Macaroons, recently introduced by Birgisson et al. [BPUE+14], are authorization credentials that
provide support for controlled sharing in decentralized systems. Macaroons are similar to cookies in that
they are bearer credentials, but unlike cookies, macaroons include caveats that attenuate and contextually
confine when, where, by whom, and for what purpose authorization should be granted.
In this work, we formally study the cryptographic security of macaroons. We define macaroon schemes,
introduce corresponding security definitions and provide several constructions. In particular, the MAC-based
and certificate-based constructions outlined in [BPUE+14] can be seen as instantiations of our
definitions. We also present a new construction that is privately-verifiable (similar to the MAC-based
construction) but where the verifying party does not learn the intermediate keys of the macaroon, a problem
already observed in [BPUE+14].
We also formalize the notion of a protocol for “discharging” third-party caveats and present a security
definition for such a protocol. The encryption-based protocol outlined by Birgisson et al. [BPUE+14] can
be seen as an instantiation of our definition, and we also present a new signature-based construction.
Finally, we formally prove the security of all constructions in the given security models.
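
As an added illustration (not code from this paper or from [BPUE+14]), the following Python sketch shows the chained-HMAC idea behind the MAC-based construction, and why a verifier that recomputes the chain ends up holding every intermediate key. The dict layout, the `name = value` caveat syntax, and the key and identifier strings are assumptions made for this example.

```python
import hashlib
import hmac


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: bytes) -> dict:
    """Issuer: the initial signature is MAC(root_key, identifier)."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}


def attenuate(m: dict, caveat: bytes) -> dict:
    """Any holder: append a caveat, keyed by the current signature.
    No root key is needed, and the step cannot be undone without it."""
    return {"id": m["id"], "caveats": m["caveats"] + [caveat],
            "sig": _mac(m["sig"], caveat)}


def verify(root_key: bytes, m: dict, context: dict):
    """Verifier: recompute the chain and check each caveat against the
    request context. Returns (ok, intermediate_keys)."""
    sig = _mac(root_key, m["id"])
    keys = [sig]
    ok = True
    for caveat in m["caveats"]:
        name, _, value = caveat.partition(b" = ")
        # Fail closed: malformed or unsatisfied caveats reject the request.
        ok = ok and context.get(name) == value
        sig = _mac(sig, caveat)
        keys.append(sig)
    return ok and hmac.compare_digest(sig, m["sig"]), keys


if __name__ == "__main__":
    root = b"constructed-root-key"            # constructed sample values
    m0 = mint(root, b"constructed-macaroon-id")
    m1 = attenuate(m0, b"op = read")
    m2 = attenuate(m1, b"user = alice")
    ok, keys = verify(root, m2, {b"op": b"read", b"user": b"alice"})
    print("accepted:", ok)
    # The verifier now holds the signatures of m0 and m1, which are
    # themselves valid, less-restricted macaroons.
    print("verifier saw less-restricted sigs:",
          keys[:2] == [m0["sig"], m1["sig"]])
```
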