This PR closes #25 by making clear that SK == 0 is never allowed. In particular:
it fixes KeyGen to never return SK == 0.
it also fixes a slight abuse of HKDF in prior versions, namely, the salt parameter is supposed to be a (close to) uniformly random string for the HKDF security analysis to hold. Now we always pass salt through H at least once, so we meet this requirement.
it updates KeyValidate to return INVALID for identity pubkeys
it says explicitly in the KeyGen section that other methods for keygen are OK as long as they meet the security requirements. Note that this was explicitly stated elsewhere in the document in prior versions; I've removed these redundant statements.
it updates Security Considerations to give the rationale for disallowing SK == 0.
This PR closes #25 by making clear that SK == 0 is never allowed. In particular: