9 research outputs found

    Formal Property-Oriented Design of Voting Rules Using Composable Modules

Voting rules aggregate multiple individual preferences in order to make a collective decision. Commonly, these mechanisms are expected to respect a multitude of different notions of fairness and reliability, which must be carefully balanced to avoid inconsistencies. We present an approach for the sound and flexible design of voting rules from composable modules. Formal composition rules guarantee social choice properties from properties of the individual components. The approach can be applied to many voting rules from the literature.

    Verified Construction of Fair Voting Rules

Voting rules aggregate multiple individual preferences in order to make collective decisions. Commonly, these mechanisms are expected to respect a multitude of different fairness and reliability properties, e.g., to ensure that each voter's ballot accounts for the same proportion of the elected alternatives, or that a voter cannot change the election outcome in her favor by insincerely filling out her ballot. However, no voting rule is fair in all respects, and attempts to trade off such properties against each other often bring out inconsistencies, which makes the construction of arguably practical and fair voting rules non-trivial and error-prone. In this paper, we present a formal and systematic approach for the flexible and verified construction of voting rules from composable core modules so that they respect such properties by construction. Formal composition rules guarantee the resulting properties from properties of the individual components, which are generic and can be reused across various voting rules. We provide a prototypical logic-based implementation with proofs for a selected set of structures and composition rules within the theorem prover Isabelle/HOL. The approach can be readily extended to support many voting rules from the literature by extending the set of basic modules and composition rules. As an example, we construct the well-known voting rule sequential majority comparison (SMC) from simple generic modules, and automatically produce a formal proof that SMC satisfies the fairness property monotonicity. Monotonicity is a well-known social-choice property that is easily violated by voting rules in practice.

    Automated Verification for Functional and Relational Properties of Voting Rules

In this paper, we formalise classes of axiomatic properties for voting rules, discuss their characteristics, and show how symmetry properties can be exploited in the verification of other properties. Following that, we describe how automated verification methods such as software bounded model checking and deductive verification can be used to verify implementations of voting rules. We present a case study in which we use and compare different approaches to verify that plurality voting satisfies the majority and the anonymity property.
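The two abstracts above describe proving monotonicity of sequential majority comparison (SMC) and bounded checking of majority and anonymity for plurality. As an added illustration (this is not the Isabelle/HOL development or the bounded-model-checking setup from either paper), the following Python script implements plurality, SMC and instant-runoff voting over ranked ballots, and exhaustively checks monotonicity, the majority property and anonymity over every profile of up to four voters on three candidates. The tie handling in SMC (ties keep the incumbent) and in instant-runoff (ties drop the alphabetically last candidate) are assumptions made here for determinism, and the 17-ballot profile on which instant-runoff fails monotonicity is constructed for this example.

```python
"""Bounded checking of social-choice properties for small voting rules.

Ballots are tuples of candidate names ranked best to worst; a profile is a
list of ballots; a rule returns the set of winners. All tie handling below
is an assumption made for this example, not taken from the papers above.
"""
from itertools import combinations, permutations, product


def first_place_counts(profile, remaining):
    """Count how many ballots rank each still-remaining candidate highest."""
    counts = {c: 0 for c in remaining}
    for ballot in profile:
        counts[next(c for c in ballot if c in remaining)] += 1
    return counts


def beats(profile, a, b):
    """Strict pairwise majority: more ballots rank a above b than b above a."""
    return sum(bal.index(a) < bal.index(b) for bal in profile) * 2 > len(profile)


def plurality(profile, candidates):
    counts = first_place_counts(profile, candidates)
    best = max(counts.values())
    return {c for c in candidates if counts[c] == best}


def smc(profile, candidates):
    """Sequential majority comparison: candidates enter in agenda order and a
    challenger replaces the incumbent only by strictly beating it (assumption)."""
    incumbent = candidates[0]
    for challenger in candidates[1:]:
        if beats(profile, challenger, incumbent):
            incumbent = challenger
    return {incumbent}


def irv(profile, candidates):
    """Instant-runoff: drop the candidate with fewest first places (ties: the
    alphabetically last, an assumption) until someone has a strict majority."""
    remaining = list(candidates)
    while True:
        counts = first_place_counts(profile, remaining)
        best = max(counts.values())
        if len(remaining) == 1 or best * 2 > len(profile):
            return {c for c in remaining if counts[c] == best}
        fewest = min(counts.values())
        remaining.remove(max(c for c in remaining if counts[c] == fewest))


def raise_once(ballot, w):
    """Move w up one place; the relative order of all other candidates is kept."""
    b = list(ballot)
    i = b.index(w)
    b[i - 1], b[i] = b[i], b[i - 1]
    return tuple(b)


def improvements(profile, w):
    """Every profile obtained by raising w one place in a non-empty subset of
    the ballots that do not already rank w first."""
    idx = [i for i, b in enumerate(profile) if b[0] != w]
    for k in range(1, len(idx) + 1):
        for chosen in combinations(idx, k):
            yield [raise_once(b, w) if i in chosen else b for i, b in enumerate(profile)]


def monotonicity_violation(rule, candidates, profile):
    """(profile, improved, w) if a winner w stops winning after being raised."""
    for w in rule(profile, candidates):
        for improved in improvements(profile, w):
            if w not in rule(improved, candidates):
                return profile, improved, w
    return None


def majority_violation(rule, candidates, profile):
    """(profile, c) if c holds a strict majority of first places yet is not the sole winner."""
    for c, n in first_place_counts(profile, candidates).items():
        if n * 2 > len(profile) and rule(profile, candidates) != {c}:
            return profile, c
    return None


def anonymity_violation(rule, candidates, profile):
    """(profile, permuted) if reordering the ballots changes the outcome."""
    expected = rule(profile, candidates)
    for perm in permutations(profile):
        if rule(list(perm), candidates) != expected:
            return profile, list(perm)
    return None


def bounded_check(rule, candidates, max_voters, checker):
    """Bounded model checking in miniature: run `checker` on every profile of
    1..max_voters ballots over `candidates`; return the first witness or None."""
    ballots = list(permutations(candidates))
    for n in range(1, max_voters + 1):
        for profile in product(ballots, repeat=n):
            hit = checker(rule, candidates, list(profile))
            if hit is not None:
                return hit
    return None


CANDS = ("W", "X", "Y")
# Constructed profile: instant-runoff elects W, but raising W on Y>W>X ballots
# gets Y eliminated instead of X, and X then beats W in the final round.
IRV_PROFILE = ([("W", "X", "Y")] * 6 + [("X", "W", "Y")] * 3 + [("X", "Y", "W")] * 2
               + [("Y", "W", "X")] * 2 + [("Y", "X", "W")] * 4)

if __name__ == "__main__":
    for name, rule in (("plurality", plurality), ("SMC", smc)):
        for prop, chk in (("monotonicity", monotonicity_violation),
                          ("majority", majority_violation),
                          ("anonymity", anonymity_violation)):
            print(name, prop, "witness:", bounded_check(rule, CANDS, 4, chk))
    print("IRV monotonicity witness:", monotonicity_violation(irv, CANDS, IRV_PROFILE))
```

The exhaustive search over small profiles is exactly what a bounded check buys: a violation found is a concrete counterexample (as for instant-runoff here), while the absence of one is evidence only up to the chosen bound, which is why the first two abstracts reach for composition rules and theorem proving to get an unbounded guarantee.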

    Machine Learning? In MY Election? It's More Likely Than You Think: Voting Rules via Neural Networks

Impossibility theorems in social choice have represented a barrier to the creation of universal, non-dictatorial, and non-manipulable voting rules, highlighting a key trade-off between social welfare and strategy-proofness. However, a social planner may be concerned with only a particular preference distribution and wonder whether it is possible to optimize this trade-off better for it. To address this problem, we propose an end-to-end, machine learning-based framework that creates voting rules according to a social planner's constraints, for any type of preference distribution. After experimenting with rank-based social choice rules, we find that automatically designed rules are less susceptible to manipulation than most existing rules, while still attaining high social welfare.

    Formal Methods for Trustworthy Voting Systems : From Trusted Components to Reliable Software

Voting is a prominent and important part of democratic societies, and its outcome may have a dramatic and broad impact on societal progress. Therefore, it is paramount that such a society has extensive trust in the electoral process, such that the system's functioning is reliable and stable with respect to the expectations within society. Yet, with or without the use of modern technology, voting is full of algorithmic and security challenges, and the failure to address these challenges in a controlled manner may produce fundamental flaws in the voting system and potentially undermine critical societal aspects. In this thesis, we argue for a development process for voting systems that is rooted in and assisted by formal methods that produce transparently checkable evidence for the guarantees that the final system should provide, so that it can be deemed trustworthy. The goal of this thesis is to advance the state of the art in formal methods that allow trustworthy voting systems to be developed systematically and provably verified. In the literature, voting systems are modeled in the following four comparatively separable and distinguishable layers: (1) the physical layer, (2) the computational layer, (3) the election layer, and (4) the human layer. Current research usually either stays mostly within one of those layers or lacks machine-checkable evidence; consequently, trusted and understandable criteria often lack formally proven and checkable guarantees at the software level, and vice versa. The contributions in this work are formal methods that fill in the trust gap between the principal election layer and the computational layer by a reliable translation of trusted and understandable criteria into trustworthy software. Thereby, executable procedures can be formally traced back to, and understood by, election experts without inspection at the code level, and trust can be preserved through to the trustworthy system.
The works in this thesis all contribute to this end and consist of five distinct contributions: (I) a method for the generation of secure card-based communication schemes, (II) a method for the synthesis of reliable tallying procedures, (III) a method for the efficient verification of reliable tallying procedures, (IV) a method for the computation of dependable election margins for reliable audits, and (V) a case study on the security verification of the GI voter-anonymization software. These contributions span formal methods, on illustrative examples, for each of the three principal components between the election layer and the computational layer: (1) voter-ballot box communication, (2) election method, and (3) election management. Within the first component, the voter-ballot box communication channel, we build a bridge from the communication channel to the cryptographic scheme by automatically generating secure card-based schemes from a small formal model with a parameterization of the desired security requirements. For the second component, the election method, we build a bridge from the election method to the tallying procedure by (1) automatically synthesizing a runnable tallying procedure from the desired requirements, given as properties that capture the intended intuitions or regulations of fairness considerations, (2) automatically generating either comprehensible arguments or bounded proofs to compare tallying procedures based on user-definable fairness properties, and (3) automatically computing concrete election margins for a given tallying procedure, the collected ballots, and the computed election result, which enable efficient election audits.
Finally, for the third component, the election management system, we perform a case study and apply state-of-the-art verification technology to a real-world e-voting system that has been used for the annual elections of the German Informatics Society (GI, "Gesellschaft für Informatik") in 2019. The case study consists of the formal, implementation-level security verification that the voter identities are securely anonymized and that the voters' passwords cannot be leaked. The presented methods assist the systematic development and verification of provably trustworthy voting systems across the traditional layers, i.e., from the election layer to the computational layer. They all pursue the goal of making voting systems trustworthy through reliable and explainable formal requirements. We evaluate the devised methods on minimal card-based protocols that compute a secure AND function for two different decks of cards, a classical knock-out tournament and several Condorcet rules, various plurality, scoring, and Condorcet rules from the literature, the Danish national parliamentary elections of 2015, and a state-of-the-art electronic voting system that has been used for the German Informatics Society's annual elections in 2019 and since.

    A deep exploration of the complexity border of strategic voting problems

Voting has found applications in a variety of areas. Unfortunately, in a voting activity there may exist strategic individuals who have incentives to attack the election by performing some strategic behavior. One possible way to address this issue is to use computational complexity as a barrier against such behavior: if it is NP-hard to carry out a strategic behavior successfully, the strategic individuals may give up their plan of attacking the election. This thesis is concerned with strategic behavior in restricted elections, in the sense that the given elections are subject to some combinatorial restrictions. The goal is to find out how the complexity of the strategic behavior changes from the very restricted case to the general case. (The German abstract that followed in the original listing is a translation of the same text.)