Rather simple.
You start in reverse meaning instead of adding random public keys to the starting pubkey, you find the final key and then start working your way backwards by subtracting the pub key (of the private key you already have) from the starting public key (which you don't have the private key of).
Oh duh. That is pretty simple.
You only sign with the summed private key, so that is the only one you actually need to know.
The rest of the addresses are done by finding any public keys that add up to the summed public key (after subtracting the satoshi keys) and have the appropriate second letters in the address.
I have a question: From which addresses do we have the private keys if we calculate it that way?
In the example we have "C", "W", "r", "i", "g", "h", "t" and the "sum".
"sum": we have private key -> signed message
"C": we don't have private key
"W": we don't have privte key
"r": ?
"i": ?
"g": ?
"h": ?
"t": ?
Who can answer?