bitcoin-serai needs to clarify which keys/offsets are secure/insecure

[kayabaNerve]

bitcoin-serai isn't insecure as-is. If someone uses bitcoin-serai with a biased set of ThresholdKeys (which dkg doesn't allow distinguishing), then a participant in the DKG may add a custom script path allowing them to spend all outputs to that key. This makes bitcoin-serai insecure to use with biased DKGs unless an unspendable script path is explicitly added (an undocumented bound).

As for offsets, if an arbitrary offset is received to, that arbitrary offset may include a script (allowing distinct spend conditions). Static offsets (honestly generated), or offsets derived deterministically from an unbiased source of randomness, are fine however. Deterministically deriving offsets from a biased source of randomness (such as the biased group key), as would be done in a BIP32-esque system, should be fine? Since a biased output collision still requires 2**128 effort, you'd need to collide the preimages (assumed not the case).

bitcoin-serai could add an unspendable script path to all keys on its end. This has the downside of being unable to support working with keys/outputs embedding a script (a major part of Taproot). Scripts are unused by Serai however, and presumably not used in the multisig use-case. Accordingly, if the complexities of supporting scripts are notably difficult, they likely aren't worth the effort.

[kayabaNerve]

Credit to https://github.com/BlockstreamResearch/bip-frost-dkg/issues/41 for documenting the necessity of this.

The provided tweak_keys adds an unspendable script path. The offset scanner still allows scanning for arbitrary offsets, which now has documentation on offset criteria, in order to support keys which had script paths added.

[kayabaNerve]

Yanked existing releases due to how prune to misuse this is without the lack of the newly added sane defaults.