From "squishing a fingerprint" all the way to "figuring out who has more without telling"
How to read: in each section, read the story first, then get your hands dirty with the little experiment below
1Hashing · Squish a Fingerprint
In one line: easy to go in, impossible to come back out.
A blender. Drop an apple into a blender, press the button, and you get a cup of juice. No matter how hard anyone
stares at that cup of juice, they can't rebuild the apple — its shape, how many seeds it had. But blend the same apple
again and the juice tastes exactly the same.
Apple → juice: super easy. Juice → apple: impossible. That's what "one-way" means.
A fingerprint. Billions of people, and no two have exactly the same fingerprint. Hand someone a fingerprint and
they can't tell you who it belongs to; but the moment a suspect shows up, one quick comparison tells you whether it's them.
Hashing is like pressing a fingerprint onto data — change one letter, and the whole fingerprint changes.
Why is "no way back" not just hard but actually impossible? Because a hash squishes something of any length
down to a fingerprint of the same length. "Hi" and the whole of The Lord of the Rings both squish down to a fingerprint
of the same length. Infinitely many different originals get crammed into the same-sized output — so lots of different originals
must land on the same fingerprint. That means: given only the fingerprint, there's no single "right answer" to rebuild.
TRY IT · SQUISH A FINGERPRINT
Type in anything, press the button, and watch it "fall into the blender and get spat out as a fingerprint." Then change one character and watch the whole row flip.
Input: apple42 Fingerprint (SHA-256): e2bf5bd014c36f5f427d39946a3d7afc608da41b04c67bb5128a454e95bd5b5a No matter how long the input is, the fingerprint is always 64 hex characters = 32 bytes.
Try it: change "apple42" to "apple43" and the whole row of color cells and the fingerprint will look totally different — this is called the "avalanche effect."
And whether you type 1 character or a whole book, the fingerprint that comes out is always the same length.
2Encryption · The Secret Code on the Battlefield
In one line: you can come back (because you kept the secret code).
Sending a battle order. In a war you need to send the front line an order: "ATTACK." But the messenger might
be captured, the letter might be intercepted. What do you do? The general and the front line agree on a number ahead of
time — say, 3. Before sending, shift every letter forward by 3: A→D, T→W… so "ATTACK" becomes "DWWDFN."
An enemy who intercepts "DWWDFN" is completely puzzled; the front line knows the secret code is 3, shifts each letter back
by 3, and turns it back into ATTACK.
That's encryption: the same agreed-on secret code both locks the order (when sending) and opens it (when reading); an
enemy without the code can only stare helplessly.
So encryption naturally comes in pairs — where there's a lock there's an open, and both come from one secret code.
An "encryption" you can't undo is pointless, because then even your own side can't read it.
This is where it clearly parts ways with hashing:
Hashing
Encryption
Can you go back?
No way back
You can go back
How things line up
Many-to-one (info is lost)
One-to-one (info is kept)
Is there a secret code / key?
No reverse operation
There's a secret code
TRY IT · ENCRYPT A BATTLE ORDER WITH A SECRET CODE
Shifting each letter "forward by a few spots" is an ancient military encryption (the Caesar cipher — legend says Caesar used it to send battle orders). Shift back and it's decoded.
Secret code (shift by):
Notice: with the same secret code you get the original back — something hashing can never do.
(Both sides share the same secret code, which is called a "symmetric key" — the opposite of the public/private keys later, where "one is public, one is kept hidden.")
3Commitment · Seal It Now, Open It Later
In one line: decide now, and you can't secretly swap it later.
Commitment isn't a new building block — it's one way of playing with hashing. Back to the guessing game you've played:
I secretly pick the number 42, then post its fingerprint hash(42) for you to see (that's the commitment).
You guess. Only after you guess do I reveal the original 42; you squish the fingerprint again and compare — if it matches, I didn't cheat.
The key point: from the fingerprint you can't guess the original (hidden); once I reveal it you can check (binding);
and I can't find a different number that produces the same fingerprint (I can't cheat).
Notice one thing that's easy to miss: a commitment doesn't need to be "decrypted." The original is something I
choose to show, not something dug out of the fingerprint — a hash can never spit out the original, but a commitment
never asked it to.
So the very same "no way back" property is a fatal flaw for encryption, yet a core strength for commitment.
TRY IT · GUESSING GAME, NO TAKEBACKS
Rules: think of a number from 1 to 100 and have a friend guess it. If they guess right they win; if not, you win. The cheating loophole: if no one's watching, your friend guesses "50," and you can just switch your story to "I was thinking of 51, you lose." How commitment closes it: at the start you post the hash of your number first (write it on the blackboard); at reveal time you announce the original number, everyone computes the hash and checks it against the blackboard — proving you never changed it from the start.
① Start: think of a number
② Friend has guessed, ③ you reveal: you say the number you were thinking of was
Try to cheat: change the revealed number to something else (as if trying to weasel out), then check — the hash won't match the blackboard, and you're caught red-handed.
Trust radius: how far can this game reach?
The real power of a commitment is that it pushes "no cheating" farther and farther out, one layer at a time. Click the three lamps below to see how it goes from face-to-face all the way out to the whole world.
TRY IT · LIGHT UP THE TRUST RADIUS
①
Face to face · relying on "I'm watching you"
You and a friend guess numbers face to face. Worried they'll take it back? You just watch them — they write it down, tuck it in an envelope, and as long as your eyes never leave, they can't change it. What stops cheating: physical supervision (I'm watching you)
②
A city apart · relying on "posting the hash"
The other person is in a faraway city and you can't watch them anymore. They first send you the hash of their number (the commitment); after you guess, they send the original number and you compute the hash yourself and compare. What stops cheating: math watches for you (a mismatch means they changed it)
③
To the whole world · relying on "anyone can check"
They broadcast the hash to a circle of strangers, and after the reveal every one of them can verify it themselves — nobody has to trust this person. What stops cheating: anyone can check the math independently
In one line: commitment turns "no cheating" from "I have to watch you" (physical), into "math watches you for me" (at a distance),
and finally into "anyone can watch you" (the whole world). You no longer need to trust this person, only to trust math that anyone can check.
This idea of "anyone can verify it independently" is the very soul of Bitcoin — strangers make deals not on trust, but on math.
But let's be clear about one thing, so nobody gets confused: Bitcoin uses the idea of "anyone can verify," but it does not use this commitment-style "reveal the original and then check" approach.
Commitment: to prove it, you have to reveal the hidden number — and once revealed, it's used up; you can only play one round.
Spending Bitcoin: you spend over and over, and you can never reveal your private key even once. It uses signatures — the private key signs, the whole network verifies with the public key, and the private key never appears.
So: commitment teaches us the idea of "anyone can verify"; Bitcoin uses signatures to pull it off even more cleverly —
spend money ten thousand times, and the private key never has to show its face. 👉 This "verify without even revealing" magic is Section 5: signatures.
4Public / Private Keys · One Hidden, One Public
In one line: one key for the whole world, one key just in your pocket.
Step one: use a "piggy bank" to get the hang of it
A piggy bank only you can open. On top there's an open coin slot — anyone can drop coins in;
on the bottom there's a lock, and the key is only in your hands. You build the piggy bank and set it out for everyone;
anyone can drop coins in, but only you can open it and take the money out.
Piggy bank
Cryptography
Key point
the open coin slot
public key / address
set out in the open, anyone can drop coins in
the key on the bottom
private key
only in your hands, never shown to anyone
others drop coins in
send you a payment
dropping coins in needs no key
you open it to take the money
use the private key to spend
only you can open it
This is what Bitcoin really looks like. A Bitcoin address is a piggy bank: you build it, post the address,
and others send money in; when you want to spend, you use the private key to open the bank. What Bitcoin does all day long is exactly "build a bank to receive money, use the key to open the bank and spend."
Step two: one key can build countless banks
This is where the piggy bank explains things better than a "lock," and it's exactly how Bitcoin really works:
your one key can build a whole pile of banks that all look different from each other, and every one of them opens with your one key.
One wallet, countless addresses: a real Bitcoin wallet derives thousands of addresses from a single seed, all managed by your one master key.
"One key opens many banks" is literally what it is.
A fresh bank each time: precisely because you can build countless banks, you can use a new one every time you receive money, which is crucial for privacy (coming up next).
TRY IT · ONE KEY, MANY BANKS: BUILD A ROW, THEN OPEN THEM ALL WITH ONE KEY
Click "build a new bank" a few times and see how different they look; then click "use my key" and see if one key opens them all.
Notice: every bank (address) looks nothing like the others, and outsiders can't tell they belong to the same person — yet your one key opens them all.
Step three: two ideas you absolutely must build
About "what someone can do if they find one of your banks," there are two different things, and telling them apart matters a lot:
Idea
Meaning
What it protects
① Can't figure out the key
whoever finds one of your banks can't work backward to your key (bank → key: can't be done)
others can't steal your money
② Can't tell they're from the same source
the hundred banks your one key built — outsiders can't tell they're all one person's, but you can open them all
others can't figure out how much money you have
So a Bitcoin address is used once and then swapped. It's not pointless fuss — even though the key is safe (①), if you always use the same bank to receive all your money,
the whole world can see how much goes in and out of that bank (② is broken). Use a fresh bank each time and others can't figure out your stash.
A hook for later: banks naturally don't recognize each other, but if you pour the money from several banks into one new bank, that's like announcing to everyone "these are all mine" —
which is exactly what privacy techniques like CoinJoin and change addresses are meant to deal with.
Step four: a bank's "opening conditions" can be designed — this is Script
The neatest thing about the piggy bank: "who, and under what conditions, can open it" can be designed. Behind a Bitcoin address there is really a piece of
locking condition that specifies what must be true before it can be spent:
an ordinary bank = "whoever has this key can open it" (single-sig)
a safe that needs two keys turned together = multisig (say, 2-of-3)
a timed bank that only opens on a certain day = timelock
a bank that opens only for the right secret word = hashlock (the cornerstone of the Lightning Network)
So an address isn't one dead lock, but a "spending-condition contract." Starting from the piggy bank, later on Bitcoin Script is just a smooth extension all the way.
Step five: one thing the piggy bank can't explain — how a private key "gives birth to" a public key
A real bank and its key are made at the same time by the factory; there's no "which gives birth to which." But a real public/private key pair has a direction:
Private key → public key: easy (computed in one step)Public key → private key: almost impossible
And be careful about direction: your key can build countless banks (private key → address, easy going forward);
but the other way, whoever finds one of your banks can't work out the key (address → private key, can't be done backward).
This "easy to build forward, impossible to figure out backward" is something the piggy bank can't explain — we need a different picture: a special curve, hopping across points on it.
Before looking at the curve, first picture it as a "world with a boundary, like a clock."
This curve doesn't run over endless numbers — it runs inside a fixed upper limit: reach 97 and it wraps back to 0. Picture it as a clock with "only 97 slots" —
adding, subtracting, and multiplying are easy enough, but division needs a different phrasing: find a number that, multiplied in, comes out to exactly 1. That "number that multiplies to 1" is called the inverse.
Now the "hopping across points" on the curve isn't so mysterious anymore: the private key = the number of hops, the public key = the point you land on.
There's a special curve with a ring of points on it. Agree on a starting point G, and the rule is "each hop takes you to another point, following the curve's rule."
Start from G, hop "private key" times, and the point you land on is the public key, which you make public.
The key thing: these points hop around with no pattern — the 1st is here, the 2nd pops up there, the 3rd shoots way off, looking like a tangled mess. Private key → public key: you know how many hops, so you just hop along and get there in no time. Public key → private key: others only see which point you stopped at, and have to work out how many hops you took. But the landing points have no pattern,
so there's no shortcut — they can only try 1 hop, 2 hops, 3 hops… one at a time, checking which count lands exactly there.
TRY IT · REAL ELLIPTIC-CURVE HOPPING (PRIVATE KEY → PUBLIC KEY, INSTANT)
Here are 50 points on a real curve y² = x³ + 2x + 3 (mod 97) arranged in a ring. Drag the slider to watch the little figure hop away from G.
Private key (how many hops): 7
Public key (landing point): point (10, 76)
Look how messy the trail is — that's exactly why "seeing the endpoint won't tell you how many hops it took."
TRY IT · CRACK IT THE OTHER WAY (PUBLIC KEY → PRIVATE KEY, ONLY BRUTE-FORCE)
Now you're told only the landing point (public key), and the computer tries from hop 1, one at a time, to see which count lands exactly there.
This time the private key is hidden; the public key (landing point) is: —
Press "start trying."
This toy curve only has 50 points, so it cracks in a flash. The real Bitcoin curve has
about 2 to the 256th power points — same "you can only try one at a time, no shortcut," but every computer in the universe would still be trying at the end of time and never finish.
That's why the public key can be public while the private key stays safe.
(Remember? An ordinary computer can only brute-force like this; a quantum computer's trick is that it can hear the hidden "rhythm" in these points and skip the brute force — but that's for a later bonus section.)
The "multiply / factor" here is about public/private keys — and let's tell it apart from hashing while we're at it
Public/private keys' "easy to build forward, impossible to figure out backward" and "multiplying two numbers is easy, splitting them apart is hard" are the same magic:
The easy direction
The hard direction
Multiply version
61 × 53 → 3233
3233 → 61, 53
Hopping version
how many hops → landing point (public key)
landing point → how many hops (private key)
Bitcoin uses the "hopping version" (elliptic curves), but the "multiply version" is plenty for building intuition. Both are: lightning-fast forward, hopeless backward.
The piggy bank handles the picture and the usage; the hopping handles the direction and the safety — put the two together and public/private keys are complete.
But let's tell it apart from hashing — their "one-wayness" isn't quite the same:
Public/private keys (multiply / hop)
Hashing (the blender)
Easy forward, hard backward?
Yes
Yes
Is there a "back door"?
Yes → the private key (the matching other half, which can go backward)
No → nobody can go back
What it's called
trapdoor one-way (has a back door)
pure one-way (no back door)
In one line: both are "easy forward, hard backward," but public/private keys left a back door (the private key), while hashing doesn't even have a back door.
Multiply/factor is the "has a back door" kind (know one factor and you can open it); hashing is the "no back door" kind (nobody can open it).
So "multiply/factor is the same magic" only describes public/private keys — hashing is a close cousin, but even more extreme.
Step six: the same key pair works both ways
This key pair can do more than "lock a letter" — it can also "stamp a seal." The two uses point in exactly opposite directions:
Who does it
Which key
Purpose
Encryption
others → you
public key locks → private key opens
secrecy (only you can read)
Signature
you → others
private key signs → public key verifies
proof (confirm it's you)
Used forward it's "locking a letter" (encryption); used backward it's "stamping a seal" (signature).
Key point: Bitcoin barely uses the "encryption" one — on-chain transactions are public; anyone can see how much moved and to whom;
what it protects isn't "hiding the contents" but "only I can spend my money." So what Bitcoin uses every day is signatures, not encryption.
A small correction: strictly speaking, a signature isn't "encrypting with the private key" — it's a different, dedicated bit of math. But the picture of "lock a letter forward, stamp a seal backward"
is enough to build the intuition.
★Bonus · Using a "Fingerprint" as a Keytoward the frontier
A kid's question forces out the reason "signatures" exist.
Someone might ask: isn't a hash also "easy forward, impossible backward"? So could we use it as a public and private key?
What a great question — it will lead us all the way to the frontier of cryptography.
Step one: a hash really can be a one-time key
I pick a secret number x at random (private key), compute the fingerprint hash(x), and make it public (public key).
Whoever sees the fingerprint can't work backward to x. When I need to prove "I'm the person behind this public key," I reveal x,
everyone hashes it, and if it matches → it really is me. This is actually the commitment from Section 3, used as an "ID card."
Step two: we're stuck — and this is exactly the part to really feel
Here's the trouble: to prove it, you have to reveal the secret x; reveal it once and x is burned.
Next time you use it, everyone already knows x, and anyone can impersonate you.
Stop and think for a second — hidden here is one of the most important contrasts in the whole book:
Hash identity: to prove it, you must dig out the secret itself (reveal) — and one dig ruins it.
A real private key: the private key never appears, yet it can prove things over and over.
So a question pops up — is there a way to prove I know a secret without saying the secret out loud?
That question is the entire reason digital signatures exist.
Notice the two layers clearly: at the public-key layer, both sides are public (the fingerprint is public / the elliptic-curve public key is also public) — that's not the difference.
The whole difference is at the proving layer: hashing makes you reveal the secret along with it, while the private key only reveals a "result computed from the secret."
This step is the watershed.
👉 This "prove it while keeping the secret hidden" magic is the next section: signatures.
Want to see the solution? A hash can be turned into a signature too — click for "mini Lamport" ▾
Since one secret can only be used once, just prepare a few more and selectively reveal part of them based on what you want to sign.
The mini version below signs "one bit" (answering one yes/no question: 0 or 1). Walk through it yourself:
TRY IT · MINI LAMPORT (A SIGNATURE MADE ONLY FROM FINGERPRINTS)
① Make keys: I secretly stash two secrets — one for "0," one for "1" — and publish their fingerprints as the public key.
② Sign: the answer I want to sign is —
Signing = revealing only "the secret for that answer," while the other stays hidden.
③ Verify: anyone hashes the secret I revealed and checks whether it matches that slot in the public key.
Real Lamport signs a whole message, preparing one pair of secrets for each bit (256 bits → 256 pairs),
and then uses a "fingerprint tree" (Merkle tree) to string many signatures together — turning "one-time" into being able to sign many times.
★Bonus · Why a Quantum Computer Can Crack a Keyplanning ahead
Not a faster computer — one that knows a clever trick nobody else does.
What exactly is a quantum computer? First, clear up three misunderstandings
It's a real machine, not a program. Like the computer on your desk, it's hardware — just with different parts. The key-cracking program (called Shor's)
is software running on this machine, and only a quantum machine can run it.
Its parts can be "both 0 and 1." An ordinary computer's smallest unit is a bit, which can only be 0 or 1, like a coin lying flat on the table (heads or tails, nothing in between).
A quantum computer's qubit can be in a superposition of 0 and 1, like a coin still spinning, not yet settled — a bit of both.
Many spinning coins let you compute many possibilities stacked together at once.
It's not "a faster computer." For gaming, watching videos, doing addition, it's not fast at all — actually slower and more fragile.
It has magic only for a tiny handful of special problems.
It's like a special-purpose chip (say, a mining rig), but the source of its "speed" is completely different:
A mining rig's speed = brute strength. Copy the same algorithm circuit tens of thousands of times and have them all grind away together. It's still "try one at a time," just with more workers.
Quantum's speed = a wild approach. Using "superposition + interference," wrong answers cancel each other out and right answers stack up and amplify, skipping the whole "try one at a time" business.
In one line: a mining rig is ten thousand people brute-forcing at once; quantum is one person who figured out a shortcut that skips the brute force.
How can it crack public/private keys? — it heard the lock's rhythm
Back to the clock track from Section 4: the private key is the number of steps, the public key is the endpoint. An ordinary computer (even ten thousand mining rigs) can only "try 1 step, 2 steps… one at a time,"
and facing 2 to the 256th power positions, it would be trying until the end of the universe.
But this track hides a secret an ordinary computer can't see: it has a rhythm, it repeats.
What a quantum computer is best at is precisely spotting "the repeating rhythm" at a glance — it doesn't try one at a time; it lets all the step-counts run in parallel and interfere with each other,
and it shakes out this hidden period directly. Once the rhythm is known, working backward to the private key goes from "trying until the end of time" to "a few steps of math."
An ordinary computer cracks a key by trying one at a time in the dark;
a quantum computer doesn't try — it hears the rhythm of the lock's tumblers turning and cuts a key straight along the rhythm.
A wall you couldn't climb no matter how high you piled brute force gets bypassed by a little side path.
So why isn't hashing afraid? — it's a rhythmless mess
Hashing has no "repeating rhythm" to hear; it's just a mess, with no period and no structure.
Quantum's "find the rhythm" skill is useless here, and it's forced back to brute force — and at brute force it's only a little faster than an ordinary computer (a square-root speedup),
which you make up for by doubling the fingerprint's length.
Public/private keys (elliptic curve)
Hash signatures (Lamport-style)
What's hidden inside
a rhythm, a structure
a mess, no rhythm
Can quantum crack it?
Yes (find the rhythm, take the shortcut)
No (no shortcut to find)
How to fix it
switch to new math
just double the fingerprint length
So the same property works both ways: precisely because a hash is "a mess," you can't go backward, and you can only verify after revealing (the weakness from the last section),
and precisely because it's "a mess," quantum can't find a rhythm (the shield of this section).
Three sentences for kids:
A quantum computer lets many possibilities run in parallel and uses "wave interference" to amplify the right answer.
Public/private keys hide a "repeating rhythm," and quantum is a rhythm-finder → it can be cracked.
Hashing is a rhythmless mess, and quantum can find no shortcut → it's not afraid.
In reality quantum computers are still tiny and fragile — that "spinning coin" collapses back into ordinary heads-or-tails the moment it's heated or shaken (called decoherence),
and it only works when cooled to near absolute zero and shielded layer upon layer. It's still several orders of magnitude away from actually cracking Bitcoin. But the threat is real, which is why it's worth defending ahead of time with schemes like hash signatures.
5Digital Signature · Anyone Can Check the Seal, but the Ring Stays With You
In one line: everyone can tell you signed it, but nobody can imitate it.
First, get this straight: a handwritten signature actually has two holes
We sign our names on contracts every day, but a handwritten signature isn't actually that reliable — it has two big holes, and these are exactly what digital signatures fix:
Hole one: it can be imitated. Someone can practice your handwriting and copy it pretty well, and the person checking might not tell real from fake.
Hole two: it can be "peeled off and stuck elsewhere." The name you sign on a contract and the name you sign on an IOU look exactly the same —
because the signature has nothing to do with the contents. So someone can peel off the page you signed and stick it onto a different document:
"You clearly signed version A, so how did it end up approving version B?" And you can't explain your way out.
Remember these two holes — can be imitated, can be peeled and re-stuck. Below you'll see digital signatures plug each one:
"the ring stays with you" plugs imitation, "the signature changes with the contents" plugs peel-and-stick.
The wax-seal ring. In ancient times a king had one unique ring; pressed into wax, it left a mark that was his alone.
Everyone in the land had seen what that mark looks like (the public key), so one look told them it was a genuine letter. But the ring itself was locked away with the king (the private key), and no one could make a second one.
The neatest part: the person looking at the mark doesn't need to hold the ring. That's "verify publicly without leaking the secret."
This plugs hole one: there's only one ring, locked away, and nobody can imitate a second one — unlike handwriting, which can be copied.
A stamp + a seal-checking lamp (to make "two keys" crystal clear). You have a one-of-a-kind stamp (private key),
and others hold a seal-checking lamp (public key). To stamp you use your stamp, which only you have; anyone who wants to check shines the seal-checking lamp on it — the lamp lights up = genuine stamp.
The lamp can only check, not stamp, so handing it to the whole world is harmless; and there's only one stamp, and it's never lent out, even after ten thousand stampings.
Everyone shines the lamp to confirm, without touching your stamp — that's why the private key stays hidden forever.
The signature changes with the contents — this plugs hole two
Remember that "peel off the signature page" trick at the start? A handwritten signature can be peeled and re-stuck precisely because it has nothing to do with the contents — it's the same signed anywhere.
A digital signature is the opposite: it's computed from your private key together with every single character of this document. Change one character, and the whole signature changes.
So a digital signature is welded onto this one document, this one version — you can't peel version A's signature and stick it onto version B (stick it on and it's dead the moment it's checked).
And that's how the peel-and-stick hole is plugged.
TRY IT · CHANGE ONE CHARACTER, WATCH THE WHOLE SIGNATURE FLIP
Type and edit in the box, and the signature color bar on the right will flip its whole row in real time — even if you change just one character.
+🔑 private key →
Compare: two sentences that differ by just one character/number, yet the signatures are totally unrelated —
Send 0.5 to Alice
Send 5 to Bob
Change one character and the whole signature is new — so version A's signature, stuck onto version B, is dead the moment it's checked. Can't be peeled off, can't be stuck on.
Two holes, two locks:
A handwritten signature can be imitated → a digital signature plugs it with "the ring/stamp stays with you" (no private key, no forging).
A handwritten signature can be peeled and re-stuck → a digital signature plugs it with "the signature changes with the contents" (change one character and it's dead, welded to this version).
That's the whole reason a digital signature beats a handwritten one — it plugs each of two old holes.
This is exactly how Bitcoin spends money
When you spend Bitcoin, you use your private key to stamp a seal (a signature) on that transfer: "I, the owner of this address, agree to send this money to so-and-so."
The whole network checks the stamp with your public key. On-chain transactions are public, and everyone can see them — but:
Nobody can forge your stamp (without your private key, you can't produce a stamp that passes) → unforgeable; others can't steal or impersonate.
Change one character and the stamp is void (the signature changes with the contents) → nobody can move your "Send 0.5 to Alice" signature onto "Send 5 to Bob."
You can't deny it afterward either (the stamp is ironclad proof) → non-repudiable; you can't say "I never signed."
TRY IT · A SIGNATURE ISN'T "JUST A HASH" — SEE THE DIFFERENCE
Many people think a signature is just hashing the contents. It isn't. Put the two machines side by side and you'll spot the difference at a glance:
Hash machineone input
Anyone can compute it. You verify by hashing again and comparing.
Signature machinetwo inputs
Only the private-key holder can do it. The private key and the contents go in together.
See it? The hash machine has only one input, "contents"; the signature machine has an extra "🔑 private key" input. That's the first layer of "signature ≠ hash."
Transfer contents:
Check the seal: feed contents + signature + 🔓 public key into the seal-checking lamp, and if the lamp lights up it's genuine.
Note: there's no private key inside the lamp, and it doesn't re-create the signature — it just runs a gate check.
Why do we say "only once we had digital signatures could we pay with math"?
Ordinary signatures have been around forever — signing a contract, making your mark, all of that is signing. But an ordinary signature can't do payments: it can be imitated, peeled and re-stuck, and still needs a bank as a middleman to keep the books. A digital signature is different: it "links" what's signed to your private key, and makes the signature change with every character. So —
What's signed is the sentence "Send 0.5 to Alice", bound tight to your private key → it becomes a payment only you can authorize, that can't be changed and can't be denied.
A string of numbers alone proves "I authorized spending this money," anyone can verify it, nobody can forge it, and no middleman is needed at any point.
The same action — signing a contract vs. signing a transaction — differs only in this: once what's signed is bound to the private key, and changing one character kills it, an ordinary signature is upgraded into "payment by math."
So — thirty years before Bitcoin, the moment cryptographers had digital signatures, they started seriously discussing "could we build a kind of money made of math."
It gave "ownership" and "authorization" their two foundation stones.
But signatures alone are still one step short: they can handle "this money was authorized by me," but not "whether I spent the same money twice" (double-spending).
What finally filled that last gap is Bitcoin's timestamped blockchain — but that's another story.
Want the thirty-year mini-history of "money made of math"? Click ▾
Signatures (asymmetric cryptography) existed by 1976–77, thirty years before Bitcoin (2008). The moment we had them, people immediately started chasing "money made of math":
1982 David Chaum: blind signatures, later made into DigiCash / eCash — the earliest serious attempt at digital cash using signatures.
1997 Adam Back: Hashcash (proof of work, later a prototype for mining).
1998 Wei Dai's b-money, Nick Szabo's Bit Gold: designs even closer to Bitcoin.
They all assumed "signatures" as a foundation stone, and were all stuck on the same thing: double-spending. It wasn't until 2008 that Satoshi solved double-spending with
"a blockchain of timestamps + proof of work," and the thirty-year puzzle was finally completed.
Signatures are a borrowed old building block; the timestamp chain is Bitcoin's true new invention.
★Bonus · Signing a Message vs Signing a TransactionCHECKSIG / CSFS
Same seal-checking lamp — but which "sheet of paper" is the stamp on?
A signature was always "stamping a seal on a piece of text"
Signatures were never only for transfers. Their essence is: use a stamp (private key) to stamp a seal on some specified piece of text, and anyone can verify it with the seal-checking lamp (public key).
Everyday life is full of it — a teacher stamps "✔read" on this essay, you make your mark on this contract, Apple signs this installer, I attach a signature to this email.
The stamped text differs, but the action is the same: stamp with the stamp, check with the lamp, and one changed character kills the stamp.
Signing a transaction vs signing a message: only "who decides that text" differs
Signing a transaction
Signing a message
The stamped text is
this transaction itself (to whom, how much…)
any piece of text (a price, an "I agree," a number…)
Who specifies that text
the protocol nails it down: to spend, you must sign this transaction
you specify it freely: put down whatever you want to sign
The action (stamp / check) is identical; the only difference is who decides the text being stamped. That one sentence is the whole difference between the two opcodes below.
CHECKSIG vs CSFS — two seal-checking lamps
In Bitcoin Script there are two opcodes that verify signatures, both "seal-checking lamps," differing in which sheet of paper the stamp was made for:
OP_CHECKSIG: a welded-down seal checker — it only accepts "a stamp made on this transaction."
The message being signed = this transaction, hard-coded; you can't make it check anything else. So it's born to serve spending: proving "I authorize spending this specific transaction."
OP_CHECKSIGFROMSTACK (CSFS): a universal seal checker — you put any piece of text on the stack,
and it checks "was this signature made for this text." The message being signed is freely specified by you (the script), and can be a price, a quote, another transaction, a promise…
CHECKSIG: the lamp is welded to shine only on this transaction | CSFS: whatever you put up, the lamp shines on
TRY IT · SWAP "THE SHEET BEING SIGNED" AND SEE WHICH MACHINE ACCEPTS IT
Pick a "message being signed" and see whether CHECKSIG and CSFS each accept it.
The signed thing is:
OP_CHECKSIG (welded to this transaction)
Pick a message to try
CSFS (universal seal checker)
Pick a message to try
Why this is a big deal
CSFS frees signatures from "can only back this transaction" into "can back any statement," turning signatures into a general-purpose building block:
Bring in external facts: an oracle stamps a seal on "BTC = $100k," and a script verifies it with CSFS → bringing an off-chain fact onto the chain.
Signatures can be referenced/reused: because it signs a standalone piece of text, not a particular transaction, the same signature can be referenced elsewhere too.
Assemble a covenant: have a script check "a certain promised text was correctly signed," without relying on the transaction itself —
combined with opcodes that can assemble messages (like CAT), you can constrain "money can only be spent in a certain way."
In one line: CHECKSIG is "a seal checker that only accepts this check," CSFS is "a universal seal checker that verifies any sheet of paper."
Precisely because it's universal, a signature is no longer only for spending — it can back any statement at all, which is the root of it being able to assemble more complex contracts (covenants).
6Zero-Knowledge Proof · Prove It's True Without Leaking Why It's Truethis is a machine, not a building block
In one line: you're convinced, yet you got no secret at all.
Ali Baba's cave. You've surely heard "Open sesame." Picture a ring-shaped cave: past the entrance it splits into a left path and a right path,
and deep inside they're blocked by a magic stone door that only opens — letting you pass from one side to the other — if you shout the right spell, "Open sesame."
Ali Baba says he knows the spell, but flatly refuses to say it out loud. How can he make you believe he really knows it, without revealing the spell?
The trick is to play a three-step game. Memorize these three steps first — this is the skeleton of every zero-knowledge proof:
① Commit (lock in the choice): Ali Baba first walks into the cave and freely picks the left or right path down to the stone door.
Once he's picked he can't take it back — but you at the entrance can't see which side he went.
② Challenge (you make it hard): You shout a direction, say "come out the right side!" You shout it randomly on the spot, so he can't prepare in advance.
③ Respond (he handles it): If he really knows the spell, then no matter which side he went in, he can shout "Open sesame," pass through the stone door, and come out the right side you specified.
What if he doesn't know it? He only gets out if he happened to guess right (started out on the right side) — a fifty-fifty chance.
That's the key point, and it's why you have to play over and over: play once, and a cheat has a fifty-fifty chance of getting lucky, so you can't believe him.
But each extra round, the cheat has to get lucky again — two rounds 1/4, three rounds 1/8, ten rounds only about one in a thousand…
Play twenty rounds and he still comes out each time from the direction you randomly specify, and his chance of bluffing is small enough to ignore, so you're almost certain he really knows the spell.
And from start to finish you never heard a single word of the spell.
Why is the "commit" step essential? Because if Ali Baba could hear you finish shouting before deciding which side to go, he could go the right way every time even without knowing the spell —
he has to lock in his choice before you shout (①) for your on-the-spot challenge (②) to mean anything. This is exactly the use of the commitment from Section 3: lock in first, no takebacks.
But it's different from the guessing-game commitment: that guessing-game commitment has to be opened publicly at the end; this commitment is never opened from start to finish —
he locked in "go left or go right," but that choice is never made public; you only see him come out from the direction you specified.
The watershed between zero-knowledge and the first two ideas — in one line: what you want is "true or false," not "the contents."
Not encryption: encryption has to hand the secret back to you, so the endpoint is you knowing the contents; zero-knowledge never lets you know the spell,
and all you want is the judgment "he really does know it." (Decryption means you have to know what it originally was; with zero-knowledge, solving the problem is enough — you don't need to know the original.)
Not an ordinary commitment: the guessing-game commitment has to reveal the original at the end to check; the cave's commitment is never revealed —
he locked in which side he entered, but that choice is never made public from start to finish; you believe him because "he keeps handling your challenges over and over," not because you saw him show his cards.
So zero-knowledge is: you committed, but it's never made public (and there's no hash to reveal), and no encryption is needed either.
Follow one line through — encryption lets you "know the contents," commitment lets you "check the contents afterward," zero-knowledge lets you "believe one thing without even touching the contents."
The further you go, the less you need to know — that's what the "zero" means: the "knowledge" you get is zero, but the "certainty" you get is full.
TRY IT · ALI BABA'S CAVE: WALK THROUGH ONE ROUND, THEN PLAY MANY IN A ROW
First round, step by step:
② You shout a direction (challenge):
Got it? Play many rounds in a row and watch your confidence climb:
Confidence: 0%
Uncheck "really knows the spell" to make him guess — you'll see him caught out within a few rounds (he can't come out from the wrong side).
That's "repeated challenges → probability closing in on certainty," and not one word of the spell leaked.
7The Millionaires · Find Out Who Has More Without Saying the NumberYao 1982
In one line: we compute together, but nobody shows their hand.
Two millionaires want to know who's richer, but neither wants to say how much money they have. Can we compute just the conclusion "who's richer"
without leaking each person's number? This is the Millionaires' Problem posed by Andrew Yao, which opened up a whole field called
secure multi-party computation (MPC).
We need a new building block: encryption you can compute on
Homomorphic encryption. Ordinary encryption, once locked, can only be stored; to compute you have to unlock first.
"Encryption you can compute on" lets you compute even while it's locked! I lock 5 and 3 into separate boxes, and without opening them, I add the two locked boxes together
and get a locked 8. Whoever opens it gets 8, yet at no point did anyone see 5 and 3. That's "still computable after encryption."
It and zero-knowledge are close siblings, but with different jobs
Zero-knowledge proof
Secure multi-party computation
How many people have a secret
one person
many people, each with their own
What they want to do
prove "a statement is true"
jointly compute a result
In one line
I prove, you believe
we compute together, nobody shows their hand
TRY IT · COMPARE CANDY WITHOUT SAYING THE NUMBER
Two kids each fill in their own candy count (once filled, imagine the other can't see your number). Click once, and only "who has more" pops out.
Mia:
Rosie:
The real protocol uses that "encryption you can compute on" math so neither side sees the other's number — here we just show "the result came out, and the numbers were never said out loud."
8Lay Them All Out on One Map
The hidden thread: building block → tool → machine.
All of cryptography is layered. Grab these three layers and everything afterward has a place to hang:
bottom building block
Hashing a one-way fingerprint, neither encryption nor commitment
tools (uses)
Encryption / Commitment / Signature commitments are often built from hashing
advanced building block
Homomorphic encryption computable while locked
machines (protocols)
Zero-knowledge proof / Secure multi-party computation built from the blocks above
Thing
In one line
Analogy
Core property
Hashing
one-way fingerprint
blender / fingerprint
irreversible
Encryption
hide it for a specific person to read
battlefield secret code
secret · reversible
Commitment
lock in first, reveal later
an answer sealed in an envelope
binding
Symmetric key
both sides share one secret code
battlefield secret code (shared)
shared secret
Public/private keys
one hidden, one public
piggy bank / elliptic-curve hopping
one-way pairing
Signature
anyone can check the seal, the ring stays with you
stamp + seal-checking lamp
public verification without leaking the secret
Zero-knowledge
prove it's true without leaking why it's true
the maze key
verifiable + zero leakage
Secure multi-party computation
compute together, nobody shows their hand
compare sizes without saying the number
compute jointly + don't leak inputs
Essence reconciliation table · three clean cuts through the three easiest to mix up
Put hashing, public/private-key encryption, and public/private-key signatures side by side, and slice them apart in one go with three questions:
Hashing
Public/private · encryption
Public/private · signature
Easy forward, hard backward?
Yes
Yes
Yes
Is there a reversible "decrypt" operation?
No
Yes (public key locks → private key opens)
Same family but not secret (private key signs → public key verifies)
How do you "open / verify"?
by revealing the original yourself then checking (reveal)
by decrypting with the private key
by verifying with the public key (the private key never appears)
Three essentials to remember:
① "Easy forward, hard backward" is the foundation hashing and public/private keys share — hashing is easy forward and hard backward; public/private keys' private key makes the public key easily while going backward is hard. Same magic.
② Hashing is not encryption. It has no key and no decrypt step; it only produces a "data fingerprint." To "open" it, the only way is to reveal the original yourself (reveal), not to decrypt with an algorithm.
③ Hashing's "must be revealed" trait is sometimes a weakness and sometimes a weapon: used as identity/signature → weakness (one-time, which is exactly why real signatures are needed); used as commitment → weapon (revealed only when it should be, otherwise locked down); against quantum → weapon (a rhythmless mess quantum can find no shortcut in). Same property, three scenarios, both sides of the coin.
There's another thread that strings encryption → commitment → zero-knowledge together — "how much you ultimately need to know" decreases all the way down:
Encryption
Commitment
Zero-knowledge
What you end up with
the contents themselves
contents you check afterward
only "true/false"
The endpoint
you know the secret
you checked the secret
you never even touched the secret
In one line
hand the contents to you
lock first, reveal later
don't give the contents at all, just give you a "convinced"
The further you go, the less you need to know — that's the "zero" of "zero-knowledge": the knowledge you get is zero, and the certainty you get is full.
TRY IT · IDENTIFICATION QUIZ
You'll get a scenario; guess whether it uses hashing, encryption, or commitment. Answer, see if you're right, then click "next."
Question 1 / 5 · score 0
You turn the number 42 into a string that can never be turned back, show it to your opponent, and keep the number to reveal later — to stop them from cheating.