7 Note that the ciphertext contains elements in $G_1$ as well as $G_t$
8 and therefore we need to be able to serialize them in a way that is
9 (computationally) indistinguishable from random. As per Shermans
10 comment and reference to https://ia.cr/2015/247
15 We're using `HKDF <https://ia.cr/2010/264>`_ to extract the AES key
16 and iv from the $G_t$ element.
21 Ciphertext is ``AES128`` in ``GCM`` mode with 12 bit IV and 16 bit
22 tag. The ciphertext-format is as follows::
24 compress(s) | compress(cx) | c
25 enc(4 byte len(ptxt) | ptxt | 0 padding) | tag