Tool · Animator
Merkle-Damgård Animator
A SHA-256 walkthrough, one 64-byte block at a time. See the input padded, the chaining variable threaded from block to block, and the final digest emerge as nothing more than the state at the end.
43 bytes · 1 64-byte blocks after padding
Block 1 of 1
State entering this block (chaining variable)
6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19Block 0 (64 bytes)· padding starts at byte 43
54686520717569636b2062726f776e20666f78206a756d7073206f76657220746865206c617a7920646f67800000000000000000000000000000000000000158
Pink bytes are the Merkle-Damgård padding: 0x80, zeros, then 8-byte big-endian bit length.
State after compression (chaining variable for the next block)
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592After the last block, the final state IS the SHA-256 digest:
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592Length-extension turns on exactly here: a digest is just the state. See the attack demo.
Reading guide
- Padding (pink bytes):
0x80, zero bytes, then an 8-byte big-endian bit length, padded so the total is a multiple of 64 bytes. - Chaining variable: the 256-bit state going in and coming out of each compression. The output of the last block IS the digest.
- Length-extension: because the digest is just the state, anyone who has the digest can keep hashing. See the attack demo.
- Why sponge fixes it: a sponge keeps a portion of the state (the “capacity”) hidden from the output, so a digest does not let an attacker reconstruct the internal state. See the sponge animator.
FAQ