I think that Ouroboros paper [1] is a bit overhyped. A common criticism of proof of stake is that an attacker could acquire private keys to old accounts whose coins have already been spent, then use those to build a long fork. It has been shown [2] that these attacks are not wholly preventable if we assume that posterior corruption will happen:

> We shall formally prove that absent additional trust assumptions, it is impossible to achieve consensus in the presence of posterior corruptions when nodes can join or rejoin late.

The only tool we have to defend against posterior corruption attacks is checkpointing. If we treat blocks beyond a certain age T as irreversible checkpoints, and posterior corruption requires going back farther than T (because of staker withdrawal delays), then continuously running nodes won't be fooled by posterior corruption forks. New nodes, or nodes which went offline for a long period, could still be fooled, but they can always "ask a friend" for a recent checkpoint. This approach is what Vitalik [3] and others call weak subjectivity.

Charles et al. like to imply that they've solved this problem without resorting to weak subjectivity, but their "solution" to posterior corruption attacks is to mandate that honest parties delete private keys after using them:

> in order to achieve adaptive security the blocks are signed using a key-evolving signature scheme F_KES instead of a standard signature, and honest parties are mandated to update their private key in each slot.

It isn't much of a solution, since users have no incentive to delete their old private keys.

[1] https://eprint.iacr.org/2018/378

[2] https://eprint.iacr.org/2016/919

[3] https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...
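As an added illustration (a toy model written for this page, not code from the comment or the cited papers), here is a fork-choice simulation of the checkpointing argument above: a continuously running node that treats the block T slots behind its tip as a checkpoint rejects a longer fork built from old withdrawn keys, a fresh node syncing by longest chain accepts it, and a fresh node that "asks a friend" for a checkpoint rejects it. Block slots, signer labels, the fork point and the values of T are constructed; no real signatures are checked.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Block:
    slot: int      # constructed slot number; one block per slot
    signer: str    # label of the signer (no real signature involved)

def extend(chain: List[Block], signer: str, n: int) -> List[Block]:
    """Append n blocks by `signer`, one per consecutive slot after the tip."""
    out = list(chain)
    for _ in range(n):
        out.append(Block(out[-1].slot + 1, signer))
    return out

def checkpoint(chain: List[Block], T: int) -> Block:
    """The block T slots behind the tip; a running node treats it as irreversible."""
    return chain[-1 - T] if len(chain) > T else chain[0]

def fork_choice(current: List[Block], candidate: List[Block],
                cp: Optional[Block]) -> List[Block]:
    """Longest chain wins, except that a candidate which does not contain the
    node's checkpoint is rejected outright (weak subjectivity)."""
    if cp is not None and cp not in candidate:
        return current
    return candidate if len(candidate) > len(current) else current

GENESIS = [Block(0, "genesis")]
HONEST = extend(GENESIS, "honest", 100)            # honest tip at slot 100
FORK_SLOT = 20                                     # stakers withdrew long ago
# Posterior corruption: old keys re-sign history from FORK_SLOT onward and
# outbuild the honest chain (tip at slot 140 vs. 100).
POSTERIOR = extend(HONEST[:FORK_SLOT + 1], "old-keys", 120)

def simulate(T: int) -> dict:
    """Tip signer each kind of node ends on after seeing both chains."""
    cp = checkpoint(HONEST, T)
    online = fork_choice(HONEST, POSTERIOR, cp)              # never went offline
    fresh = fork_choice(GENESIS, POSTERIOR, None)            # syncs from genesis
    fresh = fork_choice(fresh, HONEST, None)
    friend = fork_choice(GENESIS, POSTERIOR, cp)             # got cp from a friend
    friend = fork_choice(friend, HONEST, cp)
    return {"online": online[-1].signer, "fresh": fresh[-1].signer,
            "fresh_with_friend": friend[-1].signer}

if __name__ == "__main__":
    print("T=30 (shorter than withdrawal delay):", simulate(30))
    print("T=90 (longer than withdrawal delay):", simulate(90))
```

With T=30 the checkpoint (slot 70) lies after the fork point, so the online node and the fresh-with-friend node keep the honest chain while the unaided fresh node follows the longer fork; with T=90 the checkpoint (slot 10) predates the fork point and even the online node is fooled, which is why T must be shorter than the staker withdrawal delay.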
