Attempting a little "mathematical prose" here ;)

I'm trying to implement semiprivate keys. These expand the normal idea
of symmetric keys, which have a public/private keypair, to N keys which
can each represent a different capability level.

For the purposes of getting started, I'd like to have 3 capability levels:
one for creating new ciphertexts, one for decrypting and verifying them,
and one which can only verify or not decrypt. So the goal here is to
produce keys with 3 capability levels (the degenerate form of semi-private
keys, as anything lower would be a typical keypair)

I'm trying to implement semi-private keys as defined in the Tahoe paper:
http://eprint.iacr.org/2012/524.pdf

The problem is Tahoe's description of semi-private keys is intended
for DSA, however I would like to implement semi-private keys for
use with NaCl. NaCl uses elliptic curve cryptography, so the
implementation is slightly different.

This is, as best I understand it, how to implement it in terms of NaCl:

P = NaCl base point (standard group element)
O = Order(P)
x = original private scalar (i.e. random number + some bitflipping)
s = x*P (semiprivate key)
y = H(s) mod O
a = x*y mod O (computed Ed25519 private scalar)
A = y*s (Ed25519 public key)

assert(A == a*P)