Benjamin Fuller, Abigail Harrison, Alexander Russell
2023 IEEE Symposium on Security and Privacy (SP), pp. 2002-2019
May 22-26, 2023, San Francisco, CA, USA https://arxiv.org/abs/2202.02607v5
Risk-limiting audits (RLAs) are rigorous statistical procedures meant to detect invalid election results. RLAs examine paper ballots cast during the election to statistically assess the possibility of a disagreement between the winner determined by the ballots and the winner reported by tabulation. The most ballot efficient approaches proceed by “ballot comparison.” However, ballot comparison requires an untrusted declaration of the contents of each cast ballot, rather than a simple tabulation of vote totals. This “cast-vote record table” (CVR) is then spot-checked against ballots for consistency. In many practical settings, the cost of generating a suitable CVR dominates the cost of conducting the audit, preventing widespread adoption of these sample-efficient techniques.
We introduce a new RLA procedure: an “adaptive ballot comparison” audit. In this audit, a global CVR is never produced; instead, a three-stage procedure is iterated:
1) a batch is selected,
2) a CVR is produced for that batch, and
3) a ballot within the batch is sampled, inspected by auditors, and compared with the CVR.
We prove that such an audit can achieve risk commensurate with standard comparison audits while generating a fraction of the CVR. We present three main contributions:
1) a formal adversarial model for RLAs;
2) definition and analysis of an adaptive audit procedure with rigorous risk limits and an associated correctness analysis accounting for the incidental errors arising in typical audits; and
3) an analysis of practical efficiency.
This method can be organized in rounds (as is typical for comparison audits) where sampled CVRs are produced in parallel. Using data from Florida’s 2020 presidential election with 5% risk and 1% margin, only 22% of the CVR is generated; at 10% margin, only 2% is generated.