Glossary

SHA-256

The cryptographic hash function at the core of Bitcoin mining, address generation, and transaction integrity verification.

Key Takeaways

  • SHA-256 is a cryptographic hash function that converts any input into a fixed 256-bit (32-byte) digest, represented as a 64-character hexadecimal string. It is the backbone of Bitcoin's proof-of-work mining, transaction verification, and address generation.
  • Bitcoin uses double SHA-256 (applying the function twice) for block header hashing, Merkle tree construction, and transaction ID computation, providing defense against length extension attacks.
  • SHA-256's simplicity makes it highly optimizable in hardware: ASIC miners purpose-built for SHA-256 are roughly one million times faster than GPUs, driving the industrialization of Bitcoin mining.

What Is SHA-256?

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function published by the U.S. National Institute of Standards and Technology (NIST) as part of the SHA-2 family. It takes an arbitrary-length input (up to 2^64 - 1 bits) and produces a deterministic, fixed-size 256-bit output called a message digest or hash. Even a single-bit change in the input produces a completely different hash: a property known as the avalanche effect.

Designed by the National Security Agency (NSA), SHA-256 was published as a draft in 2001 and standardized in FIPS PUB 180-2 in 2002 (the current revision is FIPS 180-4). It belongs to the SHA-2 family alongside SHA-224, SHA-384 and SHA-512, plus the later truncated variants SHA-512/224 and SHA-512/256. When Satoshi Nakamoto designed Bitcoin in 2008, SHA-256 was chosen as the core hash function for mining, transaction integrity, and address derivation: a decision that remains foundational to the protocol today.

The function is one-way: given a hash output, there is no known method to recover any input that produces it other than brute-force guessing. This property underpins Bitcoin's proof-of-work consensus, where miners must find inputs whose hashes fall at or below a target threshold, and it is why that search cannot be shortcut.

How It Works

SHA-256 follows the Merkle-Damgård construction: an iterative process that breaks the input message into fixed-size blocks, processes each block through a compression function, and chains the results together.

Message Preprocessing

Before hashing begins, the input message is padded to ensure its length is a multiple of 512 bits:

  1. Append a single '1' bit to the message
  2. Append zero bits until the message length is congruent to 448 mod 512
  3. Append the original message length as a 64-bit big-endian integer

The padded message is then divided into 512-bit (64-byte) blocks for sequential processing.

Compression Function

Each 512-bit block goes through a compression function consisting of 64 rounds. The function operates on eight 32-bit working variables (a through h), initialized from either the fixed initial hash values or the output of the previous block.

The initial hash values are derived from the fractional parts of the square roots of the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, 19). Each of the 64 rounds uses a unique constant derived from the fractional parts of the cube roots of the first 64 primes.

Each round applies four core operations, all on 32-bit words, with every addition taken modulo 2^32:

  • Ch (Choose): Ch(e,f,g) = (e AND f) XOR (NOT e AND g), selecting bits from f or g based on the value of e
  • Maj (Majority): Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c), the majority bit among a, b, and c
  • Sigma0 and Sigma1: XORs of three right rotations that diffuse bit patterns, Sigma0(a) = ROTR2(a) XOR ROTR13(a) XOR ROTR22(a) and Sigma1(e) = ROTR6(e) XOR ROTR11(e) XOR ROTR25(e). The lowercase sigma functions used in the message schedule below are similar but replace one rotation with a right shift.

// SHA-256 round function (pseudocode; all additions mod 2^32)
for i = 0 to 63:
    T1 = h + Sigma1(e) + Ch(e,f,g) + K[i] + W[i]
    T2 = Sigma0(a) + Maj(a,b,c)
    h = g
    g = f
    f = e
    e = d + T1
    d = c
    c = b
    b = a
    a = T1 + T2

After all 64 rounds complete for a block, the working variables are added to the input hash values. This output becomes the input for the next block, or the final hash if no blocks remain.

Message Schedule Expansion

Each 512-bit block is split into 16 initial 32-bit words. These are expanded to 64 words using a schedule function that mixes earlier words through rotations and shifts:

// Message schedule expansion
W[0..15] = block split into 16 x 32-bit words

for i = 16 to 63:
    s0 = ROTR7(W[i-15]) XOR ROTR18(W[i-15]) XOR SHR3(W[i-15])
    s1 = ROTR17(W[i-2]) XOR ROTR19(W[i-2]) XOR SHR10(W[i-2])
    W[i] = W[i-16] + s0 + W[i-7] + s1

The Avalanche Effect

One of SHA-256's most important properties is the avalanche effect: changing a single bit in the input flips approximately 50% of the output bits. This makes the relationship between input and output appear random, preventing any shortcut to finding inputs that produce specific hashes.

SHA-256("hello")  = 2cf24dba5fb0a30e26e83b2ac5b9e29e...
SHA-256("hellp")  = 6013fa8f35f69c8e0e1a1c49e4582cef...

// One letter changed, completely different hash

SHA-256 in Bitcoin

Bitcoin relies on SHA-256 more extensively than any other cryptographic primitive. The protocol uses a double-hashing variant, SHA-256d, which applies SHA-256 twice in sequence. The whitepaper does not state the reason; the usual explanation is that it guards against length extension attacks inherent to the Merkle-Damgård construction.

Mining and Proof of Work

Bitcoin miners compute the double SHA-256 of an 80-byte block header repeatedly, varying the 32-bit nonce (and, once that space is exhausted, the timestamp, version bits, or the coinbase's extra nonce, which changes the Merkle root) until the hash, interpreted as a little-endian 256-bit integer, is at or below the current target. Because the target is tiny compared with 2^256, a valid hash shows a long run of leading zeros in its displayed (byte-reversed) form. The search is computationally expensive but verification takes a single double hash and a comparison.

// Bitcoin mining (simplified)
block_header = version (4 bytes) + prev_hash (32) + merkle_root (32)
             + timestamp (4) + difficulty_bits (4) + nonce (4)    // 80 bytes total

hash = SHA-256(SHA-256(block_header))

// Valid only if hash, read as a little-endian 256-bit integer, is <= difficulty_target
// Example valid hash (byte-reversed display form):
// 00000000000000000002a7c4f8...

At the time of writing, the network's combined hashrate exceeds 900 EH/s (exahashes per second): roughly 9 × 10^20 SHA-256d evaluations every second. Difficulty adjusts every 2,016 blocks (approximately two weeks) to hold the average block interval near 10 minutes.
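To make the header format, the compact target encoding, and the little-endian comparison concrete, here is an added Python example (not code from the original page). It serializes the well-known genesis block header, checks that its hash meets the target encoded in its "bits" field, and then runs a toy miner against a deliberately easy constructed target. Field values for the genesis block are public chain data; the toy header (all-ones Merkle root, fixed timestamp) is constructed.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version: int, prev_hash_hex: str, merkle_root_hex: str,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """Build the 80-byte header. Integers are little-endian; the two 32-byte hashes are
    given in their display (big-endian hex) form and stored byte-reversed."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def bits_to_target(bits: int) -> int:
    """Decode the compact 'nBits' encoding: 1-byte exponent, 3-byte mantissa."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_hash_int(header: bytes) -> int:
    """Consensus compares the digest as a little-endian 256-bit integer."""
    return int.from_bytes(sha256d(header), "little")


def display_hash(header: bytes) -> str:
    """Explorers print the digest byte-reversed, which puts the leading zeros on the left."""
    return sha256d(header)[::-1].hex()


def header_meets_target(header: bytes, bits: int) -> bool:
    return block_hash_int(header) <= bits_to_target(bits)


def mine(version: int, prev_hash_hex: str, merkle_root_hex: str,
         timestamp: int, bits: int, max_nonce: int = 1 << 32):
    """Brute-force the nonce field only. Returns (nonce, header) or None if exhausted."""
    target = bits_to_target(bits)
    prefix = serialize_header(version, prev_hash_hex, merkle_root_hex, timestamp, bits, 0)[:76]
    for nonce in range(max_nonce):
        header = prefix + struct.pack("<I", nonce)
        if int.from_bytes(sha256d(header), "little") <= target:
            return nonce, header
    return None


# Public chain data: the genesis block's header fields.
GENESIS = dict(
    version=1,
    prev_hash_hex="00" * 32,
    merkle_root_hex="4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    timestamp=1231006505,
    bits=0x1D00FFFF,
    nonce=2083236893,
)

if __name__ == "__main__":
    hdr = serialize_header(**GENESIS)
    print(display_hash(hdr), header_meets_target(hdr, GENESIS["bits"]))
    # Constructed toy header with an easy target (~1 in 65,536 nonces succeed).
    nonce, toy = mine(1, "00" * 32, "11" * 32, 1700000000, 0x1F00FFFF)
    print(nonce, display_hash(toy))
```

The toy target 0x1f00ffff expands to 0xffff followed by 224 zero bits, so a solution appears after about 2^16 attempts in well under a second; lower the exponent by one and the expected work rises 256-fold, which is the whole point of the encoding.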

Transaction IDs and Merkle Trees

Every Bitcoin transaction has a unique identifier (txid) computed as the double SHA-256 of its serialized data (for SegWit transactions the txid covers the serialization without witness data; a separate wtxid commits to the witness). These txids serve as leaves in a Merkle tree: pairs of hashes are concatenated and double-hashed to form parent nodes, repeating upward until a single Merkle root remains. When a level has an odd number of nodes, Bitcoin duplicates the last hash to make a pair. The root is stored in the block header, cryptographically committing to every transaction in the block.

Merkle trees enable SPV clients to verify that a transaction is included in a block by checking only a logarithmic number of hashes rather than downloading the entire block. Learn more in our transaction lifecycle deep dive.
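The root computation and the SPV inclusion proof described above, as an added Python example (not code from the original page). It implements Bitcoin's duplicate-the-last-hash rule for odd levels, builds a proof for one leaf, and verifies it with log2(n) hashes. The five txids are constructed for the demonstration; the single real value used is the genesis block's coinbase txid, which is also its Merkle root because the block holds one transaction.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def internal(txid_hex: str) -> bytes:
    """Explorers display txids byte-reversed; the tree is built over the internal byte order."""
    return bytes.fromhex(txid_hex)[::-1]


def _next_level(level: list[bytes]) -> list[bytes]:
    """Hash adjacent pairs; an odd level duplicates its last node first (Bitcoin's rule)."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list[bytes]) -> bytes:
    if not leaves:
        raise ValueError("a block always has at least one transaction (the coinbase)")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; the flag says whether the sibling is on the right."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """What an SPV client does with a header's Merkle root: log2(n) hashes, no full block."""
    node = leaf
    for sibling, sibling_is_right in proof:
        node = sha256d(node + sibling) if sibling_is_right else sha256d(sibling + node)
    return node == root


# Constructed leaves standing in for real txids; five of them exercises the odd-level rule twice.
SAMPLE_TXIDS = [sha256d(b"constructed tx %d" % i) for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_TXIDS)
    proof = merkle_proof(SAMPLE_TXIDS, 4)
    print(root[::-1].hex(), len(proof), verify_proof(SAMPLE_TXIDS[4], proof, root))
```

A proof verifier must know the index of the leaf (the left/right flags here) because concatenation order matters; a proof is only meaningful when the root it is checked against comes from a header whose proof of work the client has already validated.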

Address Generation

Legacy (P2PKH) addresses are derived from the public key in two hashing steps: SHA-256 of the serialized public key, then RIPEMD-160 of that digest, giving a 160-bit value called Hash160. For Base58Check encoding, a version byte (0x00 on mainnet) is prepended, a checksum (the first four bytes of the double SHA-256 of the versioned payload) is appended, and the resulting 25 bytes are encoded in Base58. Native SegWit P2WPKH addresses carry the same Hash160 as a 20-byte witness program but are encoded with Bech32, which uses its own BCH-code checksum rather than the SHA-256d one. Script-based addresses hash a script instead of a key: P2SH uses Hash160 of the redeem script, P2WSH a single SHA-256 of the witness script.
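The Base58Check step, including the SHA-256d checksum and the decode-side validation that catches a mistyped address, as an added Python example (not code from the original page). The Hash160 value and the address it yields are the public worked example from the Bitcoin wiki's description of version 1 addresses; everything else is constructed. RIPEMD-160 itself is only available through hashlib when the underlying OpenSSL build provides it, so the hash160 helper may raise on some systems.

```python
import hashlib

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used here only for the 4-byte checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash160(pubkey: bytes) -> bytes:
    """SHA-256 then RIPEMD-160. Raises ValueError if this OpenSSL build lacks ripemd160."""
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()


def base58_encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    leading_zero_bytes = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out   # each leading 0x00 byte becomes a leading '1'


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + BASE58_ALPHABET.index(ch)   # ValueError for characters outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def base58check_encode(version: int, payload: bytes) -> str:
    versioned = bytes([version]) + payload
    return base58_encode(versioned + sha256d(versioned)[:4])


def base58check_decode(address: str) -> tuple[int, bytes]:
    """Return (version, payload), or raise ValueError if the checksum does not match."""
    raw = base58_decode(address)
    if len(raw) < 5:
        raise ValueError("too short to carry a version byte and checksum")
    versioned, checksum = raw[:-4], raw[-4:]
    if sha256d(versioned)[:4] != checksum:
        raise ValueError("checksum mismatch: typo or corrupted address")
    return versioned[0], versioned[1:]


def p2pkh_address(h160: bytes, mainnet: bool = True) -> str:
    return base58check_encode(0x00 if mainnet else 0x6F, h160)


def is_valid_address(address: str) -> bool:
    try:
        base58check_decode(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Public worked example: Hash160 from the Bitcoin wiki's version-1 address walkthrough.
    h160 = bytes.fromhex("010966776006953d5567439e5e39f86a0d273bee")
    addr = p2pkh_address(h160)
    print(addr, is_valid_address(addr), is_valid_address(addr[:-1] + "N"))
```

The four-byte checksum gives a random typo roughly a 1 in 2^32 chance of slipping through, which is why wallets refuse rather than guess when it fails; Base58 additionally omits 0, O, I and l so that visually confusable characters cannot be entered at all.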

Cryptographic Properties

SHA-256's security relies on several mathematically grounded properties that make it suitable for cryptographic applications:

Property                    | Description                                                          | Difficulty to break
----------------------------|----------------------------------------------------------------------|-----------------------------------
Pre-image resistance        | Given a hash, infeasible to find any matching input                  | ~2^256 operations
Second pre-image resistance | Given an input, infeasible to find another input with the same hash  | ~2^256 operations
Collision resistance        | Infeasible to find any two distinct inputs with the same hash        | ~2^128 operations (birthday bound)
Deterministic               | Same input always yields the same output                             | N/A
Avalanche effect            | One-bit input change flips ~50% of output bits                       | N/A

As of 2026, no practical collision or pre-image attack has been demonstrated against the full 64-round SHA-256. Published cryptanalysis reaches only reduced-round variants, still well short of the full 64 rounds, and does not threaten the algorithm as deployed.

SHA-256 vs Other Hash Functions

SHA-256 exists alongside other widely used hash functions, each with different security profiles and design choices:

Algorithm      | Output  | Status                                 | Bitcoin role
---------------|---------|----------------------------------------|------------------------------------------------------------
MD5            | 128-bit | Broken (collisions since 2004)         | None
SHA-1          | 160-bit | Broken (SHAttered collision, 2017)     | None
RIPEMD-160     | 160-bit | No practical collisions (80-bit bound) | Address generation (Hash160)
SHA-256        | 256-bit | Secure                                 | Mining, Merkle trees, txids, Base58Check checksums
SHA-3 (Keccak) | 256-bit | Secure                                 | None (Ethereum uses Keccak-256, whose padding differs from FIPS 202 SHA3-256)

SHA-3 uses the Keccak sponge construction rather than Merkle-Damgård: the output is only part of the internal state, so the digest does not reveal enough to resume the computation, and length extension does not apply. Bitcoin predates SHA-3's standardization (FIPS 202, 2015), and since SHA-256 remains unbroken there is no compelling reason to migrate.

ASIC Mining and Hardware Optimization

SHA-256's design makes it exceptionally well-suited for ASIC (Application-Specific Integrated Circuit) optimization. The algorithm uses only simple 32-bit operations: bitwise AND, OR, XOR, NOT, right rotation, right shift, and modular addition. These map directly to basic logic gates (a fixed rotation is just wiring and costs nothing), allowing chip designers to unroll all 64 rounds into a pipeline of physical circuitry.

Unlike memory-hard algorithms (such as Scrypt or Ethash), SHA-256 requires minimal memory, enabling pure computational throughput. A modern ASIC miner can compute over 200 TH/s (terahashes per second) while consuming under 3,500 watts. By comparison, a high-end GPU achieves roughly 250 MH/s on SHA-256: approximately one million times slower.

This ASIC dominance has shaped Bitcoin's mining ecosystem into an industrial-scale operation. Techniques like AsicBoost exploit the structure of the hashing itself: the 80-byte header straddles two 64-byte SHA-256 blocks, so by generating candidate headers that share the second block (for example by varying version bits) part of the per-attempt work can be computed once and reused, reducing the computation per hash attempt and further widening the gap between specialized hardware and general-purpose processors. For a deeper analysis, see our Bitcoin mining economics research.

Risks and Considerations

Quantum Computing

Grover's algorithm could theoretically reduce SHA-256's pre-image resistance from 2^256 to 2^128 operations, halving the security level in bits. However, 128-bit security remains far beyond the reach of any foreseeable quantum computer, and Grover's speed-up is hard to parallelize, so the practical gain is smaller still. NIST currently considers SHA-256 adequate against quantum adversaries. The greater quantum threat to Bitcoin lies in elliptic curve signatures, which are vulnerable to Shor's algorithm. Explore this topic further in our post-quantum cryptography analysis.

Length Extension Attacks

Because SHA-256 uses the Merkle-Damgård construction, the digest is the complete internal state after the final block. Given SHA-256(m) and the length of m, an attacker can therefore resume the computation and produce SHA-256(m || padding || m') without knowing m. This only matters when the hash is misused as a keyed authenticator, SHA-256(secret || message): the attacker can then forge a valid tag for an extended message. Double SHA-256 defeats the trick for Bitcoin's structures because the outer hash's input is a fixed-size digest that cannot be extended into m; in general software the correct construction is HMAC rather than ad-hoc double hashing. Newer protocol features like P2WSH script hashes use single SHA-256 because the preimage (the witness script) is public and there is no secret prefix, so extension gains the attacker nothing.
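The following single added example (not code from the original page) serves two passages: it turns the How It Works pseudocode (padding, message schedule, compression) into a working SHA-256, deriving the round constants and initial state from prime roots exactly as that section describes, and then uses the same code to carry out the length-extension attack from this paragraph against a naive SHA-256(secret || message) tag, showing that the same attempt fails against SHA-256d. The secret, message and suffix are constructed for the demonstration; the digest test vectors are the published ones.

```python
import math
import struct

MASK = 0xFFFFFFFF


def first_primes(count: int) -> list[int]:
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


def icbrt(n: int) -> int:
    """floor(cube root of n) in exact integer arithmetic (floats would lose low bits)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


# Constants derived as the text describes: fractional bits of the cube roots of the
# first 64 primes (K) and of the square roots of the first 8 primes (initial state).
K = [icbrt(p << 96) & MASK for p in first_primes(64)]
H0 = [math.isqrt(p << 64) & MASK for p in first_primes(8)]


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def padding(total_len: int) -> bytes:
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros to 56 mod 64,
    then the bit length as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def compress(state: list[int], block: bytes) -> list[int]:
    """One 64-round compression of a 512-bit block into the eight-word chaining state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):                       # message schedule expansion
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):                           # the round function from the pseudocode
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha256(data: bytes, state=None, prior_len: int = 0) -> bytes:
    """SHA-256 of data. 'state' and 'prior_len' resume from a known chaining value,
    which is exactly the hook a length-extension attacker abuses."""
    state = list(H0) if state is None else list(state)
    padded = data + padding(prior_len + len(data))
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack(">8I", *state)


def sha256d(data: bytes) -> bytes:
    return sha256(sha256(data))


def length_extend(known_digest: bytes, known_len: int, suffix: bytes) -> tuple[bytes, bytes]:
    """Given only SHA-256(m) and len(m), return (glue, SHA-256(m || glue || suffix))."""
    glue = padding(known_len)
    resumed = sha256(suffix, struct.unpack(">8I", known_digest), known_len + len(glue))
    return glue, resumed


def demonstrate(secret: bytes, message: bytes, suffix: bytes) -> dict:
    """Naive tag = SHA-256(secret || message). The attacker sees tag and message, never secret."""
    m = secret + message
    glue, forged = length_extend(sha256(m), len(m), suffix)
    forged_message = message + glue + suffix
    glue_d, forged_d = length_extend(sha256d(m), len(m), suffix)   # same attempt on SHA-256d
    return {
        "forged_message": forged_message,
        "single_hash_forgery_accepted": forged == sha256(secret + forged_message),
        "double_hash_forgery_accepted": forged_d == sha256d(secret + message + glue_d + suffix),
    }


if __name__ == "__main__":
    print(sha256(b"hello").hex())
    print(demonstrate(b"constructed-secret", b"user=alice&role=user", b"&role=admin"))
```

The attacker still needs len(secret) to compute the glue, but that is a small search space, and the forged message carries visible padding bytes, which is usually tolerated by whatever parses it. Note the asymmetry the demo exposes: resuming from SHA-256d(m) extends the outer hash's input (a 32-byte digest), not m, so the result never matches SHA-256d of any extension of m.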

Mining Centralization

SHA-256's ASIC-friendliness creates a high barrier to entry for mining. The capital expenditure required for competitive ASIC hardware concentrates mining power among well-funded operations, raising centralization concerns. This is a deliberate tradeoff: ASIC efficiency converts the energy spent on mining into the most hashes per joule, maximizing the cost an attacker must match to rewrite history, but it excludes casual participants who might mine with general-purpose hardware.

Algorithm Permanence

Changing Bitcoin's hash function would require a hard fork and would render the entire existing ASIC mining industry obsolete. This creates strong path dependency: even if a theoretically superior hash function emerged, the economic and coordination costs of migration make it extremely unlikely. SHA-256 is effectively a permanent fixture of the Bitcoin protocol.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.