Struct BitcoinMerkleTree

pub struct BitcoinMerkleTree { /* private fields */ }

Code is taken from Clementine https://github.com/chainwayxyz/clementine/blob/b600ea18df72bdc60015ded01b78131b4c9121d7/operator/src/bitcoin_merkle.rs

Implementations

impl BitcoinMerkleTree

pub fn new(transactions: Vec<[u8; 32]>) -> Self

Constructs a standard Bitcoin Merkle tree. Leaf nodes are transaction IDs (txids), which are double-SHA256 hashes of transaction data. Internal nodes are formed by DSHA256(LeftChildHash || RightChildHash).

pub fn root(&self) -> [u8; 32]

pub fn new_mid_state(transactions: &[CircuitTransaction]) -> Self

Constructs a “mid-state” Merkle tree, designed for generating secure SPV (Simplified Payment Verification) proofs. This structure, when used with the corresponding calculate_root_with_merkle_proof (or BlockInclusionProof::get_root) method, helps mitigate vulnerabilities associated with standard Bitcoin Merkle trees in SPV contexts, such as certain forms of hash duplication or ambiguity attacks (e.g., CVE-2012-2459). Also please check: https://bitslog.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/ with the suggested fix: https://bitslog.com/2018/08/21/simple-change-to-the-bitcoin-merkleblock-command-to-protect-from-leaf-node-weakness-in-transaction-merkle-tree/

The leaves of this tree are transaction identifiers (mid_state_txid()), typically standard Bitcoin txids (double-SHA256 of the transaction). The internal nodes of this “mid-state” tree are constructed differently from a standard Bitcoin Merkle tree: N_parent = SHA256(SHA256(N_child_left) || SHA256(N_child_right)) where N_child_left and N_child_right are nodes from the level below in this mid-state tree.

The root of this mid-state tree (Root_ms) is an intermediate hash. The actual Bitcoin block Merkle root is expected to be SHA256(Root_ms), as demonstrated in the test cases.

The security enhancement for SPV comes from how proofs generated from this tree are verified: specifically, sibling nodes from this tree’s proof path are further hashed with SHA256 before being combined in the standard double_SHA256 Merkle path computation during proof verification (see BlockInclusionProof::get_root). This acts as a domain separation, ensuring that the internal nodes of this mid-state tree cannot be misinterpreted as leaf txids or other hash types during verification.

pub fn generate_proof(&self, idx: u32) -> BlockInclusionProof

pub fn calculate_root_with_merkle_proof( mid_state_txid: [u8; 32], inclusion_proof: BlockInclusionProof, ) -> [u8; 32]

Calculates the Bitcoin Merkle root from a leaf’s transaction ID (mid_state_txid) and its inclusion proof derived from a “mid-state” Merkle tree. This function is central to secure SPV.

The inclusion_proof contains sibling nodes from the “mid-state” Merkle tree. The security enhancement lies in how these proof elements are processed: Each sibling node from the proof path is first hashed with SHA256 before being combined with the current hash using the standard Bitcoin calculate_double_sha256 method.

current_hash = calculate_double_sha256(current_hash || SHA256(sibling_from_mid_state_proof))

This transformation of sibling proof elements acts as a domain separator, robustly distinguishing them from leaf transaction IDs. This prevents vulnerabilities where an attacker might craft a transaction whose ID could collide with or be misinterpreted as an internal node of the mid-state tree, or create other ambiguities that could fool an SPV client. The final [u8; 32] returned should match the block’s official Merkle root.

Trait Implementations

impl Clone for BitcoinMerkleTree

fn clone(&self) -> BitcoinMerkleTree

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for BitcoinMerkleTree

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.