The Tor Project has initiated a critical cryptographic overhaul of its anonymity network, replacing its legacy “tor1” relay encryption algorithm with a new research-backed protocol designated “Counter Galois Onion” (CGO). Announced in late November 2025, this transition addresses structural vulnerabilities in the network’s original design that allowed sophisticated adversaries to potentially de-anonymize users through traffic manipulation. The new system is built on a “Rugged Pseudorandom Permutation” (RPRP) construction known as UIV+, developed by cryptographers Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam.
The primary driver for this update is the elimination of “tagging attacks,” a method where malicious relay operators modify encrypted packets to track them across the network. The deprecated tor1 algorithm relied on AES-CTR encryption without hop-by-hop authentication, making the traffic malleable; attackers could inject subtle patterns (tags) into the data stream that persisted through decryption layers, effectively marking a user’s traffic. CGO neutralizes this by implementing wide-block encryption with tag chaining. Under this new architecture, any attempt to tamper with a single packet garbles the entire subsequent stream, making the modification immediately detectable and rendering the traffic unrecoverable rather than traceable.
Beyond stopping active attacks, CGO introduces cryptographic rigor that was absent in the 2004-era tor1 design. The legacy system reused the same AES keys for the entire duration of a circuit, meaning a compromised key could expose all historical data from that session. CGO enforces “immediate forward secrecy” by updating encryption keys and nonces after every single cell (packet), ensuring that a stolen key cannot decrypt past traffic. Furthermore, the update retires the obsolete SHA-1 hashing algorithm—which offered a weak 4-byte authentication digest with a 1-in-4-billion forgery chance—replacing it with a robust 16-byte authenticator. The protocol is currently being integrated into Tor’s Rust-based Arti client and the classic C implementation, though it remains in an experimental phase with no required user action.
