Something just occurred to me: I know that given some a*G (with commonly known generator point G), obviously one cannot divide by G to retrieve a, otherwise you could calculate private keys from public keys.
However, suppose I know someone is using a HD wallet, and in particular I know a few subsequent spending transactions. In other words, I know:
c*Q
(c+1)*Q
(c+2)*Q
for some unknown scalar c (I don't know how far they are within the HD wallet sequence).
Now, could I subtract (c+1)*Q from (c+2)*Q, for example (this is possible in EC, right?), thus extracting Q? Then I could restore all their previously used addresses and brute force c (assuming the number of used addresses in a person's wallet will typically be within the thousands at most), allowing me to predict all their future public keys as well.
Or do HD wallets not generate keys as 1*Q, 2*Q, 3*Q etc., but rather some deterministic yet irreversible sequence of c-values, e.g. scalar = sha256(c||Q)?
Not that this would be a serious issue (private keys are still 100% safe) but it would somewhat harm one's privacy.
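The following is an added example, not part of the original post. It implements secp256k1 point arithmetic from scratch, runs the "subtract consecutive points" attack against a hypothetical wallet that really did hand out c*Q, (c+1)*Q, (c+2)*Q, and then derives three consecutive BIP32 non-hardened child public keys (CKDpub, as specified in BIP32: child = Kpar + parse256(I_L)*G with I = HMAC-SHA512(chain code, serP(Kpar) || ser32(i))) to show that their pairwise differences are unrelated points, so the attack gets nothing. The private key d, the offset c and the chain code are constructed test values.

```python
# Added example (not from the original post): naive c*Q sequence vs. BIP32 CKDpub.
import hashlib
import hmac

# secp256k1 parameters (field prime, group order, generator).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(p):
    return p is not None and (p[1] * p[1] - p[0] ** 3 - 7) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def neg(p):
    return None if p is None else (p[0], (-p[1]) % P)


def mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r


def recover_generator_and_index(pts, max_index=100_000):
    """The attack from the post: given c*Q, (c+1)*Q, (c+2)*Q, ... recover Q and c.
    Adjacent points differ by exactly Q (point subtraction is just adding the
    negation); c is then found by walking k*Q until it equals the first point.
    Returns (None, None) if the adjacent differences are not all the same point,
    i.e. the observed keys are not a linear sequence in some Q."""
    q = add(pts[1], neg(pts[0]))
    for a, b in zip(pts, pts[1:]):
        if add(b, neg(a)) != q:
            return None, None
    acc = q
    for c in range(1, max_index + 1):
        if acc == pts[0]:
            return q, c
        acc = add(acc, q)
    return q, None  # Q is known but the offset exceeded the search bound


def ser_p(p):
    """SEC1 compressed encoding, as BIP32 uses for serP()."""
    return (b"\x02" if p[1] % 2 == 0 else b"\x03") + p[0].to_bytes(32, "big")


def ckd_pub(kpar, cpar, i):
    """BIP32 CKDpub: non-hardened child public key and chain code."""
    assert i < 0x80000000, "hardened children cannot be derived from a public key"
    I = hmac.new(cpar, ser_p(kpar) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    assert il < N  # BIP32 says to skip this index otherwise; negligible probability
    return add(mul(il, G), kpar), I[32:]


def bip32_child_pubkeys(kpar, cpar, start, count):
    return [ckd_pub(kpar, cpar, i)[0] for i in range(start, start + count)]


if __name__ == "__main__":
    d = 0xC0FFEE  # constructed private key; Q = d*G is the victim's base point
    Q = mul(d, G)
    naive = [mul(4711 + k, Q) for k in range(3)]  # c = 4711, unknown to the attacker
    print("naive sequence:", recover_generator_and_index(naive)[1])  # recovers c
    cc = hashlib.sha256(b"constructed chain code").digest()
    kids = bip32_child_pubkeys(Q, cc, 0, 3)
    print("BIP32 children:", recover_generator_and_index(kids, 10_000))
```

Against the naive sequence the attack works exactly as the post describes: the difference of any two adjacent points is Q, and a few thousand additions recover c. Against BIP32 children the differences are (I_L(i+1) - I_L(i))*G, pseudorandom points that tell the observer nothing without the chain code. The caveat practitioners care about is the other direction: anyone who obtains the extended public key (parent public key plus chain code) can run ckd_pub themselves and enumerate every non-hardened child address, which is the privacy leak the post worries about, just reached via the xpub rather than via point subtraction.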