백서 Stories 그림 용어집 그래프 검색
Technical Explainer

Merkle Trees: The Data Structure That Makes Blockchains Possible

How hash trees enable efficient verification of massive datasets, from Bitcoin's SPV to Ethereum's state tries and beyond.

Bitcoin Bitcoin Ethereum Ethereum

A Data Structure Built for Verification

A Merkle tree is a cryptographic data structure that allows efficient and secure verification of large datasets. Named after Ralph Merkle, who patented the concept in 1979, Merkle trees were a fundamental computer science tool long before Bitcoin existed. Satoshi Nakamoto's insight was recognizing that Merkle trees were precisely the right data structure for solving a core blockchain problem: how do you efficiently verify that a specific transaction is included in a block without downloading the entire block?

The answer that Merkle trees provide is both elegant and powerful. You can prove that a transaction is in a block by providing a small amount of data — a "Merkle proof" — that is logarithmic in size relative to the total dataset. This efficiency scales gracefully: proving membership in a set of a million transactions requires only about 20 hash values, not a million.

How Hash Trees Work

Building the Tree from the Bottom Up

A Merkle tree is built by starting with the data you want to organize — in Bitcoin's case, a list of transactions. Each transaction is first hashed individually using SHA-256 (applied twice, as Bitcoin does). These transaction hashes form the leaves — the bottom layer of the tree.

From the leaves, the tree is built upward by repeatedly combining pairs of nodes. Take two adjacent leaf hashes, concatenate them, and hash the result. This produces a parent node hash. Repeat this process for all pairs in the leaf layer, producing a new layer of hash values. Then repeat again for that layer, and again, until only a single hash value remains at the top: the Merkle root.

If the number of transactions is odd, Bitcoin duplicates the last transaction hash to make it even — a minor quirk that ensures the tree is always a complete binary tree. In practice, the Merkle root is a 32-byte value that compactly represents the entire set of transactions in a block.

The Critical Property: Tamper Detection

Any change to any transaction anywhere in the tree will cascade upward through the tree, changing the Merkle root. If someone alters a single byte in any transaction, the leaf hash changes. That changes the parent hash. That changes the grandparent hash. And so on, all the way to the root. Since the Merkle root is included in the block header — which is itself hashed as part of mining — changing any transaction would invalidate the block's proof of work, making the tampering immediately detectable.

This property means that the Merkle root acts as a cryptographic fingerprint of the entire transaction set. It is computationally infeasible to find two different sets of transactions that produce the same Merkle root — the same collision resistance that makes SHA-256 suitable as a hash function in the first place.

Merkle Proofs: Proving Inclusion Efficiently

What a Merkle Proof Contains

A Merkle proof — also called a Merkle path or audit path — is the minimum information needed to verify that a specific leaf is part of a tree with a given root, without knowing the contents of the rest of the tree.

Suppose you want to prove that transaction T is in a block with Merkle root R. The proof consists of the sibling hash at each level of the tree from the leaf to the root. For a tree with 8 leaves, that's 3 sibling hashes (since 2^3 = 8). With these 3 hashes and the transaction itself, any verifier can:

  1. Hash the transaction to get its leaf hash.
  2. Combine that with the first sibling hash and hash them together.
  3. Combine the result with the second sibling hash and hash again.
  4. Combine with the third sibling hash and hash once more.
  5. Compare the final result with the known Merkle root.

If the computed result matches the root, the transaction is provably in the tree. If it doesn't match, either the transaction wasn't in the block or something has been tampered with.

For a block with 2,000 transactions, a Merkle proof requires only 11 hashes (log base 2 of 2,048) — approximately 352 bytes. This is orders of magnitude smaller than downloading all 2,000 transactions, which could easily be several megabytes.

spv-lightweight-verification">SPV: Lightweight Verification

Verification Without Downloading Everything

Bitcoin's whitepaper introduced the concept of Simplified Payment Verification (SPV) as a way for mobile devices and lightweight clients to verify payments without downloading the full blockchain. SPV clients download only block headers — which contain the Merkle root — rather than entire blocks with all transactions.

A block header is only 80 bytes, compared to a full block that might be 1-2 megabytes. A client that downloads only headers can verify the proof-of-work chain (since headers contain the previous block hash and the nonce) without downloading a single transaction.

When an SPV client needs to verify a specific payment, it requests a Merkle proof from a full node. The full node provides the small list of hashes needed to prove that the transaction is in the block. The SPV client verifies the Merkle proof against the Merkle root in the block header it already has, confirming the transaction's inclusion.

SPV was important for making Bitcoin practically usable on devices with limited storage and bandwidth. The tradeoff is that SPV clients cannot verify that the transactions themselves are valid — they can only verify that the transactions were included in a block that the network accepted. They rely on the assumption that the network's miners would not build on a block containing invalid transactions.

state-tries-merkle-trees-for-accounts">State Tries: Merkle Trees for Accounts

Ethereum's Extension: Patricia Merkle Tries

Ethereum extended the Merkle tree concept to handle a more complex problem: representing the entire current state of the blockchain. While Bitcoin's Merkle trees organize a list of transactions per block, Ethereum needs to represent a key-value database of account states — every address, its ETH balance, its nonce, and any associated smart contract code and storage.

Ethereum uses a variant called a Merkle Patricia Trie (often abbreviated as MPT or "trie," pronounced "try"). The trie is a tree structure where the keys of the database (Ethereum addresses) determine the path from the root to the leaf nodes. Each node stores a hash of its children, propagating changes upward just like a standard Merkle tree.

Ethereum blocks contain not one but three separate state roots in their headers: - The state root: A root hash of the entire account state database after the block's transactions are applied. - The transactions root: A Merkle root of the block's transactions (analogous to Bitcoin's Merkle root). - The receipts root: A root of the transaction receipts (including logs and gas usage).

This means that Ethereum blocks provide cryptographic commitments to all three of these databases simultaneously. An SPV client could verify not just that a transaction was included in a block, but also what the current balance of any account is — using the same Merkle proof mechanism.

rollup-systems">Merkle Proofs in Rollup Systems

Scalability Applications

One of the most important modern applications of Merkle proofs is in Layer 2 rollup systems — the technology powering networks like Arbitrum, Optimism, and zkSync. Rollups execute transactions off the main blockchain (Layer 1) for efficiency, but periodically submit summaries back to Layer 1 for security.

A rollup's approach to committing state uses the same Merkle structure. The rollup batches thousands of transactions, computes a new state root after applying them all, and posts just that state root to Layer 1. The state root is a compact commitment to the entire rollup state.

In optimistic rollups, Merkle proofs are used during the fraud-proof process. If someone believes the rollup operator posted an incorrect state root, they can submit a fraud proof — a Merkle proof demonstrating that a specific transaction was incorrectly processed. The Layer 1 contract verifies the Merkle proof, checks the claimed computation, and if the fraud is confirmed, penalizes the rollup operator.

In ZK-rollups, the prover generates a zero-knowledge proof that encompasses all the state transitions in a batch. The proof verifies that the new state root was correctly derived from the old state root by applying all the transactions, without revealing the transaction details themselves. Merkle trees are embedded in the arithmetic circuits that ZK provers use to represent state, making Merkle-tree verification a fundamental primitive in ZK circuit design.

The Merkle tree is a reminder that some of the most impactful building blocks in blockchain technology are not new inventions. Ralph Merkle invented hash trees to improve digital signature schemes in the 1970s. Satoshi Nakamoto applied them to transaction verification in 2008. Today they are fundamental to SPV wallets, Ethereum's state model, cross-chain bridges, and rollup proofs. The same core data structure, serving the same core purpose — efficient cryptographic verification of large datasets — across four decades of evolving applications.

Related Stories

Technical Explainer

How Proof-of-Work Mining Actually Works: From Hash Puzzles to Block Rewards

A beginner-friendly explanation of SHA-256 mining, difficulty adjustment, and why Bitcoin uses more electricity than so…
Technical Explainer

Proof of Stake Explained: Validators, Staking, and Slashing

Understanding how PoS blockchains replace energy-intensive mining with economic staking, and the mechanisms that keep v…
Technical Explainer

Smart Contracts Explained: From Ethereum's EVM to Modern Alternatives

What smart contracts actually are, how the EVM executes them, and why gas fees exist — explained for developers and cur…
Technical Explainer

How Stablecoins Maintain Their Peg: USDT, USDC, and the Trust Spectrum

The mechanisms behind fiat-backed stablecoins — reserves, attestations, redemption, and the regulatory landscape that g…