README.md (+6 -6)
@@ -122,10 +122,10 @@ which is common to all participants and does not need to be kept confidential.
122
122
Recovering a device that has participated in a DKG session then requires just the device's host secret key and the recovery data,
123
123
the latter of which can be obtained from any cooperative participant (or the coordinator) or from an untrusted backup provider.
124
124
125
-
ChillDKG outputs a threshold public key that can be safely used in [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)] Taproot outputs.
126
-
In contrast, a standard PedPop implementation would allow a malicious participant to secretly embed a Taproot commitment to a BIP 341 script path within the threshold public key.
125
+
ChillDKG outputs a threshold public key that can be safely used in Taproot outputs [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)].
126
+
In contrast, a standard PedPop implementation would allow a malicious participant to secretly embed a Taproot commitment to a script path within the threshold public key.
127
127
If such a key was used directly in a Taproot output, the malicious participant could spend the output through their hidden script path, bypassing the requirement for `t - 1` additional signatures.
128
-
While BIP 341 outlines special precautions for using threshold public keys generated by standard PedPop, ChillDKG eliminates this vulnerability entirely, providing built-in protection against accidental misuse.
128
+
While [BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki) outlines special precautions for using threshold public keys generated by standard PedPop, ChillDKG eliminates this vulnerability entirely, providing built-in protection against accidental misuse.
129
129
130
130
If a ChillDKG session fails due to the participants or the coordinator deviating from the protocol,
131
131
any aborting party will be able to identify and blame a single party responsible for the failure
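Review bot: the unchanged context line "If such a key was used directly in a Taproot output" is a counterfactual and should read "If such a key were used directly in a Taproot output"; the hunk already rewrites the sentences on either side of it, so folding that in here is cheap. Separately, the new line "While [BIP 341](...) outlines special precautions for using threshold public keys generated by standard PedPop" still leaves the reader to guess what the precaution is. The @@ -206 hunk of this same commit names it (tweaking the VSS commitment so the threshold public key has an unspendable script path), so a short parenthetical such as "special precautions (committing to an unspendable script path)" would make this paragraph self-contained instead of pointing at the BIP.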
@@ -144,7 +144,7 @@ In summary, we aim for the following design goals:
144
144
-**Simple backups**: ChillDKG allows recovering the DKG output using the host secret key and common recovery data shared among all participants and the coordinator. This eliminates the need for session-specific backups, simplifying user experience.
145
145
-**Untrusted coordinator**: Like FROST, ChillDKG uses a coordinator that relays messages between the participants. This simplifies the network topology, and the coordinator additionally reduces communication overhead by aggregating some of the messages. A faulty coordinator can force the DKG to fail but cannot negatively affect the security of the DKG.
146
146
-**Per-participant public shares**: ChillDKG supports partial signature verification in FROST signing sessions.
147
-
-**Taproot-safe threshold public key**: ChillDKG prevents malicious participants from embedding a hidden [[BIP 341]](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki) Taproot commitment to a script path in the threshold public key.
147
+
-**Taproot-safe threshold public key**: ChillDKG prevents malicious participants from embedding a hidden Taproot commitment to a script path [[BIP 341]](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki) in the threshold public key.
148
148
-**Blame functionality**: If a ChillDKG session aborts, it is possible to identify and blame a single party responsible for the failure (assuming the network, and, depending on the circumstances, the coordinator, is reliable).
149
149
150
150
In summary, ChillDKG incorporates solutions for both secure channels and consensus and simplifies backups in practice.
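Review bot: the link markup in the changed bullet does not match the convention the other three hunks of this commit settle on. Here it is `[[BIP 341]](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)`, which Markdown renders as one link whose visible text is "[BIP 341]", whereas the Taproot-outputs paragraph, the SimplPedPop modification list and the tweak step all use `[[BIP 341](https://...)]`, i.e. a link with text "BIP 341" wrapped in literal brackets. Since the point of the commit is to normalize how BIP 341 is cited, move the closing bracket so the bullet reads `... script path [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)] in the threshold public key.`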
@@ -206,7 +206,7 @@ We make the following modifications as compared to the original SimplPedPop prop
206
206
- Every participant holds a secret seed, from which all required random values are derived deterministically using a pseudorandom function (based on tagged hashes as defined in [[BIP 340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki)]).
207
207
- Individual participants' public shares are added to the output of the DKG. This allows partial signature verification.
208
208
- The participants send VSS commitments to an untrusted coordinator instead of directly to each other. This lets the coordinator aggregate VSS commitments, which reduces communication costs. Nevertheless, if a session fails, participants are able to investigate who provided invalid secret shares by asking the coordinator for the other participants' individual contributions to their public share.
209
-
- To prevent a malicious participant from embedding a [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)]Taproot script path in the threshold public key, the participants tweak the VSS commitment such that the corresponding threshold public key has an unspendable BIP script path.
209
+
- To prevent a malicious participant from embedding a Taproot script path [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)] in the threshold public key, the participants tweak the VSS commitment such that the corresponding threshold public key has an unspendable script path.
210
210
-~The proofs of knowledge are not included in the data for the equality check. This will reduce the size of the backups in ChillDKG.~ (TODO: This will be fixed in an updated version of the paper.)
211
211
212
212
Our variant of the SimplPedPop protocol then works as follows:
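Review bot: besides moving the citation, the new list item quietly fixes two unrelated defects in the old one, the missing space in "]Taproot script path" and the stray word in "unspendable BIP script path"; both are correct fixes, but they deserve a mention in the commit description so the change is not read as purely cosmetic. The sentence also still does not say what the tweak is derived from: "the participants tweak the VSS commitment such that the corresponding threshold public key has an unspendable script path" names the goal but not the input of the tweak, and a reader has to go to the @@ -277 hunk to learn that the tweak point is added to `sum_coms[0]`. Stating here that the tweak is computed from the untweaked threshold public key (and citing the BIP 341 section that defines the unspendable-script-path construction) would let this list item stand on its own.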
@@ -277,7 +277,7 @@ Our variant of the SimplPedPop protocol then works as follows:
277
277
Participant `i` blames this participant `j` .
278
278
279
279
Otherwise, i.e., in the successful case that the equation `secshare * G = pubshare` holds, participant `i` proceeds as follows.
280
-
In order to obtain a threshold public key with an unspendable [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)] Taproot script path,
280
+
In order to obtain a threshold public key with an unspendable Taproot script path [[BIP 341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)],
281
281
participant `i` computes a Taproot tweak `tweak` for an unspendable script path,
282
282
and adds the point `tweak * G` to `sum_coms[0]`, resulting in a new VSS commitment called `sum_coms_tweaked`.
283
283
Participant `i` computes the public share of every participant as
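Review bot: the step "participant `i` computes a Taproot tweak `tweak` for an unspendable script path" gives no formula, yet the next line adds `tweak * G` to `sum_coms[0]` and every participant must arrive at the same `sum_coms_tweaked`. Spell out which input the tweak is hashed from (if the intent is BIP 341's unspendable-script-path construction, that input is the untweaked threshold public key `sum_coms[0]`, so say so and point at the relevant BIP 341 section) so that an implementer can reproduce the tweak deterministically and a verifier can check that a peer applied the same one; a citation move is a natural place to add that one clause, since the paragraph is already being touched.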