Verification of the Socio-Technical Aspects of Voting The Case of the Polish Postal Vote 2020 Yan Kim1 Wojciech Jamroga12 and Peter Y .A. Ryan1
2025-05-06
0
0
840.65KB
19 页
10玖币
侵权投诉
Verification of the Socio-Technical Aspects of Voting:
The Case of the Polish Postal Vote 2020
Yan Kim1, Wojciech Jamroga1,2, and Peter Y.A. Ryan1
1Interdisciplinary Centre for Security, Reliability, and Trust, SnT, University of Luxembourg
2Institute of Computer Science, Polish Academy of Sciences, Warsaw, Poland
{yan.kim, wojciech.jamroga, peter.ryan}@uni.lu
Abstract.
Voting procedures are designed and implemented by people, for people,
and with significant human involvement. Thus, one should take into account the
human factors in order to comprehensively analyze properties of an election and
detect threats. In particular, it is essential to assess how actions and strategies of
the involved agents (voters, municipal office employees, mail clerks) can influence
the outcome of other agents’ actions as well as the overall outcome of the election.
In this paper, we present our first attempt to capture those aspects in a formal multi-
agent model of the Polish presidential election 2020. The election marked the
first time when postal vote was universally available in Poland. Unfortunately, the
voting scheme was prepared under time pressure and political pressure, and without
the involvement of experts. This might have opened up possibilities for various
kinds of ballot fraud, in-house coercion, etc. We propose a preliminary scalable
model of the procedure in the form of a Multi-Agent Graph, and formalize selected
integrity and security properties by formulas of agent logics. Then, we transform
the models and formulas so that they can be input to the state-of-art model checker
Uppaal. The first series of experiments demonstrates that verification scales rather
badly due to the state-space explosion. However, we show that a recently developed
technique of user-friendly model reduction by variable abstraction allows us to
verify more complex scenarios.
1 Introduction
In the last 30 years, the world has become densely connected. This results in a consider-
able space of potential threats, risks, and conflicting interests, that call for systematic
(and preferably machine-assisted) analysis. What is more, IT services are implemented
by people, with people, and for people. The intensive human involvement makes them
hard to analyse beyond the usual computational complexity obstacles.
Voting procedures. Voting and elections are prime examples of services that are difficult
to specify, hard to verify, and extremely important to the society [
27
]. If democracy is
to be effective, it is essential to assess and mitigate the threats of fraud, manipulation,
and coercion [
44
,
53
]. However, formal analysis of voting procedures must consider both
the technological side of elections (i.e., protocols, architectures, and implementations)
and the human and social context in which it is embedded [
5
]. The impact of the social
factor has become especially evident during the US presidential elections of 2016 and
2020. In 2016, individual voters were targeted before the election by a combination
arXiv:2210.10694v2 [cs.MA] 18 Oct 2023
2 Yan Kim, Wojciech Jamroga, and Peter Y.A. Ryan
of technology and social engineering to induce emotional reactions that would change
their decisions, and possibly swing the outcome of the vote (the Cambridge Analytica
scandal). In 2020, a large group of voters was targeted after the election by unfounded
claims that severely undermined the public trust in the outcome. In both cases, it is
impossible to understand the nature of what happened, and devise mitigation strategies,
without the focus on human incentives and capabilities.
Specification and verification of multi-agent systems. Multi-agent systems (MAS)
provide models and methodologies for the analysis of systems that feature interaction
of multiple autonomous components, be it humans, robots, and/or software agents. The
theoretical foundations of MAS are based on mathematical logic and game theory [
50
].
In particular, logic-based methods can be useful to formally specify and verify the
outcomes of multi-agent interaction [22].
Formal analysis with multi-agent logics is typically based on model checking [
4
].
The system is formalized through a network of graphs (or automata) that define its com-
ponents, their available actions, and the information flow between them. The properties
are usually given as temporal properties, expressing that a given temporal pattern must
(or may) occur, or strategic properties capturing the strategic abilities of agents and their
groups. Especially the latter kind of properties are relevant for MAS; e.g., one may try
to capture voter-verifiability as the ability of the voter to verify her vote, and coercion-
resistance as the inability of the coercer to influence the behavior of the voter [
53
]. There
are many available model checking tools, though none of them is perfect. Some admit
only temporal properties [
8
], some focus on the less practical case of perfect information
strategies [
38
], and the others have limited verification capabilities [
37
]. Moreover, it is
often unclear how to formalize an actual real-life scenario, including the “right” model
of the system [32] and the formal “transcription” of its desirable properties [34].
Socio-technical aspects of voting. In this paper, we use agent-based methodology to
propose and analyze a simple multi-agent model of an actual election, that combines
the technological backbone of the voting infrastructure with a model of possible human
behaviors. The work is preliminary, in the sense that we do not explore the real breadth
of participants’ activities that might occur during the vote. Moreover, we mostly look at
requirements that can be expressed as trace properties. This is because the computational
complexity of the formal analysis turned out prohibitive even for such simple models
and properties. We managed to mitigate the complexity by an innovative abstraction
technique, but seeing if it scales well enough for realistic models of human interaction
remains a subject for future work.
Case study: Polish postal vote of 2020. To focus on a concrete scenario, we consider
the Polish presidential election of 2020. That was the first time when postal voting
was universally available in Poland. Unfortunately, the voting scheme was prepared
under pressure, and without the involvement of experts. This might have opened up
possibilities for various kinds of ballot fraud, in-house coercion, etc. We propose a
preliminary scalable model of the procedure in the form of a Multi-Agent Graph [
8
,
31
],
and formalize selected integrity and security properties by formulas of agent logics. Then,
we transform the models and formulas so that they can be input to the state-of-art model
checker Uppaal [
8
], chosen because of its flexible model specification language and user-
friendly GUI. As expected, the verification of unoptimized models scales rather badly
Verification of Socio-Technical Aspects of Voting 3
due to the state-space explosion. To improve the performance, we employ a recently
developed technique of user-friendly abstraction [31], with more promising results.
Related research. Formal verification of voting protocols has been the subject of
research for over a decade. Prominent approaches include theorem proving in first-
order, linear or higher order logic [
46
,
14
,
21
,
20
,
25
,
26
], and model checking of temporal,
strategic and temporal-epistemic logics [29,32,33]. Most if not all results show that the
task is very hard due to the prohibitive computational complexity of the underlying
problems. For example, [
20
,
21
] conducted a formal analysis of voting protocols using
ProVerif, and reported that they had to come up with workarounds for the model in order
to the limitations of the tool.
Modelling and analysis of socio-technical systems is even more difficult because of
the vast space of possible human behaviors, and problematic nature of the assumptions
usually made about how users choose their actions. The theory of socio-technical systems
dates back to the work of Trist and Bamforth in 1940s. In security, perhaps the best
studied methodology is based on ceremonies [
17
], in particular the Concertina cere-
mony [
9
,
10
,
40
]. Some research has been also based on choreographies [
15
]. Moreover,
game-theoretic models and analysis have been used in [
16
,
30
,
5
]. Here, follow up on the
strand based on modeling and verification in multi-agent logics [
29
,
32
,
33
], while trying
to put more emphasis on the social part of the system outside of the voting infrastructure.
When analyzing systems that involve human agents, it is important to take into
account that they behave differently from the machines, and can make errors, or more
generally, deviate from the prescribed protocol. This can happen due to a variety of rea-
sons: misunderstanding, inattentiveness, malicious intention, or strategic self-interested
action. Possible deviations from protocol in user behavior have been studied in [
7
,
6
], and
we follow up on those ideas. To this end, we use the skilled-human approach to capture a
variety of users’ behaviors in our model of postal voting. That is, we extend the protocol
specification of an “honest” behaviour through a hierarchy of deviation sets, i.e., sets of
actions that deviate from the protocol and expand the repertoire of the participants. As
pointed out in [
6
], there is a trade-off between the breadth of the deviation model and
the computational feasibility of the formal analysis. In fact, our experiments in section 4
show that even for the skilled human approach only, the explicit state model checking
becomes hard enough, and dedicated techniques must be used to mitigate the complexity.
Related verification tools. We use the Uppaal model checker [
8
] in our case study,
mainly because of its GUI and a flexible system specification language. Other verification
tools that we considered when preparing the study are:
–
MCMAS [
39
]: a state-of-art OBDD-based symbolic model checker for agent-based
systems. The system is described using ISPL (Interpreted Systems Programming
Language), and the requirements are specified as formulae of strategic or temporal-
epistemic properties;
–
Tamarin-prover [
43
]: a tool for security protocol verification and not a model checker
per se. The system specification language is based on multiset rewriting theories, and
the requirements are specified as first-order temporal properties;
–
STV [
36
,
37
]: an experimental toolbox for explicit-state model checking of strategic
properties; at the moment, custom input models are not fully supported and may lack
documentation;
4 Yan Kim, Wojciech Jamroga, and Peter Y.A. Ryan
–
ProVerif [
13
]: an automated cryptographic protocol verifier, in the symbolic (Dolev-
Yao) model. The protocol representation is based on Horn clauses; it can be used for
proving secrecy, authentication and equivalence properties.
Among the above tools, only STV, Uppaal, and (to lesser extent) Tamarin provide a
graphical view of the system structure. Of those, only Uppaal allows for interactive
graphical system specification, which we claim to be crucial in modelling and analysis
of voting protocols. Real-life voting procedures include the interaction of numerous
participants, each of them with a possibly different agenda and capabilities. Furthermore,
the behaviour of most participants is characterized with a mixture of controllable and
uncontrollable nondeterminism. In consequence, interactive GUI is crucial if we want
to ensure that the model we verify and the one we want to verify are the same thing,
cf. [32] for discussion.
Moreover, Uppaal (and, to a smaller extent, STV) allow for parameterized specifica-
tion of the system, without forcing the designer to program a dedicated model-generator
(e.g., as in the verification of SELENE protocol with MCMAS in [29]).
2 Postal Voting Procedure
Postal voting is one of the oldest forms for voting. In its simplest version, it is easy to
setup for the authorities and easy to follow for the voters. On the other hand, it can be
susceptible to ballot fraud, lacks verifiability, and opens up potential for vote buying and
coercion. What is more, only basic mechanisms of recovery are possible (e.g., cancelling
the whole elections in case of irregularities). This sometimes leads to controversial ad
hoc decisions when dealing with the irregularities [28].
The postal voting procedure employed for the Polish Presidential Election in 2020
is no exception. There was an overall impression that the procedure had been prepared
in haste [
2
,
51
] and with no proper research on the existing postal voting schemes that
were proposed and used during the last two decades, such as [
12
,
35
]. For example,
voter authentication is based on the assumption that a voter’s national identification
number (PESEL) is secret, which is hardly the case in real life. Moreover, there are
various ways how authorities can delete votes, e.g., by sending invalid ballots to districts
with anti-government majority [
51
,
52
,
24
]. In this paper, we make the first step towards
systematic modeling and analysis of this kind of threats.
2.1 Postal Voting Procedure for the 2020 Presidential Election
The rules for organizing the election of the President of Poland, with the possibility of
postal vote, were published on June 2 and June 3, 2020; the date of the election was set
to June 28, 2020. A complete list of legal acts defining the election procedure can be
found in [
48
,
45
]. For the postal vote, the regulations (mostly concerning the time limits)
vary based on the voter’s location and her current quarantine status. We focus on the
non-expat and non-quarantined voters, but the protocol for the other types of voters is
nearly the same.
The protocol consists of several, partly overlapping phases: the setup which involves
expression of intention to vote by post, preparation and distribution of election packages
(EPs), casting of the vote, validation of votes, and tallying, see Figure 1.
摘要:
展开>>
收起<<
VerificationoftheSocio-TechnicalAspectsofVoting:TheCaseofthePolishPostalVote2020YanKim1,WojciechJamroga1,2,andPeterY.A.Ryan11InterdisciplinaryCentreforSecurity,Reliability,andTrust,SnT,UniversityofLuxembourg2InstituteofComputerScience,PolishAcademyofSciences,Warsaw,Poland{yan.kim,wojciech.jamroga,pe...
声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!
相关推荐
-
【词汇变形总汇】2025高考词汇变形总汇 - 教师版VIP免费
2024-12-06 3 -
【超简37页】新课标高考英语考纲3500词汇VIP免费
2024-12-06 4 -
《高考英语3500词详解》(WORD版)VIP免费
2024-12-06 13 -
《高考英语3500词详解》VIP免费
2024-12-06 11 -
高中英语-[教师版]80天通关高考3500词汇VIP免费
2024-12-06 12 -
高中人教选修7课文逐句翻译VIP免费
2024-12-06 7 -
高中人教选修7课文原文及翻译VIP免费
2024-12-06 13 -
高中人教必修4课文逐句翻译VIP免费
2024-12-06 8 -
高中人教必修4课文原文及翻译VIP免费
2024-12-06 13 -
高考英语核心高频688词汇VIP免费
2024-12-06 10
分类:图书资源
价格:10玖币
属性:19 页
大小:840.65KB
格式:PDF
时间:2025-05-06
作者详情
-
Voltage-Controlled High-Bandwidth Terahertz Oscillators Based On Antiferromagnets Mike A. Lund1Davi R. Rodrigues2Karin Everschor-Sitte3and Kjetil M. D. Hals1 1Department of Engineering Sciences University of Agder 4879 Grimstad Norway10 玖币0人下载
-
Voltage-controlled topological interface states for bending waves in soft dielectric phononic crystal plates10 玖币0人下载
相关内容
-
山西大学附属中学2023-2024学年高三上学期10月月考 数学答案
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
-
山西大学附属中学2023-2024学年高三上学期10月月考 数学
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
-
山西大学附属中学2023-2024学年高三上学期10月月考 生物答案
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
-
山西大学附属中学2023-2024学年高三上学期10月月考 生物
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
-
山西大学附属中学2023-2024学年高三上学期10月月考 历史答案
分类:中学教育
时间:2025-05-11
标签:无
格式:PDF
价格:10 玖币
渝公网安备50010702506394
