# Number Theory

In this notes I just review some important notions of number theory necessary for your first steps in cryptography

## Divisibility and greatest common divisor

Let $a$ and $b$ be integers with $b!=0$. We say that $b$ **divides** $a$, if there is an integer $c$ such that $a=bc$. 

A **common divisor** of two integers $a$ and $b$ is a positive integer $d$ that divides both of them.

Let **a** and **b** be positive integers. Then we say that *a divided by b has quotient q and remainder r* if $a=bq+r$ with $0\leq r < b$.

### Finding the greatest common divisor using the Euclidean altorithm

A nice explanation can be found [here](https://en.wikipedia.org/wiki/Euclidean_algorithm). Also in the book [An introduction to mathematical cryptography](https://www.springer.com/gp/book/9781441926746) in page 13.

Let $a$ and $b$ be positive integers with $a>b$. The following is the euclidean algorithm to calculate the greatest common divisor of $a$ and $b$ (i.e. the largest number that divides both).

1. Let $r_0=a$ and $r_1=b$.
2. Set $i=1$.
3. Divide $r_{i-1}$ by $r_i$ to get the quotient $q_i$ and the remainder $r_{i+1}$.
4. If $r_{i+1}=0$ then $r_i$ is the greatest common divisor.
5. Otherwise set $i=i+1$ and go to step 3.

Here's the code for this

In [1]:
def gcd(a,b):
    #a must be greater than a, otherwise flip a and b
    a, b = (a,b) if a>b else (b,a)
    r_prev, r = a, b
    
    while r!=0:
        r_post = r_prev%r
        if r_post == 0:
            return r
        else:
            r_prev, r = r, r_post
    

In [2]:
a = 2024
b = 748
c = gcd(a,b)
print("gcd of {} and {} is {}".format(a,b,c))
print("remainder of a/gcd(a,b) = {}, remainder of b/gcd(a,b) = {}".format(a%c, b%c))

gcd of 2024 and 748 is 44
remainder of a/gcd(a,b) = 0, remainder of b/gcd(a,b) = 0


In [3]:
a = 16261
b = 85652
c = gcd(a,b)
print("gcd of {} and {} is {}".format(a,b,c))
print("remainder of a/gcd(a,b) = {}, remainder of b/gcd(a,b) = {}".format(a%c, b%c))

gcd of 16261 and 85652 is 161
remainder of a/gcd(a,b) = 0, remainder of b/gcd(a,b) = 0


There exists many ways of calculating the greatest common divisor of two natural numbers. Let's deep dive on the **extended euclidean algorithm** (actually a theorem)

Let $a$ and $b$ be positive integers, then the equation

$$au+bv=gcd(a,b)$$

has a solution in $u$ and $v$.

A good [implementation](https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm) to find u, v and gcd(a,b) is:

In [4]:
def xgcd(a, b):
    # Solving equation au+bv=gcd(a,b)
    # result is: (g,u,v) where g is greatest common divisor and u,v the solution of the eq above
    u0, u1, v0, v1 = 0, 1, 1, 0
    while a != 0:
        q, b, a = b // a, a, b % a
        v0, v1 = v1, v0 - q * v1
        u0, u1 = u1, u0 - q * u1
    return b, u0, v0

In [5]:
a = 16261
b = 85652
g, u, v = xgcd(a,b)

print("the solution to the equation au+bv=gcd(a,b) where (a,b)=({},{})".format(a,b))
print("is g, u, v = ({}, {}, {}) where g is the gcd\n".format(g,u,v))
print("therefore the equation holds:")
print("{}u+{}v={} for the above mentioned values of u and v\n".format(a,b,g))

print("Let's check the equation:")
print("Left hand side a*u+b*v={}".format(a*u+b*v))
print("Right hand side gcd(a,b)={}".format(g))


assert int(a*u+b*v)==g, "Warning, something is wrong!. g, u, v does not match the equation!"

print(xgcd(a,b))

the solution to the equation au+bv=gcd(a,b) where (a,b)=(16261,85652)
is g, u, v = (161, -79, 15) where g is the gcd

therefore the equation holds:
16261u+85652v=161 for the above mentioned values of u and v

Let's check the equation:
Left hand side a*u+b*v=161
Right hand side gcd(a,b)=161
(161, -79, 15)


In [6]:
a = 139024789
b = 93278890
g, u, v = xgcd(a,b)

print("the solution to the equation au+bv=gcd(a,b) where (a,b)=({},{})".format(a,b))
print("is g, u, v = ({}, {}, {}) where g is the gcd\n".format(g,u,v))
print("therefore the equation holds:")
print("{}u+{}v={} for the above mentioned values of u and v\n".format(a,b,g))

print("Let's check the equation:")
print("Left hand side a*u+b*v={}".format(int(a*u+b*v)))
print("Right hand side gcd(a,b)={}".format(g))


assert int(a*u+b*v)==g, "Warning, something is wrong!. g, u, v does not match the equation!"

the solution to the equation au+bv=gcd(a,b) where (a,b)=(139024789,93278890)
is g, u, v = (1, 6944509, -10350240) where g is the gcd

therefore the equation holds:
139024789u+93278890v=1 for the above mentioned values of u and v

Let's check the equation:
Left hand side a*u+b*v=1
Right hand side gcd(a,b)=1


In this last case the greatest common divisor is 1, in this special case $a$ and $b$ are said to be comprimes. I.e. two naturals $a$ and $b$ are coprimes iff $au+bv=gcd(a,b)=1$. For any two natural numbers we can find two coprimes by simply dividing by the gcd(a,b) on both sides of the equation:

$$\frac{a}{gcd(a,b)}u+\frac{b}{gcd(a,b)}v=1$$

Then $a/gcd(a,b)$ and $b/gcd(a,b)$ are coprimes. Let's test this with a simple example

In [7]:
a = 16261
b = 85652
g, u, v = xgcd(a,b)

print("the solution to the equation au+bv=gcd(a,b) where (a,b)=({},{})".format(a,b))
print("is g, u, v = ({}, {}, {}) where g is the gcd\n".format(g,u,v))

a_coprime = int(a/g)
b_coprime = int(b/g)

print("The coprimes are {} and {}".format(a_coprime,b_coprime))

g, u, v = xgcd(a_coprime, b_coprime)
print("the solution to the equation au+bv=gcd(a,b) where (a,b)=({},{})".format(a_coprime,b_coprime))
print("is g, u, v = ({}, {}, {}) where g is the gcd\n".format(g,u,v))

the solution to the equation au+bv=gcd(a,b) where (a,b)=(16261,85652)
is g, u, v = (161, -79, 15) where g is the gcd

The coprimes are 101 and 532
the solution to the equation au+bv=gcd(a,b) where (a,b)=(101,532)
is g, u, v = (1, -79, 15) where g is the gcd



There you go! We found two coprimes from two numbers that are not coprimes originally.

## Prime numbers

Altough in many books this section comes later I think is worth having a look. **A natural number $p$ is said to be prime iff it is only divisible by himself and 1**. Prime numbers actually construct all the other numbers by multiplication, this is, if we are given the whole (infinitely) set of prime numbers we can construct all other natural numbers by multiplying different prime numbers. This is the fundamental theorem of arithmetics:

Let $a\geq 2$ be an integer: Then $a$ can be factored as a product fo prime numbers:

$$a = p_1^{e_1} \cdot p_2^{e_2} \cdots \cdot p_r^{e_r}$$

where each $p_i$ is a prime number and $e_i$ a natural number. Another property is that this factorisation is unique so there is no other set of primes that can reconstruct $a$ (check the proof on Hoffstein, Pipher, Silverman book)

In [8]:
# TODO: implement algorithm of factorization

### Calculating Prime numbers: Sieve of Eratosthenes

The [Sieve of Eratosthenes](https://en.wikipedia.org/wiki/Sieve_of_Eratosthenes) is a way to calculate prime numbers giving an upper limit. It is very easy to understand the algorithm. We start by 2 (obviously prime) and mark all multiples of 2 in the list as not primes, then we take 3 (also prime) and we mark all multiples of 3 as not primes. When we go to 4 we see it is marked as not prime (it is multiple of 2) so there is no necessity to check twice. The algorithm finishes when it has looped over all numbers in the list. Let's code it

In [9]:
def primes_sieve_eratosthenes(limit):
    a = [True] * limit                          # Initialize the primality list
    a[0] = a[1] = False
    for i, isprime in enumerate(a):
        if isprime:
            yield i
            for n in range(i*i, limit, i):     # Mark factors non-prime
                a[n] = False


n = 100
primes = list(primes_sieve_eratosthenes(n))

print("All prime numbers bellow {} are:\n{}".format(n,primes))

All prime numbers bellow 100 are:
[2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


We'll get back to prime numbers in a while!.

## Modular Arithmetic

Modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" when reaching a certain value—the modulus (plural moduli). First we need to fix a number $m$ on which we will write the modular operation. The numbers will vary from 0 to $m-1$. I'll show an example

In [10]:
m = 7
for i in range(3*m):
    print("i={}, i(mod m)={}".format(i,i%m))

i=0, i(mod m)=0
i=1, i(mod m)=1
i=2, i(mod m)=2
i=3, i(mod m)=3
i=4, i(mod m)=4
i=5, i(mod m)=5
i=6, i(mod m)=6
i=7, i(mod m)=0
i=8, i(mod m)=1
i=9, i(mod m)=2
i=10, i(mod m)=3
i=11, i(mod m)=4
i=12, i(mod m)=5
i=13, i(mod m)=6
i=14, i(mod m)=0
i=15, i(mod m)=1
i=16, i(mod m)=2
i=17, i(mod m)=3
i=18, i(mod m)=4
i=19, i(mod m)=5
i=20, i(mod m)=6


See that we are looping all over in between 0 and $m-1$ and the operation modulo is nothing less than the remainder of the division by $m$. We say that two integers $a$ and $b$ are **congruent modulo** if their difference is integer modulo $m$. This is, $a\equiv b$(mod m). In our example 10 and 3 are congruent modulo because 10-3 = 7 and 7 is multiple of 7. 

### Sum in modular arithmetic

A property of the modulo operation:
If $a_1 \equiv a_2$(mod m) and $b_1 \equiv b_2$(mod m), then $a_1 \pm b_1 \equiv a_2 + b_2$ (mod m)


In [11]:
m = 7
a2 = 10
b2 = 14

a1 = a2%m
b1 = b2%m

print("a1={}, a2={}, b1={}, b2={}".format(a1,a2,b1,b2))
print("a1 + b1 = {}, a2 + b2 (mod m)= {}".format(a1+b1, (a2+b2)%m))

a1=3, a2=10, b1=0, b2=14
a1 + b1 = 3, a2 + b2 (mod m)= 3


The set of numbers $0, 1 \cdots m-1$ along with the sum modulo operation forms an algebraic structure called abelian group. Here's the definition.

A group is a set, $G$, together with an operation $\times$ (it can be multiplication in some cases but not necessarily, $\times$ is a symbol here) that combines any two elements $a$ and $b$ to form another element, denoted $ a \times b$ or ab. To qualify as a group, the set and operation, ($G$, $\times$), must satisfy four requirements:

* **Closure**: for any $a$ and $b$ in the set, the operation $a \times b$ must also be in the set.
* **Associativity** for any $a$, $b$ and $c$ in the set, $(a\times b)\times c = a \times (b \times c)$
* **Existence of identity**: There exist an element $e$ in the set such that for any $a$ in the set $a \times e = a$
* **Inverse Element**: For any element in the group $a$ there must be another element $b$ such that $a \times b = e$

If all these conditions are met, we say that ($G$, $\times$) is a group. Also, if the condition $a \times b = b \times a$ is met (commutativity) then we call the group an abelian group.

In our case, we name the set as

$$Z/Z_m = {0, 1, 2,... m-1}$$

and the operation

$$a \times b = a \cdot b (mod m)$$

### Multiplication in modular arithmetic

Similar happens with multiplication $a_1b_1\equiv a_2b_2$(mod m)

In [12]:
print("a1={}, a2={}, b1={}, b2={}".format(a1,a2,b1,b2))
print("a1*b1 = {}, a2*b2 (mod m)= {}".format(a1*b1, (a2*b2)%m))

a1=3, a2=10, b1=0, b2=14
a1*b1 = 0, a2*b2 (mod m)= 0


The **inverse** can also be defined in the modululo operation. Let $a$ be an integer then, there exists $b$ such that $a\cdot b \equiv 1$ (mod m) if and only if $gcd(a,m)=1$.

To prove this, let's assume gcd(a,m)=1, then by the extended euclidean theorem we know that 

$$au+mv=1$$

This means that 

$$au-1=-mv$$

so, $au-1$ is multiple of m and therefore if we apply (mod m) operation to both sides we get $au\equiv 1$ (mod m). Therefore we can take $b$ (the inverse) as $u$. Let's code this:

In [13]:
def InverseMod(a, m):
    g, u, _ = xgcd(a,m)
    if g!=1:
        print("{} has no inverse on modulo {}".format(a,m))
        return None
    return u

a = 10
m = 7
inv_a = InverseMod(a,m)

print("inverse of {} in modulo {} is {}\na*inv_a = {}".format(a,m,inv_a,a*inv_a%m))

inverse of 10 in modulo 7 is -2
a*inv_a = 1


Note that the existence of the inverse is guaranteed if and only if gcd(a,m)=1. For instance 2 mod(8) has no inverse.

In [14]:
a = 2
m = 8
inv_a = InverseMod(a,m)
print(a,m,inv_a)

2 has no inverse on modulo 8
2 8 None


The fact that the inverse is not defined for all elements of $Z/mZ$ prevents us to define the triplet ($Z/mZ$,+,$\times$) as an algebraic [field](https://en.wikipedia.org/wiki/Field_(mathematics)) but a [ring](https://en.wikipedia.org/wiki/Ring_(mathematics)). 

A ring is a triplet ($G$,+,$\times$), i.e. a set of elements with two operations with the following properties

* ($G$,+) is an abelian group
* **Associativity on $\times$** for any $a$, $b$ and $c$ in the set, $(a\times b)\times c = a \times (b \times c)$
* **Existence of identity on $\times$**: There exist an element $e$ in the set such that for any $a$ in the set $a \times e = a$
* **$\times$ is distributive with respect to +**: $$a \times (b + c) = a \times b + a\times c$$ and $$(b+c)\times a = b\times a + c\times a$$

But what is a Field?

Basically a field is a ring such that the second operation also satisfies all the group properties (after throwing out the additive identity); i.e. it has multiplicative inverses, multiplicative identity, and is commutative

Let's try to define an abelian group with the elements of $Z/mZ$ and the modular multiplication, to do so, we have to get rid of the non invertible elements. We do so with the help of the gcd(a,m). We define the set

$$(Z/mZ)^* = a \in Z/mZ | gcd(a,m)=1$$

Let me write a function


In [15]:
def InvertibleNumbers(m):
    inv = []
    for i in range(m):
        g, _, _ = xgcd(i,m)
        if g==1:
            inv.append(i)
    return inv

m = 24
inv = InvertibleNumbers(m)
print("The invertible numbers (product wise) of Z/mZ m={} are\n{}".format(m,inv))

The invertible numbers (product wise) of Z/mZ m=24 are
[1, 5, 7, 11, 13, 17, 19, 23]


Now let's do the multiplication table and find the inverses of all elements

In [16]:
for i,elem1 in enumerate(inv):
    for j,elem2 in enumerate(inv[i:]):
        print("{} times {} is {}".format(elem1,elem2, (elem1*elem2)%m))

1 times 1 is 1
1 times 5 is 5
1 times 7 is 7
1 times 11 is 11
1 times 13 is 13
1 times 17 is 17
1 times 19 is 19
1 times 23 is 23
5 times 5 is 1
5 times 7 is 11
5 times 11 is 7
5 times 13 is 17
5 times 17 is 13
5 times 19 is 23
5 times 23 is 19
7 times 7 is 1
7 times 11 is 5
7 times 13 is 19
7 times 17 is 23
7 times 19 is 13
7 times 23 is 17
11 times 11 is 1
11 times 13 is 23
11 times 17 is 19
11 times 19 is 17
11 times 23 is 13
13 times 13 is 1
13 times 17 is 5
13 times 19 is 7
13 times 23 is 11
17 times 17 is 1
17 times 19 is 11
17 times 23 is 7
19 times 19 is 1
19 times 23 is 5
23 times 23 is 1


In [17]:
for elem in inv:
    i = InverseMod(elem,m)
    print("Inverse of {} is {}, check == {}".format(elem,i, elem*i%m))

Inverse of 1 is 1, check == 1
Inverse of 5 is 5, check == 1
Inverse of 7 is 7, check == 1
Inverse of 11 is 11, check == 1
Inverse of 13 is -11, check == 1
Inverse of 17 is -7, check == 1
Inverse of 19 is -5, check == 1
Inverse of 23 is -1, check == 1


Now recall that if $m$ is a prime number $p$, for all elements $a$ in $Z/pZ=0,\cdots p-1$ the greatest common divisor $gcd(a, p) = 1$ and so every element has an inverse. Now we can define an algebraic field on this set!

In [18]:
m = 11
inv = InvertibleNumbers(m)
print("The invertible numbers (product wise) of Z/mZ m={} are\n{}".format(m,inv))

for i,elem1 in enumerate(inv):
    for j,elem2 in enumerate(inv[i:]):
        print("{} times {} is {}".format(elem1,elem2, (elem1*elem2)%m))

The invertible numbers (product wise) of Z/mZ m=11 are
[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
1 times 1 is 1
1 times 2 is 2
1 times 3 is 3
1 times 4 is 4
1 times 5 is 5
1 times 6 is 6
1 times 7 is 7
1 times 8 is 8
1 times 9 is 9
1 times 10 is 10
2 times 2 is 4
2 times 3 is 6
2 times 4 is 8
2 times 5 is 10
2 times 6 is 1
2 times 7 is 3
2 times 8 is 5
2 times 9 is 7
2 times 10 is 9
3 times 3 is 9
3 times 4 is 1
3 times 5 is 4
3 times 6 is 7
3 times 7 is 10
3 times 8 is 2
3 times 9 is 5
3 times 10 is 8
4 times 4 is 5
4 times 5 is 9
4 times 6 is 2
4 times 7 is 6
4 times 8 is 10
4 times 9 is 3
4 times 10 is 7
5 times 5 is 3
5 times 6 is 8
5 times 7 is 2
5 times 8 is 7
5 times 9 is 1
5 times 10 is 6
6 times 6 is 3
6 times 7 is 9
6 times 8 is 4
6 times 9 is 10
6 times 10 is 5
7 times 7 is 5
7 times 8 is 1
7 times 9 is 8
7 times 10 is 4
8 times 8 is 9
8 times 9 is 6
8 times 10 is 3
9 times 9 is 4
9 times 10 is 2
10 times 10 is 1


Let's now study the fast powering algorithm that can be found in the book [An Introduction to Mathematical Cryptography](https://www.springer.com/gp/book/9781493917105). 

In [19]:
def fastPowering(a,k,p):
    """
    Fast powering algorithm
    a in $Z_p$ and integers 0 <= k <= p
    p is a large prime number
    
    returns:
    a^k (mod p)
    
    Note: exactly the same as pow(a,k,p) implemented in python
    """
    b = 1
    if k == 0:
        return b
    A = a
    # If the least significant bit is 1, $a^1 = a$
    if 1 & k:
        b = a
    k = k >> 1
    while k:
        A = (A**2) % p
        if 1 & k:
            b = (b * A) % p
        k = k >> 1
    return b

So let's calculate powers of 3 modulo 7

In [20]:
p = 7
for k in range(3*p):
    print("3^{} (mod {}) = {}".format(k, p, fastPowering(3,k,p)))

3^0 (mod 7) = 1
3^1 (mod 7) = 3
3^2 (mod 7) = 2
3^3 (mod 7) = 6
3^4 (mod 7) = 4
3^5 (mod 7) = 5
3^6 (mod 7) = 1
3^7 (mod 7) = 3
3^8 (mod 7) = 2
3^9 (mod 7) = 6
3^10 (mod 7) = 4
3^11 (mod 7) = 5
3^12 (mod 7) = 1
3^13 (mod 7) = 3
3^14 (mod 7) = 2
3^15 (mod 7) = 6
3^16 (mod 7) = 4
3^17 (mod 7) = 5
3^18 (mod 7) = 1
3^19 (mod 7) = 3
3^20 (mod 7) = 2


Muliplications modulo have interesting properties when dealing with prime numbers. One of them is **Fermat's little theorem**. This is $a^{p-1}=1$(mod p) if a is not divisible by $p$. If conversely a is divisible by $p$ the result is 1. Let's check with few numbers.

In [21]:
p = 17
print("Using prime number p = {}".format(p))

a = 10
print("a = {}, a^(p-1)={}".format(a, fastPowering(a,p-1,p)))

a = 17
print("a = {}, a^(p-1)={}".format(a, fastPowering(a,p-1,p)))

a = 2*17
print("a = {}, a^(p-1)={}".format(a, fastPowering(a,p-1,p)))

a = 16
print("a = {}, a^(p-1)={}".format(a, fastPowering(a,p-1,p)))

Using prime number p = 17
a = 10, a^(p-1)=1
a = 17, a^(p-1)=0
a = 34, a^(p-1)=0
a = 16, a^(p-1)=1


Fermat's little theorem can help us calculate the inverse of a number $a<p$. Since $a^{p-1}=1$(mod p) we multiply both sides by $a^{-1}$ so we get $a^{p-2}=a^{-1}$(mod p)

In [22]:
def InverseFermat(a, p):
    #p must be a prime number
    return fastPowering(a, p-2, p)

p = 17
a = 10
print("Inverse modulo of {} with p={} is {}. a*a^-1={}".format(a, p, InverseFermat(a,p), a*InverseFermat(a,p)%p))
a = 11
print("Inverse modulo of {} with p={} is {}. a*a^-1={}".format(a, p, InverseFermat(a,p), a*InverseFermat(a,p)%p))
a = 5
print("Inverse modulo of {} with p={} is {}. a*a^-1={}".format(a, p, InverseFermat(a,p), a*InverseFermat(a,p)%p))



Inverse modulo of 10 with p=17 is 12. a*a^-1=1
Inverse modulo of 11 with p=17 is 14. a*a^-1=1
Inverse modulo of 5 with p=17 is 7. a*a^-1=1


Which algorithm should we use here? The Euclidean algorithm or the Fermat's little theorem to calculate the inverse?. The fact is that both presented here run in similar time. There are however better implementations of the Euclidean algorithm.

So far we found an interesting algebraic structure called Field in $(Z/pZ)^*$ where the elements with respect to the sum are {0,1,...,p-1} and those with respect to the product {1, 2, ..., p-1}. Of course both, product are sum are modulo operations. 

The multiplicative elements of field $(Z/pZ)^*$ can all be generated by powering an element of the set called generator $g$. In fact we are guaranteed that such an element exist but not all elments of the set are generators. This is called the **primitive root theorem**.

As an example, 2 is a generator of the group $F_{11}$. Let's power it!

In [23]:
p = 11
a = 2

l = []
for i in range(0,p-1):
    print("2^{} (mod {}) = {} || ".format(i,p,fastPowering(a,i,p)), end = '')
    l.append(fastPowering(a,i,p))

print("\n")
l.sort()
print("The sorted elements generated by powering {} are:".format(a))
print(set(l))

2^0 (mod 11) = 1 || 2^1 (mod 11) = 2 || 2^2 (mod 11) = 4 || 2^3 (mod 11) = 8 || 2^4 (mod 11) = 5 || 2^5 (mod 11) = 10 || 2^6 (mod 11) = 9 || 2^7 (mod 11) = 7 || 2^8 (mod 11) = 3 || 2^9 (mod 11) = 6 || 

The sorted elements generated by powering 2 are:
{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}


But 3 is not a generator on this field

In [24]:
p = 11
a = 3

l = []
for i in range(0,p-1):
    print("2^{} (mod {}) = {} || ".format(i,p,fastPowering(a,i,p)), end = '')
    l.append(fastPowering(a,i,p))

print("\n")
l.sort()
print("The sorted elements generated by powering {} are:".format(a))
print(set(l))

2^0 (mod 11) = 1 || 2^1 (mod 11) = 3 || 2^2 (mod 11) = 9 || 2^3 (mod 11) = 5 || 2^4 (mod 11) = 4 || 2^5 (mod 11) = 1 || 2^6 (mod 11) = 3 || 2^7 (mod 11) = 9 || 2^8 (mod 11) = 5 || 2^9 (mod 11) = 4 || 

The sorted elements generated by powering 3 are:
{1, 3, 4, 5, 9}
