Board Development & Technical Discussion
Re: Proof of Stake Bitcoin?
by dinofelis on 26/01/2018, 06:56:27 UTC
Quote
PoW has been shown, in bitcoin, to centralize, and we know the economic reason for that: "economies of scale".  

No. PoW in bitcoin has been shown to be a trustless, reliable proxy for elapsed time.


Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".  You need the order of spendings, in order to exclude the double spend, and to certify the first spending.  In bitcoin, if these are more than a few times 10 minutes apart, that's usually considered definitive.  But *any* mechanism that comes to a consensus that transaction A came before transaction B is good enough.  You don't need real world time for that.  You only need order.  

Quote
- cryptographically not very secure.  Indeed, the cryptographic security resides solely in the need for an external attacker to do a *similar* amount of work as was needed to generate the security in the first place.

Firstly, 'cryptographic security' is the wrong term for what you are trying to describe. Secondly, the security of a PoW chain is not based on doing a 'similar' amount of work, but on doing more work than the rest of the miners in the network combined. That is indeed 'vastly' more work.

No, that is not vastly more work.  If I make a digital signature, I can do that with a smart phone using a few mW during a few seconds.  Even the NSA, with all its supercomputers, can't FAKE that digital signature.  So the effort of the attacker (here, the NSA) is so vastly more important than the effort the "good guy" (me) had to do, that it is simply practically not feasible.  This is the core of cryptography: the good guy (with the key) can do something easily that the bad guy without the key cannot even dream of doing with all the computation power in the world.  It is sufficient to show that one single digital signature has been faked without the key, and one considers that scheme broken.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys", and your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

Quote
But that is what a crypto currency should be: entirely determined by its owners.  It is very strange to have a crypto currency that depends on an external industry, and of which the users are not making up the consensus.  A PoW coin is very much exposed to an external attack, while a PoS coin is cryptographically secure against an external attack.  It can of course suffer *internal* attacks.

Again, you're misusing 'cryptographically secure' and even if we take your intended meaning, your statement is still wrong as PoS coins are vulnerable to a much broader range of attacks than PoW coins, both external and internal. Please see this thread for details:

They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

Yes, PoS can be attacked by its owners.  Which is obvious, because that's what a crypto currency is about: the owners should be the master of what's going to happen, of the rules, and of everything.  But it cannot be attacked from the outside because it is cryptographically simply unfeasible if you don't possess any of the signing keys.

Quote
There is a paper describing a provably secure PoS chain, but even the author concedes that it can only be that way if a majority of honest nodes remain online. This is not a very resilient design, especially in the face of power cuts, wars and 'force majeure'.

PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

The thing is that all these theoretical attacks are way beyond the normal use case: by the time these attacks become possible, the use case of the coin has already crumbled.  If you first need to obtain 15% of the stash of a coin before you can attack it, you could already do much more harm in the market than you would by setting up a rather improbable attack.   We now have 4 people in the world who, via a simple phone call and an agreement, could attack bitcoin, and they don't even need to possess it.  They won't, because it is their business.  If you own 15% of a coin, you won't set up an attack.

Quote
Don't get me wrong, I'm not saying that bitcoin is a success - the network is congested beyond usability, but PoW remains the only trustless solution to the byzantine generals problem.

I think PoW proved that it failed, by economies of scale.  If 4 people can decide to attack the system, even if they won't, I think that I can rest my case.  If this system is considered safe, then PoS should be considered safe too for all practical purposes, even though theoretical attacks are possible.  

The real, initial problem with PoS was that one thought that it wouldn't *converge*.  That semi-honest players wouldn't find the same consensus.  The "nothing at stake" issue.  

That, from a certain level of investment onward, you can break the system, is obvious, but we saw that with PoW in practice.  4 guys (and maybe they are the same guy!!) can collude, and kill bitcoin tomorrow if they want to.  Simply, they don't want to.

If the 4 most important mining pools decide to reduce their hash rate in the building of the new chain, and use 80% of their hash power to overdo an older piece of chain, reversing transactions of last week, next week we have broken bitcoin with an orphaned prong a week long.

The point is that in PoW, you don't know how much invisible potential PoW hardware is available to an attacker.  In PoS, you know: it is the amount of stash.  Nobody knows if someone is not stealthily collecting mining hardware without using it, so without pushing the difficulty upward, and then switching it on in the frame of an attack.   This is especially so in the case of large price swings on the market.  If tomorrow, bitcoin tumbles a factor of 5 in the market, and miners "switch off hardware" because it is wasteful, there's a huge potential of hardware ready to be used for an attack.

So all these attacks are just as well theoretically possible with PoW.  PoW is just as theoretically broken as PoS.  In reality, they won't happen, because they need big players to kill their own investment in one way or another; and these big players can do that also in the market if they want to.  From that PoV, PoS is more logical.  An outside attacker might want to invest in the killing of a coin more probably than an insider.
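The reorg race the post describes (a colluding share of hash power rebuilding a week-old piece of chain while the rest keeps extending the honest tip) and its "50% more hashes" comparison, as an added Python model that is not part of the original post. It assumes a constant total network hash rate, no difficulty change during the race, and counts time in pre-split block intervals; the same arithmetic is what a defender uses to pick a confirmation depth against a given colluding share.

```python
from fractions import Fraction

# Constructed chain-race model (added illustration, not from the post).
# q = share of the network's total hash power diverted to a competing chain
# that starts `deficit_blocks` behind the honest tip; the remaining 1-q keeps
# extending the honest chain. One "interval" = the pre-split average block
# time, 10 minutes for bitcoin. Difficulty is assumed not to adjust during
# the race (realistic over a couple of weeks, and conservative for longer).
BLOCKS_PER_DAY = 144            # 6 blocks per hour * 24 hours
BLOCKS_PER_WEEK = 7 * BLOCKS_PER_DAY

def _share(q):
    """Accept 0.8, "0.8" or Fraction(4, 5) and keep the arithmetic exact."""
    q = Fraction(str(q)) if isinstance(q, float) else Fraction(q)
    if not 0 <= q <= 1:
        raise ValueError("q must be a fraction of total hash power in [0, 1]")
    return q

def catch_up_intervals(q, deficit_blocks):
    """Expected intervals until the competing chain carries more work than the
    honest one. Per interval the honest chain gains 1-q blocks and the attacker
    q, so the gap closes by q - (1-q) = 2q - 1; with q <= 1/2 it never closes."""
    gain = 2 * _share(q) - 1
    if gain <= 0:
        return float("inf")
    return deficit_blocks / gain

def catch_up_days(q, deficit_blocks):
    """The same race in days of wall-clock time."""
    intervals = catch_up_intervals(q, deficit_blocks)
    return intervals if intervals == float("inf") else intervals / BLOCKS_PER_DAY

def min_share_to_reorg(deficit_blocks, within_intervals):
    """Smallest share q that reverses a deficit of D blocks within T intervals:
    solve D / (2q - 1) <= T for q, i.e. q >= (D/T + 1) / 2."""
    return (Fraction(deficit_blocks, within_intervals) + 1) / 2

def attacker_work_ratio(q):
    """Work spent by the attacker relative to the honest miners during the race,
    q / (1-q). q = 0.6 gives 1.5, the '50% more hashes' figure of the post;
    a forged 128-bit signature would instead cost about 2**128 times the signing work."""
    q = _share(q)
    return q / (1 - q)

if __name__ == "__main__":
    print(float(catch_up_days(0.8, BLOCKS_PER_WEEK)))                   # about 11.67 days
    print(float(min_share_to_reorg(BLOCKS_PER_WEEK, 2 * BLOCKS_PER_WEEK)))  # 0.75
    print(float(attacker_work_ratio(0.6)))                              # 1.5
```

With 80% of total hash power diverted, undoing a week of blocks takes about 11.7 days, which is the "next week" figure the post has in mind; the model generalizes to any share and depth, so it also gives the depth at which a given colluding share cannot catch up in a chosen time window.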