From b41772c045ca4268ee9946b3366c9dc45533db8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodolphe=20Br=C3=A9ard?=
Date: Fri, 29 Mar 2024 22:11:39 +0100
Subject: [PATCH] Document the reason for the AES-GCM noce size

---
 src/scheme/aes.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/scheme/aes.rs b/src/scheme/aes.rs
index f3d90bf..ee7fc9c 100644
--- a/src/scheme/aes.rs
+++ b/src/scheme/aes.rs
@@ -4,6 +4,10 @@ use aes_gcm::aead::{Aead, KeyInit, Payload};
 use aes_gcm::{Aes128Gcm, Key, Nonce};

 // 96 bits (12 bytes)
+// Reason: NIST Special Publication 800-38D
+// https://csrc.nist.gov/pubs/sp/800/38/d/final
+// Section 5.2.1.1 recommends that implementations restrict support to 96 bit.
+// Section 8.2 states that nonces of 96 bits and higher may be randomly generated.
 const NONCE_SIZE: usize = 12;

 pub(crate) fn aes128gcm_gen_nonce() -> Result> {
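Review bot: The new comment above `NONCE_SIZE` cites Section 8.2 to justify random nonces but leaves out the constraint that goes with it in the same publication. Section 8.3 caps the number of encryptions under one key at 2^32 unless only 96-bit IVs from the deterministic construction are used, so a randomly generated 96-bit nonce is only safe within that per-key budget. I would add a line such as `// Section 8.3: with randomly generated nonces, a key must not be used for more than 2^32 encryptions.` so that the rationale also records the limit callers have to respect. The body of `aes128gcm_gen_nonce` lies outside the hunk, so whether the nonce is in fact drawn from a CSPRNG and whether key usage is bounded anywhere cannot be confirmed from here.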