb{Z}[/math], you can define multiplication on it just as well, with the same rules—if you go over [math]n - 1[/math], subtract off [math]n[/math] until you get to where you need to be. Using the extended Euclidean algorithm, you can prove that if [math]k[/math] is coprime to [math]n[/math], then there exists some integer [math]r[/math] such that [math]k \cdot r = 1[/math] in [math]\mathbb{Z}/n\mathbb{Z}[/math]. In fact, the extended Euclidean algorithm gives you a fast way of computing this [math]r[/math], as I showed in my answer to Why do we use the extended euclidean algorithm when the euclidean algorithm is simpler and gives the same result? So, now we know how why the group that we tried to use was never going to work—even if [math]n[/math] is very large, if [math]g[/math][math][/math] is our generator, any eavesdropper can find [math]k[/math] from the [math]a[/math] that Alice sends as follows:Realize that finding [math]k[/math] is the same as solving [math]k \cdot g = a[/math] for [math]k[/math] inside of [math]\mathbb{Z}/n\mathbb{Z}[/math].Compute [math]g^{-1}[/math] using the extended Euclidean algorithm.Multiply both sides by [math]g^{-1}[/math], giving [math]k = a \cdot g^{-1}[/math].The same trick will give you [math]r[/math] from [math]b[/math], breaking the whole scheme entirely.Thankfully, the reasons why this particular choice fails point the way to a new choice that is actually thought to be secure. I mentioned that if [math]k[/math] is coprime to [math]n[/math], then [math]k\cdot r = 1[/math] is solvable. If you think about it, you will realize that this means that the collection of integers between [math]1[/math] and [math]n[/math] that are coprime to [math]n[/math] form a group—indeed, this multiplication is associative, it has an identity ([math]1[/math], to be precise), and we have just concluded that it has inverses. By appealing to a combination of group theory and number theory, you can prove that if [math]n[/math] is a prime number, thenthe number of such elements coprime to [math]n[/math] is [math]n - 1[/math], andthis group, which we shall denote by [math]\left(\mathbb{Z}/n\mathbb{Z}\right)^\times[/math], is cyclic.Here is an example: [math]15[/math] is a generator of [math]\left(\mathbb{Z}/23\mathbb{Z}\right)^\times[/math].[math]\begin{align*} 15^{0} &= 1 \\ 15^{1} &= 15 \\ 15^{2} &= 18 \\ 15^{3} &= 17 \\ 15^{4} &= [/math][math]2[/math][math] \\ 15^{5} &= 7 \\ 15^{6} &= 13 \\ 15^{7} &= 11 \\ 15^{8} &= 4 \\ 15^{9} &= 14 \\ 15^{10} &= 3 \\ 15^{11} &= 22 \\ 15^{12} &= 8 \\ 15^{13} &= 5 \\ 15^{14} &= 6 \\ 15^{15} &= 21 \\ 15^{16} &= 16 \\ 15^{17} &= 10 \\ 15^{18} &= 12 \\ 15^{19} &= 19 \\ 15^{20} &= 9 \\ 15^{21} &= 20 \end{align*} \tag*{}[/math]Producing these generators is actually very easy—let me share the secret now. Due to basic group theoretic considerations, you know that the order of any particular element must divide the order of the group (i.e. the number of elements in the group). Notice that if the order of the group is a prime number, this implies that every element other than the identity is a generator. I used this before when I asserted without proof that [math]2298570020914[/math] is a generator of [math]\mathbb{Z}/n\mathbb{Z}[/math], where [math]n = 2760727302517[/math]. I can use this reasoning again for the group [math]\left(\mathbb{Z}/n\mathbb{Z}\right)^\times[/math] if [math]n[/math] is a prime—we know that there are [math]n - 1[/math] elements in this group, and so any randomly chosen element will be a generator if and only if its order is [math]n - 1[/math]. So, here is the trick: choose [math]n = 2p + 1[/math], where [math]p[/math] is itself a prime number—such a prime number is known as a Sophie Germain prime. Then [math]n - 1 = 2p[/math], and so the only possible orders of elements are [math]2[/math][math][/math], [math]p[/math], and [math]2p[/math]. Fixing a generator [math]g[/math][math][/math], an element will have order [math]2[/math][math][/math] if and only if it is of the form [math]g^{pk}[/math] for some odd [math]k[/math]. An element will have order [math]p[/math] if and only if it is of the form [math]g^{2k}[/math] for some [math]k[/math] that is not divisible by [math]p[/math]. What you see from this is that there is only a very slightly worse than [math]50\%[/math] chance that a randomly chosen element [math]h[/math] will be a generator, and we only need to check that [math]h^2, h^p \neq 1[/math], which can be done very quickly. As it is conjectured that there are infinitely many Sophie Germain primes, this gives an efficient way of randomly producing groups [math]G[/math][math][/math] and generators [math]g[/math][math][/math] that work for our purposes.Unfortunately, we don’t actually have mathematical proof that the choice of [math]G[/math][math] = \left(\mathbb{Z}/n\mathbb{Z}\right)^\times[/math] really is secure, and that there isn’t some algorithm like the Euclidean algorithm that quickly finds [math]k[/math] given [math]g[/math][math][/math] and [math]g^k[/math]. It is in fact an open problem (known as the Diffie–Hellman problem) to prove this for any finite group. The best that we can say is that it has held up to scrutiny thus far, and there is good reason to believe that it should be difficult. I should also note that this choice of group is not the only one conjectured to be difficult, nor even the only one that is in use—in the elliptic-curve Diffie–Hellman protocol, you swap out that group for the group of rational points on an elliptic curve over a finite field. In principle, if you can find some other nice group that works and maybe has some other nice properties, you can swap that it in instead without issue. This is the nice aspect of considering everything from an abstract, group-theoretical perspective: you don’t need to sweat the details as much.I do have to make one final note before I end this post: while the Diffie-Hellman protocol is a fundamental building block in cryptography, in practice you likely don’t want to use it in quite the way that I described—i.e. you don’t want to use it to directly contact Amazon to buy your book. This is because the pure Diffie-Hellman protocol is susceptible to man-in-the-middle attacks: if someone intercepted my messages to Amazon in the very beginning, and pretended to be me to Amazon and Amazon to me, they would become privy to all of our private correspondence. To actually make this workable, you need additional protocols that allow you to verify that you are actually talking to your desired party. For the specific application mentioned, you most likely want to use something RSA, which typically comes bundled with such protocols. However, there are plenty of similar applications where Diffie-Hellman is used instead.