Tor switches to Counter Galois Onion: a major encryption upgrade for enhanced security

The Tor anonymity network’s development team has disclosed a significant upgrade to the way user data is encrypted as it traverses the network’s relays. The legacy “tor1” scheme, originally introduced in 2002, relies on AES‑128‑CTR and short 4‑byte SHA‑1 authenticators, both of which have become vulnerable to modern attacks such as traffic‑marking. In a marking attack, an adversary alters traffic at one point in the network and watches for predictable changes elsewhere, allowing them to link a user’s unique identifier without needing to solve probabilistic puzzles.

The new protocol, dubbed Counter Galois Onion (CGO), builds on a cryptographic construction called Rugged Pseudorandom Permutation, devised by Jean‑Paul Degabriele, Alessandro Melloni, Jean‑Pierre Münch, and Martijn Stam. CGO replaces the mutable AES keys with keys that are irrevocably transformed after each cell is sent or received, and expands the authenticator to 16 bytes (128 bits). This design guarantees immediate persistent confidentiality: any tampering with a portion of an encrypted cell renders the entire cell, and any subsequent cells, unrecoverable, effectively neutralizing marking attacks.

The transition is already underway in Arti, Tor’s Rust implementation, and work is progressing on integrating CGO into the classic C‑based codebase. While the upgrade promises stronger forward secrecy and resistance to replay or modification attempts, the Tor team has not yet announced a rollout schedule for the Tor Browser itself. Users can expect the change to roll out gradually as the updated relay software propagates through the network.