  • Overall, I like where you're going with this! You're addressing the two major issues I've been thinking about for some time: 1) Allowing all members to verify all votes to improve trust in the system, 2) Allowing "anonymous" voting while not compromising the ability to verify results. I don't see any obvious flaws in your suggested process but I am not an expert in crypto systems.

  • Regarding Secretary-initiated exploits: I like that you've made some effort to mitigate those but, in the end, I'm not sure that anything could prevent system exploitation by a determined and knowledgeable Secretary. That is why I consider the Secretary to be the single most-important position in Debian and the one in which the most trust is placed.

  • A related point that I've been considering is that I think all votes should be masked (aka secret). There have been some very contentious issues in the past and there likely will be more in the future. Assuming we have a verification system such as what you have outlined here, I see no value in publishing who voted for which controversial position. Once the decision is made, we should all move forward from that decision together, no matter how we voted.

    If someone feels they are unable to do so, they certainly have the freedom to reveal how they voted, or even to leave the project if their disagreement is that strong.

  • @olek Thank you for your feedback! I have revised the text a bit and added references to known cryptographic protocols to make the analysis easier.
