To vote, a voter needs:
- a credential (received by email);
- a login and password (typically received in a separate email).
Using the web interface, the voter enters her credential and selects her vote. Her computer then computes the ballot, which corresponds to the vote encrypted with the election public key. To ease the verification, only the tracking number (the hash of the ballot) is displayed. Once the ballot is sent, the voter can check that her vote has been received by simply checking that her tracking number appears on the public ballot box (which can be accessed from the web page of the election). The voter may also see the entire ballot.
Note: a voter may vote several times. Only the last ballot will be counted.
The ballot is encrypted using ElGamal encryption. The ciphertext is computed together with a zero knowledge proof that guarantees that a valid choice has been encrypted (eg no more than one vote per candidate). To learn more about zero knowledge proofs, you may have a look at these slides. The precise specification of our zero knowledge proofs is available in the Belenios specification and a companion draft, with the security proofs, is available here.
The election server authenticates the voters through their login and password, maintains the voting list, and displays the received ballots on the public web page of the election, provided the ballots are valid.
By default, the election server generates and sends one credential for each voter. The public part of each credential is stored on the election server while the private credentials are discarded.
Alternatively, the election administrator may ask a third party to generate and send the credentials. The code for generating credentials is available in the Belenios sources.
By default, the election server stores the decryption key. The encryption scheme has a particular property, called a homomorphism: from the encrypted ballots, anyone can compute the encryption of the result (the sum of the votes for each candidate) by combining the ciphertexts (without using any key). This way, only the final encrypted result needs to be decrypted, which guarantees vote privacy: the ballot of an individual voter is never decrypted.
Alternatively and to distribute the trust, the election administrator may choose decryption authorities and simply send them a private link obtained from the Belenios web interface. When clicking on this link, the decryption authorities will generate locally their private key and send the corresponding public key to the election server. All the authorities need to collaborate to decrypt, offering better privacy guarantees (they need to all collude to decrypt your ballot).
Belenios is end-to-end verifiable.
- Voters may check that their vote has been counted by verifying that their ballot appears on the election server (through a public web page).
- Anyone can check that the result corresponds to the ballots displayed on the ballot box and that no ballot has been added thanks to the credentials
We provide the appropriate tools to check the validity of an election in the Belenios sources. However, we welcome tools built by external teams, that we would be happy to refer to here. The precise protocol specification should provide all the necessary details (but of course, questions are welcome).