COLDCARD logo
Shopping cart Shop

What Are Bitcoin Hash Functions?

Hash functions are mathematical procedures that take any input and produce a fixed-length output, and Bitcoin uses them throughout its design, from generating addresses to confirming transactions to running its mining operations.

Hash functions are mathematical procedures that take any input and produce a fixed-length output, and Bitcoin uses them throughout its design, from generating addresses to confirming transactions to running its mining operations. Understanding what hash functions are and why they behave the way they do explains a large part of how Bitcoin's security model works.

What is a Hash Function?

You can think of a hash function as a mathematical fingerprint machine. You feed it any piece of data (a word, a file, some data, an entire list of transactions) and it produces a fixed-length "fingerprint." The same input always produces the same fingerprint, and any slight difference in the input produces a completely different one. Crucially, you cannot work backwards from the fingerprint to recover the original data.

That last property is what makes hash functions useful for security, and in particular for Bitcoin.

A hash function converts any input into a fixed-length output called a "hash." For the Secure Hash Algorithm 256-bit (SHA-256), Bitcoin's primary hash function, the output is always 256 bits (32 bytes), regardless of whether the input is two characters or two gigabytes. The output length never changes.

Hashing is not the same as encrypting. Encryption is reversible, which means gven the right key, you can decrypt the output back to the original. Hashing is not reversible at all. There is no key, no algorithm, and no shortcut. Given a hash output, the only way to find the input is to try every possible input until one produces a matching hash, a task that is, for a well-designed hash function, computationally impossible at any realistic scale.

What Properties Make Hash Functions Useful for Bitcoin?

There are six properties that make the hash functions used by Bitcoin useful for its operations as a peer-to-peer electronic cash system:

  1. Variable input, fixed output. Any input (a single character or a gigabyte of data) produces an output of the same fixed length. For SHA-256, that is always 256 bits (32 bytes). For RIPEMD-160, always 160 bits (20 bytes). The output size is independent of the input size.

  2. Deterministic. The same input always produces the same output, every time, on any machine. This makes hash functions usable as verifiable fingerprints. Any party can recompute the hash and independently confirm a match.

  3. One-way. Given a hash output, there is no efficient method to find the input that produced it. This is why Bitcoin addresses do not reveal the public key that generated them, only its hash. There is no known "unhashing" process.

  4. Avalanche effect. A single change in the input produces a completely different output, not a slightly different one. Change one letter in a word and the entire hash looks nothing like the original. There is no relationship between similar inputs and their outputs, no gradient, and no way to approach the right answer incrementally.

  5. Collision resistant. It is computationally infeasible to find two different inputs that produce the same output (a "collision"). SHA-256's collision resistance has not been broken and the output space is 2²⁵⁶ possible values, making accidental or deliberate collisions practically impossible.

  6. Asymmetric difficulty. Finding a hash output that meets a specific criterion (such as a hash that begins with certain number of zeros) can only be done through arduous trial and error of different input variations. Verifying that a particular input produces a particular output is quick and easy. This difficulty asymmetry between producing a particular output and checking it is what proof of work is built on.

SHA-256 is not a Bitcoin-specific invention. It is the same algorithm used in TLS, the protocol behind HTTPS. If you click on the "lock" icon in your web browser's URL, you may find the security certificate is produced with SHA-256.

It is also used by U.S. government for secure communications and for banking security infrastructure worldwide. Its security has been extensively peer-reviewed over decades and is independent of Bitcoin. Readers new to cryptographic hash functions can treat SHA-256's security as established, not experimental.

How Does Bitcoin Use SHA-256 in Address Generation?

When a Bitcoin address is generated from a public key, SHA-256 is the first step in a two-stage hashing pipeline.

The pipeline takes a compressed public key (33 bytes) and processes it as follows: SHA-256 produces a 32-byte hash, then RIPEMD-160 processes that hash to produce a 20-byte output. This 20-byte value is called Hash160 and is the core of the Bitcoin address before version bytes, checksums, and encoding are applied.

The reason to use two hash functions instead of one is added defensive depth. SHA-256 and RIPEMD-160 have different internal designs, so a weakness discovered in one would not automatically compromise the other. Running both in sequence means an attacker would need to break both to reverse an address to its public key.

The one-way properties are essential for preserving security and privacy:

  1. Given a Bitcoin address, you cannot reverse it to find the underlying Hash160.
  2. Given the Hash160, you cannot reverse it to find the public key.
  3. Given the public key, you cannot reverse it to find the private key.

Each stage adds an independent layer of one-way protection.

Bitcoin also uses double-SHA-256 in several contexts: applying SHA-256 twice in sequence, using the first output as the input for the second. This is used for block header hashing, transaction IDs, and checksums embedded in Base58Check encoding.

The address generation context is covered in full in What is a Bitcoin address?

How Does Bitcoin Use SHA-256 in Proof of Work?

Bitcoin mining serves two primary purposes of adding transactions to Bitcoin's ledger and issuing new bitcoin into circulation. It is an open competition, and SHA-256 is what makes it a genuine competition rather than a calculation.

Miners work to produce a hash of the block header that falls below a specific numerical target. In practice, a valid hash starts with a required number of leading zeros. The network sets this target and adjusts it periodically to keep new blocks arriving roughly every 10 minutes.

The block header that miners hash includes two categories of inputs:

  1. Fixed information: The Bitcoin software version, the previous block's hash, the Merkle root (a hash of all the block's transactions), a timestamp, and the current difficulty target.
  2. Variable information: A number called a nonce.

Since hashes are unpredictable, the only way to produce a valid hash is trial and error. Miners increment the nonce and re-run SHA-256 until they find a hash that meets the target. The first miner to find one broadcasts it to the network and wins the right to add the next block and get paid the reward in bitcoin.

The avalanche effect ensures that every nonce attempt produces a completely different hash. There is no way to look at a hash that almost meets the target and make a small adjustment to get closer. Each attempt is independent and only brute force guessing works.

The one-way nature of SHA-256 means no one can reverse-engineer the winning nonce from the hash. The network can verify a submitted solution with a single computation by simply re-running the hash with the nonce, even though thee miner who found it had to perform billions. This asymmetry between the cost of finding the solution and the cost of verifying it is what makes proof of work work.

The proof of work mechanism is covered in greater detail in What is Bitcoin?.

Where Do Hash Functions Appear in Bitcoin?

Hash functions are used throughout Bitcoin's design. They appear wherever the protocol needs to verify integrity, compress data, or create an unforgeable proof of work.

  1. Proof of work (mining). Miners repeatedly apply double-SHA-256 to the block header until they find a hash below the current target. Each attempt is independent, and the result cannot be reverse-engineered. The winning hash is proof the computation was performed.

  2. Transaction IDs. Every Bitcoin transaction is identified by the double-SHA-256 hash of its serialized data. If any part of the transaction changes, the transaction ID changes. Transaction IDs are how nodes refer to specific transactions and how UTXOs are identified.

  3. Block integrity (Merkle trees). All transactions in a block are organized into a Merkle tree, described in the next section. The root of that tree is committed to in the block header. Altering any transaction changes the Merkle root, which changes the block header, which changes the block's hash. This is the avalanche effect, and it prevents silent manipulation of data.

  4. Address generation. The SHA-256 and RIPEMD-160 pipeline converts a 33-byte compressed public key into the 20-byte Hash160 at the core of every Bitcoin address. The full pipeline is covered in What is a Bitcoin private key? and What is a Bitcoin address?

  5. Checksum generation. SHA-256 produces the checksums embedded in Base58Check address encoding and in BIP39 seed phrase generation. These checksums allow wallets and users to detect transcription errors before funds are sent or seed phrases are recorded incorrectly.

What is a Merkle Tree?

A Merkle tree is a data structure that uses hash functions to create a compact, tamper-evident summary of a set of data. In Bitcoin, it summarizes every transaction in a block.

The construction works from the bottom up. You start with all the transactions in a block, hash each one individually, then take those hashes in pairs and hash each pair together. You then repeat the process, taking the resulting hashes in pairs and hashing again, until only a single hash remains. That final hash is the Merkle root, which is like a hash of hashes.

The Merkle root is stored in the block header and serves as compact commitment to every transaction in the block.

Tamper Evident and Efficiency

Tamper evidence follows from how hash functions work. If any transaction in the block changes, its hash changes. That changed hash propagates upward through every pair it is part of, changing every intermediate hash above it, and ultimately changing the Merkle root. A block with an altered transaction produces a different Merkle root from the one committed in the header, so the alteration is immediately detectable.

The Merkle structure also enables efficient verification. A node that does not store the full block can verify that a specific transaction is included using only a Merkle proof, a small set of hashes, one per level of the tree, rather than the full block. The node can reconstruct the path from the transaction up to the Merkle root and confirm the root matches what is in the block header. This is how lightweight nodes can verify transactions without downloading everything.

Related articles

How Bitcoin wallets work

How Bitcoin wallets generate keys, derive addresses, and sign transactions, and why they store keys, not bitcoin.

Read article

What is public key cryptography?

The mathematical system that lets Bitcoin prove ownership and authorize transactions without revealing the private key.

Read article

What is a Bitcoin address?

What a Bitcoin address is, how it is derived from a public key, and why address reuse undermines privacy.

Read article

What is a Bitcoin seed phrase?

The sequence of 12 or 24 words that generates every key in a Bitcoin wallet and serves as the sole recovery backup

Read article