Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.
Foolish analogy.
Wealth =/= stake.
Wealth PUT AT RISK PROTECTING THE NETWORK = stake.
Any PoS model should require escrowing (via protocol directly) funds thus those funds become linked to the survivability of Bitcoin.
An example:
Currently coinbase is 0 BTC IN. 50 BTC + transactions Out.
In a hybrid model coinbase could be.
Stake IN. 50 BTC + transactions + stake OUT.
The output of coinbase is now unspendable for x blocks. One could make x relatively large. Bitcoin uses 120 blocks but that is to avoid orphaned double spends. X could be 2016 blocks (2 weeks of escrow), or even 12960 blocks (90 days). Thus the amount of the stake isn't your wealth it is the amount of wealth you have put at risk. If Bitcoin fails during the escrow period you LOSE the stake. An entity like Deepbit operating in a hybrid model would have a huge amount of funds "locked up" in the success of Bitcoin. It would be in their best interest to no just maximize revenue but to maximize the long term strength of Bitcoin. That may mean funding development, funding attack testing, innovating new security features, etc. It aligns the interests of the "network" with the interests of the miner.
$1 mil in hashing hardware buys you a "stake" in a pure proof of work model.
$1 mil in escrowed funds buys you a "stake" in a pure proof of stake model.
$500K in hashing hardware & $500K in escrowed funds (or the optimal split) buys you a "stake" in a hybrid model
Your argument is that wealth "PUT AT RISK PROTECTING THE NETWORK" is stake, then if "Bitcoin fails during the escrow period you LOSE the stake." In that we agree, but it won't happen right away. Fiat currency works the same way. All is well and good while the flow of money is free, but with PoS, a monopolist can choose to support a society. The monopolist can then slowly and quietly chose to eliminate competitors
insidiously.
PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal.
That is of little value. There is no economic value to disrupting the network. In a non-economic attack it is naive to think an attacker would spend an amount of funds which makes "breaking" the attack feasible. Say $20M buys 51% of the network. If citibank wanted to destroy Bitcoin they wouldn't be stupid enough to spend $20M. They would budget $80M. They would spend $40M to gain 70%+ hashing power and deploy only enough as needed. This would be horribly bad for "defenders" because despite adding hashing power citi would simply add more and defenders would keep falling behind (and racking up operating costs). They could keep another $20M ready to buy additional off the shelf hardware to deploy if necessary and use another $20M to fund proxies (120% PPS pools) to gain the "marginal" hashing power without any long term investment/cost.
Sure $80M > $20M but if an entity wishes Bitcoin destroyed spending $50M to $80M for a guaranteed destruction vs $20M on a roll of the dice is far more likely.
You are talking about $80M like it's real money. You are thinking far too small, my friend. Add several more zeroes and we'll start talking. If Bitcoin is that small a game for you, then you are not long. For every Citibank there will be someone else playing king-of-the-hill. Citibank isn't anywhere near the wealthiest or most powerful entity in the world. Not even close. Citibank is no threat at all. In a game where the rules are fair and honest, corporations built by litigation lawyers and scam artist will lose against honest, hard working people willing to sacrifice their lives for the security of their families.
With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death.
There is no economic value in that and proof of work can easily be outspent if the intent is non-economic. Like you said anyone trying to do that for economic gain would simply see people move to an alternative.
Their non-economic intent would not be so overt. "
First they came..." Again, absolute power is
insidious.
There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable.
Cite? The variance is a by product of the mechanisms used in proof of work not a desired attribute. On a large scale over a long period of time variance is mostly meaningless. Check with Tycho how much the variance for Deepbit is over 90 days, 180 days, 365 days? Rapidly approaching 0%.
Mining pools mitigate variance, but also puts faith in potential monopolists that may or may not act with bad intent. The Tychos of today could be the Joseph Stalins of tomorrow. As far as a cite for the introduction of variance instead of a time based block release mechanism, I'm not sure if the intent was to promote random fairness or it is simply serendipitous. If he didn't want variance, he would have chosen a SolidCoinish model like PoS.