The Gostcrypt project has been launched at the end of 2013 as fork of the (late) Truecrypt project. Snowden's leaks have made clear more than ever that the massive use of encryption by citizens must become a reality. This is possible only if there is a vast, rich offer of trusted, open source products like Truecrypt, with the strong support of the hacker community. However, at that time we did not foresee the unprecedented upheaval of terrible shock with the recent Truecrypt disappearance. More than ever we all need more and more projects to replace it. Gostcrypt is one among (we hope) many others. The variety and richness of encryption solutions is THE solution.

But with Gostcrypt, we intend to go farther than ever. Since the late 70s, most of the algorithms used (not to say all) are UKUSA encryption systems that have been chosen, promoted and standardized under the control of the USA and its satellite countries. It is more than likely that among the different levels of control, mathematical trapdoors are part of the game or a minima that there exist unidentified weaknesses that are however known but non disclosed by the entities that have organized or supported the choice of encryption standards (mainly NSA in relationsship with NIST and possibly standardization organizations, the recent case of the Dual_EC_DRBG algorithms, revealed by Snowden is more than illustrative). We would stress on the point that we can accept the idea that neither V. Rijmen nor J. Daemen have intendly put any mathematical backdoor in the Rijndael algorithm. However it is likely that the choice of this finalist (by the NSA and the NIST) may have been driven by the knowledge of weaknesses that are still unsuspected by the Rijndael authors(they however admit that they could exist, refer to their book [The Design of Rijndael, Chap. 9, page 124, paragraph 2]) but identified by the technical prescribers of the AES contest.. We thus decided to used strong encryption systems (as far as we know and despite a few recent 'manipulation papers' that are mistaken operational security with fantasy and which have been rejected recently again as non valid [Babenko & Maro, 2014]). Moreover these systems are not invasive as UKUSA ciphers are (mostly AES) by now. The Gost cipher and hash functions are not everywhere, have not invaded our systems and have been designed by the former USSR for its own need. Aside the fact that it is indeed a very strong cipher (when correctly implemented and a suitable key management), this feature of non-aggressive technological expansion is a key point. GOST algorithms have never sought to spread and to impose on anyone. It has even been rejected from the ISO standardization process in 2012 as a consequence of fallacious, non-reproducible allegations of weakness.

Whatever may be the quality and features of a security project, it can be valid in the long run with trust only. Trust is only possible with open source code and above all with the active support of the hacking community, which will analyze the security, report bugs, make comments and contribute to the project. So welcome on board to everybody.

The new Grasshopper algorithm (GOST Kuznyechik) has been implemented in the new version of GostCrypt. If you want more detail about it, please read this documentation.

Security rationales

The GOST 28147-89 block cipher uses 256-bit keys for encryption or decryption. Internally, this key is divided into eight 32-bit subkeys. In the process of setting the GOST 28147-89 key in preparation for encryption and decryption, the S-Box is modified based on the supplied key, providing a first degree of diversification of the algorithm (and thus provides resistance to known attacks).

For this process, the 'GOST R 34.11-94 CryptoProParamSet' S-Box from RFC 4357 is used as initial S-Box. The 256-bit encryption key is hashed using the GOST R 34.11-2012 hash function, which produces a 512-bit digest. As both the initial S-Box and the digest contain 512 bits of information, a bitwise addition modulo two is used on of the 4-bit S-Box entries (see the diagram below). The resulting key-dependent S-Box is used for encryption and decryption. During encryption and decryption, the GOST 28147-89 block cipher is used with the XTS mode of operation. The data unit number, a disk offset used in the XTS algorithm, is combined with the GOST 28147-89 key using bitwise addition modulo two. This operation ensures that a different key is used for each 512-byte section of the disk. Given how small changes in the used key result in large changes in the resulting ciphertext, this mechanism provides an additional challenge for a potential adversary.