Erm. What exactly is stopping an attacker from doing the same math between the pubkey of each input and the list of known public keys to recover all of the transactions?
A, B and C are all publicly known, which means that d is known, which means that E is known. The attacker still can't spend them because b is unknown, but he can sure see them.
P.S. Diffie-Hellman is an online protocol. It requires (bidirectional) active participation from both parties.
To compute
d an attacker would need to know either
a or
c. None of them is public.
I define
d=
A*
c=
C*
a. The fact that it's hard to compute
d from
A and
C is the basis of DiffieHellman key agreement protocol.
Ahh, I missed that it was A*c and a*C. To make this easier for non-cryptographers:
g is the basis point (x,y) of the curve we are using.
a and
c are a secret 256 bit integers. (Keep in mind that in EC math, a point multiplied by an integer is a point.)
A =
a *
gC =
c *
gA *
c =
a *
g *
cC *
a =
c *
g *
aEC multiplication is commutative, so
A*
c =
a*
g*
c =
c*
g*
a =
C*
a =
E