4 Note that the ciphertext contains elements in $G_1$ as well as $G_t$
5 and therefore we need to be able to serialize them in a way that is
6 (computationally) indistinguishable from random. As per Shermans
7 comment and reference to https://ia.cr/2015/247