Tor Switches to Counter Galois Onion Encryption Algorithm

The Tor Project has announced implementation of a new traffic encryption algorithm called Counter Galois Onion (CGO), which will replace the outdated tor1 cipher. The upgrade aims to strengthen the network's defense against current data interception methods and enhance user anonymity.

Per the project team, tor1 was developed when cryptographic standards were less mature. Modern analysis has exposed several weaknesses in the legacy algorithm's design.

Security Weaknesses in tor1

The primary vulnerability in tor1 stems from its use of AES-CTR encryption without authentication between nodes. This architecture leaves traffic exposed to tagging attacks—a technique where an attacker controlling multiple nodes can modify data and track predictable changes as packets traverse the network.

Additionally, tor1 implements only partial forward secrecy. The algorithm uses the same AES keys throughout a circuit's entire lifetime, meaning all traffic can be decrypted if these keys are compromised. The algorithm also employs a 4-byte SHA-1 digest for block authentication, creating a one-in-four-billion probability that an attacker could successfully forge a block.

CGO's Security Improvements

The new CGO algorithm is built on a cryptographic construction called UIV+ (a Rugged Pseudorandom Permutation, or RPRP) and has been verified against current security requirements. CGO provides several key enhancements:

Protection Against Tagging Attacks: CGO uses wide-block encryption combined with a chain of tags. Any modification attempt makes the current block and all subsequent blocks unrecoverable, completely neutralizing tagging attacks.

Immediate Forward Secrecy: Keys update after each block, ensuring that compromised current keys cannot decrypt past traffic.

Stronger Authentication: SHA-1 has been removed entirely from relay encryption. Instead, CGO uses a 16-byte authenticator—what the developers describe as the standard "sensible people rely on."

Block Interdependency: CGO links encrypted tags (T') and initial nonces (N) between data blocks. Each block depends on all previous blocks, making undetectable forgery impossible.

Implementation Timeline

The developers note that CGO addresses tor1's critical vulnerabilities without significant performance penalties. The algorithm represents a modern approach based on current cryptographic research.

Integration work for CGO is underway in both the Tor C implementation and the Arti Rust client, though the feature currently has experimental status. Developers are still configuring negotiation protocols for onion services and optimizing performance. The transition to CGO will occur automatically once the full rollout is complete, but precise timelines for when CGO becomes the default standard have not been announced.