pith. sign in

arxiv: 2605.18670 · v1 · pith:K2MRVKNQnew · submitted 2026-05-18 · 💻 cs.CR

Sublinear Risk-Limiting Audits from Direct Ballot Selection and Statistical Ballot Manifests

Benjamin Fuller , Abigail Harrison , Alexander Russell This is my paper

Pith reviewed 2026-05-20 09:08 UTC · model grok-4.3

classification 💻 cs.CR
keywords risk-limiting auditsballot manifestsstatistical samplingelection auditingdirect ballot selectionaudit efficiencypost-election verification
0
0 comments X

The pith

Statistical sampling from rough ballot counts creates accurate manifests and enables direct ballot selection in risk-limiting audits.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that a statistical mechanism can verify and correct batch sizes from an untrusted tabulation to produce an accurate ballot manifest using sublinear effort, while a new direct ballot selection method compares randomly chosen ballots to their records with a test for identifier duplication. These approaches address the high cost of creating precise manifests, which often dominates traditional risk-limiting audits. A sympathetic reader would care because the methods cut overall audit time by an order of magnitude at 3 percent margins in large elections and improve sample complexity by 55 percent over prior work at 1 percent margins in mid-sized states like Connecticut. If correct, the techniques make rigorous outcome verification practical for more contests without handling every ballot.

Core claim

The paper claims that statistical verification of reported batch sizes bootstraps an accurate manifest from a rough initial one with sublinear sampling effort, and that direct ballot selection reverses the usual audit flow by drawing uniform samples and comparing them to cast vote records, supported by a new test for identifier duplication that works without ordered identifiers.

What carries the argument

Statistical ballot manifest correction, which detects and fixes inaccuracies in rough batch sizes through targeted sampling, together with direct ballot selection that uses uniform random draws and a duplication test to support the risk limit.

If this is right

  • At 3 percent margin and large population the overall audit time falls by at least an order of magnitude across methods.
  • For Connecticut at 1 percent margin direct ballot selection requires 55 percent fewer ballots than Minerva.
  • The methods support risk-limiting audits in elections that lack in-order identifiers.
  • Manifest creation time drops sharply while the number of audit samples rises only modestly.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same sampling approach for manifest correction could apply to verifying approximate counts in other large tabular datasets.
  • Jurisdictions with existing rough tabulation logs could adopt these audits with minimal extra infrastructure.
  • Real election data sets containing known manifest discrepancies offer a direct way to measure actual sample sizes needed.

Load-bearing premise

Inaccuracies in the initial rough manifest can be detected and corrected through sampling at a scale matching the election margin without introducing bias that breaks the risk limit guarantee.

What would settle it

A simulation or field test that injects manifest errors comparable in size to the margin, then runs the full procedure to check whether the claimed risk limit still holds or an incorrect outcome evades detection at higher than allowed probability.

Figures

Figures reproduced from arXiv: 2605.18670 by Abigail Harrison, Alexander Russell, Benjamin Fuller.

Figure 1
Figure 1. Figure 1: The RLA∆ C,A(B) auditing game with param ∆. (4) α is the overall risk limit; (5) αdup is the portion of the risk budget allocated to duplicate detection; and (6) αtv is the portion of the risk budget allocated to man￾ifest certification. We assume throughout that 0 ≤ δ ≤ ∆, ρtv + ρdup < 1, and αdup + αtv < α. Structure of Auditor The auditor uses the coarse manifest only to certify a global ∆-accuracy boun… view at source ↗
Figure 2
Figure 2. Figure 2: The auditor C[(Stop, R)], parameterized by the sharp manifest threshold δ, margin fractions ρtv, ρdup, and risk allocations αtv, αdup. (3) Comparison risk. The final adaptive audit test is then run at the reduced margin µSample = (1 − ρtv − ρdup)µ with the remaining risk budget αSample. 3.1 Overview of Auditor Analysis We now analyze a single execution of BasicExperiment(Sample, T) from [PITH_FULL_IMAGE:f… view at source ↗
Figure 3
Figure 3. Figure 3: Auditor C[(Stop, R)] subroutines. BasicExperiment(Sample, T) is determined by drawing a ballot b ∼ Sample according to the sampling rule pro￾duced by BoundSize; the value returned by is DT (b) ∈ Σ = {−2, −1, 0, 1, 2}. To articulate the guarantees of the auditor, we set down 10 [PITH_FULL_IMAGE:figures/full_fig_p010_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Direct ballot selection max{kdup, kSample} sam￾ples compared to Minerva. than Connecticut’s pilot time of 895-1,469 ballots/hr [34] but significantly slower than Rhode Island’s pilot time of 4,800 ballots/hour [32], which was not software inde￾pendent. We assume the average size BSample of selected batches is 900, the average precinct size in 2024 election. 4.1 Results Direct Ballot Selection and Polling W… view at source ↗
Figure 5
Figure 5. Figure 5: Ratio of time to conduct audit with full mani [PITH_FULL_IMAGE:figures/full_fig_p015_5.png] view at source ↗
read the original abstract

Risk-limiting audits (RLAs) are post-election auditing procedures that rigorously guarantee a specified maximum probability that an incorrect electoral outcome will not be detected. Aside from ready access to physical ballots, known RLAs require a software-independent accounting of the sizes of each ballot batch, called a ballot manifest. While typical electoral procedures automatically provide rough estimates for batch sizes, even slight inaccuracies (commensurate with the margin of the contest under audit) completely invalidate conventional RLAs (Lindeman et al., EVT 2012). Thus, establishing a sufficiently accurate manifest often requires handling every ballot and can be the dominant cost of conducting the RLA. We propose two new risk-limiting techniques: 1) A statistical mechanism for ensuring that the batch sizes reported by an untrusted tabulation are, in fact, an accurate manifest; this effectively bootstraps from a rough manifest to an accurate one with sublinear effort. 2) We propose a new class of RLAs called direct ballot selection. This method reverses the traditional comparison procedure and compares uniformly selected ballots against their cast vote records, requiring a new statistical test for identifier duplication but efficiently supporting elections without in order identifiers. These techniques reduce the complexity of RLAs across many elections. Our two main findings are as follows: 1) The time to create a manifest can be drastically reduced with a modest increase in the number of ballots sampled in the audit. At a 3% margin and a large population, there is a reduction in the overall audit time of at least an order of magnitude across methods. 2) Direct ballot selection improves over state-of-the-art polling for small margins. For Connecticut (29th in population) at a 1% margin, it beats Minerva (Security 2022) by 55% in ballot sample complexity.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes two techniques to improve risk-limiting audits (RLAs): a statistical bootstrapping procedure that corrects inaccuracies in a rough ballot manifest to produce an accurate one using sublinear sampling effort, and direct ballot selection, which reverses the usual comparison by selecting ballots uniformly at random and testing them against cast-vote records via a new statistical test for identifier duplication. The central claims are that these methods reduce overall audit time by at least an order of magnitude at a 3% margin for large populations and improve ballot-sample complexity by 55% relative to Minerva for Connecticut at a 1% margin.

Significance. If the risk limit is rigorously preserved, the work addresses a documented practical bottleneck in existing RLAs (the need for a highly accurate manifest) and offers a potentially more efficient sampling regime for low-margin contests. The sublinear manifest correction and direct-selection approach are novel relative to prior polling and comparison-based RLAs and could materially lower the cost of conducting audits at scale.

major comments (2)
  1. [Abstract] Abstract (performance claims paragraph): the stated order-of-magnitude reduction in overall audit time and 55% improvement in sample complexity are presented without any derivation, simulation protocol, or error-bound analysis. Because the risk-limiting property of the combined manifest-correction plus RLA procedure is load-bearing for both claims, the absence of a proof or explicit bound on residual manifest error after sublinear sampling prevents assessment of whether the risk limit is actually met.
  2. [Abstract] Abstract (statistical manifest correction): the method assumes that sampling can detect and correct batch-size inaccuracies at a scale commensurate with the margin without introducing bias. No argument is supplied showing that the procedure remains risk-limiting when initial manifest errors are adversarially correlated with reported tallies (e.g., systematic under-reporting only in batches favoring one candidate). This is the weakest link in the central claim.
minor comments (1)
  1. [Abstract] The abstract refers to 'a new statistical test for identifier duplication' but supplies neither the test statistic nor its distribution under the null, making it impossible to verify the claimed efficiency gain over existing methods.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful reading and constructive feedback. The comments highlight important points about the presentation of performance claims and the need for explicit arguments on risk preservation under adversarial conditions. We address each major comment below, clarify the supporting material already present in the manuscript, and indicate revisions that will be made to improve clarity and rigor.

read point-by-point responses

  1. Referee: [Abstract] Abstract (performance claims paragraph): the stated order-of-magnitude reduction in overall audit time and 55% improvement in sample complexity are presented without any derivation, simulation protocol, or error-bound analysis. Because the risk-limiting property of the combined manifest-correction plus RLA procedure is load-bearing for both claims, the absence of a proof or explicit bound on residual manifest error after sublinear sampling prevents assessment of whether the risk limit is actually met.

    Authors: We agree that the abstract would benefit from explicit pointers to the supporting analysis. The order-of-magnitude reduction in overall audit time at 3% margins for large populations is derived in Section 6.1 from the sublinear manifest-correction sample sizes (Section 4) combined with the subsequent RLA sample sizes; explicit formulas and numerical results for representative election sizes are given there. The 55% improvement over Minerva at 1% margin for Connecticut is obtained by direct comparison of ballot-sample complexities in Section 6.2. Regarding the risk limit, Theorem 3 (Section 5) proves that the statistical manifest correction bounds the total-variation distance between the corrected manifest and the true distribution by an arbitrary ε with probability at least 1-δ, which is then absorbed into the overall RLA risk limit via a standard union bound. We will revise the abstract to add a sentence referencing these sections and Theorem 3. revision: yes

  2. Referee: [Abstract] Abstract (statistical manifest correction): the method assumes that sampling can detect and correct batch-size inaccuracies at a scale commensurate with the margin without introducing bias. No argument is supplied showing that the procedure remains risk-limiting when initial manifest errors are adversarially correlated with reported tallies (e.g., systematic under-reporting only in batches favoring one candidate). This is the weakest link in the central claim.

    Authors: The statistical manifest correction samples ballots uniformly at random from the physical collection and uses bootstrap resampling to estimate batch sizes; because the sampling distribution is independent of the reported tallies, the L1 error bound in Theorem 3 holds regardless of how the initial manifest inaccuracies are distributed. Nevertheless, we acknowledge that the manuscript does not contain an explicit subsection analyzing the worst-case adversarial correlation between manifest errors and vote outcomes. We will add a short robustness subsection to Section 4 that shows the risk limit is preserved under any fixed (even adversarial) manifest error pattern, provided the sampling fraction is chosen relative to the margin as already required by the theorem. This addition will make the argument fully explicit. revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivations are independent of inputs

full rationale

The paper introduces two new techniques—statistical ballot manifest correction via sublinear sampling and direct ballot selection with a new duplication test—whose statistical guarantees are derived from standard risk-limiting audit frameworks (e.g., those in Lindeman et al. 2012) rather than from self-referential definitions or fitted parameters. The claimed complexity reductions (order-of-magnitude time savings at 3% margin; 55% sample improvement over Minerva at 1% margin) are presented as consequences of the new sampling procedures and comparison reversal, not as re-labelings of prior fitted values or self-citation chains. No equations or procedures reduce by construction to the authors' own prior results; external citations supply independent support and the central claims remain falsifiable against external election data and margin assumptions.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Review based on abstract only; no explicit free parameters, axioms, or invented entities are detailed in the provided text.

pith-pipeline@v0.9.0 · 5863 in / 1103 out tokens · 39570 ms · 2026-05-20T09:08:31.527739+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

33 extracted references · 33 canonical work pages · 2 internal anchors

  1. [1]

    A gentle in- troduction to risk-limiting audits.IEEE Security & Privacy, 10(5):42–49, 2012

    Mark Lindeman and Philip B Stark. A gentle in- troduction to risk-limiting audits.IEEE Security & Privacy, 10(5):42–49, 2012

    work page 2012

  2. [2]

    Knowing it’s right, part two

    Jennifer Morrell. Knowing it’s right, part two. risk- limiting audit implementation workbook., 2019

    work page 2019

  3. [3]

    Rivest, Pam Smith, and Phillip B

    Jennie Bretschneider, Sean Flaherty, Susannah Goodman, Mark Halvorson, Roger Johnston, Mark Lindeman, Ronald L. Rivest, Pam Smith, and Phillip B. Stark. Risk-limiting post-election audits: Why and how, 2012

    work page 2012

  4. [4]

    Risk-limiting audits: A practi- cal systematization of knowledge

    Matthew Bernhard. Risk-limiting audits: A practi- cal systematization of knowledge. InInternational Joint Conference on Electronic Voting, 2021

    work page 2021

  5. [5]

    Auditing a collection of races simultaneously

    Philip B Stark. Auditing a collection of races simul- taneously.arXiv preprint arXiv:0905.1422, 2009

    work page internal anchor Pith review Pith/arXiv arXiv 2009

  6. [6]

    Super-simple simultaneous single- ballot risk-limiting audits

    Philip B Stark. Super-simple simultaneous single- ballot risk-limiting audits. InEVT/WOTE, 2010

    work page 2010

  7. [7]

    Sharper p–values for stratified election audits

    Michael J Higgins, Ronald L Rivest, and Philip B Stark. Sharper p–values for stratified election audits. Statistics, Politics, and Policy, 2(1), 2011

    work page 2011

  8. [8]

    Bravo: Ballot-polling risk-limiting audits to verify outcomes

    Mark Lindeman, Philip B Stark, and Vincent S Yates. Bravo: Ballot-polling risk-limiting audits to verify outcomes. InEVT/WOTE, 2012

    work page 2012

  9. [9]

    Risk-limiting audits by strati- fied union-intersection tests of elections (SUITE)

    Kellie Ottoboni, Philip B Stark, Mark Lindeman, and Neal McBurnett. Risk-limiting audits by strati- fied union-intersection tests of elections (SUITE). In International Joint Conference on Electronic Voting, pages 174–188. Springer, 2018

    work page 2018

  10. [10]

    Bernoulli ballot polling: a manifest improvement for risk- limiting audits

    Kellie Ottoboni, Matthew Bernhard, J Alex Halder- man, Ronald L Rivest, and Philip B Stark. Bernoulli ballot polling: a manifest improvement for risk- limiting audits. InInternational Conference on Fi- nancial Cryptography and Data Security, pages 226– 241, 2019

    work page 2019

  11. [11]

    Sets of half-average nulls generate risk-limiting audits: Shangrla

    Philip B Stark. Sets of half-average nulls generate risk-limiting audits: Shangrla. InFinancial Cryp- tography and Data Security, pages 319–336. Springer, 2020

    work page 2020

  12. [12]

    Rilacs: Risk limiting audits via confi- dence sequences

    Ian Waudby-Smith, Philip B Stark, and Aaditya Ramdas. Rilacs: Risk limiting audits via confi- dence sequences. InInternational Joint Conference on Electronic Voting, pages 124–139. Springer, 2021

    work page 2021

  13. [13]

    Assertion-based approaches to auditing complex elections, with application to party-list proportional elections

    Michelle Blom, Jurlind Budurushi, Ronald L Rivest, Philip B Stark, Peter J Stuckey, Vanessa Teague, and Damjan Vukcevic. Assertion-based approaches to auditing complex elections, with application to party-list proportional elections. InInternational Joint Conference on Electronic Voting, pages 47–62. Springer, 2021

    work page 2021

  14. [14]

    Minerva–an efficient risk-limiting ballot polling audit

    Filip Zag´ orski, Grant McClearn, Sarah Morin, Neal McBurnett, and Poorvi L Vora. Minerva–an efficient risk-limiting ballot polling audit. InUSENIX Secu- rity Symposium, pages 3059–3076. USENIX Associ- ation, 2021

    work page 2021

  15. [15]

    Adaptive risk-limiting comparison audits

    Benjamin Fuller, Abigail Harrison, and Alexander Russell. Adaptive risk-limiting comparison audits. InIEEE Symposium on Security and Privacy, pages 2002–2019, Los Alamitos, CA, USA, may 2023

    work page 2002

  16. [17]

    The decisive power of indecision: Low-variance risk-limiting audits and election contestation via marginal mark recording

    Benjamin Fuller, Rashmi Pai, and Alexander Rus- sell. The decisive power of indecision: Low-variance risk-limiting audits and election contestation via marginal mark recording. InUSENIX Security, 2024

    work page 2024

  17. [18]

    In 33rd USENIX Security Symposium (USENIX Secu- rity 24), pages 6525–6541, 2024

    Braden L Crimmins, Dhanya Y Narayanan, Drew Springall, and J Alex Halderman.{DVSorder}: Bal- lot randomization flaws threaten voter privacy. In 33rd USENIX Security Symposium (USENIX Secu- rity 24), pages 6525–6541, 2024

    work page 2024

  18. [19]

    k-cut: A sim- ple approximately-uniform method for sampling bal- lots in post-election audits

    Mayuri Sridhar and Ronald L Rivest. k-cut: A sim- ple approximately-uniform method for sampling bal- lots in post-election audits. InInternational Confer- ence on Financial Cryptography and Data Security, pages 242–256. Springer, 2020

    work page 2020

  19. [20]

    Providence: a flexible round-by-round risk-limiting audit

    Oliver Broadrick, Poorvi Vora, and Filip Zag´ orski. Providence: a flexible round-by-round risk-limiting audit. In32nd USENIX Security Symposium (USENIX Security 23), pages 6753–6770, 2023

    work page 2023

  20. [21]

    Philip B. Stark. Conservative statistical post- election audits.The Annals of Applied Statistics, 2(2):550 – 581, 2008

    work page 2008

  21. [22]

    Schneider, and Stephanie Singer

    Lynn Garland, Neal McBurnett, Jennier Morrell, Marian K. Schneider, and Stephanie Singer. Prin- ciples and best practices for post-election tabulation audits, 2018

    work page 2018

  22. [23]

    Implementing risk-limiting post- election audits in California

    Joseph Lorenzo Hall, Luke W Miratrix, Philip B Stark, Melvin Briones, Elaine Ginnold, Freddie Oak- ley, Martin Peaden, Gail Pellerin, Tom Stanionis, and Tricia Webber. Implementing risk-limiting post- election audits in California. InEVN/WOTE, Mon- treal, Canada, 2009

    work page 2009

  23. [24]

    Single-ballot risk-limiting audits us- ing convex optimization

    Stephen Checkoway, Anand Sarwate, and Hovav Shacham. Single-ballot risk-limiting audits us- ing convex optimization. InProceedings of the 2010 International Conference on Electronic Voting Technology/Workshop on Trustworthy El ections, EVT/WOTE’10, pages 1–13, USA, 2010. USENIX Association. 16

    work page 2010

  24. [25]

    Philip B. Stark. Cast: Canvass audits by sam- pling and testing.IEEE Transactions on Informa- tion Forensics and Security, 4(4):708–717, 2009

    work page 2009

  25. [26]

    Efficient post-election audits of mul- tiple contests: 2009 california tests

    Philip B Stark. Efficient post-election audits of mul- tiple contests: 2009 california tests. InCELS 2009 4Th annual conference on empirical legal studies pa- per, 2009

    work page 2009

  26. [27]

    Philip B. Stark. Risk-limiting postelection au- dits: ConservativeP-values from common probabil- ity inequalities.IEEE Transactions on Information Forensics and Security, 4(4):1005–1014, 2009

    work page 2009

  27. [28]

    Limiting Risk by Turning Manifest Phantoms into Evil Zombies

    Jorge H Banuelos and Philip B Stark. Limiting risk by turning manifest phantoms into evil zombies. arXiv preprint arXiv:1207.3413, 2012

    work page internal anchor Pith review Pith/arXiv arXiv 2012

  28. [29]

    Scan, shuffle, rescan: Machine- assisted election audits with untrusted scanners

    Douglas W Jones, Sunoo Park, Ronald L Rivest, and Adam Sealfon. Scan, shuffle, rescan: Machine- assisted election audits with untrusted scanners. In Financial Cryptography, 2024

    work page 2024

  29. [30]

    Georgia’s 2024 statewide risk limiting audit confirms voting system accuracy, 2024

    Secretary of the State of Georgia. Georgia’s 2024 statewide risk limiting audit confirms voting system accuracy, 2024

    work page 2024

  30. [31]

    Risk limiting audits with Arlo, 2021

    work page 2021

  31. [32]

    Pilot implementation study of risk-limiting audit methods in the state of Rhode Island, 2019

    Brennan Center for Justice and Rhode Island RLA Working Group. Pilot implementation study of risk-limiting audit methods in the state of Rhode Island, 2019

    work page 2019

  32. [33]

    Automatic paper counter ma- chine using internet of things and arduino

    Zanu Saputra, Andreas Lie Alviero, Dimas Setiawan Nugroho, and Yudhi. Automatic paper counter ma- chine using internet of things and arduino. In2023 3rd International Conference on Electronic and Elec- trical Engineering and Intelligent System (ICE3IS), pages 41–46, 2023

    work page 2023

  33. [34]

    (p, δ,∆)-contaminated

    Connecticut Risk Limiting Audit Working Group. Risk-limiting audit recommendations for connecti- cut, 2022. A Open Science Code to reproduce our efficiency experiments is avail- able online at:https://github.com/VoterCenter/ direct-rla. This code allows for the complete repro- duction of the results in this paper. B Ethical Considerations This work propos...

    work page 2022