This seems a bit confusing and their documentation page was out of action when I tried it - why do the results need to be decrypted by trustees after the election? Is the concern that Helios itself isn't trustworthy to hold a key? And why do they need all trustees instead of a quorum of trustees by default? Not using a secret share for the real key seems like it is setting people up for this to happen and it sets up an odd dynamic where the more election trustees there are the less likely it is that the vote will be readable (in this case, if they'd only had one trustee they'd probably be in a position to read the results). In even a small group of people it is possible that one has a moderate-to-severe personal emergency in any week.
It'd be more robust in my opinion to have 4 mostly trustworthy people and a 3-in-4 secret share. That seems as good as 3 trusted people.
>why do the results need to be decrypted by trustees after the election?
Because they’re an association of cryptographers. They’ve invented all these cool encrypted voting protocols that split trust among multiple people, so of course that’s what they’re going to use.
>why do the results need to be decrypted by trustees after the election?
they probably design this system to be used for government elections, how they can convince anyone to use it when they do not use it for their own elections?
It'd be more robust in my opinion to have 4 mostly trustworthy people and a 3-in-4 secret share. That seems as good as 3 trusted people.