What Is a Mixnet? Mix Networks vs Tor for Metadata Privacy
Encrypting the contents of a message is the easy part. The hard part is hiding the fact of the message — that you sent something, to someone, at a particular moment, of a particular size. An adversary who can watch the network doesn’t need to break your AES-256-GCM. They just need to notice that a packet left your machine at 14:32:07.123 and an indistinguishable packet arrived at your contact’s machine 769 milliseconds later, and to watch that pattern repeat. That correlation is the message. A mixnet — short for mix network — is the class of system designed specifically to destroy it, by batching traffic from many senders, shuffling its order, holding each packet for a randomized delay, and burying the real traffic under a steady stream of indistinguishable cover. It is the oldest idea in anonymous communication, and it attacks a problem that ordinary encryption, and even Tor, leave partly open.
Why content encryption isn’t enough
End-to-end encryption protects the what. It does nothing about the who, when, how often, and how much. Those four properties are metadata, and metadata is frequently more revealing than content. The EFF’s Surveillance Self-Defense project puts it bluntly: metadata is “everything except the content of your communications,” and a pattern of it can expose that “you called the suicide prevention hotline from the Golden Gate Bridge” without a single word of the call being known. Former NSA director Michael Hayden’s line is the version everyone remembers: “We kill people based on metadata.”
The attack that harvests this is traffic analysis — see the glossary entry on traffic analysis — and its sharpest tool is timing correlation. Suppose two observers, one at your ISP and one at your contact’s, each see only encrypted, identically-sized packets. They cannot read anything. But if your sends and your contact’s receives line up in time, message after message, the statistical case that you two are talking approaches certainty within a few dozen exchanges. We worked an example of exactly this in our docs on the mixnet: over a long enough window, “>99.99% probability” that Alice is messaging Bob, with no decryption at all.
Encryption hides the letter. Metadata hides nothing — unless you actively reshape the traffic itself.
This is why hiding sender identity at the application layer (sealed sender, which encrypts who-sent-it inside the envelope so the relay never learns it) and hiding your IP at the network layer (Tor) are necessary but not sufficient. Both still leak timing. A packet that goes in must come out, and when it comes out is observable.
What a mix network actually does
The mixnet was invented by David Chaum in his 1981 paper “Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms” (Communications of the ACM, vol. 24, pp. 84–90) — the founding document of the entire field. Chaum’s insight was that a relay (a “mix”) could accept encrypted messages from many senders, decrypt and re-encrypt each one so it looks different coming out than going in, and then reorder the whole batch before forwarding. An observer watching one mix sees N items enter and N items leave, but cannot match any input to any output. Chain several mixes operated by different parties and no single one knows both ends.
Modern mixnets add three more defenses on top of Chaum’s batch-and-shuffle:
- Independent random delays. Each packet is held for a randomized time — often drawn from an exponential (Poisson) distribution — so that even within a batch, the order and spacing of outputs carries no information about the inputs. The delay is the active ingredient against timing correlation.
- Fixed-size packets. If packets vary in size, an adversary correlates by length instead of timing. Mixnets force every packet to one uniform size. Nym’s implementation, which uses the Sphinx packet format, fixes “a fixed payload size of 2048 bytes” precisely so that no node can infer its position in the route or match packets by their dimensions.
- Cover traffic. The network sends a steady stream of dummy packets — indistinguishable from real ones — whether or not you have anything to say. An observer sees constant activity, so the presence of a real message is itself hidden. The whole point of a mixnet, as Nym frames it, is to protect “who is talking to whom, when, and how often”, not just the payload.
Put together: batch, reorder, delay, pad to a fixed size, and drown in cover noise. That is the mixnet recipe, essentially unchanged in spirit from 1981, now realized in systems like Nym’s Loopix design.
Mixnet vs Tor: the latency–metadata tradeoff
This is the distinction that confuses people, because Tor and mixnets look superficially similar — both route through multiple relays, both peel layers of encryption like an onion. The difference is what they optimize for.
Onion routing, which Tor implements, is a low-latency anonymity system. Tor relays forward your traffic essentially as fast as they can. They do not deliberately delay packets, and they do not batch-and-reorder across users to break timing. That is a feature: it’s what makes Tor fast enough to browse the web and hold a real-time conversation. The cost is that Tor is explicitly not designed to defend against an adversary who can watch both ends of a circuit at once. The Tor Project has always said so. A mixnet is a higher-latency system that trades responsiveness for exactly that timing resistance.
| Property | Tor (onion routing) | Mixnet (mix network) |
|---|---|---|
| Optimized for | Low latency, interactivity | Metadata / timing resistance |
| Per-hop behavior | Forward immediately | Batch, reorder, delay |
| Cover traffic | Minimal / none by default | Continuous, structural |
| Packet sizes | Fixed Tor cells (514 B) | Fixed mix packets (e.g. 2048 B Sphinx) |
| Defends against end-to-end timing? | No (by design) | Yes (its whole purpose) |
| Typical added latency | ~200–800 ms | seconds to (classically) hours |
Neither is strictly “better.” A high-latency mix cascade with hours of delay gives the strongest anonymity ever built — and is useless for a chat app. A pure low-latency network is responsive and leaks timing. The interesting engineering lives in between.
How RVNT layers a mixnet over Tor
RVNT does not make you choose. It runs a low-latency mixnet on top of Tor, so each layer covers the other’s weakness. Tor (via the embedded arti client) hides your IP address and which destination you’re reaching — see Tor integration and our explainer on what Tor is and how it works. The mixnet layer then attacks the timing and volume that Tor leaves exposed. The full mechanics are in the mixnet docs; the shape of it:
- Batch shuffling. In maximum-privacy mode, outgoing messages accumulate during a randomized window (roughly 500–2000 ms), get 1–3 cover messages injected, are Fisher-Yates shuffled, and transmitted one at a time with random inter-message gaps. An observer can’t tell which message was queued first, or whether a batch even contained a real one.
- Randomized delays. Delays are drawn from a truncated exponential distribution (mean ~200 ms), chosen so the artificial delay is statistically indistinguishable from ordinary network jitter.
- Cover traffic. When idle, the app still emits one dummy message every 15–30 seconds in max-privacy mode. Each cover message is a real sealed-sender envelope addressed to yourself, padded to the standard fixed size, and silently discarded on receipt — byte-for-byte indistinguishable from a genuine message. This is the same property that makes sealed sender hide who talks to whom actually hold up at the network level.
- Fixed-size padding. Every message — real or cover — is padded to a uniform size, closing the door on length-correlation.
There’s an honest cost, and we list it: latency rises from roughly 200–800 ms (Tor only) to roughly 700–3000 ms (Tor plus batching), with a moderate battery and bandwidth hit from the continuous cover traffic. That is the latency-for-metadata trade in concrete numbers. Standard mode keeps cover traffic light and skips batching for everyday use; max-privacy mode is the dial you turn when timing correlation by a nation-state is a realistic threat.
The honest caveat: the global passive adversary
Here is the limitation we will not paper over. RVNT’s mixnet is a low-latency design, built for interactive messaging. A low-latency mixnet does not defeat a global passive adversary (GPA) — an entity that can observe all relevant network links simultaneously and correlate over a long time horizon. Given enough messages, statistical methods grind through the random delays and cover noise and recover a probabilistic model of who talks to whom. Related intersection attacks narrow candidates by noticing who happens to be online when messages flow. This is not a bug in our implementation; it is a known, fundamental property of low-latency mix designs, and the same ceiling that constrains every interactive anonymity system including Tor. Only a high-latency mix cascade — measured in hours — meaningfully resists a true GPA, and that is incompatible with a messenger people will actually use.
So the accurate claim is the modest one: layering a mixnet over Tor makes traffic analysis enormously more expensive than encryption alone, defeats casual and even fairly determined observers, and forces a serious adversary into long, costly, statistical attacks rather than trivial 1:1 timing correlation. It does not make you invisible to an omniscient watcher with unlimited time. And the usual disclaimer applies with full weight: RVNT is pre-release and has not been independently audited — treat the numbers here as design targets, not certified guarantees, and judge the system on review, not on this blog.
That gap between “much harder” and “impossible” is exactly where the next decade of anonymity research lives. Chaum’s mix is forty-five years old and still the sharpest tool we have for the metadata problem; the open work is making its high-latency strength survive contact with a real-time chat app. RVNT’s answer — a tunable mixnet over Tor, with the costs stated plainly — is one honest point on that curve, not the end of it.
Keep reading
All posts →-
Cryptographic Deniability: Why an Encrypted Message Can't Be Proven in Court
How cryptographic deniability lets an encrypted chat authenticate its participants yet prove nothing to a third party — the OTR origin, Signal's offline deniability, and the legal caveat.
9 min read -
Panic Mode and Remote Wipe: Surviving Device Seizure
How cryptographic self-destruct destroys keys to make ciphertext noise instantly, why crypto-erase beats file deletion, the Cellebrite/GrayKey threat, and honest limits.
9 min read -
Prekey Bundles: How Encrypted Chat Works When You're Offline
How prekey bundles let encrypted chat work when the recipient is offline: what they contain, how a sender derives a shared secret alone, and the key-substitution risk.
9 min read -
What Is a Duress PIN? How a Decoy Unlock Protects You Under Coercion
A duress PIN unlocks a believable decoy vault instead of your real data when you're forced to open your device. How it works, how it differs from a panic wipe, and where it fails.
9 min read -
X3DH, Explained: The Handshake Behind Asynchronous Encryption
How X3DH lets two people share an encryption key when one is offline — the four Diffie-Hellman operations, what each provides, and the post-quantum upgrade.
9 min read -
The Anthropic Recall: How Centralized AI Threatens Decentralized Privacy
A breakdown of today's US government export control directive targeting Anthropic, the vulnerabilities of centralized AI architectures, and why decentralized, sovereign communications are vital.
5 min read -
Sealed Sender: Hiding Who Talks to Whom
A technical deep-dive on RVNT's sealed sender: how encrypting the sender certificate to the recipient hides the from-to routing pair, and how forgery, replay, and abuse are handled.
9 min read -
Chat Control, Explained: The EU's Fight Over Scanning Your Messages
EU Chat Control explained: what the CSA Regulation proposes, why client-side scanning breaks end-to-end encryption, the 2025-2026 timeline, and its current status.
11 min read