Computational Sparse Merkle Trees

• Computational Sparse Merkle Trees are authenticated binary trees that use parameterized data transforms and zero-knowledge proofs to ensure data integrity without disclosing sensitive information.
• They extend classic SMTs by enabling interactive verification of complex, data-driven computations, making them suitable for secure statistical analysis and privacy-preserving machine learning.
• CSMTs are applied in regulatory and clinical research settings, offering publicly verifiable inclusion or exclusion proofs with efficient, cryptographic protocols that balance performance and security.

A computational sparse Merkle tree (CSMT) is an authenticated binary tree in which both the leaf and internal node values are computed using parameterized data transforms and aggregation operations, and whose correctness is enforced via succinct zero-knowledge proofs. This extends the classic sparse Merkle tree (SMT) paradigm from static key-value authentication to interactive verification of data-driven computations under privacy and integrity constraints. In applied settings such as privacy-preserving analytics, CSMTs enable statistical and machine learning computations over committed data while supporting publicly verifiable inclusion or exclusion proofs, all within minimally disclosive cryptographic protocols (Shahid et al., 17 Jan 2026).

1. Formal Structure of Computational Sparse Merkle Trees

A CSMT is built as follows. Let the tree height be $K$ (with $2^K$ leaves), and consider a set $U$ of users $u$ supplying secret data $\delta_u \in \mathbb{R}^d$. For each $u$, a leaf transform $$\mathcal{L}^s: \mathbb{R}^{d+s_u} \rightarrow \mathbb{R}^{p+s_t}$$ is applied to $(\delta_u, \mu_u, \tau_u)$, where $\mu_u$ and $\tau_u$ are per-user and per-transform salts for uniqueness and binding, producing the salted leaf $$\varphi^0_u = \mathcal{L}^s(\delta_u, \mu_u, \tau_u; \theta_{\mathcal{L}^s})$$.

Leaf indices in the tree are computed as $H_u = \text{hash}(\varphi^0_u) \in \{0,1\}^K$. Each internal node is derived by a parameterized aggregator $$\mathcal{A}^l: \mathbb{R}^q \times \mathbb{R}^q \rightarrow \mathbb{R}^q$$, applied recursively:

$$\varphi_j^k = \mathcal{A}^l(\varphi^{k-1}_{2j}, \varphi^{k-1}_{2j+1}; \theta_{\mathcal{A}^l}) \ H_j^k = \text{hash}(\varphi_j^k)$$

with the root $\varphi^{\text{root}} = \varphi_0^K$ and digest $$H^{\text{root}} = \text{hash}(\varphi^{\text{root}})$$. This generalizes the classical SMT, where leaves are simply $H(v_i)$ and internal nodes are $H(h_{L} \| h_{R})$ without computational transforms other than hashing (Shahid et al., 17 Jan 2026, Koisser et al., 2022, Ramabaja et al., 2020).

2. Inclusion and Exclusion Proofs under Zero Knowledge

For a target user $u$, inclusion (resp. exclusion) at position $N_u$ is established by a proof of knowledge of the leaf data, salts, and all relevant aggregation witnesses along the path to the root. An inclusion proof for $u$ consists of the tuple $$(\varphi^0_u, (\varphi^{k-1}_{s(k)}, \varphi^{k-1}_{t(k)})_{k=1}^K)$$, i.e., the leaf and all siblings required to reconstruct the path, such that:

• Each aggregation is correctly applied at every level: $$\varphi^k_{p(k)} = \mathcal{A}^l(\varphi^{k-1}_{s(k)}, \varphi^{k-1}_{t(k)})$$.
• Node hashings are consistent.
• The resulting root hash matches $H^{\text{root}}$. If $\varphi^0_u \neq \varphi^0_\varnothing$, inclusion holds. If $\varphi^0_u = \varphi^0_\varnothing$ (the designated empty leaf), non-membership is proven (Shahid et al., 17 Jan 2026).

All proofs are cryptographically succinct and zero-knowledge via specialized circuits (e.g., in Halo2/EZKL), with no disclosure of underlying data, salts, or transform outputs except for their hashes. The protocol ensures input consistency, circuit correctness, and membership soundness according to Propositions 2 and 3 (Shahid et al., 17 Jan 2026).

3. Protocol Architecture and Computational Complexity

The CSMT protocol comprises:

• Setup: Generation of public/private SNARK keys for both the leaf transform $\mathcal{L}^s$ and aggregator $\mathcal{A}^l$ circuits.
• Prover: (1) Compute and prove correct $\varphi^0_u$ from user data (leaf circuit); (2) For each tree level, recursively prove correct aggregation and hashing to next parent hash (aggregator circuit instantiated $K$ times).
• Verifier: (1) Check the leaf proof for input consistency; (2) Recursively check each aggregator proof and consistency of resulting hashes along the path to root.

Gate complexity is dominated by $O(K \cdot g_A)$ for per-user inclusion/exclusion proofs (where $g_A$ is the gate count of the aggregator), while tree construction overall is $O(N \cdot g_L + 2^K \cdot g_A)$ (Shahid et al., 17 Jan 2026). For practical scenarios ($N \approx 50$–$600$, $K = 8$–$10$), total proof size is sub-megabyte, and runtime is on the order of hours on 16 vCPUs with memory usage in the 4 GB range.

4. Comparison with Classic Sparse Merkle Trees

In contrast to classic SMTs—where leaves are hashed values (or default) and internal nodes are pairwise hash reductions—CSMTs store arbitrary per-leaf and per-node computational results. The security model for a standard SMT is purely collision resistance of the hash; computing an inclusion proof for a set of leaves or a multiproof involves traversing $O(\log N)$ nodes, revealing all sibling hashes along the path, and reduction is performed by hash concatenation (Koisser et al., 2022, Ramabaja et al., 2020).

By contrast, CSMTs:

• Allow expressive, parameterized transforms and aggregations at each tree level.
• Deliver zero-knowledge proofs of both membership and correct computation, without data disclosure.
• Generalize SMTs to support computation-integrity claims, such as correct statistical computations or constrained data analytics (e.g., two-sample KS, LRT, logistic regression), all under SNARK-based public verification (Shahid et al., 17 Jan 2026).

5. Security Guarantees and Integrity Properties

The CSMT achieves zero-knowledge, soundness, and strong integrity via:

• Proving in zero knowledge the correct application of data transformations and aggregations, leaking no user data or intermediate computation.
• Ruling out forgery: Propositions 2 & 3 formalize that any successful proof implies existence of genuine data and correct computation along the path.
• Ensuring exclusivity: The protocol includes mechanisms to enforce that only registered users’ data appears in the aggregated computation, as the presence of any non-committed “spurious” leaf alters the root, enabling robust public auditability (Shahid et al., 17 Jan 2026).

6. Practical Applications and Empirical Evaluation

CSMTs are suited for regulatory environments requiring both privacy and accountability. In clinical research, for example, they enable controlled access to inclusion/exclusion proofs for participant data in regulatory audits, with verified correctness for statistical tests (e.g., Kolmogorov-Smirnov, likelihood-ratio, and classification tasks) and guaranteed privacy over raw values (Shahid et al., 17 Jan 2026). The CoSMeTIC framework demonstrates that ZK-proving is stable across different circuit scales, with constant proof size and runtime as a function of numerical precision.

Experimental results reveal:

• Prover CPU utilization stabilizes near 80–90%.
• Proof sizes remain sub-megabyte for hundreds of leaves.
• Statistical test outputs are invariant across scales, matching non-private baselines up to full numerical accuracy.
• Key sizes for protocol public keys and verification keys exhibit minimal variance with respect to scale.

This architecture enables a wide range of data-driven, privacy-preserving computations with standalone public auditability, well beyond the commitment and key-value inclusion supported by classic SMTs.

7. Theoretical and Future Implications

The computational sparse Merkle tree paradigm unifies classical authenticated data structures with circuit-based, publicly verifiable computation, enabling robust use-cases in privacy-preserving analytics, secure multi-party computation, and regulatory compliance. A plausible implication is the extension of this approach to more complex computation trees (e.g., higher-arity, vectorial operations) or alternative backends such as succinct non-interactive arguments of knowledge (SNARK-friendly arithmetizations), further generalizing the interface between authenticated data and trusted computation (Shahid et al., 17 Jan 2026).