F O R K I D S

Cryptography: Six Ideas + Two Kinds of Magic

From "squishing a fingerprint" all the way to "figuring out who has more without telling"

How to read: in each section, read the story first, then get your hands dirty with the little experiment below

1Hashing · Squish a Fingerprint

In one line: easy to go in, impossible to come back out.
A blender. Drop an apple into a blender, press the button, and you get a cup of juice. No matter how hard anyone stares at that cup of juice, they can't rebuild the apple — its shape, how many seeds it had. But blend the same apple again and the juice tastes exactly the same.
Apple → juice: super easy. Juice → apple: impossible. That's what "one-way" means.
A fingerprint. Billions of people, and no two have exactly the same fingerprint. Hand someone a fingerprint and they can't tell you who it belongs to; but the moment a suspect shows up, one quick comparison tells you whether it's them. Hashing is like pressing a fingerprint onto data — change one letter, and the whole fingerprint changes.

Why is "no way back" not just hard but actually impossible? Because a hash squishes something of any length down to a fingerprint of the same length. "Hi" and the whole of The Lord of the Rings both squish down to a fingerprint of the same length. Infinitely many different originals get crammed into the same-sized output — so lots of different originals must land on the same fingerprint. That means: given only the fingerprint, there's no single "right answer" to rebuild.

TRY IT · SQUISH A FINGERPRINT

Type in anything, press the button, and watch it "fall into the blender and get spat out as a fingerprint." Then change one character and watch the whole row flip.

apple42 blender hash() a fixed-length fingerprint (always 32 bytes)
Input: apple42
Fingerprint (SHA-256): e2bf5bd014c36f5f427d39946a3d7afc608da41b04c67bb5128a454e95bd5b5a
No matter how long the input is, the fingerprint is always 64 hex characters = 32 bytes.
Try it: change "apple42" to "apple43" and the whole row of color cells and the fingerprint will look totally different — this is called the "avalanche effect." And whether you type 1 character or a whole book, the fingerprint that comes out is always the same length.

2Encryption · The Secret Code on the Battlefield

In one line: you can come back (because you kept the secret code).
Sending a battle order. In a war you need to send the front line an order: "ATTACK." But the messenger might be captured, the letter might be intercepted. What do you do? The general and the front line agree on a number ahead of time — say, 3. Before sending, shift every letter forward by 3: A→D, T→W… so "ATTACK" becomes "DWWDFN."
An enemy who intercepts "DWWDFN" is completely puzzled; the front line knows the secret code is 3, shifts each letter back by 3, and turns it back into ATTACK.

That's encryption: the same agreed-on secret code both locks the order (when sending) and opens it (when reading); an enemy without the code can only stare helplessly. So encryption naturally comes in pairs — where there's a lock there's an open, and both come from one secret code. An "encryption" you can't undo is pointless, because then even your own side can't read it.

This is where it clearly parts ways with hashing:

HashingEncryption
Can you go back?No way backYou can go back
How things line upMany-to-one (info is lost)One-to-one (info is kept)
Is there a secret code / key?No reverse operationThere's a secret code
TRY IT · ENCRYPT A BATTLE ORDER WITH A SECRET CODE

Shifting each letter "forward by a few spots" is an ancient military encryption (the Caesar cipher — legend says Caesar used it to send battle orders). Shift back and it's decoded.

Secret code (shift by):
Notice: with the same secret code you get the original back — something hashing can never do. (Both sides share the same secret code, which is called a "symmetric key" — the opposite of the public/private keys later, where "one is public, one is kept hidden.")

3Commitment · Seal It Now, Open It Later

In one line: decide now, and you can't secretly swap it later.

Commitment isn't a new building block — it's one way of playing with hashing. Back to the guessing game you've played:

I secretly pick the number 42, then post its fingerprint hash(42) for you to see (that's the commitment). You guess. Only after you guess do I reveal the original 42; you squish the fingerprint again and compare — if it matches, I didn't cheat.

The key point: from the fingerprint you can't guess the original (hidden); once I reveal it you can check (binding); and I can't find a different number that produces the same fingerprint (I can't cheat).

Notice one thing that's easy to miss: a commitment doesn't need to be "decrypted." The original is something I choose to show, not something dug out of the fingerprint — a hash can never spit out the original, but a commitment never asked it to.
So the very same "no way back" property is a fatal flaw for encryption, yet a core strength for commitment.

TRY IT · GUESSING GAME, NO TAKEBACKS

Rules: think of a number from 1 to 100 and have a friend guess it. If they guess right they win; if not, you win.
The cheating loophole: if no one's watching, your friend guesses "50," and you can just switch your story to "I was thinking of 51, you lose."
How commitment closes it: at the start you post the hash of your number first (write it on the blackboard); at reveal time you announce the original number, everyone computes the hash and checks it against the blackboard — proving you never changed it from the start.

① Start: think of a number
Try to cheat: change the revealed number to something else (as if trying to weasel out), then check — the hash won't match the blackboard, and you're caught red-handed.

Trust radius: how far can this game reach?

The real power of a commitment is that it pushes "no cheating" farther and farther out, one layer at a time. Click the three lamps below to see how it goes from face-to-face all the way out to the whole world.

TRY IT · LIGHT UP THE TRUST RADIUS
friend you 👁️
Face to face · relying on "I'm watching you"
You and a friend guess numbers face to face. Worried they'll take it back? You just watch them — they write it down, tuck it in an envelope, and as long as your eyes never leave, they can't change it.
What stops cheating: physical supervision (I'm watching you)
City A City B hash
A city apart · relying on "posting the hash"
The other person is in a faraway city and you can't watch them anymore. They first send you the hash of their number (the commitment); after you guess, they send the original number and you compute the hash yourself and compare.
What stops cheating: math watches for you (a mismatch means they changed it)
hash
To the whole world · relying on "anyone can check"
They broadcast the hash to a circle of strangers, and after the reveal every one of them can verify it themselves — nobody has to trust this person.
What stops cheating: anyone can check the math independently
In one line: commitment turns "no cheating" from "I have to watch you" (physical), into "math watches you for me" (at a distance), and finally into "anyone can watch you" (the whole world). You no longer need to trust this person, only to trust math that anyone can check. This idea of "anyone can verify it independently" is the very soul of Bitcoin — strangers make deals not on trust, but on math.
But let's be clear about one thing, so nobody gets confused: Bitcoin uses the idea of "anyone can verify," but it does not use this commitment-style "reveal the original and then check" approach.
  • Commitment: to prove it, you have to reveal the hidden number — and once revealed, it's used up; you can only play one round.
  • Spending Bitcoin: you spend over and over, and you can never reveal your private key even once. It uses signatures — the private key signs, the whole network verifies with the public key, and the private key never appears.
So: commitment teaches us the idea of "anyone can verify"; Bitcoin uses signatures to pull it off even more cleverly — spend money ten thousand times, and the private key never has to show its face. 👉 This "verify without even revealing" magic is Section 5: signatures.

4Public / Private Keys · One Hidden, One Public

In one line: one key for the whole world, one key just in your pocket.

Step one: use a "piggy bank" to get the hang of it

A piggy bank only you can open. On top there's an open coin slot — anyone can drop coins in; on the bottom there's a lock, and the key is only in your hands. You build the piggy bank and set it out for everyone; anyone can drop coins in, but only you can open it and take the money out.
Piggy bankCryptographyKey point
the open coin slotpublic key / addressset out in the open, anyone can drop coins in
the key on the bottomprivate keyonly in your hands, never shown to anyone
others drop coins insend you a paymentdropping coins in needs no key
you open it to take the moneyuse the private key to spendonly you can open it
This is what Bitcoin really looks like. A Bitcoin address is a piggy bank: you build it, post the address, and others send money in; when you want to spend, you use the private key to open the bank. What Bitcoin does all day long is exactly "build a bank to receive money, use the key to open the bank and spend."

Step two: one key can build countless banks

This is where the piggy bank explains things better than a "lock," and it's exactly how Bitcoin really works: your one key can build a whole pile of banks that all look different from each other, and every one of them opens with your one key.

TRY IT · ONE KEY, MANY BANKS: BUILD A ROW, THEN OPEN THEM ALL WITH ONE KEY

Click "build a new bank" a few times and see how different they look; then click "use my key" and see if one key opens them all.

Notice: every bank (address) looks nothing like the others, and outsiders can't tell they belong to the same person — yet your one key opens them all.

Step three: two ideas you absolutely must build

About "what someone can do if they find one of your banks," there are two different things, and telling them apart matters a lot:

IdeaMeaningWhat it protects
① Can't figure out the keywhoever finds one of your banks can't work backward to your key (bank → key: can't be done)others can't steal your money
② Can't tell they're from the same sourcethe hundred banks your one key built — outsiders can't tell they're all one person's, but you can open them allothers can't figure out how much money you have

So a Bitcoin address is used once and then swapped. It's not pointless fuss — even though the key is safe (①), if you always use the same bank to receive all your money, the whole world can see how much goes in and out of that bank (② is broken). Use a fresh bank each time and others can't figure out your stash.

A hook for later: banks naturally don't recognize each other, but if you pour the money from several banks into one new bank, that's like announcing to everyone "these are all mine" — which is exactly what privacy techniques like CoinJoin and change addresses are meant to deal with.

Step four: a bank's "opening conditions" can be designed — this is Script

The neatest thing about the piggy bank: "who, and under what conditions, can open it" can be designed. Behind a Bitcoin address there is really a piece of locking condition that specifies what must be true before it can be spent:

So an address isn't one dead lock, but a "spending-condition contract." Starting from the piggy bank, later on Bitcoin Script is just a smooth extension all the way.

Step five: one thing the piggy bank can't explain — how a private key "gives birth to" a public key

A real bank and its key are made at the same time by the factory; there's no "which gives birth to which." But a real public/private key pair has a direction:

Private key → public key: easy (computed in one step) Public key → private key: almost impossible

And be careful about direction: your key can build countless banks (private key → address, easy going forward); but the other way, whoever finds one of your banks can't work out the key (address → private key, can't be done backward). This "easy to build forward, impossible to figure out backward" is something the piggy bank can't explain — we need a different picture: a special curve, hopping across points on it.

Before looking at the curve, first picture it as a "world with a boundary, like a clock."
This curve doesn't run over endless numbers — it runs inside a fixed upper limit: reach 97 and it wraps back to 0. Picture it as a clock with "only 97 slots" — adding, subtracting, and multiplying are easy enough, but division needs a different phrasing: find a number that, multiplied in, comes out to exactly 1. That "number that multiplies to 1" is called the inverse.
Now the "hopping across points" on the curve isn't so mysterious anymore: the private key = the number of hops, the public key = the point you land on.
There's a special curve with a ring of points on it. Agree on a starting point G, and the rule is "each hop takes you to another point, following the curve's rule." Start from G, hop "private key" times, and the point you land on is the public key, which you make public.
The key thing: these points hop around with no pattern — the 1st is here, the 2nd pops up there, the 3rd shoots way off, looking like a tangled mess.
Private key → public key: you know how many hops, so you just hop along and get there in no time.
Public key → private key: others only see which point you stopped at, and have to work out how many hops you took. But the landing points have no pattern, so there's no shortcut — they can only try 1 hop, 2 hops, 3 hops… one at a time, checking which count lands exactly there.
TRY IT · REAL ELLIPTIC-CURVE HOPPING (PRIVATE KEY → PUBLIC KEY, INSTANT)

Here are 50 points on a real curve y² = x³ + 2x + 3 (mod 97) arranged in a ring. Drag the slider to watch the little figure hop away from G.

G
Private key (how many hops): 7
Public key (landing point): point (10, 76)
Look how messy the trail is — that's exactly why "seeing the endpoint won't tell you how many hops it took."
TRY IT · CRACK IT THE OTHER WAY (PUBLIC KEY → PRIVATE KEY, ONLY BRUTE-FORCE)

Now you're told only the landing point (public key), and the computer tries from hop 1, one at a time, to see which count lands exactly there.

This time the private key is hidden; the public key (landing point) is:
Press "start trying."
This toy curve only has 50 points, so it cracks in a flash. The real Bitcoin curve has about 2 to the 256th power points — same "you can only try one at a time, no shortcut," but every computer in the universe would still be trying at the end of time and never finish. That's why the public key can be public while the private key stays safe.
(Remember? An ordinary computer can only brute-force like this; a quantum computer's trick is that it can hear the hidden "rhythm" in these points and skip the brute force — but that's for a later bonus section.)

The "multiply / factor" here is about public/private keys — and let's tell it apart from hashing while we're at it

Public/private keys' "easy to build forward, impossible to figure out backward" and "multiplying two numbers is easy, splitting them apart is hard" are the same magic:

The easy directionThe hard direction
Multiply version61 × 53 → 32333233 → 61, 53
Hopping versionhow many hops → landing point (public key)landing point → how many hops (private key)

Bitcoin uses the "hopping version" (elliptic curves), but the "multiply version" is plenty for building intuition. Both are: lightning-fast forward, hopeless backward. The piggy bank handles the picture and the usage; the hopping handles the direction and the safety — put the two together and public/private keys are complete.

But let's tell it apart from hashing — their "one-wayness" isn't quite the same:
Public/private keys (multiply / hop)Hashing (the blender)
Easy forward, hard backward?YesYes
Is there a "back door"?Yes → the private key (the matching other half, which can go backward)No → nobody can go back
What it's calledtrapdoor one-way (has a back door)pure one-way (no back door)
In one line: both are "easy forward, hard backward," but public/private keys left a back door (the private key), while hashing doesn't even have a back door. Multiply/factor is the "has a back door" kind (know one factor and you can open it); hashing is the "no back door" kind (nobody can open it). So "multiply/factor is the same magic" only describes public/private keys — hashing is a close cousin, but even more extreme.

Step six: the same key pair works both ways

This key pair can do more than "lock a letter" — it can also "stamp a seal." The two uses point in exactly opposite directions:

Who does itWhich keyPurpose
Encryptionothers → youpublic key locks → private key openssecrecy (only you can read)
Signatureyou → othersprivate key signs → public key verifiesproof (confirm it's you)

Used forward it's "locking a letter" (encryption); used backward it's "stamping a seal" (signature). Key point: Bitcoin barely uses the "encryption" one — on-chain transactions are public; anyone can see how much moved and to whom; what it protects isn't "hiding the contents" but "only I can spend my money." So what Bitcoin uses every day is signatures, not encryption.

A small correction: strictly speaking, a signature isn't "encrypting with the private key" — it's a different, dedicated bit of math. But the picture of "lock a letter forward, stamp a seal backward" is enough to build the intuition.

Bonus · Using a "Fingerprint" as a Keytoward the frontier

A kid's question forces out the reason "signatures" exist.

Someone might ask: isn't a hash also "easy forward, impossible backward"? So could we use it as a public and private key? What a great question — it will lead us all the way to the frontier of cryptography.

Step one: a hash really can be a one-time key

I pick a secret number x at random (private key), compute the fingerprint hash(x), and make it public (public key). Whoever sees the fingerprint can't work backward to x. When I need to prove "I'm the person behind this public key," I reveal x, everyone hashes it, and if it matches → it really is me. This is actually the commitment from Section 3, used as an "ID card."

Step two: we're stuck — and this is exactly the part to really feel

Here's the trouble: to prove it, you have to reveal the secret x; reveal it once and x is burned. Next time you use it, everyone already knows x, and anyone can impersonate you.

Stop and think for a second — hidden here is one of the most important contrasts in the whole book:
  • Hash identity: to prove it, you must dig out the secret itself (reveal) — and one dig ruins it.
  • A real private key: the private key never appears, yet it can prove things over and over.
So a question pops up — is there a way to prove I know a secret without saying the secret out loud? That question is the entire reason digital signatures exist.

Notice the two layers clearly: at the public-key layer, both sides are public (the fingerprint is public / the elliptic-curve public key is also public) — that's not the difference. The whole difference is at the proving layer: hashing makes you reveal the secret along with it, while the private key only reveals a "result computed from the secret." This step is the watershed.

👉 This "prove it while keeping the secret hidden" magic is the next section: signatures.

Want to see the solution? A hash can be turned into a signature too — click for "mini Lamport" ▾

Since one secret can only be used once, just prepare a few more and selectively reveal part of them based on what you want to sign. The mini version below signs "one bit" (answering one yes/no question: 0 or 1). Walk through it yourself:

TRY IT · MINI LAMPORT (A SIGNATURE MADE ONLY FROM FINGERPRINTS)

① Make keys: I secretly stash two secrets — one for "0," one for "1" — and publish their fingerprints as the public key.

Real Lamport signs a whole message, preparing one pair of secrets for each bit (256 bits → 256 pairs), and then uses a "fingerprint tree" (Merkle tree) to string many signatures together — turning "one-time" into being able to sign many times.

Bonus · Why a Quantum Computer Can Crack a Keyplanning ahead

Not a faster computer — one that knows a clever trick nobody else does.

What exactly is a quantum computer? First, clear up three misunderstandings

It's a real machine, not a program. Like the computer on your desk, it's hardware — just with different parts. The key-cracking program (called Shor's) is software running on this machine, and only a quantum machine can run it.

Its parts can be "both 0 and 1." An ordinary computer's smallest unit is a bit, which can only be 0 or 1, like a coin lying flat on the table (heads or tails, nothing in between). A quantum computer's qubit can be in a superposition of 0 and 1, like a coin still spinning, not yet settled — a bit of both. Many spinning coins let you compute many possibilities stacked together at once.

It's not "a faster computer." For gaming, watching videos, doing addition, it's not fast at all — actually slower and more fragile. It has magic only for a tiny handful of special problems.

It's like a special-purpose chip (say, a mining rig), but the source of its "speed" is completely different:
  • A mining rig's speed = brute strength. Copy the same algorithm circuit tens of thousands of times and have them all grind away together. It's still "try one at a time," just with more workers.
  • Quantum's speed = a wild approach. Using "superposition + interference," wrong answers cancel each other out and right answers stack up and amplify, skipping the whole "try one at a time" business.
In one line: a mining rig is ten thousand people brute-forcing at once; quantum is one person who figured out a shortcut that skips the brute force.

How can it crack public/private keys? — it heard the lock's rhythm

Back to the clock track from Section 4: the private key is the number of steps, the public key is the endpoint. An ordinary computer (even ten thousand mining rigs) can only "try 1 step, 2 steps… one at a time," and facing 2 to the 256th power positions, it would be trying until the end of the universe.

But this track hides a secret an ordinary computer can't see: it has a rhythm, it repeats. What a quantum computer is best at is precisely spotting "the repeating rhythm" at a glance — it doesn't try one at a time; it lets all the step-counts run in parallel and interfere with each other, and it shakes out this hidden period directly. Once the rhythm is known, working backward to the private key goes from "trying until the end of time" to "a few steps of math."

An ordinary computer cracks a key by trying one at a time in the dark;
a quantum computer doesn't try — it hears the rhythm of the lock's tumblers turning and cuts a key straight along the rhythm.
A wall you couldn't climb no matter how high you piled brute force gets bypassed by a little side path.

So why isn't hashing afraid? — it's a rhythmless mess

Hashing has no "repeating rhythm" to hear; it's just a mess, with no period and no structure. Quantum's "find the rhythm" skill is useless here, and it's forced back to brute force — and at brute force it's only a little faster than an ordinary computer (a square-root speedup), which you make up for by doubling the fingerprint's length.

Public/private keys (elliptic curve)Hash signatures (Lamport-style)
What's hidden insidea rhythm, a structurea mess, no rhythm
Can quantum crack it?Yes (find the rhythm, take the shortcut)No (no shortcut to find)
How to fix itswitch to new mathjust double the fingerprint length

So the same property works both ways: precisely because a hash is "a mess," you can't go backward, and you can only verify after revealing (the weakness from the last section), and precisely because it's "a mess," quantum can't find a rhythm (the shield of this section).

Three sentences for kids:
  • A quantum computer lets many possibilities run in parallel and uses "wave interference" to amplify the right answer.
  • Public/private keys hide a "repeating rhythm," and quantum is a rhythm-finder → it can be cracked.
  • Hashing is a rhythmless mess, and quantum can find no shortcut → it's not afraid.

In reality quantum computers are still tiny and fragile — that "spinning coin" collapses back into ordinary heads-or-tails the moment it's heated or shaken (called decoherence), and it only works when cooled to near absolute zero and shielded layer upon layer. It's still several orders of magnitude away from actually cracking Bitcoin. But the threat is real, which is why it's worth defending ahead of time with schemes like hash signatures.

5Digital Signature · Anyone Can Check the Seal, but the Ring Stays With You

In one line: everyone can tell you signed it, but nobody can imitate it.

First, get this straight: a handwritten signature actually has two holes

We sign our names on contracts every day, but a handwritten signature isn't actually that reliable — it has two big holes, and these are exactly what digital signatures fix:

Remember these two holes — can be imitated, can be peeled and re-stuck. Below you'll see digital signatures plug each one: "the ring stays with you" plugs imitation, "the signature changes with the contents" plugs peel-and-stick.

The wax-seal ring. In ancient times a king had one unique ring; pressed into wax, it left a mark that was his alone. Everyone in the land had seen what that mark looks like (the public key), so one look told them it was a genuine letter. But the ring itself was locked away with the king (the private key), and no one could make a second one.
The neatest part: the person looking at the mark doesn't need to hold the ring. That's "verify publicly without leaking the secret."
This plugs hole one: there's only one ring, locked away, and nobody can imitate a second one — unlike handwriting, which can be copied.
A stamp + a seal-checking lamp (to make "two keys" crystal clear). You have a one-of-a-kind stamp (private key), and others hold a seal-checking lamp (public key). To stamp you use your stamp, which only you have; anyone who wants to check shines the seal-checking lamp on it — the lamp lights up = genuine stamp. The lamp can only check, not stamp, so handing it to the whole world is harmless; and there's only one stamp, and it's never lent out, even after ten thousand stampings. Everyone shines the lamp to confirm, without touching your stamp — that's why the private key stays hidden forever.

The signature changes with the contents — this plugs hole two

Remember that "peel off the signature page" trick at the start? A handwritten signature can be peeled and re-stuck precisely because it has nothing to do with the contents — it's the same signed anywhere. A digital signature is the opposite: it's computed from your private key together with every single character of this document. Change one character, and the whole signature changes. So a digital signature is welded onto this one document, this one version — you can't peel version A's signature and stick it onto version B (stick it on and it's dead the moment it's checked). And that's how the peel-and-stick hole is plugged.

TRY IT · CHANGE ONE CHARACTER, WATCH THE WHOLE SIGNATURE FLIP

Type and edit in the box, and the signature color bar on the right will flip its whole row in real time — even if you change just one character.

+🔑 private key →
Compare: two sentences that differ by just one character/number, yet the signatures are totally unrelated —
Send 0.5 to Alice
Send 5 to Bob
Change one character and the whole signature is new — so version A's signature, stuck onto version B, is dead the moment it's checked. Can't be peeled off, can't be stuck on.
Two holes, two locks:
  • A handwritten signature can be imitated → a digital signature plugs it with "the ring/stamp stays with you" (no private key, no forging).
  • A handwritten signature can be peeled and re-stuck → a digital signature plugs it with "the signature changes with the contents" (change one character and it's dead, welded to this version).
That's the whole reason a digital signature beats a handwritten one — it plugs each of two old holes.

This is exactly how Bitcoin spends money

When you spend Bitcoin, you use your private key to stamp a seal (a signature) on that transfer: "I, the owner of this address, agree to send this money to so-and-so." The whole network checks the stamp with your public key. On-chain transactions are public, and everyone can see them — but:

TRY IT · A SIGNATURE ISN'T "JUST A HASH" — SEE THE DIFFERENCE

Many people think a signature is just hashing the contents. It isn't. Put the two machines side by side and you'll spot the difference at a glance:

Hash machine one input contents hash fingerprint
Anyone can compute it. You verify by hashing again and comparing.
Signature machine two inputs contents 🔑 private key sign machine signature
Only the private-key holder can do it. The private key and the contents go in together.

See it? The hash machine has only one input, "contents"; the signature machine has an extra "🔑 private key" input. That's the first layer of "signature ≠ hash."

Transfer contents:
Why do we say "only once we had digital signatures could we pay with math"?
Ordinary signatures have been around forever — signing a contract, making your mark, all of that is signing. But an ordinary signature can't do payments: it can be imitated, peeled and re-stuck, and still needs a bank as a middleman to keep the books.
A digital signature is different: it "links" what's signed to your private key, and makes the signature change with every character. So —
  • What's signed is the sentence "Send 0.5 to Alice", bound tight to your private key → it becomes a payment only you can authorize, that can't be changed and can't be denied.
  • A string of numbers alone proves "I authorized spending this money," anyone can verify it, nobody can forge it, and no middleman is needed at any point.
The same action — signing a contract vs. signing a transaction — differs only in this: once what's signed is bound to the private key, and changing one character kills it, an ordinary signature is upgraded into "payment by math."
So — thirty years before Bitcoin, the moment cryptographers had digital signatures, they started seriously discussing "could we build a kind of money made of math." It gave "ownership" and "authorization" their two foundation stones.
But signatures alone are still one step short: they can handle "this money was authorized by me," but not "whether I spent the same money twice" (double-spending). What finally filled that last gap is Bitcoin's timestamped blockchain — but that's another story.
Want the thirty-year mini-history of "money made of math"? Click ▾

Signatures (asymmetric cryptography) existed by 1976–77, thirty years before Bitcoin (2008). The moment we had them, people immediately started chasing "money made of math":

  • 1982 David Chaum: blind signatures, later made into DigiCash / eCash — the earliest serious attempt at digital cash using signatures.
  • 1997 Adam Back: Hashcash (proof of work, later a prototype for mining).
  • 1998 Wei Dai's b-money, Nick Szabo's Bit Gold: designs even closer to Bitcoin.

They all assumed "signatures" as a foundation stone, and were all stuck on the same thing: double-spending. It wasn't until 2008 that Satoshi solved double-spending with "a blockchain of timestamps + proof of work," and the thirty-year puzzle was finally completed. Signatures are a borrowed old building block; the timestamp chain is Bitcoin's true new invention.

Bonus · Signing a Message vs Signing a TransactionCHECKSIG / CSFS

Same seal-checking lamp — but which "sheet of paper" is the stamp on?

A signature was always "stamping a seal on a piece of text"

Signatures were never only for transfers. Their essence is: use a stamp (private key) to stamp a seal on some specified piece of text, and anyone can verify it with the seal-checking lamp (public key). Everyday life is full of it — a teacher stamps "✔read" on this essay, you make your mark on this contract, Apple signs this installer, I attach a signature to this email. The stamped text differs, but the action is the same: stamp with the stamp, check with the lamp, and one changed character kills the stamp.

Signing a transaction vs signing a message: only "who decides that text" differs

Signing a transactionSigning a message
The stamped text isthis transaction itself (to whom, how much…)any piece of text (a price, an "I agree," a number…)
Who specifies that textthe protocol nails it down: to spend, you must sign this transactionyou specify it freely: put down whatever you want to sign

The action (stamp / check) is identical; the only difference is who decides the text being stamped. That one sentence is the whole difference between the two opcodes below.

CHECKSIG vs CSFS — two seal-checking lamps

In Bitcoin Script there are two opcodes that verify signatures, both "seal-checking lamps," differing in which sheet of paper the stamp was made for:

OP_CHECKSIG: a welded-down seal checker — it only accepts "a stamp made on this transaction." The message being signed = this transaction, hard-coded; you can't make it check anything else. So it's born to serve spending: proving "I authorize spending this specific transaction."
OP_CHECKSIGFROMSTACK (CSFS): a universal seal checker — you put any piece of text on the stack, and it checks "was this signature made for this text." The message being signed is freely specified by you (the script), and can be a price, a quote, another transaction, a promise…

CHECKSIG: the lamp is welded to shine only on this transaction | CSFS: whatever you put up, the lamp shines on

TRY IT · SWAP "THE SHEET BEING SIGNED" AND SEE WHICH MACHINE ACCEPTS IT

Pick a "message being signed" and see whether CHECKSIG and CSFS each accept it.

The signed thing is:
OP_CHECKSIG (welded to this transaction)
Pick a message to try
CSFS (universal seal checker)
Pick a message to try

Why this is a big deal

CSFS frees signatures from "can only back this transaction" into "can back any statement," turning signatures into a general-purpose building block:

In one line: CHECKSIG is "a seal checker that only accepts this check," CSFS is "a universal seal checker that verifies any sheet of paper." Precisely because it's universal, a signature is no longer only for spending — it can back any statement at all, which is the root of it being able to assemble more complex contracts (covenants).

6Zero-Knowledge Proof · Prove It's True Without Leaking Why It's Truethis is a machine, not a building block

In one line: you're convinced, yet you got no secret at all.
Ali Baba's cave. You've surely heard "Open sesame." Picture a ring-shaped cave: past the entrance it splits into a left path and a right path, and deep inside they're blocked by a magic stone door that only opens — letting you pass from one side to the other — if you shout the right spell, "Open sesame."
Ali Baba says he knows the spell, but flatly refuses to say it out loud. How can he make you believe he really knows it, without revealing the spell?

The trick is to play a three-step game. Memorize these three steps first — this is the skeleton of every zero-knowledge proof:

① Commit (lock in the choice): Ali Baba first walks into the cave and freely picks the left or right path down to the stone door. Once he's picked he can't take it back — but you at the entrance can't see which side he went.
② Challenge (you make it hard): You shout a direction, say "come out the right side!" You shout it randomly on the spot, so he can't prepare in advance.
③ Respond (he handles it): If he really knows the spell, then no matter which side he went in, he can shout "Open sesame," pass through the stone door, and come out the right side you specified. What if he doesn't know it? He only gets out if he happened to guess right (started out on the right side) — a fifty-fifty chance.

That's the key point, and it's why you have to play over and over: play once, and a cheat has a fifty-fifty chance of getting lucky, so you can't believe him. But each extra round, the cheat has to get lucky again — two rounds 1/4, three rounds 1/8, ten rounds only about one in a thousand… Play twenty rounds and he still comes out each time from the direction you randomly specify, and his chance of bluffing is small enough to ignore, so you're almost certain he really knows the spell. And from start to finish you never heard a single word of the spell.

Why is the "commit" step essential? Because if Ali Baba could hear you finish shouting before deciding which side to go, he could go the right way every time even without knowing the spell — he has to lock in his choice before you shout (①) for your on-the-spot challenge (②) to mean anything. This is exactly the use of the commitment from Section 3: lock in first, no takebacks.

But it's different from the guessing-game commitment: that guessing-game commitment has to be opened publicly at the end; this commitment is never opened from start to finish — he locked in "go left or go right," but that choice is never made public; you only see him come out from the direction you specified.

The watershed between zero-knowledge and the first two ideas — in one line: what you want is "true or false," not "the contents."
  • Not encryption: encryption has to hand the secret back to you, so the endpoint is you knowing the contents; zero-knowledge never lets you know the spell, and all you want is the judgment "he really does know it." (Decryption means you have to know what it originally was; with zero-knowledge, solving the problem is enough — you don't need to know the original.)
  • Not an ordinary commitment: the guessing-game commitment has to reveal the original at the end to check; the cave's commitment is never revealed — he locked in which side he entered, but that choice is never made public from start to finish; you believe him because "he keeps handling your challenges over and over," not because you saw him show his cards.
So zero-knowledge is: you committed, but it's never made public (and there's no hash to reveal), and no encryption is needed either. Follow one line through — encryption lets you "know the contents," commitment lets you "check the contents afterward," zero-knowledge lets you "believe one thing without even touching the contents." The further you go, the less you need to know — that's what the "zero" means: the "knowledge" you get is zero, but the "certainty" you get is full.
TRY IT · ALI BABA'S CAVE: WALK THROUGH ONE ROUND, THEN PLAY MANY IN A ROW
🔒 stone door Left Right entrance (you're here)
First round, step by step:
Uncheck "really knows the spell" to make him guess — you'll see him caught out within a few rounds (he can't come out from the wrong side). That's "repeated challenges → probability closing in on certainty," and not one word of the spell leaked.

7The Millionaires · Find Out Who Has More Without Saying the NumberYao 1982

In one line: we compute together, but nobody shows their hand.

Two millionaires want to know who's richer, but neither wants to say how much money they have. Can we compute just the conclusion "who's richer" without leaking each person's number? This is the Millionaires' Problem posed by Andrew Yao, which opened up a whole field called secure multi-party computation (MPC).

We need a new building block: encryption you can compute on

Homomorphic encryption. Ordinary encryption, once locked, can only be stored; to compute you have to unlock first. "Encryption you can compute on" lets you compute even while it's locked! I lock 5 and 3 into separate boxes, and without opening them, I add the two locked boxes together and get a locked 8. Whoever opens it gets 8, yet at no point did anyone see 5 and 3. That's "still computable after encryption."

It and zero-knowledge are close siblings, but with different jobs

Zero-knowledge proofSecure multi-party computation
How many people have a secretone personmany people, each with their own
What they want to doprove "a statement is true"jointly compute a result
In one lineI prove, you believewe compute together, nobody shows their hand
TRY IT · COMPARE CANDY WITHOUT SAYING THE NUMBER

Two kids each fill in their own candy count (once filled, imagine the other can't see your number). Click once, and only "who has more" pops out.

Mia: Rosie:
The real protocol uses that "encryption you can compute on" math so neither side sees the other's number — here we just show "the result came out, and the numbers were never said out loud."

8Lay Them All Out on One Map

The hidden thread: building block → tool → machine.

All of cryptography is layered. Grab these three layers and everything afterward has a place to hang:

bottom building block
Hashing a one-way fingerprint, neither encryption nor commitment
tools (uses)
Encryption / Commitment / Signature commitments are often built from hashing
advanced building block
Homomorphic encryption computable while locked
machines (protocols)
Zero-knowledge proof / Secure multi-party computation built from the blocks above
ThingIn one lineAnalogyCore property
Hashingone-way fingerprintblender / fingerprintirreversible
Encryptionhide it for a specific person to readbattlefield secret codesecret · reversible
Commitmentlock in first, reveal lateran answer sealed in an envelopebinding
Symmetric keyboth sides share one secret codebattlefield secret code (shared)shared secret
Public/private keysone hidden, one publicpiggy bank / elliptic-curve hoppingone-way pairing
Signatureanyone can check the seal, the ring stays with youstamp + seal-checking lamppublic verification without leaking the secret
Zero-knowledgeprove it's true without leaking why it's truethe maze keyverifiable + zero leakage
Secure multi-party computationcompute together, nobody shows their handcompare sizes without saying the numbercompute jointly + don't leak inputs

Essence reconciliation table · three clean cuts through the three easiest to mix up

Put hashing, public/private-key encryption, and public/private-key signatures side by side, and slice them apart in one go with three questions:

HashingPublic/private · encryptionPublic/private · signature
Easy forward, hard backward?YesYesYes
Is there a reversible
"decrypt" operation?
NoYes
(public key locks → private key opens)
Same family but not secret
(private key signs → public key verifies)
How do you "open / verify"?by revealing the original yourself
then checking (reveal)
by decrypting with the private keyby verifying with the public key
(the private key never appears)

Three essentials to remember:

"Easy forward, hard backward" is the foundation hashing and public/private keys share — hashing is easy forward and hard backward; public/private keys' private key makes the public key easily while going backward is hard. Same magic.

Hashing is not encryption. It has no key and no decrypt step; it only produces a "data fingerprint." To "open" it, the only way is to reveal the original yourself (reveal), not to decrypt with an algorithm.

Hashing's "must be revealed" trait is sometimes a weakness and sometimes a weapon: used as identity/signature → weakness (one-time, which is exactly why real signatures are needed); used as commitment → weapon (revealed only when it should be, otherwise locked down); against quantum → weapon (a rhythmless mess quantum can find no shortcut in). Same property, three scenarios, both sides of the coin.

There's another thread that strings encryption → commitment → zero-knowledge together — "how much you ultimately need to know" decreases all the way down:

EncryptionCommitmentZero-knowledge
What you end up withthe contents themselvescontents you check afterwardonly "true/false"
The endpointyou know the secretyou checked the secretyou never even touched the secret
In one linehand the contents to youlock first, reveal laterdon't give the contents at all, just give you a "convinced"

The further you go, the less you need to know — that's the "zero" of "zero-knowledge": the knowledge you get is zero, and the certainty you get is full.

TRY IT · IDENTIFICATION QUIZ

You'll get a scenario; guess whether it uses hashing, encryption, or commitment. Answer, see if you're right, then click "next."

Question 1 / 5 · score 0
You turn the number 42 into a string that can never be turned back, show it to your opponent, and keep the number to reveal later — to stop them from cheating.