I don't quite understand why hiding the public key behind a hash really helps.
If ECDSA is broken, that is if a private key can be found from a public key in limited amount of time, can't we assume that the time taken to find the private key consists of independent trials?
Unknown. That depends on the weakness that is discovered. Since a significant weakness hasn't been discovered yet, it's impossible to know.
And if so, can't any node simply keep attempting at incoming transactions, stealing one every N days? Making every transaction a gamble?
Possibly.
However, lets imagine for a moment that ECDSA is broken in such a way that the time to crack a private key from a public key is reduced to 6 months.
If I always use a new address for every transaction, then all of my bitcoins are protected by SHA256 and RIPEMD160.
If you have an address that you've re-used, then you might have bitcoins sitting out there on the blockchain with their public key exposed. An attacker can spend the next 6 months working out your private key and then steal your bitcoins.If I send a transaction, the attacker has (on average) 10 minutes to figure out the private key, craft a replacement transaction that pays the bitcoins to him, and then convince a miner to mine his transaction instead of mine.Which is safer? Your bitcoins sitting on the blockchain with an exposed public key allowing the attacker to continuously try to craft a transaction that takes your bitcoins until you get around to sending them to a new address? Or my bitcoins that have a window of 10 minutes on average to try to both crack the key AND convince a miner to accept a double-spend transaction in place of the existing one?
The increase in security from using a new address for every transaction is quite small, but it is still better than re-using addresses.
Using a new address for every transaction can also increase your privacy a bit.
This is a good summary !
All depends of course HOW ECDS is cracked. While "an attacker needs 6 months" versus "an attacker has only 10 minutes" SOUNDS totally different, in matters of cryptographic security, in fact, the difference is near nothing. In fact, some time ago, I fell myself in the trap, so I'm explaining what I got wrong, so that others don't get it wrong.
Cryptographic security is usually expressed grossly in "bit level". If a system has a security of, say 64 bits, it grossly means that the amount of trials an attacker needs to perform, is 2^64. A "trial" is of the same level of individual difficulty as the "normal single operation" the normal user needs to do to sign/check/encrypt/... whatever is the purpose of the system.
The ECDS system used by bitcoin has keys of 256 bits, and, because a general attack is known on this type of systems (called "Pollard rho" method), has a security which is half the key length, that is: 128 bits. In other words, if I'm given a 256 bit public key, using Pollard rho method, I need about 2^128 trials to find the private key that goes with it. That's in general considered not feasible for the foreseeable future, so it is considered strongly secure.
If ECDS is "cracked", it means that a new method is available that can calculate the private key in MUCH LESS than 2^128 trials. In fact, the type of curve Satoshi used, a Koblitz curve, is known to undergo an attack that can win a few bits, but not much (at least, what is publicly known).
Seriously cracked means, for instance, that the security level goes down to 60 bits, or 50 bits or 90 bits... depending on the attack method. As we don't know the method, we can't know what will be the "level of cracking".
Now, suppose that an attacker can do it in 6 months. It would mean that he can crack an n-bit security in 6 months. How much lower must the security go for him to be able to do it in 10 minutes ? This is 26000 times shorter. It means, something like 15 bits less security.
So the difference between "cracking in 6 months" and "cracking in 10 minutes" is 16 bits of security. If we already came down from, say, 128 bits nominal ECDS security to, say, 70 bits (so that it can be done in 6 months, say), it is hard to say that going down to 55 bits is not going to happen soon !
So, essentially, when the "long term" ECDS protection is broken, chances are that the short term protection isn't going to help either. There's only 16 bits of security difference between them.
As to quantum computers, sufficiently large quantum computers can crack ECDS *completely*. It essentially means that no matter the length of the key, such a computer can crack it in a matter of milliseconds. In fact, the only thing is that the bigger the key (the more bits in the key) the *bigger* the quantum computer needs to be, but not so much the longer it takes for it to crack the key.
