authortrevnoise <noise@trevp.net>2016-10-06 19:41:07 -0700
committertrevnoise <noise@trevp.net>2016-10-06 19:41:07 -0700
commitb6b13046af59b4b2600762d4cc6eea82c0bd9b72 (patch)
tree6004ee48e997986cbb03ad891686aa3cd5903f73
parentTrying references (diff)
BibTex referencesnotation
-rw-r--r--Makefile12
-rw-r--r--ieee-with-url.csl6
-rw-r--r--my.bib188
-rw-r--r--noise.md71
-rw-r--r--output/noise.pdfbin319538 -> 333431 bytes
5 files changed, 230 insertions, 47 deletions
diff --git a/Makefile b/Makefile
index 462ee14..f284fed 100644
--- a/Makefile
+++ b/Makefile
@@ -1,19 +1,19 @@
default: noise.html noise.pdf
-noise.html: noise.md template_pandoc.html spec_markdown.css
- pandoc noise.md -s --toc \
+noise.html: noise.md template_pandoc.html spec_markdown.css my.bib
+ /usr/local/bin/pandoc noise.md -s --toc \
-f markdown+yaml_metadata_block+startnum \
--template template_pandoc.html \
--css=spec_markdown.css \
- --filter pandoc-citeproc \
+ --filter /usr/local/bin/pandoc-citeproc \
-o noise.html
-noise.pdf: noise.md template_pandoc.latex
- pandoc noise.md -s --toc \
+noise.pdf: noise.md template_pandoc.latex my.bib
+ /usr/local/bin/pandoc noise.md -s --toc \
-f markdown+yaml_metadata_block+startnum \
--template template_pandoc.latex \
- --filter pandoc-citeproc \
+ --filter /usr/local/bin/pandoc-citeproc \
-o noise.pdf
clean:
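Review bot: The prerequisite lists of the `noise.html` and `noise.pdf` rules now add `my.bib` but still omit `ieee-with-url.csl`, which the noise.md front matter names as the citation style (`csl: 'ieee-with-url.csl'`) and which this same commit edits, so a change to the style file will not trigger a rebuild; I'd make them `noise.html: noise.md template_pandoc.html spec_markdown.css my.bib ieee-with-url.csl` and `noise.pdf: noise.md template_pandoc.latex my.bib ieee-with-url.csl`. The four hard-coded `/usr/local/bin/...` invocations would be easier to override on machines that install pandoc elsewhere if declared once as `PANDOC ?= /usr/local/bin/pandoc` and `CITEPROC ?= /usr/local/bin/pandoc-citeproc`, with the recipes calling `$(PANDOC)` and `$(CITEPROC)`. The body of the `clean` rule is outside the hunk.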
diff --git a/ieee-with-url.csl b/ieee-with-url.csl
index 08dbeb1..44067a8 100644
--- a/ieee-with-url.csl
+++ b/ieee-with-url.csl
@@ -170,7 +170,6 @@
<if variable="URL">
<group delimiter=". ">
<group delimiter=": ">
- <text term="available at" text-case="capitalize-first"/>
<text variable="URL"/>
</group>
<group prefix="[" suffix="]" delimiter=": ">
@@ -327,11 +326,6 @@
</group>
</else>
</choose>
- <choose>
- <if variable="URL">
- <text value=" [Online]"/>
- </if>
- </choose>
</group>
<text macro="access"/>
</layout>
diff --git a/my.bib b/my.bib
new file mode 100644
index 0000000..be05fec
--- /dev/null
+++ b/my.bib
@@ -0,0 +1,188 @@
+
+@inproceedings{Rogaway:2002,
+ author = {Rogaway, Phillip},
+ title = "{Authenticated-encryption with Associated-data}",
+ booktitle = "{Proceedings of the 9th {ACM} Conference on Computer and Communications Security}",
+ series = {CCS '02},
+ year = {2002},
+ isbn = {1-58113-612-9},
+ location = {Washington, DC, USA},
+ doi = {10.1145/586110.586125},
+ acmid = {586125},
+ publisher = {ACM},
+ address = {New York, NY, USA},
+ keywords = {OCB, associated-data problem, authenticated-encryption, block-cipher usage, key separation, modes of operation},
+ url="http://web.cs.ucdavis.edu/~rogaway/papers/ad.pdf"
+}
+
+
+@misc{rfc7748,
+ author="A. Langley and M. Hamburg and S. Turner",
+ title="{Elliptic Curves for Security}",
+ series="Request for Comments",
+ number="7748",
+ howpublished="RFC 7748 (Informational)",
+ publisher="IETF",
+ organization="Internet Engineering Task Force",
+ year=2016,
+ month=jan,
+ url="http://www.ietf.org/rfc/rfc7748.txt",
+}
+
+@misc{rfc2104,
+ author="H. Krawczyk and M. Bellare and R. Canetti",
+ title="{HMAC: Keyed-Hashing for Message Authentication}",
+ series="Request for Comments",
+ number="2104",
+ howpublished="RFC 2104 (Informational)",
+ publisher="IETF",
+ organization="Internet Engineering Task Force",
+ year=1997,
+ month=feb,
+ note="Updated by RFC 6151",
+ url="http://www.ietf.org/rfc/rfc2104.txt",
+}
+
+@misc{rfc5869,
+ author="H. Krawczyk and P. Eronen",
+ title="{HMAC-based Extract-and-Expand Key Derivation Function (HKDF)}",
+ series="Request for Comments",
+ number="5869",
+ howpublished="RFC 5869 (Informational)",
+ publisher="IETF",
+ organization="Internet Engineering Task Force",
+ year=2010,
+ month=may,
+ url="http://www.ietf.org/rfc/rfc5869.txt",
+}
+
+@misc{elligator,
+ author = {Daniel J. Bernstein and Mike Hamburg and Anna Krasnova and Tanja Lange},
+ title = "{Elligator: Elliptic-curve points indistinguishable from uniform random strings}",
+ howpublished = {Cryptology ePrint Archive, Report 2013/325},
+ year = {2013},
+ url = "http://eprint.iacr.org/2013/325",
+}
+
+@misc{rfc7539,
+ author="Y. Nir and A. Langley",
+ title="{ChaCha20 and Poly1305 for IETF Protocols}",
+ series="Request for Comments",
+ number="7539",
+ howpublished="RFC 7539 (Informational)",
+ publisher="IETF",
+ organization="Internet Engineering Task Force",
+ year=2015,
+ month=may,
+ url="http://www.ietf.org/rfc/rfc7539.txt",
+}
+
+@techreport{nistgcm,
+ author = {Dworkin, Morris J.},
+ title = "{SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC}",
+ year = {2007},
+ publisher = {National Institute of Standards \& Technology},
+ address = {Gaithersburg, MD, United States},
+ url="http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf"
+}
+
+@TechReport{nistsha2,
+ author = "NIST",
+ key = "FIPS-180-4",
+ title = "{FIPS 180-4. Secure Hash Standard (SHS)}",
+ publisher = {National Institute of Standards \& Technology},
+ address = {Gaithersburg, MD, United States},
+ year = "2012",
+ URL = "http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf"
+}
+
+@misc{rfc7693,
+
+ author="M-J. Saarinen and J-P. Aumasson",
+ title="{The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)}",
+ series="Request for Comments",
+ number="7693",
+ howpublished="RFC 7693 (Informational)",
+ publisher="IETF",
+ organization="Internet Engineering Task Force",
+ year=2015,
+ month=nov,
+ url="http://www.ietf.org/rfc/rfc7693.txt",
+}
+
+@misc{nacl,
+ author="Daniel J. Bernstein and Tanja Lange and Peter Schwabe",
+ title="{NaCl: Networking and Cryptography Library}",
+ url="https://nacl.cr.yp.to/"
+}
+
+@misc{curvecp,
+ author="Daniel J. Bernstein",
+ title="{CurveCP: Usable security for the Internet}",
+ url="https://curvecp.org"
+}
+
+@Inbook{sigma,
+author="Krawczyk, Hugo",
+title="{SIGMA: The `SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols}",
+bookTitle="{Advances in Cryptology - CRYPTO 2003}",
+year="2003",
+url="http://webee.technion.ac.il/~hugo/sigma.html"
+}
+
+@misc{homqv,
+ author = {Shai Halevi and Hugo Krawczyk},
+ title = "{One-Pass HMQV and Asymmetric Key-Wrapping}",
+ howpublished = {Cryptology ePrint Archive, Report 2010/638},
+ year = {2010},
+ url = {http://eprint.iacr.org/2010/638},
+}
+
+@article{ntor,
+ author = {Goldberg, Ian and Stebila, Douglas and Ustaoglu, Berkant},
+ title = "{Anonymity and One-way Authentication in Key Exchange Protocols}",
+ journal = {Design, Codes, and Cryptography},
+ issue_date = {May 2013},
+ volume = {67},
+ number = {2},
+ month = may,
+ year = {2013},
+ issn = {0925-1022},
+ numpages = {25},
+ doi = {10.1007/s10623-011-9604-z},
+ acmid = {2458069},
+ publisher = {Kluwer Academic Publishers},
+ address = {Norwell, MA, USA},
+ url="http://cacr.uwaterloo.ca/techreports/2011/cacr2011-11.pdf"
+}
+
+@inproceedings{otr,
+ author = {Di Raimondo, Mario and Gennaro, Rosario and Krawczyk, Hugo},
+ title = "{Secure Off-the-record Messaging}",
+ booktitle = "{Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society}",
+ series = {WPES '05},
+ year = {2005},
+ isbn = {1-59593-228-3},
+ address = {New York, NY, USA},
+ url="http://www.dmi.unict.it/diraimondo/web/wp-content/uploads/papers/otr.pdf"
+}
+
+@Inbook{kudla2005,
+author="Kudla, Caroline and Paterson, Kenneth G.",
+title="{Modular Security Proofs for Key Agreement Protocols}",
+bookTitle="{Advances in Cryptology - ASIACRYPT 2005: 11th International Conference on the Theory and Application of Cryptology and Information Security}",
+year="2005",
+isbn="978-3-540-32267-2",
+doi="10.1007/11593447_30",
+url="http://www.isg.rhul.ac.uk/~kp/ModularProofs.pdf"
+}
+
+@Inbook{blakewilson1997,
+author="Blake-Wilson, Simon and Johnson, Don and Menezes, Alfred",
+editor="Darnell, Michael",
+title="Key agreement protocols and their security analysis",
+bookTitle="{Crytography and Coding: 6th IMA International Conference Cirencester, UK, December 17--19, 1997 Proceedings}",
+year="1997",
+url="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.25.387"
+}
+
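Review bot: The `url` fields of the five RFC entries (`rfc7748`, `rfc2104`, `rfc5869`, `rfc7539`, `rfc7693`) and of `homqv` use `http://`, whereas the inline links they replace in noise.md used `https://www.ietf.org/rfc/...` and `https://eprint.iacr.org/...`, so the rendered reference list now sends readers to plain-HTTP copies of the cryptographic specifications; I'd switch each to the https form, e.g. `url="https://www.ietf.org/rfc/rfc7748.txt"`. Two smaller things in the same file: the `rfc7693` entry has a stray blank line between its opening brace and the `author` field, and the `blakewilson1997` bookTitle misspells "Cryptography" as "Crytography".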
diff --git a/noise.md b/noise.md
index 8b95bcd..0946a70 100644
--- a/noise.md
+++ b/noise.md
@@ -1,8 +1,8 @@
---
title: 'The Noise Protocol Framework'
author: 'Trevor Perrin (noise@trevp.net)'
-revision: '30'
-date: '2016-07-14'
+revision: '31draft'
+date: '2016-10-06'
bibliography: 'my.bib'
link-citations: 'true'
csl: 'ieee-with-url.csl'
@@ -67,7 +67,7 @@ Each party maintains the following variables:
nonce `n`. Whenever a new DH output causes a new `ck` to be calculated, a
new `k` is also calculated. The key `k` and nonce `n` are used to encrypt
static public keys and handshake payloads. Encryption with `k` uses some
- **AEAD** cipher mode (in the sense of [@Rogaway:2002]
+ **AEAD** cipher mode (in the sense of Rogaway [@Rogaway:2002])
and includes the current `h` value as "associated data"
which is covered by the AEAD authentication. Encryption of static public
keys and payloads provides some confidentiality and key confirmation during
@@ -251,7 +251,7 @@ Noise depends on the following **cipher functions**:
* **`ENCRYPT(k, n, ad, plaintext)`**: Encrypts `plaintext` using the cipher
key `k` of 32 bytes and an 8-byte unsigned integer nonce `n` which must be
unique for the key `k`. Returns the ciphertext. Encryption must be done
- with an "AEAD" encryption mode with the associated data `ad` (using the terminology from [Rogaway](http://web.cs.ucdavis.edu/~rogaway/papers/ad.pdf)) and returns a
+ with an "AEAD" encryption mode with the associated data `ad` (using the terminology from [@Rogaway:2002]) and returns a
ciphertext that is the same size as the plaintext plus 16 bytes for
authentication data. The entire ciphertext must be indistinguishable from
random if the key is secret.
@@ -275,11 +275,11 @@ Noise depends on the following **hash function** (and associated constants):
* **`BLOCKLEN`** = A constant specifying the size in bytes that the hash
function uses internally to divide its input for iterative processing. This
- is needed to use the hash function with HMAC (`BLOCKLEN` is `B` in [RFC 2104](https://www.ietf.org/rfc/rfc2104.txt)).
+ is needed to use the hash function with HMAC (`BLOCKLEN` is `B` in [@rfc2104]).
Noise defines additional functions based on the above `HASH()` function:
- * **`HMAC-HASH(key, data)`**: Applies `HMAC` from [RFC 2104](https://www.ietf.org/rfc/rfc2104.txt)
+ * **`HMAC-HASH(key, data)`**: Applies `HMAC` from [@rfc2104]
using the `HASH()` function. This function is only called as part of `HKDF()`, below.
* **`HKDF(chaining_key, input_key_material)`**: Takes a `chaining_key` byte
@@ -292,7 +292,7 @@ Noise defines additional functions based on the above `HASH()` function:
* Returns the pair `(output1, output2)`.
Note that `temp_key`, `output1`, and `output2` are all `HASHLEN` bytes in
- length. Also note that the `HKDF()` function is simply `HKDF` from [RFC 5869](https://www.ietf.org/rfc/rfc5869.txt)
+ length. Also note that the `HKDF()` function is simply `HKDF` from [@rfc5869]
with the `chaining_key` as HKDF `salt`, and zero-length HKDF `info`.
5. Processing rules
@@ -1201,7 +1201,7 @@ This is fairly easy:
This leaves the Noise ephemerals in the clear, so an eavesdropper might suspect
the parties are using Noise, even if it can't distinguish the handshakes. To
make the ephemerals indistinguishable from random, techniques like
-[Elligator](https://elligator.cr.yp.to) could be used.
+Elligator [@elligator] could be used.
9.4. Channel binding
---------------------
@@ -1224,10 +1224,10 @@ can't be used by the receiving party with a different sesssion.
* **`GENERATE_KEYPAIR()`**: Returns a new Curve25519 key pair.
- * **`DH(keypair, public_key)`**: Executes the Curve25519 DH function (aka "X25519"
- in [RFC 7748](https://www.ietf.org/rfc/rfc7748.txt)). The null public key
- value is all zeros, which will always produce an output of all zeros. Other
- invalid public key values will also produce an output of all zeros.
+ * **`DH(keypair, public_key)`**: Executes the Curve25519 DH function (aka
+ "X25519" in [@rfc7748]. The null public key value is all zeros, which will
+ always produce an output of all zeros. Other invalid public key values will
+ also produce an output of all zeros.
* **`DHLEN`** = 32
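Review bot: The rewrapped `DH()` description drops the closing parenthesis of `(aka "X25519" in [@rfc7748]`, so the sentence now reads `... in [@rfc7748]. The null public key value ...` with an unbalanced paren, whereas the removed lines closed it after the link. The fix is `"X25519" in [@rfc7748]). The null public key value is all zeros, which will`. The Curve448 hunk that follows has the identical defect on its `in [@rfc7748]. The null public key value is all zeros, which will always` line and needs the same `)`.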
@@ -1236,10 +1236,10 @@ can't be used by the receiving party with a different sesssion.
* **`GENERATE_KEYPAIR()`**: Returns a new Curve448 key pair.
- * **`DH(keypair, public_key)`**: Executes the Curve448 DH function (aka "X448" in
- [RFC 7748](https://www.ietf.org/rfc/rfc7748.txt)). The null public key
- value is all zeros, which will always produce an output of all zeros. Other
- invalid public key values will also produce an output of all zeros.
+ * **`DH(keypair, public_key)`**: Executes the Curve448 DH function (aka "X448"
+ in [@rfc7748]. The null public key value is all zeros, which will always
+ produce an output of all zeros. Other invalid public key values will also
+ produce an output of all zeros.
* **`DHLEN`** = 56
@@ -1247,43 +1247,45 @@ can't be used by the receiving party with a different sesssion.
------------------------------
* **`ENCRYPT(k, n, ad, plaintext)` / `DECRYPT(k, n, ad, ciphertext)`**:
- `AEAD_CHACHA20_POLY1305` from [RFC 7539](https://www.ietf.org/rfc/rfc7539.txt). The 96-bit nonce is formed
- by encoding 32 bits of zeros followed by little-endian encoding of `n`.
- (Earlier implementations of ChaCha20 used a 64-bit nonce; with these implementations it's
- compatible to encode `n` directly into the ChaCha20 nonce without the 32-bit
- zero prefix).
+ `AEAD_CHACHA20_POLY1305` from [@rfc7539]. The 96-bit nonce is formed by
+ encoding 32 bits of zeros followed by little-endian encoding of `n`.
+ (Earlier implementations of ChaCha20 used a 64-bit nonce; with these
+ implementations it's compatible to encode `n` directly into the ChaCha20
+ nonce without the 32-bit zero prefix).
10.4. The `AESGCM` cipher functions
---------------------------
- * **`ENCRYPT(k, n, ad, plaintext)` / `DECRYPT(k, n, ad, ciphertext)`**:
- AES256-GCM from [SP-800-38D](http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf) with a 128-bit tag appended to the ciphertext. The 96-bit nonce is formed by encoding 32 bits of zeros followed by big-endian encoding of `n`.
+ * **`ENCRYPT(k, n, ad, plaintext)` / `DECRYPT(k, n, ad, ciphertext)`**: AES256
+ with GCM from [@nistgcm] with a 128-bit tag appended to the
+ ciphertext. The 96-bit nonce is formed by encoding 32 bits of zeros
+ followed by big-endian encoding of `n`.
10.5. The `SHA256` hash function
------------------------------
- * **`HASH(input)`**: `SHA-256` from [FIPS 180-4](http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf).
+ * **`HASH(input)`**: `SHA-256` from [@nistsha2].
* **`HASHLEN`** = 32
* **`BLOCKLEN`** = 64
10.6. The `SHA512` hash function
------------------------------
- * **`HASH(input)`**: `SHA-512` from [FIPS 180-4](http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf).
+ * **`HASH(input)`**: `SHA-512` from [@nistsha2].
* **`HASHLEN`** = 64
* **`BLOCKLEN`** = 128
10.7. The `BLAKE2s` hash function
-------------------------------
- * **`HASH(input)`**: `BLAKE2s` from [RFC 7693](https://www.ietf.org/rfc/rfc7693.txt) with digest length 32.
+ * **`HASH(input)`**: `BLAKE2s` from [@rfc7693] with digest length 32.
* **`HASHLEN`** = 32
* **`BLOCKLEN`** = 64
10.8. The `BLAKE2b` hash function
-------------------------------
- * **`HASH(input)`**: `BLAKE2b` from [RFC 7693](https://www.ietf.org/rfc/rfc7693.txt) with digest length 64.
+ * **`HASH(input)`**: `BLAKE2b` from [@rfc7693] with digest length 64.
* **`HASHLEN`** = 64
* **`BLOCKLEN`** = 128
@@ -1545,11 +1547,11 @@ The Noise specification (this document) is hereby placed in the public domain.
Noise is inspired by:
- * The [NaCl](https://nacl.cr.yp.to/) and [CurveCP](https://curvecp.org/) protocols from Dan Bernstein et al.
- * The [SIGMA](http://webee.technion.ac.il/~hugo/sigma.html) and [HOMQV](https://eprint.iacr.org/2010/638) protocols from Hugo Krawczyk.
- * The [Ntor](http://cacr.uwaterloo.ca/techreports/2011/cacr2011-11.pdf) protocol from Ian Goldberg et al.
- * The [analysis of OTR](http://www.dmi.unict.it/diraimondo/web/wp-content/uploads/papers/otr.pdf) by Mario Di Raimondo et al.
- * The [analysis by Caroline Kudla and Kenny Paterson](http://www.isg.rhul.ac.uk/~kp/ModularProofs.pdf) of ["Protocol 4"](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.25.387) by Simon Blake-Wilson et al.
+ * The NaCl and CurveCP protocols from Dan Bernstein et al [@nacl; @curvecp].
+ * The SIGMA and HOMQV protocols from Hugo Krawczyk [@sigma; @homqv].
+ * The Ntor protocol from Ian Goldberg et al [@ntor].
+ * The analysis of OTR by Mario Di Raimondo et al [@otr].
+ * The analysis by Caroline Kudla and Kenny Paterson of "Protocol 4" by Simon Blake-Wilson et al [@kudla2005; @blakewilson1997].
General feedback on the spec and design came from: Moxie Marlinspike, Jason
Donenfeld, Rhys Weatherley, Tiffany Bennett, Jonathan Rudenberg, Stephen
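Review bot: Moving the citations to the end of each bullet left `et al` without its abbreviation period on the NaCl/CurveCP, Ntor, OTR and Blake-Wilson lines, while the removed lines had `et al.`. I'd write `* The NaCl and CurveCP protocols from Dan Bernstein et al. [@nacl; @curvecp].` and apply the same `et al.` to the other three bullets.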
@@ -1569,6 +1571,5 @@ Jeremy Clark, Thomas Ristenpart, and Joe Bonneau gave feedback on much earlier
versions.
-17. References
-===============
-
+17. References
+================
diff --git a/output/noise.pdf b/output/noise.pdf
index c4ebed6..f30b178 100644
--- a/output/noise.pdf
+++ b/output/noise.pdf
Binary files differ