Author

Topic: Re: Why are transactions stored in a hash/merkle tree ? (Read 1351 times)

hero member
Activity: 524
Merit: 500
I don't think the tree, as opposite to sequential hashing,  adds any security.
Consider the possibility of using SAT solvers for Bitcoin mining. I think double SHA-256 is unpenetrable for the current generation of solvers, but let's assume things will change Smiley BTW, if such progress will come from academic world, we can expect RSA challenge to be solved first, this will be a good warning for Bitcoin community. SAT solvers work by exploring 'easy' area of potential solution space first, postponing 'hard' part for latter. Now, imagine that there are many solutions for valid block hash - SAT solver will be more effective in such situation. But with current difficulty there are something like 67 required zeroes in resulting hash value and only, say, 32+10 free variables (32 bit nonce and may be lower part of time field), so there aren't many solution, on the average the equation system will be compatible once per 2^25 attempts. Straightforward way to use SAT solver for mining puts it into disadvantage. To provide more free variables one can use data bits inside or around transaction. Obvious candidate is input of coinbase transaction of an empty block (and nonce2 will be huge in such case), but sequential hashing allows using the last transaction of non-empty block for this purpose. Well, OK, that's rather a speculation right now, let's watch for a progress in SAT solvers development Smiley

But it decreases number of steps you need to perform in order to recalculate the output hash value, when only one element is changing. If you're a miner and need to apply a new TX to a block - with the tree it can go faster.
To quickly change Merkle root value one can swap two children of some inner node, the only requirement is keeping coinbase transaction the first - instead of increasing nonce2 or adding new transaction. See, no need to actually change elements Smiley
legendary
Activity: 2053
Merit: 1356
aka tonikt
Why are the transactions stored in a hash/merkle tree ?
Why simply not store them sequential and calculate a single hash over all of them ?
Only reason I can think of is "more security" because of hash tree, more hashes to calculate...
When Merkle tree root is calculated, hash function is applied to fixed length data (32+32 bytes). Possibly, Satoshi considered some variant of length extension attack. Possibly, something went wrong Smiley
I don't think the tree, as opposite to sequential hashing,  adds any security.
But it decreases number of steps you need to perform in order to recalculate the output hash value, when only one element is changing. If you're a miner and need to apply a new TX to a block - with the tree it can go faster.
sr. member
Activity: 467
Merit: 267
The largest advantage is it can lead to lite clients which don't need full blocks and instead can request block headers and merkle branch from other nodes.  This isn't implemented yet and I believe one of the developers indicated it may require a seperate protocol.

The use of merkle tree can also allow blockchain pruning by removing older transactions once a newer transaction for a particular address is deep enough in the block chain.  With a single hash for all transactions this wouldn't be possible not without some mechanism to re-sign the pruned block and that would require some sort of alternate proof-of-work to ensure decentralized consensus.

More generally speaking using a merkle tree allows more granularity in transaction validation.  You can validate an entire block, a group of transactions, or just a single transaction.  Using a merkle tree allows options to deal w/ future issues that the network may need to deal with.


If I understood correctly what you mean is that the entire block will be removed from the blockchain. Wouldn't that compromise the whole blockchain since each block includes the hash of the previous block, and therefore if one is removed then its reference in the next block will be not verifiable (as the block was removed).

Not the entire block. There are two hashes. The block hash that only covers the header and the merkle root that covers the transactions. The block hash is simply a hash over the bytes of header. The merkle root hash is more sophisticated.
All the transactions are put in a binary tree. Then the leaves (= the transactions) are hashed. Afterwards, the parents are hashes of the concatenation of the 2 children. And so on so forth until the root. With a merkle tree, one can replace part of the data by a hash while still proving that the remaining data hasn't been compromised.

As the block chain gets older, old transactions will become irrelevant because the money that were at these addresses is spent.
Today, a full node carries the entire block chain. A smart client could detect that these transactions are useless and remove them from their block. It will leave a 'hole'. When two holes are next to each other, they can be combined into a bigger hole. Finally, the hope is that the block chain becomes much smaller.
hero member
Activity: 524
Merit: 500
Why are the transactions stored in a hash/merkle tree ?
Why simply not store them sequential and calculate a single hash over all of them ?
Only reason I can think of is "more security" because of hash tree, more hashes to calculate...
When Merkle tree root is calculated, hash function is applied to fixed length data (32+32 bytes). Possibly, Satoshi considered some variant of length extension attack. Possibly, something went wrong Smiley
legendary
Activity: 1792
Merit: 1111
I hope people could read the white paper before asking noob questions: https://bitcoin.org/bitcoin.pdf
member
Activity: 114
Merit: 12


If I understood correctly what you mean is that the entire block will be removed from the blockchain. Wouldn't that compromise the whole blockchain since each block includes the hash of the previous block, and therefore if one is removed then its reference in the next block will be not verifiable (as the block was removed).

The block *header* is hashed, not the transactions. The block header contains the merkel root, so you can't lie that a transaction was included when it wasn't.

SPV clients can be fooled by omission however.
member
Activity: 66
Merit: 10
The largest advantage is it can lead to lite clients which don't need full blocks and instead can request block headers and merkle branch from other nodes.  This isn't implemented yet and I believe one of the developers indicated it may require a seperate protocol.

The use of merkle tree can also allow blockchain pruning by removing older transactions once a newer transaction for a particular address is deep enough in the block chain.  With a single hash for all transactions this wouldn't be possible not without some mechanism to re-sign the pruned block and that would require some sort of alternate proof-of-work to ensure decentralized consensus.

More generally speaking using a merkle tree allows more granularity in transaction validation.  You can validate an entire block, a group of transactions, or just a single transaction.  Using a merkle tree allows options to deal w/ future issues that the network may need to deal with.


If I understood correctly what you mean is that the entire block will be removed from the blockchain. Wouldn't that compromise the whole blockchain since each block includes the hash of the previous block, and therefore if one is removed then its reference in the next block will be not verifiable (as the block was removed).
Jump to: