We also know the cycle length $L_c$ $$|\{\forall a: b^{\textstyle\alpha^{\textstyle a}} \bmod N\}| = p_{sf} \cdot q_{sf} = L_c$$ with $p_{sf}$ and $q_{sf}$ prime factors of the safe primes $p_{s}$ and $q_{s}$.
$p_s$ and $q_s$ are supposed to be small value factors. $p_b$ and $q_b$ are supposed to be big values and unknown factors (for security).
Furthermore those factors have some known internal structure:
$$p_s = 2\cdot p_{sf} +1$$
$$p_b = 2\cdot 3 \cdot p_{bf} +1$$
$$p_{sf} = 2\cdot p_{sff} +1$$
$$p_{bf} = 2\cdot p_{bff} +1$$
Same for $q$ factors. All those non-constant factors are prime, unique and $>3$
So for $N$ with prime factors $P,Q$
$$N= P\cdot Q = (2p_sp_b+1)(2q_sq_b+1)$$
We know some factors of $\phi(N)$
$$\phi(N) = 2\cdot 2 \cdot p_s \cdot q_s \cdot p_b \cdot q_b$$
and also from $\phi(\phi(N))$
$$\phi(\phi(N)) = 2^5 \cdot 3^2 \cdot p_{sf} \cdot q_{sf} \cdot p_{bf} \cdot q_{bf} $$
With $p_s, p_{sf}, q_s, q_{sf}$ and constant factors $2,3$ known and $p_b, p_{bf}, q_b, q_{bf}$ not known.
To get the target cycle length $L_c$ we had to pick a $b \equiv r^\alpha \bmod N$ with $r\in[2,N-1]$ and need to take care it is not a special case of only length $1,p_{sf}, q_{sf}$ (we ignore these here). Depending on chosen suitable $b$ it can be part of 1 out of 4 disjoint sequences with length $p_s\cdot q_s$. For finding $a$ in
$$c \equiv b^{\textstyle\alpha^{\textstyle a}} \bmod N$$
$$\alpha = (2p_bq_b)^2 \bmod \phi(N)$$
we assume $b$ and $c$ are part of the same sequence.
Question: Can we find $a$ (quickly) without knowing all factors of $\phi(N)$ and without computing each member?
Solving trial:
If $\phi(N)$ would have been known we could use the Baby-step giant-step algorithm. With this it would take $O(\sqrt{L_c})$ steps of calculation (if we assume computing powers,multiplications and other basic operations with numbers $<N$ have a constant time).
If we define $2^{100}$ computation steps are secure $L_c$ had to be at least $2^{200}$.
But I'm looking for a problem with $\phi(N)$ not fully known (only some prime factors). To maintain the target security $L_c$ had to be at least $100$-bit else we could just cycle through it. To avoid factorization of $N$ and with this the knowledge of $\phi(N)$ it had to be more than $\approx {2000}$ bits and with this $p_b$ and $q_b$ around $1000$-bit each (as far as I know).
If we want to compute the giant-step $\alpha^{\sqrt{\textstyle L_c}}$ without knowing $\phi(N)$ it can get pretty big. Let's focus at the smallest possible values. $$\alpha^{\textstyle 2^{\textstyle 50}}$$ To compute this we have to square $\alpha$ 50 times. Even if $\alpha$ is only a 2-bit values it would be a product out of two $2^{50}$-bit values at the very end. This would take at least $O(2^{50} \log(2^{50}) )$ steps of calculation (we do not assume multiplication time to be constant here). For all giant-steps we had to do this $2^{50}$ times. With this we are above $>O(2^{100})$ steps of calculation and it wouldn't be faster than cycle through them all.
Any way to do it better? Any simplification possible? Can we make use of cycle length not a prime?
Example:
$N=20578375897= P \cdot Q =95819 \cdot 214763$
$P =2\cdot p_s \cdot b_b = 2 \cdot 23 \cdot 2083$
$Q =2\cdot q_s \cdot q_b = 2 \cdot 167 \cdot 643$
$p_{sf} \cdot q_{bf} = 11 \cdot 83$
$\alpha = 14470542676 \equiv (2\cdot 2083 \cdot 643)^2 \bmod \phi(N)$
$\phi(N) = 20578065316$
Found some way. If we do the $p_s$ or $q_s$'th power of a member we will end up in a shorter sequence of length $q_{sf}$ or $p_{sf}$. Assuming $p_s,q_s$ have about the same size we only need to compute giant-steps until member $\approx 2^{50}$. So we only need to power up to $2^{25}$. After repeating this $2^{25}$ times we can determine the indices at those shorter sequences. Knowing those we can use the Chinese remainder theorem to compute $a$ for the long sequence.
If $L_c$ is only $2^{100}$ we should end up -even without knowing $\phi(N)$ slightly above $2^{50}$ (maybe $\approx 2^{60}$) computation steps which is way less than target security of $2^{100}$