EC cryptography can't produce a truly asymmetric encryption scheme so it cannot be used the same way as RSA.
I thought that you'd use RSA or another scheme to encrypt anyway (hence the "additional layer of encryption" that I mentioned).
In fact, in MillenniumCoin (script-based anonymity) you initiate
transactions by exchanging such a random nonce off-chain between the nodes.
That seems pretty stupid to me. Wouldn't it mean both parties have to be online at the same time in order to do this? ECDH seems like a much more elegant solution to me.
It's a slightly different situation. The nonce is exchanged between the
payer and a "delegate" (basically a middleman), and the latter is selected
from the nodes that are online at any given moment; the delegate then
transfers the amount to the payee. I was thinking about ways to
use the nonce to stealth the payee's address and/or to make it possible for the payee
to identify the payment in the case of multiple delegates handling the transfer of the amount broken
down into round numbers (to make it more untraceable)... Not very elegant, but interesting.
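As an added example that is not part of the thread above and not MillenniumCoin's own code: the ECDH-based stealth address construction that the reply suggests as the alternative to exchanging a nonce off-chain. The payee publishes a scan key A = aG and a spend key B = bG once; a payer who is online alone picks an ephemeral r, publishes R = rG with the payment, and sends to the one-time address P = B + H(rA)G. The payee, coming online later, recovers the same secret as H(aR), recognises the payment without any interaction, and can spend it with b + H(aR). The curve (secp256k1), the hash (SHA-256 of the compressed shared point) and every function name below are assumptions of this example, not something the thread specifies.

```python
"""ECDH stealth addresses: non-interactive payee address hiding.

Added illustration (not from the thread or any project): dual-key stealth
address scheme over secp256k1, implemented in pure Python so it runs offline.
Curve choice, hash choice and function names are this example's assumptions.
"""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants).
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % FIELD_P == 0:
            return None                      # P + (-P) = infinity
        lam = (3 * x1 * x1) * pow(2 * y1, -1, FIELD_P) % FIELD_P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    y3 = (lam * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    k %= ORDER_N
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def pubkey(k):
    return point_mul(k, G)


def compress(pt):
    """SEC1 compressed encoding, used as the hash input for the shared secret."""
    prefix = b"\x02" if pt[1] % 2 == 0 else b"\x03"
    return prefix + pt[0].to_bytes(32, "big")


def shared_scalar(pt):
    """H(shared point) reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(compress(pt)).digest(), "big") % ORDER_N


def random_scalar():
    return secrets.randbelow(ORDER_N - 1) + 1


def payer_derive(A, B, r):
    """Payer side: from the payee's public (A, B) and an ephemeral r,
    return (R, P): R goes on-chain next to the payment, P is the address."""
    R = pubkey(r)
    s = shared_scalar(point_mul(r, A))        # H(rA) == H(aR)
    P = point_add(B, pubkey(s))               # one-time address B + H(rA)G
    return R, P


def payee_scan(a, B, R, P):
    """Payee side: with only the scan key a, test whether P was sent to us."""
    s = shared_scalar(point_mul(a, R))
    return point_add(B, pubkey(s)) == P


def payee_spend_key(a, b, R):
    """Private key matching the one-time address: b + H(aR) mod n."""
    return (b + shared_scalar(point_mul(a, R))) % ORDER_N


if __name__ == "__main__":
    a, b = random_scalar(), random_scalar()   # payee's scan / spend keys
    A, B = pubkey(a), pubkey(b)               # published once
    R, P = payer_derive(A, B, random_scalar())  # payer acts alone, payee offline
    print("payee recognises payment:", payee_scan(a, B, R, P))
    print("spend key opens address:", pubkey(payee_spend_key(a, b, R)) == P)
```

Only the payee's scan key can link R to P, so a third party (or a delegate) sees a fresh-looking address per payment; the spend key never has to be online for scanning, which is why it is kept separate from the scan key.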