 Hello and welcome back to the FEM channel. Our next speaker will be Rajiv Gauray. Until last year he was a professor at the Australian National University. And his talk will be about how the counting of elections with complex voting schemes, if that happens electronically and verifiably. After the talk there will be a Q&A session, a live Q&A session here, to ask questions post them in the IEC hack-in-channel hashtag rc3-fem in the rocket chat at hashtag FEM and in the FEDiverse and Twitter with the hashtag rc3-fem without the dash. For our German viewers there is a translation, for this you have to translate the native of translated in the web player and then you can listen to the simultaneous translation. And now enjoy the talk. Hello everybody, my name is Rajiv Gauray. I used to be a full professor at the Australian National University. I'm now emeritus and this is joint work with Milad Gale, who was a PhD student with us until a couple of years ago, and Dirk Pattinson who is an associate professor at the ANU. Just before I go ahead all of the stuff that I'm talking about, the code and the verification and the proofs are available here if you want them. Okay, so what am I going to talk about? I'm going to talk about a way that we can count complex voting schemes, for example the single transferable voting scheme by computer, but in a way so that the results are both formally and publicly verifiable by pretty much anybody. Okay, so this is the overview. First of all I'm going to talk a little bit about what end to end verifiabilities in electronic voting as it's known. Then I'll explain what single transferable voting is. Then I'll explain the parlous situation of computer counting in Australia. Then I'll explain a little bit about how interactive theorem proving works and then the work that we did in more detail. Now there's a lot of stuff here and so I need to give a flavour of everything rather than go into the depth of the details. So I hope you'll bear with me and I'm more than happy to answer any questions you have in the chat session afterwards. So let's get going. So in electronic voting the gold standard is known as end to end verifiability and the way that they achieve it is by three steps which sort of feed into each other. So the first one is called cast as intended and the idea is that a voter should be able to verify in some way that the electronic ballot that he or she is casting is actually what they intended. So the idea here is to mimic a paper ballot because when you put a paper ballot in the box you know exactly what you're putting in the box but when you do electronic voting via some sort of computer terminal you don't necessarily know what the computer is actually casting on your behalf. And so cast as intended is to make sure that the electronic ballot really is what you meant it to be and there are cryptographic ways to achieve that. Recorded as cast says that you must be able to provide public evidence that the ballot was not tampered with in transit. So it's all great the electronic ballot is what you intended but if there's a man in the middle attack then the man in the middle can change the ballot in transit. And finally there's the tallied as recorded. So the idea is that a voter can verify that the ballot was tallied. In other words that the telling program didn't just throw the ballot away. Now these three things naturally form a cascade so that if you have cast as intended and then recorded as cast and tallied as recorded you have end to end verifiability. And there are publicly available electronic voting systems that try to guarantee these things. Now most of these solutions for the first two are cryptographic in some sense you know some sort of hashing some sort of mixing I won't go into the details. Now tallied is recorded is all well and good you know that you know that your vote was tallied but what if the vote counting program contains a bug. So what you really want to know is that it was tallied correctly and that's what we're trying to address in this work here. And the idea is called software independence and it goes back to Ron Revest one of the co-inventors of RSA. So the idea is that a vote counting program has to produce a telling script right some sort of evidence of what it was doing. And then what we do is we try and guarantee that if the telling script is correct with some notion of correctness then the result is correct with the appropriate notion of correctness. Okay so there are two notions of correctness here. One is the correctness of the telling script and the other is the correctness of the count. And what we do is we formally tie them together with this implication in line in idea two right. So that's a formal implication which has to hold in logic. And then our claim is that it's trivial to write a program to check the telling script and I'm hoping to demonstrate that in the rest of my talk. Okay so the idea is rather than verifying that every run of the vote counting program is correct what we verify is that this particular run of the vote counting program is correct. The one that counted your ballots or the one that counted this election. And so this idea of this run is correct will come up through my slides a little bit. Okay it's a new take on formal verification. Alright so what do we mean by a voting scheme? So the example that I want to deal with is single transferable voting. So it's basically a method for setting out filling in and counting paper ballots right. Of course if you make it electronic you still have to have an electronic voting scheme but now we're out of the scope of what we've done. So we have a paper ballot and for example like this one here it says that you know there are four candidates and I vote Charlie one, Dave two, Alice three and I don't really care about Bob. Now depending on the voting scheme this can either be a legal ballot or not. So for example do you have to fill out all the numbers? So in some jurisdictions this would be an illegal ballot because I haven't put a four here but in other jurisdictions this is allowed. In the Australian Capital Territory in Canberra where I am what we do is we also do something called Robson Rotation and the idea is that if you just have a fixed order of the candidates then the donkey vote right the voter that doesn't care will just go one, two, three, four vertically and that those donkey votes will all go to Alice. And unfortunately we have a lot of donkeys in Canberra and so there are lots of votes that are donkey votes. So what they do is they produce reordered versions of these ballots in all the possible permutations and distribute them to the physical locations and equal numbers. So the idea is that you know the donkeys get equally distributed through all of the candidates. The main thing that we need to do of course in counting is detect when a candidate reaches a quota. If someone doesn't reach a quota then detect who the weakest candidate is because that's who we're going to eliminate and how do we take ties and how do we transfer a vote and when to stop counting. So as you can see this has got nothing to do with the cyber security aspects of electronic voting. It's about formal verification of an algorithm and I'm going to go into the details of STV counting now to explain why it's hard. So these are all the details or the technical terms that I might use and I'm just going to talk about how we count the ballots and refer to these things. So I'm going to let you read these. Just note here that the transfer value of a ballot can be less than or equal to one. That's the main thing that I want to get across. Okay, so here is our pile of ballots and what do we do? We do the following. We tally all the highest preferences. So what does that mean? That means that we create a pile of ballots for Charlie and this ballot goes into Charlie's pile and that's it. Then we take the next ballot off the pile and put it into wherever the one candidate is. So at the end of that, what we're going to get is we're going to get, in this case, four piles, one for Alice, one for Bob, one for Charlie and one for Dave and every ballot in Charlie's pile will have a one here and every ballot in David's pile will have a one here and every ballot in Alice's pile will have a one here and so on. So the idea is that we've counted the first preferences. Now, if anyone meets the quota, if whatever we fix the quota to be, then they're elected. I'll explain how that's done in a moment. But if nobody is elected, then we have to choose a weakest candidate and eliminate that candidate. And either way, whether we elect a candidate or we eliminate a candidate, we have to transfer their ballots. So let me explain what transferring means. So suppose that in the first count Charlie is elected. So what we want to do now is we want this ballot to go into Dave's pile. But typically we don't let it go into Dave's pile with a full value because Charlie is, this voter has already got his or her preference by having Charlie elected and now allowing them to have a full vote to elect Dave is sort of giving them more power. So the idea is that we attenuate the value of this ballot in some way and the ballot value becomes less than one. I'll explain more in a moment. Of course, if the number of candidates that are remaining is less than the number of seats that we need to elect, then you can just elect everybody. So that's also done in the ACT where I live. Let me go into the details a bit more. So here's an example. So we have four candidates, A, B, C and D. We have to run an election where we have to elect two of them. And here are the five ballots in the election. So A1, B2, D3 similarly, D1, C2, C1, D2. That's what these ballots represent. Let's assume that there are no fractional transfers for the moment. So we don't attenuate the value just to keep things simple. And let's not do this autofil thing, right? Where we elect all of the candidates if there are less candidates than the seats. It just keeps things simple for my example. Now in Canberra, what we use is something called a droop quota named after a person. And it's defined to be this. It's the total number of ballots, which is five, divided by the number of seats plus one, which is three, and it's the floor function, right? So it's the greatest integer that's less than that, plus one. So what does that mean? It's five divided by three is one point something. The floor is one, plus one is two. So as soon as someone gets two votes in this election, they get elected. So what am I going to do now? I'm going to count all the first preferences. I'm going to go down here and count all the first preferences. So as you expect, we should get a three for A, a one for D, and a one for C. So here they are, right? There's a three for A, a one for D, and one for C. Now what we have to do is see whether anybody meets the quota. Well, A does meet the quota, right? A has three ballots and the quota is two ballots. So A actually has one ballot more than the quota. So let's elect A. Now what we have to do is decide what are we going to do with the surplus? So what was the surplus? Well, the surplus is one because A only needed two of these ballots to get across line, but A has got three. So the surplus is one. We have to decide how to transfer the surplus. There are various ways, which I'll come back to a bit later, but right now I just want to keep things simple. What I'm going to do is I'm going to say, look, all these ballots are identical. So let's just delete two of them and transfer the third. So let's just delete the first two and transfer the third. So what's going to happen is this ballot is now going to move from A's pile to B's pile. So B's count should go up by one, and that's exactly what happens. Now we have a three-way tie. Nobody's elected because nobody meets the quota, so we have to eliminate the weakest candidate. How are we going to choose the weakest candidate? Well, again, there are various ways and it makes a difference. But for simplicity, let's just pretend that this ballot, because it's transferred, is somehow worth less than these ballots, which are not transferred. I'm just making something up, but there are much better ways, of course, right? So what I'm going to do is I'm going to now transfer, I'm going to eliminate A, sorry, I'm going to eliminate B and transfer the ballot, right? So I've eliminated B and transferred the ballot to D, but D now gets two votes, right? So we had B equals one, D equals one. We eliminated B, the vote went to D, so D's count goes to two. He or she meets the quota, and so D's elected. And that's it, that's the end of the election, because we were tasked with electing two people. We elected two people, we eliminated B, and C's just left hanging as, well, neither elected nor eliminated, but the winners are A and D. Okay, so what I'd like to do now is tell you a little bit about the sad state of affairs of electronic vote counting in Australia. We don't have any official electronic voting as such. We have booth-based voting in the ACT, but I just want to talk about vote counting. So at the highest level, we have the Australian Election Commission, which counts the federal elections, the national elections. And as you can see here, the code is hidden, it's proprietary, it's not available for scrutiny. When a lawyer in Tasmania put in a freedom of information request that the code be published, he was denied by the Australian Electoral Commission on the grounds of security and commercial incompetence. He appealed the decision to something called the arbitration commission and the arbitration commission threw out the defence of security because the code is just run in-house, right? It's not connected to the internet in any way. But they maintained the commercial incompetence argument and denied the freedom of information request. Now, what you should be asking yourself is why would the highest electronic authority, sorry, election authority in Australia have commercial incompetence reasons for keeping their code secret? And it's because they make roughly $19 million a year by running elections privately for electing the directors of companies, and they don't want to endanger that business. So what they're choosing to do is they are choosing to deny the public the right to see the code, which is used to elect their representatives in the national government because they want to make a profit on the side. The Victorian Electoral Commission also has some proprietary code. Victoria is the state where Melbourne is. Also has some proprietary code. As far as I know, it's available for scrutiny, but as far as I know, nobody has done any scrutiny. The situation that I'm most familiar with is the Australian Capital Territory, where the code was developed by a company called Software Improvements using C++. It's been used four times since the 2001 election, and up until recently the counting code, not the casting code, but the counting code was available from the website. But in the last election, which happened in 2019, they decided to keep that secret as well. Of course, the full code is available if you're willing to sign a non-disclosure agreement, which says you shall not publish until we give you permission to publish, but being good academics, we're not willing to do that. The other province that I know of is the New South Wales Electoral Commission. New South Wales is the province where Sydney is. So they make on there, or at least a couple of years ago, on their website you could get detailed functional requirements. There was a letter from a legal expert at the Queensland University of Technology to say that he or she thinks that the functional requirements meet the legislation. Then the code was certified by a company called BirlaSoft, which I'm assuming is an Indian company, because I know that Birla is a big company in India, as passing all tests. But when you look at their certificate, the very first line says, we give no guarantees that the code does what it's supposed to do. We just check this, this, this, and this, and you know, it's all okay. It's proprietary code when we ask for the code, they denied us the code, and it's not available for scrutiny. Okay, so how can we sort of abstract the approaches? Because I want to try and keep things in the abstract. So the idea here is that let's look at three aspects. So let's look at the artefacts that exist, the scrutiny that we can place them under, and lacking the scrutiny, where is the trust, the blind trust that we have to place. So we have, you know, a 14 page document which outlines what the Hare Clark Act is in Canberra for how to count votes according to single transferable voting, and the Australian Capital Touratory Electoral Commission and Software Improvements to Company have come up with these functional specifications in UML. They're not published, but presumably I could get them if I was willing to sign a non-disclosure agreement. So here we have to trust Software Improvements and the Election Commission. Then Software Improvements have produced a computer code in C++. They're not willing to publish the code. Well, they used to publish the counting code, but they're not even doing that now. And so what we have to do is we have to trust this auditing by some company called BMM. So in Canberra, the company that certified the code or ordered to the code is called BMM. Now why on earth should you trust this BMM company? What do they do? Well, BMM is a company that actually audits gaming machines. So I'm assuming you have them in Germany as well, but we have these things which we call one-armed bandits. So these machines that you put money into and they roll the dice and tell you whether you've won the jackpot or not. Now in Australia, the legislation says that they have to return some percentage of their takings. 85% has to be returned to the players. So this company actually audits gaming machines and certifies them to be correct in the sense of returning 85% of their takings. So at some stage, they decided that, well, if we audit gaming machines, why don't we audit software as well? And so they audit software. Again, the very first page of their certificate says we do not give any guarantees that this code actually counts the ballots properly. In New South Wales, they have a similar approach. So again, legal texts, they have 47 pages of specs, but they're actually published. There was a vendor, we don't know who produced the computer code. The computer code is proprietary, you can't look at it. But now we have to trust this company called Billersoft. And again, the very first page is we don't guarantee that the code does what it was supposed to do. Now, what's the situation? So over the past 20 years, we've found many bugs in the ACT system and some of my colleagues have recently found bugs in the New South Wales system. So I'd like to tell you a little bit about the bugs. So the very first bug that we found was a simple for loop error. What you want is an out of most for loop that says something like, for i equals one to the number of candidates do blah, blah, blah. Now they had a slight bug in that. So they either had n minus one or n plus one. I can't quite remember which. But one of my PhD students who now works for Google Zurich found that the code would run perfectly fine if there was an even number of candidates, but would just crash and burn if there was an odd number of candidates. I can't remember which way it would have actually happened. We found the bug three days before these people were going to count the ACT 2001 election live on television on the day of the election. They admitted the error, they fixed it, but we got this nice letter back from the election commission saying, thank you for notifying us of this simple error. It was easy to fix and everything's fine now. So we asked them, well, if there was this simple error, how do you know there are not other errors? And they said, no, no, no, we're sure everything's fine. Of course, a little bit later, one of my colleagues, Olwin, too, found another bug. That's this one here. There was an uninitialized Boolean and different compilers could give different results. Another one of my colleagues, Jeremy Dawson, rewrote the implementation or rewrote his own implementation using a functional programming language. And when we checked the results of the 2001 election, he found that three ballots were going in a slightly different way at a certain point. And when we traced it, what we found is that there was a three-way tie for the weakest candidate. So in a real election, there was a three-way tie where there were three candidates all with equal number of votes and none of them who met the quota and one of them had to be chosen as the weakest candidate. Now, the legislation says that when you're in this situation, you've got a three-way tie, you go back and go back to the previous rounds until all candidates have an unequal number of votes. Now, Jeremy's a mathematician. So what he said is, what does that mean? Well, all candidates have an unequal number of votes, means no two candidates have the same number of votes. So what this English text actually means is that all the ballots have to be, counts have to be pair-wise distinct, right? So they're equal. We have to go back until this one is not equal to this one, this one is not equal to this one, and this one is not equal to this one, pair-wise distinct. But the e-vex code wasn't doing that. What it was doing is going back until one of them was different. So we wrote to the election commissioner and said, look, we think we found a problem. Your code doesn't meet the legislation. And he wrote us a very nice letter saying, thank you very much. But we've defined the meaning of this English text to be exactly what the code, our current code does. Right? Well, we can't argue with that. He was the election commissioner. How bad were these things? Well, for every bug, we could generate a very small election, which we could demonstrably show gave the wrong result. But they just said, we have full confidence in our code. The University of Melbourne group found a bug in the New South Wales code recently, which actually reduced the chances of a candidate winning from 90% to 10%. The first question you should be asking is, why are we talking about probabilities here when we're talking about an election? And this is worth discussing. So let me go back to here where I had to transfer one of these ballots. So remember that A has been elected, A has got a surplus of one, and I need to transfer one of these three ballots. So what we did was we just transferred one of them because they were all equal. What New South Wales does is something really clever. They randomly select one of these ballots to transfer and transfer that randomly selected ballot, which is all fine in this case because they're all equal. But if these things were different, then we'd basically be flipping a coin to see who gets elected. And more importantly, what it means is that you can't rerun the count because your random number generator may do different things at the same position in the second count. So what did my colleagues do? What they did is they ran the election a hundred times. And what they found is that one particular candidate was winning in 90% of their runs. But in the real election, there was a bug and it reduced the chances of that person winning to 10%. But the person couldn't challenge the result because the three-month period for a legal challenge had passed. So this poor person potentially lost the election because of a bug, but she couldn't challenge. Now I want to talk about a better way of doing things. So I'm switching now, right? So this is the parlor state of electronic voting counting in Australia. I want to try and talk about how to do it properly. But in order to do it properly, we need something called formal verification. And so what I want to do is tell you a little bit about formal verification and what that means. So formal verification started in the 60s with an AI dream, right? So the artificial intelligence researchers were dreaming about automating mathematics. So the idea is that we can do mathematics fully automatically on a computer. And you can read a really nice paper by a guy called, one of the authors is John Harrison, who is an expert in this formal verification area. And he currently works for Amazon. Why? Because they want to do formal verification of their code eventually. Of course, what they found is that, you know, automating mathematics is the ultimate, just in a second, automating mathematics is the ultimate undecidable problem. And so human guidance was indispensable, right? So they tried for 10 years and basically realized that we needed to be interactive. It couldn't be automatic. Now, the reasons why you might want to automate mathematics began to get more and more serious. So the first example was the Apple Harkenproof of the four-color theorem. This is the famous theorem that says you take any map in 3Ds of countries and you can color it in four, in at most four colors so that no two countries have the same adjacent, no two adjacent countries have the same color. So Apple and Harken came up with a proof in 1976 and there were some 1,500 lines of code and people were asking, is the code correct? And they said, well, we think it is, but what can we do? The best example that I know of is the Pentium Bug in 1994 because it cost Intel half a billion dollars. So they then started hiring people in formal verification and they had a team for many years and John Harrison actually used to work for Intel for a number of years before he moved to Amazon. The next example is called the Kepler Conjecture. This was approved by Thomas Hales that the best way of stacking oranges is the face-centered cubic way. It's the way that your average greengrocer at your market stacks them, but there was no proof that this was the most space-efficient way of stacking oranges. He came up with a proof but it had 200 pages of handwritten notes or type notes and a three gigabyte computer disk of examples. So again, the journal said, well, we're not sure about this but we think it's okay. So what's the idea of formal proof? The idea of formal proof is that we use computers to do logic-based checking of proofs. So we enter the proof into a computer using a specially designed language and the computer checks whether the proof is correct or not. Now, as you can see, this is a chicken or egg problem because how do you know that the computer program is correct? That's what I want to talk a little bit about now. This is actually a very well-developed area of research and the current goal, there are many proof assistants, but the current goal is actually to make them more human-friendly. So let me talk a little bit about formal proof and I'm going to do that using an example. So let's take the example of odd and even numbers. So what's the definition of an even number? Well, it's a number which can be divided by two. So it can be written, any is even if it can be written as two times some other number, right? So for example, zero times zero, one times two, two times two, three times two, and so on. What's an odd number? Well, an odd number is just an even number plus one, right? The odd numbers are sitting in here. So it's zero plus one, two plus one, four plus one, five plus one, and so on. So now I want to prove a lemma. If the natural number n is even, then the natural number n plus one is odd. So how can I do that? Well, here's a simple proof. How does it proceed? So what we do is we say, okay, let's assume that n is even. That means that there's some k such that n is equal to two times k. So we know that this holds for our even number n. Well, now what we'll do is just we'll add one to this and one to this. And what will we get? We'll get that n plus one is of the form two times k plus one. But what do we know about numbers of the form two times k plus one? Well, they're odd by definition. So n plus one must be odd, all right? Now, what I want to do next is to show you an example of a computer script where a computer program called COG, which is a theorem prover, an automated proof assistant, has proven this, has checked the proof. So this is what it looks like. Now, I can't go into the details, of course, but the idea is this, that we import some library called arithmetic because they've defined a library which allows us to do arithmetic. We define that for the natural number n is even if what? Well, if there's a k such that n equals two times k, the natural number n is odd if what? There exists a k such that n equals two times k plus one. And here is a encoding of the lemma for all natural numbers n. If n is even, then n plus one is odd. And this is the proof. Again, I can't go into the details, but these are commands that I've given to the interactive theorem prover. These are comments where I've tried to capture what line of the previous proof I'm capturing here. And the idea is that when I get down to here, I type QED and the computer program is checking all these steps. And it says, yes, all the steps are correct. Or it says, no, this step is wrong here, fix it up. And so the idea is that we interactively push the proof through. I can't go through the details. OK. The next question you should be asking is, why should we trust machine check proof? So what we do is machine check proof is based on the Alonzo Church's Lambda calculus from the 1930s. It's a published paper. It's been reviewed for the last, goodness knows, almost 90 years or so by mathematicians. The official research laboratory called INRIA from France has produced this COC theorem prover, which is about 50,000 lines of code. It's been in development since 1976. It's been checked by lots of people. And everything is published. And so, yes, we do have to trust some of these things, but you can actually check these things. So the idea is that we're going to use this framework to do formally verified electronic counting. So here's a map of what we've done. So what we did is we took the legal text. That's the English 14 pages of the Hair Clerk Act. We manually transferred it into logic as rules capturing the state transitions of an automaton. So basically the state transitions where a computer moves from this state to that state, and we tried to keep the computer as simple as possible. So we're not trying to mimic a full computer. We're trying to mimic some sort of abstract machine. We're capturing abstract machine in logic. Then we converted this legal text into formulae of high-order intuitionistic logic as our functional specification. So this is logic, and this is logic. And what we proved in COC is that if this thing produces a correct certificate with some notion of correctness, then this thing produces a correct count with the appropriate notion of correct count. Again, I can't go into the details, but I'll try to give you an example in a minute. Now, the COC Interactive Theorem Prover is so well-developed that actually we were able to extract the code automatically, which I can't go into. So the idea is that once you do a proof in COC and COC accepts the proof, you can generate the code automatically. So we didn't write any code. We did a proof, and we pressed a button. Why should you trust any of this? Well, everything's published, right? You can get your election expert to check this. You can get your mathematical logician from Theo Darmstadt, say, to check this. And the only thing you really need to trust is the certificate, which we're going to publish, and you can check. So that's what I want to go into now. So what have we done? We've completed STV vote counting so the Schultzer method. The Schultzer method is used, for example, by the Linux community when they want to decide which way to fork branches. Our code computes with exact fractions. It's efficient. We can count up to 10 million votes with 40 candidates and 20 vocancies in 20 minutes. It produces a certificate. It produces a paper printout of the state machine and what states it's going through. And what we claim is that an average third-year computer science student can write a program to check the certificate. And that's what I want to go into in a moment. In reality, you don't even need to trust the hardware or the software because all you need to do is check whether the certificate is correct because our proof guarantees you that a correct certificate implies a correct count, right? And the converse of this is that incorrect count means incorrect certificate. If you check the certificate, you can check whether the count. So this is what I want to talk about now. So what we actually did is we encoded a minimal abstract machine which has three types of states. There's an initial state where all the ballots are uncounted. There's a final state where we declare winners and then there are a bunch of intermediate states. I can't go into the details, but the idea is that these intermediate states carry complicated data which are usually lists and ballots are moving from one list to another list according to the state transitions of this machine. And the state transitions correspond to counting, eliminating, transferring, electing and declaring winners as rules. And so the machine moves from this state to this state if you count. It moves from this state to this state if you eliminate. And that's captured in logic. Then what we did is we actually proved minimal conditions that the rules need to satisfy for everything to be correct. Now I can't go into the details of this but what I want to do is give a simple example. So let's go back to that idea of the natural numbers and what I'll do is I'll show you some coding which encodes the natural numbers into COC. So this is actual COC code and it says to the COC theorem proofer that capital zero is my type of natural number. I'm defining my private type of natural number. Capital O is a my type of natural number and S is a function which takes any natural number that you give it and gives back another natural number. So what does that mean? It means that zero is capital O. One is S of capital O. Two is S of S of capital O. Three is S of S of S of capital O and so on. So every natural number is represented as a string which ends in capital O and has a number of S's in front of it. So what we did is the state machine is encoded using this complicated thing and what you can see here is right that there's initial list of ballots. There's the final list of candidates which are elected and then there's a complicated structure which captures these lists. Again, I can't go into the details. The minimal STV instance is then given by the definitions of these rules and the rules that satisfy the respective conditions. The conditions consist of two parts. When is the rule applicable and how does it change the state? And then in COC we prove three theorems. Every applicable transition reduces complexity. So whenever you do something, you're reducing the complexity of what remains. That means that eventually we have to reduce the complexity to zero. There's a notion called liveness which says from any state you can't be blocked. There's always at least one exit. And these two things together imply that whenever you give me a set of ballots, my process will terminate. So I guarantee you that this is an algorithm which terminates. Okay, then what we did is we used the code extraction facilities of COC to actually extract the code which I can't go into. And what we did is produced a program that actually produces a certificate. And once the certificate, it's a run of the state machine. And what we claim is that it's easy to write a program to check the certificate. Again, I can't go into the details, but I'll give you an example. Going back to our natural numbers, I claim that this is a certificate of correct addition. All right? So what is it? It's just a stack of lines of the form add something, something, something. Okay? And in the same way, this is a certificate produced by our vote counting program. And as you can see, it's a bunch of lists. So this is a ballot which says A preferred over C preferred over B. And it moves in some way through the lists until we declare a winner. Okay? I can't go into the details, but this is what's going on. So the claim is that to check the certificate, all you need to do is simple pattern matching and check that these actually are the rules that are being used to go from here to here, where these are the rules at zero and at S. In this case, right? But in our case, it would be to start and count rules. So now I want to go into an example. So keeping the example simple. So what we're going to do is we're going to define the natural numbers, as I said. And we're going to say that a basic derivation is any string of this form. That is a string that starts with the word add and has three things after it, all of which are X, Ys and Zs. But the first one has to be equal to the third one. And the middle one has to be big O. And why is that? Well, because that just says that adding zero to X is X. And we know that adding zero leaves X alone. And then the step case says, if you know that adding X to Y gives Z, then you know that adding X to Y plus one gives Z plus one. And so all we're doing is we're inserting S twice into this position and this position to convert that to an S of Y and convert that to an S of Z. Right? So what's a derivation? It's a stack of correct derivations. And the result is in the bottom. And the theorem says a correct derivation always contains a correct result. How can you verify that? Well, I claim that this is a correct derivation. So let's check. Is this a correct derivation? Yes, because it's something and the same thing with a big O in the middle. That was a correct definition. And it says that zero plus one equals one. This one is a correct definition because if this is a correct derivation, then all we've done is added an S here and added an S here. And this thing says you can transform one correct derivation into another correct derivation. So this is a correct derivation. What's the result? One plus one is two and so on. What's the final result? One plus three is four. So all you need to do is all you need to check are those rules that I specified up here. And it's just a pattern matching problem. So what's the election process? So what we do is we publish our logical encoding of the vote counting process. We publish the specification of what correct certificate means. We publish the mathematical proof that a correct certificate implies a correct result. What does the software vendor do? The software vendor delies a program, which is almost certainly buggy for vote counting. But it has to produce a correct certificate. It has to produce a certificate according to what we mean to be a certificate and what we mean to be a correct certificate. Now, of course, if the program is buggy, it may not do that. So the election authorities have to publish all the ballots. Now what can we do? Well, now we can have very, very widely available scrutiny. Because, look, the political parties can each hire a third-year computer science student to write a certificate checker. What's a certificate checker program? They just look at what a correct certificate means and what a certificate means and encode what it means for the certificate to be correct. It's pattern matching. Other academics could set a software engineering project to cite a certificate checker. So what we could have is we could have lots and lots of certificate checkers which have been independently developed. And it's highly unlikely that all of them will contain the same bug. So what do we do? Well, we run the election, everybody checks and someone says the public certificate is incorrect. So what we say, okay, you claim that the public certificate is incorrect. Where does it break the correctness criteria? We told you what it meant to be correct. You tell us where it's incorrect. And if you tell us that it's incorrect in line 35, so I don't know it's incorrect, in going from here to here, well we can check that, right? So there's public checking of that claim. Then someone else says, oh no, your mathematical proof is wrong. So we'll say, all right, you claim the mathematical proof is wrong. Tell us where it breaks the rules of logic. We've published our rules and we've published our proof. So you could go to the people in Berlin or Darmstadt or Karlsruhe and get the academics there to check our proofs. Someone else might say, the correctness criteria or the mathematical encoding is wrong. Again, we say, all right, when you claim something is wrong, give us an example of where it does something wrong. And we can check. So the electoral experts can check. Finally, what if the vote counting program is buggy or hacked, right? We don't care, because the theorem says that the correct certificate implies the correct result. So the contrapositive says incorrect result implies incorrect certificate. And we've got all these thousands of people around Germany checking the certificate, right? So what it says is that the bug or even the hack could not have manifested itself during this run of the program, right? The hacker tried to do something or the vendor had a bug in their program, but that bug did not manifest itself during this run. So this run is correct. That's the idea. So what have we done? We've completed STV counting. As I said, we've completed the Schultzer method, counts 10 million votes, blah, blah, blah, right? Our certificate is a plain text certificate, which vouchers for the correctness of the count. And you don't even need to trust the hardware or software, because there are all these certificate checkers written by independent people who will check the certificate. Now, the only caveat, the dangerous one, is that we have to publish all ballots. And that's actually a problem, because what is known is that if you publish ballots, then the election can be vulnerable to something called a Sicilian attack, which I won't go into for now. What we've actually done is Millard has even verified the certificate checker. So he has produced a verified certificate checker which is formally correct with respect to the semantics of C, using a different theorem prover, interactive theorem prover, for KKML. We can cover all the STV schemes used in Australia. And the problem that we're really interested in now is can we do this to encrypted ballots because that would remove the Sicilian attack. So the message that I want to try to get across to you in Germany is verified and publicly verified e-counting is now possible. Thank you for your attention. Hello and welcome back. And thank you for the nice talk. As someone in the chat mentioned after hearing STV for the, like before hearing of STV for the first time, they thought the German electoral system was complicated. As a reminder, we have a Q&A session now. If you want to ask questions, you can ask in the IRC at RT3-FEM, in the rocket chat at FEM, in the Twitter and Fendiverse at RT3-FEM. And now welcome to the Q&A session. Rajiv should join us now. Yes, he's here. Hello and welcome. Hi. Okay, we actually do have quite a few questions. I'm positively surprised about that. And the first one is, are there similar movements to public or money public code in Australia? Or if there are, is there any international cooperation between these movements? And how do you do these play into arguing against closed source voting code? So the first one is about international cooperation. And as far as I know, there isn't any. The only cooperation there is is between academics like myself. So there are groups in culture. There are groups in France, in India. And there are various other groups around the world that are trying to push the election commissions to take up our technology. The biggest problem that we have is that the election commissions are not sophisticated... Sorry, are not acquirers of sophisticated software. So they're not like NASA or they're not like the space commissions. They go out to tender. And if a vendor says our code is correct, then they just say, well, okay, yeah, the code is correct. The vendor says so. And what was the second question? Sorry, how was I going to argue? How did these play into arguing against closed source voting code? So I think it was more about the push to get the public... to get the voting code and the counting code published. Right, so what's going on here is it's a strange confluence of interests. So the election commissions have built up a lot of trust over the last 200 years. And the last thing they want is to have their trust undermined. So what they don't want is they don't want academics like jumping up and down and saying there's a bug in your code, there's another bug in your code. And so what they prefer is to say our vendor guarantees us that everything is fine. Trust us. And this is only going to change when there actually is a disaster and somebody losing candidate challenges the result and it goes to court and the case is thrown out and they have to run the election again and it's going to cost them a couple of million dollars and be very embarrassing. So the only time this will change is when there's a disaster, unfortunately. And what we've found around the world is there are many academics like myself jumping up and down saying look we need to do formal verification and almost all of them have been ignored by the election commissions that I just explained. That sounds like the concept of security by obscurity is still popular in some in some sense. Trust us. OK, then maybe we go to the next question. Regarding the bugs in the counting modules, were there any requirements on the code quality to avoid common mistakes, for example, by forcing compiler warnings to be treated as errors or using static analyzers? I don't know. They won't tell us. All they tell us is we've tested the code extensively and it passes all our tests. Now you have to understand where the election is coming from this year. So in the old days they used to count ballots by hand. Now in Canberra we have about 350,000 voters and so they needed to count these votes quickly by hand to declare the election. And what happened is that in 1996 there was actually a challenge and it went down to some very small number of votes, you know, three votes or something like that. And so candidate A was declared the winner. Candidate B challenged. So they had to do a recount by hand which took a week. Then the result went the other way. Candidate B was the winner by five votes say and candidate A challenged. So then they had to do another recount which took another week and in the end I can't remember the result but you know it took three or four weeks to give the results, the final results which were challenge free. And so at that time the ACT Electoral Commission has said look this is silly, there's got to be a better way let's do it by computer counting. But of course what he or she doesn't realize is that by doing it by computer counting you're putting all your eggs in one basket, right? You have a single point of failure and you're putting a lot of trust on that single point of failure and that's what we're not able to get across to them. Okay. Thank you. Okay, the next one is have you proved the cock to Haskell compiler to be correct and are you certain that you don't end up with the force as a precondition anywhere? Right. So this is the classic thing of formal verification that we can gauge out, right? So if our formulas are inconsistent then we can prove anything we like and no there is no proof that cock is consistent there could well be some sort of serious logical error in our formal coding but at the end of the day we have a proof that a correct certificate implies a correct count, right, which you can check. So even though there may be a problem in cock we can tell you that that bug in cock didn't manifest itself in our proof. If our proof is correct and you can check the proof, right? So this is classic peer review scientific peer review. You know string theory might be wrong but it passes all the tests that we can throw at it at the moment because it passes all the experiments that we can do. Okay, so I think the next question is not completely serious. It is, does anyone trust a third year computer science student? Well frankly, I wouldn't trust a third year computer science from any Australian university but I know that in Germany you teach them properly and a four-diplom is not trivial so I trust German third year computer science students. Okay, I guess a lot of yours will be happy about that answer. Okay the next one is to what degree do voters trust these voting machines? I'm not sure if there were any voting machines in the talk but I guess you have a better quality to answer it. Right, so in Canberra as I said we don't have any electronic voting you know by your tablet or something like that, right? So what we have is you go into a booth and the booth has a computer with a screen and you press the buttons, I think it's a touch screen you touch the screen to create your ballot and then you say yes this is the ballot that I want to submit and then you get a nice friendly screen that says thank you very much your ballot has been cast and trust us, right? Now what I'm going to be asking is how do you know that the ballot that you show on the screen is the one that you're actually casting? How do you know that the machine isn't making a mistake and casting you know vote one Raj every time? And unfortunately the average voter is not sophisticated enough to ask these sorts of questions and so what they do is they say well you know I can't check a pen and paper election who do I trust? I trust the election authority and in this case I do the same I don't know enough about computers to know that what's on the screen is what's being cast but I trust the election commission to have done their job Okay, yeah so another one wants to know how can you if you can clarify how you distinguish e-counting from e-voting? Right, so if you remember right at the beginning I gave you this idea of end-to-end verifiable voting right, do you remember there was this cascade there was cast there was cast as intended there was collected as cast and counted as collected so the idea of electronic voting is that you have all of these right so you cast your ballot on your tablet somehow the tablet has to give you evidence that what you created on the tablet was actually the electronic ballot that was cast then the tablet sends the ballot somehow magically over the ethernet to the election authority and the election authority has to produce some evidence and verify that the electronic ballot wasn't tampered with in transit and finally when the election authority publishes a result they have to provide some evidence publicly verifiable evidence that you can check to say that your ballot was actually in the count right now so that's the traditional way of doing electronic voting there are systems out there that do that as I said in Canberra we have booth based voting so you cast your ballot inside a booth in privacy on a computer that they say works properly then the ballot is somehow transferred to the election authority which they say is secure and everything is fine they count the ballots according to their computer program which they won't show us and they assure us that everything is fine so as you can see in Canberra we have nothing we have no ill into end verifiability because we have to trust the election commission or the vendor at every stage does that answer the question I guess so so basically you're tackling this third of the three problems and leaving the first two out of scope okay so another and there are cryptographic there are incredibly intricate cryptographic methods to solve the first two okay so another one was in Germany we have more bizarre voting methods than single transferable votes any idea of if this would work with cumulative voting or sorry panacea panacea panacea so in other words is it a solution for all situations the simple answer is I don't know I haven't tried but as I said my colleagues in Kaltura there's a theoretical computer science group and a verification formal methods group in Kaltura they would be the people to understand the German system I'm sorry I just haven't I just haven't had a look okay but I have a reverse question you said that the German system is a bit bizarre but I mean STV counting itself is pretty arcane as well right so does it get any more bizarre than STV in Germany that's a good question as I haven't looked into the federal election system lately but it didn't look so complicated to me but it could be in the local elections that there are more complicated voting systems but that's just my unqualified answer so that's probably a lot more qualified people there so what's known is that STV is actually one of the hardest okay so there's an area called social choice theory where people typically mathematicians compare different voting schemes and people have come up with many other alternatives to STV to try and make it fairer or better and there are at least 10 different voting schemes that we could discuss but STV is known to be one of the more arcane ones because everything depends on for example how do you break ties how do you decide who's the weakest candidate and this sort of stuff and for example in the ACT system the one in Canberra there's actually a clause which says if everything is equal all the way up to the beginning then the election commissioner can toss a coin or he or she can choose names out of a hat right so that's how you know bizarre it gets yeah okay so someone noted that apparently these more bizarre voting systems appear in Bavaria like one of the southern states of Germany yeah actually yeah I knew that Bavaria was a bit unusual yeah okay so the last of the official questions how is the certificate generated and the asker noted that he or she might have missed it during the talk the certificate is just a naive print out of the run of the state machine right so I mean strictly speaking you know we could be cheating what we could be doing is taking your ballots and randomly generating a certificate and claiming that this certificate contains a correct count we might not even be running a program right literally we could have a thousand monkeys sitting on typewriters randomly generating a certificate and then after I don't know say an hour we say this is the certificate and Raj wins but it doesn't matter because the proof says that if you can verify that the certificate is correct the count that it contains is correct so it doesn't matter if we generate it using a random number generator I mean we don't of course but strictly speaking we could okay thank you and the one last question that we had in the studio here could you maybe elaborate a little bit more about what was the problem with publishing the words you said there was the Sicilian attack yeah sure alright so this goes back to the mafia in Sicily and that's why it's called the Sicilian attack right so what you want is you know you're running you have an election for mayor and you want to make sure that Raj gets elected because Raj is crooked and you can bribe him and get him to do whatever you want so what you do is you tell the voter that I want you to vote in a particularly arcane way right so you vote Frederick III and Frida 1 and Raj 17 and you know Yurg 5 or something like that and then what you do is if you publish the ballots you can check whether that ballot exists you know is there a ballot that was it Frida 17, Yurg 5, Raj 17 and Fred 1 or whatever it was if that ballot is missing then you know that the voter didn't do as you asked and then you can you know either burn down their house or shoot their children or whatever you've done to coerce them right and so in Australia in STV it's actually very plausible because for example we have elections where there are 43 candidates and you can encode your ballot in many many different combinations in to be unique and so we ask you to vote in this way and once the ballots are published we check whether that particular perversely generated ballot is in there and what we've done of course is made sure that we're scattering all the candidates except the one that we want to win and making them win does that help? Yes for me it makes it makes it understandable it basically breaks the basic assumption that any vote the way you vote is really actually secret that's right so you can uniquely identify a vote because of the complexity of the system yes okay that means we're out of questions perfect thank you so much Rush for your talk and also for the very detailed answers and thank you very much okay and now on the FEM channel the last thing the last thing for today happening is the Herod News Show at midnight and tomorrow it continues or we continue at 5pm with writing lecture notes directly in Lattic and then see you bye bye