Kuznechik-CTR-HMAC with key ratcheting DEM.
[cm/encrypted/]'s "/dem/a" equals to "kuznechik-ctr-hmac-kr".
CEK is 64 bytes long.
Data is split on 128 KiB chunks, each of which is encrypted the following way:

    H = Streebog-512
    CK0 = CEK
    CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
    Kenc = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
    IV = HKDF-Expand(H, prk=CKi, len=8, info="cm/encrypted/kuznechik-ctr-hmac-kr/iv")
    Kauth || KauthTail = HKDF-Expand(H, prk=CKi,
        info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
    KauthTail = HKDF-Expand(H, prk=CKi,
        info="cm/encrypted/kuznechik-ctr-hmac-kr/authTail")
    CT = Kuznechik-CTR(key=Kenc, ctr=IV, data=chunk)
    CT || HMAC(Streebog-256, key={Kauth|KauthTail}, data=CT)

KauthTail is used only in the last chunk to explicitly signal
that it is the last one.

"/payload"'s chunk length equals to 128KiB+32 bytes.

=> RFC 5869, HKDF
=> RFC 2104, HMAC
=> RFC 7801, Kuznechik, GOST R 34.12-2015 encryption algorithm
=> RFC 6986, Streebog, GOST R 34.11-2012 hashing algorithm