raffle

Crates.io: raffle
lib.rs: raffle
version: 0.0.1
source: src
created_at: 2024-03-30 23:12:38.407564
updated_at: 2024-03-30 23:12:38.407564
description: A non-cryptographic 'vouching' system
repository: https://github.com/pkhuong/raffle
id: 1191351
size: 56,427
Paul Khuong (pkhuong)

README

A non-cryptographic "vouching" system

The raffle library offers functionality similar to public key signatures, except without any pretense of cryptographic strength. Rather than signatures, it generates Vouchers, and while it's not hard to deliberately forge Vouchers, accidental forgery seems implausible.

TL;DR: use real cryptography to defend against motivated bad actors. Consider raffle to detect innocent API misuse and buggy code.

The raffle library lets us pass CheckingParameters to modules so that they can check whether a value looks like it was generated by code with access to the corresponding VouchingParameters, while making it implausibly hard for these checking modules to accidentally generate valid Vouchers for arbitrary values.

It is not hard to back out the VouchingParameters that'll satisfy a given set of CheckingParameters. However, there is no code to do so in the library, and I don't see that being typed out by accident: the conversion code would need a few large integer constants that are unlikely to just appear naturally.

In other words, the library's interface lets us pass parameters for a voucher "checking" capability without also granting "vouching" capabilities (while being able to vouch implies being able to check vouchers), and it's implausible that code would accidentally regain vouching capabilities from voucher-checking parameters.
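The capability split described above, sketched as an added toy example in Rust. This is not the raffle crate's code, API or algorithm: the `Toy*` types, the affine map modulo 2^64 and the constants are assumptions made for illustration, and like the library it has no cryptographic strength.

```rust
// Toy illustration only: NOT the raffle crate's API or algorithm.
// An odd multiplier is invertible modulo 2^64, so vouching uses (mul, add)
// while checking only needs the inverse affine map (inv, add_inv).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct ToyVoucher(u64);

pub struct ToyVouchingParameters { mul: u64, add: u64 }

#[derive(Clone, Copy)]
pub struct ToyCheckingParameters { inv: u64, add_inv: u64 }

/// Inverse of an odd `a` modulo 2^64 (Newton iteration).
fn inverse_mod_2_64(a: u64) -> u64 {
    let mut x = a; // a * a == 1 (mod 8): 3 low bits already correct
    for _ in 0..5 { // correct bits double each round: 6, 12, 24, 48, 96
        x = x.wrapping_mul(2u64.wrapping_sub(a.wrapping_mul(x)));
    }
    x
}

impl ToyVouchingParameters {
    pub fn new(mul: u64, add: u64) -> Self {
        Self { mul: mul | 1, add } // force the multiplier to be odd
    }
    pub fn vouch(&self, value: u64) -> ToyVoucher {
        ToyVoucher(value.wrapping_mul(self.mul).wrapping_add(self.add))
    }
    /// Vouching implies checking: derive the checking side from our own.
    pub fn checking_parameters(&self) -> ToyCheckingParameters {
        let inv = inverse_mod_2_64(self.mul);
        let add_inv = self.add.wrapping_mul(inv).wrapping_neg();
        ToyCheckingParameters { inv, add_inv }
    }
}

impl ToyCheckingParameters {
    /// Undo the affine map and compare; nothing here can produce a voucher.
    pub fn check(&self, value: u64, voucher: ToyVoucher) -> bool {
        voucher.0.wrapping_mul(self.inv).wrapping_add(self.add_inv) == value
    }
}

fn main() {
    // Constructed sample constants, chosen arbitrarily for the demo.
    let vouching = ToyVouchingParameters::new(0x9E37_79B9_7F4A_7C15, 0x1234_5678_9ABC_DEF0);
    let checking = vouching.checking_parameters();
    assert!(checking.check(42, vouching.vouch(42)));
    assert!(!checking.check(0, ToyVoucher(0))); // zeroed memory is not a voucher
}
```

A module that only receives `ToyCheckingParameters` would have to write its own modular-inverse code to mint a voucher, which is the kind of step that does not happen by accident.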

The parameter space is also large enough that accidental collisions (i.e., CheckingParameters accept Vouchers for the wrong VouchingParameters) are much more likely to indicate hardware issues or deliberate action than mere bad luck or innocent bugs.

Commit count: 5

cargo fmt