There's currently 2 versions of construct_tag_hash(), and on of them seems incorrect:
|
fn construct_tag_hash(&self) -> Result<E::G2Affine> { |
|
let mut hash_input = Vec::<u8>::new(); |
|
self.commitment.serialize_compressed(&mut hash_input)?; |
|
hash_input.extend_from_slice(&self.ciphertext); |
|
|
|
hash_to_g2(&hash_input) |
|
} |
As you can see, the AAD is not there. It's also just used here:
|
let hash_g2 = E::G2Prepared::from(self.construct_tag_hash()?); |
This is part the function Ciphertext.check(), which is unused.
I propose removing both.