3rd Usenix Workshop on Hot Topics in Security (hotsec '08) Securing Systems N Security Benchmarking Using Partial Verification Exploring New Directions

Each ballot is first transformed into a square matrix with a row and column for each candidate. Each cell in the matrix represents a pairwise preference of the row candidate to the column candidate. A value of –1 indicates that the row candidate is preferred, whereas a 0 indicates the column candidate is preferred. By summing the column for a candidate and multiplying by –1, you can recover the rank from the traditional ballot. Additionally, by adding an eliminated row to the column sums the votes are automatically redistributed to reflect the new ordering. The final step is to take this matrix and encrypt it using something such as exponential ElGamal, which has the property of additive homomorphism. Tallying then takes place using the encrypted matrices for each ballot instead of the cleartext votes. The authors have implemented this scheme and said that for a 30-candidate election and one million voters it required 10,000 PC hours to tally the election and produced a 400 GB audit log of the encrypted ballots.