
AES-GCM sensitivity to nonce reuse is a tricky implementation detail. Here they acknowledge it but then don’t share their solution - and in fact the header contains 16 bytes for the nonce instead of the expected 12 bytes and they do not share what bytes are random. Did I miss something, anyone know?


Static key, random 12 byte nonces, no per-session key for temp buffers.
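An added example, not part of the thread and not the project's code, showing why a static key with random 12-byte nonces draws this concern: if a nonce ever repeats under one key, the XOR of the two ciphertexts equals the XOR of the two plaintexts, and the chance of a repeat grows with the birthday bound. The key, nonce and messages are constructed sample values, and the function names are made up for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
)

// seal encrypts pt with AES-256-GCM under key and a caller-supplied 12-byte nonce.
func seal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm.Seal(nil, nonce, pt, nil) // ciphertext followed by the 16-byte tag
}

// XORLeak encrypts p1 and p2 under the SAME key and nonce and returns the XOR
// of the two ciphertext bodies, which equals p1 XOR p2 (keystream cancels).
func XORLeak(key, nonce, p1, p2 []byte) []byte {
	c1, c2 := seal(key, nonce, p1), seal(key, nonce, p2)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

// CollisionProb approximates the chance that any two of n random 96-bit
// nonces collide under one key (birthday bound: n^2 / 2^97).
func CollisionProb(n float64) float64 {
	return n * n / math.Ldexp(1, 97)
}

func main() {
	key, nonce := make([]byte, 32), make([]byte, 12) // constructed all-zero samples
	p1, p2 := []byte("balance=0000100"), []byte("balance=9999999")
	fmt.Printf("c1^c2 = %x\n", XORLeak(key, nonce, p1, p2))
	fmt.Printf("collision chance after 2^32 messages: %g\n", CollisionProb(math.Ldexp(1, 32)))
}
```

The 2^32 figure matches the NIST SP 800-38D limit on encryptions per key when nonces are random; deriving a fresh key per session or using a counter-based nonce keeps a long-lived key away from that bound.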



