【】は そのままだと理解し難いので、補足として表記しています。
※は 解説を章ごとに記載しています。

Proof os Stake 資産の証明(※1)

Proof of Stake is a proposed alternative to Proof of Work. Like proof of work, proof of stake provides a mechanism for determining who signs bitcoin transactions (see "main" bitcointalk thread, and a Bounty Thread).
It was probably first proposed here by Quantum Mechanic. With Proof of Work, the probability of mining a block depends on the work done by the miner (e.g. CPU/GPU cycles spent checking hashes). With Proof of Stake,
the resource that's compared is the amount of Bitcoin a miner holds - someone holding 1% of the Bitcoin can mine 1% of the "Proof of Stake blocks".
Some argue that methods based on Proof of Work alone might lead to a low network security in a cryptocurrency with block incentives that decline over time (like bitcoin) due to Tragedy of the Commons,
and Proof of Stake is one way of changing the miner's incentives in favor of higher network security.

Proof Of Stake は Bitcoinの代替システムとして提唱されました。Proof of Work と同様にトランザクション【=取引】に署名する人を決定する機構があります。
このProof of StakeはおそらくQuantum Mechanicによって提唱されました。Proof of Workのように、Proof of StakeではBlockを掘り当てる確率はマイナー(例:CPU/GPUのネットワークがハッシュを調べる【=マイニング】)に依存します。
Proof of Stakeでは資源【=ブロック】はBitocoinを持っている人が持っています。1%のBitcoinをもっている人は、1%のPOSブロックをマイニングできます。
Proof of Workに基づいたネットワークのセキュリティはマイナーへのインセンティブが減るとともに時間が経つごとに低下し、公衆の悲劇(※2)のキッカケとなると主張する人もいますが、Proof of Stakeは、

※1 直訳すると「資産の証明」となりますが、この「Proof of Stake」という一連の語で一つの意味を為しているので、言葉の意味についてあまり深く考えなくても大丈夫です。
※2 後に詳しく出てきますが、この「Tragedy of the Commons【公衆の悲劇】」とはネットワークの決定権の独占による問題【悲劇】のことです。
※3 冗長となってしまいますので、以下をご参照下さい。
+ ...

The Monopoly Problem 独占問題

If a single entity (hereafter a monopolist) took control of the majority of txn verification resources, he could use these resources to impose conditions on the rest of the network.
Potentially, the monopolist could choose to do this in malicious ways, such as double spending or denying service. If the monopolist chose a malicious strategy and maintained his control for a long period,
confidence in bitcoin would be undermined and bitcoin purchasing power would collapse. Alternatively, the monopolist could choose to act benevolently.
A benevolent monopolist would exclude all other txn verifiers from fee collection and currency generation, but would not try to exploit currency holders in any way. In order to maintain a good reputation,
he would refrain from double spends and maintain service provision. In this case, confidence in Bitcoin could be maintained under monopoly since all of its basic functionality would not be affected.
Both benevolent and malevolent monopoly are potentially profitable, so there are reasons to suspect that an entrepreneurial miner might attempt to become a monopolist at some point.
Due to the Tragedy of the Commons effect, attempts at monopoly become increasingly likely over time.

※1 ノードとは投票権を持った存在のことで、CPUやGPU、ASICなどのことを指し、マジョリティとはそれらの総意を指します。通常は善良な総意がマジョリティを形成し、悪意ある総意がマジョリティを形成した場合、システムに不正を起こすことができるようになります。
※2 Bitcoinを始めとする仮想通貨では処理能力に応じて投票権が与えられます。またそれらは多数決で決定されるので、全体の半分の処理能力を手に入れれば独占者となれます。
※3 システム側からでは他人のウォレットからコインを奪うことはできないということです。
※4 大衆効果による悲劇とは、ネットワークの判断権が独占されてしまうことです。

How Proof of Stake Addresses Monopoly Problems どのようにしてProof of Stakeは独占問題に対処するのか

Monopoly is still possible under proof-of-stake. However, proof-of-stake would be more secure against malicious attacks for two reasons.
Firstly, proof-of-stake makes establishing a verification monopoly more difficult. At the time of writing, an entrepreneur could achieve monopoly over proof-of-work by investing at most 10 million USD in computing hardware.
The actual investment necessary might be less than this because other miners will exit as difficulty increases, but it is difficult to predict exactly how much exit will occur.
If price remained constant in the face of extremely large purchases (unlikely), such an entrepreneur would need to invest at least 20 million USD to obtain monopoly under proof-of-stake.
Since such a large purchase would dramatically increase bitcoin price, the entrepreneur would likely need to invest several times this amount.
Thus, even now proof-of-stake monopoly would be several-fold more costly to achieve than proof-of-work monopoly. Over time the comparison of monopoly costs will become more and more dramatic.
The ratio of bitcoin's mining rewards to market value is programmed to decline exponentially. As this happens, proof-of-work monopoly will become easier and easier to obtain,
whereas obtaining proof-of-stake monopoly will become progressively more difficult as more of the total money supply is released into circulation.
Secondly, and perhaps more importantly, a proof-of-stake monopolist is more likely to behave benevolently exactly because of his stake in Bitcoin.
In a benevolent monopoly, the currency txn continue as usual, but the monopolist earns all txn fees and coin generations. Other txn verifiers are shut out of the system, however.
Since mining is not source of demand for bitcoin, bitcoin might retain most of its value in the event of a benevolent attack.
Earnings from a benevolent attack are similar regardless of whether the attack occurs under proof-of-stake or proof-of-work.
In a malicious attack, the attacker has some outside opportunity which allows profit from bitcoin's destruction (simple double-spends are not a plausible motivation; ownership of a competing payment platform is).
At the same time, the attacker faces costs related to losses on bitcoin-specific investments which are necessary for the attack.
It can be assumed that a malicious attack causes the purchasing power of bitcoin to fall to zero. Under such an attack, the proof-of-stake monopolist will lose his entire investment.
By contrast, a malicious proof-of-work monopolist will be able to recover much of their hardware investment through resale.
Recall also, that the necessary proof-of-work investment is much smaller than the proof-of-stake investment. Thus, the costs of a malicious attack are several-fold lower under proof-of-work.
The low costs associated with malicious attack make a malicious attack more likely to occur.

独占者は今の所Proof of Stakeを支配するとこが可能ではあります。しかしながら、Proof of Stakeは2つの理由により悪意ある攻撃から保護されています。
 第一にProof of Stakeはよネットワークの決定権の独占がより難しくなっています。これを書いている時点で、Proof of Workでは起業家達が1億ドルの投資をハードウェアに行うことで独占が可能です。
(ありそうもありませんが、)他方、Proof of Stakeでは最低でも2億ドルの投資を行う必要があります。
このように、Proof of Stakeでは、独占をするのにProof of Workよりもよりコストがかかります。また、時間がたてば独占にかかるコストは飛躍的に上昇します。
Bitcoinのマイニングの報酬は指数関数的に減るようにプログラムされています。これにより、Proof of Workの独占は将来的に非常にネットワークの独占が簡単となります。【→1章の※3参照】
一方Proof of Stakeではコインの総量が演算を通して増えるたびに独占がより難しくなります。
第二に、そしておそらく最も重要なのは、Proof of Stakeの独占者は自らのBitcoin資産のために、Proof of Stakeにとって利益となるように振る舞う可能性が高いです。
「慈悲深い攻撃」がProof of StakeかProof of Workのどちらの下に起こるか、とは関係なく、「慈悲深き独占」による独占者の利益はどちらも似ています。
これらからは悪意ある攻撃によってBitcoinぼ価値がゼロになることを想定することができます。このような攻撃の元ではProof of Stakeの独占者は彼のすべての資産を失います。(※1)
対照的にProof of Workの独占者は独占に使用したハードウェアを処分することで、ある程度資本の回収が見込めます。
Proof of Workに必要な資金はProof of Stakeに必要な資金よりも少なかったこと思い出してください。悪意ある攻撃はProof of Workが数倍低いコストで行えるのです。

Why Proof of Stake Would Likely Decrease Long-run Txn Fees Considerably なぜProof of Stakeでは長期に渡り取引手数料を大きく低減させることができるのか

In a competitive market equilibrium, the total volume of txn fees must be equal to opportunity cost of all resources used to verify txns. Under proof-of-work mining,
opportunity cost can be calculated as the total sum spent on mining electricity, mining equipment depreciation, mining labor, and a market rate of return on mining capital.
Electricity costs, returns on mining equipment, and equipment depreciation costs are likely to dominate here. If these costs are not substantial, then it will be exceptionally easy to monopolize the mining network.
The fees necessary to prevent monopolization will be onerous, possibly in excess of the 3% fee currently charged for credit card purchases.
Under pure proof-of-stake, opportunity cost can be calculated as the total sum spent on mining labor and the market interest rate for risk-free bitcoin lending (hardware-related costs will be negligible).
Since bitcoins are designed to appreciate over time due to hard-coded supply limitations, interest rates on risk-free bitcoin-denominated loans are likely to be negligible.
Therefore, the total volume of txn fees under pure proof-of-stake will just need to be just sufficient to compensate labor involved in maintaining bandwidth and storage space.
The associated txn fees will be exceptionally low. Despite these exceptionally low fees, a proof-of-stake network will be many times more costly to exploit than the proof-of-work network.
Approximately, a proof-of-work network can be exploited using expenditure equal to about one years worth of currency generation and txn fees.
By contrast, exploitation of a proof-of-stake network requires purchase of a majority or near majority of all extant coins.
Proof of Workにおいては機会費用はマイニングの電気代、マイニングの機器の減価償却(※2)、マイニングにかかる手間、そして市場価格による収益の合計によって計算することができます。
純粋なProof of Stakeの下では、機会費用はマイニングの手間とリスクゼロの市場金利ビットコイン貸付を合わせたものとして計算することができます。(ハードウェア関連の費用はちょっとしたものです)
したがって、純粋なProof of Stakeの下でのトランザクション手数料の総量は、HDDの容量と、ネットワーク維持にかかる費用よりも十分に多くなくてはならないです。
これら【Proof of Stake】にかかる手数料は非常に低いはずです。この低い手数料にもかかわらず、Proof of StakeはProof of Workよりも悪事を働くのに高い費用がかかります。【Proof of Workよりも攻撃にさらされる危険性が低い】
Proof of Workはおよそ1年分の通貨生成と取引手数料の合計と同価値程度の費用でネットワークを攻撃することができるようになります。
対照的に、Proof of Stakeでは過半数か、過半数に近い数の現存する通貨を買い集めることが要求されます。

※1 機会費用(opportunity cost)とは二者択一の費用のことです。マイニングの世界ではそのDifficulty(コインの堀やすさり指標)では一定であることが少なく、大きく上下します。つまり、同じ費用で掘れる通貨の量は状況によってことなるのです。この場合の機会費用とはその瞬間しかない機会(Diff)でお金を使うのか(マイニングする)、それとも使わないのか(マイニングしない)をいうことを指します。詳しくは「機会費用」検索してください。
※2 機器の購入にかかった費用を、利益で穴埋め(償却)するのに必要な期間のことです。この場合は、GPUやASICの費用をマイニングで得た利益から穴埋めするのに必要な期間から計算します。(この説明は実際の減価償却の意味とは異なります。)
※3 普通の人は仮想通貨の手数料が3%(例:Bitcoinの場合標準で0.01BTC(0.01%))を超えた場合、わざわざ仮想通貨を使わずに、信用もあるクレジットカードなどの機関を使うということ。

Implementation  実装

There are currently a few distinct proposals on how to implement PoS
Proof of Stakeを実装するいくつかの明確な案があります。

Cunicula's Implementation of Mixed Proof-of-Work and Proof-of-Stake  CuniculaによるProof of WorkとProof of Stakeを混合した実装

This suggestion is of a mixed Proof-of-Work / Proof-of-Stake system.
この提案はProof of StakeとProof of Stakeを混合して行うものです。

Cunicula's Note Cuniculaによるノート

Check the page history for the older implementation. I am replacing my description with a new system which I believe to be much more secure. The new system is a greatly improved version of Coblee's Proof of Activity proposal.
It provides extremely strong protection against PoW attacks, both double-spends and denials of service. It is not vulnerable even if PoW attackers also have substantial (but non majority) stake.
It provides strong incentives to maintain full nodes. The system is supported through taxes on coin owners who fail to maintain full nodes. Tax revenue is redistributed to coin owners who maintain full nodes.
The maintenance of full nodes is the key element providing security in the system.

The discussion focuses on long-term maintenance of the system. Initial distribution of coins could occur through PoW mining, an IPO mechanism,
or a more complex scheme that allows initial coins to be distributed to both PoW miners and businesses voted for by coin owners.
The issue of initial distribution is separate from long-term maintenance and it is confusing to discuss the two together.
「older implementation 」についてのページを見てみてください。私は私による解説をよりセキュアなものだと思った説明に変更しています。解説を変更した新システムはCobleeによって提案されたものの大幅な改良を加えたものです。
それはProof of Workの攻撃の二重払いとシステムダウン対して極めて強力なセキュリティを作り出します。PoWの攻撃者が実質的な独占権(過半数以下であることが条件ですが)を持っていたとしても、新システムが脆弱であるとはいえません。


Glossary  用語解説

Voluntary Signatures - Voluntary signatures result from a random auditing processes. As blocks are mined, keys are selected for auditing based on random selection. The signatures provide public evidence that a public key owner is running a full node. Passing the audit allows a private key to remain active.

Active Keys - By default, public keys that appear in the blockchain are active if they have a balance of at least one full coin. Public keys that provide voluntary signatures when randomly audited remain active.Active public keys are eligible to participate in lotteries to sign PoW blocks and mine PoS blocks. This is remunerative. Public keys that fail to provide signatures become dead private keys.

Dead Keys - Keys that have failed to provide signatures lose lottery eligibility. Keys that have balances of less than 1 coin are considered dead by default. Dead keys can no longer mine PoS blocks. However, these dead keys can still be used to generate txns. Network maintenance is supported primarily through mandatory fees levied on coins sent by dead keys.After coins are sent using a dead key, the key becomes active provided that it retains a balance of at least 1 coin.

Mandatory Signature Sequence - In order for a PoW block to be valid and enter the blockchain, it must be signed by a sequence of 5 randomly selected active keys. The fifth signatory in the sequence mines a PoS block.

PoS block - The fifth signatory of a PoW block must mint his own block without any PoW submission at all. This block is called a PoS block.

Coin-age - Coin age refers to the age of txn inputs. Coin age is equal to the number of coins sent times the average age on these coins. Age is measured in blocks. Age is reset to 1 block whenever a coin is sent AND whenever a coin provides a signature (both mandatory and voluntary signatures count). Coin-age is used to calculate mandatory fees.

Demurrage Fee - Chain Security is supported primarily through a demurrage tax on sent inputs. This tax proportional to average input age as measured in coin-years. I suggest 5% per coin-year as a reasonable fee. Active keys can avoid demurrage fees simply by remaining active. Thus the actual fee generation will be much lower than 5% per year. Dead keys must pay demurrage. The opportunity to evade demurrage motivates activity.

Optional Fee - Fees are used to ration block space. Blocks select prioritize txns with high fees. If demurrage fees alone are insufficient to motivate txn inclusion, the user can add an optional fee to his txn.

Fee Fund - Both optional fees and demurrage fees enter a fund, rather than being distributed directly to miners. Fees are added to the fund immediately, so there is a weak incentive to include high fee txns in blocks.The PoW miner receives a distribution equal to 0.01% of the accumulated fund. The first four mandatory signatories also receive 0.1% each. The PoS block miner receives 0.1% as well, but his takings will differ slightly because the fund is updated based on txns included in his block. Use of a fund reduces volatility in mining reward.

Root Private Key - The root private key has full spending and signing authority. When significant balances are held, this key should be kept as an offline backup to guard against theft.

Stake Signing Key - Private Key can delegate signing and sending authority to one other private key. The delegated key can sign blocks and has limited authority to send coins.Authority to send coins is determined by two positive constants, t and k. The following txn rule limits the stake signing keys' spending authority: