August 4th, 2024

Belenios: A Verifiable Online Voting System

Belenios is an online voting system ensuring vote privacy and verifiability, recently updated to version 2.5.1, enhancing security and user experience while supporting various voting methods and languages.


Belenios is a verifiable online voting system designed to ensure vote privacy and verifiability, making it suitable for various elections, including referendums. The platform employs encryption to protect voter anonymity and allows voters to confirm their votes have been counted. Recent updates include the release of Belenios 2.5.1, which addresses an issue with the Distributed Key Generation scheme, enhancing security by adding an extra signature field. Previous versions introduced features such as a restricted mode for security compliance, improved voter credential management, and a new admin interface for easier election setup. Belenios supports various voting methods, including preferential voting and weighted votes, and has expanded its language offerings. The platform has undergone numerous updates since its inception, focusing on security enhancements, user experience improvements, and compliance with regulations like GDPR. The system is hosted on a new public server to improve availability, and the development team encourages user feedback and contributions, particularly in translation efforts. Belenios aims to provide a robust and user-friendly solution for online voting, ensuring transparency and security in the electoral process.

AI: What people are saying
The comments on the Belenios online voting system reveal several concerns and perspectives regarding digital voting.
  • Trust and Legitimacy: Many commenters emphasize that trust in the voting process is more crucial than mere verifiability, arguing that without trust, elections lack legitimacy.
  • Vote Selling and Coercion: Several comments highlight the risks of vote selling and coercion inherent in online voting systems, questioning their ability to protect voter privacy.
  • Physical Presence: There is a strong sentiment that requiring physical presence at polling stations is important for preventing fraud and ensuring voter engagement.
  • Technical Vulnerabilities: Commenters express skepticism about the security of digital voting systems, citing potential issues like Sybil attacks and the integrity of electronic ballot machines.
  • Preference for Traditional Methods: A number of users advocate for traditional paper ballots and in-person voting as more reliable and secure alternatives to digital systems.
30 comments
By @atoav - 9 months
One important thing about any voting system – digital or not – is that it has to be good at producing agreeable consent. That means bitter, betrayed and hurt (but reasonable/democratic!) losing parties need to be able to say: yeah we accept the result because we are confident in the outcome of the election.

This is something all digital systems are really bad at, even if everything is readable and verifiable, unless all your members know how to read that code.

Edit: and even if they know how to read that code, can they trust the machines are running that code at the big day?

By @exabrial - 9 months
Personally I love the idea of a fully verifiable election. I do think the current election protocol my county uses is pretty good: you present id in one room, they check your eligibility, then you’re given an anonymous ticket, in another room you vote using said ticket, and get a receipt. You can see your vote counted online using said receipt.

There are two problems with this: 1. You can’t verify extra or ineligible voters voted. 2. It relies on trust that to tell you your vote was counted.

I am very interested in reading about this protocol, and it might make a fun hobby to reimplement it as a research project.

The one issue I have is: the act of physically showing up is an important one. Mass stuffing of ballot boxes is nearly impossible when physical presence is required. It also puts ‘your ass in the game’, meaning you really care so to speak; as you have to do a minor piece of physical labor in order to get your vote counted.

If this protocol could be adapted to the physical world, I think it would be perfect barring any other issues.

By @gloosx - 9 months
Personally I think the biggest flaw in any online voting system is that a network-connected computing device cannot be trusted by any party. Email inbox can not be trusted or verified. Such a simplistic online voting would never stand a chance against malicious actors who are somewhat more sophisticated and creative.

The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot, but it will never be an effective system on top of the current network architecture. You have to show up personally to vote. Like can you imagine voting with SMS or something? This is complete nonsense.

However I think this tool would work pretty good on a smaller community scale.

By @tromp - 9 months
> Using the web interface, the voter enters her credential and selects her vote. Her computer then computes the ballot, which corresponds to the vote encrypted with the election public key.

Like most (or all?) online protocols, this doesn't protect against vote selling or vote coercion.

By @trte9343r4 - 9 months
In reality private keys will be mailed in insecure envelopes, issued multiple times (just to be sure) or issued to people, who are not citizens, moved away or died.
By @throwaway48476 - 9 months
The goal of a voting system is not verifiability, but trust. Without trust elections have no legitimacy.
By @oakesm9 - 9 months
Tom Scott videos which cover why electronic voting is a bad idea:

https://youtu.be/w3_0x6oaDmI?si=kGDOYOb_RiiQaZ3u

https://youtu.be/LkH2r-sNjQs?si=YdQgNC4uUZDUDbab

By @sylware - 9 months
Nothing will beat the paper with physical verification/monitoring of people from different parties with the details of the end results properly published for everybody to double check.

The only way to trust voting machines (which could be rigged before delivery), would be to physically watch which buttons the voters did press, and manually account it... which would violate the core rule of anonymity, that to avoid retaliation.

By @flanked-evergl - 9 months
I would love to see constitutional amendments in every western country that outlaws all forms of electronic voting.
By @gxt - 9 months
There is a contradiction on the first page. If "ballots are signed by the voter credential" then there is no vote privacy.

Electronic voting systems must be prohibited across the board. Every system is vulnerable, electronic systems are all remote controllable, I much prefer to have a person within the jurisdiction to go after than someone outside of it.

I don't understand why it's ever made out to be more complex than that.

By @catapart - 9 months
Awesome! I hadn't heard of this.

Obviously not something that seems reasonable for government implementation, but this seems like it would be great for soliciting a specific kind of feedback about a project or business. Board elections, or product reviews from third party stakeholders, or stuff like that.

Truly auditable voting is definitely a tough enough problem that I'd never want to tackle it myself, so I'm glad this is available should I ever find a use for it!

By @9dev - 9 months
Can you even reliably verify the entire voting process? From individuals using digital devices to votes being counted and tallies confirmed?
By @egberts1 - 9 months
The many ways that an electronic ballot machine can lose its integrity:

https://x.com/TallJohnSilver/status/1721918130568511822

By @stoical1 - 9 months
Current and past voting systems have always been counterpart to boundaries of land, thus government of that land. Physically showing up at the polling station is symbolic enough for that realisation
By @cqqxo4zV46cp - 9 months
As usual, good old fashioned pen and paper is worlds better than this or any other attempt by overzealous tech people with a hammer looking to hit this particular nail.
By @codedokode - 9 months
This is not about government elections, right? Because it seems to have no protection from creating millions of fake accounts and voting in their name.

Another problem with electronic voting is that votes can be bought or people might be pressured to vote a specific way. The voter might save hashes/keys as a proof that they voted for a certain candidate and this can be used as a basis for payout or not being punished.

By @sputr - 9 months
We did something similar with eglasovanje.si (currently only in Slovenian). Our idea is that secret online elections do not need a technological solution, but a procedural one.

We wrote a whole bunch on the topic here (again, use automatic translation) https://eglasovanje.si/vsi-clanki

By @smfjaw - 9 months
I wonder why no one has introduced a hybrid of the two, for example, you have a private key on your Gov ID, you turn up to the polling station, sign your paper with your ID, bob's your dads brother.

Seems like this would solve the ballot stuffing issues as well as being easily electronically verifiable, it's just not a fully digital solution

By @pjkundert - 9 months
Use homomorphic encryption to allow a voter to create multiple “valid” keys from their root key, and sell those votes to as many people as they want! Provide instructions publicly on exactly how to do so.

Then, the voter can vote using their root key, reversing all the sold votes and cast a vote for their preferred candidate.

Vote selling problem solved.

By @mcny - 9 months
> The account creation failed because the password is too weak (it is too simplistic/systematic). Please try again with a different one.

What does it want in a password? Would be nice if it actually listed out the requirements from the get go.

By @nemoniac - 9 months
It's worth noting that it's licensed AGPL so the source code is open and available. Arguably this is necessary for a fully verifiable election system. Or is there some kind of zero knowledge approach to it?
By @ktzar - 9 months
A common problem of all systems that include a way for voters to verify their vote is that it opens the possibility of parties buying votes, as you can prove you voted for them.
By @JanisErdmanis - 9 months
Warning: This is going to be a rant.

The Belenios voting system is one of the E2E verifiable ones that allows the voter to ensure that their vote is correctly counted without submitting trust to a third party, which is necessary to prevent a corrupt election authority from deceiving and manipulating election results. However, it is also one of the underperforming ones in terms of usability. Like most of the existing E2E verifiable systems, deployability is a logistical nightmare if one wants to safeguard both privacy and resistance against sabotage.

In particular, if I understand correctly, individual verifiability is ensured through a challenge where the voter, after casting a vote to the server, has a chance to test the voting client by challenging it with revealing the encryption exponent to the server, which then can decrypt the vote and show it on the screen. This one is a bit concerning in itself, as the voting client can decide to manipulate only votes cast for one candidate. Whereas checking and casting the same vote again would reveal the vote to potentially corrupt authority. Imagine explaining to ordinary voters such verifiability guarantees. There are better systems where one can get a tracking number at the end of the vote and check it with all cast votes when they are decrypted (one can look up Selene).

Another issue with the system and all existing E2E verifiable voting systems is the deployment of a threshold decryption ceremony. To recap for everyone. Before the elections, the authority manages the creation of a shared public key between multiple parties, which voters use to encrypt their votes during the vote. After the vote, all encrypted votes go through reencryption mixes or are homomorphically tallied and then finally, the votes are threshold decrypted. The challenge here is choosing the redundancy threshold of a number of all parties that need to come together to decrypt the election result. If too few come together, the election result can remain undecrypted, whereas if the hold is set too low, a small minority could collude and see how everyone has voted. Hence, securing both privacy and robustness is an expensive activity.

The website offers the service for those who don’t want to deploy the system themselves. The issue is that the voters’ privacy is handed over to the running service. There is no way to verify to what extent the parties used by the organisation are truly independent and would safeguard their vote privacy.

My biggest gripe is that these arguments don’t land well to those who are accustomed to mathematical formalism of security definitions and proofs. The E2E verifiability with strong privacy guarantees can also be achieved in exponentiation mix setting without the need for a threshold decryption ceremony [1, 2]. Receipt freeness is still an unresolved challenge here, but I see a path to resolve it with ideas similar to those used in Selene. Whereas if you are concerned about fairness not being distributed between multiple parties, please explain to me an attack vector there that can’t be accounted for!

[1]: https://www.usenix.org/legacy/events/evtwote11/tech/final_fi...

[2]: https://eprint.iacr.org/2024/1040
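
The threshold decryption ceremony recapped in the comment above (shared election key, homomorphic tally, t-of-n decryption), as an added Python example that is not part of the original comment and is not Belenios code. Assumptions: a toy 11-bit group, a trusted dealer standing in for distributed key generation, no zero-knowledge proofs, and all function names are illustrative.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def deal_shares(t, n):
    """Shamir-share a secret key among n trustees with threshold t.
    Simplification: one trusted dealer; a real deployment uses distributed key generation."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]    # f(0) is the secret key
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares                   # (election public key, shares)

def encrypt(pk, vote):
    """Exponential ElGamal: encrypting G^vote makes ciphertexts additively homomorphic."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P

def add(c1, c2):
    """Component-wise product of two ciphertexts encrypts the sum of their votes."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P

def partial_decrypt(share, ct):
    """One trustee's decryption share; the key share itself never leaves the trustee."""
    return pow(ct[0], share, P)

def lagrange_at_zero(i, ids):
    """Lagrange coefficient for trustee i when interpolating f(0) from trustees ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(ct, partials, max_tally):
    """Combine {trustee_id: decryption_share} and recover the tally, or None."""
    ids = list(partials)
    mask = 1
    for i, d in partials.items():
        mask = mask * pow(d, lagrange_at_zero(i, ids), P) % P
    g_m = ct[1] * pow(mask, -1, P) % P
    for m in range(max_tally + 1):        # the tally is small, so search the exponent
        if pow(G, m, P) == g_m:
            return m
    return None                           # shares did not reconstruct a valid tally

def run_election(votes, t, n, trustees_present):
    """Encrypt 0/1 votes, tally homomorphically, decrypt with the trustees present."""
    pk, shares = deal_shares(t, n)
    total = encrypt(pk, 0)
    for v in votes:
        total = add(total, encrypt(pk, v))
    partials = {i: partial_decrypt(shares[i], total) for i in trustees_present}
    return combine(total, partials, len(votes))
```

Any t trustees recover the tally and no individual ballot is ever decrypted; with fewer than t, the combined shares yield an unrelated group element, which in this toy group can occasionally land on a small number by chance.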

By @andrewstuart - 9 months
Australia, with a first class reputation for election credibility, uses paper ballots.
By @egberts1 - 9 months
Integrity

Verifiability

Absolute Privacy between the above two

Sounds like Time, Money, Resource: only pick two.

By @poopsmithe - 9 months
Does this solve Sybil attacks?
By @6r17 - 9 months
Did anyone think of blockchain for a voting system? I had a feeling it would be useful in this scenario as anyone could actually check its own vote and the outcome. However reading comments here I may be delusional in regards to the requirements of such technology.
By @hulitu - 9 months
> Belenios: Verifiable online voting system

As long as we trust "certificate authorities", this is pure bullshit.

By @efitz - 9 months
Involving computers in vote tallying is an invitation to fraud.

In the US right now, our problems are well understood and primarily relate to ensuring that only legally eligible people vote, and that the vote was cast by that actual person.

These are fundamentally not technical problems. We have known about them for decades if not centuries and as recently as the early 2000s the Carter-Baker commission laid out the problems and the relatively straightforward solutions.

There have always been political “machines” in big cities, and if given the opportunity, they will try to stuff ballot boxes, intimidate voters, harvest ballots, exclude observers, apply voting laws unequally, and do any number of other shenanigans to give their party an advantage.

This has reached epic proportions since mail-in ballots for able-bodied voters were normalized during COVID.

And the problems have all been exacerbated by the unwillingness of the courts to force states to abide by their own voting laws.

Election administration is not difficult, it is a straightforward set of tasks that require diligence and integrity, and that benefits greatly from having highly motivated partisan observers at every stage of the process.

Technology currently used in voting mostly just introduces more ways to mess up elections either intentionally (via manipulation, by administrators or hackers) or accidentally (as via bugs).

The fixes as I said, are simple but inconvenient:

1. Diligently clean voter rolls every year, or even throw them out and restart every year

2. Strongly authenticate voters via in-person registration with trusted nonpartisan agents (government officials) and verify eligibility to vote (citizenship, residency, age, selective service)

3. Vote in person. If intimidation is known to be a problem in a precinct, bring in state police (not local). Note that machine precincts are likely determinable via statistical and electoral analysis (e.g. where can small swings have big electoral impact). You don’t have to fortify everywhere.

4. Check voter id at the polls.

5. Paper ballots, hand counted on the day of election.

6. Invalidate the count and require revote from any precinct that counts any vote not in the presence of partisan observers from any party on the ballot that asks. Do not allow any vote to be counted after results are reported; the remedy for custody mistakes and “finding uncounted votes” is re-vote.

7. Publicly post precinct level results BEFORE reporting to the county or state. Publicly post county results before reporting to the state. This allows independent channels to confirm that tallies at the county or state level are not tampered with or inadvertently miscomputed.

8. Fast track any election challenge hearings from any eligible voter in an election and do not allow judges to reject cases due to standing, mootness or laches.

9. Absentee ballots should be rare and require proof of need and extraordinary verification with partisan monitoring.

By @breuleux - 9 months
Voting is a deeply flawed decision making process compared to deliberation. If there are too many stakeholders for direct deliberation to scale, it is better to just pick a random sample of them and have them deliberate. You can have the sample vote afterwards to get the final result if they can't come to an agreement, but then you don't need fancy tech to check or tally the votes, you just need a room.