Proof-of-Archival-Storage (PoAS) consensus maintains the honest majority assumption and permissionless nature of Nakamoto consensus without the massive electricity cost of mining.
Decoupled execution keeps farming lightweight and resistant to pooling, while our distributed storage network of farmers allows the blockchain to 'bloat' significantly without becoming centralized.
Block decoupling and data-availability sampling allow for vertical scaling, while our unique separation of consensus and computation provides horizontal scaling at log(n) overhead to operators.
built with the best technology
WebAssembly
Rust-Lang
Substrate
LibP2P
To solve the blockchain trilemma, we constructed Subspace, a secure, sustainable PoAS protocol for free and fair consensus via 'one-disk-one-vote'.
Our protocol was built with three challenges in mind. The first—to find a secure consensus mechanism that is simultaneously environmentally friendly, permissionless and fair.
PoW or 'one-CPU-one-vote' is simple, secure, and permissionless, but comes at a high cost of electricity that is not environmentally sustainable, and leads to centralized, or pooled, mining.
PoS or 'one-coin-one-vote' employs a system of virtual mining based on one's wealth. While eco-friendly, PoS is not fair or permissionless, instead encouraging a system whereby the rich only get richer.
PoC or 'one-disk-one-vote' replaces mining with storage-intensive farming. In theory, PoC is secure, eco-friendly, and fair, but in practice, most designs devolve back to PoW or PoS models.
In PoAS, farmers write thousands of small (1MiB) pieces, grouped into sectors of 1GiB, to their free disk space. Each piece is masked with a memory bandwidth bound based on a custom implementation of Chia Proof-of-Space.
Unlike Chia, plotting does not fill the SSD with random data, but creates unique partial replicas of history for each farmer.
Unlike Filecoin, farmers do not have to stake coins proportional to their disk space. This allows anyone in the world to quickly and easily pledge their free space and participate in consensus.
Following c-Nakamoto PoS, we construct a secure randomness beacon from the blockchain history itself. At each slot, all farmers partially scan their plots for any 32B chunk close enough to the challenge to satisfy the difficulty setting. They may then compile the chunk, commitments proving it to be a part of chain history and corresponding proof-of-space into a Proof-of-Replication (PoR) and produce the next block in the chain. Anyone may then cheaply verify the proof by performing 64 hashes and 2 KZG verifications. This allows farming to be constant and lightweight in terms of the storage and computing overhead required.
To incentivize farmers to retain the history we extend proof-of-space consensus into a proof-of-storage of the history of the blockchain itself. Under proof-of-archival-storage (PoAS) consensus, each farmer stores as many provably unique segments of the chain history as their disk space allows. The more pieces of the history a farmer stores, the more likely they are to be elected to produce a new block. To ensure farmers store as many unique pieces as possible we enforce a rule on which pieces each farmer can store tied to their identities. A change of identity would require re-plotting, protecting from Sybil attacks.
The second—to resolve the farmer's dilemma, a mechanism design challenge that leaves PoC-style networks prone to centralization.
Farmers can choose between using their storage to either a) retain the chain state and history, or b) to maximize their plot size and return on investment.
As the chain grows, farmers will always choose the latter, at best becoming light clients, while at worst, choosing to join a farming pool run by a trusted operator.
If no one stores the history, nodes may only sync from centralized providers. If no one maintains the state, we must rely on trusted third-parties for our balances.
Farmers store the history collectively, forming a distributed storage network (DSN) that ensures the history is always available to download.
To prevent the history from being lost, blocks are erasure-coded into both source and parity pieces.
To provide for proper load balancing and consistent replication, each farmer stores the unencoded pieces closest to its ID in a hot cache that uses less than 1% of pledged storage.
To allow for efficient retrievals, a node first requests pieces from the farmers’ hot caches. Only in the rare case of a cache miss are farmers asked to decode the pieces from their plot cold storage.
For the archiving protocol, we built a unique chain sync mechanism based on pulling pieces and reconstructing the chain locally. This allows Subspace nodes to store only recent blocks and purge archived history, keeping memory requirements for full nodes constant, no matter how long the chain grows.
To relieve farmers of the burden of maintaining the state and performing redundant computation, we apply the classic technique in distributed systems of decoupling consensus and computation. Farmers are solely responsible for ordering transactions, while a separate class of operator nodes maintain the state and compute the transitions for each new block. To ensure operator remain accountable for their actions, we employ a system of staked deposits, verifiable computation, and non-interactive fraud proofs.
To prevent simulation attacks, the entropy from the blockchain history is re-used over many consecutive time slots. To prevent grinding attacks, we segregate PoRs from the block content while basing the randomness solely on the PoRs. To prevent compression attacks, we require farmers to submit the whole encoding to produce a block and make decompression equally infeasible in a slot time as plotting. To prevent long-range attacks, bribing attacks, and space-time trade-off attacks, we employ a simple Proof-of-Time (PoT) based on AES-128. For a formal security analysis read our research paper.
The third—to scale transaction throughput without sacrificing the security or decentralization of the network.
One way to scale throughput is to increase the block size, but this leads to longer propagation times, and a higher honest fork rate, reducing security.
Another technique is to scale-out with multiple chains or shards, but existing designs are insecure against an adaptive adversary who may target a single shard.
Both methods result in faster growth of the chain state and history, leading to blockchain bloat and centralization under a handful of powerful nodes.
In resolving the farmer's dilemma with our DSN, Subspace also addresses the challenge of blockchain bloat, allowing our network to scale without compromise.
Subspace adapts the Prism scalability proposal to achieve high-throughput transaction processing without reducing security. When combined with data availability proofs and super light-clients, farming is able to remain low-bandwidth and decentralized.
By employing a virtual beacon chain we eliminate the bottleneck of a single main chain and support up to 2^16 shards. Farmers rotate shards regularly while operators may stake on as many different shards as they choose, following a design similar to Free2Shard.
Subspace extends the Taiji fast confirmation protocol for PoC consensus, allowing farmers to achieve nearly deterministic finality within three blocks, reducing the confirmation latency of new transactions from minutes to seconds, without relying on operators.