For each recipient, it will generate a random 240 bit number, uniformly
distributed in the range between 1 and the order of G. This secret
number is known only to the sender, and will be immediately thrown away.
Call this secret number *r*. It is different for each recipient

The sender generates a shared secret elliptic curve point, by multiplying the recipients public key by that number. This secret will become known to the intended recipient, but not to any other recipients.

Call this shared secret elliptic point R

Call the recipients public key B

The sender calculates the shared secrete elliptic curve point *r**B.

The sender then takes the SHA hash of that shared secret elliptic curve point, to obtain a random 160 bit number. This random number will become known to the recipient. Any recipient will be able to discover this value, but only the particular recipient for whom it is intended will be interested in discovering it.

Call this number *p*

*p* =Hash(*r**B)

The sender's computer then calcates the exclusive-or of that number,
with the shared secret key *m*.

It then prefixes the message with the recipients public key, the elliptic
point constructed by multiplying the generator by r, and the exclusive-or
of the hash of the shared secret and *m*: *m*^*p*

For each recipient, the message is prefixed with

B

*r**G

*m*^*p*

Each recipient, or rather his computer, then calculates his shared secret
elliptic curve point by multiplying (*r**G) by

his secret key *b*.

Remember the recipients public key B = *b**G

Thus by associativity *b**(*r**G) = *r**B

He then hashes the resulting elliptic point, to discover *p*, and
then can discover *m* by
*m* = (*m*^*p*)^*p*

He now has the same secret as all the recipients, which he then uses
to decrypt the message using RC4.

A document encrypted to multiple recipients will look something like this:

--ManyKeys 9Xjp1N+QDtXR9Mw1S0gJTnwliGM3rQpuzdogeqOLqii aV23RlHXoLkd5slji39nXSp7dhBg4jkxpI3JVnGJeq CkcGZ1ME8F1XB8lnA6hM1N8aRYk F9KBGIfyizpoyo8i8NS/Dqe/eP4WVNcXcRJuS14QPXn 6qYWJQJyziwMCPnL3GGPsb5N+JQ0HRYDNDmhJqVizIH 3W165eyH3wYrd7SPKgRIRH5JaKY 8hka+J2LaM6chAuRTWz+jXw6JXv2WR1jGi/CuuZr41X 85PCQXHXhKNN9Ftcq+t3Vh/gMifcgg7wudJObXT9ffC TR9EHgQtqIZ32Slg/OMWblsg3c --Cryptotext W3Vpd9EF4/3F60/6QBdsyOTPjNLCfmTthLKAIU3yWN0NMDPW1pulozTeTJTW P1I4i7VvEDguh/bWhGZwDCyFhXinRl18HgQ4PJ29FzDX4Yhb/798kNzvCbB9 6ICSIcwrch7cNr4O4JOJcYDkxx5rAn9R3UBfH7+G0pHc0GWDpmF8hcbwd/0N TJJ/6xDD4qYTYqutyKFRdcdMlLKr4QNl7XdnvYKsLWpa8i3wttM7b0pg4Zvw q/fGShraQXhMWoly8UAHsqECUR6dgj9SzS0dge10/n+dqkszwAi8hn9aHFpn MSODtBQ17iDmN9HGtc73NKGHUzc5uTNtxWsi |

Each group of three lines following the line "--ManyKeys" corresponds to
a single recipient. The first line in the group is same as the first
line in the recipients signature, it is the recipients public key B.
The three lines in each group are the three values:

B

*r**G

*m*^*p*

by jamesd@echeque.com