I wonder why no one mentions the 2 huge flaws the paper has:
1. It throws all PoS implementations in one pot, while there are huge differences between them. (centralized checkpoints vs. decentralized ones, unlimited reorg vs. 720 block reorg limit etc. etc.)
Any checkpoints that are designed to avoid a fork are by their nature a driver of centralization because they compromise long term independent validation in favor of short term "guarantees" that depend on a smaller subset of honest nodes, which in turn opens up the potential for Sybil attacks.
The whole thing is extremely messy and at the end of the day boils down to: the differences don't actually solve the problem of decentralized consensus, so there's no reason to put them into different pots.
2. It does not bother to mention how many calculations are needed to secretly build a valid longer chain with a small stake in a specific PoS system. This is like saying sha512 algo can be cracked, without calculating how many tries one needs to crack it...
I'm eagerly awaiting a revised version that calculates needed computing power to n@s-attack, let's say current version of Nxt.
The tedious details that would go into trying to figure out precisely how Nxt would be attacked don't resolve the problem that the paper is talking about, and more importantly, it's not our responsibility to put forward the security model.
It's worth noting that by writing a well-defined security model and working toward it, it is possible to create a "working" PoS which is only broken when the assumptions of the security model are violated. If one were to do this, it would then be easy to point out how the security model is not applicable to the real world. But Vitalik's posts --- and no PoS writeups that I'm aware of --- actually do this.
The way I see it is the difference between PoS and PoW is the difference between a geocentric and a heliocentric model of the solar system. In the geocentric model (Ptolemaic system) you have to keep adding all sorts of convoluted rules and behaviors to get it to spit back a result that you're looking for, whereas with the heliocentric model, it's comparatively easy to map and model the appropriate behavior of the bodies in the solar system. Similarly, PoW is very simple, and it does its job very well. However, the Ptolemaic system actually worked, whereas it's not clear that PoS can actually work in the sense of allowing decentralized consensus.
Why bother with a cryptocurrency if it doesn't accomplish decentralized consensus? I could run a program on my computer that could easily run tens of thousands of transactions per second (if I had the bandwidth), it would only cost maybe a few cents per transaction, confirm in seconds, you could access it from anywhere in the world, I could return stolen funds, roll it back when it inevitably messed up, and no one else could see your transactions (until the government asked for them), but who wants to trust some bonehead to always do the right thing? PoS throws the baby out with the bathwater. By trying to avoid the "waste" of PoW it also vaporizes decentralized consensus, which is arguably a defining feature of a real cryptocurrency.