The Tor Project has announced a significant cryptographic overhaul, retiring its legacy relay encryption algorithm after decades of service and replacing it with Counter Galois Onion (CGO).
This research-backed encryption design defends against a broader class of sophisticated online attackers.
Tor’s relay encryption serves a specialized function distinct from the standard TLS protocol used between relays and clients.
This algorithm encrypts user data as it traverses multiple relays in a circuit, with clients sharing symmetric keys with each relay and progressively removing encryption layers.
The current system, now designated “tor1,” dates back to Tor’s early years when modern cryptographic practices were still emerging.
While functional, tor1’s design exhibits several vulnerabilities that researchers have successfully exploited in controlled settings.
Critical Vulnerabilities Addressed
The most severe threat is tagging attacks, in which active adversaries modify encrypted traffic at a single network point and observe predictable changes elsewhere.
Tor1’s reliance on AES-128-CTR encryption without hop-by-hop authentication creates a malleable ciphertext.
Attackers can XOR patterns into encrypted cells, knowing that modifications will persist through decryption layers.
By controlling both circuit endpoints, adversaries can inject identifiers such as IP addresses that traverse the entire path undetected.
This represents an “Internal Covert Channel” attack, enabling definite deanonymization before any application traffic flows.
Beyond tagging vulnerabilities, tor1 suffers from limited forward secrecy. Keys persist throughout a circuit’s lifetime, meaning stolen keys compromise all historical traffic.
The algorithm also employs only a 4-byte authentication digest roughly a 1-in-4-billion forgery probability relying on path-bias detection rather than cryptographic strength.
Additionally, tor1 uses SHA-1, an increasingly compromised hashing function.
Developed by cryptographers Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam, CGO implements a Rugged Pseudorandom Permutation (RPRP) construction explicitly designed for Tor’s asymmetric encryption model.
Unlike full Strong Pseudorandom Permutations, which require two passes over the data, the UIV+ foundation enables one-directional tagging resistance at reduced computational cost.
Originating a CGO message
CGO addresses all identified vulnerabilities. Wide-block construction ensures that any tampering renders the entire message unrecoverable.
Chaining authentication tags across cells means that single-cell modifications garble all subsequent messages.
Immediate forward secrecy is provided by the Update algorithm, which irreversibly transforms keys after each cell, preventing decryption of historical traffic. Authentication now uses a robust 16-byte authenticator, replacing the deprecated digest.
The Tor Project has implemented CGO in Arti (Rust) and in C for relay compatibility. Development required extensive refactoring to eliminate assumptions about relay cell structure.
Next steps include enabling CGO by default in Arti, implementing onion service negotiation protocols, and optimizing performance for modern CPUs.
While CGO represents a relatively new cryptographic design still undergoing academic scrutiny, researchers emphasize that identified weaknesses are unlikely to exceed tor1’s vulnerabilities.
Adoption means a methodical progression toward stronger anonymity protections for millions of Tor users worldwide.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Tor Adopts Galois Onion Encryption to Strengthen Defense Against Online Attacks appeared first on Cyber Security News.
