2. OP_SHA256 — SHA256 Hashing on the Stack
Overview
OP_SHA256 applies the SHA-256 hash function to the top stack element and replaces it with the resulting 32-byte hash. It is one of the most widely used cryptographic opcodes in Bitcoin and is the foundation of many advanced script constructions, including hash time-locked contracts (HTLCs), preimage puzzles, and payment channel mechanics.
Opcode value: 0xa8 (decimal 168)
Output size: 32 bytes (256 bits)
Stack effect: Pops 1 element, pushes 1 element
SHA-256 Algorithm Overview
SHA-256 (Secure Hash Algorithm 256-bit) is part of the SHA-2 family, designed by the NSA and standardized by NIST in 2001. It processes data in 512-bit blocks using a Merkle-Damgård construction with a Davies-Meyer compression function.
Key properties:
- Deterministic: Same input always produces same output.
- Preimage resistant: Given hash H, it's computationally infeasible to find M such that SHA256(M) = H.
- Second-preimage resistant: Given M1, it's computationally infeasible to find M2 ≠ M1 such that SHA256(M1) = SHA256(M2).
- Collision resistant: No known practical collision attacks exist.
SHA256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
SHA256("") = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA256("Bitcoin") = b4056df6691f8dc72e56302ddad345d65fead3ead9299609a826e2344eb63aa4
Stack Execution
# Script that verifies a SHA256 preimage
scriptPubKey: OP_SHA256 <32-byte-hash> OP_EQUAL
scriptSig: <preimage>
# Execution trace:
Stack after push preimage: [ <preimage> ]
Stack after OP_SHA256: [ SHA256(<preimage>) ]
Stack after push hash: [ SHA256(<preimage>) | <expected_hash> ]
Stack after OP_EQUAL: [ 0x01 ] or [ 0x00 ]
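The trace above can be reproduced on raw script bytes. The following is an added example, not code from the original page or from any Bitcoin implementation: it models only direct pushes, OP_SHA256 and OP_EQUAL, and the helper names `push`, `run` and `verify` are hypothetical.

```python
import hashlib

OP_SHA256 = 0xA8   # opcode value given on this page
OP_EQUAL = 0x87    # Bitcoin Script opcode for byte-wise equality

def push(data: bytes) -> bytes:
    """Encode a direct data push (1..75 bytes): length byte, then the data."""
    if not 1 <= len(data) <= 75:
        raise ValueError("only direct pushes of 1..75 bytes are modelled")
    return bytes([len(data)]) + data

def run(script: bytes, stack: list) -> bool:
    """Execute the script on the stack; return False on any script failure."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:                      # direct push of `op` bytes
            if i + op > len(script):
                return False                   # truncated push
            stack.append(script[i:i + op])
            i += op
        elif op == OP_SHA256:
            if not stack:
                return False                   # nothing to hash
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == OP_EQUAL:
            if len(stack) < 2:
                return False
            b, a = stack.pop(), stack.pop()
            # Script's false is the empty element (written 0x00 in the trace).
            stack.append(b"\x01" if a == b else b"")
        else:
            return False                       # opcode outside this sketch
    return True

def verify(script_sig: bytes, script_pubkey: bytes) -> bool:
    """Run scriptSig, then scriptPubKey on one stack; the top element must be
    non-zero (simplified truth test: negative zero is not handled)."""
    stack = []
    if not (run(script_sig, stack) and run(script_pubkey, stack)):
        return False
    return bool(stack) and any(stack[-1])

# Constructed sample: lock to SHA256("hello"), the digest listed on this page.
EXPECTED = bytes.fromhex(
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824")
SCRIPT_PUBKEY = bytes([OP_SHA256]) + push(EXPECTED) + bytes([OP_EQUAL])

if __name__ == "__main__":
    for sig in (push(b"hello"), push(b"Hello"), b""):
        print(sig, verify(sig, SCRIPT_PUBKEY))
```

An empty scriptSig fails at OP_SHA256 because there is no element to pop, which is a different failure from a wrong preimage, where the script runs to completion and leaves a false value on the stack.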
Use in Hash Time-Locked Contracts (HTLCs)
HTLCs are the building block of the Lightning Network. They use OP_SHA256 to lock funds behind a hash preimage:
# Simplified HTLC locking script
OP_IF
    OP_SHA256 <payment_hash> OP_EQUALVERIFY
    <recipient_pubkey> OP_CHECKSIG
OP_ELSE
    <timelock> OP_CHECKLOCKTIMEVERIFY OP_DROP
    <sender_pubkey> OP_CHECKSIG
OP_ENDIF
To claim via the hash path:
<recipient_signature> <preimage> OP_1
To reclaim via the timeout path:
<sender_signature> OP_0
SHA256 in Mining
Bitcoin's proof-of-work also uses SHA-256 (double SHA-256 specifically), so miners are intimately familiar with this function. Every block header is hashed repeatedly until the result meets a difficulty target:
block_hash = SHA256(SHA256(block_header))
valid_block = block_hash <= difficulty_target
This demonstrates that SHA-256 is deeply embedded in Bitcoin's security model at both the protocol and script layers.
Internal Workings (Simplified)
Initial hash values (H0-H7): first 32 bits of fractional parts of sqrt of first 8 primes
Round constants (K0-K63): first 32 bits of fractional parts of cbrt of first 64 primes
Process:
1. Pre-process: pad message to 512-bit boundary
2. Break into 512-bit chunks
3. Create message schedule (64 words)
4. Apply 64 rounds of compression
5. Add compressed chunk to current hash value
6. Output final 256-bit hash
Comparison: OP_SHA1 vs OP_SHA256
OP_SHA1: 20-byte output, broken, use only for legacy compatibility
OP_SHA256: 32-byte output, secure, use for all new script designs
In the Lightning Network protocol specification, OP_SHA256 is the standard opcode for payment hashes. The preimage r must satisfy:
payment_hash = SHA256(r)