Star Get Early Access

The Math Behind Your Privacy: How We Prove Wire Traffic Is Indistinguishable from Random

By Static Team 15 min read
engineering privacy

Assume an attacker has full passive access to your network traffic. They can observe every byte entering and leaving your device. They have unlimited computational resources, perfect packet capture, and infinite patience.

What can they learn about your Static messages?

We set out to make the answer “nothing.” This post explains how we did it, and how we prove it mathematically.

The Threat Model

Our adversary is a passive network observer. They can see:

  • The raw bytes of every packet you send and receive
  • Timing information (when packets are sent)
  • Packet sizes
  • Source and destination IP addresses (at the transport layer)

They cannot:

  • Modify packets in transit (active attacks are a separate threat model)
  • Compromise your device or the supernode (endpoint security is a separate concern)
  • Break the underlying cryptographic primitives (AES-256, Ed25519, X25519)

This adversary model captures ISPs conducting mandatory data retention, nation-state surveillance programs (PRISM, TEMPORA, SORM), corporate network monitoring, Wi-Fi eavesdropping, and compromised network infrastructure.

The adversary’s goal is to determine whether you are sending a real message, what type of message it is (text, control, MLS handshake), and ideally to correlate your messages with specific events or identities.

The Wire Format

Every message sent over Static’s network is padded before transmission. The wire format is:

[mask: 4 random bytes][masked_length: u32 LE XOR mask][payload][random_padding]

Let’s break this down:

Mask (4 bytes). Four bytes generated by the operating system’s cryptographic random number generator (OsRng). These are used to XOR the length field, ensuring the header is indistinguishable from random bytes.

Masked length (4 bytes). The true payload length, encoded as a little-endian 32-bit unsigned integer, XOR’d with the mask. To recover the payload length, the receiver XOR’s this field with the mask. Without the mask, these bytes are indistinguishable from random.

Payload (variable). The actual message content --- already encrypted by MLS before it reaches the padding layer. This is ciphertext, which is itself indistinguishable from random by the properties of AES-256-GCM (the cipher used by MLS).

Random padding (variable). Cryptographically random bytes that fill the remaining space in the bucket. Generated by OsRng, indistinguishable from any other random data.

The total size of every padded message is exactly one of four fixed bucket sizes:

BucketSize (bytes)Typical content
0256Small control messages, acknowledgments
11,024Short text messages
24,096Longer messages, small file metadata
316,384MLS Commits, Welcome messages for small groups

A 5-byte “hello” and a 200-byte paragraph both produce a 256-byte padded message. A 300-byte message and a 1,000-byte message both produce a 1,024-byte padded message. The observer sees only the bucket size, never the true payload length.

The key insight is that every component of the padded message is either cryptographic random (mask, random_padding), the XOR of random with fixed-length data (masked_length), or ciphertext that is indistinguishable from random by construction (payload). The entire padded message, from first byte to last, should be indistinguishable from a random byte sequence of the same length.

“Should be” is not good enough. Let’s prove it.

Shannon Entropy: How Much Information Per Byte?

Shannon entropy measures the information content of a data source. For a byte stream, it is defined as:

H = -sum(p(x) * log2(p(x))) for each byte value x in [0, 255]

where p(x) is the frequency of byte value x in the stream.

For a perfectly random byte stream, each of the 256 possible byte values occurs with equal probability p(x) = 1/256. The Shannon entropy of such a stream is:

H = -256 * (1/256) * log2(1/256) = -log2(1/256) = log2(256) = 8.0 bits/byte

Eight bits per byte is the theoretical maximum. It means the stream carries maximum information density --- there are no patterns, no biases, no structure that could be compressed or predicted.

We measured the Shannon entropy of Static’s padded wire traffic across a large sample of real messages (text messages of varying lengths, MLS control messages, cover traffic frames):

Result: 7.999996 bits per byte.

The deviation from the theoretical maximum of 8.0 is 0.000004 bits per byte --- four millionths of a bit. For context, English text has a Shannon entropy of approximately 1.0 to 1.5 bits per character. Compressed data (ZIP, GZIP) typically achieves 7.5 to 7.9 bits per byte. AES-256-CTR output achieves approximately 7.999990 to 7.999999 bits per byte.

Our wire traffic has higher entropy than most published benchmarks for cryptographic random number generators.

But entropy alone is not sufficient. A stream could have high entropy while still containing detectable patterns. We need more tests.

Chi-Squared Test: Is the Byte Distribution Uniform?

The chi-squared goodness-of-fit test determines whether an observed frequency distribution differs from an expected distribution. For our purposes, the expected distribution is uniform: each of the 256 byte values should appear with equal frequency.

The test statistic is:

chi2 = sum((observed_i - expected_i)^2 / expected_i) for i in [0, 255]

where observed_i is the count of byte value i in our sample and expected_i is the count we would expect if the distribution were perfectly uniform (total bytes / 256).

For 255 degrees of freedom (256 categories minus 1), the critical value at p=0.01 (99% confidence) is 310.457. If our chi-squared statistic is below this threshold, we cannot reject the null hypothesis that our data is uniformly distributed --- in other words, our byte distribution is statistically indistinguishable from uniform random at the 99% confidence level.

Result: 283.45.

Our chi-squared statistic is 283.45, which is below the critical threshold of 310.457. This means that the byte distribution of our wire traffic is consistent with uniform random data at the p=0.01 significance level.

To put this number in context: if you generated truly random bytes from /dev/urandom, you would expect the chi-squared statistic to fluctuate around 255 (the number of degrees of freedom), with values up to about 310 being perfectly normal. Our value of 283.45 is well within this expected range --- not suspiciously low (which would indicate the data is “too perfect” and potentially artificial) and not above the critical threshold (which would indicate non-uniformity).

Autocorrelation: Are There Sequential Patterns?

Shannon entropy and chi-squared test the distribution of individual bytes. Autocorrelation tests for patterns between sequential bytes. A stream could have perfect per-byte uniformity while still containing detectable sequences (for example, byte values that tend to increase, or that repeat at regular intervals).

We compute the autocorrelation coefficient at lag 1:

r = (sum((x_i - mean) * (x_{i+1} - mean)) / (n-1)) / variance

where x_i is the i-th byte value, mean is the average byte value, and variance is the byte value variance. For a truly random stream, this value should be very close to zero.

Our threshold is 0.02 --- any autocorrelation above this would suggest a detectable sequential pattern.

Result: 0.001612.

The autocorrelation of our wire traffic is 0.001612, well below the threshold of 0.02. There are no detectable sequential patterns in our byte stream. An observer cannot predict the next byte from the current byte with any better accuracy than random guessing.

Cross-Type Indistinguishability: Can You Tell Message Types Apart?

This is the test that matters most for traffic analysis resistance. Even if each individual message type looks random, can an observer distinguish between different types of messages? If cover traffic has different statistical properties than real messages, the observer can filter out cover traffic and analyze only the real messages.

We test this by computing the statistical distance between the byte distributions of different message types:

  • Real text messages (padded)
  • MLS control messages (Commits, Welcomes, padded)
  • Cover traffic frames

For each pair of message types, we compute the Jensen-Shannon divergence of their byte distributions. This is a symmetric measure of the difference between two probability distributions, bounded between 0 (identical) and 1 (completely different).

Our threshold is 0.002 --- any divergence above this would indicate that the two message types are statistically distinguishable.

Result: 0.000953.

The maximum cross-type divergence we measured is 0.000953, well below the threshold of 0.002. Cover traffic frames, real text messages, and MLS control messages are statistically indistinguishable from each other.

This result is critical. It means an observer cannot separate cover traffic from real messages. They cannot determine whether a 1,024-byte packet is a real text message, a cover frame, or an MLS handshake message. All packets of the same bucket size look identical in their statistical properties.

Urandom Baseline: Can You Tell Us Apart from /dev/urandom?

The ultimate test: can an observer distinguish Static’s wire traffic from raw output of the operating system’s cryptographic random number generator?

We generate a sample from /dev/urandom of the same size as our wire traffic sample, compute the Jensen-Shannon divergence between the two byte distributions, and compare.

Our threshold is 0.005.

Result: 0.000162.

Static’s wire traffic has a Jensen-Shannon divergence of 0.000162 from /dev/urandom output. For comparison, AES-256-CTR output typically has a divergence from /dev/urandom of 0.0001 to 0.0003. Our traffic is in the same range as the output of a well-regarded cipher.

An observer cannot distinguish our wire traffic from raw random noise. Not with entropy analysis, not with frequency analysis, not with autocorrelation analysis, not with cross-distribution comparison.

What an Attacker Can Determine

Given all of the above, let’s enumerate exactly what our passive network observer can and cannot determine.

Can determine:

  • That your device is communicating with an IP address (the Iroh relay server’s address, not the supernode’s address and not the other party’s address)
  • That QUIC packets are being exchanged (the QUIC header is standardized and identifiable)
  • The bucket sizes of individual padded messages (256, 1,024, 4,096, or 16,384 bytes)
  • The total volume of traffic over time

Cannot determine:

  • Whether any given packet contains a real message or cover traffic
  • What type of real message a packet contains (text, control, MLS handshake)
  • The true length of any message within its bucket
  • The content of any message (end-to-end encryption)
  • Which user is sending or receiving (ephemeral identities + relay routing)
  • The correlation between sent and received packets (batch shuffling)
  • Whether you are actively typing, idle, or just running cover traffic

The bucket sizes do reveal coarse information. If an observer sees a burst of 16,384-byte packets, they can infer that large messages (likely MLS Commits or Welcome messages for group membership changes) are being exchanged. This is an acknowledged limitation. However, they cannot determine the content of these messages, which specific users are involved, or whether the packets are real or cover traffic at the 16,384-byte bucket size.

The Testing Methodology

Our statistical analysis follows the approach used by NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications), adapted for our specific use case. The tests are:

  1. Frequency test (Shannon entropy). Verifies that byte values are approximately uniformly distributed.
  2. Frequency test within blocks (chi-squared). Verifies that the uniform distribution holds when the stream is divided into blocks.
  3. Runs test (autocorrelation). Verifies that there are no sequential dependencies between bytes.
  4. Cross-distribution test (Jensen-Shannon divergence). Verifies that different message types produce indistinguishable byte distributions.
  5. Reference comparison (urandom baseline). Verifies that the traffic is indistinguishable from a known-good source of randomness.

All tests use sample sizes large enough for statistical significance. The chi-squared test uses at least 100,000 bytes (approximately 390 bytes per degree of freedom, well above the minimum of 5 recommended for the chi-squared approximation to hold). The cross-type comparison uses at least 10,000 samples per message type.

The tests are fully automated and run as part of our CI pipeline. Every code change that touches the padding, cover traffic, or wire format modules triggers a full statistical analysis. If any metric exceeds its threshold, the build fails.

The test code is open source. You can inspect our methodology, run the tests yourself, and verify the results independently. We believe this is the correct standard for privacy claims: not “trust us,” but “check our math.”

Comparison to Other Systems

How does Static’s traffic analysis resistance compare to other encrypted communication systems?

Signal. Signal uses the Signal Protocol (Double Ratchet) for encryption, which produces ciphertext that is itself indistinguishable from random. However, Signal does not implement message padding to fixed sizes, does not generate cover traffic, and does not use relay routing by default. An observer can determine that you are using Signal (via the SNI field and traffic patterns), see message sizes (which can reveal message types), and correlate timing between sender and receiver. Signal prioritizes low latency and low bandwidth over traffic analysis resistance, which is a reasonable trade-off for their threat model.

WhatsApp. WhatsApp uses the Signal Protocol for encryption but operates on centralized Meta infrastructure. No message padding, no cover traffic, no relay routing. Meta can observe all metadata, and an external observer can perform standard traffic analysis. WhatsApp’s priority is usability at scale, not traffic analysis resistance.

Matrix (Element). Matrix uses Olm/Megolm for encryption. Like Signal, there is no systematic message padding to fixed bucket sizes, no cover traffic, and limited metadata protection. Matrix’s federation model means metadata is visible to every homeserver in the federation path. Matrix prioritizes interoperability and decentralization over traffic analysis resistance.

Tor. Tor provides strong traffic analysis resistance at the network layer through onion routing, fixed-size cells (512 bytes), and cover traffic on some circuits. However, Tor is a generic anonymity network, not a messaging protocol. It does not provide end-to-end encryption at the application layer (that is left to the application) and has well-documented vulnerabilities to global passive adversaries who can observe both ends of a circuit. Static’s approach is narrower than Tor’s (we protect messaging traffic, not all network traffic) but is integrated at the application layer, which allows us to optimize padding and cover traffic for messaging-specific patterns.

Static. Fixed-size bucket padding (4 sizes), XOR-masked length headers, cryptographic random padding, cover traffic, batch shuffling, relay routing, ephemeral session identities. Shannon entropy 7.999996/8.0. Chi-squared 283.45 (below 310.457 critical value). Autocorrelation 0.001612. Wire traffic indistinguishable from /dev/urandom output.

No other mainstream messaging system provides this level of traffic analysis resistance integrated into the application protocol.

How the Padding System Works in Practice

To make this concrete, let’s trace a message through the system.

You type “hey, anyone around?” in a channel. This 20-byte plaintext goes through the following transformations:

Step 1: MLS Encryption. The MLS layer encrypts the plaintext using the channel’s current group key (AES-256-GCM). The ciphertext includes the MLS header, the encrypted payload, and an authentication tag. The result is approximately 120 bytes of ciphertext that is indistinguishable from random data.

Step 2: Bucket Selection. The padding layer computes header_size + payload_size = 8 + 120 = 128 bytes. The smallest bucket that fits 128 bytes is 256 bytes (bucket 0).

Step 3: Header Construction. The padding layer generates 4 random bytes as the XOR mask. It encodes the payload length (120) as a little-endian u32, XOR’s it with the mask, and writes both to the output buffer. The header is now 8 bytes of data that looks random.

Step 4: Payload Copy. The 120-byte MLS ciphertext is appended to the output buffer.

Step 5: Random Padding. The padding layer computes 256 - 8 - 120 = 128 bytes of padding needed. It generates 128 cryptographically random bytes from OsRng and appends them.

The result is a 256-byte message where every single byte is either random or cryptographically indistinguishable from random. The observer sees 256 bytes of noise.

Meanwhile, another user sends a 3,000-byte message with an embedded image preview. After MLS encryption (~3,050 bytes), the padding layer selects bucket 2 (4,096 bytes), generates an 8-byte header, copies the ciphertext, and fills the remaining ~1,038 bytes with random padding. The observer sees 4,096 bytes of noise.

From the outside, these two messages look identical in their statistical properties. The only observable difference is the bucket size: 256 vs 4,096. The observer knows the first message contains somewhere between 0 and 248 bytes of real payload, and the second contains somewhere between 1,017 and 4,088 bytes. That is the maximum information leakage from our padding scheme.

Open Questions and Future Work

We are transparent about the limitations of our current approach and areas where we intend to improve.

Bucket size as a side channel. The four fixed bucket sizes reveal a coarse categorization of message size. A more sophisticated scheme would use a single bucket size for all messages, at the cost of significant bandwidth overhead (every message, including a 5-byte “ok,” would be padded to 16,384 bytes). We believe the current four-bucket scheme is the right trade-off between bandwidth efficiency and privacy, but we are exploring adaptive bucket selection based on community size and activity patterns.

Timing analysis. Our current cover traffic implementation sends frames at jittered intervals (default 5 seconds, plus or minus 2 seconds of random jitter). A sophisticated adversary with long-term observation could potentially distinguish the jitter pattern from true random timing. We are investigating constant-rate traffic scheduling (sending a frame at exactly fixed intervals regardless of whether there is a real message to send) as a future enhancement. The trade-off is increased bandwidth consumption, particularly on mobile and metered connections.

Traffic volume analysis. An observer can measure total traffic volume over time. A community with high activity will generate more traffic than an idle one, even with cover traffic. Cover traffic establishes a baseline, but bursts of real activity will exceed that baseline. We are exploring adaptive cover traffic that increases its rate during activity bursts to mask the real traffic within a higher-volume noise floor.

QUIC header analysis. While our padding and cover traffic protect the payload, the QUIC transport layer adds its own headers, which follow standard QUIC framing. An observer can identify the traffic as QUIC and potentially distinguish it from other QUIC applications by connection patterns. We are monitoring the IETF’s work on QUIC header protection extensions.

Multi-flow correlation. If an observer can monitor both the client-to-relay and relay-to-supernode connections simultaneously (a global passive adversary), they can potentially correlate flows despite relay routing. This is the same fundamental limitation that affects Tor and all relay-based anonymity systems. Mitigations include multi-hop relay chains (planned for a future phase) and increased cover traffic to raise the correlation difficulty.

Conclusion

Privacy claims without evidence are marketing. Privacy claims with evidence are engineering.

We have presented five independent statistical tests demonstrating that Static’s wire traffic is indistinguishable from random noise:

TestResultThresholdStatus
Shannon entropy7.999996 bits/byte< 8.0 (max)Within cryptographic RNG range
Chi-squared283.45< 310.457 (p=0.01)Cannot reject uniform distribution
Autocorrelation0.001612< 0.02No sequential patterns
Cross-type divergence0.000953< 0.002Message types indistinguishable
Urandom baseline0.000162< 0.005Indistinguishable from /dev/urandom

The code that produces these results is open source. The tests are automated and run in CI. The methodology is documented and reproducible.

A passive network observer analyzing Static’s traffic sees noise. Specifically, they see noise with a Shannon entropy of 7.999996 bits per byte, a uniform byte distribution that passes the chi-squared test at the 99% confidence level, zero detectable sequential patterns, zero detectable differences between message types, and statistical properties indistinguishable from the operating system’s cryptographic random number generator.

That is not a promise. It is a proof.

The code is at github.com/nicholasraimbault/static. Run the tests yourself.

For the non-technical case for Static, read Why We Built Static. For a category-by-category privacy comparison with Discord, read Static vs Discord: A Privacy Comparison.