OpenVoting: Recoverability from Failures in Dual Voting

In this paper we address the problem of recovery from failures without re-running entire elections when elections fail to verify. We consider the setting of \emph{dual voting} protocols, where the cryptographic guarantees of end-to-end verifiable voting (E2E-V) are combined with the simplicity of audit using voter-verified paper records (VVPR). We first consider the design requirements of such a system and then suggest a protocol called \emph{OpenVoting}, which identifies a verifiable subset of error-free votes consistent with the VVPRs, and the polling booths corresponding to the votes that fail to verify with possible reasons for the failures. To an ordinary voter \emph{OpenVoting} looks just like an old fashioned paper based voting system, with minimal additional cognitive overload.


Introduction
Conducting large-scale public elections in a dispute-free manner is not an easy task.On the one hand, there are end-to-end verifiable voting (E2E-V) systems [1,11,24,8,4] that provide cryptographic guarantees of correctness.Although the guarantees are sound, these systems are not yet very popular in large public elections.As the German Constitutional Court observes [18], depending solely on cryptographic guarantees is somewhat untenable because verification of election results requires expert knowledge.Moreover, in case voter checks or universal verifications fail, the E2E-V systems do not provide easy methods of recovery without necessitating complete re-election [6].
On the other hand, there are systems that rely on paper-audit trails to verify electronic tallies [25,21,16].These systems maintain reliable records of cleartext voter-marked paper ballots or voter-verified paper records (VVPRs) in addition to electronic vote records.They use electronic counting for efficiency and conduct easy-to-understand statistical audits, called risk-limiting audits (RLAs), to demonstrate that the electronic winners match the winners that would be declared by a full paper count.In case of conflict, the electronic outcome is suggested to be replaced by the paper one.However, these systems require the electorate to trust that the paper records correctly represent voter intent and are not corrupted in the custody chain from the time of voting to that of counting or auditing.
Dual voting approaches, where the voting protocols support simultaneous voting for both the cryptographic and the VVPR-based systems [5,13,22,17,4,12], combine the cryptographic guarantees of E2E-V systems with the simplicity and adoptability of paper records.However, in most existing dual voting systems, one typically ends up running two parallel and independent elections, only coupled loosely through simultaneous voting for both in the polling booth.If the electronic and paper record systems are not tightly coupled, and demonstrably in one-to-one correspondence, then it begs the questions: which ought be the legal definition of the vote, and, in case of a tally mismatch, which should be trusted?Why?And how to recover from errors?
It appears that existing approaches either do not provide any recovery mechanism or recover by privileging VVPR counts over electronic counts.In large public elections running simultaneously at multiple polling booths per constituency, failures due to intended or unintended errors by different actors are expected.Polling officers may upload wrong encrypted votes, backend servers may decrypt votes incorrectly, paper records may be tampered with during the custody chain, and voters may put bogus votes in ballot boxes to discredit the election.Discarding the entire election due to failures caused by some bad actors or completely trusting the VVPRs are both unsatisfactory solutions.
In this paper, we study the problem of recoverability of a dual voting protocol from audit failures.We consider large, multi-polling booth, first-past-the-post elections like the national elections in India.We observe that except for backend failures, most of the other failures are due to localised corruption of individual polling booths.Therefore, we propose to identify the offending polling booths and perform a local re-election -if at all requiredonly at those polling booths.Errors -despite the best efforts to minimise them -are inevitable in large elections and such localised recovery may considerably improve the election's overall robustness and transparency.
However, recoverability has a natural tradeoff with vote secrecy.For example, a naive approach that simply publishes and audits votes for each polling booth reveals voting statistics of each booth.In electoral contexts where voters are assigned a specific polling booth according to their residential neighbourhoods, with only a few thousand voters per booth, e.g., in India, revealing booth-level voting statistics poses a significant risk of localised targeting and coercion [3].Our approach minimises booth-level voting data exposure, disclosing only what is absolutely necessary for recovery.
Main contributions. 1) We analyse the design requirements for a recoverable and secrecy-preserving dual voting protocol (Section 2).2) We formalise the notion of recoverability and secrecy in terms of the capability to verifiably identify polling booths contributing to verification failures and extract a verifiable subset of error-free votes in zero-knowledge (Section 3). 3) We propose a novel dual-voting protocol called OpenVoting that satisfies our notions of recoverability and secrecy (Section 4).[5], following which multiple dual voting protocols emerged [17,13,22,4,12].Bernhard et al. [6] gives a comprehensive survey of the tradeoffs and open problems in E2E-V and RLA-based voting.

Related work. Dual voting was introduced by Benaloh
Rivest [23] proposed the notion of strong software independence that is similar to our notion of recoverability.It demands that a detected change or error in an election outcome (due to a change or error in the software) can be corrected without re-running the (entire) election.However, "correcting" errors without re-running even parts of an election requires a ground truth, which is usually assumed to be the paper audit trail.Instead, we propose partial recoverability via fault localisation, without completely trusting either paper or electronic votes.The notion of accountability [15] is also related, but it is focused on assigning blame for failures and not on recovering from them.

Design Requirements
In a typical dual voting protocol, the vote casting process produces a) a VVPR containing the voter's vote in cleartext and b) a voter receipt containing an encryption of the vote.The encrypted votes are published on a bulletin board, typically by a polling officer, and are processed by a cryptographic backend to produce the electronic tally.The backend typically consists of multiple independent servers which jointly compute the tally from the encrypted inputs, provide a proof of correctness, and preserve vote secrecy unless a threshold number of servers are corrupted.VVPRs counted together produce the paper tally.
Our high-level goal is to publicly verify whether both tallies represent true voter intents and whether all public outputs are consistent with each other.If not, the aim of recovery is to identify booths contributing to the inconsistencies, and segregate the outputs produced by other error-free booths, without leaking any additional information.For this, the protocol design must fundamentally have the following features: ).Note that nc and nv denote the number of encrypted votes and decrypted votes respectively.The encrypted vote c in C against vid does not match the receipt r in R against vid Mixing-phase failures 2,3 FM 1 An encrypted vote c in C does not decrypt to any cleartext vote (bid, v) in V FM 2 A cleartext vote (bid, v) in V is not obtained by decrypting any encrypted vote c in C FM 3 Two encrypted votes in C decrypt to the same cleartext vote (bid, v) in V Output-phase failures 2 FO 1 An (electronic) decrypted vote (bid, v) exists in V but no VVPR against bid exists in P FO 2 A VVPR (bid, v) exists in P but no decrypted vote against bid exists in V FO 3 The decrypted vote v against bid in V does not match the cleartext vote in the VVPR against bid in P FO 4 Two decrypted votes in V match with a single VVPR (bid, v) in P FO 5 Two VVPRs in P match with a single decrypted vote (bid, v) in V Cast-as-intended failures FC A receipt r obtained at a polling booth j does not encrypt the voter's intended vote correctly 1 A spurious encrypted vote against a vid in C without a receipt in R against that vid is not considered a failure, because some voters may not upload their receipts.Also, we do not consider duplicated receipts and encrypted votes because vids are assumed to be unique identifiers. 2We only consider authentic entries in R, C, V and P .Failures where the authenticity of these items cannot be verified are considered equivalent to failures where they are not even uploaded.Receipts and VVPRs are authenticated by official stamps and encrypted and decrypted votes by appropriate digital signatures. 3The case of a single encrypted vote in C decrypting to two different entries in V is not considered because this will result in duplicated entries in V , which can be clearly attributed to backend failures and removed without any dispute.4. For the same reason, VVPRs should be revealed and counted only after aggregating them over all the polling booths.

Input-phase failures
The encrypted and decrypted votes must be published on two public bulletin boards to enable voters to match their receipts and public verification of the electronic tally.It will also be helpful to upload all VVPRs after scanning, and as many voter receipts as possible, to two other bulletin boards for better transparency and public verifiability.We depict such a design in Figure 1.
Note that the public outputs in Figure 1 are effectively claims endorsed by various entities as to what should be the correct vote: receipts by voters, encrypted votes by polling officers, decrypted votes by the backend servers, and VVPRs by the VVPR counting authorities.We group disputes between these claims into input-phase failures, for mismatches between published voter receipts and encrypted votes, mixing-phase failures, for mismatches between encrypted votes and decrypted votes, and output-phase failures, for mismatches between decrypted votes and VVPRs (see Figure 2).Further, we categorise claims of receipts not encrypting voter intents correctly as cast-asintended failures.Given these failures, recoverability requires an audit protocol that verifies whether the different claims for a given vote are consistent, resolves disputes otherwise, and narrows down the affected votes when the disputes are unresolvable.
To recover from input-phase failures, it is not sufficient if a statistically significant sample of voters from the entire constituency verify their receipts, because in case of any failure, all the uploaded encrypted votes become untrustworthy.Thus, the population for sampling must be each polling booth.This does increase the voter verification overhead, but offers better localisation of errors and recovery.
Recoverability from mixing-phase failures requires that in case the output list of decrypted votes is not correct, individual failing entries -encrypted votes whose decryptions were not available in V and individual decrypted votes that were not decrypted by any encrypted vote on C -should be verifiably identified by the backend servers.And, this must be achieved without leaking any additional information.
Recoverability from output-phase failures requires identifying which of the electronic vote and the VVPR represents the voter's intent.This may be possible in some cases but not always.For example, if the voter's receipt is available on R, then the dispute can be resolved if one can verify in zero-knowledge that the receipt encrypted the electronic vote and not the paper one, or vice versa.
In some cases, the disputes may not be resolvable at all.Consider case FO 3 in Figure 2 and suppose the receipt is not available.FO 3 may be due to a) the polling officer uploading an encrypted vote not matching the voter's receipt; b) the voter dropping a bogus VVPR into the ballot box; c) a malicious agent altering the VVPRs post-polling; or d) the backend servers not decrypting the uploaded encrypted vote correctly.Different cases point to failures in either the electronic vote or the VVPR and it is not possible to identify the true voter intent.Thus, a conservative way to recover from this situation is to identify the polling booth where the dispute may have originated and conduct only a local re-election at this booth.This must be done without revealing polling booth statistics of at least the uncorrupted polling booths.
The required action in all the above cases can be reduced to the backend proving in zero-knowledge that an encrypted vote corresponds to one of a set of decrypted votes (a distributed ZKP of set-membership [2]), or that a clear-text vote is a decryption of one of a set of encrypted votes (a distributed ZKP of reverse set-membership [2]).
Cast-as-intended failures may typically happen in two ways.First, ballots may be malformed.Protection against this threat requires a separate audit of a statistically significant sample of ballots before vote casting.Recoverability additionally requires ballot audits to be performed per polling booth.Second, ballots or receipts may be marked incorrectly.In dual voting systems based on hand-marked ballots, the voter may mark the encrypted and the VVPR parts differently, leading to failures.Although this is easily detected and invalidated during VVPR audit, fixing accountability may be difficult and hence voters may do this deliberately to discredit the election.In systems based on ballot marking devices (BMD), such voter errors are avoided but a dispute may be raised that the ballot marking is not according to the voter's choice.Such a dispute between a man and a machine is unresolvable and the only recourse is to allow the voter to revote.This may however cause a deadlock, which can only be resolved through a social process.Still, a BMD should be a preferred option for dual voting since it minimises voter-initiated errors.

Formalisation
We now formalise the requirements outlined in the previous section.Given a positive integer x, let [x] denote the set {1, . . ., x}.We consider a dual-voting protocol involving α candidates, n voters , and an auditor A. We also assume existence of a public bulletin board where lists R, C, V and P are published.We consider a protocol structure (Setup, BallotGen, Cast, Tally, BallotAudit, ReceiptAudit, TallyAudit) where: to generate public/private key pairs and other public election parameters.
• BallotGen is a protocol involving (G t ) t∈[τ ] to securely print a sealed ballot given a booth identifier j ∈ [ℓ].
• Cast is the vote casting protocol involving V i and P j , D j , B j at booth j ∈ [ℓ] assigned to V i .V i 's input is its intended vote v and a ballot b.The protocol outputs a voter receipt r, an encrypted vote c and a VVPR p such that p gets dropped in ballot box B j , V i takes r home and P j uploads c on C. The voter may or may not publish r on R. The VVPR is published on P after aggregating VVPRs from all the booths.
• Tally is the vote processing/tallying protocol involving where they take as input the encrypted votes published on C, permute and decrypt them and publish a list • BallotAudit is a protocol involving A and P j executed at each booth j to verify if ballots at booth j are wellformed.
• ReceiptAudit is a protocol involving A and the voters to verify that voter receipts at booth j match those uploaded on list C.
• TallyAudit is a protocol involving A, (M k ) k∈[m] and (G t ) t∈[τ ] to verify whether the electronic and paper tallies are correct and narrow down errors if not.It takes as input all published lists (R, C, V, P ) and lets A output a tuple (J * , V * ) where J * denotes the set of booths that contributed potentially outcome-changing failures and V * denotes the set of votes from booths not in J * (A may also be aborted).The expected usage of the (J * , V * ) output is that in case of failures/disputes, the election could be rerun at the booths in J * and the rerun results could be merged with the recovered partial tally from V * to obtain the complete election tally.Results are announced to the general public only after TallyAudit has finished.
Note that although the above audits are performed by different auditors (even voters) at different times and places, we simplify by representing all the auditors by A.
Let ϵ b denote the probability that BallotAudit passes at some booth j yet a receipt from the booth does not encrypt the voter's intent correctly, and ϵ r denote the probability that ReceiptAudit passes for booth j yet a receipt from the booth is not uploaded correctly.Further, let R * ⊆ R, C * ⊆ C and P * ⊆ P respectively denote receipts, encrypted votes and VVPRs from booths not in J * .Finally, let failures in a tuple (R, C, V, P ) be as defined in Figure 2 with the added condition that if a receipt or encrypted vote from a booth fails with input-phase or cast-asintended failures, then all receipts and encrypted votes from that booth are considered as failures.
Definition 1 models our notion of recoverability parametrised by probabilities ϵ b and ϵ r denoting the effectiveness of ballot and receipt audits.The case when J * is empty denotes that no rerun is required at any booth, either because the election ran completely correctly, or because the number of failures are small compared to the reported winning margin.When non-empty, J * should exactly be the set of booths where re-run is required because of failures that may affect the final outcome and votes V * must be consistent with receipts, encrypted votes and VVPRs from booths not in J * .
Note that the auditor is allowed to abort the TallyAudit protocol, since if the mix-servers and the ballot generators holding the election secrets do not cooperate, then recovery cannot happen.This is not an issue because unlike polling booth failures, these failures are centralised and non-cooperation directly puts the blame on these entities.Definition 1 (Recoverability).A voting protocol (Setup, BallotGen, Cast, Tally, BallotAudit, ReceiptAudit, TallyAudit) is recoverable by the audit protocols if for all polynomially bounded adversaries corrupting and (B j ) j∈[ℓ] such that A outputs a tuple (J * , V * ) and does not abort, the following conditions hold true with probability only negligibly smaller than 1 − ℓ(ϵ b + ϵ r ): • if J * is empty, then the number of failures in (R * , C * , V * , P * ) is less than the reported winning margin computed from V ; and • if J * is non-empty, then (R * , C * , V * , P * ) does not contain any failures and J * is exactly the set of booths that contributed some failing receipt in R, some failing encrypted vote in C, or some failing VVPR in P .
Definition 2 models that in the presence of the TallyAudit protocol, the standard vote secrecy guarantee is maintained except that polling booth statistics of the booths contributing some failing items are revealed.This is generally an unavoidable tradeoff.
Definition 2 (Vote Secrecy with Recoverability).A voting protocol (Setup, BallotGen, Cast, Tally, BallotAudit, ReceiptAudit, TallyAudit) protects vote secrecy with recoverability if no polynomially bounded adversary controlling the auditor A, and (V i ) i∈[n]\{i0,i1} for some i 0 , i 1 ∈ [n] can distinguish between the following two worlds except with negligible probability: • (World 0) V i0 votes v 0 at booth j 0 and V i1 votes v 1 at booth j 1 , and where v 0 , v 1 are any two valid votes and for each failure from booth j 0 , the adversary must create an identical failure (same failure type and affected vote) from booth j 1 .
4 The OpenVoting Protocol

Preliminaries
Notation.Let G 1 , G 2 , G T denote cyclic groups of prime order q (q ≫ α, m, n, ℓ) such that they admit an efficiently computable bilinear map e : G 1 × G 2 → G T .We assume that the n-Strong Diffie Hellman (SDH) assumption [7] holds in (G 1 , G 2 ), the decisional Diffie-Hellman (DDH) and the discrete logarithm (DL) assumptions hold in G 1 , and that generators g 1 , h 1 ∈ G 1 are chosen randomly (say as the output of a hash function) so that nobody knows their mutual discrete logarithm.
Traceable Mixnets [2].Traceable mixnets extend traditional mixnets [14] to enable the distributed ZKPs of set membership mentioned in Section 2. Thus, we use them as our cryptographic backend.In traceable mixnets, the backend servers, often also called mix-servers, can collectively prove answers to the following queries in zeroknowledge: • TraceIn: whether a ciphertext c (from the mixnet's input ciphertext list) encrypts a value in a subset of output plaintexts (denoted as (v ′ i ) i∈I ′ for some I ′ ⊆ [n]).
• TraceOut: whether a plaintext v (from the mixnet's output plaintext list) is encrypted in one of a subset of input ciphertexts (denoted as (c i ) i∈I for some There are also batched versions of these queries called BTraceIn and BTraceOut, which prove multiple TraceIn and TraceOut queries together.Formally, a traceable mixnet Π TM is a protocol between a set of senders S 1 , . . ., S n , a set of mix-servers (M k ) k∈[m] and a querier Q and consists of algorithms/sub-protocols (Keygen, Enc, Mix, BTraceIn, BTraceOut) where: • Keygen is a distributed key generation protocol involving (M k ) k∈[m] that outputs a mixnet public key mpk and secret keys msk (k) for each mix-server M k .
• Enc is the encryption algorithm that a sender S i uses to create a ciphertext c i encrypting its secret input v i against mpk.
• Mix is the mixing protocol involving (M k ) k∈[m] that takes as input the list of ciphertexts and outputs a list of permuted plaintexts (v ′ i ) i∈[n] and a secret witness ω (k) for each M k .
• BTraceIn is a protocol involving (M k ) k∈[m] and Q that takes as input (c i ) i∈[n] and (v ′ i ) i∈[n] and index sets I, I ′ ⊆ [n] (each M k additionally uses ω (k) ).At the end of the protocol, Q either outputs the subset of ciphertexts {c i } i∈I that encrypt some plaintext in {v ′ i } i∈I ′ or aborts.
• BTraceOut is a protocol involving (M k ) k∈[m] and Q that takes exactly the same inputs as BTraceIn.In this case, Q either outputs the subset of plaintexts {v ′ i } i∈I ′ that are encrypted by some ciphertext in {c i } i∈I or aborts.
The soundness property of traceable mixnets states that an adversary controlling all (M k ) k∈[m] cannot make Q output an incorrect set.Their secrecy property states that an adversary controlling Q and (S i ) i∈[n]\{i0,i1} for some i 0 , i 1 ∈ [n] cannot distinguish between a world where (S i0 , S i1 ) respectively encrypt (v 0 , v 1 ) and the world where they encrypt (v 1 , v 0 ), if the BTraceIn and BTraceOut query outputs do not leak this information, i.e., if in all BTraceIn queries, An instantiation of traceable mixnets.[2] also provides a concrete instantiation of a traceable mixnet, which we use.In this instantiation, mpk is of the form ((pk M k ) k∈[m] , pk EG , pk Pa ), where pk M k is the public key of any IND-CPA secure encryption scheme E, and pk EG and pk Pa are respectively public keys of E th EG , the threshold ElGamal encryption scheme [10] with message space G 1 , and E th Pa , the threshold Paillier encryption scheme proposed in [9] with message space Z N for an RSA modulus N .The secret key msk (k) for each M k consists of the secret key sk M k corresponding to pk M k and the k th shares of the secret keys corresponding to pk EG and pk Pa .Further, Enc on input a value v ∈ Z q outputs a ciphertext of the form (ϵ, γ, (ev (k) , er (k) ) k∈[m] , ρ γ , ϵ r ), where ) is an encryption of a secret share r (k) of r, In our protocol, the encrypted votes are encryptions under Enc, where we instantiate scheme E with the (nonthreshold) Paillier encryption scheme [19].We need it for its following homomorphic property: given two Paillier ciphertexts c 1 , c 2 encrypting messages m 1 , m 2 ∈ Z q respectively (m 1 , m 2 interpreted as messages in Z N ), the ciphertext c 1 c 2 encrypts the message We also require a public-key digital signature scheme Π S := (Keygen, Sign, Ver) with the usual existential unforgeability property under chosen message attacks (EUF-CMA).

The Proposed Protocol
Figure 3 depicts the high-level OpenVoting protocol.Two ballot generators (G 1 and G 2 ) jointly generate sealed ballots to protect voter-vote association from both.Voters use the sealed ballots and a BMD to cast their votes.Each ballot contains two halves.The BMD prints the voter's choice on both halves without learning the vote.The left half becomes the VVPR and is deposited by the voter in a physical ballot box, while the right half becomes the voter receipt.Polling officers scan the voter receipts and upload the encrypted votes to C. The encrypted votes are processed by a traceable mixnet backend to produce decrypted votes V .Voters can verify their receipts against the encrypted votes, and VVPRs can be matched with the decrypted votes.The tally audit process uses the traceable mixnet's querying mechanism to identify polling booths contributing to failures without leaking additional information.Results are announced only after this audit step.Now we describe the sub-protocols of OpenVoting in detail.

Setup
During

Ballot Design
Our ballot (Figure 3 -left) customises the Scratch & Vote ballot [1] for dual voting and BMD support.It consists of two halves connected by a perforated line.The left half serves as the VVPR, while the right half serves as the voter receipt.These halves are unlinkable after the vote is cast.
The left half includes a randomly drawn ballot identifier bid from Z q .It displays a circular rotation of the official candidate list.For each w ∈ {0, . . ., α − 1}, row w corresponds to the candidate cand bid+w mod α .For example, if the official candidate list is ("Alice", "Bob", "Carol"), and bid = 302, the candidate printed on row w = 1 would be cand 302+1 mod 3 = cand 0 (i.e., "Alice").The right half contains corresponding encryptions c w obtained by running the Π TM .Enc algorithm on input vw = bid + w, except that they do not include the ρ γw component; this is added during the Tally protocol.We call values vw ∈ Z q the extended votes and values v w := vw mod α ∈ [α] the raw votes.The randomnesses r w used in creating encryption c w are kept secret and placed under a detachable scratch surface on the ballot.
Both halves feature a designated gray area at the top.During the Cast protocol, the BMD prints the voterselected w in this gray area on both halves.Additionally, the right half includes a polling booth identifier j for the designated polling booth of the ballot, while the left half contains its commitment γ booth = g j h r booth .Randomness r booth $ ← − Z q is also put under a separate scratch surface.The commitment γ booth is revealed when the polling booth of a disputed VVPR needs to be identified in the TallyAudit protocol.
Due to the size of encryptions c w (around 20 KB each [2]), they may not fit within standard QR codes on the paper ballot.However, conceptually, the actual encryptions could be stored in a backend server, with only a binding hash printed on the ballot.For simplicity, we ignore this complication.

Ballot Generation
During the BallotGen protocol, a ballot is jointly generated by G 1 and G 2 to hide the voter-vote association from any one of them (see Figure 4).G 1 , who selects the ballot secrets, does not learn the encryptions printed on the receipt half and cannot match voters to their ballot secrets, while G 2 , who creates the receipt half, does not know the ballot secrets.
G 2 knows the destination booth j but keeps it hidden from G 1 to hide booth-level voting statistics.It generates a commitment γ booth for j and shares it with G 1 (lines 1-2), who prints it on the left half of the ballot.G 1 generates a secret ballot identifier bid and signs it (lines 2-3), computes vw = bid + w for each w and accordingly prints candidate names on the left half and randomnesses r w under a scratch surface on the right half (lines 6,10).It then sends the partially printed ballot to G 2 , keeping the left half hidden.This can be done, e.g., by folding the ballot along the perforation line, sealing it and letting G 2 print its contents on the back side of the right half.It also sends encryptions of each vw under Π TM .Enc, except the ρ γw components, to G 2 (lines [7][8][9]12).
G 2 re-randomises the obtained commitments/encryptions and homomorphically computes fresh shares of vw and the commitment randomnesses using the additive homomorphism of E in Z q (lines 13-19).It then prints these re-randomised encryptions on the right half of the received ballot and signs them.The re-randomisation ensures that G 1 cannot identify the ballot corresponding to a voter from their receipt.The commitment randomness r booth of γ booth is printed on another scratch surface on the right half.

Vote Casting
The Cast protocol for voter V i at booth j is as follows (Figure 3 -center): • Ballot pick-up and eligibility verification: V i picks up a random sealed ballot from a set of ballots kept at the polling booth.The polling officer P j verifies V i 's eligibility in the presence of polling agents and allows V i to proceed to a private room containing a BMD D j .
• Vote casting: V i feeds the top gray region of the ballot to D j and presses a button on the onscreen display to select w corresponding to her preferred candidate.We denote the voter's chosen w as ẇ.D j can only access the top gray region for printing and cannot read any part of the ballot (it should not have any attached scanner or camera).D j prints ẇ on both the left and the right halves of this gray region.
V i needs to verify that indeed her intended choice is printed on both the halves.If satisfied, V i separates the left half of the marked ballot (the VVPR), folds it and drops it into a physical ballot box B j kept near P j such that P j can verify that the voter dropped an official VVPR.The right half (the receipt) is given to P j for scanning.If for w ∈ {0, . . ., α − 1}: wi )) k∈[m] 10 print ballot's left half (cand vw mod α on row w) and (r w ) w∈{0,...,α−1} under a scratch surface as per Fig. 3 -left 11 send the ballot to G 2 with its left half sealed 12 send (ϵ vw , γ w , (ev w ) k∈[m] , ϵ rw ) w∈{0,...,α−1} to G 2 electronically 13 G 2 : for w ∈ {0, . . ., α − 1}: , where H is a hash function 21 print ballot's right half and r booth under another scratch surface as per Fig. 3 -left 22 store (j, r booth ) indexed by γ booth not satisfied, V i shreds the marked ballot and raises a dispute.In this case, V i is allowed to re-vote.Note that the vote casting phase can also completely avoid the BMD and require the voter to hand-mark the two ballot halves, but this design is prone to more voter errors (see Section 2).
• Receipt scanning: P j checks that the scratch surface on V i 's receipt is intact, i.e., the ballot secrets are not compromised, and shreds the scratch region in front of V i .From the scanned receipt, P j extracts c ẇ and uploads (vid i , j, c ẇ) to C, along with σ vidi ← Π S .Sign(sk Pj , (vid i , j, c ẇ)). P j also affixes vid i to V i 's receipt, stamps it for authenticity, and returns it to V i .
Chain voting and randomisation attacks.With minor modifications, these sophisticated coercion attacks can also be handled.For chain voting, P j can stamp a serial number on the receipt half of the sealed ballot after identity verification to prevent the use of rogue ballots.This number is matched before accepting the voter's receipt.Under a randomisation attack, voters may be asked to choose a fixed ẇ, thereby randomising their votes.To counter this, voters should be allowed to choose their ballots in a private room.The ballot cover should contain a detachable slip showing the candidate order, allowing coerced voters to choose a ballot so that they can vote for their preferred candidate while producing the ẇ satisfying the coercer.Before proceeding to P j , the voter should detach the slip.

Vote Tallying
Post polling, , where c i denotes c ẇ for the i th voter (Figure 3 -right).(M k ) k∈[m] proceed as per Figure 5 where they first add the ρ γ i components to the encryptions c i by engaging in a distributed NIZK proof of knowledge (lines 2-9) and then processing (c i ) i∈[n] through the traceable mixnet's Mix protocol (line 13).At the end, the permuted extended votes (v ′ i ) i∈[n] are obtained from which the raw votes are computed (line 14).Both extended and raw votes are published on V .
The VVPRs from each polling booth's ballot box are collected and mixed in a central facility.VVPRs are revealed to the public only after this mixing phase and post audit, to avoid leaking polling booth-level voting statistics.A VVPR containing ballot identifier bid and voter choice ẇ can be matched with the corresponding decrypted vote by computing bid + ẇ, finding it on V and checking if the corresponding raw vote matches the candidate name printed on the ẇth row on the VVPR.
// Generate a distributed NIZK PoK ρ γi of the opening of γ i using shares (v // Each M k gets secret input msk (k) and secret output ω (k) (see Section ??)

Ballot and Receipt Audits
In the BallotAudit protocol, a statistically significant number of ballots at each polling booth must be audited to keep the probability ϵ b of a cast-as-intended failure (see Section 3) small.Ballot audits can happen before, during or after polling, and even be initiated by voters.When auditing a ballot, its sealed cover is opened and secrets under its scratch surfaces are revealed.For each w = 0 . . .α − 1, it is checked that encryption c w is created correctly on message bid + w using r w and the candidate name printed at row w is cand bid+w mod α , where bid is looked up from the left half and r w from the scratch surface.Further, it is checked that γ booth , where j is the audited booth's identifier and r booth is obtained from the scratch surface, and that signatures by G 1 , G 2 verify.Since the secrets of audited ballots are revealed, audited ballots cannot be used for vote casting and must be spoiled.
Similarly, in the ReceiptAudit protocol, a statistically significant number of voter receipts from each polling booth must be checked for their existence on list C to keep ϵ r small.All audited receipts should be uploaded to R to aid audit and recovery.

Tally Audit
Our tally audit protocol (see Figure 6) depends on BTraceIn and BTraceOut queries of a traceable mixnet (see Section ??).Given (R, C, V, P ), first, all input-phase failures are marked (lines 1-3).Here, as per the discussion in Section 2, we mark all receipts/encrypted votes from a booth as failed if any one of them fails and the encrypted votes as failed if the ballot audit at that booth failed.For marking mixing phase failures on C and V , we run the BTraceIn/BTraceOut queries against the complete set of entries on V and C respectively (lines 4-5).Output-phase failures are marked by comparing the VVPRs with the decrypted extended votes (lines 6-7).
If the total number of failures is less than the winning margin, then J * = ∅ and V * = V are reported, signalling that no rerun is required (lines 9-10).Otherwise, polling booths contributing all the failing items are identified: for receipts and encrypted votes, the booth identifiers directly exist on R and C (line 12); for VVPRs without an electronic entry, they are identified by asking G 2 to open the opening of γ booth printed on the VVPR (line 13); for decrypted votes, a BTraceOut query against the set of ciphertexts cast at a booth j is run for all booths j ∈ [ℓ] (lines [14][15][16][17][18].The set of all such booths is reported in J * (line 19).The decrypted votes V * contributed by the good booths are obtained by running another BTraceOut query against the entries on C contributed by booths outside of J * (line 21).

Recovery
The suggested recovery is to rerun the election only on booths in J * and later merge this tally with the tally reported in V * .However, if J * is small, one can also consider rerunning on a few randomly selected good booths too, to avoid specialised targeting of the booths in J * .Further, the general approach of TraceIn/TraceOut queries can also support other recovery options for dual voting systems.For example, one can immmediately recover from case and G 2 with public input (R, C, V, P ), each M k 's input its mixnet secret key msk (k) and witness ω (k) output by the traceable mixnet during the Tally protocol, and G 2 's input being (j, r booth ) stored indexed by γ booth at the end of the BallotGen protocol.
FO 3 if a TraceOut query is run for the decrypted vote against the set of encrypted votes that successfully matched with voter receipts.If the answer is yes, then it provides solid evidence that the VVPR is wrong, without leaking any additional information.A similar query run for the VVPR provides solid evidence that the electronic vote was wrong.Of course, what queries to allow must be carefully decided depending on the situation to best optimise the recoverability-secrecy tradeoff.

Security Analysis
Theorem 1.Under the DL assumption in G 1 , the n-SDH assumption in (G 1 , G 2 ) [7] and the EUF-CMA security of Π S , the OpenVoting protocol is recoverable as per Definition 1.
Proof (Sketch).We focus on the event that for each booth, BallotAudit passing implies that all receipts correctly captured voter intents and ReceiptAudit passing implies that all receipts were correctly uploaded.This event happens with probability 1 − ℓ(ϵ b + ϵ r ).
Let J * , V * be A's output in the TallyAudit protocol.From Figure 6, we consider the two cases: first when the branch on line 8 is taken and the second when it is not taken.In the first case, J * = ∅ and thus we must show that the number of failures in (R * , C * , V * , P * ) is less than the winning margin, where R * = R, C * = C and P * = P for J * = ∅ and V * = V by line 10.By the condition on line 9, the number of reported failures is less than the winning margin.By the soundness of Π TM under the stated assumptions [2], sets C FM and V FM correctly represent the set of true failures.This, combined with the definitions of R FI , C FI , V FO and P FO , implies that the number of real failures in (R * , C * , V * , P * ) is less than the winning margin.
In the second case, J * is, as required, exactly the non-empty set of booths that contributed some failing item in R F , C F (by the definitions on line 12), P F (by line 13 and the computational binding of Pedersen commitments under the DL assumption in G 1 ) or V FO (by lines 14-18 and the soundness property of Π TM ; note that V FM entries in V F are mix-server errors and, as required, are not reported here).Finally, by line 21 and the soundness of Π TM , V * is exactly the set of votes decrypted from encrypted votes sent by booths outside J * .Thus, by the definitions of R * , C * and P * , (R * , C * , V * , P * ) does not contain any failures.Theorem 2. Under the DDH assumption in G 1 and the DCR assumption [19], the OpenVoting protocol satisfies vote secrecy with recoverability as per Definition 2 in the random oracle model.Proof (Sketch).If the adversary corrupts G 2 but not G 1 , then it does not learn the ballot secrets of ballots used by V i0 and V i1 by the perfect hiding of Pedersen commitments under the DDH assumption and the IND-CPA security of Paillier schemes E and E th Pa under the DCR assumption (see Figure 4).Post-printing, ballots get sealed and are opened only by the voter during vote casting, where the adversary-controlled BMD does not see any information about the ballot used.The receipts and the tallying protocol does not reveal any information to the corrupted mixservers by the secrecy property of Π TM under the stated assumptions [2].VVPRs are collected after mixing and the ballot identifiers used therein cannot be linked to the identifiers of V i0 and V i1 .Finally, during the TallyAudit protocol, it is required that if the adversary causes a failure in either the receipt, encrypted vote or VVPR contributed by V i0 's booth j 0 then it should also cause a failure in V i1 's booth j 1 .Thus, sets R FI to P FO in Figure 6 do not help it distinguish between the two worlds.Outputs V Fj do not help because for each failure in booth j 0 , the adversary is required to create an identical failure in booth j 1 .Further, the partial tally V * includes either both v 0 , v 1 or none of them.The secrecy property of Π TM ensures that no additional information beyond the query outputs is revealed.
If the adversary corrupts G 1 but not G 2 , then it obtains ballot secrets but it cannot identify which of V i0 or V i1 used which ballot.The rest of the proof is similar.

Conclusion and Future Work
We have introduced and formalised the notion of recoverability and secrecy for dual voting protocols and suggested a protocol that achieves this notion.Based on existing reports for the underlying traceable mixnet construction, the total time taken by the recovery process remains within a few hours for n = 10000 ciphertexts, which can be optimised further using the construction's high degree of task parallelism [2].
Although we have shown our protocol's recoverability properties, the potential non-termination of the revoting process during vote casting seems like an inherent limitation of BMD protocols and designing voting frontends that overcome this limitation yet remain usable and minimise voter errors appears to be a challenging open problem.Further, although we have focused on recoverability for first-past-the-post voting where exact winning margins are computable, extending to other more complex voting rules also appears to be an interesting avenue for future work.

Figure 1 :
Figure1: A recoverable dual voting protocol design.The VVPR for a voter with identifier vidi voting at booth boothi contains a ballot identifier bidi and cleartext vote vi.Her encrypted vote ci encrypts a value, e.g., (bidi, vi), that when decrypted can be uniquely matched with the corresponding VVPR.Decrypted votes are published by backend servers M1, . . ., Mm in a permuted order under a secret shared permutation π such that (bid ′ i , v ′ i ) = (bid π(i) , v π(i) ).Note that nc and nv denote the number of encrypted votes and decrypted votes respectively.

Figure 3 :
Figure 3: Overview of the OpenVoting protocol: w represents the candidate index in the ballot and ẇ represents the voter's choice.

Figure 4 :
Figure 4: The BallotGen protocol for generating a ballot for booth j known only to G 2 .

Figure 5 :
Figure 5: The Tally protocol involving (M k ) k∈[m] on input mpk, (c i ) i∈[n] and M k 's input msk (k) containing sk M k .
1,2 FI 1 A receipt r against vid exists in R but no encrypted vote against vid exists in C FI 2 the Setup protocol, G 1 and G 2 generate public/private keys pk G1 , sk G1 and pk G2 , sk G2 under Π S .Polling officers (P j ) j∈[ℓ] also generate public/private keys (pk Pj , sk Pj ) j∈[ℓ] under Π S .Mix-servers (M k ) k∈[m] jointly run the Π TM .Keygen protocol of the traceable mixnet to generate the mixnet public key mpk and individual secret keys (msk(k)) k∈[m]for each (M k ) k∈[m].An official candidate list (cand 0 , . . ., cand α−1 ) is created such that cand a denotes the a th candidate.
ρ γ i can be verified by checking if c i r booth ) to A for γ booth printed on some p ∈ P F s.t.γ booth = g j 1 h rbooth j denotes indices of booth j's entries in C