Build:
  Unix/macOS:      gcc gost2-128-gcm.c -o gost2gcm
  Windows (MinGW): gcc gost2-128-gcm.c -o gost2gcm -lbcrypt

Usage:
  gost2gcm c <input_file>   // encrypt -> writes <input_file>.gost2
  gost2gcm d <input_file>   // decrypt -> strips .gost2 if present, else adds .dec

Password is requested interactively (not on the command line) with echo off.

Output file (encryption): [IV(16 bytes)][CIPHERTEXT][TAG(16 bytes)]
Output file (decryption): plaintext is written block-by-block; at the end we print
whether the authentication tag is OK or FAILED.
GCM is implemented per NIST SP 800-38D:
- H = E_K(0^128)
- If IV length == 12, J0 = IV || 0x00000001,
  else J0 = GHASH_H(IV || pad || 0^64 || [len(IV) in bits]_64)
- CTR starts from inc32(J0) for data blocks
- Tag T = E_K(J0) XOR GHASH_H(A || C || len(A) || len(C)), with AAD empty here
Randomness:
- Preferred: arc4random_buf (BSD/macOS)
- Else: /dev/urandom (Unix)
- Else: BCryptGenRandom (Windows)
- Else (LAST RESORT): srand(time(NULL))+rand()

NOTE: For decryption we stream plaintext out before tag verification

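As an added, stand-alone example (not code from gost2-128-gcm.c or from the GOST2-128 project), the C below implements the GCM pieces listed above: multiplication in GF(2^128) with GCM's bit ordering, GHASH_H, both J0 derivations, inc32, and the tag T = E_K(J0) XOR GHASH_H. The block cipher is taken as a callback so the same code serves any 128-bit cipher; the self-check uses a constructed stub that returns the two AES-128 outputs from the GCM specification's test case 2 (all-zero key, 96-bit zero IV, empty AAD, one ciphertext block) and compares against that test case's published GHASH value and tag. Names such as gf128_mul, gcm_j0, kat_enc and gcm_self_test are mine, not the tool's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Caller-supplied 128-bit block encryption (GOST2-128 in the tool; a KAT stub here). */
typedef void (*block_fn)(void *ctx, const uint8_t in[16], uint8_t out[16]);

/* Z = X * Y in GF(2^128) with GCM's bit ordering (SP 800-38D Algorithm 1); Z may alias X. */
static void gf128_mul(const uint8_t X[16], const uint8_t Y[16], uint8_t Z[16]) {
    uint8_t V[16], R[16] = {0};
    memcpy(V, Y, 16);
    for (int i = 0; i < 128; i++) {
        if ((X[i >> 3] >> (7 - (i & 7))) & 1)             /* bit i of X, leftmost first */
            for (int j = 0; j < 16; j++) R[j] ^= V[j];
        int lsb = V[15] & 1;                              /* V >>= 1 */
        for (int j = 15; j > 0; j--) V[j] = (uint8_t)((V[j] >> 1) | (V[j - 1] << 7));
        V[0] >>= 1;
        if (lsb) V[0] ^= 0xe1;                            /* reduce by x^128+x^7+x^2+x+1 */
    }
    memcpy(Z, R, 16);
}

/* Absorb len bytes into the GHASH state Y; a trailing partial block is zero-padded. */
static void ghash_update(uint8_t Y[16], const uint8_t H[16], const uint8_t *d, size_t len) {
    while (len) {
        uint8_t blk[16] = {0};
        size_t n = len < 16 ? len : 16;
        memcpy(blk, d, n);
        for (int j = 0; j < 16; j++) Y[j] ^= blk[j];
        gf128_mul(Y, H, Y);
        d += n; len -= n;
    }
}

static void put_be64(uint8_t o[8], uint64_t v) { for (int i = 7; i >= 0; i--, v >>= 8) o[i] = (uint8_t)v; }

/* GHASH_H(A || pad || C || pad || [len(A)]_64 || [len(C)]_64), lengths in bits. */
static void ghash(const uint8_t H[16], const uint8_t *A, size_t alen,
                  const uint8_t *C, size_t clen, uint8_t out[16]) {
    uint8_t Y[16] = {0}, lenblk[16];
    ghash_update(Y, H, A, alen);
    ghash_update(Y, H, C, clen);
    put_be64(lenblk, (uint64_t)alen * 8);
    put_be64(lenblk + 8, (uint64_t)clen * 8);
    ghash_update(Y, H, lenblk, 16);
    memcpy(out, Y, 16);
}

/* J0 = IV || 0x00000001 for a 96-bit IV, else GHASH_H(IV || 0^s || 0^64 || [len(IV)]_64). */
static void gcm_j0(const uint8_t H[16], const uint8_t *iv, size_t ivlen, uint8_t J0[16]) {
    uint8_t lenblk[16] = {0};
    if (ivlen == 12) { memcpy(J0, iv, 12); memset(J0 + 12, 0, 3); J0[15] = 1; return; }
    memset(J0, 0, 16);
    ghash_update(J0, H, iv, ivlen);                       /* IV zero-padded to a block boundary */
    put_be64(lenblk + 8, (uint64_t)ivlen * 8);            /* 0^64 || [len(IV) in bits]_64 */
    ghash_update(J0, H, lenblk, 16);
}

/* inc32: add 1 to the low 32 bits of the counter block modulo 2^32; the top 96 bits never change. */
static void inc32(uint8_t ctr[16]) { for (int i = 15; i >= 12 && ++ctr[i] == 0; i--) {} }

/* T = E_K(J0) XOR GHASH_H(A, C). CTR data blocks would start at inc32(J0). */
static void gcm_tag(block_fn enc, void *ctx, const uint8_t *iv, size_t ivlen,
                    const uint8_t *A, size_t alen, const uint8_t *C, size_t clen, uint8_t T[16]) {
    uint8_t zero[16] = {0}, H[16], J0[16], S[16];
    enc(ctx, zero, H);                                    /* H = E_K(0^128) */
    gcm_j0(H, iv, ivlen, J0);
    ghash(H, A, alen, C, clen, S);
    enc(ctx, J0, T);                                      /* E_K(J0) */
    for (int j = 0; j < 16; j++) T[j] ^= S[j];
}

/* ---- self-check against the GCM spec's AES-128 test case 2 (constructed stub, not GOST2-128) ---- */
static void unhex(const char *s, uint8_t *o, size_t n) {
    for (size_t i = 0; i < n; i++) { unsigned b; sscanf(s + 2 * i, "%2x", &b); o[i] = (uint8_t)b; }
}

/* Stand-in for E_K: the two AES-128 outputs (key = 0) that the test case needs, nothing else. */
static void kat_enc(void *ctx, const uint8_t in[16], uint8_t out[16]) {
    uint8_t zero[16] = {0}, j0[16] = {0};
    (void)ctx; j0[15] = 1;
    if (!memcmp(in, zero, 16)) unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", out, 16);     /* H */
    else if (!memcmp(in, j0, 16)) unhex("58e2fccefa7e3061367f1d57a4e7455a", out, 16);  /* E_K(J0) */
    else memset(out, 0, 16);
}

/* Returns 0 when GHASH, the tag and inc32 behave as specified, else the number of the failing check. */
int gcm_self_test(void) {
    uint8_t H[16], C[16], S[16], T[16], want[16], iv[12] = {0}, ctr[16] = {0};
    unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", H, 16);
    unhex("0388dace60b6a392f328c2b971b2fe78", C, 16);     /* ciphertext block of test case 2 */
    ghash(H, NULL, 0, C, 16, S);
    unhex("f38cbb1ad69223dcc3457ae5b6b0f885", want, 16);
    if (memcmp(S, want, 16)) return 1;
    gcm_tag(kat_enc, NULL, iv, 12, NULL, 0, C, 16, T);
    unhex("ab6e47d42cec13bdf53a67b21257bddf", want, 16);
    if (memcmp(T, want, 16)) return 2;
    ctr[11] = 0x7f; memset(ctr + 12, 0xff, 4); inc32(ctr); /* low 32 bits wrap, byte 11 untouched */
    return (ctr[11] == 0x7f && (ctr[12] | ctr[13] | ctr[14] | ctr[15]) == 0) ? 0 : 3;
}

int main(void) { printf("GCM self-test: %s\n", gcm_self_test() ? "FAILED" : "OK"); return 0; }
```

Because the tool writes a 16-byte IV, it always takes the GHASH branch of gcm_j0 rather than the IV || 0x00000001 shortcut. A tag computed this way is only known after the whole ciphertext has been absorbed into GHASH, so with the streaming behaviour in the NOTE above, anything already written to the output file before FAILED is printed is unauthenticated and whatever consumes that file must discard it on a failed result.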
GOST 2-128 was released in 2016. It has exactly the same design as GOST but has twice as many S-tables and uses 64-bit integers instead of 32-bit integers. It no longer works on 64-bit blocks but on 128-bit blocks, like AES. The two S-tables are the one used by the Central Bank of the Russian Federation and the one from the GOST R 34.12-2015 standard. GOST had 256-bit keys that were reused directly as subkeys. In GOST 2-128, the subkeys are generated by a one-way hash function, yielding 4096 bits of subkey material. Thus no weak keys exist, and attacks against GOST do not work in GOST 2-128.