VAULT: Verifiable Audits Using Limited Transparency

Risk-limiting audits (RLAs) can provide strong evidence that reported election outcomes are correct, on the assumption that the paper trail of voter-verified ballots is trustworthy. Ballot-comparison RLAs involve comparing a human reading of voter intent from the paper ballot to the voting system’s electronic representation of voter intent for that ballot, the cast-vote record (CVR). Ballot-comparison RLAs first check that the full list of CVRs reproduces the reported results, then compare manual readings to CVRs for randomly selected ballots. For a ballot-comparison RLA to deserve public trust, the public must be able to validate those two steps. The easiest way to do that is to publish the entire list of CVRs. However, if every CVR is published, “Italian attacks” via pattern voting can be used to coerce voters or to facilitate selling votes.