[JanisErdmanis]

> It’s difficult to make an E2E-VIV checking app that’s both trustworthy and receipt-free. The best solutions known allow checking only of votes that will be discarded, and casting of votes that haven’t been checked; this is highly counterintuitive for most voters!

Actually, Benaloh's challenge also does not offer receipt freeness. The adversarial strategy in such a model is to outsource the challenger itself in a hash function which decides whether to accept or discard the vote. It may look impractical at first, but one can build an app that could do that efficiently.

It can be said that all existing end-to-end verifiable remote e-voting systems compromise individual verifiability when reconciling it with receipt-freeness by introducing an assumption about the hardware-based protection of voters' secrets. If they leak or are predetermined by a corrupt vendor implementation, the malware on the voter's client can manipulate the vote at submission, and the adversary later fakes verification for the voter by exploiting that knowledge.

Still, I believe it's a solvable problem which needs more attention. Bingo evoting system is almost there, for instance, with verifiably random generated trackers, but needs a voting booth with a Bingo machine taken at home.