
Buterin floats iO to remove trusted committees from private onchain voting
He says the most conservative designs are “galactic” to compute, keeping the idea in research mode for now.
Vitalik Buterin outlined a cryptographic design that could eventually enable private, collusion-resistant onchain voting without relying on trusted vote-decryption committees. He argued the approach is not practical today because current indistinguishability obfuscation constructions are either computationally extreme or depend on weaker security assumptions.
Key Takeaways
- Indistinguishability obfuscation (iO) was presented as a path to private, collusion-resistant onchain voting that does not rely on trusted threshold committees.
- The proposed design uses protected programs that can be executed for a result while revealing only the final tally, aiming for “almost no trust assumption.”
- Conservative iO constructions were described as requiring “galactic” computation, while faster variants lean on less-tested security assumptions.
- Buterin also earmarked 16,384 ETH (about $45 million at the time) on Jan. 30 for privacy, open infrastructure, and self-sovereign tools; the year of the allocation was not specified.
Buterin’s iO Pitch: Private DAO Voting Without Trusted Decryptors
Vitalik Buterin published a technical essay describing how indistinguishability obfuscation (iO) combined with blockchain infrastructure could support private, collusion-resistant onchain voting with “almost no trust assumption.” The core target is a familiar governance weak point: private onchain voting systems that depend on threshold committees, where a group jointly decrypts voting data and is assumed to safeguard ballot secrecy and behave honestly.
Buterin’s framing is explicit about the trade. Removing committee trust could reduce insider interference risk and make governance harder to manipulate, while letting participants vote without exposing how they voted. For governance traders, that is a security-design signal, not a near-term catalyst. The essay itself stresses that iO voting is not deployable today.
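The committee model described above, shown as an added example (not code from Buterin's essay or from this article): a toy 2-of-3 threshold tally in Python. Exponential ElGamal is an assumed scheme chosen for illustration, since the article names none; the group parameters, function names and sample ballots are constructed.

```python
import secrets

# Constructed toy group: safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup.
# Far too small for real use; chosen so the example runs instantly.
P, Q, G = 2039, 1019, 4

def keygen(t, n):
    """Shamir-share a secret key among n committee members; any t can decrypt."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]  # coeffs[0] is the key
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares

def encrypt(pub, vote):
    """Exponential ElGamal: ciphertexts multiply, plaintext votes add."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(G, vote, P) * pow(pub, r, P) % P

def aggregate(ballots):
    c1 = c2 = 1
    for a, b in ballots:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def committee_decrypt(shares, members, ct, max_value):
    """Members publish c1^share; Lagrange coefficients combine them into c1^key."""
    mask = 1
    for i in members:
        lam = 1
        for j in members:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        mask = mask * pow(pow(ct[0], shares[i], P), lam, P) % P
    target = ct[1] * pow(mask, -1, P) % P
    # The plaintext is G^value; value is small, so search for it.
    return next(v for v in range(max_value + 1) if pow(G, v, P) == target)

def demo():
    votes = [1, 0, 1, 1, 0]                 # constructed sample ballots
    pub, shares = keygen(t=2, n=3)
    ballots = [encrypt(pub, v) for v in votes]
    quorum = [1, 3]                         # any 2 of the 3 members
    tally = committee_decrypt(shares, quorum, aggregate(ballots), len(votes))
    # Nothing in the cryptography limits the same quorum to the aggregate:
    singles = [committee_decrypt(shares, quorum, b, 1) for b in ballots]
    return tally, singles

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the tally together with every individual vote recovered by the same quorum, which is the honesty assumption placed on the committee that the iO design aims to remove.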
How iO Would Work: Protected Programs That Only Output the Tally
Buterin described iO as cryptography that turns software into a protected program. Users can run it and receive the intended output, but they cannot inspect the internal code or extract data stored inside it. He characterized the technique as hiding the code rather than the information being processed.
Applied to voting, the protected program would embed the logic to process encrypted ballots and output only the final tally, without revealing individual votes. In Buterin’s design, that obfuscated program replaces the threshold committee’s role as the decryption bottleneck. If that ever becomes viable, it directly attacks the trust surface that private voting inherits today: a small set of operators sitting between encrypted ballots and the revealed result.
The constraint is feasibility. Buterin wrote that the most conservative iO constructions require “galactic” amounts of computation. He also noted that faster approaches exist, but they rely on less-tested security assumptions. That combination keeps the proposal firmly in research territory, with the main value today being direction-setting for governance security rather than immediate implementation.
Why the Chain Still Matters in an iO Voting Design
Buterin argued blockchains still matter even if iO does the privacy heavy lifting. An obfuscated program cannot prevent itself from being copied, and it cannot independently maintain changing information.
That point matters for market structure around governance. Even with a protected program, the chain remains the coordination layer that anchors state, ordering, and execution context. In other words, iO is pitched as a way to reduce trust in the vote-reveal mechanism, not as a replacement for the blockchain’s role in synchronizing who voted, when, and under what rules.
Signals to Watch
The next useful signal is specificity on the “faster approaches” Buterin referenced, including what security assumptions they require and whether any are considered viable for adversarial governance settings. A second signal is concrete milestones from Ethereum researchers for when iO-based private voting could be testable beyond theory, since no timeline was provided.
Traders should also watch for prototypes that actually implement the “protected program reveals only the outcome” model on blockchain infrastructure. Finally, Buterin’s Jan. 30 earmark of 16,384 ETH (about $45 million at the time) needs clarification on the year and whether the allocation is connected to iO and voting research or is simply part of a broader privacy tooling push.
What This Signals for Ethereum Governance Risk—And What It Doesn’t
I treat this essay as a governance-security research signal, not a trigger for repricing. Buterin is clear that today’s iO is either “galactic” to compute or dependent on less-tested assumptions, which is the opposite of what you want for production governance that will be attacked.
The threshold that matters is whether iO can move from a theoretical committee-replacement story into a prototype that runs on real blockchain infrastructure without importing new trust assumptions through the back door. If that holds, the setup starts to look structural rather than narrative-driven, because it would remove a known trust bottleneck in private voting instead of merely reshuffling it.