So here is the interesting attack: You give me your pubkey, and then I create my pubkey for a 2-of-2 (or some other more elaborate contract), and then we pay to the resulting address.
Oops. In the background I did ~2^80 work and found a colliding address which didn't have the same policy, and I use it to steal the funds.
2^80 is a lot of work, but it isn't enough to be considered secure by current standards.
Forgive me, but I still don't quite get that. Where does the transaction with a different policy come from? If you only find two colliding addresses yourself, how can you use it for a contract that steals someone else's funds?
Could someone elaborate on this attack?
Besides, doesn't that require you to create 2^80 "proper" addresses? Thus 2^80 times keypair creation plus double hashing?
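The 2^80 figure in the first reply is the birthday bound on a 160-bit hash. The following is an added illustration, not code from the thread: it does the bound arithmetic and runs a toy collision search over a deliberately truncated SHA-256, showing why the expected work is about the square root of the hash space (two independent sets of candidates, each of size roughly 2^(n/2)) rather than 2^n. The truncation width and the "A:"/"B:" inputs are constructed for the demo.

```python
"""
Birthday-bound arithmetic and a toy collision search on a truncated hash.
Added example (not from the original thread); the "A:"/"B:" inputs are constructed.
"""
import hashlib
import math
from typing import Dict, Optional, Tuple


def birthday_work_bits(hash_bits: int) -> int:
    """log2 of the trials needed to expect a collision in an n-bit hash: n/2.

    For a 160-bit hash this is 80, the 2^80 figure quoted in the thread.
    """
    return hash_bits // 2


def expected_trials(hash_bits: int, probability: float = 0.5) -> float:
    """Samples needed before two of them collide with the given probability.

    Standard birthday approximation: k ~= sqrt(2 * N * ln(1/(1-p))) with N = 2^n.
    """
    space = 2.0 ** hash_bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


def trunc_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a deliberately weak stand-in for a short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_cross_collision(bits: int, limit: int) -> Optional[Tuple[bytes, bytes, int]]:
    """Find one message from set A and one from set B with the same truncated hash.

    A and B are two independent families of constructed inputs ("A:<i>", "B:<i>").
    Each new B message is checked against every A message seen so far, so after
    i steps roughly i*i/2 pairs have been compared; a match is expected once
    i*i/2 ~= 2^bits, i.e. after about 2^(bits/2) steps rather than 2^bits.
    Returns (a, b, steps) or None if `limit` steps were not enough.
    """
    seen_a: Dict[int, bytes] = {}
    for i in range(limit):
        a = b"A:%d" % i
        seen_a[trunc_hash(a, bits)] = a
        b = b"B:%d" % i
        h = trunc_hash(b, bits)
        if h in seen_a:
            return seen_a[h], b, i + 1
    return None


def collision_is_valid(bits: int, limit: int) -> bool:
    """True if the toy search finds two distinct inputs with equal truncated hashes."""
    found = find_cross_collision(bits, limit)
    if found is None:
        return False
    a, b, steps = found
    return a != b and trunc_hash(a, bits) == trunc_hash(b, bits) and steps <= limit


if __name__ == "__main__":
    for n in (160, 256):
        print(f"{n}-bit hash: collision expected after ~2^{birthday_work_bits(n)} "
              f"trials ({expected_trials(n):.3g} for p=0.5)")
    bits = 24  # constructed toy width so the search finishes in milliseconds
    result = find_cross_collision(bits, limit=1 << 16)
    if result is not None:
        a, b, steps = result
        print(f"{bits}-bit toy hash: {a!r} and {b!r} collide on "
              f"0x{trunc_hash(a, bits):06x} after {steps} steps "
              f"(~2^{math.log2(steps):.1f}, bound is 2^{bits // 2})")
```

With a 24-bit truncation the search typically finishes after a few thousand steps (around 2^12), not anywhere near 2^24; scaling the same ratio to 160 bits gives the 2^80 of the first reply, which is why a 160-bit hash is judged too short for collision resistance while a 256-bit one (2^128) is not.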