The answer is the second choice.
If it were possible to compute discrete logs quickly,
and our adversary had a way to do that,
well then, they could compute the discrete log of the
intercepted value y-A, the g, and the q values,
which were also intercepted.
Those ones were public,
and the result of this would be the
x-A value that was Alice's secret,
and then the adversary can
compute the key the same way that Alice would.
This was the only secret value,
and if you had the discrete log function,
you could compute that secret value.
The second answer doesn't compute the right thing.
It's computing the straight log of y-B,
which would be the y-A value.
That's not the value that is necessary to compute the key.
The third value doesn't use discrete log.
If we could actually compute the key this way,
well then the protocol would be completely
unsecure because it turns out that
modular exponentiation is a function
that we can compute efficiently,
and it's necessary that we can compute modular exponentiation efficiently
because otherwise, the legitimate participates
in the protocol wouldn't be able to determine their keys.
So we will look at that soon.
Before doing that, I want to emphasize that this is not a proof
that breaking discrete log is hard.
