16.10.2015 - 07:49 [ Weak Diffie-Hellman and the Logjam Attack ]

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

First, a surprising number of servers use weak Diffie-Hellman parameters or maintain support for obsolete 1990s-era export-grade crypto. More critically, the common practice of using standardized, hard-coded, or widely shared Diffie-Hellman parameters has the effect of dramatically reducing the cost of large-scale attacks, bringing some within range of feasibility today. The current best technique for attacking Diffie-Hellman relies on compromising one of the private exponents $(a, b)$ by computing the discrete log of the corresponding public value $(g^a \bmod p,\ g^b \bmod p)$. With state-of-the-art number field sieve algorithms, computing a single discrete log is more difficult than factoring an RSA modulus of the same size. However, an adversary who performs a large precomputation for a prime $p$ can then quickly calculate arbitrary discrete logs in that group, amortizing the cost over all targets that share this parameter. Although this fact is well known among mathematical cryptographers, it seems to have been lost among practitioners deploying cryptosystems.
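The precompute-once, attack-many structure described above is easier to see in code. The following is an added toy example, not code from the Logjam paper or its authors: it runs Diffie-Hellman over a constructed small safe prime (p = 1019, generator 2), then has a passive attacker build a baby-step giant-step table once for that (p, g) and reuse it to recover the private exponent, and hence the shared secret, of every session that uses the same group. Baby-step giant-step stands in for the number field sieve precomputation here; the sizes are toy and the split between per-group work and per-target work is the point.

```python
"""
Added example: per-group precomputation amortized over many DH sessions.
Parameters are constructed for illustration; real groups are 512 to 2048+ bits
and the real precomputation is the number field sieve, not baby-step giant-step.
"""
import math
import secrets

# Constructed toy group: p = 2*509 + 1 is a safe prime and 2 generates Z_p^*.
P = 1019
G = 2


def dh_public(priv: int, p: int = P, g: int = G) -> int:
    """Public value g^priv mod p sent over the wire."""
    return pow(g, priv, p)


def dh_shared(priv: int, other_pub: int, p: int = P) -> int:
    """Shared secret (g^b)^a mod p computed by an honest party."""
    return pow(other_pub, priv, p)


class GroupPrecomputation:
    """One-time work for a fixed (p, g), reused for every target in that group."""

    def __init__(self, p: int = P, g: int = G):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1          # ceil(sqrt(group order))
        # Baby steps: table of g^j -> j for j in [0, m). Paid once per group.
        self.table = {}
        for j in range(self.m):
            self.table.setdefault(pow(g, j, p), j)
        # Giant step multiplier g^(-m) mod p (Python 3.8+ supports negative exponents).
        self.giant = pow(g, -self.m, p)

    def dlog(self, h: int) -> int:
        """Return x with g^x = h mod p, using only the precomputed table."""
        gamma = h % self.p
        for i in range(self.m):
            j = self.table.get(gamma)
            if j is not None:
                return i * self.m + j
            gamma = gamma * self.giant % self.p
        raise ValueError("no discrete log: h is not in the subgroup generated by g")


def recover_session(pre: GroupPrecomputation, pub_a: int, pub_b: int) -> int:
    """Passive attacker: recover a from g^a, then derive the session's shared secret.

    No new precomputation is needed; only the cheap per-target descent runs.
    """
    a = pre.dlog(pub_a)
    return dh_shared(a, pub_b, pre.p)


def demo(n_sessions: int = 5) -> bool:
    """Simulate many independent sessions that all use the shared group (P, G).

    Returns True when every session's secret was recovered from one precomputation.
    """
    pre = GroupPrecomputation()               # built once, reused below
    for _ in range(n_sessions):
        a = secrets.randbelow(P - 2) + 1      # private exponents in [1, p-2]
        b = secrets.randbelow(P - 2) + 1
        pub_a, pub_b = dh_public(a), dh_public(b)
        honest_secret = dh_shared(a, pub_b)
        if recover_session(pre, pub_a, pub_b) != honest_secret:
            return False
    return True


if __name__ == "__main__":
    print("all sessions recovered from one precomputation:", demo())
```

The attacker's table depends only on (p, g), never on a session's exponents, which is why a prime shared by many servers is worth far more to an adversary than an equally sized prime used by one. Conversely, a server that generates its own group (or uses a fresh one per deployment) forces the attacker to rebuild `GroupPrecomputation` for that prime before any of its sessions can be attacked.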