With this data structure it is possible to implement remote capabilities that are keyed to their proper owner, which avoids unintended delegation by merely copying the data. For this I modify the algorithm a little bit.
First you have the points A and B, the public keys that name the proverbial Alice and Bob, the two parties which should be connected. From these you compute the points K, R and C which make up the data structure.
1. Choose a random point on the elliptic curve and name it R. (I said it was simple :-)

R isn't random anymore. It's the name point of the resource the capability makes accessible.

2. Choose a random scalar k, multiply it with the generator G and name the result K. (Two points down and hardly a sweat. And independent of A or B!)

3. Compute R-kA and call it D.

4. Also compute R-kB and call it E.

5. Hash D (with possibly some identifying string for Alice) to a scalar d.

Here ^ I would use some information private to Alice to make d computable only by Alice. That means: insert step 4a after step 4 and step 5a after step 5.

4a. Send D (and R) to Alice.
5a. Receive d back from Alice.

6. Hash E (with possibly some identifying string for Bob) to a scalar e.

Likewise for Bob.

7. Compute k(eB+dA) and name this point C.
The data structure consists of the points K,R and C and the identifying information used in the hash (possibly implicit).
To use that information Alice (for example) computes this (all scalar arithmetic is modulo the group order):
- Compute R-aK (where 'a' is the private key to A) and call it D. Since aK = akG = kA, this is the same D the creator computed.
- Hash D (with the identifying information and Alice's private information, as above) to the scalar d.
- Compute C-daK and call it F.
- Compute daF and call it M.
Bob does the same with b and e in place of a and d. M is the same point for both A and B but not for other keys: Alice gets F = C-daK = keB and therefore M = da(keB) = abdek·G, while Bob gets F = C-ebK = kdA and M = eb(kdA) = abdek·G. A holder with some other key c computes a different D, hence a different hash, and C-(d'c)K does not reduce to a single term.
The knowledge of M is used to access the resource, for instance by calculating a (keyed) MAC over the commands.
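As an added worked example (not the author's code), the following Python carries the KRC construction and both holders' derivation of M through concretely. It assumes secp256k1 as the curve (the text names none), models the "information private to Alice/Bob" as a random per-party secret mixed into the hash, and uses HMAC-SHA256 as the keyed MAC over a command; all three are assumptions. A third party Carol with her own key derives a different point, illustrating "not for other keys".

```python
"""KRC capability example: create (K, R, C) for Alice and Bob, let each derive M,
and key a MAC over a command with it.

Assumptions (not from the original text): secp256k1 as the curve, a random
per-party secret as the "information private to Alice/Bob", HMAC-SHA256 as MAC.
"""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumption: the text names no curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def mul(k, p):
    """Double-and-add scalar multiplication k*p, k reduced mod the group order N."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc


def sub(p, q):
    """Point subtraction p - q."""
    return add(p, None if q is None else (q[0], (-q[1]) % P))


def encode(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


class Party:
    """Alice or Bob: key pair (a, A) plus private information for the hash."""

    def __init__(self):
        self.priv = secrets.randbelow(N - 1) + 1   # a (or b)
        self.pub = mul(self.priv, G)               # A = aG (or B = bG)
        self.secret = secrets.token_bytes(32)      # private info mixed into the hash (assumption)

    def hash_to_scalar(self, D, R):
        """Steps 4a/5a: receive D (and R), return d; only this party can compute it."""
        h = hashlib.sha256(b"KRC" + encode(D) + encode(R) + self.secret)
        return int.from_bytes(h.digest(), "big") % N


def create_krc(R, alice, bob):
    """Creator side: steps 2-7, with Alice and Bob supplying d and e themselves."""
    k = secrets.randbelow(N - 1) + 1
    K = mul(k, G)                                         # step 2
    D = sub(R, mul(k, alice.pub))                         # step 3: R - kA
    E = sub(R, mul(k, bob.pub))                           # step 4: R - kB
    d = alice.hash_to_scalar(D, R)                        # steps 4a/5a
    e = bob.hash_to_scalar(E, R)                          # step 6, likewise for Bob
    C = mul(k, add(mul(e, bob.pub), mul(d, alice.pub)))  # step 7: k(eB + dA)
    return (K, R, C)


def derive_m(krc, me):
    """Holder side: D = R-aK, d = H(D), F = C-daK, M = daF (Bob uses b and e)."""
    K, R, C = krc
    D = sub(R, mul(me.priv, K))
    d = me.hash_to_scalar(D, R)
    da = d * me.priv % N
    F = sub(C, mul(da, K))
    return mul(da, F)


def command_mac(M, command):
    """Keyed MAC over a command, keyed with the shared point M."""
    return hmac.new(encode(M), command, hashlib.sha256).hexdigest()


def demo():
    """Returns (Alice and Bob agree on M, Carol gets a different M, MACs match)."""
    alice, bob, carol = Party(), Party(), Party()
    R = mul(secrets.randbelow(N - 1) + 1, G)  # name point of the resource
    krc = create_krc(R, alice, bob)
    m_a, m_b, m_c = (derive_m(krc, p) for p in (alice, bob, carol))
    cmd = b"read /doc"
    return (m_a == m_b, m_a != m_c, command_mac(m_a, cmd) == command_mac(m_b, cmd))


if __name__ == "__main__":
    print(demo())
```

Note that the creator knows k, d and e but neither a nor b, so computing M = dek·(abG) from its view amounts to computing abG from A and B alone, which is why the structure is keyed to Alice and Bob rather than to whoever assembled it.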
To copy a capability, the old capability is used to ask the owner of the resource to take part in computing a new KRC data structure, and the partner that is receiving the new KRC data structure must also take part in the calculation. Only if both take part correctly is the result a valid KRC data structure keyed to both partners (and never to the copier).