Comment: That part is optional, strictly speaking

In reply to comment: One thing I don't understand

A UUID-person relation makes it easy to guarantee votes cast only by legitimate voters (with records that can be verified after the fact). But if 100% secret ballots are required (I wasn't sure about the level of anonymity required by law here), that can be left out--sort of.

Instead, the UUID for any given voter would be generated for them on the spot right before they vote. The fact that they showed up and received a UUID would need to be recorded to prevent duplicate votes, but the UUID itself would not be recorded along with their name. It would be required to cast a vote, and still included on the receipt though.

Come to think of it, all of the votes I've cast (only 27 years old here) have used a system like this, it seems. I have to give my name, then they press a button on a little receipt machine and it gives me a piece of paper with a 4-digit code on it, which I have to enter on the machine. This is probably exactly what it's for.

A UUID is a 32-byte hex string, which is probably overkill and too much of a headache to type in by hand. Maybe a QR code representation would work instead--easily generated and easily scanned. It doesn't have to be 32 bytes either, as long as it's unique.
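
The on-the-spot token flow described in the comment above, as an added Python sketch that is not part of the original comment. The class and method names are hypothetical, and the in-memory sets stand in for whatever records a real polling place would keep.

```python
import uuid


class PollingStation:
    """Hypothetical model of the check-in / token / ballot flow."""

    def __init__(self, eligible_voters):
        self.eligible = set(eligible_voters)
        self.checked_in = set()      # names only: who showed up
        self.unused_tokens = set()   # tokens only: no names attached
        self.ballots = {}            # token -> choice, kept for receipts

    def check_in(self, name):
        """Record attendance and hand back a fresh token.

        The token goes to the voter but is never stored next to the
        name, so the two record sets cannot be joined afterwards.
        """
        if name not in self.eligible:
            raise PermissionError("not on the voter roll")
        if name in self.checked_in:
            raise PermissionError("already checked in")
        self.checked_in.add(name)
        token = uuid.uuid4().hex     # random UUID as 32 hex characters
        self.unused_tokens.add(token)
        return token

    def cast(self, token, choice):
        """Accept one ballot per issued token; the token is the receipt."""
        if token not in self.unused_tokens:
            raise PermissionError("unknown or already used token")
        self.unused_tokens.remove(token)
        self.ballots[token] = choice
        return token

    def verify_receipt(self, token):
        """Let a voter confirm the ballot recorded under their token."""
        return self.ballots.get(token)

    def tally(self):
        counts = {}
        for choice in self.ballots.values():
            counts[choice] = counts.get(choice, 0) + 1
        return counts
```

The separation only holds if neither record carries order or timestamps: an ordered check-in log kept beside an ordered ballot log would let the two be matched up again.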