Board Bitcoin Discussion
Re: Does loss of BTC affect the total amount of BTC in total supply.
by
o_e_l_e_o
on 12/04/2023, 08:12:41 UTC
If what I have found so far is correct, the world would have to prepare for that day anyway when SHA-256 could be cracked as it is widely used in many (systemically critical) applications around the world.
So in general, hash functions are not particularly susceptible to being broken by quantum computers. Without getting too technical, the best known quantum attack against SHA256 would reduce the search space from 2^256 to 2^128. 2^128 remains too large a number to attack (and indeed, all bitcoin private keys in the current system have 128 bits of security). Rather, it is the elliptic curve discrete logarithm problem (ECDLP) which is susceptible to quantum computers. In simple terms, this is the bit that turns your private key into your public key. Again, without getting too technical, the best known quantum attack against the ECDLP could result in only 128^3 operations being required to turn a public key back into a private key.

So it would remain impossible to break any hash functions, meaning you could not turn an address back into a public key, but it would be possible if you knew the public key to calculate the corresponding private key.

Essentially (and correct me if I am exaggerating here), the potential susceptibility of SHA-256 to an attack poses a massive systemic risk in many areas of our lives.
Again it's not hash functions, but otherwise you are correct. If the ECDLP can be broken, then so too can almost all encryption that is currently used across the internet, including in all financial institutions and governments.

With more emphasis on Bitcoin, if there was a single actor succeeding in developing quantum computing that could reverse engineer the private key from a public key, what would be the incentive of that actor to go public in all honesty in order to protect the Bitcoin network instead of silently starting to move, for example, Satoshi's coins in the hope that Satoshi doesn't live anymore and can't prove that someone must have obtained a machine to successfully attack the network? What guarantees us that we get aware of the fact in a timely manner that a machine exists such that a fork to a quantum-resistant algorithm can be done (if it's not already too late)?
There are no guarantees, and as you point out, an adversary with access to such a computer would be incentivized to try to steal as many coins as possible before being discovered. The safety net is that there are hundreds (if not thousands) of different research teams around the world all working on quantum computers, and it is highly unlikely that one team in secret is decades ahead of everyone else.

Would we first have to wait for the machine to exist in order to then fork to a proper new algorithm accordingly?
Not at all. There already exist quantum resistant algorithms we could fork to today if we wanted to. The problem with such algorithms at the moment is that they are generally quite large and inefficient, which would significantly increase transaction size and pose a variety of other problems. But with constant development ongoing, then hopefully by the time it becomes necessary we will have much better algorithms available to choose from.

That part got me thinking because isn't the re-introduction essentially equal to the end of Bitcoin?
Not at all. As I said above, we are decades away from such a scenario and we will fork to a quantum resistant algorithm well before it becomes a serious concern. All that is at risk will be old lost or abandoned coins with revealed public keys, which will eventually over time be stolen and re-enter circulation. The majority of coins will be safe and the network itself will continue without issue.

And what is your stance on the re-introduction of lost coins? From an economic point of view, it seems to be negligible as the number of proven lost coins is so small.
So there are potentially several million coins in either P2PK outputs or reused addresses which could be stolen in such a scenario. We have absolutely no idea how many of those coins are actually lost and how many are not lost at all and the owner simply has chosen not to move them for many years, but would move them to a new quantum resistant address when the time comes. My opinion is that the network should not lock or otherwise freeze any coins, and if some lost coins are stolen and re-enter circulation, then so be it.
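As an added illustration of the point made in this reply (example code written for this page, not code from the post's author or from any Bitcoin implementation), the small Python classifier below walks a set of unspent outputs and flags those whose public key is already visible on-chain, which is exactly the set an ECDLP-breaking machine could target: P2PK outputs, hashed outputs whose address was reused after a spend revealed the key, and taproot outputs (whose tweaked key sits in the scriptPubKey itself). The opcode byte patterns are the standard ones; the hashes, key bytes and amounts are constructed placeholders.

```python
# Opcode bytes used in the standard output script templates.
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC


def classify_output(spk: bytes, revealed_hashes: set) -> tuple:
    """Return (output type, pubkey_exposed).

    pubkey_exposed is True when the public key is already on-chain, i.e. an
    attacker who can solve the ECDLP would not first need to invert a hash.
    revealed_hashes holds 20-byte hash160 values whose key became public
    when an earlier output paying that same hash was spent (address reuse).
    """
    n = len(spk)
    # P2PK: <push 33|65-byte key> OP_CHECKSIG -- the key itself is on-chain.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG -- only hash160 on-chain.
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", spk[3:23] in revealed_hashes
    # P2WPKH: OP_0 <20 bytes> -- only hash160 on-chain.
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh", spk[2:22] in revealed_hashes
    # P2TR: OP_1 <32-byte x-only tweaked key> -- the (tweaked) key is on-chain.
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr", True
    return "other", False


def exposed_value(utxos, revealed_hashes: set) -> dict:
    """Sum the value (in sat) of exposed outputs, grouped by output type."""
    total = {}
    for spk, value in utxos:
        kind, exposed = classify_output(spk, revealed_hashes)
        if exposed:
            total[kind] = total.get(kind, 0) + value
    return total


# Constructed sample data (placeholder key/hash bytes, not real chain data).
FAKE_PUBKEY = b"\x02" + b"\x11" * 32
HASH_A, HASH_B = b"\xaa" * 20, b"\xbb" * 20
SAMPLE_UTXOS = [  # (scriptPubKey, value in sat)
    (bytes([33]) + FAKE_PUBKEY + bytes([OP_CHECKSIG]), 5_000_000_000),                         # early P2PK
    (bytes([OP_DUP, OP_HASH160, 20]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 100_000_000),  # reused P2PKH
    (bytes([OP_0, 20]) + HASH_B, 50_000),                                                        # fresh P2WPKH
    (bytes([OP_1, 32]) + b"\x33" * 32, 75_000),                                                  # P2TR
]
REVEALED = {HASH_A}  # HASH_A's key was shown when an earlier output to it was spent.

if __name__ == "__main__":
    print(exposed_value(SAMPLE_UTXOS, REVEALED))  # {'p2pk': 5000000000, 'p2pkh': 100000000, 'p2tr': 75000}
```

The unreused P2WPKH output is the only one that stays hidden behind a hash; moving coins to a fresh, never-reused address (and not spending from it until a quantum-resistant upgrade exists) is what keeps an output in that category.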