Tor Replaces Old Encryption — Counter Galois Onion (CGO) Now Active

The Tor Project has rolled out a major upgrade to its core relay-encryption system, replacing the old “tor1” algorithm with a modern new scheme called Counter Galois Onion (CGO). This change aims to make Tor’s network much more resistant to attacks that threaten user anonymity.

The previous encryption method (tor1) had been used for many years but carried serious weaknesses:

• An attacker controlling one relay could tweak encrypted traffic (“tagging attacks”) and later observe it on another relay — potentially linking a user’s identity to their activity.
• The same encryption key was used for the entire duration of a circuit. If that key were compromised, all past traffic could be decrypted — meaning poor “forward secrecy.”
• Integrity checks were weak: a small 4-byte digest was used to detect tampering, making it easier for attackers to forge or manipulate data stealthily.

What CGO Changes

CGO introduces strong cryptographic protections designed for modern threat environments:

• It treats each “cell” of traffic between relays as an atomic, encrypted block. If any bit is altered, the entire block becomes unreadable — meaning tampering is immediately detectable.
• Each cell is linked cryptographically to the previous one (“tag chaining”) and keys are updated continuously. This adds forward secrecy: even if current keys get exposed, past traffic stays safe.
• Authentication is strengthened: the outdated 4-byte digest is replaced with a 16-byte authentication tag, making forgery far more difficult.

CGO is already implemented in Tor’s newer Rust-based client (called Arti), and work is underway to integrate it into the legacy C-based Tor implementation to ensure compatibility. Once relay operators adopt CGO network-wide, this upgrade will significantly improve Tor’s resilience against active de-anonymization attacks.

The Tor Project acknowledges that CGO is new and invites further scrutiny from cryptographers — but considers it a major step forward in hardening the network’s core encryption against powerful attackers.