The toKeypair doesn't really need to be a keypair. Upon encrypting, it merely needs to be a pubkey, and upon decrypting, it needs to be a privkey.
This code should be regarded as being a proof-of-concept, and needs more review before being used in production code. At least one thing is guaranteed to change, and that is the format of a stealth address.