How to set up an election with Belenios?
Some guidelines

To set up an election with Belenios:

  • The simplest option is to use our voting platform and let the system guide you. You will have the choice between a few options, and we explain here in more detail what they mean in practice.
  • For more professional use, you may also prefer to run your own voting server by installing the Belenios source code.
In any case, we strongly recommend running test elections beforehand so that you become familiar with the interface. Note also that depending on your country, you may have to comply with voting regulations. We describe here the CNIL (French) regulations.

To offer more support, a commercial service is under construction. You may contact its members to ask for more help.


To vote, a voter needs:

  • a credential (received by email);
  • a password (received in a separate email, before or during the election, depending on the authentication mode).
This double authentication prevents ballot stuffing. We discuss here how the credentials and the login/passwords are managed.

Credential management

As election organizer, you are given two options: either the vote credentials are generated and emailed by our server, or you choose a credential authority that is in charge of this task.

  • Credentials generated by our platform. This is the simplest option. Our server generates the (private) vote credentials, emails them to the voters and stores only their public counterparts. It is recommended that the election organizer save the private vote credentials, in case a voter loses theirs. The list of private credentials must be destroyed once the election is over.
    However, this solution offers less security: in case our server is compromised during the election setup, the attacker will be able to add more ballots to the ballot box, therefore adding more votes to the candidates of their choice.
  • Credentials generated by some credential authority. When setting up the election, you will be given a URL that should be transmitted to the credential authority. By clicking on that URL, the credential authority will generate (on their own computer) the private credentials and send the public part to the voting server.
    This solution offers better security and allows credentials to be resent to voters. Note that the credential authority will need to email one credential to each voter. This requires some expertise, such as writing a script for sending emails.

Authentication

  • Short passwords. By default, passwords are handled by our server: a short password, renewed for each vote, is sent to the voter when voting, using the email address provided by the voter.
  • Long-term passwords. Passwords may also be sent in advance by the server. When this authentication mode is selected, a voter may keep their password across elections, which may be useful in case of multiple elections (the administrator should then "import" voters from one election to another one).
  • CAS authentication. We also support CAS authentication, in which case we rely on an existing authentication system (for example the INRIA CAS authentication). We recommend using this solution whenever possible, since voters are typically more careful with their professional password. Moreover, in this case, the election organizer does not have to deal directly with forgotten passwords.


Trustees and decryption keys

Votes are sent encrypted to the ballot box, using the public key of the election. As election organizer, you are given two options. Either the decryption key is generated and stored on our server or you should choose trustees that are in charge of this task.

  • Decryption key generated by our platform. This is the simplest option. Our server will generate and store the (secret) decryption key. There is however one important drawback.
    • This solution offers little security w.r.t. ballot privacy: in case our server is compromised, the attacker will be able to learn the decryption key and decrypt all ballots. In case they also log which voter is associated with which ballot, they will learn how anyone voted.
  • Shared decryption keys handled by trustees. This is the solution we recommend, and it is also recommended by the CNIL. When setting up the election, you will have the possibility to add as many trustees as you want (the CNIL recommends 3 trustees) and for each of them, you will be given a URL that should be transmitted to the corresponding trustee. By clicking on that URL, the trustee will generate (on their own computer) their private decryption key and send the public part to our voting server. This solution offers much better security: an attacker needs to compromise each authority to recover the whole decryption key. However, you should be aware of the following two risks.
    • The trustees have to store their decryption keys properly. If one of the decryption keys is lost, there is no way to tally the election and the election will simply be canceled.
    • The trustees have to store their decryption keys securely (either in a safe or using cryptographic techniques) otherwise ballot privacy may be compromised.
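
The trade-off described above can be seen in a small model of a key shared among trustees. This is an added example, not Belenios code: it uses exponential ElGamal over a toy group and shows that the tally is recoverable only when every trustee contributes. Assumptions: the group parameters, function names and sample values are all hypothetical, and the zero-knowledge proofs a real system requires are omitted.

```python
import secrets

# Toy group (assumption, far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def trustee_keygen(x=None):
    """Run by each trustee on their own machine: (private share, public part)."""
    x = x or 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def election_key(public_parts):
    """Server side: the election key is the product of the trustees' public parts."""
    y = 1
    for part in public_parts:
        y = y * part % P
    return y

def encrypt(y, vote, r=None):
    """Encrypt a 0/1 vote as (g^r, y^r * g^vote) under the election key."""
    r = r or 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), pow(y, r, P) * pow(G, vote, P) % P

def aggregate(ballots):
    """Homomorphic sum: multiply the ciphertexts componentwise."""
    alpha = beta = 1
    for a, b in ballots:
        alpha, beta = alpha * a % P, beta * b % P
    return alpha, beta

def partial_decrypt(x, ciphertext):
    """Trustee side: decryption factor, computed from the private share alone."""
    return pow(ciphertext[0], x, P)

def tally(ciphertext, factors, max_votes):
    """Combine the factors; return the vote sum, or None if it is not recoverable."""
    blind = 1
    for f in factors:
        blind = blind * f % P
    target = ciphertext[1] * pow(blind, -1, P) % P
    for total in range(max_votes + 1):
        if pow(G, total, P) == target:
            return total
    return None

def demo(shares=(123, 456, 789), votes=(1, 0, 1, 1, 0), nonces=(11, 22, 33, 44, 55)):
    """Constructed election with fixed values, so the outcome is reproducible."""
    keys = [trustee_keygen(x) for x in shares]
    y = election_key([pub for _, pub in keys])
    box = aggregate([encrypt(y, v, r) for v, r in zip(votes, nonces)])
    factors = [partial_decrypt(x, box) for x, _ in keys]
    # First result: all three trustees take part. Second: the last share is lost.
    return tally(box, factors, len(votes)), tally(box, factors[:-1], len(votes))
```

With all three factors the tally is 3; with one share missing the function returns None, which is the lost-key case in which the election cannot be tallied.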