Here's a way to repair the security of the process of the miner claiming the fee for doing the KDF work.
Q=xG (x is ECDSA private key, Q is ECDSA public key)
A=H2(Q) address is hash of public key
Extended public key (R,S) as R = H2( (y=H(salt)), Q ), S=salt*G
Extended address E=H2(R,S).
K=Scrypt(password), encrypted private key X=AESEnc(K,x).
As stated that is a single use password because once a miner has published y=H(salt), Q is revealed and someone in possession of the encrypted private key X=AES(K,x) where K=Scrypt(password) can grind by trying x' values to check if x'G =? Q.
To have a multiple address, reusable password the user needs to use BIP 32 private address derivation and store encrypted random chain codes so that Q_i=(x+c_i)*G is used in place of Q in the above protocol, i.e. Q'_i=H2(y=H(salt),Q_i), and to delete c_i after it is spent.
Adam
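The derivation described above, written out as an added example that is not part of Adam's post or any project's code. It assumes secp256k1, models H and H2 as SHA-256 over the concatenated inputs (points encoded as x||y), and uses a small textbook EC implementation that is illustrative rather than constant-time; the scrypt/AES wrapping of x is not modelled, only the x'G == Q check that a holder of the encrypted key can run.

```python
import hashlib

# secp256k1 domain parameters (the real curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt=G):  # double-and-add scalar multiplication k*pt (not constant-time)
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

# Assumption: H and H2 are modelled as SHA-256; points are encoded as x||y (64 bytes).
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def H2(*parts) -> bytes:
    enc = lambda p: p if isinstance(p, bytes) else p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
    return H(b"".join(enc(p) for p in parts))

def extended_address(Q, salt: int):
    """Return (E, y, S): the extended address plus what the miner later publishes."""
    y = H(salt.to_bytes(32, "big"))   # y = H(salt)
    R = H2(y, Q)                      # R = H2(y, Q)
    S = ec_mul(salt)                  # S = salt*G
    return H2(R, S), y, S             # E = H2(R, S)

def verify_claim(E, y, Q, S) -> bool:  # anyone can check the published (y, Q, S) against E
    return H2(H2(y, Q), S) == E

def child_pubkey(Q, c_i: int):  # BIP32-style Q_i = (x + c_i)*G, computed from Q alone as Q + c_i*G
    return ec_add(Q, ec_mul(c_i))

def grind_check(x_guess: int, target) -> bool:  # the test a grinder runs once a pubkey is revealed
    return ec_mul(x_guess % N) == target
```

Once y and Q are published, grind_check(x', Q) succeeds for the right password, which is the single-use property Adam describes; against Q_i with c_i deleted the same check fails because the grinder has no c_i to fold into x'.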