author: Nick Mathewson <nickm@torproject.org> 2020-04-23 15:21:46 -0400
committer: Nick Mathewson <nickm@torproject.org> 2020-04-23 15:21:46 -0400
commit: 2ec807e10464c9881baef6318ff41ce58c07171e
tree: 96f7b1f52a2a8a0a066fd9fd26687c947df0413c /proposals/295-relay-crypto-with-adl.txt
parent: 2202910e2b699e0bd9e6eca0d59094c15684707b
whitespace fixes on proposal 295.
Diffstat (limited to 'proposals/295-relay-crypto-with-adl.txt')
-rw-r--r-- proposals/295-relay-crypto-with-adl.txt 144
1 files changed, 71 insertions, 73 deletions
diff --git a/proposals/295-relay-crypto-with-adl.txt b/proposals/295-relay-crypto-with-adl.txt
index d3414c4..a1752df 100644
--- a/proposals/295-relay-crypto-with-adl.txt
+++ b/proposals/295-relay-crypto-with-adl.txt
@@ -3,7 +3,6 @@ Title: Using ADL for relay cryptography (solving the crypto-tagging attack)
Author: Tomer Ashur, Orr Dunkelman, Atul Luykx
Created: 22 Feb 2018
Last-Modified: 13 Jan. 2020
-
Status: Open
@@ -39,11 +38,11 @@ Status: Open
For authentication between the OP and the edge node we use
the PIV scheme: https://eprint.iacr.org/2013/835 .
-
+
A recent paper presented a birthday bound distinguisher
- against the ADL scheme, thus showing that the RUP security
+ against the ADL scheme, thus showing that the RUP security
proof is tight: https://eprint.iacr.org/2019/1359 .
-
+
2. Preliminaries
@@ -110,7 +109,7 @@ Status: Open
DIG_KEY_LEN backward digest key Khb
ENC_KEY_LEN forward tweak key Ktf
ENC_KEY_LEN backward tweak key Ktb
- DIGEST_LEN nonce to use in the
+ DIGEST_LEN nonce to use in the
hidden service protocol(*)
(*) I am not sure that if this is still needed.
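Review bot: the unchanged footnote "(*) I am not sure that if this is still needed." has a stray "that" (it should read "I am not sure if this is still needed"); that is outside the scope of a whitespace-only commit, but it is an easy pickup for a follow-up.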
@@ -136,15 +135,15 @@ Status: Open
(*) The terms hash and digest are used interchangeably.
(**) Proposal 308 suggested that using POLYVAL [GLL18]
- would be more efficient here. This proposal will work just the
- same if POLYVAL is used instead of GHASH.
+ would be more efficient here. This proposal will work just the
+ same if POLYVAL is used instead of GHASH.
3. Routing relay cells
Let n denote the integer representing the destination node. For
- I = 1...n, we set Tf'_{I} = DF_I, Tb'_{I} = DB_I, and
- Ta'_I = AF_I where DF_I, DB_I, and AF_I are generated
- according to Section 2.4.
+ I = 1...n, we set Tf'_{I} = DF_I, Tb'_{I} = DB_I, and
+ Ta'_I = AF_I where DF_I, DB_I, and AF_I are generated
+ according to Section 2.4.
3.1. Forward Direction
@@ -255,7 +254,7 @@ Status: Open
authenticate the message as follows.
4.1.1 forward direction (executed by the end node):
-
+
Ta_I = Digest(Khf_n,Ta'_I||C_{n+1})
Tag = Ta_I ^ D(Ktf_n,Ta_I ^ N_{n+1})
@@ -281,13 +280,13 @@ Status: Open
and version-heterogenic circuits
When a cell is prepared to be routed from the origin (see Section
- 3.1.1 above) the encrypted nonce N is appended to the encrypted
+ 3.1.1 above) the encrypted nonce N is appended to the encrypted
cell (occupying the last 16 bytes of the cell). If the cell is
prepared to be sent to a node supporting the new protocol, N is
- used to generate the layer's nonce. Otherwise, if the node only
- supports the old protocol, N is still appended to the encrypted
- cell (so that following nodes can still recover their nonce),
- but a synchronized nonce (as per the old protocol) is used in
+ used to generate the layer's nonce. Otherwise, if the node only
+ supports the old protocol, N is still appended to the encrypted
+ cell (so that following nodes can still recover their nonce),
+ but a synchronized nonce (as per the old protocol) is used in
CTR-mode.
When a cell is sent along the circuit in the 'backward'
@@ -402,20 +401,20 @@ Status: Open
repeat with low probability. GHASH is a universal hash function,
hence it gives such a guarantee assuming its key is chosen
uniformly at random.
-
+
6. Forward secrecy
- Inspired by the approach of Proposal 308, a small modification
- to this proposal makes it forward secure. The core idea is to
+ Inspired by the approach of Proposal 308, a small modification
+ to this proposal makes it forward secure. The core idea is to
replace the encryption key KF_n after de/encrypting the cell.
- As an added benefit, this would allow to keep the authentication
- layer stateless (i.e., without keeping a running digest for
- this layer).
-
+ As an added benefit, this would allow to keep the authentication
+ layer stateless (i.e., without keeping a running digest for
+ this layer).
+
Below we present the required changes to the sections above.
-
+
6.1. Routing from the Origin (replacing 3.1.1 above)
-
+
When an OP sends a relay cell, they prepare the
cell as follows:
@@ -424,7 +423,7 @@ Status: Open
C_{n+1} = M
T_{n+1} = Digest(Khf_n,C_{n+1})
N_{n+1} = T_{n+1} ^ E(Ktf_n,T_{n+1} ^ 0)
-
+
Then, the OP prepares the multi-layered encryption:
For the final layer n:
@@ -433,13 +432,13 @@ Status: Open
N_n = T_I ^ E(Ktf_n,T_n ^ N_{n+1})
Tf'_n = T_n
Kf_n = Kf'_n
-
- (*) CTR mode is used to generate two additional blocks. This
- 256-bit value is denoted K'f_n and is used in subsequent
+
+ (*) CTR mode is used to generate two additional blocks. This
+ 256-bit value is denoted K'f_n and is used in subsequent
steps to replace the encryption key of this layer.
- To achieve forward secrecy it is important that the
- obsolete Kf_n is erased in a non-recoverable way.
-
+ To achieve forward secrecy it is important that the
+ obsolete Kf_n is erased in a non-recoverable way.
+
For layer I=(n-1)...1:
C_I = Encrypt(Kf_I,N_{I+1},C_{I+1})
T_I = Digest(Khf_I,Tf'_I||C_I)
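Review bot: in the "For the final layer n" block, the context line `N_n = T_I ^ E(Ktf_n,T_n ^ N_{n+1})` mixes indices: no T_I is defined in that block (only T_n is), and the per-layer line later in 6.1 reads `N_I = T_I ^ E(Ktf_I,T_I ^ N_{I+1})`, so this should presumably be `N_n = T_n ^ E(Ktf_n,T_n ^ N_{n+1})`. The key-update line `Kf_n = Kf'_n` also spells the new key differently from the footnote, which calls it K'f_n. Both are pre-existing and not touched by this whitespace change, so a follow-up commit would be the place to fix them.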
@@ -447,27 +446,27 @@ Status: Open
Tf'_I = T_I
The OP sends C_1 and N_1 to node 1.
-
- Alternatively, if we want that all nodes use the same functionality
+
+ Alternatively, if we want that all nodes use the same functionality
OP prepares the cell as follows:
-
+
For layer I=n...1:
(C_I,K'f_I) = Encrypt(Kf_I,N_{I+1},C_{I+1}||0||0) (*)
T_I = Digest(Khf_I,Tf'_I||C_I)
N_I = T_I ^ E(Ktf_I,T_I ^ N_{I+1})
Tf'_I = T_I
Kf_I = Kf'_I
-
- (*) CTR mode is used to generate two additional blocks. This
- 256-bit value is denoted K'f_n and is used in subsequent
+
+ (*) CTR mode is used to generate two additional blocks. This
+ 256-bit value is denoted K'f_n and is used in subsequent
steps to replace the encryption key of this layer.
- To achieve forward secrecy it is important that the
- obsolete Kf_n is erased in a non-recoverable way.
-
+ To achieve forward secrecy it is important that the
+ obsolete Kf_n is erased in a non-recoverable way.
+
This scheme offers forward secrecy in all levels of the circuit.
-
+
6.2. Relaying Forward at Onion Routers (replacing 3.1.2 above)
-
+
When a forward relay cell is received by OR I, it decrypts the
payload with the stream cipher, as follows:
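Review bot: the footnote under the alternative scheme says the extra 256-bit value "is denoted K'f_n", but the block it annotates computes `(C_I,K'f_I) = Encrypt(Kf_I,N_{I+1},C_{I+1}||0||0)` for every layer I and then assigns `Kf_I = Kf'_I`, so the footnote should refer to K'f_I (and to the obsolete Kf_I rather than Kf_n), and the assignment should use the same spelling as the tuple it comes from. Not part of this whitespace-only change, but worth a follow-up.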
@@ -478,36 +477,36 @@ Status: Open
C_{I+1} = Decrypt(Kf_I,N_{I+1},C_I||0||0)
Tf'_I = T_I
- The OR then decides whether it recognizes the relay cell as described below.
- Depending on the choice of scheme from 6.1 the OR uses the last two blocks
- of C_{I+1} to update the encryption key or discards them.
-
- If the cell is recognized the OR also processes the contents of the relay
- cell. Otherwise, it passes C_{I+1}||N_{I+1} along the circuit if the circuit
+ The OR then decides whether it recognizes the relay cell as described below.
+ Depending on the choice of scheme from 6.1 the OR uses the last two blocks
+ of C_{I+1} to update the encryption key or discards them.
+
+ If the cell is recognized the OR also processes the contents of the relay
+ cell. Otherwise, it passes C_{I+1}||N_{I+1} along the circuit if the circuit
continues.
For more information about recognizing and authenticating relay cells,
see 5.4.5 below.
-
+
6.3. Relaying Backward at Onion Routers (replacing 3.2.1 above)
When an edge node receives a message M to be routed back to the
origin, it encrypts it as follows:
-
+
T_n = Digest(Khb_n,Tb'_n||M)
N_n = T_n ^ E(Ktb_n,T_n ^ 0)
(C_n,K'b_n) = Encrypt(Kb_n,N_n,M||0||0) (*)
Tb'_n = T_n
Kb_n = K'b_n
-
- (*) CTR mode is used to generate two additional blocks. This
- 256-bit value is denoted K'b_n and will be used in
- subsequent steps to replace the encryption key of this layer.
- To achieve forward secrecy it is important that the obsolete
- K'b_n is erased in a non-recoverable way.
-
- Once encrypted, the edge node sends C_n and N_n along the circuit towards
- the OP. When a backward relay cell is received by OR_I (I<n), it encrypts
+
+ (*) CTR mode is used to generate two additional blocks. This
+ 256-bit value is denoted K'b_n and will be used in
+ subsequent steps to replace the encryption key of this layer.
+ To achieve forward secrecy it is important that the obsolete
+ K'b_n is erased in a non-recoverable way.
+
+ Once encrypted, the edge node sends C_n and N_n along the circuit towards
+ the OP. When a backward relay cell is received by OR_I (I<n), it encrypts
the payload with the stream cipher, as follows:
'Backward' relay cell:
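Review bot: the 6.3 footnote says "the obsolete K'b_n is erased", but in the block it annotates K'b_n is the freshly generated key that replaces the old one (`Kb_n = K'b_n`); the key that becomes obsolete and must be erased is the old Kb_n, matching the forward-direction footnote in 6.1 ("obsolete Kf_n is erased"). Separately, 6.2's cross-reference "see 5.4.5 below" is worth checking against the section numbering, since the replacement for recognition and authentication in this proposal is 6.5. Both are pre-existing and outside this whitespace-only commit.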
@@ -518,7 +517,7 @@ Status: Open
Tb'_I = T_I
Each node passes C_I and N_I along the circuit towards the OP.
-
+
If forward security is desired for all layers in the circuit, all OR's
encrypt as follows:
T_I = Digest(Khb_I,Tb'_I||C_{I+1})
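Review bot: "If forward security is desired" in this hunk uses a different term from the rest of section 6, whose title and footnotes say "forward secrecy"; consider aligning the wording in a follow-up.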
@@ -526,7 +525,7 @@ Status: Open
(C_I,K'b_I) = Encrypt(Kb_n,N_n,M||0||0)
Tb'_I = T_I
Kb_I = K'b_I
-
+
6.4. Routing to the Origin (replacing 3.2.2 above)
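Review bot: the context line `(C_I,K'b_I) = Encrypt(Kb_n,N_n,M||0||0)` in the all-layers variant uses the edge node's key Kb_n, nonce N_n and the plaintext M, although this block is executed by OR I (I<n) and the line just before it, `T_I = Digest(Khb_I,Tb'_I||C_{I+1})`, operates on C_{I+1}; by analogy with the layer-I lines elsewhere in section 6 it should presumably read `Encrypt(Kb_I,N_I,C_{I+1}||0||0)`. Pre-existing, not introduced by this whitespace change, but it affects the correctness of the scheme as written and deserves its own fix.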
@@ -540,26 +539,25 @@ Status: Open
T_I = Digest(Khb_I,Tb'_I||C_{I+1})
N_{I+1} = T_I ^ D(Ktb_I,T_I ^ N_I)
Tb'_I = T_I
-
- And updates the encryption keys according to the strategy
+
+ And updates the encryption keys according to the strategy
chosen for 6.3.
-
+
If the payload is recognized (see Section 4.1),
then:
The sending node is I. Process the payload!
-
-
+
+
6.5. Recognizing and authenticating a relay cell (replacing 4.1.1 above):
-
- Authentication in the forward direction is done as follows:
+
+ Authentication in the forward direction is done as follows:
T_{n+1} = Digest(Khf_n,C_{n+1})
Tag = T_{n+1} ^ D(Ktf_n,T_{n+1} ^ N_{n+1})
-
+
The message is recognized and authenticated
(i.e., M = C_{n+1}) if and only if Tag = 0.
-
- No changes are required to the authentication process when the relay
+
+ No changes are required to the authentication process when the relay
cell is sent backwards.
-