Merkle trees let Bitcoin verify any transaction in milliseconds without downloading the entire blockchain. How this elegant data structure works and why it matters.
import InfoBox from '@components/shortcodes/InfoBox.astro';
A Bitcoin block can contain thousands of transactions. If you wanted to verify that your transaction was included, the naive approach would be to download every transaction in the block and check one by one. That would be slow, bandwidth-heavy, and completely impractical for phones or lightweight devices.
Instead, Bitcoin uses a data structure invented in 1979 by Ralph Merkle: the Merkle tree. It compresses thousands of transactions into a single 32-byte hash, and lets anyone prove that a specific transaction exists in a block by checking just a handful of hashes rather than the entire block.
This is how lightweight wallets on your phone can verify transactions without storing 600+ GB of blockchain data.
A Merkle tree is a binary tree of hashes. Here is how Bitcoin builds one:
Step 1: Take every transaction in a block and hash each one with SHA-256 (twice - Bitcoin always double-hashes). These are the leaf nodes.
Step 2: Pair them up. Hash each pair together to produce a parent hash. If there is an odd number, the last one is duplicated and paired with itself.
Step 3: Repeat. Keep pairing and hashing up the tree until you have a single hash at the top.
That top hash is the Merkle root. It is included in the block header - the 80-byte summary that miners hash when mining.
For a block with 2,000 transactions, the tree has about 11 levels. That means verifying any single transaction requires only 11 hashes - not 2,000.
When a block has an odd number of transactions at any level, Bitcoin duplicates the last hash and pairs it with itself. This is a design choice from the original implementation.
Search queries about "bitcoin merkle tree odd number of transactions duplicate last hash" are among the most common technical questions. The answer is straightforward: duplication ensures every node has a pair, keeping the binary tree structure intact. Without it, the algorithm would need special cases for odd levels, adding complexity for no benefit.
There is a subtle security implication: this duplication means two different sets of transactions could theoretically produce the same Merkle root (CVE-2012-2459). Bitcoin Core has patched this by rejecting blocks with duplicate transactions.
The real power of Merkle trees is the Merkle proof (also called SPV proof - Simplified Payment Verification).
Say you want to verify that transaction TX3 is in a block with 8 transactions. You do not need all 8. You need:
That is 3 hashes. You combine them step by step and check if the result matches the Merkle root in the block header. If it does, TX3 is in the block. If any transaction was altered or missing, the hashes would not match.
For a block with 4,000 transactions, a Merkle proof requires only about 12 hashes (log2 of 4,000). Each hash is 32 bytes. That is 384 bytes to verify membership in a block containing megabytes of data.
Block header. Every block header contains the Merkle root of all transactions in that block. This is what miners hash when searching for a valid proof of work.
SPV wallets. Electrum, BlueWallet, and most mobile wallets use Merkle proofs to verify transactions without downloading full blocks.
Taproot (BIP 341). Bitcoin's 2021 upgrade uses a Merkle tree structure called MAST (Merkelized Abstract Syntax Trees) to commit to multiple spending conditions. Only the condition actually used is revealed on-chain, improving both privacy and efficiency.
Segregated Witness. SegWit introduced a second Merkle tree for witness data, separate from the transaction Merkle tree. This is stored in the coinbase transaction's witness commitment.
| Approach | Data needed | Verification time | Trust required |
|---|---|---|---|
| Download full block | ~1-2 MB | Seconds | None (full verification) |
| Merkle proof | ~400 bytes | Milliseconds | Minimal (header chain only) |
| Trust the server | 0 bytes | Instant | Complete (no verification) |
Merkle proofs hit the sweet spot: near-zero bandwidth with near-zero trust.
Ralph Merkle designed this structure for efficient digital signatures in 1979 - thirty years before Bitcoin. Satoshi adopted it because it solves a fundamental scaling problem: how do you let lightweight devices participate in a system designed for trustlessness?
The answer is a tree of hashes that lets you prove membership without revealing the whole set. It is the reason your phone can verify a Bitcoin payment in milliseconds while a full node with 600 GB of data reaches the same conclusion through the same mathematics.
Simple. Efficient. Trustless. That is what good cryptographic engineering looks like.