+Implementation Notes
+====================
+
Selection of Curves
-===================
+-------------------
Note that the ciphertext contains elements in $G_1$ as well as $G_t$
and therefore we need to be able to serialize them in a way that is
(computationally) indistinguishable from random. As per Shermans
comment and reference to https://ia.cr/2015/247
+
+Key derivation
+--------------
+
+We're using `HKDF <https://ia.cr/2010/264>`_ to extract the AES key
+and iv from the $G_t$ element.
+
+Encryption Mode
+---------------
+
+Ciphertext is ``AES128`` in ``GCM`` mode with 12 bit IV and 16 bit
+tag. The ciphertext-format is as follows::
+
+ compress(s) | compress(cx) | c
+ enc(4 byte len(ptxt) | ptxt | 0 padding) | tag