My proposal doesn't require sending anything privately. All the necessary information is contained in the transaction itself. At the same time, the transaction looks exactly like the ordinary send-to-address transaction.
You can also send the factor encrypted with the recipient's public key, embedded in the input script. This way it works exactly like your proposal.
Not exactly. Everyone would be able to see that something is embedded in the input script. In my proposal, nothing reveals that the transaction is in any way different from an ordinary pay-to-address transaction.
I agree that for some cases, like anonymous donations, where you don't want any out-of-band communication to occur, a scheme such as this would be nice.
That's the whole point. A person who wants to receive donations doesn't have to set up a server for out-of-band communication. He only needs to publish an address. This also means that it won't be necessary to keep multiple keys in a wallet. One key would be enough.