@s{quotedtext}
@s{quotedtext}
From the whitepaper:
@s{quotedtext}
@s{quotedtext}
I'd have to think about it a lot harder than I'm willing to right now to be absolutely sure, but that seems like a mistake to me.
If peers have to fetch inputs and compute coin age to determine whether or not a chain is longest then it seems like that could be leveraged into a denial-of-service attack. Because an attacker could do minimal proof-of-work (or proof-of-stake) but then broadcast a chain with JUST a little-less consumed coin age than the current best chain.
Their chain will be rejected, but their peers will waste time figuring out that it should be rejected.
Also note that Bitcoin does NOT use total proof-of-work-performed to determine the best chain; it uses total proof-of-work-target. That's deliberate; if it used proof-of-work-performed, then if you happened to get lucky and found an extremely small block hash you could hold on to it, build on top of it, and only announce your "more proof of work" chain when the network chain's work started to catch up with your secret chain.