Proof-of-Archival-Storage (PoAS) consensus maintains the honest majority assumption and permissionless nature of Nakamoto consensus without the massive electricity cost of mining.
Decoupled execution keeps farming lightweight and resistant to pooling, while the farmer storage network allows the blockchain to "bloat" massively without becoming centralized.
Block decoupling and data-availability sampling allow for vertical scaling, while our unique separation of consensus and computation provides for horizontal scaling at log(n) overhead to operators.
PoW or "one-CPU-one-vote" is simple, secure, and permissionless, but it comes at a high cost in electricity that is not environmentally sustainable and leads to centralized, or pooled, mining.
PoS or "one-coin-one-vote" employs a system of virtual mining based on one's wealth. While eco-friendly, PoS is not fair or permissionless, instead encouraging a system whereby the rich only get richer.
PoC or "one-disk-one-vote" replaces mining with storage-intensive farming. In theory, PoC is secure, eco-friendly, and fair, but in practice, most designs devolve back to PoW or PoS models.
To begin, farmers write thousands of small (1MiB) pieces to their free disk space grouped into sectors of 1GiB. Each piece is masked with a memory bandwidth bound based on a custom implementation of Chia Proof-of-Space. Unlike Chia, plotting does not fill the SSD with random data, but creates unique partial replicas of history for each farmer. Unlike Filecoin, farmers do not have to stake coins proportional to their disk space. This allows anyone in the world to quickly and easily pledge their free space and participate in consensus.
Following c-Nakamoto PoS, we construct a secure randomness beacon from the blockchain history itself. At each slot, all farmers partially scan their plots for any 32B chunk close enough to the challenge to satisfy the difficulty setting. They may then compile the chunk, the commitments proving it to be a part of chain history, and the corresponding proof-of-space into a Proof-of-Replication (PoR) and produce the next block in the chain. Anyone may then cheaply verify the proof by performing 64 hashes and 2 KZG verifications. This allows farming to be constant and lightweight in terms of the storage and computing overhead required.
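The per-slot audit described above, as an added sketch (not Subspace's own code): a farmer checks its 32-byte chunks against the slot challenge and wins when one falls inside the difficulty range, so winning frequency tracks pledged space. The SHA-256 challenge derivation, the ring distance metric, the pseudorandom stand-in plot, the full (rather than partial) scan, and all function names and parameters are assumptions made for illustration; the KZG and proof-of-space parts of the proof are left out.

```python
import hashlib

MOD = 1 << 256  # a 32-byte chunk is read as a 256-bit integer

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def slot_challenge(randomness: bytes, slot: int) -> int:
    # Assumption: challenge = H(beacon randomness || slot number); the same
    # randomness is reused across consecutive slots.
    return int.from_bytes(h(randomness, slot.to_bytes(8, "big")), "big")

def distance(a: int, b: int) -> int:
    # Assumption: "close enough" is measured on the 2^256 ring.
    d = (a - b) % MOD
    return min(d, MOD - d)

def make_plot(farmer_id: bytes, n_chunks: int) -> list[int]:
    # Constructed stand-in for a plot: pseudorandom chunks bound to the farmer ID.
    return [int.from_bytes(h(farmer_id, i.to_bytes(8, "big")), "big")
            for i in range(n_chunks)]

def solution_range(total_chunks: int, slots_per_block: int) -> int:
    # Difficulty: about one qualifying chunk network-wide every slots_per_block slots.
    return MOD // (2 * total_chunks * slots_per_block)

def audit(plot: list[int], challenge: int, sol_range: int) -> list[int]:
    # Farmer side: indices of chunks that satisfy the difficulty for this slot.
    return [i for i, c in enumerate(plot) if distance(c, challenge) <= sol_range]

def verify(chunk: int, challenge: int, sol_range: int) -> bool:
    # Verifier side: a single distance comparison on the claimed chunk.
    return distance(chunk, challenge) <= sol_range

def winning_slots(plot: list[int], randomness: bytes, slots: int, sol_range: int) -> int:
    # Number of slots in which this plot holds at least one qualifying chunk.
    return sum(1 for s in range(slots)
               if audit(plot, slot_challenge(randomness, s), sol_range))

if __name__ == "__main__":
    small, big = make_plot(b"farmer-small", 50), make_plot(b"farmer-big", 400)
    sol = solution_range(len(small) + len(big), slots_per_block=4)
    beacon = h(b"constructed beacon output")  # constructed sample value
    for name, plot in (("small", small), ("big", big)):
        print(name, len(plot), "chunks:", winning_slots(plot, beacon, 1000, sol), "winning slots")
```

Raising `slots_per_block` narrows the range and makes wins rarer for every farmer while leaving their ratio unchanged.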
To prevent simulation attacks, the entropy from the blockchain history is re-used over many consecutive time slots. To prevent grinding attacks, we segregate PoRs from the block content while basing the randomness solely on the PoRs. To prevent compression attacks, we require farmers to submit the whole encoding to produce a block and make decompression as infeasible within a slot time as plotting. To prevent long-range attacks, bribing attacks, and space-time trade-off attacks, we employ a simple Proof-of-Time (PoT) based on AES-128. For a formal security analysis, read our research paper.
Farmers may choose between using their storage to either a) retain the chain state and history or b) to maximize their plot size and return on investment.
As the chain grows, farmers will always choose the latter, at best becoming light clients, while at worst choosing to join a farming pool run by a trusted operator.
If no one stores the history, nodes may only sync from centralized providers. If no one maintains the state, we must rely on trusted third parties for our balance.
To incentivize farmers to retain the history we extend proof-of-space consensus into a proof-of-storage of the history of the blockchain itself. Under proof-of-archival-storage (PoAS) consensus, each farmer stores as many provably unique segments of the chain history as their disk space allows. The more pieces of the history a farmer stores, the more likely they are to be elected to produce a new block. To ensure farmers store as many unique pieces as possible we enforce a rule on which pieces each farmer can store tied to their identities. A change of identity would require re-plotting, protecting from Sybil attacks.
Farmers store the history collectively, forming a distributed storage network (DSN) that ensures the history is always available to download.
To prevent the history from being lost, blocks are erasure-coded into both source and parity pieces.
To provide for proper load balancing and consistent replication, each farmer stores unencoded pieces closest to its ID in a hot cache taking below 1% of pledged storage.
To allow for efficient retrievals, a node first requests pieces from the farmers’ hot caches. Only in the rare case of a cache miss are farmers asked to decode the pieces from their plot cold storage. Using the properties of the archiving protocol and the DSN, we built a unique chain sync mechanism based on pulling pieces and reconstructing the chain locally. This allows Subspace nodes to store only recent blocks and purge archived history, keeping memory requirements for full nodes constant no matter how long the chain grows.
To relieve farmers of the burden of maintaining the state and performing redundant computation, we apply the classic technique in distributed systems of decoupling consensus and computation. Farmers are solely responsible for ordering transactions, while a separate class of operator nodes maintains the state and computes the transitions for each new block. To ensure operators remain accountable for their actions, we employ a system of staked deposits, verifiable computation, and non-interactive fraud proofs.
One way to scale throughput is to increase the block size, but this leads to longer propagation times and a higher honest fork rate, reducing security.
Another technique is to scale-out with multiple chains or shards, but existing designs are insecure against an adaptive adversary who may target a single shard.
Both methods result in faster growth of the chain state and history, leading to blockchain bloat and centralization under a handful of powerful nodes.
By employing a virtual beacon chain we eliminate the bottleneck of a single main chain and support up to 2^16 shards. Farmers rotate shards each block while operators may stake on as many different shards as they choose, following the Free2Shard design.
Subspace extends the Taiji fast confirmation protocol for PoC consensus, allowing farmers to achieve nearly deterministic finality within three blocks, reducing the confirmation latency of new transactions from minutes to seconds, without relying on operators.
The future is multi-chain and it's clear that users prefer AMMs over centralized exchanges. Subspace provides the layer one scalability needed to bridge numerous chains while allowing for trustless, low-latency, and high-throughput asset exchange.
Since the history may grow far beyond the storage capacity of any single farmer, yet is still priced efficiently, Subspace is uniquely able to provide cheap, permanent dApp storage, while still making the data available to a global execution layer.
By decoupling execution and storage, then scaling each individually, Subspace allows for a much wider array of layer two constructions, limited only by the protocol designers' imagination.