For more than a century, election officials across the United States have
inspected voting machines before elections using a procedure called Logic and
Accuracy Testing (LAT). This procedure consists of election officials casting a
test deck of ballots into each voting machine and confirming the machine
produces the expected vote total for each candidate. We bring a scientific
perspective to LAT by introducing the first formal approach to designing test
decks with rigorous security guarantees. Specifically, our approach employs
robust optimization to find test decks that are guaranteed to detect any voting
machine misconfiguration that would cause votes to be swapped across
candidates. Out of all the test decks with this security guarantee, our robust
optimization problem yields the test deck with the minimum number of ballots,
thereby minimizing implementation costs for election officials. To facilitate
deployment at scale, we develop a practically efficient exact algorithm for
solving our robust optimization problems based on the cutting plane method. In
partnership with the Michigan Bureau of Elections, we retrospectively applied
our approach to all 6928 ballot styles from Michigan's November 2022 general
election; this retrospective study reveals that the test decks with rigorous
security guarantees obtained by our approach require, on average, only 1.2%
more ballots than current practice. Our approach has since been piloted in
real-world elections by the Michigan Bureau of Elections as a low-cost way to
improve election security and increase public trust in democratic institutions.
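
The detection property described above can be checked by brute force on a small ballot style. The following is an added example, not code from the paper, and it is not the robust optimization or cutting plane algorithm: it assumes a simplified model in which a misconfiguration swaps the targets of exactly two candidates (possibly across contests), and the candidate names and both decks are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

def tally(deck, mapping=None):
    """Count votes per candidate. `mapping` models a misconfigured machine
    that credits a marked target to a different candidate."""
    mapping = mapping or {}
    totals = Counter()
    for ballot in deck:
        for target in ballot:
            totals[mapping.get(target, target)] += 1
    return totals

def undetected_swaps(candidates, deck):
    """Return every candidate pair whose swap would leave the reported
    totals identical to the expected totals, i.e. pass LAT unnoticed."""
    expected = tally(deck)
    missed = []
    for a, b in combinations(candidates, 2):
        reported = tally(deck, {a: b, b: a})
        if all(reported[c] == expected[c] for c in candidates):
            missed.append((a, b))
    return missed

# Constructed ballot style: two contests, vote-for-one each.
CANDIDATES = ["Gov/A", "Gov/B", "Sen/C", "Sen/D", "Sen/E"]

# Constructed weak deck: several candidates end up with the same total.
WEAK_DECK = [("Gov/A", "Sen/C"), ("Gov/B", "Sen/D"), ("Gov/A", "Sen/E")]

# Constructed deck in which every candidate has a distinct total
# (A=3, B=5, C=1, D=2, E=4); the last ballot undervotes the Senate contest.
STRONG_DECK = (
    [("Gov/A", "Sen/C")]
    + [("Gov/A", "Sen/D")] * 2
    + [("Gov/B", "Sen/E")] * 4
    + [("Gov/B",)]
)

if __name__ == "__main__":
    print("weak deck misses:", undetected_swaps(CANDIDATES, WEAK_DECK))
    print("strong deck misses:", undetected_swaps(CANDIDATES, STRONG_DECK))
```

Under this model a swap goes unnoticed exactly when the two candidates have equal expected totals, which is why the second deck needs more ballots than the first.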