Board: Altcoin Discussion
Re: Understanding Stealth Addresses/Payments
by bitfreak! on 11/06/2015, 11:19:47 UTC
Quote
I think the original idea of transmitting a random number would therefore work better.
Well, both of my methods transmit a random number; the difference is the way the number is encrypted. In the first scenario we simply use the public key of the payee to encrypt it, and then the payee uses his private key to decrypt it. In the second scenario the first shared secret is computed using ECDH as usual, but instead of using it to produce Q', we use it to encrypt the random number with a symmetric cipher.

But the flaw you mentioned does still apply to my second scenario, because if the payer were to have their private key compromised, it would allow anyone to calculate the first shared secret and then decrypt the metadata, allowing them to see the second shared secret and thus to calculate Q' using a brute-force tactic in which they use a list of all known stealth addresses to see if they can produce Q'.

Ephemeral keypairs have the same problem if they get leaked; it's just that they are only used that one time and then thrown away, so it's harder to accidentally leak an ephemeral keypair. I'll have to think about this problem some more. As mentioned earlier, the first scenario isn't really a good way to go either. I think I understand the point tacotime was making now. EC cryptography can't produce a truly asymmetric encryption scheme, so it cannot be used the same way as RSA.

Quote
In fact, in the MillenniumCoin (script-based anonymity) you initiate transactions by exchanging off-chain such a random nonce between the nodes,
That seems pretty stupid to me. Wouldn't it mean both parties have to be online at the same time in order to do this? ECDH seems like a much more elegant solution to me.
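The ECDH stealth-address derivation the post compares against, together with the brute-force check it describes (a leaked first shared secret tested against a list of known stealth addresses), as an added worked example; this is not code from bitfreak!, tacotime or any coin in the thread. It assumes secp256k1, SHA-256 over the compressed shared-secret point as the H() step, and the usual notation: payee key d with stealth public key Q = dG, payer ephemeral key e with published E = eG, shared secret S = eQ = dE, one-time destination Q' = Q + H(S)G and spending key d' = d + H(S). The key scalars are constructed for the demo.

```python
"""Minimal ECDH stealth-address derivation over secp256k1 (from scratch, offline)."""
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def point_add(p1, p2):
    """Affine point addition; also handles doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P), including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication; k is reduced mod N first."""
    k %= N
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_scalar(point):
    """H(S): SHA-256 of the 33-byte compressed point, reduced mod N (assumed H)."""
    x, y = point
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(compressed).digest(), "big") % N


def payer_derive(payee_pub, ephemeral_priv):
    """Payer: S = e*Q, pays to Q' = Q + H(S)*G and publishes E = e*G."""
    shared = scalar_mult(ephemeral_priv, payee_pub)
    q_prime = point_add(payee_pub, scalar_mult(hash_to_scalar(shared), G))
    return q_prime, scalar_mult(ephemeral_priv, G)


def payee_derive(payee_priv, ephemeral_pub):
    """Payee: S = d*E, recovers the same Q' and the spending key d' = d + H(S)."""
    shared = scalar_mult(payee_priv, ephemeral_pub)
    d_prime = (payee_priv + hash_to_scalar(shared)) % N
    return scalar_mult(d_prime, G), d_prime


def find_payee_from_leaked_secret(shared, q_prime, known_stealth_pubs):
    """The brute-force tactic from the post: with the first shared secret S in
    hand, test each known stealth address Q_i for Q_i + H(S)*G == Q'.
    Returns the matching index, or None when no listed address produced Q'."""
    offset = scalar_mult(hash_to_scalar(shared), G)
    for i, candidate in enumerate(known_stealth_pubs):
        if point_add(candidate, offset) == q_prime:
            return i
    return None


# Constructed demo scalars (hypothetical, fixed so a run is repeatable)
DEMO_PAYEE_PRIV = 0x1D4F2A9C7B3E6058A1C2D3E4F5061728394A5B6C7D8E9F0A1B2C3D4E5F607182
DEMO_EPHEMERAL_PRIV = 0x7A0B1C2D3E4F50617283940A5B6C7D8E9FA0B1C2D3E4F5061728394A5B6C7D8E


def demo():
    payee_pub = scalar_mult(DEMO_PAYEE_PRIV, G)
    q_prime, ephemeral_pub = payer_derive(payee_pub, DEMO_EPHEMERAL_PRIV)
    q_prime_rx, d_prime = payee_derive(DEMO_PAYEE_PRIV, ephemeral_pub)
    # Both sides land on the same Q', and d' really is its private key
    assert q_prime == q_prime_rx and scalar_mult(d_prime, G) == q_prime
    # An observer who learned S scans a directory of stealth addresses
    directory = [scalar_mult(k, G) for k in (11, 22, 33)] + [payee_pub]
    leaked_shared = scalar_mult(DEMO_EPHEMERAL_PRIV, payee_pub)
    return find_payee_from_leaked_secret(leaked_shared, q_prime, directory)


if __name__ == "__main__":
    print("payee identified at directory index", demo())
```

The scan in `find_payee_from_leaked_secret` costs one point addition per known stealth address, which is why the post treats a leaked first shared secret as fatal for that payment's unlinkability; with a fresh ephemeral e per payment the leak of S exposes only the payment it was used for.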