Well, the precise criticism you're making is a bit unclear to me but I'll try to respond:
Modern proof of stake systems have a concept of "finality" which I think is what you're referring to when you say "checkpoint" (older POS systems also had a more traditional checkpoint concept, but I'm assuming you're arguing against modern implementations)
In order to determine whether a block has "finality" in a POS system you need to either (A) have a computer running regularly on the network to determine finality on your own or (B) trust a third party to give you a valid finality designator.
So it is true that you have to trust a third party with these systems if (1) you haven't connected to the network for a year or so or (2) you are launching a brand new node.
Of course, with bitcoin #2 is also an issue since there's no way you can install bitcoin software on a new node without getting it from a trusted party.
I have never heard of "finality" being used outside Ethereum, but maybe you can point me at which existing PoS systems use the term? Or is it Ethereum specifically which is the modern PoS system?
The Ethereum PoS system, which is still a prototype and may change before the final version, uses checkpoints to guard against chain re-orgs. It is not trustless in the same sense as the Ethash system is. It's not exactly a secret but a calculated tradeoff.
The question here however was about how "currencies like NXT" work, which can hardly be described as modern seeing as it was one of the first together with PPC. I believe they never fixed the fact that the optimum mining strategy is not the altruistic one the reference client uses. As long as all participants use the reference client they're safe, but it's not something you would want to base a trillion dollar economy on.
In general the challenges with proof-of-stake systems are how to avoid collusion, how to avoid exploratory mining on every possible chain, and variants thereof. (There's also the related problem of how to bootstrap a node from scratch in face of equally probable views of history.) Different blockchains have tried different ways to mitigate this, including hard coded re-org limits and coin weights, but the only ones that have proven at scale are the ones that regularly checkpoint the chain. But please correct me if you know of any exceptions.
Tendermint and Ethereum are the ones I'm most familiar with. Both use the term "finality" frequently.
In Ethereum POS, an arbitrary PC can use a deterministic algorithm to exactly calculate the checkpointed/finalized block. There is no magical signature used by the Ethereum Foundation that "blesses" blocks as being checkpoints.
> In general the challenges with proof-of-stake systems are how to avoid collusion, how to avoid exploratory mining on every possible chain
In both Ethereum POS and tendermint this is a solved problem, anyone can earn a reward by providing proof that a user is mining multiple histories.
> There's also the related problem how to bootstrap a node from scratch in face of equally probable views of history
Yes, this is still an existing theoretical limitation of POS that is not shared by POW and is a valid criticism of POS. But even on a POW chain you still have to trust software from a third party to some degree in order to bootstrap your node.
"Solved problem" is perhaps a bit strong. There's no reason to assume every possible chain is visible to every client. An attacker would not release a chain until they are certain to profit from it. There are likely bribes to be taken for reversing transactions, and these add up at scale. There is the suggestion that penalizing non-cooperating miners would be sufficient to prevent this, but this has never been shown to hold theoretically and cover all externalities such as the mentioned bribes.
If such a blockchain is under the control of a mining cartel, it would be rational to join that cartel instead of fighting it. When every participant knows this it should be possible to bootstrap such cartels from scratch.
And Ethereum absolutely plans to implement some sort of checkpoints. As you say, it's required to bootstrap new nodes anyway. The straightforward way to do this would be to sign them, but I'm not sure what they're planning to do.
> An attacker would not release a chain until they are certain to profit from it.
There are two scenarios: If they release a new chain after they have released a previous signature, their entire deposit gets slashed in both chains. If instead they withhold all chains then this would only work if they are able to mine multiple blocks in quick succession on different chains (since they would lose the opportunity to validate a block within the timeout window) and this is exactly equivalent to a POW selfish mining attack.
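The slashing rule described in this reply, and the earlier claim that anyone can earn a reward by proving a validator signed multiple histories, both come down to the same piece of detection logic: collect signed votes, find a validator that signed two different blocks at the same height, and treat the pair of valid signatures as evidence. The following is an added example, not code from any of the posters or from Ethereum or Tendermint. It models signatures with HMAC over a constructed per-validator key so it runs offline with the standard library; a real system uses public-key signatures that any third party can verify, and the reward fraction and the "whole deposit" penalty are assumptions for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Constructed validator keys. In a real PoS system each validator has a
# public/private key pair and anyone can verify a vote with the public key;
# HMAC with a shared key is a stand-in so the example runs offline.
VALIDATOR_KEYS = {
    "val-A": b"constructed-key-A",
    "val-B": b"constructed-key-B",
}


@dataclass(frozen=True)
class Vote:
    validator: str
    height: int
    block_hash: str
    signature: str  # hex digest over (validator, height, block_hash)


def vote_payload(validator: str, height: int, block_hash: str) -> bytes:
    return f"{validator}|{height}|{block_hash}".encode()


def sign_vote(validator: str, height: int, block_hash: str) -> Vote:
    sig = hmac.new(VALIDATOR_KEYS[validator],
                   vote_payload(validator, height, block_hash),
                   hashlib.sha256).hexdigest()
    return Vote(validator, height, block_hash, sig)


def verify_vote(vote: Vote) -> bool:
    key = VALIDATOR_KEYS.get(vote.validator)
    if key is None:
        return False
    expected = hmac.new(key, vote_payload(vote.validator, vote.height, vote.block_hash),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, vote.signature)


def find_equivocations(votes):
    """Return (validator, vote1, vote2) for each validator that signed two
    different blocks at the same height. Only votes with valid signatures
    count: a forged vote is not evidence against anyone."""
    seen = defaultdict(dict)  # (validator, height) -> {block_hash: first vote}
    proofs = []
    for v in votes:
        if not verify_vote(v):
            continue
        bucket = seen[(v.validator, v.height)]
        for other_hash, other in bucket.items():
            if other_hash != v.block_hash:
                proofs.append((v.validator, other, v))
        bucket.setdefault(v.block_hash, v)
    return proofs


def apply_slashing(deposits, proofs, reporter, reward_divisor=10):
    """Burn the whole deposit of every proven equivocator and pay the reporter
    a fraction of it (assumed 1/10 here). Returns a new deposits mapping."""
    deposits = dict(deposits)
    for validator, _a, _b in proofs:
        stake = deposits.get(validator, 0)
        if stake == 0:
            continue  # already slashed or never staked
        deposits[validator] = 0
        deposits[reporter] = deposits.get(reporter, 0) + stake // reward_divisor
    return deposits


# Constructed sample: val-A signs two competing blocks at height 10 (slashable),
# val-B signs one block, and a forged vote claims val-B signed a third block.
SAMPLE_VOTES = [
    sign_vote("val-A", 10, "aaa111"),
    sign_vote("val-B", 10, "aaa111"),
    sign_vote("val-A", 10, "bbb222"),
    Vote("val-B", 10, "ccc333", "00" * 32),  # forged signature, must be ignored
]
SAMPLE_DEPOSITS = {"val-A": 1000, "val-B": 1000}

if __name__ == "__main__":
    proofs = find_equivocations(SAMPLE_VOTES)
    for validator, a, b in proofs:
        print(f"{validator} signed {a.block_hash} and {b.block_hash} at height {a.height}")
    print(apply_slashing(SAMPLE_DEPOSITS, proofs, reporter="watcher"))
```

Note that the detector only catches the first of the two scenarios in the post: it needs both signatures to reach some observer. A validator who withholds every conflicting chain until it pays off produces no evidence, which is the point the reply makes about that case being equivalent to selfish mining.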
Right, and there are many variants of this scenario that other people can think of. It all stems from the same basic problems above. Punishing cheaters is necessary, but not necessarily sufficient.
The difference from a PoW model is that when mining is essentially free the incentives are different. If it doesn't cost you anything to try it makes game theoretical sense to do it speculatively.
> But even on a POW chain you still have to trust software from a third party to some degree in order to bootstrap your node.
You really don't have to trust the software with POW. The POW is encoded in the blockchain itself and can be independently verified by performing a series of hash operations.
With only the blockchain data, and a description of the blockchain layout, one can independently confirm the total amount of "work" done.
This is true decentralization & a huge benefit of POW over POS.
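The check this poster describes, re-deriving the total "work" from nothing but the header data and the layout rules, is short enough to show in full. The following is an added example, not code from the thread or from any Bitcoin implementation: it uses a constructed toy header format (previous hash, target, nonce) and mines a small chain at a very easy target so it runs in well under a second. The work-per-block formula is Bitcoin's chainwork estimate, 2^256 / (target + 1); everything else is an assumption of this example. A real node additionally checks that each header's declared target follows the difficulty-adjustment rule, which is omitted here.

```python
import hashlib
from dataclasses import dataclass

GENESIS_PREV = "00" * 32  # constructed: hash of "nothing" before the first header


@dataclass(frozen=True)
class Header:
    prev_hash: str  # hex hash of the previous header
    target: int     # header hash, read as an integer, must be <= target
    nonce: int


def header_hash(h: Header) -> str:
    """Double SHA-256 over a simple text serialisation (constructed layout)."""
    data = f"{h.prev_hash}|{h.target:x}|{h.nonce}".encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def work_for_target(target: int) -> int:
    """Expected number of hash attempts to find a header under this target."""
    return (2 ** 256) // (target + 1)


def total_work(headers):
    """Walk the chain from genesis, checking linkage and proof-of-work of every
    header. Returns the accumulated work, or None if any header is invalid.
    Nothing here needs a trusted party: only the headers and the layout rule."""
    expected_prev = GENESIS_PREV
    total = 0
    for h in headers:
        if h.prev_hash != expected_prev:
            return None  # broken link: header does not extend the previous one
        digest = header_hash(h)
        if int(digest, 16) > h.target:
            return None  # the claimed work was never done
        # A self-declared easy target cannot inflate work: it only earns
        # little credit. Whether the target is the one consensus rules require
        # is a separate check a full node performs and this example skips.
        total += work_for_target(h.target)
        expected_prev = digest
    return total


def heavier_chain(chain_a, chain_b):
    """Longest-chain rule by accumulated work; an invalid chain never wins."""
    work_a, work_b = total_work(chain_a), total_work(chain_b)
    if work_a is None:
        return chain_b
    if work_b is None or work_a >= work_b:
        return chain_a
    return chain_b


def mine(prev_hash: str, target: int) -> Header:
    """Brute-force a nonce; at EASY_TARGET this takes ~256 attempts."""
    nonce = 0
    while True:
        h = Header(prev_hash, target, nonce)
        if int(header_hash(h), 16) <= target:
            return h
        nonce += 1


# Constructed sample chain: three headers whose hashes start with a zero byte.
EASY_TARGET = 2 ** 248
SAMPLE_CHAIN = []
_prev = GENESIS_PREV
for _ in range(3):
    _h = mine(_prev, EASY_TARGET)
    SAMPLE_CHAIN.append(_h)
    _prev = header_hash(_h)

# Same chain with the last header re-pointed at a hash nobody mined on.
TAMPERED_CHAIN = SAMPLE_CHAIN[:2] + [Header("ff" * 32, EASY_TARGET, SAMPLE_CHAIN[2].nonce)]

if __name__ == "__main__":
    print("valid chain work:", total_work(SAMPLE_CHAIN))
    print("tampered chain work:", total_work(TAMPERED_CHAIN))
    print("heavier is valid chain:", heavier_chain(SAMPLE_CHAIN, TAMPERED_CHAIN) is SAMPLE_CHAIN)
```

The contrast with the finality discussion above is in what `total_work` needs as input: headers and a deterministic rule, nothing that expires or has to be fetched from someone who was online.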