
Inductive Type of the Machine States

Figure 3.5 illustrates the inductive type whose values formally represent the machine states. There are three constructors, each of which is used to construct a different group of machine states. The rationale behind the initial and final constructors as defined in the figure is straightforward. However, tailoring the intermediate states has an interesting story to tell, which we shall unravel shortly.

Figure 3.5: Inductive Type for Machine States

Uncounted Ballots. As explained in Subsection 2.1.2 and Section 2.2, a ballot b is a pair (l, q) where l is the list of candidates ranked according to a voter's preferences and q is the fractional value that the ballot b carries. Note that we also explained in Subsection 2.1.2 that there are conditions which determine if and when a ballot is valid. To the best of our knowledge, STV algorithms agree on two such conditions, namely that l must be non-empty so that the vote is not null, and that there must be no duplication in the preferences expressed. We therefore declare a ballot to be a value of a pair type whose first component is a Sigma type and whose second component is the type of rational numbers in Coq, as shown in Figure 3.6. As the figure shows, the second part of the Sigma type demands that the first part be non-empty and duplicate free. This restriction obliges us to demonstrate, when performing proofs, that our operations do not deviate from these legal conditions, so that our computations handle ballots correctly under any circumstances with regard to their validity.

Tally. To formalise some tie-breaking methods used in some STV schemes, we encode tallies as a chronological list so that we can trace the number of votes which each candidate received in previous rounds. This allows us to accommodate one popular tie-breaking procedure. In this method, whenever two or more candidates have the fewest votes, we step backwards, if need be, through the previous states of the machine computed in the same execution until we reach a state where one of the tied candidates has fewer votes than the others. Then we update the current state of the count by eliminating this candidate. We refer the reader to Subsection 8.1.1 for further discussion of tie-breaking with other methods.

Pile. Some STV schemes, such as the ACT lower house and Tasmanian STV, employ a notion called the last parcel and transfer only the ballots included in this parcel according to their next preferences. Moreover, they compute the fractional transfer value based on the length of the last parcel. In short, the last parcel of a candidate is the set of votes they received which made them reach or exceed the quota and become elected. As a result, we choose to formalise the pile function so that it assigns to each candidate a list of lists of ballots. Each such list of ballots contains the ballots received by the candidate after one round of application of the count rule. Therefore we can identify exactly which set of ballots comprises the last parcel of any elected candidate. Consequently, we are able to tailor both the generic transfer and elect rules and their instantiations in such a way as to modularly formalise several STV schemes which use the last parcel effect.

We have another motivation as well for designing the codomains of the piles in this way. The Victoria state STV distributes the votes of an eliminated candidate step by step, rather than all at once, in order of the magnitude of the fractional value of the ballots assigned to the eliminated candidate. It regroups ballots according to their fractional value and distributes one group at a time, starting from the group whose fractional value is the largest. Therefore we need to design the codomain of piles to be of type list of lists of ballots, so that we can place ballots in separate chunks to manage effects such as the Victoria STV elimination style.

The textual specification of STV algorithms and their mechanism for handling the count requires knowing the elected candidates, those continuing, and the ones whose votes await transfer because they have either been elected or eliminated. Hence we include data components in our inductive definition of machine states that represent them. However, one may wonder about choosing lists as the underlying data structure instead of, say, sets to realise these parts. First, we note that our formalisation does not make essential use of lists as part of the structure, in the sense that no matter how ballots are listed, the winners are not affected by the list representation. Second, theorem provers such as Coq have built-in verified functions and libraries that support constructs for data structures built on top of lists. As reducing the workload of constructing, maintaining and extending the framework is on our agenda, we therefore avoid reinventing the wheel. Third, the functions in the Coq libraries for the list data type are all verified. Therefore we are confident that using them does no harm to the quality of verification and the trustworthiness of the framework we desire. In light of this confidence, we rely on the Coq libraries for the formalisation as much as they have to offer.
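The data-type design discussed in the ballot, tally, pile and state paragraphs above can be written down in a few lines of Coq. The following is an added illustration, not the thesis's own development (Figures 3.5 and 3.6): the constructor argument order of the intermediate state, the `transfer_value` shape (surplus divided by the size of the last parcel) and the abstract candidate type `cand` are assumptions made here.

```coq
Require Import List QArith.
Import ListNotations.

(* Candidates are left abstract (assumption for this illustration). *)
Parameter cand : Type.

(* Legal preference list: non-empty (the vote is not null) and duplicate free. *)
Definition valid_pref (l : list cand) : Prop := l <> [] /\ NoDup l.

(* A ballot pairs a Sigma type of legal preferences with its rational value q. *)
Definition ballot : Type := ({ l : list cand | valid_pref l } * Q)%type.

(* Tally: one function per round, newest first, so tie-breaking can step back
   through earlier rounds of the same execution. *)
Definition tally : Type := list (cand -> Q).

(* Pile: per candidate, one chunk of ballots per round; the head chunk is the
   last parcel, i.e. the ballots that carried the candidate over the quota. *)
Definition pile : Type := cand -> list (list ballot).

Definition last_parcel (p : pile) (c : cand) : list ballot := hd [] (p c).

(* Transfer value from the length of the last parcel (assumed shape:
   surplus divided by the parcel size; zero when the parcel is empty). *)
Definition transfer_value (surplus : Q) (parcel : list ballot) : Q :=
  match parcel with
  | [] => 0%Q
  | _ => (surplus / inject_Z (Z.of_nat (length parcel)))%Q
  end.

(* Three constructors as in the thesis; the intermediate state carries the
   uncounted ballots, tally, pile, and the lists of elected, continuing and
   awaiting-transfer candidates (component order is an assumption here). *)
Inductive state : Type :=
| initial : list ballot -> state
| intermediate : list ballot -> tally -> pile ->
                 list cand -> list cand -> list cand -> state
| final : list cand -> state.

(* Building a ballot forces us to discharge the validity obligation:
   a single-preference list is non-empty and trivially duplicate free. *)
Lemma valid_single : forall c : cand, valid_pref [c].
Proof.
  intro c; split.
  - intro H; discriminate H.
  - constructor; [apply in_nil | constructor].
Qed.

Definition single_ballot (c : cand) (q : Q) : ballot :=
  (exist valid_pref [c] (valid_single c), q).
```

Any operation that produces a `ballot` must supply such a proof term, which is exactly the obligation the Sigma type imposes on the transfer and elect rules.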