Collision example (conceptual):
1. OP_SHA1 — SHA1 Hashing on the Stack
Overview
OP_SHA1 is one of Bitcoin's earliest cryptographic opcodes, introduced in Satoshi Nakamoto's original codebase. It applies the SHA-1 (Secure Hash Algorithm 1) hash function to the top element of the script execution stack, replacing that element with the resulting 20-byte hash digest.
Opcode value: 0xa7 (decimal 167)
Output size: 20 bytes (160 bits)
Stack effect: Pops 1 element, pushes 1 element
How SHA-1 Works
SHA-1 was designed by the NSA and published by NIST in 1995. It processes input data in 512-bit (64-byte) chunks and produces a 160-bit digest. The algorithm involves bitwise operations, modular addition, and a compression function applied across 80 rounds.
SHA1("hello") = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
SHA1("hello world") = 2aae6c69c37c8a4ef491a8d4c64b3e7c0618ef1c
SHA1("") = da39a3ee5e6b4b0d3255bfef95601890afd80709
Script Execution Behavior
When the script interpreter encounters OP_SHA1, it performs the following steps:
Before: [ ... | top_element ]
Operation: hash = SHA1(top_element)
After: [ ... | hash_result ]
A script that hashes the input with SHA-1 and checks it against an expected value looks like this:
scriptPubKey: OP_SHA1 <expected_hash> OP_EQUAL
scriptSig: <preimage>
Full execution trace:
Initial stack: [ <preimage> ]
After OP_SHA1: [ SHA1(<preimage>) ]
Push hash: [ SHA1(<preimage>) | <expected_hash> ]
After OP_EQUAL: [ 1 ] (if hashes match, else 0)
Security Concerns with SHA-1
SHA-1 is considered cryptographically broken. In 2017, Google's research team published the "SHAttered" attack, demonstrating the first practical SHA-1 collision — two different files that produce the same SHA-1 hash. This means:
-
An attacker could potentially construct a second preimage that hashes to the same value.
-
Scripts relying solely on SHA-1 for security can no longer be considered safe.
# Collision example (conceptual):
SHA1(file_A) == SHA1(file_B) where file_A != file_B
Because of this, OP_SHA1 should never be used alone as a security mechanism in modern Bitcoin scripts. It remains in the codebase for backward compatibility but is discouraged.
Practical Example: SHA1 Hash Puzzle
An SHA1 hash puzzle is a locking script that anyone can spend if they know the preimage of a specific SHA1 hash:
# Locking script (scriptPubKey)
OP_SHA1
<20-byte-SHA1-hash>
OP_EQUAL
# Unlocking script (scriptSig)
<preimage-data>
This was used historically to create bounty scripts — Bitcoin amounts locked to known SHA1 collisions. Several such puzzles were placed on-chain and claimed after the SHAttered collision was published.
Difference Between SHA-1 and SHA-256
| Property | SHA-1 | SHA-256 | |
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: