Consider a set of computers capable of transmitting data between each other. Peer-to-peer data transfer can occur between any two computers on this network. A host is defined as any computer on the network.
To obtain data from a host in the network, a request is made to the destination host, which sends the requested data to the host that requested the data. If, for any reason, the requesting host wants to conceal its identity, the requesting host can send the request through a proxy server. The proxy server obtains the requested data from the destination host, conceals the identity of the requesting host, and passes the request onto the requesting host. The anonymity of the requesting host is thus maintained.
If the security of the proxy server is compromised, all transactions that are processed by the proxy server may be monitored. Hence, any transaction can no longer be considered anonymous. This difficulty can be obviated by making each intermediate host act as a proxy for the other hosts. The requesting hosts no longer ask for information directly from the destination, but routes the request through a chain of intermediate hosts. Any intermediate host may send a request directly to the required destination, or route the request through other intermediate hosts.
The path taken by the request is essentially random, and the number of hops in the data route is variable. Even the host on the first hop cannot be sure of the identity of the requesting host, as a distinction cannot be made between an intermediate host and a requesting host. Consequently, the requesting host's anonymity is maintained.
A protocol that implements the above-described scheme for user anonymity in peer-to-peer networking has been developed as a research project of AT&T, under the name of “crowds”. A relevant publication is “Crowds: Anonymity for Web Transactions”, Michael K. Reit and Ariel D. Rubin, AT&T Labs—Research.
This security protocol for user anonymity in peer-to-peer networking raises the following concerns:    (i) The requesting host cannot determine if any data that the requesting host receives is genuine. A possibility exists of data being manipulated by intermediate hosts, and the requesting host is unable to detect any such possible data manipulation.    (ii) The route of requesting data cannot be determined by the requesting host, and is always random to any intermediate host. Consequently, a “best route” cannot be selected by the requesting host. Further, any host that is suspected to be compromised cannot be explicitly skipped.    (iii) Anonymity of the end-host that services the request is not maintained, which permits traffic monitoring in the network.
A view of the above observations, a need clearly exists to address limitations in existing anonymous peer-to-peer routing protocols.