⛓️ Trust No One, Trust Everyone — Blockchains & Bitcoin

Ages: 11–15 · Duration: 120 minutes · Topics: Cryptographic hashing, Merkle trees, Proof of work, Game theory, Bitcoin protocol, Ethereum & smart contracts

Part 0 — The Trust Problem (10 min)

The Big Idea

"Imagine you and nine friends play a trading-card game. You trade cards at school, but nobody keeps a fair list. Alex says 'I traded my holo-Charizard to Bella,' and Bella says 'No, Alex still owes me.' Who's right? You need a RECORD everyone trusts. You could ask a teacher to keep the list — but what if the teacher is sick? Or unfair? Or hacked?

Today we build a system where nobody is in charge, yet nobody can cheat. The secret? Mathematics."

The Three Enemies of Trust

Enemy	Example	Real-world analogue
Forgery	Alex writes "Bella paid me 10 coins" — but she never did	Fake bank transfers
Tampering	Charlie changes an old record: "I never owed David"	Cooking the books
Double-spending	Eve sends the same digital coin to both Frank and Grace	Copying a file = copying money?

Key Rule: A blockchain is a ledger that nobody owns, everybody can read, and nobody can secretly change — enforced by mathematics, not by authority.

Part 1 — Hash Functions: Digital Fingerprints (≈ 20 min)

What Is a Hash Function?

Every security system needs a way to detect tampering. A cryptographic hash function takes any input — a word, a book, an entire movie — and produces a fixed-size output called a digest (the "digital fingerprint").

Property	Meaning	Analogy
Deterministic	Same input → same hash, always	Same person → same fingerprint
Fast	Computing the hash is quick	Scanning a fingerprint takes seconds
Avalanche effect	Change one bit → ~50 % of output bits flip	Completely different fingerprint
One-way	Given a hash, you can't find the input	Can't reconstruct a person from a print
Collision-resistant	Nearly impossible to find two inputs with the same hash	No two people share a fingerprint*

*Fingerprints aren't truly unique, but SHA-256 hashes essentially are: $2^{256} \approx 10^{77}$ possible outputs — roughly the number of atoms in the observable universe.

A Toy Hash (for hand computation)

Real SHA-256 is too complex to compute by hand. Let's invent a toy hash for classroom exploration:

$$H(n) = (31 \times n + 17) \bmod 256$$

Only 256 possible outputs — wildly insecure, but it demonstrates the key properties.

How Big Is $2^{256}$?

Comparison	Approximate value
SHA-256 outputs	$2^{256} \approx 1.16 \times 10^{77}$
Atoms in the observable universe	$\approx 10^{80}$
Grains of sand on Earth	$\approx 10^{19}$
Seconds since the Big Bang	$\approx 4.3 \times 10^{17}$

Intuition: SHA-256 turns any message into one specific grain of sand on a beach the size of the visible universe. Good luck finding two messages that land on the same grain.

Part 2 — Building Blocks: Chains, Trees & Signatures (≈ 25 min)

Step 1: Chaining with Hashes

A blockchain literally chains blocks together using hashes. Each block contains: (1) the hash of the previous block, (2) its own data (transactions), and (3) its own hash — computed from all of the above.

The Tamper-Proof Property: Change one block's data → its hash changes (avalanche effect) → the next block's "previous hash" doesn't match → the entire chain after the tampered block is broken. To fix it, an attacker would need to recompute every subsequent block — while the honest network keeps adding new ones.

Step 2: Merkle Trees — Verifying Without Downloading Everything

What if a block contains 2 000 transactions? Checking one would mean downloading all 2 000. Ralph Merkle (1979) invented a better way: a binary tree of hashes. Each leaf is the hash of a transaction; each internal node is the hash of its two children. The root summarises ALL transactions in 32 bytes.

To prove transaction C is in the block, you only need Hash(D), Hash(AB), and the Root — that's $\lceil \log_2 n \rceil$ hashes instead of $n$.

Step 3: Digital Signatures

In the Postcard Paradox lecture (#9), we saw public-key cryptography. Bitcoin uses ECDSA (Elliptic Curve Digital Signature Algorithm) on the curve $y^2 = x^3 + 7 \pmod{p}$ (secp256k1).

Every user has a private key (secret) and a public key (shared)
To send coins, you sign the transaction with your private key
Anyone can verify the signature with your public key
Nobody can forge your signature without your private key

☕ Break (5 min)

Part 3 — Proof of Work: The Mining Puzzle (≈ 15 min)

The Byzantine Generals Problem

In a network where some participants may be dishonest, how do honest participants agree on a single truth? — Lamport, Shostak & Pease, 1982

Satoshi Nakamoto's brilliant insight: make cheating expensive.

The Mining Puzzle

To add a block, you must find a nonce such that:

$$\text{SHA-256}(\text{block data} \mathbin\Vert \text{nonce}) < \text{target}$$

In practice, this means the hash must start with a certain number of zeros. The more zeros required, the harder the puzzle.

The Probability

With $k$ leading hex zeros required:

$$P(\text{success}) = \frac{1}{16^k} \qquad E[\text{attempts}] = 16^k$$

Leading zeros $k$	Expected attempts	Time @ 10 B hashes/s
1	16	Instant
4	65 536	Instant
8	$4.3 \times 10^{9}$	0.4 seconds
16	$1.8 \times 10^{19}$	~58 years

Why it works: Finding a nonce is hard (brute force). Verifying is easy (one hash). To rewrite history, an attacker needs more computing power than the entire honest network — the "51 % attack." Proof of work is a lottery where the ticket costs electricity.

Solution 1 — Hash Functions: The Foundation 🥉

Using the toy hash $H(n) = (31n+17) \bmod 256$:

$H(5) = (155+17) \bmod 256 = 172$
$H(6) = (186+17) \bmod 256 = 203$
Small input change → big output change: mini-avalanche!

Collision hunt: $H(0) = 17$ and $H(256) = (31 \times 256 + 17) \bmod 256 = 7953 \bmod 256 = 17$. So $H(0) = H(256)$! By the pigeonhole principle, among any 257 inputs at least two must collide (only 256 possible outputs). This is why we need SHA-256 with its $2^{256}$ outputs.

$$\boxed{H(n) = (31n + 17) \bmod 256 \text{ — deterministic, fast, mini-avalanche; but only 256 outputs (insecure!)}}$$

Solution 2 — Mining: The Nonce Lottery 🥈

Mining follows a geometric distribution. With target of $k$ leading hex zeros:

$$P(\text{hit}) = p = \frac{1}{16^k} \qquad E[\text{trials}] = \frac{1}{p} = 16^k \qquad \sigma \approx 16^k$$

The standard deviation is approximately equal to the mean — so actual mining times vary wildly. Sometimes 30 seconds, sometimes 40 minutes, even if the average is 10 minutes.

$$\boxed{E[\text{attempts}] = 16^k \text{ where } k = \text{number of leading hex zeros required}}$$

Solution 3 — The Bitcoin Protocol 🥇

The Genesis Block

On 31 October 2008, someone calling themselves Satoshi Nakamoto posted a 9-page paper: "Bitcoin: A Peer-to-Peer Electronic Cash System." Nobody knows who Satoshi is. They mined the first block — the Genesis Block — on 3 January 2009, embedding a newspaper headline:

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"

A message about trust in financial institutions — hidden in the first block of a system designed to replace that trust with mathematics.

The UTXO Model

Bitcoin doesn't track balances. It tracks Unspent Transaction Outputs (UTXOs) — like specific bills in a wallet:

Transaction #247

INPUT: Alice's 1.0 BTC (from Tx #189, output 0) — signed by Alice's private key

OUTPUTS: Bob 0.70 BTC | Alice 0.29 BTC (change) | Fee: 0.01 BTC

Input sum = Output sum + Fee. Miners collect the fee as reward.

The Halving: Controlled Scarcity

Bitcoin's block reward halves every 210 000 blocks (~4 years). Total supply: exactly 21 000 000 BTC.

$$\text{Total} = 210{,}000 \times 50 \times \sum_{k=0}^{\infty} \frac{1}{2^k} = 10{,}500{,}000 \times 2 = 21{,}000{,}000$$

$$\boxed{\text{Bitcoin} = \text{SHA-256} + \text{Merkle trees} + \text{ECDSA signatures} + \text{Proof of Work} + \text{21 M cap}}$$

Solution 4 — The Stories: From Pizza to Billions 🎓

🍕 The Bitcoin Pizza (22 May 2010)

Laszlo Hanyecz paid 10 000 BTC for two Papa John's pizzas (~$41 at the time). At Bitcoin's all-time high (~$69 000 in November 2021):

$$10{,}000 \times \$69{,}000 = \$690{,}000{,}000$$

$690 million for two pizzas. Every year on 22 May, the crypto community celebrates Bitcoin Pizza Day.

💀 Mt. Gox: When Trust Fails (2014)

Mt. Gox handled ~70 % of all Bitcoin trades. In February 2014, it lost 850 000 BTC (~$450 M) and filed for bankruptcy. The blockchain itself was never hacked — Mt. Gox was a centralised exchange, exactly the kind of trusted intermediary Bitcoin was built to remove.

🕵️ The Silk Road (2011–2013)

Ross Ulbricht ran the Silk Road dark-web marketplace using Bitcoin for payments. The FBI seized 144 000 BTC and Ulbricht was sentenced to life in prison (pardoned in 2025). The lesson: Bitcoin is pseudonymous, not anonymous — every transaction is public.

💡 Ethereum: Programmable Money (2015)

Vitalik Buterin, a 19-year-old from Toronto, asked: what if the blockchain stored programs? These smart contracts execute automatically:

// Pseudocode: a simple bet
contract Bet {
    if (ETH_price > $5000 on Jan 1, 2025) {
        send(Alice, prize);
    } else {
        send(Bob, prize);
    }
}

No judge, no lawyer, no bank. The code IS the contract.

🔓 The DAO Hack (2016)

The DAO raised $150 million in Ethereum. A hacker exploited a smart-contract bug and drained $60 million. The community chose to rewrite history (a hard fork), creating today's Ethereum. The original chain survives as Ethereum Classic.

🌿 The Merge: Proof of Stake (15 September 2022)

Ethereum switched from Proof of Work to Proof of Stake, cutting energy use by 99.95 %. Instead of burning electricity, validators stake their ETH as collateral — honest behaviour earns rewards; dishonesty costs your stake ("slashing").

As of 2025	Value
Total BTC mined	~19.8 million
Remaining to mine	~1.2 million
Estimated lost forever	~3–4 million
Bitcoin energy / month	~10 TWh (≈ Sweden)
Ethereum energy / month (post-Merge)	~0.01 TWh

Summary — The Complete Picture

$$\underbrace{\text{Hash functions}}_{\text{integrity}} + \underbrace{\text{Merkle trees}}_{\text{efficiency}} + \underbrace{\text{Signatures}}_{\text{identity}} + \underbrace{\text{Proof of Work}}_{\text{consensus}} = \underbrace{\text{Blockchain}}_{\text{trust without authority}}$$

Fact	Value
SHA-256 output	256 bits = 64 hex chars
Possible outputs	$2^{256} \approx 10^{77}$
Bitcoin block time	~10 minutes
Total supply	21 000 000 BTC (exactly)
Halving interval	210 000 blocks (~4 years)
Merkle proof for $n$ txns	$\lceil \log_2 n \rceil$ hashes
Genesis Block	3 January 2009
Most expensive pizza	10 000 BTC (22 May 2010)

Extensions & Challenge Problems 🧩

🥉 Bronze

Using $H(n) = (31n+17) \bmod 256$, compute $H(7)$ and $H(8)$. How different are the outputs?
If Block A's hash is a3f1 and Block B stores Prev: a3f1, what happens if Block A's data is changed?
At 3.125 BTC per block and one block every 10 min, how many BTC are created per day?

🥈 Silver

A block has 1 024 transactions. How many hashes does a Merkle proof need? What about 1 000 000?
You need a hash starting with 3 leading hex zeros. Probability per attempt? Expected attempts?
Prove: $210{,}000 \times 50 \times \sum_{k=0}^{\infty} (1/2)^k = 21{,}000{,}000$. Why does the sum converge?

🥇 Gold

Birthday attack: how many hashes to find a collision in a 256-bit hash with 50 % probability? (Use the birthday bound: $\approx \sqrt{2^{256}} = 2^{128}$.)
If an attacker controls 30 % of mining power, what's $P(\text{6 consecutive blocks})$? Feasible?
If the last 2 016 blocks took 3 weeks instead of 2, by what factor should the difficulty change?

🎓 Diamond

On $y^2 = x^3 + 7$ over $\mathbb{F}_{23}$, verify that $(0, \sqrt{7})$ is a point and find its order.
Research the longest-chain rule (Nakamoto consensus). Why does it converge? What assumptions does it need?
Research the DAO re-entrancy attack. Write pseudocode showing the bug and the fix.

Answer Key

🥉 Bronze Answers

$H(7) = (217+17) \bmod 256 = 234$. $H(8) = (248+17) \bmod 256 = 265 \bmod 256 = 9$. Outputs: 234 vs 9 — wildly different for inputs differing by 1.
Block A's hash changes (avalanche effect). Block B's Prev no longer matches → chain is broken → tampering detected.
$24 \text{ h} \times 6 \text{ blocks/h} \times 3.125 = \mathbf{450}$ BTC per day.

🥈 Silver Answers

$\lceil \log_2 1024 \rceil = 10$ hashes. $\lceil \log_2 1{,}000{,}000 \rceil = 20$ hashes.
$P = (1/16)^3 = 1/4096 \approx 0.024\,\%$. Expected attempts: 4 096.
$\sum (1/2)^k = 1/(1-1/2) = 2$. So $210{,}000 \times 50 \times 2 = 21{,}000{,}000$. Converges because $|r| = 1/2 < 1$.

🥇 Gold Answers

Birthday bound: $\approx 1.2 \times \sqrt{2^{256}} = 1.2 \times 2^{128} \approx 4 \times 10^{38}$ hashes. Still astronomically hard.
$P = 0.3^6 = 7.29 \times 10^{-4} \approx 0.073\,\%$. Not feasible — and the honest network extends the main chain faster.
Target: 2 weeks. Actual: 3 weeks. New difficulty $= \text{old} \times (2/3)$ — make it easier so blocks come faster.

⛓️ Trust No One, Trust Everyone — Math Circle Lecture #11 — generated for interactive classroom use.