The fundamental flaw of Proof of Work (PoW) is that the costs of attacking the system are equal to what is spent to run the system. High security thus can only be achieved at high operating costs. The idea is that the honest participants just outspend the dishonest.
This is already today highly inefficient, but it does work for Bitcoin. As soon as the block subsidiary starts reaching zero, the ratio between the Market Capitalization and the costs of attacking Bitcoin becomes critical.
Details are presented here.
Why Proof of Stake?
Proof of Stake (PoS) promises to solve this problem. An honest validator is expected to have very low costs, compared to the costs an attacker would incur.
Another problem Casper tries to solve is to disincentivize censorship. The PoW schema of Bitcoin is, more or less, a zero sum game. This means, if a miner loses a block (it does not get included in the main chain/ it gets censored), all other miners benefit from their loss. PoS for Ethereum will not be a zero sum game but instead a coordination game, where the rewards for everyone are highest, if every participant can include their blocks.
Finally some scalability problems can be addressed more easily with PoS.
Let us start by what they have in common: they are both algorithms for reaching consensus on the blockchain.
Without going into too much details, we need consensus because anyone can create a block; while we only want an unique chain, so we want a way to decide which block we should trust.
Proof of work has the nice property that you can use Bayes' Theorem and the laws of Thermodynamics to prove that a given block has indeed required a certain amount of work to be mined. That way, users can simply pick the longest valid chain with the highest amount of work as the correct chain.
But this implies that Proof of Work is extremely inefficient in term of energy, and therefore also very expensive; which incentivize miners to centralize the hashing power -- obviously not desirable for a network whose goal is to minimize the need to trust third parties.
Proof of Stake isn't about mining, it's about validating. In effect blocks still need to be created by someone, and who gets to create the next block depends on the specific Proof of Stake algorithm, but the selection process must have some kind of randomness, or at least distribute voting shares properly (otherwise we revert to a centralized system).
In PoS, each validator owns some stake in the network, ether in the case of Ethereum, that they bond. Bonding stake means you deposit some money into the network, and in some sense use it as a collateral to vouch for a block.
In PoW you know a chain is valid because lots of work is behind it, while in PoS you trust the chain with the highest collateral.
There are important differences between the various Proof of Stake algorithms that are being developed. This question is about PoW vs. PoS so I'm keeping the answer very general.
Ethereum is going to use Casper, where the stake of malicious validators is going to get (partially) slashed, for example if they sign two (competing) blocks with too high a probability.
Best Answer
The friendly Ghost
Casper is a security-deposit based economic consensus protocol. This means that nodes, so called bonded validators, have to place a security deposit, an action called bonding, in order to serve the consensus by producing blocks.
In Casper style proof of stake anyone can participate in block production by posting a bond. After posting a bond you have an opportunity to bet on which block will be included next. The incentives are such that you make money by betting with the eventual consensus and lose money by betting against the consensus. Any crypto-graphically provable misbehavior results in the forfeit of the bond.
An analogy can be made to proof of work where each miner is betting with their hash power on which block will be accepted. If they bet wrong then any block they produce will be orphaned causing them to lose money.
This protocol has several nice properties:
Casper in non-economic terms
Casper is an eventually-consistent blockchain-based consensus protocol. It favours availability over consistency, see the CAP theorem. It is always available, and consistent whenever possible. It is robust to unpredictable message delivery times because nodes come to consensus via re-organization of transactions, after delayed messages are eventually received. It has an eventual fault tolerance of 50%, in the sense that a fork created by >50% correct nodes scores higher than any fork created by the remaining potentially-faulty validators. Notably, though, clients cannot be certain that any given fork created with 51% participation won’t be reverted because they cannot know whether some of these nodes are Byzantine. Clients therefore only consider a block as finalized if it has the participation of a supermajority of validators or bonded stake.