This post presents a research-style paper on our new Subspace consensus. It develops a simple mathematical model that allows us to highlight the most innovative elements in our consensus design as well as to formally reason about its security. We will continue improving the paper based on the feedback and comments on this forum. So, it is still a work in progress. You can access the latest version of the paper from the following links:

We hope you enjoy reading the paper!

10 Likes

Thank you Dr. Chen for sharing!

“Alternatively, each piece di can be viewed as a polynomial fi(x) over Zp of degree at most ℓ − 1.”

The question is, is the polynomial fi(x) is a polynomial, which its coefficients are the element of di, or are you using the element of di to interpolate fi(x), using for example Lagrange interpolation mechanism?

2 Likes

About the KZG commitment, for the second case it is said:

“. …In this case, we can create a KZG commitment T…”, first of all, who is WE? i dont understand who is gonna create that? Prover?

Also, in this case you said that the farmer needs to provide two KZG proofs. Why? What do you need to prove the correctness of choosing g^{id}_i. I mean the verifier has T, thus similar to the case 1, we need to provide just one proof for the polynomial evaluation. I do not understand that why do we need some additional proof in this case?

Good question, Hanzaleh! Our theory works in both cases. For efficient implementation, we view d_i as evaluations of f_i(x) at points that are powers of a primitive root of unity. This allows us to apply FFT to do polynomial interpolation.

1 Like

In the section “Putting Everything Together”, you defined T as the the KZG commitment

of (H(A0), . . . , H(An−1)). Isn’t the the KZG commitment defined for a polynomial? Are you considering (H(A0), . . . , H(An−1)) as a polynomial, similar to di and fi(x) ?!

Yes, you are right! Also, recall that a polynomial commitment scheme can be used as a vector commitment scheme.

1 Like

Short answer: Full nodes are creating T, which is also called segment commitment in our detailed specification (which will be released soon).

In Case 1, A_0, A_1, …, A_{n-1} are public information. Suppose that the verifier needs to check the evaluation of f_3(x) at x = 1 is correct. Then she can use A_3 for this purpose. In Case 2, only T is public information. So, the verifier needs to check A_3 first. The correctness of A_3 can be checked with T, which is essentially a vector commitment of ( A_0, A_1, …, A_{n-1} ).