This issue, and its history, was discussed at length in Silverman and Rivest. The relevant passage here is in Section 6, which I quote:
In 1977 Simmons and Norris [53] discussed the following "cycling" or
"superencryption" attack on the RSA cryptosystem: given a ciphertext
C, consider decrypting it by repeatedly encrypting it with the same
public key used to produce it in the first place, until the message
appears. Thus, one looks for a fixed point of the transformation of
the plaintext under modular exponentiation. Since the encryption
operation effects a permutation of $\mathbb{Z}_n = \{0,1,\ldots,n-1\}$, the message can eventually be obtained in this
manner. Rivest [46] responds to their concern by (a) showing that the
odds of success are minuscule if the n is the product of two
$p^{--}$-strong primes, and (b) arguing that this attack is really a
factoring algorithm in disguise, and should be compared with other
factoring attacks.
(p - 1) has a large prime factor requires very little extra effort. – Jul 06 '12 at 08:44
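The cycling attack from the quoted passage, together with Rivest's point (b) that it is a factoring algorithm in disguise, shown as an added example that is not part of the answer or the quoted paper. The two toy moduli, the exponent and the message are constructed for illustration: one modulus has p-1 and q-1 made only of tiny factors, the other uses primes where p-1 has a large prime factor that itself has a large prime factor below it.

```python
from math import gcd

def cycle_recover(c, e, n, max_iters):
    """Re-encrypt c until it reappears; the value just before it is the plaintext.
    Returns (plaintext, iterations), or (None, max_iters) if the budget runs out."""
    prev, cur = c, pow(c, e, n)
    for k in range(1, max_iters + 1):
        if cur == c:
            return prev, k
        prev, cur = cur, pow(cur, e, n)
    return None, max_iters

def cycle_factor(c, e, n, max_iters):
    """Point (b): if the cycle closes modulo one prime before the other,
    gcd(c^(e^k) - c, n) is a proper factor of n."""
    cur = c
    for k in range(1, max_iters + 1):
        cur = pow(cur, e, n)
        g = gcd(cur - c, n)
        if 1 < g < n:
            return g, k
    return None, max_iters

# Constructed toy parameters (assumptions, not taken from the quoted paper).
E, M = 3, 42
WEAK_N = 17 * 257        # p-1 = 2^4, q-1 = 2^8: only tiny prime factors
STRONG_N = 1439 * 2879   # p-1 = 2*719 and 719-1 = 2*359; q-1 = 2*1439

def demo(n, budget):
    """Run both variants against the encryption of M under (E, n)."""
    c = pow(M, E, n)
    return cycle_recover(c, E, n, budget), cycle_factor(c, E, n, budget)

if __name__ == "__main__":
    for name, n in (("weak", WEAK_N), ("strong", STRONG_N)):
        (m, k), (f, j) = demo(n, 600_000)
        print(f"{name}: n={n} plaintext={m} after {k} steps; "
              f"factor={f} after {j} steps")
```

The cycle length is the multiplicative order of e modulo the order of C, which is why the size of the prime factors of p-1, and of the factors one level below them, sets the cost of the attack.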