How does Belenios work?
Main principles of Belenios

We provide an overview of the Belenios system. For a more detailed description, you may read the protocol description or the related research paper.

Voters

To vote, a voter needs:

  • a credential (received by email);
  • a login and password (typically received in a separate email).

Using the web interface, the voter enters her credential and selects her vote. Her computer then computes the ballot, that is, the vote encrypted with the election public key (the encryption happens on the voter's side, so the server only ever receives the ballot, never the vote in clear). To ease the verification, only the tracking number (the hash of the ballot) is displayed. Once the ballot is sent, the voter can check that her vote has been received by simply checking that her tracking number appears on the public ballot box (which can be accessed from the web page of the election). The voter may also see the entire ballot.

Note: a voter may vote several times. Only the last ballot will be counted.

Wish to know more?

The credential is used to sign the ballot. This is a protection against ballot stuffing: even if the election server is compromised, it is impossible to add valid ballots. Indeed, the server knows only the (public) verification keys, and no one can compute the corresponding private signing keys from them; the private credentials are sent to the voters by email.
The ballot is encrypted using ElGamal encryption. The ciphertext is computed together with a zero-knowledge proof that guarantees that a valid choice has been encrypted (e.g. 0 or 1 for each candidate, so no more than one vote per candidate), without revealing which choice it is. To learn more about zero-knowledge proofs, you may have a look at these slides. The precise specification of our zero-knowledge proofs is available in the Belenios specification, and a companion draft with the security proofs is available here.
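As an added example (not code from Belenios or its authors), here is the voter-side construction described above in Python: exponential ElGamal encryption of a 0/1 choice, the disjunctive Chaum-Pedersen proof that the plaintext is 0 or 1, and the check the server and auditors run on it. The group parameters, the SHA-256 challenge hash, the ballot layout and the injectable `rng` argument are simplifications assumed for this example; the Belenios specification fixes its own group, encodings and hashing.

```python
import hashlib
import secrets

# Toy group for illustration only (an assumption of this example, not the group Belenios
# uses): p = 2^127 - 1 is prime and q = 77158673929 is a prime factor of p - 1, so the
# subgroup generated by g below has prime order q. Small bases such as 2 (which has
# order 127 mod p) raise to 1, hence the search for a base that does not.
p = 2**127 - 1
q = 77158673929
g = next(x for x in (pow(h, (p - 1) // q, p) for h in range(2, 50)) if x != 1)


def challenge(*parts):
    """Fiat-Shamir challenge (simplified: SHA-256 over the public values, reduced mod q)."""
    data = ",".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(rng=None):
    """Election key pair: secret x, public y = g^x. `rng` is injectable for reproducible runs."""
    rng = secrets.SystemRandom() if rng is None else rng
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def encrypt(y, m, rng=None):
    """Exponential ElGamal: (alpha, beta) = (g^r, y^r * g^m). r is returned for the proof."""
    rng = secrets.SystemRandom() if rng is None else rng
    r = rng.randrange(q)
    return r, (pow(g, r, p), pow(y, r, p) * pow(g, m, p) % p)


def prove_zero_one(y, alpha, beta, r, branch, rng=None):
    """Disjunctive Chaum-Pedersen proof that (alpha, beta) encrypts 0 or 1.

    `branch` is the value the prover claims to have encrypted; the other branch is
    simulated. The proof is one (challenge, response) pair per branch. If the ciphertext
    does not encrypt `branch`, the result fails verification (except with probability 1/q).
    """
    rng = secrets.SystemRandom() if rng is None else rng
    other = 1 - branch
    c, s = {}, {}
    # Simulated branch: choose challenge and response first, derive matching commitments.
    c[other], s[other] = rng.randrange(q), rng.randrange(q)
    target = beta * pow(g, q - other, p) % p                      # beta / g^other
    a_other = pow(g, s[other], p) * pow(alpha, q - c[other], p) % p
    b_other = pow(y, s[other], p) * pow(target, q - c[other], p) % p
    # Real branch: honest commitments (g^w, y^w) with fresh randomness w.
    w = rng.randrange(q)
    a_real, b_real = pow(g, w, p), pow(y, w, p)
    if other == 0:
        commitments = (a_other, b_other, a_real, b_real)          # (A_0, B_0, A_1, B_1)
    else:
        commitments = (a_real, b_real, a_other, b_other)
    total = challenge(y, alpha, beta, *commitments)
    c[branch] = (total - c[other]) % q                            # the split binds both branches
    s[branch] = (w + r * c[branch]) % q
    return [(c[0], s[0]), (c[1], s[1])]


def verify_zero_one(y, alpha, beta, proof):
    """Check run by the election server and by auditors: recompute both commitments from
    the (challenge, response) pairs and verify that the challenges add up to the hash."""
    commitments = []
    for j, (c, s) in enumerate(proof):
        target = beta * pow(g, q - j, p) % p                      # beta / g^j
        commitments.append(pow(g, s, p) * pow(alpha, q - c, p) % p)
        commitments.append(pow(y, s, p) * pow(target, q - c, p) % p)
    total = challenge(y, alpha, beta, *commitments)
    return (proof[0][0] + proof[1][0]) % q == total


def make_ballot(y, m, rng=None):
    """What the voter's browser produces for one candidate: the ciphertext and its proof."""
    if m not in (0, 1):
        raise ValueError("a voter can only encrypt 0 or 1 for a candidate")
    r, (alpha, beta) = encrypt(y, m, rng)
    return {"alpha": alpha, "beta": beta, "proof": prove_zero_one(y, alpha, beta, r, m, rng)}


def check_ballot(y, ballot):
    return verify_zero_one(y, ballot["alpha"], ballot["beta"], ballot["proof"])
```

Calling `prove_zero_one` on a ciphertext of 2 while claiming branch 1 shows why the proof matters: the real-branch equations only hold when `beta / g^branch` equals `y^r`, so the proof fails and the server rejects the ballot, which is exactly the check that keeps an over-vote out of the homomorphic sum.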

Election server

The election server authenticates the voters through their login and password, maintains the voting list, and displays the received ballots on the public web page of the election, provided the ballots are valid.

Wish to know more?

The election server checks the validity of the zero-knowledge proofs and verifies that each ballot is correctly signed with a key that appears among the public credentials registered when the election was set up.

Credential generation

By default, the election server generates and sends one credential for each voter. The public part of each credential is stored on the election server while the private credentials are discarded once sent. Note that in this default mode the server handles the private credentials before discarding them, so the protection against ballot stuffing assumes the server was honest at that moment; the alternative below removes that assumption.

Alternatively, the election administrator may ask a third party to generate and send the credentials. The code for generating credentials is available in the Belenios sources.

Wish to know more?

A credential is a purely random string, used to derive a signature key pair. Only the corresponding verification keys are stored on the election server. This way, the election server can check that a ballot comes from an eligible voter (that is, that the ballot is signed with a key corresponding to one of the verification keys), but even if the server is compromised, no ballot can be added without being detected.
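To make the credential mechanism concrete, here is an added Python example (not Belenios code) of the whole path: a credential authority draws random credentials and keeps only the verification keys, a voter derives a signing key from her credential and signs her ballot, and the server accepts a ballot only if it verifies under a registered key. The group, the SHA-256 derivation of the key from the credential, the Base58-style alphabet, the 15-character length, the string stand-in for a serialised ballot and the `rng` argument are assumptions of this example, not Belenios's exact encoding.

```python
import hashlib
import secrets

# Toy group for illustration only (an assumption of this example, not the group Belenios
# uses): p = 2^127 - 1 is prime, q = 77158673929 is a prime factor of p - 1, and g
# generates the order-q subgroup (the search skips bases such as 2 whose power is 1).
p = 2**127 - 1
q = 77158673929
g = next(x for x in (pow(h, (p - 1) // q, p) for h in range(2, 50)) if x != 1)

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l


def challenge(*parts):
    """Fiat-Shamir challenge (simplified: SHA-256 over the inputs, reduced mod q)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def key_pair(credential):
    """Derive the signing key from a credential (simplified here: SHA-256 of the string
    mod q). Whoever holds the credential can recompute sk; pk = g^sk does not leak it."""
    sk = int.from_bytes(hashlib.sha256(credential.encode()).digest(), "big") % q or 1
    return sk, pow(g, sk, p)


def generate_credentials(voters, rng=None):
    """Credential authority (the server by default, or a third party): one random string
    per voter. The private strings go to the voters; the server gets only the list of
    verification keys (sorted so that its order does not say which key is whose)."""
    rng = secrets.SystemRandom() if rng is None else rng
    private = {v: "".join(rng.choices(ALPHABET, k=15)) for v in voters}
    public = sorted(key_pair(c)[1] for c in private.values())
    return private, public


def sign(credential, ballot, rng=None):
    """Voter side: Schnorr signature of the serialised ballot under the credential's key.
    Returns (pk, challenge, response); pk travels with the ballot so the server can find it."""
    rng = secrets.SystemRandom() if rng is None else rng
    sk, pk = key_pair(credential)
    w = rng.randrange(1, q)
    c = challenge(pk, pow(g, w, p), ballot)
    return pk, c, (w + sk * c) % q


def server_accepts(public_keys, ballot, signature):
    """Election server check: the key must be one of the registered public credentials and
    the signature must verify under it. The list alone does not let the server forge this."""
    pk, c, s = signature
    if pk not in public_keys:
        return False
    commitment = pow(g, s, p) * pow(pk, q - c, p) % p   # g^s * pk^-c recovers g^w
    return challenge(pk, commitment, ballot) == c
```

The two failure cases a practitioner should try are the ones the text relies on: a ballot signed with a credential the server invents itself is rejected because its key is not in the list, and a listed key without the credential behind it gives the server nothing to sign with.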

Tally

By default, the election server stores the decryption key. The encryption scheme has a particular property, called a homomorphism: from the encrypted ballots, anyone can compute the encryption of the result (the sum of the votes for each candidate) by combining the ciphertexts, without using any key. This way, only the final encrypted result needs to be decrypted, which protects vote privacy: the protocol never decrypts the ballot of an individual voter. Whoever holds the decryption key must still be trusted not to do so on its own, which is why the key can be split across several authorities, as described next.


Alternatively, and to distribute the trust, the election administrator may choose decryption authorities and simply send them a private link obtained from the Belenios web interface. When clicking on this link, each decryption authority generates its private key locally and sends only the corresponding public key to the election server. All the authorities need to collaborate to decrypt, which offers better privacy guarantees (they would all need to collude to decrypt your ballot). The flip side is that if a single authority loses its key, the result cannot be decrypted, so each authority must keep its key safe until the tally.

Wish to know more?

The decryption authorities (that is, the election server, or the authorities chosen by the election administrator) additionally produce a zero-knowledge proof of correct decryption. This way, anyone can check that the announced result corresponds to the ballots stored on the election server, without having to trust whoever holds the keys.
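The tally section above (homomorphic sum, several decryption authorities, proof of correct decryption) as an added Python example, not code from the Belenios project: each authority's public key is multiplied into the election key, the ciphertexts are multiplied to obtain the encryption of the sum, each authority contributes a decryption share with a Chaum-Pedersen proof that it used the secret behind its published key, and the result is the small exponent recovered by search. The group, the SHA-256 hashing and the `rng` parameter are assumptions of this example.

```python
import hashlib
import secrets

# Toy group for illustration only (an assumption of this example, not the group Belenios
# uses): p = 2^127 - 1 is prime, q = 77158673929 is a prime factor of p - 1, and g
# generates the order-q subgroup (the search skips bases such as 2 whose power is 1).
p = 2**127 - 1
q = 77158673929
g = next(x for x in (pow(h, (p - 1) // q, p) for h in range(2, 50)) if x != 1)


def challenge(*parts):
    """Fiat-Shamir challenge (simplified: SHA-256 over the inputs, reduced mod q)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def authority_keygen(rng=None):
    """Each decryption authority draws its secret x_i locally; only y_i = g^x_i is sent."""
    rng = secrets.SystemRandom() if rng is None else rng
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def election_key(public_shares):
    """Election public key: product of the authorities' keys, y = g^(x_1 + ... + x_n)."""
    y = 1
    for y_i in public_shares:
        y = y * y_i % p
    return y


def encrypt(y, m, rng=None):
    """Exponential ElGamal as in the voter's ballot: (g^r, y^r * g^m)."""
    rng = secrets.SystemRandom() if rng is None else rng
    r = rng.randrange(q)
    return pow(g, r, p), pow(y, r, p) * pow(g, m, p) % p


def combine(ballots):
    """Homomorphism: the componentwise product of the ciphertexts encrypts the sum of the
    votes. No key is needed, so any auditor can recompute it from the public ballot box."""
    alpha, beta = 1, 1
    for a, b in ballots:
        alpha, beta = alpha * a % p, beta * b % p
    return alpha, beta


def partial_decrypt(x, alpha, rng=None):
    """Authority i publishes alpha^x_i with a Chaum-Pedersen proof that the same x_i sits
    behind its published y_i, i.e. log_g(y_i) == log_alpha(share)."""
    rng = secrets.SystemRandom() if rng is None else rng
    share = pow(alpha, x, p)
    w = rng.randrange(q)
    c = challenge(pow(g, x, p), alpha, share, pow(g, w, p), pow(alpha, w, p))
    return share, (c, (w + x * c) % q)


def verify_partial(y_i, alpha, share, proof):
    """Anyone can check an authority's share against its public key."""
    c, s = proof
    A = pow(g, s, p) * pow(y_i, q - c, p) % p         # g^s * y_i^-c     = g^w
    B = pow(alpha, s, p) * pow(share, q - c, p) % p   # alpha^s * share^-c = alpha^w
    return challenge(y_i, alpha, share, A, B) == c


def result(alpha, beta, shares, max_votes):
    """beta / prod(shares) = g^(sum of votes); the sum is at most the number of ballots,
    so a linear search recovers it. With a share missing the value is an unrelated
    group element and the search fails."""
    d = 1
    for share in shares:
        d = d * share % p
    g_m = beta * pow(d, q - 1, p) % p                 # d^-1 in the order-q subgroup
    acc = 1
    for m in range(max_votes + 1):
        if acc == g_m:
            return m
        acc = acc * g % p
    raise ValueError("cannot decrypt: a decryption share is missing or wrong")


def run_election(votes, n_authorities, rng=None):
    """End to end: key setup, encrypted ballots, homomorphic sum, verified shares, result."""
    keys = [authority_keygen(rng) for _ in range(n_authorities)]
    y = election_key([y_i for _, y_i in keys])
    alpha, beta = combine(encrypt(y, v, rng) for v in votes)
    shares = []
    for x_i, y_i in keys:
        share, proof = partial_decrypt(x_i, alpha, rng)
        if not verify_partial(y_i, alpha, share, proof):
            raise ValueError("bad decryption proof")
        shares.append(share)
    return result(alpha, beta, shares, len(votes))
```

Dropping one share from `result` leaves `g^(sum) * alpha^(x_i)`, a group element outside the searched range, so the function raises: this is the "all authorities must collaborate" property. A share computed with the wrong secret fails `verify_partial`, which is what lets an auditor, and not only the server, trust the published result.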

Auditors

Belenios is end-to-end verifiable.

  • Voters may check that their ballot has been recorded by verifying that it appears on the election server (through a public web page).
  • Anyone can check that the result corresponds to the ballots displayed on the ballot box, and that no ballot has been added, thanks to the signatures produced with the credentials.

We provide the appropriate tools to check the validity of an election in the Belenios sources. However, we welcome tools built by external teams, which we would be happy to refer to here. The precise protocol specification should provide all the necessary details (but of course, questions are welcome).