I always like to explain it in terms of security:

• We need a way to incentivize people to check that the most recent transactions (in the last 10 minutes or so) are valid, and a way to ensure that new blocks are allowed to be added to the database (blockchain). Just like you rely on a secure connection to your bank, and the banks rely on secure connections to each other so that funds can't be intercepted, this sequence of transactions needs a similar amount of security to guard against theft.
• These tasks need to be performed in such a way that can't be gamed by a centralized organization or a group of coordinated actors, because then they could write whatever sequence of transactions & blocks they wished and divert potentially all funds to themselves. We want to make it extremely costly to do that.
• So we need an algorithm or computer program that anybody in the whole can run that allows them to 1) organize the most recent transactions 2) factor in the solution from the previous block and 3) combine them in such a way that produces a solution to a new puzzle unique to those inputs. It's very difficult to solve this new puzzle, but it's easy to verify that it's correct. This asymmetry is the basis of modern cryptography and is what virtually guarantees the integrity of the transaction history.
• The people running this program need to produce a block roughly every ten minutes, so as computers get faster with technological advancements and the number of running this program increases, the algorithm needs to be periodically adjusted so that new blocks are added on that schedule.

solving a randomly generated, big ass rubik cube. the miners are solving it, each on their own, turning sections and getting it to the right position. and once completed, the miner yells 'done!' and shows the nodes. its frivolous for nodes to confirm it was solved correctly as its obvious that all sides are the right color. then, onto the next cube

I’ve used the math problem example many times. I usually get asked “but what is the problem for?” I think people have a hard time understanding that the goal is to provide a way to convert energy to Bitcoin at a (roughly) regulated rate.

I've also used that explanation before, but I've found a new one that's more technically accurate and easier to understand. Computers compete with each other to find a unique identifier, which must have a variable number of leading zeros.

IMO The best mental model for conveying proof of work to a layman is to explain it as a lottery game, where you have to guess a magic number to win.

The magic number is very large, completely random, and unknowable beforehand. The only viable strategy is to guess randomly until you get it.

That is an easy enough game for anyone understand, though it sounds like the most boring game on earth.

However, one upside is that you can guess as much as you want, as quickly as you can handle. So it makes better sense to play this game using a computer, where essentially the most computation wins.

It is also the simplest and fastest provably fair lottery system that you can play amongst computers. There are no ways to cheat and no central authority conducting the lottery. It's just a game of math and computation that a network of computers can play.

So while this lottery may be the most boring game on earth to humans, it can provide great utility for computer networks, and it happens to scale incredibly well.

The greatest example of course (in hindsight) is to run a peer-to-peer decentralized banking system, where computers can compete in the lottery to make updates to the central ledger, in a way that's provably fair across the network.

But another good example is spam prevention, where the lottery is kept fairly easy to play for a single round, but scales very poorly for multiple rounds (i.e a spam attack). Proof-of-work was invented originally for this use-case.

I hope this helps.

Proof of work is like starting a live stream, writing some viewer comments on a basketball, and trying to make full-court shots backwards. You keep trying until the ball gets in and once you make it, you number the ball and repeat the process with a new ball. Let's say everyone who got their comment on a ball sends some money to an escrow you can only spend after 100 balls are made after it.

Now if someone else comes into the stream while you're trying to get ball 64 in and does the same process of writing the comments and shooting backwards, then they can start stealing escrowed funds. For example, if they started from ball 63 and got ball 64 in, they would be entitled to the escrows for both balls (63 and 64). In that case the original person could focus on ball 65 and get a new escrow, or he can try his luck at overtaking the second person from ball 63 again.

In this example the balls are blocks, the comments are transactions, the miners are players, and the escrow is the combined fees and subsidy. Shooting balls is the equivalent of mining with sha256 and the winning block hash (with preimage) is like the video of the ball going in (the thing produced that shows you did the work).

I didn't add a difficulty adjustment in my analogy, but let's say when the commenters see too many balls get in the hoop too quickly, the commenters stop giving money until the basket is moved even farther from the players.

Hands down a Rubik cube metaphore.

Does anyone remember peercoin?

I say it's more like becoming a partner in the Bitcoin Revolution while maintaining the security and ethics for Bitcoin.