We can use a minor variant of Baby-step/giant-step to find $d$ with in the order of $3\,2^{n/2}$ point additions (and normalization to a unique point representation). We make baby steps from $X_1$, and giant steps from $X_2$ (in both directions for the later, to compensate for the unknown sign of $x_1-x_2$). Here it goes:
- let $m=\lceil2^{n/2}\rceil$
- let $W_0:=X_1$
- for $i$ from $1$ to $m-1$ (Baby steps)
- set $W_i=W_{i-1}+G$
note: here $W_i=X_1+i\,G$
- let $H=m\,G$ (which can be obtained as $H=W_{m-1}+G-W_0$ )
- let $U:=X_2$ and $V:=X_2-H$
- let $j=0$
- repeat (Giant steps)
note: here $U=X_2+(j\,m)\,G$ and $V=X_2-((j+1)\,m)\,G$
- if $U$ is found in the $W_i$
- output $|j\,m-i|$ and stop
- if $V$ is found in the $W_i$
- output $(j+1)\,m+i$ and stop
- let $U:=U+H$ and $V:=V-H$
- let $j:=j+1$
If follows from the conditions stated in notes that this algorithm always stops with output $d$ after about $d/2^{n/2}$ (at most $m$) iterations of the repeat loop. Notice that using an appropriate data structure, the cost of the searches of $U$ and $V$ in the table of $W_i$ is essentially constant w.r.t. $n$, thus the main computational cost is the point additions (and the normalization of their result so that the $W_i$ can be searched efficiently).
Problems are, this requires a lot of memory for the table of $W_i$, and the algorithm as stated is sequential. This can be solved, and the search distributed among several machines, by using the techniques in Paul C. van Oorschot and Michael J. Wiener's Parallel Collision Search with Cryptanalytic Applications, in Journal of Cryptology, 1999.
