I understand conceptually the global consistency requirement is lower than a more deterministic traditional PoW or even PoS system (although these diverge on reorganizations and total divergence at 51% attack), but doesn't that come with the tradeoff of a risk of divergence of the tree's *final* conclusion about a double-spend (two reasonably balanced leaves each with a double-spend)?
This is a case where common sense loses against math, I thought like you but mthcl proved that I was wrong. Surprisingly, if a transaction got included into the majority of the tips (i.e. adaptation period is over) then we get near the same assurance against a double-spending as in a blockchain-based coin.
Well that seems to make common sense that we entangle such that all transactions are included in the majority of the tips, then the consensus is those transactions are more likely final than the ones in the minority of the tips, since there doesn't appear to be an incentive to favor tangling with minority tips over majority tips. But that seems to imply that before I combine two tree branches into my signature, I must ensure there is no double spend in the (combined) history otherwise my signature is invalid and no other node should include my branch tip as input to their node in the graph. Thus it seems each payer has to keep an entire history and table of conflicting branches (at least back to check points but aren't check points the antithesis of unmanaged, decentralized crypto-currency)? Are payer nodes supposed to entrust this verification to other nodes?
Okay I think I can see intuitively how participants have an incentive to maximally tangle (extend the depth of) the graph and not broaden it too much, but I will still need to go deeper to analyze attack vectors.
So far my main intuitive concern seems to stem around the apparently much more intensive (exponentially more?) resources that payers will need to have versus in a system where they can autonomously sign a transaction without context of other transactions in the network.
Also I can't see how anonymity technology such as ring signatures can be integrated into a system like this, nor Lightning Networks. My mistake. I realize the inputs and outputs of the transaction are orthogonal to the DAG. So yes transactions could still be signed with on-chain anonymity I presume. Afaics, Lightning Networks appears to not be compatible with the anonymity methods we've used for block chains.
It is very interesting the concept of a chain without the aliasing error of stepwise blocks. Somehow I think this stuff is important, but I haven't yet figured out the sweet spot for this technology. I need to understand more about the benefits and tradeoffs.
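The check discussed in the thread above (verifying that the combined history of two tips contains no double spend before approving both) can be sketched as follows. This is an added example, not part of the original posts and not the project's own algorithm; the toy tangle, the transaction and output names, and the functions `past_cone`, `find_conflicts` and `can_approve` are all hypothetical.

```python
from collections import deque

# Constructed toy tangle: tx id -> (parent tx ids it approves, output it spends).
# "genesis" spends nothing; b1 and c1 both spend "coin-7" (a double spend).
TANGLE = {
    "genesis": ((), None),
    "a1": (("genesis",), "coin-1"),
    "b1": (("genesis",), "coin-7"),
    "c1": (("a1",), "coin-7"),
    "b2": (("b1", "a1"), "coin-2"),
    "c2": (("c1", "a1"), "coin-3"),
    "a2": (("a1",), "coin-4"),
}


def past_cone(tangle, tips):
    """Return every transaction reachable from the tips via approval edges."""
    seen, queue = set(), deque(tips)
    while queue:
        tx = queue.popleft()
        if tx in seen:
            continue
        if tx not in tangle:
            # A verifier without the full history cannot complete the check.
            raise KeyError(f"unknown transaction {tx!r}: history incomplete")
        seen.add(tx)
        queue.extend(tangle[tx][0])
    return seen


def find_conflicts(tangle, tips):
    """Map each output spent more than once in the merged history to its spenders."""
    spenders = {}
    for tx in past_cone(tangle, tips):
        spent = tangle[tx][1]
        if spent is not None:
            spenders.setdefault(spent, []).append(tx)
    return {out: sorted(txs) for out, txs in spenders.items() if len(txs) > 1}


def can_approve(tangle, tip_a, tip_b):
    """Both tips may be approved together only if their union is conflict-free."""
    return not find_conflicts(tangle, (tip_a, tip_b))


if __name__ == "__main__":
    print(can_approve(TANGLE, "b2", "a2"))        # consistent pair of tips
    print(find_conflicts(TANGLE, ("b2", "c2")))   # tips whose histories conflict
```

The traversal visits the whole merged past cone, which is the resource cost the poster raises: without checkpoints or a cached conflict table, the work grows with the size of the history behind the two tips.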