This appendix collects the works, standards, and protocol documents cited or discussed in the text. Citations in the chapters are informal (author and year, or protocol name); the full records appear here. Entries marked "discussed in" are constructions the text presents without a formal inline citation.
B.1 Primary Sources
Nakamoto, S. (2008). "Bitcoin: A Peer-to-Peer Electronic Cash System." bitcoin.org/bitcoin.pdf. Section 8 is quoted in full in Chapter 17; the double-spend analysis of Section 11 underlies Theorems 14.4, 17.6, and 36.1.
Nakamoto, S. (17 January 2009). "Bitcoin v0.1 released." Post to the Cryptography Mailing List. Quoted as the Chapter 40 epigraph.
The Times (London), 3 January 2009, front page: "Chancellor on brink of second bailout for banks." Embedded in the genesis block coinbase; quoted in Chapters 10 and 13.
B.2 Academic Works and Technical Reports
Al-Bassam, M., Sonnino, A., & Buterin, V. (2018). "Fraud and Data Availability Proofs: Maximising Light Client Security and Scaling Blockchains with Dishonest Majorities." arXiv:1809.09044. Data availability sampling; the unattributability of unavailability is discussed in Section 20.6.
Auer, R. (2019). "Beyond the Doomsday Economics of 'Proof-of-Work' in Cryptocurrencies." BIS Working Papers No. 765. Bank for International Settlements. The security-budget problem; Chapter 38.
Aumasson, J.-P., & Bernstein, D. J. (2012). "SipHash: A Fast Short-Input PRF." INDOCRYPT 2012, LNCS 7668. Springer. SipHash-2-4 is used by BIP-158 filters; discussed in Chapter 19.
Back, A. (2002). "Hashcash — A Denial of Service Counter-Measure." Technical report, hashcash.org. First announced on the cypherpunks mailing list, 1997. Cited in Chapter 14.
Back, A., Corallo, M., Dashjr, L., Friedenbach, M., Maxwell, G., Miller, A., Poelstra, A., Timón, J., & Wuille, P. (2014). "Enabling Blockchain Innovations with Pegged Sidechains." Blockstream whitepaper. Cited in Chapter 31 as the original sidechain proposal.
Bose, P., Guo, H., Kranakis, E., Maheshwari, A., Morin, P., Morrison, J., Smid, M., & Tang, Y. (2008). "On the false-positive rate of Bloom filters." Information Processing Letters 108(4), 210–213. Cited in Chapter 18.
Budish, E. (2018). "The Economic Limits of Bitcoin and the Blockchain." NBER Working Paper 24717. The security-budget problem; Chapter 38.
Cohen, B. (2003). "Incentives Build Robustness in BitTorrent." Workshop on Economics of Peer-to-Peer Systems, Berkeley. The BitTorrent precedent; Chapter 34.
Danezis, G., & Goldberg, I. (2009). "Sphinx: A Compact and Provably Secure Mix Format." IEEE Symposium on Security and Privacy. Lightning's onion routing is Sphinx-style; discussed in Chapter 24.
Decker, C., & Wattenhofer, R. (2013). "Information Propagation in the Bitcoin Network." 13th IEEE International Conference on Peer-to-Peer Computing. Source of the 2013 stale-rate measurement cited in Chapter 26.
Dobbertin, H., Bosselaers, A., & Preneel, B. (1996). "RIPEMD-160: A Strengthened Version of RIPEMD." Fast Software Encryption (FSE 1996), LNCS 1039. Springer. RIPEMD-160 is discussed in Chapters 6 and 9.
Dwork, C., & Naor, M. (1993). "Pricing via Processing or Combatting Junk Mail." Advances in Cryptology — CRYPTO '92, LNCS 740. Springer. Cited in Chapter 14 as an independent invention of proof of work.
Eyal, I., & Sirer, E. G. (2014). "Majority Is Not Enough: Bitcoin Mining Is Vulnerable." Financial Cryptography and Data Security (FC 2014), LNCS 8437. Springer. Cited in Chapter 14; the selfish-mining threshold of Theorem 36.2 is this paper's result.
Fiat, A., & Shamir, A. (1987). "How to Prove Yourself: Practical Solutions to Identification and Signature Problems." Advances in Cryptology — CRYPTO '86, LNCS 263. Springer. The Fiat–Shamir transform is presented in Chapter 8.
Fielding, R. T. (2000). Architectural Styles and the Design of Network-based Software Architectures. Ph.D. dissertation, University of California, Irvine. Chapter 5 defines REST. Why the web scaled; Chapter 34.
Finney, H. (30 December 2010). "Bitcoin Bank" post. bitcointalk.org. The bitcoin-banks scenario; Chapter 34.
Gallager, R. G., & Van Voorhis, D. C. (1975). "Optimal Source Codes for Geometrically Distributed Integer Alphabets." IEEE Transactions on Information Theory 21(2), 228–230. Optimality of Golomb coding; underlies Theorem 19.2.
Gervais, A., Karame, G. O., Gruber, D., & Capkun, S. (2014). "On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients." 30th Annual Computer Security Applications Conference (ACSAC 2014). ACM. Cited in Chapter 18.
Golomb, S. W. (1966). "Run-Length Encodings." IEEE Transactions on Information Theory 12(3), 399–401. Golomb coding is developed in Chapter 19.
Grover, L. K. (1996). "A Fast Quantum Mechanical Algorithm for Database Search." 28th ACM Symposium on Theory of Computing (STOC), 212–219. Cited in Chapter 39.
Hankerson, D., Menezes, A. J., & Vanstone, S. (2004). Guide to Elliptic Curve Cryptography. Springer. Cited in Chapter 5 for the formal definition of Koblitz curves.
Koblitz, N. (1992). "CM-Curves with Good Cryptographic Properties." Advances in Cryptology — CRYPTO '91, LNCS 576. Springer. Cited in Chapters 4 and 5 (as "Koblitz, 1991", the conference year).
Lamport, L. (1979). "Constructing Digital Signatures from a One-Way Function." Technical Report CSL-98, SRI International. Lamport signatures are discussed in Chapters 30 and 39.
Lovejoy, J. (2020). "Bitcoin Gold (BTG) 51% attack reports." MIT Digital Currency Initiative. Source for the BTG attack figures in Chapter 27.
Maxwell, G., Poelstra, A., Seurin, Y., & Wuille, P. (2019). "Simple Schnorr Multi-Signatures with Applications to Bitcoin." Designs, Codes and Cryptography 87(9), 2139–2164. MuSig is presented in Chapter 8.
Merkle, R. C. (1979). Secrecy, Authentication, and Public Key Systems. Ph.D. thesis, Stanford University. Origin of the hash tree; Chapter 12.
Mosca, M. (2018). "Cybersecurity in an Era with Quantum Computers: Will We Be Ready?" IEEE Security & Privacy 16(5), 38–41. Mosca's inequality is Definition 39.8.
Nick, J., Ruffing, T., & Seurin, Y. (2021). "MuSig2: Simple Two-Round Schnorr Multi-Signatures." Advances in Cryptology — CRYPTO 2021, LNCS 12825. Springer. MuSig2 is presented in Chapters 8 and 29.
Poelstra, A. (2021). "CAT and Schnorr Tricks I–II." wpsoftware.net blog. The on-stack sighash construction of Proposition 30.1.
Roetteler, M., Naehrig, M., Svore, K. M., & Lauter, K. (2017). "Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms." Advances in Cryptology — ASIACRYPT 2017, LNCS 10625. Springer. Cited in Chapter 39 for the ~2,330 logical-qubit estimate.
Schnorr, C. P. (1991). "Efficient Signature Generation by Smart Cards." Journal of Cryptology 4(3), 161–174. The signature scheme of Chapter 8.
Sharp, T. (2025). "Hornet Node and the Hornet DSL: A Minimal, Executable Specification for Bitcoin Consensus," v1.2. hornetnode.org. Declarative executable specification of the validation pipeline; discussed in Section 33.9 and Appendix D.
Shor, P. W. (1994). "Algorithms for Quantum Computation: Discrete Logarithms and Factoring." 35th IEEE Symposium on Foundations of Computer Science (FOCS), 124–134. Cited in Chapter 39.
Silverman, J. H. (2009). The Arithmetic of Elliptic Curves, 2nd ed. Graduate Texts in Mathematics 106. Springer. Cited in Chapter 3 for the associativity proof (Ch. III, Prop. 2.2).
Somsen, R. (2025). "SwiftSync — Smarter Synchronization with Hints." Published as a public gist and discussed on the Bitcoin development forums. Hints-based initial block download; Remark 21.1.
Sompolinsky, Y., & Zohar, A. (2015). "Secure High-Rate Transaction Processing in Bitcoin." Financial Cryptography and Data Security (FC 2015), LNCS 8975. Springer. The GHOST fork-choice rule mentioned in Chapter 26.
Todd, P. (2016). "Building Blocks of the State Machine Approach to Consensus." petertodd.org. Origin of single-use seals; cited in Chapter 22.
Todd, P. (2022). "Surprisingly, Tail Emission Is Not Inflationary." petertodd.org. The tail-emission argument; Remark 38.10.
Walch, A. (2019). "In Code(rs) We Trust: Software Developers as Fiduciaries in Public Blockchains." In Regulating Blockchain, Oxford University Press. The developer-power critique; Remark 33.6.
B.3 Standards
Certicom Research / SECG (2010). "SEC 2: Recommended Elliptic Curve Domain Parameters," Version 2.0. Standards for Efficient Cryptography Group. Defines secp256k1; Chapter 5.
NIST (2015). FIPS PUB 180-4, Secure Hash Standard. SHA-256; Chapter 6 (first published 2001–2002).
NIST (2024). FIPS PUB 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM / Kyber). Chapter 39.
NIST (2024). FIPS PUB 204, Module-Lattice-Based Digital Signature Standard (ML-DSA / Dilithium). Chapter 39.
NIST (2024). FIPS PUB 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA / SPHINCS+). Chapter 39.
Pornin, T. (2013). RFC 6979, "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)." IETF. Deterministic nonces; Chapter 7.
Resnick, P. (2014). RFC 7282, "On Consensus and Humming in the IETF." IETF. The original meaning of rough consensus; Definition 33.4.
B.4 Bitcoin Improvement Proposals
BIPs are published in the bitcoin/bips repository. The chapters listed are where each BIP is cited or treated substantively.
| BIP | Title | Chapters |
|---|---|---|
| 2 | BIP process, revised | 33 |
| 3 | Updated BIP Process | 33 |
| 8 | Version bits with lock-in by height | 16, 33 |
| 9 | Version bits with timeout and delay | 13, 16, 28, 33 |
| 16 | Pay to Script Hash | 9, 15, 16 |
| 30 | Duplicate transactions | 16, 35 |
| 32 | Hierarchical Deterministic Wallets | 20 |
| 34 | Block v2, Height in Coinbase | 10, 13, 16, 20, 35 |
| 37 | Connection Bloom filtering | 17, 18, 19 |
| 50 | March 2013 Chain Fork Post-Mortem | 33, 36, 37 |
| 65 | OP_CHECKLOCKTIMEVERIFY | 11, 16 |
| 66 | Strict DER signatures | 16, 26 |
| 68 | Relative lock-time using consensus-enforced sequence numbers | 10, 16 |
| 101 | Increase maximum block size | 27 |
| 112 | CHECKSEQUENCEVERIFY | 11, 16 |
| 113 | Median time-past as endpoint for lock-time calculations | 16 |
| 118 | SIGHASH_ANYPREVOUT for Taproot Scripts | 16, 24, 30, 32 |
| 119 | CHECKTEMPLATEVERIFY | 16, 30 |
| 125 | Opt-in Full Replace-by-Fee Signaling | 10 |
| 141 | Segregated Witness (Consensus layer) | 16, 20, 28 |
| 143 | Transaction Signature Verification for Version 0 Witness Program | 16, 28 |
| 144 | Segregated Witness (Peer Services) | 16, 28 |
| 146 | Dealing with signature encoding malleability | 28 |
| 148 | Mandatory activation of segwit deployment (UASF) | 16, 25, 28, 33 |
| 152 | Compact Block Relay | 13 |
| 157 | Client Side Block Filtering | 17, 18, 19, 20 |
| 158 | Compact Block Filters for Light Clients | 18, 19, 20, A |
| 173 | Base32 address format for native v0–16 witness outputs (Bech32) | 9 |
| 180 | Block size/weight fraud proof | 20 |
| 300 | Hashrate Escrows (Consensus layer) | 31 |
| 301 | Blind Merged Mining (Consensus layer) | 31 |
| 340 | Schnorr Signatures for secp256k1 | 4, 6, 8, 9, 11, 16, 29, A |
| 341 | Taproot: SegWit version 1 spending rules | 8, 11, 16, 28, 29 |
| 342 | Validation of Taproot Scripts (Tapscript) | 11, 16, 29 |
| 345 | OP_VAULT | 30 |
| 346 | OP_TXHASH | 30 |
| 347 | OP_CAT in Tapscript | 30 |
| 348 | OP_CHECKSIGFROMSTACK | 30 |
| 350 | Bech32m format for v1+ witness addresses | 9 |
| 360 | QuBit — Pay to Quantum Resistant Hash (draft) | 39 |
B.5 Lightning Network Specifications (BOLTs)
The Basis of Lightning Technology specifications are published in the lightning/bolts repository. All are treated in Chapter 24 (channel mechanics in Chapter 23).
| BOLT | Title |
|---|---|
| 1 | Base Protocol |
| 2 | Peer Protocol for Channel Management |
| 3 | Bitcoin Transaction and Script Formats |
| 4 | Onion Routing Protocol |
| 5 | Recommendations for On-chain Transaction Handling |
| 7 | P2P Node and Channel Discovery |
| 8 | Encrypted and Authenticated Transport |
| 9 | Assigned Feature Flags |
| 10 | DNS Bootstrap and Assisted Node Location |
| 11 | Invoice Protocol for Lightning Payments |
| 12 | Offers (draft) |
B.6 Security Advisories
| Identifier | Subject | Chapters |
|---|---|---|
| CVE-2012-1909 | Duplicate transaction IDs overwriting transactions (addressed by BIP-30/BIP-34) | 35 |
| CVE-2012-2459 | Merkle-tree duplicate-subtree block mutation | 12, 35 |
| CVE-2013-5700 | BIP-37 Bloom-filter remote denial of service | 18 |
| CVE-2017-12842 | 64-byte-transaction Merkle leaf/interior ambiguity (motivates the policy minimum transaction size and part of the Great Consensus Cleanup) | 15, 35 |