F.F.T. Hashing is not Collision-free
T. BARITAUD (*), H. GILBERT (*), M. GIRAULT (**)
(*) CNET PAA/TSA/SRC, 38-40 avenue du Général Leclerc, 92131 ISSY LES MOULINEAUX (France)
(**) SEPT PEM, 42 rue des Coutures, BP 6243, 14066 CAEN (France)
Abstract
The FFT Hashing Function proposed by C.P. Schnorr [1] hashes messages of arbitrary length into a 128-bit hash value. In this paper, we show that this function is not collision free, and we give an example of two distinct 256-bit messages with the same hash value. Finding a collision (in fact a large family of colliding messages) requires approximately $2^{23}$ partial computations of the hash function, and takes a few hours on a SUN3-workstation, and less than an hour on a SPARC-workstation. A similar result discovered independently has been announced at the Asiacrypt'91 rump session by Daemen-Bosselaers-Govaerts-Vandewalle [2].
1 The FFT Hashing Function
1.1 The Hash algorithm
Let the message be given as a bit string $m_1 m_2 \ldots m_L$ of L bits. The message is first padded so that its length (in bits) becomes a multiple of 128. Let the padded message $M_1 M_2 \ldots M_n$ consist of n blocks $M_1, \ldots, M_n$, each of the $M_i$ ($i = 1, \ldots, n$) being 128-bit long.
The algorithm uses a constant initial value $H_0$ given in hexadecimal as $H_0$ = 0123 4567 89ab cdef fedc ba98 7654 3210 in $\{0,1\}^{128}$.
R.A. Rueppel (Ed.): Advances in Cryptology - EUROCRYPT '92, LNCS 658, pp. 35-44, 1993. © Springer-Verlag Berlin Heidelberg 1993
Let p be the prime $65537 = 2^{16} + 1$. We will use the Fourier transform $FT_8 : \{0, \ldots, p-1\}^8 \to \{0, \ldots, p-1\}^8$, $(a_0, \ldots, a_7) \mapsto (b_0, \ldots, b_7)$
with $b_i = \sum_{j=0}^{7} 2^{4ij} a_j \bmod p$, for $i = 0, \ldots, 7$.

Algorithm for the hash function h:
INPUT: $M_1 \ldots M_n$ in $\{0,1\}^{n \cdot 128}$ (a padded message)
DO: $H_i = g(H_{i-1}, M_i)$ for $i = 1, \ldots, n$
OUTPUT: $h(M) := H_n$

Algorithm for $g : \mathbb{Z}_p^{16} \to \{0,1\}^{8 \cdot 16}$:
INPUT: $(e_0, \ldots, e_{15})$ in $\{0,1\}^{16 \cdot 16}$
1. $(e_0, e_2, \ldots, e_{14}) := FT_8(e_0, e_2, \ldots, e_{14})$
2. FOR $i = 0, \ldots, 15$ DO $e_i := e_i + e_{i-1} e_{i-2} + e_{e_{i-3}} + 2^i \pmod p$
(The lower indices $i$, $i-1$, $i-2$, $i-3$, $e_{i-3}$ are taken modulo 16)
3. REPEAT steps 1 and 2
OUTPUT: $\bar{e}_i := e_i \bmod 2^{16}$, for $i = 8, \ldots, 15$ (an element of $\{0,1\}^{8 \cdot 16}$)

1.2 Notations
For a better clarity of our explanation, we will denote by $e_i^0$ ($i = 0, \ldots, 15$) the initial $e_i$ values, and we will denote by step 3 (resp. step 4) the second pass of step 1 (resp. step 2) in the algorithm for g.
When it will be necessary to avoid any kind of slip, we will denote by $e_i^k$ ($i = 0, \ldots, 15$; $k = 0, \ldots, 4$) the $e_i$ intermediate value, after step k.
In order to simplify the expressions, we are using the following notations:
- The additions (x+y), multiplications (x.y) and exponentiations ($x^y$) are implicitly made modulo p, except when the operands are lower indices.
- The = symbol denotes that the right and the left terms are congruent modulo p.
- For lower indices the additions (i+j) and subtractions (i-j) are implicitly made modulo 16, and the $\equiv$ symbol denotes that the right and the left terms are congruent modulo 16.
1.3 Preliminary remarks
The difficulty of finding collisions is related to the diffusion properties of the hashing function, i.e. the influence of a modification of an intermediate variable on the subsequent variables of the calculation.
Remark 1 (limitation on the diffusion at steps 1 and 3): At steps 1 and 3, the input values $e_1, e_3, \ldots, e_{15}$ are kept unchanged.
Remark 2 (limitation on the diffusion at steps 2 and 4): The diffusion introduced by the $e_{i-1} e_{i-2}$ terms in the recurrence for steps 2 and 4 can sometimes be cancelled (if one of the values $e_{i-1}$ and $e_{i-2}$ is 0). More precisely, let $(e_0^1, e_1^1, \ldots, e_{15}^1)$ be the input to step 2:
Proposition 1: If for a given value i in $\{1, \ldots, 14\}$ we have $e_{i-1}^2 = e_{i+1}^2 = 0$ and if $e_{13}^1 \not\equiv i$; $e_{14}^1 \not\equiv i$; $e_{15}^1 \not\equiv i$; $e_j^2 \not\equiv i$ for j in $\{0, \ldots, 12\}$, then the impact of replacing the input value $e_i^1$ by a new value $e_i^1 + \Delta e_i^1$ such that $e_i^1 + \Delta e_i^1 \equiv e_i^1$ is limited to the output value $e_i^2$ (that means the $e_j^2$ are not modified for $j \neq i$).
Proposition 2: If $e_{14}^1 = e_0^2 = 0$ and if $e_j^2 \not\equiv 15$ for j in $\{1, \ldots, 11\}$ then the impact of replacing the input value $e_{15}^1$ by a new value $e_{15}^1 + \Delta e_{15}^1$ such that $e_{15}^1 + \Delta e_{15}^1 \equiv e_{15}^1$ is limited to the output value $e_{15}^2$.
Similarly, let $(e_0^3, e_1^3, \ldots, e_{15}^3)$ be the input to step 4:
Proposition 1': If for a given value i in $\{1, \ldots, 14\}$ we have $e_{i-1}^4 = e_{i+1}^4 = 0$ and if $e_{13}^3 \not\equiv i$; $e_{14}^3 \not\equiv i$; $e_{15}^3 \not\equiv i$; $e_j^4 \not\equiv i$ for j in $\{0, \ldots, 12\}$, then the impact of replacing the input value $e_i^3$ by a new value $e_i^3 + \Delta e_i^3$ such that $e_i^3 + \Delta e_i^3 \equiv e_i^3$ is limited to the output value $e_i^4$.
Proposition 2': If $e_{14}^3 = e_0^4 = 0$ and if $e_j^4 \not\equiv 15$ for j in $\{1, \ldots, 11\}$ then the impact of replacing the input value $e_{15}^3$ by a new value $e_{15}^3 + \Delta e_{15}^3$ such that $e_{15}^3 + \Delta e_{15}^3 \equiv e_{15}^3$ is limited to the output value $e_{15}^4$.
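The algorithm for g and Proposition 2 can be checked mechanically. The following Python code is an added example, not code from the paper (the authors' Pascal program is not reproduced on this page); the function names and the randomly constructed step-2 inputs are assumptions of this example. It implements $FT_8$ and the recurrence as stated in Section 1.1, builds inputs that meet the premises of Proposition 2, and compares the outputs before and after adding 16 to $e_{15}$.

```python
import random

P = 65537  # the prime p = 2^16 + 1
H0 = [0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210]

def ft8(a):
    """FT_8: b_i = sum_j 2^(4ij) * a_j mod p, for i = 0..7."""
    return [sum(pow(2, 4 * i * j, P) * a[j] for j in range(8)) % P
            for i in range(8)]

def step1(e):
    """Steps 1 and 3: transform e_0, e_2, ..., e_14; odd indices untouched."""
    e = list(e)
    e[0::2] = ft8(e[0::2])
    return e

def step2(e):
    """Steps 2 and 4: e_i := e_i + e_{i-1} e_{i-2} + e_{e_{i-3}} + 2^i mod p."""
    e = list(e)
    for i in range(16):  # negative list indices wrap, i.e. indices mod 16
        e[i] = (e[i] + e[i - 1] * e[i - 2] + e[e[i - 3] % 16] + (1 << i)) % P
    return e

def g(h, m):
    """Compression function on chaining value h and block m (8 words each)."""
    e = list(h) + list(m)
    for _ in range(2):
        e = step2(step1(e))
    return [x % (1 << 16) for x in e[8:]]

def prop2_check(trials=300, seed=1):
    """Count step-2 inputs meeting Proposition 2's premises, and how many of
    them confine the change e_15 -> e_15 + 16 to the output word e_15."""
    rng = random.Random(seed)
    total = confined = 0
    for _ in range(trials):
        e1 = [rng.randrange(P) for _ in range(16)]
        # Constructed input: e_14 = 0; e_13 = 14 and e_0 = p - 1 force the
        # updated e_0 to 0; e_15 = 0 as fixed in Section 2.1.
        e1[0], e1[13], e1[14], e1[15] = P - 1, 14, 0, 0
        e2 = step2(e1)
        if e2[0] != 0 or any(e2[j] % 16 == 15 for j in range(1, 12)):
            continue  # premises not met for this sample
        total += 1
        d1 = list(e1)
        d1[15] += 16  # variation congruent to 0 modulo 16
        confined += step2(d1)[:15] == e2[:15]
    return total, confined

def without_premise():
    """Same variation with e_14 = 1: the product e_15 * e_14 changes e_0."""
    e1 = [0] * 16
    e1[14] = 1
    d1 = list(e1)
    d1[15] += 16
    return step2(e1)[0], step2(d1)[0]

if __name__ == "__main__":
    print(prop2_check(), without_premise(), g(H0, [0] * 8))
```

Every sampled input that meets the premises keeps $e_0^2, \ldots, e_{14}^2$ unchanged, while dropping the premise $e_{14}^1 = 0$ lets the same variation reach $e_0^2$ immediately.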
2 Construction of two colliding messages
2.1 Construction of a partial collision
We first find two 128-bit blocks $M_1$ and $M'_1$ which hash values $H_1 = (\bar{e}_8^4, \ldots, \bar{e}_{15}^4)$ and $H'_1 = ({\bar{e}'}_8^4, \ldots, {\bar{e}'}_{15}^4)$ differ only by their right components $\bar{e}_{15}^4$ and ${\bar{e}'}_{15}^4$. We will later refer to this property in saying that $M_1$ and $M'_1$ realize a partial collision.
Our technique for finding $M_1$ and $M'_1$ is the following: we search $M_1$ values such that $e_{14}^1 = 0$; $e_0^2 = 0$; $e_{14}^3 = 0$; $e_0^4 = 0$. The propositions 2 and 2' suggest that for such a message $M_1 = (e_8^0, \ldots, e_{14}^0, e_{15}^0)$, $M_1$ and the message $M'_1 = (e_8^0, \ldots, e_{14}^0, e_{15}^0 + 16)$ realize a partial collision with a significant probability (approximately 1/8).
There are two main steps for finding $M_1$.
Step 1: Selection of $e_8^0$, $e_{10}^0$, $e_{12}^0$ and $e_{14}^0$
Arbitrary (e.g. random) values are taken for $e_{12}^0$ and $e_{14}^0$. The values of $e_8^0$ and $e_{10}^0$ are then deduced from these values by solving the following linear system:
Proposition: If $e_{13}^0 = 14$ then $e_{14}^1 = 0$ and $e_0^2 = 0$ independently of the values of $e_9^0$, $e_{11}^0$, $e_{13}^0$, $e_{15}^0$.
Proof: This is a direct consequence of the definition of the g function.
Step 2: Selection of $e_9^0$, $e_{11}^0$, $e_{13}^0$, $e_{15}^0$
The values of $e_8^0$, $e_{10}^0$, $e_{12}^0$, $e_{14}^0$ are taken from Step 1. We fix the values of $e_{11}^0 = 0$ and $e_{15}^0 = 0$. An arbitrary (e.g. random) value is taken for $e_9^0$. We first calculate the $e_{12}^2$ and $e_{14}^3$ values corresponding to the chosen value of $e_9^0$, $e_{11}^0$ and $e_{15}^0$ and to the temporary value $e_{13}^0 = 14$. Based on these preliminary calculations, we "correct" the temporary value $e_{13}^0 = 14$ by a quantity $\Delta e_{13}^0$, i.e. we replace the value $e_{13}^0 = 14$ by the value $e_{13}^0 = 14 + \Delta e_{13}^0$, and we leave the other input values unchanged. We denote by $\Delta e_j^k$ ($0 \le k \le 4$; $0 \le j \le 15$) the corresponding variations of the intermediate variables in the $H_1$ calculation. We select $\Delta e_{13}^0$ in such a way that the quantity $e_{14}^3 + \Delta e_{14}^3$ (i.e. the new value of $e_{14}^3$) is equal to zero with a good probability.
Proposition: If $e_{12}^2 \neq 0$ and $\frac{-e_{14}^3}{2^{4 \cdot 7 \cdot 7} e_{12}^2} \equiv 0$ and $e_j^2 \not\equiv 13$ for $1 \le j \le 11$, then the above values of $e_9^0$, $e_{11}^0$, $e_{15}^0$ and the value $\Delta e_{13}^0 = \frac{-e_{14}^3}{2^{4 \cdot 7 \cdot 7} e_{12}^2}$ lead to the three relations
(a)
(c) $e_{14}^3 + \Delta e_{14}^3 = 0$
Proof: (a) is straightforward; (b) and (c) are direct consequences of the following relations, which result from the definition of the g function:
We performed a large number $n_1$ of trials of step 1. For each trial of step 1, we made a large number $n_2$ of trials of step 2. The success probability of step 2, i.e. the probability that the trial of a $e_9^0$ value leads to a message such that (a), (b) and (c) are realized, is slightly less than 1/16 (since the strongest condition in proposition 2 is: $\frac{-e_{14}^3}{2^{4 \cdot 7 \cdot 7} e_{12}^2} \equiv 0$). Therefore the probability that a step 2 trial leads to a message $M_1$ such that $e_{14}^1 = e_0^2 = e_{14}^3 = e_0^4 = 0$ is slightly less than $\frac{1}{16} \cdot 2^{-16} = 2^{-20}$. Moreover, the probability that such a message $M_1$ leads to a partial collision is basically the probability that none of the $e_{i-3} \bmod 16$ indices occurring in the calculation of $e_0^2$ to $e_{15}^2$ and $e_0^4$ to $e_{15}^4$ takes the value 15, which is close to 1/8. So, in summary, approximately $2^{23}$ partial computations of the g function were necessary to obtain a suitable message $M_1 = (e_8^0, \ldots, e_{14}^0, e_{15}^0)$, such that $M_1$ and the message $M'_1 = (e_8^0, \ldots, e_{14}^0, e_{15}^0 + 16)$ lead to partially colliding hash values $H_1 = (\bar{e}_8^4, \ldots, \bar{e}_{15}^4)$ and $H'_1 = (\bar{e}_8^4, \ldots, \bar{e}_{15}^4 + 16)$.
2.2 Construction of a full collision using a partial collision
We now show how to find a 128-bit message $M_2 = (e_8^0, \ldots, e_{15}^0)$ such that the previously obtained hash values $H_1$ and $H'_1$ (denoted in this section by $(e_0^0, \ldots, e_7^0)$ and $({e'}_0^0, \ldots, {e'}_6^0, {e'}_7^0) = (e_0^0, \ldots, e_6^0, e_7^0 + 16)$ respectively) lead to the same hash value $H_2$ (when combined with $M_2$): $g(H_1, M_2) = g(H'_1, M_2)$.
Our technique for finding $M_2$ is quite similar to the one used for finding $M_1$ and $M'_1$. Let us denote by $e_j^i$ (resp. ${e'}_j^i$) ($0 \le i \le 4$, $0 \le j \le 15$) the intermediate variables of the calculations of $g(H_1, M_2)$ (resp. $g(H'_1, M_2)$).
We search $M_2$ values such that $e_6^2 = e_8^2 = e_6^4 = e_8^4 = 0$. The propositions 1 and 1' suggest that, with a significant probability, the 16-tuples $(e_0^4, \ldots, e_{15}^4)$ and $({e'}_0^4, \ldots, {e'}_{15}^4)$ differ only by their components $e_7^4$ and ${e'}_7^4$, which implies that the probability to have $g(H_1, M_2) = g(H'_1, M_2)$ is quite substantial, approximately 1/8.
There are two main steps for the search of $M_2$:
Step 1: Selection of $e_8^0$, $e_{10}^0$, $e_{12}^0$, $e_{14}^0$, $e_9^0$
An arbitrary (e.g. random) value is taken for $e_{14}^0$. The values of $e_8^0$, $e_{10}^0$, $e_{12}^0$ are deduced from $e_{14}^0$ by solving the following linear system:
A preliminary calculation, where $e_9^0$, $e_{11}^0$ and $e_{15}^0$ are set to the temporary value 0 and $e_{13}^0$ is set to the temporary value 14, is made. The obtained value of $e_6^2$, denoted by $\delta$, is kept.
Proposition: If $e_8^0$, $e_{10}^0$, $e_{12}^0$, $e_{14}^0$ are solutions of (3), (4), (5) and if in addition the values $e_9^0 = p - \delta$, $e_{11}^0 = 0$, $e_{13}^0 = 14$, $e_{15}^0 = 0$ lead to intermediate values such that: $e_1^2 \bmod 16$ is not in $\{9, 11, 13, 15\}$; $e_2^2 \bmod 16$ is not in $\{9, 11, 13, 15\}$; $e_3^2 \equiv 9 \bmod 16$; $e_4^2 \bmod 16$ is not in $\{9, 11, 13, 15\}$; $e_5^2 \bmod 16$ is in $\{0, 6, 14\}$, then if we fix the value $e_9^0 = p - \delta$, for any value of $e_{13}^0 \equiv 14$ and for any value of $e_{15}^0$ such that $e_{15}^0 \equiv 0$ we have:
Proof: The proof of this proposition is easy.
Finding the $e_8^0$, $e_{10}^0$, $e_{12}^0$, $e_{14}^0$ and $e_9^0$ values satisfying the conditions of the above proposition is quite easy, and requires the trial of a few hundreds $e_{14}^0$ values.
Step 2: Selection of $e_{11}^0$, $e_{13}^0$, $e_{15}^0$
The values of $e_8^0$, $e_{10}^0$, $e_{12}^0$, $e_{14}^0$, $e_9^0$ are taken from step 1; these values are assumed to realize the conditions of the above proposition.
An arbitrary (e.g. random) value is taken for $e_{11}^0$. A preliminary calculation is made, using the selected $e_{11}^0$ value and the temporary values $e_{13}^0 = 14$; $e_{15}^0 = 0$. The corresponding values of $e_{12}^2$ and $e_8^3$ are kept.
Based on these preliminary calculations, we "correct" the temporary value of $e_{13}^0$ by a quantity $\Delta e_{13}^0$ and we also consider new values $e_{15}^0 + \Delta e_{15}^0$ for $e_{15}^0$. The variation $\Delta e_{13}^0$ is selected in such a way that for any $\Delta e_{15}^0$ value satisfying $\Delta e_{15}^0 \equiv 0$, the new value $e_8^3 + \Delta e_8^3$ of $e_8^3$ is equal to $-2^8$ with a substantial probability.
Ac
8
3
-2 - e 8
..
: If
0 and ef mod 16 is not in [ 13,15) rorlsjjls11 thcn for 24.4.7 2 J
# 0 and
z
CI,
0 any variation Acl5 E O on
&t
2 0 such that c I 5 + AcI5
I:
p and
4
4
p. chc variation
a 3 -2 -e*
-
0
on the cI3 value lwds LO the fotlowing new valucs :
43=c12
$e_{14}^1 + \Delta e_{14}^1 = 0$; $e_0^2 + \Delta e_0^2 = 0$; $e_6^2 + \Delta e_6^2 = 0$; $e_8^2 + \Delta e_8^2 = 0$; $e_8^3 + \Delta e_8^3 = -2^8$.
We performed a number $n_1$ of trials of step 1. For each successful trial of step 1, we made a large number $n_2$ of trials of $e_{11}^0$ values at step 2. For those $e_{11}^0$ values satisfying the conditions of the above proposition, we made a large number $n_3$ of trials of new $e_{15}^0$ values such that $\Delta e_{15}^0 \equiv 0$. The probability that the trial of a new $\Delta e_{15}^0$ value leads to intermediate variables satisfying the four equations $e_6^2 = 0$; $e_8^2 = 0$; $e_6^4 = 0$; $e_8^4 = 0$ is basically the probability that randomly tried $e_6^4$ and $e_5^4$ values satisfy $e_6^4 = 0$ and $e_5^4 \equiv 6$; the order of magnitude of this probability is therefore $2^{-20}$. Moreover, the probability that a message $M_2$ satisfying the four equations $e_6^2 = 0$; $e_8^2 = 0$; $e_6^4 = 0$; $e_8^4 = 0$ leads to a full collision $g(H_1, M_2) = g(H'_1, M_2)$ is basically the probability that none of the $e_{i-3} \bmod 16$ indices occurring in the calculation of $e_0^2$ to $e_{15}^2$ and of $e_0^4$ to $e_{15}^4$ takes the value 15, which is close to 1/8. So in summary approximately $2^{23}$ partial computations of the g function are necessary to obtain a message $M_2$ giving a full collision.
2.3 Implementation details
The above attack method was implemented using a non-optimized Pascal program. The search for a collision took a few hours on a SUN3 workstation and less than an hour on a SPARC workstation. We provide in annex the detail of the intermediate calculations for two colliding messages $M_1 M_2$ and $M'_1 M_2$ of two 128-bit blocks each. Note that for many other values $M''_1$ of the form $(e_8^0, \ldots, e_{15}^0 + k \cdot 16)$ (k: an integer) of the first 128-bit block, the message $M''_1 M_2$ leads to the same hash value as $M_1 M_2$: the observed phenomenon is in fact a
3 Conclusions
The attack described in this paper takes advantage of the two following weaknesses of the FFT-Hashing algorithm:
- the influence of the term $e_{e_{i-3}}$ in the recurrence $e_i := e_i + e_{i-1} e_{i-2} + e_{e_{i-3}} + 2^i \pmod p$ on the security of the algorithm is rather negative (see for example the method to obtain $e_6^2 = 0$ (or $e_8^2 = 0$) at step 1 of Section 2.2).
- as mentioned in Section 1.3, the diffusion introduced by the four steps of the algorithm is quite limited. In particular, the $FT_8$ Fourier transform acts only on half of the intermediate values $(e_0, \ldots, e_{15})$, namely the 8 values $e_0, e_2, \ldots, e_{14}$.
This suggests that quite simple modifications might result in a substantial improvement of the security of the FFT-Hashing algorithm.
4 Acknowledgements
The authors are grateful to Jacques BURGER (SEPT PEM, 42 rue des Coutures, BP 6243, 14066 CAEN, France) for the Sparc implementation as well as useful discussions.
5 References
[1] C.P. SCHNORR; FFT-Hashing: An Efficient Cryptographic Hash Function; July 15, 1991 (This paper was presented at the rump session of the CRYPTO'91 Conference, Santa Barbara, August 11-15, 1991).
[2] DAEMEN - BOSSELAERS - GOVAERTS - VANDEWALLE: Announcement made at the rump session of the ASIACRYPT '91 Conference, Fujiyoshida, Japan, November 11-14, 1991.