by lhgaghl 4591 days ago
I'm confused, how can you break EC but not be able to steal people's money?

Similarly, if you found a preimage attack for ripemd160(sha256(x)) (you can find a public key with the same hash as any other hash), how could you not steal people's money?

2 comments

The public key behind an address is only revealed if you do a transaction to spend the bitcoins in that address. So the public key is effectively secret until just before it is scrapped with normal use.
To break EC you need to get the EC public key. You can't get it unless the bitcoin address was reused.

If you found a pre-image for ripemd160(sha256(x)), you still need to find a private key for it.

Say public key x receives 1 BTC in block A. I'm guessing it's encoded as ripemd160(sha256(o)) -> 1 BTC -> ripemd160(sha256(x)) where o is some other public key with sufficient funds. I create a new key pair with public key y, such that ripemd160(sha256(x)) = ripemd160(sha256(y)). From now on let's call this address hash h.

In block B, I make a transaction h -> 1 BTC -> s, where s is a securely generated public key that I own. I then sign this transaction with my forged public key, which hashes to h.

How does this not give me x's money?

If you can create a pair of (private key, public key with collision), then yes, bitcoin will be broken.