Why are spoiled ballots decrypted and not revealed?

[felixdoerre]

As far as I understand the current specification:

• when the guardians decrypt all summed-up ballots, they also decrypt all spoiled ballots individually.
• as is, spoiled ballots cannot be immediately verified, but one has to wait for their decryption after the election.
  Observations:
• Publishing the encryption randomness used for spoiled ballots instead of the individual decryption is sufficient to verify that the contents of all encryptions are correct
• That encryption randomness is also revealed when a ballot is challenged while being submitted, to be able to prove immediately that the encryption was correct

So summing it up, publishing the encryption randomness looks like a far easier proof of correctness of the spoiled ballots for me and is possible immediately during vote submission, is there any rationale why this isn't done?

[benaloh]

You're absolutely right, and this feature will be available in ElectionGuard v2. In v1, we wanted to keep things as simple as possible and have as few different processes as we could. Since there already needed to be a process for decrypting tallies, we simply doubled up and used the same process for decrypting spoiled ballots. This also allowed the two to be verified in exactly the same way.

However, "instant verification" will be implemented as a feature in v2 so that voters can potentially confirm the correctness of their spoiled ballots in real time -- perhaps with a mobile phone app. We are still debating the best UX for this process. The following three options are all on the table.

1. Reveal just the nonce and an encoding of the voter selections. The app used to check the opened ballot displays the actual plaintext selections.
2. Reveal the nonce and plaintext voter selections along with an encoding of the voter selections. The app checks that the ballot is correctly opened and also displays the voter selections.
3. Reveal the nonce and plaintext voter selections. The app checks that the ballot is correctly opened and that the revealed plaintext selections are correct.

There are interesting trade-offs. Option 1 is simple and has the best security/verification properties, but voters may be uncomfortable having an app look at a QR code and display their selections. Option 2 is also simple, but it relies on the voter to check that the selections displayed with the nonce match the selections displayed in the app. Option 3 may be the best blend, but it requires the app to OCR the plaintext selections -- which is much harder to do.