Formal Model-Based Validation for Tally Systems
Existing commercial and open source e-voting systems have horrifically poor testing frameworks. Most tally systems, for example, are tested by re-running all past elections and seeing if the new system gives the same answer as an older, perhaps erroneous, system did. This amounts to a few dozen system tests and, typically, few-to-no unit tests. These systems are used today in a dozen countries to determine the outcome of national elections. This state-of-affairs cannot continue because it calls into question the legitimacy of elections in major European and North American democracies.
In this work, the ballot counting process for one of the most complex electoral schemes used in the world, Proportional Representation by Single Transferable Vote (PR-STV), is mechanically formally modeled. The purpose of such a formalization is to generate, using an algorithm of our design, a complete set of non-isomorphic test cases per electoral scheme, once and for all. Using such a system test suite, any digital election technology (proprietary or open source) can be rigorously evaluated for correctness. Doing so will vastly improve the confidence experts have—and can only improve the level of trust citizens have—in these digital elections systems.
Unable to display preview. Download preview PDF.
- 1.Bowler, S., Grofman, B.: Elections in Australia, Ireland, and Malta under the Single Transferable Vote: Reflections on an embedded institution. University of Michigan Press (2000)Google Scholar
- 2.Coyle, L., Cunnigham, P., Doyle, D.: Appendix 2D - second report of commission on electronic voting in Ireland: Secrecy, accuracy and testing of the chosen electronic voting system: Reliability and accuracy of data inputs and outputs (December 2004)Google Scholar
- 3.Department of Environment and Local Government, Commission on Electronic Voting in Ireland. Count requirements and commentary on count rules (June 23, 2000)Google Scholar
- 6.Farrell, D.M., McAllister, I.: The Australian electoral system: origins, variations, and consequences. New South Wales University Press, Ltd. (2006)Google Scholar
- 10.Jackson, D.: Software Abstractions: logic, language and analysis. MIT Press, MA (2012)Google Scholar
- 11.Kiniry, J.R., Cochran, D., Tierney, P.E.: Verification-centric realization of electronic vote counting. In: Proceedings of the USENIX/Accurate Electronic Voting Technology on USENIX/Accurate Electronic Voting Technology Workshop. USENIX Association Berkeley, CA (2007)Google Scholar
- 12.Kjölbro, O.: Verifying the Danish Voting System. Master’s thesis, IT University of Copenhagen (May 2011)Google Scholar
- 13.Koopman, P., Hubbers, E., Pieters, W., Poll, E., de Vries, R.: Testing the eSTV program for the Scottish local government elections. Technical report, Radboud University Nijmegen (2007)Google Scholar
- 15.Leino, K.R.M., Monahan, R.: Reasoning about comprehensions with first-order SMT solvers. In: Proceedings of the 24th Annual ACM Symposium on Applied Computing, SAC 2009 (2009)Google Scholar
- 16.McGaley, M., Gibson, J.P.: Electronic voting: A safety critical system. Final Year Project Report, NUI Maynooth Department of Computer Science (2003)Google Scholar
- 17.Meagher, M.: Towards the development of an electronic count system using formal methods, MPhil thesis, University of Southampton (2001)Google Scholar
- 18.The Scottish Ministers, Scottish local government elections order 2007, rule 45–52 (December 2006)Google Scholar
- 19.Rayadurgam, S., Heimdahl, M.P.E.: Coverage based test-case generation using model checkers. In: Proceedings of the IEEE International Conference on the Engineering of Computer Based Systems (ECBS 2001), pp. 83–91. IEEE (2001)Google Scholar
- 20.Sinnott, R.: Irish voters decide: Voting behaviour in elections and referendums since 1918. Manchester Univ. Pr. (1995)Google Scholar
- 21.SMT-LIB: The satisfiability modulo theories library, http://combination.cs.uiowa.edu/smtlib/
- 22.Teague, V., Ramchen, K., Naish, L.: Coercion-resistant tallying for STV voting. In: Proceedings of the USENIX/Accurate Electronic Voting Technology Workshop (2008)Google Scholar