[luchs]

Note that your protocol isn't actually a zero-knowledge proof. While transcripts can be made up, a third person observing everything Gavin does would absolutely be convinced by the exchange. For real interactive zero-knowledge proof, even a dishonest prover has a good chance to provide a correct answer at each step. This isn't the case with the DH exchange.

[amluto]

Only sort of. Gavin would have a hard time convincing the eavesdropper that he didn't leak b to Wright.

A much bigger issue in my mind is that, if Wright doesn't hash the final derived key properly, then Gavin can steal money from Wright/Satoshi -- Gavin would never have proved that he generated the challenge the way he said he did, and Gavin could use Wright as an exponentiation oracle.

Also, I suspect that my protocol can be abused by Gavin to defeat the deniability property if he properly manipulates his challenge. I'm not sure and haven't looked carefully, though.

Much better ZK protocols exist.

[Natanael_L]

That's why Signal uses triple DH. That setup allows for full deniability.