Gavin Andresen - 2012-08-19 15:55:00

There are different ways of designing proof-of-stake. Some of the designs do not require collecting large number of signatures. Our design will be made public by the coming Sunday so in due time we welcome the crypto-currency/Bitcoin community to examine our design.
From the whitepaper:
Quote
The block chain with highest total consumed coin age is chosen as main chain.

I'd have to think about it a lot harder than I'm willing to right now to be absolutely sure, but that seems like a mistake to me.

If peers have to fetch inputs and compute coin age to determine whether or not a chain is longest then it seems like that could be leveraged into a denial-of-service attack. Because an attacker could do minimal proof-of-work (or proof-of-stake) but then broadcast a chain with JUST a little-less consumed coin age than the current best chain.

Their chain will be rejected, but their peers will waste time figuring out that it should be rejected.

Also note that Bitcoin does NOT use total proof-of-work-performed to determine the best chain; it uses total proof-of-work-target. That's deliberate; if it used proof-of-work-performed, then if you happened to get lucky and found an extremely small block hash you could hold on to it, build on top of it, and only announce your "more proof of work" chain when the network chain's work started to catch up with your secret chain.