Cryptographic hash functions explained

What are cryptographic hash functions?

A cryptographic hash function is a type of mathematical formula that transforms a piece of information (for example, a text, file, or password) into a short “fingerprint” of fixed length. Such a fingerprint is called a hash value.

A hash value usually looks like a long sequence of numbers and letters. For example, if you put the word "Hello" through the SHA-256 hash function (a well-known hash function used by Bitcoin), you get:

185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

No matter how many times or on which computer you do this: as long as the input is “Hello,” the hash value will always be exactly the same. The hash is therefore tied to a specific piece of information. This makes it a reliable way to verify whether data has been altered.


Key Takeaways

  • Hash functions create a digital fingerprint of data: the same input always produces the same hash, but small changes lead to a completely different output.

  • Hashes are irreversible: from the hash you cannot reconstruct the original data, which makes them suitable for security and blockchains.

  • Applications are broad: including secure password storage, integrity checks, digital signatures, and blockchain transactions.

  • Security varies by algorithm: MD5 and SHA-1 are broken and unsafe, while SHA-2 and SHA-3 are still considered secure.

  • In blockchains, hashes are crucial: they link blocks together, secure transactions, and enable Proof-of-Work mining.


Applications of a hash function

Hash values are often used in the digital security of data, communication, and systems. You will encounter them, for example, in:

  • Password storage: instead of storing passwords in plain text, a system stores only the hash value.
  • Integrity checks: when downloading or updating software, a hash is provided so users can verify that the file has not been modified.
  • Digital signatures and certificates: hash functions ensure that a signed document cannot be altered unnoticed.
  • Blockchains: every transaction and every block is secured through hashing, ensuring the chain remains immutable.

Properties of a hash function

Important properties of a hash function are:

  • Same input, same output
    If you enter the same data, you always get exactly the same hash. Take a password as an example. The system only stores the hash of your password. When you try to log in again later, the system calculates a new hash from the value you entered and checks whether it matches the stored one. Only if the two match do you gain access.

  • Irreversible
    A hash cannot be reversed back to the original input. This makes it highly suitable for a blockchain. Every block in the blockchain contains a unique hash (and sometimes multiple hashes) with embedded transactions. It also contains the hash of the previous block. If someone tries to tamper with a transaction, the hash changes immediately. Since this hash also appears in the next block, the entire chain changes. Validators or miners notice this right away. An attacker would have to recalculate all subsequent blocks, which is practically impossible, so manipulation is not feasible in practice.

  • Sensitive to small changes
    If you change a single letter or even a single bit, the hash looks completely different. Example: ‘World’ has a completely different hash than ‘Worlt’, even though the words look very similar.

  • Collision resistance
    A collision means that two different inputs produce the same hash. This is theoretically possible, but with secure hash functions practically impossible. Example: with SHA-256, it would take billions of years to generate enough hashes to find two that are the same by chance. Older variants such as MD5 and SHA-1 are vulnerable to this and are therefore no longer used for security purposes.
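
The password check described under "Same input, same output", as an added example that is not part of the original article. It goes one step beyond the text: instead of a bare fast hash it uses a random per-user salt and the deliberately slow scrypt function, so identical passwords do not share a stored value and guessing is expensive. The function names, record layout and cost parameters are assumptions of this example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example; tune per deployment).
N, R, P, DKLEN = 2**14, 8, 1, 32

def _derive(password: str, salt: bytes) -> bytes:
    # Same password + same salt always yields the same bytes (determinism).
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)

def store_password(password: str) -> dict:
    """Return the record a system would keep: salt and hash, never the password."""
    salt = os.urandom(16)  # random per user, stored next to the hash
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash from the login attempt and compare it with the stored one."""
    candidate = _derive(attempt, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    alice = store_password("correct horse battery staple")
    bob = store_password("correct horse battery staple")
    print("right password accepted:", verify_password(alice, "correct horse battery staple"))
    print("wrong password accepted:", verify_password(alice, "correct horse battery stapl3"))
    print("same password, different stored hash:", alice["hash"] != bob["hash"])
```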

How do hash functions work?

The process that hash functions perform is called hashing. A hash function is the algorithm that performs the calculation, while hashing is the process of applying that function to data.

Input processing

The data (text, file, password, etc.) is divided into blocks of fixed size.
Example: “Hello” is divided into blocks of, for example, 512 bits. Because it is shorter, extra padding is added.

Mathematical transformations

Each block undergoes operations such as bit shifts, permutations, and modular additions.
Example: “Hello” produces the following when hashed with SHA-256:

185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Combining (compression or sponge)

The results are combined into an internal state.

  • With SHA-2 via a compression function
  • With SHA-3 via a sponge construction

Output

After the final calculation, a hash value remains.
Example:
“Hello” → 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
“Hello!” → 334d74c95ed3ceec833219cd94ef7a8320b9c9d98c14b622d0535fbe7bb3f3a4

What is the Avalanche Effect?

The avalanche effect ensures that it is impossible to derive one hash from another, since even small differences in the input lead to a completely different hash value. Even if the inputs look very similar, the result is a completely different sequence of numbers and letters. This makes it impossible to deduce from hashes what the original data looked like or how similar two inputs are.
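
To put a number on the avalanche effect, the following added example (not part of the original article) flips every single input bit of "Hello" in turn and counts how many of the 256 SHA-256 output bits change. It also compares ‘World’ with ‘Worlt’ from the properties section, whose last letters differ in exactly one bit. The function names are this example's own.

```python
import hashlib

def sha256_int(data: bytes) -> int:
    """SHA-256 digest as a 256-bit integer, convenient for bitwise comparison."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def bit_difference(a: bytes, b: bytes) -> int:
    """Number of the 256 output bits that differ between the two digests."""
    return bin(sha256_int(a) ^ sha256_int(b)).count("1")

def avalanche_profile(msg: bytes) -> list:
    """Flip each input bit in turn and record how many output bits change."""
    changed = []
    for i in range(len(msg) * 8):
        flipped = bytearray(msg)
        flipped[i // 8] ^= 1 << (i % 8)  # toggle exactly one input bit
        changed.append(bit_difference(msg, bytes(flipped)))
    return changed

if __name__ == "__main__":
    # 'd' (0x64) and 't' (0x74) differ in a single bit, yet roughly half
    # of the digest bits are expected to change.
    print("World vs Worlt:", bit_difference(b"World", b"Worlt"), "of 256 bits differ")
    profile = avalanche_profile(b"Hello")
    mean = sum(profile) / len(profile)
    print(f"Hello, {len(profile)} single-bit flips: "
          f"min={min(profile)} mean={mean:.1f} max={max(profile)}")
```

A mean close to 128 (half of 256) is what makes two digests useless for judging how similar their inputs were.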

Which hash functions exist?

Over the years, several cryptographic hash functions have been developed or improved. Well-known hash functions include:

  • MD5
    Developed in the 1990s as the successor to earlier MD algorithms. This algorithm produces a 128-bit hash and was used for years for file verification and digital certificates. MD5 is now considered insecure, because since 2004 there have been cases where two different inputs produced the same hash value. This is called a collision. As a result, MD5 is now only used for simple applications, but no longer for security.

  • SHA-1
    SHA-1 was long the standard for digital signatures and SSL certificates. It is an algorithm with a 160-bit hash. In 2017, Google and CWI Amsterdam demonstrated a collision: they created two different PDF files with exactly the same SHA-1 hash. This proved that it was possible in practice to forge a hash. Since then, SHA-1 has been considered cryptographically broken and insecure. Major browsers and certificate authorities therefore no longer support it.

  • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
    The successor to SHA-1 is SHA-2. This hash algorithm uses blocks of 512 or 1024 bits and produces outputs of 224, 256, 384, or 512 bits. A well-known SHA-2 variant is SHA-256, which is used to secure the Bitcoin blockchain. SHA-512 is more efficient on 64-bit systems. To date, no successful attacks are known that threaten the security of SHA-2, which is why it remains one of the most widely used cryptographic hash functions.

  • SHA-3 (Keccak)
    Developed in 2007 by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, the Keccak algorithm was adopted in 2015 by NIST as the new hash standard under the name SHA-3. It was introduced as an alternative alongside SHA-2, in case weaknesses were found in SHA-2 in the future. SHA-3 is currently not widely used in practice, because SHA-2 is still secure, broadly supported in hardware, and deeply integrated into protocols such as TLS and SSL certificates.

Hash functions in cryptocurrency and blockchain

Hash functions play a crucial role in blockchains. Hashing is used to secure transactions and link blocks, and it is at the core of blockchains that validate transactions through mining. Blockchains that use the Proof of Work consensus mechanism rely on computational power to solve hash puzzles.
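
How block linking and hash puzzles fit together, as an added example that is not part of the original article. It is a simplified model, not Bitcoin's real block format: the field names, the JSON encoding and the difficulty of three leading zero hex digits are assumptions. It shows that changing an old transaction breaks validation, and that redoing the work for that one block still leaves the next block pointing at the old hash.

```python
import hashlib
import json

def block_hash(block: dict) -> str:
    """SHA-256 over all block fields, including the previous block's hash."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(prev_hash: str, txs: list, difficulty: int = 3) -> dict:
    """Toy Proof of Work: try nonces until the hash starts with `difficulty` zeros."""
    block = {"prev": prev_hash, "txs": txs, "nonce": 0}
    while not block_hash(block).startswith("0" * difficulty):
        block["nonce"] += 1
    return block

def build_chain(batches: list) -> list:
    chain, prev = [], "0" * 64  # all-zero hash stands in for "no previous block"
    for txs in batches:
        chain.append(mine(prev, list(txs)))
        prev = block_hash(chain[-1])
    return chain

def first_invalid(chain: list, difficulty: int = 3):
    """Index of the first block whose link or puzzle solution fails, else None."""
    prev = "0" * 64
    for i, block in enumerate(chain):
        if block["prev"] != prev or not block_hash(block).startswith("0" * difficulty):
            return i
        prev = block_hash(block)
    return None

if __name__ == "__main__":
    # Constructed sample transactions.
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    print("untouched chain:", first_invalid(chain))
    chain[0]["txs"][0] = "alice->bob:500"           # tamper with an old transaction
    print("after tampering:", first_invalid(chain))
    chain[0] = mine("0" * 64, chain[0]["txs"])      # redo the work for block 0 only
    print("after re-mining block 0:", first_invalid(chain))
```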

Some examples of popular projects:

  • Bitcoin → SHA-256 (for mining and hashing blocks).
  • Litecoin → scrypt (faster and less ASIC-sensitive than SHA-256).
  • Zcash → Equihash (memory-intensive, designed for fairer mining).
  • Dogecoin → scrypt (same algorithm as Litecoin, with merge-mining).
  • Ripple (XRP Ledger) → SHA-512/256 (a shortened variant of SHA-512).
  • Algorand → SHA-512/256 (for key generation and digital signatures).

Final thoughts

Cryptographic hash functions are an essential building block of the digital world. They provide a reliable way to secure data, ensure integrity, and enable complex systems such as blockchains. While older algorithms such as MD5 and SHA-1 are no longer safe due to proven vulnerabilities, modern variants such as SHA-2 and SHA-3 remain robust and essential for current applications.

The strength of hash functions lies in their simplicity and effectiveness: one-way functions that turn small input differences into completely different outputs, without the possibility of recovering the original data. This makes them not only crucial for password security and digital signatures, but also for the functioning of cryptocurrencies and the wider internet.

Hash functions will continue to play a key role in the future, both in existing applications and in new innovations in blockchain, digital security, and cryptography.

About Finst

Finst is one of the leading cryptocurrency providers in The Netherlands and offers a best-in-class investment platform together with institutional-grade security standards and ultra-low trading fees. Finst is led by the ex-core team of DEGIRO and is authorized as a crypto-asset service provider by the Dutch Authority for the Financial Markets (AFM). Finst offers a full suite of crypto services including trading, custody, fiat on/off ramp, and staking for both retail and institutional investors.
