I’ve used the math problem example many times. I usually get asked “but what is the problem for?” I think people have a hard time understanding that the goal is to provide a way to convert energy to Bitcoin at a (roughly) regulated rate.

I always like to explain it in terms of security:

solving a randomly generated, big ass rubik cube. the miners are solving it, each on their own, turning sections and getting it to the right position. and once completed, the miner yells 'done!' and shows the nodes. its frivolous for nodes to confirm it was solved correctly as its obvious that all sides are the right color. then, onto the next cube

I've also used that explanation before, but I've found a new one that's more technically accurate and easier to understand. Computers compete with each other to find a unique identifier, which must have a variable number of leading zeros.

Proof of work is like starting a live stream, writing some viewer comments on a basketball, and trying to make full-court shots backwards. You keep trying until the ball gets in and once you make it, you number the ball and repeat the process with a new ball. Let's say everyone who got their comment on a ball sends some money to an escrow you can only spend after 100 balls are made after it.

Now if someone else comes into the stream while you're trying to get ball 64 in and does the same process of writing the comments and shooting backwards, then they can start stealing escrowed funds. For example, if they started from ball 63 and got ball 64 in, they would be entitled to the escrows for both balls (63 and 64). In that case the original person could focus on ball 65 and get a new escrow, or he can try his luck at overtaking the second person from ball 63 again.

In this example the balls are blocks, the comments are transactions, the miners are players, and the escrow is the combined fees and subsidy. Shooting balls is the equivalent of mining with sha256 and the winning block hash (with preimage) is like the video of the ball going in (the thing produced that shows you did the work).

I didn't add a difficulty adjustment in my analogy, but let's say when the commenters see too many balls get in the hoop too quickly, the commenters stop giving money until the basket is moved even farther from the players.

IMO The best mental model for conveying proof of work to a layman is to explain it as a lottery game, where you have to guess a magic number to win.

The magic number is very large, completely random, and unknowable beforehand. The only viable strategy is to guess randomly until you get it.

That is an easy enough game for anyone understand, though it sounds like the most boring game on earth.

However, one upside is that you can guess as much as you want, as quickly as you can handle. So it makes better sense to play this game using a computer, where essentially the most computation wins.

It is also the simplest and fastest provably fair lottery system that you can play amongst computers. There are no ways to cheat and no central authority conducting the lottery. It's just a game of math and computation that a network of computers can play.

So while this lottery may be the most boring game on earth to humans, it can provide great utility for computer networks, and it happens to scale incredibly well.

The greatest example of course (in hindsight) is to run a peer-to-peer decentralized banking system, where computers can compete in the lottery to make updates to the central ledger, in a way that's provably fair across the network.

But another good example is spam prevention, where the lottery is kept fairly easy to play for a single round, but scales very poorly for multiple rounds (i.e a spam attack). Proof-of-work was invented originally for this use-case.

I hope this helps.

Hands down a Rubik cube metaphore.

Does anyone remember peercoin?

I say it's more like becoming a partner in the Bitcoin Revolution while maintaining the security and ethics for Bitcoin.