A non-cryptographic "vouching" system
=====================================

The `raffle` library offers functionality similar to public key
signatures, except without any pretense of cryptographic strength.
Rather than signatures, it generates `Voucher`s, and while it's not
hard to deliberately forge `Voucher`s, *accidental* forgery seems
implausible.

TL;DR: use real cryptography to defend against motivated bad actors.
Consider `raffle` to detect innocent API misuse and buggy code.

The `raffle` library lets us pass `CheckingParameters` to modules so
that they can check whether a value looks like it was generated by
code with access to the corresponding `VouchingParameters`, while
making it implausibly hard for these checking modules to
*accidentally* generate valid `Voucher`s for arbitrary values.

It not hard to back out the `VouchingParameters` that'll satisfy a
given set of `CheckingParameters`.  However, there is no code to do so
in the library, and I don't see that being typed out by accident: the
conversion code would need a few large integer constants that are
unlikely to just appear naturally.

In other words, the library's interface lets us pass parameters for a
voucher "checking" capability without also granting "vouching"
capabilities (while being able to vouch implies being able to check
vouchers), and it's implausible that code would accidentally regain
vouching capabilities from voucher-checking parameters.

The parameter space is also large enough that accidental collisions
(i.e., `CheckingParameters` accept `Voucher`s for the wrong
`VouchingParameters`) are much more likely to indicate hardware issues
or deliberate action than mere bad luck or innocent bugs.