I've said this before, but there's something I don't like about this paper: it covers essentially 2 different things. That makes it confusing for people to try to understand or summarize.<p>One part is the Logjam protocol flaw in TLS.<p>The other is the mathematical precomputation attack against DH. It would cost $100M (well within NSA's budget) and matches capabilities show in Snowden slides. This seems to me like the more important half of the paper, but all the media focused on the Logjam half.
(Related) How to Backdoor Diffie-Hellman<p>Discussion which contains a number of good comments about weakening DH: <a href="https://news.ycombinator.com/item?id=11973365" rel="nofollow">https://news.ycombinator.com/item?id=11973365</a><p>Paper: <a href="http://eprint.iacr.org/2016/644" rel="nofollow">http://eprint.iacr.org/2016/644</a>