Tor Integration

Network anonymity without installing a separate Tor browser.

How Tor Is Embedded

RVNT embeds the arti Tor client directly into the application. Arti is the official Rust implementation of the Tor protocol, developed by the Tor Project. There is no dependency on the C tor binary, no external Tor Browser, and no system-wide Tor service. RVNT manages its own Tor circuits internally.

Dependency: arti-client (Rust crate)
Version:    Latest stable (pinned in Cargo.lock)
Features:   onion-service-client, onion-service-service
Transport:  SOCKS5 proxy interface (internal, not exposed)
Storage:    Tor state cached in app data directory (encrypted)

Initialization (first launch):
  1. Download Tor consensus document (~2 MB)
  2. Cache relay descriptors (~5 MB)
  3. Select guard nodes (persistent across sessions)
  4. Build initial circuits (2-3 circuits pre-built)
  5. Time to first circuit: ~5-15 seconds

Subsequent launches:
  1. Load cached consensus (if < 3 hours old)
  2. Refresh consensus in background
  3. Reconnect to guard nodes
  4. Time to first circuit: ~2-5 seconds

Circuit Establishment

A Tor circuit is a path through multiple Tor relays, each of which peels one layer of encryption (hence "onion routing"). RVNT builds circuits for different purposes:

Standard Mode: 3-Hop Circuits

Your device → Guard → Middle → Exit → Destination

Guard node:
  - First hop in the circuit
  - Knows your IP address
  - Does NOT know the destination
  - Persistent: same guard used for weeks/months
    (prevents Sybil-based guard rotation attacks)

Middle node:
  - Second hop
  - Does NOT know your IP (sees guard's IP)
  - Does NOT know the destination (sees exit's IP)
  - Rotated frequently

Exit node:
  - Final hop before the destination
  - Knows the destination
  - Does NOT know your IP (sees middle's IP)
  - Only relevant for clearnet destinations
    (not used for .onion hidden services)

No single relay knows both the source (your IP) and
the destination. This is the core anonymity property.

Maximum Privacy Mode: 5-Hop Circuits

Your device → Guard → Middle1 → Middle2 → Middle3 → Exit → Destination

Additional properties:
  - Two extra middle relays increase the cost of traffic correlation
  - Each hop adds ~100-300ms latency
  - Total latency: ~500ms-1500ms per circuit
  - Used when maximum anonymity is more important than latency
  - Cover traffic is increased (1 dummy message per 15-30 seconds)

When to use 5-hop mode:
  - Operating in a hostile network environment
  - Communicating from a country with pervasive surveillance
  - When timing correlation by a nation-state is a realistic threat
  - When you can tolerate higher latency for stronger anonymity

When Tor Is Used

OperationStandard ModeMax Privacy ModeTor Disabled
Identity server (key bundle fetch) 3-hop circuit 5-hop circuit Direct HTTPS
DHT queries 3-hop circuit 5-hop circuit Direct QUIC
Peer-to-peer messaging 3-hop circuit 5-hop circuit Direct QUIC
Bootstrap node connection 3-hop circuit 5-hop circuit Direct QUIC
Local network peers (LAN) Direct (no Tor) Direct (no Tor) Direct
Offline mesh (Bluetooth/WiFi) Direct (no Tor) Direct (no Tor) Direct

Local network and mesh connections do not use Tor because the peer is physically proximate -- Tor would add latency without meaningful anonymity benefit (the peer already knows you are nearby).

Hidden Services (.onion)

When both the sender and recipient are using Tor, RVNT can operate as a Tor hidden service. In this mode, neither party's IP address is ever exposed to any relay:

Hidden service connection:

  Alice (client)                                    Bob (hidden service)
       |                                                 |
       |→ Guard_A → Mid_A → Rendezvous ← Mid_B ← Guard_B ←|
       |                        ↕                        |
       |              Introduction Point                 |
       |                                                 |

  1. Bob publishes a hidden service descriptor to the Tor network
     (encrypted, uploaded to HSDir nodes)
  2. Alice fetches Bob's descriptor using his .onion address
  3. Alice builds a circuit to a Rendezvous Point (RP)
  4. Alice sends a RENDEZVOUS1 cell to Bob via his Introduction Point
  5. Bob builds a circuit to the same RP
  6. Alice and Bob communicate through the RP
  7. Neither Alice nor Bob reveals their IP to the RP

Properties:
  - Alice does not know Bob's IP
  - Bob does not know Alice's IP
  - The RP does not know either party's IP
  - No exit node is involved (traffic stays within Tor)
  - 6 total hops (3 on each side)

What Tor Hides

InformationHidden FromMechanism
Your IP address Destination server, middle/exit relays Onion routing (only guard knows your IP)
Destination Your ISP, guard relay Onion routing (only exit knows destination)
Message content All relays End-to-end encryption (RVNT layer, independent of Tor)
That you are using RVNT Destination, middle/exit relays Tor wrapping (traffic looks like generic Tor traffic)

What Tor Does NOT Hide

InformationVisible ToMitigation
That you are using Tor Your ISP, local network observer Pluggable transports (obfs4, meek) -- planned
Your IP address Guard relay Guard relay selection is persistent (reduces exposure)
Traffic volume Your ISP (encrypted, but visible volume) Cover traffic normalizes volume
Timing patterns Global passive adversary (theoretical) Mixnet batching, random delays, cover traffic
Tor is not magic. A sufficiently resourced adversary (nation-state with ISP-level access on both ends of the circuit) can potentially perform traffic correlation attacks. Tor increases the cost of such attacks enormously but does not make them impossible. RVNT's cover traffic and mixnet batching add additional defense layers. See the threat model for honest limitations.

Pluggable Transports (Planned)

In countries that block Tor, RVNT plans to support pluggable transports that disguise Tor traffic as ordinary HTTPS:

Planned transports:
  obfs4:  Scrambles Tor traffic to look like random noise
  meek:   Tunnels Tor through CDN fronts (Amazon, Azure, Google)
  snowflake: Uses WebRTC peers as Tor bridges

Status: Not yet implemented. Priority for users in censored regions.

Performance Impact

Latency overhead (approximate):
  No Tor:          ~10-50ms   (direct connection)
  3-hop standard:  ~200-800ms (typical Tor circuit)
  5-hop max priv:  ~500-1500ms (extended circuit)
  Hidden service:  ~800-2000ms (6 total hops)

Bandwidth overhead:
  Tor cell size:   514 bytes (fixed)
  Tor header:      ~5% overhead on message data
  Cover traffic:   ~1-5 KB/minute (standard mode)
                   ~5-20 KB/minute (max privacy mode)

Circuit lifetime:
  Messaging circuits: Rotated every 10 minutes
  HSDir circuits:     Rotated per lookup
  Guard selection:    Persistent for 2-3 months

Further Reading

Last updated: 2026-04-12

RVNT Documentation — Post-quantum encrypted communications