Glossary

RIPEMD-160

A 160-bit hash function used in Bitcoin address generation to shorten public key hashes, combined with SHA-256 in HASH160.

Key Takeaways

  • RIPEMD-160 is a cryptographic hash function that produces a fixed 160-bit (20-byte) output. Bitcoin uses it in combination with SHA-256 in the HASH160 operation to generate compact addresses for P2PKH, P2SH, and P2WPKH outputs.
  • The dual-hash construction chains two independent hash families (NIST and European academic) for defense-in-depth: an attacker would need to break both SHA-256 and RIPEMD-160 to compromise a Bitcoin address.
  • Taproot (BIP-341) eliminated RIPEMD-160 from P2TR addresses, embedding a 32-byte public key directly to achieve 128-bit collision security instead of HASH160's 80-bit level.

What Is RIPEMD-160?

RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest, 160-bit) is a cryptographic hash function designed in 1996 by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel at the COSIC research group at KU Leuven in Belgium. It takes an arbitrary-length input and produces a fixed 160-bit (20-byte) digest, typically displayed as a 40-character hexadecimal string.

RIPEMD-160 was created as a strengthened successor to the original 128-bit RIPEMD, which had been developed within the EU-funded RIPE (RACE Integrity Primitives Evaluation) project. After weaknesses were found in the original design, the 160-bit version was published with a completely revised structure. The algorithm is patent-free and standardized in ISO/IEC 10118-3.

In Bitcoin, RIPEMD-160 serves a specific role: it shortens a 256-bit SHA-256 hash down to 160 bits, producing the compact public key hashes that become part of Bitcoin addresses. This composite operation is called HASH160 and appears throughout Bitcoin Script as the OP_HASH160 opcode.

How It Works

RIPEMD-160 uses the Merkle-Damgård construction with a unique dual parallel pipeline design. The input message is padded to a multiple of 512 bits, then processed through a compression function consisting of 80 stages organized as five blocks of 16 iterations each. Two independent computation paths process the message simultaneously with five distinct nonlinear functions applied in opposing directions across the two parallel lines. The results are combined at each step using modulo 2^32 addition.

The HASH160 Operation

Bitcoin never uses RIPEMD-160 alone. Instead, it chains two hash functions in a composite operation called HASH160:

HASH160(data) = RIPEMD-160(SHA-256(data))

// Step 1: SHA-256 produces a 256-bit (32-byte) digest
sha256_hash = SHA-256(compressed_public_key)
// e.g., 0x600ffe422b4e00731a59557a5cca46cc183944191006324a447bdb2d98d4b408

// Step 2: RIPEMD-160 compresses to 160-bit (20-byte) digest
pubkey_hash = RIPEMD-160(sha256_hash)
// e.g., 0x010966776006953d5567439e5e39f86a0d273bee

For a P2PKH address, this 20-byte hash is then prepended with a version byte (0x00 for mainnet) and encoded with Base58Check to produce the familiar address starting with "1". For P2WPKH addresses, the same 20-byte HASH160 output becomes the witness program, encoded with Bech32 to produce addresses starting with "bc1q".

Address Generation Step by Step

The full process for creating a legacy Bitcoin address from a public key:

  1. Start with a compressed public key (33 bytes)
  2. Apply SHA-256 to produce a 256-bit hash
  3. Apply RIPEMD-160 to the SHA-256 output, producing a 160-bit hash
  4. Prepend the network version byte (0x00 for mainnet P2PKH)
  5. Compute a checksum: double SHA-256 the versioned payload, take the first 4 bytes
  6. Append the checksum and Base58-encode the result

The resulting address is approximately 34 characters long. Without RIPEMD-160's compression step, using a raw 256-bit hash would produce addresses exceeding 50 characters. For a deeper look at how each address format works, see the research article on Bitcoin address types from P2PKH to Taproot.
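The six steps above, together with the dual-line compression function from "How It Works", as an added Python example (not code from this page or from any Bitcoin implementation). RIPEMD-160 is written out in pure Python because hashlib's "ripemd160" depends on the local OpenSSL build; the function names are illustrative, and the four table strings pack the specification's per-step word indices and rotate amounts as one hex digit each.

```python
import hashlib

# Spec tables, one hex digit per step (80 steps): message-word index and
# left-rotate amount for the left line (ML, SL) and the right line (MR, SR).
ML = "0123456789abcdef74d1a6f3c0952eb83ae49f812706db5c19ba08c4d37fe56240597c2ae138b6fd"
MR = "5e7092b4d6f81a3c6b370d5aef8c4912f5137e69b8c2a04d86413bf05c2d97aecfa4158762de039b"
SL = "befc5879bdef6798768db97f7cf9b7dcbd67e9dfe8d65c75bcefef989e56865c9f5b68dc5cdeb856"
SR = "899bdff5778beec69df7c89b77c76fdb97fb866ecd5edd75f58bee6e69c9c5f885c9c5e68d65fdbb"
KL = (0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E)
KR = (0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9, 0)
F = (lambda x, y, z: x ^ y ^ z, lambda x, y, z: (x & y) | (~x & z),
     lambda x, y, z: (x | ~y) ^ z, lambda x, y, z: (x & z) | (y & ~z),
     lambda x, y, z: x ^ (y | ~z))  # left line uses F[0..4], right line F[4..0]
M32 = 0xFFFFFFFF

def rol(x, n):
    x &= M32
    return ((x << n) | (x >> (32 - n))) & M32

def ripemd160(msg: bytes) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg += b"\x80" + bytes((55 - len(msg)) % 64) + (8 * len(msg)).to_bytes(8, "little")
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + 4 * i: off + 4 * i + 4], "little") for i in range(16)]
        left, right = list(h), list(h)  # both lines start from the chaining value
        for j in range(80):
            rnd = j >> 4
            for v, m, s, k, f in ((left, ML, SL, KL[rnd], F[rnd]), (right, MR, SR, KR[rnd], F[4 - rnd])):
                t = rol(v[0] + f(v[1], v[2], v[3]) + x[int(m[j], 16)] + k, int(s[j], 16)) + v[4]
                v[:] = [v[4], t & M32, v[1], rol(v[2], 10), v[3]]
        # The lines are folded into the chaining value once per 512-bit block, mod 2^32.
        h = [(h[(i + 1) % 5] + left[(i + 2) % 5] + right[(i + 3) % 5]) & M32 for i in range(5)]
    return b"".join(v.to_bytes(4, "little") for v in h)

def hash160(data: bytes) -> bytes:
    return ripemd160(hashlib.sha256(data).digest())

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def p2pkh_address(pubkey: bytes, version: bytes = b"\x00") -> str:
    payload = version + hash160(pubkey)                                            # steps 2-4
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]  # step 5
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Step 6: each leading zero byte is encoded as a literal '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out
```

Calling ripemd160() on the 32-byte SHA-256 digest shown in the HASH160 example above reproduces the 20-byte value given there, which is a quick way to check an implementation against this page.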

Why Two Hash Functions?

Chaining SHA-256 (designed by the NSA, standardized by NIST) with RIPEMD-160 (designed by European academics) provides several security benefits:

  • Algorithm diversity: if a vulnerability is discovered in one hash family, the other still protects the address. An attacker would need to break both functions.
  • Length-extension protection: SHA-256 alone is susceptible to length-extension attacks. Applying RIPEMD-160 as a second hash eliminates this vector entirely.
  • Institutional independence: the two functions come from entirely separate research traditions, reducing the risk that a shared design flaw affects both.

Which Address Types Use RIPEMD-160?

Not all Bitcoin address formats rely on RIPEMD-160. The trend in newer formats has been to move toward 256-bit outputs or eliminate public key hashing altogether:

Address Type    Prefix     Uses RIPEMD-160      Hash Output
P2PKH           1...       Yes (HASH160)        20 bytes
P2SH            3...       Yes (HASH160)        20 bytes
P2WPKH          bc1q...    Yes (HASH160)        20 bytes
P2WSH           bc1q...    No (SHA-256 only)    32 bytes
P2TR            bc1p...    No (raw public key)  32 bytes

P2WSH was the first address type to drop RIPEMD-160, using a straight SHA-256 hash of the witness script to produce a 32-byte witness program. This raised the collision resistance from 2^80 to 2^128 operations. P2TR went further by embedding the public key directly rather than hashing it at all.

Taproot and the Move Beyond RIPEMD-160

Taproot, activated in November 2021 via BIP-341, represents a deliberate architectural shift away from RIPEMD-160. P2TR addresses store the 32-byte x-coordinate of a tweaked Schnorr public key directly in the witness program rather than hashing it.

The BIP-341 specification explains the reasoning: since the public key must be revealed to every verifier for signature validation and batch verification, hashing it first adds overhead without meaningful security benefit. Maintaining 128-bit collision security would require a 256-bit hash output anyway, which is comparable in size to the public key itself.

All internal hash operations in Taproot use domain-separated ("tagged") SHA-256 exclusively. This includes the Merkle tree construction for script paths, tap tweaks, and signature hashes. RIPEMD-160 plays no role in the Taproot ecosystem. For a deeper technical explanation, see the research article on Taproot and Schnorr signatures.

Use Cases

Bitcoin Address Generation

The primary use case for RIPEMD-160 in Bitcoin is address generation. Every P2PKH, P2SH, and P2WPKH address on the network was derived using HASH160. As of 2026, the majority of Bitcoin's UTXO set still consists of outputs locked to HASH160-based scripts.

Script Validation

The OP_HASH160 opcode in Bitcoin Script performs the RIPEMD-160(SHA-256(x)) operation inline during transaction validation. It appears in the standard locking scripts for P2PKH and P2SH outputs:

// P2PKH ScriptPubKey
OP_DUP OP_HASH160 <pubkey_hash_20bytes> OP_EQUALVERIFY OP_CHECKSIG

// P2SH ScriptPubKey
OP_HASH160 <script_hash_20bytes> OP_EQUAL

When a spender provides their public key or redeem script, the node computes HASH160 on the provided data and verifies it matches the 20-byte hash committed in the output.

Compact QR Codes and Data Transmission

The 20-byte output keeps addresses short enough for practical use in QR codes, printed invoices, and manual transcription. A 34-character Base58Check address fits comfortably in low-density QR codes, while a 50+ character address from a raw 256-bit hash would require larger codes and be more prone to transcription errors.

Risks and Considerations

Collision Resistance at 160 Bits

RIPEMD-160 provides 2^80 collision resistance via the birthday bound, compared to 2^128 for SHA-256. While 2^80 operations remain computationally enormous (approximately 1.2 x 10^24 operations), it is considered the weakest link in Bitcoin's address security model. This is one reason the protocol has been trending toward 256-bit outputs in newer address formats.

In practice, exploiting a HASH160 collision for theft would require not just finding two inputs that produce the same hash, but finding a collision where one input corresponds to a public key the attacker controls. This is substantially harder than a generic collision attack.

Cryptanalytic Progress

Full 80-round RIPEMD-160 has never been broken. However, academic attacks against reduced-round variants have steadily advanced:

  • In 2023, researchers achieved practical collision attacks against 40 of 80 rounds (50% of the full function) using SAT/SMT-based methods
  • Semi-free-start collisions (a weaker attack model where the attacker chooses the initial hash state) have reached 44 rounds as of 2025
  • These attacks do not threaten real-world Bitcoin usage today, but the trajectory has motivated the move to stronger constructions in Taproot

Quantum Computing Considerations

Grover's algorithm could reduce the preimage resistance of RIPEMD-160 from 2^160 to 2^80 and collision resistance from 2^80 to approximately 2^53 on a sufficiently powerful quantum computer. While such machines do not exist today, this is another factor favoring the larger security margins provided by 256-bit constructions in modern address formats. For more on this topic, see the research article on post-quantum cryptography and Bitcoin.

No Impact on Existing Funds

Funds stored in HASH160-based addresses (P2PKH, P2SH, P2WPKH) remain secure under current cryptographic assumptions. Moving to P2TR addresses is recommended for new outputs, but there is no urgent need to migrate existing holdings. The dual-hash construction of HASH160 means an attacker must defeat both SHA-256 and RIPEMD-160 to compromise an address whose public key has not been revealed on-chain.
