Formally verified invariants of vote counting schemes

The correctness of ballot counting in electronically held elections is a cornerstone for establishing trust in the final result. Vote counting protocols in particular can be formally specified as systems of rules, where each rule application represents the effect of a single action in the tallying process that progresses the count. We show that this way of formalising vote counting protocols is also particularly suitable for (formally) establishing properties of tallying schemes. The key notion is that of an invariant: a property that transfers from premiss to conclusion of every vote counting rule. We show that the rule-based formulation of tallying schemes allows us to give transparent formal proofs of properties of the respective scheme with relative ease. As our proofs are based on the specification of vote counting protocols, rather than on a program that implements them, we are guaranteed that the property holds for every possible specification-conforming implementation of the respective protocol. This in particular includes the vote counting programs that are automatically extracted from the specification. We demonstrate this point by means of two examples: the monotonicity criterion for majority (first-past-the-post) voting, and the majority criterion for a simple version of single transferable vote.
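The rule-based view sketched above, as an added executable illustration rather than the paper's own (Coq) development: plurality counting is written as two rules over a counting state, an invariant is checked across every rule application, and the monotonicity criterion is tested on constructed ballots. The ballot format, the name-order tie-break and the function names are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: a counting state holds the ballots not yet counted,
# the running tally, and the declared winner (None while counting continues).
@dataclass
class State:
    uncounted: list                      # each ballot names exactly one candidate
    tally: Counter = field(default_factory=Counter)
    winner: Optional[str] = None

# Rule COUNT: premiss = a ballot remains and no winner is declared;
# conclusion = that ballot is moved from the uncounted pile into the tally.
def rule_count(s: State) -> State:
    assert s.uncounted and s.winner is None, "premiss of COUNT not met"
    b, rest = s.uncounted[0], s.uncounted[1:]
    return State(rest, s.tally + Counter([b]), None)

# Rule DECLARE: premiss = nothing is left to count and no winner is declared;
# conclusion = a candidate with maximal tally wins (ties broken by name so the
# rule is deterministic; this tie-break is an assumption of the example).
def rule_declare(s: State) -> State:
    assert not s.uncounted and s.winner is None and s.tally, "premiss of DECLARE not met"
    best = min(s.tally, key=lambda c: (-s.tally[c], c))
    return State([], s.tally, best)

# Invariant: uncounted ballots plus tally always equal the ballots we started with,
# so no ballot is lost or duplicated by any rule application.
def invariant(s: State, ballots) -> bool:
    return Counter(s.uncounted) + s.tally == Counter(ballots)

def count(ballots) -> State:
    """Apply the rules to completion, checking the invariant after every step."""
    s = State(list(ballots))
    assert invariant(s, ballots)
    while s.uncounted:
        s = rule_count(s)
        assert invariant(s, ballots)     # the invariant transfers from premiss to conclusion
    return rule_declare(s)

def monotone(ballots, i: int) -> bool:
    """Monotonicity criterion: changing ballot i to the winner must not unseat that winner."""
    w = count(ballots).winner
    changed = list(ballots)
    changed[i] = w
    return count(changed).winner == w
```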
