XChaCha20-Poly1305 with key ratcheting and key commitment DEM.
[cm/encrypted/]'s "/dem/a" equals to "xchapoly-krkc".
CEK is 64 bytes long.
Data is split on 128 KiB chunks, each of which is encrypted the following way:
H = BLAKE2b
CK0 = CEK
CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key")
IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24)
if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE }
CIPHERTEXT || TAG = XChaCha20-Poly1305(key=KEY, ad="", nonce=IV, data=chunk)
COMMITMENT = BLAKE2b-256(KEY || IV || TAG)
CIPHERTEXT || TAG || COMMITMENT
Chaining key (CK) advances with every chunk. 256-bit encryption key and
randomised 192-bit nonce (initialisation vector) are derived from it.
Nonce's lowest bit is set only if this is the last chunk we encrypting.
"/payload"'s chunk length equals to 128KiB+16+32 bytes.
=> RFC 5869, HKDF
=> RFC 7693, BLAKE2b
=> XChaCha20-Poly1305 AEAD
=> RFC 8439