Formal Model-Based Validation for Tally Systems

  • Dermot Cochran
  • Joseph R. Kiniry
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7985)

Abstract

Existing commercial and open source e-voting systems have horrifically poor testing frameworks. Most tally systems, for example, are tested by re-running all past elections and seeing if the new system gives the same answer as an older, perhaps erroneous, system did. This amounts to a few dozen system tests and, typically, few-to-no unit tests. These systems are used today in a dozen countries to determine the outcome of national elections. This state-of-affairs cannot continue because it calls into question the legitimacy of elections in major European and North American democracies.

In this work, the ballot counting process for one of the most complex electoral schemes used in the world, Proportional Representation by Single Transferable Vote (PR-STV), is mechanically formally modeled. The purpose of such a formalization is to generate, using an algorithm of our design, a complete set of non-isomorphic test cases per electoral scheme, once and for all. Using such a system test suite, any digital election technology (proprietary or open source) can be rigorously evaluated for correctness. Doing so will vastly improve the confidence experts have—and can only improve the level of trust citizens have—in these digital elections systems.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Bowler, S., Grofman, B.: Elections in Australia, Ireland, and Malta under the Single Transferable Vote: Reflections on an embedded institution. University of Michigan Press (2000)Google Scholar
  2. 2.
    Coyle, L., Cunnigham, P., Doyle, D.: Appendix 2D - second report of commission on electronic voting in Ireland: Secrecy, accuracy and testing of the chosen electronic voting system: Reliability and accuracy of data inputs and outputs (December 2004)Google Scholar
  3. 3.
    Department of Environment and Local Government, Commission on Electronic Voting in Ireland. Count requirements and commentary on count rules (June 23, 2000)Google Scholar
  4. 4.
    Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program checking. Journal of the Association of Computing Machinery 52(3), 365–473 (2005)MathSciNetCrossRefGoogle Scholar
  5. 5.
  6. 6.
    Farrell, D.M., McAllister, I.: The Australian electoral system: origins, variations, and consequences. New South Wales University Press, Ltd. (2006)Google Scholar
  7. 7.
    Gallagher, M.: Comparing proportional representation electoral systems: Quotas, thresholds, paradoxes and majorities. British Journal of Political Science 22(4), 469–496 (1992)CrossRefGoogle Scholar
  8. 8.
    Gilmour, J.: Detailed description of the STV count in accordance with the rules in the Scottish local government elections order 2007. Representation 43(3), 217–229 (2007)CrossRefGoogle Scholar
  9. 9.
    Jackson, D.: Alloy: A lightweight object modelling notation. ACM Transactions on Software Engineering and Methodology 11(2), 290 (2002)CrossRefGoogle Scholar
  10. 10.
    Jackson, D.: Software Abstractions: logic, language and analysis. MIT Press, MA (2012)Google Scholar
  11. 11.
    Kiniry, J.R., Cochran, D., Tierney, P.E.: Verification-centric realization of electronic vote counting. In: Proceedings of the USENIX/Accurate Electronic Voting Technology on USENIX/Accurate Electronic Voting Technology Workshop. USENIX Association Berkeley, CA (2007)Google Scholar
  12. 12.
    Kjölbro, O.: Verifying the Danish Voting System. Master’s thesis, IT University of Copenhagen (May 2011)Google Scholar
  13. 13.
    Koopman, P., Hubbers, E., Pieters, W., Poll, E., de Vries, R.: Testing the eSTV program for the Scottish local government elections. Technical report, Radboud University Nijmegen (2007)Google Scholar
  14. 14.
    Koopman, P., Plasmeijer, R.: Testing with functional reference implementations. In: Page, R., Horváth, Z., Zsók, V. (eds.) TFP 2010. LNCS, vol. 6546, pp. 134–149. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Leino, K.R.M., Monahan, R.: Reasoning about comprehensions with first-order SMT solvers. In: Proceedings of the 24th Annual ACM Symposium on Applied Computing, SAC 2009 (2009)Google Scholar
  16. 16.
    McGaley, M., Gibson, J.P.: Electronic voting: A safety critical system. Final Year Project Report, NUI Maynooth Department of Computer Science (2003)Google Scholar
  17. 17.
    Meagher, M.: Towards the development of an electronic count system using formal methods, MPhil thesis, University of Southampton (2001)Google Scholar
  18. 18.
    The Scottish Ministers, Scottish local government elections order 2007, rule 45–52 (December 2006)Google Scholar
  19. 19.
    Rayadurgam, S., Heimdahl, M.P.E.: Coverage based test-case generation using model checkers. In: Proceedings of the IEEE International Conference on the Engineering of Computer Based Systems (ECBS 2001), pp. 83–91. IEEE (2001)Google Scholar
  20. 20.
    Sinnott, R.: Irish voters decide: Voting behaviour in elections and referendums since 1918. Manchester Univ. Pr. (1995)Google Scholar
  21. 21.
    SMT-LIB: The satisfiability modulo theories library, http://combination.cs.uiowa.edu/smtlib/
  22. 22.
    Teague, V., Ramchen, K., Naish, L.: Coercion-resistant tallying for STV voting. In: Proceedings of the USENIX/Accurate Electronic Voting Technology Workshop (2008)Google Scholar
  23. 23.
    Wing, J.M.: A specifier’s introduction to formal methods. Computer 23(9), 8–22 (1990)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Dermot Cochran
    • 1
  • Joseph R. Kiniry
    • 2
  1. 1.Siemens A/SBallerupDenmark
  2. 2.Technical University of DenmarkLyngbyDenmark

Personalised recommendations