Lecture 3 - Merkle Trees

00:05

at the end of the last session we talked

00:06

about this problem of a bank with two

00:09

branches and let's just revisit that so

00:12

let's say that I have one branch here in

00:16

Hong Kong and let's say there is another

00:18

branch in

00:20

London and we said that people can

00:23

deposit money in Hong Kong and they want

00:24

to get their money back in London later

00:28

now the idea was that the Hong Kong

00:30

Branch can send only one message to the

00:32

London branch and this message we called

00:34

it

00:36

m we said that this is sent over an

00:39

unsecure channel so my assumption is

00:42

that this message M can be seen by

00:44

anyone maybe a hacker sees it and then

00:46

publishes it to everyone but no one can

00:48

change it okay and we will talk about

00:52

digital signatures later on but for now

00:54

just imagine that this message somehow

00:56

has a signature from Hong Kong and it's

00:58

impossible to forge that okay so this is

01:03

what we have and then we have a bunch of

01:05

people who are depositing money so let's

01:07

say again we have Alice

01:11

Bob maybe

01:13

Carol and let's say

01:16

Dave and each of them is depositing some

01:18

amounts maybe

01:20

50 100 200 and maybe

01:24

10 right and then later on they want to

01:27

be able to go to the other branch and

01:29

get their money back and we said that

01:31

the Hong Kong Branch should give each

01:33

one of these people uh a proof so let's

01:37

call it P1 P2 P3 and

01:43

P4 and generally whenever I don't say

01:45

what the type of something is you should

01:47

just assume that it's a string of zeros

01:49

and ones so the message M that's I'm

01:52

sending from Hong Kong to London is just

01:54

a string of zeros and ones the proofs

01:56

that I'm giving to each one of the

01:58

depositors these are also just strings

02:01

of zeros s ons and then the idea was

02:04

that let's say this happens on day one

02:06

so on day

02:07

one everyone does the deposit and then

02:10

the Hong Kong Branch gives them the

02:11

proofs and then let's say the next day

02:14

on day

02:16

two each one of them go to the London

02:18

Branch the London branch has already

02:20

received the message M but now each of

02:23

them should be able to give the proofs

02:25

that they have received from Hong Kong

02:27

to the London branch and get their money

02:30

now if we want to write our requirements

02:33

more

02:34

specifically these are the requirements

02:36

that I

02:38

have I have to make sure that everyone

02:40

can get their money back and I have to

02:43

make sure that they can get their money

02:44

back only once so you shouldn't be able

02:47

to deposit once and then withdraw twice

02:50

so uh let's say the first one is that

02:54

every

02:58

depositor can

03:02

withdraw but the second constraint is

03:05

that each deposit can be withdrawn at

03:08

most

03:13

once

03:17

okay and we will later on see that this

03:19

is actually one of the most problematic

03:23

issues when we're designing a

03:24

cryptocurrency so this is the problem of

03:26

double spending maybe someone has just

03:28

one coin and they're trying to use it

03:30

twice or something like that here we

03:32

will have someone who has deposited once

03:35

let's say Alice has deposited $50 and

03:37

maybe she goes to the London branch and

03:39

then she tries to withdraw $50 twice we

03:43

have to make sure this cannot

03:45

happen and the other constraints that we

03:49

want to

03:50

have is basically I don't want to leak

03:53

any data based on M so m is public

03:56

everyone can see M no one should be able

03:59

to find any of the personal information

04:01

on of the depositors and the amounts

04:03

that they deposited based on M so

04:08

M does not

04:10

leak any personal

04:19

data

04:20

okay and then we also talked about this

04:23

idea that maybe this channel is really

04:27

expensive maybe I want my message M to

04:30

be as short as possible so this is

04:33

another requirement I just want to say

04:35

that the message m is really small so

04:39

let's say m has constant lengths

04:46

has1 this is another thing that I would

04:48

like to

04:49

have because otherwise if M could be

04:51

large well the Hong Kong Branch could

04:54

just take the hash of every transaction

04:56

the hash of every deposit and send all

04:59

of these has hases to the London ranch

05:01

right that would make the problem

05:03

trivial but at the same time we have a

05:06

really

05:07

huge now we saw a solution last time and

05:10

the solution was to just use a linked

05:13

list or a ledger with hash pointers so

05:16

the idea was very simple this was our

05:20

initial

05:21

idea so uh maybe I can call it nons

05:25

solution one because we know that it

05:27

will not work in the end

05:30

was that I'll just create some

05:32

transactions and let's say every

05:35

transaction has some ID and a let's say

05:38

this is transaction number one and let's

05:40

say it also has a pointer to the

05:42

previous transaction now in this case

05:44

because there is no previous transaction

05:46

this pointer is just null there's

05:48

nothing in there but then in this

05:50

transaction I say who paid the money and

05:52

how much so maybe I just say this is

05:56

Alice and

05:58

50 then I I create another

06:01

transaction it's really hard

06:04

to this so this was transaction one this

06:07

is my transaction two it has a serial

06:10

number two it should also have a pointer

06:13

to the previous transaction so it will

06:16

have a

06:16

pointer to this transaction and

06:19

basically the way that works is that I

06:21

have a hash of the previous transaction

06:24

so the pointer is just a hash of

06:26

transaction one and then in transaction

06:28

two I'm saying that Bob paid 100 so I

06:31

would just write Bob

06:35

100 and I just repeat this for the other

06:38

two transactions as well so I have

06:41

transaction

06:43

three and this one was Carol plus d 200

06:48

and then

06:49

10 okay so 200 and it also includes the

06:53

hash of the previous

06:56

transaction and then finally I have this

07:00

last transaction transaction

07:03

4 it has the hash of transaction

07:08

three and it says that they've paid

07:14

much

07:17

okay now the question was what is the

07:20

proof that we can give uh to each of the

07:23

depositors and what is the message M

07:25

that we're going to send to the other

07:27

Branch so for the message m

07:30

we said we just take the hash of the

07:31

very last transaction so I just take

07:34

this whole transaction I hash it I get

07:37

hash of transaction for and I say this

07:40

is my message

07:41

M and I send this to the other

07:45

Branch now let's say that you're one of

07:48

these depositors and you need to go to

07:50

the London branch and prove that one of

07:52

these transactions actually exists it's

07:55

actually in this list now let's say

07:57

you're Dave if you're Dave you can just

08:00

go to the other uh branch and you can

08:03

just show your

08:04

transaction and they can just calculate

08:06

the hash they see that it's the same as

08:08

M that they received from the other

08:10

Branch so they know that you didn't fake

08:12

this

08:13

transaction so they would give you the

08:15

money but now imagine your Carol if

08:19

you're Carol you can't just give your

08:21

own transaction you have to also provide

08:24

Dave's

08:25

transaction because that's the only way

08:27

you can verify Carol's transaction here

08:30

see uh as the London Branch You Know M

08:33

you know the hash of this last

08:35

transaction so if Carol wants to prove

08:37

that this transaction transaction three

08:40

actually I forgot to write the

08:42

transaction name so this was transaction

08:44

three this is transaction

08:46

4 if Carol wants to prove that this

08:48

transaction is actually in the list she

08:52

has to start from the end of the list

08:55

she has to First say here's transaction

08:57

four which has the the correct hash and

09:00

the bank can check that and then she has

09:02

to say okay now in transaction four as

09:05

you see there is a hash pointer to

09:06

transaction three and here's transaction

09:09

three and now you can check that it has

09:11

the correct hash so that's how Carol can

09:14

prove that her transaction is in there

09:17

so in order for Carol to prove the

09:19

existence of her transaction in this

09:21

list she has to actually know her own

09:24

transaction but also Dave's

09:27

transaction now the problem because

09:29

comes even worse for Bob because you can

09:32

just continue with this Bob has to know

09:34

his own transaction Carol's transaction

09:36

and Dave's transaction in general each

09:39

person who wants to prove the existence

09:40

of their transaction has to also prove

09:42

every transaction that comes after it

09:45

right so in general the proof that I'm

09:48

going to have if I have end

09:52

transactions

09:53

[Music]

09:55

uh I don't know why this writing is not

09:58

working okay so assuming that I have n

10:03

transactions this is what happens the

10:05

proof of transaction I is going to

10:08

include transaction I itself but also

10:11

transaction I + one transaction I plus 2

10:15

all the way to transaction

10:17

n right so this is the proof that I'm

10:20

giving to each one of my

10:23

depositors so Alice here is going to

10:25

have the longest proof because she

10:27

actually needs to have all all of the

10:29

transactions in order to prove the

10:31

existence of

10:32

a now two problems and these were the

10:35

problems that I mentioned at the end of

10:37

the previous session the first problem

10:40

is that now our proofs are too

10:42

long and the second problem is privacy

10:45

if Alice needs to know all of the

10:48

transactions that come after hers in

10:50

order to prove the existence of her

10:52

transaction that means that Alice has to

10:54

know that Bob deposited 100 and Carol

10:56

deposited 200 and so on so Alice knows

10:59

everyone's name and amount that they

11:01

transacted and that's not something that

11:04

we would be happy with so let's add some

11:08

extra requirements

11:11

here I can apparently only write towards

11:14

the top of the page for some

11:18

reason okay

11:21

so my extra

11:25

requirements are going to be short

11:27

proofs and privacy

11:34

see so short proofs is fine

11:37

privacy by privacy at this point I mean

11:40

that no one should be able to see other

11:42

people's transactions so no one should

11:45

be able to see other people's names and

11:47

no one should be able to also see the

11:48

amounts that they

11:50

deposited so uh no

11:55

client

11:57

sees

12:00

other people's

12:04

information but are these the only

12:07

requirements that are not satisfied can

12:08

we just check that these previous

12:10

requirements are already all

12:12

satisfied

12:14

so every depositor can withdraw yes

12:17

because every depositor can prove that

12:19

their uh transaction was actually in the

12:22

linked list in The Ledger so we have

12:24

this one each deposit can be withdrawn

12:27

at most once well this one is something

12:30

that we can enforce on the side of the

12:32

London Branch because the London Branch

12:34

can just remember which transactions uh

12:37

have been paid out and just don't pay

12:39

out the same transaction more than once

12:42

right and every transaction has a serial

12:43

number so they can just keep track of

12:45

the serial numbers that are paid out so

12:48

this is

12:49

easy now here's the interesting part we

12:53

already had the requirement that M the

12:56

message that is sent from Hong Kong to

12:57

London does not leak any information any

13:00

of the personal information of the

13:02

people and actually we satisfied that

13:05

because m is just the hash of this

13:09

transaction right and hopefully the hash

13:11

of the transaction doesn't really leak

13:13

any information but in the last session

13:16

we saw that if you don't have nones in

13:19

your hash it can actually leak

13:22

information right but here I don't need

13:25

to add an extra NS because this hash is

13:28

pretty much like an ANS

13:30

itself right so the hash of transaction

13:32

three is already included in transaction

13:35

four and that's something that uh really

13:38

makes our domain large so no one can

13:41

really do uh any kind of uh butterfly

13:45

attack or uh just trying every

13:47

possibility root forcing things like

13:49

that but if you don't trust your hash

13:52

function you can also add a non here

13:55

that's fine so this makes sure that M

13:58

does not leak any information and of

14:01

course M's length was fixed because the

14:03

output of a hash function always has a

14:05

fixed length let's say

14:07

256 so this is also F now the thing that

14:12

is interesting here is that I didn't

14:14

want M to leak any personal data and

14:18

basically I used the hiding property of

14:21

the hash function here I said that

14:23

because m is just the hash of something

14:26

and because my uh hash function is

14:29

hiding this m is not going to leak any

14:32

information

14:34

right so now here for privacy I need

14:38

something very similar it's just that I

14:41

want to make sure that none of the

14:42

clients can see anyone else's

14:45

information so maybe I can again use

14:48

hashes so the idea here is to use

14:53

hash to hide

14:57

data

15:00

okay so what was our problem here why

15:03

were we leaking any personal

15:07

information basically the problem was

15:09

that when Carol wanted to prove that her

15:11

transaction is in there she had to also

15:14

provide the transaction for Dave but

15:16

then the transaction of Dave actually

15:18

included his name and his amount right

15:22

so if I just Define my transactions in a

15:24

different way so that my transactions

15:27

don't have this personal information in

15:29

them but they only have let's say the

15:31

hash of the personal

15:34

information then no information will be

15:36

leaked so let's do this let's say that

15:40

uh first of all I need a bunch of

15:42

nonsense for my hashes so let's say

15:44

whenever someone is depositing money

15:47

they're also giving a random nons to the

15:49

branch so Alice when she deposits the

15:52

money she chooses some nons n one and

15:56

also gives this nons uh to the Hong Kong

15:59

branch and let's say this N1 is just a

16:01

random string of 1,24

16:05

bits and let's say Bob does the same

16:07

thing Carol does the same thing and Dave

16:10

also does this now I'm going to change

16:14

the structure of my

16:17

transactions so this is nons solution

16:23

two it's going to solve our privacy

16:26

issue but it's not going to solve the

16:28

problem problem with really long

16:31

proofs now again look here transaction

16:35

one used to include the personal

16:37

information of Alice instead I'm just

16:39

going to say this transaction will only

16:41

have the hash of the personal

16:43

information so I'm going to create a new

16:47

transaction

16:51

one and again just as before it has a

16:54

serial number it has a pointer to the

16:56

previous transaction but there is no

16:58

previous previous transaction so this

16:59

one is null so when I say null you can

17:01

just imagine a string of all zeros right

17:05

and then here instead of actually

17:08

putting Alice 50 I put the hash of the

17:11

string that contains her name and then

17:14

concatenated with the amount and then

17:17

concatenated with the nons that she

17:20

chose okay so this is now my new

17:23

structure for my transactions and of

17:26

course I do the same thing for the other

17:28

trans transaction so

17:30

uh this is my transaction

17:33

two and let's say transaction three and

17:36

transaction four and each one of them

17:40

will have a serial number it will have a

17:43

pointer to the previous transaction

17:45

which is basically just the hash of the

17:46

previous

17:47

transaction and instead of the

17:50

information it will just have the hash

17:52

of the information so Bob

17:54

100 and the nons of Bob

18:03

two okay and so on I'm just too lazy to

18:06

draw this you

18:09

know okay now first of all why do we

18:13

need the nones we need the nonsense

18:16

because otherwise uh again someone can

18:19

do a Brute Force attack If someone knows

18:21

the names of all of our clients they can

18:24

just try every possible name and they

18:26

can also try every possible value if the

18:28

values are small so we need the nonsense

18:31

here to really hide the

18:33

data but now actually my laziness is

18:36

backfiring I have to actually put them

18:39

here I guess so I have this hash of

18:43

whatever here hash of the personal

18:45

information I have a pointer to the

18:47

previous one I have a serial number and

18:51

here again I have the hash I have a

18:55

serial number and I have a pointer to

18:57

the prev

18:59

okay

19:01

now just as

19:04

before we have to talk about what kind

19:07

of proof we have to give to each one of

19:08

the

19:09

depositors so the last depositor again

19:12

just uh brings the transaction so I just

19:16

say that my m is the hash of this last

19:22

transaction so that's the value that the

19:24

Hong Kong branch is sending to the

19:26

London branch

19:28

and if the last depositor wants to prove

19:31

that their transaction is in the this

19:33

they can just bring their transaction

19:35

and when they bring their

19:36

transaction the Hong Kong Branch can

19:38

check that it has the right

19:40

hash and then when they see that it has

19:43

the right hash what is it that uh I'm

19:47

providing I'm basically providing this

19:49

pointer this serial number and this

19:52

other

19:54

hash but now the Hong Kong the London

19:58

branch is convinced about this

20:01

hash right but this hash is the hash of

20:05

my personal information so it's the hash

20:08

of my name and the amounts that I put in

20:10

and the nons that I chose but I know all

20:13

of those things so I can give those

20:15

things to the London Branch as well and

20:17

they can verify it and they can know

20:19

that this was the amount that I put

20:21

in so the proofs actually work just like

20:26

before so now let's consider

20:29

Alice let's say that Alice wants to

20:32

prove that transaction one was in there

20:35

so she has to start with the last

20:37

transaction she has to give the hash of

20:39

the last

20:40

transaction right uh so sorry she has to

20:43

give the last transaction transaction 4

20:45

and then the branch checks that it has

20:47

the right hash but after it checks that

20:50

transaction 4 has the right hash it can

20:53

see the pointer here to transaction

20:55

three and then Alice can give

20:56

transaction three and then we can just

20:59

Traverse all the pointers back until we

21:01

get to transaction one so everything is

21:05

just like before Alice knows all of

21:07

these transactions the difference is

21:09

that these transactions now don't

21:11

include any personal information of

21:13

anyone they just include these hashes so

21:16

even though Alice knows this hash that

21:18

appears in transaction two she doesn't

21:21

know that transaction two actually

21:23

belongs to Bob and it was for $100 and

21:25

so on that information is Now hidden

21:30

she knows that information only for her

21:31

own transaction so now the proof is

21:34

exactly like before she just proves that

21:37

this transaction transaction one is in

21:39

the linked list but after she does this

21:42

she also knows the values that created

21:45

this hash so so she can actually open

21:47

this hash and say okay now this hash

21:49

says that I'm Alice I deposited 50 and

21:52

this is my NS so she can know only about

21:56

her own personal data and she can prove

21:58

the existence of the transaction to the

22:00

other branch and everything else goes

22:02

through because well of course she can

22:04

withdraw now because she can prove her

22:06

own

22:07

transaction uh every deposit can be

22:09

withdrawn at most once because again

22:12

let's say the London Branch just keeps

22:14

track of the serial numbers that are

22:16

withdrawn and it's really important that

22:19

these serial numbers and the hash

22:21

pointers they're outside of this hash so

22:24

the design is quite important here and M

22:29

does not leak personal data for the same

22:31

reason as before it's a hash it has

22:33

constant lengths for the same reason as

22:35

before but now we also have this

22:38

privacy now we have this as well no

22:42

client can see any other clients

22:44

information they can only see the hashes

22:46

and the hashes don't

22:48

leak but we still don't have short

22:50

proofs the lengths of our proofs are

22:52

still as bad as before so my proof is

22:55

still the same as before if I want to

22:57

prove transaction I I have to provide

22:59

all the transactions from transaction I

23:02

forward so if I want to prove the first

23:04

transaction I have to give all of the

23:05

transactions so in the worst case my

23:07

proofs have a length of basically Theta

23:11

n

23:13

okay

23:16

so how do we make this better let's

23:19

forget about the hashes and let's just

23:21

look at the data structure what are we

23:24

doing this message M that I'm giving to

23:27

the London branch

23:28

it's basically a pointer to the last

23:31

transaction right because we talked

23:33

about this hashes are

23:35

Pointers now I'm giving a pointer to

23:37

this last transaction and whenever

23:39

someone wants to prove that their

23:42

transaction is in the list they have to

23:45

basically help the London Branch

23:47

Traverse this whole list until it

23:50

reaches their

23:52

transaction so that's the problem the

23:55

problem is that I have a link list and

23:57

basically I have to Traverse this link

23:59

list until I get the transaction I was

24:02

looking for and doing

24:05

that uh in the worst case takes n steps

24:09

or n minus one steps

24:11

okay now from your basic data structures

24:15

coures what is a data structure that

24:18

would allow you to Traverse it

24:21

faster you can just use something like a

24:24

binary tree right so this is the

24:27

intuition that I want you to have

24:28

imagine that instead of having a linked

24:33

list I just use a binary

24:39

tree so let's say I have a root in my

24:43

tree and each node has two children it's

24:46

a binary

24:48

tree so it's a tree that looks like

24:54

this okay now if I have a tree like this

24:59

and if I have n elements in the tree so

25:03

let's say n nodes or n

25:05

elements what is the height of this

25:09

tree it's logarithmic in N right so my

25:16

height is just going to be o of

25:20

log now let's say that I

25:24

somehow can give the London Branch a

25:28

pointer to the root of this tree and

25:31

let's say that every node also has two

25:34

pointers it has a pointer to the left

25:36

side and a pointer to the right side so

25:37

a pointer to the left child and another

25:40

one to the right

25:41

child if this is the case then you can

25:45

see that my proofs will be shorter so if

25:48

I want to prove that this node for

25:52

example let's say I want to prove that

25:55

this is in my tree let's say this is the

25:57

transaction where I've deposited some

25:59

money in Hong Kong I want to prove that

26:01

this is in the tree and let's say that

26:05

the pointer that Hong Kong sent to

26:07

London was a pointer to the rout all I

26:10

have to do is that I have to prove that

26:13

the root is there so I have to give the

26:15

root to the London Branch then I have to

26:18

show that the root has a pointer to this

26:20

left child and give this left child to

26:22

the London Branch then I have to show

26:25

that this left child has a pointer to a

26:26

right child and give this

26:29

one so now as you see I'm basically

26:32

providing only one of the nodes at each

26:34

level of the tree so I'm providing a

26:37

proof that has a length of login but I

26:40

didn't tell you how to create this tree

26:42

yet this is just the intuition the

26:44

intuition is that instead of

26:46

traversing a whole link list which takes

26:49

linear time I just want to be able to

26:52

Traverse a binary tree which takes login

26:55

time okay now how how do we actually

26:58

make this kind of tree this is what we

27:01

call a miracle

27:06

tree

27:08

okay now here's how this works let's say

27:12

that I have a bunch of transactions

27:15

transaction one to transaction four now

27:18

in my transactions I'm just going to put

27:20

the uh personal data so

27:23

basically I have um let's say I don't

27:27

personal data let's show with d so I

27:30

have D1 D2

27:34

D3 and D4 and basically D1 is the

27:38

personal data of Alice it's basically

27:40

the string that says Alice deposited 50

27:44

and her nons was N1 so that's what

27:48

d1s right and similarly for all the

27:50

other ones so for example D4 is just

27:53

Dave 10

27:56

N4 okay so

28:00

D4 it's just going to be Dave deposited

28:04

10

28:06

and is non for N4 okay I want to create

28:10

a binary tree that contains all of these

28:13

uh pieces of information D1 to

28:16

D4 uh kind of as its leaves but not

28:20

exactly so here's what I'm going to do

28:22

I'm going to create a leaf for each one

28:25

of

28:26

these so I'm going to create a node in

28:29

my tree and in this one I'm going to put

28:31

the hash of

28:33

D1 in this node I'm going to put the

28:36

hash of

28:38

D2 similarly I'll just put the hash of

28:41

D3 the hash of

28:46

D4

28:48

okay now I want to create a binary tree

28:51

so there should be a node that is the

28:54

parent of both of

28:56

these and let's give this a name let's

28:59

call this one L1 so L1 is just the hash

29:03

of D1 L2 is just the hash of D2 I have

29:07

L3 here and L4

29:09

here now I create a parent that

29:13

basically has the hash of L1 and L2 so I

29:16

do this hash of L1 concatenated with

29:22

L2 and I make it the parent of both of

29:26

these

29:27

and here I do the same thing I have to

29:31

scroll up in order to be able to write

29:34

so hash of

29:36

L3 oops concatenated with

29:44

L4 okay let's give this some other name

29:48

so I don't know let's call this one B1

29:50

and let's call this one B2 I will

29:53

finally have a root which basically has

29:56

the hash of B1 concatenated with

30:05

B2 and this is my root let call it

30:10

R

30:12

okay let me just clarify something here

30:16

so I have a bunch of pieces of data and

30:18

all of these are strings D1 D2 D3 D4

30:21

right so I'm taking the hash of D1 I'm

30:24

calling that L1 so L1 is also a string

30:28

it's just the hash of D1 L2 is just the

30:30

hash of D2 so I then take these two

30:33

strings I concatenate them and I take

30:36

their hash and I call that B1 so if I

30:39

want to expand this B1 is basically the

30:43

hash of the hash of D1 concatenated with

30:48

the hash of

30:49

D2 that's what B1

30:53

is okay and similarly B2 is the hash of

30:56

the hash of D3 concatenated with the

30:58

hash of

31:00

D3 now finally I'm going to use my root

31:05

hash uh which is called also the miracle

31:08

root so this whole tree is called the

31:09

miracle tree after its inventor and The

31:12

Roots we always call it the miracle rout

31:15

I'm going to use this route as my

31:17

message M so this is what the Hong Kong

31:20

branch is sending to the London

31:22

Branch now the first thing I want you to

31:25

see is that when send this message m to

31:28

the other Branch I'm basically

31:30

committing to everything in this tree

31:32

I'm committing to all of the data points

31:35

D1 to D4 because if I later want to

31:38

change any of them let's say I want to

31:41

change D2 this would also change L2

31:44

because it's just the hash of T2 but if

31:46

it changes L2 it will also change

31:49

B1 and generally whenever any node in

31:53

this three changes it also changes its

31:55

parents because you you have to

31:57

recalculate the hashes so this means

32:00

that when I'm giving the hash of the

32:01

root I'm committing to everything in

32:04

this tree I cannot change any of the

32:05

entries in this

32:07

tree

32:09

okay so that's good because it means

32:12

that uh I can just send this root hash

32:15

to the other branch and I have sent a a

32:18

very short message a message of constant

32:20

length but I'm now sure that that

32:23

message has enough information to commit

32:24

me to every one of the transactions

32:27

now let's say that someone wants to

32:29

prove that their transaction is actually

32:31

in the list so what kind of proof should

32:34

I give to Alice so that Alice can prove

32:37

that D1 is actually in this

32:40

stream so Alice should be able to go to

32:43

the London branch and she should be able

32:46

to basically let the r London Branch

32:48

start from here and then go to B1 and

32:52

then go to L1 so that they're convinced

32:55

that D1 is there so the information that

32:58

Alice needs to know is going to be what

33:01

well she needs to know the root

33:04

hash needs to basically Know M or let's

33:08

say

33:09

this right but let's say that she knows

33:14

M and the London Branch also knows M but

33:18

now Alice wants to prove that B1 is the

33:20

left child of

33:22

M okay how can you do that well you

33:26

actually also o need to know

33:29

B2 right because the only way I can

33:31

prove that B1 is the left child is by

33:35

providing both B1 and B2 and saying just

33:37

take the hash of B1 V2 and that gives

33:39

you the hash that you already have here

33:41

it gives you

33:43

R right so Alice needs to know this note

33:48

Alice needs to know R she needs to know

33:51

B1 but she also needs to know

33:54

B2 and the role of B2 is to just prove

33:57

that B1 is the left child of

34:00

R okay so now that she has provided this

34:05

information the London branch has

34:07

verified that B1 is the left child of R

34:10

but B1 is just the hash at this point

34:12

right now Alice wants to prove that L1

34:15

is the left child of B1 but in order to

34:19

do that she also needs to know the right

34:20

child she also needs to know L2 so if

34:23

she provides both L1 and L2 then uh the

34:27

branch can just compute the hash of L1

34:30

and L2 and verify that it was correct

34:32

which means that L1 is the left child

34:33

and L2 is the right child so she needs

34:36

to know L2 and she needs to also know

34:40

L1 and at this point when she gives all

34:43

of this information to the London Branch

34:45

the London Branch knows that L1 is in

34:47

the tree now L1 was just the hash of the

34:51

personal data of Alice and Alice knows

34:53

her own personal data she knows that uh

34:56

d one was basically Alis 50 and N1 so

35:00

she can just provide this and then at

35:03

this point it's proven to the bank that

35:05

this deposit was actually in the list

35:07

and it was actually in this

35:09

tree

35:11

so now let's do it for someone

35:16

else let's say

35:19

that uh Carol wants to prove it so I

35:23

want to prove this third transaction

35:25

again I have to prove the root

35:29

I have to prove that B2 is the right

35:31

child of the root but in order to do

35:33

that I have to also know B1 so she

35:36

should also know

35:38

B1 and B2 but at this point B2 is proven

35:43

to the bank so she wants to prove that

35:45

L3 is the left child of B2 but to do

35:48

that she needs to also know L4 so she

35:50

needs to know L3 and

35:53

L so this is the proof that I'm going to

35:56

give

35:57

to Carol to the person who's done the

36:00

third deposit and so now in general this

36:03

might not look great when I have only

36:05

four deposits because the proofs seem to

36:08

be

36:09

long but in general if I have a Long

36:13

Tree basically my intuition holds I can

36:16

start at the top of the tree and I just

36:20

have to provide the path that goes to my

36:22

particular Leaf but the difference is

36:25

that whenever I'm providing some node I

36:28

have to also provide it

36:30

sibling so I'm not going to just give

36:34

proofs of lengths login the lengths of

36:36

the proofs are actually two times login

36:38

but that's fine I don't care about just

36:40

the constant factor it's all login

36:42

anyway so I can now have proofs whose

36:46

lengths are just all Lin so every

36:51

Pi

36:53

now if I take any proof Pi the lengths

36:57

of this

36:59

proof is in O of login more specifically

37:02

it's twice the logarithm plus one plus

37:04

two whatever

37:07

okay nice so this is what we call a

37:10

mirle tree and it finally now satisfies

37:13

all of our requirements so first of all

37:16

it has short proofs short in the sense

37:19

that the length of the proof is all in

37:22

we will later on see how we can actually

37:24

decrease this to even constant time

37:27

when we talk about digital signatures

37:29

and other things but for now this is

37:31

short enough for

37:33

us it also protects the privacy because

37:37

you

37:38

see any one of my clients would just see

37:41

some of the hashes this tree but these

37:45

hashes they don't contain any personal

37:47

information so in my tree I'm not

37:50

putting any of the actual personal data

37:52

I'm only ever putting the hashes and all

37:54

of my hashes have nonsense in them

37:58

so it also satisfies the Privacy

38:01

requirement and these previous

38:03

requirements it's also kind of easy to

38:05

verify so the message that is sent from

38:08

one branch to the other branch is just

38:10

the hash of the root that's constant

38:12

size of course it doesn't leak any

38:14

information none of our hashes leak any

38:16

information and every depositor can

38:19

prove that their deposit exists by just

38:21

proving the path from the route to their

38:24

deposit so that's fine and when we say

38:27

each deposit can be withdrawn at most

38:29

once that's also easy because uh

38:33

the the London Branch can basically keep

38:36

track of the hashes of all the deposits

38:38

that have already been paid out and you

38:41

don't pay out for the same hash more

38:43

than once or you can keep track of the

38:45

paths that have been paid out and you

38:47

don't pay for the same paths more than

38:49

once in any case it's easy to keep track

38:52

of these

38:55

things okay

38:58

but we still have another problem and

39:00

this is a problem that we will solve in

39:03

future sessions and the problem is that

39:06

this is not in real time right so in

39:09

order to create this whole tree I need

39:12

to know all of my transactions so the

39:15

way this actually works is that on day

39:19

one in the morning everyone goes to the

39:21

Hong Kong branch and deposits their

39:23

money and gives their nonsense and

39:25

everything and then after all the

39:27

deposits are done only then the Hong

39:30

Kong Branch can create that tree the

39:32

miracle tree so they create the Merle

39:35

tree they send the hash of the root to

39:37

the London Branch but again only after

39:41

they have created the Merle tree they

39:42

can give the proofs to the

39:44

clients so when the client makes a

39:47

deposit they're not going to get a proof

39:49

immediately they're going to have to

39:51

wait until everyone else does their

39:53

deposits too and then only at the end of

39:56

the the day they each get their

39:59

proof okay so we have this problem

40:05

here

40:09

now let's forget about our use case and

40:11

let's just focus on Miracle

40:13

trees so we saw how we can prove that a

40:17

particular item is in the leaf of a

40:19

miracle tree I can just start at the

40:22

root prove the

40:23

pass what if I want to prove that the

40:25

particular item is not in the Merle

40:29

tree can I give those kinds of

40:34

BS so right now it seems

40:37

impossible right because I mean how can

40:40

you prove that something is not there

40:42

unless you know everything unless you

40:44

can prove every single element that is

40:47

there if you know all of the hashes uh

40:51

at every level and if you know D1 D2 D3

40:53

and D4 you can prove everything that is

40:56

in there and then you can say nothing

40:57

else is there right but in general if I

41:01

give you some other number D5 and I ask

41:04

you is D5 in this tree or not there is

41:08

no way you can give a short proof that

41:10

D5 is not in the tree but we can solve

41:13

that by a very nice trick and this is

41:17

what we call ass sorted mle

41:23

tree so the idea in a sorted tree is

41:26

that I'm just going to create a miracle

41:29

tree but when it comes to the leaves

41:31

when it comes to the data Le I'm going

41:34

to sort

41:36

those okay so I'm going to have the

41:39

exact same thing as

41:41

here let me see if I can just copy

41:55

this I'm going to have the exact same

41:59

thing now it's going to be

42:04

sorted so it means that D1 is going to

42:07

be less than D2 less than D3 less than

42:11

D4 and in general I can do this with n

42:14

of

42:15

course now why does this sorting

42:18

actually help

42:21

me well first of all how do I sort

42:24

strings I can just sort them in lexical

42:26

graphic order so even if you think of

42:29

these not as numbers but as just

42:32

sequences of zeros and ones you can sort

42:34

them anyway so we have an

42:37

order and

42:39

now let's think of them as numbers for a

42:41

second because for this example it's

42:43

easier to do with numbers let's say D1

42:46

is two D2 is five D3 is 8 and this one

42:51

D4 is 10

42:53

let's and suppose that I want to prove

42:56

that's there is no six in

42:59

here how can I prove it well I can just

43:02

prove the existence of D2 and D3 I can

43:05

just prove the existence of five and

43:06

eight because when I prove the existence

43:09

of five and eight I'm not just proving

43:12

that they exist in the tree I'm also

43:14

proving their location in the tree so if

43:17

I prove that five is here which I can do

43:21

and I can give a proof of uh length

43:23

login and then if I can also prove that

43:26

8 is

43:28

here because I've also proven the

43:31

location I've proven that 8 comes

43:34

exactly after five which means that

43:36

there is no six there is no

43:38

seven right so this is how we can prove

43:41

that a particular value does not exist

43:44

in a miricle tree if I just sort all of