No Difference

There are two possible solutions to this problem. One involves the method of differential cryptanalysis (normally done on the substitution box SBOX like these), and another brute-force, or more specifically birthday attack solution. I attempt this using the birthday attack solution. The idea is that the space of state is too small. Indeed, the shuffling of the first stage of the hash: 1 2 3 4 5 6 7 8 9 state = [16, 32, 48, 80, 80, 96, 112, 128] for i in range(0, len(data), 4): block = data[i:i+4] state[4] ^= block[0] state[5] ^= block[1] state[6] ^= block[2] state[7] ^= block[3] state = permute(state) state = substitute(state) Only state[4:] are modified from the block’s content....