last changed: Oct 3, 2023
The election manifest and each input plaintext ballot are expected to be validated before being passed to the EKM library.
Input Validation is orthogonal to cryptographic verification. This document summarizes required (non-crypto) validations.
A specific validation is referenced as for example: Manifest.B.5, Ballot.A.2.1, etc.
Manifest Validation can be run to catch problems while developing the Manifest.
Manifest Validation must be run when accepting Input Ballots to be encrypted.
For additional safety, Manifest Validation may be run during other workflow steps.
-
Referential integrity of BallotStyle geopoliticalUnitIds.
- For each BallotStyle, all geopoliticalUnitIds reference a GeopoliticalUnit in Manifest.geopoliticalUnitIds
-
Referential integrity of Candidate partyId.
- For each Candidate, the partyId is null or references a Party in Manifest.parties
-
Referential integrity of ContestDescription geopoliticalUnitId.
- For each ContestDescription, the geopoliticalUnitId references a GeopoliticalUnit in Manifest.geopoliticalUnitIds
-
Referential integrity of SelectionDescription candidateId.
- For each SelectionDescription, the candidateId references a Candidate in Manifest.candidates
-
Every ContestDescription geopoliticalUnitId exists in some BallotStyle
- For each ContestDescription, the geopoliticalUnitId exists in at least one Manifest.ballotStyles.geopoliticalUnitIds
-
All BallotStyles have a unique ballotStyleId.
-
All ContestDescription have a unique contestId.
-
All ContestDescription have a unique sequenceOrder.
-
Within a ContestDescription, all SelectionDescription have a unique selectionId.
-
Within a ContestDescription, all SelectionDescription have a unique sequenceOrder.
-
Within a ContestDescription, all SelectionDescription have a unique candidateId.
-
All SelectionDescription have a unique candidateId within the election.
-
A ContestDescription has VoteVariationType = n_of_m, one_of_m, or approval.
-
A one_of_m contest has contest_limit == 1.
-
A n_of_m contest has 0 < contest_limit <= number of selections in the contest.
-
An approval contest has contest_limit == number of selections in the contest.
-
A contest contest_limit must be > 0.
-
A contest option_limit must be > 0 and <= contest_limit.
Input Ballot Validation can be run to catch problems while developing the Manifest; a ballot for each ballot style should be generated and tested.
Input Ballots are generated external to the egk library, so Input Ballot Validation must be run on each ballot, before accepting the ballot for encryption.
If an Input Ballot fails validation, it is annotated as to why it failed, and placed in the invalid ballot directory for examination.
-
A PlaintextBallot's ballotStyleId must match a BallotStyle in Manifest.ballotStyles.
-
For each PlaintextBallot.Contest, the contestId must match a ContestDescription.contestId in Manifest.contests.
2.1 The PlaintextBallot.Contest and matching ContestDescription must have matching sequenceOrder.
-
The matching ContestDescription's geopoliticalUnitId must be listed in the PlaintextBallot's BallotStyle.geopoliticalUnitIds.
-
Within the PlaintextBallot.Contest and matching ContestDescription, each Selection.selectionId must match a SelectionDescription.selectionId.
4.1 The PlaintextBallot.Selection and matching SelectionDescription must have matching sequenceOrder.
-
All PlaintextBallot.Contests have a unique contestId.
-
Within a PlaintextBallot.Contest, all Selections have a unique selectionId.
-
Within a PlaintextBallot.Contest, all Selections have a unique sequenceOrder.
Voting limits are not enforced at ballot validation. They are marked as overvotes, so that an overvote on one contest does not invalidate the entire ballot.