
One of the key reductions in Shor's algorithm in quantum computing for finding prime factors of $m$ is that if $n < m$ is coprime with $m$, then **there likely exist integers $p$ and $q$ where $mq+1=n^p$**. Then since $$ mq = \underbrace{(n^{p/2}-1)}_{f_1}\underbrace{(n^{p/2}+1)}_{f_2} $$ then as long as $p$ is even and $q$ doesn't divide both $f_1$ or $f_2$, then at least one is a factor of $m$.

Can anyone give me a lead as to the reasoning behind the bolded statement? Is this a counting result? Is there a more precise statement? Is there a bound on how large $p$ may be?

Thanks!

Y. S.

1 Answer


First let's consider the underlying idea. By here, we can quickly split $m$ into nontrivial factors by a quick gcd computation if we are given any $a$ which is a nontrivial square root of $\,1\pmod{\!m},\,$ i.e. $\,a^2\equiv 1,\ a\not\equiv \pm 1.\,$ Your example is the special case $\,a\equiv n^{p/2}.\,$

This is a common technique used by many factorization algorithms. As explained in the linked post, the same idea works given any integer-coefficient polynomial $\,f(x)\in\Bbb Z[x]\,$ with more roots mod $m$ than its degree. Above is the special case $\,f(x) = x^2-1,\,$ with $\,3\,$ distinct roots $\,-1,1,a\pmod{\!m}$.

By CRT, such nontrivial square roots always exist for $m$ with at least $2$ prime factors, e.g. see here (it is trivial to factor integers with only one prime factor, i.e. prime powers).

Bill Dubuque
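The classical half of the reduction in the question (find the order $p$ of $n$ mod $m$, require $p$ even, take $\gcd(n^{p/2}\pm 1, m)$) and the answer's framing of it (any $a$ with $a^2\equiv 1$, $a\not\equiv\pm1 \pmod m$ splits $m$ by one gcd) can be checked on small moduli with ordinary integer arithmetic. The block below is an added example, not code from the question, the answer, or any Shor implementation. It assumes nothing beyond Python's standard library; the order is found by brute-force repeated multiplication, which is exactly the step the quantum order-finding subroutine replaces, so it only scales to toy moduli. The function names and the sample moduli 15 and 21 are choices made here.

```python
from math import gcd


def multiplicative_order(n: int, m: int) -> int:
    """Smallest p >= 1 with n**p == 1 (mod m), i.e. the p in m*q + 1 = n**p.

    Brute-force loop; this is the step Shor's quantum subroutine replaces.
    Requires gcd(n, m) == 1, otherwise no such p exists (and gcd already
    gives a factor of m).
    """
    if gcd(n, m) != 1:
        raise ValueError("n must be coprime with m")
    x, p = n % m, 1
    while x != 1:
        x = (x * n) % m
        p += 1
    return p


def is_nontrivial_sqrt_of_one(a: int, m: int) -> bool:
    """True iff a**2 == 1 (mod m) and a is not congruent to +1 or -1."""
    a %= m
    return (a * a) % m == 1 and a not in (1, m - 1)


def split_from_sqrt(a: int, m: int) -> tuple[int, int]:
    """Given a nontrivial square root a of 1 mod m, return the two
    nontrivial factors gcd(a - 1, m) and gcd(a + 1, m), smaller first.

    m divides (a - 1)(a + 1) but neither factor alone, so each gcd is a
    proper divisor of m (the answer's f(x) = x**2 - 1 argument).
    """
    if not is_nontrivial_sqrt_of_one(a, m):
        raise ValueError("a is not a nontrivial square root of 1 mod m")
    f1, f2 = gcd(a - 1, m), gcd(a + 1, m)
    return (f1, f2) if f1 <= f2 else (f2, f1)


def shor_classical_split(n: int, m: int):
    """Run the reduction for one base n.

    Returns (p, (f1, f2)) on success, or (p, None) when the reduction fails
    for this n: p is odd, or n**(p/2) is the trivial root -1 (so that
    m divides f2 = n**(p/2) + 1 and the gcd gives m itself).
    """
    p = multiplicative_order(n, m)
    if p % 2 == 1:
        return p, None
    a = pow(n, p // 2, m)
    if not is_nontrivial_sqrt_of_one(a, m):
        return p, None
    return p, split_from_sqrt(a, m)


def splitting_bases(m: int):
    """All coprime bases 2 <= n <= m-2 and whether each one splits m.

    Returns a list of (n, p, factors_or_None), which lets one see the
    'likely' in the question empirically for a given m.
    """
    rows = []
    for n in range(2, m - 1):
        if gcd(n, m) == 1:
            p, factors = shor_classical_split(n, m)
            rows.append((n, p, factors))
    return rows


if __name__ == "__main__":
    # Constructed sample moduli with two prime factors each.
    for m in (15, 21):
        for n, p, factors in splitting_bases(m):
            print(f"m={m} n={n:2d} order={p:2d} -> {factors}")
```

Running it lists, for each coprime base, the order and the factor pair the gcd step produces, or `None` for the bases where the reduction fails (odd order, or $n^{p/2}\equiv -1$). For $m=15$ every base from 2 to 13 succeeds; for $m=21$ some bases have odd order and fail, which is the case the question's "likely" refers to.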