From 4fe3ff0d7d124b18985841ddfea75668cf760329 Mon Sep 17 00:00:00 2001
From: Coda Hale <coda.hale@gmail.com>
Date: Tue, 17 Oct 2023 12:37:11 -0600
Subject: [PATCH] docs(design): reference the CTX construction

---
 design.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/design.md b/design.md
index fbc3df2f..df39dd93 100644
--- a/design.md
+++ b/design.md
@@ -291,7 +291,10 @@ function Open(key, nonce, ad, ciphertext, tag):
 
 Unlike a standard AEAD, this can be easily extended to allow for multiple, independent pieces of
 associated data. Also unlike many standard AEADs (e.g. AES-GCM and ChaCha20Poly1305), it is fully
-context-committing.
+context-committing: the tag is a strong cryptographic commitment to all the inputs provided SHA2 is
+collision resistent. Similar to the [CTX construction](https://par.nsf.gov/servlets/purl/10391723),
+which replaces the tag of an existing AEAD with `H(K, N, A, T)`, this effectively uses
+`H(K, N, A, P)` as the tag.
 
 ## Complex Protocols