Macaroons, recently introduced by Birgisson et al., are authorization
credentials that provide support for controlled sharing in decentralized
systems. Macaroons are similar to cookies in that they are bearer credentials,
but unlike cookies, macaroons include caveats that attenuate and contextually
confine when, where, by whom, and for what purpose authorization should be
In this work, we formally study the cryptographic security of macaroons. We define macaroon schemes, introduce corresponding security definitions, and provide several constructions. In particular, the MAC-based and certificate-based constructions outlined by Birgisson et al. can be seen as instantiations of our definitions. We also present a new construction that is privately verifiable (similar to the MAC-based construction) but where the verifying party does not learn the intermediate keys of the macaroon, a problem already observed by Birgisson et al.
We also formalize the notion of a protocol for "discharging" third-party caveats and present a security definition for such a protocol. The encryption-based protocol outlined by Birgisson et al. can be seen as an instantiation of our definition, and we also present a new signature-based construction.
Finally, we formally prove the security of all constructions in the given security models.
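To illustrate the MAC-based construction and the intermediate-key observation mentioned above, the following is an added sketch, not code from the paper or from Birgisson et al. It assumes HMAC-SHA256 as the MAC and a hypothetical `key = value` first-party caveat format; all function names are chosen for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    # The issuer binds the identifier to its secret root key.
    return {"id": identifier, "caveats": [], "tag": _mac(root_key, identifier)}

def attenuate(m: dict, caveat: str) -> dict:
    # Any holder can add a caveat: the current tag is the key for the next
    # MAC, so no root key is needed, and the old tag is then discarded.
    return {"id": m["id"], "caveats": m["caveats"] + [caveat],
            "tag": _mac(m["tag"], caveat)}

def satisfied(caveat: str, context: dict) -> bool:
    # Assumed caveat format "key = value", checked against the request context.
    key, sep, value = caveat.partition(" = ")
    return sep != "" and context.get(key) == value

def verify(root_key: bytes, m: dict, context: dict):
    # Recompute the chain from the root key. Returns (ok, intermediate_tags);
    # the second value makes explicit what the verifier learns on the way.
    tag = _mac(root_key, m["id"])
    intermediates = [tag]
    for caveat in m["caveats"]:
        tag = _mac(tag, caveat)
        intermediates.append(tag)
    ok = hmac.compare_digest(tag, m["tag"]) and all(
        satisfied(c, context) for c in m["caveats"])
    return ok, intermediates

# Constructed sample values for the demonstration.
ROOT = b"constructed-root-key"
M0 = mint(ROOT, "macaroon-id-1")
M1 = attenuate(M0, "op = read")
M2 = attenuate(M1, "user = alice")

if __name__ == "__main__":
    ok, seen = verify(ROOT, M2, {"op": "read", "user": "alice"})
    print("valid:", ok)
    # Verification reproduces the tags of the less restricted macaroons.
    print("verifier recomputed M0 tag:", seen[0] == M0["tag"])
    print("verifier recomputed M1 tag:", seen[1] == M1["tag"])
    # A holder of M2 cannot drop a caveat: the earlier tag is unknown to them.
    stripped = dict(M2, caveats=M2["caveats"][:1])
    print("stripped caveat accepted:", verify(ROOT, stripped, {"op": "read"})[0])
```

The intermediate tags returned by `verify` are exactly the tags of the macaroon before each caveat was added, which is why verification in this construction exposes them to the verifying party.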