Greetings, interesting work.
I'm not sure if you're aware of it, but Bitcoin core hasn't used the blockchain for verification for years; instead it uses a compact state summary and differences which we call the UTXO set (unspent transaction outputs). Among other things, this allows you to run a Bitcoin full node with under 1GB storage.
The UTXO set is not authenticated in Bitcoin core today, it's just locally generated-- though the utility of a committed utxo set
has been known for years (also, somewhat later
https://bitcointalk.org/index.php?topic=88208.0) it's a rather expensive commitment (e.g. a single spend/create update is factor log(utxo) more IO required) and perhaps not as useful as it seems-- if nodes do not construct their own but jump in mid-stream they only have SPV security of the history. SPV security is a substantial step down from the Bitcoin security model (in particular people expect the full node rules to limit the damage of dishonest miners) but it might still be reasonable-- but if you're willing to accept SPV security why not go all the way and use a SPV node at a massive cost savings?
With respect to proof of stake, I'm disappointed to see it just applied here with no analysis to the actual security model being used. It appears to be
impossible to achieve the same security model as Bitcoin with POS; existing systems compromise with centralized block signers or other external sybil-proof beacon assumptions (which seemingly could just replace the blockchain entirely if you really trusted them). For some applications these might be reasonable trade-offs, but if they're ignored or pretended to be the same trafeoffs as Bitcoin, thats just sloppy cryptography. I'd encourage you to not take these things for granted.
I haven't reviewed your COQ yet, but have you benchmarked the performance of your extractions? Having some formal statements of the system is interesting indeed, but perhaps of low utility if there isn't a way to get extractions with acceptable computational/memory performance.
Create an initial "genesis" ledger in which each address holds assets corresponding to the unspent transaction outputs that can be spent by that address. (I don't know a general way to handle P2SH, so I will ignore these.)
The parenthetical at the end suggests that you could use some improvement in how you're thinking about the signature system in Bitcoin. You shouldn't think in terms of addresses, addresses are just human friendly (compact) ways to encode a scriptPubKey. A scriptPubKey is a public key for the script cryptosystem, and like in other signature systems a public key is an identifier for the criteria required to sign to authenticate a signature. A UTXO oriented system should track scriptPubKeys, not addresses. (And P2SH itself shows how to make those entries constant size, with computational security). What Bitcoin does is much more general than basic multisignature-- in particular atomic swaps are not possible in a model which is constrained to simple thresholds. (Also, thresholds can be done much more efficiently than multisignature in any case, if supporting only thresholds was really the goal).
What you're calling a 'snapshot' has been described before (by PeterR) as 'spinoffs'.
