X-Git-Url: https://git.siccegge.de//index.cgi?p=software%2FDIPE.git;a=blobdiff_plain;f=doc%2Fsource%2Fnotes.rst;h=bf83ecbca5a5dcecb699dcf509d2f2072aa622e5;hp=7397dcb3f203bc50c86a38652e4a7c96fb1a501f;hb=2d85aad0494ae9dbfec3cfa7bac0883b5983cc92;hpb=aa4bf29685ec8becb6dc0c0e1b78668fd15da384 diff --git a/doc/source/notes.rst b/doc/source/notes.rst index 7397dcb..bf83ecb 100644 --- a/doc/source/notes.rst +++ b/doc/source/notes.rst @@ -1,7 +1,25 @@ +Implementation Notes +==================== + Selection of Curves -=================== +------------------- Note that the ciphertext contains elements in $G_1$ as well as $G_t$ and therefore we need to be able to serialize them in a way that is (computationally) indistinguishable from random. As per Shermans comment and reference to https://ia.cr/2015/247 + +Key derivation +-------------- + +We're using `HKDF `_ to extract the AES key +and iv from the $G_t$ element. + +Encryption Mode +--------------- + +Ciphertext is `AES128` in `GCM` mode with 12 bit IV and 16 bit +tag. The ciphertext-format is as follows:: + + compress(s) | compress(cx) | c + enc(4 byte len(ptxt) | ptxt | 0 padding) | tag
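Review bot: the sizes in the new "Encryption Mode" section are given in bits ("12 bit IV and 16 bit tag") where bytes must be meant; AES-GCM conventionally uses a 96-bit (12 byte) IV and a 128-bit (16 byte) tag, and a 16-bit tag would offer no meaningful integrity protection, so the text should read "12 byte IV and 16 byte tag" (or state the sizes in bits as 96 and 128). Two further points in the same hunk: the HKDF reference `HKDF `_ has an empty link target, so Sphinx will emit a broken link; and since the "Key derivation" section derives both the AES key and the IV from the same $G_t$ element, the notes should state that this element is fresh for every encryption, because reusing a key/IV pair in GCM breaks both confidentiality and authenticity. It would also help to document whether `compress(s) | compress(cx)` is bound into the GCM tag as additional authenticated data and the byte order of the 4 byte `len(ptxt)` field, as neither is recoverable from the format line alone.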