Verifiable voting systems have been around for a while. There are two primary approaches for achieving verifiability: a) end-to-end verifiable voting (E2E-V) systems, which offer cryptographic guarantees of correctness, and b) risk-limiting audit systems, which do not rely on cryptography but verify the tally reported by an electronic vote tabulation system against voter-verified paper records (VVPRs). However, while end-to-end verifiable methods lack easy methods of recovery in case elections fail to verify, risk-limiting-audit-based methods usually require the electorate to trust the post-election custody chain of the VVPRs. In this paper we examine recovery from verification failures in dual voting, which combines the formal guarantees of E2E-V with the simplicity of VVPR-based audit. We argue that large public elections should not only be publicly verifiable, but, in case of verification failures, there should also be transparent methods of recovery that do not necessarily require re-running entire elections. We focus on multi-polling-booth elections and formally define the concept of recoverability for such protocols. Informally, our formulation captures the ability to verifiably identify the polling booths contributing to verification failures, and the partial tally contributed by the other booths, without leaking any additional information. This enables possible recovery through limited re-polling, without necessitating a complete re-run of the election or privileging the paper tally over the electronic one. We also propose a multi-polling-booth voting protocol called OpenVoting that achieves our proposed recoverability requirements.