Formal Analysis of Rational Exchange Protocols Based on the Improved Buttyan Model

Abstract

A rational exchange protocol is a type of e-commerce protocol that aims to maximize the participants’ own interests. The Buttyan model is commonly used to analyze the security of such protocols. However, this model has limitations in dealing with uncertainties and false messages in rational exchanges. To address these shortcomings, this paper proposes a formal analysis method based on Bayesian games. By incorporating participants’ types and beliefs, the Buttyan model is extended to enhance its ability to express uncertainties. Additionally, attack messages are introduced to simulate the potential fraudulent behaviors that participants may exploit through the security vulnerabilities in the protocol. Finally, the improved model is applied to conduct a formal analysis of a rational electronic contract signing protocol, and it is found that the protocol meets the usability requirements. The results show that this method can be effectively applied to the security analysis of rational exchange protocols, thereby enhancing the security of the e-commerce transaction process.

1. Introduction

Rational exchange protocols are a special type of cryptographic protocol [1]. In the absence of a trusted third party (TTP), they ensure secure and fair transactions among self-interested participants through game theory. These protocols are widely used in various fields such as electronic contracts [2,3], micropayment systems, secure communications, online voting, and auctions. They improve transaction efficiency and security while reducing dependence on trusted third parties. Currently, research on game theory-based cryptography mainly focuses on three areas: rational exchange protocols, rational secret sharing [4,5], and rational secure multi-party computation [6,7].

In [8], Syverson first proposed the concept of rational exchange and designed the Syverson protocol, a rational exchange protocol based on weak bit commitment functions. Buttyan [9] analyzed rational exchange protocols using a basic game-theoretic formal model, defining rational exchange and exploring its relationship with fair exchange. They also proved the rationality of the Syverson protocol under the assumption of a reliable network. Subsequently, Almudena Alcaide [10,11] proposed a rational exchange protocol model based on the Bayesian game theory, extending the Buttyan model and first proposing a rational fair exchange protocol for multiple parties. These studies mainly focused on the fairness of the exchange results, without covering the fairness during the protocol process.

Bayesian games are games of incomplete information. Munyque Mittelmann [12] first studied the formal verification of Bayesian mechanisms through strategy reasoning, using the probabilistic strategy logic (PSL) framework to transform the verification problem into a PSL model checking problem. Liu [13] proposed a generalized method to solve the Perfect Bayesian Nash Equilibrium (PBNE) in practical network attack and defense scenarios. Many researchers have designed a series of effective incentive schemes based on Bayesian games [14,15]. In addition, some scholars have applied Bayesian games to LoRa networks to defend against link flooding attacks [16,17].

The Buttyan model has built a game-theoretic mathematical framework for the analysis of rational exchange protocols. However, it has certain limitations in dealing with uncertainties and false messages in rational exchanges. These limitations may lead to inaccurate assessments of the protocol’s robustness, reliability, and adaptability and may even cause incorrect decisions and behavioral deviations during the protocol execution process. Therefore, this paper improves the Buttyan model based on its shortcomings. The main contributions are as follows:

• Based on Bayesian games, the Buttyan model is extended by incorporating participant types and beliefs, enhancing the expression of uncertainties.
• Introduce attack messages $a{m}^{*}$ to simulate the potential fraudulent behaviors that participants may exploit through security vulnerabilities in the protocol.

• Taking the rational electronic contract signing protocol as an example, the improved model is used to formally analyze it, resulting in a set of clear judgment conditions to assess whether users follow the protocol agreement for transactions.

The rest of this paper is arranged as follows: Section 2 reviews the rational exchange protocol model and the application of game theory in network security. Section 3 introduces the basic knowledge of game theory and the Buttyan model. Section 4 proposes an improved Buttyan model. Based on the Bayesian game, the Buttyan model is extended and improved by incorporating participant types and beliefs and introducing attack messages $a{m}^{*}$. Section 5 applies the improved model to formally analyze the rational electronic contract signing protocol. Section 6 compares it with other existing security models and discusses the limitations of the model. Section 7 summarizes the research results and elaborates on future research directions.

2. Related Work

This section introduces the application of the rational exchange protocol model and game theory in network security, which provides the theoretical basis and research background for the improved Buttyan model proposed in this paper.

2.1. Rational Exchange Protocol Model

The rational exchange protocol model is an important research direction in the field of e-commerce and network security. The early model proposed by Buttyan and Alcaide did not involve the fairness analysis of the protocol process. To this end, Ding et al. [18] proposed a rational exchange protocol model based on a mixed strategy, which used the mixed strategy theory of an extended game to simulate the exchange protocol and entropy theory to describe the fairness in the exchange process. However, it did not consider the situation where the network is unreliable and the process is not strictly fair. Tao et al. [19] proposed a model for analyzing the Internet of Things (IoT) protocol based on an incomplete information extended game, defined rationality and fairness properties, and verified these properties using tree analysis methods and linear time algorithms. Although the aforementioned studies provide an important theoretical basis for understanding the security and fairness of rational exchange protocols, none of them consider the risks posed by attack messages.

2.2. Application of Game Theory in Network Security

Game theory is widely used in network security, especially in blockchain [20], wireless sensor networks [21,22], and multi-agent systems [23]. Existing blockchain-related reviews do not discuss the application of game theory in depth. Some reviews only focus on blockchain security and privacy issues or the combination of blockchain with the Internet of Things and edge computing. In this regard, the literature [24] classified and reviewed the specific models and application scenarios of game theory in blockchain, filling the gap in the systematic analysis of the application of game theory in blockchain, mining management, and economic models. Chen [25] proposed an incentive-compatible rational secret sharing scheme based on blockchain and smart contracts. By redesigning the secret-sharing process, introducing incentive mechanisms, and adding verifiers, it solved the prisoner’s dilemma problem faced by rational participants in secret sharing. The application of game theory in wireless sensor networks has involved clustering and power control but has not combined state-switching thresholds and penalty mechanisms. Therefore, Yan [26] proposed an idle listening-sleep state switching model based on game theory and introduced a penalty mechanism to suppress node selfish behavior. Tian [27] proposed a one-time rational secret sharing scheme based on a Bayesian game, which solved the cooperation problem in one-time rational secret sharing and achieved perfect Bayesian equilibrium. Although this method has advantages in dealing with information asymmetry and participant uncertainty, it has high communication overhead. These studies show that game theory provides a powerful tool for the design and analysis of network security protocols.

3. Fundamentals

3.1. Game Theory

Game theory is a mathematical theory that studies the strategic interactions among decision-makers (participants or players) with characteristics of conflict and cooperation, where each participant attempts to maximize their own interests by selecting the optimal strategy. The main concepts related to game theory are as follows:

1.

Utility Function

The utility function is a measure of the payoff or degree of satisfaction for each participant given a combination of strategies, usually denoted by $u_i$. For a given sequence of terminal actions $q$, the utility function of participant $i$ can be expressed as

$$u_i(q)={u_i}^{+}(q)-{u_i}^{-}(q)$$

(1)

where ${u_i}^{+}(q)$ and ${u_i}^{-}(q)$ are the payoff and loss (cost) of participant $i$ when executing the sequence of terminal actions $q$, respectively.

2.

Nash Equilibrium

In a game, if each participant’s strategy is optimal given the strategies of the other participants, this combination of strategies constitutes a Nash equilibrium. It can be formally represented as: for a game with $n$ participants, if the strategy combination $(s_1^{*},s_2^{*},\dots ,s_n^{*})$ is a Nash equilibrium, then for the participant $i$, there is

$$u_i(s_i^{*},s_{-i}^{*})\ge u_i(s_i,s_{-i}^{*})$$

(2)

where $u_i$ is the utility function of participant $i$, $s_i^{*}$ is the strategy combination of participant $i$ in the equilibrium state, $s_{-i}^{*}$ is the strategy combination of the other participants in the equilibrium state, and $S_i$ is the strategy set of participant $i$.

3.2. The Buttyan Model

The Buttyan model [9] is a mathematical model based on game theory, proposed by Levente Buttyan et al., to analyze and define rational exchange protocols, especially for the analysis of the Syverson protocol. The model constructs an extensive-form game [28] through a series of elements to describe the interactions between protocol participants, which can be represented by a six-tuple ${\mathrm{G}}_{\pi }=\langle P,A,Q,{(I_i)}_{i\in P},p,{({\le }_i)}_{i\in P}\rangle$ to indicate a rational exchange protocol $\pi$, where

• $P$ is the set of participants, including all individuals involved in the protocol. It can be expressed as $P=\{P_1,P_2,net\}$, where $P_1$ and $P_2$ represent the two parties involved in the protocol, and $net$ represents the network used by participants for communication, which is assumed to be fully reliable in this model.

• $A$ is the set of actions for participants, including all possible actions that participants can take at each stage of the game. Protocol participants face three basic strategic choices: first, to follow the protocol and send honest messages $m$; second, to engage in deceptive behavior by sending false messages $m^{*}$; and third, to withdraw from the protocol $quit$.

• $Q$ is the set of action sequences. For any action $a$, $q.a$ indicates the action $a$ following the non-terminal action sequence $q$, and $A_i(q)$ represents the set of optional actions for participant $i$ following the non-terminal action sequence $q$. If $q.a$ is a terminal action sequence, it indicating the end of the protocol execution. The empty sequence $\varnothing$ is also a subset of the action sequence set, representing the starting point of the game. The Buttyan model does not allow protocol parties to run multiple protocol instances simultaneously; that is, it does not consider interleaving attacks.

• ${(I_i)}_{i\in P}$ is the information set for participant $i$. For any two non-terminal action sequences $q_1$ and $q_2$, if $p(q_1)=p(q_2)$ and $A(q_1)=A(q_2)$, then $q_1$ and $q_2$ belong to the same information set of participant $i$.

• $p$ is the participant function used to determine which participant should take the next action following a non-terminal action sequence. It can be expressed as: $p:\{Q\backslash Z\}\to P$, where $Z$ is the terminal action sequence. For any non-terminal action sequence $q$, $p(q)$ indicates which participant will take the next action following sequence $q$.

• ${({\le }_i)}_{i\in P}$ is the preference relation for participant $i$. It indicates the preference ranking of each participant $i\in P$ for different outcomes, describing the rational behavior of participants in the protocol, that is, the tendency to choose actions that can maximize their own interests.

4. The Extension of the Buttyan Model

4.1. The Shortcomings of the Buttyan Model

Although the Buttyan model has demonstrated certain capabilities in formally analyzing rational exchange protocols, a deeper investigation reveals that it is essentially a framework with many limitations. Its shortcomings are mainly reflected in the following two aspects:

1.

Lack of ability to handle uncertainties.

First, in the Buttyan model, action sequences are indistinguishable to participants and belong to the same information set. This means that the protocol participants have complete information about the structure of the game. However, in reality, information is often asymmetric. Participants may not fully understand the strategies or payoff functions of other participants. Therefore, using a complete information game is not realistic in actual operation. Second, the model assumes that the network is reliable, meaning that all messages can be accurately delivered within the scheduled time. However, in practical applications, the network may be unreliable. Messages may be delayed, lost, or tampered with. Therefore, when conducting security analysis, the trust level in other participants and the reliability of the network are two key factors that must be considered comprehensively to ensure the comprehensiveness and accuracy of the analysis.

2.

There are certain limitations in describing the malicious behaviors of participants, and the handling of false messages is not sufficient.

Figure 1 shows the interaction process of the Syverson protocol, where $A$ and $B$ represent the sender and receiver of the protocol, respectively. In this protocol, the items exchanged by the two parties are marked as $itemA$ and $itemB$, where $des{c}_{itemA}$ is a description of $itemA$, $enc(•)$ is an encryption algorithm that encrypts the message with key $k$, and $w(•)$ is a temporary secret commitment function used to keep the message confidential for a certain period of time (see reference [11] for details).

Figure 2 shows the game tree description of the Syverson protocol by the Buttyan model. The nodes represent the participants of the protocol, and the lines between the nodes represent the actions taken (sending messages or exiting the protocol). Participants will have corresponding benefits at each leaf node (see reference [11] for details). In the first round of interaction of the Buttyan model analysis protocol, participant $A$ can not only transmit true information $m_1$ to participant $B$ but also send false message $m_1^{*}$. Once $A$ sends a false message to $B$, $A$ will always be punished by $F_A$. This means that the Buttyan model presupposes that participants can identify all false messages. It only focuses on those false messages that participants can detect, without fully considering those that are not identified. In the actual operation of the protocol, participants’ detection capabilities may be limited by technology. At the same time, attackers continuously develop new attack methods and tools. These new methods and tools may not be widely recognized for a period of time, making it difficult for participants to update their detection mechanisms in time to identify these new types of false messages. Therefore, in reality, it is not possible to expect all false messages to be identified by participants $B$. This limitation means that the Buttyan model needs further development and improvement.

The following are the main notational representations of the Buttyan model and the improved Buttyan model, as shown in

Table 1. Notational Representation.

Notations	The Meaning of Notations
$m,m_1,m_2,m_3$	message false message
$m^{*}$
$a{m}^{*}$	attack message
$itemA,itemB$	items
$enc(•)$	encryption algorithm
$des{c}_{itemA}$	description of item A
$k$	key
$w(•)$	secret commitment function
$N$	Nature
$A,B,i,j$	protocol participant
$\rho$	belief set
$\phi ,\alpha ,\beta ,\mu$	probability distribution
$F_A$	Participant $A$’s penalty value
$F$	penalty value
$u_i(·)$	utility function
${u_B}^{+},{u_A}^{+}$	The payoffs for participants $A$ and $B$
${u_B}^{-},{u_A}^{-}$	The costs for participants $A$ and $B$
$pr(•)$	probability function
$\Theta (•)$	belief function
$S_i$	strategy set of participant $i$
$s$	strategy profile
$T_i$	type space of participant $i$
$t_i$	type of participant $i$

.

4.2. The Improved Buttyan Model

4.2.1. Bayesian Game

To address the aforementioned shortcomings, a formal analysis method based on Bayesian games is proposed, which can more accurately simulate uncertainty and information asymmetry in the real world. The Buttyan model can be extended to an octuple: $\langle P,A,Q,{(I_i)}_{i\in P},p,{({\le }_i)}_{i\in P},t,\rho \rangle$.

Definition 1.

Participant types and type spaces: If participant $i$ has a type $t_i\in T_i$ , then $t=(t_1,t_2,\dots t_n)$ is the type of combination of participants, and $T=T_1*T_2*\dots *T_n$ is the type combination space of participants, where $T_i$ is the type space of participant$i$ . Each participant may have multiple types, which determine their utility functions.

Definition 2.

Beliefs: Participants’ beliefs are represented in the form of probability distributions, which can be expressed using Greek letters such as $\alpha$ , $\mu$ , $\beta$ , etc. Participant $i$’s belief about the types of other participants $j$ is expressed through a probability distribution over the type space $\Theta (T_j)$ of $j$ , and the set of all beliefs can be denoted by the letter $\rho$.

The Bayesian game proposed in this paper is based on the framework of Bayesian rationality [11,29], which is used to reason and analyze rational exchange protocols. By introducing the concepts of participant types and beliefs, it can simultaneously incorporate the complete information game adopted by the Buttyan model and the unreliable network factors, thereby constructing a more complex and realistic model. Under this framework, participants do not fully understand the types of other participants. This uncertainty enhances the realism of the model. The types of participants are key factors in determining the payoffs participants receive in the protocol. Different types of participants may achieve different payoff outcomes under the same strategy choices, reflecting the impact of individual differences and information asymmetry in the real world on the decision-making process.

Moreover, “Nature” $N$, as an abstract entity, is responsible for assigning a type to each participant. This process is randomly conducted based on the probability distribution over each participant’s type space, enabling the Bayesian game to more realistically reflect participants’ decision-making under uncertainty. Compared with the basic game-theoretic framework in the Buttyan model, the Bayesian game provides a richer and more realistic analytical tool.

To highlight the improvements of the model, we introduce the types and beliefs of the participants based on Figure 1, as shown in Figure 3. Nature $N$ randomly assigns types to participant $A$, where ${\phi }_{(t_{A1})}$, ${\phi }_{(t_{A2})}$, …, ${\phi }_{(t_{An})}$ represents the probability of assigning each type (Equation (3)), $A_{(t_{A1})}$, $A_{(t_{A2})}$, …, $A_{(t_{An})}$ indicates that participant $A$ has $n$ types, and $\alpha$, $\mu$, $\beta$ represent the probabilities of sending messages $m_1$, $m_2$ and $m_3$. During the protocol analysis, the network can be regarded as a participant of a specific type, and its behavior (such as the reliability of message transmission) can be uncertain. In the game tree, the leaf nodes symbolize the end of the protocol, while the other nodes (except for leaf nodes and Nature $N$) represent the decision points of the participants in the game process. The dashed lines indicate that participant $B$ does not know the actions or strategy choices of participant $A$, reflecting the uncertainty of the game.

The probability distribution over $T_A$ is represented by $\phi$, which can be expressed as

$$\begin{array}{c}{\phi }_{(t_{A1})}=pr(A_{t_{A1}}\left|B\right.)\\ {\phi }_{(t_{A2})}=pr(A_{t_{A2}}\left|B\right.)\\ \dots \\ {\phi }_{(t_{An})}=pr(A_{t_{An}}\left|B\right.)\\ s.t. {\phi }_{(t_{A1})}+{\phi }_{(t_{A2})}+\dots +{\phi }_{(t_{An})}=1\end{array}$$

(3)

During the interaction of the protocol, participant $A$ may exploit the potential unknown vulnerabilities [30] in the protocol to send fraudulent messages to $B$. Therefore:

Definition 3.

Attack message $a{m}^{*}$ : During the transaction, a participant may send an attack message (such as a forged message) to another participant. Attack messages include false messages that the participant can identify and false messages that the participant cannot identify.

When $A$ sends an attack message $a{m}^{*}$ to $B$, for the recognizable false messages,$B$ can choose to exit the protocol $qui{t}_B$. However, to ensure that $A$ does not commit fraud against $B$ again in the future, a certain punishment $F$ ($F>{u_A}^{+}$) will be given to $A$. For the false messages that are not recognized by participant $B$, since the content and specific form of the false messages are unknown to $B$, $B$ may choose to continue the transaction $send(m_2)$ or exit the protocol $qui{t}_B$. In rational exchange protocols, $A$ and $B$ are rational participants who maximize their own interests. Therefore, in the third round of the interaction, $A$ will not send $m_3$ or $m_3^{*}$ to $B$, but will directly exit the protocol $qui{t}_A$. The introduction of the attack message $a{m}^{*}$ not only enhances the model’s adaptability to reality but also provides a more comprehensive perspective for analyzing participants’ behavior when facing potential fraud, more accurately reflecting the content of the messages. The interaction diagram with the introduction of the attack message $a{m}^{*}$ is shown in Figure 4.

4.2.2. Analysis Method

Based on the Buttyan model, this paper proposes two key improvements. The following is the flowchart of the improved Buttyan model for rational exchange protocol analysis, as shown in Figure 5. Appendix A shows a brief analysis process of the payment protocol based on the improved Buttyan model.

The flowchart describes the process of protocol analysis: starting from the “Start” node, first define the participant type and belief, then determine the sequence of actions and information sets, then build the utility function and calculate the expected return, and then check whether participants $A$ and $B$ meet the conditions for complying with the protocol. If they do, the agreement is reached and the process ends; if not, it is necessary to adjust or re-evaluate the participant type and belief and then return to redetermine the sequence of actions and information sets until the conditions are met.

5. Formal Analysis of the Protocol

5.1. Description of the Rational Electronic Contract Signing Protocol

To further illustrate the improved Buttyan model, this paper takes the rational electronic contract signing protocol as an example [31] and provides a detailed analysis. It is assumed that user $A$ and user $B$ each have a private key $K_A^{-1}$ and $K_B^{-1}$, and both are rational participants who do not rely on the involvement of the Contract Management Party (CMP). The specific content of the protocol is shown in Figure 6. Item $des{c}_{Si{g}_A(E-contract)}$ is the description related to the contract signature $Si{g}_A(E-contract)$. User $A$ encrypts $Si{g}_A(E-contract)$ with a random number $k$ to obtain $enc(k,Si{g}_A(E-contract))$. Items ${\sigma }_1$, ${\sigma }_2$, and ${\sigma }_3$ represent the operation of the sender signing the message with their own private key. Essentially, this protocol is a rational exchange protocol aimed at achieving the exchange between $Si{g}_A(E-contract)$ and $Si{g}_B(E-contract)$. It should be noted that during the signature transaction, $A$ may send an attack message (forged signature information) to $B$.

Table 2. Abbreviations/main notations.

Abbreviations/Notations	The Meaning of Abbreviations/Notations
$K_A^{-1},K_B^{-1}$	private keys of $A$ and $B$
$des{c}_{Si{g}_A(E-contract)}$	contract signature description
$Si{g}_A(E-contract),Si{g}_B(E-contract)$	contract signatures of $A$ and $B$
$k$	random number
$A_c,A_{nc}$	cooperative type $A$, non-cooperative type $A$
$B_c$	cooperative type $B$
$T_A,T_B$	the type spaces of $A$ and $B$
$A_A,A_B$	the action sets of $A$ and $B$
${\phi }_c,{\alpha }_c,{\beta }_c$	probability of the cooperative type
${\phi }_{nc},{\alpha }_{nc},{\beta }_{nc}$	probability of the non-cooperative type
$\mu$	the probability of participant $B$ sending $m_2$
$E$	expected payoff
$pr(•)$	probability function
$S_A,S_B$	strategy set of $A$ and $B$
$s$	strategy profile
$s_A,s_B$	pure strategies of $A$ and $B$
$I_A,I_B$	Information sets of $A$ and $B$
$\wedge$	and
$\vee$	or
$send(•)$	send message
TTP	Trusted Third Party
PSL	Probabilistic Strategy Logic
PBNE	Perfect Bayesian Nash Equilibrium
IoT	Internet of Things
CMP	Contract Management Party

shows the abbreviations and the meanings of some of the main notations in this chapter.

• Step 1 ($m_1$): Participant $A$ sends $des{c}_{Si{g}_A(E-contract)}$ and $enc(k,Si{g}_A(E-contract))$ to $B$, signs these pieces of information with $K_A^{-1}$, and then sends the entire message $m_1$ to $B$.

• Step 2 ($m_2$): Participant $B$ sends $Si{g}_B(E-contract)$ to $A$. Since $m_2$ contains a copy of $m_1$, $A$ can confirm that $B$ has received message $m_1$.

• Step 3 ($m_3$): Participant $A$ sends $k$ to $B$. $B$ receives $k$ and uses it to decrypt the signature of the contract $A$, thereby obtaining $Si{g}_A(E-contract)$.

After the three-step electronic contract signing protocol is executed, both parties can obtain the contract signature from the other party, and the transaction is completed. As shown in Figure 5, participant $B$ takes on more unknown risks in the transaction process compared to $A$. This is because $B$ first lose control of their digital signature, so $B$ should carefully evaluate factors such as the type and reputation of $A$.

5.2. Participant Types and Action Sets

To facilitate the analysis of the protocol, this paper only considers the types of $A$ and $B$. The participant $A$ can be divided into two categories: cooperative type $A_c$ and non-cooperative type $A_{nc}$. Participant $B$ has only one cooperative type, denoted as $B_c$. It should be noted that the cooperative type may send false messages, and the non-cooperative type may also send true messages. Since sending message $m_2$ from $B$ to $A$ is agreed upon in advance by both parties of the protocol, and $A$ can also verify the correctness of $m_2$, $B$ is always honest. The participant set of this protocol is $P=\{A,B\}$, and the type combination space can be represented as $T=T_A*T_B$.$T_A=\{A_c,A_{nc}\}$ and $T_B=\left\{B_c\right\}$ represent the type spaces of participants $A$ and $B$, respectively.

The action set of participants is composed of the action set $A_A$ of participant $A$ and the action set $A_B$ of participant $B$, which can be represented as

$$\begin{array}{c} A=\{A_A,A_B\}\\ A_A=\{send(m_1),send(a{m}_1^{*}),send(m_3),qui{t}_A\}\\ A_B=\{send(m_2),qui{t}_B\}\end{array}$$

(4)

Among them, $send(m_i)$ represents the sending message $m_i$, $qui{t}_A$ and $qui{t}_B$ represent the protocol exit operations executed by participants $A$ and $B$, respectively, and $a{m}_1^{*}$ indicates that the first message in the protocol is an attack message.

5.3. Beliefs and Strategies

Suppose $\phi$ is a probability distribution over $T_A$, which can be represented as

$$\begin{array}{l}{\phi }_c=pr(A_c | B)\\ {\phi }_{nc}=pr(A_{nc} | B)\\ s.t. {\phi }_c+{\phi }_{nc}=1\end{array}$$

(5)

Since $T_B$ has only one element, we have $pr(B | A_c)=pr(B | A_{nc})=1$.

The belief of $A$ is represented by a probability distribution over $T_B$:

$$\mu =pr(send(m_2)) 1-\mu =pr(qui{t}_B)$$

(6)

The belief of $B$ is represented by a probability distribution over $T_A$:

$$\begin{array}{l}{\alpha }_c=pr(send(m_1)) 1-{\alpha }_c=pr(send(a{m}_1^{*}))\\ {\alpha }_{nc}=pr(send(m_1)) 1-{\alpha }_{nc}=pr(send(a{m}_1^{*}))\\ and\\ {\beta }_c=pr(send(m_3) | send(m_1)) 1-{\beta }_c=pr(qui{t}_A | send(m_1))\\ {\beta }_{nc}=pr(send(m_3) | send(m_1)) 1-{\beta }_{nc}=pr(qui{t}_A | send(m_1)) \end{array}$$

(7)

In addition, based on maximizing its own interests, participant $B$ should also have the following belief:

$$\begin{array}{l}pr[qui{t}_A | send(a{m}_1^{*})\wedge A_c]=1\\ pr[m_3 | send(a{m}_1^{*})\wedge A_c]=0\\ pr[qui{t}_A | send(a{m}_1^{*})\wedge A_{nc}]=1\\ pr[m_3 | send(a{m}_1^{*})\wedge A_{nc}]=0\end{array}$$

(8)

In game theory, a strategy refers to the course of action that a participant takes during the game. The strategy profile $s$ can be represented as: $s=(s_A,s_B)$.

The pure strategy $s_A$ of participant $A$ can be represented by a tuple:

$$\begin{array}{c}{s}_A\in S_A=\{{(s_1,s_3)}_c,{(s_1,s_3)}_{nc}\}\\ s_1\in \{send(m_1),send(a{m}_1^{*}),qui{t}_A\}\\ s_3\in \{send(m_3),qui{t}_A\}\end{array}$$

(9)

where the elements in $s_1$ and $s_3$ represent the optional actions of participant $A$ in the first and third steps of the protocol, respectively, and the elements in $S_A$ represent the pure strategies of participant $A$ for the cooperative and non-cooperative types, respectively. When expanded, it can be obtained as

$$\begin{array}{l}{s}_A\in S_A=\{{(send(m_1),send(m_3))}_c,{(send(m_1),qui{t}_A)}_c,{(send(a{m}_1^{*}),qui{t}_A)}_c,{(qui{t}_A,•)}_c,\\ {(send(m_1),send(m_3))}_{nc},{(send(m_1),qui{t}_A)}_{nc},{(send(a{m}_1^{*}),qui{t}_A)}_{nc},{(qui{t}_A,•)}_{nc}\}\end{array}$$

(10)

The pure strategy $s_B$ of participant $B$ can be represented as

$$s_B\in S_B=\{send(m_2),qui{t}_B\}$$

(11)

where the elements in $S_B$ represent the optional actions of participant $B$ in the second step of the protocol.

5.4. Action Sequences and Information Sets

In this paper, taking the cooperative type $A_c$ as an example, the action sequence $Q_c$ can be represented as

$$\begin{array}{ll}{Q}_c=& \{\varnothing ,qui{t}_A,send(m_1),send(a{m}_1^{*}),send(m_1).send(m_2),\\ & send(a{m}_1^{*}).send(m_2),send(m_1).qui{t}_B,send(a{m}_1^{*}).qui{t}_B,\\ & send(m_1).send(m_2).send(m_3),send(m_1).send(m_2).qui{t}_A,\\ & send(a{m}_1^{*}).send(m_2).qui{t}_A\}\end{array}$$

(12)

Then, the set of non-terminal sequences $Q_c\backslash Z$ can be represented as

$$Q_c\backslash Z=\{\varnothing ,send(m_1),send(a{m}_1^{*}),send(m_1).send(m_2), send(a{m}_1^{*}).send(m_2)\}$$

(13)

The participant function $p$ is used to determine the next participant in a nonterminal sequence, which can be represented as follows:

$$\begin{array}{c}{A}_c=p(\varnothing )=p(send(m_1).send(m_2))=p(send(a{m}_1^{*}).send(m_2))\\ B=p(send(m_1))=p(send(a{m}_1^{*}))\end{array}$$

(14)

In this protocol, $A$ only takes actions in the first and third steps. Since $A$ has no prior information to refer to in the first step, the information set $I_A=\{\varnothing \}$ of $A$ is, and $A$ can only update its own information set after observing $B$ execute $send(m_2)$ in the third step:

$$I_A\in \{send(m_1).send(m_2),send(a{m}_1^{*}).send(m_2)\}$$

(15)

Participant $B$ takes action in the second step and cannot know the type of $A$, so the information set of $B$ is represented as

$$I_B\in \{send{(m_1)}_c,send{(m_1)}_{nc},send{(a{m}_1^{*})}_c,send{(a{m}_1^{*})}_{nc}\}$$

(16)

5.5. Utility Functions and Expected Payoffs

In the rational electronic contract signing protocol mentioned above, to maintain the authenticity of the information, it can be assumed that: if $A$ sends an attack message $a{m}^{*}$ to $B$, and it is recognized by $B$, then $A$ should be given a certain punishment $F$; if it is not recognized by $B$, there will be no punishment. If $B$ sends a signature to $A$, then $A$ will gain a profit ${u_A}^{+}$ ($B$ will suffer a loss of profit ${u_B}^{-}$). If $A$ sends $m_1$ to $B$, then $A$ will incur certain costs and suffer a certain loss of profit ${u_A}^{-}$. Since $B$ is always honest, there is no punishment value for $B$. If $A$ sends $m_3$ to $B$, $B$ will gain a profit ${u_B}^{+}$. Note that

$$F>{u_A}^{+}>{u_A}^{-}>0,{u_B}^{+}>{u_B}^{-}>0$$

(17)

For this protocol, the utility function can be represented as

$$u_A,u_B:T_A\times q\to R$$

(18)

where $u_A$ and $u_B$ are the profits of participants $A$ and $B$, respectively, $T_A$ is the type space of $A$, and $q$ is the terminal action sequence.

In each terminal action sequence $q$, the pure profit of the cooperative type $A_c$ is as follows:

$$\begin{array}{l}{u}_A(A_c,q)=u_A(A_c,qui{t}_A)=0\\ u_A(A_c,q)=u_A(A_c,send(m_1).qui{t}_B)=-{u_{A_c}}^{-}\\ u_A(A_c,q)=u_A(A_c,send(a{m}_1^{*}).qui{t}_B)=-F\\ u_A(A_c,q)=u_A(A_c,send(m_1).send(m_2).send(m_3))={u_{A_c}}^{+}-{u_{A_c}}^{-}\\ u_A(A_c,q)=u_A(A_c,send(m_1).send(m_2).qui{t}_A)={u_{A_c}}^{+}-{u_{A_c}}^{-}\\ u_A(A_c,q)=u_A(A_c,send(a{m}_1^{*}).send(m_2).qui{t}_A)={u_{A_c}}^{+}\end{array}$$

(19)

Table 3. The payoff matrix of $A_c$ and $B$.

	$A_c$	${(send(m_1),send(m_3))}_c$ $({\alpha }_c{\beta }_c)$	${(send(m_1),qui{t}_A)}_c$ $({\alpha }_c(1-{\beta }_c))$	${(send(a{m}_1^{*}),qui{t}_A)}_c$ $((1-{\alpha }_c)(1-{\beta }_c))$
$B$
$m_2$$(\mu )$		$({u_{A_c}}^{+}-{u_{A_c}}^{-},{u_B}^{+}-{u_B}^{-})$	$({u_{A_c}}^{+}-{u_{A_c}}^{-},-u_B^{-})$	$({u_{A_c}}^{+},-{u_B}^{-})$
$qui{t}_B$$(1-\mu )$		$(-{u_{A_c}}^{-},0)$	$(-{u_{A_c}}^{-},0)$	$(-F,0)$

and

Table 4. The payoff matrix of $A_{nc}$ and $B$.

	$A_{nc}$	${(send(m_1),send(m_3))}_{nc}$ $({\alpha }_c{\beta }_c)$	${(send(m_1),qui{t}_A)}_{nc}$ $({\alpha }_c(1-{\beta }_c))$	${(send(a{m}_1^{*}),qui{t}_A)}_{nc}$ $((1-{\alpha }_c)(1-{\beta }_c))$
$B$
$m_2$$(\mu )$		$({u_{A_c}}^{+}-{u_{A_c}}^{-},{u_B}^{+}-{u_B}^{-})$	$({u_{A_c}}^{+}-{u_{A_c}}^{-},-{u_B}^{-})$	$({u_{A_c}}^{+},-{u_B}^{-})$
$qui{t}_B$$(1-\mu )$		$(-{u_{A_c}}^{-},0)$	$(-{u_{A_c}}^{-},0)$	$(-F,0)$

show the payoff matrices of the cooperative types $A_c$ and $B$, and non-cooperative types $A_{nc}$ and $B$, respectively. The horizontal axis represents the different pure strategies of $A_c$ and $A_{nc}$ in the protocol, and the vertical axis represents the different pure strategies of $B$ in the protocol. The pure strategies of $A$ and $B$ together constitute each terminal action sequence in the protocol, and the table corresponds to the pure payoffs of each terminal action sequence $A_c$ and $B$, and $A_{nc}$ and $B$, respectively.

Based on the improved Buttyan model, by setting the types and beliefs of participants and elaborately describing the action sequences, information sets, and payoffs, we can precisely represent the rational electronic contract signing protocol as a game tree, as shown in Figure 7.

In the Buttyan model, the payoffs for $A$ when taking action sequences $send(m_1^{*}).send(m_2).qui{t}_A$ and $send(m_1^{*}).qui{t}_B$ are ${u_A}^{+}-F$ and $-F$, respectively. Participant $A$ will be penalized for sending the false message $m_1^{*}$ to $B$, and the false information $m_1^{*}$ is assumed to be recognizable by $B$. From the perspective of rational participants, false messages $m_1^{*}$ that can be recognized by $B$ do not need to be emphasized because $B$ will always choose to exit the protocol to safeguard their own interests. On the contrary, false messages that are not recognized by participant $B$ pose a potential threat to $B$. Therefore, the focus of the analysis in this paper is on the false messages that are not recognized.

Different strategies correspond to different payoffs. The following will discuss the expected payoffs of participants $A$ and $B$ under different pure strategies. For participant $A$:

$$\begin{array}{c}E(A_c,{(send(m_1),send(m_3))}_c)=\mu ({u_{A_c}}^{+}-{u_{A_c}}^{-})+(1-\mu )(-{u_{A_c}}^{-})=\mu {u_{A_c}}^{+}-{u_{A_c}}^{-}\\ E(A_c,{(send(m_1),qui{t}_A)}_c)=\mu ({u_{A_c}}^{+}-{u_{A_c}}^{-})+(1-\mu )(-{u_{A_c}}^{-})=\mu {u_{A_c}}^{+}-{u_{A_c}}^{-}\\ E(A_c,{(send(a{m}_1^{*}),qui{t}_A)}_c)=\mu {u_{A_c}}^{+}+(1-\mu )(-F)=\mu {u_{A_c}}^{+}+\mu F-F\\ E(A_c,{(qui{t}_A,•)}_c)=0\\ E(A_{nc},{(send(m_1),send(m_3))}_{nc})=\mu ({u_{A_c}}^{+}-{u_{A_c}}^{-})+(1-\mu )(-{u_{A_c}}^{-})=\mu {u_{A_c}}^{+}-{u_{A_c}}^{-}\\ E(A_{nc},{(send(m_1),qui{t}_A)}_{nc})=\mu ({u_{A_c}}^{+}-{u_{A_c}}^{-})+(1-\mu )(-{u_{A_c}}^{-})=\mu {u_{A_c}}^{+}-{u_{A_c}}^{-}\\ E(A_{nc},{(send(a{m}_1^{*}),qui{t}_A)}_{nc})=\mu {u_{A_c}}^{+}+(1-\mu )(-F)=\mu {u_{A_c}}^{+}+\mu F-F\\ E(A_{nc},{(qui{t}_A,•)}_{nc})=0\end{array}$$

(20)

From the expected payoffs mentioned above, when the type of $A$ is $A_c$, to ensure that participant $A$ complies with the protocol rules and does not engage in fraudulent behavior, it is only necessary that:

$$E(A_c,{(send(m_1),send(m_3))}_c)\ge E(A_c,{(send(a{m}_1^{*}),qui{t}_A)}_c)$$

(21)

$$\mu {u_{A_c}}^{+}-{u_{A_c}}^{-}\ge \mu {u_{A_c}}^{+}+\mu F-F$$

(22)

That is,

$$\mu \le 1-{\displaystyle \frac{{u_{A_c}}^{-}}{F}} (\mu >0)$$

(23)

When ${u_{A_c}}^{-}$ remains constant, increasing the penalty value $F$ means that the value of $\mu$ becomes larger. In other words, the probability of $B$ sending message $m_2$ will increase, which is more conducive to the successful completion of the protocol. Therefore, during the contract signing process, appropriately increasing the penalty for sending attack messages can effectively encourage users to comply with the protocol. However, an excessively large penalty may backfire, as participants may be deterred by the high penalty and become reluctant to participate, thereby affecting the success rate of the protocol.

When the penalty value $F$ remains unchanged, reducing the cost ${u_{A_c}}^{-}$ means that the value of $\mu$ becomes larger. Therefore, in the signing of small contracts (where the cost $A$ is low), user $B$ is more likely to comply with the protocol. However, in the signing of large contracts, user $B$ should be more cautious and improve their ability to identify false messages to ensure that both parties in the protocol comply as much as possible. This not only helps protect their own interests but also helps maintain the fairness and effectiveness of the contract.

Similarly, when the type of $A$ is $A_{nc}$, they will be more willing to comply with the protocol rules and avoid fraudulent behavior only when condition $\mu \le 1-{\displaystyle \frac{{u_{A_c}}^{-}}{F}} (\mu >0)$ is satisfied. For participant $B$:

$$\begin{array}{c}E(B,qui{t}_B)=0\\ E(B,m_2)={\phi }_c((1-{\alpha }_c)(-{u_B}^{-})+{\alpha }_c({\beta }_c({u_B}^{+}-{u_B}^{-})+(1-{\beta }_c)(-{u_B}^{-})))\\ +{\phi }_{nc}((1-{\alpha }_{nc})(-{u_B}^{-})+{\alpha }_{nc}({\beta }_{nc}({u_B}^{+}-{u_B}^{-})+(1-{\beta }_{nc})(-{u_B}^{-})))\\ ={u_B}^{+}({\phi }_c{\alpha }_c{\beta }_c+{\phi }_{nc}{\alpha }_{nc}{\beta }_{nc})-{u_B}^{-}\end{array}$$

(24)

It can be denoted that $({\phi }_c{\alpha }_c{\beta }_c+{\phi }_{nc}{\alpha }_{nc}{\beta }_{nc})$ is represented by $l$. To ensure that participant $B$ complies with the protocol rules, it is only necessary that $E(B,m_2)\ge E(B,qui{t}_B)$, that is,

$$l\ge {\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}} (l>0)$$

(25)

Assign a set of values to ${\phi }_c$, ${\alpha }_c$, ${\beta }_c$, ${\phi }_{nc}$, ${\alpha }_{nc}$, ${\beta }_{nc}$, namely ${\phi }_c=0.80$, ${\alpha }_c=0.85$, ${\beta }_c=0.80$, ${\phi }_{nc}=0.2$, ${\alpha }_{nc}=0.65$, ${\beta }_{nc}=0.65$. The calculated result is $l$$=$ 0.6285. The five groups of strategies for $B$’s instances are shown in

Table 5. Strategy Table for $B$’s Instances.

Instance Number	${{\mathit{u}}_{\mathit{B}}}^{-}$	${{\mathit{u}}_{\mathit{B}}}^{+}$	$\frac{{{\mathit{u}}_{\mathit{B}}}^{-}}{{{\mathit{u}}_{\mathit{B}}}^{+}}$	${\mathit{s}}_{\mathit{B}}$
1	3	8	0.375	$send(m_2)$
2	4	8	0.5	$send(m_2)$
3	6	8	0.75	$qui{t}_B$
4	6	10	0.6	$send(m_2)$
5	6	12	0.5	$send(m_2)$

. The table shows the specific values of ${u_B}^{-}$ and ${u_B}^{+}$ under different instance numbers, as well as the ratio of ${\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}$ and the corresponding strategy $s_B$. For example, the value of ${u_B}^{-}$ in instance 1 is 3, the value of ${u_B}^{+}$ is 8, and the ratio is 0.375. At this time, $l$ $=$ 0.6285 > 0.3750, so $B$’s strategy is $send(m_2)$. In the first three groups of instances, ${u_B}^{+}$ is 8. As ${u_B}^{-}$ increases, the value of ${\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}$ increases, and the possibility of $B$ choosing $qui{t}_B$ increases, which is not conducive to the agreement. In the last three groups of instances, ${u_B}^{-}$ is 6. As ${u_B}^{+}$ increases, the value of ${\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}$ decreases, and $B$ is more willing to choose $send(m_2)$, which is more conducive to the agreement.

The following conclusions can be drawn from the table:

When $l$ is fixed, the ratio of cost to benefit ${\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}$ should be minimized as much as possible; that is, increasing the benefit ${u_B}^{+}$ and reducing the cost ${u_B}^{-}$. When the ratio of cost to benefit $B$ decreases, $B$ will be more inclined to exchange signatures after weighing the pros and cons. On the one hand, increasing the benefit lets $B$ see more room for profit and development opportunities, enhancing the motivation to participate; on the other hand, reducing the cost lowers the participation threshold and potential risks for $B$, alleviating concerns. This combined effect will effectively increase the success rate and execution efficiency of the protocol, promoting cooperation and win-win outcomes for both parties.

When ${\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}$ is fixed, increasing the value of $l$, that is, enhancing $B$’s trust in $A$, makes $B$ more willing to exchange signatures, which is another important factor in promoting the successful conclusion of the protocol.

The following are the strategy diagrams for participant $A$ under parameter $\mu$ and participant $B$ under parameter $l$, as shown in Figure 8. (a): When $\mu \le 1-{\displaystyle \frac{{u_A}^{-}}{F}}$, participant $A$ adopts the pure strategy $send(m_1),send(m_3)$. (b): When $l\ge {\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}$, participant $B$ adopts the pure strategy $send(m_2)$. Both parties interactively sign and reach an agreement.

In summary, both parties are willing to comply with the protocol rules only when $\mu \le 1-{\displaystyle \frac{{u_A}^{-}}{F}} (\mu >0)$ and $l\ge {\displaystyle \frac{{u_B}^{-}}{{u_B}^{+}}}(l>0)$ are satisfied simultaneously. In the process of signing electronic contract agreements, to ensure the cooperation and willingness of both parties, the agreement should include an appropriate penalty mechanism for sending false messages. In addition to this, it is also essential to enhance users’ ability to identify false messages. Furthermore, establishing a trust mechanism within the agreement can further strengthen both parties’ willingness to comply with the protocol.

6. Discussion

To better illustrate the advantages and unique features of our improved Buttyan model, we compare it with several existing security models, including the original Buttyan model, Alcaide’s rational exchange protocol model (referred to as the Alcaide model in this paper), Ding’s mixed strategy rational exchange protocol model (referred to as the Ding model in this paper), and Tao’s IoT protocol model (referred to as the Tao model in this paper). The comparison is conducted from multiple dimensions, such as handling uncertainty, handling false information, outcome fairness, process fairness, fraud prevention ability, and computational complexity.

Table 6. Comparison results of different security models.

Comparison Dimensions	Original Buttyan Model	Alcaide Model	Ding Model	Tao Model	Our Model
Handling uncertainty	×	√	×	×	√
Handling attack messages	×	×	×	×	√
Result fairness	√	√	√	√	√
Process fairness	×	×	√	×	√
Fraud prevention capability	×	×	×	×	√

shows the results of the comparison of different security models in multiple dimensions.

• Handling uncertainty: The original Buttyan model assumes complete information and reliable networks, which is not realistic in real-life scenarios. Our model solves the problems of uncertainty and information asymmetry by introducing Bayesian games and increasing participant types and beliefs.
• Handling attack messages: None of the existing models adequately handle attack messages or potential fraud. Our model introduces attack messages to simulate and analyze potential vulnerabilities, enhancing the robustness of the protocol.
• Result and process fairness: While the original Buttyan and Alcaide models focus on outcome fairness, they ignore fairness in the protocol process. Our model ensures fairness of the results and processes by introducing Bayesian game and attack messages.
• Fraud prevention capability: The original model lacks processing of false messages. Our model enhances fraud prevention capabilities by introducing attack messages and penalties for sending false information.

This study proposes an improved Buttyan model that aims to formally analyze rational exchange protocols, with a particular focus on improving the model’s ability to handle uncertainty and potential fraud. By introducing participant types and beliefs, the model is extended to more accurately reflect the complexity of real-world scenarios. In addition, the introduction of attack messages further enhances the model’s ability to simulate and analyze potential security vulnerabilities. The improved model is applied to rational electronic contract signing protocols, and a set of judgment conditions for evaluating whether users follow the protocol is obtained.

However, an important limitation of our model is the assumption that participant $B$ is always honest. Although this assumption simplifies the analysis process, in real scenarios, participant $B$ may have an incentive to deviate from honest behavior. This limitation limits the applicability of the model in dealing with scenarios where participant $B$ may engage in fraudulent activities. Future research should consider relaxing this assumption and exploring mechanisms to deal with $B$’s dishonest behavior, such as introducing reputation mechanisms or additional cryptographic techniques to ensure the integrity of the protocol. In addition, the current model is only applicable to two-party protocols, and extending it to multi-party scenarios can provide a more comprehensive framework for analyzing complex e-commerce transactions. Through experiments and actual tests, the effectiveness of the model can be verified, and the direction of improvement can be further determined.

7. Conclusions and Future Work

This paper proposes an improved Buttyan model. Through Bayesian game theory, it incorporates participant types and beliefs, expands the Buttyan model, and enhances the model’s ability to express real-world uncertainties. In addition, attack messages are introduced to simulate the potential fraudulent behavior of participants exploiting protocol security vulnerabilities. Finally, taking the rational electronic contract signing protocol as an example, the paper demonstrates how to apply the improved model for formal analysis and derives clear judgment conditions to assess whether users follow the protocol for transactions. The improved model is more in line with actual operating conditions and provides theoretical support for the design and optimization of e-commerce protocols.

In future research, there are two main directions for development: First, the analysis method can be extended to multi-party exchange protocols to enhance the security of e-commerce protocols [32,33]. Second, while the existing model has achieved certain results in theoretical design, there are still some shortcomings in practical application. For example, when facing complex real-world scenarios, the current model may not fully consider practical factors such as network latency and irrational behavior of participants, thereby affecting its adaptability and stability. To further improve the model’s practical adaptability, it can be verified and tested through experiments and practical applications.