
Public Key Hash

The hash of a public key, to shorten it.

The public key hash is a hashed version of your public key.

It’s the version of your public key that you give to other people so that they can send you bitcoins. It’s shorter than the original public key, and it may provide an extra layer of security for your bitcoins compared to giving out your public key directly.

It’s also basically the “raw” version of an address.


How do you create a public key hash?

Just take your public key and put it through the SHA256 hash function, then put the result through the RIPEMD160 hash function.

It’s sometimes referred to as a HASH160(publickey), because that’s simpler than writing RIPEMD160(SHA256(publickey)).

That’s it.

Example:

publickey          = 02b4632d08485ff1df2db55b9dafd23347d1c47a457072a1e87be26896549a8737
hash160(publickey) = 93ce48570b55c42c2af816aeaba06cfee1224fae

Why do we use RIPEMD160?

Because RIPEMD160 produces a 160 bit (20 byte) digest, which is smaller than the original public key (65 bytes uncompressed, 33 bytes compressed).

This means that the eventual address we create from it will contain fewer characters than a full public key, making it easier to pass around.

We use it in conjunction with SHA256 because RIPEMD160 is not the strongest hash function on its own.

How is the public key hash used in Bitcoin?

When you want to receive bitcoins, you give someone your public key hash. They will then put this into the locking code of a transaction output.

This creates a P2PKH locking script.

Then, when you want to unlock these bitcoins (to send them to someone in a new transaction), you just put your original public key along with a digital signature into the input’s unlocking code.

So when a node comes to validate this transaction, it will:

  1. Check that the public key provided hashes correctly to the public key hash.
  2. If that checks out, it will then validate the signature against the public key as usual.

So instead of just checking a signature against a public key (as in a P2PK lock), there is one extra step that checks the hash of the public key beforehand.

This is why this type of locking system is referred to as P2PKH.
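The first of those two checks can be reproduced in a few lines. The following is an added example, not code from the original page: it builds the standard P2PKH locking script around a public key hash and then tests whether a supplied public key hashes to the value inside it. The function names and the second (non-matching) public key are made up for illustration, and signature validation (step 2) is not covered.

```ruby
require 'digest'

# Standard P2PKH locking script, as hex:
#   76 OP_DUP, a9 OP_HASH160, 14 push 20 bytes, <hash160>, 88 OP_EQUALVERIFY, ac OP_CHECKSIG
P2PKH_TEMPLATE = /\A76a914(\h{40})88ac\z/

# HASH160 = RIPEMD160(SHA256(data)), taking and returning hex.
def hash160(hex)
  binary = [hex].pack('H*')
  Digest::RMD160.hexdigest(Digest::SHA256.digest(binary))
end

# Wrap a 20-byte public key hash in the P2PKH locking script.
def p2pkh_lock(pubkey_hash_hex)
  unless pubkey_hash_hex.match?(/\A\h{40}\z/)
    raise ArgumentError, 'public key hash must be exactly 20 bytes of hex'
  end
  "76a914#{pubkey_hash_hex.downcase}88ac"
end

# Pull the public key hash back out of a locking script.
# Returns nil for anything that is not exactly the P2PKH template.
def p2pkh_hash_from_lock(script_hex)
  match = script_hex.downcase.match(P2PKH_TEMPLATE)
  match && match[1]
end

# Step 1 of validation: does the public key from the unlocking code
# hash to the public key hash committed to in the locking script?
def pubkey_matches_lock?(script_hex, pubkey_hex)
  expected = p2pkh_hash_from_lock(script_hex)
  return false if expected.nil?
  # Only accept well-formed encodings: 33 bytes (02/03) or 65 bytes (04).
  return false unless pubkey_hex.match?(/\A(0[23]\h{64}|04\h{128})\z/)
  hash160(pubkey_hex) == expected
end

# Public key and hash from the example on this page.
PUBKEY      = '02b4632d08485ff1df2db55b9dafd23347d1c47a457072a1e87be26896549a8737'
PUBKEY_HASH = '93ce48570b55c42c2af816aeaba06cfee1224fae'
# Constructed for this example: same bytes with a different prefix,
# so it hashes to something else. It is not a key anyone is known to use.
OTHER_PUBKEY = '03b4632d08485ff1df2db55b9dafd23347d1c47a457072a1e87be26896549a8737'

lock = p2pkh_lock(PUBKEY_HASH)
puts lock
puts pubkey_matches_lock?(lock, PUBKEY)       # matching key
puts pubkey_matches_lock?(lock, OTHER_PUBKEY) # wrong key is rejected before any signature check
```

A key that fails this comparison is rejected outright, so the signature check only ever runs against the public key the output was locked to.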

Code

require 'digest' # Hash Functions Library

publickey = '02b4632d08485ff1df2db55b9dafd23347d1c47a457072a1e87be26896549a8737'

binary = [publickey].pack("H*") # Convert to binary first before hashing
sha256 = Digest::SHA256.digest(binary)
ripemd160 = Digest::RMD160.digest(sha256)
hash160 = ripemd160.unpack("H*")[0] # Convert back to hex

puts hash160 # 93ce48570b55c42c2af816aeaba06cfee1224fae

FAQ

Why do we hash the public key?

Because that’s the way transactions were designed to work when Satoshi developed Bitcoin.

The original reason why addresses were public key hashes is something you’ll need to ask Satoshi. - Pieter Wuille

It may have been because Satoshi was not originally aware that you could use compressed public keys (33 bytes instead of 65 bytes), so hashing the public key was a way to create a much shorter (20 byte) version of it to give to other people.

To make Bitcoin Addresses short, they are a hash of the public key. - Satoshi Nakamoto

Alternative Theory: Extra Security

An alternative theory is that using the Hash160 provides an extra layer of security.

For example, if we immediately give away our public key when we want to receive bitcoins, the “only” thing protecting us from attackers trying to get to our private key is the elliptic curve.

It’s impossibly difficult to work backwards from elliptic curve multiplication to get the private key, but you can try.

However, if we give out a hashed version of our public key instead, attackers would have to crack both the RIPEMD160 and SHA256 hash functions, as well as deal with the elliptic curve problem.

Now you’ve got two different hash functions to crack as well.

So basically, whilst we have bitcoins sitting in the blockchain, the hash functions act as extra hurdles that attackers must jump over to try and get to our private key (and steal our bitcoins).

So is the elliptic curve not enough protection?

It’s actually excellent protection.

Thanks to the properties of elliptic curve multiplication, it’s impossibly difficult to go backwards from a public key to a private key. This is known as the “elliptic curve discrete logarithm problem”.

However, if by some miracle this problem is solved, there are still two different hash functions to fall back on to protect our private key.

But don’t you still give away your public key?

Yes. But in this system your public key is only given away at the last moment (when you come to spend your bitcoins).

The theory is that if someone wants to deduce your private key, they will have a small amount of time to do it before your transaction propagates across the network and gets mined into a block. Therefore, this is more secure than leaving your public key exposed from the start.

Thanks

By Greg Walker,

Last Updated: 04 May 2022
  • 04 May 2022: Typos, thanks to Varun in email.
  • 05 Jan 2022: Satoshi quote for the reason why public keys are hashed when creating a Bitcoin Address.
  • 29 Mar 2021: /technical/ecdsa - first draft
  • 21 Jul 2020: redirected and renamed files from /guide/ to /technical/
  • 21 Jul 2020: renamed /guide/ to /technical/