5

I've read about the "Weak Diffie-Hellman" attack (paper, website), where a resourceful entity like a state can pre-compute values for known primes to aid solving the discrete logarithm problem for that particular prime.

I've also read that SRP is very similar to Diffie-Hellman, and has common groups (see RFC 5054). Can the attack be mounted on SRP as well?

user10008
  • 153
  • 2

1 Answer

4

In the introduction of the Logjam paper, it is stated that

After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute.

So it seems that what it actually does is attack the discrete logarithm problem, so any discrete-logarithm-based system which uses a common prime should be equally vulnerable. In particular, in Section 3.2 of RFC 5054, it is stated that

An attacker who could calculate discrete logarithms % N could compromise user passwords, and could also compromise the confidentiality and integrity of TLS sessions. Clients MUST ensure that the received parameter N is large enough to make calculating discrete logarithms computationally infeasible.

Since RFC 5054 specifies only one prime for each bit-length, it will indeed be vulnerable. Even though it does not specify a 512-bit prime, it does specify a 1024-bit one, which is considered vulnerable by the Logjam authors:

We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources

Using a prime of at least 1536 bits should be sufficient to thwart such attacks, since there is no known "downgrade" attack on SRP.

fkraiem
  • 8,112
  • 2
  • 27
  • 38
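The structural point of the question and answer is that the expensive part of the attack depends only on the group (N, g), so one precomputation for a shared prime is amortised over every user of that prime. The following added example (not from the question, the answer, or the Logjam paper) illustrates that cost split with baby-step giant-step rather than the number field sieve the paper actually uses: the baby-step table is built once for the group, after which each discrete log in that group costs only a sweep of giant steps. The toy prime 65537 and generator 3 are constructed for the demo and are far too small to say anything about real SRP groups.

```python
"""Toy: one precomputation per group, then cheap discrete logs for any target.

Added illustration of the amortisation idea behind Logjam, using baby-step
giant-step (BSGS). Real attacks on 512/1024-bit groups use the number field
sieve, but the shape is the same: group-dependent work up front, little work
per target. Constructed parameters: N = 65537 (prime), g = 3 (primitive root).
"""
import math


class GroupPrecomputation:
    """Baby-step table for a fixed (N, g); this is the per-group work."""

    def __init__(self, N, g):
        self.N, self.g = N, g
        order = N - 1                      # |Z_N^*| for prime N
        self.m = math.isqrt(order) + 1     # ceil(sqrt(order))
        # Baby steps: map g^j -> j for j in [0, m). Built once, reused forever.
        self.table = {}
        x = 1
        for j in range(self.m):
            self.table.setdefault(x, j)
            x = x * g % N
        # Giant-step factor g^(-m), via Fermat inverse since N is prime.
        self.g_inv_m = pow(pow(g, self.m, N), N - 2, N)

    def dlog(self, h):
        """Return x with g^x = h (mod N); at most m+1 multiplications per target."""
        gamma = h % self.N
        for i in range(self.m + 1):
            j = self.table.get(gamma)
            if j is not None:
                return (i * self.m + j) % (self.N - 1)
            gamma = gamma * self.g_inv_m % self.N
        raise ValueError("h is not in the subgroup generated by g")

    def dlog_many(self, targets):
        """Solve many logs in the same group; the table is not rebuilt."""
        return [self.dlog(h) for h in targets]


if __name__ == "__main__":
    N, g = 65537, 3
    pre = GroupPrecomputation(N, g)            # the "week-long" step, done once
    secrets_x = [1, 2, 12345, 40000, 65535]    # exponents we pretend not to know
    targets = [pow(g, x, N) for x in secrets_x]
    print("table entries (built once):", len(pre.table))
    print("recovered exponents:", pre.dlog_many(targets))
```

Every party that uses the same (N, g) is attacked with the same table; switching to a prime nobody else uses forces the attacker to redo the expensive step for you alone, which is exactly why the Logjam authors recommend unique or much larger groups.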
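RFC 5054 section 3.2, quoted in the answer, puts the burden on the client to reject an N that is too small. As an added example (not code from the question, the answer, or any SRP implementation), here is a client-side acceptance check in the spirit of that requirement, with the 1536-bit floor taken from the answer's recommendation. Besides the size check it verifies the structure an SRP group is supposed to have, namely that N is a safe prime and that g generates the whole group, so a server cannot hand the client a weak or malformed group. The function and parameter names, the `min_bits` default, and the tiny constructed group N = 23, g = 5 used for illustration are all assumptions of this example.

```python
"""Client-side check of an SRP group (N, g) before any exponentiation.

Added example. Order of checks: size first (cheap, and the Logjam-relevant
one), then primality of N, then safe-prime structure, then generator test.
In a production client, pinning to the exact RFC 5054 constants is simpler
and stricter than this structural test; this shows what the test itself
must cover. min_bits = 1536 follows the answer above; 2048 is more cautious.
"""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases. Composite slips through with prob <= 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True


def check_srp_group(N, g, min_bits=1536):
    """Return (accepted, reason) for a server-supplied SRP group."""
    bits = N.bit_length()
    if bits < min_bits:
        return False, f"N is {bits} bits, below the {min_bits}-bit floor"
    if N % 2 == 0 or not is_probable_prime(N):
        return False, "N is not prime"
    q = (N - 1) // 2
    if not is_probable_prime(q):
        return False, "N is not a safe prime: (N-1)/2 is composite"
    g %= N
    # In a group of order 2q, g generates everything iff g^2 != 1 and g^q != 1.
    if g in (0, 1, N - 1) or pow(g, q, N) == 1:
        return False, "g does not generate the full group"
    return True, "ok"


if __name__ == "__main__":
    # Constructed toy group: 23 = 2*11 + 1 is a safe prime, 5 is a generator,
    # 2 is a quadratic residue and so generates only the order-11 subgroup.
    print(check_srp_group(23, 5, min_bits=5))
    print(check_srp_group(23, 2, min_bits=5))
    print(check_srp_group(23, 5))                 # rejected: far below 1536 bits
    print(check_srp_group(2**1023 + 1, 2))        # 1024-bit: rejected on size alone
    print(check_srp_group(2**1535 + 1, 2))        # 1536-bit but composite
```

Note that the size check fires before any primality testing, so a 1024-bit N is refused immediately and cheaply; the Miller-Rabin rounds only run for groups that are already large enough to be worth considering.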