Key management
Electobox uses threshold public-key encryption with the threshold set to the full set of trustees. Each election has a set of trustees, and the election public key is derived by combining the trustees' individual public keys. Decryption requires a contribution from every trustee's private key: no single trustee, and no subset of trustees, can decrypt ballots on their own.
Key generation (Action #1)
Each trustee generates their key pair independently in their browser. Generation runs entirely client-side; no private key material leaves the browser during this step. The trustee downloads the private key as a .json file and sends only the public key to Electobox.
Electobox combines the trustees' public keys to produce the election public key, which is used to encrypt all submitted ballots.
Private key storage
Trustees are responsible for storing their private key file securely. Electobox never holds, transmits, or has access to any trustee's private key at any point.
The key file should be kept in at least two separate physical locations, typically the trustee's computer and a USB drive stored elsewhere. Because decryption needs every trustee's key, a private key that is permanently lost makes the election results unrecoverable.
Key verification (Action #2)
Before voting begins, each trustee confirms they still have access to their key file. The browser reads the file locally, obtains the public key from it, compares that with the public key registered during key generation, and sends only the outcome of the comparison (match or mismatch) to Electobox. The private key itself is not transmitted.
Partial decryption (Action #3)
After the election closes and the ballots have been anonymized, each trustee loads their private key in their browser and computes a partial decryption locally. Only that partial decryption result, not the key, is uploaded to Electobox.
Electobox combines all trustees' partial decryptions to produce the final result. No individual partial decryption, and no combination that is missing even one trustee's contribution, reveals anything about the votes.
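The three trustee actions above (key generation and combination, key-file verification, and partial decryption followed by combination) are shown end to end in the following example. It is added here for illustration and is not Electobox's code; it uses distributed ElGamal over a deliberately tiny group (the page does not name the group or curve Electobox uses), an assumed layout for the .json key file, and exponential encoding of a small candidate index as the ballot. It also shows the failure mode from the text: leaving out one trustee's partial decryption never yields the plaintext.

```python
import json
import secrets

# Toy group for illustration only (assumed; the page does not name Electobox's
# group or curve). p = 2q + 1 is a safe prime and g generates the subgroup of
# prime order q. A real deployment uses a 2048-bit-or-larger group or an
# elliptic curve, but the protocol steps are identical.
P = 1019
Q = 509
G = 4


class Trustee:
    """One trustee's key pair. The private exponent stays inside this object
    (in the trustee's browser, in Electobox's design); only pk is shared."""

    def __init__(self, name, sk=None):
        self.name = name
        # Action #1: private key x in [1, q-1], generated locally.
        self.sk = sk if sk is not None else secrets.randbelow(Q - 1) + 1
        self.pk = pow(G, self.sk, P)

    def key_file(self):
        # The downloaded .json key file. Field names are assumed for this example.
        return json.dumps({"trustee": self.name, "p": P, "q": Q, "g": G,
                           "x": self.sk, "y": self.pk})

    def partial_decrypt(self, ciphertext):
        # Action #3: only c1^x is uploaded; x itself never leaves the browser.
        c1, _ = ciphertext
        return pow(c1, self.sk, P)


def election_public_key(public_keys):
    # y = y_1 * ... * y_n = g^(x_1 + ... + x_n). The combined private key is
    # the sum of the trustees' exponents, which no single party ever holds.
    y = 1
    for pk in public_keys:
        y = y * pk % P
    return y


def verify_key_file(key_file, registered_pk):
    # Action #2: recompute the public key from the private exponent in the
    # file (rather than trusting the stored copy of y, so a corrupted private
    # key is caught) and compare it with the key registered at generation.
    # Only this boolean is sent to the server.
    d = json.loads(key_file)
    return d["p"] == P and d["g"] == G and pow(G, d["x"], P) == registered_pk


def encrypt(y, m, r=None):
    # Exponential ElGamal: m is a small integer (a candidate index) encoded as
    # g^m. The ciphertext is (g^r, g^m * y^r).
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(y, r, P) % P)


def combine(ciphertext, partials):
    # Multiply the partials: c1^x_1 * ... * c1^x_n = c1^x, then divide c2 by
    # it to get g^m. With trustee j missing, the product is c1^(x - x_j) and
    # the result is g^m * y_j^r, which is never g^m because r != 0 mod q.
    _, c2 = ciphertext
    d = 1
    for s in partials:
        d = d * s % P
    return c2 * pow(d, -1, P) % P


def decode(gm):
    # Recover m from g^m by trial; fine for a small candidate range.
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("not in the encoding range")


def run_election(trustees, ballot):
    y = election_public_key([t.pk for t in trustees])
    if not all(verify_key_file(t.key_file(), t.pk) for t in trustees):
        raise RuntimeError("a trustee failed key verification")
    ct = encrypt(y, ballot)
    partials = [t.partial_decrypt(ct) for t in trustees]
    return decode(combine(ct, partials))


if __name__ == "__main__":
    trustees = [Trustee("alice"), Trustee("bob"), Trustee("carol")]
    print(run_election(trustees, 2))
```

Two caveats a deployment would add that this sketch leaves out: combining public keys by multiplication is only safe if every trustee actually knows the private exponent behind the key they submit (otherwise the last trustee could choose a key that cancels the others), so production systems have each trustee attach a proof of knowledge of their private key, and each partial decryption is normally accompanied by a proof that it was computed with the registered key. The page does not say whether Electobox does either.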
Key lifecycle
| Phase | Who holds the key | What happens |
|---|---|---|
| Generation | Trustee only | Public key sent to Electobox; private key downloaded |
| Voting | Trustee only | Key not used; must be kept safe |
| Decryption | Trustee only | Partial decryption computed locally; result uploaded |
| After decryption | Trustee (for audit) | Key can be retained for audit purposes or discarded |