Cool idea!
However, if someone sends money twice from the same normal address to the same proposed address, then destination normal address will also be the same.
You can replace d by d*txid before deriving E, to get a unique address for each transaction even when resending from the same A.
Here txin is the hash of the output owned by A that is used as input for the transaction. The receiver sees txin as he iterates over all inputs.
Well, d is an EC point hashed to an integer. So it can be implemented this way:
d=hash(A*c)=hash(C*a)
E=B+G*d
e=b+d
Here, hash is any hash function, and G is the base point.
Practically, d would just be the x-coordinate of the point A*c, no need for a "real hash".
A remark, just to inform the readers of this
paper (which was posted in this
thread):
Your proposal makes a very nice substitution for the "signalling protocol" described in section IV.D of that paper, which is sub-optimal because it requires the private key to detect and monitor incoming payment. Your proposal invents the "semi-private" key and thereby allows to detect and monitor incoming payments without having to have the private key at hand. Taking A=B, hence private key=semi-private key, would give the old protocol.