As for toy examples, I fail to see how two X.509 certificates which collide, and two PDF
documents which collide, are toy examples. In neither case were the structures or content
arbitrary from the standpoint of the recipient viewer. Indeed, the published attack requires
on its face only that you can add an arbitrary suffix of maximum 512 bits (64 bytes). That
gives you tremendously wide latitude.
Indeed, I fail to see how there could be such a thing as a toy example, anyhow. The purpose of
a cryptographic hash is that you can make reasonable declarations about the qualities of the
algorithm without reference or qualification to the structure or content of the input. You
cannot do that now, so it's no longer a secure hash. Period.
Why people are defending this is beyond me. It's broken. People shouldn't be using it,
particularly for such a use (as opposed to simply for one-wayness).
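The "wide latitude" point above, as an added illustration that is not part of the post: in a Merkle-Damgård hash, once two distinct blocks collide on the chaining value, any identical data appended after them hashes identically too, so the structured content of a certificate or PDF around the colliding blocks costs the attacker nothing. The code below is a constructed toy hash (24-bit chaining value, 8-byte blocks, SHA-256 as the compression primitive) chosen so a collision can be found by birthday search in milliseconds; it is not MD5 and the names `toy_hash`, `build_collision` and the fixed `IV` are this example's own. A defender checking two such files by digest alone has no way to tell them apart, which is the structural failure the post describes.

```python
"""Toy Merkle-Damgard hash showing that a one-block collision survives any
common prefix and suffix.  Constructed example; the real attack targets a
real hash, this only reproduces the iterated structure that makes the
suffix latitude possible."""
import hashlib
import random

STATE_BYTES = 3   # 24-bit chaining value: birthday search needs ~2^12 trials
BLOCK_BYTES = 8   # toy block size (assumption, chosen for speed)
IV = 0x123456     # arbitrary fixed initial value (constructed)


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of state||block truncated to 24 bits."""
    assert len(block) == BLOCK_BYTES
    digest = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def pad(message: bytes) -> bytes:
    """MD-strengthening style padding: 0x80, zero fill, then an 8-byte bit length."""
    padded = message + b"\x80"
    while (len(padded) + 8) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + (len(message) * 8).to_bytes(8, "big")


def toy_hash(message: bytes) -> int:
    """Iterate the compression function over the padded message."""
    data = pad(message)
    state = IV
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state


def find_colliding_blocks(state: int, seed: int = 1) -> tuple[bytes, bytes]:
    """Birthday search: two distinct blocks mapping `state` to the same value."""
    rng = random.Random(seed)  # seeded so the demonstration is reproducible
    seen: dict[int, bytes] = {}
    while True:
        block = rng.getrandbits(8 * BLOCK_BYTES).to_bytes(BLOCK_BYTES, "big")
        out = compress(state, block)
        if out in seen and seen[out] != block:
            return seen[out], block
        seen[out] = block


def build_collision(prefix: bytes, suffix: bytes, seed: int = 1) -> tuple[bytes, bytes]:
    """Return prefix||B1||suffix and prefix||B2||suffix with equal toy_hash.

    The prefix must end on a block boundary so the colliding blocks occupy a
    whole block; the suffix is unconstrained because both messages have the
    same length and therefore the same padding and the same remaining blocks.
    """
    assert len(prefix) % BLOCK_BYTES == 0, "prefix must end on a block boundary"
    state = IV
    for i in range(0, len(prefix), BLOCK_BYTES):
        state = compress(state, prefix[i:i + BLOCK_BYTES])
    b1, b2 = find_colliding_blocks(state, seed)
    return prefix + b1 + suffix, prefix + b2 + suffix


if __name__ == "__main__":
    # Constructed "document" skeleton: a header, the colliding blocks, then a body.
    header = b"HEADER: v1\n".ljust(16, b" ")
    body = b"\nThis body text is shared by both documents and can be anything.\n"
    m1, m2 = build_collision(header, body)
    print("distinct messages:", m1 != m2)
    print("same digest      :", hex(toy_hash(m1)), hex(toy_hash(m2)))
    print("still equal after more suffix:", toy_hash(m1 + b"...") == toy_hash(m2 + b"..."))
```

The only constraint the attacker has to respect is where the colliding blocks sit; everything before them (shared) and after them (shared) is free, which is why the real-world certificate and PDF pairs are fully formed, viewer-parsable files rather than random byte strings.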