為什麼一個國家需要把身分與稅務放在同一條鏈上,以及為什麼用 Rust。

Why a nation would put identity and tax on one ledger — and why in Rust.

Ferrum(鐵鏈)是一套許可制主權區塊鏈,目標是同時承載兩項國家核心職能:數位身分驗證與稅務管理。兩者共享同一組信任問題——「這個人是誰」與「這個人該負什麼義務」——統一在可稽核、防竄改、且具密碼學隱私保護的帳本上,能消除政府各機關間重複認證、資料孤島與對帳成本。

Ferrum is a permissioned sovereign blockchain that carries two core state functions on one ledger: digital identity verification and tax administration. Both share the same trust questions — "who is this person" and "what do they owe" — and unifying them on an auditable, tamper-evident, privacy-preserving ledger removes duplicate verification, data silos and reconciliation costs across agencies.

名稱「Ferrum」即拉丁文的「鐵」;鐵的氧化物正是 Rust——我們以 Rust 實作的雙關,也象徵基礎設施應如鑄鐵般耐久。選擇 Rust 並非風格偏好:其所有權與借用檢查器在編譯期消除整類記憶體安全漏洞(緩衝區溢位、釋放後使用、資料競爭),這對承載全國身分與財稅資料的系統是難以替代的安全底線。

"Ferrum" is Latin for iron; iron's oxide is literally rust — a pun on our implementation language, and a nod to infrastructure built to last. The choice of Rust is not stylistic: its ownership and borrow checker eliminate whole classes of memory-safety bugs at compile time (buffer overflows, use-after-free, data races), an irreplaceable safety floor for a system holding a nation's identity and fiscal data.

主權系統的限制條件,與我們因此放棄的「典型加密貨幣」假設。

The constraints of sovereign systems, and the "typical crypto" assumptions we drop.

多數公有鏈假設匿名參與、無許可驗證者、以代幣價格驅動安全性——這與國家基礎設施直接衝突。承載稅務義務的帳本不能讓公民義務隨幣價波動;承載身分的帳本不能讓匿名者擔任最終裁決者。Ferrum 因此從五項原則出發,並讓每項對應具體技術選擇:

Most public chains assume anonymous participation, permissionless validators and price-driven security — which directly conflicts with state infrastructure. A ledger of tax obligations cannot let duties float with a token price; a ledger of identity cannot let anonymous parties be the final arbiter. Ferrum therefore starts from five principles, each tied to a concrete technical choice:

1. 主權與問責並存。驗證者為受認證的公私機構,身分公開、行為可究責,但仍以密碼學最終性而非單一中央點背書。
2. 隱私即預設值。系統預設不揭露任何超出必要的資訊;揭露需經授權或法定程序,並留稽核軌跡。
3. 可稽核但不可全知。監理與審計在授權範圍內檢視,但沒有任何單一角色能讀取全民明文。
4. 包容性優先。無智慧型手機、無加密資產者仍能透過代理據點完成身分與稅務事務。
5. 可演進。透過 WASM runtime 無分叉升級,並預留後量子密碼遷移路徑。

1. Sovereignty with accountability. Validators are accredited public/private institutions — publicly identified and answerable — yet backed by cryptographic finality, not a single central point.
2. Privacy by default. Nothing beyond the necessary is disclosed; disclosure requires authorization or due process and leaves an audit trail.
3. Auditable, not omniscient. Supervisors audit within authorized scope, but no single role can read everyone's plaintext.
4. Inclusion first. Those without a smartphone or crypto assets can still complete identity and tax tasks via assisted points of service.
5. Evolvable. Forkless WASM runtime upgrades, with a post-quantum migration path reserved.

五個分層,從密碼學底層到公民與機關的應用介面。

Five layers, from the cryptographic base to citizen and agency interfaces.

Ferrum 採分層架構。核心邏輯以 FRAME pallet 實作為原生 runtime 模組,商業與第三方邏輯則以 ink!(Rust→WASM)智能合約沙箱執行。下圖呈現由下而上的五層:

Ferrum is layered. Core logic ships as native FRAME pallets; commercial and third-party logic runs in an ink! (Rust→WASM) contract sandbox. The diagram shows the five layers from the bottom up:

關鍵設計在於資料的物理位置:L1–L3 永遠只看得到密碼學承諾與雜湊;明文個資存於 L4 治理下、由機關營運的鏈下加密儲存。這讓「鏈的不可竄改性」與「個資的可刪除/可遺忘權」得以共存。

The key design is where data physically lives: L1–L3 only ever see commitments and hashes; plaintext PII sits in agency-run encrypted off-chain stores governed at L4. This lets chain immutability coexist with a right to erasure / to be forgotten.

為何整條鏈、從網路到合約都用 Rust。

Why the whole stack — network to contracts — is Rust.

身分註冊 Pallet(節錄)

Identity pallet (excerpt)

核心身分邏輯以原生 pallet 實作。請注意:鏈上儲存的是 doc_hash(DID 文件雜湊),而非任何個資。

Core identity logic is a native pallet. Note that only doc_hash (the DID document hash) is stored on-chain — never PII.

// 由「認證簽發機構」錨定 DID 文件雜湊；鏈上不存任何個資。
#[frame_support::pallet]
pub mod pallet {
    #[pallet::storage]
    pub type DidRegistry<T: Config> =
        StorageMap<_, Blake2_128Concat, Did, DidDocument<T::AccountId>, OptionQuery>;

    #[pallet::call]
    impl<T: Config> Pallet<T> {
        #[pallet::weight(T::WeightInfo::register_did())]
        pub fn register_did(origin: OriginFor<T>, did: Did, doc_hash: H256) -> DispatchResult {
            let issuer = ensure_signed(origin)?;          // 僅承諾值，非明文
            ensure!(Issuers::<T>::contains_key(&issuer), Error::<T>::NotAccredited);
            ensure!(!DidRegistry::<T>::contains_key(&did), Error::<T>::AlreadyExists);
            DidRegistry::<T>::insert(&did, DidDocument { controller: issuer, doc_hash });
            Ok(())
        }
    }
}

// An accredited issuer anchors the DID document hash; no PII is ever stored on-chain.
#[frame_support::pallet]
pub mod pallet {
    #[pallet::storage]
    pub type DidRegistry<T: Config> =
        StorageMap<_, Blake2_128Concat, Did, DidDocument<T::AccountId>, OptionQuery>;

    #[pallet::call]
    impl<T: Config> Pallet<T> {
        #[pallet::weight(T::WeightInfo::register_did())]
        pub fn register_did(origin: OriginFor<T>, did: Did, doc_hash: H256) -> DispatchResult {
            let issuer = ensure_signed(origin)?;          // commitment only, never plaintext
            ensure!(Issuers::<T>::contains_key(&issuer), Error::<T>::NotAccredited);
            ensure!(!DidRegistry::<T>::contains_key(&did), Error::<T>::AlreadyExists);
            DidRegistry::<T>::insert(&did, DidDocument { controller: issuer, doc_hash });
            Ok(())
        }
    }
}

自主管理身分(SSI)、可驗證憑證,以及「證明而不揭露」。

Self-sovereign identity, verifiable credentials, and "prove without revealing".

Ferrum 採用 W3C 去中心化識別碼(DID)與可驗證憑證(VC)標準,定義 did:fer 方法。公民私鑰由本人裝置持有,政府戶政與受認證機構擔任憑證簽發者。

Ferrum uses W3C DIDs and Verifiable Credentials (VCs), defining the did:fer method. Citizens hold their own keys on-device; civil registries and accredited institutions act as credential issuers.

零知識年齡證明(節錄)

Zero-knowledge age proof (excerpt)

驗證者只收到證明與公開輸入,即可確認「持證人已成年」,過程中不接觸生日、姓名或證件號。

A verifier receives only a proof and public inputs, confirming "the holder is of age" without ever touching a birthdate, name or ID number.

// 驗證「年齡 ≥ 18」的零知識證明，毋須揭露出生日期。
pub fn verify_age_threshold(
    proof: &Proof<Bls12_381>,
    vk: &PreparedVerifyingKey<Bls12_381>,
    public_inputs: &[Fr],   // [issuer_commitment, threshold, nullifier]
) -> Result<bool, VerifyError> {
    Groth16::<Bls12_381>::verify_proof(vk, proof, public_inputs)
        .map_err(|_| VerifyError::Malformed)
}

// Verify a zero-knowledge proof of "age ≥ 18" without revealing the birth date.
pub fn verify_age_threshold(
    proof: &Proof<Bls12_381>,
    vk: &PreparedVerifyingKey<Bls12_381>,
    public_inputs: &[Fr],   // [issuer_commitment, threshold, nullifier]
) -> Result<bool, VerifyError> {
    Groth16::<Bls12_381>::verify_proof(vk, proof, public_inputs)
        .map_err(|_| VerifyError::Malformed)
}

電子發票錨定、自動預扣、隱私保護的稅級證明與可授權稽核。

E-invoice anchoring, automatic withholding, privacy-preserving bracket proofs, authorized audit.

稅務身分綁定於公民的 DID。稅務邏輯由 pallet-tax 與稅務引擎合約承載,重點是讓計算可驗證、繳納可追蹤、明細維持隱私。

Tax identity binds to a citizen's DID. Logic lives in pallet-tax and a tax-engine contract, designed so that computation is verifiable, payment traceable, and line items private.

核心機制

Core mechanisms

• 電子發票錨定。發票雜湊即時上鏈,形成防偽且可稽核的供應鏈,壓縮逃漏稅與假發票空間;明細仍加密於鏈下。
• 可程式化預扣。薪資、利息等所得可由合約於支付當下自動預扣稅額,直接結算入國庫帳戶。
• 零知識稅級證明。納稅人可證明「所得落於某稅級」或「符合扣抵資格」而不揭露精確金額。
• 授權式稽核。審計須持有授權檢視金鑰方能解密特定區段;每次存取產生不可竄改稽核記錄。

• E-invoice anchoring. Invoice hashes are anchored in real time, creating a tamper-evident, auditable supply chain that shrinks evasion and fake-invoice space; line items stay encrypted off-chain.
• Programmable withholding. Wages, interest and similar income can be withheld automatically at the moment of payment and settled to the treasury.
• ZK bracket proofs. A taxpayer can prove "income is in bracket X" or "eligible for relief" without revealing the exact amount.
• Authorized audit. Auditors need an authorized viewing key to decrypt a specific segment; every access leaves an immutable audit record.

電子發票開獎 — 以隱私為前提的全民稅務誘因

E-invoice Lottery — a privacy-preserving civic tax incentive

臺灣自 1951 年以「統一發票給獎」鼓勵消費者索取發票、商家誠實開立,把每張發票號碼變成一張彩券,將逃漏稅的監督權交給數百萬消費者。Ferrum 將此制度原生上鏈:每一筆已依本節錨定、由商家本人簽署、且對應一筆真實已結算營業稅的電子發票承諾(invoice_hash)即為一張彩券——毋須另立帳本、毋須揭露個資、毋須持有任何投機代幣。獎金以央行發行、十足準備的 eTWD 給付,價值移轉走 CBDC 軌道,鏈上僅留去識別化的收據承諾與金額。

Since 1951 Taiwan's Uniform-Invoice Lottery (統一發票) has turned every receipt number into a lottery ticket, enlisting millions of consumers to police merchant under-reporting through a prize incentive. Ferrum makes this native to the chain: every e-invoice anchored under this section, signed by the issuing merchant and backed by a real, settled VAT amount — its invoice_hash commitment — is a ticket. No parallel ledger, no PII disclosure, no speculative token to hold. Prizes pay in fully-reserved, central-bank-issued eTWD; the value moves on the CBDC rail and only a PII-free receipt commitment stays on-chain.

錨定發票即隱私彩券。「一發票一票」由三道門共同保證:pallet-tax 強制只有持商家金鑰者可錨定並對同一雜湊去重;pallet-lottery 以 invoice_hash 為主鍵不可重複登記;登記時須以零知識證明持有人握有該發票的購買秘密。買方 DID 與發票明細只存在於 ZK 見證中,永不上鏈;每張票以電路推導的一次性 nullifier 防止重複登記。發票錨定的區塊高度(而非可被驗證者影響的時間戳)決定其落入哪一期。

Anchored invoice = privacy ticket. "One invoice = one ticket" rests on three gates: pallet-tax lets only the merchant key-holder anchor and de-duplicates each hash; pallet-lottery keys tickets on invoice_hash so re-registration is rejected; and registration needs a ZK proof of possessing that invoice's purchase secret. The buyer DID and line items live only in the ZK witness — never on-chain — and a circuit-derived one-time nullifier blocks double-entry. The block height at which an invoice was anchored (not a validator-influenceable timestamp) decides its draw period.

可驗證的公開開獎。Ferrum 共識為 Aura + GRANDPA、無原生 VRF,故開獎採承諾—揭示並錨定於 GRANDPA 已最終化的未來區塊雜湊:具保證金的驗證者先提交 H(seed),於嚴格早於最終化區塊的揭示期公開 seed,最終隨機數 R = blake2(⊕seedᵢ ‖ block_hash(B_fin) ‖ draw_id)。如此最後揭示者無法預知 B_fin 雜湊、出塊者無法碾磨;缺席揭示以固定公開後備值代入,且承諾保證金不小於單期可被改向之獎金上限,使「承諾後扣留」嚴格虧損。任何人皆可由公開錨定集、揭示事件與最終化雜湊獨立重算每位中獎者並以 Merkle 證明核對。

A verifiable public draw. Ferrum runs Aura + GRANDPA with no native VRF, so the draw is commit–reveal anchored to a GRANDPA-finalized future block hash: bonded validators post H(seed), reveal during a window that ends strictly before the finalize block, and randomness is R = blake2(⊕seedᵢ ‖ block_hash(B_fin) ‖ draw_id). The last revealer cannot know B_fin's hash and the author cannot grind it; a missing reveal is replaced by a fixed published fallback, and the commit bond is no less than the maximum prize a colluding set could redirect — making commit-then-withhold strictly loss-making. Anyone can recompute every winner from the public anchor set, reveals and finalized hash, checking each via a Merkle proof.

領獎與 eTWD 給付。領獎免手續費、可由臨櫃輔助點代送,使無錢包者亦能領獎。中獎人以 ZK 所有權電路證明持有中獎票,並將受款帳戶綁入公開輸入,故複製他人證明也改不了收款人;選擇性揭露的檢視金鑰承諾為電路的已驗證輸出,稽核軌跡不可偽。給付透過 pallet-treasury-fer 記錄一筆去識別化收據,收據鍵為 H(invoice_hash ‖ nullifier),無法將公開中獎雜湊與付款金額交叉連結;真正價值移轉走央行 CBDC 軌道。逾期未領由 sweep_expired 冪等回流主權準備。

Claim & eTWD payout. Claiming is fee-free and relayable by any assisted point-of-service, so winners without a wallet can still claim. The winner proves ownership with a ZK circuit that binds the payout beneficiary as a public input, so a copied proof cannot redirect funds; the selective-disclosure viewing-key commitment is a verified circuit output, making the audit trail unforgeable. Payout records a PII-free receipt via pallet-treasury-fer keyed by H(invoice_hash ‖ nullifier) — never the raw winning hash — so payout amount and winning invoice cannot be cross-linked; the value itself moves on the CBDC rail. Unclaimed prizes recycle to the sovereign reserve idempotently via sweep_expired.

隱私邊界(誠實揭露)。pallet-tax 的錨定集為公開,其商家帳戶與錨定資訊可被讀取;將彩券資格綁定於此公開集,意味中獎收據可被關聯到「哪一商家、何時開立」,長期相關可能洩漏商家層級型態,即使消費者身分隱藏。緩解方式為以 issuer_commitment(治理維護之商家集合根成員)取代明文商家帳戶。「無從推得購買明細」之保證僅及於消費者端,不及於商家側中繼資料。

Privacy boundary (honest disclosure). pallet-tax's anchor set is public, exposing the merchant account and anchoring metadata; binding eligibility to it means a winning receipt can be correlated to "which merchant issued it, and when," potentially leaking merchant-level patterns over time even though the consumer stays hidden. The mitigation is to store an issuer_commitment (membership under a governance-maintained merchant-set root) instead of the plaintext merchant account. The "no purchase detail derivable" guarantee is scoped to the consumer side only — not merchant-side metadata.

PoSA:受認證驗證者 + 質押問責 + BFT 最終性。

PoSA: accredited validators + staked accountability + BFT finality.

Ferrum 採用 PoSA(Proof of Staked Authority,質押權威證明):出塊權限僅開放給受認證機構,但每個驗證者須質押 FER 作罰沒保證金,最終性由 GRANDPA 提供 BFT 保證。投票權不依質押量加權,而是合格驗證者近乎等權,避免資本集中導致權力集中。

Ferrum uses PoSA (Proof of Staked Authority): authoring is open only to accredited institutions, but each validator stakes FER as a slashing bond, and GRANDPA provides BFT finality. Voting power is not stake-weighted — eligible validators are near-equal, so capital concentration does not become power concentration.

節點角色

Node roles

驗證者的加入與移除由鏈上治理控制,並要求組織與地理分散,避免單一部門或地區掌握出塊多數。共識參數以 runtime 常數定義:

Validator admission and removal are governed on-chain, with organizational and geographic diversity required so no single department or region holds an authoring majority. Consensus parameters are runtime constants:

// PoSA：Aura 出塊 + GRANDPA 最終性，驗證者集合由治理控制
parameter_types! {
    pub const SlotDuration: u64 = 3_000;            // 3 秒一個出塊時槽
    pub const MaxAuthorities: u32 = 100;            // 受認證機構節點上限
    pub const MinValidatorBond: Balance = 250_000 * FER;
    pub const EquivocationSlash: Perbill = Perbill::from_percent(100); // 雙簽：全沒收
    pub const OfflineSlash: Perbill = Perbill::from_percent(1);
}

// PoSA: Aura authoring + GRANDPA finality; validator set is governed
parameter_types! {
    pub const SlotDuration: u64 = 3_000;            // one 3-second authoring slot
    pub const MaxAuthorities: u32 = 100;            // cap on accredited institutional nodes
    pub const MinValidatorBond: Balance = 250_000 * FER;
    pub const EquivocationSlash: Perbill = Perbill::from_percent(100); // equivocation: full seizure
    pub const OfflineSlash: Perbill = Perbill::from_percent(1);
}

單一主權鏈內的雙資產設計:非投機網路代幣(FER)+ 法幣計價支付工具(eTWD)。跨國延伸見第 10、11 節。

A dual-asset design within one chain: a non-speculative network token (FER) + a fiat-denominated payment unit (eTWD). Cross-national extension in §10–11.

為身分與稅務系統設計代幣,首要原則是讓公民的義務與權利不暴露於幣價波動。Ferrum 因此採雙資產模型,將「網路安全與治理」和「價值支付」徹底分離:

The first principle for tokenizing an identity and tax system is to keep citizens' duties and rights out of price volatility. Ferrum therefore uses a dual-asset model, cleanly separating "network security & governance" from "value settlement":

FER 創世配置

FER genesis allocation

主權網路由國家控制發行。創世配置以「安全、公共服務、永續維運」為導向,而非以早期投資人回報為導向:

A sovereign network controls its own issuance. Genesis is oriented toward security, public service and sustainable operations — not early-investor returns:

從單一主權鏈,到一個主權鏈聯邦——身分與稅務跨越國界,而主權不被讓渡。

From one sovereign chain to a federation of them — identity and tax cross borders without ceding sovereignty.

當多國各自部署 Ferrum 實例,價值來自互通:公民憑證能在他國被驗證,跨境交易的稅務能由兩國協調。Ferrum 刻意不採用「單一全球鏈」,而組成主權鏈聯邦——每國保有自己的鏈、貨幣與治理,透過中立互通層連結。設計承襲 Polkadot 的 XCM、Cosmos 的 IBC,以及國際清算銀行多國 CBDC 專案(mBridge、Dunbar)。

When several nations each deploy a Ferrum instance, the value lies in interoperability: a citizen's credential is verifiable abroad, and cross-border tax is coordinated between two states. Ferrum deliberately avoids a "single global chain" and forms a federation of sovereign chains — each keeps its own chain, currency and governance, linked by a neutral interop layer. The design draws on Polkadot's XCM, Cosmos's IBC and the BIS multi-CBDC projects (mBridge, Dunbar).

跨鏈訊息與信任最小化橋接

Cross-chain messaging & trust-minimized bridging

鏈間以 XCM 式跨共識訊息溝通,橋接不依賴受託保管人:每條鏈在對方鏈上運行一個輕客戶端,直接驗證對方的 GRANDPA 最終性證明後才接受跨鏈訊息。互認的信任根來自密碼學最終性,而非中介機構,大幅降低橋接被攻擊或單點操控的風險。

Chains talk via XCM-style cross-consensus messages; bridging needs no trusted custodian: each chain runs an on-chain light client of the other and verifies its GRANDPA finality proofs before accepting messages. The root of trust is cryptographic finality, not an intermediary — sharply reducing bridge-attack and single-point risk.

跨國身分互認

Cross-border identity recognition

跨境稅務協調

Cross-border tax coordination

• 自動資訊交換(AEOI)。承襲 OECD CRS / FATCA,但以零知識與選擇性揭露達成——只交換條約所需最小事實。
• 雙重課稅減免。鏈上維護租稅協定登記表,合約自動套用稅率與扣抵,跨境所得不被重複課徵。
• 跨境電子發票互認。各國錨定的發票雜湊可跨鏈驗證,支撐跨境供應鏈勾稽。
• 跨境消費稅(VAT/GST)。採一站式登記(OSS):跨境數位服務於單一入口申報,稅收依消費地原則經清算聯盟分配。

• Automatic exchange of information (AEOI). In the spirit of OECD CRS / FATCA, but via ZK and selective disclosure — exchanging only the minimum facts a treaty requires.
• Double-tax relief. An on-chain tax-treaty registry lets contracts auto-apply rates and credits so cross-border income is not taxed twice.
• Cross-border e-invoice recognition. Anchored invoice hashes verify across chains, supporting cross-border supply-chain reconciliation.
• Cross-border VAT/GST. One-Stop-Shop (OSS) registration: cross-border digital services file at a single entry point; revenue is allocated by destination via the clearing union.

三層資產設計:主權不共享投機代幣,跨境以中立籃子單位清算。

A three-tier asset design: no shared speculative token; cross-border clearing in a neutral basket unit.

國內模型(第 8 節)將「網路安全」與「價值支付」分離。跨國再添一道難題:多個主權各有網路代幣與 CBDC,如何在不犧牲主權、也不引入投機性全球幣下清算彼此義務?答案是三層資產模型,並在頂層引入 SDR 式中立籃子單位。

The domestic model (§8) separates network security from value settlement. Cross-national adds a harder question: multiple sovereigns each have their own network token and CBDC — how do they clear mutual obligations without ceding sovereignty or introducing a speculative global coin? The answer is a three-tier asset model topped by an SDR-style neutral basket unit.

XSU · 跨境結算單位

XSU · Cross-border Settlement Unit

XSU 是中立合成記帳單位,定義為一籃參與國 CBDC 的固定權重組合,概念等同「數位化的 IMF 特別提款權(SDR)」,並呼應凱因斯在布列敦森林提出的「Bancor」清算同盟。其職能:

XSU is a neutral synthetic unit of account, defined as a fixed-weight basket of member CBDCs — conceptually a "digital IMF Special Drawing Right (SDR)", echoing Keynes's Bretton-Woods "Bancor" clearing union. Its roles:

• 中立計價。跨境義務以 XSU 計價,避免任一國貨幣成為事實上的霸權計價單位,降低匯率爭議。
• 多邊淨額清算。跨境流量先以 XSU 軋差,只就淨部位以各國 CBDC 結算,降低流動性需求與外匯摩擦。
• 足額準備、非投機。XSU 由 CBDC 準備池1:1 支撐,不自由浮動;籃子權重由聯邦治理定期再平衡。

• Neutral denomination. Cross-border obligations are priced in XSU, so no single currency becomes a de-facto hegemonic unit, reducing FX disputes.
• Multilateral netting. Flows net in XSU first; only the net positions settle in CBDCs, cutting liquidity needs and FX friction.
• Fully reserved, non-speculative. XSU is backed 1:1 by a CBDC reserve pool, does not float freely, and is reweighted periodically by federation governance.

下方為籃子的示意權重(實際權重由參與國依貿易與儲備結構協商):

Below is an illustrative basket (real weights are negotiated by members per trade and reserve structure):

各層資產的角色與激勵

Roles & incentives by tier

互通層的中立性,取決於沒有任何單一主權能片面掌控它。本節說明誰決策、如何決策、決策如何在鏈上自動執行。

The interop layer's neutrality rests on no single sovereign controlling it. This section covers who decides, how, and how decisions execute on-chain.

聯邦治理回答三個問題:誰來決策、如何決策、決策如何在鏈上自動執行。互通層(鐵橋)不屬於任何一國,而由條約理事會共同治理,XSU 籃子與準備池的每一次變動都須通過明確的鏈上門檻,並以時間鎖延遲生效以利各國準備。

Federation governance answers three questions: who decides, how they decide, and how decisions execute automatically on-chain. The interop layer (Ferrum Bridge) belongs to no single nation; it is co-governed by a treaty council. Every change to the XSU basket or reserve pool must clear an explicit on-chain threshold and is delayed by a timelock so members can prepare.

11.1 條約理事會

11.1 The Treaty Council

11.2 雙重多數表決

11.2 Dual-Majority Voting

一般提案通過,須同時滿足兩個維度:(a)成員數達門檻(主權平等),且(b)贊成方合計 XSU 籃子權重達門檻(經濟份量)。如此防止小國集團與大國霸權兩種極端,承襲歐盟「雙重多數」與 IMF 加權表決的折衷。憲制級變更(籃子重新定義、條約修訂)需近乎一致;任一成員可對「直接影響其主權」的議案啟動限時緊急煞車觸發複審,但不得無限期阻撓。

A normal proposal passes only if it clears both axes: (a) a threshold share of members (sovereign equality), and (b) a threshold share of XSU basket weight among the Aye voters (economic weight). This blocks both small-bloc capture and large-state dominance, echoing the EU's "double majority" and the IMF's weighted vote. Constitutional changes (basket redefinition, treaty amendment) need near-unanimity; any member may trigger a time-boxed emergency brake for matters directly affecting its sovereignty, forcing review but not allowing indefinite obstruction.

雙重多數的判定可直接以一個純函式表達,供 pallet-federation 在表決結束時呼叫:

The dual-majority test is a pure function that pallet-federation calls when a vote closes:

// pallets/federation/src/voting.rs
// 雙重多數：必須同時通過「成員數」與「籃子權重」兩個維度。
pub fn passes_dual_majority(
    votes: &BTreeMap<MemberId, Vote>,
    basket: &BTreeMap<MemberId, Perbill>,   // 各成員 XSU 籃子權重
    threshold: Perbill,                       // 例：from_rational(2u32, 3u32)
) -> bool {
    let total = votes.len() as u32;
    let ayes = votes.values().filter(|v| **v == Vote::Aye).count() as u32;

    // 維度一：贊成的成員數比例
    let by_count = Perbill::from_rational(ayes, total.max(1)) >= threshold;

    // 維度二：贊成方的籃子權重總和
    let ayes_weight = votes.iter()
        .filter(|(_, v)| **v == Vote::Aye)
        .map(|(m, _)| *basket.get(m).unwrap_or(&Perbill::zero()))
        .fold(Perbill::zero(), |a, w| a.saturating_add(w));
    let by_weight = ayes_weight >= threshold;

    by_count && by_weight   // 兩維度皆須成立
}

// pallets/federation/src/voting.rs
// Dual majority: must pass BOTH the "member count" and "basket weight" axes.
pub fn passes_dual_majority(
    votes: &BTreeMap<MemberId, Vote>,
    basket: &BTreeMap<MemberId, Perbill>,   // each member's XSU basket weight
    threshold: Perbill,                       // e.g. from_rational(2u32, 3u32)
) -> bool {
    let total = votes.len() as u32;
    let ayes = votes.values().filter(|v| **v == Vote::Aye).count() as u32;

    // Axis 1: share of members voting Aye
    let by_count = Perbill::from_rational(ayes, total.max(1)) >= threshold;

    // Axis 2: summed basket weight of Aye voters
    let ayes_weight = votes.iter()
        .filter(|(_, v)| **v == Vote::Aye)
        .map(|(m, _)| *basket.get(m).unwrap_or(&Perbill::zero()))
        .fold(Perbill::zero(), |a, w| a.saturating_add(w));
    let by_weight = ayes_weight >= threshold;

    by_count && by_weight   // both axes must hold
}

11.3 XSU 籃子與準備池運作

11.3 XSU Basket & Reserve-Pool Operations

• 足額擔保。每個成員依籃子權重向準備池存入等值 CBDC,作為 XSU 的 1:1 擔保。
• 鑄造 / 贖回。成員可用一籃 CBDC 按當前權重鑄造 XSU,或銷毀 XSU 贖回 CBDC;準備池始終足額。
• 多邊清算。跨境流量先以 XSU 記帳軋差,清算窗口結束時只就淨部位從準備池或雙邊 CBDC 結算。
• 再平衡。秘書處定期(如每 3 年或觸發門檻)提出新權重,經雙重多數核准後以漸進過渡實施,避免市場衝擊。
• 儲備證明。準備池每日發布鏈上儲備證明(proof-of-reserves),公開可稽。

• Full backing. Each member deposits CBDC into the reserve pool per its basket weight, backing XSU 1:1.
• Mint / redeem. A member mints XSU with a basket of CBDCs at current weights, or burns XSU to redeem CBDCs; the pool stays fully reserved.
• Multilateral clearing. Flows are booked and netted in XSU; at window close, only net positions settle from the pool or bilateral CBDCs.
• Reweighting. The secretariat periodically (e.g. every 3 years or on a trigger) proposes new weights; once dual-majority-approved, they phase in gradually to avoid market shock.
• Proof of reserves. The pool publishes a daily on-chain proof-of-reserves, publicly auditable.

11.4 鏈上實作:pallet-federation

11.4 On-chain Implementation: pallet-federation

治理流程為:propose → 理事會表決(記錄各成員票與其籃子權重)→ 雙重多數判定 → 時間鎖佇列 → enact(必要時觸發 WASM runtime 無分叉升級)。不同領域套用不同時間鎖長度,憲制級變更另需各國國內批准。

The flow is: propose → council vote (recording each member's ballot and basket weight) → dual-majority test → timelock queue → enact (triggering a forkless WASM upgrade where needed). Different domains use different timelock lengths; constitutional changes additionally require domestic ratification.

#[pallet::call]
impl<T: Config> Pallet<T> {
    // 任一理事會成員提出聯邦層提案（費率、籃子權重、成員資格…）。
    pub fn propose(origin: OriginFor<T>, action: FederationAction) -> DispatchResult {
        let who = T::CouncilMember::ensure_origin(origin)?;
        let id = NextId::<T>::mutate(|n| { let i = *n; *n += 1; i });
        Proposals::<T>::insert(id, Proposal::new(action, now::<T>()));
        Self::deposit_event(Event::Proposed { id, by: who });
        Ok(())
    }

    // 達雙重多數後進入時間鎖佇列；不同領域套用不同時間鎖。
    pub fn close(origin: OriginFor<T>, id: ProposalId) -> DispatchResult {
        ensure_signed(origin)?;
        let p = Proposals::<T>::get(id).ok_or(Error::<T>::Unknown)?;
        ensure!(
            passes_dual_majority(&p.votes, &BasketWeights::<T>::get(), p.threshold()),
            Error::<T>::Rejected
        );
        let eta = now::<T>() + T::TimelockFor::get(&p.action);
        Queued::<T>::insert(eta, id);              // on_initialize 到期自動 enact
        Self::deposit_event(Event::Queued { id, eta });
        Ok(())
    }
}

#[pallet::call]
impl<T: Config> Pallet<T> {
    // Any council member proposes a federation action (fees, basket weights, membership…).
    pub fn propose(origin: OriginFor<T>, action: FederationAction) -> DispatchResult {
        let who = T::CouncilMember::ensure_origin(origin)?;
        let id = NextId::<T>::mutate(|n| { let i = *n; *n += 1; i });
        Proposals::<T>::insert(id, Proposal::new(action, now::<T>()));
        Self::deposit_event(Event::Proposed { id, by: who });
        Ok(())
    }

    // On dual majority, queue under a timelock; each domain has its own timelock.
    pub fn close(origin: OriginFor<T>, id: ProposalId) -> DispatchResult {
        ensure_signed(origin)?;
        let p = Proposals::<T>::get(id).ok_or(Error::<T>::Unknown)?;
        ensure!(
            passes_dual_majority(&p.votes, &BasketWeights::<T>::get(), p.threshold()),
            Error::<T>::Rejected
        );
        let eta = now::<T>() + T::TimelockFor::get(&p.action);
        Queued::<T>::insert(eta, id);              // on_initialize auto-enacts at eta
        Self::deposit_event(Event::Queued { id, eta });
        Ok(())
    }
}

11.5 透明與爭議

11.5 Transparency & Disputes

所有提案、票數、權重變更與儲備證明皆上鏈公開可稽。爭議以鏈上爭議登記表記錄,依條約仲裁;理事會可暫停成員的出塊與清算權,但保留其準備金的請求權,確保停權不等於沒收。

All proposals, tallies, weight changes and reserve proofs are public and auditable on-chain. Disputes are recorded in an on-chain dispute registry and arbitrated per treaty; the council may suspend a member's authoring and clearing rights while preserving its claim on reserves — so suspension is never confiscation.

五條端到端流程:身分簽發、選擇性揭露、稅務申報、區塊最終性,以及跨境互認。

Five end-to-end flows: issuance, selective disclosure, tax filing, block finality, and cross-border recognition.

流程 A · 公民身分註冊與 DID 簽發

Flow A · Citizen registration & DID issuance

流程 B · 選擇性揭露驗證(如:證明已成年)

Flow B · Selective disclosure (e.g. prove of age)

流程 C · 稅務申報與繳納

Flow C · Tax filing & payment

流程 D · 區塊共識與最終性

Flow D · Block consensus & finality

流程 E · 跨境身分與稅務互認

Flow E · Cross-border identity & tax recognition

從語言層的記憶體安全,到密碼學層的最小揭露。

From language-level memory safety to cryptographic minimal disclosure.

鏈上治理,但受憲政層約束。(跨國治理見第 11 節)

On-chain governance, bounded by a constitutional layer. (Federation governance is in §11.)

Ferrum 的國內治理在「鏈上效率」與「憲政正當性」之間取得平衡。技術參數與驗證者集合可由鏈上提案與表決調整,但其權限邊界由憲政層(法律授權的機關與監督機制)界定,確保技術治理不逾越民主授權。

Domestic governance balances on-chain efficiency with constitutional legitimacy. Technical parameters and the validator set can be adjusted by on-chain proposal and vote, but the bounds of that authority are set by a constitutional layer (legally mandated bodies and oversight), so technical governance never exceeds its democratic mandate.

• 驗證者准入。新增或移除驗證者須經鏈上治理通過,並符合組織/地理分散要求。
• 無分叉升級。runtime 以 WASM 升級,經治理批准後全網一致切換,無需硬分叉。
• 透明度要求。提案、表決與參數變更公開可稽;緊急程序須事後公開究責。
• 技術委員會。負責安全升級的快速通道,但行動受監督並可被推翻。

• Validator admission. Adding or removing validators requires on-chain approval and must satisfy organizational/geographic diversity.
• Forkless upgrades. The runtime upgrades as WASM, switching network-wide after approval without a hard fork.
• Transparency. Proposals, votes and parameter changes are public; emergency procedures are accountable after the fact.
• Technical committee. A fast track for security upgrades, under oversight and overridable.

從規格與形式化模型,到聯邦清算與後量子互通。

From specs and formal models to federation clearing and post-quantum interop.

誠實面對這套設計的代價與未解難題。

An honest account of this design's costs and open problems.

• 中心化張力。許可制換取問責與監理相容,但本質上比無許可鏈集中。緩解:多機構、地理分散、公開狀態根與開放節點,但無法完全消除。
• 隱私 vs. 可稽核的拉鋸。授權檢視金鑰雖留稽核軌跡,但「誰能授權、在什麼門檻下」是法律與制度問題,技術只能約束、不能取代民主監督。
• 金鑰遺失與包容性。社會化回復降低風險,但弱勢與數位落差族群仍需可靠的線下代理據點。
• 法制與憲政對齊。本系統須與個資法、稅捐稽徵法及憲法保障相容,任何部署前都需完整法律審查。
• 跨境主權協調成本。聯邦治理、租稅協定數位化與成員准入皆需多邊協商,政治與外交複雜度高,進度受國際關係牽動。
• 籃子治理與匯率風險。XSU 籃子權重與準備池管理須有中立機構與明確再平衡規則,否則可能引發成員國對計價公平性的爭議。
• 跨境法遵分歧。各國個資與稅法標準不一,跨境最小揭露與資訊交換的法律基礎需逐一對齊,難以一體適用。
• 本文件性質。這是一份概念性技術設計,非可直接上線的實作。任何實際部署都必須經過獨立安全稽核、形式化驗證、法律審查與分階段試點。

• Centralization tension. Permissioning buys accountability and regulatory fit but is inherently more centralized. Mitigated by multi-institution dispersion, public state roots and open nodes — not eliminated.
• Privacy vs. auditability. Viewing keys leave a trail, but "who may authorize, under what threshold" is a legal-institutional question; technology can constrain, not replace, democratic oversight.
• Key loss & inclusion. Social recovery reduces risk, but vulnerable and less-connected groups still need reliable offline points of service.
• Legal & constitutional alignment. The system must fit data-protection law, tax law and constitutional guarantees; any deployment needs full legal review.
• Cross-border coordination cost. Federation governance, digitizing treaties and admitting members all require multilateral negotiation — politically and diplomatically complex, paced by international relations.
• Basket governance & FX risk. XSU weights and reserve management need a neutral body and clear reweighting rules, or members may dispute the fairness of denomination.
• Cross-border compliance divergence. Data and tax standards differ by country; the legal basis for cross-border minimal disclosure and information exchange must be aligned case by case.
• Nature of this document. This is a conceptual design, not a deployable implementation. Any real deployment requires independent security audit, formal verification, legal review and staged pilots.