Comment by Cpoll
4 years ago
> any kind of PoW would cost more to check
Cost more to check than it would for the attacker to generate an _incorrect_ proof. I'm sure that's what you mean, but my brain first went to NP problems.
And actually, now that I think of it, maybe, maybe not. A PoW can be pre-calculated (possibly using off-peak cloud resources for very cheap) and then stored in a lookup table. It can be reused until the attacker actually solves the problem. Then _maybe_ you could offload that verification to a cheaper, harder to DDoS service, like a cloud function that won't charge you for SYN flooding.
But then the hard part is letting legitimate users bypass the check after doing their PoW, but not letting an attacker through.
[removed]
Prime numbers are expensive to generate and writing a reasonably efficient factorization algorithm isn't that easy either. It's far faster on the server side to just spit out a nonce and have the client generate a partial hash collision up to an arbitrary number of bits (ie, the same proof of work many cryptocurrencies use)