by xg15 1668 days ago
I think the difference is which kind of hash you needed.

For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.

For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.

3 comments

> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.

Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldn't fool anyone knowledgeable. I'm not sure how you would leverage that chain for fraud.

A while ago bitcoin clients changed from favoring the 'longest' chain to favoring the chain with the most work done on it. (To prevent long chains with low difficulty)

So... the consensus rules of the network changed, you need to make sure you have the correct client, and bitcoin is weakly subjective after all?
Asking "what's the correct client?" will always be a subjective question

Bitcoin doesn't decide what is called bitcoin, we as a community do

In practice this was essentially a soft-fork. But yes the consensus rules of bitcoin software changed.

The client can choose properly, but it needs to "call a friend" in order to get the options - if the client doesn't receive the proper chain but only fake ones, it will choose the fake one with the most work done on it.
Why fork at low difficulty?
You need to fork at low difficulty if you want to significantly lengthen the chain from that point, because creating a high difficulty, long chain that is valid is hard.

But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.

I was wondering about that bit actually.

Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?

I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".

But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.

On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?

Edit:

Ok, sibling comment seems to suggest bitcoin has solved this problem differently: https://news.ycombinator.com/item?id=29368166

Yes, Bitcoin effectively integrates the difficulty over the entire chain.

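The "integrate the difficulty over the entire chain" rule discussed in the comments above (chain selection by most cumulative work, not by block count) can be shown in a few lines. The following is an added illustration, not code posted by anyone in this thread: it decodes Bitcoin's compact `nBits` difficulty field, computes per-block work with the same formula Bitcoin uses (2^256 / (target + 1)), and compares a constructed 10-block chain at mainnet genesis difficulty (bits 0x1d00ffff) against a constructed 100-block chain at the very easy regtest target (bits 0x207fffff). The two sample chains, their field names and the helper names are assumptions made for the example.

```python
# Added example (not from the thread): why a node must compare candidate
# chains by cumulative proof-of-work rather than by length.

WORK_NUMERATOR = 1 << 256  # 2^256, as in Bitcoin's GetBlockProof()


def bits_to_target(bits: int) -> int:
    """Decode Bitcoin's compact 'nBits' encoding into a 256-bit target.

    Layout: top byte is a base-256 exponent, low 23 bits are the mantissa,
    bit 23 is a sign bit (a negative target is invalid in a block header).
    """
    if bits & 0x00800000:
        raise ValueError("negative target is not a valid difficulty")
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hash attempts needed to produce a block at this target."""
    return WORK_NUMERATOR // (bits_to_target(bits) + 1)


def chain_work(chain) -> int:
    """Sum the work of every block: the 'integral of difficulty' over the chain."""
    return sum(block_work(block["bits"]) for block in chain)


def choose_by_length(chains) -> int:
    """Index of the longest chain: the naive rule the thread says clients abandoned."""
    return max(range(len(chains)), key=lambda i: len(chains[i]))


def choose_by_work(chains) -> int:
    """Index of the chain with the most cumulative work: the current rule."""
    return max(range(len(chains)), key=lambda i: chain_work(chains[i]))


# Constructed sample data (assumption for the example, not real chain data):
# an honest chain of 10 blocks at difficulty 1 (mainnet genesis bits), and a
# much longer low-difficulty fork mined at the regtest minimum difficulty.
HONEST_CHAIN = [{"height": h, "bits": 0x1D00FFFF} for h in range(10)]
LOW_DIFFICULTY_FORK = [{"height": h, "bits": 0x207FFFFF} for h in range(100)]
CANDIDATES = [HONEST_CHAIN, LOW_DIFFICULTY_FORK]


if __name__ == "__main__":
    for name, chain in (("honest", HONEST_CHAIN), ("low-diff fork", LOW_DIFFICULTY_FORK)):
        print(f"{name}: {len(chain)} blocks, total work {chain_work(chain)}")
    print("longest-chain rule picks index:", choose_by_length(CANDIDATES))
    print("most-work rule picks index:   ", choose_by_work(CANDIDATES))
```

Running it shows the point the thread makes: the 100-block fork wins under the length rule, but each of its blocks is worth only about 2 hash attempts, so its total work is tiny next to the 10 difficulty-1 blocks (about 4.3 billion attempts each), and the most-work rule keeps the honest chain. This is also why lying about on-chain timestamps to hold difficulty down does not help a forger: lower difficulty means less accumulated work per block, which is exactly what the comparison measures.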
> For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain.

No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.

Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while

Because of withdrawal delays, the PoS hash isn't from the end of the chain, but from a few months before. So it changes only about as often as client software updates.