What's the catch with this Diffie-Hellman based cryptosystem?

This is most likely a dumb question. I'm doing a mathematical research project that overflowed a bit into cryptography. It got me thinking about something. Can the following cryptosystem work?

Let Alice and Bob share a private key $d$ using the Diffie Hellman key exchange, where $d\in \mathbb{F}_p$ for some prime $p$. If Alice wants to send Bob a message $x$, then Alice sends Bob the encrypted message $x+d$. Bob decrypts this message by subtracting $d$ (all while in $\mathbb{F}_p$, of course).

If a hacker was to crack this cryptosystem, it would essentially be the same difficulty as cracking Diffie-Hellman, right? The encryption/decryption is incredibly fast, it's just an addition/subtraction modulo $p$, and the cracking is hard. It seems that the rate of information transfer is a lot faster with this cryptosystem as opposed to RSA.

My main question is: What's the catch, if there is any? Is this a known cryptosystem?

It's studied Diffie-Hellman in the multiplicative subgroup of the finite field $\mathbb F_p$, followed by encryption in $\mathbb F_p$. That is, appropriate prime $p$ and some $g\in\mathbb F_p$ are publicly agreed upon, e.g. the 3072-bit MODP Group of RFC 3526. Then sending a confidential message $x\in[0,p)$ from $A$ to $B$ goes:

• A chooses random $s_A\in[1,p)$, computes and sends $t_A=g^{s_A}\bmod p$
• B chooses random $s_B\in[1,p)$, computes and sends $t_B=g^{s_B}\bmod p$
• A computes $d={t_B}^{s_A}\bmod p$, computes and sends $c=d+x\bmod p$
• B computes $d={t_A}^{s_B}\bmod p$, computes $x=c-d\bmod p$

Absent alterations, $d$ and $x$ are the same on both sides. But there are serious security issues:

1. The system is totally vulnerable to a Man in the Middle attack, where an active adversary $E$ impersonates $B$ w.r.t. $A$, and $A$ w.r.t. $B$, which allows to intercept $x$ unknown to $A$ and $B$, or/and alter $x$ in transit as desired.
2. An integer $x$ can carry a limited amount of information (383 bytes for the parameters considered). For larger messages the protocol needs to be redone. If instead we reused $d$ for multiple distinct $x$, the protocol would be very insecure: if e.g. we cut a 384-byte message into a 383-byte segment and a 1-byte segment, the later can take only a few (at most 256) values, leading to 256 possible values for $d$ given the second $c$, which allows to decipher most of the first segment of the message; and for messages with some redundancy, probably the whole message.
3. In circumstances where the adversary knows that $x$ is one of two distinct known values $x_0$ or $x_1$ (e.g. because $x$ is the name of one of two candidates in an election), an adversary merely capturing a copy of the communications can find $x$ and be sure of that for about at half of the uses of the protocol (so gets at least 75% probability of correct guess of $x$), based on quadratic residuosity. The attack goes as follows.

   • Acquire $t_A$, $t_B$ and $c$ as they are transmitted.

   • Compute $d_0=c-x_0\bmod p$ and $d_1=c-x_1\bmod p$, which are the two possible values of $d$. In the rare event that one of these $d_i$ is $0$, that can't be the correct $d$, thus we get $x=x_{1-i}$.

   • Otherwise compute the Legendre symbol for $d_0$, that is $\left(\frac{d_0}p\right)=({d_0}^{(p-1)/2}+1\bmod p)-1$, and similarly $\left(\frac{d_1}p\right)$. If they are equal (that is both $+1$ or both $-1$), we can't learn $x$, stop.

   • Otherwise, compute the Legendre symbol $\left(\frac d p\right)$ for the real $d$, using that

     • if $\left(\frac{t_A}p\right)=+1$ or $\left(\frac{t_B}p\right)=+1$ then $\left(\frac d p\right)=+1$
     • otherwise $\left(\frac d p\right)=-1$.

     [Note: if $\left(\frac g p\right)=+1$, then $\left(\frac d p\right)=+1$ and it's not necessary to intercept $t_A$ or $t_B$]

   • This $\left(\frac d p\right)$ will match one of the two $\left(\frac{d_i}p\right)$, and we get $x=x_i$.

As in any cryptosystem there are possible implementation issues, on top of the above theoretical ones.

Note: contrary to the question's claim, the system is slower than RSA at equal size of the public modulus, ignoring establishment of the public/private key pair (which in RSA is reused): it's hundreds times slower for encryption (because it uses thousands of modular multiplications rather than 17 typically in RSA), and over 3 times slower for decryption (because the Chinese Remainder Theorem can't be used with of a prime public modulus, as typically in RSA).