Suppose an intermediate node for onion routing were malicious, exposing the source and destination of communications it forwarded. Clearly the disclosure would damage the confidentiality onion routing was designed to achieve. If the malicious node were one of the two in the middle, what would be exposed. If it were one of three, what would be lost. Explain your answer in terms of the malicious node in each of the first, second, and third positions. How many nonmalicious nodes are necessary to preserve privacy?

What will be an ideal response?

In order to preserve anonymity, a nonmalicious intermediate node is needed on each side of the malicious intermediate node (e.g., if A communicates with B along the path A-­?>X-­?>Y-­?>Z-­?>B, X and Z must not be malicious). If a malicious node is on the end of the intermediate chain (either X or Z, in the previous example), then the anonymity of either the sender or recipient of the communication is compromised. Consequently, if a single intermediate node in a two-­?node system is malicious, either the sender’s or recipient’s anonymity is lost.