### Rating (1--4):

+ 3: Weak Accept -- This paper may have flaws, but I would not argue against it at a major conference, and furthermore, I am not a cryptanalysis expert, so I may not even be aware of potential flaws in this paper if such flaws exist.

### What did this paper do well?

+ Presented Logjam, a novel attack against TLS, in a manner that I think is very easy to understand ("easy" in the context of cryptanalysis as a very complicated topic, of limited paper space where the authors could not explain all related math backgrounds, etc.)
+ The proposed strategy, forcing the downgrade to a less secure technology, may be reused in different scenarios, in the present or future. That leads to a big philosophical decision when it comes to compatibility vs. security.

### Where did this paper fall short?

+ Appears to exploit only export-grade D-H and is only "affordable" when targeting 512-bit D-H (the server has to support DHE_export)

### What did you learn from reading this paper?

+ How configuration mistakes, design and implementation flaws can be used to exploit weaknesses in D-H (i.e. not using safe primes, reuse of standard primes, browser settings that allow indefinite reset of the TLS connection clock...)
+ Special-q lattice sieving
+ Once again, we see an example of design flaws leading to great compromise (flaws in the way server and client negotiate the cipher suite)
+ Until April 2015, FBI.gov was still using a 512-bit DH group!!

### What questions do you have about the paper or the area?

+ What is the "number field sieve discrete log algorithm"?
+ How many servers are still using weak primes or common "standard primes"?
+ Did TOR change its settings to avoid the pitfalls? (TOR relies on TLS and D-H)
+ How affordable is this attack considering advances in GPU computation and chip manufacturing?
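As an added example tied to the "What did you learn" point about weak D-H parameters (not part of the original review or of the Logjam paper itself), here is a small Python policy check a defender could run over a server's configured Diffie-Hellman group. It flags the two properties the review calls out: a modulus that is too short (the 512-bit export groups) and a modulus that is not a safe prime. The function names `assess_dh_group` and `is_probable_prime`, the 2048-bit default minimum, and the tiny sample groups used for illustration are all this example's own assumptions, not values from the paper.

```python
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (error probability <= 4**-rounds)."""
    if n < 2:
        return False
    # Cheap trial division first; this also settles every n <= 37 exactly.
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def assess_dh_group(p: int, g: int, min_bits: int = 2048) -> list:
    """Return policy findings for a DH group (p, g); an empty list means it passes.

    min_bits defaults to 2048 (an assumed policy value); the 512-bit export groups
    discussed in the Logjam paper fall far below it.
    """
    findings = []
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit minimum")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
        return findings  # the remaining checks assume a prime modulus
    # Safe prime: p = 2q + 1 with q prime, so the only subgroups have order 1, 2, q, 2q.
    q = (p - 1) // 2
    if not is_probable_prime(q):
        findings.append("modulus is not a safe prime ((p-1)/2 is composite)")
    # With a safe prime, any generator in 2..p-2 has order q or 2q; the excluded
    # values 0, 1 and p-1 would confine the shared secret to a trivial subgroup.
    if not 2 <= g <= p - 2:
        findings.append("generator is outside the range 2..p-2")
    return findings


if __name__ == "__main__":
    # Constructed toy groups (far too small for real use) to show each finding.
    for p, g in ((23, 2), (13, 2), (15, 2), (23, 22)):
        print(p, g, assess_dh_group(p, g, min_bits=4) or "ok")
```

In practice the check would be fed the modulus and generator parsed from the server's `dhparam` file or captured ServerKeyExchange, with `min_bits` left at its default; the `min_bits=4` calls in the demo exist only so the toy moduli exercise the safe-prime and generator checks rather than failing on size alone.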