Skip to main content
This document covers more concepts needed in understanding our specific design of the zkProver storage using binary SMTs. These concepts also help in elucidating how keys influence the shape of binary SMTs. First is the level of a leaf. The level of a leaf, Lx\mathbf{L}_{\mathbf{x}}, in a binary SMT is defined as the number of edges one traverses when navigating from the root to the leaf. Denote the level of the leaf Lx\mathbf{L_x} by lvl(Lx)\text{lvl}(\mathbf{L_x}).

Leaf levels

Consider the below figure for an SMT storing seven key-value pairs, built by following the principles explained in the foregoing subsection; (Ka,Va), (Kb,Vb), (Kc,Vc), (Kc,Vc), (Kd,Vd), (Ke,Ve), (Kf,Vf)  and  (Kg,Vg)(\mathbf{K}_{\mathbf{a}}, V_{\mathbf{a}}),\ (\mathbf{K}_{\mathbf{b}}, V_{\mathbf{b}}),\ (\mathbf{K}_{\mathbf{c}}, V_{\mathbf{c}}),\ (\mathbf{K}_{\mathbf{c}}, V_{\mathbf{c}}),\ (\mathbf{K}_{\mathbf{d}}, V_{\mathbf{d}}),\ (\mathbf{K}_{\mathbf{e}}, V_{\mathbf{e}}),\ (\mathbf{K}_{\mathbf{f}}, V_{\mathbf{f}})\ \ {\text{and}}\ \ (\mathbf{K}_{\mathbf{g}}, V_{\mathbf{g}}) where the keys are, Ka=10101100,Kb=10010010,Kc=10001010,Kd=11100110,Ke=11110101,Kf=10001011,Kg=00011111.\begin{aligned} &K_{\mathbf{a}} = 10101100, K_{\mathbf{b}} = 10010010, K_{\mathbf{c}} = 10001010, K_{\mathbf{d}} = 11100110,\\ &K_{\mathbf{e}} = 11110101, K_{\mathbf{f}} = 10001011, K_{\mathbf{g}} = 00011111. \end{aligned} The leaf levels are as follows; lvl(La)=2\text{lvl}(\mathbf{L}_{\mathbf{a}}) = 2, lvl(Lb)=4\text{lvl}(\mathbf{L}_{\mathbf{b}}) = 4, lvl(Lc)=4\text{lvl}(\mathbf{L}_{\mathbf{c}}) = 4, lvl(Ld)=3\text{lvl}(\mathbf{L}_{\mathbf{d}}) = 3, lvl(Le)=2\text{lvl}(\mathbf{L}_{\mathbf{e}}) = 2, lvl(Lf)=3\text{lvl}(\mathbf{L}_{\mathbf{f}}) = 3 and lvl(Lg)=3\text{lvl}(\mathbf{L}_{\mathbf{g}}) = 3. Figure 6: An SMT of 7 key-value pairs As illustrated, keys basically determine the shape of the SMT. They dictate where respective leaves must be placed when building the SMT. The main determining factor of the SMT shape is in fact the common key-bits among the keys. For instance, the reason why the leaves Lb\mathbf{L}_{\mathbf{b}} and Lc\mathbf{L}_{\mathbf{c}} have the largest leaf level 44 is because the two leaves have the longest string of common key-bits "010010" in the SMT of Figure 6 above. This explains why different leaves in SMTs can have different levels. The height of a Merkle tree refers to the largest number of edges traversed when navigating from the root to any leaf. Since all leaves are of the same level in Merkle trees, the concept of a height coincide with that of the level of a leaf for Merkle trees. But this is not the case for SMTs. Since leaf levels differ from one leaf to another in SMTs, the height of an SMT is not the same as the leaf level. Rather, the height of an SMT is defined as the largest leaf level among the various leaf levels of leaves on the SMT. For instance, the height of the SMT depicted in the figure above, is 44. Now, since all keys have the same fixed key-length, they not only influence SMT leaf levels and shapes, but also restrict SMT heights to the fixed key-length. The maximum height of an SMT is the maximum key-length imposed on all keys.

Remaining keys

In a general Sparse Merkle tree (SMT), values are stored at their respective leaf-nodes. But a leaf node Lx\mathbf{L}_{\mathbf{x}} not only stores a value, VxV_{\mathbf{x}}, but also the key-bits that are left unused in the navigation from the root to Lx\mathbf{L}_{\mathbf{x}}. These unused key-bits are called the remaining key, and are denoted by RKx\text{RK}_{\mathbf{x}} for the leaf node Lx\mathbf{L}_{\mathbf{x}}. Consider again the SMT of the 7 key-value pairs depicted in the figure above. The remaining keys of each of the 7 leaves in the SMT are as follows; RKa=110101\text{RK}_{\mathbf{a}} = 110101, RKb=1001\text{RK}_{\mathbf{b}} = 1001, RKc=0001\text{RK}_{\mathbf{c}} = 0001, RKd=00111\text{RK}_{\mathbf{d}} = 00111, RKe=101111\text{RK}_{\mathbf{e}} = 101111, RKf=10001\text{RK}_{\mathbf{f}} = 10001 and RKg=11000\text{RK}_{\mathbf{g}} = 11000.

Fake-leaf attack

Note that the above simplified design of binary SMTs, based on key-value pairs, presents some problems. The characteristic of binary SMTs having leaves at different levels can be problematic to verifiers, especially when carrying out a simple Merkle proof.

Scenario: Fake SMT leaf

What if the verifier is presented with a fake leaf? Consider the below figure, showing a binary SMT with a branch Bab\mathbf{`{B}`_`{ab}`} and its children La\mathbf{L_`{a}`} and Lb\mathbf{L_`{b}`} hidden from the verifier’s sight. That is, suppose the verifier is provided with the following information;
  • The key-value (Kfk,Vfk)(K_{\mathbf{fk}}, V_\mathbf{`{fk}`}), where Kfk=11010100K_{\mathbf{fk}} = 11010100 and Vfk=LaLbV_{\mathbf{fk}} = \mathbf{L_`{a}`} \| \mathbf{L_`{b}`}.
  • The root rootab..f\mathbf{`{root}`_{ab..f}} , the number of levels to root, and the siblings Scd\mathbf{`{S}`_{\mathbf{cd}}} and Sef\mathbf{`{S}`_{\mathbf{ef}}}.
That is, the Attacker claims that some VfkV_{\mathbf{fk}} is stored at Lfk:=Bab\mathbf{L_`{fk}`} := \mathbf{`{B}`_`{ab}`}. Verifier is unaware that VfkV_{\mathbf{fk}} is in fact the concatenated value of the hidden real leaves, La\mathbf{L_`{a}`} and Lb\mathbf{L_`{b}`}, that are children of the supposed leaf Lfk\mathbf{L_`{fk}`}. i.e., Verifier does not know that leaf Lfk\mathbf{L_`{fk}`} is in fact a branch. Figure 7: MPT - Fake Leaf Attack So then, the verifier being unaware that Lfk\mathbf{L_`{fk}`} is not a properly constructed leaf, starts verification as follows;
  1. He uses the key KfkK_{\mathbf{fk}} to navigate the tree until locating the supposed leaf Lfk\mathbf{L_`{fk}`}.
  2. He computes H(Vfk)\mathbf{H}(V_{\mathbf{fk}}) and sets it as L~fk:=H(Vfk)\tilde{\mathbf{L}}_{\mathbf{fk}} := \mathbf{H}(V_{\mathbf{fk}}).
  3. Then takes the sibling Scd\mathbf{`{S}`_{\mathbf{cd}}} and calculates
    B~fkcd=H(L~fkScd)\tilde{ \mathbf{B}}_{\mathbf{fkcd}} = \mathbf{H} \big( \tilde{\mathbf{L}}_{\mathbf{fk}} \| \mathbf{S}_{\mathbf{cd}} \big).
  4. And then, uses B~fkcd\tilde{ \mathbf{B}}_{\mathbf{fkcd}} to compute the root, root~ab..f=H(B~fkcdSef)\tilde{ \mathbf{root}}_{\mathbf{ab..f}} = \mathbf{H} \big( \tilde{ \mathbf{B}}_{\mathbf{fkcd}}\| \mathbf{S}_{\mathbf{ef}} \big).
The question is: “Does the fake leaf Lfk\mathbf{L_`{fk}`} pass the verifier’s Merkle proof or not?” Or, equivalently: “Is root~ab..f\tilde{ \mathbf{root}}_{\mathbf{ab..f}} equal to rootab..f\mathbf{root}_{\mathbf{ab..f}}?” Since the actual branch Bab\mathbf{`{B}`_`{ab}`} is by construction the hash, H(LaLb)\mathbf{H}(\mathbf{L_`{a}`} \| \mathbf{L_`{b}`}), then Bab=L~fk\mathbf{`{B}`_`{ab}`} = \tilde{\mathbf{L}}_{\mathbf{fk}}. The parent branch Babcd{\mathbf{B}}_{\mathbf{abcd}} also, being constructed as the hash, H(BabScd)\mathbf{H} \big( \mathbf{B}_{\mathbf{ab}}\| { \mathbf{S}}_{\mathbf{cd}} \big), should be equal to H(L~fkScd)=B~fkcd\mathbf{H} \big( \tilde{\mathbf{L}}_{\mathbf{fk}} \| \mathbf{S}_{\mathbf{cd}} \big) = \tilde{ \mathbf{B}}_{\mathbf{fkcd}}. As a result, rootab..f=H(BabcdSef)=H(B~fkcdSef)=root~ab..f\mathbf{root}_{\mathbf{ab..f}} = \mathbf{H} \big( {\mathbf{B}}_{\mathbf{abcd}} \| \mathbf{S}_{\mathbf{ef}} \big) = \mathbf{H} \big( \tilde{ \mathbf{B}}_{\mathbf{fkcd}}\| \mathbf{S}_{\mathbf{ef}} \big) = \tilde{ \mathbf{root}}_{\mathbf{ab..f}}. Therefore, the fake leaf Lfk\mathbf{L_`{fk}`} passes the Merkle proof.

Solution to the Fake-leaf attack

In order to circumvent the Fake-Leaf Attack we modify how the binary SMTs are built. Here’s the trick: When building binary SMTs, differentiate between how leaves are hashed and how branches are hashed. That is, use two different hash functions; one hash function to hash leaves, denote it by Hleaf\mathbf{H}_{\mathbf{leaf}}, and the other function for hashing non-leaf nodes, denote it by Hnoleaf\mathbf{H}_{\mathbf{noleaf}}.

How does this prevent the Fake-leaf attack?

Reconsider now, the Scenario A, given above. Recall that the Attacker provides the following;
  • The key-value (Kfk,Vfk)(K_{\mathbf{fk}}, V_\mathbf{`{fk}`}), where Kfk=11010100K_{\mathbf{fk}} = 11010100 and Vfk=LaLbV_{\mathbf{fk}} = \mathbf{L_`{a}`} \| \mathbf{L_`{b}`}.
  • The root rootab..f\mathbf{`{root}`_{ab..f}} , the number of levels to root, and the siblings Scd\mathbf{`{S}`_{\mathbf{cd}}} and Sef\mathbf{`{S}`_{\mathbf{ef}}}.
The verifier suspecting no foul, uses Kfk=11010100K_{\mathbf{fk}} = 11010100 to navigate the tree until he finds VfkV_{\mathbf{fk}} stored at Lfk:=Bab\mathbf{L_`{fk}`} := \mathbf{`{B}`_`{ab}`}. He subsequently starts the Merkle proof by hashing the value V~fk\tilde{V}_{\mathbf{fk}} stored at the located leaf. Since, this computation amounts to forming a leaf, he uses the leaf-hash function, Hleaf\mathbf{H}_{\mathbf{leaf}}.
  • He then sets L~fk:=Hleaf(Vfk)=Hleaf(LaLb)\tilde{\mathbf{L}}_{\mathbf{fk}} := \mathbf{H}_{\mathbf{leaf}} \big( V_{\mathbf{fk}} \big) = \mathbf{H}_{\mathbf{leaf}} \big( \mathbf{L_`{a}`} \| \mathbf{L_`{b}`} \big).
  • And further computes B~fkcd=Hnoleaf(L~fkScd)\tilde{ \mathbf{B}}_{\mathbf{fkcd}} = \mathbf{H}_{\mathbf{noleaf}} \big( \tilde{\mathbf{L}}_{\mathbf{fk}} \| \mathbf{S}_{\mathbf{cd}} \big).
  • Again, calculates the root, root~ab..f=Hnoleaf(B~fkcdSef)\tilde{ \mathbf{root}}_{\mathbf{ab..f}} = \mathbf{H}_{\mathbf{noleaf}} \big( \tilde{ \mathbf{B}}_{\mathbf{fkcd}}\| \mathbf{S}_{\mathbf{ef}} \big).
But the actual branch Bab\mathbf{`{B}`_`{ab}`} was constructed with the no-leaf-hash function, Hnoleaf\mathbf{H}_{\mathbf{noleaf}}. That is, Bab=Hnoleaf(LaLb)Hleaf(LaLb)=L~fk.\mathbf{`{B}`_`{ab}`} = \mathbf{H}_{\mathbf{noleaf}} (\mathbf{L_`{a}`} \| \mathbf{L_`{b}`}) \neq \mathbf{H}_{\mathbf{leaf}} \big(\mathbf{L_`{a}`} \| \mathbf{L_`{b}`} \big) = \tilde{\mathbf{L}}_{\mathbf{fk}}. The parent branch Babcd{\mathbf{B}}_{\mathbf{abcd}} also, was constructed as, Babcd=Hnoleaf(BabScd){\mathbf{B}}_{\mathbf{abcd}} = \mathbf{H}_{\mathbf{noleaf}} \big(\mathbf{B}_{\mathbf{ab}}\| {\mathbf{S}}_{\mathbf{cd}}\big). Since the hash functions used are collision-resistant, Babcd{\mathbf{B}}_{\mathbf{abcd}} cannot be equal to Hnoleaf(L~fkScd)=B~fkcd\mathbf{H}_{\mathbf{noleaf}} \big( \tilde{\mathbf{L}}_{\mathbf{fk}} \| \mathbf{S}_{\mathbf{cd}} \big) = \tilde{ \mathbf{B}}_{\mathbf{fkcd}}. Consequently, rootab..froot~ab..f\mathbf{root}_{\mathbf{ab..f}} \neq \tilde{ \mathbf{root}}_{\mathbf{ab..f}}. Therefore, the Merkle Proof fails.

Non-binding key-value pairs

Whenever the verifier needs to check inclusion of the given key-value pair (Kx,Vx)(K_{\mathbf{x}}, \text{V}_{\mathbf{x}}) in a binary SMT identified by the roota..x\mathbf{`{root}`_{a..x}}, he first navigates the SMT in order to locate the leaf Lx\mathbf{`{L}`_`{x}`} storing Vx\text{V}_{\mathbf{x}}, and thereafter carries out two computations. Both computations involve climbing the tree from the located leaf Lx\mathbf{`{L}`_`{x}`} back to the root, roota..x\mathbf{`{root}`_{a..x}}. And the two computations are;
  1. Checking correctness of the key KxK_{\mathbf{x}}. That is, verifier takes the Remaining Key, RKx\text{RK}_{\mathbf{x}}, and reconstructs the key KxK_{\mathbf{x}} by concatenating the key bits used to navigate to Lx\mathbf{`{L}`_`{x}`} from roota..x\mathbf{`{root}`_{a..x}}, in the reverse order. Suppose the number of levels to root is 3, and the least-significant bits used for navigation are kb2\text{kb}_\mathbf{2}, kb1\text{kb}_\mathbf{1} and kb0\text{kb}_\mathbf{0}. In order to check key-correctness, verifier takes the remaining key RK\text{RK} and,
    • Concatenates kb2\text{kb}_\mathbf{2} and gets  RKkb2\text{ } \text{RK} \| \text{kb}_\mathbf{2},
    • Concatenates kb1\text{kb}_\mathbf{1} then gets  RKkb2kb1\text{ } \text{RK} \| \text{kb}_\mathbf{2} \| \text{kb}_\mathbf{1},
    • Concatenates kb0\text{kb}_\mathbf{0} and gets  RKkb2kb1kb0\text{ } \text{RK} \| \text{kb}_\mathbf{2} \| \text{kb}_\mathbf{1} \| \text{kb}_\mathbf{0}.
    He then sets K~x:=RKkb2kb1kb0\tilde{K}_{\mathbf{x}} := \text{RK} \| \text{kb}_\mathbf{2} \| \text{kb}_\mathbf{1} \| \text{kb}_\mathbf{0}, and checks if K~x\tilde{K}_{\mathbf{x}} equals KxK_{\mathbf{x}}.
  2. The Merkle proof: That is, checking whether the value stored at the located leaf Lx\mathbf{`{L}`_`{x}`} was indeed included in computing the root, roota..x\mathbf{`{root}`_{a..x}}. This computation was illustrated several times in the above discussions. Note that the key-correctness and the Merkle proof are simultaneously carried out.

Example: Indistinguishable leaves

Suppose a binary SMT contains a key-value pair (Kd,Vd)(K_{\mathbf{d}}, V_\mathbf{`{d}`}) at the leaf Ld\mathbf{L_`{d}`}, where Kd=11100110K_{\mathbf{d}} = 11100110. That is, Ld:=Hleaf(Vd)\mathbf{L_`{d}`} := \mathbf{H_`{leaf}`}(V_\mathbf{`{d}`}). Note that, when building binary SMTs, it is permissible to have another key-value pair (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) in the same tree with Vx=VdV_\mathbf{`{x}`} = V_\mathbf{`{d}`}. An Attacker can pick the key-value pair (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) such that Vx=VdV_\mathbf{`{x}`} = V_\mathbf{`{d}`} and Kx=10100110K_{\mathbf{x}} = 10100110. And, with the above design, it means Lx=Hleaf(Vx)=Hleaf(Vd)=Ld\mathbf{L_`{x}`} = \mathbf{H_`{leaf}`}(V_\mathbf{`{x}`}) = \mathbf{H_`{leaf}`}(V_\mathbf{`{d}`}) = \mathbf{L_`{d}`}. Consider the below figure and suppose the Attacker provides the following data; Non-binding Key-Value Pairs
  • The key-value (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}), where Kx=10100110K_{\mathbf{x}} = 10100110 and Vx=VdV_{\mathbf{x}} = V_\mathbf{d}.
  • The root, roota..x\mathbf{`{root}`_{a..x}}, the number of levels to root = 3, and the siblings Bbc\mathbf{`{B}`_{\mathbf{bc}}}, La\mathbf{L_`{a}`} and Sefg\mathbf{`{S}`_{\mathbf{efg}}}.
The verifier uses the least-significant key bits; kb0=0\text{kb}_\mathbf{0} = 0, kb1=1\text{kb}_\mathbf{1} = 1 and kb2=1\text{kb}_\mathbf{2} = 1; to navigate the tree and locate the leaf Lx\mathbf{L_`{x}`} which is positioned at Ld\mathbf{L_`{d}`}. In order to ensure that Lx\mathbf{L_`{x}`} actually stores the value VxV_\mathbf{`{x}`}; The verifier first checks key-correctness. He takes the remaining key RK=10100\text{RK} = 10100 and,
  1. Concatenates kb2=1\text{kb}_\mathbf{2} = 1, and gets  RKkb2=101001\text{ } \text{RK} \| \text{kb}_\mathbf{2} = 10100 \|1,
  2. Concatenates kb1=0\text{kb}_\mathbf{1} = 0 to get  RKkb2kb1=1010010\text{ } \text{RK} \| \text{kb}_\mathbf{2} \| \text{kb}_\mathbf{1} = 10100 \|1\|0,
  3. Concatenates kb0=0\text{kb}_\mathbf{0} = 0, yielding  RKkb2kb1kb0=10100100\text{ } \text{RK} \| \text{kb}_\mathbf{2} \| \text{kb}_\mathbf{1} \| \text{kb}_\mathbf{0} = 10100 \|1\|0\|0.
He sets K~x:=10100100=10100100\tilde{K}_{\mathbf{x}} := 10100 \|1\|0\|0 = 10100100. Since K~x\tilde{K}_{\mathbf{x}} equals KxK_{\mathbf{x}}, the verifier concludes that the supplied key is correct. As the verifier climbs the tree to test key-correctness, he concurrently checks if the value VxV_\mathbf{`{x}`} is included in the SMT identified by the given root, roota..x\mathbf{`{root}`_{a..x}}. That is, he executes the following computations;
  • He computes the hash of VxV_\mathbf{`{x}`} and sets it as, L~x:=Hleaf(Vx)\tilde{\mathbf{L}}_\mathbf{x}:= \mathbf{H_`{leaf}`}(V_\mathbf{`{x}`}).
  • Then he uses Bbc\mathbf{`{B}`_{\mathbf{bc}}} to compute, B~bcd=Hnoleaf(BbcL~x)\tilde{\mathbf{B}}_{\mathbf{bcd}} = \mathbf{H_`{noleaf}`}(\mathbf{`{B}`_{\mathbf{bc}}} \|\tilde{\mathbf{L}}_\mathbf{x}).
  • He also uses La\mathbf{L_`{a}`} to compute, B~abcd=Hnoleaf(LaB~bcd)\tilde{\mathbf{B}}_{\mathbf{abcd}} = \mathbf{H_`{noleaf}`}(\mathbf{L_`{a}`} \| \tilde{\mathbf{B}}_{\mathbf{bcd}}).
  • He further calculates, root~abcd=Hnoleaf(B~abcdSefg)\tilde{\mathbf{root}}_{\mathbf{abcd}} = \mathbf{H_`{noleaf}`}(\tilde{\mathbf{B}}_{\mathbf{abcd}} \| \mathbf{`{S}`_{\mathbf{efg}}}).
Next, the verifier checks if root~abcd\tilde{\mathbf{root}}_{\mathbf{abcd}} equals rootabcd\mathbf{root}_{\mathbf{abcd}}. Since Vx=VdV_\mathbf{`{x}`} = V_\mathbf{`{d}`}, it follows that all the corresponding intermediate values to the root are equal;
  • Ld=Hleaf(Vd)=Hleaf(Vx)=L~x\mathbf{L_`{d}`} = \mathbf{H_`{leaf}`}(V_\mathbf{`{d}`}) = \mathbf{H_`{leaf}`}(V_\mathbf{`{x}`}) = \tilde{\mathbf{L}}_\mathbf{x},
  • Bbcd=Hnoleaf(BbcLd)=Hnoleaf(BbcL~x)=B~bcd\mathbf{B}_{\mathbf{bcd}} = \mathbf{H_`{noleaf}`}(\mathbf{`{B}`_{\mathbf{bc}}} \| \mathbf{L}_\mathbf{d}) = \mathbf{H_`{noleaf}`}(\mathbf{`{B}`_{\mathbf{bc}}} \|\tilde{\mathbf{L}}_\mathbf{x}) = \tilde{\mathbf{B}}_{\mathbf{bcd}},
  • Babcd=Hnoleaf(LaBbcd)=Hnoleaf(LaB~bcd)=B~abcd\mathbf{B}_{\mathbf{abcd}} = \mathbf{H_`{noleaf}`}(\mathbf{L_`{a}`} \| \mathbf{B}_{\mathbf{bcd}} ) = \mathbf{H_`{noleaf}`}(\mathbf{L_`{a}`} \| \tilde{\mathbf{B}}_{\mathbf{bcd}} ) = \tilde{\mathbf{B}}_{\mathbf{abcd}},
  • rootabcd=Hnoleaf(BabcdSefg)=Hnoleaf(B~abcdSefg)=root~abcd\mathbf{root}_{\mathbf{abcd}} = \mathbf{H_`{noleaf}`}(\mathbf{B}_{\mathbf{abcd}} \| \mathbf{`{S}`_{\mathbf{efg}}} ) = \mathbf{H_`{noleaf}`}(\tilde{\mathbf{B}}_{\mathbf{abcd}} \| \mathbf{`{S}`_{\mathbf{efg}}} ) = \tilde{\mathbf{root}}_{\mathbf{abcd}}.
The verifier therefore concludes that the key-value pair (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) is in the SMT, when it is not.

Why is this attack successful?

Note that equality of values, Vx=VdV_\mathbf{`{x}`} = V_\mathbf{`{d}`}, associated with two distinct keys, has nothing to do with the efficacy of this attack. In fact, for all practical purposes, it should be permissible for distinct leaves to store any value, irrespective of whether other leaves store an equivalent value or not. The downfall of our binary SMTs design, thus far, is that it does not give the verifier any equation that relates or ties the keys to their associated values. In other words, the attack succeeds simply because the key-value pairs (as ‘committed’ values) are not binding.

Solution to the non-binding key-value problem

The solution to this problem is straightforward, and it is to build the binary SMTs in such a way that the key-value pairs are binding. This means, create a relationship between the keys and their associated values, so that the verifier can simply check if this relationship holds true. In order to ensure that checking such a relationship blends with the usual proof machinery, one has two options. The naïve solution, which involves the keys, is one option.

The Naïve solution

The naïve solution is to simply include keys in the argument of the hash function, when forming leaves. That is, when building a binary SMT, one includes a key-value pair (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) by setting the leaf Lx\mathbf{L_`{x}`} to be the hash of both the value and the key; Lx=Hleaf(KxVx)\mathbf{L_`{x}`} = \mathbf{H_`{leaf}`}(K_{\mathbf{x}} \| V_\mathbf{`{x}`} ) Does this change remedy the non-binding problem? Suppose (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) and (Kz,Vz)(K_{\mathbf{z}}, V_\mathbf{`{z}`}) are two key-value pairs such that Vx=VzV_\mathbf{`{x}`} = V_\mathbf{`{z}`} , while KxK_\mathbf{`{x}`} and KzK_\mathbf{`{z}`} differ only in one of the most-significant bits. Since the hash functions used are collision-resistant, it follows that Lx=Hleaf(KxVx)Hleaf(KzVz)=Lz\mathbf{L_`{x}`} = \mathbf{H_`{leaf}`}(K_{\mathbf{x}} \| V_\mathbf{`{x}`}) \neq \mathbf{H_`{leaf}`}(K_{\mathbf{z}} \| V_\mathbf{`{z}`}) = \mathbf{L_`{z}`} Consequently, although the key-value pairs (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) and (Kz,Vz)(K_{\mathbf{z}}, V_\mathbf{`{z}`}) might falsely pass the key-correctness check, they do not pass the Merkle proof test. And this is because, collision-resistance also guarantees that the following series of inequalities hold true; Lx=Hleaf(KxVx)Hleaf(KzVz)=LzBbx=Hnoleaf(SbLx)Hnoleaf(SbLz)=BbzBabx=Hnoleaf(SaBbx)Hnoleaf(SaBbz)=Babz\begin{aligned} \mathbf{L_`{x}`} = \mathbf{H_`{leaf}`}(K_{\mathbf{x}} \| V_\mathbf{`{x}`}) \neq \mathbf{H_`{leaf}`}(K_{\mathbf{z}} \| V_\mathbf{`{z}`}) = \mathbf{L_`{z}`} \\ \\ \mathbf{B_`{bx}`} = \mathbf{H_`{noleaf}`}(\mathbf{S}_\mathbf{`{b}`} \| \mathbf{L}_{\mathbf{x}}) \neq \mathbf{H_`{noleaf}`}(\mathbf{S}'_\mathbf{`{b}`} \| \mathbf{L}_{\mathbf{z}}) = \mathbf{B_`{bz}`} \\ \\ \mathbf{B_`{abx}`} = \mathbf{H_`{noleaf}`}(\mathbf{S}_\mathbf{`{a}`} \| \mathbf{B_`{bx}`} ) \neq \mathbf{H_`{noleaf}`}(\mathbf{S}'_\mathbf{`{a}`} \| \mathbf{B_`{bz}`}) = \mathbf{B_`{abz}`} \end{aligned} where; Sb\mathbf{S}_\mathbf{`{b}`} is a sibling to Lx\mathbf{L}_{\mathbf{x}} and Sa\mathbf{S}_\mathbf{`{a}`} is a sibling to Bbx\mathbf{B_`{bx}`}, making Bbx\mathbf{B_`{bx}`} and Babx\mathbf{B_`{abx}`} branches traversed while climbing the tree from Lx\mathbf{L_`{x}`} to root; Similarly, Sb\mathbf{S}'_\mathbf{`{b}`} is a sibling to Lz\mathbf{L}_{\mathbf{z}}, while Sa\mathbf{S}'_\mathbf{`{a}`} is a sibling to Bbx\mathbf{B_`{bx}`}, also making Bbz\mathbf{B_`{bz}`} and Babz\mathbf{B_`{abz}`} branches traversed while climbing the tree from Lz\mathbf{L_`{z}`} to root. The only chance for the Merkle proof to pass is if the key-value pairs (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}) and (Kz,Vz)(K_{\mathbf{z}}, V_\mathbf{`{z}`}) are distinct and are individually on the same SMT. The inclusion of keys, in the argument of the hash functions, therefore ensures that leaves Lx\mathbf{L_`{x}`} and Lz\mathbf{L_`{z}`} are distinguishable. And most importantly, that key-value pairs in our SMTs are now binding.

A better solution

The other solution, which is much more apt than the Naïve option, utilises the remaining keys when forming leaves. Since levels to root is related to the Remaining Key (RK\text{RK}) notion, a much more apt solution is to rather include the remaining key, RKx\text{RK}_\mathbf{x}, as the argument to the hash function, instead of the whole key KxK_{\mathbf{x}}. That is, for a key-value pair (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}), one sets the leaf Lx\mathbf{L_`{x}`} to be the hash of both the value and the remaining key; Lx=Hleaf(RKxVx).\mathbf{L_`{x}`} = \mathbf{H_`{leaf}`}( \text{RK}_\mathbf{x} \| \text{V}_\mathbf{`{x}`}). With this strategy, the verifier needs the remaining key RKx\text{RK}_\mathbf{`{x}`} , instead of the whole key, in order to carry out a Merkle proof. So he adjusts the Merkle proof by;
  • Firstly, picking the correct hash function Hleaf\mathbf{H_`{leaf}`} for leaves,
  • Secondly, concatenating the value VxV_{\mathbf{x}} stored at the leaf LxL_{\mathbf{x}} and the remaining key RKx\text{RK}_\mathbf{`{x}`}, instead of the whole key KxK_{\mathbf{x}},
  • Thirdly, hashing the concatenation Hleaf(RKxVx)=:Lx\mathbf{H_`{leaf}`}( \text{RK}_\mathbf{x} \| \text{V}_\mathbf{`{x}`}) =: \mathbf{L_`{x}`}.
This approach not only ensures that key-value pairs in our SMTs are now binding, but also implicitly ‘encodes’ the levels to root in the leaf. The strategy of using the RKx\text{RK}_\mathbf{x} instead of the key KxK_{\mathbf{x}}, coupled with hashing leaves and branches differently, yields sound verification.

Hiding values

It is often necessary to ensure that a commitment scheme has the hiding property. And this can be achieved by storing hashes of values, as opposed to plainly storing the values. A leaf therefore is henceforth constructed in two steps;
  • Firstly, for a key-value pair (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}), compute the hash the value VxV_\mathbf{`{x}`},
Hashed Value=HVx=Hnoleaf(Vx)\text{Hashed Value} = \text{HV}_\mathbf{`{x}`} = \mathbf{H_`{noleaf}`}(V_\mathbf{`{x}`})
  • Secondly, form the leaf containing VxV_\mathbf{`{x}`}, as follows,
Lx=Hleaf(RKxHVx)\mathbf{L_`{x}`} = \mathbf{H_`{leaf}`}( \text{RK}_\mathbf{x} \| \text{HV}_\mathbf{`{x}`}) Since it is infeasible to compute the preimage of the hash functions, Hleaf\mathbf{H_`{leaf}`} and Hnoleaf\mathbf{H_`{noleaf}`}, computing the hash of the value VxV_\mathbf{`{x}`} amounts to ‘encrypting’. The prover therefore achieves zero-knowledge by providing the pair, (Kx,HVx)(K_{\mathbf{x}}, \text{HV}_\mathbf{`{x}`}), as the key-value pair instead of the explicit one, (Kx,Vx)(K_{\mathbf{x}}, V_\mathbf{`{x}`}). The verifier, on the other hand, has to adjust the Merkle proof by starting with;
  • Firstly, picking the correct hash function Hleaf\mathbf{H_`{leaf}`} for leaf nodes,
  • Secondly, concatenating the hashed-value HVx\text{HV}_\mathbf{`{x}`} and the remaining key RKx\text{RK}_\mathbf{`{x}`},
  • Thirdly, hashing the concatenation in order to form the leaf, Lx:=Hleaf(RKxHVx)\mathbf{L_`{x}`} := \mathbf{H_`{leaf}`}( \text{RK}_\mathbf{x} \| \text{HV}_\mathbf{`{x}`}).

Example. (Merkle proof on hidden values)

The following example illustrates a Merkle proof when the above strategy is applied. Consider an SMT where the keys are 8-bit long, and the prover commits to the key-value (Kc,HVc)( K_{\mathbf{c}} , \text{HV}_{\mathbf{c}} ) with Kc=10010100K_{\mathbf{c}} = 10010100. See figure below. ZK Merkle proof example Since the levels to root is 3, the prover provides; the least-significant key-bits, kb0=0\text{kb}_0 = 0, kb1=0\text{kb}_1 = 0, kb2=1\text{kb}_2 = 1, the stored hashed-value HVc\text{HV}_{\mathbf{c}}, the root roota..f\mathbf{`{root}`_{a..f}}, the Remaining Key RKc=10010\mathbf{ \text{RK}_{\mathbf{c}}} = 10010, and the siblings Sab\mathbf{`{S}`_`{ab}`}, Ld\mathbf{`{L}`_`{d}`} and Sef\mathbf{`{S}`_{\mathbf{ef}}}. The verifier first uses the least-significant bits of the key Kc=10010100K_{\mathbf{c}} = 10010100 to navigate the SMT from the root, roota..f\mathbf{`{root}`_{a..f}}, to the leaf Lc\mathbf{L_c}. Then, he executes the following computations;
  1. He computes, Lc=Hleaf(RKcHVc)=Hleaf(10010HVc)\mathbf{L_c} = \mathbf{H_`{leaf}`}\big( \mathbf{ \text{RK}_{\mathbf{c}}} \| \text{HV}_{\mathbf{c}} \big) = \mathbf{H_`{leaf}`}( 10010 \| \text{HV}_{\mathbf{c}})
  2. Then, he uses the sibling Sab\mathbf{`{S}`_`{ab}`} to compute, B~abc:=Hnoleaf(SabLc)\tilde{ \mathbf{B}}_{\mathbf{abc}} := \mathbf{H_`{noleaf}`} \big( \mathbf{`{S}`_`{ab}`}\|\mathbf{L}_{\mathbf{c}} \big).
  3. Next, he computes, B~abcd:=Hnoleaf(B~abcLd)\tilde{ \mathbf{B}}_{\mathbf{abcd}} := \mathbf{H_`{noleaf}`} \big( \tilde{ \mathbf{B}}_{\mathbf{abc}} \| \mathbf{L}_{\mathbf{d}} \big).
  4. Now, verifier uses B~abcd\tilde{ \mathbf{B}}_{\mathbf{abcd}} to compute the supposed root, root~ab..f:=Hnoleaf(B~abcdSef)\tilde{ \mathbf{root}}_{\mathbf{ab..f}} := \mathbf{H_`{noleaf}`} \big( \tilde{ \mathbf{B}}_{\mathbf{abcd}}\| \mathbf{S}_{\mathbf{ef}} \big).
  5. Checks if root~ab..f\tilde{ \mathbf{root}}_{\mathbf{ab..f}} equals rootab..f{ \mathbf{root}}_{\mathbf{ab..f}}.
The verifier accepts that the key-value pair (Kc,Vc)( K_{\mathbf{c}} , V_{\mathbf{c}} ) is in the SMT only if root~ab..f=rootab..f\tilde{ \mathbf{root}}_{\mathbf{ab..f}} = { \mathbf{root}}_{\mathbf{ab..f}}. And he does this without any clue about the exact value VcV_{\mathbf{c}} which is hidden as HVc\text{HV}_{\mathbf{c}}.