How to set up an election with Belenios?
Some guidelines

To set up an election with Belenios, the simplest option is to use our voting platform and let the system guide you. You will have the choice between a few options, and we explain here in more detail what they mean in practice. For more professional use, you may also prefer to run your own voting server by installing the Belenios source code. In any case, we strongly recommend running test elections beforehand so that you get familiar with the interface. Note also that depending on your country, you may have to comply with voting regulations. We describe here the CNIL (French) regulations.


To vote, a voter needs:

  • a credential (received by email);
  • a login and password (received in a separate email).

This double authentication prevents ballot stuffing: neither piece alone is enough to cast a ballot. We discuss here how the credentials and the logins/passwords are managed.

Credential management

As election organizer, you are given two options. Either the vote credentials are generated and emailed by our server, or you choose a credential authority that is in charge of this task.

  • Credentials generated by our platform. This is the simplest option. Our server generates the (private) vote credentials, emails them to the voters and stores only their public counterparts. There are, however, two drawbacks.
    • If a voter loses his credential (or never receives the email), then that voter simply cannot vote: the server keeps only the public part, so the credential cannot be resent.
    • This solution offers less security: if our server is compromised during the election setup, the attacker will be able to add ballots to the ballot box, therefore adding votes to the candidates of her choice.

  • Credentials generated by some credential authority. When setting up the election, you will be given a URL that should be transmitted to the credential authority. By clicking on that URL, the credential authority will generate (on his own computer) the private credentials and send only the public part to the voting server. This solution offers better security and makes it possible to resend credentials to voters. There is, however, one drawback.
    • The credential authority will need to email one credential to each voter. This requires some expertise, such as writing a script to send the emails.

Authentication

By default, logins and passwords specific to the election (or to a set of elections) are generated and handled by our server. We also support CAS authentication, in which case we rely on an existing authentication system (for example the INRIA CAS authentication). We recommend using this solution whenever possible, since voters are typically more careful with their professional password. Moreover, in this case, the election organizer does not have to deal directly with forgotten passwords.


Trustees and decryption keys

Votes are sent encrypted to the ballot box, using the public key of the election. As election organizer, you are given two options. Either the decryption key is generated and stored on our server, or you choose trustees who are in charge of this task.

  • Decryption key generated by our platform. This is the simplest option. Our server will generate and store the (secret) decryption key. There is, however, one important drawback.
    • This solution offers little security with respect to ballot privacy: if our server is compromised, the attacker will be able to learn the decryption key and decrypt all ballots. If she also logs which voter is associated with which ballot, she will learn how everyone voted.

  • Shared decryption keys handled by trustees. This is the solution we recommend, and it is also the one recommended by the CNIL. When setting up the election, you will have the possibility to add as many trustees as you want (the CNIL recommends 3 trustees) and, for each of them, you will be given a URL that should be transmitted to the corresponding trustee. By clicking on that URL, the trustee will generate (on his own computer) his private decryption key and send the public part to our voting server. This solution offers much better security: an attacker needs to compromise every trustee to recover the whole decryption key. However, you should be aware of the following two risks.
    • The trustees have to store their decryption keys properly. If one of the decryption keys is lost, there is no way to tally the election, and the election will simply be canceled.
    • The trustees have to store their decryption keys securely (either in a safe or using cryptographic techniques); otherwise ballot privacy may be compromised.
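As an added illustration (not Belenios code) of why every trustee is needed to tally and why a single compromised or lost key is not enough, the toy Python model below uses exponential ElGamal in a deliberately tiny group: each trustee keeps a secret share, the server only multiplies their public parts into the election key, ballots are aggregated homomorphically, and the tally is recovered only when all trustees contribute a partial decryption. The group parameters, function names and sample votes are constructed for this example; the real protocol uses far larger parameters and zero-knowledge proofs that are omitted here.

```python
import math
import secrets

# Toy group (constructed for illustration; far too small for a real election).
P = 10007   # safe prime, P = 2*Q + 1
Q = 5003    # prime order of the subgroup generated by G
G = 4       # a quadratic residue, so it generates the order-Q subgroup

def trustee_keygen():
    """Run by each trustee on their own machine: secret share x, public part G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def election_public_key(public_parts):
    """The server only ever sees the public parts and multiplies them together."""
    return math.prod(public_parts) % P

def encrypt(y, vote):
    """Exponential ElGamal: the vote sits in the exponent so ciphertexts add up."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(y, r, P) % P

def aggregate(ciphertexts):
    """Multiplying all ballots yields an encryption of the vote total."""
    alpha, beta = 1, 1
    for a, b in ciphertexts:
        alpha, beta = alpha * a % P, beta * b % P
    return alpha, beta

def partial_decrypt(x, alpha):
    """A trustee's contribution alpha^x; the share x itself never leaves the trustee."""
    return pow(alpha, x, P)

def combine(beta, factors, max_total):
    """Strip every trustee's factor, then recover the small exponent (the tally)."""
    for f in factors:
        beta = beta * pow(f, P - 2, P) % P   # multiply by the modular inverse
    for total in range(max_total + 1):
        if pow(G, total, P) == beta:
            return total
    return None   # a factor is missing or wrong: the tally cannot be recovered

def run_election(votes, n_trustees=3):
    """Returns (tally with all trustees, result when one trustee's key is missing)."""
    keys = [trustee_keygen() for _ in range(n_trustees)]
    y = election_public_key([pk for _, pk in keys])
    alpha, beta = aggregate([encrypt(y, v) for v in votes])
    factors = [partial_decrypt(x, alpha) for x, _ in keys]
    return combine(beta, factors, len(votes)), combine(beta, factors[:-1], len(votes))
```

With one trustee's share missing, the remaining factors leave a random-looking group element, so the true total is never recovered; the same holds for an attacker who obtains only some of the shares.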