Public-key based [cm/kem/]s provide sender authentication
*only* if the "/kem/*/from" field is specified. It should contain the
public key's "/load/v/id", but may be equal to 256-bit zeros, to
explicitly specify that the sender's public key is used, but it is
anonymous and hidden. It is not specified how the recipient should find
the corresponding sender's key in that case -- that is
implementation/protocol specific.

Optional "/pubs" is a list of public keys, which may be used to supply
the sender's public key(s). Public keys may be encrypted, to hide the
actual deanonymising contents.

It is *highly* recommended to use a multi-recipient safe DEM when
encrypting to multiple recipients. For example, [cm/dem/xchapoly-krmr]
instead of [cm/dem/xchapoly-krkc], but unfortunately at the price of a
more expensive double-pass authentication scheme.