Hi,
So here's the updated part of the proposal.
------------
§ Threat model & Security Considerations
Consider an adversary with the following powers:
- Has sufficient computational and storage power to brute force any method that can be brute forced.
- Can get recurrent control of the concerned guard node/bridge.
- Can interact with the concerned data structure that stores unique IP addresses/hash values/bloom filter/bitmaps etc.
- Can also log incoming connections and IP addresses outside the realm of Tor (i.e. at the system level or at gateways etc.).
- Can manipulate incoming connections with made-up IP addresses so as to observe the working of our proposed solution.
- As a consequence of the previous power, the adversary can also inject patterns of IP addresses to observe any pattern in the stored data structure.
An ideal solution would not involve hashing or, even if it does, it would manipulate that hash before storing it in such a way that the adversary cannot learn about IP addresses even with a brute-force attack.
An ideal solution would not help the adversary observe any pattern in the stored data structure. This could be accomplished by incorporating a salted hash or variations of it into the proposed solution. And the salt would be changed every time we start tracking unique IP addresses.
There is a fundamental limitation to what we can do, and that is that we cannot stop an adversary from gaining knowledge of IP addresses at the system level or at gateways etc. But the thing to cheer about is that in this way, the adversary cannot learn about the users retrospectively.
------------
Regards, Jaskaran
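
Added example, not part of the original message or of Tor's code: a minimal sketch of the per-period salted hash the proposal describes, using HMAC-SHA256 as the salted-hash variant (an assumption; the message names no construction). The class `UniqueIPCounter` and its methods are hypothetical names, and the addresses are constructed samples from documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import secrets


class UniqueIPCounter:
    """Counts distinct client addresses for one tracking period (hypothetical)."""

    def __init__(self):
        self._start_period()

    def _start_period(self):
        # A fresh random salt for every tracking period, kept in memory only.
        self._salt = secrets.token_bytes(32)
        self._seen = set()

    def _tag(self, addr):
        # Hash the packed address bytes under the current period's salt.
        packed = ipaddress.ip_address(addr).packed
        return hmac.new(self._salt, packed, hashlib.sha256).digest()

    def observe(self, addr):
        self._seen.add(self._tag(addr))

    def stored_tags(self):
        # What an adversary reading the stored data structure would see.
        return frozenset(self._seen)

    def finish_period(self):
        """Return the unique count, then drop this period's salt and tags."""
        count = len(self._seen)
        self._start_period()
        return count


def demo():
    # Constructed sample addresses (documentation ranges), with one repeat.
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "2001:db8::1"]
    counter = UniqueIPCounter()
    results = []
    for _ in range(2):  # two tracking periods with identical clients
        for addr in clients:
            counter.observe(addr)
        tags = counter.stored_tags()
        results.append((counter.finish_period(), tags))
    (n1, tags1), (n2, tags2) = results
    # Same clients, same counts, but no tag is shared between the periods.
    return n1, n2, tags1.isdisjoint(tags2)
```

The salt exists in memory for the duration of a period, so this only gives the retrospective protection the message describes: an adversary in control of the relay during a period can read the current salt. Rebinding the attributes in Python does not securely wipe the old salt from memory.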