Maybe I'm asking this question on the wrong mailing list:

Matt/Adam: do you have some reason to think that RIPEMD160 will be broken before SHA256?
And do you have some reason to think that they will be so broken that the nested hash construction RIPEMD160(SHA256()) will be vulnerable?

Adam: re: "where to stop"  :  I'm suggesting we stop exactly at the current status quo, where we use RIPEMD160 for P2SH and P2PKH.

Ethan:  your algorithm will find two arbitrary values that collide. That isn't useful as an attack in the context we're talking about here (both of those values will be useless as coin destinations with overwhelming probability).

Dave: you described a first preimage attack, which is 2**160 cpu time and no storage.


--
--
Gavin Andresen