Schulze Voting as Evidence Carrying Computation

  • Dirk Pattinson
  • Mukesh Tiwari
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10499)


The correctness of vote counting is one of the main pillars that engender trust in electronic elections. However, the present state of the art in vote counting leaves much to be desired: while some jurisdictions publish the source code of their vote counting software, others treat the code as commercial in confidence. None of the systems in use today applies any formal verification. In this paper, we formally specify the so-called Schulze method, a vote counting scheme that is gaining popularity in the open source community. The cornerstone of our formalisation is a (dependent, inductive) type that represents all correct executions of the vote counting scheme. Every inhabitant of this type not only gives a final result, but also all intermediate steps that lead to this result, and can thus be externally verified. As a consequence, we do not even need to trust the execution of the (verified) algorithm: the correctness of a particular run of the vote counting code can be verified on the basis of the evidence for correctness that is produced along with the determination of election winners.
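The idea of a count that ships its own evidence can be sketched in a few lines of Python. This is an added illustration, not the paper's formalisation: the evidence format (a witness path plus a "cut" set per defeated candidate), the function names and the sample ballots are all assumptions made here. The checker recomputes only the pairwise margins from the ballots and never reruns the path search.

```python
from itertools import product

def margins(ballots, cands):
    """m[c][d] = (#ballots ranking c above d) - (#ballots ranking d above c)."""
    m = {c: {d: 0 for d in cands} for c in cands}
    for b in ballots:                      # b maps candidate -> rank, 1 = best
        for c, d in product(cands, cands):
            m[c][d] += (b[c] < b[d]) - (b[d] < b[c])
    return m

def count_with_evidence(ballots, cands):
    """Return (winners, evidence); evidence[(w, d)] = (k, path, cut)."""
    m = margins(ballots, cands)
    p = {c: {d: m[c][d] for d in cands} for c in cands}        # strongest-path strength
    walk = {c: {d: (c, d) for d in cands} for c in cands}      # a walk achieving it
    for k, i, j in product(cands, cands, cands):               # k is the outer loop
        via = min(p[i][k], p[k][j])
        if len({i, j, k}) == 3 and via > p[i][j]:
            p[i][j], walk[i][j] = via, walk[i][k] + walk[k][j][1:]
    winners = [c for c in cands if all(p[c][d] >= p[d][c] for d in cands)]
    evidence = {}
    for w, d in product(winners, cands):
        if d != w:
            k = p[w][d]
            # Everything d reaches with strength > k; w is outside, and no
            # edge leaving the set has margin > k, so no d->w path beats k.
            cut = {d} | {x for x in cands if x != d and p[d][x] > k}
            evidence[w, d] = (k, walk[w][d], cut)
    return winners, evidence

def check(ballots, cands, winner, evidence):
    """Independent checker: recomputes only the margins, never the paths."""
    m = margins(ballots, cands)
    for d in [x for x in cands if x != winner]:
        k, path, cut = evidence.get((winner, d), (0, (), set()))
        path_ok = (len(path) > 1 and path[0] == winner and path[-1] == d
                   and all(m[x][y] >= k for x, y in zip(path, path[1:])))
        cut_ok = (d in cut and winner not in cut and
                  all(m[x][y] <= k for x in cut for y in cands if y not in cut))
        if not (path_ok and cut_ok):
            return False
    return True

# Constructed sample: 4 x A>B>C, 3 x B>C>A, 2 x C>A>B
CANDS = ["A", "B", "C"]
BALLOTS = ([{"A": 1, "B": 2, "C": 3}] * 4 + [{"B": 1, "C": 2, "A": 3}] * 3
           + [{"C": 1, "A": 2, "B": 3}] * 2)
```

The path shows the winner reaches `d` with strength at least `k`, and the cut shows `d` cannot reach the winner with strength above `k`, so a scrutineer who trusts only `check` and the published ballots can confirm or reject the announced result.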



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. The Australian National University, Canberra, Australia
