Belenios: A Simple Private and Verifiable Electronic Voting System

  • Véronique CortierEmail author
  • Pierrick Gaudry
  • Stéphane Glondu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11565)


We present the electronic voting protocol Belenios together with its associated voting platform. Belenios guarantees vote privacy and full verifiability, even against a compromised voting server. While the core of the voting protocol was already described and formally proved secure, we detail here the complete voting system from the setup to the tally and the recovery procedures.

We comment on the use of Belenios in practice. In particular, we discuss the security choices made by election administrators w.r.t. the decryption key and the delegation of some setup tasks to the voting platform.


  1. 1.
    Belenios – Verifiable online voting system.
  2. 2.
    Exigences techniques et administratives applicables au vote électronique. Chancellerie fédérale ChF (2014). Swiss recommendation on e-votingGoogle Scholar
  3. 3.
    Adida, B.: Helios: web-based open-audit voting. In: 17th USENIX Security Symposium (Usenix 2008), pp. 335–348 (2008)Google Scholar
  4. 4.
    Adida, B., de Marneffe, O., Pereira, O., Quisquater, J.-J.: Electing a university president using open-audit voting: analysis of real-world use of Helios. In: Electronic Voting Technology Workshop/Workshop on Trustworthy Elections. USENIX, August 2009Google Scholar
  5. 5.
    Arapinis, M., Cortier, V., Kremer, S.: When are three voters enough for privacy properties? In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 241–260. Springer, Cham (2016). Scholar
  6. 6.
    Barthe, G., Dupressoir, F., Grégoire, B., Kunz, C., Schmidt, B., Strub, P.-Y.: EasyCrypt: a tutorial. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2012-2013. LNCS, vol. 8604, pp. 146–166. Springer, Cham (2014). Scholar
  7. 7.
    Bell, S., et al.: STAR-vote: a secure, transparent, auditable, and reliable voting system. In: Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE 2013) (2013)Google Scholar
  8. 8.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM CCS 1993 (1993)Google Scholar
  9. 9.
    Benaloh, J.: Simple verifiable elections. In: USENIX Security Symposium (EVT 2006) (2006)Google Scholar
  10. 10.
    Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: A comprehensive analysis of game-based ballot privacy definitions. In: 36th IEEE Symposium on Security and Privacy (S&P 2015), pp. 499–516. IEEE Computer Society Press, May 2015Google Scholar
  11. 11.
    Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-Shamir heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012). Scholar
  12. 12.
    Blanchet, B.: Automatic verification of security protocols in the symbolic model: the verifier ProVerif. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2012-2013. LNCS, vol. 8604, pp. 54–87. Springer, Cham (2014). Scholar
  13. 13.
    Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Signatures on randomizable ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 403–422. Springer, Heidelberg (2011). Scholar
  14. 14.
    Chaidos, P., Cortier, V., Fuchsbauer, G., Galindo, D.: BeleniosRF: a non-interactive receipt-free electronic voting scheme. In: 23rd ACM Conference on Computer and Communications Security (CCS 2016), Vienna, Austria, pp. 1614–1625 (2016)Google Scholar
  15. 15.
    Clarkson, M.R., Chong, S., Myers, A.C.: Civitas: toward a secure voting system. In: IEEE Symposium on Security and Privacy (S&P 2008), pp. 354–368. IEEE Computer Society (2008)Google Scholar
  16. 16.
    Cortier, V., Dragan, C.C., Strub, P.-Y., Dupressoir, F., Warinschi, B.: Machine-checked proofs for electronic voting: privacy and verifiability for Belenios. In: 31st IEEE Computer Security Foundations Symposium (CSF 2018), pp. 298–312 (2018)Google Scholar
  17. 17.
    Cortier, V., Galindo, D., Glondu, S., Izabachene, M.: Distributed ElGamal à la Pedersen - application to Helios. In: Workshop on Privacy in the Electronic Society (WPES 2013), Berlin, Germany (2013)Google Scholar
  18. 18.
    Cortier, V., Galindo, D., Glondu, S., Izabachène, M.: Election verifiability for Helios under weaker trust assumptions. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 327–344. Springer, Cham (2014). Scholar
  19. 19.
    Cortier, V., Galindo, D., Küsters, R., Müller, J., Truderung, T.: SoK: verifiability notions for e-voting protocols. In: 36th IEEE Symposium on Security and Privacy (S&P 2016), pp. 779–798, San Jose, USA, May 2016Google Scholar
  20. 20.
    Cortier, V., Lallemand, J.: Voting: you can’t have privacy without individual verifiability. In: 25th ACM Conference on Computer and Communications Security (CCS 2018), pp. 53–66. ACM (2018)Google Scholar
  21. 21.
    Cortier, V., Smyth, B.: Attacking and fixing Helios: an analysis of ballot secrecy. J. Comput. Secur. 21(1), 89–148 (2013)CrossRefGoogle Scholar
  22. 22.
    Cuvelier, E., Pereira, O., Peters, T.: Election verifiability or ballot privacy: do we need to choose? In: 18th European Symposium on Research in Computer Security (ESORICS 2013), pp. 481–498 (2013)Google Scholar
  23. 23.
    Filipiak, A.: Design and formal analysis of security protocols, an application to electronic voting and mobile payment. Ph.D. thesis, Université de Lorraine, March 2018Google Scholar
  24. 24.
    Galindo, D., Guasch, S., Puiggalí, J.: 2015 Neuchâtel’s cast-as-intended verification mechanism. In: Haenni, R., Koenig, R.E., Wikström, D. (eds.) VOTELID 2015. LNCS, vol. 9269, pp. 3–18. Springer, Cham (2015). Scholar
  25. 25.
    Gaudry, P.: Some ZK security proofs for Belenios (2017).
  26. 26.
    Glondu, S.: Belenios specification - version 1.6 (2018).
  27. 27.
    Haenni, R., Koenig, R.E., Locher, P., Dubuis, E.: CHVote system specification. Cryptology ePrint Archive, Report 2017/325 (2017)Google Scholar
  28. 28.
    Halderman, J.A., Teague, V.: The New South Wales iVote system: security failures and verification flaws in a live online election. In: Haenni, R., Koenig, R.E., Wikström, D. (eds.) VOTELID 2015. LNCS, vol. 9269, pp. 35–53. Springer, Cham (2015). Scholar
  29. 29.
    Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Workshop on Privacy in the Electronic Society (WPES 2005), pp. 61–70. ACM (2005)Google Scholar
  30. 30.
    Kiayias, A., Zacharias, T., Zhang, B.: DEMOS-2: scalable E2E verifiable elections without random oracles. In: ACM Conference on Computer and Communications Security (CCS 2015) (2015)Google Scholar
  31. 31.
    Küsters, R., Müller, J., Scapin, E., Truderung, T.: sElect: a lightweight verifiable remote voting system. In: 29th IEEE Computer Security Foundations Symposium (CSF 2016), pp. 341–354 (2016)Google Scholar
  32. 32.
    Küsters, R., Truderung, T., Vogt, A.: Accountabiliy: definition and relationship to verifiability. In: 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 526–535 (2010)Google Scholar
  33. 33.
    Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 373–392. Springer, Heidelberg (2006). Scholar
  34. 34.
    Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). Scholar
  35. 35.
    Ryan, P.: Prêt à Voter with Paillier encryption. Math. Comput. Model. 48(9–10), 1646–1662 (2008)CrossRefGoogle Scholar
  36. 36.
    Ryan, P.Y.A., Rønne, P.B., Iovino, V.: Selene: voting with transparent verifiability and coercion-mitigation. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 176–192. Springer, Heidelberg (2016). Scholar
  37. 37.
    Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman protocols and advanced security properties. In: 25th IEEE Computer Security Foundations Symposium (CSF 2012), pp. 78–94 (2012)Google Scholar
  38. 38.
    Springall, D., et al.: Security analysis of the Estonian Internet voting system. In: 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 703–715 (2004)Google Scholar
  39. 39.
    Swamy, N., et al.: Dependent types and multi-monadic effects in F*. In: 43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2016), pp. 256–270. ACM (2016)Google Scholar
  40. 40.
    Wolchok, S., Wustrow, E., Isabel, D., Halderman, J.A.: Attacking the Washington, D.C. internet voting system. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 114–128. Springer, Heidelberg (2012). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Véronique Cortier
    • 1
    Email author
  • Pierrick Gaudry
    • 1
  • Stéphane Glondu
    • 1
  1. 1.CNRS, Inria, Univ. LorraineLorraineFrance

Personalised recommendations