5

Say I have a publicly available Merkle tree, and I want to prove the existence of a leaf (containing a number, maybe) in the tree. I could give the path along with the siblings, for a normal Merkle proof, but this reveals the leaf itself.

How can I do this in zero knowledge, i.e., proving that the leaf exists, but not revealing which leaf?

user2505282
  • 279
  • 2
  • 8

1 Answer

3

The "path" is only a witness for your proof; you don't actually want to give the path to the verifier. Turns out that going from an NP-problem with witness to an actual zero-knowledge proof is not that trivial.

What you could do: one of your leaves $L_1, \dots, L_{n}$ has the value of your commitment $x$. You might write something like

$$\bigvee^{n}_{i=1}\left(L_i=x\right).$$

This is a satisfaction problem, so it's suited to be fed in a bunch of ZK libraries.


Lately, I've been playing with rank-1 constraint systems (r1cs), such as provided by libsnark or in a little time by dalek's "bulletproof" library. These provide non-interactive, fast, compact zero-knowledge proofs.

You said your leaves could contain numbers. This translates very nicely in an r1cs system!

$$\prod^n_{i=1}(L_i-x)=0$$

You simply prove that one of the roots of the above polynomial equals zero, which is true when $x$ represents a leaf.

Ruben De Smet
  • 2,530
  • 15
  • 27
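As an added example (not code from the answer, and not the libsnark or dalek API), the product constraint $\prod^n_{i=1}(L_i-x)=0$ can be written as $n$ rank-1 rows over a witness vector $z = (1, x, p_1, \dots, p_{n-1})$, where $p_i$ is the running product. The modulus `P`, the leaf values and all function names are assumptions made for illustration; the code only builds and checks the constraint system, and keeping $z$ hidden is the job of the proving system it would be handed to.

```python
# Added illustration: R1CS for prod_i (L_i - x) = 0 over a prime field F_P.
# P and the leaf values are constructed for this example.
P = 2**61 - 1  # Mersenne prime: no zero divisors, so product == 0 iff a factor == 0

def build_r1cs(leaves):
    """Rows (a, b, c) with <a,z>*<b,z> = <c,z> over z = [1, x, p_1, ..., p_{n-1}].

    p_i is the running product (L_1 - x)...(L_i - x); the last row forces p_n = 0.
    """
    n = len(leaves)
    rows = []
    for i, leaf in enumerate(leaves, start=1):
        a, b, c = [0] * (n + 1), [0] * (n + 1), [0] * (n + 1)
        a[0 if i == 1 else i] = 1        # selects p_{i-1}, with p_0 = constant 1
        b[0], b[1] = leaf % P, P - 1     # selects L_i - x
        if i < n:
            c[i + 1] = 1                 # selects p_i; all-zero c on last row means "= 0"
        rows.append((a, b, c))
    return rows

def make_witness(leaves, x):
    """Prover side: z = [1, x, p_1, ..., p_{n-1}] for the secret x."""
    z, acc = [1, x % P], 1
    for leaf in leaves[:-1]:
        acc = acc * (leaf - x) % P
        z.append(acc)
    return z

def dot(u, v):
    return sum(ui * vi for ui, vi in zip(u, v)) % P

def is_satisfied(rows, z):
    """True when every rank-1 row holds for the assignment z."""
    return all(dot(a, z) * dot(b, z) % P == dot(c, z) for a, b, c in rows)

LEAVES = [17, 42, 99, 1234]   # public leaf values (constructed)
ROWS = build_r1cs(LEAVES)

if __name__ == "__main__":
    print(is_satisfied(ROWS, make_witness(LEAVES, 99)))   # secret x is a leaf
    print(is_satisfied(ROWS, make_witness(LEAVES, 5)))    # secret x is not a leaf
```

The rows depend only on the public leaves, so the constraint count grows linearly with the number of leaves.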