Chapter 12

Merkle Trees

Efficient Verification Through Hash Trees

How can we prove that a specific transaction is included in a block without revealing all other transactions? The answer lies in a elegant data structure invented by Ralph Merkle in 1979: the hash tree, now universally known as the Merkle tree. This structure enables Bitcoin's crucial ability to verify transaction inclusion with logarithmic efficiency.

Merkle trees are foundational to Bitcoin's scalability. They allow lightweight clients to verify payments without downloading full blocks—a property we will explore thoroughly in Volume III when we study Simplified Payment Verification.

12.1 Binary Hash Trees

A Merkle tree is a binary tree where each leaf node contains a hash of data, and each internal node contains a hash of its two children.

Definition 12.1 (Merkle Tree)

A Merkle tree over data elements d₁, d₂, ..., dₙ is a binary tree where:

  • Each leaf Lᵢ = H(dᵢ) is the hash of a data element
  • Each internal node N = H(left || right) is the hash of its two children concatenated
  • The Merkle root is the single hash at the top of the tree
Merkle Root H(AB) H(CD) H(A) H(B) H(C) H(D) Tx A Tx B Tx C Tx D Level 0 Level 1 Level 2 Data
Figure 12.1: A Merkle tree over four transactions. The root commits to all data.

Definition 12.2 (Bitcoin Merkle Tree)

In Bitcoin, the Merkle tree is constructed using double SHA-256:

H(x) = SHA256(SHA256(x))

Leaf nodes are hashes of serialized transactions (txids). Internal nodes hash the concatenation of their children in left-to-right order.

12.2 Computing the Merkle Root

The Merkle root is computed bottom-up, starting from the transaction hashes.

Algorithm 12.1 (Merkle Root Computation)

Given transaction hashes h₁, h₂, ..., hₙ:

  1. If n = 1, return h₁
  2. If n is odd, duplicate the last hash: hₙ₊₁ = hₙ
  3. Pair adjacent hashes and compute: pᵢ = H(h₂ᵢ₋₁ || h₂ᵢ)
  4. Recursively compute the Merkle root of p₁, p₂, ..., p_{n/2}

Remark 12.1 (Odd Number of Elements)

When a tree level has an odd number of nodes, Bitcoin duplicates the last node before pairing. This ensures every internal node has exactly two children.

Merkle Tree with 5 Transactions (Odd Count) Root H(ABCD) H(EE) H(AB) H(CD) H(E) H(E) A B C D E duplicated
Figure 12.2: When the transaction count is odd, the last hash is duplicated.

Example 12.1 (Computing a Merkle Root)

Given four transaction hashes (32 bytes each, shown truncated): 

TxA: 3a5b...8c1d
TxB: 7f2e...4a9b
TxC: 1c8d...2e3f
TxD: 9a4b...5c6d

Step 1: Compute leaf pairs:

H(AB) = SHA256(SHA256(3a5b...8c1d || 7f2e...4a9b))
H(CD) = SHA256(SHA256(1c8d...2e3f || 9a4b...5c6d))

Step 2: Compute root:

Root = SHA256(SHA256(H(AB) || H(CD)))

12.3 Merkle Proofs

The key insight of Merkle trees is that inclusion of any element can be proven with only O(log n) hashes.

Definition 12.3 (Merkle Proof)

A Merkle proof (or inclusion proof) for element dᵢ is the sequence of sibling hashes along the path from the leaf to the root, together with directional flags indicating whether each sibling is on the left or right.

Merkle Proof for Transaction B Root ✓ H(AB) H(CD) ← proof[1] H(A) proof[0] → H(B) H(C) H(D) Tx B target Proof elements Computed path
Figure 12.3: To prove Tx B is included, we need only H(A) and H(CD)—just 2 hashes for 4 transactions.

Theorem 12.1 (Merkle Proof Size)

For a Merkle tree with n leaves, a Merkle proof consists of exactly ⌈log₂ n⌉ hashes.

Proof.

A balanced binary tree with n leaves has height ⌈log₂ n⌉. The path from any leaf to the root traverses this many edges. At each level, we need the sibling hash to compute the parent. Therefore the proof requires exactly ⌈log₂ n⌉ hashes. □

Example 12.2 (Proof Size Scaling)

Consider proof sizes for various block sizes:

Transactions Proof Hashes Proof Size
1,000 10 320 bytes
10,000 14 448 bytes
100,000 17 544 bytes
1,000,000 20 640 bytes

Even for a million transactions, the proof fits in under 1 KB.

12.4 Verifying Merkle Proofs

Given a transaction, a Merkle proof, and the expected root, verification recomputes the root and checks equality.

Algorithm 12.2 (Merkle Proof Verification)

Given transaction tx, proof [(h₁, d₁), (h₂, d₂), ...] where dᵢ indicates direction (left/right), and expected root R:

  1. Compute current = H(tx)
  2. For each (hᵢ, dᵢ) in the proof:
    • If dᵢ = left: current = H(hᵢ || current)
    • If dᵢ = right: current = H(current || hᵢ)
  3. Return current = R

Theorem 12.2 (Merkle Proof Security)

If H is a collision-resistant hash function, then it is computationally infeasible to produce a valid Merkle proof for a transaction that is not in the committed set.

Proof sketch.

To forge a proof for a non-existent transaction tx', the attacker must find hash values that combine to produce the correct root. This requires either finding a preimage (to make a valid leaf) or a collision (to substitute intermediate hashes). Both are infeasible under the assumption that H is collision-resistant. □

12.5 Transaction Merkle Tree in Bitcoin

Every Bitcoin block contains a Merkle root that commits to all transactions in the block.

Definition 12.4 (Block Merkle Root)

The Merkle root in a Bitcoin block header is computed from the txids of all transactions in the block, with the coinbase transaction always at position 0.

Block Header (80 bytes) version prev_block merkle_root timestamp bits nonce Merkle Tree coinbase ...transactions
Figure 12.4: The Merkle root in the block header commits to all transactions.

Remark 12.2 (Txid Byte Order)

Bitcoin uses little-endian byte order for txids in Merkle tree construction. This means the internal representation differs from the "natural" display format shown in block explorers.

12.6 Witness Commitment

SegWit introduced a second Merkle tree that commits to witness data.

Definition 12.5 (Witness Commitment)

The witness commitment is computed as:

commitment = SHA256(SHA256(witness_root || witness_reserved))

where witness_root is the Merkle root of all wtxids (with the coinbase wtxid set to all zeros), and witness_reserved is a 32-byte value in the coinbase witness.

The witness commitment is stored in an OP_RETURN output of the coinbase transaction, allowing old nodes to validate blocks without understanding witness data.

Transaction Merkle Root of txids → Block header Witness Merkle Root of wtxids → Coinbase OP_RETURN Commits to transaction structure Commits to witness data
Figure 12.5: SegWit blocks have two Merkle trees: one for transactions, one for witnesses.

12.7 SPV and Merkle Proofs

Merkle proofs enable Simplified Payment Verification (SPV), where a lightweight client can verify transaction inclusion without downloading full blocks.

Theorem 12.3 (SPV Verification)

Given:

  • A transaction tx
  • A Merkle proof π
  • A block header H (from the longest chain)

An SPV client can verify that tx is included in the block represented by H by checking that π is valid for the Merkle root in H.

The SPV security model assumes the longest chain represents honest consensus. We will examine this assumption critically in Volume III.

Example 12.3 (SPV Data Requirements)

To verify a transaction, an SPV client needs:

  • Block headers (80 bytes each, ~4 MB per year)
  • The transaction itself (~250 bytes typical)
  • Merkle proof (~500 bytes for large blocks)

Compare this to downloading the full block (1–2 MB) or the entire blockchain (500+ GB as of 2024). The efficiency gain is dramatic.

12.8 Security Considerations

12.8.1 CVE-2012-2459: Merkle Tree Malleability

A vulnerability in Bitcoin's original implementation allowed malformed blocks to appear valid.

Remark 12.3 (Duplicate Transaction Attack)

Because odd-numbered transaction lists duplicate the last element, an attacker could construct blocks where duplicating certain transactions produced the same Merkle root. This was fixed by rejecting blocks with duplicate transactions.

12.8.2 Leaf vs. Internal Node Ambiguity

If an internal node hash happens to be a valid transaction hash, confusion could arise. Bitcoin mitigates this by:

12.9 Generalized Merkle Trees

Several Bitcoin proposals extend the basic Merkle tree concept.

12.9.1 Merkle Mountain Ranges

Merkle Mountain Ranges (MMRs) allow efficient append-only commitment, useful for UTXOs and chain state.

12.9.2 Merkle-ized Abstract Syntax Trees (MAST)

MAST (now realized through Taproot) allows committing to multiple spending conditions while revealing only the executed path. This improves both privacy and efficiency for complex scripts.

Definition 12.6 (Taproot Script Tree)

Taproot encodes alternative spending scripts as leaves in a Merkle tree. The Merkle root is tweaked into the public key. When spending via script, only the executed script and its Merkle proof are revealed—other branches remain private.

Exercises

Exercise 12.1

Construct a Merkle tree for the following txids (use first 8 characters to represent each hash): 

A: 1a2b3c4d
B: 5e6f7a8b
C: 9c0d1e2f
D: 3a4b5c6d
E: 7e8f9a0b

What is the structure of the tree? How many hash computations are needed?

Exercise 12.2

A block contains 4,096 transactions. How many hashes are needed in a Merkle proof? If each hash is 32 bytes, what is the total proof size?

Exercise 12.3

Explain why the Merkle root changes completely if even a single bit of any transaction is modified. What property of hash functions guarantees this?

Exercise 12.4

In the witness commitment scheme, why is the coinbase wtxid defined as all zeros rather than the actual hash? What would go wrong otherwise?

Exercise 12.5

A Merkle tree has 1,000 leaves. Without knowing which leaf you'll need to prove, how much data must you store to be able to generate a proof for any leaf? (Consider storing the full tree vs. just the leaves.)