Are they really separable though? As I understood it, the precomputation attack is what makes the discrete log attack practical for the size of primes that you can get with the Logjam TLS vulnerability.
Otherwise the downgrade attack wouldn't be worth much if you still had to spend years and years of computation to recover each weak DH secret.
At the same time, once the authors have spent several pages talking about the practicality of NFS and the precomputation work, it's a logical next step to speculate about what a more powerful adversary might do.
> This seems to me like the more important half of the paper, but all the media focused on the Logjam half.
Otherwise the downgrade attack wouldn't be worth much if you still had to spend years and years of computation to recover each weak DH secret.
At the same time, once the authors have spent several pages talking about the practicality of NFS and the precomputation work, it's a logical next step to speculate about what a more powerful adversary might do.
> This seems to me like the more important half of the paper, but all the media focused on the Logjam half.
Here we agree.