C.2. Decryption
• Read the random nonce and the key commitment from the front of the ciphertext.
• Hash the caller’s 32-byte key and the random nonce with SHA-512. The first 32 bytes of the hash are the one-time key. Assert that the second 32 bytes match the key commitment.
• Split the remainder of the ciphertext into 16400-byte chunks (16 KiB plus 16 bytes for the GCM tag), with a short final chunk.
• Decrypt each chunk with AES-GCM using the one-time key and the same chunk nonce schedule as above.
• Concatenate all the plaintext chunks to form the original message. Or, since each chunk is independently authenticated, return chunks of plaintext to the caller as a stream.
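The steps above as a Go sketch. This is an added example, not code from the original page or its project. Assumptions: the 24-byte `nonceLen`, hashing `key || nonce` in that order, and the `nonceFor` parameter, which stands in for the chunk nonce schedule defined in the encryption section and not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
)

const nonceLen = 24     // ASSUMPTION: random nonce length (not stated in this section)
const chunkSize = 16400 // 16 KiB of plaintext plus the 16-byte GCM tag

// Decrypt follows C.2; nonceFor stands in for the chunk nonce schedule defined for encryption.
func Decrypt(key, ct []byte, nonceFor func(i uint64, final bool) []byte) ([]byte, error) {
	if len(key) != 32 || len(ct) < nonceLen+32 {
		return nil, errors.New("bad key length or truncated header")
	}
	nonce, commit, body := ct[:nonceLen], ct[nonceLen:nonceLen+32], ct[nonceLen+32:]
	h := sha512.Sum512(append(append([]byte{}, key...), nonce...)) // ASSUMPTION: key || nonce
	if subtle.ConstantTimeCompare(h[32:], commit) != 1 {
		return nil, errors.New("key commitment mismatch") // wrong key: stop before AES-GCM
	}
	block, err := aes.NewCipher(h[:32]) // first 32 bytes: one-time AES-256 key
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	var out []byte
	for i, final := uint64(0), false; !final; i++ {
		n := chunkSize
		if final = len(body) <= chunkSize; final {
			n = len(body) // short (or exactly full) last chunk
		}
		pt, err := gcm.Open(nil, nonceFor(i, final), body[:n], nil)
		if err != nil {
			return nil, fmt.Errorf("chunk %d failed authentication: %w", i, err)
		}
		out, body = append(out, pt...), body[n:]
	}
	return out, nil
}

func main() { // all-zero header: rejected by the commitment check before any AES-GCM work
	fmt.Println(Decrypt(make([]byte, 32), make([]byte, nonceLen+32), nil))
}
```

The commitment is compared in constant time and checked before any chunk is opened, so a wrong key is reported as such rather than as a GCM tag failure.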