
Detailed Record

Author (Chinese): 王傳鈞
Author (English): Wang, Chuan-Chun
Title (Chinese): 使用零知識證明的可信賴農作物評分模型 (A Trusted Crop Scoring Model Using Zero-Knowledge Proofs)
Title (English): A Trusted Model for Crop Scoring using Zero-Knowledge Proof
Advisor (Chinese): 黃能富
Advisor (English): Huang, Nen-Fu
Committee members (Chinese): 陳俊良; 張耀中
Committee members (English): Chen, Jiann-Liang; Chang, Yao-Chung
Degree: Master's
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science
Student ID: 109062631
Year of publication (ROC calendar): 112 (2023)
Academic year of graduation (ROC calendar): 111
Language: English
Pages: 50
Keywords (Chinese): zero-knowledge proof; crop scoring; hash tree; finite field; elliptic curve cryptography; smart contract; Ethereum; blockchain
Keywords (English): zero-knowledge proof; crop scoring; Merkle tree; finite field; elliptic curve; cryptography; smart contract; Ethereum; blockchain
Because blockchain technology is tamper-resistant and can tolerate the failure of multiple nodes, it has gained increasing attention and adoption across many industries in recent years. A cross-border trading system built on blockchain technology not only lets parties trade with their counterparties in a zero-trust manner but also benefits from a trading environment that operates around the clock. Conventional blockchain architectures are usually based on a purely public distributed ledger, so any blockchain user can browse the entire history without restriction.

Following the design philosophy of decentralization, a blockchain node verifies any information it obtains from other nodes. Because the full content of the distributed ledger is propagated, every node can verify information independently in a zero-trust manner. However, this is unfavorable to users who wish to retain some degree of privacy, and it also discourages adoption by enterprise customers.

This study proposes a trusted crop scoring model based on zero-knowledge proofs. Using the advantages of zero-knowledge proofs, we can present a proof of computation to external users without disclosing the original data. External users can therefore be confident that the crop scoring results were indeed derived from specific private information. Furthermore, they can use the publicly released zero-knowledge proof data to check the zero-knowledge verification procedure themselves.
Blockchain technology is gaining traction across many sectors because of its tamper-resistance and fault tolerance. A global trading system built on blockchain technology can let participants trade with their counterparties in a trustless setting and can operate continuously, twenty-four hours a day, seven days a week. Conventional blockchain architectures are usually built on public distributed ledger technology, which means that any blockchain participant can freely browse the full history of the chain.

Because of the decentralized design philosophy, the nodes maintaining the blockchain verify any data they receive from their neighbors. Since the full content of the distributed ledger is transmitted to every node, each node can check the validity of information independently, in a zero-trust manner. However, this is detrimental to users who wish to retain a degree of privacy, and it discourages adoption by most enterprises worldwide.

The proposed model provides trusted crop scoring based on zero-knowledge proof technology. By exploiting the properties of zero-knowledge proofs, the model can offer a proof of computation without disclosing the raw data. External users can therefore be confident that the crop scoring results were derived from the private information, and they can reproduce the whole verification procedure using the publicly broadcast zero-knowledge proofs.
Abstract..........I
摘要..........II
致謝..........III
Contents..........IV
List of Figures..........VI
List of Tables..........VIII
Chapter 1 Introduction..........1
1.1 Motivation..........1
Chapter 2 Background..........4
2.1 Ethereum..........4
2.2 Zero-Knowledge Proof..........5
2.3 Example of Zero-knowledge Proof..........6
2.4 Interactive Proof System..........9
2.5 Non-Interactive Proof System..........10
2.6 zk-SNARK..........11
2.7 Merkle Tree..........14
Chapter 3 Related Work..........16
3.1 Tornado.Cash..........16
3.2 ZETH..........17
3.3 MACI..........19
3.4 PipeZK..........20
3.5 Circom..........21
Chapter 4 Design and Implementation..........22
4.1 System Overview..........22
4.2 Components..........24
4.2.1 Database..........24
4.2.2 DataFormatConverter..........24
4.2.3 InputGenerator..........25
4.2.4 GradingAlgorithm..........29
4.2.5 ZKCircuit..........29
4.2.6 SmartContract..........30
Chapter 5 Experimental Result..........32
5.1 Environment..........32
5.2 Choices of the Merkle Tree..........33
5.2.1 Linear versus Merkle Tree..........33
5.3 ZKCircuit with Different Input Sizes..........37
Chapter 6 Conclusion and Future Work..........39
6.1 Conclusion..........39
6.2 Future Work..........40
Appendix..........41
References..........44
(The full text will be available for external access after 2026-02-08.)