⛓️ Trust No One, Trust Everyone — Blockchains & Bitcoin

Ages: 11–15  ·  Duration: 120 minutes  ·  Topics: Cryptographic hashing, Merkle trees, Proof of work, Game theory, Bitcoin protocol, Ethereum & smart contracts


Part 0 — The Trust Problem (10 min)

The Big Idea

"Imagine you and nine friends play a trading-card game. You trade cards at school, but nobody keeps a fair list. Alex says 'I traded my holo-Charizard to Bella,' and Bella says 'No, Alex still owes me.' Who's right? You need a RECORD everyone trusts. You could ask a teacher to keep the list — but what if the teacher is sick? Or unfair? Or hacked?

Today we build a system where nobody is in charge, yet nobody can cheat. The secret? Mathematics."

The Three Enemies of Trust

EnemyExampleReal-world analogue
ForgeryAlex writes "Bella paid me 10 coins" — but she never didFake bank transfers
TamperingCharlie changes an old record: "I never owed David"Cooking the books
Double-spendingEve sends the same digital coin to both Frank and GraceCopying a file = copying money?
Key Rule: A blockchain is a ledger that nobody owns, everybody can read, and nobody can secretly change — enforced by mathematics, not by authority.

Part 1 — Hash Functions: Digital Fingerprints (≈ 20 min)

What Is a Hash Function?

Every security system needs a way to detect tampering. A cryptographic hash function takes any input — a word, a book, an entire movie — and produces a fixed-size output called a digest (the "digital fingerprint").

PropertyMeaningAnalogy
DeterministicSame input → same hash, alwaysSame person → same fingerprint
FastComputing the hash is quickScanning a fingerprint takes seconds
Avalanche effectChange one bit → ~50 % of output bits flipCompletely different fingerprint
One-wayGiven a hash, you can't find the inputCan't reconstruct a person from a print
Collision-resistantNearly impossible to find two inputs with the same hashNo two people share a fingerprint*

*Fingerprints aren't truly unique, but SHA-256 hashes essentially are: $2^{256} \approx 10^{77}$ possible outputs — roughly the number of atoms in the observable universe.

🔒 Interactive: SHA-256 Hasher

Type anything and watch the hash change. Click Compare to save the current hash and see the avalanche effect.

A Toy Hash (for hand computation)

Real SHA-256 is too complex to compute by hand. Let's invent a toy hash for classroom exploration:

$$H(n) = (31 \times n + 17) \bmod 256$$

Only 256 possible outputs — wildly insecure, but it demonstrates the key properties.

🎲 Interactive: Toy Hash $(31n + 17) \bmod 256$

How Big Is $2^{256}$?

ComparisonApproximate value
SHA-256 outputs$2^{256} \approx 1.16 \times 10^{77}$
Atoms in the observable universe$\approx 10^{80}$
Grains of sand on Earth$\approx 10^{19}$
Seconds since the Big Bang$\approx 4.3 \times 10^{17}$
Intuition: SHA-256 turns any message into one specific grain of sand on a beach the size of the visible universe. Good luck finding two messages that land on the same grain.

Part 2 — Building Blocks: Chains, Trees & Signatures (≈ 25 min)

Step 1: Chaining with Hashes

A blockchain literally chains blocks together using hashes. Each block contains: (1) the hash of the previous block, (2) its own data (transactions), and (3) its own hash — computed from all of the above.

⛓️ Interactive: Blockchain Builder

Add blocks, then try editing one — watch the chain break!

The Tamper-Proof Property: Change one block's data → its hash changes (avalanche effect) → the next block's "previous hash" doesn't match → the entire chain after the tampered block is broken. To fix it, an attacker would need to recompute every subsequent block — while the honest network keeps adding new ones.

Step 2: Merkle Trees — Verifying Without Downloading Everything

What if a block contains 2 000 transactions? Checking one would mean downloading all 2 000. Ralph Merkle (1979) invented a better way: a binary tree of hashes. Each leaf is the hash of a transaction; each internal node is the hash of its two children. The root summarises ALL transactions in 32 bytes.

To prove transaction C is in the block, you only need Hash(D), Hash(AB), and the Root — that's $\lceil \log_2 n \rceil$ hashes instead of $n$.

🌳 Interactive: Merkle Tree Builder

Enter transaction names separated by commas. The tree will show how hashes propagate upward.

Step 3: Digital Signatures

In the Postcard Paradox lecture (#9), we saw public-key cryptography. Bitcoin uses ECDSA (Elliptic Curve Digital Signature Algorithm) on the curve $y^2 = x^3 + 7 \pmod{p}$ (secp256k1).


☕ Break (5 min)


Part 3 — Proof of Work: The Mining Puzzle (≈ 15 min)

The Byzantine Generals Problem

In a network where some participants may be dishonest, how do honest participants agree on a single truth? — Lamport, Shostak & Pease, 1982

Satoshi Nakamoto's brilliant insight: make cheating expensive.

The Mining Puzzle

To add a block, you must find a nonce such that:

$$\text{SHA-256}(\text{block data} \mathbin\Vert \text{nonce}) < \text{target}$$

In practice, this means the hash must start with a certain number of zeros. The more zeros required, the harder the puzzle.

⛏️ Interactive: Mining Simulator

Set difficulty (leading hex zeros) and watch the miner search for a valid nonce.

2

The Probability

With $k$ leading hex zeros required:

$$P(\text{success}) = \frac{1}{16^k} \qquad E[\text{attempts}] = 16^k$$
Leading zeros $k$Expected attemptsTime @ 10 B hashes/s
116Instant
465 536Instant
8$4.3 \times 10^{9}$0.4 seconds
16$1.8 \times 10^{19}$~58 years
Why it works: Finding a nonce is hard (brute force). Verifying is easy (one hash). To rewrite history, an attacker needs more computing power than the entire honest network — the "51 % attack." Proof of work is a lottery where the ticket costs electricity.

Solution 1 — Hash Functions: The Foundation 🥉

Using the toy hash $H(n) = (31n+17) \bmod 256$:

Collision hunt: $H(0) = 17$ and $H(256) = (31 \times 256 + 17) \bmod 256 = 7953 \bmod 256 = 17$. So $H(0) = H(256)$! By the pigeonhole principle, among any 257 inputs at least two must collide (only 256 possible outputs). This is why we need SHA-256 with its $2^{256}$ outputs.

$$\boxed{H(n) = (31n + 17) \bmod 256 \text{ — deterministic, fast, mini-avalanche; but only 256 outputs (insecure!)}}$$

Solution 2 — Mining: The Nonce Lottery 🥈

Mining follows a geometric distribution. With target of $k$ leading hex zeros:

$$P(\text{hit}) = p = \frac{1}{16^k} \qquad E[\text{trials}] = \frac{1}{p} = 16^k \qquad \sigma \approx 16^k$$

The standard deviation is approximately equal to the mean — so actual mining times vary wildly. Sometimes 30 seconds, sometimes 40 minutes, even if the average is 10 minutes.

📊 Interactive: Mining Difficulty Calculator

3
$$\boxed{E[\text{attempts}] = 16^k \text{ where } k = \text{number of leading hex zeros required}}$$

Solution 3 — The Bitcoin Protocol 🥇

The Genesis Block

On 31 October 2008, someone calling themselves Satoshi Nakamoto posted a 9-page paper: "Bitcoin: A Peer-to-Peer Electronic Cash System." Nobody knows who Satoshi is. They mined the first block — the Genesis Block — on 3 January 2009, embedding a newspaper headline:

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"

A message about trust in financial institutions — hidden in the first block of a system designed to replace that trust with mathematics.

The UTXO Model

Bitcoin doesn't track balances. It tracks Unspent Transaction Outputs (UTXOs) — like specific bills in a wallet:

Transaction #247
INPUT: Alice's 1.0 BTC (from Tx #189, output 0) — signed by Alice's private key
OUTPUTS: Bob 0.70 BTC  |  Alice 0.29 BTC (change)  |  Fee: 0.01 BTC

Input sum = Output sum + Fee. Miners collect the fee as reward.

The Halving: Controlled Scarcity

Bitcoin's block reward halves every 210 000 blocks (~4 years). Total supply: exactly 21 000 000 BTC.

$$\text{Total} = 210{,}000 \times 50 \times \sum_{k=0}^{\infty} \frac{1}{2^k} = 10{,}500{,}000 \times 2 = 21{,}000{,}000$$

📈 Interactive: Bitcoin Halving Timeline

Visualises the block reward schedule and cumulative supply approaching the 21 M cap.

$$\boxed{\text{Bitcoin} = \text{SHA-256} + \text{Merkle trees} + \text{ECDSA signatures} + \text{Proof of Work} + \text{21 M cap}}$$

Solution 4 — The Stories: From Pizza to Billions 🎓

🍕 The Bitcoin Pizza (22 May 2010)

Laszlo Hanyecz paid 10 000 BTC for two Papa John's pizzas (~$41 at the time). At Bitcoin's all-time high (~$69 000 in November 2021):

$$10{,}000 \times \$69{,}000 = \$690{,}000{,}000$$

$690 million for two pizzas. Every year on 22 May, the crypto community celebrates Bitcoin Pizza Day.

💀 Mt. Gox: When Trust Fails (2014)

Mt. Gox handled ~70 % of all Bitcoin trades. In February 2014, it lost 850 000 BTC (~$450 M) and filed for bankruptcy. The blockchain itself was never hacked — Mt. Gox was a centralised exchange, exactly the kind of trusted intermediary Bitcoin was built to remove.

🕵️ The Silk Road (2011–2013)

Ross Ulbricht ran the Silk Road dark-web marketplace using Bitcoin for payments. The FBI seized 144 000 BTC and Ulbricht was sentenced to life in prison (pardoned in 2025). The lesson: Bitcoin is pseudonymous, not anonymous — every transaction is public.

💡 Ethereum: Programmable Money (2015)

Vitalik Buterin, a 19-year-old from Toronto, asked: what if the blockchain stored programs? These smart contracts execute automatically:

// Pseudocode: a simple bet
contract Bet {
    if (ETH_price > $5000 on Jan 1, 2025) {
        send(Alice, prize);
    } else {
        send(Bob, prize);
    }
}

No judge, no lawyer, no bank. The code IS the contract.

🔓 The DAO Hack (2016)

The DAO raised $150 million in Ethereum. A hacker exploited a smart-contract bug and drained $60 million. The community chose to rewrite history (a hard fork), creating today's Ethereum. The original chain survives as Ethereum Classic.

🌿 The Merge: Proof of Stake (15 September 2022)

Ethereum switched from Proof of Work to Proof of Stake, cutting energy use by 99.95 %. Instead of burning electricity, validators stake their ETH as collateral — honest behaviour earns rewards; dishonesty costs your stake ("slashing").

As of 2025Value
Total BTC mined~19.8 million
Remaining to mine~1.2 million
Estimated lost forever~3–4 million
Bitcoin energy / month~10 TWh (≈ Sweden)
Ethereum energy / month (post-Merge)~0.01 TWh

Summary — The Complete Picture

$$\underbrace{\text{Hash functions}}_{\text{integrity}} + \underbrace{\text{Merkle trees}}_{\text{efficiency}} + \underbrace{\text{Signatures}}_{\text{identity}} + \underbrace{\text{Proof of Work}}_{\text{consensus}} = \underbrace{\text{Blockchain}}_{\text{trust without authority}}$$
FactValue
SHA-256 output256 bits = 64 hex chars
Possible outputs$2^{256} \approx 10^{77}$
Bitcoin block time~10 minutes
Total supply21 000 000 BTC (exactly)
Halving interval210 000 blocks (~4 years)
Merkle proof for $n$ txns$\lceil \log_2 n \rceil$ hashes
Genesis Block3 January 2009
Most expensive pizza10 000 BTC (22 May 2010)

Extensions & Challenge Problems 🧩

🥉 Bronze

  1. Using $H(n) = (31n+17) \bmod 256$, compute $H(7)$ and $H(8)$. How different are the outputs?
  2. If Block A's hash is a3f1 and Block B stores Prev: a3f1, what happens if Block A's data is changed?
  3. At 3.125 BTC per block and one block every 10 min, how many BTC are created per day?

🥈 Silver

  1. A block has 1 024 transactions. How many hashes does a Merkle proof need? What about 1 000 000?
  2. You need a hash starting with 3 leading hex zeros. Probability per attempt? Expected attempts?
  3. Prove: $210{,}000 \times 50 \times \sum_{k=0}^{\infty} (1/2)^k = 21{,}000{,}000$. Why does the sum converge?

🥇 Gold

  1. Birthday attack: how many hashes to find a collision in a 256-bit hash with 50 % probability? (Use the birthday bound: $\approx \sqrt{2^{256}} = 2^{128}$.)
  2. If an attacker controls 30 % of mining power, what's $P(\text{6 consecutive blocks})$? Feasible?
  3. If the last 2 016 blocks took 3 weeks instead of 2, by what factor should the difficulty change?

🎓 Diamond

  1. On $y^2 = x^3 + 7$ over $\mathbb{F}_{23}$, verify that $(0, \sqrt{7})$ is a point and find its order.
  2. Research the longest-chain rule (Nakamoto consensus). Why does it converge? What assumptions does it need?
  3. Research the DAO re-entrancy attack. Write pseudocode showing the bug and the fix.

Answer Key

🥉 Bronze Answers
  1. $H(7) = (217+17) \bmod 256 = 234$. $H(8) = (248+17) \bmod 256 = 265 \bmod 256 = 9$. Outputs: 234 vs 9 — wildly different for inputs differing by 1.
  2. Block A's hash changes (avalanche effect). Block B's Prev no longer matches → chain is broken → tampering detected.
  3. $24 \text{ h} \times 6 \text{ blocks/h} \times 3.125 = \mathbf{450}$ BTC per day.
🥈 Silver Answers
  1. $\lceil \log_2 1024 \rceil = 10$ hashes. $\lceil \log_2 1{,}000{,}000 \rceil = 20$ hashes.
  2. $P = (1/16)^3 = 1/4096 \approx 0.024\,\%$. Expected attempts: 4 096.
  3. $\sum (1/2)^k = 1/(1-1/2) = 2$. So $210{,}000 \times 50 \times 2 = 21{,}000{,}000$. Converges because $|r| = 1/2 < 1$.
🥇 Gold Answers
  1. Birthday bound: $\approx 1.2 \times \sqrt{2^{256}} = 1.2 \times 2^{128} \approx 4 \times 10^{38}$ hashes. Still astronomically hard.
  2. $P = 0.3^6 = 7.29 \times 10^{-4} \approx 0.073\,\%$. Not feasible — and the honest network extends the main chain faster.
  3. Target: 2 weeks. Actual: 3 weeks. New difficulty $= \text{old} \times (2/3)$ — make it easier so blocks come faster.

⛓️ Trust No One, Trust Everyone — Math Circle Lecture #11 — generated for interactive classroom use.