Canonical hash puzzle
7. Hash Preimage Puzzles Using OP_SHA256
What Are Hash Preimage Puzzles?
A hash preimage puzzle is a Bitcoin UTXO whose spending condition is knowledge of data that hashes to a specific value. Anyone who knows the preimage can spend the output, regardless of whether they generated the puzzle or not.
# Canonical hash puzzle
scriptPubKey:
OP_SHA256
<target_hash>
OP_EQUAL
# Solution
scriptSig:
<preimage>
Creating a SHA256 Hash Puzzle
import hashlib
import os
# Create a puzzle
secret = os.urandom(32) # 32 random bytes
target_hash = hashlib.sha256(secret).digest()
# Locking script bytes (simplified)
script = (
b'\xa8' # OP_SHA256
+ b'\x20' # PUSH 32 bytes
+ target_hash
+ b'\x87' # OP_EQUAL
)
print(f"Secret: {secret.hex()}")
print(f"Target: {target_hash.hex()}")
print(f"Script: {script.hex()}")
Types of Hash Puzzles
1. Simple Knowledge Puzzle
The most basic form — spend if you know the preimage:
scriptPubKey: OP_SHA256 <H> OP_EQUAL
scriptSig: <preimage_of_H>
2. Signature + Hash (Payment Proof)
Used in Lightning HTLCs — requires both a valid signature AND the hash preimage:
scriptPubKey:
OP_SHA256
<payment_hash>
OP_EQUALVERIFY # Must know preimage AND have valid sig
<pubkey>
OP_CHECKSIG
scriptSig:
<signature>
<preimage>
3. Multiple Hash Conditions (AND logic)
Require two separate preimages:
scriptPubKey:
OP_SHA256 <H1> OP_EQUALVERIFY
OP_SHA256 <H2> OP_EQUAL
scriptSig:
<preimage_of_H2>
<preimage_of_H1>
4. Hash with Timelock
Funds claimable with preimage OR refundable after timeout:
scriptPubKey:
OP_IF
OP_SHA256 <H> OP_EQUALVERIFY
<receiver_pubkey> OP_CHECKSIG
OP_ELSE
<locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP
<sender_pubkey> OP_CHECKSIG
OP_ENDIF
Atomic Swaps Using Hash Puzzles
Hash puzzles enable atomic cross-chain swaps. Both UTXOs use the same hash, so revealing the preimage to claim one automatically enables claiming the other:
# Chain A HTLC (Alice locks BTC for Bob)
OP_IF
OP_SHA256 <H> OP_EQUALVERIFY <bob_pubkey_A> OP_CHECKSIG
OP_ELSE
<48h_locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <alice_pubkey_A> OP_CHECKSIG
OP_ENDIF
# Chain B HTLC (Bob locks LTC for Alice)
OP_IF
OP_SHA256 <H> OP_EQUALVERIFY <alice_pubkey_B> OP_CHECKSIG
OP_ELSE
<24h_locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <bob_pubkey_B> OP_CHECKSIG
OP_ENDIF
# Secret known only to Alice
secret s such that SHA256(s) = H
Alice reveals s to claim Bob's LTC. Bob sees s on-chain and uses it to claim Alice's BTC. Neither party can cheat.
Hash Collision Bounties
A fascinating application: locking Bitcoin to the discovery of hash collisions.
# SHA1 collision puzzle (Peter Todd style)
# Pays to anyone who can find two distinct values with the same SHA1 hash
OP_2DUP # Duplicate both inputs
OP_EQUAL # Check if they're equal
OP_NOT # They must NOT be equal (different preimages)
OP_VERIFY # Fail if they're the same
OP_SHA1 # Hash first value
OP_SWAP # Bring second value to top
OP_SHA1 # Hash second value
OP_EQUAL # Their SHA1 hashes must be equal
This puzzle was claimed in 2017 when the SHAttered SHA1 collision was found, with 2.48 BTC being swept in the same block the collision was published.
Security Considerations for Puzzle Designs
``` Danger: Short preimages
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: