Pollard’s rho method: use the polynomial $f(x) = x^2$, show for $j

Question

Let $n > 1$ be a number which we wish to factorize. Suppose we try to change the implementation of Pollard’s rho method to use the polynomial $f(x) = x^2$ instead. That is, we define our sequence $a_1,a_2,\ldots$ by choosing $a_1 ∈\{0,1,\ldots ,n −1\}$ at random and then defining $a_i$ to be the remainder of $a_{i−1}^2 \pmod n$, for all $i ≥2$. Assume that our chosen $a_1$ is coprime to $n$.

Let $p$ denote a prime factor of $n$, and let $k$ be the multiplicative order of $a_1 \pmod p$. Show that for $j < i$, $a_i ≡a_j \pmod p ⇔ 2^{i−1} ≡2^{j−1} \pmod k$.

I have checked other questions in this topic.

Attempt

From $a_i \equiv a_j \pmod p$:

$$a_i - a_j \equiv 0 \pmod p$$

$$a_i - a_j = bp \quad \text{for some integer b}$$

Since $a_i$ and $a_j$ are obtained from the polynomial $f(x) = x^2$ modulo $n$:

$$a_i = a_{i-1}^2 \pmod n$$ $$a_j = a_{j-1}^2 \pmod n$$

Then we get:

$$a_{i-1}^2 - a_{j-1}^2 \pmod n = bp$$

This implies:

$$(a_{i-1} + a_{j-1})(a_{i-1} - a_{j-1}) \pmod n = bp$$

$$a_i - a_j \equiv 0 \pmod p \quad \Rightarrow \quad a_{i-1} - a_{j-1} \equiv 0 \pmod p$$

---

From $2^{i-1} \equiv 2^{j-1} \pmod k$:

$$2^{i-1} - 2^{j-1} = mk \quad \text{for some integer }m.$$

Now, we can use the fact that $2^{i-1} - 2^{j-1}$ is also a power of 2:

$$2^{i-1} - 2^{j-1} = 2^{j-1}(2^{i-j} - 1) = mk$$

This implies:

$$2^{i-j} - 1 = \frac{mk}{2^{j-1}}$$

Since the left-hand side is an integer, the right-hand side must also be an integer.

Answer 1

I don't see how to continue your approach to solve the problem. Instead, from

$$a_i \equiv a_{i-1}^2 \pmod{n}, \;\; i \ge 2$$

we get $a_2 \equiv a_1^2 \pmod{n}$, $a_3 \equiv a_2^2 \equiv (a_1^2)^2 \equiv a_1^{2^2} \pmod{n}$, $a_4 \equiv a_3^2 \equiv (a_1^{2^2})^2 \equiv a_1^{2^3} \pmod{n}$, and so on. We can prove, such as by induction, that for all integers $m \ge 1$,

$$a_m \equiv a_1^{2^{m - 1}} \pmod{n}$$

Since $p \mid n$, we also have $a_m \equiv a_1^{2^{m - 1}} \pmod{p}$. Thus,

$$a_i \equiv a_j \pmod{p} \iff a_1^{2^{i - 1}} \equiv a_1^{2^{j - 1}} \pmod{p} \iff 2^{i - 1} \equiv 2^{j - 1} \pmod{k}$$

To show the last part, have $2^{i - 1} = ak + b, \; 0 \le b \lt k$ and $2^{j - 1} = ck + d, \; 0 \le d \lt k$. Also, WLOG, have $b \ge d$. We then get from the middle part above that

$$a^{ak+b} \equiv a^{ck+d} \pmod{p} \to a^b \equiv a^d \pmod{p} \to a^{b-d} \equiv 1 \pmod{p}$$

However, $0 \le b - d \lt k$ so, since $k$ is the smallest positive integer where $a_1^k \equiv 1\pmod{p}$, this means $b - d = 0 \;\to\; b = d$, i.e., $2^{i - 1} \equiv 2^{j - 1} \pmod{k}$.