Strip governance to its operations and the list is short. A group must be able to establish who belongs. Its members must be able to communicate privately. They must be able to decide questions by vote. And they must be able to prove, to themselves and to others, what was decided.
Each of these operations has well-understood cryptographic implementations. Membership can be attested through multi-signature schemes where every member co-signs a roster hash [Bellare and Neven, 2006]. Voting can be conducted through commit-reveal protocols that guarantee ballot secrecy, tamper-evidence, and independent verifiability [Benaloh, 1987, Adida, 2008]. Communication can be encrypted end-to-end with authenticated ciphers. Proofs of outcome can be encoded as self-contained artifacts—files that anyone can verify without trusting any authority.
None of this is new. What is underexplored is the implication: if governance is a set of computations, then the infrastructure conventionally associated with governance—the standing bureaucracies, the persistent databases, the centralized registries—is not a requirement of the operations themselves. It is packaging. And the packaging has a cost.
Every existing approach to collective decision-making bundles the simple operations of governance with infrastructure dependencies that restrict who can use them.
Institutional governance requires legal standing, a jurisdiction, physical or organizational infrastructure, and ongoing administration. Forming an institution is expensive in time, money, and expertise. For a diaspora community, an informal collective, or a group of workers in a hostile environment, the overhead of incorporation is often the entire barrier.
Platform-mediated governance (online polls, shared documents, chat platforms) reduces the infrastructure burden but introduces a different dependency: trust in a third party. The platform operator can observe deliberations, alter records, de-platform participants, or comply with external demands for data. For groups whose organizing is sensitive, this is not a theoretical concern.
Blockchain governance (DAOs, on-chain voting) removes the trusted third party but substitutes capital requirements and permanent public records. Participation typically requires holding tokens, which requires purchasing them, which requires access to exchanges, which requires identity verification. And every action is permanently, publicly recorded—an unusual property to impose on groups that may have good reasons for discretion.
In each case, the governance operations themselves are simple. What makes them inaccessible is the surrounding infrastructure. The operations are bundled with dependencies, and the dependencies are the bottleneck.
Zero-state governance is the proposal that these operations can be unbundled from their infrastructure dependencies entirely. The model has three properties:
The requirements are minimal: a network connection and a shared secret. No accounts, no servers, no legal entity, no capital. Identity is derived from a passphrase—the same passphrase always yields the same cryptographic key, so a person can be recognized across sessions without any registration system.
A proof-of-concept implementation of this model, called Cauldron1 , provides working tools for ephemeral encrypted deliberation, commit-reveal voting with full verifiability, multi-signature membership attestation, and encrypted document transfer. The tools are open-source, written with zero external dependencies, and require nothing to run but a binary and a passphrase.
Zero-state governance has properties that follow directly from the absence of persistent infrastructure:
No apparatus to capture. Institutional capture—the subversion of governance machinery for private ends—requires machinery that persists long enough to be subverted. An ephemeral process has no standing apparatus, and between sessions, there is nothing to attack, seize, or pressure.
Privacy as architecture. Data that is never stored cannot be leaked, intercepted, or compelled. Deliberations held only in memory are not recoverable after the session. Votes that are cryptographically anonymized and then destroyed cannot be de-anonymized by a future adversary. This is not privacy as policy (a promise that can be broken) but privacy as mathematical property.
Accessibility. The only prerequisites are a network connection and a passphrase. There is no registration, no identity verification, no fee, no legal filing. The barrier to entry is knowing the passphrase.
The limitations are equally direct:
Scale. The current model is synchronous—all participants must be present for a ceremony. This works for groups of dozens, not thousands. Asynchronous variants are possible but introduce new attack vectors (timing, selective availability) that are open problems.
Adversarial hosts. A session host cannot falsify outcomes (the cryptography prevents this) but can deny service—refuse to advance phases or selectively drop participants. Mitigations (host rotation, replication) are well-understood in distributed systems but add complexity.
Identity. A passphrase is not a person. Passphrases can be shared, forgotten, or coerced. For contexts requiring strict one-person-one-vote guarantees, additional identity verification is needed, at the cost of introducing external dependencies.
Legal standing. No jurisdiction recognizes a cryptographic artifact as a binding collective decision. Zero-state governance currently operates only in spaces where legal recognition is unnecessary or unavailable.
Accountability. Ephemerality is in tension with auditability. If nothing is recorded by default, there is no trail to review after the fact. This is a tunable parameter—participants can choose to preserve records—but the default is forgetting.
The contribution of this paper is not the toolkit but the observation that motivates it: governance operations are simple, and the reason many groups cannot perform them is packaging, not complexity.
If this observation is correct, the design space for collective decision-making is much wider than existing tools suggest. The conventional assumption—that governance requires institutions, or at least platforms, or at least blockchains—conflates the operations with their packaging. Once separated, the operations can be performed by anyone with a computer and a shared secret.
This does not mean zero-state governance can replace existing institutions at scale. It clearly cannot, today. The model lacks Byzantine fault tolerance, handles only small groups, and has no mechanism for legal recognition. But for the many groups that have no access to any governance infrastructure—who have no legal standing, no treasury, no permanent address, no safe platform—the relevant comparison is not with existing institutions. It is with having nothing at all.
Against that baseline, a verifiable vote and a signed roster are not a complete system of government. But they are the irreducible operations, performed without dependency, producing their own proof. That seems like a reasonable place to start.
Ben Adida. Helios: Web-based open-audit voting. In Proceedings of the 17th USENIX Security Symposium, pages 335–348, 2008.
Mihir Bellare and Gregory Neven. Multi-signatures in the plain public-key model and a general forking lemma. In Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 390–399, 2006.
Josh Cohen Benaloh. Verifiable secret-ballot elections. PhD thesis, Yale University, 1987.