Communication protocols are the computational basis for distributed el
ectronic commerce systems, and thus the properties of these protocols
define the forms of commerce possible in electronic systems. Existing
protocols used for electronic commerce focus primarily on security pro
perties, including message integrity, privacy and non-repudiation, and
on basic transaction properties, usually just atomicity; their struct
ural properties are limited to supporting two-party transactions with
fixed semantics. We believe that the properties provided by these prot
ocols limit their use to simple forms of commerce. In this paper we de
fine the properties we believe are necessary for electronic commerce p
rotocols. These include the security properties of existing protocols,
and extend the transactional properties to include isolation and caus
ality. Causality is a new property for transactions. It allows the ord
er of the messages in a completed transaction to be independently veri
fied, and thus inferences can be made about causal relationships betwe
en messages. We also extend the structural properties to support scala
bility, layering and separation of roles. Scalable protocols allow sev
eral parties to join each transaction. Protocol layering enables arbit
rary transaction semantics and greater system modularity. Separation o
f roles provides independent adjudication of disputes between transact
ion participants and allows the use of varied exchange media. We term
a protocol with the above properties a secure transaction protocol. La
stly, we present a protocol that provides these properties. We believe
that this protocol can be used to support more complex and extended f
orms of electronic commerce than existing protocols. (C) 1997 Elsevier
Science B.V.