Backported from Helios-C branch.

 * The Schnorr signature scheme is used for signing ballots.
 * The private key is derived from a (relatively) short password
   (advertised as "token" to the voter) that includes a checksum that
   is supposed to be sent to the voter. We estimate that a 15-letter
   password gives 82 bits of entropy, and this implementation rejects
   shorter ones.
 * We use the public credential as identity in NIZK proofs.