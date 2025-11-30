Tor dumps tor1 and moves to a stronger, research-driven relay encryption system

CGO introduces modern protections that block tagging attacks across the network

Wide-block encryption makes modified cells unrecoverable and stops predictable interception attempts

Tor has introduced a new relay encryption system called Counter Galois Onion (CGO) to replace the older tor1 algorithm.

The change is intended to make the network more resilient against modern interception techniques that could compromise user privacy.

CGO is built on a Rugged Pseudorandom Permutation called UIV+, designed by cryptography researchers to meet rigorous security requirements.

Addressing vulnerabilities in tor1

Tor reports this system has been verified for tagging resistance, forward secrecy, longer authentication tags, and efficient operation without adding significant bandwidth overhead.

The previous tor1 relay encryption had multiple weaknesses by modern standards, mainly as it relied on AES-CTR encryption without hop-by-hop authentication, allowing a potential adversary controlling relays to modify traffic predictably, creating tagging attack opportunities.

It also reused AES keys throughout a circuit, offering only partial forward secrecy, and used a 4-byte SHA-1 digest for authentication, giving a small chance that a forged cell could go undetected.

Tor maintains while only the first issue is critical, all three represent areas requiring improvement as cryptography standards evolve.

CGO introduces wide-block encryption and tag chaining, which renders modified cells and future traffic unrecoverable, effectively blocking tagging attacks.

The keys are updated after each cell to prevent decryption of past traffic even if current keys are exposed.

SHA-1 has been removed entirely and replaced with a 16-byte authenticator, enhancing overall security.

Circuit integrity is strengthened by chaining encrypted tags and nonces across cells, making any tampering immediately detectable.

Tor emphasizes these measures address previous weaknesses while maintaining reasonable performance.

The CGO system is being integrated into both the C Tor implementation and the Rust-based Arti client.

The feature is currently experimental, with additional work planned for onion service negotiation and performance optimization.

Tor Browser users do not need to take any action to benefit from CGO, as the update will apply automatically once the system is fully deployed.

A timeline for when CGO will become the default encryption method has not yet been announced.

