
Security overview

Electobox is built around the principle that election integrity and voter privacy must be guaranteed by cryptographic design, not by policy or trust in any single party.

Ballot encryption

When a voter submits a ballot, the browser encrypts it on the voter's own device under the trustees' combined public key before anything leaves the browser. Electobox receives and stores only ciphertext. The platform cannot read any ballot, even with full database access, because the key material needed to decrypt is never in its possession. This guarantee rests on the browser running the genuine client code, since that code is what performs the encryption.

Threshold decryption

Results can only be produced when every trustee takes part in decryption with their private key share. This is threshold encryption with the threshold set to the full number of trustees (an n-of-n split): the decryption key is mathematically divided so that all shares are required, and no subset of shares reveals anything about the key. If any trustee's share is unavailable, results cannot be produced. That is the deliberate trade-off of an n-of-n design: it maximises the protection of ballot secrecy, and in return trustees must keep their shares safe and available, because a lost or withheld share blocks the count.

This property means:

  • Electobox cannot produce results unilaterally
  • No single trustee can produce results alone
  • A compromise of the Electobox server does not expose how anyone voted

Anonymization

Before trustees are asked to decrypt, the set of encrypted ballots is anonymized: a cryptographic operation severs the link between each ciphertext and the voter who submitted it, and the operation cannot be reversed by anyone, Electobox included. Decryption therefore yields a collection of votes, not a mapping from voters to votes, so even after full decryption it is impossible to determine how any individual voted.
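The three mechanisms described so far (encryption to a combined trustee key, n-of-n decryption from partial results, and anonymization before decryption) fit in one worked example. The code below is an added illustration, not Electobox's code, and it makes assumptions the page does not state: it uses ElGamal in a toy 14-bit safe-prime group (readable, but useless for real security), exponential ElGamal encoding of the candidate index, and a single re-encrypt-and-shuffle pass as the anonymization step, whereas a deployed system would use a 256-bit curve or a 2048-bit+ MODP group, a distributed key generation with proofs, and a verifiable mixnet. The names `Trustee`, `combined_public_key`, `anonymize` and `tally` are this example's own.

```python
# Constructed example, not Electobox's code. Toy parameters: a 14-bit safe
# prime is readable but useless for security; a real deployment would use a
# 256-bit curve or 2048-bit+ MODP group, a distributed key generation with
# proofs, and a verifiable mixnet instead of this single unproven shuffle.
import random
import secrets

P = 10007               # safe prime, p = 2q + 1
Q = (P - 1) // 2        # prime order of the subgroup of squares mod p
G = 4                   # 2^2 generates that order-q subgroup
_sysrand = random.SystemRandom()

def rand_exponent() -> int:
    """Uniform secret exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1

def encode(choice: int) -> int:
    """Exponential ElGamal: candidate index -> group element g^choice."""
    return pow(G, choice, P)

def decode(elem: int, n_candidates: int) -> int:
    """Invert encode() over the small candidate range by table lookup."""
    for c in range(n_candidates):
        if pow(G, c, P) == elem:
            return c
    raise ValueError("decryption did not yield a valid ballot")

class Trustee:
    """Holds one private share x_i; reveals only c1^x_i, never x_i."""

    def __init__(self):
        self._x = rand_exponent()
        self.y = pow(G, self._x, P)          # public share, published

    def partial_decrypt(self, c1: int) -> int:
        return pow(c1, self._x, P)

def combined_public_key(trustees) -> int:
    """y = prod(y_i) = g^(x_1 + ... + x_n): the key the browser encrypts to."""
    y = 1
    for t in trustees:
        y = y * t.y % P
    return y

def encrypt(y: int, choice: int) -> tuple:
    """Browser side: (g^r, m * y^r). Only this pair leaves the device."""
    r = rand_exponent()
    return pow(G, r, P), encode(choice) * pow(y, r, P) % P

def reencrypt(y: int, ct: tuple) -> tuple:
    """Fresh randomness, same plaintext: (c1 * g^s, c2 * y^s)."""
    s = rand_exponent()
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(y, s, P) % P

def anonymize(y: int, ciphertexts: list) -> list:
    """Re-encrypt every ballot, then shuffle. Anyone holding only the output
    (server, trustees, auditors) cannot match it back to the input; the party
    running the mix does see the permutation, which is why production systems
    chain several independent mixers with proofs of correct shuffling."""
    out = [reencrypt(y, ct) for ct in ciphertexts]
    _sysrand.shuffle(out)
    return out

def decrypt(partials: list, ct: tuple) -> int:
    """m = c2 / prod(c1^x_i). If share j is missing the product is
    c1^(x - x_j), so the result is m * c1^x_j and never m."""
    d = 1
    for f in partials:
        d = d * f % P
    return ct[1] * pow(d, -1, P) % P

def tally(trustees: list, y: int, ciphertexts: list, n_candidates: int) -> list:
    """Anonymize first, then decrypt each ballot with every trustee present."""
    votes = []
    for ct in anonymize(y, ciphertexts):
        partials = [t.partial_decrypt(ct[0]) for t in trustees]
        votes.append(decode(decrypt(partials, ct), n_candidates))
    return votes

if __name__ == "__main__":
    trustees = [Trustee() for _ in range(3)]
    y = combined_public_key(trustees)
    choices = [0, 2, 1, 2, 2, 0]                    # constructed sample votes
    ballots = [encrypt(y, c) for c in choices]     # all the server ever holds
    print("tally:", sorted(tally(trustees, y, ballots, 3)))
    c1, _ = ballots[0]
    full = [t.partial_decrypt(c1) for t in trustees]
    m = encode(choices[0])
    print("all trustees :", decrypt(full, ballots[0]) == m)
    print("one missing  :", decrypt(full[1:], ballots[0]) == m)
    print("server alone :", decrypt([], ballots[0]) == m)
```

The `decrypt` docstring states the property behind the bullet list above: because `r` and every `x_j` are non-zero modulo the prime group order, a missing share always leaves a non-trivial factor `c1^x_j` in the result, so neither the server (zero shares) nor any proper subset of trustees can recover a ballot. Note also that decryption only happens on the output of `anonymize`, so the decrypted list is in shuffled order with fresh ciphertexts and carries no trace of submission order.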

Each voter receives a unique link that can be used exactly once. As soon as a ballot is submitted through it, the link is permanently deactivated. Double voting is therefore blocked at the link level, before a second ballot can be accepted, rather than only by a check in the database afterwards.
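The page does not say how the single-use links are implemented, so the following is an added example of one sound way to do it, not Electobox's code. It assumes an in-memory SQLite database standing in for the real store and a link shape `https://vote.example/b/<token>`; both are this example's own choices. Two details matter: only a hash of the token is stored, so a leaked database does not yield working links, and the link is spent by a single conditional `UPDATE` inside the same transaction that stores the ciphertext, so two submissions with the same link (including two arriving at the same time) cannot both succeed, and a failed write does not burn the link.

```python
# Constructed example, not Electobox's code: the page does not describe how
# links are implemented. In-memory SQLite stands in for the real database.
import hashlib
import secrets
import sqlite3

BASE_URL = "https://vote.example/b/"      # assumed link shape

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE links (token_hash TEXT PRIMARY KEY,"
               " voter_id TEXT NOT NULL, used INTEGER NOT NULL DEFAULT 0)")
    # Deliberately no voter column: a stored ciphertext is never tied to a voter.
    db.execute("CREATE TABLE ballots (id INTEGER PRIMARY KEY, ciphertext BLOB NOT NULL)")
    return db

def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_link(db: sqlite3.Connection, voter_id: str) -> str:
    """256 bits from the OS CSPRNG: unique and unguessable. The plaintext
    token exists only in the link handed to the voter."""
    token = secrets.token_urlsafe(32)
    with db:
        db.execute("INSERT INTO links (token_hash, voter_id) VALUES (?, ?)",
                   (_token_hash(token), voter_id))
    return BASE_URL + token

def submit_ballot(db: sqlite3.Connection, link: str, ciphertext: bytes) -> bool:
    """Spend the link and store the ciphertext in one transaction. The WHERE
    clause does the check and the flip in a single statement, so there is no
    read-then-write window in which two requests both see used = 0. If the
    INSERT fails, the transaction rolls back and the link stays live."""
    token = link[len(BASE_URL):] if link.startswith(BASE_URL) else link
    with db:
        cur = db.execute("UPDATE links SET used = 1"
                         " WHERE token_hash = ? AND used = 0",
                         (_token_hash(token),))
        if cur.rowcount != 1:
            return False                   # unknown or already-used link
        db.execute("INSERT INTO ballots (ciphertext) VALUES (?)", (ciphertext,))
    return True

def count_ballots(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM ballots").fetchone()[0]
```

Run against a single issued link, the first `submit_ballot` returns `True` and stores the ciphertext; a second call with the same link, or a call with a made-up token, returns `False` and writes nothing.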

Auditability

Electobox generates cryptographic proofs alongside the election record. Together with the anonymized ballot export, they let anyone independently verify that the published results match the collected ballots, without learning anything about any individual voter.
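The page does not say which proofs Electobox publishes, so as an added illustration (not Electobox's code) here is the kind of check an auditor runs on a threshold decryption: a Chaum-Pedersen proof that a trustee's partial decryption `d = c1^x` was computed with the same secret `x` behind its published share `y = g^x`, without revealing `x`. The toy group parameters are this example's assumption and are far too small for real use; the Fiat-Shamir hashing and the function names are likewise the example's own.

```python
# Constructed example, not Electobox's code; the page does not say which
# proof system Electobox uses. Chaum-Pedersen proof of equal discrete logs,
# made non-interactive with Fiat-Shamir. Toy group: far too small for real use.
import hashlib
import secrets

P, Q, G = 10007, 5003, 4            # safe prime p = 2q + 1, g generates order q

def challenge(*vals: int) -> int:
    """e = H(every public value in the transcript) mod q."""
    h = hashlib.sha256("|".join(map(str, vals)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove_partial(x: int, y: int, c1: int, d: int) -> tuple:
    """Trustee side: prove log_g(y) == log_c1(d) (both equal x). Returns (a, b, z)."""
    w = secrets.randbelow(Q - 1) + 1
    a, b = pow(G, w, P), pow(c1, w, P)
    e = challenge(G, y, c1, d, a, b)
    return a, b, (w + e * x) % Q

def verify_partial(y: int, c1: int, d: int, proof: tuple) -> bool:
    """Auditor side: needs only the public transcript, no secret."""
    a, b, z = proof
    e = challenge(G, y, c1, d, a, b)
    return (pow(G, z, P) == a * pow(y, e, P) % P
            and pow(c1, z, P) == b * pow(d, e, P) % P)

def demo() -> tuple:
    """Honest partial decryption verifies; a substituted factor does not."""
    x = secrets.randbelow(Q - 1) + 1                 # a trustee's private share
    y = pow(G, x, P)                                 # its published public share
    c1 = pow(G, secrets.randbelow(Q - 1) + 1, P)     # first half of a ballot ciphertext
    d = pow(c1, x, P)                                # honest partial decryption
    proof = prove_partial(x, y, c1, d)
    honest = verify_partial(y, c1, d, proof)
    # A trustee that swaps in a bogus factor (which would shift the decrypted
    # value) has no proof for it: d enters the challenge, so the check fails.
    forged = verify_partial(y, c1, d * G % P, proof)
    return honest, forged
```

An auditor with the export, the trustees' public shares and the proof transcripts re-runs `verify_partial` for every partial decryption and then recombines the partials to confirm the published tally, with no access to any private share. A proof of correct shuffling for the anonymization step is the other half of such an audit and is not shown here.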

For full technical details, see Security & Compliance.