The answer is it could reveal all three of their nonces
and show that they compute the correct xi value.
Assuming the encryption function has the properties it should, it should be difficult to find
r0, r1, and r2 values that encrypt in the same way with a different vote.
Note that this requires the property of the encryption function
that it's hard to do this by cheating by finding a different vote
with different nonce values that encrypt to the same thing.
This is actually a required property of encryption.
As long as the encryption is invertible, this would be impossible.
If we could find two such values, well then we couldn't decrypt
and get the same x or y out correctly that went in.
That's why this works--if we're willing to reveal these values and show that they produce xi
that proves that someone somewhere along the chain cheated
if the vote is not recorded in the final tally.
The big drawback of this is it requires that the voter reveals her vote
in order to show that her vote was not included in the tally.
