Model Checkers Are Cool: How to Model Check Voting Protocols in Uppaal

The design and implementation of an e-voting system is a challenging task. Formal analysis can be of great help here. In particular, it can lead to a better understanding of how the voting system works, and what requirements on the system are relevant. In this paper, we propose that the state-of-art model checker Uppaal provides a good environment for modelling and preliminary verification of voting protocols. To illustrate this, we present an Uppaal model of Pr\^et \`a Voter, together with some natural extensions. We also show how to verify a variant of receipt-freeness, despite the severe limitations of the property specification language in the model checker

Design verification of SIFT

A SIFT reliable aircraft control computer system, designed to meet the ultrahigh reliability required for safety critical flight control applications by use of processor replications and voting, was constructed for SRI, and delivered to NASA Langley for evaluation in the AIRLAB. To increase confidence in the reliability projections for SIFT, produced by a Markov reliability model, SRI constructed a formal specification, defining the meaning of reliability in the context of flight control. A further series of specifications defined, in increasing detail, the design of SIFT down to pre- and post-conditions on Pascal code procedures. Mechanically checked mathematical proofs were constructed to demonstrate that the more detailed design specifications for SIFT do indeed imply the formal reliability requirement. An additional specification defined some of the assumptions made about SIFT by the Markov model, and further proofs were constructed to show that these assumptions, as expressed by that specification, did indeed follow from the more detailed design specifications for SIFT. This report provides an outline of the methodology used for this hierarchical specification and proof, and describes the various specifications and proofs performed

Accuracy: The fundamental requirement for voting systems

There have been several attempts to develop a comprehensive account of the requirements for voting systems, particularly for public elections. Typically, these approaches identify a number of "high level" principals which are then refined either into more detailed statements or more formal constructs. Unfortunately, these approaches do not acknowledge the complexity and diversity of the contexts in which voting takes place. This paper takes a different approach by arguing that the only requirement for a voting system is that it is accurate. More detailed requirements can then be derived from this high level requirement for the particular context in which the system is implemented and deployed. A general, formal high level model for voting systems and their context is proposed. Several related definitions of accuracy for voting systems are then developed, illustrating how the term "accuracy" is in interpreted in different contexts. Finally, a context based requirement for voting system privacy is investigated as an example of deriving a subsidiary requirement from the high level requirement for accuracy

A Peered Bulletin Board for Robust Use in Verifiable Voting Systems

The Web Bulletin Board (WBB) is a key component of verifiable election systems. It is used in the context of election verification to publish evidence of voting and tallying that voters and officials can check, and where challenges can be launched in the event of malfeasance. In practice, the election authority has responsibility for implementing the web bulletin board correctly and reliably, and will wish to ensure that it behaves correctly even in the presence of failures and attacks. To ensure robustness, an implementation will typically use a number of peers to be able to provide a correct service even when some peers go down or behave dishonestly. In this paper we propose a new protocol to implement such a Web Bulletin Board, motivated by the needs of the vVote verifiable voting system. Using a distributed algorithm increases the complexity of the protocol and requires careful reasoning in order to establish correctness. Here we use the Event-B modelling and refinement approach to establish correctness of the peered design against an idealised specification of the bulletin board behaviour. In particular we show that for n peers, a threshold of t > 2n/3 peers behaving correctly is sufficient to ensure correct behaviour of the bulletin board distributed design. The algorithm also behaves correctly even if honest or dishonest peers temporarily drop out of the protocol and then return. The verification approach also establishes that the protocols used within the bulletin board do not interfere with each other. This is the first time a peered web bulletin board suite of protocols has been formally verified.Comment: 49 page

Verifying privacy by little interaction and no process equivalence

While machine-assisted verification of classical security goals such as confidentiality and authentication is well-established, it is less mature for recent ones. Electronic voting protocols claim properties such as voter privacy. The most common modelling involves indistinguishability, and is specified via trace equivalence in cryptographic extensions of process calculi. However, it has shown restrictions. We describe a novel model, based on unlinkability between two pieces of information. Specifying it as an extension to the Inductive Method allows us to establish voter privacy without the need for approximation or session bounding. The two models and their latest specifications are contrasted

Regional influences on U.S. monetary policy: some implications for Europe

This paper looks at the monetary policy decisions of the U.S. Federal Reserve and asks whether those decisions have been influenced solely by national concerns, or whether regional factors have played a role. All of the Federal Reserve''s policymakers have some regional identity, i.e., either their positions explicitly carry some regional affiliation or their region of origin is a factor that must be considered in the selection process. This research is relevant for the Fed, and it may also be relevant for Europe''s fledgling central bank in Frankfurt. Critics have asserted that ECB policymakers have an incentive to base policy on national developments and respond to national political pressures. We find that Fed policymakers do take into account developments in regional unemployment when deciding monetary policy, and that these regional developments are more important for central bankers at the hub than in the spokes. These findings are robust to a variety of different specifications of the voting equation