To set up an election with Belenios, the simplest option is to use our voting platform and let the system guide you. You will have the choice between a few options, and we explain here in more detail what they mean in practice. For more professional use, you may also prefer to run your own voting server by installing the Belenios source code. In any case, we strongly recommend running test elections beforehand so that you get familiar with the interface. Note also that, depending on your country, you may have to comply with voting regulations. We describe here the CNIL (French) regulations.
To vote, a voter needs:
- a credential (received by email);
- a login and password (received in a separate email).
As election organizer, you are given two options. Either the vote credentials are generated and emailed by our server, or you choose a credential authority that is in charge of this task.
- Credentials generated by our platform. This is the simplest option. Our server generates the (private) vote credentials, emails them to the voters and stores only their public counterparts. There are however two drawbacks.
  - If a voter loses their credential (or never receives the email), then this voter simply cannot vote.
  - This solution offers less security: if our server is compromised during the election setup, the attacker will be able to add more ballots to the ballot box, therefore adding more votes to the candidates of her choice.
- Credentials generated by a credential authority. When setting up the election, you will be given a URL that should be transmitted to the credential authority. By clicking on that URL, the credential authority will generate (on their own computer) the private credentials and send the public part to the voting server. This solution offers better security and allows credentials to be resent to voters. There is however one drawback.
  - The credential authority will need to email one credential to each voter. This requires some expertise, such as writing a script for sending emails.
By default, logins and passwords, specific to the election (or to a set of elections), are generated and handled by our server. We also support CAS authentication, in which case we rely on an existing authentication system (for example the INRIA CAS authentication). We recommend using this solution whenever possible, since voters are typically more careful with their professional password. Moreover, in this case, the election organizer does not have to deal directly with forgotten passwords.
Trustees and decryption keys
Votes are sent encrypted to the ballot box, using the public key of the election. As election organizer, you are given two options. Either the decryption key is generated and stored on our server, or you choose trustees that are in charge of this task.
- Decryption key generated by our platform. This is the simplest option. Our server will generate and store the (secret) decryption key. There is however one important drawback.
  - This solution offers little security with respect to ballot privacy: if our server is compromised, the attacker will be able to learn the decryption key and decrypt all ballots. If she also logs which voter is associated with which ballot, she will learn how everyone voted.
- Shared decryption keys handled by trustees. This is the solution we recommend, and it is also the one recommended by the CNIL. When setting up the election, you will have the possibility to add as many trustees as you want (the CNIL recommends 3 trustees) and, for each of them, you will be given a URL that should be transmitted to the corresponding trustee. By clicking on that URL, the trustee will generate (on their own computer) their private decryption key and send the public part to our voting server. This solution offers much better security: an attacker needs to compromise every trustee to recover the whole decryption key. However, you should be aware of the two following risks.
  - The trustees have to store their decryption keys properly. If one of the decryption keys is lost, there is no way to tally the election and the election will simply be canceled.
  - The trustees have to store their decryption keys securely (either in a safe or using cryptographic techniques); otherwise ballot privacy may be compromised.
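As an added illustration (not Belenios code, and a deliberately simplified model that uses a constructed tiny group instead of Belenios's real parameters and zero-knowledge proofs), the following Python models the trustee flow described above: each trustee keeps a private key share generated on their own machine, the server only ever holds the public parts, ballots are encrypted under the combined election key, and the tally needs a partial decryption from every trustee, so one lost key (the first risk above) leaves the result unrecoverable.

```python
# Added toy model of the trustee set-up described above, not Belenios code:
# each trustee generates an ElGamal key pair on their own machine, only the
# public part reaches the server, votes are encrypted under the combined
# election key, and tallying needs a partial decryption from EVERY trustee.
import math
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G generates the subgroup of
# prime order Q. A real deployment uses a large standardised group.
P, Q, G = 10007, 5003, 4

def trustee_keygen():
    """Runs on the trustee's own computer: keep x secret, publish y = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def election_public_key(public_shares):
    """Server side: the election key is the product of the public shares."""
    return math.prod(public_shares) % P

def encrypt_vote(y, vote):
    """Exponential ElGamal of vote in {0, 1}: (G^r, G^vote * y^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(y, r, P) % P

def combine_ballots(ballots):
    """Homomorphic aggregation: the product encrypts the sum of the votes."""
    alphas, betas = zip(*ballots)
    return math.prod(alphas) % P, math.prod(betas) % P

def partial_decrypt(x, alpha):
    """Each trustee contributes alpha^x; one share alone reveals nothing."""
    return pow(alpha, x, P)

def tally(beta, partials, n_voters):
    """Divide out every partial decryption, then find the count by search."""
    g_sum = beta * pow(math.prod(partials) % P, -1, P) % P
    for s in range(n_voters + 1):
        if pow(G, s, P) == g_sum:
            return s
    return None  # no valid count: a share is missing or wrong

def run_election(votes, n_trustees, lost_key=False):
    """Full flow; lost_key=True simulates one trustee losing their key."""
    keys = [trustee_keygen() for _ in range(n_trustees)]
    y = election_public_key([pub for _, pub in keys])
    alpha, beta = combine_ballots([encrypt_vote(y, v) for v in votes])
    usable = keys[1:] if lost_key else keys
    return tally(beta, [partial_decrypt(x, alpha) for x, _ in usable], len(votes))
```

With all three trustees present the count of "1" votes is recovered; drop one trustee's key and the same ballots yield either no valid count or a wrong one, which is exactly why lost keys cancel the election.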