I don't know where you found this formula, here is the code to derivate a childkey, the BIP is here, it does not look like your formula, but I'll try to respond to some of your questions.
I just got a little confused about this. Is s the mnemonic seed that user knows? which generates the private keys.
A mnemonic seed is just a sentence that permit you to get the master key with (optionally) a password. A master key is the real important piece of information, a mnemonic is only a way to generate one that can be write it down in words.
Secondly a service provider only needs to know sG to calculate the user's next address. Am I right?
Your formula does not look like what is in the BIP, so I can't really comment on that.
And lastly more importantly I am just wondering whether it is possible to calculate the master private key (seed) if an attacker or service provider gets one child's private key address?
Yes, if all the children in the path to the leaked private are non-hardened keys AND the root HD PubKey leaked. I explain that P 35 of my book.
A non-hardened key can “climb” the hierarchy.
Non-hardened key should only be used for categorizing accounts that belongs to a single control.
1The link you give doesn't define the notation PK.a and so on. – Nate Eldredge – 2015-03-09T15:14:38.037
@NateEldredge precisely you can look at this link
– abeikverdi – 2015-03-11T03:57:59.3531@abeikverdi I don't see that notation on the first page of the thread you link, and I don't see it in a search of the forums. – Nick ODell – 2015-03-14T04:15:30.723
@NickODell PK.a refers to the public key of a and SK.a refers to the private key of a. G is the generator point and s I suppose is the secret that is used to generate next keys. In HD wallets as you know we can generate new key pairs by adding the private key with a secret s. Anyone without knowing your private key by knowing a "master public key" can generate your next public key. Does this "master public key" refer to sG here? – abeikverdi – 2015-03-24T08:34:29.587
@abeikverdi What you're saying doesn't describe BIP32. Are you asking about BIP32, or some other HD wallet system? – Nick ODell – 2015-03-24T09:15:49.600
I was assuming that this is the description of BIP32 for HD wallets. Can you tell me at which part I'm wrong? – abeikverdi – 2015-03-25T07:49:47.863
@NickODell Alright I found the reason for this confusion. The thing that I am referring to is currently called deterministic wallet type 2 which was proposed by Maxwell which eventually was used as the initial idea of BIP32 proposed by Pieter Wuille. It kinda makes more sense now to me. – abeikverdi – 2015-04-09T07:13:06.447