bug: flawed reencryption allows linking plaintext to reencrypted ballot #394

@altergui

A bribed voter can provide to the briber which original ciphertext vector they submitted. Later, when the sequencer publishes the reencrypted ballot, the briber can test whether that published ciphertext came from the bribed voter.

With proper rerandomization, that matching should be hard. With the current scheme, it may be easy.

Concrete flow:

  1. The briber tells the voter: vote for option 1 and show me the exact ciphertexts you submitted.
  2. The voter submits the ballot and records the original ciphertext vector:
    • field 1: (C1_1, C2_1)
    • field 2: (C1_2, C2_2)
    • etc.
  3. Later, the sequencer publishes the reencrypted ballot:
    • (C1'_1, C2'_1), (C1'_2, C2'_2), ...
  4. Because reencryption adds the same encrypted-zero offset to every field in that ballot, the briber computes pairwise differences such as:
    • C1'_1 - C1'_2
    • C2'_1 - C2'_2
  5. Those differences are unchanged from the original ballot:
    • C1'_1 - C1'_2 = C1_1 - C1_2
    • C2'_1 - C2'_2 = C2_1 - C2_2
  6. If the pattern matches, the briber links the published reencrypted ballot to the voter’s original ballot.

What the briber gains:

  • They can check whether the voter really submitted the ballot they claimed.
  • If the option-1 ballot shape is distinctive enough, they can recognize it after reencryption.
  • That weakens receipt-freeness / anti-coercion, because reencryption no longer fully breaks the connection between “what the voter showed me” and “what appeared in the public/state output.”

Important nuance:

  • This does not let the briber read arbitrary votes from ciphertext alone.
  • It helps when the briber already has the original ciphertexts or can force the voter to reveal them.
  • That is exactly the threat model reencryption is supposed to mitigate: a voter should not be able to produce a durable receipt that remains linkable later.

So the report’s point is: if reencryption is meant to destroy that receipt, using one identical translation for all fields leaves a fingerprint behind.
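
The linking test from the flow above, as an added example (not code from the project or from this report). It assumes exponential ElGamal over a toy multiplicative group, so the issue's additive differences such as `C1'_1 - C1'_2` become quotients; all function names, the group parameters and the per-field-offset variant shown for contrast are assumptions made for the demonstration.

```python
import secrets

# Toy parameters (assumptions for this demo, not the project's group):
# integers modulo the Mersenne prime 2^127 - 1, written multiplicatively.
P = 2**127 - 1
G = 3

def rand_exp():
    return secrets.randbelow(P - 2) + 1

def encrypt(h, m, r=None):
    """Exponential ElGamal under public key h: (g^r, g^m * h^r)."""
    r = rand_exp() if r is None else r
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P)

def add_zero(h, ct, s):
    """Combine one ciphertext with an encryption of zero that uses randomness s."""
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(h, s, P) % P)

def reencrypt_shared(h, ballot, s=None):
    """Scheme described in the report: the same encrypted zero for every field."""
    s = rand_exp() if s is None else s
    return [add_zero(h, ct, s) for ct in ballot]

def reencrypt_fresh(h, ballot, offsets=None):
    """Contrast case (assumed): an independent encrypted zero per field."""
    offsets = offsets or [rand_exp() for _ in ballot]
    return [add_zero(h, ct, s) for ct, s in zip(ballot, offsets)]

def fingerprint(ballot):
    """Pairwise 'difference' of field 1 against every other field."""
    c1, c2 = ballot[0]
    return [(c1 * pow(a, -1, P) % P, c2 * pow(b, -1, P) % P)
            for a, b in ballot[1:]]

def linkable(original, published):
    """True when the published ballot keeps the original's fingerprint."""
    return fingerprint(original) == fingerprint(published)

def demo():
    h = pow(G, rand_exp(), P)                    # constructed public key
    ballot = [encrypt(h, m) for m in (1, 0, 0)]  # constructed ballot
    return (linkable(ballot, reencrypt_shared(h, ballot)),
            linkable(ballot, reencrypt_fresh(h, ballot)))

if __name__ == "__main__":
    print(demo())
```

The shared-offset case links every time because the common factor cancels in each quotient, even though every individual ciphertext has changed.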
