Public-key based [cm/kem/]s provides sender authentication
*only* if "/kem/*/from" field is specified. It should contain public
key's "/data/id", but may be equal to 256-bit zeros, to explicitly
specify that sender's public key is used, but it is anonymous and
hidden. It is not specified how recipient should find corresponding
sender's key that way -- implementation/protocol specific.

Optional "/pubs" is a list public keys, which may be used to supply
sender's public key(s). Public keys may be encrypted, to hide the actual
deanonymisation contents.