Why Merkle trees are everywhere

A hash tree that lets you prove one tiny piece of a giant dataset is correct without re-downloading the whole thing — the trick that quietly underpins Git, Bitcoin, IPFS, and certificate transparency.

Data intro Apr 29, 2026

Why it exists

You have a big pile of data — millions of files, a long log of transactions, all the blocks of a 200 GB virtual disk — and you want to answer two awkward questions:

Has any of it changed?
Can I prove this one specific piece is part of it, to someone who doesn’t have the rest?

The dumb answer to (1) is “hash the whole thing.” That works, but it means re-reading 200 GB to notice that one byte flipped. The dumb answer to (2) is “send the whole thing and let them hash it.” Also fine, also a non-starter when “the whole thing” is the entire Bitcoin chain and “someone” is a phone.

Ralph Merkle’s 1979 thesis (Secrecy, Authentication, and Public Key Systems, Stanford) proposed a clean trick: hash the data in pieces, then hash the hashes pairwise up a tree until you have a single root hash. The root summarises the whole dataset in one fixed-size fingerprint. To prove a specific leaf belongs under that root, you only need the O(log n) sibling hashes along the path from that leaf to the top — a few hundred bytes for a tree with billions of leaves.

That’s the entire idea. Everything else — Git’s commit graph, Bitcoin’s SPV proofs, IPFS content addressing, BitTorrent piece verification, certificate transparency, ZFS scrubs, Cassandra anti-entropy repair — is what happens when different fields rediscover that the answer to “trust this slice of a big thing” is shaped like a tree of hashes.

Why it matters now

Two pressures keep pushing this primitive into more places:

Datasets keep getting bigger faster than network and memory. Verifying a multi-terabyte model checkpoint, a container image, or a Git monorepo by re-hashing the whole thing is wasteful when you could verify just the chunks that changed. Merkle trees turn “does this match?” from an O(n) question into an O(log n) patch check: only the subtrees that touched a changed leaf need re-hashing.
More systems need to be verifiable by someone who doesn’t trust the source. A light wallet on a phone can’t store the whole chain. A browser can’t store every issued TLS cert. A peer downloading model weights from a swarm can’t trust any single seeder. In all three cases, the move is the same: publish the root somewhere trustworthy (a signed block header, a public log, a manifest you fetched over HTTPS), then verify each piece against the root using a tiny inclusion proof.

If you’ve ever wondered why so many wildly different systems converged on “and there’s a Merkle root in the header,” that’s why. It’s the cheapest way to make part of something checkable without shipping the whole.

The short answer

Merkle tree = binary tree + hash of children at every internal node

You hash each chunk of data into a leaf hash. You hash each pair of sibling hashes into their parent. You repeat until one hash remains — the root. The root is a fingerprint of the entire dataset; any change anywhere bubbles up and changes it. To prove a leaf is in the tree, you ship the leaf plus the sibling hash at each level on its path to the root — log₂ n hashes — and the verifier recomputes the root.

How it works

Concretely, with eight leaves L0..L7:

                        ROOT = H(H01_23, H45_67)
                       /                        \
              H01_23 = H(H01,H23)        H45_67 = H(H45,H67)
              /          \                /            \
       H01=H(h0,h1)  H23=H(h2,h3)   H45=H(h4,h5)   H67=H(h6,h7)
        /    \         /    \         /    \         /    \
       h0    h1       h2    h3       h4    h5       h6    h7
        |     |        |     |        |     |        |     |
       L0    L1       L2    L3       L4    L5       L6    L7

Each h_i = H(L_i) for some cryptographic hash H (SHA-256 in Bitcoin and Git’s newer object format; Git’s classic format uses SHA-1, which is broken for adversarial collisions but still in use; certificate transparency uses SHA-256). The tree is balanced and binary in the textbook version; real systems get fancier (more on the seams below).

Inclusion proof for L5: to convince someone who only knows ROOT that L5 is the fifth leaf, you send:

L5 itself.
h4 (its sibling).
H67 (the sibling of H45).
H01_23 (the sibling of H45_67).

The verifier computes h5 = H(L5), then H45 = H(h4, h5), then H45_67 = H(H45, H67), then ROOT' = H(H01_23, H45_67), and checks ROOT' == ROOT. If H is collision-resistant, the only way to forge that match is to find a hash collision — i.e., the proof’s security reduces to the hash function’s.

For a tree with n leaves, the proof is ⌈log₂ n⌉ hashes. A billion leaves with SHA-256 is 30 hashes — about 960 bytes. That’s the magic number that makes light clients viable.

Updates are also O(log n). Change one leaf, and only the log n nodes on its path to the root need rehashing. This is what lets ZFS detect bit rot during a scrub, what makes incremental Git commits cheap, and what lets BitTorrent and IPFS verify individual chunks as they arrive in any order.

The seams — where the textbook picture is misleading:

The “second-preimage” hazard. Naive Merkle trees have a sneaky attack: a leaf hash and an internal node hash are indistinguishable, so an attacker can sometimes craft a fake “leaf” that’s actually an interior pair (h_a, h_b) and convince a verifier it’s a single leaf. The standard fix is domain separation — prepend a different byte (0x00 for leaf, 0x01 for internal) before hashing, as CT does (RFC 6962) and as Bitcoin notably doesn’t. Bitcoin’s odd-sized-tree handling has a related quirk: duplicating the last leaf when there’s an odd number of children means certain distinct transaction lists can hash to the same Merkle root (CVE-2012-2459), which let a peer poison its block-validity cache with a bad version of a real block. Patched, but still a famous footgun.
Real systems aren’t always balanced binary trees. Git’s tree objects are k-ary (one entry per file/subdir, hashed into a directory blob). IPFS uses a Merkle DAG, not a tree (shared subgraphs can be referenced once). Certificate transparency uses an append-only tree with consistency proofs between root versions, not just inclusion proofs. The invariant — “hashes of children determine the parent” — is what travels; the topology adapts.
Sparse Merkle trees flip the model: every possible key has a fixed leaf position (often H(key) interpreted as a path), most of which are empty. With a careful default-value scheme you get non-membership proofs almost for free. This is what Ethereum’s state trie is reaching for, though Ethereum specifically uses a Merkle Patricia Trie — a hybrid with radix-trie compression on top of the Merkle structure — not a plain sparse tree.
Hash choice is load-bearing. Git still uses SHA-1 for most repositories. SHA-1 fell first to a practical identical-prefix collision (the SHAttered attack, 2017) and then to a chosen-prefix collision (SHA-1 is a Shambles, 2020), and Git has shipped collision detection (sha1dc) plus an experimental SHA-256 object format to migrate. The Merkle structure inherits the strength of its hash, no more.
Proof verification needs the right root. A Merkle proof says “this leaf is under this root.” If you trust the wrong root, you’ve proven nothing. That’s why every real system pairs the tree with some out-of-band trust anchor: a signed block header, a notary’s signature on a CT log root, a manifest fetched over a TLS connection, a git tag signed with your key.

Hash chain — hash chain = sequence + each entry hashes the previous — the 1-D ancestor of the Merkle tree; gives you tamper-evidence for a log but not O(log n) inclusion proofs. Bitcoin’s block header chain is a hash chain; the transactions inside each block form a Merkle tree.
Merkle DAG — Merkle DAG = Merkle tree − "must be a tree" + content-addressing — what IPFS and Git’s object graph actually are. Shared subtrees can be referenced by multiple parents.
Merkle Patricia Trie — MPT = sparse Merkle tree + radix-trie path compression — Ethereum’s state representation; lets you prove account state at a given block.
Verkle tree — Verkle tree ≈ Merkle tree + vector commitments instead of hashes — produces much smaller proofs (constant-ish per level instead of one hash per sibling). Proposed for Ethereum’s state trie; I don’t have a current public timeline for rollout and won’t guess.
Certificate transparency log — CT log = append-only Merkle tree of issued TLS certs + signed roots — the “trust but log” backstop for the public CA system. RFC 6962.

Going deeper

Ralph C. Merkle — Secrecy, Authentication, and Public Key Systems, Stanford PhD thesis, 1979. The construction.
Satoshi Nakamoto — Bitcoin: A Peer-to-Peer Electronic Cash System, 2008. Section 7 (“Reclaiming Disk Space”) introduces the Merkle tree over transactions; Section 8 (“Simplified Payment Verification”) is where the light-client argument lives. Two pages, both worth reading together.
RFC 6962 / RFC 9162 — Certificate Transparency. The clearest production spec for Merkle inclusion and consistency proofs, with the leaf/internal domain-separation prefixes spelled out.
Laurie & Kasper — Revocation Transparency, 2012. Short, readable motivation for CT-style logs.
Git internals docs (git help gitformat-pack, gitformat-tree) — for how a Merkle DAG looks when it grew up inside a VCS instead of a blockchain.