Traffic Analysis
Also known as: timing correlation, traffic correlation, traffic-flow analysis
Traffic analysis is the practice of inferring relationships and activity from the observable shape of network traffic — the timing, size, direction, and volume of packets — even when the contents are fully encrypted. By correlating when one party sends and another receives, or by fingerprinting characteristic flow patterns, an observer can deduce who is talking to whom and what they are doing without ever decrypting a single byte.
Encryption scrambles content, but it does not hide the envelope's behavior: when packets leave, how big they are, which direction they flow, and how they cluster into bursts. Traffic analysis exploits exactly these residual signals. The classic attack is timing correlation: if an observer sees Alice transmit at 14:32:07.123 and Bob receive at 14:32:07.892, then again and again, the statistical link becomes near-certain over enough samples — no decryption required.
A related family is website fingerprinting, where a passive watcher classifies which encrypted site you are loading purely from the sequence of packet sizes and timings. Researchers have shown this works even against Tor, whose fixed 512-byte cells were supposed to blunt it; the 2020 Tik-Tok study demonstrated that fine-grained packet timing still leaks enough to identify pages. The 2019 ENISA report catalogs encrypted-traffic-analysis techniques used in both defense and surveillance.
This is why hiding the sender (via sealed sender) and the route (via onion routing) is not sufficient on its own. Defeating traffic analysis requires reshaping the traffic itself: padding messages to a uniform size, adding randomized delays, batching and reordering, and injecting cover traffic — the job of a mixnet. Even then, a global passive adversary with unlimited observation can never be fully ruled out for low-latency systems.
How it works
An adversary need not sit in the middle; observing the two endpoints (or all links, as a global passive adversary) suffices. They record packet timestamps, sizes, and directions and feed them to statistical or machine-learning classifiers. Correlation attacks match send/receive patterns across two flows to confirm a conversation. Fingerprinting attacks compare a flow's shape against a library of known patterns. Intersection attacks narrow candidates by who is online whenever messages arrive. All of these operate on metadata the encryption leaves untouched, which is why padding, delay, and cover traffic — not stronger ciphers — are the defenses.
How RVNT uses Traffic Analysis
RVNT's mixnet directly targets traffic analysis: it pads every message (real or cover) to a fixed size, applies randomized per-message and per-batch delays, Fisher-Yates-shuffles batches before sending, and emits cover traffic so volume stays roughly constant whether or not you are messaging. All of it rides over Tor. RVNT documents honestly that this raises the cost steeply but cannot defeat a global passive adversary outright. See the mixnet docs.
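The batch-shaping steps named above (fixed-size padding, cover fill, Fisher-Yates shuffle), as an added sketch that is not RVNT's code. The packet size, batch size and 3-byte frame header are assumptions, and the encryption layer and the randomized delays are left out.

```python
import secrets
import struct

# Assumed values for illustration; not RVNT's actual parameters.
PACKET_SIZE = 512
BATCH_SIZE = 8
HEADER = struct.Struct(">BH")  # kind (1 real, 0 cover), payload length
MAX_PAYLOAD = PACKET_SIZE - HEADER.size

def pad(payload, real=True):
    """Frame and pad to exactly PACKET_SIZE bytes; runs before encryption."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large, fragment it first")
    filler = secrets.token_bytes(MAX_PAYLOAD - len(payload))
    return HEADER.pack(1 if real else 0, len(payload)) + payload + filler

def unpad(packet):
    """Receiver side, after decryption: payload, or None for cover."""
    if len(packet) != PACKET_SIZE:
        raise ValueError("unexpected packet size")
    kind, length = HEADER.unpack_from(packet)
    if length > MAX_PAYLOAD:
        raise ValueError("corrupt length field")
    return packet[HEADER.size:HEADER.size + length] if kind == 1 else None

def fisher_yates(items):
    """Uniform shuffle driven by the OS CSPRNG rather than random.shuffle."""
    out = list(items)
    for i in range(len(out) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out

def build_batch(queue):
    """Pop up to BATCH_SIZE queued messages, top up with cover, shuffle."""
    real = [pad(queue.pop(0)) for _ in range(min(BATCH_SIZE, len(queue)))]
    cover = [pad(b"", real=False) for _ in range(BATCH_SIZE - len(real))]
    return fisher_yates(real + cover)

def observable_shape(batch):
    """All a passive observer gets from an encrypted batch: packet sizes."""
    return [len(p) for p in batch]

if __name__ == "__main__":
    msgs = [b"hi", b"meet at noon", b"x" * 100]  # constructed sample input
    idle, busy = build_batch([]), build_batch(list(msgs))
    print(observable_shape(idle) == observable_shape(busy))
    print(sorted(m for m in map(unpad, busy) if m is not None))
```

Because the real/cover flag and the true length sit inside the padded frame, they are only readable after decryption; on the wire an idle batch and a busy batch have the same count and sizes.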
Frequently asked questions
How can someone learn anything if all my traffic is encrypted?
Encryption hides the content of packets but not their timing, size, direction, or volume. Traffic analysis correlates those observable signals — for example, matching when you send against when your contact receives — to infer who you talk to and what you do. It is a metadata attack, so a stronger cipher does not help against it.
Does Tor protect me from traffic analysis?
Tor hides your IP address and route, which defeats simple sender identification, but it does not fully stop traffic analysis. Studies including the 2020 Tik-Tok paper show website fingerprinting and timing correlation can still work against Tor. That is why RVNT layers a mixnet — padding, delays, batching, and cover traffic — on top of Tor.
What actually stops traffic analysis?
Reshaping the traffic so its timing and size leak little: fixed-size padding, randomized delays, batching and reordering messages, and continuous cover traffic to mask when you are really active. These are the mixnet techniques RVNT uses. No low-latency system makes traffic analysis impossible, but they raise its cost enormously.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.