How does Belenios work?
Main principles of Belenios

We provide an overview of the Belenios system. For a more detailed description, you may read the protocol description or the related research paper.

Voters

To vote, a voter needs:

  • a credential (received by email);
  • a login and password (typically received in a separate email).
Voter

Using the web interface, the voter enters her credential and selects her vote. Her computer then computes the ballot, which corresponds to the vote encrypted with the election public key. To ease the verification, only the tracking number (the hash of the ballot) is displayed. Once the ballot is sent, the voter can check that her vote has been received by simply checking that her tracking number appears on the public ballot box (which can be accessed from the web page of the election). The voter may also see the entire ballot.

Note: a voter may vote several times. Only the last ballot will be counted.

Wish to know more?

The credential is used to sign the ballot. This is a protection against ballot stuffing. Even if the election server is compromised, it is impossible to add valid ballots. Indeed, the server knows the (public) verification keys but no one can compute the corresponding private signing keys, sent to the voters by email.
The ballot is encrypted using ElGamal encryption. The ciphertext is computed together with a zero knowledge proof that guarantees that a valid choice has been encrypted (eg no more than one vote per candidate). To learn more about zero knowledge proofs, you may have a look at these slides. The precise specification of our zero knowledge proofs is available in the Belenios specification and a companion draft, with the security proofs, is available here.

Election server

Urne The election server authenticates the voters through their login and password, maintains the voting list, and displays the received ballots on the public web page of the election, provided the ballots are valid.

Wish to know more?

The election server checks the validity of the zero-knowledge proofs and verifies that ballots are correctly signed, using a key that corresponds to the initial public credentials.

Credential generation

Credentials By default, the election server generates and sends one credential for each voter. The public part of each credential is stored on the election server while the private credentials are discarded.

Alternatively, the election administrator may ask a third party to generate and send the credentials. The code for generating credentials is available in the Belenios sources.

Wish to know more?

A credential is a pure random string, used to derive a signature key pair. Only the corresponding verification keys are stored on the election server. This way, the election server may check if a ballot comes from an eligible voter (that is, the server checks that the ballot is signed with a key corresponding to one of the verification keys) but even if the server is compromised, no ballot may be added (without being detected).

Tally

By default, the election server stores the decryption key. The encryption scheme has a particular property, called a homomorphism: from the encrypted ballots, anyone can compute the encryption of the result (the sum of the votes for each candidate) by combining the ciphertexts (without using any key). This way, only the final encrypted result needs to be decrypted, which guarantees vote privacy: the ballot of an individual voter is never decrypted.

Tally

Alternatively and to distribute the trust, the election administrator may choose decryption authorities and simply send them a private link obtained from the Belenios web interface. When clicking on this link, the decryption authorities will generate locally their private key and send the corresponding public key to the election server. All the authorities need to collaborate to decrypt, offering better privacy guarantees (they need to all collude to decrypt your ballot).

Wish to know more?

The decryption authorities (that is, the election server or the authorities chosen by the election administrator) additionally produce a zero-knowledge proof of correct decryption. This way, anyone can check that the result of the election corresponds to the ballots stored on the election server.

Auditors

Belenios is end-to-end verifiable.

Audit
  • Voters may check that their vote has been counted by verifying that their ballot appears on the election server (through a public web page).
  • Anyone can check that the result corresponds to the ballots displayed on the ballot box and that no ballot has been added thanks to the credentials

We provide the appropriate tools to check the validity of an election in the Belenios sources. However, we welcome tools built by external teams, that we would be happy to refer to here. The precise protocol specification should provide all the necessary details (but of course, questions are welcome).