3

Assume that one uses two private keys $x_1$ and $x_2$ to generate two public ECDSA keys $y_1$ and $y_2$ (e.g., used as public key for Bitcoin address). The distance between $x_1$ and $x_2$ is small (e.g., less than ${2^{20}}$). What's bad about it?

I know that if one breaks $x_1$, it certainly leads to the breaking of $x_2$ with a small effort search. But let's assume that except $|x_1 - x_2|$ is a small number all other practices are secure e.g. never reuse random nonces in signing, are there any other bad outcomes of it (except breaking one coin is like breaking two)?

Sean
  • 109
  • 9

1 Answer

1

Let $d=x_2-x_1$, and let the public keys be on the well-known base point $G$. Therefore, the key-pairs will be $(x_1, X_1=x_1G)$ and $(x_2, X_2=x_2G)$.

The value $d$ can be brute-forced using the Big-Step-Little-Step method, which will take less than a second on a modern CPU when $n=20$.

If you use a Schnorr signature to sign a message $m$ using $X_1$, you would create the signature pair $(c, r_1)$ by picking a uniformly random nonce $k$, and then calculating $c=H(kG\mathbin\| m)$ and $r_1=k-cx_1$.

The signature is verified by checking $c\overset{?}{=}H(r_1G+cX_1 \mathbin\| m)$.

The attacker, who has brute-forced $d$, can then create a signature on the same message but appearing to be signed by your other private key $x_2$, as follows:

The values of $k$ and $c$ would remain the same. Then calculate $r_2=r_1-cd$. The forged signature is the pair $(c, r_2)$.

The signature will be verified by checking that $c\overset{?}{=}H(r_2G+cX_2 \mathbin\| m)$.

This will successfully verify if $kG==r_2G+cX_2$, which will be true if $k==r_2+cx_2$.

By substituting $r_2==r_1-cd$ and $x_2==d+x_1$, we can see that this will be true thanks to our choice of $r_2$.

This attack only works if the hash or message does not bind the signature to a particular public key. If the protocol required that $c$ was instead calculated as $c=H(kG\mathbin\| X_1\mathbin\| m)$, the attack would not work because the value of $c$ could not be re-used between signatures (because the verifier would verify the signature by concatenating $X_2$ inside the hash instead of $X_1$).

knaccc
  • 4,880
  • 1
  • 18
  • 33
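The related-key forgery and the key-prefixed fix described in the answer, as an added example that is not part of the question or answer: a minimal Schnorr scheme over secp256k1 (the Bitcoin curve) in plain Python, with the unbound challenge $c=H(kG\mathbin\| m)$ beside the bound one $c=H(kG\mathbin\| X\mathbin\| m)$. The distance $d$ is assumed already known to the attacker (the answer recovers it by brute force); the value $d=12345$ and the message are constructed for the demo.

```python
import hashlib
import secrets

# secp256k1 field prime, group order and standard base point G.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):  # affine point addition; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):  # double-and-add scalar multiplication, k taken mod n
    R, k = None, k % n
    while k:
        if k & 1: R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def challenge(R, m, X=None):  # c = H(R || m), or H(R || X || m) if X is bound
    enc = lambda P: P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")
    data = enc(R) + (enc(X) if X else b"") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(x, m, bind_key):
    X = ec_mul(x, G)
    k = secrets.randbelow(n - 1) + 1            # uniformly random nonce
    c = challenge(ec_mul(k, G), m, X if bind_key else None)
    return c, (k - c * x) % n                   # (c, r) with r = k - c*x

def verify(X, m, sig, bind_key):
    c, r = sig
    R = ec_add(ec_mul(r, G), ec_mul(c, X))      # equals kG for a valid sig
    return R is not None and challenge(R, m, X if bind_key else None) == c

def demo(bind_key, d=12345):  # returns (legit verifies, forgery verifies)
    x1 = secrets.randbelow(n - 1) + 1
    x2 = (x1 + d) % n                           # second key at distance d
    X1, X2 = ec_mul(x1, G), ec_mul(x2, G)
    m = b"constructed test message"
    c, r1 = sign(x1, m, bind_key)
    forged = (c, (r1 - c * d) % n)              # r2 = r1 - c*d, needs only d
    return verify(X1, m, (c, r1), bind_key), verify(X2, m, forged, bind_key)
```

With `bind_key=False` the forged pair passes verification under $X_2$; with `bind_key=True` the same forgery is rejected because the verifier hashes $X_2$ into $c$ while the signer hashed $X_1$.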