I've said this before, but there's something I don't like about this paper: it covers essentially 2 different things. That makes it confusing for people to try to understand or summarize.
One part is the Logjam protocol flaw in TLS.
The other is the mathematical precomputation attack against DH. It would cost $100M (well within NSA's budget) and matches capabilities show in Snowden slides. This seems to me like the more important half of the paper, but all the media focused on the Logjam half.
Are they really separable though? As I understood it, the precomputation attack is what makes the discrete log attack practical for the size of primes that you can get with the Logjam TLS vulnerability.
Otherwise the downgrade attack wouldn't be worth much if you still had to spend years and years of computation to recover each weak DH secret.
At the same time, once the authors have spent several pages talking about the practicality of NFS and the precomputation work, it's a logical next step to speculate about what a more powerful adversary might do.
> This seems to me like the more important half of the paper, but all the media focused on the Logjam half.
That's the hard part of having a bunch of authors -- jamming together lots of opinions and fragments of work. Better to max out at 4-5, or preferably, 3, since it is easier to converge on a single topic and work on aspects of it instead of having too much related stuff in scope.
https://weakdh.org