BitcoinMachine
TERM_DEF // MODULE_5_CRYPTO_PRIMITIVES / HASH_FUNCTION
HASH
FUNCTION
Hash function. One-way function that maps arbitrary data to a fixed-size digest.

A cryptographic hash function takes any input and produces a fixed-size output (the digest or hash). It is deterministic, fast to compute, and practically impossible to reverse (preimage-resistance/">preimage resistance) or to find two inputs with the same output (collision resistance). Bitcoin Script has five built-in hash functions: OP_SHA1, OP_SHA256, hash256/">OP_HASH256, OP_RIPEMD160, and hash160/">OP_HASH160.

This page sits in the Module 5 — Crypto Primitives section — Vocabulary introduced in the Crypto Primitives module. Read on for what it is, why it exists, how it works under the hood, and what to watch out for.
WHAT_HASH_FUNCTION_IS
Hash function — at a glance
MODULE 5
A hash function is a deterministic one-way map from arbitrary-length input to a fixed-length digest. Bitcoin relies on two specific hash functions — SHA-256 and RIPEMD-160 — for every txid, every block-hash/">block hash, every merkle root, every address, every BIP32 derivation, and every proof of work. Replace either with something weaker and the entire edifice falls down.
A cryptographic hash function takes any input and produces a fixed-size output (the digest or hash). It is deterministic, fast to compute, and practically impossible to reverse (preimage resistance) or to find two inputs with the same output (collision resistance). Bitcoin Script has five built-in hash functions: OP_SHA1, OP_SHA256, OP_HASH256, OP_RIPEMD160, and OP_HASH160.
Why it exists
DESIGN
A blockchain needs short, fixed-size identifiers for arbitrarily large objects (transactions, blocks, scripts) so they can be referenced by name without copying. It needs one-wayness so commitments are binding — once a block header commits to a merkle root, no one can swap in a different transaction set without breaking every downstream hash. And it needs collision resistance so two distinct objects cannot share an ID. Hash functions deliver all three from a single primitive, with no shared secret and no trusted party.
HOW_IT_WORKS
Mechanism
HOW IT WORKS
Bitcoin almost never uses a hash function once. Block hashes and txids use SHA256d = SHA256(SHA256(x)) — the double hash defends against length-extension attacks on the underlying Merkle-Damgård construction. Addresses use HASH160 = RIPEMD160(SHA256(x)) — two independent hash functions in series, so an attacker must break both, and a 20-byte digest keeps scriptPubKey short. HD key derivation uses hmac-sha512/">HMAC-SHA512 — a keyed construction whose output is unpredictable to anyone without the chaincode.
1. Take the input bytes — a transaction serialisation, a block header, a public key, whatever needs an identifier. 2. Apply the construction Bitcoin defines for that use case: SHA256d, HASH160, or HMAC-SHA512. 3. The output is fixed-size: 32 bytes for SHA-256/SHA256d, 20 bytes for HASH160, 64 bytes for HMAC-SHA512. 4. Any verifier on the network re-runs the same construction against the same public input and re-checks the result. 5. A single bit flipped in the input changes roughly half the output bits (avalanche) — what makes hashes usable as tamper-evident fingerprints. 6. Reversing the output to recover the input requires ≈ 2²⁵⁶ work for SHA-256 — more than every computer on Earth has ever done, combined.
WORKED_EXAMPLE
Bitcoin's three hash constructions, side by side
EXAMPLE
Input: "hello bitcoin" Bytes: 68 65 6c 6c 6f 20 62 69 74 63 6f 69 6e (13 bytes) SHA256d(input) = SHA256(SHA256(input)) ← used for block hashes, txids output: 32 bytes HASH160(input) = RIPEMD160(SHA256(input)) ← used for P2PKH / P2SH addresses output: 20 bytes HMAC-SHA512(key, input) ← used for BIP32 child key derivation output: 64 bytes — split as 32 bytes key tweak + 32 bytes chaincode Real digests on the chain (all SHA256d): Genesis block hash : 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f Genesis coinbase txid : 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b Avalanche — flip one bit in input ("hello bitcoin" → "hellp bitcoin"): SHA-256 output flips ≈ 128 of 256 bits (~50%) No exploitable structure links input to output.
KEY_PROPERTIES
ONE-WAY
Forward: microseconds. Reverse (input from output): infeasible — security 256 bits for SHA-256, 160 bits for RIPEMD-160.
DETERMINISTIC
Same input → identical output on every machine, every time. No randomness, no clocks. This is what lets nodes agree.
AVALANCHE
One bit changed in the input → roughly half the output bits change. A near-miss in input looks nothing like a near-miss in output.
FIXED OUTPUT SIZE
32 bytes (SHA-256), 20 bytes (RIPEMD-160). Constant size regardless of input length — what makes hashes usable as IDs.
COMMON_PITFALLS
Things that catch people out
PITFALLS
  • Treating "SHA-256" and "SHA256d" as interchangeable. Bitcoin block hashes and txids use the double hash; single SHA-256 produces a different value entirely.
  • Forgetting that the on-disk byte order of a hash in Bitcoin is the reverse of how block explorers display it. Internally little-endian; displayed big-endian.
  • Assuming RIPEMD-160's 160-bit output gives 160-bit collision resistance. By the birthday bound it gives ~80 bits — still strong, but not "160-bit security".
  • Hashing a public key to derive an address hides the pubkey only until the address is spent from; the spend reveals the pubkey on-chain, which matters for quantum resistance assumptions.
WHERE_YOU'LL_SEE_IT
Pages on this site that cover Hash function in more depth:
Hash Function
RELATED_CONCEPTS
Other terms from Module 5 — Crypto Primitives — click any to read its page:
SHA-256 RIPEMD-160 HASH160 Preimage
TERMINOLOGY_INDEX
TERMINOLOGY
Hash function
One-way function that maps arbitrary data to a fixed-size digest.
SHA-256
256-bit cryptographic hash function used throughout Bitcoin.
RIPEMD-160
160-bit hash function; combined with SHA-256 gives HASH160.
HASH160
RIPEMD160(SHA256(x)) — produces the 20-byte pubkey hash.
Preimage
The original input to a hash function.