We’re in the final gauntlet leading up to the initial Spacemesh release, so I thought it would make sense to walk through some of the larger, more interesting design decisions we’ve made, including the justification for each. This is as much for my future self and for posterity as it is for anyone else—since in my experience it’s often the case that we make decisions with high conviction and, just a little while later, totally forget why we made those decisions in the first place!
Let me say upfront that the overarching rationale for Spacemesh design is as follows: Start with the values and ethos of Bitcoin. Design and build for the very long term. Where technology is concerned, do as Ethereum has done or intends to do with three exceptions:
1. Pick a small number of high-impact places to improve upon Ethereum, and make those changes with strong conviction and on strong technical grounds—and never deviate without a good reason;
2. Where Ethereum technology and values clash, go with values;
3. Where Ethereum has clearly made a technological blunder that it intends to fix, leapfrog it and go with the fixed version.
(Note that point three means we’ll have to take some incomplete ideas from Ethereum and complete the design. In these cases, we hope to contribute our improvements and final designs back to Ethereum.)
With that in place, we can dive into some of the more interesting and impactful specific design decisions we’ve made. I won’t be able to get through all of the important ones in one issue, so look for Part II soon.
Thing #1: Proof of Spacetime
The single most significant design decision, and the single largest differentiator of Spacemesh relative to other blockchains, is the proof of spacetime consensus mechanism. In many ways proof of spacetime is Spacemesh’s raison d'être; if you don’t believe in it you probably won’t like Spacemesh, and if you’re interested in Spacemesh you’re almost definitely also interested in proof of spacetime. Of course, Spacemesh is not a project that serves a consensus mechanism. It’s very much the other way around: proof of spacetime serves certain goals of Spacemesh.
Proof of spacetime emulates proof of work mining using hard drive space rather than CPU cycles. I won’t explain much more about proof of spacetime here—that’s beyond the scope of this newsletter and you can find more information in our docs. Let me talk instead about why we chose, first of all, to design and build our own consensus mechanism and secondly, why we chose proof of spacetime.
In short, we chose to implement our own consensus mechanism rather than taking one “off the shelf” because we were dissatisfied with the existing choices on offer. We like Nakamoto consensus and proof of work a lot because it’s permissionless, promotes a high degree of decentralization, and is provably secure—but, like many, we’re concerned about its energy intensity, and we asked the question, Could we somehow keep the nice properties of Nakamoto consensus without the downsides?
On the flipside, we like the fact that proof of stake requires much less energy, but we dislike that it’s not as permissionless as proof of work, the way it tends to centralize control and wealth in the hands of a small number of entities, and the way it tends towards censorship as a result. There’s a handful of other, nuanced reasons we dislike it as well. As we contemplated building Spacemesh a few years ago and surveyed the landscape of options, we couldn’t help but think, Is this it? Can’t we do better? Spacemesh, and proof of spacetime, is our attempt to do exactly that.
We designed proof of spacetime to be a hybrid of proof of work and proof of stake that maintains the nice properties of each. It’s truly permissionless and promotes a high degree of decentralization just like proof of work (unlike proof of stake, miners do not need coins to mine, and miners do not need to approve incoming, future miners). At the same time, like proof of stake, it’s much less energy intensive than proof of work.
But proof of spacetime is more than just this hybrid. It has some very important, unique properties. We want it to be possible for as many people as possible all around the world to mine Spacemesh from home, profitably and sustainably. The key insight is that millions of people already have large hard drives with hundreds of gigabytes of free space, so their marginal cost to mine under proof of spacetime is near zero, whereas industrial mining operations have an extraordinarily complex task ahead of them acquiring, configuring, and maintaining the necessary infrastructure, dealing with sporadic hard drive failures, etc. Therefore, the marginal cost will always be much higher for industrial miners, and at equilibrium they will not price out home miners.
Game theory dictates that block producers need to commit a scarce resource to the network in order to become eligible for mining (and so that they can be punished for misbehaving). In proof of work, that resource is computation and, by extension, electricity. In proof of stake it’s the staked funds. Proof of spacetime uses hard drive space.
Hard drive space is that rare commodity that pretty much everyone has, but it’s nevertheless scarce and valuable in aggregate, making it the perfect choice for a protocol based on home mining and with an extraordinarily high degree of decentralization. Our goal is that a million miners join Spacemesh, and we can’t imagine another commodity or another protocol that would permit this in a way that’s decentralized and true to our values. (Another good example of such a resource is a phone number. Nearly everyone has one, but acquiring many of them is expensive. But it’s not possible to verify phone numbers in a permissionless, decentralized fashion—i.e., using only math!)
Proof of spacetime accomplishes this goal by emulating proof of work mining: rather than miners burning electricity and CPU cycles to become eligible to produce blocks, they burn spacetime, i.e., storage committed exclusively to the protocol for a meaningful period of time. We had to get creative in some other parts of the protocol to make this emulation seamless—more on that to follow—but the final product should be a coin that anyone can mine from home: easily, profitably and sustainably.
For more: Join the Spacemesh testnet and try mining for yourself! See how easy it is.
Thing #2: Tortoise and Hare
A consensus mechanism has several parts. It’s easy to miss this when looking at Nakamoto Consensus and proof of work because Nakamoto consensus works pretty seamlessly. The same algorithm that’s used for Sybil resistance, eligibility, and leader election (finding the nonce and successfully sealing the block) is also used for the fork choice rule (which block represents the chain tip): it’s simply the block with the greatest accumulated proof of work (“longest chain” rule). And the miner that wins the computational race and finds the first matching nonce has the exclusive ability to construct a block and order transactions in that block however it wants.
Replace Nakamoto Consensus as we have and things get a bit more complicated. We need to replicate each of these elements of the consensus mechanism one at a time. For Sybil resistance and miner eligibility we use proofs of spacetime: miners commit a certain amount of space to the network, fill it with special files, keep those files, then read them and generate a proof once every two weeks. If a miner misbehaves, their identity is canceled, they immediately cease to earn rewards, and they must perform another costly initialization procedure in order to start mining again. For leader election, we use a VRF that randomly samples from the pool of eligible miners each layer.
For fork choice, Spacemesh uses two consensus protocols in tandem: Tortoise and Hare. As the name suggests, Tortoise is a slow, robust, asynchronous vote-counting mechanism that, thanks to a self-healing mechanism, is guaranteed to always eventually reach consensus. In every layer, every miner votes on their view of history, i.e., which historical blocks they consider valid. Tortoise sums up these votes so that all nodes eventually have a consistent view of history (and, e.g., an attacker’s blocks would be ignored). Note that this isn’t so different from Ethereum’s LMD Ghost, for folks who are familiar with consensus in Ethereum.
By contrast, Hare is a fast, synchronous, PBFT-compatible protocol that’s more fragile but in all normal cases should reach consensus very quickly. Every miner is eligible to participate in Hare, but not every miner participates in every round since fast PBFT protocols don’t support as many participants as slow vote-counting protocols like Tortoise.
Why use two protocols rather than one? Tortoise and Hare work very well together, and neither would work as well on its own. Hare is somewhat fragile and easier to attack than Tortoise; with Tortoise we know that, even if Hare is attacked or our assumptions fail, all honest nodes will eventually reach consensus. But Tortoise is slow, so in all normal scenarios Hare allows us to achieve a degree of finality much more quickly. It also allows Tortoise to work much more quickly and efficiently, since all honest nodes that were online and listening to Hare messages will vote the same way. In normal situations, Tortoise follows along and “notarizes” the Hare results a layer or two after Hare finishes.
Why did we invent our own algorithms rather than use off the shelf solutions? The short answer is that we didn’t find any existing protocols that suited our purposes. In Hare, we needed a Byzantine agreement protocol not on a single value but rather on a set of values. In Tortoise, we needed not only millions of participants to be able to achieve consensus on a set of values, but also a self-healing mechanism that’s capable of automatically re-establishing consensus even after assumptions have failed for a while and the network has lost consensus. Both Tortoise and Hare are bespoke protocols custom tailored to the needs of the Spacemesh network.
For more: See the Spacemesh protocol docs.
Thing #3: Cooperative Mining
One of the main design goals for Spacemesh is to make mining as easy as possible for home miners. Part of this is economic: as described above, home miners have lower marginal costs and therefore should not be priced out by industrial miners. Part of this is down to great UX: mining at home is as simple as downloading and running a single, user-friendly app. No special hardware or technical skills are required and the app works on Windows, Mac, and Linux.
But we can do even better than that. There are other cryptocurrencies you can mine from home, but even assuming you can do so in an economically sustainable fashion (which is usually not the case) you always need to join a mining pool. This is because, as a home miner without expensive, specialized hardware, you represent such a tiny proportion of the overall mining power in the network that, realistically, you’ll never mine a block on your own. You could mine for a dozen years and never produce a single block, which means you’d never earn a single reward. This happens because miners win blocks probabilistically relative to their overall stake or hash power in the network.
Mining pools help smooth out rewards but they’re not without downsides. For one thing, joining a mining pool requires additional software, additional accounts, and additional configuration. It’s easy to make mistakes, e.g., by configuring the software incorrectly and putting in the wrong address to receive your portion of the proceeds (I learned this one the hard way 😭). Pools charge fees, and what’s more, the fee structures can be extremely opaque and difficult to understand. When you mine using a pool you’re trusting the pool operator not only to pay you, but also to calculate and pay out your share of the mining proceeds fairly and correctly—and it’s impossible to verify this because you don’t even have access to the relevant information. What’s more, pools themselves can go down, so by joining a pool you’re adding more possible points of failure. All of this boils down to a simple but important fact: when you mine as part of a pool, you’re a second-class citizen on the network.
By contrast, all Spacemesh miners including home miners are first-class citizens. We make sure that home miners never need to join a pool. This is possible because of a strategy called cooperative mining. In proof of work, miners race to create the next block. And in proof of stake, only one miner is chosen to create a block in each slot. If you spend tens of thousands of dollars and buy 32 ETH to run one Ethereum validator, at present your validator can be expected to produce one block every 66 days on average. (Ethereum validators earn smaller rewards for attesting every day, but only collect juicy block fees and MEV when they successfully produce a block.)
In proof of spacetime, miners are assigned to slots deterministically at the beginning of each epoch. In contrast to Ethereum, each miner, no matter how small, is guaranteed at least one slot per epoch (epochs are a few days long). Home miners should expect to participate in block production and receive frequent rewards, probably at least every day or two (the exact numbers depend on how many others are mining). We ensure that there are plenty of slots by having many miners cooperate to produce the block each layer.
The way this works is that each eligible miner submits a proposal containing the transactions that they think should be included in that block (based on their view of the mempool). The proposals from all the eligible miners form the input to the Hare protocol (described above). Then, after several rounds of message passing, the Hare outputs a single, canonical block for the layer containing an ordered set of transactions. All honest nodes will agree about the contents of this block (and will subsequently vote for the block in Tortoise).
Cooperative mining has another positive side effect: unlike in protocols where a single miner produces the next block, in Spacemesh no single miner or validator ever has the exclusive ability to order the transactions in a block. The final set of transactions is determined by the input proposals collected from all eligible miners, the Hare consensus protocol, and a deterministic algorithm that’s used to randomize the order of the transactions in each block. (Users still have a way to order their own transactions, but transactions from different accounts get randomized.) This makes it much harder for miners to extract MEV by ordering transactions a certain way, meaning that users have some in-protocol protection against MEV-based attacks like frontrunning.
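One way such a deterministic ordering step could work, shown as an added sketch in Go that is not Spacemesh's actual algorithm or code. The Tx type, the OrderTxs function and the seed are hypothetical; the seed is assumed to be a value every node derives identically and that no single miner chooses.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

type Tx struct { // hypothetical minimal transaction
	Account string // sending account
	Nonce   uint64 // per-account counter; fixes the order of the account's own txs
}
type slot struct {
	key  [32]byte // pseudo-random sort key derived from the seed
	acct string   // account that owns this position in the block
}

// OrderTxs merges proposals into one canonical order: accounts are interleaved
// pseudo-randomly from seed, while each account's transactions stay in nonce order.
func OrderTxs(seed []byte, proposals [][]Tx) []Tx {
	byAcct, seen := map[string][]Tx{}, map[Tx]bool{}
	for _, p := range proposals {
		for _, tx := range p {
			if !seen[tx] { // the same tx may arrive in several proposals
				seen[tx] = true
				byAcct[tx.Account] = append(byAcct[tx.Account], tx)
			}
		}
	}
	var slots []slot
	for acct, txs := range byAcct {
		sort.Slice(txs, func(i, j int) bool { return txs[i].Nonce < txs[j].Nonce })
		for i := range txs { // one slot per tx, keyed by H(seed, account, index)
			slots = append(slots, slot{sha256.Sum256([]byte(fmt.Sprintf("%x|%q|%d", seed, acct, i))), acct})
		}
	}
	sort.Slice(slots, func(i, j int) bool { return bytes.Compare(slots[i].key[:], slots[j].key[:]) < 0 })
	out, next := make([]Tx, 0, len(slots)), map[string]int{}
	for _, s := range slots { // fill each slot with its account's next-lowest nonce
		out = append(out, byAcct[s.acct][next[s.acct]])
		next[s.acct]++
	}
	return out
}

func main() { // constructed sample proposals from two miners
	a, b := []Tx{{"alice", 2}, {"bob", 7}, {"alice", 1}}, []Tx{{"carol", 4}, {"bob", 7}, {"alice", 3}}
	fmt.Println(OrderTxs([]byte("layer-seed"), [][]Tx{a, b}))
}
```

Because the result depends only on the seed and the set of transactions, a miner gains nothing by rearranging the transactions inside its own proposal.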
For more: Try participating in an Ethereum staking pool. This is good practice for mining Spacemesh—but, unlike Spacemesh, it requires upfront stake!