Security Analysis of a 13th Century Venetian Election Protocol

I love stuff like this: “Electing the Doge of Venice: Analysis of a 13th Century Protocol,” by Miranda Mowbray and Dieter Gollmann.

This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is worth investigating for application to leader election protocols in computer science. For example it gives some opportunities to minorities while ensuring that more popular candidates are more likely to win, and offers some resistance to corruption of voters. The most obvious feature of this protocol is that it is complicated and would have taken a long time to carry out. We will advance a hypothesis as to why it is so complicated, and describe a simplified protocol with very similar features.

Venice was very clever about working to avoid the factionalism that tore apart a lot of its Italian rivals, while making the various factions feel represented.

Posted on July 27, 2007 at 12:08 PM11 Comments


Pat Cahalan July 27, 2007 12:55 PM

“On the other hand, according to Maranini ([12], p.274), older candidates were preferred by voters in order to mitigate the risk of elections for life. Indeed, the Doges elected under this protocol did not tend to last long.”

Sounds like your average papal election. Now my interest is piqued; how much of “elect the older guy” is based upon this factor, and how much is based upon reverse ageism – elect the older guy, since he has more experience?

Spider July 27, 2007 1:02 PM

I’ll have to think about it, but the more I think about it, the more I think I like it, I think.

Hassan July 27, 2007 1:28 PM

The paper was presented as an invited paper in CSF 2007 (formerly known as CSFW), which took place in Venice some weeks ago. Nice conference. Everyone in the room seemed to be a bit puzzled about the point of the paper, but there was an interesting discussion after the presentation.

Patrick Stein July 27, 2007 2:52 PM

I also couldn’t help but notice the phrase “security theatre” at the end of section one. That’s one of your frequently-used-phrases, Bruce.

Paul Robinson July 27, 2007 3:46 PM

Patrick: Bruce gets a name check in the paper specifically for the phrase ‘security theatre’. It’s a fascinating paper in many ways, and I blogged it a few days back – I find it interesting when research labs try and do something a little different. Miranda Mowbray (one of the authors) was kind enough to email me thanking me for the link as well. What nice people they must be down at HP Labs! 🙂

guvn'r July 30, 2007 9:09 AM

“its general principle—that of repeatedly
reducing an electoral college by lot and then increasing it by election” sounds more like an S-box design than an electoral system!

The protocol “would have taken a long time to carry out.” Well, it was used for over 500 years, that gives a lot of time!

So when the US electoral system is twice its present age it will still be almost a hundred years from enduring as long as the Venetian protocol – talk about standing the test of time…

Jon Kay July 31, 2007 1:04 AM

You know, something like this could’ve come in handy for deciding who should have power over the Internet Domain Name Service, back in the ’90s.

Nobody trusted one another, and people had to worry about a ginned-up electorate because of the money involved. It’s still a hopeless situation, but now it’s probably too late to do something like that, sigh, because money has captured it via Congress.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.