Let's see how we can help you!
Leave a message and our dedicated advisor will contact you.
Send us a message
0/10000
In-depth analysis of Tor changes: CGO, or how 2025 cryptography crushes 2002 standards
Published: 00:00 12/09/2025
Cyberbezpieczeństwo
In my last post, I hinted at a revolution coming to the Tor network. But for those of you who like to know "how it works under the hood," I’ve prepared a deeper analysis. The change in the relay encryption algorithm from the veteran "tor1" to Counter Galois Onion (CGO) is a fascinating piece of engineering.
Here is exactly what is changing and why you should be excited (or at least feel safer).
Why "tor1" had to die: Anatomy of an attack
The old protocol, which the creators have only now named "tor1" (just to have something to put in the documentation for its deprecation), was created around 2002. It was based on the AES-128-CTR stream cipher.
The main problem was the so-called malleability of the stream cipher. In counter mode (CTR), the ciphertext ($C$) is created by XORing the keystream ($S$) with the plaintext ($P$), i.e., $C = S \oplus P$. This is elementary school math that served as the nail in the coffin for anonymity:
- If an attacker (let's call him Mr. Nosy) intercepts an encrypted packet and XORs it with his own pattern ($M$), the plaintext—once decrypted by the victim—will also contain that pattern.
- The attacker can therefore "tag" traffic at the entry to the network and listen for where this corrupted pattern emerges at the exit.
- The result? Total deanonymization of the circuit before we even send any data.
Worse still, users often confused the effects of these attacks (dropped connections) with DDoS attacks, causing false alarms in Tor client logs.
CGO: Cryptographic "All or Nothing"
The new standard, Counter Galois Onion (CGO), is based on the UIV+ construction and the concept of Rugged Pseudorandom Permutation (RPRP). Instead of a simple stream, we are dealing with a wide-block cipher design that is resistant to malleability.
How does it work in practice?
- Domino Effect: Every cell is encrypted in such a way that it depends on the previous ones. CGO uses a 16-byte tag $T$, which is passed ("chained") to the next cell as $T'$.
- Destruction instead of modification: If an attacker changes even a single bit in the transmitted packet, the decryption algorithm will "explode." The entire message, and all subsequent ones in that circuit, will become unreadable garbage. The attacker can no longer "draw a dot" on the traffic—they can only burn the packet, which is easy to detect and does not reveal the sender's identity.
- Forward Secrecy: In "tor1", AES keys lived for the entire duration of the circuit. In CGO, with every cell sent or received, the keys are updated via an
Updatefunction. If someone steals the key at minute 5 of the connection, they cannot decrypt what happened in minute 4.
Performance: Where do we gain, and where do we lose?
This is perhaps the biggest surprise. Usually, "safer" means "slower." Here, we have an interesting anomaly. The old protocol used SHA-1 for integrity verification. SHA-1 is slow. CGO eliminates this overhead.
Benchmarks (conducted on Intel Cascade Lake processors) show the following results:
- Endpoints (Client/Proxy and Exit Node): Here, CGO is 3 times faster than the old Tor! This is a huge relief for overloaded exit nodes.
- Intermediate Nodes (Relays): Here we see a slowdown of 20-50%. This stems from the fact that the old Tor only performed very fast AES-CTR on middle nodes, whereas now they must perform the slightly more complex CGO math.
However, the creators reassure us—the gain at the edges of the network is more important, and modern processors with AES-NI and PCLMUL instructions (used to optimize CGO) will handle the overhead on intermediate nodes.
What next?
The implementation of CGO is already ready in Arti (the Tor client written in Rust) as well as in the classic C implementation. The next steps include enabling CGO by default in Arti and deploying CGO negotiation for onion services.
It is a fascinating moment where we see how academic cryptography (research by Degabriele, Melloni, Münch, Stam) is realistically fixing the internet.
Aleksander
Sources:
- Tor Project Blog: Counter Galois Onion
- Paper: Counter Galois Onion: Fast Non-Malleable Onion Encryption for Tor
- Tagging Attack Details (based on the "Problem 1: Tagging attacks" section)
- Implementation specs in Arti
About the Author
Aleksander Zębrowski
Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.
Related Articles
Cyberbezpieczeństwo
GDPR and Cybersecurity: A Practical Guide - Strategies, Technology, and Operationalizing Compliance
The modern digital ecosystem operates under an unprecedented convergence of legal requirements and technological challenges. The General Data Protection Regulation (GDPR), which came into effect in May 2018, has permanently changed the way organizations must perceive information security.
06.11.2025
19 min
Cyberbezpieczeństwo
2025 Zero-Day Report: What the Record Number of Chrome Flaws Says About Your Corporate Security
Eight critical vulnerabilities in a single year. We analyze how sophisticated APT groups exploit the V8 engine and why traditional sandboxing is no longer enough in 2025.
13:01 23.12.2025
7 min
Cyberbezpieczeństwo
Cloud Security 2025: Best Practices for AWS, Azure, and GCP - Zero Trust, IAM, CSPM, and Shared Responsibility Model
IAM misconfiguration is the leading cause of cloud incidents. Discover differences between AWS, Azure, and GCP in Shared Responsibility Model, how to implement Zero Trust, avoid "toxic combinations" of permissions, secure CMK keys, and automate CSPM for NIS2 compliance.
07.11.2025
35 min
Comments
Loading comments...