wow, there is so much erroneous information on this thread about POS coins...
It is true that the thing I argue for is not the classical PoS. Classical PoS that wants to play the same game as PoW does indeed have a problem of principle, because both approaches want to adhere to a property that is, when you think about it, quite crazy. It is what I said before:
"suppose that an entity E is presented with a set of potential consensus propositions X (containing the "true one" A) and entity F is presented with another set of potential consensus propositions Y (also containing A), how to make sure that both will elect A, assuming E and F don't trust anyone, and have no previous information (weren't online)?"
In absolute terms, PoW can provide a solution, by spending more than half of planet earth's energy and hardware on the true consensus A. Any set can only contain consensus documents with less PoW, so "maximum PoW" will elect this A for sure. But this is madness.
If we define PoS in a very similar manner as PoW, that is, a block chain with rewards by stakers, to stakers, in a similar way that PoW works, then there's no way to satisfy the above condition. Indeed, if A was the "true" chain, there can be an infinite amount of different chains that can be just as well chosen. Any selection procedure that picks "the best" chain out of a set can be tricked into picking a different chain if you are allowed to propose chains. I can easily make hundreds of chains that will all be preferred over the "true" chain, no matter what the deterministic selection function is. This is the main reason why people say that PoS is not trustless secure.
Indeed, I can always make a new genesis block, giving me the first coins. As I'm the only staker at that point, I can make the second block, and win coins. I can now transact from myself to myself. I'm still the only staker, but it looks like there's two of us. And so on. I can make an entirely new chain from scratch, and I'm the full owner of all coins. I could decide to transact to "real users" on the original chain. Depending on the deterministic selection function, I can steer that in such a way that my chain will be preferable over the original one, and that I, and all my addresses, nevertheless remain stakers for all blocks according to the rules at hand. As such, I can give myself a big chunk of coins, while leaving some of them to others. If I ever publish this entire chain, all nodes should switch to it, and forget the original true chain.
However, we saw that PoW is only solving the issue when we accept madness: wasting more than half of humanity's energy on it.
So something has to give. Some trust must be allowed for. If we accept trust in the genesis block and in a given client software, it becomes harder... but now, the founder of the chain has all the power to do what I proposed, and/or, if this genesis block is checked for in the software, the software signer can do so. These guys can screw the entire system if they want to, but at least ONLY they can do so.
But PoS as presented is not at the end of its problems. Former owners of stake, who have transacted their coins later and are, on the true chain, not stakeholders any more, were potential stakeholders in the past. There are ways for them to construct a new chain from a point after they became legitimate owners, as stakeholders, and so they can, as stakeholders, remove the transaction after which they weren't stakeholders any more. Of course, any sensible pseudo-random stake selector will try to avoid allowing the same stakers to stake successively. But as our former stakeholder can put in new transactions of his former holdings (to himself), is also winning new blocks, and can include or exclude as many other transactions as he wants to, he can tweak the stakeholder choice function (a pseudo-random generator) in such a way that he is nevertheless allowed to make every successive block with all the stuff he has. This requires some "proof of work", but you can easily see that if, say, there are in total 1 billion potential stakers in the system, of which he holds, say, 100 addresses, you only need on average to try 10 million different configurations (order, date, whatever the pseudo-random generator is sensitive to as a source of entropy) to always have it fall on one of YOUR addresses "by coincidence". So that's the PoW equivalent of a meagre "10 million hashes" or so, each time, to "be lucky" and be allowed to be the next preferred staker.
This is why many people consider the bare-bones PoS system to be profoundly insecure. But that is because this kind of PoS imitates bitcoin's PoW, which mixes up coin creation, consensus voting online, and "consensus proof after the fact". Pure PoS done that way is simply not secure, and this is why people say that it is IN GENERAL not secure.
The first thing to remove is coin creation. As PoS doesn't require a huge effort, there's no reason to be rewarded a fortune for it. In fact, this rewarding can actually induce you to try to attack the chain, just to be able to stake and reap the rewards.
The second problem, which it has in common with PoW, is the silliness of rewinding far back in time. Uncertainty over reached consensus comes from splits of the group, so that two or more parts independently, and honestly, each come to a different consensus in their own partition of the group. Whenever the group rejoins, one can only see that the others came, visibly according to the rules, to a different chain of consensus decisions.
If one defines an absolute consensus rule that has no notion of time, then this problem seems "easy": of the different proposals, find the "best" one. As I said before, no matter what PoS system, it is always possible to invent a "better" chain than a given one. Whereas in PoW the decision is easy (even though terrible for the part that truly lost) and the attack expensive, in PoS, pretending to be a "lost piece of network" and winning over everyone is easy.
But this is in practice not thinkable. The rule that one should accept a risk of attack and rewind over a long period, because of the theoretical possibility of a long net split, is stupid. The net doesn't split into separate big parts for days or weeks - most probably not even for tens of minutes, apart maybe from catastrophic events. As such, there is no reason to allow a "rewind" over a long period. In reality, a network consensus can be reached in real time in a period of several minutes. It is totally ridiculous to accept attacks that "redo past consensus" over long periods, when it is obvious to all parties present online that this winding back is an attack. This is also why many clients have "fixed points" in their code. But this is nothing else but a very slow PoS kind of consensus, by a centralized signature, that of the dev.
This is even something that would make PoW much, much more secure. Indeed, "overtaking the chain" in PoW usually takes time, unless one has an IMMENSE amount of extra PoW hardware over the rest of the network. If there are "PoS" signatures of consensus that don't allow one to wind back, these attacks fail. But then, instead of having such a clumsy and centralized way of "certifying past consensus by dev signature" in the code, it is much smarter to make this certification the real consensus-fixing rule. If, after a reasonable time lapse in which all network propagation times are largely taken into account, a network consensus is reached, it would be pure madness for an online entity to accept to wind back the consensus it witnessed, for many epochs, by some or other silly rule, in the same way that the devs will not reconsider their "fixed points in the past" in the code.
So my idea is that when one drops the unnecessary and illusory requirements, and one looks at the practical mechanism of consensus, one can arrive at a much, much lighter and, for all practical purposes, even more secure way to do things, avoiding the huge disadvantages of many current systems.
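The "stake grinding" attack described in the post above (a stakeholder holding a small fraction of addresses retrying whatever entropy the selector consumes until it lands on one of his own addresses) can be shown with a small simulation. This is an added example written for this page, not code from the poster or from any real PoS coin. It assumes a hypothetical naive selector: a SHA-256 of the previous block hash and the candidate block's timestamp, reduced modulo the number of stakers, with a "never the same staker twice in a row" rule like the one the post mentions. The staker count, the attacker's address set and the genesis block are constructed toy values (10 of 10,000 addresses instead of 100 of 1 billion, so the expected grinding cost is ~1,000 tries per block instead of ~10 million).

```python
"""Stake-grinding simulation against a hypothetical naive PoS staker selector (example code)."""
import hashlib
from dataclasses import dataclass

# Constructed toy parameters (not from the post): 10,000 potential stakers,
# the attacker controls 10 of them, i.e. a 0.1% share.
N_STAKERS = 10_000
ATTACKER = frozenset(range(0, N_STAKERS, 1000))  # ids 0, 1000, ..., 9000


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    staker: int      # address id that claims to have been selected
    timestamp: int   # entropy input the attacker is free to vary

    def hash(self) -> str:
        data = f"{self.height}|{self.prev_hash}|{self.staker}|{self.timestamp}".encode()
        return hashlib.sha256(data).hexdigest()


def select_staker(prev_hash: str, prev_staker: int, timestamp: int) -> int:
    """Hypothetical selector: pseudo-random in (previous hash, candidate timestamp),
    and it refuses to pick the staker of the previous block again."""
    h = hashlib.sha256(f"{prev_hash}|{timestamp}".encode()).digest()
    chosen = int.from_bytes(h[:8], "big") % N_STAKERS
    if chosen == prev_staker:
        chosen = (chosen + 1) % N_STAKERS  # no same staker twice in a row
    return chosen


def valid_block(prev: Block, blk: Block) -> bool:
    """What an honest node checks: linkage, and that the claimed staker is the one
    the rule selects for this block's inputs. Nothing here can tell a ground
    timestamp from an honest one."""
    return (blk.height == prev.height + 1
            and blk.prev_hash == prev.hash()
            and blk.staker == select_staker(prev.hash(), prev.staker, blk.timestamp))


def grind_next_block(prev: Block, attacker: frozenset, max_tries: int = 10_000_000):
    """Attacker retries timestamps until the selector lands on one of his addresses.
    Returns (block, number_of_tries). Each try costs one hash, like a tiny PoW."""
    prev_hash = prev.hash()
    for tries in range(1, max_tries + 1):
        ts = prev.timestamp + tries
        chosen = select_staker(prev_hash, prev.staker, ts)
        if chosen in attacker:
            return Block(prev.height + 1, prev_hash, chosen, ts), tries
    raise RuntimeError("grinding budget exhausted")


def forge_chain(genesis: Block, length: int, attacker: frozenset):
    """Build `length` successive blocks, every one of them staked by the attacker."""
    chain = [genesis]
    total_tries = 0
    for _ in range(length):
        blk, tries = grind_next_block(chain[-1], attacker)
        chain.append(blk)
        total_tries += tries
    return chain, total_tries


def verify_chain(chain) -> bool:
    """Honest validation of every link; an all-attacker chain passes."""
    return all(valid_block(a, b) for a, b in zip(chain, chain[1:]))


def expected_tries(n_stakers: int, k_held: int) -> float:
    """Mean tries per block: the post's 1 billion / 100 = 10 million figure."""
    return n_stakers / k_held


if __name__ == "__main__":
    genesis = Block(0, "0" * 64, staker=42, timestamp=1_000_000)  # constructed
    chain, total = forge_chain(genesis, 20, ATTACKER)
    print("chain valid:", verify_chain(chain))
    print("all blocks staked by attacker:", all(b.staker in ATTACKER for b in chain[1:]))
    print("tries for 20 blocks:", total, "(expected ~", 20 * expected_tries(N_STAKERS, len(ATTACKER)), ")")
```

Varying the timestamp is just the simplest entropy source; in the post's terms the attacker can equally reorder or add self-to-self transactions, and any selector that consumes such proposer-controlled input is grindable by the same loop. The honest check in `valid_block` passes on every ground block, which is the point: the rule is followed to the letter while the "random" selection is steered. Real systems bound how far a timestamp may drift from the previous block, but that only narrows one input, not the transaction-content ones the post lists.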