Yes, it took me some time to understand that too. The "lever arms" are a couple of private keys drawn from a set, that gives rise to a couple of public keys, to be combined with conditions (one is the counterparty's public key, the other is an own public key arbitrarily chosen of which one has the private key), giving rise to two P2SH hashes. One only needs to test on average a set of 2^80 private keys to find such a couple that has identical such P2SH hashes.
Note that it is somewhat more involved than just testing 2^80 private keys ; one needs to store somehow these results to find out what couple has a collision after the fact.
I think I'm missing a piece here on how this attack only requires (on average) 2
80 attempts.
I can see that I can just generate a 1-of-1 P2SH script with a nonce, and then try MANY nonce values until I get an address that collides with the 2-of-2 contract address. In that case, I think I can reduce my operations to hashing only, and not need to mess around with multiple private keys and generating public keys.
Once I find an address that collides, I no longer need the victim to sign anything. I can sign with my private key and can broadcast my nonce based script in the input. The 2-of-2 contract is no longer important.
What I don't fully understand is how I can expect to see a collision after only 2
80 attempts. Wouldn't I need 2
159 attempts just to have a 50% chance of success?
It seems likely that some other attack is being suggested by gmaxwell, but if it is then I've failed to understand how that attack would work.