The cr.yp.to microblog: 2019.06.25 11:46:22

2019.06.25 11:46:22 (1143455385023438848) from Daniel J. Bernstein:

Brier, Ferradi, Joye, Naccache in https://eprint.iacr.org/2019/484.pdf claim 2^256 security for factoring p^29 q where p and q each have 512 bits. ECM easily breaks this. The claim seems to start from https://keylength.com saying 512-bit primes, but that's for group sizes in Schnorr etc.

2019.06.25 19:28:19 (1143571639008931840) from Daniel J. Bernstein:

After the same talk, Dan Boneh commented that the factoring algorithm from https://crypto.stanford.edu/~dabo/pubs/abstracts/prq.html should be even faster than ECM here. I wonder which of these attacks is a bigger constraint if one is trying to increase the size of p^29 q to reach 2^256 security.
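An added example, not part of the posts above: it compares the standard heuristic costs L_N[1/3, (64/9)^(1/3)] for NFS on the whole modulus and L_p[1/2, sqrt(2)] for ECM on one prime factor, for p^29 q with 512-bit p and q, and searches for the prime size at which the ECM estimate reaches 2^256. Assumptions: the o(1) terms and per-operation costs are dropped, so the outputs are rough estimates; the function names are illustrative; the Boneh-Durfee-Howgrave-Graham lattice attack from the second post is not modeled.

```python
import math

LN2 = math.log(2)

def ecm_bits(prime_bits):
    """log2 of the heuristic ECM cost L_p[1/2, sqrt(2)], o(1) dropped.
    Depends on the size of the prime being found, not on the modulus."""
    ln_p = prime_bits * LN2
    return math.sqrt(2 * ln_p * math.log(ln_p)) / LN2

def nfs_bits(modulus_bits):
    """log2 of the heuristic NFS cost L_N[1/3, (64/9)^(1/3)], o(1) dropped.
    Depends only on the size of the modulus."""
    ln_n = modulus_bits * LN2
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2

def min_prime_bits_for_ecm(target_bits):
    """Smallest prime size whose ECM estimate reaches target_bits.
    Bisection is valid because ecm_bits increases with prime size."""
    lo, hi = 16, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if ecm_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

def report(prime_bits=512, r=29, target=256):
    """Estimates for N = p^r * q with p and q of prime_bits bits each."""
    modulus_bits = (r + 1) * prime_bits  # approximate size of p^r * q
    return {
        "modulus_bits": modulus_bits,
        "nfs_log2_cost": round(nfs_bits(modulus_bits), 1),
        "ecm_log2_cost": round(ecm_bits(prime_bits), 1),
        "prime_bits_for_target_vs_ecm": min_prime_bits_for_ecm(target),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The modulus size alone looks adequate against NFS under this estimate, while the ECM estimate for a 512-bit factor is far below 2^256.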