Description
This is a follow-up on #1314
Rationale
If a juror does remember exactly their vote and justification to the letter, then the commitment can be recovered with the existing method.
In practice it is unlikely that a juror remembers the justification string to the letter and punctuation which has to match exactly with the committed justification since it is part of commitment hash for Shutter disputes (not for Classic ones). This hash formula secures the integrity of the decrypted vote but it makes recovering more difficult.
Solution
Assuming that the juror does remember what they voted, even for complex question types (e.g. uint, datetime, ranked vote) but not the exact justification, we authorize the juror to re-input their justification at reveal time.
It does not affect the crypto-economic incentives since the revealed vote still has to match the committed one.
This solution does not rely on the existing brute-forcing mechanism which is ineffective for complex question types and justifications.
Implementation
Distinguish between 2 types of castVote() calls: permissionless auto-reveal vs. juror recovery.
castVote()called by the juror = this is a recovery scenario = allow changing the justification
-> Verify only{vote + salt}castVote()called by someone else = this is an auto-reveal call = the justification must match the commitment
-> Verify{vote + justification + salt}
Therefore the Shutter dispute kit must store 2 hashes: with and without justification.