Non(c)esuch Ballot-Level Risk-Limiting Audits for Precinct-Count Voting Systems

TL;DR

This paper introduces two methods for conducting risk-limiting audits in precinct-count voting systems that protect voter anonymity even if the system misreports or does not print genuine nonces on ballots, ensuring audit integrity.

Contribution

It proposes novel techniques for RLAs that remain valid despite untrusted or faulty ballot nonce imprinting and retrieval, enhancing privacy and audit robustness.

Findings

Methods maintain risk limit even with misreported nonces

Adaptive approach reduces workload if technology behaves correctly

Larger sample sizes needed if imprinting or retrieval misbehaves

Abstract

Risk-limiting audits (RLAs) guarantee a high probability of correcting incorrect reported outcomes before the outcomes are certified. The most efficient use ballot-level comparison, comparing the voting system's interpretation of individual ballot cards sampled at random (cast-vote records, CVRs) from a trustworthy paper trail to a human interpretation of the same cards. Such comparisons require the voting system to create and export CVRs in a way that can be linked to the individual ballots the CVRs purport to represent. Such links can be created by keeping the ballots in the order in which they are scanned or by printing a unique serial number on each ballot. But for precinct-count systems (PCOS), these strategies may compromise vote anonymity: the order in which ballots are cast may identify the voters who cast them. Printing a unique pseudo-random number ("cryptographic nonce") on each ballot card after the voter last touches it could reduce such privacy risks. But what if the system does not in fact print a unique number on each ballot or does not accurately report the numbers it printed? This paper gives two ways to conduct an RLA so that even if the system does not print a genuine nonce on each ballot or misreports the nonces it used, the audit's risk limit is not compromised (however, the anonymity of votes might be compromised). One method allows untrusted technology to be used to imprint and to retrieve ballot cards. The method is adaptive: if the technology behaves properly, this protection does not increase the audit workload. But if the imprinting or retrieval system misbehaves, the sample size the RLA requires to confirm the reported results when the results are correct is generally larger than if the imprinting and retrieval were accurate.