Motivated by a practical scenario in blockchains in which a client, who possesses a transaction, wishes to privately verify that the transaction actually belongs to a block, we investigate the problem of private retrieval of Merkle proofs (i.e. proofs of inclusion/membership) in a Merkle tree. In this setting, one or more servers store the nodes of a binary tree (a Merkle tree), while a client wants to retrieve the set of nodes along a root-to-leaf path (i.e. a Merkle proof, after appropriate node swapping operations), without letting the servers know which path is being retrieved. We propose a method that partitions the Merkle tree to enable parallel private retrieval of the Merkle proofs. The partitioning step is based on a novel tree coloring called ancestral coloring, in which nodes that have an ancestor-descendant relationship must have distinct colors. To minimize the retrieval time, the coloring is required to be balanced, i.e. the sizes of the color classes differ by at most one. We develop a fast algorithm to find a balanced (in fact, any) ancestral coloring in almost linear time in the number of tree nodes, which can handle trees with billions of nodes in a few minutes. Our partitioning method can be applied on top of any private information retrieval scheme, leading to the minimum storage overhead and fastest running times compared to existing approaches.
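The two properties the abstract asks of a coloring can be checked mechanically. The following Python sketch is an added example, not the paper's algorithm or code: it verifies the ancestral and balanced conditions on a perfect binary tree and contrasts a by-depth coloring with a hand-built balanced one. The heap indexing, the uncolored root, all function names and the height-2 sample coloring are assumptions made for illustration.

```python
from collections import Counter

# Perfect binary tree of height h in heap order: root = 1, children of n are
# 2n and 2n+1, leaves are 2**h .. 2**(h+1)-1. The root is left uncolored
# (assumption of this sketch: the client already knows the Merkle root).

def path_nodes(h, leaf):
    """Non-root nodes on the path from the root down to heap index `leaf`."""
    return [leaf >> s for s in range(h - 1, -1, -1)]

def is_ancestral(color, h):
    """Every ancestor-descendant pair lies on some root-to-leaf path, so it
    suffices that the h colors on each such path are pairwise distinct."""
    return all(len({color[n] for n in path_nodes(h, leaf)}) == h
               for leaf in range(2 ** h, 2 ** (h + 1)))

def class_sizes(color):
    """Sorted sizes of the color classes, i.e. of the per-color sub-databases."""
    return sorted(Counter(color.values()).values())

def is_balanced(color):
    sizes = class_sizes(color)
    return sizes[-1] - sizes[0] <= 1

def level_coloring(h):
    """Baseline: color = depth. Ancestral, but class sizes are 2, 4, ..., 2**h."""
    return {n: n.bit_length() - 1 for n in range(2, 2 ** (h + 1))}

def queries_for_leaf(color, h, leaf):
    """One node per color class: the index a client would privately fetch
    from each sub-database to cover the whole path."""
    return {color[n]: n for n in path_nodes(h, leaf)}

# Hand-constructed balanced ancestral coloring for h = 2 (constructed sample).
BALANCED_H2 = {2: "red", 4: "blue", 5: "blue", 3: "blue", 6: "red", 7: "red"}

if __name__ == "__main__":
    lvl = level_coloring(4)
    print(is_ancestral(lvl, 4), is_balanced(lvl), class_sizes(lvl))
    print(is_ancestral(BALANCED_H2, 2), is_balanced(BALANCED_H2))
    print(queries_for_leaf(BALANCED_H2, 2, 6))
```

With the by-depth coloring the largest class holds all 2^h leaves, so one of the parallel queries runs over a database about half the size of the tree; a balanced coloring caps every class at roughly 1/h of the colored nodes.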