Skip to Content
Traffic Analysis Protection

Traffic Analysis Protection

Comprehensive documentation on Zentalk’s defenses against traffic analysis attacks.

Overview

Even when message contents are encrypted, an adversary observing network traffic can extract significant intelligence from metadata: who communicates with whom, when, how often, and how much data is exchanged. Zentalk implements multiple layers of traffic analysis protection to prevent these correlation attacks.

The Threat Landscape

What Traffic Analysis Reveals

Without protection, network observers can determine:

ObservableIntelligence Extracted
IP addressesPhysical location, ISP, organization
TimingCommunication patterns, work hours, time zones
Message sizeType of content (text, image, file)
FrequencyRelationship strength, urgency
DirectionInitiator vs responder
Session durationConversation length, engagement

Adversary Capabilities

Adversary TypeObservation PointThreat Level
Local network adminLAN trafficHigh
ISPAll user trafficHigh
Nation-stateInternet backboneCritical
Malicious relaySingle hopMedium
Colluding relaysMultiple hopsHigh

Timing Attacks

Timing attacks correlate message sending and receiving times:

Attack Scenario:
  Observer watches Alice's outbound traffic
  Observer watches Bob's inbound traffic

  If message leaves Alice at T1
  And message arrives at Bob at T1 + network_delay
  Then: Alice → Bob correlation established
Attack VariantDescription
Direct timingCorrelate send/receive with network delay
Statistical timingAggregate timing patterns over time
Burst correlationMatch traffic bursts across endpoints
Idle period analysisCorrelate quiet periods

Volume Analysis

Message sizes reveal content types:

Size RangeLikely Content
< 256 bytesShort text message
256B - 1KBLong text, metadata
1KB - 100KBCompressed image
100KB - 10MBHigh-res image, audio
> 10MBVideo, file transfer

Communication Pattern Analysis

Long-term observation reveals:

PatternIntelligence
Consistent daily timingWork schedule, time zone
Weekly patternsWork vs personal contacts
Response latencyRelationship closeness
Burst conversationsReal-time chat vs async
Silence periodsSleep schedule, travel

Traffic Padding

Constant-Rate Dummy Traffic

Zentalk maintains constant traffic flow regardless of actual communication:

ParameterValuePurpose
Base rate2 cells/secondMinimum constant traffic
Active rate10 cells/secondDuring active conversation
Idle rate1 cell/secondWhen app backgrounded
Burst absorptionQueue depth 50Smooth traffic spikes

Padding Frequency

Traffic Generation Algorithm:

Every 500ms:
  If real_message_queue not empty:
    Send real_message from queue
  Else:
    Send dummy_message

Maintains: Constant 2 messages/second minimum
ModeIntervalCells/SecondBandwidth
Low power1000ms1~0.5 KB/s
Normal500ms2~1 KB/s
Active100ms10~5 KB/s
Maximum privacy50ms20~10 KB/s

Dummy Message Format

Dummy messages are cryptographically indistinguishable from real messages:

PropertyReal MessageDummy Message
Size542 bytes542 bytes
EncryptionAES-256-GCMAES-256-GCM
Header formatIdenticalIdentical
NonceRandom 12 bytesRandom 12 bytes
Auth tagValid 16 bytesValid 16 bytes
Dummy Message Construction:

1. Generate random payload (509 bytes)
2. Set cell command to PADDING (0x07)
3. Encrypt with current circuit keys
4. Add valid authentication tag

Result: Indistinguishable from RELAY cell to observer

Bandwidth Overhead

Privacy LevelReal TrafficPadding OverheadTotal
MinimumVariable+50%1.5x
NormalVariable+100%2x
HighVariable+200%3x
MaximumVariable+400%5x

Message Size Padding

Fixed-Size Buckets

All messages are padded to predetermined sizes:

BucketSizeTypical Content
Tiny256 bytesText ≤ 200 chars
Small1 KBText ≤ 900 chars
Medium4 KBFormatted text, small data
Large16 KBImages (thumbnail)
XLarge64 KBImages (preview)
Jumbo256 KBFull images
Stream1 MB chunksVideo, large files

Bucket Selection Algorithm

Select_Bucket(message_size):
  buckets = [256, 1024, 4096, 16384, 65536, 262144, 1048576]

  For each bucket in buckets:
    If message_size ≤ bucket:
      Return bucket

  Return STREAM_MODE (chunked)

Padding Implementation

ComponentImplementation
Padding bytesCryptographically random
Length fieldEncrypted, authenticated
Padding positionEnd of message
VerificationHMAC over original length
Pad_Message(plaintext):
  target_size = Select_Bucket(length(plaintext))
  padding_needed = target_size - length(plaintext) - 4  // 4 bytes for length

  padding = SecureRandom(padding_needed)
  length_field = Encode_U32(length(plaintext))

  Return plaintext || padding || length_field

Size Correlation Prevention

AttackWithout PaddingWith Padding
Message type inferenceHigh accuracyBucket-level only
Conversation matchingPossibleInfeasible
User identificationBy message patternsIndistinguishable

Timing Obfuscation

Random Delay Injection

Messages experience intentional random delays:

ParameterValuePurpose
Minimum delay0 msPreserve usability
Maximum delay500 msBound latency
DistributionExponentialNatural traffic pattern
Mean delay100 msBalance privacy/latency

Delay Distribution Analysis

DistributionProsConsUsed For
UniformSimpleDetectable patternNot used
ExponentialNatural, unbounded tailVariable latencyDefault
GaussianBounded, predictableTruncation artifactsHigh-priority
LaplacianPrivacy-optimalImplementation complexityResearch

Exponential Delay Implementation

Generate_Delay():
  lambda = 1 / mean_delay  // mean_delay = 100ms
  u = SecureRandom_Float(0, 1)
  delay = -ln(u) / lambda

  Return min(delay, max_delay)  // Cap at 500ms

Latency vs Privacy Tradeoff

SettingMean DelayMax DelayPrivacyUX Impact
Realtime10 ms50 msLowNone
Balanced100 ms500 msMediumMinimal
Private300 ms2000 msHighNoticeable
Maximum1000 ms5000 msVery HighSignificant

Cover Traffic Generation

Cover Traffic Principles

Cover traffic ensures observers cannot distinguish real communication:

RequirementImplementation
IndistinguishabilitySame encryption, size, timing
UnpredictabilityRandom destinations
PersistenceContinuous, not burst
AuthenticityValid circuit traversal

When Cover Traffic Is Sent

Cover Traffic Decision:

If time_since_last_send ≥ padding_interval:
  If real_message_available:
    Send real_message
  Else:
    Generate cover_traffic
    Send to random_destination
TriggerAction
Idle timeoutGenerate cover message
Below rate thresholdFill with cover traffic
App backgroundedReduced cover traffic
App foregroundedResume full rate

Distinguishing Real from Cover

From observer perspective: Impossible

PropertyReal MessageCover Message
SourceYour deviceYour device
DestinationReal recipient circuitRandom circuit
Size542 bytes542 bytes
EncryptionAES-256-GCMAES-256-GCM
TimingWithin padding windowWithin padding window
Path3-hop circuit3-hop circuit

Cover Traffic Destinations

Destination TypePercentagePurpose
Known contacts30%Hide active conversations
Random nodes50%Prevent destination analysis
Loopback circuits20%Prevent volume analysis
Select_Cover_Destination():
  r = SecureRandom_Float(0, 1)

  If r < 0.3:
    Return random_contact()
  Else If r < 0.8:
    Return random_node()
  Else:
    Return self_loopback()

3-Hop Relay Integration

Per-Hop Padding

Each relay adds its own padding layer:

HopPadding AddedPurpose
Guard+16 bytes overheadCircuit ID, command
Middle+16 bytes overheadRelay header
Exit+16 bytes overheadDestination header

Circuit-Level Timing Protection

Per-Hop Delay:

Guard Node:
  delay = Exponential(mean=30ms)
  Apply delay before forwarding

Middle Node:
  delay = Exponential(mean=30ms)
  Apply delay before forwarding

Exit Node:
  delay = Exponential(mean=30ms)
  Apply delay before delivery

Total added latency: ~90ms mean
Protection LayerMechanism
Entry timingGuard adds random delay
Transit timingMiddle adds random delay
Exit timingExit adds random delay
Aggregate3 independent delay sources

Multi-Path Routing for Large Messages

Large files are split across multiple circuits:

File SizeCircuits UsedChunks Per Circuit
≤ 256 KB1All
256 KB - 1 MB2Interleaved
1 MB - 10 MB4Round-robin
> 10 MB8Parallel streams
Multi-Path Chunking:

chunks = Split_File(file, chunk_size=64KB)
circuits = Build_Circuits(count=4)

For i, chunk in enumerate(chunks):
  circuit = circuits[i mod 4]
  Send(chunk, circuit)

Reassemble at destination using sequence numbers

Benefits of Multi-Path

BenefitDescription
Volume obfuscationSingle circuit doesn’t show total size
Timing distributionParallel paths prevent timing signature
ResiliencePartial delivery on circuit failure
BandwidthAggregate throughput of all paths

Bandwidth Considerations

Overhead Breakdown

ComponentOverheadJustification
Onion headers48 bytes/message16 bytes × 3 hops
Size padding0-100%Bucket rounding
Traffic padding50-400%Constant rate maintenance
Delay buffersVariableTiming obfuscation queuing

Total Bandwidth Multiplier

Privacy ModeMultiplierEffective Bandwidth
Economy1.5x67% of raw
Standard2.5x40% of raw
Enhanced4x25% of raw
Maximum6x17% of raw

User-Configurable Padding Levels

SettingConstant RateSize BucketsTiming Delay
OffNo paddingMinimalNone
Low1 msg/sec4 buckets50ms mean
Medium2 msg/sec7 buckets100ms mean
High5 msg/sec7 buckets200ms mean
Paranoid10 msg/sec7 buckets500ms mean

Low-Bandwidth Mode Tradeoffs

FeatureFull ModeLow-Bandwidth Mode
Cover traffic2/second0.2/second
Size paddingAll buckets4 buckets only
Timing delaysExponentialMinimal
Privacy levelMaximumReduced
VulnerabilityNoneTiming, volume analysis
Low-Bandwidth Recommendations:

If connection_type == "metered" or bandwidth < 100kbps:
  Enable low_bandwidth_mode
  Warn user about reduced privacy

If sensitive_communication:
  Recommend waiting for better connection

Effectiveness Analysis

Attacks Prevented

AttackWithout ProtectionWith ProtectionEffectiveness
Simple timing correlationTrivialInfeasible99%+
Message countingTrivialInfeasible99%+
Size-based classificationEasyBucket-level only95%+
Burst detectionEasySmoothed90%+
Long-term pattern analysisPossibleSignificantly harder80%+
Active probingPossibleDetectable70%+

Attacks Remaining Possible

AttackDifficultyMitigation
Long-term statistical analysisHardRotate circuits frequently
Intersection attackVery HardLarge anonymity set
Confirmation attackHardRequires endpoint compromise
Machine learning classificationMediumAdaptive padding algorithms
Side-channel attacksHardHardware isolation

Intersection Attack Analysis

Intersection Attack:

Observer monitors over time T
Tracks when Alice is online: Set_A
Tracks when Bob receives messages: Set_B

Intersection = Set_A ∩ Set_B

If Intersection consistently matches:
  Probable link established

Mitigation:
  - Large user base (anonymity set)
  - Cover traffic even when offline
  - Delayed message delivery

Academic Research References

PaperYearContribution
Timing Attacks on Low-Latency Anonymity Systems2014Quantified timing attack effectiveness
Website Fingerprinting Defenses2016Traffic padding strategies
Tamaraw2014Constant-rate traffic analysis defense
WTF-PAD2016Adaptive padding for Tor
TrafficSliver2020Multi-path traffic analysis resistance
DeepCorr2018ML-based correlation attacks

Protection Strength Summary

AdversaryProtection LevelNotes
Passive local observerVery StrongCannot correlate traffic
Passive global observerStrongStatistical attacks remain
Active local observerStrongProbing detectable
Active global observerMediumConfirmation attacks possible
Compromised relayStrongSingle hop reveals little
Multiple compromised relaysMediumDepends on positions

Configuration Recommendations

By Use Case

Use CasePadding LevelDelay SettingBandwidth
Casual privacyLowMinimal~1 KB/s overhead
Journalist/activistHighMaximum~10 KB/s overhead
WhistleblowerParanoidMaximum~50 KB/s overhead
General useMediumBalanced~5 KB/s overhead

By Network Condition

ConditionRecommended Setting
Unlimited broadbandMaximum privacy
Limited broadbandStandard privacy
Mobile dataLow-bandwidth mode
Metered connectionEconomy mode + warnings
Last updated on
3-Hop Relay RoutingDHT & Kademlia