+/* --- Encrypted data format --- *
+ *
+ * Let %$p_i$% be the %$i$%-th plaintext message, with type %$t$%. We first
+ * compute
+ *
+ * %$c_i = \mathcal{E}\textrm{-CBC}_{K_{\text{E}}}(p_i)$%
+ *
+ * as the CBC-ciphertext of %$p_i$%, and then
+ *
+ * %$\sigma_i = \mathcal{T}_{K_{\text{M}}}(t, i, c_i)$%
+ *
+ * as a MAC on the %%\emph{ciphertext}%%. The message sent is then the pair
+ * %$(\sigma_i, c_i)$%. This construction is provably secure in the NM-CCA
+ * sense (assuming that the cipher is IND-CPA, and the MAC is SUF-CMA)
+ * [Bellare and Namprempre].
+ *
+ * This also ensures that, assuming the key is good, we have a secure channel
+ * [Krawczyk]. Actually, [Krawczyk] shows that, if the cipher is either a
+ * simple stream cipher or a block cipher in CBC mode, we can use the MAC-
+ * then-encrypt scheme and still have a secure channel. However, I like the
+ * NM-CCA guarantee from [Bellare and Namprempre]. I'm less worried about
+ * the Horton Principle [Wagner and Schneier].
+ */
+