
The answer is the second choice.

If it were possible to compute discrete logs quickly,

and our adversary had a way to do that,

well then, they could compute the discrete log of the

intercepted value yA, the g, and the q values,

which were also intercepted.

Those ones were public,

and the result of this would be the

xA value that was Alice's secret,

and then the adversary can

compute the key the same way that Alice would.

This was the only secret value,

and if you had the discrete log function,

you could compute that secret value.

The second answer doesn't compute the right thing.

It's computing the straight log of yB,

which would be the yA value.

That's not the value that is necessary to compute the key.

The third value doesn't use discrete log.

If we could actually compute the key this way,

well then the protocol would be completely

unsecure because it turns out that

modular exponentiation is a function

that we can compute efficiently,

and it's necessary that we can compute modular exponentiation efficiently

because otherwise, the legitimate participates

in the protocol wouldn't be able to determine their keys.

So we will look at that soon.

Before doing that, I want to emphasize that this is not a proof

that breaking discrete log is hard.