TeachMeBitcoin

Script that verifies a SHA256 preimage

From TeachMeBitcoin, the free encyclopedia

2. OP_SHA256 — SHA256 Hashing on the Stack

Overview

OP_SHA256 applies the SHA-256 hash function to the top stack element and replaces it with the resulting 32-byte hash. It is one of the most widely used cryptographic opcodes in Bitcoin and is the foundation of many advanced script constructions, including hash time-locked contracts (HTLCs), preimage puzzles, and payment channel mechanics.

Opcode value: 0xa8 (decimal 168)
Output size: 32 bytes (256 bits)
Stack effect: Pops 1 element, pushes 1 element

SHA-256 Algorithm Overview

SHA-256 (Secure Hash Algorithm 256-bit) is part of the SHA-2 family, designed by the NSA and standardized by NIST in 2001. It processes data in 512-bit blocks using a Merkle-Damgård construction with a Davies-Meyer compression function.

Key properties:

SHA256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
SHA256("") = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256("Bitcoin") = b4056df6691f8dc72e56302ddad345d65fead3ead9299609a826e2344eb63aa4

Stack Execution

# Script that verifies a SHA256 preimage
scriptPubKey: OP_SHA256 <32-byte-hash> OP_EQUAL
scriptSig:    <preimage>

# Execution trace:
Stack after push preimage:  [ <preimage> ]
Stack after OP_SHA256:      [ SHA256(<preimage>) ]
Stack after push hash:      [ SHA256(<preimage>) | <expected_hash> ]
Stack after OP_EQUAL:       [ 0x01 ] or [ 0x00 ]

Use in Hash Time-Locked Contracts (HTLCs)

HTLCs are the building block of the Lightning Network. They use OP_SHA256 to lock funds behind a hash preimage:

# Simplified HTLC locking script
OP_IF
    OP_SHA256 <payment_hash> OP_EQUALVERIFY
    <recipient_pubkey> OP_CHECKSIG
OP_ELSE
    <timelock> OP_CHECKLOCKTIMEVERIFY OP_DROP
    <sender_pubkey> OP_CHECKSIG
OP_ENDIF

To claim via the hash path:

<recipient_signature> <preimage> OP_1

To reclaim via the timeout path:

<sender_signature> OP_0
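
The two spending paths above can be checked mechanically. The following is an added example, not code from TeachMeBitcoin or Bitcoin Core: a minimal Python evaluator covering only the opcodes used on this page, run against the simplified HTLC script. Assumptions: OP_CHECKSIG is replaced by a lookup in a set of constructed (signature, pubkey) pairs, OP_CHECKLOCKTIMEVERIFY compares only against a tx_locktime argument, and the names run, truthy, HTLC and SIGS are hypothetical.

```python
import hashlib

OP_0, OP_1 = b"", b"\x01"  # these two opcodes just push the empty string / 0x01

def truthy(item: bytes) -> bool:  # Script bool cast; negative zero (0x80 tail) is false
    return any(item[:-1]) or (len(item) > 0 and item[-1] not in (0x00, 0x80))

def run(script_sig, script_pubkey, tx_locktime=0, good_sigs=frozenset()):
    """Run scriptSig then scriptPubKey on one stack; True means the spend is valid."""
    stack, branches = [], []  # branches holds one bool per open OP_IF
    try:
        for op in [*script_sig, *script_pubkey]:
            live = all(branches)
            if op == "OP_IF":
                branches.append(live and truthy(stack.pop()))
            elif op == "OP_ELSE":
                branches[-1] = not branches[-1]
            elif op == "OP_ENDIF":
                branches.pop()
            elif not live:
                continue  # inside the branch that was not taken
            elif isinstance(op, bytes):
                stack.append(op)  # data push
            elif op == "OP_SHA256":
                stack.append(hashlib.sha256(stack.pop()).digest())
            elif op == "OP_EQUAL":
                stack.append(OP_1 if stack.pop() == stack.pop() else OP_0)
            elif op == "OP_EQUALVERIFY":
                if stack.pop() != stack.pop():
                    return False
            elif op == "OP_DROP":
                stack.pop()
            elif op == "OP_CHECKLOCKTIMEVERIFY":  # simplified: compares nLockTime only
                if tx_locktime < int.from_bytes(stack[-1], "little"):
                    return False
            elif op == "OP_CHECKSIG":  # stand-in: set lookup instead of real ECDSA
                pubkey, sig = stack.pop(), stack.pop()
                stack.append(OP_1 if (sig, pubkey) in good_sigs else OP_0)
            else:
                raise ValueError(f"unsupported opcode: {op}")
    except IndexError:
        return False  # stack underflow or unbalanced OP_IF fails the script
    return not branches and bool(stack) and truthy(stack[-1])

PREIMAGE = b"constructed-preimage-r"  # constructed sample values, not real keys
PAYMENT_HASH = hashlib.sha256(PREIMAGE).digest()
HTLC = ["OP_IF", "OP_SHA256", PAYMENT_HASH, "OP_EQUALVERIFY", b"recv_pk", "OP_CHECKSIG",
        "OP_ELSE", (500).to_bytes(2, "little"), "OP_CHECKLOCKTIMEVERIFY", "OP_DROP",
        b"send_pk", "OP_CHECKSIG", "OP_ENDIF"]
SIGS = frozenset({(b"recv_sig", b"recv_pk"), (b"send_sig", b"send_pk")})
```

Calling run([b"recv_sig", PREIMAGE, OP_1], HTLC, good_sigs=SIGS) takes the hash path, and run([b"send_sig", OP_0], HTLC, tx_locktime=500, good_sigs=SIGS) takes the timeout path. The bare preimage script from the Stack Execution section passes with run([PREIMAGE], ["OP_SHA256", PAYMENT_HASH, "OP_EQUAL"]) and no signature at all, which is why each HTLC branch also ends in OP_CHECKSIG.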

SHA256 in Mining

Bitcoin's proof-of-work also uses SHA-256 (double SHA-256 specifically), so miners are intimately familiar with this function. Every block header is hashed repeatedly until the result meets a difficulty target:

block_hash = SHA256(SHA256(block_header))
valid_block = block_hash <= difficulty_target

This demonstrates that SHA-256 is deeply embedded in Bitcoin's security model at both the protocol and script layers.

Internal Workings (Simplified)

Initial hash values (H0-H7): first 32 bits of the fractional parts of the square roots of the first 8 primes
Round constants (K0-K63):    first 32 bits of the fractional parts of the cube roots of the first 64 primes

Process:

1. Pre-process: pad message to 512-bit boundary

2. Break into 512-bit chunks

3. Create message schedule (64 words)

4. Apply 64 rounds of compression

5. Add compressed chunk to current hash value

6. Output final 256-bit hash

Comparison: OP_SHA1 vs OP_SHA256

OP_SHA1:   20-byte output, broken, use only for legacy compatibility
OP_SHA256: 32-byte output, secure, use for all new script designs

In the Lightning Network protocol specification, OP_SHA256 is the standard opcode for payment hashes. The preimage r must satisfy:

payment_hash = SHA256(r)