Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ronald L. Rivest MIT NASEM Future of Voting December 7, 2017

Published byLynn Powers Modified over 5 years ago

Similar presentations

Presentation on theme: "Ronald L. Rivest MIT NASEM Future of Voting December 7, 2017"— Presentation transcript:

1 Ronald L. Rivest MIT NASEM Future of Voting December 7, 2017
Risk-Limiting Audits Ronald L. Rivest MIT NASEM Future of Voting December 7, 2017

2 Risk-Limiting Audits (RLAs)
Assumptions What do they do? What do they not do? How do RLAs work? Extensions References

3 (Assumption) Voter-Verified Paper Ballots

4 And Who Do You Hope You Voted For?

5 (Assumption) Optical scanners used, for efficient tabulation

6

7

8 Scanners (Assumption) Scanner produces one electronic CVR (cast vote record) for each ballot scanned. CVRs are tabulated to produce reported contest outcome (aka contest winner).

9 (Concern) Scanners may introduce systematic errors

10 Causes of scanner errors
Differences in interpretation between machine interpretation and hand interpretation. Voter intent rules. Stray marks (e.g. caused by folds) Configuration errors Programming errors Hacking (adversarial attack)

11 (Response to concern) Statistical “Risk-Limiting” Audit

12 What does a RLA do? A risk-limiting audit provides statistical assurance that a reported outcome is “correct.” Here “correct” means “the result that would be obtained by examining all ballots by hand.” A RLA does so efficiently using a hand examination of a random sample of the cast paper ballots. Good for in-person voting and vote-by mail. Really, a “risk-limiting tabulation audit” (RLTA).

13 What a RLA does not do A RLA does not address:
correctness of the tally (as opposed to the outcome) voter eligibility voter authentication usability privacy chain of custody

14 Who is a RLA for? Losing candidates – to convince them that “they lost fair and square” The winner – to provide a mandate The public – to assuage doubts about “rigged elections” All evidence produced by the election and the audit should be published (as much as can be published without violating voter privacy).

15 (Ballot-level) Sampling

16 Ballot manifest A ballot manifest describes the set of cast paper ballots, and how they are organized in storage (e.g. in 100-count batches, one envelope per batch, 15 batches/container). The ballot manifest defines the set of ballots to be sampled from for an audit.

17 Random Seed Generation
Because of adversaries, random sample should be determined after ballot manifest and CVRs are committed to. A good process may start by rolling 20 decimal dice. Then seeding a PRNG (pseudo-random number generator) to pick ballots at random.

18 Overall RLA structure

19 RLA structure Draw initial random sample of paper votes.
Cast Paper Votes Sample Draw initial random sample of paper votes. Interpret them by hand. Stop if reported outcome is now confirmed to desired confidence level. If all ballots now examined, you are done. Otherwise increase sample size (escalate); return to 2.

20 Two (ballot-level) auditing paradigms
Ballot-polling audits: Uses the randomly selected cast paper ballots only. Like ``exit poll’’ of ballots… Comparison audits: Compares randomly selected paper ballots with corresponding electronic records (CVRs) for all contests under audit. Comparison audit more efficient by a factor of roughly (1 / margin-of-victory).

21 What is ``Risk”?

22 What is ``Risk’’?? Risk is defined as:
the probability that an incorrect reported outcome will be accepted by audit as correct

23 What is “Risk Limit”?

24 What is ``Risk Limit’’? Risk Limit is upper bound on acceptable risk.
With 5% risk limit, there is at least a 95% chance that an incorrect reported outcome will be detected and fixed (by escalation to hand interpretation of all cast paper ballots), and at most a 5% chance that an incorrect reported outcome will be accepted as correct.

25 One RLA stopping rule For comparison audit n = sample size
m = margin (difference between winner and loser vote-count, divided by number of ballots in population being sampled) O1, O2 = number of sampled ballots revealing overstatement of margin by one or two U1, U2 = number of sampled ballots revealing understatement of margin by one or two

26 One RLA stopping rule (cont.)
Stop audit when: n > ( (O1+5O2-0.6U1-4.4U2)) / m This is for a risk limit of 0.10. For example, with no discrepancies: n > 4.8 / m (This formula used for CO initial sample sizes.) Example: if m = / m = 96

27 Extensions Many contests, not just one. Audits interact.
Many jurisdictions, not just one. Sampling is for a distributed contest is distributed. Contests have overlapping domains; may be arbitrary relationship (not necessarily nested). Some jurisdictions have equipment supporting comparison audits; some don’t. Need blended method if contest spans both. Vote-by-mail mixes ballots of different styles.

28 Conclusions Risk-limiting audits can detect and correct tabulation errors. Mathematical foundations exist; extensions to handle all real-world scenarios in best way being worked on. RLAs work in practice (Colorado!)

29 References “A Gentle Introduction to Risk-Limiting Audits” by Mark Lindeman and Philip B. Stark IEEE Security & Privacy 10, 5 (Sep-Oct. 2012), 42—49.

30 The End Thanks for your attention!

Download ppt "Ronald L. Rivest MIT NASEM Future of Voting December 7, 2017"

Similar presentations

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.

A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.
Lesson 7: The Voting Process. Opening Discussion Have you ever voted for something before? How was the winner decided? Did you think the process was fair?

Lesson 7: The Voting Process. Opening Discussion Have you ever voted for something before? How was the winner decided? Did you think the process was fair?
By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.

By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.
Excursions in Modern Mathematics, 7e: 16.7 - 2Copyright © 2010 Pearson Education, Inc. 16 Mathematics of Normal Distributions 16.1Approximately Normal.

Excursions in Modern Mathematics, 7e: Copyright © 2010 Pearson Education, Inc. 16 Mathematics of Normal Distributions 16.1Approximately Normal.
QBM117 Business Statistics Statistical Inference Sampling 1.

QBM117 Business Statistics Statistical Inference Sampling 1.
1. Estimation ESTIMATION.

1. Estimation ESTIMATION.
August 6, 2007Electronic Voting Technology 2007 On Estimating the Size and Confidence of a Statistical Audit Javed A. Aslam College of Computer and Information.

August 6, 2007Electronic Voting Technology 2007 On Estimating the Size and Confidence of a Statistical Audit Javed A. Aslam College of Computer and Information.
8-1 Copyright ©2011 Pearson Education, Inc. publishing as Prentice Hall Chapter 8 Confidence Interval Estimation Statistics for Managers using Microsoft.

8-1 Copyright ©2011 Pearson Education, Inc. publishing as Prentice Hall Chapter 8 Confidence Interval Estimation Statistics for Managers using Microsoft.
Copyright ©2011 Pearson Education 8-1 Chapter 8 Confidence Interval Estimation Statistics for Managers using Microsoft Excel 6 th Global Edition.

Copyright ©2011 Pearson Education 8-1 Chapter 8 Confidence Interval Estimation Statistics for Managers using Microsoft Excel 6 th Global Edition.
ElectionAudits: a Django App for Good Election Auditing Neal McBurnett OSCON July 22 2009.

ElectionAudits: a Django App for Good Election Auditing Neal McBurnett OSCON July
Ballot Processing Systems February, 2005 Submission to OASIS EML TC and True Vote Maryland by David RR Webber.

Ballot Processing Systems February, 2005 Submission to OASIS EML TC and True Vote Maryland by David RR Webber.
Batch Reports for Audits - ElectionAudits and the Boulder 2008 Election Neal McBurnett NIST Common Data Formats Workshop Oct 29 2009.

Batch Reports for Audits - ElectionAudits and the Boulder 2008 Election Neal McBurnett NIST Common Data Formats Workshop Oct
Audit Purpose of Audit Quality assurance procedure Check accuracy of machine tally of ballots Ballots for a contest are sampled, manually verified, and.

Audit Purpose of Audit Quality assurance procedure Check accuracy of machine tally of ballots Ballots for a contest are sampled, manually verified, and.
Andreas Steffen, 26.06.2009, LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.

Andreas Steffen, , LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.
12/9-10/2009 TGDC Meeting Auditing concepts David Flater National Institute of Standards and Technology

12/9-10/2009 TGDC Meeting Auditing concepts David Flater National Institute of Standards and Technology
Panel One Why Audit? Mary Batcher Ernst & Young and Chair of ASA Working Group on Elections.

Panel One Why Audit? Mary Batcher Ernst & Young and Chair of ASA Working Group on Elections.
Oct 15-17, 2007 6.6: Integratability and Data Export Page 1Next VVSG Training Voting devices must speak (produce records) using a commonly understood language,

Oct 15-17, : Integratability and Data Export Page 1Next VVSG Training Voting devices must speak (produce records) using a commonly understood language,

Similar presentations

Ads by Google