Hacker News new | ask | show | jobs
by stouset 1791 days ago
If you have the output

    h = SHA-256(k || m1)
you can easily compute a function `F(h, m2)` such that

    SHA-256(k || m1 || m2) = F(h, m2)
allowing you to forge a verifier for `m1 || m2` under `k` for any `m2` you wish without actually knowing `k`.