overvotes #112
Description
Election-Tech-Initiative/electionguard-python#385
Election-Tech-Initiative/electionguard-python#556
From Josh Benaloh (@benaloh)
In some use cases, it is desirable to capture details about overvotes without affecting tallies. In ElectionGuard, an overvote in a contest (i.e., the number of selections exceeds the selection limit) causes the following things to happen.
All selectable options in that contest are set to zero.
All placeholder options in that contest are set to one.
The extended data field for the overvoted contest contains the following data:
a. The first byte is set to x01 as a tag to indicate an overvote.
b. The remaining bytes form a bit array indicating the indices of selections made by the voter.
If the voter selected one or more write-ins among the overvotes, any such write-in text is retained in the text field of the associated write-in even though the associated write-in selection is set to zero.
The lengths of the extended data field(s) and the write-in text fields are set in the ballot coding file. To accommodate preservation of overvote data as described here, the bit-length of each extended data field must be at least 8 greater than the number of selectable options in that contest (including write-ins).
As will be described in greater detail elsewhere, the encryption of all non-binary data on a ballot, (extended data fields, write-in text fields, etc.) is done as follows.
For each contest, a single hashed ElGamal encryption is performed on the concatenation of the extended data fields and each write-in text field in order. This encryption is parsed according to the pre-determined fixed length of each of these fields. This optimization allows all of the non-binary data for a contest to be encrypted using a single ElGamal encryption (1KB using standard parameters) plus the total length of all of the non-binary fields. The trade-off in achieving this optimization is that the non-binary fields within any contest cannot be separately decrypted – if one of these fields is decrypted, all of the fields within that contest are decrypted.