The quoted text seems to talk about finding a collision of a 128-bit hash function with the Birthday attack. In a birthday attack, one creates around $\sqrt{2^{128}} = 2^{64}$ messages so that they expect to find a colliding pair with 1/2 probability.
In the described attack, Oscar wants to create two specific messages that have the same hash value.
- $x_1$ = Transfer \$10 into Oscar’s account
- $x_2$ = Transfer \$10,000 into Oscar’s account
In order to create $2^{64}$ messages, one can use invisible characters like the space and the tab. If you append 64 characters to $x_1$ or $x_2$, each of them either a tab or a space, then you get 64 locations. This makes $2^{64}$ messages that have the same meaning and, with high probability, different hashes.
This invisible modification applies to both $x_1$ and $x_2$.
Create $2^{64}$ different strings for $x_1$ and $x_2$ and combine them in a set. In this set, we expect a collision. Keep in mind that, in this way, we may have a collision within the variants of $x_1$ (or $x_2$).
Now, Oscar seeks a way to deceive you. Oscar sends you the message $x_1$ with the hash-and-sign paradigm and you verify it. Later Oscar claims that they sent you $x_2$. They show you that the signature is the same as the previous one, and here we have the conflict to resolve.
For other examples of using hash collision in realistic attacks see this question;
Collision attack vs second pre-image attack
In the collision attack we are looking for two messages $m_1$ and $m_2$ with $m_1 \neq m_2$ such that $h(m_1) = h(m_2)$. In a collision attack the attacker is free to choose the hash value; they only seek two messages that have the same hash value. This freedom reduces the attack cost. The generic cost of collision is $\mathcal{O}(\sqrt{2^{n/2}})$-time for $n$-bit output hash function.
In some other scenarios, the attacker needs a second pre-image attack; given a message $m$ and its hash value $x=h(m)$, find another message $m' \neq m$ such that $h(m)=h(m')$. This is the scenario where the attacker creates a forgery of a digital signature (hash and sign). Given the signature, they try to find another message $m'$ such that the signature is the same as the given one.
The generic cost of the secondary pre-image attack is $\mathcal{O}(\sqrt{2^n})$-time for $n$-bit hash function.
Formal definitions can be found in
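Added example, not part of the original answer: the space/tab variant search described above, run against SHA-256 truncated to a few dozen bits so that it finishes in seconds and shows why a short digest cannot be trusted under hash-and-sign. The names `toy_hash`, `variant`, `find_cross_collision` and the 32-character suffix length are assumptions made for this sketch. Only the $x_1$ variants are stored and only $x_2$ variants are tested against them, so a match is always between an $x_1$ variant and an $x_2$ variant, never within one message's variants.

```python
import hashlib

X1 = "Transfer $10 into Oscar's account"
X2 = "Transfer $10,000 into Oscar's account"
SUFFIX_LEN = 32  # assumption: number of trailing whitespace positions


def toy_hash(msg: str, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits (stand-in for a short hash)."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def variant(msg: str, i: int) -> str:
    """Append SUFFIX_LEN invisible characters: bit k of i picks space (0) or tab (1)."""
    pad = "".join("\t" if (i >> k) & 1 else " " for k in range(SUFFIX_LEN))
    return msg + pad


def find_cross_collision(x1: str, x2: str, bits: int = 32):
    """Return (v1, v2): a variant of x1 and a variant of x2 with equal toy hashes."""
    n = 1 << (bits // 2)  # about 2^(bits/2) stored variants of x1
    table = {toy_hash(variant(x1, i), bits): i for i in range(n)}
    # Each x2 variant hits the table with probability about n / 2^bits,
    # so roughly n tries are expected; the bound leaves a wide margin.
    for j in range(64 * n):
        hit = table.get(toy_hash(variant(x2, j), bits))
        if hit is not None:
            return variant(x1, hit), variant(x2, j)
    return None


if __name__ == "__main__":
    v1, v2 = find_cross_collision(X1, X2)
    print(repr(v1))
    print(repr(v2))
    print(hex(toy_hash(v1, 32)), hex(toy_hash(v2, 32)))
```
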