Risk-limiting audits (RLAs) guarantee a high probability of correcting incorrect reported outcomes before the outcomes are certified. The most efficient use ballot-level comparison, comparing the voting system's interpretation of individual ballot cards sampled at random (cast-vote records, CVRs) from a trustworthy paper trail to a human interpretation of the same cards. Such comparisons require the voting system to create and export CVRs in a way that can be linked to the individual ballots the CVRs purport to represent. Such links can be created by keeping the ballots in the order in which they are scanned or by printing a unique serial number on each ballot. But for precinct-count systems (PCOS), these strategies may compromise vote anonymity: the order in which ballots are cast may identify the voters who cast them. Printing a unique pseudo-random number ("cryptographic nonce") on each ballot card after the voter last touches it could reduce such privacy risks. But what if the system does not in fact print a unique number on each ballot or does not accurately report the numbers it printed? This paper gives two ways to conduct an RLA so that even if the system does not print a genuine nonce on each ballot or misreports the nonces it used, the audit's risk limit is not compromised (however, the anonymity of votes might be compromised). One method allows untrusted technology to be used to imprint and to retrieve ballot cards. The method is adaptive: if the technology behaves properly, this protection does not increase the audit workload. But if the imprinting or retrieval system misbehaves, the sample size the RLA requires to confirm the reported results when the results are correct is generally larger than if the imprinting and retrieval were accurate.

翻译：风险限制审计（RLAs）能够以高概率确保在认证选举结果之前纠正错误报告的结果。最有效的方式是使用选票级比较，将投票系统对随机抽取的个别选票卡的解释（即已投票记录，CVRs）与人类对相同选票卡的解释进行对比。此类比较要求投票系统以能够链接到CVRs所声称代表的个别选票的方式创建并导出CVRs。这种链接可以通过保持选票按扫描顺序排列或每张选票上打印唯一序列号来实现。但对于选区计票系统（PCOS），这些策略可能损害投票匿名性：选票被投出的顺序可能识别出投票者。在选民最后一次接触后，每张选票卡上打印一个唯一的伪随机数（“密码学随机数”）可以减少此类隐私风险。但若系统实际上并未在每张选票上打印唯一数，或未准确报告其打印的数，结果如何？本文给出两种进行RLA的方法，使得即使系统未在每张选票上打印真正的随机数或误报其所用的随机数，审计的风险限制也不会被破坏（然而，投票的匿名性可能受损）。一种方法允许使用不可信技术来印记和检索选票卡。该方法具有自适应性：若技术行为正常，此保护措施不会增加审计工作量。但若印记或检索系统行为不当，当结果正确时，RLA为确认报告结果所需样本量通常大于印记和检索准确时的样本量。