Schulze Voting as Evidence Carrying Computation

The correctness of vote counting in electronic elections is one of the main pillars that engenders trust in electronic elections. However, the present state of the art in vote counting leaves much to be desired: while some jurisdictions publish the source code of their vote counting software, others treat the code as commercial in confidence. None of the systems in use today applies any formal verification. In this paper, we formally specify the so-called Schulze method, a vote counting scheme that is gaining popularity in the open source community. The cornerstone of our formalisation is a (dependent, inductive) type that represents all correct executions of the vote counting scheme. Every inhabitant of this type not only gives a final result, but also all intermediate steps that lead to this result, and can therefore be externally verified. As a consequence, we do not even need to trust the execution of the (verified) algorithm: the correctness of a particular run of the vote counting code can be verified on the basis of the evidence for correctness that is produced along with the determination of election winners.
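The following is an added illustration of the evidence-carrying idea described above; it is not the paper's Coq development. It implements the Schulze method in Python so that the count returns not just the winners but a certificate (the pairwise tallies, the strongest-path matrix, and a witness path for every pair of candidates), and a separate `check_certificate` function re-verifies the result from the ballots without trusting the counting code. The candidate names, ballot profile and function names are constructed for the example.

```python
"""Schulze method as evidence-carrying computation (added example).

schulze_with_evidence() computes the winners together with a certificate;
check_certificate() independently validates that certificate against the
ballots, so a verifier never has to trust the counting code itself.
"""


def pairwise_matrix(candidates, ballots):
    """d[a][b] = number of ballots ranking a strictly above b.

    A ballot is a list of candidates from most to least preferred; candidates
    missing from a ballot are treated as tied below every listed candidate.
    """
    d = {a: {b: 0 for b in candidates} for a in candidates}
    for ballot in ballots:
        pos = {c: i for i, c in enumerate(ballot)}
        for a in candidates:
            for b in candidates:
                if a != b and pos.get(a, len(ballot)) < pos.get(b, len(ballot)):
                    d[a][b] += 1
    return d


def direct_strengths(candidates, d):
    """Strength of the direct link a->b: d[a][b] if a beats b head-to-head, else 0."""
    return {a: {b: (d[a][b] if d[a][b] > d[b][a] else 0) for b in candidates}
            for a in candidates}


def schulze_with_evidence(candidates, ballots):
    """Return winners plus the evidence needed to check them."""
    d = pairwise_matrix(candidates, ballots)
    p = direct_strengths(candidates, d)
    # Witness path realising p[a][b]; initially just the direct link.
    witness = {a: {b: [a, b] for b in candidates} for a in candidates}
    # Floyd-Warshall style widest-path closure (the Schulze "strongest path").
    for i in candidates:
        for j in candidates:
            for k in candidates:
                if j == k:
                    continue
                via = min(p[j][i], p[i][k])
                if via > p[j][k]:
                    p[j][k] = via
                    witness[j][k] = witness[j][i] + witness[i][k][1:]
    winners = [a for a in candidates
               if all(p[a][b] >= p[b][a] for b in candidates if b != a)]
    return {"pairwise": d, "strength": p, "witness": witness, "winners": winners}


def path_strength(p0, path):
    """Strength of a path = its weakest direct link."""
    return min(p0[x][y] for x, y in zip(path, path[1:]))


def check_certificate(candidates, ballots, cert):
    """Verify a certificate from the ballots alone; True iff it is sound."""
    d, p, w = cert["pairwise"], cert["strength"], cert["witness"]
    # 1. The pairwise tallies really come from the ballots.
    if pairwise_matrix(candidates, ballots) != d:
        return False
    p0 = direct_strengths(candidates, d)
    for a in candidates:
        for b in candidates:
            if a == b:
                continue
            path = w[a][b]
            # 2. Lower bound: the witness is a genuine a->b path of the claimed strength.
            if path[0] != a or path[-1] != b or path_strength(p0, path) != p[a][b]:
                return False
            # 3. Upper bound: p dominates direct links and is closed under relaxation,
            #    so by induction on path length no simple path can beat p[a][b].
            if p[a][b] < p0[a][b]:
                return False
            if any(p[a][b] < min(p[a][c], p[c][b]) for c in candidates):
                return False
    # 4. Winners are exactly the candidates undefeated in path strength.
    expected = [a for a in candidates
                if all(p[a][b] >= p[b][a] for b in candidates if b != a)]
    return cert["winners"] == expected


# Constructed sample profile with a Condorcet cycle: A>B (6-3), B>C (7-2), C>A (5-4).
CANDIDATES = ["A", "B", "C"]
BALLOTS = [["A", "B", "C"]] * 4 + [["B", "C", "A"]] * 3 + [["C", "A", "B"]] * 2

if __name__ == "__main__":
    cert = schulze_with_evidence(CANDIDATES, BALLOTS)
    print("winners:", cert["winners"])          # ['A']
    print("B->A strength:", cert["strength"]["B"]["A"], "via", cert["witness"]["B"]["A"])
    print("certificate valid:", check_certificate(CANDIDATES, BALLOTS, cert))
```

The checker's condition 3 is what makes the strongest-path matrix self-certifying: a matrix that is at least the direct strengths and closed under `min(p[a][c], p[c][b])` bounds every path from above, while the witness paths bound every entry from below, so the two together pin the matrix down exactly. Anyone holding the ballots and the certificate can rerun `check_certificate`, which mirrors the paper's point that the evidence produced during the count, rather than the count's execution, is what needs to be trusted.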
