Let t denote the index of the first repeated value in the 
sequence, and let u > 0 denote the length of the cycle that has been produced.
i.e. t and u > 0 are the smallest values such that 
for all i ≥ 0. Clearly the length t of the tail of the ‘Rho' and the length u of the cycle take the value 
in expectation.
When Pollard-Rho saves as y any value xk such that k ≥ t then y mod p will always remain on the cycle modulo p because future values will always be ones already on the cycle. Then, to ensure that line 8 of Pollard-Rho computes a nontrivial factor, all that is required is that 
. This happens when k is set to a value greater than u which causes xi to loop around all values in the cycle modulo p without a change in y. A factor of n is then discovered when xi ‘runs into' the previously stored value of y modulo p.
Since the expected values of both t and u are , the expected number of steps to produce the factor p is . For the smallest factor of n, p is less than 
and hence the overall run time is 
in expectation.
Two reasons why the algorithm may not perform as expected:
• The heuristic analysis of the run time may result in the the cycle of values modulo p to be much larger than 
, in which case the algorithm performs correctly but slower than desired.
• The divisors of n produced may not always be a trivial one like 1 or n.
Both these problem are found to be insignificant in practice.
Reference:
1. Introduction to Algorithms , Second Edition, T. H. Cormen, C. E. Leiserson, R. Rivest and C. Stein, Prentice Hall India .
2. A course in Number Theory and Cryptography, Neal Koblitz , Springer.