
Note that your protocol isn't actually a zero-knowledge proof. While transcripts can be made up, a third person observing everything Gavin does would absolutely be convinced by the exchange. For a real interactive zero-knowledge proof, even a dishonest prover has a good chance to provide a correct answer at each step. This isn't the case with the DH exchange.


Only sort of. Gavin would have a hard time convincing the eavesdropper that he didn't leak b to Wright.

A much bigger issue in my mind is that, if Wright doesn't hash the final derived key properly, then Gavin can steal money from Wright/Satoshi -- Gavin would never have proved that he generated the challenge the way he said he did, and Gavin could use Wright as an exponentiation oracle.

Also, I suspect that my protocol can be abused by Gavin to defeat the deniability property if he properly manipulates his challenge. I'm not sure and haven't looked carefully, though.

Much better ZK protocols exist.
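To make the two points above concrete (forgeable transcripts, and the exponentiation oracle you get when the derived key is not hashed), here is an added illustration that is not part of the thread. It assumes the protocol under discussion is: Gavin sends a challenge g^b, Wright (holding Satoshi's key a, public A = g^a) answers with the DH result; the toy group, the SHA-256 key derivation and all function names are constructed for this example.

```python
import hashlib

# Toy DH group, constructed for illustration only (not a real-world group):
# p is the Mersenne prime 2^127 - 1, g a fixed base.
P = (1 << 127) - 1
G = 5


def derive_key(shared: int) -> bytes:
    """Key-derivation step: hash the raw DH output so only a digest leaves the prover."""
    return hashlib.sha256(b"key-confirmation|" + shared.to_bytes(16, "big")).digest()


def prover_respond_raw(a: int, challenge: int) -> int:
    """Unhashed variant: the prover returns challenge^a directly.

    Nothing ties the challenge to a known exponent b, so whoever chooses it
    learns X^a for any group element X: the prover is an exponentiation oracle.
    """
    return pow(challenge, a, P)


def prover_respond_hashed(a: int, challenge: int) -> bytes:
    """Hashed variant: the prover returns H(challenge^a); the raw value never leaves him."""
    return derive_key(pow(challenge, a, P))


def verifier_check(b: int, pub_a: int, response: bytes) -> bool:
    """Gavin knows b and the long-term public key A = g^a, so he recomputes the key."""
    return response == derive_key(pow(pub_a, b, P))


def forge_transcript(b: int, pub_a: int) -> tuple:
    """Anyone holding b can write a convincing (challenge, response) pair alone,
    without the prover: this is why the transcript proves nothing to a third party
    unless that party trusts that Gavin did not leak b."""
    return pow(G, b, P), derive_key(pow(pub_a, b, P))


if __name__ == "__main__":
    a, b = 0x0123456789ABCDEF, 0xFEDCBA9876543210  # constructed sample secrets
    pub_a = pow(G, a, P)
    challenge = pow(G, b, P)
    print("verified:", verifier_check(b, pub_a, prover_respond_hashed(a, challenge)))
    print("forged == genuine:", forge_transcript(b, pub_a) == (challenge, prover_respond_hashed(a, challenge)))
```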


That's why Signal uses triple DH. That setup allows for full deniability.



