Hash Function — Glossary

TERM_DEF // KEYS_CRYPTOGRAPHY / HASH_FUNCTION

HASH
FUNCTION

Hash Function. A deterministic function mapping arbitrary input to a fixed-size output; one-way and collision-resistant.

This page sits in the Keys & Cryptography section — Elliptic curves, hashes, and signatures — the math that lets a 32-byte secret control billions of dollars. Read on for what it is, why it exists, how it works under the hood, and what to watch out for.

WHAT_HASH_FUNCTION_IS

Hash Function — at a glance

KEYS

A hash function is a deterministic one-way map from arbitrary-length input to a fixed-length digest. Bitcoin relies on two specific hash functions — SHA-256 and RIPEMD-160 — for every txid, every block-hash/">block hash, every merkle root, every address, every BIP32 derivation, and every proof of work. Replace either with something weaker and the entire edifice falls down.

Why it exists

DESIGN

A blockchain needs short, fixed-size identifiers for arbitrarily large objects (transactions, blocks, scripts) so they can be referenced by name without copying. It needs one-wayness so commitments are binding — once a block header commits to a merkle root, no one can swap in a different transaction set without breaking every downstream hash. And it needs collision resistance so two distinct objects cannot share an ID. Hash functions deliver all three from a single primitive, with no shared secret and no trusted party.

HOW_IT_WORKS

Mechanism

HOW IT WORKS

Bitcoin almost never uses a hash function once. Block hashes and txids use SHA256d = SHA256(SHA256(x)) — the double hash defends against length-extension attacks on the underlying Merkle-Damgård construction. Addresses use HASH160 = RIPEMD160(SHA256(x)) — two independent hash functions in series, so an attacker must break both, and a 20-byte digest keeps scriptPubKey short. HD key derivation uses hmac-sha512/">HMAC-SHA512 — a keyed construction whose output is unpredictable to anyone without the chaincode.

1. Take the input bytes — a transaction serialisation, a block header, a public key, whatever needs an identifier. 2. Apply the construction Bitcoin defines for that use case: SHA256d, HASH160, or HMAC-SHA512. 3. The output is fixed-size: 32 bytes for SHA-256/SHA256d, 20 bytes for HASH160, 64 bytes for HMAC-SHA512. 4. Any verifier on the network re-runs the same construction against the same public input and re-checks the result. 5. A single bit flipped in the input changes roughly half the output bits (avalanche) — what makes hashes usable as tamper-evident fingerprints. 6. Reversing the output to recover the input requires ≈ 2²⁵⁶ work for SHA-256 — more than every computer on Earth has ever done, combined.

WORKED_EXAMPLE

Bitcoin's three hash constructions, side by side

EXAMPLE

Input: "hello bitcoin" Bytes: 68 65 6c 6c 6f 20 62 69 74 63 6f 69 6e (13 bytes) SHA256d(input) = SHA256(SHA256(input)) ← used for block hashes, txids output: 32 bytes HASH160(input) = RIPEMD160(SHA256(input)) ← used for P2PKH / P2SH addresses output: 20 bytes HMAC-SHA512(key, input) ← used for BIP32 child key derivation output: 64 bytes — split as 32 bytes key tweak + 32 bytes chaincode Real digests on the chain (all SHA256d): Genesis block hash : 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f Genesis coinbase txid : 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b Avalanche — flip one bit in input ("hello bitcoin" → "hellp bitcoin"): SHA-256 output flips ≈ 128 of 256 bits (~50%) No exploitable structure links input to output.

KEY_PROPERTIES

ONE-WAY

Forward: microseconds. Reverse (input from output): infeasible — security 256 bits for SHA-256, 160 bits for RIPEMD-160.

DETERMINISTIC

Same input → identical output on every machine, every time. No randomness, no clocks. This is what lets nodes agree.

AVALANCHE

One bit changed in the input → roughly half the output bits change. A near-miss in input looks nothing like a near-miss in output.

FIXED OUTPUT SIZE

32 bytes (SHA-256), 20 bytes (RIPEMD-160). Constant size regardless of input length — what makes hashes usable as IDs.

COMMON_PITFALLS

Things that catch people out

PITFALLS

Treating "SHA-256" and "SHA256d" as interchangeable. Bitcoin block hashes and txids use the double hash; single SHA-256 produces a different value entirely.
Forgetting that the on-disk byte order of a hash in Bitcoin is the reverse of how block explorers display it. Internally little-endian; displayed big-endian.
Assuming RIPEMD-160's 160-bit output gives 160-bit collision resistance. By the birthday bound it gives ~80 bits — still strong, but not "160-bit security".
Hashing a public key to derive an address hides the pubkey only until the address is spent from; the spend reveals the pubkey on-chain, which matters for quantum resistance assumptions.

WHERE_YOU'LL_SEE_IT

Pages on this site that cover Hash Function in more depth:

→ Hash Function

RELATED_CONCEPTS

Other terms from Keys & Cryptography — click any to read its page:

TERMINOLOGY_INDEX

TERMINOLOGY

Hash Function

A deterministic function mapping arbitrary input to a fixed-size output; one-way and collision-resistant.

Private Key

A random 256-bit number that gives full spending authority over the coins locked to its derived public key.

Public Key

A point on the secp256k1 curve, derived from a private key, that others use to verify signatures you produce.

Key Pair

A private key paired with its mathematically-linked public key; one signs, the other verifies.

Elliptic Curve

A curve defined by y² = x³ + ax + b; "adding" two points produces a third, and that operation is easy forward but practically impossible to reverse.

secp256k1

The specific elliptic curve Bitcoin uses, chosen for its lack of suspicious constants and high-performance arithmetic.

Generator Point (G)

A fixed agreed-upon point on secp256k1; multiplying G by your private key gives your public key.

Curve Order (n)

The number of distinct points on secp256k1 reachable from G; private keys are integers modulo n.