HASH FUNCTION
A cryptographic hash function maps arbitrary-length input to a fixed-length output
(digest) with three key properties: preimage resistance (can't reverse), second
preimage resistance (can't find input with same hash), and collision resistance (can't find
two inputs with the same hash). Bitcoin uses SHA-256 and
RIPEMD-160 throughout its protocol.
HASH_FUNCTIONS_IN_BITCOIN
WHERE EACH HASH IS USED
SHA-256:
Block hash: SHA256(SHA256(header))
TxID: SHA256(SHA256(tx_bytes))
WTXID: SHA256(SHA256(tx_with_witness))
Merkle tree: SHA256(SHA256(left || right))
BIP32 child key: via HMAC-SHA512 (keyed SHA-512)
Output: 32 bytes (256 bits)
RIPEMD-160:
Address hash: RIPEMD160(SHA256(pubkey))
P2SH hash: RIPEMD160(SHA256(redeemscript))
Called HASH160 = SHA256 then RIPEMD160
Output: 20 bytes (160 bits)
SHA-512:
BIP32 key derivation: HMAC-SHA512(chaincode, data)
Output: 64 bytes (512 bits) → split into key + chaincode
Why Double SHA-256?
DESIGN CHOICE
Bitcoin uses SHA256d (double SHA-256) for block hashes and TxIDs — applying SHA-256 twice. This provides defense against certain length-extension attacks.
SHA256 output: 32 bytes
SHA256d = SHA256(SHA256(data)):
Round 1: hash = SHA256(data) → 32 bytes
Round 2: hash = SHA256(hash) → 32 bytes final
Length-extension attack:
SHA256 is vulnerable: if you know H(m), you can compute
H(m || padding || extra) without knowing m.
SHA256d is NOT vulnerable because the inner hash
is just data to the outer hash.
Performance note:
SHA256d ≈ 2× the cost of SHA256
For block hashing: tradeoff is worth the security
Why RIPEMD-160 for Addresses?
DESIGN RATIONALE
Bitcoin addresses use HASH160 = RIPEMD160(SHA256(pubkey)) — a 20-byte output instead of 32 bytes. Shorter addresses reduce scriptPubKey size.
HASH160 output: 20 bytes (160 bits)
→ 2^80 security (birthday bound)
→ Shorter than 32-byte SHA256 output
P2PKH scriptPubKey:
OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
Total: 25 bytes (vs 35 bytes with full 33-byte pubkey in P2PK)
Dual-hash design:
Even if RIPEMD-160 is weakened: SHA-256 provides 32 bytes
before RIPEMD-160 sees it — attacker must also break SHA-256.
Two independent hash functions = defense in depth.
TERMINOLOGY_INDEX
SHA-256
Secure Hash Algorithm 256-bit. 32-byte output. Used for block hashes, TxIDs, Merkle trees in Bitcoin.
SHA256d
Double SHA-256: SHA256(SHA256(x)). Used for all block and transaction ID computation in Bitcoin.
RIPEMD-160
RACE Integrity Primitives Evaluation Message Digest. 20-byte output. Used in Bitcoin address hashing.
Preimage Resistance
Given a hash output, it is computationally infeasible to find an input that produces it.
INTERACTIVE — TRY IT YOURSELF
HASH FUNCTIONS
Bitcoin uses five hash primitives. SHA-256 hashes block headers and
forms TXIDs. SHA-256d (SHA-256 applied twice) is the workhorse — used
everywhere a hash needs to commit to data immutably. RIPEMD-160 shrinks
a hash to 160 bits for compactness. HASH160 = RIPEMD-160(SHA-256(x)),
the address-fingerprint function. HMAC-SHA-512 drives HD wallet
derivation. Type below — see them all compute live, then test the avalanche property
that makes them useful.
§ 1 — THE FIVE HASHES IN PARALLEL
Type any input — every hash function Bitcoin uses computes simultaneously. Note the
output sizes: SHA-256 → 32 bytes, RIPEMD-160 → 20 bytes, HMAC-SHA-512 → 64 bytes.
Two of these (SHA-256d and HASH160) are composed functions, not separate
algorithms — but they appear so often they get their own names.
[Interactive widget: multi-hash playground]
SHA-256: 32 bytes · used in PoW, TXID, sighash
SHA-256d (= SHA-256(SHA-256(x))): 32 bytes · block hash, TXID, checksum
RIPEMD-160: 20 bytes · address compression
HMAC-SHA-512 (key="Bitcoin seed"): 64 bytes · BIP-32 master key derivation
Why HASH160 and not just SHA-256? Two reasons. First, compactness
— 20 bytes vs 32 makes addresses shorter. Second, defense in depth
— if a flaw is found in SHA-256 OR RIPEMD-160, the composition is still secure
against attacks that need both.
§ 2 — AVALANCHE (CHANGE 1 BIT, FLIP HALF THE OUTPUT)
A core property of cryptographic hashes: a single input bit changing flips
~50% of output bits. This is what prevents an attacker from
incrementally tweaking an input to nudge the output toward a target. Below: the same
pair of hashes, with red marking every bit that differs between them.
[Interactive widget: avalanche comparison, SHA-256(A) vs SHA-256(B) and HASH160(A) vs HASH160(B)]
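A measurement of the avalanche property, as an added example that is not part of the original page: every single-bit flip of a constructed input is hashed and the Hamming distance to the original digest is recorded. Adler-32 (a non-cryptographic checksum from `zlib`) is included only as a contrast; the sample input and function names are assumptions of this example.

```python
import hashlib
import zlib

SAMPLE = b"constructed sample input"  # constructed for this example

def bit_diff(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")

def flip_bit(data: bytes, pos: int) -> bytes:
    """Return a copy of data with bit number pos (MSB-first) inverted."""
    out = bytearray(data)
    out[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(out)

def avalanche(hash_fn, data: bytes) -> dict:
    """Flip each input bit in turn and measure how many output bits change."""
    base = hash_fn(data)
    dists = [bit_diff(base, hash_fn(flip_bit(data, p)))
             for p in range(len(data) * 8)]
    out_bits = len(base) * 8
    return {
        "out_bits": out_bits,
        "mean_fraction": sum(dists) / len(dists) / out_bits,
        "min": min(dists),
        "max": max(dists),
    }

def sha256(d: bytes) -> bytes:
    return hashlib.sha256(d).digest()

def sha256d(d: bytes) -> bytes:
    return sha256(sha256(d))

def adler32(d: bytes) -> bytes:
    # Non-cryptographic checksum: small input changes stay small in the output.
    return zlib.adler32(d).to_bytes(4, "big")

def report() -> dict:
    fns = {"SHA-256": sha256, "SHA-256d": sha256d, "Adler-32": adler32}
    return {name: avalanche(fn, SAMPLE) for name, fn in fns.items()}

if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:9s} {r['mean_fraction']:.3f} of {r['out_bits']} bits "
              f"(min {r['min']}, max {r['max']})")
```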
§ 3 — HASH160 STAGE-BY-STAGE
HASH160 is two hashes pipelined. The intermediate value is a 32-byte SHA-256, which
then gets compressed to 20 bytes by RIPEMD-160. Watch each stage produce its output
— the kind of pipeline view you'd build when debugging an address-derivation bug.
[Interactive widget: HASH160 pipeline]
STAGE 0: input bytes
↓ SHA-256
STAGE 1: SHA-256 output (32 bytes)
↓ RIPEMD-160
STAGE 2: HASH160 output, final (20 bytes)
§ 4 — HMAC-SHA-512 (BIP-32's WORKHORSE)
HMAC takes a key and a message and produces a fixed-size output. The
key proves the output came from someone who knew the secret. In BIP-32, the master
seed becomes the master private key + chain code by HMAC'ing the seed with the literal
string "Bitcoin seed" as key — and child keys are derived by HMAC'ing
parent's chain code with parent pubkey + index.
[Interactive widget: HMAC-SHA-512, BIP-32 master derivation]
LEFT 32 BYTES → master privkey
RIGHT 32 BYTES → chain code
Why split exactly in half? HMAC-SHA-512 outputs 64 bytes. BIP-32 needs
a 32-byte private key AND a 32-byte chain code from a single derivation. The simplest
answer: produce 64 bytes, take the first half as one, the second half as the other.
The chain code carries forward to derive children — that's what makes the tree
deterministic.
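The split described above, as an added example that is not part of the original page. It goes one step further than the text: child keys are derived with BIP-32's hardened variant, which feeds `0x00 || parent private key || index` to the HMAC instead of the parent pubkey, so no elliptic-curve arithmetic is needed. It also applies BIP-32's range checks against the secp256k1 group order; the function names are assumptions of this example.

```python
import hashlib
import hmac

# Order of the secp256k1 group; BIP-32 rejects keys outside [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

def _hmac_split(key: bytes, data: bytes):
    """HMAC-SHA-512, then split the 64 bytes into (left 32, right 32)."""
    out = hmac.new(key, data, hashlib.sha512).digest()
    return out[:32], out[32:]

def master_from_seed(seed: bytes):
    """Return (master private key, master chain code) for a seed."""
    il, ir = _hmac_split(b"Bitcoin seed", seed)
    k = int.from_bytes(il, "big")
    if k == 0 or k >= N:
        raise ValueError("seed yields an invalid master key; use another seed")
    return il, ir

def hardened_child(priv: bytes, chain: bytes, index: int):
    """Derive hardened child `index` (0-based) from a parent key and chain code."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be in [0, 2^31)")
    data = b"\x00" + priv + (index | HARDENED).to_bytes(4, "big")
    il, ir = _hmac_split(chain, data)
    tweak = int.from_bytes(il, "big")
    child = (tweak + int.from_bytes(priv, "big")) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key; use the next index")
    return child.to_bytes(32, "big"), ir

def derive_hardened_path(seed: bytes, path):
    """Walk a path of hardened indexes, e.g. [44, 0, 0] for m/44'/0'/0'."""
    key, chain = master_from_seed(seed)
    for index in path:
        key, chain = hardened_child(key, chain, index)
    return key, chain

if __name__ == "__main__":
    # The 16-byte seed 00..0f, the seed of BIP-32's first published test vector.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    key, chain = master_from_seed(seed)
    print("master privkey:", key.hex())
    print("chain code:    ", chain.hex())
    print("m/44'/0'/0':   ", derive_hardened_path(seed, [44, 0, 0])[0].hex())
```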
§ 5 — COLLISION RESISTANCE & THE BIRTHDAY BOUND
A hash function with n-bit output has 2ⁿ possible values. By
the birthday paradox, you expect a collision after roughly 2ⁿ⁄²
queries. So a 256-bit hash gives you 128-bit collision security — the relevant number
for practical attack difficulty. SHA-1's 80-bit collision security is why it's
deprecated. SHA-256's 128 bits is calibrated to be permanently safe.
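The birthday bound at a scale that runs in seconds, as an added example that is not part of the original page: SHA-256 is truncated to n bits and distinct constructed inputs are hashed until two collide, which takes on the order of 2ⁿ⁄² queries rather than 2ⁿ. The input strings and function names are assumptions of this example.

```python
import hashlib
from itertools import count

def truncated(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a stand-in for an n-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def birthday_collision(bits: int):
    """Hash distinct inputs until two share an n-bit digest.

    Returns (first_input, second_input, number_of_queries).
    """
    seen = {}
    for i in count():
        msg = b"constructed-input-%d" % i  # constructed, distinct per i
        h = truncated(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def survey(sizes=(16, 20, 24, 28)):
    """For each size, report (bits, queries, queries / 2^(bits/2))."""
    rows = []
    for bits in sizes:
        _, _, queries = birthday_collision(bits)
        rows.append((bits, queries, queries / 2 ** (bits / 2)))
    return rows

if __name__ == "__main__":
    for bits, queries, ratio in survey():
        print(f"n={bits:2d}  2^n={2**bits:>11,}  queries={queries:>7,}  "
              f"queries/2^(n/2)={ratio:.2f}")
```

Each extra 2 bits of output doubles the work, which is why the table's 160-bit hashes sit at 2⁸⁰ and the 256-bit ones at 2¹²⁸.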
HASH SIZE → SECURITY MARGIN (reference table)
SHA-1: 160 bits · 80-bit collisions · deprecated since 2017 (SHAttered attack) · 2⁸⁰ ≈ 10²⁴
RIPEMD-160: 160 bits · 80-bit collisions · still safe in HASH160 because attackers need preimage of SHA-256 · 2⁸⁰ ≈ 10²⁴
SHA-256: 256 bits · 128-bit collisions · permanent classical security; ~64 quantum (Grover) · 2¹²⁸ ≈ 10³⁸
SHA-256d: 256 bits · same as SHA-256 collision-wise; double-hashing prevents length-extension · 2¹²⁸ ≈ 10³⁸
SHA-512: 512 bits · 256-bit collisions · used in HMAC for BIP-32 derivation · 2²⁵⁶ ≈ 10⁷⁷
HASH160: 160 bits · 80-bit collision security — fine for addresses (signatures still required to spend) · 2⁸⁰ ≈ 10²⁴
§ 6 — THE THREE PROPERTIES THAT MATTER
REFERENCE — CRYPTOGRAPHIC PROPERTIES
PREIMAGE RESISTANCE
Given h = H(x), finding x is computationally infeasible.
Required for: address derivation (HASH160 hides the pubkey until spend),
commitments (revealing inputs only at chosen times). Brute-force cost: 2ⁿ.
SECOND-PREIMAGE RESISTANCE
Given x, finding a different x' with H(x) = H(x')
is infeasible. Required for: data integrity (you can't substitute
different content with the same hash). Brute-force cost: 2ⁿ.
COLLISION RESISTANCE
Finding any pair x ≠ x' with H(x) = H(x') is
infeasible. Required for: Merkle trees, signatures (an attacker
who could find collisions could swap signed messages). Brute-force cost: 2ⁿ⁄²
(birthday paradox) — this is the weakest property and the one that constrains hash size.
TERMINOLOGY_INDEX
SHA-256
NIST's 256-bit hash standard. Bitcoin's primary cryptographic primitive.
SHA-256d
Double SHA-256. Used for block hashes, TXIDs, Base58Check checksums. Defends against length-extension.
RIPEMD-160
160-bit hash function. Used in HASH160 to compress the SHA-256 of a pubkey or script to 20 bytes.
HASH160
RIPEMD-160(SHA-256(x)). The 20-byte fingerprint used in P2PKH/P2SH/P2WPKH addresses.
HMAC
Hash-based Message Authentication Code. Combines a key with a message; only key-holders can compute valid output.
HMAC-SHA-512
HMAC built on SHA-512. Outputs 64 bytes. Used by BIP-32 for hierarchical derivation.
Avalanche
Property where a single input bit change flips ~50% of output bits. Hallmark of good cryptographic hashes.
Birthday Bound
2ⁿ⁄² queries needed to find a collision in an n-bit hash. Why hashes need 256 bits to be 128-bit-secure.
Length Extension
Attack on Merkle-Damgård hashes (incl. SHA-256) where given H(secret||msg), an attacker can compute H(secret||msg||extra). Double-hashing defeats it.