to understand how it works you need to first read and understand how public key cryptography works:

https://en.wikipedia.org/wiki/Public-key_cryptographyin short, in asymmetric cryptography we have a key pair. a private key (that is kept private) and a public key (that can be revealed publicly). the operation that converts a private key to a public key is irreversible.

in this scheme you can create what is called a "signature" with the private key that can be verified by only having the public key and knowing the message that was signed.

Bob creates a key pair (d,Q) where d is the private key and Q is the public key. he then publishes his public key (Q) publicly. now every time he wants to prove he has access to the private key of that public key he creates a signature (r,s) and publishes the massage he signed alongside the signature.

anybody can use the signature + message + public key to verify if the signature was corrected created.

bitcoin addresses relate to hash of that public key. so when Bob wants to prove he owns an address, he signs a message using his private key and releases his signature. we already know the message (M) + signature (r,s) and can recover his public key (Q) and then hash it to see if it creates the correct address. if it did then the signature is valid and he proved he has access to the private key of the said address.