by amluto 3704 days ago
Only sort of. Gavin would have a hard time convincing the eavesdropper that he didn't leak b to Wright.

A much bigger issue in my mind is that, if Wright doesn't hash the final derived key properly, then Gavin can steal money from Wright/Satoshi -- Gavin would never have proved that he generated the challenge the way he said he did, and Gavin could use Wright as an exponentiation oracle.

Also, I suspect that my protocol can be abused by Gavin to defeat the deniability property if he properly manipulates his challenge. I'm not sure and haven't looked carefully, though.

Much better ZK protocols exist.