Tor Project is rolling out Counter Galois Onion encryption

People who rely on Tor expect their traffic to move through the network without giving away who they are. That trust depends on the strength of the encryption that protects each hop of a circuit. Tor developers are preparing a major upgrade called Counter Galois Onion, or CGO, which replaces tor1, the relay encryption scheme that has been used at every hop of the network for many years.

Why Tor is changing how relays handle encryption

The tor1 relay encryption scheme has been in use for many years and shows its age. One long-known problem is the risk of tagging attacks. Tor1 encrypts each hop's layer with AES in counter mode, so a relay can flip chosen bits in a cell it forwards: because every layer is an XOR with a keystream, the change passes through the remaining hops unchanged, and the honest relays in between see nothing unusual. If the same attacker controls the exit relay of that circuit, the pattern reappears there and links the client seen by the first relay to the destination seen by the last. Tor developers describe this as “the most important attack we are solving with CGO.”

There are other weaknesses. Tor1 keeps the same symmetric key for each hop for the entire life of a circuit, so a relay key obtained later can decrypt any cell of that circuit that was recorded earlier; there is no forward secrecy within a circuit. It also carries only a 4-byte authenticator on each relay cell, which gives just 32 bits of integrity protection and limits how reliably tampering can be detected.
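To make the tagging attack concrete, here is an added toy model of tor1-style layered counter-mode encryption, written for this article; it is not Tor's code. A SHA-256 keystream stands in for AES-128-CTR, a truncated hash stands in for tor1's running digest, and the keys, cell layout and payload are constructed for the demo. A malicious guard XORs a one-byte pattern into a cell after peeling its own layer: the honest middle relay cannot tell, an honest exit sees a digest failure (and would tear the circuit down), and a colluding exit simply strips the pattern, recovers the cell, and has linked both ends of the circuit.

```python
"""Toy model of tor1-style relay encryption, written for this article (it is
not Tor's code). SHA-256 in counter mode stands in for AES-128-CTR, a
truncated hash stands in for tor1's 4-byte running digest, and the cell
layout, key sizes and payload are constructed for the demo."""
import hashlib
import os

DIGEST_LEN = 4          # tor1 authenticates each relay cell with only 4 bytes
PAYLOAD_LEN = 40        # toy payload size
CELL_LEN = DIGEST_LEN + PAYLOAD_LEN


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, counter, n):
    """Counter-mode keystream: hash(key || cell counter || block index)."""
    out = b""
    for block in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
    return out[:n]


def digest4(key, payload):
    """Stand-in for the 4-byte digest: only 32 bits of integrity."""
    return hashlib.sha256(b"digest" + key + payload).digest()[:DIGEST_LEN]


def client_wrap(hop_keys, counter, cell):
    """Client adds one CTR layer per hop; the guard peels the outermost one."""
    for key in reversed(hop_keys):
        cell = xor(cell, keystream(key, counter, len(cell)))
    return cell


def relay_peel(key, counter, cell):
    """A relay removes its own layer. What remains still looks random to it."""
    return xor(cell, keystream(key, counter, len(cell)))


def make_tag(value, offset):
    """Pattern the malicious guard XORs into the cell: one nonzero byte."""
    tag = bytearray(CELL_LEN)
    tag[offset] = value
    return bytes(tag)


def run_circuit(tag_pattern=None):
    """Send one cell guard -> middle -> exit. With tag_pattern the guard is
    malicious; the exit is evaluated both as honest and as colluding."""
    guard_key, middle_key, exit_key = (os.urandom(16) for _ in range(3))
    payload = b"GET / HTTP/1.1\r\nHost: a.example\r\n".ljust(PAYLOAD_LEN, b"\0")
    body = digest4(exit_key, payload) + payload      # digest is end-to-end with the exit
    cell = client_wrap([guard_key, middle_key, exit_key], 0, body)
    cell = relay_peel(guard_key, 0, cell)
    if tag_pattern is not None:
        cell = xor(cell, tag_pattern)                # the tagging step
    cell = relay_peel(middle_key, 0, cell)           # honest middle notices nothing
    seen = relay_peel(exit_key, 0, cell)             # XOR layers commute: seen == body ^ tag
    honest_exit_accepts = seen[:DIGEST_LEN] == digest4(exit_key, seen[DIGEST_LEN:])
    # A colluding exit strips the pattern before checking the digest:
    untagged = xor(seen, tag_pattern) if tag_pattern is not None else seen
    colluding_exit_recovers = (tag_pattern is not None and
                               untagged[:DIGEST_LEN] == digest4(exit_key, untagged[DIGEST_LEN:]))
    return {"body": body, "seen": seen,
            "honest_exit_accepts": honest_exit_accepts,
            "colluding_exit_recovers": colluding_exit_recovers}
```

The middle relay's view is pseudorandom bytes in both runs, which is why it cannot filter tagged cells. The real tor1 digest is a running SHA-1 over the stream together with a "recognized" field; the toy collapses that to a single truncated hash, which is enough to show that the check lives only at the end of the circuit.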

What CGO brings to the network

CGO is built on a new primitive called a rugged pseudorandom permutation (RPRP), instantiated by a construction called UIV+. This reshapes how each cell is protected as it passes from relay to relay: unlike a counter-mode stream, a cell can no longer be altered in a controlled way, because any change to its ciphertext corrupts the authentication tag it carries. The approach is designed to detect tampering more reliably and limit what an attacker can learn from any compromised keys.

Several changes stand out:

  • A 16-byte authenticator replaces the old 4-byte digest, raising the integrity margin from 32 to 128 bits.
  • Keys evolve as each cell is processed. Once a cell moves through a relay, the local key state changes, so a key captured later cannot decrypt cells that were already processed.
  • Tag chaining feeds each cell's authentication tag into the protection of the next one. If a single cell is altered, every later cell on the circuit becomes unrecoverable, so a tagged cell cannot be quietly untagged by a colluding exit; the circuit simply fails.

Together, these updates aim to raise the cost of active attacks along a circuit and strengthen the privacy protections that users depend on.
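The three properties listed above, as an added toy model written for this article. It is not Tor's or Arti's code and it is not the UIV+ construction (a wide-block tweakable cipher); it is a single relay layer built from a SHA-256 keystream and HMAC-SHA256 with a 16-byte tag, a per-cell hash ratchet for the key, and the previous cell's tag fed into the next cell. The `Layer` class, its `seal`/`open` methods, the `strict` flag and the cell contents are all constructed for the demo.

```python
"""Toy single-layer model of a full-width tag, per-cell key evolution and tag
chaining. Written for this article; it is NOT CGO or UIV+, only a
HMAC-then-ratchet sketch that exhibits the same three behaviours."""
import hashlib
import hmac
import os

TAG_LEN = 16  # CGO's 16-byte tag vs tor1's 4-byte digest


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, chain, n):
    """Keystream bound to the current key AND the previous cell's tag."""
    out = b""
    for block in range((n + 31) // 32):
        out += hashlib.sha256(b"ks" + key + chain + block.to_bytes(4, "big")).digest()
    return out[:n]


class Layer:
    """One hop's state. Sender and receiver each hold one and must stay in sync."""

    def __init__(self, key, chain=bytes(TAG_LEN)):
        self.key = key
        self.chain = chain          # tag of the previous cell; all-zero at circuit start

    def _tag(self, ct):
        return hmac.new(self.key, self.chain + ct, hashlib.sha256).digest()[:TAG_LEN]

    def _ratchet(self, tag):
        # Key evolves after every cell; the old key is not recoverable from the new one.
        self.key = hashlib.sha256(b"ratchet" + self.key + tag).digest()
        self.chain = tag            # tag chaining: the next cell depends on this tag

    def seal(self, body):
        ct = xor(body, keystream(self.key, self.chain, len(body)))
        tag = self._tag(ct)
        self._ratchet(tag)
        return ct + tag

    def open(self, cell, strict=True):
        """Return (body, tag_ok). strict=True models the end-to-end recipient,
        which stops on a bad tag; strict=False models a relay that does not
        verify and keeps ratcheting on whatever it processed."""
        ct, tag = cell[:-TAG_LEN], cell[-TAG_LEN:]
        expected = self._tag(ct)
        ok = hmac.compare_digest(tag, expected)
        if strict and not ok:
            return None, False      # real code would tear the circuit down here
        body = xor(ct, keystream(self.key, self.chain, len(ct)))
        self._ratchet(expected)     # advance on what THIS side computed
        return body, ok


def honest_path(bodies):
    key = os.urandom(32)
    s, r = Layer(key), Layer(key)
    cells = [s.seal(b) for b in bodies]
    return [r.open(c) for c in cells]


def tamper_demo(bodies, strict=True, flip_index=1):
    """Flip one ciphertext bit in cell `flip_index` in transit."""
    key = os.urandom(32)
    s, r = Layer(key), Layer(key)
    cells = [s.seal(b) for b in bodies]
    hit = bytearray(cells[flip_index])
    hit[0] ^= 0x01
    cells[flip_index] = bytes(hit)
    return [r.open(c, strict) for c in cells]


def forward_secrecy_demo(bodies):
    """Steal the receiver's CURRENT state after `bodies` were processed; it
    opens only cells sealed from then on, never the recorded earlier ones."""
    key = os.urandom(32)
    s, r = Layer(key), Layer(key)
    recorded = [s.seal(b) for b in bodies]
    for c in recorded:
        r.open(c)
    past_ok = [Layer(r.key, r.chain).open(c)[1] for c in recorded]
    future_ok = Layer(r.key, r.chain).open(s.seal(b"cell four"))[1]
    return past_ok, future_ok
```

With `strict=False` the receiver decrypts the flipped cell to garbage and, because it ratchets on the tag it computed over the altered ciphertext, every later cell fails too even though those cells were never touched. That is the chaining effect the list describes; in the real design the same desynchronisation happens in each relay's state along the circuit, not just at the recipient.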

How deployment is progressing

CGO is still under active development in both Arti, Tor's Rust-based implementation, and the C Tor codebase. It is present in Arti, though marked as experimental. Developers plan to enable it by default once testing is complete.

Work is also underway to support CGO for onion services. This addition is expected to appear first in Arti before it reaches other components. Because relays and clients need to share a common method, rollout will take time and depends on wide adoption across the network.

The Tor Project notes that CGO is a new design and invites scrutiny. The developers write, “It is reasonable to ask whether there could be weaknesses in it,” while also describing the steps taken to evaluate the construction.

CGO represents one of the most significant changes to Tor’s core cryptography in years. As development continues, users and operators should watch for upcoming releases and prepare for the transition once CGO is ready for general use.
