SMT concepts

This document covers more concepts needed in understanding our specific design of the zkProver storage using binary SMTs. These concepts also help in elucidating how keys influence the shape of binary SMTs.

First is the level of a leaf. The level of a leaf, $L_{x}$ , in a binary SMT is defined as the number of edges one traverses when navigating from the root to the leaf. Denote the level of the leaf $L_{x}$ by $lvl (L_{x})$ .

Leaf levels¶

Consider the below figure for an SMT storing seven key-value pairs, built by following the principles explained in the foregoing subsection;

(K_{a}, V_{a}), (K_{b}, V_{b}), (K_{c}, V_{c}), (K_{c}, V_{c}), (K_{d}, V_{d}), (K_{e}, V_{e}), (K_{f}, V_{f}) and (K_{g}, V_{g})

where the keys are,

K_{a} = 10101100, K_{b} = 10010010, K_{c} = 10001010, K_{d} = 11100110, K_{e} = 11110101, K_{f} = 10001011, K_{g} = 00011111.

The leaf levels are as follows;

$lvl (L_{a}) = 2$ , $lvl (L_{b}) = 4$ , $lvl (L_{c}) = 4$ , $lvl (L_{d}) = 3$ , $lvl (L_{e}) = 2$ , $lvl (L_{f}) = 3$ and $lvl (L_{g}) = 3$ .

Figure 6: An SMT of 7 key-value pairs

As illustrated, keys basically determine the shape of the SMT. They dictate where respective leaves must be placed when building the SMT.

The main determining factor of the SMT shape is in fact the common key-bits among the keys. For instance, the reason why the leaves $L_{b}$ and $L_{c}$ have the largest leaf level $4$ is because the two leaves have the longest string of common key-bits “ $010$ ” in the SMT of Figure 6 above.

This explains why different leaves in SMTs can have different levels.

The height of a Merkle Tree refers to the largest number of edges traversed when navigating from the root to any leaf. Since all leaves are of the same level in Merkle Trees, the concept of a height coincide with that of the level of a leaf for Merkle Trees.

But this is not the case for SMTs. Since leaf levels differ from one leaf to another in SMTs, the height of an SMT is not the same as the leaf level.

Rather, the height of an SMT is defined as the largest leaf level among the various leaf levels of leaves on the SMT. For instance, the height of the SMT depicted in the figure above, is $4$ .

Now, since all keys have the same fixed key-length, they not only influence SMT leaf levels and shapes, but also restrict SMT heights to the fixed key-length. The maximum height of an SMT is the maximum key-length imposed on all keys.

Remaining keys¶

In a general Sparse Merkle Tree (SMT), values are stored at their respective leaf-nodes.

But a leaf node $L_{x}$ not only stores a value, $V_{x}$ , but also the key-bits that are left unused in the navigation from the root to $L_{x}$ . These unused key-bits are called the remaining key, and are denoted by ${RK}_{x}$ for the leaf node $L_{x}$ .

Consider again the SMT of the 7 key-value pairs depicted in the figure above. The remaining keys of each of the 7 leaves in the SMT are as follows;

${RK}_{a} = 110101$ , ${RK}_{b} = 1001$ , ${RK}_{c} = 0001$ , ${RK}_{d} = 00111$ , ${RK}_{e} = 101111$ , ${RK}_{f} = 10001$ and ${RK}_{g} = 11000$ .

Fake-leaf attack¶

Note that the above simplified design of binary SMTs, based on key-value pairs, presents some problems. The characteristic of binary SMTs having leaves at different levels can be problematic to verifiers, especially when carrying out a simple Merkle proof.

Scenario: Fake SMT leaf¶

What if the verifier is presented with a fake leaf?

Consider the below figure, showing a binary SMT with a branch $B_{ab}$ and its children $L_{a}$ and $L_{b}$ hidden from the verifier’s sight.

That is, suppose the verifier is provided with the following information;

The key-value $(K_{fk}, V_{fk})$ , where $K_{fk} = 11010100$ and $V_{fk} = L_{a} ‖ L_{b}$ .
The root ${root}_{ab . . f}$ , the number of levels to root, and the siblings $S_{cd}$ and $S_{ef}$ .

That is, the Attacker claims that some $V_{fk}$ is stored at $L_{fk} := B_{ab}$ .

Verifier is unaware that $V_{fk}$ is in fact the concatenated value of the hidden real leaves, $L_{a}$ and $L_{b}$ , that are children of the supposed leaf $L_{fk}$ . i.e., Verifier does not know that leaf $L_{fk}$ is in fact a branch.

Figure 7: MPT - Fake Leaf Attack

So then, the verifier being unaware that $L_{fk}$ is not a properly constructed leaf, starts verification as follows;

He uses the key $K_{fk}$ to navigate the tree until locating the supposed leaf $L_{fk}$ .
He computes $H (V_{fk})$ and sets it as ${\tilde{L}}_{fk} := H (V_{fk})$ .
Then takes the sibling $S_{cd}$ and calculates
${\tilde{B}}_{fkcd} = H ({\tilde{L}}_{fk} ‖ S_{cd})$ .
And then, uses ${\tilde{B}}_{fkcd}$ to compute the root, ${\tilde{root}}_{ab . . f} = H ({\tilde{B}}_{fkcd} ‖ S_{ef})$ .

The question is: “Does the fake leaf $L_{fk}$ pass the verifier’s Merkle proof or not?” Or, equivalently: “Is ${\tilde{root}}_{ab . . f}$ equal to ${root}_{ab . . f}$ ?”

Since the actual branch $B_{ab}$ is by construction the hash, $H (L_{a} ‖ L_{b})$ , then $B_{ab} = {\tilde{L}}_{fk}$ . The parent branch $B_{abcd}$ also, being constructed as the hash, $H (B_{ab} ‖ S_{cd})$ , should be equal to $H ({\tilde{L}}_{fk} ‖ S_{cd}) = {\tilde{B}}_{fkcd}$ . As a result, ${root}_{ab . . f} = H (B_{abcd} ‖ S_{ef}) = H ({\tilde{B}}_{fkcd} ‖ S_{ef}) = {\tilde{root}}_{ab . . f}$ .

Therefore, the fake leaf $L_{fk}$ passes the Merkle proof.

Solution to the Fake-leaf attack¶

In order to circumvent the Fake-Leaf Attack we modify how the binary SMTs are built.

Here’s the trick: When building binary SMTs, differentiate between how leaves are hashed and how branches are hashed.

That is, use two different hash functions; one hash function to hash leaves, denote it by $H_{leaf}$ , and the other function for hashing non-leaf nodes, denote it by $H_{noleaf}$ .

How does this prevent the Fake-leaf attack?¶

Reconsider now, the Scenario A, given above. Recall that the Attacker provides the following;

The key-value $(K_{fk}, V_{fk})$ , where $K_{fk} = 11010100$ and $V_{fk} = L_{a} ‖ L_{b}$ .
The root $ \mathbf{{root}_{ab..f}}$ , the number of levels to root, and the siblings $S_{cd}$ and $S_{ef}$ .

The verifier suspecting no foul, uses $K_{fk} = 11010100$ to navigate the tree until he finds $V_{fk}$ stored at $L_{fk} := B_{ab}$ .

He subsequently starts the Merkle proof by hashing the value ${\tilde{V}}_{fk}$ stored at the located leaf. Since, this computation amounts to forming a leaf, he uses the leaf-hash function, $H_{leaf}$ .

He then sets ${\tilde{L}}_{fk} := H_{leaf} (V_{fk}) = H_{leaf} (L_{a} ‖ L_{b})$ .
And further computes ${\tilde{B}}_{fkcd} = H_{noleaf} ({\tilde{L}}_{fk} ‖ S_{cd})$ .
Again, calculates the root, ${\tilde{root}}_{ab . . f} = H_{noleaf} ({\tilde{B}}_{fkcd} ‖ S_{ef})$ .

But the actual branch $B_{ab}$ was constructed with the no-leaf-hash function, $H_{noleaf}$ . That is,

B_{ab} = H_{noleaf} (L_{a} ‖ L_{b}) \neq H_{leaf} (L_{a} ‖ L_{b}) = {\tilde{L}}_{fk} .

The parent branch $B_{abcd}$ also, was constructed as, $B_{abcd} = H_{noleaf} (B_{ab} ‖ S_{cd})$ . Since the hash functions used are collision-resistant, $B_{abcd}$ cannot be equal to $H_{noleaf} ({\tilde{L}}_{fk} ‖ S_{cd}) = {\tilde{B}}_{fkcd}$ . Consequently, ${root}_{ab . . f} \neq {\tilde{root}}_{ab . . f}$ . Therefore, the Merkle Proof fails.

Non-binding key-value pairs¶

Whenever the verifier needs to check inclusion of the given key-value pair $(K_{x}, V_{x})$ in a binary SMT identified by the ${root}_{a . . x}$ , he first navigates the SMT in order to locate the leaf $L_{x}$ storing $V_{x}$ , and thereafter carries out two computations.

Both computations involve climbing the tree from the located leaf $L_{x}$ back to the root, ${root}_{a . . x}$ . And the two computations are;

Checking correctness of the key $K_{x}$ .

That is, verifier takes the Remaining Key, ${RK}_{x}$ , and reconstructs the key $K_{x}$ by concatenating the key bits used to navigate to $L_{x}$ from ${root}_{a . . x}$ , in the reverse order.

Suppose the number of levels to root is 3, and the least-significant bits used for navigation are ${kb}_{2}$ , ${kb}_{1}$ and ${kb}_{0}$ .

In order to check key-correctness, verifier the remaining key $RK$ and,

Concatenates ${kb}_{2}$ and gets $RK ‖ {kb}_{2}$ ,
Concatenates ${kb}_{1}$ then gets $RK ‖ {kb}_{2} ‖ {kb}_{1}$ ,
Concatenates ${kb}_{0}$ and gets $RK ‖ {kb}_{2} ‖ {kb}_{1} ‖ {kb}_{0}$ .

He then sets ${\tilde{K}}_{x} := RK ‖ {kb}_{2} ‖ {kb}_{1} ‖ {kb}_{0}$ , and checks if ${\tilde{K}}_{x}$ equals $K_{x}$ .

The Merkle proof: That is, checking whether the value stored at the located leaf $L_{x}$ was indeed included in computing the root, ${root}_{a . . x}$ .

This computation was illustrated several times in the above discussions. Note that the key-correctness and the Merkle proof are simultaneously carried out.

Example: Indistinguishable leaves¶

Suppose a binary SMT contains a key-value pair $(K_{d}, V_{d})$ at the leaf $L_{d}$ , where $K_{d} = 11100110$ . That is, $L_{d} := H_{leaf} (V_{d})$ .

Note that, when building binary SMTs, it is permissible to have another key-value pair $(K_{x}, V_{x})$ in the same tree with $V_{x} = V_{d}$ .

An Attacker can pick the key-value pair $(K_{x}, V_{x})$ such that $V_{x} = V_{d}$ and $K_{x} = 10100110$ . And, with the above design, it means $L_{x} = H_{leaf} (V_{x}) = H_{leaf} (V_{d}) = L_{d}$ .

Consider the below figure and suppose the Attacker provides the following data;

Non-binding Key-Value Pairs

The key-value $(K_{x}, V_{x})$ , where $K_{x} = 10100110$ and $V_{x} = V_{d}$ .
The root, ${root}_{a . . x}$ , the number of levels to root = 3, and the siblings $B_{bc}$ , $L_{a}$ and $S_{efg}$ .

The verifier uses the least-significant key bits; ${kb}_{0} = 0$ , ${kb}_{1} = 1$ and ${kb}_{2} = 1$ ; to navigate the tree and locate the leaf $L_{x}$ which is positioned at $L_{d}$ .

In order to ensure that $L_{x}$ actually stores the value $V_{x}$ ; The verifier first checks key-correctness. He takes the remaining key $RK = 10100$ and,

Concatenates ${kb}_{2} = 1$ , and gets $RK ‖ {kb}_{2} = 10100 ‖ 1$ ,
Concatenates ${kb}_{1} = 0$ to get $RK ‖ {kb}_{2} ‖ {kb}_{1} = 10100 ‖ 1 ‖ 0$ ,
Concatenates ${kb}_{0} = 0$ , yielding $RK ‖ {kb}_{2} ‖ {kb}_{1} ‖ {kb}_{0} = 10100 ‖ 1 ‖ 0 ‖ 0$ .

He sets ${\tilde{K}}_{x} := 10100 ‖ 1 ‖ 0 ‖ 0 = 10100100$ . Since ${\tilde{K}}_{x}$ equals $K_{x}$ , the verifier concludes that the supplied key is correct.

As the verifier climbs the tree to test key-correctness, he concurrently checks if the value $V_{x}$ is included in the SMT identified by the given root, ${root}_{a . . x}$ . That is, he executes the following computations;

He computes the hash of $V_{x}$ and sets it as, ${\tilde{L}}_{x} := H_{leaf} (V_{x})$ .
Then he uses $B_{bc}$ to compute, ${\tilde{B}}_{bcd} = H_{noleaf} (B_{bc} ‖ {\tilde{L}}_{x})$ .
He also uses $L_{a}$ to compute, ${\tilde{B}}_{abcd} = H_{noleaf} (L_{a} ‖ {\tilde{B}}_{bcd})$ .
He further calculates, ${\tilde{root}}_{abcd} = H_{noleaf} ({\tilde{B}}_{abcd} ‖ S_{efg})$ .

Next, the verifier checks if ${\tilde{root}}_{abcd}$ equals ${root}_{abcd}$ .

Since $V_{x} = V_{d}$ , it follows that all the corresponding intermediate values to the root are equal;

$L_{d} = H_{leaf} (V_{d}) = H_{leaf} (V_{x}) = {\tilde{L}}_{x}$ ,
$B_{bcd} = H_{noleaf} (B_{bc} ‖ L_{d}) = H_{noleaf} (B_{bc} ‖ {\tilde{L}}_{x}) = {\tilde{B}}_{bcd}$ ,
$B_{abcd} = H_{noleaf} (L_{a} ‖ B_{bcd}) = H_{noleaf} (L_{a} ‖ {\tilde{B}}_{bcd}) = {\tilde{B}}_{abcd}$ ,
${root}_{abcd} = H_{noleaf} (B_{abcd} ‖ S_{efg}) = H_{noleaf} ({\tilde{B}}_{abcd} ‖ S_{efg}) = {\tilde{root}}_{abcd}$ .

The verifier therefore concludes that the key-value pair $(K_{x}, V_{x})$ is in the SMT, when it is not.

Why is this attack successful?¶

Note that equality of values, $V_{x} = V_{d}$ , associated with two distinct keys, has nothing to do with the efficacy of this attack. In fact, for all practical purposes, it should be permissible for distinct leaves to store any value, irrespective of whether other leaves store an equivalent value or not.

The downfall of our binary SMTs design, thus far, is that it does not give the verifier any equation that relates or ties the keys to their associated values.

In other words, the attack succeeds simply because the key-value pairs (as ‘committed’ values) are not binding.

Solution to the non-binding key-value problem¶

The solution to this problem is straightforward, and it is to build the binary SMTs in such a way that the key-value pairs are binding. This means, create a relationship between the keys and their associated values, so that the verifier can simply check if this relationship holds true.

In order to ensure that checking such a relationship blends with the usual proof machinery, one has two options. The naïve solution, which involves the keys, is one option.

The Naïve solution¶

The naïve solution is to simply include keys in the argument of the hash function, when forming leaves.

That is, when building a binary SMT, one includes a key-value pair $(K_{x}, V_{x})$ by setting the leaf $L_{x}$ to be the hash of both the value and the key;

L_{x} = H_{leaf} (K_{x} ‖ V_{x})

Does this change remedy the non-binding problem?

Suppose $(K_{x}, V_{x})$ and $(K_{z}, V_{z})$ are two key-value pairs such that $V_{x} = V_{z}$ , while $K_{x}$ and $K_{z}$ differ only in one of the most-significant bits.

Since the hash functions used are collision-resistant, it follows that

L_{x} = H_{leaf} (K_{x} ‖ V_{x}) \neq H_{leaf} (K_{z} ‖ V_{z}) = L_{z}

Consequently, although the key-value pairs $(K_{x}, V_{x})$ and $(K_{z}, V_{z})$ might falsely pass the key-correctness check, they will not pass the Merkle proof test. And this is because, collision-resistance also guarantees that the following series of inequalities hold true;

L_{x} = H_{leaf} (K_{x} ‖ V_{x}) \neq H_{leaf} (K_{z} ‖ V_{z}) = L_{z} B_{bx} = H_{noleaf} (S_{b} ‖ L_{x}) \neq H_{noleaf} (S_{b}^{'} ‖ L_{z}) = B_{bz} B_{abx} = H_{noleaf} (S_{a} ‖ B_{bx}) \neq H_{noleaf} (S_{a}^{'} ‖ B_{bz}) = B_{abz}

where; $S_{b}$ is a sibling to $L_{x}$ and $S_{a}$ is a sibling to $B_{bx}$ , making $B_{bx}$ and $B_{abx}$ branches traversed while climbing the tree from $L_{x}$ to root; Similarly, $S_{b}^{'}$ is a sibling to $L_{z}$ , while $S_{a}^{'}$ is a sibling to $B_{bx}$ , also making $B_{bz}$ and $B_{abz}$ branches traversed while climbing the tree from $L_{z}$ to root.

The only chance for the Merkle proof to pass is if the key-value pairs $(K_{x}, V_{x})$ and $(K_{z}, V_{z})$ are distinct and are individually on the same SMT.

The inclusion of keys, in the argument of the hash functions, therefore ensures that leaves $L_{x}$ and $L_{z}$ are distinguishable. And most importantly, that key-value pairs in our SMTs are now binding.

A better solution¶

The other solution, which is much more apt than the Naïve option, utilises the remaining keys when forming leaves.

Since levels to root is related to the Remaining Key ( $RK$ ) notion, a much more apt solution is to rather include the remaining key, ${RK}_{x}$ , as the argument to the hash function, instead of the whole key $K_{x}$ .

That is, for a key-value pair $(K_{x}, V_{x})$ , one sets the leaf $L_{x}$ to be the hash of both the value and the remaining key;

L_{x} = H_{leaf} ({RK}_{x} ‖ V_{x}) .

With this strategy, the verifier needs the remaining key ${RK}_{x}$ , instead of the whole key, in order to carry out a Merkle proof. So he adjusts the Merkle proof by;

Firstly, picking the correct hash function $H_{leaf}$ for leaves,
Secondly, concatenating the value $V_{x}$ stored at the leaf $L_{x}$ and the remaining key ${RK}_{x}$ , instead of the whole key $K_{x}$ ,
Thirdly, hashing the concatenation $H_{leaf} ({RK}_{x} ‖ V_{x}) =: L_{x}$ .

This approach not only ensures that key-value pairs in our SMTs are now binding, but also implicitly ‘encodes’ the levels to root in the leaf.

The strategy of using the ${RK}_{x}$ instead of the key $K_{x}$ , coupled with hashing leaves and branches differently, yields sound verification.

Hiding values¶

It is often necessary to ensure that a commitment scheme has the hiding property. And this can be achieved by storing hashes of values, as opposed to plainly storing the values.

A leaf therefore is henceforth constructed in two steps;

Firstly, for a key-value pair $(K_{x}, V_{x})$ , compute the hash the value $V_{x}$ , $$ \text{Hashed Value} = \text{HV}\mathbf{{x}} = \mathbf{H}(V_\mathbf{{x}}) $$
Secondly, form the leaf containing $V_{x}$ , as follows, $$ \mathbf{L_{x}} = \mathbf{H_{leaf}}( \text{RK}\mathbf{x} | \text{HV}\mathbf{{x}}) $$

Since it is infeasible to compute the preimage of the hash functions, $H_{leaf}$ and $H_{noleaf}$ , computing the hash of the value $V_{x}$ amounts to ‘encrypting’.

The prover therefore achieves zero-knowledge by providing the pair, $(K_{x}, {HV}_{x})$ , as the key-value pair instead of the explicit one, $(K_{x}, V_{x})$ .

The verifier, on the other hand, has to adjust the Merkle proof by starting with;

Firstly, picking the correct hash function $H_{leaf}$ for leaf nodes,
Secondly, concatenating the hashed-value ${HV}_{x}$ and the remaining key ${RK}_{x}$ ,
Thirdly, hashing the concatenation in order to form the leaf, $L_{x} := H_{leaf} ({RK}_{x} ‖ {HV}_{x})$ .

Example: Zero-Knowledge Merkle Proof¶

The following example illustrates a Merkle proof when the above strategy is applied.

Consider an SMT where the keys are 8-bit long, and the prover commits to the key-value $(K_{c}, {HV}_{c})$ with $K_{c} = 10010100$ . See figure below.

ZK Merkle Proof Example

Since the levels to root is 3, the prover provides; the least-significant key-bits, ${kb}_{0} = 0$ , ${kb}_{1} = 0$ , ${kb}_{2} = 1$ , the stored hashed-value ${HV}_{c}$ , the root ${root}_{a . . f}$ , the Remaining Key ${RK}_{c} = 10010$ , and the siblings $S_{ab}$ , $L_{d}$ and $S_{ef}$ .

The verifier first uses the least-significant bits of the key $K_{c} = 10010100$ to navigate the SMT from the root, ${root}_{a . . f}$ , to the leaf $L_{c}$ . Then, he executes the following computations;

He computes, $L_{c} = H_{leaf} ({RK}_{c} ‖ {HV}_{c}) = H_{leaf} (10010 ‖ {HV}_{c})$
Then, he uses the sibling $S_{ab}$ to compute, ${\tilde{B}}_{abc} := H_{noleaf} (S_{ab} ‖ L_{c})$ .
Next, he computes, ${\tilde{B}}_{abcd} := H_{noleaf} ({\tilde{B}}_{abc} ‖ L_{d})$ .
Now, verifier uses ${\tilde{B}}_{abcd}$ to compute the supposed root, ${\tilde{root}}_{ab . . f} := H_{noleaf} ({\tilde{B}}_{abcd} ‖ S_{ef})$ .
Checks if ${\tilde{root}}_{ab . . f}$ equals ${root}_{ab . . f}$ .

The verifier accepts that the key-value pair $(K_{c}, V_{c})$ is in the SMT only if ${\tilde{root}}_{ab . . f} = {root}_{ab . . f}$ . And he does this without any clue about the exact value $V_{c}$ which is hidden as ${HV}_{c}$ .

Last update: January 17, 2024

Authors: avenbreaks