snarkvm_console_collections/merkle_tree/mod.rs
1// Copyright (c) 2019-2025 Provable Inc.
2// This file is part of the snarkVM library.
3
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at:
7
8// http://www.apache.org/licenses/LICENSE-2.0
9
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15
16mod helpers;
17pub use helpers::*;
18
19mod path;
20pub use path::*;
21
22#[cfg(test)]
23mod tests;
24
25use snarkvm_console_types::prelude::*;
26
27use aleo_std::prelude::*;
28
29#[cfg(feature = "locktick")]
30use locktick::parking_lot::Mutex;
31#[cfg(not(feature = "locktick"))]
32use parking_lot::Mutex;
33use serde::{Deserialize, Serialize};
34use std::{collections::BTreeMap, mem};
35
36#[cfg(not(feature = "serial"))]
37use rayon::prelude::*;
38
39#[derive(Deserialize, Serialize)]
40#[serde(bound = "E: Serialize + DeserializeOwned, LH: Serialize + DeserializeOwned, PH: Serialize + DeserializeOwned")]
41pub struct MerkleTree<E: Environment, LH: LeafHash<Hash = PH::Hash>, PH: PathHash<Hash = Field<E>>, const DEPTH: u8> {
42 /// The leaf hasher for the Merkle tree.
43 leaf_hasher: LH,
44 /// The path hasher for the Merkle tree.
45 path_hasher: PH,
46 /// The computed root of the full Merkle tree.
47 root: PH::Hash,
48 /// The internal hashes, from root to hashed leaves, of the full Merkle tree.
49 tree: Vec<PH::Hash>,
50 /// The canonical empty hash.
51 empty_hash: Field<E>,
52 /// The number of hashed leaves in the tree.
53 number_of_leaves: usize,
54 /// An optimization: the previous tree allocation reused in prepare_append.
55 #[serde(skip)]
56 preserved_tree_allocation: Mutex<Option<Vec<PH::Hash>>>,
57}
58
59impl<E: Environment, LH: LeafHash<Hash = PH::Hash>, PH: PathHash<Hash = Field<E>>, const DEPTH: u8> Clone
60 for MerkleTree<E, LH, PH, DEPTH>
61{
62 fn clone(&self) -> Self {
63 Self {
64 leaf_hasher: self.leaf_hasher.clone(),
65 path_hasher: self.path_hasher.clone(),
66 root: self.root,
67 tree: self.tree.clone(),
68 empty_hash: self.empty_hash,
69 number_of_leaves: self.number_of_leaves,
70 preserved_tree_allocation: Default::default(),
71 }
72 }
73}
74
75impl<E: Environment, LH: LeafHash<Hash = PH::Hash>, PH: PathHash<Hash = Field<E>>, const DEPTH: u8>
76 MerkleTree<E, LH, PH, DEPTH>
77{
78 #[inline]
79 /// Initializes a new Merkle tree with the given leaves.
80 pub fn new(leaf_hasher: &LH, path_hasher: &PH, leaves: &[LH::Leaf]) -> Result<Self> {
81 let timer = timer!("MerkleTree::new");
82
83 // Ensure the Merkle tree depth is greater than 0.
84 ensure!(DEPTH > 0, "Merkle tree depth must be greater than 0");
85 // Ensure the Merkle tree depth is less than or equal to 64.
86 ensure!(DEPTH <= 64u8, "Merkle tree depth must be less than or equal to 64");
87
88 // Compute the maximum number of leaves.
89 let max_leaves = match leaves.len().checked_next_power_of_two() {
90 Some(num_leaves) => num_leaves,
91 None => bail!("Integer overflow when computing the maximum number of leaves in the Merkle tree"),
92 };
93
94 // Compute the number of nodes.
95 let num_nodes = max_leaves - 1;
96 // Compute the tree size as the maximum number of leaves plus the number of nodes.
97 let tree_size = max_leaves + num_nodes;
98 // Compute the number of levels in the Merkle tree (i.e. log2(tree_size)).
99 let tree_depth = tree_depth::<DEPTH>(tree_size)?;
100 // Compute the number of padded levels.
101 let padding_depth = DEPTH - tree_depth;
102
103 // Compute the empty hash.
104 let empty_hash = path_hasher.hash_empty()?;
105
106 // Calculate the size of the tree which excludes leafless nodes.
107 // The minimum tree size is either a single root node or the calculated number of nodes plus
108 // the supplied leaves; if the number of leaves is odd, an empty hash is added for padding.
109 let minimum_tree_size =
110 std::cmp::max(1, num_nodes + leaves.len() + if leaves.len() > 1 { leaves.len() % 2 } else { 0 });
111
112 // Initialize the Merkle tree.
113 let mut tree = vec![empty_hash; minimum_tree_size];
114
115 // Compute and store each leaf hash.
116 tree[num_nodes..num_nodes + leaves.len()].copy_from_slice(&leaf_hasher.hash_leaves(leaves)?);
117 lap!(timer, "Hashed {} leaves", leaves.len());
118
119 // Compute and store the hashes for each level, iterating from the penultimate level to the root level.
120 let mut start_index = num_nodes;
121 // Compute the start index of the current level.
122 while let Some(start) = parent(start_index) {
123 // Compute the end index of the current level.
124 let end = left_child(start);
125 // Construct the children for each node in the current level; the leaves are padded, which means
126 // that there either are 2 children, or there are none, at which point we may stop iterating.
127 let tuples = (start..end)
128 .take_while(|&i| tree.get(left_child(i)).is_some())
129 .map(|i| (tree[left_child(i)], tree[right_child(i)]))
130 .collect::<Vec<_>>();
131 // Compute and store the hashes for each node in the current level.
132 let num_full_nodes = tuples.len();
133 tree[start..][..num_full_nodes].copy_from_slice(&path_hasher.hash_all_children(&tuples)?);
134 // Use the precomputed empty node hash for every empty node, if there are any.
135 if start + num_full_nodes < end {
136 let empty_node_hash = path_hasher.hash_children(&empty_hash, &empty_hash)?;
137 for node in tree.iter_mut().take(end).skip(start + num_full_nodes) {
138 *node = empty_node_hash;
139 }
140 }
141 // Update the start index for the next level.
142 start_index = start;
143 }
144 lap!(timer, "Hashed {} levels", tree_depth);
145
146 // Compute the root hash, by iterating from the root level up to `DEPTH`.
147 let mut root_hash = tree[0];
148 for _ in 0..padding_depth {
149 // Update the root hash, by hashing the current root hash with the empty hash.
150 root_hash = path_hasher.hash_children(&root_hash, &empty_hash)?;
151 }
152 lap!(timer, "Hashed {} padding levels", padding_depth);
153
154 finish!(timer);
155
156 Ok(Self {
157 leaf_hasher: leaf_hasher.clone(),
158 path_hasher: path_hasher.clone(),
159 root: root_hash,
160 tree,
161 empty_hash,
162 number_of_leaves: leaves.len(),
163 preserved_tree_allocation: Default::default(),
164 })
165 }
166
167 #[inline]
168 /// Returns a new Merkle tree with the given new leaves appended to it.
169 pub fn prepare_append(&self, new_leaves: &[LH::Leaf]) -> Result<Self> {
170 let timer = timer!("MerkleTree::prepare_append");
171
172 // Compute the maximum number of leaves.
173 let max_leaves = match (self.number_of_leaves + new_leaves.len()).checked_next_power_of_two() {
174 Some(num_leaves) => num_leaves,
175 None => bail!("Integer overflow when computing the maximum number of leaves in the Merkle tree"),
176 };
177 // Compute the number of nodes.
178 let num_nodes = max_leaves - 1;
179 // Compute the tree size as the maximum number of leaves plus the number of nodes.
180 let tree_size = num_nodes + max_leaves;
181 // Compute the number of levels in the Merkle tree (i.e. log2(tree_size)).
182 let tree_depth = tree_depth::<DEPTH>(tree_size)?;
183 // Compute the number of padded levels.
184 let padding_depth = DEPTH - tree_depth;
185
186 // Reuse the previous Merkle tree, or initialize it if missing.
187 // All the (inner) nodes are rewritten, so their current values are irrelevant.
188 // The slowest part is populating the values, but large allocations are also slow.
189 let mut tree = self.preserved_tree_allocation.lock().take().unwrap_or_else(|| vec![self.empty_hash; num_nodes]);
190 // The number of nodes in the preserved allocation is too small if the depth increases.
191 // This is basically a noop if there are sufficient nodes already.
192 tree.resize(num_nodes, self.empty_hash);
193
194 // Extend the new Merkle tree with the existing leaf hashes.
195 tree.extend(self.leaf_hashes()?);
196 // Extend the new Merkle tree with the new leaf hashes.
197 tree.extend(&self.leaf_hasher.hash_leaves(new_leaves)?);
198
199 // Calculate the size of the tree which excludes leafless nodes.
200 let new_number_of_leaves = self.number_of_leaves + new_leaves.len();
201 let minimum_tree_size = std::cmp::max(
202 1,
203 num_nodes + new_number_of_leaves + if new_number_of_leaves > 1 { new_number_of_leaves % 2 } else { 0 },
204 );
205
206 // Resize the new Merkle tree with empty hashes to pad up to `tree_size`.
207 tree.resize(minimum_tree_size, self.empty_hash);
208 lap!(timer, "Hashed {} new leaves", new_leaves.len());
209
210 // Initialize a start index to track the starting index of the current level.
211 let start_index = num_nodes;
212 // Initialize a middle index to separate the precomputed indices from the new indices that need to be computed.
213 let middle_index = num_nodes + self.number_of_leaves;
214 // Initialize a precompute index to track the starting index of each precomputed level.
215 let start_precompute_index = match self.number_of_leaves.checked_next_power_of_two() {
216 Some(num_leaves) => num_leaves - 1,
217 None => bail!("Integer overflow when computing the Merkle tree precompute index"),
218 };
219 // Initialize a precompute index to track the middle index of each precomputed level.
220 let middle_precompute_index = match num_nodes == start_precompute_index {
221 // If the old tree and new tree are of the same size, then we can copy over the right half of the old tree.
222 true => Some(start_precompute_index + self.number_of_leaves + new_leaves.len() + 1),
223 // Otherwise, we need to compute the right half of the new tree.
224 false => None,
225 };
226
227 // Compute and store the hashes for each level, iterating from the penultimate level to the root level.
228 self.compute_updated_tree(
229 &mut tree,
230 start_index,
231 middle_index,
232 start_precompute_index,
233 middle_precompute_index,
234 )?;
235
236 // Compute the root hash, by iterating from the root level up to `DEPTH`.
237 let mut root_hash = tree[0];
238 for _ in 0..padding_depth {
239 // Update the root hash, by hashing the current root hash with the empty hash.
240 root_hash = self.path_hasher.hash_children(&root_hash, &self.empty_hash)?;
241 }
242 lap!(timer, "Hashed {} padding levels", padding_depth);
243
244 finish!(timer);
245
246 Ok(Self {
247 leaf_hasher: self.leaf_hasher.clone(),
248 path_hasher: self.path_hasher.clone(),
249 root: root_hash,
250 tree,
251 empty_hash: self.empty_hash,
252 number_of_leaves: self.number_of_leaves + new_leaves.len(),
253 preserved_tree_allocation: Default::default(), // Placeholder; will be updated at the callsite using Self::preserve_tree_allocation
254 })
255 }
256
257 #[inline]
258 /// Updates the Merkle tree with the given new leaves appended to it.
259 pub fn append(&mut self, new_leaves: &[LH::Leaf]) -> Result<()> {
260 let timer = timer!("MerkleTree::append");
261
262 // Compute the updated Merkle tree with the new leaves.
263 let updated_tree = self.prepare_append(new_leaves)?;
264 // Update the tree at the very end, so the original tree is not altered in case of failure.
265 *self = updated_tree;
266
267 finish!(timer);
268 Ok(())
269 }
270
271 #[inline]
272 /// Updates the Merkle tree at the location of the given leaf index with the new leaf.
273 pub fn update(&mut self, leaf_index: usize, new_leaf: &LH::Leaf) -> Result<()> {
274 let timer = timer!("MerkleTree::update");
275
276 // Compute the updated Merkle tree with the new leaves.
277 let updated_tree = self.prepare_update(leaf_index, new_leaf)?;
278 // Update the tree at the very end, so the original tree is not altered in case of failure.
279 *self = updated_tree;
280
281 finish!(timer);
282 Ok(())
283 }
284
285 #[inline]
286 /// Returns a new Merkle tree with updates at the location of the given leaf index with the new leaf.
287 pub fn prepare_update(&self, leaf_index: usize, new_leaf: &LH::Leaf) -> Result<Self> {
288 let timer = timer!("MerkleTree::prepare_update");
289
290 // Check that the leaf index is within the bounds of the Merkle tree.
291 ensure!(
292 leaf_index < self.number_of_leaves,
293 "Leaf index must be less than the number of leaves in the Merkle tree {leaf_index} , {}",
294 self.number_of_leaves
295 );
296
297 // Allocate a vector to store the path hashes.
298 let mut path_hashes = Vec::with_capacity(DEPTH as usize);
299
300 // Compute and add the new leaf hash to the path hashes.
301 path_hashes.push(self.leaf_hasher.hash_leaf(new_leaf)?);
302 lap!(timer, "Hashed 1 new leaf");
303
304 // Compute the start index (on the left) for the leaf hashes level in the Merkle tree.
305 let start = match self.number_of_leaves.checked_next_power_of_two() {
306 Some(num_leaves) => num_leaves - 1,
307 None => bail!("Integer overflow when computing the Merkle tree start index"),
308 };
309
310 // Compute the new hashes for the path from the leaf to the root.
311 let mut index = start + leaf_index;
312 while let Some(parent) = parent(index) {
313 // Get the left and right child hashes of the parent.
314 let (left, right) = match is_left_child(index) {
315 true => (path_hashes.last().unwrap(), &self.tree[right_child(parent)]),
316 false => (&self.tree[left_child(parent)], path_hashes.last().unwrap()),
317 };
318 // Compute and add the new parent hash to the path hashes.
319 path_hashes.push(self.path_hasher.hash_children(left, right)?);
320 // Update the index to the parent.
321 index = parent;
322 }
323
324 // Compute the number of levels in the Merkle tree (i.e. log2(tree_size)).
325 let tree_depth = tree_depth::<DEPTH>(self.tree.len())?;
326 // Compute the padding depth.
327 let padding_depth = DEPTH - tree_depth;
328
329 // Update the root hash.
330 // This unwrap is safe, as the path hashes vector is guaranteed to have at least one element.
331 let mut root_hash = *path_hashes.last().unwrap();
332 for _ in 0..padding_depth {
333 // Update the root hash, by hashing the current root hash with the empty hash.
334 root_hash = self.path_hasher.hash_children(&root_hash, &self.empty_hash)?;
335 }
336 lap!(timer, "Hashed {} padding levels", padding_depth);
337
338 // Initialize the Merkle tree.
339 let mut tree = Vec::with_capacity(self.tree.len());
340 // Extend the new Merkle tree with the existing leaf hashes.
341 tree.extend(&self.tree);
342
343 // Update the rest of the tree with the new path hashes.
344 let mut index = Some(start + leaf_index);
345 for path_hash in path_hashes {
346 tree[index.unwrap()] = path_hash;
347 index = parent(index.unwrap());
348 }
349
350 finish!(timer);
351
352 Ok(Self {
353 leaf_hasher: self.leaf_hasher.clone(),
354 path_hasher: self.path_hasher.clone(),
355 root: root_hash,
356 tree,
357 empty_hash: self.empty_hash,
358 number_of_leaves: self.number_of_leaves,
359 preserved_tree_allocation: Default::default(),
360 })
361 }
362
363 #[inline]
364 /// Updates the Merkle tree at the location of the given leaf indices with the new leaves.
365 pub fn update_many(&mut self, updates: &BTreeMap<usize, LH::Leaf>) -> Result<()> {
366 let timer = timer!("MerkleTree::update_many");
367
368 // Check that there are updates to perform.
369 ensure!(!updates.is_empty(), "There must be at least one leaf to update in the Merkle tree");
370
371 // Check that the latest leaf index is less than number of leaves in the Merkle tree.
372 // Note: This unwrap is safe since updates is guaranteed to be non-empty.
373 ensure!(
374 *updates.last_key_value().unwrap().0 < self.number_of_leaves,
375 "Leaf index must be less than the number of leaves in the Merkle tree"
376 );
377
378 // Compute the start index (on the left) for the leaf hashes level in the Merkle tree.
379 let start = match self.number_of_leaves.checked_next_power_of_two() {
380 Some(num_leaves) => num_leaves - 1,
381 None => bail!("Integer overflow when computing the Merkle tree start index"),
382 };
383
384 // A helper to compute the leaf hash.
385 let hash_update = |(leaf_index, leaf): &(&usize, &LH::Leaf)| {
386 self.leaf_hasher.hash_leaf(leaf).map(|hash| (start + **leaf_index, hash))
387 };
388
389 // Hash the leaves and add them to the updated hashes.
390 let leaf_hashes: Vec<(usize, LH::Hash)> = match updates.len() {
391 0..=100 => updates.iter().map(|update| hash_update(&update)).collect::<Result<Vec<_>>>()?,
392 _ => cfg_iter!(updates).map(|update| hash_update(&update)).collect::<Result<Vec<_>>>()?,
393 };
394 lap!(timer, "Hashed {} new leaves", leaf_hashes.len());
395
396 // Store the updated hashes by level.
397 let mut updated_hashes = Vec::new();
398 updated_hashes.push(leaf_hashes);
399
400 // A helper function to compute the path hashes for a given level.
401 type Update<PH> = (usize, (<PH as PathHash>::Hash, <PH as PathHash>::Hash));
402 let compute_path_hashes = |inputs: &[Update<PH>]| match inputs.len() {
403 0..=100 => inputs
404 .iter()
405 .map(|(index, (left, right))| self.path_hasher.hash_children(left, right).map(|hash| (*index, hash)))
406 .collect::<Result<Vec<_>>>(),
407 _ => cfg_iter!(inputs)
408 .map(|(index, (left, right))| self.path_hasher.hash_children(left, right).map(|hash| (*index, hash)))
409 .collect::<Result<Vec<_>>>(),
410 };
411
412 // Compute the depth of the tree. This corresponds to the number of levels of hashes in the tree.
413 let tree_depth = tree_depth::<DEPTH>(self.tree.len())?;
414 // Allocate a vector to store the inputs to the path hasher.
415 let mut inputs = Vec::with_capacity(updated_hashes[0].len());
416 // For each level in the tree, compute the path hashes.
417 // In the first iteration, we compute the path hashes for the updated leaf hashes.
418 // In the subsequent iterations, we compute the path hashes for the updated path hashes, until we reach the root.
419 for level in 0..tree_depth as usize {
420 let mut current = 0;
421 while current < updated_hashes[level].len() {
422 let (current_leaf_index, current_leaf_hash) = updated_hashes[level][current];
423 // Get the sibling of the current leaf.
424 let sibling_leaf_index = match sibling(current_leaf_index) {
425 Some(sibling_index) => sibling_index,
426 // If there is no sibling, then we have reached the root.
427 None => break,
428 };
429 // Check if the sibling hash is the next hash in the vector.
430 let sibling_is_next_hash = match current + 1 < updated_hashes[level].len() {
431 true => updated_hashes[level][current + 1].0 == sibling_leaf_index,
432 false => false,
433 };
434 // Get the sibling hash.
435 // Note: This algorithm assumes that the sibling hash is either the next hash in the vector,
436 // or in the original Merkle tree. Consequently, updates need to be provided in sequential order.
437 // This is enforced by the type of `updates: `BTreeMap<usize, LH::Leaf>`.
438 // If this assumption is violated, then the algorithm will compute incorrect path hashes in the Merkle tree.
439 let sibling_leaf_hash = match sibling_is_next_hash {
440 true => updated_hashes[level][current + 1].1,
441 false => self.tree[sibling_leaf_index],
442 };
443 // Order the current and sibling hashes.
444 let (left, right) = match is_left_child(current_leaf_index) {
445 true => (current_leaf_hash, sibling_leaf_hash),
446 false => (sibling_leaf_hash, current_leaf_hash),
447 };
448 // Compute the parent index.
449 // Note that this unwrap is safe, since we check that the `current_leaf_index` is not the root.
450 let parent_index = parent(current_leaf_index).unwrap();
451 // Add the parent hash to the updated hashes.
452 inputs.push((parent_index, (left, right)));
453 // Update the current index.
454 match sibling_is_next_hash {
455 true => current += 2,
456 false => current += 1,
457 }
458 }
459 // Compute the path hashes for the current level.
460 let path_hashes = compute_path_hashes(&inputs)?;
461 // Add the path hashes to the updated hashes.
462 updated_hashes.push(path_hashes);
463 // Clear the inputs.
464 inputs.clear();
465 }
466
467 // Compute the padding depth.
468 let padding_depth = DEPTH - tree_depth;
469
470 // Update the root hash.
471 // This unwrap is safe, as the updated hashes is guaranteed to have at least one element.
472 let mut root_hash = updated_hashes.last().unwrap()[0].1;
473 for _ in 0..padding_depth {
474 // Update the root hash, by hashing the current root hash with the empty hash.
475 root_hash = self.path_hasher.hash_children(&root_hash, &self.empty_hash)?;
476 }
477 lap!(timer, "Hashed {} padding levels", padding_depth);
478
479 // Update the root hash.
480 self.root = root_hash;
481
482 // Update the rest of the tree with the updated hashes.
483 for (index, hash) in updated_hashes.into_iter().flatten() {
484 self.tree[index] = hash;
485 }
486
487 finish!(timer);
488 Ok(())
489 }
490
491 #[inline]
492 /// Returns a new Merkle tree with the last 'n' leaves removed from it.
493 pub fn prepare_remove_last_n(&self, n: usize) -> Result<Self> {
494 let timer = timer!("MerkleTree::prepare_remove_last_n");
495
496 ensure!(n > 0, "Cannot remove zero leaves from the Merkle tree");
497
498 // Determine the updated number of leaves, after removing the last 'n' leaves.
499 let updated_number_of_leaves = self.number_of_leaves.checked_sub(n).ok_or_else(|| {
500 anyhow!("Failed to remove '{n}' leaves from the Merkle tree, as it only contains {}", self.number_of_leaves)
501 })?;
502
503 // Compute the maximum number of leaves.
504 let max_leaves = match (updated_number_of_leaves).checked_next_power_of_two() {
505 Some(num_leaves) => num_leaves,
506 None => bail!("Integer overflow when computing the maximum number of leaves in the Merkle tree"),
507 };
508 // Compute the number of nodes.
509 let num_nodes = max_leaves - 1;
510 // Compute the tree size as the maximum number of leaves plus the number of nodes.
511 let tree_size = num_nodes + max_leaves;
512 // Compute the number of levels in the Merkle tree (i.e. log2(tree_size)).
513 let tree_depth = tree_depth::<DEPTH>(tree_size)?;
514 // Compute the number of padded levels.
515 let padding_depth = DEPTH - tree_depth;
516
517 // Calculate the size of the tree which excludes leafless nodes.
518 let minimum_tree_size = std::cmp::max(
519 1,
520 num_nodes
521 + updated_number_of_leaves
522 + if updated_number_of_leaves > 1 { updated_number_of_leaves % 2 } else { 0 },
523 );
524
525 // Initialize the Merkle tree.
526 let mut tree = vec![self.empty_hash; num_nodes];
527 // Extend the new Merkle tree with the existing leaf hashes, excluding the last 'n' leaves.
528 tree.extend(&self.leaf_hashes()?[..updated_number_of_leaves]);
529 // Resize the new Merkle tree with empty hashes to pad up to `tree_size`.
530 tree.resize(minimum_tree_size, self.empty_hash);
531 lap!(timer, "Resizing to {} leaves", updated_number_of_leaves);
532
533 // Initialize a start index to track the starting index of the current level.
534 let start_index = num_nodes;
535 // Initialize a middle index to separate the precomputed indices from the new indices that need to be computed.
536 let middle_index = num_nodes + updated_number_of_leaves;
537 // Initialize a precompute index to track the starting index of each precomputed level.
538 let start_precompute_index = match self.number_of_leaves.checked_next_power_of_two() {
539 Some(num_leaves) => num_leaves - 1,
540 None => bail!("Integer overflow when computing the Merkle tree precompute index"),
541 };
542 // Initialize a precompute index to track the middle index of each precomputed level.
543 let middle_precompute_index = match num_nodes == start_precompute_index {
544 // If the old tree and new tree are of the same size, then we can copy over the right half of the old tree.
545 true => Some(start_precompute_index + self.number_of_leaves + 1),
546 // true => None,
547 // Otherwise, do nothing, since shrinking the tree is already free.
548 false => None,
549 };
550
551 // Compute and store the hashes for each level, iterating from the penultimate level to the root level.
552 self.compute_updated_tree(
553 &mut tree,
554 start_index,
555 middle_index,
556 start_precompute_index,
557 middle_precompute_index,
558 )?;
559
560 // Compute the root hash, by iterating from the root level up to `DEPTH`.
561 let mut root_hash = tree[0];
562 for _ in 0..padding_depth {
563 // Update the root hash, by hashing the current root hash with the empty hash.
564 root_hash = self.path_hasher.hash_children(&root_hash, &self.empty_hash)?;
565 }
566 lap!(timer, "Hashed {} padding levels", padding_depth);
567
568 finish!(timer);
569
570 Ok(Self {
571 leaf_hasher: self.leaf_hasher.clone(),
572 path_hasher: self.path_hasher.clone(),
573 root: root_hash,
574 tree,
575 empty_hash: self.empty_hash,
576 number_of_leaves: updated_number_of_leaves,
577 preserved_tree_allocation: Default::default(),
578 })
579 }
580
581 #[inline]
582 /// Updates the Merkle tree with the last 'n' leaves removed from it.
583 pub fn remove_last_n(&mut self, n: usize) -> Result<()> {
584 let timer = timer!("MerkleTree::remove_last_n");
585
586 // Compute the updated Merkle tree with the last 'n' leaves removed.
587 let updated_tree = self.prepare_remove_last_n(n)?;
588 // Update the tree at the very end, so the original tree is not altered in case of failure.
589 *self = updated_tree;
590
591 finish!(timer);
592 Ok(())
593 }
594
595 #[inline]
596 /// Returns the Merkle path for the given leaf index and leaf.
597 pub fn prove(&self, leaf_index: usize, leaf: &LH::Leaf) -> Result<MerklePath<E, DEPTH>> {
598 // Ensure the leaf index is valid.
599 ensure!(leaf_index < self.number_of_leaves, "The given Merkle leaf index is out of bounds");
600
601 // Compute the leaf hash.
602 let leaf_hash = self.leaf_hasher.hash_leaf(leaf)?;
603
604 // Compute the start index (on the left) for the leaf hashes level in the Merkle tree.
605 let start = match self.number_of_leaves.checked_next_power_of_two() {
606 Some(num_leaves) => num_leaves - 1,
607 None => bail!("Integer overflow when computing the Merkle tree start index"),
608 };
609
610 // Compute the absolute index of the leaf in the Merkle tree.
611 let mut index = start + leaf_index;
612 // Ensure the leaf index is valid.
613 ensure!(index < self.tree.len(), "The given Merkle leaf index is out of bounds");
614 // Ensure the leaf hash matches the one in the tree.
615 ensure!(self.tree[index] == leaf_hash, "The given Merkle leaf does not match the one in the Merkle tree");
616
617 // Initialize a vector for the Merkle path.
618 let mut path = Vec::with_capacity(DEPTH as usize);
619
620 // Iterate from the leaf hash to the root level, storing the sibling hashes along the path.
621 for _ in 0..DEPTH {
622 // Compute the index of the sibling hash, if it exists.
623 if let Some(sibling) = sibling(index) {
624 // Append the sibling hash to the path.
625 path.push(self.tree[sibling]);
626 // Compute the index of the parent hash, if it exists.
627 match parent(index) {
628 // Update the index to the parent index.
629 Some(parent) => index = parent,
630 // If the parent does not exist, the path is complete.
631 None => break,
632 }
633 }
634 }
635
636 // If the Merkle path length is not equal to `DEPTH`, pad the path with the empty hash.
637 path.resize(DEPTH as usize, self.empty_hash);
638
639 // Return the Merkle path.
640 MerklePath::try_from((U64::new(leaf_index as u64), path))
641 }
642
643 /// Returns `true` if the given Merkle path is valid for the given root and leaf.
644 pub fn verify(&self, path: &MerklePath<E, DEPTH>, root: &PH::Hash, leaf: &LH::Leaf) -> bool {
645 path.verify(&self.leaf_hasher, &self.path_hasher, root, leaf)
646 }
647
648 /// Returns the Merkle root of the tree.
649 pub const fn root(&self) -> &PH::Hash {
650 &self.root
651 }
652
653 /// Returns the Merkle tree (excluding the hashes of the leaves).
654 pub fn tree(&self) -> &[PH::Hash] {
655 &self.tree
656 }
657
658 /// Returns the empty hash.
659 pub const fn empty_hash(&self) -> &PH::Hash {
660 &self.empty_hash
661 }
662
663 /// Returns the leaf hashes from the Merkle tree.
664 pub fn leaf_hashes(&self) -> Result<&[LH::Hash]> {
665 // Compute the start index (on the left) for the leaf hashes level in the Merkle tree.
666 let start = match self.number_of_leaves.checked_next_power_of_two() {
667 Some(num_leaves) => num_leaves - 1,
668 None => bail!("Integer overflow when computing the Merkle tree start index"),
669 };
670 // Compute the end index (on the right) for the leaf hashes level in the Merkle tree.
671 let end = start + self.number_of_leaves;
672 // Return the leaf hashes.
673 Ok(&self.tree[start..end])
674 }
675
676 /// Returns the number of leaves in the Merkle tree.
677 pub const fn number_of_leaves(&self) -> usize {
678 self.number_of_leaves
679 }
680
681 /// Compute and store the hashes for each level, iterating from the penultimate level to the root level.
682 ///
683 /// ```ignore
684 /// start_index middle_index end_index
685 /// start_precompute_index middle_precompute_index end_index
686 /// ```
687 #[inline]
688 fn compute_updated_tree(
689 &self,
690 tree: &mut [Field<E>],
691 mut start_index: usize,
692 mut middle_index: usize,
693 mut start_precompute_index: usize,
694 mut middle_precompute_index: Option<usize>,
695 ) -> Result<()> {
696 // Initialize a timer for the while loop.
697 let timer = timer!("MerkleTree::compute_updated_tree");
698
699 // Compute and store the hashes for each level, iterating from the penultimate level to the root level.
700 let empty_hash = self.path_hasher.hash_empty()?;
701 while let (Some(start), Some(middle)) = (parent(start_index), parent(middle_index)) {
702 // Compute the end index of the current level.
703 let end = left_child(start);
704
705 // If the current level has precomputed indices, copy them instead of recomputing them.
706 if let Some(start_precompute) = parent(start_precompute_index) {
707 // Compute the end index of the precomputed level.
708 let end_precompute = start_precompute + (middle - start);
709 // Copy the hashes for each node in the current level.
710 tree[start..middle].copy_from_slice(&self.tree[start_precompute..end_precompute]);
711 // Update the precompute index for the next level.
712 start_precompute_index = start_precompute;
713 } else {
714 // Ensure the start index is equal to the middle index, as all precomputed indices have been processed.
715 ensure!(start == middle, "Failed to process all left precomputed indices in the Merkle tree");
716 }
717 lap!(timer, "Precompute (Left): {start} -> {middle}");
718
719 // If the current level has precomputed indices, copy them instead of recomputing them.
720 // Note: This logic works because the old tree and new tree are the same power of two.
721 if let Some(middle_precompute) = middle_precompute_index {
722 if let Some(middle_precompute) = parent(middle_precompute) {
723 // Construct the children for the new indices in the current level.
724 let tuples = (middle..middle_precompute)
725 .map(|i| {
726 (
727 tree.get(left_child(i)).copied().unwrap_or(empty_hash),
728 tree.get(right_child(i)).copied().unwrap_or(empty_hash),
729 )
730 })
731 .collect::<Vec<_>>();
732 // Process the indices that need to be computed for the current level.
733 // If any level requires computing more than 100 nodes, borrow the tree for performance.
734 match tuples.len() >= 100 {
735 // Option 1: Borrow the tree to compute and store the hashes for the new indices in the current level.
736 true => cfg_iter_mut!(tree[middle..middle_precompute]).zip_eq(cfg_iter!(tuples)).try_for_each(
737 |(node, (left, right))| {
738 *node = self.path_hasher.hash_children(left, right)?;
739 Ok::<_, Error>(())
740 },
741 )?,
742 // Option 2: Compute and store the hashes for the new indices in the current level.
743 false => tree[middle..middle_precompute].iter_mut().zip_eq(&tuples).try_for_each(
744 |(node, (left, right))| {
745 *node = self.path_hasher.hash_children(left, right)?;
746 Ok::<_, Error>(())
747 },
748 )?,
749 }
750 lap!(timer, "Compute: {middle} -> {middle_precompute}");
751
752 // Copy the hashes for each node in the current level.
753 tree[middle_precompute..end].copy_from_slice(&self.tree[middle_precompute..end]);
754 // Update the precompute index for the next level.
755 middle_precompute_index = Some(middle_precompute + 1);
756 lap!(timer, "Precompute (Right): {middle_precompute} -> {end}");
757 } else {
758 // Ensure the middle precompute index is equal to the end index, as all precomputed indices have been processed.
759 ensure!(
760 middle_precompute == end,
761 "Failed to process all right precomputed indices in the Merkle tree"
762 );
763 }
764 } else {
765 // Construct the children for the new indices in the current level.
766 let tuples = (middle..end)
767 .map(|i| {
768 (
769 tree.get(left_child(i)).copied().unwrap_or(empty_hash),
770 tree.get(right_child(i)).copied().unwrap_or(empty_hash),
771 )
772 })
773 .collect::<Vec<_>>();
774 // Process the indices that need to be computed for the current level.
775 // If any level requires computing more than 100 nodes, borrow the tree for performance.
776 match tuples.len() >= 100 {
777 // Option 1: Borrow the tree to compute and store the hashes for the new indices in the current level.
778 true => cfg_iter_mut!(tree[middle..end]).zip_eq(cfg_iter!(tuples)).try_for_each(
779 |(node, (left, right))| {
780 *node = self.path_hasher.hash_children(left, right)?;
781 Ok::<_, Error>(())
782 },
783 )?,
784 // Option 2: Compute and store the hashes for the new indices in the current level.
785 false => tree[middle..end].iter_mut().zip_eq(&tuples).try_for_each(|(node, (left, right))| {
786 *node = self.path_hasher.hash_children(left, right)?;
787 Ok::<_, Error>(())
788 })?,
789 }
790 lap!(timer, "Compute: {middle} -> {end}");
791 }
792
793 // Update the start index for the next level.
794 start_index = start;
795 // Update the middle index for the next level.
796 middle_index = middle;
797 }
798
799 // End the timer for the while loop.
800 finish!(timer);
801
802 Ok(())
803 }
804
805 /// Save the previous tree in order to reuse its allocation later on.
806 pub fn preserve_tree_allocation(&self, previous: &mut Self) {
807 *self.preserved_tree_allocation.lock() = Some(mem::take(&mut previous.tree));
808 }
809}
810
811/// Returns the depth of the tree, given the size of the tree.
812#[inline]
813fn tree_depth<const DEPTH: u8>(tree_size: usize) -> Result<u8> {
814 let tree_size = u64::try_from(tree_size)?;
815 // Since we only allow tree sizes up to u64::MAX, the maximum possible depth is 63.
816 let tree_depth = u8::try_from(tree_size.checked_ilog2().unwrap_or(0))?;
817 // Ensure the tree depth is within the depth bound.
818 match tree_depth <= DEPTH {
819 // Return the tree depth.
820 true => Ok(tree_depth),
821 false => bail!("Merkle tree cannot exceed depth {DEPTH}: attempted to reach depth {tree_depth}"),
822 }
823}
824
825/// Returns the index of the left child, given an index.
826#[inline]
827const fn left_child(index: usize) -> usize {
828 2 * index + 1
829}
830
831/// Returns the index of the right child, given an index.
832#[inline]
833const fn right_child(index: usize) -> usize {
834 2 * index + 2
835}
836
837/// Returns the index of the sibling, given an index.
838#[inline]
839const fn sibling(index: usize) -> Option<usize> {
840 if is_root(index) {
841 None
842 } else if is_left_child(index) {
843 Some(index + 1)
844 } else {
845 Some(index - 1)
846 }
847}
848
849/// Returns true iff the index represents the root.
850#[inline]
851const fn is_root(index: usize) -> bool {
852 index == 0
853}
854
855/// Returns true iff the given index represents a left child.
856#[inline]
857const fn is_left_child(index: usize) -> bool {
858 index % 2 == 1
859}
860
861/// Returns the index of the parent, given the index of a child.
862#[inline]
863const fn parent(index: usize) -> Option<usize> {
864 if index > 0 { Some((index - 1) >> 1) } else { None }
865}