path: root/spec/rend-spec/hsdesc-encrypt.md
Diffstat (limited to 'spec/rend-spec/hsdesc-encrypt.md')
-rw-r--r-- spec/rend-spec/hsdesc-encrypt.md 22
1 files changed, 11 insertions, 11 deletions
diff --git a/spec/rend-spec/hsdesc-encrypt.md b/spec/rend-spec/hsdesc-encrypt.md
index 10a7d77..06713a2 100644
--- a/spec/rend-spec/hsdesc-encrypt.md
+++ b/spec/rend-spec/hsdesc-encrypt.md
@@ -1,6 +1,6 @@
<a id="rend-spec-v3.txt-2.5"></a>
-## Hidden service descriptors: encryption format {#HS-DESC-ENC}
+# Hidden service descriptors: encryption format {#HS-DESC-ENC}
Hidden service descriptors are protected by two layers of encryption.
Clients need to decrypt both layers to connect to the hidden service.
@@ -12,7 +12,7 @@ and protects against entities that do not possess valid client credentials.
<a id="rend-spec-v3.txt-2.5.1"></a>
-### First layer of encryption {#HS-DESC-FIRST-LAYER}
+## First layer of encryption {#HS-DESC-FIRST-LAYER}
The first layer of HS descriptor encryption is designed to protect
descriptor confidentiality against entities who don't know the public
@@ -20,7 +20,7 @@ identity key of the hidden service.
<a id="rend-spec-v3.txt-2.5.1.1"></a>
-#### First layer encryption logic {#first-layer-logic}
+### First layer encryption logic {#first-layer-logic}
The encryption keys and format for the first layer of encryption are
generated as specified in \[HS-DESC-ENCRYPTION-KEYS\] with customization
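Review bot: The trailing context under "First layer encryption logic" still cites the key-derivation section as the escaped literal `\[HS-DESC-ENCRYPTION-KEYS\]`, which renders as plain bracketed text rather than a link. The target heading later in this file carries `{#HS-DESC-ENCRYPTION-KEYS}`, so the reference could become `[HS-DESC-ENCRYPTION-KEYS](#HS-DESC-ENCRYPTION-KEYS)` here and at the identical reference under "Second layer encryption keys", either in this commit or in a follow-up.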
@@ -43,7 +43,7 @@ multiple of 10k bytes.
<a id="rend-spec-v3.txt-2.5.1.2"></a>
-#### First layer plaintext format {#first-layer-plaintext}
+### First layer plaintext format {#first-layer-plaintext}
After clients decrypt the first layer of encryption, they need to parse the
plaintext to get to the second layer ciphertext which is contained in the
@@ -138,7 +138,7 @@ Here are all the supported fields:
<a id="rend-spec-v3.txt-2.5.1.3"></a>
-#### Client behavior {#FIRST-LAYER-CLIENT-BEHAVIOR}
+### Client behavior {#FIRST-LAYER-CLIENT-BEHAVIOR}
```text
The goal of clients at this stage is to decrypt the "encrypted" field as
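Review bot: The context line directly below the promoted "Client behavior" heading opens a `text` code fence around what reads as ordinary prose ("The goal of clients at this stage is to decrypt ..."), so the paragraph renders as preformatted text. While the headings in this file are being touched, consider unwrapping it into a normal paragraph; the "Hiding client authorization data" section in the next hunk shows the same pattern.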
@@ -160,7 +160,7 @@ Here are all the supported fields:
<a id="rend-spec-v3.txt-2.5.1.4"></a>
-#### Hiding client authorization data {#hiding-client-auth}
+### Hiding client authorization data {#hiding-client-auth}
```text
Hidden services should avoid leaking whether client authorization is
@@ -183,7 +183,7 @@ Here are all the supported fields:
<a id="rend-spec-v3.txt-2.5.2"></a>
-### Second layer of encryption {#HS-DESC-SECOND-LAYER}
+## Second layer of encryption {#HS-DESC-SECOND-LAYER}
The second layer of descriptor encryption is designed to protect descriptor
confidentiality against unauthorized clients. If client authorization is
@@ -196,7 +196,7 @@ does not offer any additional security, but is still used.
<a id="rend-spec-v3.txt-2.5.2.1"></a>
-#### Second layer encryption keys {#second-layer-keys}
+### Second layer encryption keys {#second-layer-keys}
The encryption keys and format for the second layer of encryption are
generated as specified in \[HS-DESC-ENCRYPTION-KEYS\] with customization
@@ -213,7 +213,7 @@ parameters as follows:
<a id="rend-spec-v3.txt-2.5.2.2"></a>
-#### Second layer plaintext format {#second-layer-plaintext}
+### Second layer plaintext format {#second-layer-plaintext}
After decrypting the second layer ciphertext, clients can finally learn the
list of intro points etc. The plaintext has the following format:
@@ -396,7 +396,7 @@ newline.
<a id="rend-spec-v3.txt-2.5.3"></a>
-### Deriving hidden service descriptor encryption keys {#HS-DESC-ENCRYPTION-KEYS}
+## Deriving hidden service descriptor encryption keys {#HS-DESC-ENCRYPTION-KEYS}
In this section we present the generic encryption format for hidden service
descriptors. We use the same encryption format in both encryption layers,
@@ -439,7 +439,7 @@ Here is the key generation logic:
<a id="rend-spec-v3.txt-2.5.4"></a>
-### Number of introduction points {#NUM_INTRO_POINT}
+## Number of introduction points {#NUM_INTRO_POINT}
This section defines how many introduction points an hidden service
descriptor can have at minimum, by default and the maximum:
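Review bot: The id on the promoted "Number of introduction points" heading, `{#NUM_INTRO_POINT}`, uses underscores, while the other ids in this file use hyphens (`HS-DESC-ENC`, `first-layer-logic`). Renaming it would break existing links, so if it stays as is, say so in the commit message. Separately, the context lines below read "an hidden service descriptor can have at minimum, by default and the maximum"; "a hidden service descriptor" with parallel wording for the three values would read better.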