Prove balance in zero knowledge

[nothingmuch]

This change addresses two mistakes found by Jonas Nick:

The first is a privacy leak. After seeing the sums of the r-terms the coordinator could attempt link credential presentation to issuance. This can be done by computing the products of different subsets of credential request attributes, and seeing if the resulting commitment can be opened to the sum of the r terms and the registered amount.

The second mistake was in the formula for the balance proof, neglecting a set of r-terms.

Closes #40

[MaxHillebrand]

Thanks @jonasnick for the report, and thanks @nothingmuch for the fix! :green_heart:

[nothingmuch]