Implementation Notes
====================

Selection of Curves
-------------------

Note that the ciphertext contains elements in $G_1$ as well as $G_t$
and therefore we need to be able to serialize them in a way that is
(computationally) indistinguishable from random, as per Sherman's
comment and reference to https://ia.cr/2015/247.

Key derivation
--------------

We're using `HKDF <https://ia.cr/2010/264>`_ to extract the AES key
and IV from the $G_t$ element.

Encryption Mode
---------------

Ciphertext is `AES128` in `GCM` mode with 12 bit IV and 16 bit
tag. The ciphertext format is as follows::

  compress(s) | compress(cx) | c
  enc(4 byte len(ptxt) | ptxt | 0 padding) | tag
23
24 compress(s) | compress(cx) | c
25 enc(4 byte len(ptxt) | ptxt | 0 padding) | tag