In November 2008, a paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System” was published online.1 The system described in the paper, including a monetary unit termed “bitcoins,” embodied the world’s first cryptocurrency. The most striking characteristic of the bitcoin system is the complete absence of any form of centralized control. There is no role for governments, financial institutions, or regulatory bodies. The system is completely autonomous. Peer-to-peer networking technology and mathematical encryption form the basis for the system. A distributed ledger, known as the blockchain, maintains a public record of all transactions. In the absence of trusted third parties, the security and maintenance of the system is a shared responsibility.

On January 3, 2009, with access limited to a select few cryptologists, the bitcoin software was released and the first bitcoins issued. Bitcoin was not, it must be noted, an overnight success. In fact, it wasn’t until 2013 that the system really began to take off. That year saw a fifty-fold increase in valuation, so that by January 2014, a bitcoin was worth around nine hundred euros. A series of advances and declines since then has seen the value of bitcoins fluctuate. Against the expectations of some observers, the currency has recovered and a bitcoin is again worth around six hundred euros.2 There are now more than seven hundred cryptocurrencies competing with bitcoin.3 Their success to date has been limited, with a cumulative capitalization of only around twenty percent that of bitcoin. The total capitalization of the bitcoins issued thus far amounts to more than fifteen billion euros.

Although credited to Satoshi Nakamoto, the true identity of the person, or people, responsible for the bitcoin paper remains unknown. Nakamoto, it seems, was merely a pseudonym. A number of people, most recently Craig Steven Wright, have come forward claiming to be the inventor of bitcoin.4 These claims have either been proven false or lack credibility. Nick Szabo is considered a more plausible candidate, but, like others, he has always denied being Nakamoto.

## Encryption and Hash Functions

The protocol described in the bitcoin paper relies on a series of advances in mathematical cryptography. Some are embedded in conventional encryption methods—the transformation of a message, or plain text, in such a way as to render the text unreadable without a special key.5 When the same key is used for both encryption and decryption, the process is known as symmetric, or secret key, encryption; asymmetric, or public key, encryption uses a pair of keys for encryption and decryption, one public and the other private. Authentication processes and digital signatures also arise from advances in cryptography. The former involves methods for ensuring that the person using a credit card is authorized to do so, while the latter creates digital paths certifying that a message has been sent by a particular person and prevents a signed message from being altered.

The bitcoin protocol uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction signatures. Two keys are involved. A private key is used to sign transactions and a public key, similar to an account number, is used to verify that the signature is correct. This method ensures that the source of the transaction is, in fact, the person associated with the private key. If implemented correctly, ECDSA is considered safe and secure. The integrity of the system is derived from the difficulty in determining a private key from a public key. This involves calculating the discrete logarithm of a large integer; given three integers a, b, and c, such that a = bn mod c, one must find n, the discrete logarithm. Bitcoin uses the ECDSA system and 256-bit keys, providing a level of security comparable to that of RSA (the Rivest–Shamir–Adleman cryptosystem), an earlier encryption method which uses keys 3,072 bits in length.6

Another cryptographic component in the bitcoin protocol is the hash function.7 For a given character string of any length x, a hash function generates a fixed-length value, f(x), known as the digest of x, or the hash. Hash functions possess the following properties:

1. The function f(x) can be calculated quickly and easily, but, for a given y, finding x such that f(x) = y is, in practice, impossible.
2. Finding two different values x and x' such that f(x) = f(x') is also impossible.
3. If x and x' are both character strings, or files, differing by only a single character, the values f(x) and f(x') appear to be entirely random.

Bitcoin uses the SHA-256 hash function, which, as the name suggests, generates 256-bit hashes.8 SHA-256 is used to link together the records in bitcoin’s distributed ledger, the blockchain. Linking the records in this manner makes it impossible to modify the blockchain without those changes being immediately apparent. SHA-256 is also used in the system for issuing bitcoins. A second hash function, RIPEMD-160, is also used when creating destination addresses for transactions, but has a less important overall role in the protocol.

## Mining and Proofs of Work

Bitcoins were initially created and assigned at the rate of fifty bitcoins approximately every ten minutes. Every four years or so, the amount issued every ten minutes is halved. The most recent adjustment was made on July 9, 2016, with bitcoins now being issued at the rate of 12.5 every ten minutes. The protocol specifies an upper limit of 21 million for the number of bitcoins that can be issued. This figure will be reached in 2140, after which bitcoins will no longer be issued. Nearly 16 million bitcoins have been issued to date.

There are currently around 5,000 nodes, known as primary nodes, in the bitcoin network that maintain a copy of the blockchain and receive newly created bitcoins. Candidates, or miners, who occupy these major nodes on the bitcoin network, are anonymous and known only by their account numbers. The candidates compete with one another to solve puzzles and win bitcoins. The puzzles generally involve finding an x such that f(x) has a certain property, where f is SHA-256. That property, for example, might involve beginning with five zeroes. Solving puzzles involves calculating many possible values for f(x). The probability of winning is directly proportional to the miner’s ability to compute the SHA-256 function. The greater the computing capacity he or she possesses, the quicker a suitable value can be found. Due to the computation effort involved, this method is termed a proof of work.

It is impossible, in practice, to find an x for a given y such that f(x) = y. What is needed is a puzzle that is both feasible and that could be solved in a reasonable period of time. Thus the request for a partial inversion of f that involves finding an x such that f(x) is a sequence of characters beginning with k zeroes. The value of k can be used to adjust the puzzle’s difficulty. The larger the value of k, the more difficult it becomes to find a satisfactory x. On average, finding x involves testing 2k values of x. For example, if k = 10, then 210 = 1,024 calculations of f(x) are required. For k = 20, around a million attempts would be needed. To obtain a finer level of control, the value f(x) is treated as a number in base 2. The sequence 11010001 … 01 represents the number 0.11010001 ... 01 = 1/2 + 1/4 + 1/16 + 1/256 + … . One then requests a number x such that f(x) < y, where y is a positive threshold set between 0 and 1. The average resolution time can then be determined with great precision by carefully selecting the value for y. This is the method used in bitcoin’s proof-of-work protocol.

It is important to avoid submitting the same puzzle multiple times to provide protection from spam and denial of service attacks; otherwise libraries of solutions could be calculated in advance. This scenario can be easily avoided by making the puzzle dependent on a parameter p; find an x that starts with the string p = 0100011010100, such that f(x) < y. The number of possible parameters p is unlimited.

The first miner to solve a puzzle wins the newly created bitcoins. The miner selects the transactions that are waiting on the network and groups them into a page, or block, which is then added to the blockchain. In this manner, the blockchain is lengthened by one page every ten minutes. The winning miner also accrues, via his bitcoin account, all the optional fees associated with transactions. These additional payments ensure that miners will continue to be paid when bitcoins are no longer being issued and that there will always be volunteers to manage and monitor the blockchain. These fees, voluntarily associated to a signed transaction by the issuer, played only a minor role before 2016. They have gradually increased in importance because the size of the pages added every ten minutes have become inadequate for the volume of transactions, which are also issued at ten-minute intervals. An increase in the block size used by bitcoin is currently being discussed among miners. The outcome will be determined by a voting system in which only the miners can participate. The same mechanism is used to decide on the adoption of changes to the protocol.

Proofs of work are periodically adjusted in difficulty so that they require, on average, ten minutes to resolve. This system has led to an arms race among miners. The most successful have begun using specialized Application-Specific Integrated Circuits (ASICs) optimized for calculating SHA-256. Mining guilds, or mining pools, have been formed in response. Miners work together as if they were a single entity, collectively solving each puzzle. Winnings are shared in proportion to the computing power contributed by each miner. Members win smaller amounts, but do so more regularly.

The processing power of the miner network, or hash power, is currently estimated at a staggering 1.5 × 1018 SHA-256 calculations per second.9 The investment required to obtain specialized equipment, and the associated electricity overheads, serves to guarantee the blockchain’s resistance to attacks, in particular 51% attacks. Otherwise, a miner with more than 50% of the network’s total hash power has the ability to seriously disrupt the operation of the protocol.

## Accessibility and Participation

The bitcoin protocol envisioned a system in which there are, and always will be, volunteers to maintain the blockchain. When a new page is added, each miner verifies that the state of the blockchain is correct. If this is not the case, the miner does not include the addition. Other cryptocurrencies have differing implementations. The length of time between page additions, for example, is often less than ten minutes and in some cases, such as in the Ethereum protocol, there is no upper limit on the number of monetary units that can be issued.

The open and transparent design of bitcoin is also an important consideration. Other types of blockchain can be limited, or even totally abandoned. The free bitcoin software can be downloaded by anyone. The codebase is open sourced and freely accessible. As a result, anyone can participate in monitoring the bitcoin currency by helping to ensure that no one creates bitcoins in contravention of protocols, all transactions are conducted according to the rules, and no one issues transactions by spending bitcoins they do not have in their account.

Advances in computing in terms of processing, storage, and networking, have been instrumental in the establishment and growth of bitcoin. The current generation of microprocessors command the resources needed to manipulate, explore, and control the bitcoin system. The blockchain is roughly ninety five gigabytes, a volume of data that can be comfortably accommodated by current laptop computers. The increasing reliability and efficiency of computer networks allows for almost instantaneous updates to a single blockchain. These advances, taken together, would have been impossible just fifteen years ago. Anyone possessing a reasonably recent personal computer can participate in the system.

## Obtaining Bitcoins

To use bitcoin, an account and digital wallet are required.10 An account can be created anonymously, but it would be naïve to assume that the system can be used in complete anonymity. The complete history of transactions made using bitcoin since its inception can be found on the blockchain. One should also consider the possibility that there may be eavesdroppers in the peer-to-peer network monitoring IP addresses. When bitcoins are bought and sold in regular currencies, such as euros, some proof of identity is usually required. Maintaining the security of bitcoin account details is paramount. If a hacker manages to obtain an account key, he has full access to its contents. Deleting a digital wallet, even by mistake, is an irreversible process; the money in the account is lost forever.

The partial anonymity of accounts is also an attractive feature for unsavory individuals who might use bitcoin to avoid taxes or engage in money laundering. Bitcoin has, indeed, been used to conduct fraudulent and illegal transactions. This has often been portrayed as a particular weakness of the currency. Cash can also be used for illegal activities, circumstances that hardly sully its reputation. The operation of bitcoin is not affected by these problems. The strength of the protocol is derived from its design and mathematical cryptography. In over seven years of operation none of these elements has been found to be faulty.

Bitcoins can be obtained from platforms similar to physical currency exchanges. The purchased bitcoins are then registered in an account that can be managed from a computer or mobile phone. Bitcoins can also be kept in accounts that are managed by independent operators, the bitcoin equivalent of bank deposits. There are now specialized automatic teller machines that accept bills and send the corresponding sum in bitcoins to a nominated account. Bitcoins can be acquired by trading: selling a book, for example, and receiving payment in the form of bitcoins added to an account. Many merchants and websites accept payment in bitcoins, but to mitigate against the risk of fluctuations in valuation, they often automatically convert bitcoin payments into common currency.

## Misconceptions, Durability, and Risk

The status of bitcoin as a competitor to established centralized currencies has created hostility in some countries.11 Bitcoin has been banned in Russia and is regulated in other countries such as Canada, where it is subject to anti-money laundering and counter-terrorist financing laws. The evolution of these regulations will shape the future adoption of cryptographic currencies.

Bitcoin and cryptocurrencies have been described as Ponzi schemes.12 It is true that the first miners—among them Nakamoto, who is thought to possess at least five percent of all the bitcoins in circulation—acquired quantities of bitcoins for next to nothing that are now worth hundreds of millions of euros. But this was not at the expense of other miners. Nor was it at the expense of current bitcoin users, who, with full knowledge of the risks and costs of mining, acquire bitcoins in currency exchanges or by investing in mining infrastructure. Nothing in the bitcoin protocol suggests an inevitable collapse, as is always the case for Ponzi schemes.

Bitcoins are, for all intents and purposes, every bit as real and solid as gold bullion, or the bank notes in one’s pocket. Cryptography has succeeded in creating unfalsifiable virtual objects. Bitcoins can also be circulated, almost without cost, from one location to another almost instantaneously. Since the abandonment of the gold standard, bitcoin, like any physical currency, relies only on the trust of its users. But in the case of bitcoins, that trust is not established by a central issuing bank. The cryptographic protocol prevents anyone from falsifying an account, and, in particular, from flooding the market with newly issued currency, leading to a collapse in its value. Holders of bitcoins are also protected against inflation. New bitcoins are issued at a predetermined rate and the supply cannot exceed the quantity specified in the protocol. A deflation of the currency is thus impossible.

At around fifteen billion euros, the current total capitalization of bitcoin represents only a fraction of the value of the euro or the dollar; counting only the bills in circulation, the latter are about a hundred times the value of bitcoin. For bitcoin to become truly competitive with these currencies, its value would have to rise dramatically.

The lack of centralized control means that the price of bitcoins can be subject to currency speculation, and it has been claimed that the value of bitcoins is manipulated by individuals who own large quantities of them. Their value does vary, sometimes by several percentage points per day, and on one occasion by more than thirty percent in a single day. This makes the currency difficult to use for trading purposes. But these variations have greatly declined over the last two years. It is not unreasonable to suggest that the high total capitalization value of bitcoins has had the effect of broad self-regulation.

There are now more than seven hundred cryptographic currencies. While based on principles similar to those of bitcoin, they differ in their implementation and may prove better suited for particular uses. Some of these protocols, in contrast to bitcoin, offer complete anonymity. This feature may entice users away from bitcoin.

The Ethereum protocol and its associated currency, known as ether, differs from bitcoin in that applications can be deposited on the blockchain. For example, a program could be developed that holds ethers and operates a lottery. Ethers are added or subtracted from accounts, depending on the result. This is, in fact, a form of decentralized autonomous organization (DAO). A variety of so-called smart contracts can be implemented using this protocol. This feature has proven to be both a strength and a weakness of the Ethereum protocol. In June 2016, the initial enthusiasm for Ethereum ended in a mini disaster. A DAO that, rather imprudently, held ether equivalent in value to 150 million euros was emptied of a third of its contents by a hacker who exploited a programming error. A smart contract should thus be handled with extreme care. Once placed on the blockchain, it cannot be easily modified. To remedy these weaknesses, verification techniques, such as those used in aeronautics, and more generally in embedded computing, must be developed and implemented for smart contracts.

## The Future

The prospects for bitcoin, and cryptocurrencies in general, remain unclear. No currencies of this type have ever existed. Some believe that bitcoin’s current trajectory is nothing more than a bubble.13 But as each year passes, the continuing growth of bitcoin serves to reduce fears of a sudden collapse. Vitalik Buterin, co-founder of Ethereum, claims that

The long-term goal for Ethereum 2.0 and 3.0 is for the protocol to quite literally be able to maintain a blockchain capable of processing Visa-scale transaction levels, or even several orders of magnitude higher, using a network consisting of nothing but a sufficiently large set of users running nodes on consumer laptops.14

In the future, the blockchain principle could be adjusted in a multitude of ways, correcting the defects in Nakamoto’s protocol and creating new opportunities for expansion. It seems certain that Nakamoto did not envision the creation of mining pools. If a limit were set on the number of miners, the SHA-256 proof-of-work mechanism used by bitcoin could be eliminated. The Ethereum protocol uses a different proof-of-work algorithm, one that requires a significant amount of memory and that cannot be accelerated by specialized processors. Interest in mining is maintained for all participants, even those with less powerful computing resources. Another defect in the bitcoin protocol is the halving of payments to miners every four years. Miners will inevitably become reliant on payment from commissions. This has also been corrected in the Ethereum protocol, under which the rate of issue remains constant.

Considered more broadly, the range of possible future applications for blockchain technology is intriguing.

Blockchain systems of the type used by bitcoin ensure that a transaction between two users takes place. The transaction is conducted in public and is controlled by the network’s principal nodes, the miners. The transaction is computed by each principal node, and is thus computed many times, which serves to increase security. In a system with a central node, or a series of intermediary nodes, user confidence is required at each step. Controls and recalculations are possible and necessary, but these require complicated and cumbersome constructions. The general model of security is confused and not well established. Traditional systems were developed when only a small number of calculations were involved, storage requirements were minimal, and information circulated slowly. The solutions worked well, but were also clumsy, slow, and costly. The advent of high-speed networks has made possible a new form of agreement. This type of network, in which there is no central node, no third-party security, and no intermediaries that must be controlled separately, seems an obvious solution for the future.

Public blockchains of the type used by bitcoin are not without their drawbacks. The mining and proof-of-work systems are computer intensive and relatively complicated. Other methods, such as a proof-of-stake approach have not been tested to the same extent as the system used by bitcoin. Public blockchains are limited in terms of their capacity to execute transactions. A communication failure in the bitcoin network could lead to two different blockchains coexisting for a few minutes. Some accounts may spend the same amount twice due to a split in the blockchain. A selection procedure based on the calculated content of each blockchain allows for the recovery of system coherence once communication is restored.15

Private or semi-private blockchain models, in which the information on the blockchain is still freely available but the ability to write to the blockchain is limited, could be of interest to the finance and banking sector. If the principal nodes are fixed, there is no need for a mining system to designate who adds a new page to the blockchain. Consequently, there is almost no limit to the number of transactions that can be processed per second.

The Ukraine is currently evaluating a platform developed for the Ethereum blockchain as a way to organize and guarantee the results of elections.16 A blockchain would be used to collect votes, which would be added to the blockchain anonymously, but verified using encryption, meaning that when the election closes, the results are freely available and easily verifiable.17

The viability of loans implemented via the blockchain remains unclear. If a user lends money to another user who defaults on the loan, the lender cannot force repayment using the blockchain. One deterrent for defaulting is the automatic publication of the information, validated by the blockchain, and the prospect of reputational damage for the borrower. For a loan made in order to acquire property, it is conceivable that the certificate of ownership for the property could be linked on the blockchain to a successful repayment, and automatically canceled if the borrower defaults. If blockchains eventually acquire legal status, lenders could initiate legal action when borrowers default on a loan, requesting an external authority to force repayment of the loan or to pursue the defaulter.

Cryptocurrencies, in particular proof-of-work systems based on one-way functions, have given rise to some interesting developments in online gambling. An approach similar to bitcoin mining might seem applicable, given that a winner is declared every ten minutes and cheating is impossible. But the odds of a player winning would be dependent on their computing power, meaning that some participants would have an unfair advantage. More direct methods that deliver randomized drawings and are both perfectly fair and controllable have been developed. Online dice games in which neither the casino or the player can cheat are one example. The underlying protocols have long been known in cryptography; Manuel Blum proposed a telephone protocol for coin flipping in 1981.18 But it is only recently that online casinos have begun offering provably-fair games, the honesty of which is guaranteed by mathematical cryptography and for which no supervision is needed.19 These protocols are only concerned with ensuring randomness in games of chance; payments to players are not guaranteed. In the future, smart contracts may be a solution.

Translated and revised in English by the editors.

## Letters to the Editors

• ### A Cold Cup of Coffee

1. Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System.”
2. The dramatic growth of bitcoin can be seen in the story of Kristoffer Koch, a Norwegian student who bought 5,000 bitcoins for US$27 in 2009. Koch resold the bitcoins in late 2013 and was able to buy an apartment in the center of Oslo using the proceeds. See Daniel Cawrey, “This Man Bought$27 of Bitcoins in 2009 and They’re Now Worth \$980k,” CoinDesk, October 29, 2013.

4. Andrew O’Hagan, “The Satoshi Affair,” London Review of Books 30, no. 13 (2016).
5. When the same key is used for both encryption and decryption, the process is known as symmetric, or secret key, encryption. An alternative approach is asymmetric, or public key, encryption, which uses a pair of keys for encryption and decryption, one public and the other private.
6. The curve used by bitcoin is secp256k1. nbsp;
7. Cryptographic hash functions have many applications. They can be used to ensure the integrity of a file x. If one puts a large file on a server, it can be associated with a footprint f(x), which is much shorter. Whoever downloads x will be sure that x has arrived without error and in whole by calculating the footprint of the file and comparing it to the value published on the site. The probability that a modification to file has not changed the footprint is infinitesimal. Hash functions can also be used to generate a series of random numbers from a file x. One calculates f(x.1) f(x.2) f(x.3) … , where x.i designates the file x, followed by the number i (in binary, for example). Random sequences of this type are useful for simulating games of chance, but also for encrypting messages and generating keys. The importance of hash functions is such that great care is taken in their development and testing. The United States National Institute of Standards and Technology (NIST) publishes recommendations on the selection and use of hash functions. NIST recently held a competition to design a new generation of hash functions that led to the development of the SHA-3 standard. See NIST, “Cryptographic Hash Algorithm Competition.”
8. See Wikipedia, “SHA-2.”
9. According to some estimates, if the bitcoin network continues expanding at its current rate, by 2020 the total energy consumption required for these calculations could match that of Denmark. See Jean-Pierre Buntinx, “Bitcoin’s Electricity Use to Match Denmark, But It’s Worth It,” Bitcoin News, March 30, 2016.
10. How to Store Your Bitcoins,” CoinDesk, October 19, 2015.
11. Cryptocurrencies complement local currencies, such as, for example, the sol alpin in Grenoble, the graine in Montpellier, and the miel in the Libourne. These local currencies promote local trade and bartering, but still rely on centralized control.
12. See Matt O’Brien, “Bitcoin Isn’t the Future of Money—It’s Either a Ponzi Scheme or a Pyramid Scheme,” Washington Post, June 8, 2015; Paul Madore, “Financial Times Writer Calls Bitcoin A ‘Pyramid Scheme’,” cryptocoins news, November 10, 2015.
13. See “The Bitcoin Bubble,” The Economist, November 30, 2013; Rory Cellan-Jones, “The Bitcoin Bubble,” BBC News, April 11, 2013; Henry Blodget, “Bitcoin is the Perfect Asset Bubble—Prices Could Go Vastly Higher From Here,” Business Insider, November 7, 2013; Alex Wilhelm, “The Bitcoin Bubble,” TechCrunch, November 6, 2013; Edward Chancellor, “Review: The Virtual Bubble of Bitcoin,” Reuters, May 15, 2015.
14. Pete Rizzo, “R3 Publishes Vitalik Buterin Report on Ethereum for Banks,” Coindesk, June 1, 2016.
15. One might reasonably wonder how a system such as bitcoin’s blockchain might handle the problem of double-spending. It suffices to ensure that an account does not disburse more than it contains. The information needed to verify this is present on the blockchain. A difficulty arises when communication between nodes of the peer-to-peer network is not instantaneous and when parties on the network are temporarily isolated. This can lead to the addition of two different pages by two different miners, which then leads to the presence two concurrent blockchains on the network. These duplications of the blockchain are rare, but they do sometimes happen. Each miner could validate a disbursement of account x to a different destination: a double payment. Nakamoto’s system for dealing with these situations and to reestablish a consensus over the network is that the blockchain with the highest calculated amount is the one that should be taken into consideration. This is determined by the accumulated difficulties of all the proofs of work. This is one reason why avoiding recourse to costly proofs of work, and to the competition that then arises among miners, may be impossible. When one blockchain is selected, some disbursements can be undone, restoring the integrity of the account so that it has paid out only once what it contained. It is because of this difficulty and the resulting potential cancellations that it is said that a bitcoin transaction should not be considered definitively confirmed until the addition of several pages (thus after several periods of ten minutes).
16. Nick Abouzeid, “Ukraine Government Plans to Trial Ethereum Blockchain-Based Election Platform,” Bitcoin Magazine, February 16, 2016.
17. A range of measures, including smart contracts and digital certificates issued to voters by trusted third parties such as the government and banks, is being considered as a means to prevent voter fraud and ensure the integrity of an election conducted in this way.
18. Manuel Blum, “Coin Flipping by Telephone.”
19. The following is a protocol for a lottery offering players a chance k of success, where k is an integer greater than or equal to 2, and S is the sum bet by a player. If the lottery draw goes against you, the casino keeps your stake; if you win, the casino will give your stake back, and add to it (k - 1)S, minus, for example, 1% of the total, for expenses.

A provably fair protocol for a lottery with a chance of succeeding k (one takes k = 2 to simulate flipping a coin).

The casino chooses a number x, and sends the result of the calculation f(x) = y to the player. The function f is a one-way function producing results comparable to chance, as is the case of the SHA-256 function.

The player sends the casino a number z that he chooses as he wishes.

The casino calculates t = x + z, and u = f(t) mod k.

If u = 0, the player has won; if not, he has lost.

After the lottery, the casino sends x to the player. The player checks that the casino did not cheat by verifying that the y he had received before choosing z is indeed f(x). He can also check the calculation of t = x + z and u = f(t) mod k.

The outcome cannot be manipulated by the casino because when it chose x, it did not know z. The same is also true for player, when they chose z, the value of x was unknown to them.