
Bitcoin doesn't use RSA.


And that address's EC public key is not public.


Thanks, I did not know that. But there's little reason to believe that whatever encryption that bitcoin uses (presumably EC?) won't be vulnerable at some point in the future.


A Bitcoin address is a hash of the public key. So, without address reuse you would have to break EC, RIPEMD-160 and SHA-256.


DES was broken about 23 years after it was designed.

I'd be surprised if, 30 years into the future (probably earlier, given that the incentives we have to break crypto today are so much greater than those we had in '98), these algorithms weren't broken.

There is actually no precedent of a cryptographic system relying on computational hardness surviving for more than a generation. And given that our fundamental theoretical understanding hasn't really evolved beyond, "we think a bunch of these problems are hard", things are likely to stay that way for a while.


That's an oversimplification. The field of cryptography has advanced by orders of magnitude since DES and RC4. Each time one of those breaks, we abstract the weakness into a class of vulnerability that the next algorithm will be immune to.

>There is actually no precedent of a cryptographic system relying on computational hardness surviving for more than a generation.

That's because cryptosystems relying on computational hardness aren't that old.

>And given that our fundamental theoretical understanding hasn't really evolved beyond, "we think a bunch of these problems are hard", things are likely to stay that way for a while.

These assumptions haven't really broken though. You give an example of DES, but that doesn't rely on computational hardness assumptions. Asymmetric crypto with a trapdoor function does. There hasn't even been a big breakthrough in the original prime number factorization assumptions of RSA/DH.


I'm confused, how can you break EC but not be able to steal people's money?

Similarly, if you had a preimage attack for ripemd160(sha256(x)) (you can find a public key with the same hash as any other hash), how could you not steal people's money?


The public key behind an address is only revealed if you do a transaction to spend the bitcoins in that address. So the public key is effectively secret until just before it is scrapped with normal use.


To break EC you need to get the EC public key. You can't get it unless the bitcoin address was reused.

If you found a pre-image for ripemd160(sha256(x)), you still need to find a private key for it.


Say public key x receives 1 BTC in block A. I'm guessing it's encoded as ripemd160(sha256(o)) -> 1 BTC -> ripemd160(sha256(x)), where o is some other public key with sufficient funds. I create a new key pair with public key y, such that ripemd160(sha256(x)) = ripemd160(sha256(y)). From now on let's call this address hash h.

In block B, I make a transaction h -> 1 BTC -> s, where s is a securely generated public key that I own. I then sign this transaction with my forged public key, which hashes to h.

How does this not give me x's money?


If you can create a pair of (private key, public key with collision), then yes, bitcoin will be broken.



