Counter Galois Onion (CGO) – A Safer Way to Encrypt Tor Traffic
The Problem with Tor’s Old Relay Encryption (tor1)
| Issue | Why it matters |
|---|---|
| Tagging attacks | An attacker can flip bits in a cell, embed an identifier, and trace the user across the circuit. |
| No forward secrecy | The same AES key is used for the whole circuit; if the key is stolen, all past traffic can be read. |
| 4‑byte digest | Only a 1‑in‑4 billion chance of catching a forged cell, and it uses the outdated SHA‑1 hash. |
These weaknesses let active adversaries deanonymize users or read old traffic.
What CGO Brings
- Tag‑resistant – a wide‑block cipher makes any bit‑flip corrupt the whole message, killing covert channels.
- Instant forward secrecy – keys and nonces are updated after every cell, so past cells can’t be decrypted later.
- Strong authentication – a 16‑byte tag (instead of 4 bytes) drops the forgery chance to 1 in 2¹²⁸.
- Acceptable performance – only two passes (tweakable block cipher + PRF) versus the many passes required by older wide‑block modes.
How CGO Works (Simplified)
-
Cell format
T (16‑byte tag) | C (493‑byte ciphertext) -
UIV+ building block
- Split the input into a short left part
X_Land a longer right partX_R. X_R+ a tweakHfeed a tweakable block cipher (LRW2) that encryptsX_L.- The result seeds a PRF; the PRF output XORs into
X_Rto produce the final ciphertext.
- Split the input into a short left part
-
Middle‑layer encryption – the tag
Tfrom the current cell becomes the tweak for the next cell, chaining them together.
-
Originating a cell – start with a nonce
N. After each cell, run the Update algorithm to changeNand the keys, then use the new values for the next cell.
Result: Any tampering destroys the current and all subsequent cells, and the keys used for earlier cells are gone forever.
Security Benefits at a Glance
| Threat | CGO Fix |
|---|---|
| Tagging / covert channels | Wide‑block + tag chaining = any change breaks the whole circuit |
| No forward secrecy | Per‑cell key/nonce update erases old keys immediately |
| Weak 4‑byte digest | 16‑byte tag → 1 in 2¹²⁸ forgery chance, modern hash functions |
Where We Are Now
- Arti (Rust) – core crypto done, behind an experimental flag.
- C Tor – prototype merged; cell‑layout code refactored.
Next steps
- Make CGO the default in Arti after performance tuning.
- Add CGO negotiation for onion services (initially Arti‑only).
- Optimize CPU usage with SIMD tricks from the authors’ reference implementation.
Bottom Line
CGO upgrades Tor’s relay encryption to modern standards: it blocks tagging attacks, gives immediate forward secrecy, and uses a strong 16‑byte authenticator—all while keeping the performance impact manageable. This makes Tor traffic harder for adversaries to tamper with or decrypt, strengthening anonymity for users of the dark‑web and beyond.
Read the Full Announcement
For the complete technical details, original diagrams, and full specification, see the Tor forum post:
Comments
0 commentsLeave a Comment