The following document outlines security measures against well-known attacks in PoC. The reader is advised to first read Subspace's design in order to understand these better.
A farmer's chance of winning a leader election only depends on the number of encodings it stores. A farmer with space for $n$ encodings has two choices:
We would like farmers to follow honest farming as it results in better replication of the whole blockchain history. A rational farmer in Subspace may prefer lazy farming because they save on network bandwidth for downloading multiple pieces. Note that in Spartan, a farmer derives their plot from only one Genesis piece, so does not gain anything by lazy farming.
Although similar to a Sybil attack, this is not a direct attack on consensus. Subspace's PoC consensus is already Sybil resistant because the chance of winning a leader election only depends on the total number of encodings, not on the number of identities. Lazy farming however impacts Subspace's distributed storage network because the entire blockchain history may not be stored. Lazy farming can also exacerbate a compression attack, which is discussed in the next section.
To deter lazy farming, we require farmers to compute one local challenge per public key. Precisely, for each slot, a farmer computes the global challenge as Hash(epoch_randomness||slot). The farmer then computes their local_challenge as Hash(challenge||public_key_hash).
Suppose that a farmer stores $n$ encodings on disk. In the honest farming strategy, the farmer computes one local challenge every slot and queries the binary search tree (BST) to find the closest commitment. This requires $\log(n)$ lookups since the binary seach tree is sorted. In the lazy farming strategy, the farmer computes $n$ local challenges (one for each public key) and must compare each challenge with the commitment for the encoding from the corresponding public key ($n$ lookups). When the number of encodings stored by the farmer is large, the lazy farming strategy incurs a huge overhead of BST lookups (memory reads) in every slot which will quickly overcome the one-time cost of downloading and plotting distinct pieces. Thus, a rational farmer would prefer to first store one entire replica of the blockchain history with a single public key before using additional storage to store multiple replicas with different public keys
This is an example of a space-time trade-off attack where an attacker may use additional computation to save on storage.
A Subspace farmer may choose to discard the encodings, and store only the much smaller BST of commitments and one single copy of the unencoded blockchain. Since the leader elections only require the commitments, the farmer can win leader elections without storing the encodings. Once they produce a block, the farmer encodes the piece on-demand to generate the proof. Thus, the farmer only uses a fraction of the required storage while encoding pieces on-demand to win the leader elections. Thus, an attacker can launch a 51% attack even without owning 51% of the network's storage, but by using additional computation. This attack is exacerbated by the lazy farming strategy because the attacker only needs to store one piece, and encode it on-demand with different public keys. Then the attacker's actual storage is very little - only one unencoded piece and the commitments.
To deter this attack, the commitments include a salt, which is updated at regular intervals (eons). This makes the compression attack harder because an attacker would have to re-encode their pieces every time the salt changes.
To analyze the cost of the compression attack, let $t_{eon}$ be the salt update interval (a protocol parameter), $P$ be the piece size (4 KiB) and let $S$ be the storage (in bytes) pledged by a farmer for a time horizon $T$.
Let $C_s$ be the cost of storage media (HDD/SSD) in $/byte. Let $C_{salt}$ be the power cost of reading the encoding from disk, re-commiting with the new salt and updating the binary search tree as per the honest protocol (in $/encoding). Let $C_e$ be the power cost of encoding a piece, recommiting with the new salt and updating the BST as per the compression attack, in $/encoding. Let $C_{cpu}$ be the cost of a CPU + memory configuration that can encode one piece per $t_{enc}$ seconds.
Honest strategy: An honest farmer initially stores $S$ bytes worth of encodings to disk. Additionally, they store the binary search tree of commitments to disk. (Note that if the size of a piece/encoding is 4 KiB and the size of a commitment is 8 B, the storage required for the binary search tree is $S \times 8/4096 = S/256$ bytes, which is much smaller than the $S$ bytes required for the encodings themseleves, hence can be ignored.)
A one-time cost of $C_s\cdot S$ is paid initially to buy $S$ bytes of storage. Everytime the salt is updated ($T/t_{eon}$ times in $T$ time), $S/P$ encodings must be re-commited. The cost of running the honest strategy can be estimated as
$$ C_{hon} = \text{plotting cost + re-commit cost} = C_s\cdot S + C_{salt}\cdot (S/P) \cdot T/t_{eon}. $$