1. Sybil-resistance (faking strong consensus by deploying cheap replica nodes you control) in a protocol like this is crucial. All I could find is this:
To prevent Sybil attacks, it uses a mechanism like proof-of-stake that assigns weights to participants in committee selection based on the money in their accounts.
2. Every non-proof-of-work protocol I've seen, including Ripple Consensus Process and proof-of-stake creates a problem of initial coin distribution. PoW systems have a clean distribution mechanism based on external resource consumption. Non-PoW systems produce an airdrop situation. Players start with no funds, and so can't stake. The creator of the network manually assigns ownership, with important long-term political consequences (e.g., Ripple).
3. The lack of an incentive structure around fees in protocols like Ripple creates bizarre economic consequences. For example, Ripple is guaranteed to lose money stock because fees are simply burned, rather than given to the consensus leader as in Bitcoin.
4. So far, I haven't seen anything in the paper regarding denial of service attacks on nodes. In other words, I see no negative incentives levied on those who can sign transactions from flooding the network with useless spam, bogging everything down.
May deployed PoW implementations are provably worse than most modern proposals for Proof of Stake. PoW mining opens selfish mining strategies, whereas Proof of Stake fixes the set of actors opens to scrutiny the mechanism for "who gets to mine the next block."
This doesn't mean that proof-of-stake is magical, but it's certainly less prone to issues than Proof of Work. It's also less inundated by religious zeal; PoS proposals face healthy skepticism and more vetting BEFORE they tend to be deployed. PoW is the axiomatic and beloved sacred "nakamoto consensus" in (incorrectly, but to many in the space) a platonic form.
(1) Isn't it Plutocratic? PoW can be too in that capital and energy costs money, but PoS seems to directly reward the largest stakeholders with more stake.
(2) Removing money from circulation is not free. It reduces monetary velocity and has other detrimental effects on the currency's economic system.
2. If a network can hold back some currency, but actually scale to meet global transactional demand, it'll be better in this regard anyways.
This isn't really true. It's true of Bitcoin but selfish mining is an artifact of Bitcoin's sloppy way of estimating how much work is being done, not an artifact of PoW. An enhancement like Bobtail  eliminates the incentive to selfishly mine by improving the network's ability to estimate the network hash strength.
It does require a larger block header and more network traffic but Bitcoin's scalability is currently limited by politics, not network bandwidth.
Unless the creators are the only ones mining for a time.
OTOH, consider the alternative. Satoshi gave himself all the money in the system, then divvied it up among his friends.
However, given the availability of multiple multi-billion dollar cryptocurrency economies, another option might be possible. Airdrop to the current holders of some other cryptocurrency. Or maybe a basket of cryptocurrencies. Key owners could then claim their money on the newly-created network. This idea really started to take off in 2018 with Bitcoin hard forks.
The problem is that the network creator will face intense pressure to withhold just a little currency to fund a war chest. Yielding to that pressure creates the very political problems I alluded to earlier (e.g., Ethereum).
Basically, PoW provides consensus by providing an absolute timestamp (we know that at the difficulty adjustment equilibrium, a certain block header must have taken 10 minutes to produce), but this does not imply that a consensus algorithm that all public ledger consensus algorithms must produce an absolute timestamp (the later claim is stronger).
I think the most precise name might be something like "affine timestamp"; you don't actually need timestamp wrt the big bang but being able to measure the rate-of-time is stronger than merely being able to order events
Isn't this already implemented by STEEM ?
"Algorand  uses a verifiable random function to
select a committee of nodes that participate in a novel
Byzantine consensus protocol. It achieves over 360 tps
with 50 second latency on an emulated network of 2000
committee nodes (500K users in total) distributed among
20 cities. To prevent Sybil attacks, it uses a mechanism
like proof-of-stake that assigns weights to participants in
committee selection based on the money in their accounts."
edit: not only that, but it will be vulnerable to all kinds of history attacks for bootstrapping nodes
There are well known problems with DAGs: lack of incentive to run full nodes, tip choice attacks, flooding/spam attacks if there are no fees, and many and varied types of Sybil attacks.
For flooding or spam a transaction proof of work isn't enough. Not only does it "waste" a lot of energy (though at the edge nodes where it's less visible than mining farms) which negates part of the purported benefit of a DAG, but it's vulnerable to ASICs or botnets. If you can short a cryptocurrency on any major exchange that supports short selling then it will get attacked with the goal not of stealing coins or censoring transactions but of just destroying it.
Tip choice attacks combined with Sybil attacks can be very sophisticated. Tip choice is "random" but randomness cannot be verified. 3, 18, 593, 3, 3, now prove those were not random numbers modulus 1024. You can't of course. So I can non-randomly choose the transactions I link to. If I combine this with some sophisticated analysis of the network's transaction structure and physical topology I might be able to skew the network in some disastrous way over time in ways that would be completely undetectable since my apparently "random" tip/link choices were not in fact random. Then I can do something like short the coin and do something nasty to the network.
Attackers can be very very creative, and attacks only get better.
Last but not least: there is no mining mechanism in a DAG coin, or at least I've never heard of how one could be done. This means DAG coins are "Big Bang" coins that begin with all the money that will ever exist. This is problematic from an economic point of view and opens a huge can of worms around what is done with that money and how it is distributed to initial holders.
"We adopt what is commonly known as Bitcoin’s unspent
transaction output (UTXO) model. In this model, clients
are authenticated and issue cryptographically signed
transactions that fully consume an existing UTXO and
issue new UTXOs."
I also always like authors who are willing to acknowledge the limitations of their work. If this work described the limitations I didn't see it; maybe they think there are none :-)
> Specifically, the system operates by repeatedly sampling
the network at random, and steering the correct nodes
towards the same outcome.
Obviously random sampling could be trivially manipulated if anybody can spawn nodes very easily. I expected that the "fix" would be in the "Snowflake" algorithm but I don't see how it prevents that:
> When the protocol is correctly parameterized for a given threshold of Byzantine nodes and a desired guarantee, it can ensure both safety (P1) and liveness (P2).
But isn't that threshold effectively infinite? If you look at something like the bitcoin network there are very few incentives to maintain full nodes. Meanwhile if having a majority of nodes let you cheat and steer the network (which is not the case for BTC thanks to PoW) the incentive to spawn a huge amount of byzantine nodes would be very high.
After that the paper introduces the notion of "confidence" which might be the key to unraveling all that but I haven't yet fully understood that part. I don't have more time to look into it at the moment, hopefully somebody else will.
It seems thats the only problem in the crypto world, but I dont know if verification will ever be scalable.
PoW solves the problem by making it so that any node which receives two valid but conflicting versions of blockchain has an objective metric to decide which one is the "right" one. The answer being whichever has the most work put into it. Since you can't fake work you can't arbitrarily create a new chain that would take over the others (unless you manage to work harder than all the rest of the network combined, hence the 51% attacks).
Without PoW if you receive two valid but conflicting chains you need an other metric to decide which one you select. This paper describes such an approach.
One could read "Beyond Hellman's Time-Memory Trade-Offs with Applications to Proofs of Space" https://eprint.iacr.org/2017/893.pdf
I see a few flaws in this. First of all: all fast storage media consume energy even when idle. Secondly I think this neglects the embodied energy (energy to manufacture) of storage media. Lastly if a proof of storage mining scheme became popular you'd probably see ASICs that incorporate onboard fast memory controllers with huge caches and other approaches that would improve performance to the point that this would just become another proof of work.
Comparing full life cycle energy of different approaches to securing a cryptocurrency is actually pretty tough. It's also pretty hard to compare it to the energy requirements of more conventional approaches to currency since the energy cost of those is so spread out across society.