Dermot Cochran Supervisor : Joe Kiniry

1. Dermot Cochran Supervisor:Joe Kiniry Formal Verificationof Elections that use Electronic Voting

2. PhD Thesis Statement: Verifiable Computer Mediated Remote Voting is appropriate for National and International Governmental Elections if (and only if) A proven and trustworthy election process is used.

3. Definitions • Computer mediated voting: using a computer to record and count ballots • Remote voting: the voter need not be at a polling station e.g. might be using internet or mobile phone to cast a ballot • Verifiable: can be formally proven that each and every vote is counted as cast

4. Voting Requirements • Privacy – no link between voter and ballot • Eligibility – proper registration of voters • Uniqueness – each vote counted once • Secrecy – inability to reveal a vote • Accuracy – all votes counted correctly • Robustness – no undetectable errors • Transparency – openness and verifiability

5. Conflicting Requirements • Publishing anonymous ballots in a a bulletin board would allow for public transparency but violates secrecy, because vote signing is still possible • Receipt free voting schemes promote privacy and secrecy but deny transparency

6. Are paper ballots trustworthy? • It depends on the process for: • Voter registration • Custody of ballot papers • Privacy within the polling stations; could I use a mobile phone camera to record my vote?

7. Trustworthy vs Trusted • Some people trust paper ballots • Some election officialstrust voting machines • Most people won’t trust complicated mathematical proofs • I am not exploring the question of public trust in electronic voting

8. Research Plan • Demonstrate that electronic vote counting can be made reliable and accurate; treat all counting errors with extreme suspicion • Model the election process as a whole, including security requirements • Prove that at least one such election process, is valid i.e. non-conflicting when electronic voting is allowed

9. Preference Voting • Ireland uses Proportional Representation by Single Transferable Vote i.e. preference voting • Voters express multiple preferences for candidates in constituencies with between three and five seats • Formalized as a Java Modeling Language (JML) specification

10. Methodology • Business Object Notation for analysis, design and architecture • Finite State Machine model • Java Modeling Language specification • Scenario tests from BON and state model • Unit tests from JML

11. Finite State Machine for Ballot Counting

12. Lessons Learnt • At first I went straight from the legal requirements to JML specifications, without using BON • When I implemented the JML into Java I then had to re-factor all my JML into the correct architecture and add a more detailed state machine

13. Refinement • BON is object-oriented, although a classifier in BON might refine to either a field, method, class or package in Java • BON pre-conditions, post-conditions and constraints are written in structured English suitable for refinement into JML statements

14. Future Work • Formally specify the whole election process including actions by people • Proved the correctness of the specification using software verification tools, including model checkers • Modular verification e.g. require that software and machines are verifiable

15. Thank You for Listening • Questions? • Criticisms? • Suggestions? • Possible Collaborations?