Cryptographic hash functions explained

| 7 min read
Cryptographic hash functions explained

What are cryptographic hash functions?

A cryptographic hash function is a type of mathematical formula that transforms a piece of information (for example, a text, file, or password) into a short “fingerprint” of fixed length. Such a fingerprint is called a hash value.

A hash value usually looks like a long sequence of numbers and letters. For example, if you put the word "Hello" through the SHA-256 hash function (a well-known hash function used by Bitcoin), you get:

185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

No matter how many times or on which computer you do this: as long as the input is “Hello,” the hash value will always be exactly the same. The hash is therefore tied to a specific piece of information. This makes it a reliable way to verify whether data has been altered.

Key Takeaways

  • Hash functions create a digital fingerprint of data: the same input always produces the same hash, but small changes lead to a completely different output.

  • Hashes are irreversible: from the hash you cannot reconstruct the original data, which makes them suitable for security and blockchains.

  • Applications are broad: including secure password storage, integrity checks, digital signatures, and blockchain transactions.

  • Security varies by algorithm: MD5 and SHA-1 are broken and unsafe, while SHA-2 and SHA-3 are still considered secure.

  • In blockchains, hashes are crucial: they link blocks together, secure transactions, and enable Proof-of-Work mining.

Applications of a hash function

A hash value is often used in the digital security of data, communication, and systems. You will encounter them, for example, in:

  • Password storage: instead of storing passwords in plain text, a system stores only the hash value.
  • Integrity checks: when downloading or updating software, a hash is provided so users can verify that the file has not been modified.
  • Digital signatures and certificates: hash functions ensure that a signed document cannot be altered unnoticed.
  • Blockchains: every transaction and every block is secured through hashing, ensuring the chain remains immutable.

Properties of a Hash Function

Important properties of a hash function are:

  • Same input, same output:
    When you input the same data, you always get exactly the same hash. This is because the hash function always performs the same calculation. Take a password as an example. The system only stores the hash of your password. When you try to log in again later, the system checks whether the hash exactly matches the new hash calculated from the entered value. Only in that way do you gain access.

  • Not reversible:
    A hash cannot be converted back into the original input. This means that someone who only sees the hash cannot reconstruct the original data. This makes it extremely suitable for a blockchain. Each block in the blockchain contains a unique hash (and sometimes multiple hashes) with transactions stored inside. It also contains the hash of the previous block. If someone tries to manipulate a transaction by changing a single number or letter, the hash changes immediately. Since this hash is also stored in the next block, the entire chain changes. This is immediately detected by validators or miners. Moreover, an attacker would have to recalculate and revalidate all subsequent blocks to get away with it, which is practically impossible. This makes manipulation impossible, ensuring the integrity and immutability of the blockchain.

  • Sensitive to small changes:
    If you change just one letter or even a single bit, the hash looks completely different. This makes it impossible to determine how similar two texts are based on their hashes.

    Example: “World” has a completely different hash than “Worlt”, even though the words are very similar.

  • Avoiding collisions:
    A collision means that two different inputs produce the same hash. This is theoretically possible, but with secure hash functions practically impossible.

    Example: With SHA-256, it would take billions of years to generate enough hashes before you accidentally find two identical ones. Older variants such as MD5 and SHA-1 have experienced this issue in the past, which is why they are no longer used today.

How Do Hash Functions Work?

The process that hash functions perform to make the calculation is called hashing.
A hash function is the algorithm that performs the calculation, while hashing is the process of applying that function to data to produce a hash value.

Hashing works technically as follows:

  1. Input processing
    The data (text, file, password, etc.) is divided into fixed-size blocks.

    Example: Suppose you enter the text “Hello.” It is divided into blocks of, for example, 512 bits. Since “Hello” is much shorter, additional padding is added so that it fits neatly.

  2. Mathematical transformations
    Each block undergoes a series of operations such as bit shifts, permutations, and modular additions.

    Example: Bits are shifted and combined, making the original text unrecognizable. Even a simple string like “Hello” results in a long sequence of numbers and letters, such as:
    185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

  3. Combining (compression or sponge)
    The results are merged into an internal state — a kind of temporary memory where intermediate calculations are stored until the final hash value can be formed.

    • In older algorithms such as SHA-2, this happens block by block through a compression function.
    • In more modern algorithms like SHA-3, this works via a sponge construction, where the input is first “absorbed” and then the hash is “squeezed out.”

    Example: Whether you input a short message or a 1 GB file, the result is always a single hash of fixed length — for example, 256 bits.

  4. Output
    After the final operation, a fixed-length hash value remains. This is the digital fingerprint of the input.

    Example:

    • “Hello” →

      185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

    • “Hello!” (with an exclamation mark) →

      334d74c95ed3ceec833219cd94ef7a8320b9c9d98c14b622d0535fbe7bb3f3a4

What is the Avalanche Effect?

The avalanche effect ensures that it is impossible to derive one hash from another, since even small differences in the input lead to a completely different hash value. Even if the inputs look very similar, the result is a completely different sequence of numbers and letters. This makes it impossible to deduce from hashes what the original data looked like or how similar two inputs are.

Which hash functions exist?

Over the years, several cryptographic hash functions have been developed or improved. Well-known hash functions include:

  • MD5
    Developed in the 1990s as the successor to earlier MD algorithms. This algorithm produces a 128-bit hash and was used for years for file verification and digital certificates. MD5 is now considered insecure, because since 2004 there have been cases where two different inputs produced the same hash value. This is called a collision. As a result, MD5 is now only used for simple applications, but no longer for security.

  • SHA-1
    SHA-1 was long the standard for digital signatures and SSL certificates. It is an algorithm with a 160-bit hash. In 2017, Google and CWI Amsterdam demonstrated a collision: they created two different PDF files with exactly the same SHA-1 hash. This proved that it was possible in practice to forge a hash. Since then, SHA-1 has been considered cryptographically broken and insecure. Major browsers and certificate authorities therefore no longer support it.

  • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
    The successor to SHA-1 is SHA-2. This hash algorithm uses blocks of 512 or 1024 bits and produces outputs of 224, 256, 384, or 512 bits. A well-known SHA-2 system is SHA-256, which is used to secure the Bitcoin blockchain. SHA-512 is more efficient on 64-bit systems. To date, no successful attacks are known that threaten the security of SHA-2, which is why it remains one of the most widely used cryptographic hash functions.

  • SHA-3 (Keccak)
    Developed in 2007 by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, the Keccak algorithm was adopted in 2015 by NIST as the new hash standard under the name SHA-3. It was introduced as an alternative alongside SHA-2, in case weaknesses were found in SHA-2 in the future. SHA-3 is currently not widely used in practice, because SHA-2 is still secure, broadly supported in hardware, and deeply integrated into protocols such as TLS and SSL certificates.

Hash functions in cryptocurrency and blockchain

Hash functions play a crucial role in blockchains. Hashing is used to secure transactions, link blocks, and is the core of blockchains that validate transactions through mining. Blockchains that use the Proof of Work consensus mechanism rely on computational power to solve hash puzzles.

Some examples of popular projects:

  • Bitcoin → SHA-256 (for mining and hashing blocks).
  • Litecoin → scrypt (faster and less ASIC-sensitive than SHA-256).
  • Zcash → Equihash (memory-intensive, designed for fairer mining).
  • Dogecoin → scrypt (same algorithm as Litecoin, with merge-mining).
  • Ripple (XRP Ledger) → SHA-512/256 (a shortened variant of SHA-512).
  • Algorand → SHA-512/256 (for key generation and digital signatures).

Final thoughts

Cryptographic hash functions are an essential building block of the digital world. They provide a reliable way to secure data, ensure integrity, and enable complex systems such as blockchains. While older algorithms such as MD5 and SHA-1 are no longer safe due to proven vulnerabilities, modern variants such as SHA-2 and SHA-3 remain robust and essential for current applications.

The strength of hash functions lies in their simplicity and effectiveness: one-way functions that turn small input differences into completely different outputs, without the possibility of recovering the original data. This makes them not only crucial for password security and digital signatures, but also for the functioning of cryptocurrencies and the wider internet.

Hash functions will continue to play a key role in the future, both in existing applications and in new innovations in blockchain, digital security, and cryptography.

About Finst

Finst is one of the leading cryptocurrency providers in The Netherlands and offers a best-in-class investment platform together with institutional-grade security standards and ultra-low trading fees. Finst is led by the ex-core team of DEGIRO and is authorized as a crypto-asset service provider by the Dutch Authority for the Financial Markets (AFM). Finst offers a full suite of crypto services including trading, custody, fiat on/off ramp, and staking for both retail and institutional investors.

The crypto platform you'll love

We are here to give you the tools, inspiration, and support you need to become a better investor.

Sign up
Trustpilot