Factoring $$N=p^rq^s$$ for Large r and s

“…Special purpose -very efficient when a factor p|n or n itself is of a special form: (a) A certain number related to the prime factor p is smooth (has only small prime divisors) -Pollard's p − 1 (Pollard, 1974), Williams's p + 1 (Williams, 1982), Bach-Shallit (Bach and Shallit, 1985) and Lenstra's Elliptic Curve (ECM) (Lenstra, 1987) methods assume smoothness of the integers p −1, p +1, φ k (p) (k-th cyclotomic polynomial) and #E(p), respectively. (b) Assumptions about p or n: there are fast methods for n of the form n = p r q (Boneh et al, 1999) or n = p r q s (Coron et al, 2016). Cheng's 4p − 1 (Cheng, 2002a) method is effective whenever the square-free part of 4p − 1 is small.…”

I Want to Break Square-free: The 4p − 1 Factorization Method and Its RSA Backdoor Viability

“…Special purpose -very efficient when a factor p|n or n itself is of a special form: (a) A certain number related to the prime factor p is smooth (has only small prime divisors) -Pollard's p − 1 (Pollard, 1974), Williams's p + 1 (Williams, 1982), Bach-Shallit (Bach and Shallit, 1985) and Lenstra's Elliptic Curve (ECM) (Lenstra, 1987) methods assume smoothness of the integers p −1, p +1, φ k (p) (k-th cyclotomic polynomial) and #E(p), respectively. (b) Assumptions about p or n: there are fast methods for n of the form n = p r q (Boneh et al, 1999) or n = p r q s (Coron et al, 2016). Cheng's 4p − 1 (Cheng, 2002a) method is effective whenever the square-free part of 4p − 1 is small.…”

I Want to Break Square-free: The 4p − 1 Factorization Method and Its RSA Backdoor Viability

“…As for the RSA variant with the modulus N = p r q s presented by Lim et al [13], there are also some research works [14,6,7] on its security. In 2015, Lu, Peng and Sarkar [14] claimed that for the case of same bit-size p, q, one can factor N in polynomial time if given a min{ s r+s , 2|r−s| r+s }-fraction of the LSBs of one prime.…”

“…In 2015, Lu, Peng and Sarkar [14] claimed that for the case of same bit-size p, q, one can factor N in polynomial time if given a min{ s r+s , 2|r−s| r+s }-fraction of the LSBs of one prime. Then in 2016, Coron et al [6] showed that the polynomial-time factorization of N = p r q s only requires the condition r = Ω(log 3 2 max{p, q}), under which only a constant number of bits need to be known and thus can be obtained by exhaustive search. Later in 2018, Coron and Zeitoun [7] improved the attack in [6] and obtained a weaker condition r = Ω(log 2 q).…”

“…Then in 2016, Coron et al [6] showed that the polynomial-time factorization of N = p r q s only requires the condition r = Ω(log 3 2 max{p, q}), under which only a constant number of bits need to be known and thus can be obtained by exhaustive search. Later in 2018, Coron and Zeitoun [7] improved the attack in [6] and obtained a weaker condition r = Ω(log 2 q).…”

“…Actually, all these works in [14,6,7] can be summarized into one framework, namely, finding a small root of a univariate polynomial equation modulo p u q v for two selected known non-negative integers u, v with u r = v s . They are all based on Coppersmith's method and their lattice constructions are similar.…”

Further improvement of factoring <inline-formula><tex-math id="M1">\begin{document}$ N = p^r q^s$\end{document}</tex-math></inline-formula> with partial known bits

New Results of Breaking the CLS Scheme from ACM-CCS 2014