Secure E-Commerce Protocol with Complex Trading Capabilities of

Intermediaries

alin V. B

ırjoveanu

and Mirela B

ırjoveanu

Department of Computer Science, “Al.I.Cuza” University of Ias¸i, Ias¸i, Romania

Vitesco Technologies, Ias¸i, Romania

Keywords:

Security Protocols, Formal Veriﬁcation, Multi-Party E-Commerce, Complex Transactions, Strong Fairness.

Abstract:

Up to now, there are many multi-party fair exchange protocols with applications in buying physical/digital

goods, digital signature of contracts and certiﬁed e-mail, but there is no e-commerce protocol that allows

multiple intermediaries to perform aggregate, chained or optional transactions. In this paper, we propose the

ﬁrst multi-party e-commerce complex transaction protocol that allows the customer to acquire some physical

products through many intermediaries and providers. Considering complex transactions rise new challenges

for assuring strong fairness, that are not appearing in two-party transactions. The objective of our proposal is to

ensure strong fairness, effectiveness, timeliness, non-repudiation and conﬁdentiality in a multi-party scenario.

The formal veriﬁcation of our proposal using Cl-AtSe model checker proves that all security requirements

mentioned above are satisﬁed.

1 INTRODUCTION

E-commerce is a widely used term that is an umbrella

which includes many types of commercial activities.

The security threats to e-commerce and the growing

losses they cause lead to the need of secure protocols

to protect from them.

In this paper, we propose a secure e-commerce

protocol with applications in supply chain, consider-

ing intermediaries with complex trading capabilities.

In our proposal, the customer plans to acquire some

physical products through many intermediaries and

providers. An intermediary is a party which to ful-

ﬁll a buying request received from customer or an-

other intermediary, has the capability to perform a

chained, aggregate or optional transaction with other

intermediaries/providers. An intermediary is engaged

in a chained transaction if he receives a request for a

product, and to fulﬁll it, in his turn requests the prod-

uct from a provider or another intermediary. When an

intermediary wants to acquire an entire pack of prod-

ucts, he is engaged in an aggregate transaction. There

are situations in which the buying request can not be

fulﬁlled in terms of delivery time, quantity, etc. In

these cases, is useful for the party that requested the

product to be able to express more options for prod-

ucts with similar features, engaging in this way in an

optional transaction (only one product from the ex-

pressed options is acquired). The complex trading ca-

pabilities of the intermediaries lead to a new business

model in which a complex transaction is a composi-

tion of chained, aggregate and optional transactions.

Aggregate and optional transactions are very im-

portant for robust procurement strategy in supply

chain. Optional transactions are important because

they minimize the risk of relying on a single interme-

diary or provider, which can cause a disruption fol-

lowing a natural disaster or geopolitical events. Com-

panies that source from different providers create re-

silience in their procurement process. On the other

hand, aggregate transactions allow the companies not

to remain with temporary unnecessary stocks (parts

that they cannot use due to other parts that are miss-

ing), so reducing the inventory carrying costs.

Commonly, an e-commerce protocol involving

multiple parties ensures strong fairness if after the

protocol execution all parties will receive their ex-

pected items or none do.

In the literature, we ﬁnd multi-party fair exchange

e-commerce protocols with applications in buying

physical products (AlTawy et al., 2017), digital prod-

ucts (Liu, 2009) and digital signature of contracts

(Ferrer-Gomila and Hinarejos, 2021). These propos-

als do not consider any intermediaries.

Instead, there are few solutions that consider inter-

mediaries in different multi-party scenarios: consid-

Bîrjoveanu, C. and Bîrjoveanu, M.

Secure E-Commerce Protocol with Complex Trading Capabilities of Intermediaries.

DOI: 10.5220/0012127100003555

In Proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023), pages 495-502

ISBN: 978-989-758-666-8; ISSN: 2184-7711

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

495

ering only one intermediary (Carbonell et al., 2009;

Onieva et al., 2004), and considering more inter-

mediaries (Draper-Gil et al., 2013), (B

ırjoveanu and

ırjoveanu, 2020). In (Carbonell et al., 2009), a

customer can buy products from several providers

through an intermediary agent integrated in 3-D Se-

cure Protocol. In this solution, the intermediary can

not perform aggregate transactions, because in the

same transaction (in which the customer buys many

products), the authorization process is realized sepa-

rately for each individual buying request. Also, the

optional transactions are not considered. In (Onieva

et al., 2004) is proposed a protocol for exchange of

non-repudiation evidences, but without dealing with

aggregate or optional transactions. In (B

ırjoveanu

and B

ırjoveanu, 2020), a multi-party protocol that al-

lows a customer to fairly acquire physical products

from different providers through many intermediaries

is proposed. However, in this solution the intermedi-

aries are restricted to perform only chained transac-

tions, without the capability to perform aggregate or

optional transactions. In (Draper-Gil et al., 2013), the

intermediaries are used to enable contract signing be-

tween multiple parties ensuring only weak fairness, in

a different scenario then the one approached in our pa-

per. Although this solution considers aggregate trans-

action, it does not consider optional transaction.

The complex transactions rise new challenges for

assuring strong fairness, that are not appearing in two-

party transactions. An issue appears when the cus-

tomer successfully buys only a part of the components

of an aggregate product. In this case, strong fairness is

ensured for all transactions composing the aggregate

transaction, but strong fairness for the entire aggre-

gate transaction is not guaranteed. Another issue ap-

pears when the customer successfully buys more than

one product in an optional transaction. Strong fairness

for the optional transaction is not assured, although

strong fairness is guaranteed for all transactions com-

posing the optional transaction. In a chained trans-

action an intermediary can buy a product on demand,

but afterward he cannot provide it to the customer or

intermediary who requested it due to various reasons

(insufﬁcient funds, malicious behavior, etc). In this

case, strong fairness for all transactions belonging to

the chained transaction is satisﬁed, even if strong fair-

ness for the chained transaction is not satisﬁed.

Contributions The related work presented above

emphasizes the absence of multi-party e-commerce

protocols considering intermediaries with complex

trading capabilities. In this paper, we propose the ﬁrst

multi-party e-commerce protocol that allows inter-

mediaries to perform aggregate, chained or optional

transactions depending on the received request. These

complex trading capabilities of the intermediaries are

more appropriate to the real world applications, such

as supply chain scenarios. Ensuring strong fairness

is a challenging issue in environments where multiple

parties are involved, as we showed above. We design

the complex transaction protocol using a modular ap-

proach by designing a sub-protocol for each type of

transaction from the complex transaction.

This design approach allows us to demonstrate

the correctness of our complex transaction protocol

proposal by demonstrating the correctness of each

sub-protocol using Cl-AtSe model checker. The for-

mal speciﬁcation and veriﬁcation is challenging be-

cause we must take into consideration the communi-

cations performed between sub-protocols when they

are integrated in the complex transaction protocol.

The veriﬁcation results prove that our complex trans-

action protocol satisﬁes all aimed security require-

ments: strong fairness, effectiveness, timeliness, non-

repudiation and conﬁdentiality.

The paper is structured as follows: Sect. 2 presents

an use case of our protocol, Sect. 3 deﬁnes security

requirements, Sect. 4 describes our protocol. Sect. 5

sketches the security analysis of our protocol and

Sect. 6 contains the conclusion.

2 APPLICATIONS

A toy company KidsBots (KB) is preparing the pro-

duction for a new toy robot. To start the production, it

needs the following components: motherboard, 32 led

panel, 12V DC motors, and body plastic parts (bp).

KB identify the necessary components from the on-

line catalog of MasterBroker (MB) intermediary. For

the motherboard, KB identiﬁed two options having

similar features: Motherboard ITX (mb

), and if it is

not available, Motherboard 4 (mb

). For 32 led panel,

KB needs the model 32LP (l p). The toy company

has three options for 12V DC motors: FastDC (m

)

or HpDC (m

) or MetalDC (m

). So, KB prepares

its order to acquire from MB the needed parts, as a

complex transaction: ((mb

∨mb

)∧l p) ∧(m

∨m

∨

) ∧ bp. ∧ represents an aggregate transaction, and

∨ an optional one. The complex transaction is an ag-

gregate transaction in which the ﬁrst component is an

aggregate transaction, the second is an optional trans-

action and third is an individual product. The complex

transaction is illustrated in Fig. 1.

After MB receives the request from KB, it splits

it in three components: places the order for (mb

∨

) ∧ l p to PCBShop, the order for (m

∨ m

)

to SensorActuatorComp (SensA), and the order for bp

to PlasticRoboP. When receiving the order for (mb

∨

SECRYPT 2023 - 20th International Conference on Security and Cryptography

496

KidsBots (B

)

((mb

\/mb

) /\ lp) /\ (m

\/m

) /\ bp

MasterBroker (B

)

PCBShop (B

)

MBest (B

)

Robotix

ITMaster

MLed (B

)

\/mb

(mb

\/mb

) /\ lp

LedP

SensA (B

)

MotorC (B

)

SGear

\/m

MCHPMotor

PlasticRoboP (B

)

QPieces (B

)

SPiecesC

)

Figure 1: Supply chain applications.

) ∧ l p, PCBShop places an order for (mb

∨ mb

)

to MBest that initiates in its turn an order to the

provider Robotix to acquire mb1, but if this is not

available, afterward initiates an order to the provider

ITMaster for mb

. To acquire l p, PCBShop initiates

a transaction with MLed that in its turn initiates a

chained transaction with the provider LedP.

In Fig. 1, the intermediaries colored in blue per-

form aggregate transactions, the one colored in red

perform optional transactions and the one colored in

magenta perform chained transactions. The green

color is associated to the providers.

3 SECURITY REQUIREMENTS

In our Protocol with Complex Trading Capabilities of

Intermediaries (PCTCI) we want to ensure the fol-

lowing security requirements: strong fairness, effec-

tiveness, timeliness, non-repudiation, and conﬁden-

tiality. We will introduce these security requirements.

Strong Fairness. We will gradually deﬁne it,

from two-party to multi-party scenarios. A two-party

e-commerce sub-protocol ensures strong fairness if

after its execution, the party that initiates the sub-

protocol receives a successful payment evidence from

the corresponding receiver and the receiver receives

the payment for the product from the correspond-

ing initiator (successful subtransaction), or none do

(aborted subtransaction). A chained e-commerce sub-

protocol ensures strong fairness if after its execu-

tion, either all subtransactions from chain are suc-

cessfully completed, or all are aborted. An aggre-

gate e-commerce sub-protocol ensures strong fairness

if after its execution, either all component subtransac-

tions of aggregate transaction are successfully com-

pleted, or all are aborted. An optional e-commerce

sub-protocol ensures strong fairness if after its exe-

cution, either only one component subtransaction of

optional transaction is successful, or all are aborted.

PCTCI ensures strong fairness if after its execu-

tion, any instance of two-party, aggregate, optional

and chained sub-protocol ensures strong fairness and

all of them provides the same fairness level (either all

aggregate, optional and chained transactions are suc-

cessful, or all are aborted).

Effectiveness requires that if every party involved

in PCTCI behaves honestly and no communication er-

ror occurs, then after protocol execution strong fair-

ness is guaranteed, with success of complex transac-

tion, without Trusted Third Party (TTP) mediation.

PCTCI guarantees timeliness if any party in-

volved in PCTCI can be sure that protocol execution

will be ﬁnished at a certain ﬁnite point of time without

losing strong fairness.

Non-repudiation in PCTCI prevents any party to

falsely deny its involvement in PCTCI.

PCTCI ensures conﬁdentiality if the message’s

content communicated between the participating par-

ties is not accessible to unauthorized parties.

4 THE PROTOCOL

The following participants are involved in PCTCI: the

customer, the intermediaries, the providers, the pay-

ment gateway and the bank. The payment gateway

is used as interface between intermediaries/providers

and the bank to facilitate making payments. Ta-

ble 1 presents the notations used in the description

of PCTCI, and Table 2 provides the detailed struc-

ture of the protocol’s messages. The communication

channels between PG and any other party are con-

sidered resilient, through which messages can be de-

layed but not lost (Onieva et al., 2009). The commu-

nication channels between any other parties are un-

reliable, meaning that the messages can be lost. We

consider that each participant has the digital certiﬁ-

cates for the public keys of each participant he com-

municates with. C searches the needed products in the

intermediary’s online catalog, order them as a com-

plex transaction and send it to the intermediary when

C clicks the ”submit” button. The intermediary ac-

quires the products requested by C from many others

intermediaries/providers, any intermediary acquiring

in his turn the products by performing any type of

transaction: aggregate, optional or chained.

Next, we give an overview about the protocol’s

functionality. C initiates PCTCI sending PO

0,1

to B

To accomplish C’s request, B

initiates a transaction

1,k

, sending PO

1,m

to the intermediary/provider B

where 2 ≤ m ≤ k. The transaction t

1,k

can be at

1,k

or s

1,k

. Each intermediary B

can initiate an ag-

gregate, optional or chained transaction. This pro-

cess continue until the providers are reached. The

complex transaction is completed backwards from the

providers through intermediaries until C, as follows.

Each provider sends to the intermediary from which

received the purchase request, the corresponding pay-

Secure E-Commerce Protocol with Complex Trading Capabilities of Intermediaries

497

Table 1: Notations used in the protocol description.

Notation Interpretation

P, C, PG, B

Set of providers, Identity of Customer, Payment Gateway, Intermediary (Broker) i; B

= C;

i, j

One-to-one subtransaction initiated by B

with B

i, j

/ ot

i, j

One-to-many aggregate / optional transaction initiated by B

with B

i+1

,...,B

i, j

Transaction s

i, j

, at

i, j

or ot

i, j

/ PR

i, j

Purchase Order of B

to B

/ Payment Request of B

to get payment from B

i, j

/ APE

i, j

Payment Evidence of B

and B

in s

i, j

/ Aborted Payment Evidence of B

and B

in s

i, j

j,k

Payment Evidence in t

j,k

that B

sends to B

in s

i, j

X → Z : m A party X sends the message m to a party Z

X ⇒ B

: m

A party X simultaneously sends the messages m

to the set of parties {B

/1 ≤ i ≤ n}

{m}

PkX

{m}

,{K}

PkX

- hybrid encryption of m with PkX using the AES session symmetric key K

SigX(m); Y /A RSA digital signature of X on h(m), where h is a hash function; Y ES/ABORT

Table 2: Protocol messages details.

i, j

= {PM

, OI

}

PkB

= {PI

, SigB

(PI

}

PkPG

= B

, Cn

, Ot p

, Id

i, j

, Am

i, j

, B

= B

, B

, Pid

i, j

, Id

i, j

, Am

i, j

, SigB

, B

, Pid

i, j

, Id

i, j

, Am

i, j

)

i, j

= {PM

, Pid

i, j

, SigB

(Pid

i, j

, Id

i, j

, B

, Am

i, j

)}

PkPG

Pid

i, j











Pid

i, j

, if B

∈ P (1.1)

j,k

.Pid, if t

j,k

= s

j,k

and PE

j,k

.Resp = Y (1.2)

j, j+1

.Pid,..., PE

j,k

.Pid, if t

j,k

= at

j,k

and PE

j,m

.Resp = Y , for all j + 1 ≤ m ≤ k (1.3)

j,m

.Pid, if t

j,k

= ot

j,k

and PE

j,m

is the ﬁrst evidence with PE

j,m

.Resp = Y , j+1≤ m ≤ k (1.4)

i, j

= Resp,B

,Id

i, j

,Pid

i, j

,SigPG(Resp, B

,Id

i, j

,Pid

i, j

,Am

i, j

),E

i, j

= Resp,Id

i, j

,Pid

i, j

,SigPG(Resp, Id

i, j

,Pid

i, j

)

i, j

.Pid/PE

i, j

.Am - The product identiﬁer Pid/ amount Am from PE

i, j

.Resp/E

i, j

.Resp - The response Resp in PE

i, j

is deﬁned in a similar manner as Pid

i, j

by replacing Pid with Am in the deﬁnition of Pid

i, j

above

j,k











Cert(B

), if B

∈ P (2.1)

j,k

, if t

j,k

= s

j,k

and E

j,k

.Resp = Y (2.2)

j, j+1

,...,E

j,k

, if t

j,k

= at

j,k

and E

j,m

.Resp = Y , for all j + 1 ≤ m ≤ k (2.3)

j,m

, if t

j,k

= ot

j,k

and E

j,m

is the ﬁrst evidence with E

j,m

.Resp = Y , j+1≤ m ≤ k (2.4)

j,k

.Resp - The sequence of responses from all evidences from E

j,k

.Resp = Y - The responses from all evidences from E

j,k

are Y

APE

i, j

= A,B

,Id

i, j

,Pid

i, j

,SigPG(A,B

,Id

i, j

,Pid

i, j

,Am

i, j

,PE

i, j

),AE

i, j

= A,Id

i, j

,Pid

i, j

,SigPG(A,Id

i, j

,Pid

i, j

)

ment evidence obtained from PG. The success or

abortion of each s

i, j

depends not only on the success-

ful/aborted PE

i, j

corresponding to s

i, j

, but also on the

success/abortion of the transaction t

j,k

that follows s

i, j

(meaning successful/aborted payment evidence E

j,k

computed by B

in t

j,k

). Thus, B

is ensured that s

i, j

successfully completed only if it receives from B

two

successful payment evidences: PE

i, j

and E

j,k

. Conse-

quently, B

is assured that either the whole sequence

of transactions starting with s

i, j

is successfully com-

pleted or aborted. Finally, C receives from B

the cor-

responding PE

0,1

and E

1,k

, assuring him about suc-

cess or abortion the entire complex transaction. In

PCTCI we identify 3 possible behaviors of B

1. B

receives a request from B

in s

i, j

and to fulﬁll

it, he decides to send a new request to B

in s

j,k

2. B

receives an aggregate request from B

in s

i, j

and to fulﬁll it, he decides to send k − j requests

to B

j+1

,.. .,B

in an aggregate transaction at

j,k

3. B

receives an optional request from B

in s

i, j

and

to fulﬁll it, he sends at most k − j requests to

j+1

,.. .,B

in an optional transaction ot

j,k

For each of the above behaviors of B

, we describe a

sub-protocol played by him. So, the Chained Trans-

action sub-protocol (CTP) corresponds to case 1, Ag-

gregate Transaction sub-protocol (ATP) to case 2, and

Optional Transaction sub-protocol (OTP) to case 3.

PCTCI consists of CTP, ATP, OTP, Resolution 1 sub-

protocol (Res1) and Resolution 2 sub-protocol (Res2)

that will be described in the next sections.

SECRYPT 2023 - 20th International Conference on Security and Cryptography

498

Table 3: Chained Transaction sub-protocol played by B

1. B

→ B

: PO

i, j

2. if (B

∈ P) B

→ PG : PR

i, j

3. PG → B

: {PE

i, j

}

PkB

4. B

→ B

: {PE

i, j

, Cert(B

)}

PkB

5. else B

→ B

: PO

j,k

6. if (B

→ B

: {PE

j,k

, E

k,l

}

PkB

in s

j,k

7. with PE

j,k

.Resp = Y and

k,l

.Resp = Y )

8. B

→ PG : PR

i, j

9. PG → B

: {PE

i, j

}

PkB

10. if (PE

i, j

.Resp=Y ) B

→ B

: {PE

i, j

, E

j,k

}

PkB

11. else B

→ B

: {PE

i, j

}

PkB

; Res1(B

) end if

12. else if (B

→ B

: {PE

j,k

k,l

}

PkB

, with

13. PE

j,k

.Resp ̸= A) Res2(B

) end if

14. B

→ PG : {PE

j,k

, PM

, OI

}

PkPG

15. PG → B

: {PE

i, j

}

PkB

16. PG → B

: {PE

i, j

}

PkB

17. end if end if

4.1 Chained Transaction Sub-Protocol

In this section, we will describe CTP played by an in-

termediary or provider B

that receives a product pur-

chase request from C or other intermediary B

in s

i, j

CTP played by B

is presented in Table 3. We con-

sider that in any subtransaction, a provider supplies

only one individual product. If B

is a provider, then

in s

i, j

he delivers to B

the product requested by him.

If B

is an intermediary, then he can receive from B

request for an individual, aggregate or optional prod-

uct. In this case, B

initiates a new s

j,k

with B

acquire the product requested by B

In s

i, j

, B

sends PO

i, j

to B

to buy a physical prod-

uct. B

builds PO

i, j

by encrypting with B

’s public

key of the payment message PM

and the order infor-

mation OI

. PM

contains the payment information

provided by B

and the signature of B

on PI

, both

encrypted with PG’s public key. PI

consists of card

number Cn

, one-time password Ot p

issued by bank,

the identiﬁer Id

i, j

and the amount Am

i, j

. Each s

i, j

uniquely identiﬁed by an identiﬁer Id

i, j

generated as

follows: Id

i, j

= Id

r,i

i, j

, where N

i, j

is a fresh random

number generated by B

and Id

r,i

is the identiﬁer of the

previous subtransaction s

r,i

. If i = 0, then Id

r,i

is the

empty string. So, the identiﬁer of a subtransaction is

the sequence of all numbers generated in all previous

subtransactions until it. OI

includes the identities of

the intermediaries, the product identiﬁer Pid

i, j

, Id

i, j

and B

’s signature on these information.

Upon reception of PO

i, j

, B

checks the order in-

formation. If B

is provider (line 2), then he sends

i, j

to PG to get payment from B

. PR

i, j

is built from

, Pid

i, j

and B

’s signature on the information de-

scribed in Table 2. PG checks PI

’s authenticity, and

checks Cn

and Ot p

to verify that B

is authorized to

use the card. By verifying B

’s signature, PG is en-

sured that B

and B

agreed on Pid

i, j

, Am

i, j

and Id

i, j

PG sends to B

an aborted PE

i, j

(Resp=A) in case

some of above checks are failed. If all checks are suc-

cessful, PG sends the payment message to the bank.

Depending on B

’s account balance, the bank makes

or not the transfer in the B

’s account providing to

PG a successful (Resp=Y ) or aborted PE

i, j

. PG sends

i, j

to B

(line 3) and stores it together with PR

i, j

decrypts {PE

i, j

}

PkB

, checks PE

i, j

’s authen-

ticity and sends {PE

i, j

,Cert(B

)}

PkB

to B

, where

Cert(B

) is the provider certiﬁcate. Upon reception,

checks the authenticity of Cert(B

) and PE

i, j

If B

is not the provider (line 5), then he stores

i, j

and initiates s

j,k

with B

by sending PO

j,k

buy Pid

i, j

requested by B

. In this case, to respond the

request received from B

, B

must ensure that either

all the transactions that follows s

i, j

have been success-

fully completed, or all have been aborted.

j,k

is aborted if B

and B

received the aborted

j,k

. s

j,k

is successful if B

received a successful

j,k

and B

received two successful evidences: PE

j,k

and E

k,l

. E

k,l

is the evidence in t

k,l

that B

sends to B

to inform it that t

k,l

was successfully ﬁnished.

j,k

is deﬁned depending on the type of transac-

tion initiated by B

with B

. As we can see in def.

(2.1) Table 2, if B

is provider, then E

j,k

is Cert(B

In case B

initiates s

j,k

with B

, then E

j,k

is E

j,k

from

the successful PE

j,k

(def. (2.2) Table 2).

We remark that the role of E

k,l

is essential in the

way the sequence of transactions starting with s

i, j

ﬁnished. Therefore (at line 6) in s

j,k

, B

waits to re-

ceive PE

j,k

and E

k,l

from B

. The success of both

j,k

and E

k,l

(line 7) ensures B

that the sequence of

transactions starting with s

j,k

is successfully ﬁnished

and consequently (line 8) B

sends PR

i, j

to PG in s

i, j

includes the identiﬁer Pid

i, j

of the product suc-

cessfully purchased by B

in s

j,k

(def. (1.2) Table 2),

and the amount Am

i, j

(see Table 2). B

checks PE

i, j

and if it is successful, then sends it together with E

j,k

to B

(line 10). B

checks the success of PE

i, j

, PG’s

signatures to verify the evidence’s authenticity and

also the corresponding identiﬁers to ensure the fresh-

ness of evidences and their belonging to successive

subtransactions. If all checks are satisﬁed, then PE

i, j

ensures B

that s

i, j

was successful and the successful

j,k

ensures B

that s

j,k

was successful. If B

receives

from PG an aborted PE

i, j

, then he sends it to B

(line

11) as a proof of s

i, j

abortion, and applies Res1 to

abort the sequence of transactions starting with s

i, j

Res1 will be detailed below in Sect. 4.4.

Secure E-Commerce Protocol with Complex Trading Capabilities of Intermediaries

499

Table 4: Aggregate Transaction sub-protocol played by B

1. B

→ B

: PO

i, j

2. a = 0;

3. B

⇒ {B

/ j + 1 ≤ m ≤ k} : PO

j,m

4. B

→ B

: {PE

j,m

, E

m,l

}

PkB

in s

j,m

, j+1≤m≤k

5. for (m = j + 1; m ≤ k; m = m + 1)

6. if (not (PE

j,m

.Resp = Y and E

m,l

.Resp = Y ))

7. a = m; break; end if end for

8. if (a = 0)

9. B

→ PG : PR

i, j

10. PG → B

: {PE

i, j

}

PkB

11. if (PE

i, j

.Resp = Y ) B

→ B

: {PE

i, j

, E

j,k

}

PkB

12. else B

→ B

: {PE

i, j

}

PkB

; Res1(B

) end if

13. else B

→ PG : {PE

j, j+1

,..., PE

j,k

,PM

,OI

}

PkPG

14. for (m = j + 1; m ≤ k; m = m + 1)

15. if (PE

j,m

.Resp=Y ) PG → B

: {APE

j,m

}

PkB

16. PG → B

: {APE

j,m

}

PkB

17. Res1(B

) end if

18. else if (PE

j,m

.Resp ̸= A) Res2(B

) end if

19. end if end for

20. PG → B

: {PE

i, j

}

PkB

21. PG → B

: {PE

i, j

}

PkB

22. end if

If B

receives from B

an invalid message, or a

successful PE

j,k

but E

k,l

is missing or contains at least

an aborted evidence (lines 12 − 13), then he applies

Res2 sub-protocol to abort the sequence of transac-

tions starting with s

j,k

. Res2 sub-protocol will be de-

tailed in Sect. 4.5. Further, to abort s

i, j

, B

sends to

PG (line 14) a request containing PM

, OI

and the

aborted PE

j,k

. PG checks PE

j,k

, PM

and OI

for their

authenticity, and aborts s

i, j

by generating the aborted

i, j

and sends it to B

and B

Therefore, after applying CTP by B

, either all

transactions starting with s

i, j

are successfully ﬁn-

ished, or all aborted.

4.2 Aggregate Transaction Sub-Protocol

Table 4 describes ATP played by B

that receives an

aggregate request PO

i, j

from B

in s

i, j

and to fulﬁll it,

he initiates an aggregate transaction at

j,k

. ATP’s mes-

sages are represented in Fig. 2. After B

checks PO

i, j

he initiates at

j,k

by simultaneously sending PO

j,m

the set of intermediaries {B

/ j + 1 ≤ m ≤ k} (line 3).

The product required by B

to B

in each s

j,m

, is a

component of the aggregate product required by B

How B

responds to the request from B

depends

on the success/failure of all transactions that follows

i, j

. So, before responding to B

’s request, B

must

ensure that at

j,k

is successful or aborted. Thus, at the

line 4, B

receives from B

, the payment evidences

{PE

i,j

, E

j,k

}

PkB

i,j

{PE

i,j

}

PkB

i,j

k,l

j,j+1

{

j,j+1

j+1,l

}

PkB

j+1

{PE

j,j+1

}

PkB

j+1

j,j+1

j,k

{

j,k

, E

k,l

}

PkB

{

j,k

}

PkB

j,k

j+1,l

Figure 2: ATP’s messages ﬂow played by B

corresponding to the request sent by him to B

j,m

. In this step, either B

receives the evidences

from all B

j+1

,.. .,B

or only from a part of them, or

from none (e.g., due to network communication er-

rors). The variable a is used to store the ﬁrst aborted

substransaction from at

j,k

, if it exists. In the for loop

(lines 5-7), B

checks if all s

j,m

from at

j,k

are success-

ful. If in iteration m of the for loop, both evidences

received by B

from B

in s

j,m

are successful (PE

j,m

in s

j,m

and E

m,l

from t

m,l

), then B

is ensured that all

transactions starting with s

j,m

are successful. Other-

wise, a will store m (line 7).

If after for loop, a is 0, then at

j,k

is successful and

sends PR

i, j

to PG in s

i, j

(line 9). PR

i, j

includes

Pid

i, j

that contains the sequence of product’s iden-

tiﬁers successfully purchased by B

in all successful

subtransactions from at

j,k

(def. (1.3) Table 2). On re-

ception of a successful PE

i, j

from PG, B

sends it to-

gether with E

j,k

to B

(line 11). In this case, E

j,k

is the

sequence of all successful evidences E

j, j+1

,.. .,E

j,k

(def. (2.3), Table 2). Upon reception, B

is ensured

that s

i, j

and at

j,k

are successful. If B

receives from

PG an aborted PE

i, j

, then s

i, j

is aborted. In this case,

sends PE

i, j

to B

(line 12) and applies Res1 to abort

the sequence of transactions starting with s

i, j

If after for loop, a ̸= 0, then a will store a value

m such that s

j,m

is the ﬁrst aborted subtransaction

from at

j,k

. In this case, at least s

j,m

from at

j,k

aborted. But, there are subtransactions of at

j,k

that are

successfully completed (at least s

j, j+1

,.. .,s

j,m−1

Consequently, at

j,k

has both aborted and successful

subtransactions. To obtain fairness, we must en-

sure that all sequences of transactions starting with

j, j+1

,.. .,s

j,k

are aborted. For this, B

sends to PG

(line 13) a request containing PE

j, j+1

,.. .,PE

j,k

, PM

and OI

. PG checks the authenticity of all received

components, and if checks are passed, he sends to the

bank B

’s request to abort each successful s

j,m

(line

15). The bank cancels the transfer from B

into B

’s

account, aborts the successful PE

j,m

by generating the

corresponding APE

j,m

as in Table 2, and sends it to

PG. Also, PG forwards APE

j,m

to B

and B

as a

proof of s

j,m

’s abortion (lines 15-16). Further, Res1

SECRYPT 2023 - 20th International Conference on Security and Cryptography

500

Table 5: Optional Transaction sub-protocol played by B

1. B

→ B

: PO

i, j

2. a = 0;

3. for (m = j + 1; m ≤ k; m = m + 1)

4. B

→ B

: PO

j,m

5. if (B

→ B

: {PE

j,m

m,l

}

PkB

6. with PE

j,m

.Resp = Y and E

m,l

.Resp = Y )

7. B

→ PG : PR

i, j

8. PG → B

: {PE

i, j

}

PkB

9. if (PE

i, j

.Resp=Y ) B

→ B

: {PE

i, j

j,k

}

PkB

10. else B

→ B

: {PE

i, j

}

PkB

; Res1(B

) end if

11. a = m; break;

12. else if (B

→ B

: {PE

j,m

m,l

}

PkB

13. with PE

j,m

.Resp ̸= A) Res2(B

) end if

14. end if end for

15. if (a = 0)

16. B

→ PG : {PE

j, j+1

,..., PE

j,k

,PM

,OI

}

PkPG

17. PG → B

: {PE

i, j

}

PkB

18. PG → B

: {PE

i, j

}

PkB

end if

is applied by B

to abort the sequence of transactions

starting with s

j,m

(line 17). In case of PE

j,m

is missing

or cannot be understood by PG (line 18), then Res2

sub-protocol is applied by B

to abort the sequence

of transactions starting with s

j,m

. PG aborts s

i, j

generating the aborted PE

i, j

and sends it to B

and B

Therefore, after applying ATP by B

, either all

transactions starting with s

i, j

are successfully ﬁn-

ished, or all aborted.

4.3 Optional Transaction Sub-Protocol

OTP played by B

is described in Table 5. B

receives

an optional request PO

i, j

from B

in s

i, j

(line 1) and

he initiates the optional transaction ot

j,k

(for loop). B

initiates s

j, j+1

,.. .,s

j,k

, in this order (line 4), until one

of these is successfully completed or all of them are

aborted. The variable a is used to store the ﬁrst suc-

cessful substransaction from ot

j,k

, if it exists. If in the

mth iteration of for loop, B

receives both successful

j,m

and

m,l

from B

(lines 5-6), then B

is ensured

that s

j,m

is successfully completed. This corresponds

to the success of ot

j,k

. In this case, B

sends PR

i, j

to PG (line 7). If B

receives a successful PE

i, j

from

PG, then he sends it together with E

j,k

(=E

j,m

) to B

(line 9). Upon reception, B

is ensured that s

i, j

and

j,k

were successful. Otherwise, if B

receives from

PG an aborted PE

i, j

, then he sends it to B

(line 10)

and applies Res1 to abort the sequence of transactions

starting with s

i, j

. If in mth iteration, B

receives from

an invalid message, or a successful PE

j,m

but E

m,l

is missing or aborted (lines 12-13), then he applies

Res2 sub-protocol.

Table 6: Resolution 1 Sub-protocol.

Res1(B

)

for (r = j + 1; r ≤ j + n; r = r + 1)

if (PE

i, j

.Resp = A and PE

j,r

.Resp = Y )

→ PG : {PE

i, j

,PE

j,r

}

PkPG

else if (exists APE

i, j

and PE

j,r

.Resp = Y )

→ PG : {APE

i, j

,PE

j,r

}

PkPG

end if end if

PG → B

: {APE

j,r

}

PkB

PG → B

: {APE

j,r

}

PkB

Res1(B

)

end for

If the value of a is 0 after for loop, then ot

j,k

aborted. In this case, to maintain fairness, B

sends to

PG (line 16) a request to abort s

i, j

. PG checks the re-

ceived request, generates the aborted PE

i, j

and sends

it to B

and B

to abort s

i, j

. As a result, after apply-

ing OTP by B

, either s

i, j

and exactly one option from

j,k

are successfully ﬁnished, or all subtransactions

starting with s

i, j

are aborted.

4.4 Resolution 1 Sub-Protocol

Let be n, the maximum number of subtransactions in

any aggregate or optional transaction. If in the com-

plex transaction, s

i, j

is the ﬁrst aborted subtransaction

from the sequence of transactions starting with s

i, j

then fairness in PCTCI is not ensured. This is because

all the transactions t

j, j+n

j+1, j+n+1

,.. .,t

j+n, j+2n

,.. .,

from the transactions sequence that follows s

i, j

are

successful, and s

i, j

is aborted. So, there is an unfair

case for B

: he has paid for products in the success-

ful t

j, j+n

, but he cannot supply them to B

. To ensure

fairness, B

applies Res1 described in Table 6 to abort

the sequence of transactions starting with s

i, j

Each iteration r of the for loop recursively aborts

the sequence of transactions starting with s

j,r

, where

j + 1 ≤ r ≤ j + n. For the aborted s

i, j

, B

has ei-

ther an aborted PE

i, j

or an APE

i, j

. To abort s

j,r

, B

sends PE

i, j

/APE

i, j

and the successful PE

j,r

to PG.

PG checks them, aborts s

j,r

by generating APE

j,r

, and

sends it to B

and B

. Next, Res1 is recursively ap-

plied by each next intermediary B

4.5 Resolution 2 Sub-Protocol

If in s

i, j

, B

sends PO

i, j

, but he receives from B

in-

valid evidences, or a successful PE

i, j

but E

j,k

is miss-

ing or contains at least an aborted evidence, then fair-

ness is not ensured. In this scenario, there is an unfair

case for B

: after he sends PO

i, j

, he waits from B

ev-

idences that ensures him about successful or aborted

i, j

, but he does not receive evidences to conﬁrm that.

In this case, for any s

i, j

, we deﬁne a timeout t in which

Secure E-Commerce Protocol with Complex Trading Capabilities of Intermediaries

501

waits the payment evidences from B

. If t expires

and B

receives from B

invalid evidences, or a suc-

cessful PE

i, j

but E

j,k

is missing or contains at least

an aborted evidence, then B

initiates Res2 with PG to

abort the sequence of transactions starting with s

i, j

For this, B

sends to PG a request containing PM

, OI

and the invalid evidences (if these are received).

PG checks PM

, OI

and any invalid evidences. If PG

ﬁnds in its database a successful PE

i, j

, then PG aborts

it by generating APE

i, j

. If PG ﬁnds in its database an

aborted PE

i, j

, then will send it to B

and B

. If PG

doesn’t ﬁnd PE

i, j

, then he generates an aborted PE

i, j

In all cases, PG sends the aborted evidence to B

and

as a proof of aborting s

i, j

. Further, B

applies Res1

to abort the sequence of transactions starting with s

i, j

As a result, fairness is also ensured for B

5 FORMAL VERIFICATION

To formally verify PCTCI, we use Cl-AtSe

(Constraint-Logic based Attack Searcher) model

checker (Turuani, 2006) from AVISPA (Automated

Validation of Internet Security Protocols and Appli-

cations) (Vigano, 2006), widely used by academic

and industry researchers in the ﬁeld of security

protocols. An overview of the AVISPA tool and

how to use it to formally verify complex protocols

is provided in (B

ırjoveanu and B

ırjoveanu, 2022).

The formal proof that PCTCI satisﬁes the security

requirements demands the formal proof that each

of the sub-protocols ATP, OTP and CTP of PCTCI

satisﬁes the corresponding security requirements. A

detailed description of PCTCI’s formal veriﬁcation

and full speciﬁcation can be found at (B

ırjoveanu and

ırjoveanu, 2023)). Our speciﬁcation includes also

use cases that require application of Res1 and Res2

sub-protocols.

Our results regarding the formal veriﬁcation

of ATP, OTP and CTP using Cl-AtSe prove that

the following security requirements are satisﬁed:

strong fairness, strong authentication, conﬁdential-

ity, non-repudiation and integrity. In (B

ırjoveanu and

ırjoveanu, 2023), we show how PCTCI derives its

security requirements based on security requirements

guaranteed in each of its sub-protocols.

6 CONCLUSIONS

In this paper, we proposed an e-commerce protocol

with applications in supply chain, that distinguishes

from the existing solutions by enabling the intermedi-

ary agents to perform aggregate, chained and optional

transactions. All these features add complexity com-

pared to the tradition e-commerce model. So, guar-

anteeing security requirements like strong fairness,

effectiveness, timeliness, non-repudiation and conﬁ-

dentiality is challenging. We overcome this challenge

and formally proved using AVISPA that our proposal

ensures the required security properties.

REFERENCES

AlTawy, R., ElSheikh, M., Youssef, A., and Gong, G.

(2017). Lelantos: A blockchain-based anonymous

physical delivery system. In PST’17, 15th Annual

Conference on Privacy, Security and Trust. IEEE.

ırjoveanu, C. V. and B

ırjoveanu, M. (2020). Fair ex-

change e-commerce protocol for multi-chained com-

plex transactions. In 17th International Joint Confer-

ence on e-Business and Telecommunications - Volume

2: ICE-B. SCITEPRESS.

ırjoveanu, C. V. and B

ırjoveanu, M. (2022). Formal Ver-

iﬁcation of Multi-party Fair Exchange E-Commerce

Protocols. In: Secure Multi-Party E-Commerce Pro-

tocols. SpringerBriefs in Computer Science. Springer.

ırjoveanu, C. V. and B

ırjoveanu, M.

(2023). Formal Veriﬁcation of PCTCI.

https://github.com/PCTCIDevelopers/PCTCI-

Veriﬁcation Last accessed May 23, 2023.

Carbonell, M., Sierra, J. M., and Lopez, J. (2009). Secure

multiparty payment with an intermediary entity. Com-

puters & Security.

Draper-Gil, G., Zhou, J., Ferrer-Gomila, J. L., and Hinare-

jos, M. F. (2013). An optimistic fair exchange proto-

col with active intermediaries. International Journal

of Information Security.

Ferrer-Gomila, J. L. and Hinarejos, M. F. (2021). A multi-

party contract signing solution based on blockchain.

Electronics.

Liu, Y. (2009). An optimistic fair protocol for aggregate ex-

change. In FITME’09, 2nd International Conference

on Future Information Technology and Management

Engineering. IEEE.

Onieva, J., Zhou, J., Lopez, J., and Carbonell, M. (2004).

Agent-mediated non-repudiation protocols. Elec-

tronic Commerce Research and Applications.

Onieva, J. A., Lopez, J., and Zhou, J. (2009). Secure Multi-

Party Non-Repudiation Protocols and Applications.

Springer.

Turuani, M. (2006). The cl-atse protocol analyser. In

17th International Conference on Rewriting Tech-

niques and Applications. Springer.

Vigano, L. (2006). Automated security protocol analysis

with the avispa tool. Electronic Notes in Theoretical

Computer Science.

SECRYPT 2023 - 20th International Conference on Security and Cryptography

502