The Tor Project has announced an upgrade to the anonymity network’s core cryptographic design, replacing the long-standing tor1 relay encryption system with a new scheme called Counter Galois Onion (CGO).
According to The Tor Project’s announcement, tor1 dates back to a time when cryptographic tools were far less advanced. Modern standards have evolved significantly, and the older design no longer meets contemporary security expectations.
Tor1 relied on AES-CTR encryption without hop-by-hop authentication, making relay traffic malleable. Attackers controlling multiple relays could subtly alter traffic and observe predictable outcomes in a form of tagging attack.
“An attacker can use this attack to ensure that they control both ends of the circuit. They XOR a pattern onto a cell at one end, and then see if any garbled cells at the other end become clear when whey remove that same pattern. Any circuits with an honest endpoint will fail (and not be deanonymized), but the client will retry them until they eventually choose a malicious endpoint,” The Tor Project explained.
The new CGO design is based on a Rugged Pseudorandom Permutation (RPRP) construction called UIV+.
CGO introduces wide-block encryption and tag chaining to thwart tagging attacks, ensuring that any unauthorized modification renders the entire cell stream unrecoverable. It also updates cryptographic keys after every cell, providing strong forward secrecy even if a key is compromised. SHA-1 is removed completely from relay encryption, replaced with a 16-byte authenticator that offers significantly stronger protection. Additionally, the chaining of encrypted tags and nonces ensures that each packet in a circuit depends on all previous ones, enhancing tamper resistance.
Work is already underway to integrate CGO into both Tor’s C implementation and its Rust-based client Arti. The feature is currently marked experimental and there’s no timeline then the new function will be the default option for users.