
Hash Functions: The Common Workhorse

SHA-256 vs Keccak across Bitcoin, Ethereum and Monero, the hash-to-scalar and hash-to-point maps Monero adds, and how hashing becomes commitment.

A hash function is the most-used and least-glamorous tool in any blockchain. It turns arbitrary data into a fixed fingerprint that is easy to compute and effectively impossible to reverse or forge. Every chain uses hashes for the same jobs — linking blocks, building Merkle trees, deriving keys — but the choice of hash, and the extra tricks built on top of it, are one of the first places Bitcoin, Ethereum and Monero quietly diverge.

What a Hash Must Guarantee

Three properties make a function cryptographic rather than just a checksum:

  • Preimage resistance — given H(x), you cannot find x. This is what makes a hash one-way.
  • Second-preimage resistance — given x, you cannot find a different x' with H(x') = H(x).
  • Collision resistance — you cannot find any pair x ≠ x' that hashes to the same value. With an n-bit output, the birthday bound makes this cost about 2^(n/2) work, which is why 256-bit hashes are standard: 2^128 is out of reach.

SHA-256: Bitcoin's Choice

Bitcoin uses SHA-256 (from the SHA-2 family, a Merkle–Damgård construction) almost everywhere, usually doubled as SHA256(SHA256(x)) — "Hash256" — to blunt length-extension attacks. It hashes block headers for proof-of-work, builds the transaction Merkle root, and (combined with RIPEMD-160) produces addresses. SHA-256 is also the mining function: miners grind the header nonce until the double-SHA-256 digest falls below the difficulty target. Its simplicity and hardware-friendliness are exactly why Bitcoin mining became an ASIC arms race.

Keccak: Ethereum's and Monero's Choice

Ethereum and Monero both use Keccak, the sponge-construction winner of the SHA-3 competition — but the original Keccak submission, not the slightly re-padded final FIPS-202 standard. People casually call it "SHA-3", yet keccak256("") differs from sha3_256(""); this padding distinction has bitten many integrators. Ethereum hashes with Keccak-256 to derive addresses (the last 20 bytes of the hash of the public key), to compute storage slots, and to build its state and receipt tries. Monero inherits Keccak from CryptoNote and uses it as the basis for two derived helpers that matter enormously.
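
The padding difference described above, as an added example (not code from the original lesson or from any of the three projects): a compact pure-Python Keccak-f[1600] sponge in which the only thing separating original Keccak-256 from FIPS-202 SHA3-256 is the domain-suffix byte, 0x01 versus 0x06. The function names are this example's own, and the SHA3 branch is cross-checked against Python's hashlib.

```python
import hashlib  # used only to cross-check the SHA3-256 branch

MASK, RATE = (1 << 64) - 1, 136  # 64-bit lanes; 136-byte rate for 256-bit output

def rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f(A):
    """Keccak-f[1600] permutation on a 5x5 array of 64-bit lanes A[x][y]."""
    rc = 1  # LFSR state that generates the round constants
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]                                              # rho + pi
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        A = [[A[x][y] ^ (~A[(x + 1) % 5][y] & A[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]                                                 # chi
        for j in range(7):                                                      # iota
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) % 256
            if rc & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return A

def sponge256(msg, suffix):
    """Absorb msg at rate 136 and squeeze 32 bytes; `suffix` is the padding domain byte."""
    # Pad: suffix byte, zero fill to a whole block, then set the top bit of the last byte.
    padded = bytearray(msg) + bytes([suffix]) + bytes(-(len(msg) + 1) % RATE)
    padded[-1] ^= 0x80
    state = bytearray(200)
    for off in range(0, len(padded), RATE):
        for i in range(RATE):
            state[i] ^= padded[off + i]
        lanes = keccak_f([[int.from_bytes(state[8 * (x + 5 * y):][:8], "little")
                           for y in range(5)] for x in range(5)])
        for x in range(5):
            for y in range(5):
                state[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return bytes(state[:32])

def keccak256(msg): return sponge256(msg, 0x01)  # original Keccak (Ethereum, Monero)
def sha3_256(msg):  return sponge256(msg, 0x06)  # FIPS-202 SHA3-256

if __name__ == "__main__":
    print("keccak256(''):", keccak256(b"").hex())
    print("sha3_256(''): ", sha3_256(b"").hex())
    print("matches hashlib.sha3_256:", sha3_256(b"") == hashlib.sha3_256(b"").digest())
```

An integrator can use the empty-string digest as a quick check of which variant a library actually implements before trusting it for address or key derivation.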

Monero's Derived Hashes: Hash-to-Scalar and Hash-to-Point

Plain hashing isn't enough for Monero's math, which lives on an elliptic curve. So it builds two specialized maps on top of Keccak:

  • Hash-to-scalar, Hs(x): hash bytes, then reduce the result modulo the group order to land on a valid scalar. This is how shared secrets become usable private offsets in stealth addresses.
  • Hash-to-point, Hp(P): deterministically map bytes to a curve point whose discrete logarithm with respect to G nobody knows. This is the secret behind key images (I = x·Hp(P)) and the second commitment generator — and a transparent chain simply never needs it.

The existence of Hp is a small but telling sign of Monero's ambitions: you only need a "nothing-up-my-sleeve" second generator if you are going to hide things, which Bitcoin and Ethereum are not.

Commitment: The Privacy-Critical Use of Hashing

The deepest use of a hash isn't integrity — it's commitment. A commitment lets you lock in a value now and reveal it later, proving you didn't change it, while keeping it secret in the meantime. A naive commitment is H(value ‖ randomness). Monero needs something stronger that is also additively homomorphic (commitments you can add together), so it upgrades from a hash commitment to a Pedersen commitment on the curve — but the conceptual seed is exactly this hash-commitment idea. We unpack that fully in Monero's Math II: Hiding Amounts.

Mining vs. Hashing: Don't Confuse Them

One last clarification, because hashes appear in two very different roles. Bitcoin's mining function is its general hash (double SHA-256), so mining is just hashing fast — which ASICs do best. Monero deliberately separates the two: it still uses Keccak for protocol hashing, but its proof-of-work is RandomX, a memory-hard virtual machine designed so commodity CPUs stay competitive. Same family of math, opposite philosophy about who should be allowed to mine. With hashing mapped, we move to the richer structure underneath every key: the elliptic curve.
