Skip to main content
CipherChronicle

Cryptography glossary

Hash

Also known as : Cryptographic fingerprint · Digest · Hashing

A hash (or cryptographic fingerprint, digest) is a fixed-length string — typically 32, 64 or 256 hexadecimal characters — computed from arbitrary input data by a hash function. The hash acts as a “digital fingerprint” of the data: two different inputs have (barring collisions) two different hashes, and the same input always yields the same hash.

Three essential properties

  1. Determinism: the same input always produces the same hash. That sounds trivial but it’s what makes a hash verifiable: you can always recompute and compare.
  2. Avalanche effect: the slightest modification of the input changes the fingerprint top to bottom. Flipping a single input bit flips roughly half the output bits. No way to predict “if I change such-and-such character, the hash will move in such-and-such direction”.
  3. One-way: it is (in practice, in human time) impossible to recover the input from the hash. That’s what distinguishes a hash from an encryption — encryption is reversible with the key, a hash never is. You don’t “unhash”.

To these three, add collision resistance: it must be practically impossible to find two different inputs producing the same hash. For SHA-256, that probability sits at 1 in 2¹²⁸ — astronomical.

The main algorithms

AlgorithmOutput bitsStatus
MD5128Broken (collisions found in 2004). Avoid.
SHA-1160Broken (Google collisions in 2017). Still seen in legacy.
SHA-256256Current standard. Used by Bitcoin, TLS, Git, CipherChronicle.
SHA-3 / Keccak224-512NIST 2015 standard, alternative to SHA-2. Used by Ethereum.
BLAKE2 / BLAKE3256+Faster than SHA-256, equivalent quality.
Argon2 / bcrypt / scryptvariableHash-derived KDFs designed to be slow (passwords).

The Argon2 versus SHA-256 distinction is worth understanding. SHA-256 is intentionally fast — that’s what you want when hashing files or transactions. For passwords, that’s exactly what you don’t want: an attacker who downloads a database leak can test billions of candidates per second. Argon2, bcrypt, scrypt are designed to be slow and memory-heavy — each hash takes 100 ms and 64 MB of RAM, making brute-force nearly impractical.

Three canonical uses

1. Password storage

No serious database stores passwords in plaintext. You store hash = Argon2(password + salt). At login, you rehash the user’s input and compare. If the database leaks, the attacker must redo the brute-force per user (thanks to the salt) with a slow function (thanks to Argon2). The mass leaks you see in the press — when hundreds of millions of passwords end up in circulation — almost always concern sites that stored in MD5 unsalted, or in plain text.

2. Integrity verification

When you download a Linux distribution (Ubuntu, Arch), the site publishes the SHA-256 of the ISO. You compute the SHA-256 of the downloaded file and compare. If they match, the file wasn’t tampered with in transit. That’s the basis of digital signatures: you sign the hash, not the file (signing a 4 GB file would be absurd).

3. Solution validation without disclosure

On CipherChronicle, we use SHA-256 to store puzzle solutions. When an author publishes a grid, we compute:

hash = SHA-256(solution + puzzleId)

And we store only that hash in Firestore — never the plaintext solution. When a solver enters their attempt, the browser recomputes the hash locally and compares it to the stored hash. No plaintext ever travels through our servers, and even a complete database dump reveals no solution. The puzzleId prefix defeats rainbow tables: two puzzles with the same solution have different hashes.

The same mechanism powers Bitcoin mining: find a nonce such that SHA-256(SHA-256(block)) starts with N zeros. No shortcut: you have to try billions of nonces, and that very “proof of work” is what secures the network.

Don’t confuse with

  • Hash ≠ encryption: encryption is reversible with the key, a hash never is. You hash to verify; you encrypt to transmit.
  • Hash ≠ encoding: Base64, hex are reversible encodings without a key. A hash doesn’t decode.
  • Hash ≠ compression: compression is reversible. A hash irreversibly loses information (4 GB input → 32 bytes output).

Key takeaways:

  • A hash is a fixed-size, deterministic, one-way fingerprint with avalanche.
  • Modern standards: SHA-256, SHA-3, BLAKE3 for general use. Argon2 / bcrypt / scrypt for passwords.
  • Three uses: storing passwords, verifying file integrity, validating without revealing (puzzles, blockchain).
  • Never confuse with encryption: you hash to verify, you encrypt to transmit.

← Whole glossary