Motivated by a practical scenario in blockchains in which a client, who possesses a transaction, wishes to privately verify that the transaction actually belongs to a block, we investigate the problem of private retrieval of Merkle proofs (i.e., proofs of inclusion/membership) in a Merkle tree. In this setting, one or more servers store the nodes of a binary tree (a Merkle tree), while a client wants to retrieve the set of nodes along a root-to-leaf path (i.e., a Merkle proof, after appropriate node swapping operations), without letting the servers know which path is being retrieved. We propose a method that partitions the Merkle tree to enable parallel private retrieval of the Merkle proofs. The partitioning step is based on a novel tree coloring called ancestral coloring, in which nodes that have an ancestor-descendant relationship must have distinct colors. To minimize the retrieval time, the coloring is required to be balanced, i.e., the sizes of the color classes differ by at most one. We develop a fast algorithm to find a balanced (in fact, any) ancestral coloring in almost linear time in the number of tree nodes, which can handle trees with billions of nodes in a few minutes. Our partitioning method can be applied on top of any private information retrieval scheme, leading to the minimum storage overhead and fastest running times compared to existing approaches.
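The sketch below is an added illustration, not code from the paper: it builds a small Merkle tree, applies the sibling swap so that a Merkle proof becomes a root-to-leaf path, and checks that an ancestral coloring puts exactly one proof node in each color class. All function names are assumptions, and the balanced coloring is hand-constructed for an 8-leaf tree rather than produced by the paper's algorithm.

```python
import hashlib
from collections import Counter

def H(b):
    return hashlib.sha256(b).digest()

def build(leaves):
    """Heap-indexed Merkle tree: node 1 is the root, children of i are 2i and 2i+1."""
    n = len(leaves)                      # assumed to be a power of two
    t = [b""] * (2 * n)
    t[n:] = [H(x) for x in leaves]
    for i in range(n - 1, 0, -1):
        t[i] = H(t[2 * i] + t[2 * i + 1])
    return t

def path(n, j):
    """Positions from leaf j up to, but excluding, the root."""
    return [(n + j) >> k for k in range(n.bit_length() - 1)]

def swap_siblings(t):
    """Swapped tree: position i holds the hash of i's sibling, so a proof is a path."""
    return [b"", t[1]] + [t[i ^ 1] for i in range(2, len(t))]

def verify(root, leaf, j, n, proof):
    h = H(leaf)
    for pos, sib in zip(path(n, j), proof):
        # An even position is a left child, so its sibling hash goes on the right.
        h = H(h + sib) if pos % 2 == 0 else H(sib + h)
    return h == root

def is_ancestral(color, n):
    """True if no node shares a color with any ancestor (the root is uncolored)."""
    return all(len({color[p] for p in path(n, j)}) == len(path(n, j)) for j in range(n))

def is_balanced(color):
    sizes = Counter(color.values()).values()
    return max(sizes) - min(sizes) <= 1

def queries(color, n, j):
    """One position per color class: what the client fetches from each sub-database."""
    return {color[p]: p for p in path(n, j)}

# Constructed sample data: 8 transactions and a hand-made coloring of the 14 non-root nodes.
LEAVES = [b"tx%d" % i for i in range(8)]
BALANCED = {2: "A", 6: "A", 14: "A", 15: "A",
            3: "B", 8: "B", 9: "B", 10: "B", 11: "B",
            4: "C", 5: "C", 7: "C", 12: "C", 13: "C"}
BY_LEVEL = {p: p.bit_length() - 2 for p in range(2, 16)}  # ancestral, class sizes 2/4/8
```

Coloring by level is also ancestral, but its largest class holds all 8 leaves, whereas the balanced coloring keeps every class at 4 or 5 nodes, so each of the three parallel private queries runs over a sub-database of roughly equal size.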