With PoW, a miner needs to make an investment in mining equipment for to mine the cryptocurrency. If that equipment cannot be used to mine that cryptocurrency, there is no other way for the equipment to create value for its owner. If the miners as a whole were to act badly, the mining algorithm could be changed, and the mining equipment would become worthless.
Similarly, with PoS, a miner must "lock up" their coin in order to receive mining rewards. This is similar to a miner buying a miner, except without the mining manufacturer. If a PoS "miner" were to produce invalid blocks, their "locked up" stake would be lost. It would be up to the other PoS "miners" to determine if another miner is producing invalid blocks. If the miners as a whole were to act badly, the value of the coin would become worthless.
In both PoS and PoW, if the miners as a whole act badly, they will lose their investment. However, with PoW, the underlying coin will survive. This is an important distinction. If a large PoS miner were to successfully act badly, they could potentially enter into derraritive contracts to offset the coin they have "locked up" that is mining. This removes the requirement for a PoS miner to actually invest in their "mining" operation. OTOH, a PoW miner cannot easily hedge their investment if they intend to act badly while mining.
Maybe some algorithm that doesn't utilize cryptographic algorithms (I.e. energy) or tokens is what is necessary to create a low-energy PoW alternative that doesn't put your coins at financial risk (locking tokens I.e. POS).
For example - Proof of Time (I made this one up).
Most operating systems support nanosleep(2) for pausing execution for a certain amount of nanoseconds.
So instead of solving a problem where you must find successively smaller hash inputs, we turn it into a problem of sleeping for a random amount of nanoseconds (1 second = 1 billion nanoseconds) up to a certain target.
The idea would be that the network keeps a global 256-bit counter that tells how long all of the nodes have slept, and that all of the nodes will compete with each other to sleep, each amount of time slept increments the global counter, and the node that whose sleep time causes the counter to hit the target will get the block reward. Then the counter time is reset to zero and the target is increased or decreased based on a difficulty adjustment algorithm similar to the ones in Proof of Work.
The sleep time will be hardcoded, to e.g 100ms.
A "stale message" multiplier will also be hardcoded, e.g 20.
This means that nodes have 2 seconds to sleep for 100ms and relay the messages over the network to other peers before they start rejecting the message.
So, what happens after a node sleeps (it actually doesn't have to sleep, it just need to wait for the sleep time doing something else but the only logical activity that wakes programs up after particular intervals is sleeping), then it sends this message to all of its network peers, with the following content:
{current_UTC_datetime: string
public key: string
hash: ECDSA sign of current_UTC_datetime against private key
}
A message with datetime in the future is rejected.
Messages with datetime more than (sleep_time * multiplier) nanoseconds in the past are also rejected.
Otherwise, the sleep time is added to the global counter, stored in a ledger I.e. an array of entries that look like:
{
current_counter: 256-bit int
message: {above message embedded here}
}
If the node finds that their public key is associated with an entry that has hit the target, then it generates a block reward for itself (as the consensus is coded in the program) .
Then each node only does one ECDSA operation per "sleep time" interval instead of several trillion SHA256d iterations, while keeping a decentralized blockchain.