To me, the N@S problem can be formulated as follows:
"there are an unlimited amount of different, correct block chains under a PoS rule that can fork off from a given common point using a relatively small amount of stake, and given a finite set of transactions signed by the other stake holders"
I think that's reasonably correct. I would only add that the amount cannot be infinitely small but still must be high enough to ensure that you could trick others to think it is the "longest chain".
There is a difference in the required stake size between "secretly mined alternative chains" like those used in the infamous "History Attack" and "publicly mined alternative chains". Secretly mined chains require much more stake to become the "longest chain" as they can't trick other users to sign them with their stake while minting, but if they win they are more dangerous, because they also can use "double-spent stake" (emptied addresses that at a moment had large balances).
The trick is to define an ordering over that amount of block chains such that the chain including most transactions of the other stake holders wins with high probability unless the amount of stake that has to collude becomes significant (at which point, the coin is essentially in the hands of a colluding set of cheaters, at which point, it doesn't matter any more that it fails technically, because it failed already economically).
Yes, I think that is very similar to the "Economic Clustering" feature NXT wanted to implement at some point and was first released as a part of the "
TaPoS" proposal by Daniel Larimer. Bitshares, I think, had implemented it but then switched to DPOS. The trick in this system is that the payer has to add a signed hash of a recent block to all transactions. So you could see exactly on which chain every actor is - e.g. if you are on the same chain like the largest exchanges or payment providers.
An attacker then couldn't fake a secret chain anymore, because in the case of a reorg all nodes would see that no important actors were active in the attack chain. What he could to instead is to try to create a "public" double spending chain and lure the network into a reorg to this chain after the victim has confirmed payment. That is what kushti considered the most dangerous N@S variant (and suggested to increase the amount of required confirmations in PoS currencies). But without rewards it's pretty difficult to attack this way if you haven't a LOT of stake because the attacker on most blocks would have to use his own stake to mint it and not many others would "help" him.
This goes a long way in the right direction. This is also what I tend to conclude: that many attacks lose their potential or their incentive if there are no rewards, because most stake holders have no incentive to cooperate with any "chain reorg" of significance. I would even go further, and say that we have to go away from the "chain" concept as a whole, and go to a "bag" concept (mathematically, a
set instead of a
sequence). The only sets that are disallowed, are sets with forbidden transactions (double transactions or transactions without valid inputs).
As such, if you have to consider two sets A and B, and you have to come to consensus over them, you try to come to consensus over their union. If their union is a valid set, then that's the best consensus, but A and B are not anti-consensus, they are partial consensus. That is, one doesn't REJECT A and B individually, but one considers their union, and hence also all the valid subsets of their union.
The only place where consensus cannot happen is if A is a valid set, B is a valid set, but A U B isn't. That is simply because A and B contain a double spend. In that case, there must be a deterministic way to prune A U B of the double spends, and the most logical way is to keep the spend which has most PoS to it. If A has a certain amount of PoS to it, and B another, which is smaller, then A U B will be pruned by leaving out the conflicting B spends (and ONLY the conflicting B spends).
Note that if there is no reward for staking, many stakers can stake in parallel, so that you get the same transaction in different blocks signed by different stakers, which adds to the total stake of those transactions.
If I receive a block A from Joe, with stake 0.2% and I receive a block B from Mary with stake 0.3%, then for the transactions that are in both, I consider that they have a weight of 0.5%, as a receiving node.
In the end, the time stamp on a transaction becomes the most important one. You cannot accept a transaction that is "back-dated" for more than a small multiple than the maximal propagation delay on the network (say, half a day).
You don't consider re-organizing transactions that are 2 days old, say. So you don't even need to keep their history !
After all, if you are new to the network, you *don't care* about its transaction history. You want to know the "current state". And if you aren't new to the network, you have the last old history you consider correct ; but you only care about 2 things:
1) that your old balance is still valid
2) that there hasn't been any non-legit coin creation
You don't care about what happened to the other coins in between. You don't have to decide upon the past transactions of coins that were transacted when you weren't on-line: if the total amount of coins is OK, and YOUR coins are OK, then that's all you need to know and you care about.
You can of course only "stake" when you are "up and running and online" for a certain while.
There is one problem with this assumption: the attacker could lend stake. If there is a Bitfinex-like market so big that he would be able to lend - let's say - 20% of the total stake, then it becomes dangerous. He could try to attack and fork the currency, trying to crash the market because of the "malfunctioning" currency and then give the coins back to the original holders for a small fraction of its price.
This is in fact a universal attack that can work against just any system. PoW included: you can lend hash power, you can lend nodes, you can lend about anything. If your only goal is to DESTROY a system and you are willing to spend value on it, you can always succeed if you can lend a large part of the system.
Suppose that I lend 200000 bitcoin, then I pay the 5 most important mining pools 10 times their daily earnings if I can lend their hash power for half a day, then I do a 51% attack on bitcoin, I buy now 200 500 coins on the market for a few dollars, now that bitcoin has crashed, and I pay back the unlucky bag holders their 200 500 coins with interest.
I need to lend much much less to obtain potentially a majority of PoW than I need PoS: I would have to lend 3 million BTC to do what you propose, and with 200 000 coins I can do my PoW lending attack.
If you can lend an important fraction of the stake, honestly, the system is just as economically insecure as it is technically insecure, because when I lend 20% of the stash, I can DUMP IT in the morning, buy back the coins at noon when the price crashed to hell, and make a lot of benefit ; much better than trying to do a double spend.
This attack has also been called the "Pirate attack" because it could also be accomplished running a HYIP scheme like "Pirateat40" and secretly selling the coins on exchanges before you have to return them to their owners. It is also a very unlikely attack, but it is not impossible, like most of the N@S variants, and it could be devastating to the currency.
My point is that by the time that you can do things that make the system already an economic failure, the technical security doesn't matter any more. If you can lend easily 20% of the stash, that would mean that I can lend easily 3 million BTC. You imagine the damage I can do with 3 million LENDED BTC on the market ? I dump them all at once and I buy back more when the price has crashed (with the fiat I made when dumping them) and when all the weak hands are selling too. I give back the 3 million BTC + interest, and what I have more is in my pocket.
If you can lend 20% of the stash, the system is already economically dead.