The problem of course is the payee can't verify that one of the owners did not double-spend the

coin. A common solution is to introduce a trusted central authority, or mint, that checks every
transaction for double spending. After each transaction, the coin must be returned to the mint to
issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent.
The problem with this solution is that the fate of the entire money system depends on the company
running the mint, with every transaction having to go through them, just like a bank.
We need a way for the payee to know that the previous owners did not sign any earlier
transactions. For our purposes, the earliest transaction is the one that counts, so we don't care
about later attempts to double-spend. The only way to confirm the absence of a transaction is to be
aware of all transactions. In the mint based model, the mint was aware of all transactions and
decided which arrived first. To accomplish this without a trusted party, transactions must be
publicly announced [1], and we need a system for participants to agree on a single history of the
order in which they were received. The payee needs proof that at the time of each transaction, the
majority of nodes agreed it was the first received.

1. Timestamp Server
The solution we propose begins with a timestamp server. A timestamp server works by taking a
hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper
or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously,
in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming
a chain, with each additional timestamp reinforcing the ones before it.
Hash Hash

Block Block

Item Item ... Item Item ...

2. Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a
proofof-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts.
The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the
hash begins with a number of zero bits. The average work required is exponential in the number
of zero bits required and can be verified by executing a single hash.
For our timestamp network, we implement the proof-of-work by incrementing a nonce in the
block until a value is found that gives the block's hash the required zero bits. Once the CPU effort
has been expended to make it satisfy the proof-of-work, the block cannot be changed without

1
redoing the work. As later blocks are chained after it, the work to change the block would include
redoing all the blocks after it.
Block Block

Prev Hash Nonce Prev Hash Nonce

Tx Tx ... Tx Tx ...

The proof-of-work also solves the problem of determining representation in majority decision
making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone
able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision
is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a
majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and
outpace any competing chains. To modify a past block, an attacker would have to redo the proof-
of-work of the block and all blocks after it and then catch up with and surpass the work of the
honest nodes. We will show later that the probability of a slower attacker catching up diminishes
exponentially as subsequent blocks are added.
To compensate for increasing hardware speed and varying interest in running nodes over time,
the proof-of-work difficulty is determined by a moving average targeting an average number of
blocks per hour. If they're generated too fast, the difficulty increases.

3. Network
The steps to run the network are as follows:

1) New transactions are broadcast to all nodes.

2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the
chain, using the hash of the accepted block as the previous hash.

Nodes always consider the longest chain to be the correct one and will keep working on
extending it. If two nodes broadcast different versions of the next block simultaneously, some
nodes may receive one or the other first. In that case, they work on the first one they received, but
save the other branch in case it becomes longer. The tie will be broken when the next proofof-
work is found and one branch becomes longer; the nodes that were working on the other branch
will then switch to the longer one.
New Het probleem is natuurlijk dat de begunstigde niet kan verifiëren dat een van de
eigenaren de munt niet dubbel heeft uitgegeven. Een veel voorkomende oplossing is
het introduceren van een vertrouwde centrale autoriteit, of munt, die elke transactie
controleert op dubbele uitgaven. Na elke transactie moet de munt worden
teruggestuurd naar de munt om een nieuwe munt uit te geven, en alleen munten die
rechtstreeks van de munt zijn uitgegeven, worden vertrouwd om niet dubbel te
worden uitgegeven. Het probleem met deze oplossing is dat het lot van het hele
geldsysteem afhangt van het bedrijf dat de munt runt, waarbij elke transactie er
doorheen moet, net als een bank. We hebben een manier nodig voor de begunstigde
om te weten dat de vorige eigenaren geen eerdere transacties hebben ondertekend.

2
Voor onze doeleinden is de vroegste transactie degene die telt, dus we geven niet
om latere pogingen om dubbele uitgaven uit te geven. De enige manier om de
afwezigheid van een transactie te bevestigen, is door op de hoogte te zijn van alle
transacties. In het op munt gebaseerde model was de munt op de hoogte van alle
transacties en besliste welke als eerste aankwam. Om dit te bereiken zonder een
vertrouwde partij, moeten transacties openbaar worden aangekondigd [1], en we
hebben een systeem nodig waarin deelnemers het eens kunnen worden over een
enkele geschiedenis van de volgorde waarin ze zijn ontvangen. De begunstigde heeft
bewijs nodig dat op het moment van elke transactie de meerderheid van de
knooppunten ermee instemde dat het de eerste was die werd ontvangen.
Tijdstempelserver De oplossing die wij voorstellen begint met een tijdstempelserver.
Een tijdstempelserver werkt door een hash van een blok items te nemen dat een
tijdstempel moet worden opgedragen en de hash op grote schaal te publiceren,
zoals in een krant of Usenet-bericht [2-5]. De tijdstempel bewijst dat de gegevens op
dat moment natuurlijk al moeten bestaan om in de hash te komen. Elke tijdstempel
bevat de vorige tijdstempel in de hash en vormt een keten, waarbij elke extra
tijdstempel de vorige versterkt. Proof-of-Work Om een gedistribueerde
tijdstempelserver op peer-to-peer-basis te implementeren, moeten we een proofof-
work-systeem gebruiken dat vergelijkbaar is met Hashcash [6] van Adam Back, in
plaats van kranten- of Usenet-berichten. De proof-of-work omvat het scannen naar
een waarde die bij gehasht, zoals bij SHA-256, de hash begint met een aantal nulbits.
Het gemiddelde vereiste werk is exponentieel in het aantal vereiste nul bits en kan
worden geverifieerd door een enkele hash uit te voeren. Voor ons tijdstempelnetwerk
implementeren we de proof-of-work door een nonce in het blok te verhogen totdat
een waarde is gevonden die de hash van het blok de vereiste nul bits geeft. Zodra de
CPU-inspanning is besteed om het te laten voldoen aan de proof-of-work, kan het
blok niet worden gewijzigd zonder het werk opnieuw te doen. Omdat latere blokken
erna worden geketend, zou het werk om het blok te veranderen het opnieuw doen
van alle blokken erna omvatten. De proof-of-work lost ook het probleem op van het
bepalen van vertegenwoordiging in meerderheidsbesluitvorming. Als de meerderheid
gebaseerd zou zijn op één-IP-adres-één-stem, zou deze kunnen worden ondermijnd
door iedereen die in staat is om veel IP's toe te wijzen. Proof-of-work is in wezen
één-CPU-één-stem. De meerderheidsbeslissing wordt vertegenwoordigd door de
langste keten, die de g
By convention, the first transaction in a block is a special transaction that starts a new coin
owned by the creator of the block. This adds an incentive for nodes to support the network, and
provides a way to initially distribute coins into circulation, since there is no central authority to
issue them. The steady addition of a constant of amount of new coins is analogous to gold miners
expending resources to add gold to circulation. In our case, it is CPU time and electricity that is
expended.

The incentive can also be funded with transaction fees. If the output value of a transaction is
less than its input value, the difference is a transaction fee that is added to the incentive value of

3
the block containing the transaction. Once a predetermined number of coins have entered
circulation, the incentive can transition entirely to transaction fees and be completely inflation free.
The incentive may help encourage nodes to stay honest. If a greedy attacker is able to
assemble more CPU power than all the honest nodes, he would have to choose between using it to
defraud people by stealing back his payments, or using it to generate new coins. He ought to find
it more profitable to play by the rules, such rules that favour him with more new coins than
everyone else combined, than to undermine the system and the validity of his own wealth.

4. Reclaiming Disk Space

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it
can be discarded to save disk space. To facilitate this without breaking the block's hash,
transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash.
Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not
need to be stored.
Block Block
Block Header (Block Hash) Block Header (Block Hash)

Prev Hash Nonce Prev Hash Nonce

Root Hash Root Hash

Hash01 Hash23 Hash01 Hash23

Hash0 Hash1 Hash2 Hash3 Hash2 Hash3

Tx0 Tx1 Tx2 Tx3 Tx3

Transactions Hashed in a Merkle Tree After Pruning Tx0-2 from the Block

A block header with no transactions would be about 80 bytes. If we suppose blocks are
generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems
typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of
1.2GB per year, storage should not be a problem even if the block headers must be kept in
memory.
5. Simplified Payment Verification
It is possible to verify payments without running a full network node. A user only needs to keep a
copy of the block headers of the longest proof-of-work chain, which he can get by querying
network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking
the transaction to the block it's timestamped in. He can't check the transaction for himself, but by
linking it to a place in the chain, he can see that a network node has accepted it, and blocks added
after it further confirm the network has accepted it.

4
 Longest Proof-of-Work Chain

Block Header Block Header Block Header

Prev Hash Nonce Prev Hash Nonce Prev Hash Nonce

Merkle Root Merkle Root Merkle Root

Hash01 Hash23

Merkle Branch for Tx3

Hash2 Hash3

Tx3

As such, the verification is reliable as long as honest nodes control the network, but is more
vulnerable if the network is overpowered by an attacker. While network nodes can verify
transactions for themselves, the simplified method can be fooled by an attacker's fabricated
transactions for as long as the attacker can continue to overpower the network. One strategy to
protect against this would be to accept alerts from network nodes when they detect an invalid
block, prompting the user's software to download the full block and alerted transactions to confirm
the inconsistency. Businesses that receive frequent payments will probably still want to run their
own nodes for more independent security and quicker verification.

6. Combining and Splitting Value

Although it would be possible to handle coins individually, it would be unwieldy to make a
separate transaction for every cent in a transfer. To allow value to be split and combined,
transactions contain multiple inputs and outputs. Normally there will be either a single input from
a larger previous transaction or multiple inputs combining smaller amounts, and at most two
outputs: one for the payment, and one returning the change, if any, back to the sender.
Transaction

In Out

In ...

...

It should be noted that fan-out, where a transaction depends on several transactions, and those
transactions depend on many more, is not a problem here. There is never the need to extract a
complete standalone copy of a transaction's history.
7. Privacy
The traditional banking model achieves a level of privacy by limiting access to information to the
parties involved and the trusted third party. The necessity to announce all transactions publicly
precludes this method, but privacy can still be maintained by breaking the flow of information in
another place: by keeping public keys anonymous. The public can see that someone is sending an
amount to someone else, but without information linking the transaction to anyone. This is similar
to the level of information released by stock exchanges, where the time and size of individual
trades, the "tape", is made public, but without telling who the parties were.

5
 Traditional Privacy Model

Trusted
Identities Transactions Public Counterparty
Third Party

New Privacy Model

Identities Transactions Public

As an additional firewall, a new key pair should be used for each transaction to keep them from
being linked to a common owner. Some linking is still unavoidable with multi-input transactions,
which necessarily reveal that their inputs were owned by the same owner. The risk is that if the
owner of a key is revealed, linking could reveal other transactions that belonged to the same
owner.

8. Calculations
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest
chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such
as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not
going to accept an invalid transaction as payment, and honest nodes will never accept a block
containing them. An attacker can only try to change one of his own transactions to take back
money he recently spent.
The race between the honest chain and an attacker chain can be characterized as a Binomial
Random Walk. The success event is the honest chain being extended by one block, increasing its
lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the
gap by -1.
The probability of an attacker catching up from a given deficit is analogous to a Gambler's
Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an
infinite number of trials to try to reach breakeven. We can calculate the probability he ever
reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:

p = probability an honest node finds the next block

q = probability the attacker finds the next block
qz = probability the attacker will ever catch up from z blocks behind

qz=1 z
{
if p≤q }
q/ p if pq
Given our assumption that p > q, the probability drops exponentially as the number of blocks the
attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky
lunge forward early on, his chances become vanishingly small as he falls further behind.
We now consider how long the recipient of a new transaction needs to wait before being
sufficiently certain the sender can't change the transaction. We assume the sender is an attacker
who wants to make the recipient believe he paid him for a while, then switch it to pay back to
himself after some time has passed. The receiver will be alerted when that happens, but the sender
hopes it will be too late.

6
 The receiver generates a new key pair and gives the public key to the sender shortly before
signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it
continuously until he is lucky enough to get far enough ahead, then executing the transaction at
that moment. Once the transaction is sent, the dishonest sender starts working in secret on a
parallel chain containing an alternate version of his transaction.
The recipient waits until the transaction has been added to a block and z blocks have been
linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming
the honest blocks took the average expected time per block, the attacker's potential progress will
be a Poisson distribution with expected value:

q
=z
p

To get the probability the attacker could still catch up now, we multiply the Poisson density for
each amount of progress he could have made by the probability he could catch up from that point:

z−k

if

k≤z } k=0 k! 1 if

kz

Rearranging to avoid summing the infinite tail of the distribution...

∑z k e− 1−q/ pz−k

1− k=0
k!

Converting to C code...
#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
double p = 1.0 - q;
double lambda = z * (q / p);
double sum = 1.0; int i, k;
for (k = 0; k <= z; k++)
{

7
 double poisson = exp(-lambda);
for (i = 1; i <= k; i++)
poisson *= lambda / i;
sum -= poisson * (1 - pow(q / p, z - k));
}
return sum;
}
Running some results, we can see the probability drop off exponentially with z.
q=0.1 z=0
P=1.0000000 z=1
P=0.2045873 z=2
P=0.0509779 z=3
P=0.0131722 z=4
P=0.0034552 z=5
P=0.0009137 z=6
P=0.0002428 z=7
P=0.0000647 z=8
P=0.0000173 z=9
P=0.0000046 z=10
P=0.0000012

q=0.3 z=0
P=1.0000000 z=5
P=0.1773523 z=10
P=0.0416605 z=15
P=0.0101008 z=20
P=0.0024804 z=25
P=0.0006132 z=30
P=0.0001522 z=35
P=0.0000379 z=40
P=0.0000095 z=45
P=0.0000024 z=50
P=0.0000006

Solving for P less than 0.1%...

P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340

9. Conclusion
We have proposed a system for electronic transactions without relying on trust. We started with
the usual framework of coins made from digital signatures, which provides strong control of
ownership, but is incomplete without a way to prevent double-spending. To solve this, we
proposed a peer-to-peer network using proof-of-work to record a public history of transactions that
quickly becomes computationally impractical for an attacker to change if honest nodes control a
majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at
once with little coordination. They do not need to be identified, since messages are not routed to
any particular place and only need to be delivered on a best effort basis. Nodes can leave and
rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they
were gone. They vote with their CPU power, expressing their acceptance of valid blocks by

8
working on extending them and rejecting invalid blocks by refusing to work on them. Any needed
rules and incentives can be enforced with this consensus mechanism.
References
[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal
trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no
2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping,"
In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference
on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure,"
http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and
Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.

9
 2018 NATIONAL SEMINAR US SENTENCING COMMISSION

National
Seminar

Bitcoin Glossary:
2018 Annual National Seminar

Address - A incumbent This unit is

Bitcoin cryptocurrenc usually more
address is ies such as convenient
similar to a bitcoin, for pricing,
physical litecoin and tips, goods
address or an dogecoin. and services.
email. It is
the only ASIC - ASIC Bitcoin /
information stands for BTC
you need to application (shorthand) -
provide for specific A form of
someone to integrated digital
pay you with circuit, which currency
Bitcoin. An is a created in
important specialized 2009, that is
difference, silicon chip created and
however, is that performs distributed on
that each just one task. a peer-to-peer
address In the digital basis. It has
should only currency no central
be used for a space, these bank -
single chips process transactions
transaction. SHA-256 in are conducted
Typically order to mine directly
consists of bitcoin and between
between 26 validate individuals.
and 35 transactions. Bitcoin is the
alphanumeric most popular
characters. ASIC Miner kind of
- An ASIC cryptocurrenc
Altcoin - A Miner is the y.
form of hardware that
cryptocurrenc houses the Bitcoin
y that has the chip of the Index - The
same same name. live bitcoin
decentralized, You put them news bitcoin
peer-to-peer into your index is a
principles as Internet weighted
bitcoin, but connection average index
which uses its via a modem that shows
own or wireless the value of
blockchain mode. one bitcoin
and has its Bitcoin is versus one
own rules of independent single unit of
operation. of your currency of
Altcoin is the desktop each of the
term used to computer. majors in the
describe Forex space –
those digital Bit - Bit is a EUR, USD,
currencies common unit JPY, GBP
that do not used to and AUD.
have as big a designate a
market sub-unit of a Bitcoin
capitalization bitcoin - Whitepaper
or do not 1,000,000 - Written by
have the bits is equal Satoshi
recognition to 1 bitcoin Nakamoto in
of the current (BTC or ). 2008, it
describes the network. reversed
original plan Everyone can transaction.
and protocol look at the
for Bitcoin. blockchain to
see what
BitPay - transactions
BitPay is a have
payment happened on
processing the network,
company and and the
software that blockchain is
allows sealed using
merchants cryptography
such as eBay, so that no one Cryptocurre
Amazon and can tamper ncy - The
other online with it. broad name
shopping for digital
channels to Cold Storage currencies
accept bitcoin – A security that use
as payment measure for blockchain
for its goods Bitcoin that is technology to
and services. disconnected work on a
from the peer-to-peer
Block - A internet. basis.
block is a Could be a Cryptocurren
record in the paper wallet cies don't
block chain [see below], need a bank
that contains USB stick or to carry out
and confirms hardware transactions
many waiting wallet. between
transactions. individuals.
Roughly Confirmatio The nature of
every 10 n - the
minutes, on Confirmation blockchain
average, a means that a means that
new block transaction individuals
including has been can transact
transactions processed by between each
is appended the network other, even if
to the block and is highly they don't
chain through unlikely to be trust each
mining. reversed. other. The
Transactions cryptocurrenc
Block receive a y network
Reward - confirmation keeps track of
This term when they are all the
refers to the included in a transactions
“reward” that block and for and ensures
the Miner each that no one
receives for subsequent tries to
successfully block. Even a renege on a
hashing a single transaction.
transaction confirmation
block. can be Cryptograph
considered y -
Blockchain - secure for Cryptography
A digital file low value is the branch
distributed to transactions, of
everyone although for mathematics
participating larger that lets us
in a crypto- amounts like create
currency $1,000 US, it mathematical
network. The makes sense proofs that
blockchain to wait for 6 provide high
acts as a kind confirmations levels of
of general or more. security.
ledger, Each Online
keeping track confirmation commerce
of all the exponentially and banking
transactions decreases the already uses
that happen risk of a cryptography.
in the In the case of
Bitcoin, is exactly identify that
cryptography how it file. A hash
is used to sounds, has a couple
make it somewhere of key
impossible where properties: It
for anybody account is unique.
to spend holders can Only a
funds from exchange one particular file
another user's digital can produce a
wallet or to currency for particular
corrupt the another or a hash, and two
block chain. Fiat currency different files
It can also be for a digital will never
used to currency. produce the
encrypt a same hash. It
wallet, so that Faucet - cannot be
it cannot be When an reversed. You
used without individual or can't work
a password. team of out what a
individuals file was by
Dogecoin - develop a looking at its
An altcoin digital hash.
first started as currency, Hashing is
a joke in late they may pre- used to prove
2013. mine a that a set of
Dogecoin, certain data has not
which amount been
features a before release tampered
Japanese and give with. It is
fighting dog these pre- what makes
as its mascot, mined coins bitcoin
gained a away. This is mining
broad called a possible.
international faucet.
following and Hash Rate -
quickly grew FIAT - A The hash rate
to have a Fiat currency is the
multi-million is a measuring
dollar market traditional unit of the
capitalization paperback processing
. currency that power of the
is regulated Bitcoin
Double by an network. The
Spend - If a organization Bitcoin
malicious such as the network must
user tries to central bank. make
spend their Examples intensive
bitcoins with include the mathematical
two different Euro, the US operations for
recipients at dollar and the security
the same Australian purposes.
time, this is dollar. When the
double network
spending. Genesis reached a
Bitcoin Block - The hash rate of
mining and very first 10 Th/s, it
the block block in the meant it
chain are block chain could make
there to of any digital 10 trillion
create a currency. calculations
consensus on per second.
the network Hash - A
about which cryptographic Microtransa
of the two hash is a ction – The
transactions mathematical ability to pay
will confirm function that for things in
and be takes a file very small
considered and produces sums thanks
valid. a relatively to the fact
short code that Bitcoin
Exchange - that can be may be
An exchange used to extended to 8
 2018 NATIONAL SEMINAR US SENTENCING COMMISSION

Bitcoin Glossary: National

2018 Annual National Seminar Seminar
decimal fees for the refers to a
places. transactions printed sheet
Microtransact they confirm, of paper that
ions are along with holds a
especially newly created number of
important to bitcoins. public bitcoin
Bitcoin Mining is a addresses and
casinos by specialized correspondin
providing and g private
players the competitive keys.
ability to market where
deposit and the rewards P2P - Peer-
gamble are divided to-peer refers
fractions of up according to systems
Bitcoins. to how much that work like
calculation is an organized
Mining - The done. Not all collective by
act of Bitcoin users allowing each
producing do Bitcoin individual to
units of a mining, and it interact
cryptocurrenc is not an easy directly with
y (such as way to make the others. In
bitcoins) money. the case of
through some Bitcoin, the
kind of effort. Mt. Gox – network is
The effort is one of the built in such
required so first Bitcoin a way that
that people exchanges each user is
can't just that began broadcasting
create infinite liquidating the
amounts of after more transactions
the digital than 850,000 of other
currency, of its users’ users. And,
which would Bitcoins were crucially, no
devalue it. In lost or stolen bank is
bitcoin, – an amount required as a
mining equal to more third party.
requires than
computing $450,000,000 Private Key -
power. Here at the time. A private key
is a detailed is a secret
description of Output - piece of data
how mining When a that proves
works. bitcoin your right to
Bitcoin transaction spend
mining is the takes place, bitcoins from
process of the output a specific
making refers to the wallet
computer destination through a
hardware do address used cryptographic
mathematical in the signature.
calculations transaction. Your private
for the key(s) are
Bitcoin Paper Wallet stored in your
network to - Some computer if
confirm people prefer you use a
transactions to store their software
and increase bitcoin in the wallet; they
security. As a paper wallet are stored on
reward for – a form of some remote
their services, cold storage – servers if you
Bitcoin in order to use a web
miners can improve wallet.
collect security. The Private keys
transaction term simply must never be
revealed as Silk Road – network can
they allow An see that the
you to spend underground signature
bitcoins for website, as matches the
their part of the bitcoins
respective “dark web”, being spent.
Bitcoin that was However,
wallet. essentially a there is no
black market way for the
Proof of online. One world to
Work [PoW] could guess your
- Proof of purchase private key to
work simply illegal drugs, steal your
refers to the organs or hire hard-earned
output of any assassins bitcoins.
efforts to online. The
mine bitcoin. site used Transaction
In the bitcoin cryptocurrenc Fee - Some
block chain, ies such as transactions
the hashing Bitcoin and that occur in
of a block was shut the bitcoin
takes time down in 2013 block chain
and effort, by the FBI. contain
meaning the transaction
hash block SHA-256 - fees. These
can be Every digital transaction
considered currency fees are paid
proof of must have a to the miner
work. cryptographic that hashes
function that the block in
Public key - dictates how question.
The public the hash is
key is a string constructed. Wallet - A
of digits and In bitcoin, Bitcoin
letters (your SHA-256 is wallet is
bitcoin this function, loosely the
address). and is used as equivalent of
When hashed the basis for a physical
with a hash creation wallet on the
correspondin (i.e. bitcoin’s Bitcoin
g string proof of network. The
known as a work). wallet
private key it actually
digitally Signature - contains your
signs and A private key(s)
online cryptographic which allow
communicati signature is a you to spend
on. mathematical the bitcoins
mechanism allocated to it
Satoshi – A that allows in the block
Bitcoin someone to chain. Each
“cent”, the prove Bitcoin
smallest form ownership. In wallet can
of Bitcoins. the case of show you the
One Bitcoin Bitcoin, a total balance
is equal to 1 Bitcoin of all bitcoins
million wallet and its it controls
Satoshis. private key(s) and lets you
are linked by pay a specific
Satoshi some amount to a
Nakamoto – mathematical specific
the creator of magic. When person, just
Bitcoin and your Bitcoin like a real
the author of software wallet. This
the original signs a is different
Bitcoin transaction from credit
whitepaper with the cards where
and code. His appropriate you are
real identity private key, charged by
is unknown the whole the merchant.
to the world.
*This glossary contains terminology and
explanations of concepts relevant to various
emerging technologies.
The purpose of the
glossary is to inform the
reader of the most
commonly used
vocabulary terms in the
cyber world. This
glossary was compiled
from various sources
readily available on the
Internet.

The United States

Sentencing Commission, an independent
To receive updates on future events and other
Commission agency in the judicial branch of the federal
government, activities, visit us on Twitter
@TheUSSCgov, or subscribe to was organized in 1985 to
develop a national sentencing e-mail updates through
our website at www.ussc.gov. For policy for the federal
courts. The resulting sentencing guidelines questions, call
our Helpline at 202.502.4545, and discretion to help
guidelines
ensure that similar offenders who commit
provide structure for the courts’ sentencing

to request training, email us at

training@ussc.gov.similar offenses receive
similar sentences.