XChaCha20-Poly1305 with key ratcheting and key commitment DEM.
[cm/encrypted/]'s "/dem/a" equals to "xchapoly-krkc".
CEK is 64 bytes long.
Data is split on 128 KiB chunks, each of which is encrypted the following way:

    H = BLAKE2b
    CK{-1} = CEK
    CKi = HKDF-Expand(H,
        prk=HKDF-Extract(H, salt="", ikm=CK{i-1}),
        info="cm/encrypted/xchapoly-krkc/kr")
    KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
    IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
    MAC = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/mac")
    if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
    CIPHERTEXT = XChaCha20(key=KEY, nonce=IV, data=chunk)
    TAG = Poly1305(key=MAC, data=CIPHERTEXT)
    COMMITMENT = BLAKE2b-256(KEY || IV || MAC || TAG)
    CIPHERTEXT || COMMITMENT

Chaining key (CK) advances with every chunk. 256-bit encryption key and
randomised 192-bit nonce (initialisation vector) are derived from it.

Nonce's lowest bit is set only if this is the last chunk we encrypting.

"/payload"'s chunk length equals to 128KiB+16+32 bytes.

=> RFC 5869, HKDF
=> RFC 7693, BLAKE2b
=> XChaCha20-Poly1305 AEAD
=> RFC 8439