Can Belenios be used for high stake elections?
In our opinion, none of the existing voting schemes achieve the same level of security guarantees than traditional on-site paper voting (as it is organized in France for example). Indeed, high stake elections would need schemes that simultaneously achieve vote secrecy, coercion-resistance, and verifiability, without having to place the trust in the organizing authorities nor the company running the election. Furthermore, a voting scheme should also protects against the corruption of the voters devices: even if a voter device is compromised (by a malware for example), it should still not be possible to change the vote chosen by the voter nor even to leak her vote.
Belenios fails to achieve coercion resistance: it is easy to sell the credentials and the login and passwords (unless a CAS server is used). A more sophisticated coercion attack (even when a CAS server is used) consists in requesting voters to provide the randomness used to encrypt their ballot. Our own implementation of the Belenios voting booth of course does not include this feature (that is,. leaking the random numbers) but a coercer could easily adapt our tool and provides a special voting service to voters under coercion. Another important limitation of Belenios is that it is not resistant against the corruption of the voter's device. If corrupted, your computer may leak for who you voted to a third party or could even vote for a different candidate.
Some schemes overcome these limitations but often at the price of other security or usability compromise.
For which elections is Belenios suitable?
This is a tricky question. If you consider using Belenios for some election, you should analyse the security of the system previously in use. For example, if you were using some postal paper voting, this is a good indication that Belenios can only improve security. On the other hand, if you were using on-site paper ballot voting, then it depends on how the ballot box and the tally were actually monitored. There are also cases (e.g. if you wish to use sophisticated counting system where e.g. voters rank candidates) where counting by hand is not really an option.
So we do not have a definitive answer on when to use Belenios. Our main advice is to conduct a security analysis in the same way for Belenios and the other possible systems, in particular the one previously in use (if any).
I was able to vote twice, is it normal?
Yes! In Belenios, you may vote as many times as you wish, until the election closes. Only the last vote is kept (and you may check its presence in the public ballot box using your tracking number).
Is it safe to use a Google account to administer an election?
I've seen that I must accept cookies to vote, why?
What is the difference between Belenios and Helios?
While the implementations of Belenios and Helios are distinct, the voting protocol underlying Belenios (cf corresponding research report) builds on Helios. The main difference is the use of credentials, that prevent ballot stuffing. In Belenios, each voter receives a private credential (by email) while the election server receives only the corresponding public credential. Even if the election server is compromised, no ballot can be added!
By default, the Belenios server stores the decryption key, similarly to Helios. However, the Belenios platform also provides an easy way for the election administrator to add decryption authorities. The decryption keys are then generated locally on the computer of each decryption authority and only the public keys are transmitted to the server.
Why Belenios is named Belenios?
Please direct any enquiries about Belenios to the public mailing list.