TeachMeBitcoin

Collision example (conceptual):

From TeachMeBitcoin, the free encyclopedia Reading time: 3 min

1. OP_SHA1 — SHA1 Hashing on the Stack

Overview

OP_SHA1 is one of Bitcoin's earliest cryptographic opcodes, introduced in Satoshi Nakamoto's original codebase. It applies the SHA-1 (Secure Hash Algorithm 1) hash function to the top element of the script execution stack, replacing that element with the resulting 20-byte hash digest.

Opcode value: 0xa7 (decimal 167)
Output size: 20 bytes (160 bits)
Stack effect: Pops 1 element, pushes 1 element

How SHA-1 Works

SHA-1 was designed by the NSA and published by NIST in 1995. It processes input data in 512-bit (64-byte) chunks and produces a 160-bit digest. The algorithm involves bitwise operations, modular addition, and a compression function applied across 80 rounds.

SHA1("hello") = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA1("hello world") = 2aae6c69c37c8a4ef491a8d4c64b3e7c0618ef1c
SHA1("") = da39a3ee5e6b4b0d3255bfef95601890afd80709

Script Execution Behavior

When the script interpreter encounters OP_SHA1, it performs the following steps:

Before: [ ... | top_element ]

Operation: hash = SHA1(top_element)

After:  [ ... | hash_result ]

A script that hashes the input with SHA-1 and checks it against an expected value looks like this:

scriptPubKey: OP_SHA1 <expected_hash> OP_EQUAL
scriptSig:    <preimage>

Full execution trace:

Initial stack:    [ <preimage> ]
After OP_SHA1:    [ SHA1(<preimage>) ]
Push hash:        [ SHA1(<preimage>) | <expected_hash> ]
After OP_EQUAL:   [ 1 ]  (if hashes match, else 0)

Security Concerns with SHA-1

SHA-1 is considered cryptographically broken. In 2017, Google's research team published the "SHAttered" attack, demonstrating the first practical SHA-1 collision — two different files that produce the same SHA-1 hash. This means:

  1. An attacker could potentially construct a second preimage that hashes to the same value.

  2. Scripts relying solely on SHA-1 for security can no longer be considered safe.

# Collision example (conceptual):
SHA1(file_A) == SHA1(file_B)  where file_A != file_B

Because of this, OP_SHA1 should never be used alone as a security mechanism in modern Bitcoin scripts. It remains in the codebase for backward compatibility but is discouraged.

Practical Example: SHA1 Hash Puzzle

An SHA1 hash puzzle is a locking script that anyone can spend if they know the preimage of a specific SHA1 hash:

# Locking script (scriptPubKey)
OP_SHA1
<20-byte-SHA1-hash>
OP_EQUAL

# Unlocking script (scriptSig)
<preimage-data>

This was used historically to create bounty scripts — Bitcoin amounts locked to known SHA1 collisions. Several such puzzles were placed on-chain and claimed after the SHAttered collision was published.

Difference Between SHA-1 and SHA-256

| Property | SHA-1 | SHA-256 | |

☕ Help support TeachMeBitcoin

TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation:

Ethereum: 0x578417C51783663D8A6A811B3544E1f779D39A85
Bitcoin: bc1q77k9e95rn669kpzyjr8ke9w95zhk7pa5s63qzz
Solana: 4ycT2ayqeMucixj3wS8Ay8Tq9NRDYRPKYbj3UGESyQ4J
Address copied to clipboard!