It's fixed and given a twisted Edward's curve over some finite field, with parameters making the curve a finite group under the point addition law; the order $h\,\ell$ of that group, with $h$ (always a multiple of $4$ due to the choice of curve, typically $h\in\{4,8\}$) and large prime $\ell$; and points $P_1$, $P_2$, $P_3$ randomly generated among thoseA of order exactly $\ell$.
Solving an instance of the problem goes: given freshB random integers $s_1$, $s_2$, $s_3$ in $[0,\ell)$, and perhapsC $s'_1$ in $[0,\ell)$ with $s'_1\ne s_1$, supply additional integers $s'_1$ (if not imposed), $s'_2$, $s'_3$ in $[0,\ell)$ with $s'_1\ne s_1$, and such that the point $s'_1\!\times\!P_1+s'_2\!\times\!P_2+s'_3\!\times\!P_3$ has the same X coordinate as the point $s_1\!\times\!P_1+s_2\!\times\!P_2+s_3\!\times\!P_3$.
The integers $t_2$ and $t_3$ in $[1,\ell)$ with $P_2=t_2\!\times\!P_1$ and $P_3=t_3\!\times\!P_1$ are uniquely defined, and do not change across instances. Baring hypothetical CRQC, they are believed impossibly hard to compute from the givens alone: that's random instances of the Discrete Logarithm Problem in the (uniquely defined) subgroup of prime order $\ell$.
Define $P=s_1\!\times\!P_1+s_2\!\times\!P_2+s_3\!\times\!P_3$, and $P'=s'_1\!\times\!P_1+s'_2\!\times\!P_2+s'_3\!\times\!P_3$. Because $P_1$, $P_2$, $P_3$ have order $\ell$, they belong to the subgroup of order $\ell$, thus so do $P$, $P'$, thus so do $P+P'$, regardless of the choice of the $s_i$ and $s'_i$.
The condition that $P$ and $P'$ are on the curve and share the same X coordinate (as required) implies that if $P\ne P'$ and $P=(x,y)$ then $P'=(x,-y)$. If $P\ne P'$, the equations of point addition thus imply that $P+P'$ has X coordinate of $0$. There are only two points with this property on the curve. One is the neutral, but if $P+P'$ was the neutral we'd have $P'=-P$; and $-P$ on a twisted Edwards curve is $(-x,y)$ thus we'd have $(x,-y)=(-x,y)$, thus $x=0$ and $y=0$ which does not match the curve's equation. This leaves the possibility that $P+P'$ is the other point with X coordinate of $0$, but that one has order $2$, which does not divide the odd $\ell$, thus does not belong to the group of order $\ell$ since $\ell$ is odd. That's a contradiction since $P+P'$ is in the group of order $\ell$. Thus $P\ne P'$ is impossible. Thus $P=P'$.
Therefore, our condition "has the same X coordinate as…" is equivalent to $$\begin{array}{l} s_1\!\times\!P_1+s_2\!\times\!P_2+s_3\!\times\!P_3\,=\,s'_1\!\times\!P_1+s'_2\!\times\!P_2+s'_3\!\times\!P_3\\ \quad\quad\begin{array}{rrcl}\iff&(s_1-s'_1)\!\times\!P_1&\!\!=\!\!&(s'_2-s_2)\!\times\!P_2+(s'_3-s_3)\!\times\!P_3\\ &&\!\!=\!\!&(s'_2-s_2)\!\times\!(t_2\!\times\!P_1)+(s'_3-s_3)\!\times\!(t_3\!\times\!P_1)\\ &&\!\!=\!\!&((s'_2-s_2)\,t_2+(s'_3-s_3)\,t_3)\!\times\!P_1\\ \end{array}\\\\ \quad\quad\begin{array}{rl}\iff&s_1-s'_1\equiv(s'_2-s_2)\,t_2+(s'_3-s_3)\,t_3\pmod\ell \end{array} \end{array} $$ Thus if we know $t_2$, we can solve any instance of the problem, regardless of choice of $s'_1$ in $[0,\ell)$ with $s'_1\ne s_1$, by picking $s'_3=s_3$ and $s'_2={t_2}^{-1}(s_1-s'_1)+s_2\bmod\ell$. The same holds exchanging indices $_2$ and $_3$.
It's would be incorrect to state that solving as particular instance is equivalent to finding $t_2$ or $t_3$: that's sufficient, but other conditions are sufficient, like finding $2t_2+3t_3\bmod\ell$, which does not allow finding $t_2$ or $t_3$.
Given one solution to one instance of the problem, we can compute $t_3$ from $t_2$ or (often and) $t_2$ from $t_3$. Argument: in that solution it can't hold both $s'_2=s_2$ and $s'_3=s_3$. With $s'_3\ne s_3$ we can compute $t_3$ from $t_2$. The same holds exchanging indices $_2$ and $_3$.
Given at least two distinct solutions to random instances of the problem allows to find $t_2$ or $t_3$ thus solve any other instance except for very particular choices of the solutions or instances.
In summary:
- To solve the problem with only the givens, it's sufficient to solve either one of two DLP problem: find at least one of the integers $t_2$ or $t_3$ in $[1,\ell)$ with $P_2=t_2\!\times\!P_1$ and $P_3=t_3\!\times\!P_1$. That's not necessary.
- A random instance of the problem is no much harder than a random instance of the DLP. I have no evidence that it's any easier, and would not be surprised if it could be proven no much easier.
- If in addition to the givens we have one (resp. more) solved instance(s), then solving another instance reusing the same $P_1$, $P_2$, $P_3$ as the solved instance(s) seems non-trivial (resp. is trivial except perhaps in some special case).
Note: If all $P_1$, $P_2$, $P_3$ are generated randomly and independently, then I don't see how to exhibit any solved instance even by rigging the generation of $s_1$, $s_2$, $s_3$, thus I don't see that solved instances could be a security issue. But if this is used in practice for other purposes than proving $s_1=s'_1$, $s_2=s'_2$, or $s_3=s'_3$, then I assume one $P_i$ is generated in another way, and then there can be solved instances.
A That's not explicit in the question. However a comment links to context implying that. Generating random $P$ of order exactly $\ell$ is achievable by generating $P'$ with random coordinate X in the base field until there exists a matching Y, randomly picking one (of the two) such Y to form $P'$, setting $P=h\!\times\!P'$, checking that $P$ is not the group's neutral (which has probability $1/\ell$ thus if it happens the best is to assume some fault and stop). That's about what's done in pseudocode there by Edwards_scalar_multiply(8,…), with this 8 our $h$. However they test $P'_i$ before the multiplication rather than $P_i$ after. That's a non-exploitable bug IMHO.
B I now assume that the question's "(sampled only the first time and not at each computation)" applies only until the next "and", as newly disambiguated by "Only the scalars varies across runs".
C The question's "1 scalar is modified" suggests (and a former version of the answer assumed) that $s'_1$ is generated in a manner the attacker does not control. However since nothing tells how $s'_1$ is generated, a standard and safer hypothesis is that's generated by the attacker. That also has the virtue to concisely add necessary restrictions to how $s'_1$ is generated, e.g. not such that $P_2=s'_1\!\times\!P_1$. Also it removes a loss of generality made when considering that across multiple instances it's $s'_1$ that's bound to change.
targetcurve.Suborder. $\endgroup$