diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 0.25
+
+* Improve digest binary conversion efficiency
+* AES CCM support
+* Add MonadFailure instance for CryptoFailable
+* Various misc improvements on documentation
+* Edwards25519 lowlevel arithmetic support
+* P256 add point negation
+* Improvement in ECC (benchmark, better normalization)
+* Blake2 improvements to context size
+* Use gauge instead of criterion
+* Use haskell-ci for CI scripts
+* Improve Digest memory representation to be 2 less Ints and one less boxing
+  moving from `UArray` to `Block`
+
 ## 0.24
 
 * Ed25519: generateSecret & Documentation updates
diff --git a/Crypto/Cipher/AES.hs b/Crypto/Cipher/AES.hs
--- a/Crypto/Cipher/AES.hs
+++ b/Crypto/Cipher/AES.hs
@@ -59,6 +59,7 @@
     ; ctrCombine (CSTR aes) (IV iv) = encryptCTR aes (IV iv) \
     ; aeadInit AEAD_GCM (CSTR aes) iv = CryptoPassed $ AEAD (gcmMode aes) (gcmInit aes iv) \
     ; aeadInit AEAD_OCB (CSTR aes) iv = CryptoPassed $ AEAD (ocbMode aes) (ocbInit aes iv) \
+    ; aeadInit (AEAD_CCM n m l) (CSTR aes) iv = AEAD (ccmMode aes) <$> ccmInit aes iv n m l \
     ; aeadInit _        _          _  = CryptoFailed CryptoError_AEADModeNotSupported \
     }; \
 instance BlockCipher128 CSTR where \
diff --git a/Crypto/Cipher/AES/Primitive.hs b/Crypto/Cipher/AES/Primitive.hs
--- a/Crypto/Cipher/AES/Primitive.hs
+++ b/Crypto/Cipher/AES/Primitive.hs
@@ -11,39 +11,43 @@
 --
 module Crypto.Cipher.AES.Primitive
     (
-    -- * block cipher data types
+    -- * Block cipher data types
       AES
 
     -- * Authenticated encryption block cipher types
     , AESGCM
     , AESOCB
 
-    -- * creation
+    -- * Creation
     , initAES
 
-    -- * misc
+    -- * Miscellanea
     , genCTR
     , genCounter
 
-    -- * encryption
+    -- * Encryption
     , encryptECB
     , encryptCBC
     , encryptCTR
     , encryptXTS
 
-    -- * decryption
+    -- * Decryption
     , decryptECB
     , decryptCBC
     , decryptCTR
     , decryptXTS
 
-    -- * incremental GCM
+    -- * Incremental GCM
     , gcmMode
     , gcmInit
 
-    -- * incremental OCB
+    -- * Incremental OCB
     , ocbMode
     , ocbInit
+
+    -- * CCM
+    , ccmMode
+    , ccmInit
     ) where
 
 import           Data.Word
@@ -73,6 +77,7 @@
     ctrCombine = encryptCTR
     aeadInit AEAD_GCM aes iv = CryptoPassed $ AEAD (gcmMode aes) (gcmInit aes iv)
     aeadInit AEAD_OCB aes iv = CryptoPassed $ AEAD (ocbMode aes) (ocbInit aes iv)
+    aeadInit (AEAD_CCM n m l) aes iv = AEAD (ccmMode aes) <$> ccmInit aes iv n m l
     aeadInit _        _   _  = CryptoFailed CryptoError_AEADModeNotSupported
 instance BlockCipher128 AES where
     xtsEncrypt = encryptXTS
@@ -96,7 +101,16 @@
     , aeadImplFinalize     = ocbFinish aes
     }
 
+-- | Create an AES AEAD implementation for CCM
+ccmMode :: AES -> AEADModeImpl AESCCM
+ccmMode aes = AEADModeImpl
+    { aeadImplAppendHeader = ccmAppendAAD aes
+    , aeadImplEncrypt      = ccmEncrypt aes
+    , aeadImplDecrypt      = ccmDecrypt aes
+    , aeadImplFinalize     = ccmFinish aes
+    }
 
+
 -- | AES Context (pre-processed key)
 newtype AES = AES ScrubbedBytes
     deriving (NFData)
@@ -109,12 +123,19 @@
 newtype AESOCB = AESOCB ScrubbedBytes
     deriving (NFData)
 
+-- | AESCCM State
+newtype AESCCM = AESCCM ScrubbedBytes
+    deriving (NFData)
+
 sizeGCM :: Int
 sizeGCM = 80
 
 sizeOCB :: Int
 sizeOCB = 160
 
+sizeCCM :: Int
+sizeCCM = 80
+
 keyToPtr :: AES -> (Ptr AES -> IO a) -> IO a
 keyToPtr (AES b) f = withByteArray b (f . castPtr)
 
@@ -152,6 +173,13 @@
         a     <- withByteArray newSt $ \gcmStPtr -> f (castPtr gcmStPtr) aesPtr
         return (a, AESOCB newSt)
 
+withCCMKeyAndCopySt :: AES -> AESCCM -> (Ptr AESCCM -> Ptr AES -> IO a) -> IO (a, AESCCM)
+withCCMKeyAndCopySt aes (AESCCM ccmSt) f =
+    keyToPtr aes $ \aesPtr -> do
+        newSt <- B.copy ccmSt (\_ -> return ())
+        a     <- withByteArray newSt $ \ccmStPtr -> f (castPtr ccmStPtr) aesPtr
+        return (a, AESCCM newSt)
+
 -- | Initialize a new context with a key
 --
 -- Key needs to be of length 16, 24 or 32 bytes. Any other values will return failure
@@ -447,6 +475,78 @@
   where computeTag = B.allocAndFreeze 16 $ \t ->
                         withOCBKeyAndCopySt ctx ocb (c_aes_ocb_finish (castPtr t)) >> return ()
 
+ccmGetM :: CCM_M -> Int
+ccmGetL :: CCM_L -> Int
+ccmGetM m = case m of
+  CCM_M4 -> 4
+  CCM_M6 -> 6
+  CCM_M8 -> 8
+  CCM_M10 -> 10
+  CCM_M12 -> 12
+  CCM_M14 -> 14
+  CCM_M16 -> 16
+
+ccmGetL l = case l of
+  CCM_L2 -> 2
+  CCM_L3 -> 3
+  CCM_L4 -> 4
+
+-- | initialize a ccm context
+{-# NOINLINE ccmInit #-}
+ccmInit :: ByteArrayAccess iv => AES -> iv -> Int -> CCM_M -> CCM_L -> CryptoFailable AESCCM
+ccmInit ctx iv n m l
+    | 15 - li /= B.length iv = CryptoFailed CryptoError_IvSizeInvalid
+    | otherwise = unsafeDoIO $ do
+          sm <- B.alloc sizeCCM $ \ccmStPtr ->
+            withKeyAndIV ctx iv $ \k v ->
+            c_aes_ccm_init (castPtr ccmStPtr) k v (fromIntegral $ B.length iv) (fromIntegral n) (fromIntegral mi) (fromIntegral li)
+          return $ CryptoPassed (AESCCM sm)
+  where
+    mi = ccmGetM m
+    li = ccmGetL l
+
+-- | append data which is only going to be authenticated to the CCM context.
+--
+-- needs to happen after initialization and before appending encryption/decryption data.
+{-# NOINLINE ccmAppendAAD #-}
+ccmAppendAAD :: ByteArrayAccess aad => AES -> AESCCM -> aad -> AESCCM
+ccmAppendAAD ctx ccm input = unsafeDoIO $ snd <$> withCCMKeyAndCopySt ctx ccm doAppend
+  where doAppend ccmStPtr aesPtr =
+            withByteArray input $ \i -> c_aes_ccm_aad ccmStPtr aesPtr i (fromIntegral $ B.length input)
+
+-- | append data to encrypt and append to the CCM context
+--
+-- the bytearray needs to be a multiple of AES block size, unless it's the last call to this function.
+-- needs to happen after AAD appending, or after initialization if no AAD data.
+{-# NOINLINE ccmEncrypt #-}
+ccmEncrypt :: ByteArray ba => AES -> AESCCM -> ba -> (ba, AESCCM)
+ccmEncrypt ctx ccm input = unsafeDoIO $ withCCMKeyAndCopySt ctx ccm cbcmacAndIv
+  where len = B.length input
+        cbcmacAndIv ccmStPtr aesPtr =
+            B.alloc len $ \o ->
+            withByteArray input $ \i ->
+            c_aes_ccm_encrypt (castPtr o) ccmStPtr aesPtr i (fromIntegral len)
+
+-- | append data to decrypt and append to the CCM context
+--
+-- the bytearray needs to be a multiple of AES block size, unless it's the last call to this function.
+-- needs to happen after AAD appending, or after initialization if no AAD data.
+{-# NOINLINE ccmDecrypt #-}
+ccmDecrypt :: ByteArray ba => AES -> AESCCM -> ba -> (ba, AESCCM)
+ccmDecrypt ctx ccm input = unsafeDoIO $ withCCMKeyAndCopySt ctx ccm cbcmacAndIv
+  where len = B.length input
+        cbcmacAndIv ccmStPtr aesPtr =
+            B.alloc len $ \o ->
+            withByteArray input $ \i ->
+            c_aes_ccm_decrypt (castPtr o) ccmStPtr aesPtr i (fromIntegral len)
+
+-- | Generate the Tag from CCM context
+{-# NOINLINE ccmFinish #-}
+ccmFinish :: AES -> AESCCM -> Int -> AuthTag
+ccmFinish ctx ccm taglen = AuthTag $ B.take taglen computeTag
+  where computeTag = B.allocAndFreeze 16 $ \t ->
+                        withCCMKeyAndCopySt ctx ccm (c_aes_ccm_finish (castPtr t)) >> return ()
+
 ------------------------------------------------------------------------
 foreign import ccall "cryptonite_aes.h cryptonite_aes_initkey"
     c_aes_init :: Ptr AES -> CString -> CUInt -> IO ()
@@ -508,3 +608,17 @@
 foreign import ccall "cryptonite_aes.h cryptonite_aes_ocb_finish"
     c_aes_ocb_finish :: CString -> Ptr AESOCB -> Ptr AES -> IO ()
 
+foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_init"
+    c_aes_ccm_init :: Ptr AESCCM -> Ptr AES -> Ptr Word8 -> CUInt -> CUInt -> CInt -> CInt -> IO ()
+
+foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_aad"
+    c_aes_ccm_aad :: Ptr AESCCM -> Ptr AES -> CString -> CUInt -> IO ()
+
+foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_encrypt"
+    c_aes_ccm_encrypt :: CString -> Ptr AESCCM -> Ptr AES -> CString -> CUInt -> IO ()
+
+foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_decrypt"
+    c_aes_ccm_decrypt :: CString -> Ptr AESCCM -> Ptr AES -> CString -> CUInt -> IO ()
+
+foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_finish"
+    c_aes_ccm_finish :: CString -> Ptr AESCCM -> Ptr AES -> IO ()
diff --git a/Crypto/Cipher/CAST5.hs b/Crypto/Cipher/CAST5.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/Cipher/CAST5.hs
@@ -0,0 +1,43 @@
+-- |
+-- Module      : Crypto.Cipher.CAST5
+-- License     : BSD-style
+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>
+-- Stability   : stable
+-- Portability : good
+--
+module Crypto.Cipher.CAST5
+    ( CAST5
+    ) where
+
+import           Crypto.Error
+import           Crypto.Cipher.Types
+import           Crypto.Cipher.CAST5.Primitive
+import           Crypto.Internal.ByteArray (ByteArrayAccess)
+import qualified Crypto.Internal.ByteArray as B
+
+-- | CAST5 block cipher (also known as CAST-128).  Key is between
+-- 40 and 128 bits.
+newtype CAST5 = CAST5 Key
+
+instance Cipher CAST5 where
+    cipherName    _ = "CAST5"
+    cipherKeySize _ = KeySizeRange 5 16
+    cipherInit      = initCAST5
+
+instance BlockCipher CAST5 where
+    blockSize _ = 8
+    ecbEncrypt (CAST5 k) = B.mapAsWord64 (encrypt k)
+    ecbDecrypt (CAST5 k) = B.mapAsWord64 (decrypt k)
+
+initCAST5 :: ByteArrayAccess key => key -> CryptoFailable CAST5
+initCAST5 bs
+    | len <   5 = CryptoFailed CryptoError_KeySizeInvalid
+    | len <  16 = CryptoPassed (CAST5 $ buildKey short padded)
+    | len == 16 = CryptoPassed (CAST5 $ buildKey False bs)
+    | otherwise = CryptoFailed CryptoError_KeySizeInvalid
+  where
+    len   = B.length bs
+    short = len <= 10
+
+    padded :: B.Bytes
+    padded = B.convert bs `B.append` B.replicate (16 - len) 0
diff --git a/Crypto/Cipher/CAST5/Primitive.hs b/Crypto/Cipher/CAST5/Primitive.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/Cipher/CAST5/Primitive.hs
@@ -0,0 +1,573 @@
+{-# LANGUAGE MagicHash #-}
+
+-----------------------------------------------------------------------------
+-- |
+-- Module      :  Crypto.Cipher.CAST5.Primitive
+-- License     :  BSD-style
+--
+-- Haskell implementation of the CAST-128 Encryption Algorithm
+--
+-----------------------------------------------------------------------------
+
+
+module Crypto.Cipher.CAST5.Primitive
+    ( encrypt
+    , decrypt
+    , Key()
+    , buildKey
+    ) where
+
+import Control.Monad (void, (>=>))
+
+import Data.Bits
+import Data.Memory.Endian
+import Data.Word
+
+import           Crypto.Internal.ByteArray (ByteArrayAccess)
+import qualified Crypto.Internal.ByteArray as B
+import           Crypto.Internal.WordArray
+
+
+-- Data Types
+
+data P = P {-# UNPACK #-} !Word32 -- left word
+           {-# UNPACK #-} !Word32 -- right word
+
+data Q = Q {-# UNPACK #-} !Word32 {-# UNPACK #-} !Word32
+           {-# UNPACK #-} !Word32 {-# UNPACK #-} !Word32
+
+-- | All subkeys for 12 or 16 rounds
+data Key = K12 {-# UNPACK #-} !Array32 -- [ km1, kr1, km2, kr2, ..., km12, kr12 ]
+         | K16 {-# UNPACK #-} !Array32 -- [ km1, kr1, km2, kr2, ..., km16, kr16 ]
+
+
+-- Big-endian Transformations
+
+decomp64 :: Word64 -> P
+decomp64 x = P (fromIntegral (x `shiftR` 32)) (fromIntegral x)
+
+comp64 :: P -> Word64
+comp64 (P l r) = (fromIntegral l `shiftL` 32) .|. fromIntegral r
+
+decomp32 :: Word32 -> (Word8, Word8, Word8, Word8)
+decomp32 x =
+    let a = fromIntegral (x `shiftR` 24)
+        b = fromIntegral (x `shiftR` 16)
+        c = fromIntegral (x `shiftR`  8)
+        d = fromIntegral x
+    in (a, b, c, d)
+
+
+-- Encryption
+
+-- | Encrypts a block using the specified key
+encrypt :: Key -> Word64 -> Word64
+encrypt k = comp64 . cast_enc k . decomp64
+
+cast_enc :: Key -> P -> P
+cast_enc (K12 a) (P l0 r0) = P r12 r11
+  where
+    r1  = type1 a 0  l0  r0
+    r2  = type2 a 2  r0  r1
+    r3  = type3 a 4  r1  r2
+    r4  = type1 a 6  r2  r3
+    r5  = type2 a 8  r3  r4
+    r6  = type3 a 10 r4  r5
+    r7  = type1 a 12 r5  r6
+    r8  = type2 a 14 r6  r7
+    r9  = type3 a 16 r7  r8
+    r10 = type1 a 18 r8  r9
+    r11 = type2 a 20 r9  r10
+    r12 = type3 a 22 r10 r11
+
+cast_enc (K16 a) p = P r16 r15
+  where
+    P r12 r11 = cast_enc (K12 a) p
+
+    r13 = type1 a 24 r11 r12
+    r14 = type2 a 26 r12 r13
+    r15 = type3 a 28 r13 r14
+    r16 = type1 a 30 r14 r15
+
+-- Decryption
+
+-- | Decrypts a block using the specified key
+decrypt :: Key -> Word64 -> Word64
+decrypt k = comp64 . cast_dec k . decomp64
+
+cast_dec :: Key -> P -> P
+cast_dec (K12 a) (P r12 r11) = P l0 r0
+  where
+    r10 = type3 a 22 r12 r11
+    r9  = type2 a 20 r11 r10
+    r8  = type1 a 18 r10 r9
+    r7  = type3 a 16 r9  r8
+    r6  = type2 a 14 r8  r7
+    r5  = type1 a 12 r7  r6
+    r4  = type3 a 10 r6  r5
+    r3  = type2 a 8  r5  r4
+    r2  = type1 a 6  r4  r3
+    r1  = type3 a 4  r3  r2
+    r0  = type2 a 2  r2  r1
+    l0  = type1 a 0  r1  r0
+
+cast_dec (K16 a) (P r16 r15) = cast_dec (K12 a) (P r12 r11)
+  where
+    r14 = type1 a 30 r16 r15
+    r13 = type3 a 28 r15 r14
+    r12 = type2 a 26 r14 r13
+    r11 = type1 a 24 r13 r12
+
+
+-- Non-Identical Rounds
+
+type1 :: Array32 -> Int -> Word32 -> Word32 -> Word32
+type1 arr idx l r =
+    let km = arrayRead32 arr idx
+        kr = arrayRead32 arr (idx + 1)
+        j = (km + r) `rotateL` fromIntegral kr
+        (ja, jb, jc, jd) = decomp32 j
+     in l `xor` (((sbox_s1 ja `xor` sbox_s2 jb) - sbox_s3 jc) + sbox_s4 jd)
+
+type2 :: Array32 -> Int -> Word32 -> Word32 -> Word32
+type2 arr idx l r =
+    let km = arrayRead32 arr idx
+        kr = arrayRead32 arr (idx + 1)
+        j = (km `xor` r) `rotateL` fromIntegral kr
+        (ja, jb, jc, jd) = decomp32 j
+     in l `xor` (((sbox_s1 ja - sbox_s2 jb) + sbox_s3 jc) `xor` sbox_s4 jd)
+
+type3 :: Array32 -> Int -> Word32 -> Word32 -> Word32
+type3 arr idx l r =
+    let km = arrayRead32 arr idx
+        kr = arrayRead32 arr (idx + 1)
+        j = (km - r) `rotateL` fromIntegral kr
+        (ja, jb, jc, jd) = decomp32 j
+     in l `xor` (((sbox_s1 ja + sbox_s2 jb) `xor` sbox_s3 jc) - sbox_s4 jd)
+
+
+-- Key Schedule
+
+-- | Precompute "masking" and "rotation" subkeys
+buildKey :: ByteArrayAccess key
+         => Bool -- ^ @True@ for short keys that only need 12 rounds
+         -> key  -- ^ Input key padded to 16 bytes
+         -> Key  -- ^ Output data structure
+buildKey isShort key =
+    let P x0123 x4567 = decomp64 (fromBE $ B.toW64BE key 0)
+        P x89AB xCDEF = decomp64 (fromBE $ B.toW64BE key 8)
+     in keySchedule isShort (Q x0123 x4567 x89AB xCDEF)
+
+keySchedule :: Bool -> Q -> Key
+keySchedule isShort x
+    | isShort   = K12 $ allocArray32AndFreeze 24 $ \ma ->
+        void (steps123 ma 0 x >>= skip4 >>= steps123 ma 1)
+
+    | otherwise = K16 $ allocArray32AndFreeze 32 $ \ma ->
+        void (steps123 ma 0 x >>= step4 ma 24 >>= steps123 ma 1 >>= step4 ma 25)
+
+  where
+    sbox_s56785 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s5 e
+    sbox_s56786 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s6 e
+    sbox_s56787 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s7 e
+    sbox_s56788 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s8 e
+
+    steps123 ma off = step1 ma off >=> step2 ma (off + 8) >=> step3 ma (off + 16)
+
+    step1 :: MutableArray32 -> Int -> Q -> IO Q
+    step1 ma off (Q x0123 x4567 x89AB xCDEF) = do
+        let (x8, x9, xA, xB) = decomp32 x89AB
+            (xC, xD, xE, xF) = decomp32 xCDEF
+
+            z0123 = x0123 `xor` sbox_s56787 xD xF xC xE x8
+            z4567 = x89AB `xor` sbox_s56788 z0 z2 z1 z3 xA
+            z89AB = xCDEF `xor` sbox_s56785 z7 z6 z5 z4 x9
+            zCDEF = x4567 `xor` sbox_s56786 zA z9 zB z8 xB
+
+            (z0, z1, z2, z3) = decomp32 z0123
+            (z4, z5, z6, z7) = decomp32 z4567
+            (z8, z9, zA, zB) = decomp32 z89AB
+            (zC, zD, zE, zF) = decomp32 zCDEF
+
+        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 z8 z9 z7 z6 z2
+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 zA zB z5 z4 z6
+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 zC zD z3 z2 z9
+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 zE zF z1 z0 zC
+        return (Q z0123 z4567 z89AB zCDEF)
+
+    step2 :: MutableArray32 -> Int -> Q -> IO Q
+    step2 ma off (Q z0123 z4567 z89AB zCDEF) = do
+        let (z0, z1, z2, z3) = decomp32 z0123
+            (z4, z5, z6, z7) = decomp32 z4567
+
+            x0123 = z89AB `xor` sbox_s56787 z5 z7 z4 z6 z0
+            x4567 = z0123 `xor` sbox_s56788 x0 x2 x1 x3 z2
+            x89AB = z4567 `xor` sbox_s56785 x7 x6 x5 x4 z1
+            xCDEF = zCDEF `xor` sbox_s56786 xA x9 xB x8 z3
+
+            (x0, x1, x2, x3) = decomp32 x0123
+            (x4, x5, x6, x7) = decomp32 x4567
+            (x8, x9, xA, xB) = decomp32 x89AB
+            (xC, xD, xE, xF) = decomp32 xCDEF
+
+        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 x3 x2 xC xD x8
+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 x1 x0 xE xF xD
+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 x7 x6 x8 x9 x3
+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 x5 x4 xA xB x7
+        return (Q x0123 x4567 x89AB xCDEF)
+
+    step3 :: MutableArray32 -> Int -> Q -> IO Q
+    step3 ma off (Q x0123 x4567 x89AB xCDEF) = do
+        let (x8, x9, xA, xB) = decomp32 x89AB
+            (xC, xD, xE, xF) = decomp32 xCDEF
+
+            z0123 = x0123 `xor` sbox_s56787 xD xF xC xE x8
+            z4567 = x89AB `xor` sbox_s56788 z0 z2 z1 z3 xA
+            z89AB = xCDEF `xor` sbox_s56785 z7 z6 z5 z4 x9
+            zCDEF = x4567 `xor` sbox_s56786 zA z9 zB z8 xB
+
+            (z0, z1, z2, z3) = decomp32 z0123
+            (z4, z5, z6, z7) = decomp32 z4567
+            (z8, z9, zA, zB) = decomp32 z89AB
+            (zC, zD, zE, zF) = decomp32 zCDEF
+
+        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 z3 z2 zC zD z9
+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 z1 z0 zE zF zC
+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 z7 z6 z8 z9 z2
+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 z5 z4 zA zB z6
+        return (Q z0123 z4567 z89AB zCDEF)
+
+    step4 :: MutableArray32 -> Int -> Q -> IO Q
+    step4 ma off (Q z0123 z4567 z89AB zCDEF) = do
+        let (z0, z1, z2, z3) = decomp32 z0123
+            (z4, z5, z6, z7) = decomp32 z4567
+
+            x0123 = z89AB `xor` sbox_s56787 z5 z7 z4 z6 z0
+            x4567 = z0123 `xor` sbox_s56788 x0 x2 x1 x3 z2
+            x89AB = z4567 `xor` sbox_s56785 x7 x6 x5 x4 z1
+            xCDEF = zCDEF `xor` sbox_s56786 xA x9 xB x8 z3
+
+            (x0, x1, x2, x3) = decomp32 x0123
+            (x4, x5, x6, x7) = decomp32 x4567
+            (x8, x9, xA, xB) = decomp32 x89AB
+            (xC, xD, xE, xF) = decomp32 xCDEF
+
+        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 x8 x9 x7 x6 x3
+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 xA xB x5 x4 x7
+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 xC xD x3 x2 x8
+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 xE xF x1 x0 xD
+        return (Q x0123 x4567 x89AB xCDEF)
+
+    skip4 :: Q -> IO Q
+    skip4 (Q z0123 z4567 z89AB zCDEF) = do
+        let (z0, z1, z2, z3) = decomp32 z0123
+            (z4, z5, z6, z7) = decomp32 z4567
+
+            x0123 = z89AB `xor` sbox_s56787 z5 z7 z4 z6 z0
+            x4567 = z0123 `xor` sbox_s56788 x0 x2 x1 x3 z2
+            x89AB = z4567 `xor` sbox_s56785 x7 x6 x5 x4 z1
+            xCDEF = zCDEF `xor` sbox_s56786 xA x9 xB x8 z3
+
+            (x0, x1, x2, x3) = decomp32 x0123
+            (x4, x5, x6, x7) = decomp32 x4567
+            (x8, x9, xA, xB) = decomp32 x89AB
+
+        return (Q x0123 x4567 x89AB xCDEF)
+
+-- S-Boxes
+
+sbox_s1 :: Word8 -> Word32
+sbox_s1 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\x30\xfb\x40\xd4\x9f\xa0\xff\x0b\x6b\xec\xcd\x2f\x3f\x25\x8c\x7a\x1e\x21\x3f\x2f\x9c\x00\x4d\xd3\x60\x03\xe5\x40\xcf\x9f\xc9\x49\
+            \\xbf\xd4\xaf\x27\x88\xbb\xbd\xb5\xe2\x03\x40\x90\x98\xd0\x96\x75\x6e\x63\xa0\xe0\x15\xc3\x61\xd2\xc2\xe7\x66\x1d\x22\xd4\xff\x8e\
+            \\x28\x68\x3b\x6f\xc0\x7f\xd0\x59\xff\x23\x79\xc8\x77\x5f\x50\xe2\x43\xc3\x40\xd3\xdf\x2f\x86\x56\x88\x7c\xa4\x1a\xa2\xd2\xbd\x2d\
+            \\xa1\xc9\xe0\xd6\x34\x6c\x48\x19\x61\xb7\x6d\x87\x22\x54\x0f\x2f\x2a\xbe\x32\xe1\xaa\x54\x16\x6b\x22\x56\x8e\x3a\xa2\xd3\x41\xd0\
+            \\x66\xdb\x40\xc8\xa7\x84\x39\x2f\x00\x4d\xff\x2f\x2d\xb9\xd2\xde\x97\x94\x3f\xac\x4a\x97\xc1\xd8\x52\x76\x44\xb7\xb5\xf4\x37\xa7\
+            \\xb8\x2c\xba\xef\xd7\x51\xd1\x59\x6f\xf7\xf0\xed\x5a\x09\x7a\x1f\x82\x7b\x68\xd0\x90\xec\xf5\x2e\x22\xb0\xc0\x54\xbc\x8e\x59\x35\
+            \\x4b\x6d\x2f\x7f\x50\xbb\x64\xa2\xd2\x66\x49\x10\xbe\xe5\x81\x2d\xb7\x33\x22\x90\xe9\x3b\x15\x9f\xb4\x8e\xe4\x11\x4b\xff\x34\x5d\
+            \\xfd\x45\xc2\x40\xad\x31\x97\x3f\xc4\xf6\xd0\x2e\x55\xfc\x81\x65\xd5\xb1\xca\xad\xa1\xac\x2d\xae\xa2\xd4\xb7\x6d\xc1\x9b\x0c\x50\
+            \\x88\x22\x40\xf2\x0c\x6e\x4f\x38\xa4\xe4\xbf\xd7\x4f\x5b\xa2\x72\x56\x4c\x1d\x2f\xc5\x9c\x53\x19\xb9\x49\xe3\x54\xb0\x46\x69\xfe\
+            \\xb1\xb6\xab\x8a\xc7\x13\x58\xdd\x63\x85\xc5\x45\x11\x0f\x93\x5d\x57\x53\x8a\xd5\x6a\x39\x04\x93\xe6\x3d\x37\xe0\x2a\x54\xf6\xb3\
+            \\x3a\x78\x7d\x5f\x62\x76\xa0\xb5\x19\xa6\xfc\xdf\x7a\x42\x20\x6a\x29\xf9\xd4\xd5\xf6\x1b\x18\x91\xbb\x72\x27\x5e\xaa\x50\x81\x67\
+            \\x38\x90\x10\x91\xc6\xb5\x05\xeb\x84\xc7\xcb\x8c\x2a\xd7\x5a\x0f\x87\x4a\x14\x27\xa2\xd1\x93\x6b\x2a\xd2\x86\xaf\xaa\x56\xd2\x91\
+            \\xd7\x89\x43\x60\x42\x5c\x75\x0d\x93\xb3\x9e\x26\x18\x71\x84\xc9\x6c\x00\xb3\x2d\x73\xe2\xbb\x14\xa0\xbe\xbc\x3c\x54\x62\x37\x79\
+            \\x64\x45\x9e\xab\x3f\x32\x8b\x82\x77\x18\xcf\x82\x59\xa2\xce\xa6\x04\xee\x00\x2e\x89\xfe\x78\xe6\x3f\xab\x09\x50\x32\x5f\xf6\xc2\
+            \\x81\x38\x3f\x05\x69\x63\xc5\xc8\x76\xcb\x5a\xd6\xd4\x99\x74\xc9\xca\x18\x0d\xcf\x38\x07\x82\xd5\xc7\xfa\x5c\xf6\x8a\xc3\x15\x11\
+            \\x35\xe7\x9e\x13\x47\xda\x91\xd0\xf4\x0f\x90\x86\xa7\xe2\x41\x9e\x31\x36\x62\x41\x05\x1e\xf4\x95\xaa\x57\x3b\x04\x4a\x80\x5d\x8d\
+            \\x54\x83\x00\xd0\x00\x32\x2a\x3c\xbf\x64\xcd\xdf\xba\x57\xa6\x8e\x75\xc6\x37\x2b\x50\xaf\xd3\x41\xa7\xc1\x32\x75\x91\x5a\x0b\xf5\
+            \\x6b\x54\xbf\xab\x2b\x0b\x14\x26\xab\x4c\xc9\xd7\x44\x9c\xcd\x82\xf7\xfb\xf2\x65\xab\x85\xc5\xf3\x1b\x55\xdb\x94\xaa\xd4\xe3\x24\
+            \\xcf\xa4\xbd\x3f\x2d\xea\xa3\xe2\x9e\x20\x4d\x02\xc8\xbd\x25\xac\xea\xdf\x55\xb3\xd5\xbd\x9e\x98\xe3\x12\x31\xb2\x2a\xd5\xad\x6c\
+            \\x95\x43\x29\xde\xad\xbe\x45\x28\xd8\x71\x0f\x69\xaa\x51\xc9\x0f\xaa\x78\x6b\xf6\x22\x51\x3f\x1e\xaa\x51\xa7\x9b\x2a\xd3\x44\xcc\
+            \\x7b\x5a\x41\xf0\xd3\x7c\xfb\xad\x1b\x06\x95\x05\x41\xec\xe4\x91\xb4\xc3\x32\xe6\x03\x22\x68\xd4\xc9\x60\x0a\xcc\xce\x38\x7e\x6d\
+            \\xbf\x6b\xb1\x6c\x6a\x70\xfb\x78\x0d\x03\xd9\xc9\xd4\xdf\x39\xde\xe0\x10\x63\xda\x47\x36\xf4\x64\x5a\xd3\x28\xd8\xb3\x47\xcc\x96\
+            \\x75\xbb\x0f\xc3\x98\x51\x1b\xfb\x4f\xfb\xcc\x35\xb5\x8b\xcf\x6a\xe1\x1f\x0a\xbc\xbf\xc5\xfe\x4a\xa7\x0a\xec\x10\xac\x39\x57\x0a\
+            \\x3f\x04\x44\x2f\x61\x88\xb1\x53\xe0\x39\x7a\x2e\x57\x27\xcb\x79\x9c\xeb\x41\x8f\x1c\xac\xd6\x8d\x2a\xd3\x7c\x96\x01\x75\xcb\x9d\
+            \\xc6\x9d\xff\x09\xc7\x5b\x65\xf0\xd9\xdb\x40\xd8\xec\x0e\x77\x79\x47\x44\xea\xd4\xb1\x1c\x32\x74\xdd\x24\xcb\x9e\x7e\x1c\x54\xbd\
+            \\xf0\x11\x44\xf9\xd2\x24\x0e\xb1\x96\x75\xb3\xfd\xa3\xac\x37\x55\xd4\x7c\x27\xaf\x51\xc8\x5f\x4d\x56\x90\x75\x96\xa5\xbb\x15\xe6\
+            \\x58\x03\x04\xf0\xca\x04\x2c\xf1\x01\x1a\x37\xea\x8d\xbf\xaa\xdb\x35\xba\x3e\x4a\x35\x26\xff\xa0\xc3\x7b\x4d\x09\xbc\x30\x6e\xd9\
+            \\x98\xa5\x26\x66\x56\x48\xf7\x25\xff\x5e\x56\x9d\x0c\xed\x63\xd0\x7c\x63\xb2\xcf\x70\x0b\x45\xe1\xd5\xea\x50\xf1\x85\xa9\x28\x72\
+            \\xaf\x1f\xbd\xa7\xd4\x23\x48\x70\xa7\x87\x0b\xf3\x2d\x3b\x4d\x79\x42\xe0\x41\x98\x0c\xd0\xed\xe7\x26\x47\x0d\xb8\xf8\x81\x81\x4c\
+            \\x47\x4d\x6a\xd7\x7c\x0c\x5e\x5c\xd1\x23\x19\x59\x38\x1b\x72\x98\xf5\xd2\xf4\xdb\xab\x83\x86\x53\x6e\x2f\x1e\x23\x83\x71\x9c\x9e\
+            \\xbd\x91\xe0\x46\x9a\x56\x45\x6e\xdc\x39\x20\x0c\x20\xc8\xc5\x71\x96\x2b\xda\x1c\xe1\xe6\x96\xff\xb1\x41\xab\x08\x7c\xca\x89\xb9\
+            \\x1a\x69\xe7\x83\x02\xcc\x48\x43\xa2\xf7\xc5\x79\x42\x9e\xf4\x7d\x42\x7b\x16\x9c\x5a\xc9\xf0\x49\xdd\x8f\x0f\x00\x5c\x81\x65\xbf"#
+
+sbox_s2 :: Word8 -> Word32
+sbox_s2 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\x1f\x20\x10\x94\xef\x0b\xa7\x5b\x69\xe3\xcf\x7e\x39\x3f\x43\x80\xfe\x61\xcf\x7a\xee\xc5\x20\x7a\x55\x88\x9c\x94\x72\xfc\x06\x51\
+            \\xad\xa7\xef\x79\x4e\x1d\x72\x35\xd5\x5a\x63\xce\xde\x04\x36\xba\x99\xc4\x30\xef\x5f\x0c\x07\x94\x18\xdc\xdb\x7d\xa1\xd6\xef\xf3\
+            \\xa0\xb5\x2f\x7b\x59\xe8\x36\x05\xee\x15\xb0\x94\xe9\xff\xd9\x09\xdc\x44\x00\x86\xef\x94\x44\x59\xba\x83\xcc\xb3\xe0\xc3\xcd\xfb\
+            \\xd1\xda\x41\x81\x3b\x09\x2a\xb1\xf9\x97\xf1\xc1\xa5\xe6\xcf\x7b\x01\x42\x0d\xdb\xe4\xe7\xef\x5b\x25\xa1\xff\x41\xe1\x80\xf8\x06\
+            \\x1f\xc4\x10\x80\x17\x9b\xee\x7a\xd3\x7a\xc6\xa9\xfe\x58\x30\xa4\x98\xde\x8b\x7f\x77\xe8\x3f\x4e\x79\x92\x92\x69\x24\xfa\x9f\x7b\
+            \\xe1\x13\xc8\x5b\xac\xc4\x00\x83\xd7\x50\x35\x25\xf7\xea\x61\x5f\x62\x14\x31\x54\x0d\x55\x4b\x63\x5d\x68\x11\x21\xc8\x66\xc3\x59\
+            \\x3d\x63\xcf\x73\xce\xe2\x34\xc0\xd4\xd8\x7e\x87\x5c\x67\x2b\x21\x07\x1f\x61\x81\x39\xf7\x62\x7f\x36\x1e\x30\x84\xe4\xeb\x57\x3b\
+            \\x60\x2f\x64\xa4\xd6\x3a\xcd\x9c\x1b\xbc\x46\x35\x9e\x81\x03\x2d\x27\x01\xf5\x0c\x99\x84\x7a\xb4\xa0\xe3\xdf\x79\xba\x6c\xf3\x8c\
+            \\x10\x84\x30\x94\x25\x37\xa9\x5e\xf4\x6f\x6f\xfe\xa1\xff\x3b\x1f\x20\x8c\xfb\x6a\x8f\x45\x8c\x74\xd9\xe0\xa2\x27\x4e\xc7\x3a\x34\
+            \\xfc\x88\x4f\x69\x3e\x4d\xe8\xdf\xef\x0e\x00\x88\x35\x59\x64\x8d\x8a\x45\x38\x8c\x1d\x80\x43\x66\x72\x1d\x9b\xfd\xa5\x86\x84\xbb\
+            \\xe8\x25\x63\x33\x84\x4e\x82\x12\x12\x8d\x80\x98\xfe\xd3\x3f\xb4\xce\x28\x0a\xe1\x27\xe1\x9b\xa5\xd5\xa6\xc2\x52\xe4\x97\x54\xbd\
+            \\xc5\xd6\x55\xdd\xeb\x66\x70\x64\x77\x84\x0b\x4d\xa1\xb6\xa8\x01\x84\xdb\x26\xa9\xe0\xb5\x67\x14\x21\xf0\x43\xb7\xe5\xd0\x58\x60\
+            \\x54\xf0\x30\x84\x06\x6f\xf4\x72\xa3\x1a\xa1\x53\xda\xdc\x47\x55\xb5\x62\x5d\xbf\x68\x56\x1b\xe6\x83\xca\x6b\x94\x2d\x6e\xd2\x3b\
+            \\xec\xcf\x01\xdb\xa6\xd3\xd0\xba\xb6\x80\x3d\x5c\xaf\x77\xa7\x09\x33\xb4\xa3\x4c\x39\x7b\xc8\xd6\x5e\xe2\x2b\x95\x5f\x0e\x53\x04\
+            \\x81\xed\x6f\x61\x20\xe7\x43\x64\xb4\x5e\x13\x78\xde\x18\x63\x9b\x88\x1c\xa1\x22\xb9\x67\x26\xd1\x80\x49\xa7\xe8\x22\xb7\xda\x7b\
+            \\x5e\x55\x2d\x25\x52\x72\xd2\x37\x79\xd2\x95\x1c\xc6\x0d\x89\x4c\x48\x8c\xb4\x02\x1b\xa4\xfe\x5b\xa4\xb0\x9f\x6b\x1c\xa8\x15\xcf\
+            \\xa2\x0c\x30\x05\x88\x71\xdf\x63\xb9\xde\x2f\xcb\x0c\xc6\xc9\xe9\x0b\xee\xff\x53\xe3\x21\x45\x17\xb4\x54\x28\x35\x9f\x63\x29\x3c\
+            \\xee\x41\xe7\x29\x6e\x1d\x2d\x7c\x50\x04\x52\x86\x1e\x66\x85\xf3\xf3\x34\x01\xc6\x30\xa2\x2c\x95\x31\xa7\x08\x50\x60\x93\x0f\x13\
+            \\x73\xf9\x84\x17\xa1\x26\x98\x59\xec\x64\x5c\x44\x52\xc8\x77\xa9\xcd\xff\x33\xa6\xa0\x2b\x17\x41\x7c\xba\xd9\xa2\x21\x80\x03\x6f\
+            \\x50\xd9\x9c\x08\xcb\x3f\x48\x61\xc2\x6b\xd7\x65\x64\xa3\xf6\xab\x80\x34\x26\x76\x25\xa7\x5e\x7b\xe4\xe6\xd1\xfc\x20\xc7\x10\xe6\
+            \\xcd\xf0\xb6\x80\x17\x84\x4d\x3b\x31\xee\xf8\x4d\x7e\x08\x24\xe4\x2c\xcb\x49\xeb\x84\x6a\x3b\xae\x8f\xf7\x78\x88\xee\x5d\x60\xf6\
+            \\x7a\xf7\x56\x73\x2f\xdd\x5c\xdb\xa1\x16\x31\xc1\x30\xf6\x6f\x43\xb3\xfa\xec\x54\x15\x7f\xd7\xfa\xef\x85\x79\xcc\xd1\x52\xde\x58\
+            \\xdb\x2f\xfd\x5e\x8f\x32\xce\x19\x30\x6a\xf9\x7a\x02\xf0\x3e\xf8\x99\x31\x9a\xd5\xc2\x42\xfa\x0f\xa7\xe3\xeb\xb0\xc6\x8e\x49\x06\
+            \\xb8\xda\x23\x0c\x80\x82\x30\x28\xdc\xde\xf3\xc8\xd3\x5f\xb1\x71\x08\x8a\x1b\xc8\xbe\xc0\xc5\x60\x61\xa3\xc9\xe8\xbc\xa8\xf5\x4d\
+            \\xc7\x2f\xef\xfa\x22\x82\x2e\x99\x82\xc5\x70\xb4\xd8\xd9\x4e\x89\x8b\x1c\x34\xbc\x30\x1e\x16\xe6\x27\x3b\xe9\x79\xb0\xff\xea\xa6\
+            \\x61\xd9\xb8\xc6\x00\xb2\x48\x69\xb7\xff\xce\x3f\x08\xdc\x28\x3b\x43\xda\xf6\x5a\xf7\xe1\x97\x98\x76\x19\xb7\x2f\x8f\x1c\x9b\xa4\
+            \\xdc\x86\x37\xa0\x16\xa7\xd3\xb1\x9f\xc3\x93\xb7\xa7\x13\x6e\xeb\xc6\xbc\xc6\x3e\x1a\x51\x37\x42\xef\x68\x28\xbc\x52\x03\x65\xd6\
+            \\x2d\x6a\x77\xab\x35\x27\xed\x4b\x82\x1f\xd2\x16\x09\x5c\x6e\x2e\xdb\x92\xf2\xfb\x5e\xea\x29\xcb\x14\x58\x92\xf5\x91\x58\x4f\x7f\
+            \\x54\x83\x69\x7b\x26\x67\xa8\xcc\x85\x19\x60\x48\x8c\x4b\xac\xea\x83\x38\x60\xd4\x0d\x23\xe0\xf9\x6c\x38\x7e\x8a\x0a\xe6\xd2\x49\
+            \\xb2\x84\x60\x0c\xd8\x35\x73\x1d\xdc\xb1\xc6\x47\xac\x4c\x56\xea\x3e\xbd\x81\xb3\x23\x0e\xab\xb0\x64\x38\xbc\x87\xf0\xb5\xb1\xfa\
+            \\x8f\x5e\xa2\xb3\xfc\x18\x46\x42\x0a\x03\x6b\x7a\x4f\xb0\x89\xbd\x64\x9d\xa5\x89\xa3\x45\x41\x5e\x5c\x03\x83\x23\x3e\x5d\x3b\xb9\
+            \\x43\xd7\x95\x72\x7e\x6d\xd0\x7c\x06\xdf\xdf\x1e\x6c\x6c\xc4\xef\x71\x60\xa5\x39\x73\xbf\xbe\x70\x83\x87\x76\x05\x45\x23\xec\xf1"#
+
+sbox_s3 :: Word8 -> Word32
+sbox_s3 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\x8d\xef\xc2\x40\x25\xfa\x5d\x9f\xeb\x90\x3d\xbf\xe8\x10\xc9\x07\x47\x60\x7f\xff\x36\x9f\xe4\x4b\x8c\x1f\xc6\x44\xae\xce\xca\x90\
+            \\xbe\xb1\xf9\xbf\xee\xfb\xca\xea\xe8\xcf\x19\x50\x51\xdf\x07\xae\x92\x0e\x88\x06\xf0\xad\x05\x48\xe1\x3c\x8d\x83\x92\x70\x10\xd5\
+            \\x11\x10\x7d\x9f\x07\x64\x7d\xb9\xb2\xe3\xe4\xd4\x3d\x4f\x28\x5e\xb9\xaf\xa8\x20\xfa\xde\x82\xe0\xa0\x67\x26\x8b\x82\x72\x79\x2e\
+            \\x55\x3f\xb2\xc0\x48\x9a\xe2\x2b\xd4\xef\x97\x94\x12\x5e\x3f\xbc\x21\xff\xfc\xee\x82\x5b\x1b\xfd\x92\x55\xc5\xed\x12\x57\xa2\x40\
+            \\x4e\x1a\x83\x02\xba\xe0\x7f\xff\x52\x82\x46\xe7\x8e\x57\x14\x0e\x33\x73\xf7\xbf\x8c\x9f\x81\x88\xa6\xfc\x4e\xe8\xc9\x82\xb5\xa5\
+            \\xa8\xc0\x1d\xb7\x57\x9f\xc2\x64\x67\x09\x4f\x31\xf2\xbd\x3f\x5f\x40\xff\xf7\xc1\x1f\xb7\x8d\xfc\x8e\x6b\xd2\xc1\x43\x7b\xe5\x9b\
+            \\x99\xb0\x3d\xbf\xb5\xdb\xc6\x4b\x63\x8d\xc0\xe6\x55\x81\x9d\x99\xa1\x97\xc8\x1c\x4a\x01\x2d\x6e\xc5\x88\x4a\x28\xcc\xc3\x6f\x71\
+            \\xb8\x43\xc2\x13\x6c\x07\x43\xf1\x83\x09\x89\x3c\x0f\xed\xdd\x5f\x2f\x7f\xe8\x50\xd7\xc0\x7f\x7e\x02\x50\x7f\xbf\x5a\xfb\x9a\x04\
+            \\xa7\x47\xd2\xd0\x16\x51\x19\x2e\xaf\x70\xbf\x3e\x58\xc3\x13\x80\x5f\x98\x30\x2e\x72\x7c\xc3\xc4\x0a\x0f\xb4\x02\x0f\x7f\xef\x82\
+            \\x8c\x96\xfd\xad\x5d\x2c\x2a\xae\x8e\xe9\x9a\x49\x50\xda\x88\xb8\x84\x27\xf4\xa0\x1e\xac\x57\x90\x79\x6f\xb4\x49\x82\x52\xdc\x15\
+            \\xef\xbd\x7d\x9b\xa6\x72\x59\x7d\xad\xa8\x40\xd8\x45\xf5\x45\x04\xfa\x5d\x74\x03\xe8\x3e\xc3\x05\x4f\x91\x75\x1a\x92\x56\x69\xc2\
+            \\x23\xef\xe9\x41\xa9\x03\xf1\x2e\x60\x27\x0d\xf2\x02\x76\xe4\xb6\x94\xfd\x65\x74\x92\x79\x85\xb2\x82\x76\xdb\xcb\x02\x77\x81\x76\
+            \\xf8\xaf\x91\x8d\x4e\x48\xf7\x9e\x8f\x61\x6d\xdf\xe2\x9d\x84\x0e\x84\x2f\x7d\x83\x34\x0c\xe5\xc8\x96\xbb\xb6\x82\x93\xb4\xb1\x48\
+            \\xef\x30\x3c\xab\x98\x4f\xaf\x28\x77\x9f\xaf\x9b\x92\xdc\x56\x0d\x22\x4d\x1e\x20\x84\x37\xaa\x88\x7d\x29\xdc\x96\x27\x56\xd3\xdc\
+            \\x8b\x90\x7c\xee\xb5\x1f\xd2\x40\xe7\xc0\x7c\xe3\xe5\x66\xb4\xa1\xc3\xe9\x61\x5e\x3c\xf8\x20\x9d\x60\x94\xd1\xe3\xcd\x9c\xa3\x41\
+            \\x5c\x76\x46\x0e\x00\xea\x98\x3b\xd4\xd6\x78\x81\xfd\x47\x57\x2c\xf7\x6c\xed\xd9\xbd\xa8\x22\x9c\x12\x7d\xad\xaa\x43\x8a\x07\x4e\
+            \\x1f\x97\xc0\x90\x08\x1b\xdb\x8a\x93\xa0\x7e\xbe\xb9\x38\xca\x15\x97\xb0\x3c\xff\x3d\xc2\xc0\xf8\x8d\x1a\xb2\xec\x64\x38\x0e\x51\
+            \\x68\xcc\x7b\xfb\xd9\x0f\x27\x88\x12\x49\x01\x81\x5d\xe5\xff\xd4\xdd\x7e\xf8\x6a\x76\xa2\xe2\x14\xb9\xa4\x03\x68\x92\x5d\x95\x8f\
+            \\x4b\x39\xff\xfa\xba\x39\xae\xe9\xa4\xff\xd3\x0b\xfa\xf7\x93\x3b\x6d\x49\x86\x23\x19\x3c\xbc\xfa\x27\x62\x75\x45\x82\x5c\xf4\x7a\
+            \\x61\xbd\x8b\xa0\xd1\x1e\x42\xd1\xce\xad\x04\xf4\x12\x7e\xa3\x92\x10\x42\x8d\xb7\x82\x72\xa9\x72\x92\x70\xc4\xa8\x12\x7d\xe5\x0b\
+            \\x28\x5b\xa1\xc8\x3c\x62\xf4\x4f\x35\xc0\xea\xa5\xe8\x05\xd2\x31\x42\x89\x29\xfb\xb4\xfc\xdf\x82\x4f\xb6\x6a\x53\x0e\x7d\xc1\x5b\
+            \\x1f\x08\x1f\xab\x10\x86\x18\xae\xfc\xfd\x08\x6d\xf9\xff\x28\x89\x69\x4b\xcc\x11\x23\x6a\x5c\xae\x12\xde\xca\x4d\x2c\x3f\x8c\xc5\
+            \\xd2\xd0\x2d\xfe\xf8\xef\x58\x96\xe4\xcf\x52\xda\x95\x15\x5b\x67\x49\x4a\x48\x8c\xb9\xb6\xa8\x0c\x5c\x8f\x82\xbc\x89\xd3\x6b\x45\
+            \\x3a\x60\x94\x37\xec\x00\xc9\xa9\x44\x71\x52\x53\x0a\x87\x4b\x49\xd7\x73\xbc\x40\x7c\x34\x67\x1c\x02\x71\x7e\xf6\x4f\xeb\x55\x36\
+            \\xa2\xd0\x2f\xff\xd2\xbf\x60\xc4\xd4\x3f\x03\xc0\x50\xb4\xef\x6d\x07\x47\x8c\xd1\x00\x6e\x18\x88\xa2\xe5\x3f\x55\xb9\xe6\xd4\xbc\
+            \\xa2\x04\x80\x16\x97\x57\x38\x33\xd7\x20\x7d\x67\xde\x0f\x8f\x3d\x72\xf8\x7b\x33\xab\xcc\x4f\x33\x76\x88\xc5\x5d\x7b\x00\xa6\xb0\
+            \\x94\x7b\x00\x01\x57\x00\x75\xd2\xf9\xbb\x88\xf8\x89\x42\x01\x9e\x42\x64\xa5\xff\x85\x63\x02\xe0\x72\xdb\xd9\x2b\xee\x97\x1b\x69\
+            \\x6e\xa2\x2f\xde\x5f\x08\xae\x2b\xaf\x7a\x61\x6d\xe5\xc9\x87\x67\xcf\x1f\xeb\xd2\x61\xef\xc8\xc2\xf1\xac\x25\x71\xcc\x82\x39\xc2\
+            \\x67\x21\x4c\xb8\xb1\xe5\x83\xd1\xb7\xdc\x3e\x62\x7f\x10\xbd\xce\xf9\x0a\x5c\x38\x0f\xf0\x44\x3d\x60\x6e\x6d\xc6\x60\x54\x3a\x49\
+            \\x57\x27\xc1\x48\x2b\xe9\x8a\x1d\x8a\xb4\x17\x38\x20\xe1\xbe\x24\xaf\x96\xda\x0f\x68\x45\x84\x25\x99\x83\x3b\xe5\x60\x0d\x45\x7d\
+            \\x28\x2f\x93\x50\x83\x34\xb3\x62\xd9\x1d\x11\x20\x2b\x6d\x8d\xa0\x64\x2b\x1e\x31\x9c\x30\x5a\x00\x52\xbc\xe6\x88\x1b\x03\x58\x8a\
+            \\xf7\xba\xef\xd5\x41\x42\xed\x9c\xa4\x31\x5c\x11\x83\x32\x3e\xc5\xdf\xef\x46\x36\xa1\x33\xc5\x01\xe9\xd3\x53\x1c\xee\x35\x37\x83"#
+
+sbox_s4 :: Word8 -> Word32
+sbox_s4 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\x9d\xb3\x04\x20\x1f\xb6\xe9\xde\xa7\xbe\x7b\xef\xd2\x73\xa2\x98\x4a\x4f\x7b\xdb\x64\xad\x8c\x57\x85\x51\x04\x43\xfa\x02\x0e\xd1\
+            \\x7e\x28\x7a\xff\xe6\x0f\xb6\x63\x09\x5f\x35\xa1\x79\xeb\xf1\x20\xfd\x05\x9d\x43\x64\x97\xb7\xb1\xf3\x64\x1f\x63\x24\x1e\x4a\xdf\
+            \\x28\x14\x7f\x5f\x4f\xa2\xb8\xcd\xc9\x43\x00\x40\x0c\xc3\x22\x20\xfd\xd3\x0b\x30\xc0\xa5\x37\x4f\x1d\x2d\x00\xd9\x24\x14\x7b\x15\
+            \\xee\x4d\x11\x1a\x0f\xca\x51\x67\x71\xff\x90\x4c\x2d\x19\x5f\xfe\x1a\x05\x64\x5f\x0c\x13\xfe\xfe\x08\x1b\x08\xca\x05\x17\x01\x21\
+            \\x80\x53\x01\x00\xe8\x3e\x5e\xfe\xac\x9a\xf4\xf8\x7f\xe7\x27\x01\xd2\xb8\xee\x5f\x06\xdf\x42\x61\xbb\x9e\x9b\x8a\x72\x93\xea\x25\
+            \\xce\x84\xff\xdf\xf5\x71\x88\x01\x3d\xd6\x4b\x04\xa2\x6f\x26\x3b\x7e\xd4\x84\x00\x54\x7e\xeb\xe6\x44\x6d\x4c\xa0\x6c\xf3\xd6\xf5\
+            \\x26\x49\xab\xdf\xae\xa0\xc7\xf5\x36\x33\x8c\xc1\x50\x3f\x7e\x93\xd3\x77\x20\x61\x11\xb6\x38\xe1\x72\x50\x0e\x03\xf8\x0e\xb2\xbb\
+            \\xab\xe0\x50\x2e\xec\x8d\x77\xde\x57\x97\x1e\x81\xe1\x4f\x67\x46\xc9\x33\x54\x00\x69\x20\x31\x8f\x08\x1d\xbb\x99\xff\xc3\x04\xa5\
+            \\x4d\x35\x18\x05\x7f\x3d\x5c\xe3\xa6\xc8\x66\xc6\x5d\x5b\xcc\xa9\xda\xec\x6f\xea\x9f\x92\x6f\x91\x9f\x46\x22\x2f\x39\x91\x46\x7d\
+            \\xa5\xbf\x6d\x8e\x11\x43\xc4\x4f\x43\x95\x83\x02\xd0\x21\x4e\xeb\x02\x20\x83\xb8\x3f\xb6\x18\x0c\x18\xf8\x93\x1e\x28\x16\x58\xe6\
+            \\x26\x48\x6e\x3e\x8b\xd7\x8a\x70\x74\x77\xe4\xc1\xb5\x06\xe0\x7c\xf3\x2d\x0a\x25\x79\x09\x8b\x02\xe4\xea\xbb\x81\x28\x12\x3b\x23\
+            \\x69\xde\xad\x38\x15\x74\xca\x16\xdf\x87\x1b\x62\x21\x1c\x40\xb7\xa5\x1a\x9e\xf9\x00\x14\x37\x7b\x04\x1e\x8a\xc8\x09\x11\x40\x03\
+            \\xbd\x59\xe4\xd2\xe3\xd1\x56\xd5\x4f\xe8\x76\xd5\x2f\x91\xa3\x40\x55\x7b\xe8\xde\x00\xea\xe4\xa7\x0c\xe5\xc2\xec\x4d\xb4\xbb\xa6\
+            \\xe7\x56\xbd\xff\xdd\x33\x69\xac\xec\x17\xb0\x35\x06\x57\x23\x27\x99\xaf\xc8\xb0\x56\xc8\xc3\x91\x6b\x65\x81\x1c\x5e\x14\x61\x19\
+            \\x6e\x85\xcb\x75\xbe\x07\xc0\x02\xc2\x32\x55\x77\x89\x3f\xf4\xec\x5b\xbf\xc9\x2d\xd0\xec\x3b\x25\xb7\x80\x1a\xb7\x8d\x6d\x3b\x24\
+            \\x20\xc7\x63\xef\xc3\x66\xa5\xfc\x9c\x38\x28\x80\x0a\xce\x32\x05\xaa\xc9\x54\x8a\xec\xa1\xd7\xc7\x04\x1a\xfa\x32\x1d\x16\x62\x5a\
+            \\x67\x01\x90\x2c\x9b\x75\x7a\x54\x31\xd4\x77\xf7\x91\x26\xb0\x31\x36\xcc\x6f\xdb\xc7\x0b\x8b\x46\xd9\xe6\x6a\x48\x56\xe5\x5a\x79\
+            \\x02\x6a\x4c\xeb\x52\x43\x7e\xff\x2f\x8f\x76\xb4\x0d\xf9\x80\xa5\x86\x74\xcd\xe3\xed\xda\x04\xeb\x17\xa9\xbe\x04\x2c\x18\xf4\xdf\
+            \\xb7\x74\x7f\x9d\xab\x2a\xf7\xb4\xef\xc3\x4d\x20\x2e\x09\x6b\x7c\x17\x41\xa2\x54\xe5\xb6\xa0\x35\x21\x3d\x42\xf6\x2c\x1c\x7c\x26\
+            \\x61\xc2\xf5\x0f\x65\x52\xda\xf9\xd2\xc2\x31\xf8\x25\x13\x0f\x69\xd8\x16\x7f\xa2\x04\x18\xf2\xc8\x00\x1a\x96\xa6\x0d\x15\x26\xab\
+            \\x63\x31\x5c\x21\x5e\x0a\x72\xec\x49\xba\xfe\xfd\x18\x79\x08\xd9\x8d\x0d\xbd\x86\x31\x11\x70\xa7\x3e\x9b\x64\x0c\xcc\x3e\x10\xd7\
+            \\xd5\xca\xd3\xb6\x0c\xae\xc3\x88\xf7\x30\x01\xe1\x6c\x72\x8a\xff\x71\xea\xe2\xa1\x1f\x9a\xf3\x6e\xcf\xcb\xd1\x2f\xc1\xde\x84\x17\
+            \\xac\x07\xbe\x6b\xcb\x44\xa1\xd8\x8b\x9b\x0f\x56\x01\x39\x88\xc3\xb1\xc5\x2f\xca\xb4\xbe\x31\xcd\xd8\x78\x28\x06\x12\xa3\xa4\xe2\
+            \\x6f\x7d\xe5\x32\x58\xfd\x7e\xb6\xd0\x1e\xe9\x00\x24\xad\xff\xc2\xf4\x99\x0f\xc5\x97\x11\xaa\xc5\x00\x1d\x7b\x95\x82\xe5\xe7\xd2\
+            \\x10\x98\x73\xf6\x00\x61\x30\x96\xc3\x2d\x95\x21\xad\xa1\x21\xff\x29\x90\x84\x15\x7f\xbb\x97\x7f\xaf\x9e\xb3\xdb\x29\xc9\xed\x2a\
+            \\x5c\xe2\xa4\x65\xa7\x30\xf3\x2c\xd0\xaa\x3f\xe8\x8a\x5c\xc0\x91\xd4\x9e\x2c\xe7\x0c\xe4\x54\xa9\xd6\x0a\xcd\x86\x01\x5f\x19\x19\
+            \\x77\x07\x91\x03\xde\xa0\x3a\xf6\x78\xa8\x56\x5e\xde\xe3\x56\xdf\x21\xf0\x5c\xbe\x8b\x75\xe3\x87\xb3\xc5\x06\x51\xb8\xa5\xc3\xef\
+            \\xd8\xee\xb6\xd2\xe5\x23\xbe\x77\xc2\x15\x45\x29\x2f\x69\xef\xdf\xaf\xe6\x7a\xfb\xf4\x70\xc4\xb2\xf3\xe0\xeb\x5b\xd6\xcc\x98\x76\
+            \\x39\xe4\x46\x0c\x1f\xda\x85\x38\x19\x87\x83\x2f\xca\x00\x73\x67\xa9\x91\x44\xf8\x29\x6b\x29\x9e\x49\x2f\xc2\x95\x92\x66\xbe\xab\
+            \\xb5\x67\x6e\x69\x9b\xd3\xdd\xda\xdf\x7e\x05\x2f\xdb\x25\x70\x1c\x1b\x5e\x51\xee\xf6\x53\x24\xe6\x6a\xfc\xe3\x6c\x03\x16\xcc\x04\
+            \\x86\x44\x21\x3e\xb7\xdc\x59\xd0\x79\x65\x29\x1f\xcc\xd6\xfd\x43\x41\x82\x39\x79\x93\x2b\xcd\xf6\xb6\x57\xc3\x4d\x4e\xdf\xd2\x82\
+            \\x7a\xe5\x29\x0c\x3c\xb9\x53\x6b\x85\x1e\x20\xfe\x98\x33\x55\x7e\x13\xec\xf0\xb0\xd3\xff\xb3\x72\x3f\x85\xc5\xc1\x0a\xef\x7e\xd2"#
+
+sbox_s5 :: Word8 -> Word32
+sbox_s5 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\x7e\xc9\x0c\x04\x2c\x6e\x74\xb9\x9b\x0e\x66\xdf\xa6\x33\x79\x11\xb8\x6a\x7f\xff\x1d\xd3\x58\xf5\x44\xdd\x9d\x44\x17\x31\x16\x7f\
+            \\x08\xfb\xf1\xfa\xe7\xf5\x11\xcc\xd2\x05\x1b\x00\x73\x5a\xba\x00\x2a\xb7\x22\xd8\x38\x63\x81\xcb\xac\xf6\x24\x3a\x69\xbe\xfd\x7a\
+            \\xe6\xa2\xe7\x7f\xf0\xc7\x20\xcd\xc4\x49\x48\x16\xcc\xf5\xc1\x80\x38\x85\x16\x40\x15\xb0\xa8\x48\xe6\x8b\x18\xcb\x4c\xaa\xde\xff\
+            \\x5f\x48\x0a\x01\x04\x12\xb2\xaa\x25\x98\x14\xfc\x41\xd0\xef\xe2\x4e\x40\xb4\x8d\x24\x8e\xb6\xfb\x8d\xba\x1c\xfe\x41\xa9\x9b\x02\
+            \\x1a\x55\x0a\x04\xba\x8f\x65\xcb\x72\x51\xf4\xe7\x95\xa5\x17\x25\xc1\x06\xec\xd7\x97\xa5\x98\x0a\xc5\x39\xb9\xaa\x4d\x79\xfe\x6a\
+            \\xf2\xf3\xf7\x63\x68\xaf\x80\x40\xed\x0c\x9e\x56\x11\xb4\x95\x8b\xe1\xeb\x5a\x88\x87\x09\xe6\xb0\xd7\xe0\x71\x56\x4e\x29\xfe\xa7\
+            \\x63\x66\xe5\x2d\x02\xd1\xc0\x00\xc4\xac\x8e\x05\x93\x77\xf5\x71\x0c\x05\x37\x2a\x57\x85\x35\xf2\x22\x61\xbe\x02\xd6\x42\xa0\xc9\
+            \\xdf\x13\xa2\x80\x74\xb5\x5b\xd2\x68\x21\x99\xc0\xd4\x21\xe5\xec\x53\xfb\x3c\xe8\xc8\xad\xed\xb3\x28\xa8\x7f\xc9\x3d\x95\x99\x81\
+            \\x5c\x1f\xf9\x00\xfe\x38\xd3\x99\x0c\x4e\xff\x0b\x06\x24\x07\xea\xaa\x2f\x4f\xb1\x4f\xb9\x69\x76\x90\xc7\x95\x05\xb0\xa8\xa7\x74\
+            \\xef\x55\xa1\xff\xe5\x9c\xa2\xc2\xa6\xb6\x2d\x27\xe6\x6a\x42\x63\xdf\x65\x00\x1f\x0e\xc5\x09\x66\xdf\xdd\x55\xbc\x29\xde\x06\x55\
+            \\x91\x1e\x73\x9a\x17\xaf\x89\x75\x32\xc7\x91\x1c\x89\xf8\x94\x68\x0d\x01\xe9\x80\x52\x47\x55\xf4\x03\xb6\x3c\xc9\x0c\xc8\x44\xb2\
+            \\xbc\xf3\xf0\xaa\x87\xac\x36\xe9\xe5\x3a\x74\x26\x01\xb3\xd8\x2b\x1a\x9e\x74\x49\x64\xee\x2d\x7e\xcd\xdb\xb1\xda\x01\xc9\x49\x10\
+            \\xb8\x68\xbf\x80\x0d\x26\xf3\xfd\x93\x42\xed\xe7\x04\xa5\xc2\x84\x63\x67\x37\xb6\x50\xf5\xb6\x16\xf2\x47\x66\xe3\x8e\xca\x36\xc1\
+            \\x13\x6e\x05\xdb\xfe\xf1\x83\x91\xfb\x88\x7a\x37\xd6\xe7\xf7\xd4\xc7\xfb\x7d\xc9\x30\x63\xfc\xdf\xb6\xf5\x89\xde\xec\x29\x41\xda\
+            \\x26\xe4\x66\x95\xb7\x56\x64\x19\xf6\x54\xef\xc5\xd0\x8d\x58\xb7\x48\x92\x54\x01\xc1\xba\xcb\x7f\xe5\xff\x55\x0f\xb6\x08\x30\x49\
+            \\x5b\xb5\xd0\xe8\x87\xd7\x2e\x5a\xab\x6a\x6e\xe1\x22\x3a\x66\xce\xc6\x2b\xf3\xcd\x9e\x08\x85\xf9\x68\xcb\x3e\x47\x08\x6c\x01\x0f\
+            \\xa2\x1d\xe8\x20\xd1\x8b\x69\xde\xf3\xf6\x57\x77\xfa\x02\xc3\xf6\x40\x7e\xda\xc3\xcb\xb3\xd5\x50\x17\x93\x08\x4d\xb0\xd7\x0e\xba\
+            \\x0a\xb3\x78\xd5\xd9\x51\xfb\x0c\xde\xd7\xda\x56\x41\x24\xbb\xe4\x94\xca\x0b\x56\x0f\x57\x55\xd1\xe0\xe1\xe5\x6e\x61\x84\xb5\xbe\
+            \\x58\x0a\x24\x9f\x94\xf7\x4b\xc0\xe3\x27\x88\x8e\x9f\x7b\x55\x61\xc3\xdc\x02\x80\x05\x68\x77\x15\x64\x6c\x6b\xd7\x44\x90\x4d\xb3\
+            \\x66\xb4\xf0\xa3\xc0\xf1\x64\x8a\x69\x7e\xd5\xaf\x49\xe9\x2f\xf6\x30\x9e\x37\x4f\x2c\xb6\x35\x6a\x85\x80\x85\x73\x49\x91\xf8\x40\
+            \\x76\xf0\xae\x02\x08\x3b\xe8\x4d\x28\x42\x1c\x9a\x44\x48\x94\x06\x73\x6e\x4c\xb8\xc1\x09\x29\x10\x8b\xc9\x5f\xc6\x7d\x86\x9c\xf4\
+            \\x13\x4f\x61\x6f\x2e\x77\x11\x8d\xb3\x1b\x2b\xe1\xaa\x90\xb4\x72\x3c\xa5\xd7\x17\x7d\x16\x1b\xba\x9c\xad\x90\x10\xaf\x46\x2b\xa2\
+            \\x9f\xe4\x59\xd2\x45\xd3\x45\x59\xd9\xf2\xda\x13\xdb\xc6\x54\x87\xf3\xe4\xf9\x4e\x17\x6d\x48\x6f\x09\x7c\x13\xea\x63\x1d\xa5\xc7\
+            \\x44\x5f\x73\x82\x17\x56\x83\xf4\xcd\xc6\x6a\x97\x70\xbe\x02\x88\xb3\xcd\xcf\x72\x6e\x5d\xd2\xf3\x20\x93\x60\x79\x45\x9b\x80\xa5\
+            \\xbe\x60\xe2\xdb\xa9\xc2\x31\x01\xeb\xa5\x31\x5c\x22\x4e\x42\xf2\x1c\x5c\x15\x72\xf6\x72\x1b\x2c\x1a\xd2\xff\xf3\x8c\x25\x40\x4e\
+            \\x32\x4e\xd7\x2f\x40\x67\xb7\xfd\x05\x23\x13\x8e\x5c\xa3\xbc\x78\xdc\x0f\xd6\x6e\x75\x92\x22\x83\x78\x4d\x6b\x17\x58\xeb\xb1\x6e\
+            \\x44\x09\x4f\x85\x3f\x48\x1d\x87\xfc\xfe\xae\x7b\x77\xb5\xff\x76\x8c\x23\x02\xbf\xaa\xf4\x75\x56\x5f\x46\xb0\x2a\x2b\x09\x28\x01\
+            \\x3d\x38\xf5\xf7\x0c\xa8\x1f\x36\x52\xaf\x4a\x8a\x66\xd5\xe7\xc0\xdf\x3b\x08\x74\x95\x05\x51\x10\x1b\x5a\xd7\xa8\xf6\x1e\xd5\xad\
+            \\x6c\xf6\xe4\x79\x20\x75\x81\x84\xd0\xce\xfa\x65\x88\xf7\xbe\x58\x4a\x04\x68\x26\x0f\xf6\xf8\xf3\xa0\x9c\x7f\x70\x53\x46\xab\xa0\
+            \\x5c\xe9\x6c\x28\xe1\x76\xed\xa3\x6b\xac\x30\x7f\x37\x68\x29\xd2\x85\x36\x0f\xa9\x17\xe3\xfe\x2a\x24\xb7\x97\x67\xf5\xa9\x6b\x20\
+            \\xd6\xcd\x25\x95\x68\xff\x1e\xbf\x75\x55\x44\x2c\xf1\x9f\x06\xbe\xf9\xe0\x65\x9a\xee\xb9\x49\x1d\x34\x01\x07\x18\xbb\x30\xca\xb8\
+            \\xe8\x22\xfe\x15\x88\x57\x09\x83\x75\x0e\x62\x49\xda\x62\x7e\x55\x5e\x76\xff\xa8\xb1\x53\x45\x46\x6d\x47\xde\x08\xef\xe9\xe7\xd4"#
+
+sbox_s6 :: Word8 -> Word32
+sbox_s6 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\xf6\xfa\x8f\x9d\x2c\xac\x6c\xe1\x4c\xa3\x48\x67\xe2\x33\x7f\x7c\x95\xdb\x08\xe7\x01\x68\x43\xb4\xec\xed\x5c\xbc\x32\x55\x53\xac\
+            \\xbf\x9f\x09\x60\xdf\xa1\xe2\xed\x83\xf0\x57\x9d\x63\xed\x86\xb9\x1a\xb6\xa6\xb8\xde\x5e\xbe\x39\xf3\x8f\xf7\x32\x89\x89\xb1\x38\
+            \\x33\xf1\x49\x61\xc0\x19\x37\xbd\xf5\x06\xc6\xda\xe4\x62\x5e\x7e\xa3\x08\xea\x99\x4e\x23\xe3\x3c\x79\xcb\xd7\xcc\x48\xa1\x43\x67\
+            \\xa3\x14\x96\x19\xfe\xc9\x4b\xd5\xa1\x14\x17\x4a\xea\xa0\x18\x66\xa0\x84\xdb\x2d\x09\xa8\x48\x6f\xa8\x88\x61\x4a\x29\x00\xaf\x98\
+            \\x01\x66\x59\x91\xe1\x99\x28\x63\xc8\xf3\x0c\x60\x2e\x78\xef\x3c\xd0\xd5\x19\x32\xcf\x0f\xec\x14\xf7\xca\x07\xd2\xd0\xa8\x20\x72\
+            \\xfd\x41\x19\x7e\x93\x05\xa6\xb0\xe8\x6b\xe3\xda\x74\xbe\xd3\xcd\x37\x2d\xa5\x3c\x4c\x7f\x44\x48\xda\xb5\xd4\x40\x6d\xba\x0e\xc3\
+            \\x08\x39\x19\xa7\x9f\xba\xee\xd9\x49\xdb\xcf\xb0\x4e\x67\x0c\x53\x5c\x3d\x9c\x01\x64\xbd\xb9\x41\x2c\x0e\x63\x6a\xba\x7d\xd9\xcd\
+            \\xea\x6f\x73\x88\xe7\x0b\xc7\x62\x35\xf2\x9a\xdb\x5c\x4c\xdd\x8d\xf0\xd4\x8d\x8c\xb8\x81\x53\xe2\x08\xa1\x98\x66\x1a\xe2\xea\xc8\
+            \\x28\x4c\xaf\x89\xaa\x92\x82\x23\x93\x34\xbe\x53\x3b\x3a\x21\xbf\x16\x43\x4b\xe3\x9a\xea\x39\x06\xef\xe8\xc3\x6e\xf8\x90\xcd\xd9\
+            \\x80\x22\x6d\xae\xc3\x40\xa4\xa3\xdf\x7e\x9c\x09\xa6\x94\xa8\x07\x5b\x7c\x5e\xcc\x22\x1d\xb3\xa6\x9a\x69\xa0\x2f\x68\x81\x8a\x54\
+            \\xce\xb2\x29\x6f\x53\xc0\x84\x3a\xfe\x89\x36\x55\x25\xbf\xe6\x8a\xb4\x62\x8a\xbc\xcf\x22\x2e\xbf\x25\xac\x6f\x48\xa9\xa9\x93\x87\
+            \\x53\xbd\xdb\x65\xe7\x6f\xfb\xe7\xe9\x67\xfd\x78\x0b\xa9\x35\x63\x8e\x34\x2b\xc1\xe8\xa1\x1b\xe9\x49\x80\x74\x0d\xc8\x08\x7d\xfc\
+            \\x8d\xe4\xbf\x99\xa1\x11\x01\xa0\x7f\xd3\x79\x75\xda\x5a\x26\xc0\xe8\x1f\x99\x4f\x95\x28\xcd\x89\xfd\x33\x9f\xed\xb8\x78\x34\xbf\
+            \\x5f\x04\x45\x6d\x22\x25\x86\x98\xc9\xc4\xc8\x3b\x2d\xc1\x56\xbe\x4f\x62\x8d\xaa\x57\xf5\x5e\xc5\xe2\x22\x0a\xbe\xd2\x91\x6e\xbf\
+            \\x4e\xc7\x5b\x95\x24\xf2\xc3\xc0\x42\xd1\x5d\x99\xcd\x0d\x7f\xa0\x7b\x6e\x27\xff\xa8\xdc\x8a\xf0\x73\x45\xc1\x06\xf4\x1e\x23\x2f\
+            \\x35\x16\x23\x86\xe6\xea\x89\x26\x33\x33\xb0\x94\x15\x7e\xc6\xf2\x37\x2b\x74\xaf\x69\x25\x73\xe4\xe9\xa9\xd8\x48\xf3\x16\x02\x89\
+            \\x3a\x62\xef\x1d\xa7\x87\xe2\x38\xf3\xa5\xf6\x76\x74\x36\x48\x53\x20\x95\x10\x63\x45\x76\x69\x8d\xb6\xfa\xd4\x07\x59\x2a\xf9\x50\
+            \\x36\xf7\x35\x23\x4c\xfb\x6e\x87\x7d\xa4\xce\xc0\x6c\x15\x2d\xaa\xcb\x03\x96\xa8\xc5\x0d\xfe\x5d\xfc\xd7\x07\xab\x09\x21\xc4\x2f\
+            \\x89\xdf\xf0\xbb\x5f\xe2\xbe\x78\x44\x8f\x4f\x33\x75\x46\x13\xc9\x2b\x05\xd0\x8d\x48\xb9\xd5\x85\xdc\x04\x94\x41\xc8\x09\x8f\x9b\
+            \\x7d\xed\xe7\x86\xc3\x9a\x33\x73\x42\x41\x00\x05\x6a\x09\x17\x51\x0e\xf3\xc8\xa6\x89\x00\x72\xd6\x28\x20\x76\x82\xa9\xa9\xf7\xbe\
+            \\xbf\x32\x67\x9d\xd4\x5b\x5b\x75\xb3\x53\xfd\x00\xcb\xb0\xe3\x58\x83\x0f\x22\x0a\x1f\x8f\xb2\x14\xd3\x72\xcf\x08\xcc\x3c\x4a\x13\
+            \\x8c\xf6\x31\x66\x06\x1c\x87\xbe\x88\xc9\x8f\x88\x60\x62\xe3\x97\x47\xcf\x8e\x7a\xb6\xc8\x52\x83\x3c\xc2\xac\xfb\x3f\xc0\x69\x76\
+            \\x4e\x8f\x02\x52\x64\xd8\x31\x4d\xda\x38\x70\xe3\x1e\x66\x54\x59\xc1\x09\x08\xf0\x51\x30\x21\xa5\x6c\x5b\x68\xb7\x82\x2f\x8a\xa0\
+            \\x30\x07\xcd\x3e\x74\x71\x9e\xef\xdc\x87\x26\x81\x07\x33\x40\xd4\x7e\x43\x2f\xd9\x0c\x5e\xc2\x41\x88\x09\x28\x6c\xf5\x92\xd8\x91\
+            \\x08\xa9\x30\xf6\x95\x7e\xf3\x05\xb7\xfb\xff\xbd\xc2\x66\xe9\x6f\x6f\xe4\xac\x98\xb1\x73\xec\xc0\xbc\x60\xb4\x2a\x95\x34\x98\xda\
+            \\xfb\xa1\xae\x12\x2d\x4b\xd7\x36\x0f\x25\xfa\xab\xa4\xf3\xfc\xeb\xe2\x96\x91\x23\x25\x7f\x0c\x3d\x93\x48\xaf\x49\x36\x14\x00\xbc\
+            \\xe8\x81\x6f\x4a\x38\x14\xf2\x00\xa3\xf9\x40\x43\x9c\x7a\x54\xc2\xbc\x70\x4f\x57\xda\x41\xe7\xf9\xc2\x5a\xd3\x3a\x54\xf4\xa0\x84\
+            \\xb1\x7f\x55\x05\x59\x35\x7c\xbe\xed\xbd\x15\xc8\x7f\x97\xc5\xab\xba\x5a\xc7\xb5\xb6\xf6\xde\xaf\x3a\x47\x9c\x3a\x53\x02\xda\x25\
+            \\x65\x3d\x7e\x6a\x54\x26\x8d\x49\x51\xa4\x77\xea\x50\x17\xd5\x5b\xd7\xd2\x5d\x88\x44\x13\x6c\x76\x04\x04\xa8\xc8\xb8\xe5\xa1\x21\
+            \\xb8\x1a\x92\x8a\x60\xed\x58\x69\x97\xc5\x5b\x96\xea\xec\x99\x1b\x29\x93\x59\x13\x01\xfd\xb7\xf1\x08\x8e\x8d\xfa\x9a\xb6\xf6\xf5\
+            \\x3b\x4c\xbf\x9f\x4a\x5d\xe3\xab\xe6\x05\x1d\x35\xa0\xe1\xd8\x55\xd3\x6b\x4c\xf1\xf5\x44\xed\xeb\xb0\xe9\x35\x24\xbe\xbb\x8f\xbd\
+            \\xa2\xd7\x62\xcf\x49\xc9\x2f\x54\x38\xb5\xf3\x31\x71\x28\xa4\x54\x48\x39\x29\x05\xa6\x5b\x1d\xb8\x85\x1c\x97\xbd\xd6\x75\xcf\x2f"#
+
+sbox_s7 :: Word8 -> Word32
+sbox_s7 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\x85\xe0\x40\x19\x33\x2b\xf5\x67\x66\x2d\xbf\xff\xcf\xc6\x56\x93\x2a\x8d\x7f\x6f\xab\x9b\xc9\x12\xde\x60\x08\xa1\x20\x28\xda\x1f\
+            \\x02\x27\xbc\xe7\x4d\x64\x29\x16\x18\xfa\xc3\x00\x50\xf1\x8b\x82\x2c\xb2\xcb\x11\xb2\x32\xe7\x5c\x4b\x36\x95\xf2\xb2\x87\x07\xde\
+            \\xa0\x5f\xbc\xf6\xcd\x41\x81\xe9\xe1\x50\x21\x0c\xe2\x4e\xf1\xbd\xb1\x68\xc3\x81\xfd\xe4\xe7\x89\x5c\x79\xb0\xd8\x1e\x8b\xfd\x43\
+            \\x4d\x49\x50\x01\x38\xbe\x43\x41\x91\x3c\xee\x1d\x92\xa7\x9c\x3f\x08\x97\x66\xbe\xba\xee\xad\xf4\x12\x86\xbe\xcf\xb6\xea\xcb\x19\
+            \\x26\x60\xc2\x00\x75\x65\xbd\xe4\x64\x24\x1f\x7a\x82\x48\xdc\xa9\xc3\xb3\xad\x66\x28\x13\x60\x86\x0b\xd8\xdf\xa8\x35\x6d\x1c\xf2\
+            \\x10\x77\x89\xbe\xb3\xb2\xe9\xce\x05\x02\xaa\x8f\x0b\xc0\x35\x1e\x16\x6b\xf5\x2a\xeb\x12\xff\x82\xe3\x48\x69\x11\xd3\x4d\x75\x16\
+            \\x4e\x7b\x3a\xff\x5f\x43\x67\x1b\x9c\xf6\xe0\x37\x49\x81\xac\x83\x33\x42\x66\xce\x8c\x93\x41\xb7\xd0\xd8\x54\xc0\xcb\x3a\x6c\x88\
+            \\x47\xbc\x28\x29\x47\x25\xba\x37\xa6\x6a\xd2\x2b\x7a\xd6\x1f\x1e\x0c\x5c\xba\xfa\x44\x37\xf1\x07\xb6\xe7\x99\x62\x42\xd2\xd8\x16\
+            \\x0a\x96\x12\x88\xe1\xa5\xc0\x6e\x13\x74\x9e\x67\x72\xfc\x08\x1a\xb1\xd1\x39\xf7\xf9\x58\x37\x45\xcf\x19\xdf\x58\xbe\xc3\xf7\x56\
+            \\xc0\x6e\xba\x30\x07\x21\x1b\x24\x45\xc2\x88\x29\xc9\x5e\x31\x7f\xbc\x8e\xc5\x11\x38\xbc\x46\xe9\xc6\xe6\xfa\x14\xba\xe8\x58\x4a\
+            \\xad\x4e\xbc\x46\x46\x8f\x50\x8b\x78\x29\x43\x5f\xf1\x24\x18\x3b\x82\x1d\xba\x9f\xaf\xf6\x0f\xf4\xea\x2c\x4e\x6d\x16\xe3\x92\x64\
+            \\x92\x54\x4a\x8b\x00\x9b\x4f\xc3\xab\xa6\x8c\xed\x9a\xc9\x6f\x78\x06\xa5\xb7\x9a\xb2\x85\x6e\x6e\x1a\xec\x3c\xa9\xbe\x83\x86\x88\
+            \\x0e\x08\x04\xe9\x55\xf1\xbe\x56\xe7\xe5\x36\x3b\xb3\xa1\xf2\x5d\xf7\xde\xbb\x85\x61\xfe\x03\x3c\x16\x74\x62\x33\x3c\x03\x4c\x28\
+            \\xda\x6d\x0c\x74\x79\xaa\xc5\x6c\x3c\xe4\xe1\xad\x51\xf0\xc8\x02\x98\xf8\xf3\x5a\x16\x26\xa4\x9f\xee\xd8\x2b\x29\x1d\x38\x2f\xe3\
+            \\x0c\x4f\xb9\x9a\xbb\x32\x57\x78\x3e\xc6\xd9\x7b\x6e\x77\xa6\xa9\xcb\x65\x8b\x5c\xd4\x52\x30\xc7\x2b\xd1\x40\x8b\x60\xc0\x3e\xb7\
+            \\xb9\x06\x8d\x78\xa3\x37\x54\xf4\xf4\x30\xc8\x7d\xc8\xa7\x13\x02\xb9\x6d\x8c\x32\xeb\xd4\xe7\xbe\xbe\x8b\x9d\x2d\x79\x79\xfb\x06\
+            \\xe7\x22\x53\x08\x8b\x75\xcf\x77\x11\xef\x8d\xa4\xe0\x83\xc8\x58\x8d\x6b\x78\x6f\x5a\x63\x17\xa6\xfa\x5c\xf7\xa0\x5d\xda\x00\x33\
+            \\xf2\x8e\xbf\xb0\xf5\xb9\xc3\x10\xa0\xea\xc2\x80\x08\xb9\x76\x7a\xa3\xd9\xd2\xb0\x79\xd3\x42\x17\x02\x1a\x71\x8d\x9a\xc6\x33\x6a\
+            \\x27\x11\xfd\x60\x43\x80\x50\xe3\x06\x99\x08\xa8\x3d\x7f\xed\xc4\x82\x6d\x2b\xef\x4e\xeb\x84\x76\x48\x8d\xcf\x25\x36\xc9\xd5\x66\
+            \\x28\xe7\x4e\x41\xc2\x61\x0a\xca\x3d\x49\xa9\xcf\xba\xe3\xb9\xdf\xb6\x5f\x8d\xe6\x92\xae\xaf\x64\x3a\xc7\xd5\xe6\x9e\xa8\x05\x09\
+            \\xf2\x2b\x01\x7d\xa4\x17\x3f\x70\xdd\x1e\x16\xc3\x15\xe0\xd7\xf9\x50\xb1\xb8\x87\x2b\x9f\x4f\xd5\x62\x5a\xba\x82\x6a\x01\x79\x62\
+            \\x2e\xc0\x1b\x9c\x15\x48\x8a\xa9\xd7\x16\xe7\x40\x40\x05\x5a\x2c\x93\xd2\x9a\x22\xe3\x2d\xbf\x9a\x05\x87\x45\xb9\x34\x53\xdc\x1e\
+            \\xd6\x99\x29\x6e\x49\x6c\xff\x6f\x1c\x9f\x49\x86\xdf\xe2\xed\x07\xb8\x72\x42\xd1\x19\xde\x7e\xae\x05\x3e\x56\x1a\x15\xad\x6f\x8c\
+            \\x66\x62\x6c\x1c\x71\x54\xc2\x4c\xea\x08\x2b\x2a\x93\xeb\x29\x39\x17\xdc\xb0\xf0\x58\xd4\xf2\xae\x9e\xa2\x94\xfb\x52\xcf\x56\x4c\
+            \\x98\x83\xfe\x66\x2e\xc4\x05\x81\x76\x39\x53\xc3\x01\xd6\x69\x2e\xd3\xa0\xc1\x08\xa1\xe7\x16\x0e\xe4\xf2\xdf\xa6\x69\x3e\xd2\x85\
+            \\x74\x90\x46\x98\x4c\x2b\x0e\xdd\x4f\x75\x76\x56\x5d\x39\x33\x78\xa1\x32\x23\x4f\x3d\x32\x1c\x5d\xc3\xf5\xe1\x94\x4b\x26\x93\x01\
+            \\xc7\x9f\x02\x2f\x3c\x99\x7e\x7e\x5e\x4f\x95\x04\x3f\xfa\xfb\xbd\x76\xf7\xad\x0e\x29\x66\x93\xf4\x3d\x1f\xce\x6f\xc6\x1e\x45\xbe\
+            \\xd3\xb5\xab\x34\xf7\x2b\xf9\xb7\x1b\x04\x34\xc0\x4e\x72\xb5\x67\x55\x92\xa3\x3d\xb5\x22\x93\x01\xcf\xd2\xa8\x7f\x60\xae\xb7\x67\
+            \\x18\x14\x38\x6b\x30\xbc\xc3\x3d\x38\xa0\xc0\x7d\xfd\x16\x06\xf2\xc3\x63\x51\x9b\x58\x9d\xd3\x90\x54\x79\xf8\xe6\x1c\xb8\xd6\x47\
+            \\x97\xfd\x61\xa9\xea\x77\x59\xf4\x2d\x57\x53\x9d\x56\x9a\x58\xcf\xe8\x4e\x63\xad\x46\x2e\x1b\x78\x65\x80\xf8\x7e\xf3\x81\x79\x14\
+            \\x91\xda\x55\xf4\x40\xa2\x30\xf3\xd1\x98\x8f\x35\xb6\xe3\x18\xd2\x3f\xfa\x50\xbc\x3d\x40\xf0\x21\xc3\xc0\xbd\xae\x49\x58\xc2\x4c\
+            \\x51\x8f\x36\xb2\x84\xb1\xd3\x70\x0f\xed\xce\x83\x87\x8d\xda\xda\xf2\xa2\x79\xc7\x94\xe0\x1b\xe8\x90\x71\x6f\x4b\x95\x4b\x8a\xa3"#
+
+sbox_s8 :: Word8 -> Word32
+sbox_s8 i = arrayRead32 t (fromIntegral i)
+  where
+    t = array32FromAddrBE 256
+            "\xe2\x16\x30\x0d\xbb\xdd\xff\xfc\xa7\xeb\xda\xbd\x35\x64\x80\x95\x77\x89\xf8\xb7\xe6\xc1\x12\x1b\x0e\x24\x16\x00\x05\x2c\xe8\xb5\
+            \\x11\xa9\xcf\xb0\xe5\x95\x2f\x11\xec\xe7\x99\x0a\x93\x86\xd1\x74\x2a\x42\x93\x1c\x76\xe3\x81\x11\xb1\x2d\xef\x3a\x37\xdd\xdd\xfc\
+            \\xde\x9a\xde\xb1\x0a\x0c\xc3\x2c\xbe\x19\x70\x29\x84\xa0\x09\x40\xbb\x24\x3a\x0f\xb4\xd1\x37\xcf\xb4\x4e\x79\xf0\x04\x9e\xed\xfd\
+            \\x0b\x15\xa1\x5d\x48\x0d\x31\x68\x8b\xbb\xde\x5a\x66\x9d\xed\x42\xc7\xec\xe8\x31\x3f\x8f\x95\xe7\x72\xdf\x19\x1b\x75\x80\x33\x0d\
+            \\x94\x07\x42\x51\x5c\x7d\xcd\xfa\xab\xbe\x6d\x63\xaa\x40\x21\x64\xb3\x01\xd4\x0a\x02\xe7\xd1\xca\x53\x57\x1d\xae\x7a\x31\x82\xa2\
+            \\x12\xa8\xdd\xec\xfd\xaa\x33\x5d\x17\x6f\x43\xe8\x71\xfb\x46\xd4\x38\x12\x90\x22\xce\x94\x9a\xd4\xb8\x47\x69\xad\x96\x5b\xd8\x62\
+            \\x82\xf3\xd0\x55\x66\xfb\x97\x67\x15\xb8\x0b\x4e\x1d\x5b\x47\xa0\x4c\xfd\xe0\x6f\xc2\x8e\xc4\xb8\x57\xe8\x72\x6e\x64\x7a\x78\xfc\
+            \\x99\x86\x5d\x44\x60\x8b\xd5\x93\x6c\x20\x0e\x03\x39\xdc\x5f\xf6\x5d\x0b\x00\xa3\xae\x63\xaf\xf2\x7e\x8b\xd6\x32\x70\x10\x8c\x0c\
+            \\xbb\xd3\x50\x49\x29\x98\xdf\x04\x98\x0c\xf4\x2a\x9b\x6d\xf4\x91\x9e\x7e\xdd\x53\x06\x91\x85\x48\x58\xcb\x7e\x07\x3b\x74\xef\x2e\
+            \\x52\x2f\xff\xb1\xd2\x47\x08\xcc\x1c\x7e\x27\xcd\xa4\xeb\x21\x5b\x3c\xf1\xd2\xe2\x19\xb4\x7a\x38\x42\x4f\x76\x18\x35\x85\x60\x39\
+            \\x9d\x17\xde\xe7\x27\xeb\x35\xe6\xc9\xaf\xf6\x7b\x36\xba\xf5\xb8\x09\xc4\x67\xcd\xc1\x89\x10\xb1\xe1\x1d\xbf\x7b\x06\xcd\x1a\xf8\
+            \\x71\x70\xc6\x08\x2d\x5e\x33\x54\xd4\xde\x49\x5a\x64\xc6\xd0\x06\xbc\xc0\xc6\x2c\x3d\xd0\x0d\xb3\x70\x8f\x8f\x34\x77\xd5\x1b\x42\
+            \\x26\x4f\x62\x0f\x24\xb8\xd2\xbf\x15\xc1\xb7\x9e\x46\xa5\x25\x64\xf8\xd7\xe5\x4e\x3e\x37\x81\x60\x78\x95\xcd\xa5\x85\x9c\x15\xa5\
+            \\xe6\x45\x97\x88\xc3\x7b\xc7\x5f\xdb\x07\xba\x0c\x06\x76\xa3\xab\x7f\x22\x9b\x1e\x31\x84\x2e\x7b\x24\x25\x9f\xd7\xf8\xbe\xf4\x72\
+            \\x83\x5f\xfc\xb8\x6d\xf4\xc1\xf2\x96\xf5\xb1\x95\xfd\x0a\xf0\xfc\xb0\xfe\x13\x4c\xe2\x50\x6d\x3d\x4f\x9b\x12\xea\xf2\x15\xf2\x25\
+            \\xa2\x23\x73\x6f\x9f\xb4\xc4\x28\x25\xd0\x49\x79\x34\xc7\x13\xf8\xc4\x61\x81\x87\xea\x7a\x6e\x98\x7c\xd1\x6e\xfc\x14\x36\x87\x6c\
+            \\xf1\x54\x41\x07\xbe\xde\xee\x14\x56\xe9\xaf\x27\xa0\x4a\xa4\x41\x3c\xf7\xc8\x99\x92\xec\xba\xe6\xdd\x67\x01\x6d\x15\x16\x82\xeb\
+            \\xa8\x42\xee\xdf\xfd\xba\x60\xb4\xf1\x90\x7b\x75\x20\xe3\x03\x0f\x24\xd8\xc2\x9e\xe1\x39\x67\x3b\xef\xa6\x3f\xb8\x71\x87\x30\x54\
+            \\xb6\xf2\xcf\x3b\x9f\x32\x64\x42\xcb\x15\xa4\xcc\xb0\x1a\x45\x04\xf1\xe4\x7d\x8d\x84\x4a\x1b\xe5\xba\xe7\xdf\xdc\x42\xcb\xda\x70\
+            \\xcd\x7d\xae\x0a\x57\xe8\x5b\x7a\xd5\x3f\x5a\xf6\x20\xcf\x4d\x8c\xce\xa4\xd4\x28\x79\xd1\x30\xa4\x34\x86\xeb\xfb\x33\xd3\xcd\xdc\
+            \\x77\x85\x3b\x53\x37\xef\xfc\xb5\xc5\x06\x87\x78\xe5\x80\xb3\xe6\x4e\x68\xb8\xf4\xc5\xc8\xb3\x7e\x0d\x80\x9e\xa2\x39\x8f\xeb\x7c\
+            \\x13\x2a\x4f\x94\x43\xb7\x95\x0e\x2f\xee\x7d\x1c\x22\x36\x13\xbd\xdd\x06\xca\xa2\x37\xdf\x93\x2b\xc4\x24\x82\x89\xac\xf3\xeb\xc3\
+            \\x57\x15\xf6\xb7\xef\x34\x78\xdd\xf2\x67\x61\x6f\xc1\x48\xcb\xe4\x90\x52\x81\x5e\x5e\x41\x0f\xab\xb4\x8a\x24\x65\x2e\xda\x7f\xa4\
+            \\xe8\x7b\x40\xe4\xe9\x8e\xa0\x84\x58\x89\xe9\xe1\xef\xd3\x90\xfc\xdd\x07\xd3\x5b\xdb\x48\x56\x94\x38\xd7\xe5\xb2\x57\x72\x01\x01\
+            \\x73\x0e\xde\xbc\x5b\x64\x31\x13\x94\x91\x7e\x4f\x50\x3c\x2f\xba\x64\x6f\x12\x82\x75\x23\xd2\x4a\xe0\x77\x96\x95\xf9\xc1\x7a\x8f\
+            \\x7a\x5b\x21\x21\xd1\x87\xb8\x96\x29\x26\x3a\x4d\xba\x51\x0c\xdf\x81\xf4\x7c\x9f\xad\x11\x63\xed\xea\x7b\x59\x65\x1a\x00\x72\x6e\
+            \\x11\x40\x30\x92\x00\xda\x6d\x77\x4a\x0c\xdd\x61\xad\x1f\x46\x03\x60\x5b\xdf\xb0\x9e\xed\xc3\x64\x22\xeb\xe6\xa8\xce\xe7\xd2\x8a\
+            \\xa0\xe7\x36\xa0\x55\x64\xa6\xb9\x10\x85\x32\x09\xc7\xeb\x8f\x37\x2d\xe7\x05\xca\x89\x51\x57\x0f\xdf\x09\x82\x2b\xbd\x69\x1a\x6c\
+            \\xaa\x12\xe4\xf2\x87\x45\x1c\x0f\xe0\xf6\xa2\x7a\x3a\xda\x48\x19\x4c\xf1\x76\x4f\x0d\x77\x1c\x2b\x67\xcd\xb1\x56\x35\x0d\x83\x84\
+            \\x59\x38\xfa\x0f\x42\x39\x9e\xf3\x36\x99\x7b\x07\x0e\x84\x09\x3d\x4a\xa9\x3e\x61\x83\x60\xd8\x7b\x1f\xa9\x8b\x0c\x11\x49\x38\x2c\
+            \\xe9\x76\x25\xa5\x06\x14\xd1\xb7\x0e\x25\x24\x4b\x0c\x76\x83\x47\x58\x9e\x8d\x82\x0d\x20\x59\xd1\xa4\x66\xbb\x1e\xf8\xda\x0a\x82\
+            \\x04\xf1\x91\x30\xba\x6e\x4e\xc0\x99\x26\x51\x64\x1e\xe7\x23\x0d\x50\xb2\xad\x80\xea\xee\x68\x01\x8d\xb2\xa2\x83\xea\x8b\xf5\x9e"#
diff --git a/Crypto/Cipher/Camellia/Primitive.hs b/Crypto/Cipher/Camellia/Primitive.hs
--- a/Crypto/Cipher/Camellia/Primitive.hs
+++ b/Crypto/Cipher/Camellia/Primitive.hs
@@ -6,8 +6,8 @@
 -- Stability   : experimental
 -- Portability : Good
 --
--- this only cover Camellia 128 bits for now, API will change once
--- 192 and 256 mode are implemented too
+-- This only cover Camellia 128 bits for now. The API will change once
+-- 192 and 256 mode are implemented too.
 {-# LANGUAGE MagicHash #-}
 module Crypto.Cipher.Camellia.Primitive
     ( Camellia
diff --git a/Crypto/Cipher/ChaCha.hs b/Crypto/Cipher/ChaCha.hs
--- a/Crypto/Cipher/ChaCha.hs
+++ b/Crypto/Cipher/ChaCha.hs
@@ -12,7 +12,7 @@
     , combine
     , generate
     , State
-    -- * simple interface for DRG purpose
+    -- * Simple interface for DRG purpose
     , initializeSimple
     , generateSimple
     , StateSimple
diff --git a/Crypto/Cipher/Types.hs b/Crypto/Cipher/Types.hs
--- a/Crypto/Cipher/Types.hs
+++ b/Crypto/Cipher/Types.hs
@@ -5,7 +5,7 @@
 -- Stability   : Stable
 -- Portability : Excellent
 --
--- symmetric cipher basic types
+-- Symmetric cipher basic types
 --
 {-# LANGUAGE DeriveDataTypeable #-}
 module Crypto.Cipher.Types
@@ -21,6 +21,8 @@
     -- , cfb8Decrypt
     -- * AEAD functions
     , AEADMode(..)
+    , CCM_M(..)
+    , CCM_L(..)
     , module Crypto.Cipher.Types.AEAD
     -- * Initial Vector type and constructor
     , IV
diff --git a/Crypto/Cipher/Types/Base.hs b/Crypto/Cipher/Types/Base.hs
--- a/Crypto/Cipher/Types/Base.hs
+++ b/Crypto/Cipher/Types/Base.hs
@@ -5,7 +5,7 @@
 -- Stability   : Stable
 -- Portability : Excellent
 --
--- symmetric cipher basic types
+-- Symmetric cipher basic types
 --
 {-# LANGUAGE ExistentialQuantification #-}
 {-# LANGUAGE GeneralizedNewtypeDeriving #-}
@@ -14,6 +14,8 @@
     , Cipher(..)
     , AuthTag(..)
     , AEADMode(..)
+    , CCM_M(..)
+    , CCM_L(..)
     , DataUnitOffset
     ) where
 
@@ -39,10 +41,13 @@
 instance Eq AuthTag where
     (AuthTag a) == (AuthTag b) = B.constEq a b
 
+data CCM_M = CCM_M4 | CCM_M6 | CCM_M8 | CCM_M10 | CCM_M12 | CCM_M14 | CCM_M16 deriving (Show, Eq)
+data CCM_L = CCM_L2 | CCM_L3 | CCM_L4 deriving (Show, Eq)
+
 -- | AEAD Mode
 data AEADMode =
       AEAD_OCB -- OCB3
-    | AEAD_CCM
+    | AEAD_CCM Int CCM_M CCM_L
     | AEAD_EAX
     | AEAD_CWC
     | AEAD_GCM
diff --git a/Crypto/Cipher/Types/Block.hs b/Crypto/Cipher/Types/Block.hs
--- a/Crypto/Cipher/Types/Block.hs
+++ b/Crypto/Cipher/Types/Block.hs
@@ -5,7 +5,7 @@
 -- Stability   : Stable
 -- Portability : Excellent
 --
--- block cipher basic types
+-- Block cipher basic types
 --
 {-# LANGUAGE MultiParamTypeClasses #-}
 {-# LANGUAGE ExistentialQuantification #-}
@@ -16,7 +16,7 @@
     -- * BlockCipher
       BlockCipher(..)
     , BlockCipher128(..)
-    -- * initialization vector (IV)
+    -- * Initialization vector (IV)
     , IV(..)
     , makeIV
     , nullIV
diff --git a/Crypto/Cipher/Types/Stream.hs b/Crypto/Cipher/Types/Stream.hs
--- a/Crypto/Cipher/Types/Stream.hs
+++ b/Crypto/Cipher/Types/Stream.hs
@@ -5,7 +5,7 @@
 -- Stability   : Stable
 -- Portability : Excellent
 --
--- stream cipher basic types
+-- Stream cipher basic types
 --
 module Crypto.Cipher.Types.Stream
     ( StreamCipher(..)
diff --git a/Crypto/Cipher/Types/Utils.hs b/Crypto/Cipher/Types/Utils.hs
--- a/Crypto/Cipher/Types/Utils.hs
+++ b/Crypto/Cipher/Types/Utils.hs
@@ -5,7 +5,7 @@
 -- Stability   : Stable
 -- Portability : Excellent
 --
--- basic utility for cipher related stuff
+-- Basic utility for cipher related stuff
 --
 module Crypto.Cipher.Types.Utils where
 
diff --git a/Crypto/ConstructHash/MiyaguchiPreneel.hs b/Crypto/ConstructHash/MiyaguchiPreneel.hs
--- a/Crypto/ConstructHash/MiyaguchiPreneel.hs
+++ b/Crypto/ConstructHash/MiyaguchiPreneel.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- provide the hash function construction method from block cipher
+-- Provide the hash function construction method from block cipher
 -- <https://en.wikipedia.org/wiki/One-way_compression_function>
 --
 {-# LANGUAGE GeneralizedNewtypeDeriving #-}
diff --git a/Crypto/Data/AFIS.hs b/Crypto/Data/AFIS.hs
--- a/Crypto/Data/AFIS.hs
+++ b/Crypto/Data/AFIS.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- haskell implementation of the Anti-forensic information splitter
+-- Haskell implementation of the Anti-forensic information splitter
 -- available in LUKS. <http://clemens.endorphin.org/AFsplitter>
 --
 -- The algorithm bloats an arbitrary secret with many bits that are necessary for
diff --git a/Crypto/ECC.hs b/Crypto/ECC.hs
--- a/Crypto/ECC.hs
+++ b/Crypto/ECC.hs
@@ -17,6 +17,7 @@
     , Curve_P521R1(..)
     , Curve_X25519(..)
     , Curve_X448(..)
+    , Curve_Edwards25519(..)
     , EllipticCurve(..)
     , EllipticCurveDH(..)
     , EllipticCurveArith(..)
@@ -25,6 +26,7 @@
     ) where
 
 import qualified Crypto.PubKey.ECC.P256 as P256
+import qualified Crypto.ECC.Edwards25519 as Edwards25519
 import qualified Crypto.ECC.Simple.Types as Simple
 import qualified Crypto.ECC.Simple.Prim as Simple
 import           Crypto.Random
@@ -49,7 +51,7 @@
     }
 
 newtype SharedSecret = SharedSecret ScrubbedBytes
-    deriving (Eq, ByteArrayAccess)
+    deriving (Eq, ByteArrayAccess, NFData)
 
 class EllipticCurve curve where
     -- | Point on an Elliptic Curve
@@ -101,6 +103,9 @@
     -- | Add points on a curve
     pointAdd :: proxy curve -> Point curve -> Point curve -> Point curve
 
+    -- | Negate a curve point
+    pointNegate :: proxy curve -> Point curve -> Point curve
+
     -- | Scalar Multiplication on a curve
     pointSmul :: proxy curve -> Scalar curve -> Point curve -> Point curve
 
@@ -137,6 +142,7 @@
 
 instance EllipticCurveArith Curve_P256R1 where
     pointAdd  _ a b = P256.pointAdd a b
+    pointNegate _ p = P256.pointNegate p
     pointSmul _ s p = P256.pointMul s p
 
 instance EllipticCurveDH Curve_P256R1 where
@@ -158,6 +164,7 @@
 
 instance EllipticCurveArith Curve_P384R1 where
     pointAdd _ a b = Simple.pointAdd a b
+    pointNegate _ p = Simple.pointNegate p
     pointSmul _ s p = Simple.pointMul s p
 
 instance EllipticCurveDH Curve_P384R1 where
@@ -180,6 +187,7 @@
 
 instance EllipticCurveArith Curve_P521R1 where
     pointAdd _ a b = Simple.pointAdd a b
+    pointNegate _ p = Simple.pointNegate p
     pointSmul _ s p = Simple.pointMul s p
 
 instance EllipticCurveDH Curve_P521R1 where
@@ -224,6 +232,24 @@
     ecdhRaw _ s p = SharedSecret $ convert secret
       where secret = X448.dh p s
     ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p)
+
+data Curve_Edwards25519 = Curve_Edwards25519
+    deriving (Show,Data,Typeable)
+
+instance EllipticCurve Curve_Edwards25519 where
+    type Point Curve_Edwards25519 = Edwards25519.Point
+    type Scalar Curve_Edwards25519 = Edwards25519.Scalar
+    curveSizeBits _ = 255
+    curveGenerateScalar _ = Edwards25519.scalarGenerate
+    curveGenerateKeyPair _ = toKeyPair <$> Edwards25519.scalarGenerate
+      where toKeyPair scalar = KeyPair (Edwards25519.toPoint scalar) scalar
+    encodePoint _ point = Edwards25519.pointEncode point
+    decodePoint _ bs = Edwards25519.pointDecode bs
+
+instance EllipticCurveArith Curve_Edwards25519 where
+    pointAdd _ a b = Edwards25519.pointAdd a b
+    pointNegate _ p = Edwards25519.pointNegate p
+    pointSmul _ s p = Edwards25519.pointMul s p
 
 checkNonZeroDH :: SharedSecret -> CryptoFailable SharedSecret
 checkNonZeroDH s@(SharedSecret b)
diff --git a/Crypto/ECC/Edwards25519.hs b/Crypto/ECC/Edwards25519.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/ECC/Edwards25519.hs
@@ -0,0 +1,373 @@
+-- |
+-- Module      : Crypto.ECC.Edwards25519
+-- License     : BSD-style
+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>
+-- Stability   : experimental
+-- Portability : unknown
+--
+-- Arithmetic primitives over curve edwards25519.
+--
+-- Twisted Edwards curves are a familly of elliptic curves allowing
+-- complete addition formulas without any special case and no point at
+-- infinity.  Curve edwards25519 is based on prime 2^255 - 19 for
+-- efficient implementation.  Equation and parameters are given in
+-- <https://tools.ietf.org/html/rfc7748 RFC 7748>.
+--
+-- This module provides types and primitive operations that are useful
+-- to implement cryptographic schemes based on curve edwards25519:
+--
+-- - arithmetic functions for point addition, doubling, negation,
+-- scalar multiplication with an arbitrary point, with the base point,
+-- etc.
+--
+-- - arithmetic functions dealing with scalars modulo the prime order
+-- L of the base point
+--
+-- All functions run in constant time unless noted otherwise.
+--
+-- Warnings:
+--
+-- 1. Curve edwards25519 has a cofactor h = 8 so the base point does
+-- not generate the entire curve and points with order 2, 4, 8 exist.
+-- When implementing cryptographic algorithms, special care must be
+-- taken using one of the following methods:
+--
+--     - points must be checked for membership in the prime-order
+--     subgroup
+--
+--     - or cofactor must be cleared by multiplying points by 8
+--
+--     Utility functions are provided to implement this.  Testing
+--     subgroup membership with 'pointHasPrimeOrder' is 50-time slower
+--     than call 'pointMulByCofactor'.
+--
+-- 2. Scalar arithmetic is always reduced modulo L, allowing fixed
+-- length and constant execution time, but this reduction is valid
+-- only when points are in the prime-order subgroup.
+--
+-- 3. Because of modular reduction in this implementation it is not
+-- possible to multiply points directly by scalars like 8.s or L.
+-- This has to be decomposed into several steps.
+--
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+module Crypto.ECC.Edwards25519
+    ( Scalar
+    , Point
+    -- * Scalars
+    , scalarGenerate
+    , scalarDecodeLong
+    , scalarEncode
+    -- * Points
+    , pointDecode
+    , pointEncode
+    , pointHasPrimeOrder
+    -- * Arithmetic functions
+    , toPoint
+    , scalarAdd
+    , scalarMul
+    , pointNegate
+    , pointAdd
+    , pointDouble
+    , pointMul
+    , pointMulByCofactor
+    , pointsMulVarTime
+    ) where
+
+import           Data.Bits
+import           Data.Word
+import           Foreign.C.Types
+import           Foreign.Ptr
+import           Foreign.Storable
+
+import           Crypto.Error
+import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes,
+                                            ScrubbedBytes, withByteArray)
+import qualified Crypto.Internal.ByteArray as B
+import           Crypto.Internal.Compat
+import           Crypto.Internal.Imports
+import           Crypto.Random
+
+
+scalarArraySize :: Int
+scalarArraySize = 40 -- maximum [9 * 4 {- 32 bits -}, 5 * 8 {- 64 bits -}]
+
+-- | A scalar modulo prime order of curve edwards25519.
+newtype Scalar = Scalar ScrubbedBytes
+    deriving (Show,NFData)
+
+instance Eq Scalar where
+    (Scalar s1) == (Scalar s2) = unsafeDoIO $
+        withByteArray s1 $ \ps1 ->
+        withByteArray s2 $ \ps2 ->
+            fmap (/= 0) (ed25519_scalar_eq ps1 ps2)
+    {-# NOINLINE (==) #-}
+
+pointArraySize :: Int
+pointArraySize = 160 -- maximum [4 * 10 * 4 {- 32 bits -}, 4 * 5 * 8 {- 64 bits -}]
+
+-- | A point on curve edwards25519.
+newtype Point = Point Bytes
+    deriving NFData
+
+instance Show Point where
+    showsPrec d p =
+        let bs = pointEncode p :: Bytes
+         in showParen (d > 10) $ showString "Point "
+                               . shows (B.convertToBase B.Base16 bs :: Bytes)
+
+instance Eq Point where
+    (Point p1) == (Point p2) = unsafeDoIO $
+        withByteArray p1 $ \pp1 ->
+        withByteArray p2 $ \pp2 ->
+            fmap (/= 0) (ed25519_point_eq pp1 pp2)
+    {-# NOINLINE (==) #-}
+
+-- | Generate a random scalar.
+scalarGenerate :: MonadRandom randomly => randomly Scalar
+scalarGenerate = throwCryptoError . scalarDecodeLong <$> generate
+  where
+    -- Scalar generation is based on a fixed number of bytes so that
+    -- there is no timing leak.  But because of modular reduction
+    -- distribution is not uniform.  We use many more bytes than
+    -- necessary so the probability bias is small.  With 512 bits we
+    -- get 22% of scalars with a higher frequency, but the relative
+    -- probability difference is only 2^(-260).
+    generate :: MonadRandom randomly => randomly ScrubbedBytes
+    generate = getRandomBytes 64
+
+-- | Serialize a scalar to binary, i.e. a 32-byte little-endian
+-- number.
+scalarEncode :: B.ByteArray bs => Scalar -> bs
+scalarEncode (Scalar s) =
+    B.allocAndFreeze 32 $ \out ->
+        withByteArray s $ \ps -> ed25519_scalar_encode out ps
+
+-- | Deserialize a little-endian number as a scalar.  Input array can
+-- have any length from 0 to 64 bytes.
+--
+-- Note: it is not advised to put secret information in the 3 lowest
+-- bits of a scalar if this scalar may be multiplied to untrusted
+-- points outside the prime-order subgroup.
+scalarDecodeLong :: B.ByteArrayAccess bs => bs -> CryptoFailable Scalar
+scalarDecodeLong bs
+    | B.length bs > 64 = CryptoFailed CryptoError_EcScalarOutOfBounds
+    | otherwise        = unsafeDoIO $ withByteArray bs initialize
+  where
+    len = fromIntegral $ B.length bs
+    initialize inp = do
+        s <- B.alloc scalarArraySize $ \ps ->
+                 ed25519_scalar_decode_long ps inp len
+        return $ CryptoPassed (Scalar s)
+{-# NOINLINE scalarDecodeLong #-}
+
+-- | Add two scalars.
+scalarAdd :: Scalar -> Scalar -> Scalar
+scalarAdd (Scalar a) (Scalar b) =
+    Scalar $ B.allocAndFreeze scalarArraySize $ \out ->
+        withByteArray a $ \pa ->
+        withByteArray b $ \pb ->
+             ed25519_scalar_add out pa pb
+
+-- | Multiply two scalars.
+scalarMul :: Scalar -> Scalar -> Scalar
+scalarMul (Scalar a) (Scalar b) =
+    Scalar $ B.allocAndFreeze scalarArraySize $ \out ->
+        withByteArray a $ \pa ->
+        withByteArray b $ \pb ->
+             ed25519_scalar_mul out pa pb
+
+-- | Multiplies a scalar with the curve base point.
+toPoint :: Scalar -> Point
+toPoint (Scalar scalar) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray scalar $ \pscalar ->
+            ed25519_point_base_scalarmul out pscalar
+
+-- | Serialize a point to a 32-byte array.
+--
+-- Format is binary compatible with 'Crypto.PubKey.Ed25519.PublicKey'
+-- from module "Crypto.PubKey.Ed25519".
+pointEncode :: B.ByteArray bs => Point -> bs
+pointEncode (Point p) =
+    B.allocAndFreeze 32 $ \out ->
+        withByteArray p $ \pp ->
+             ed25519_point_encode out pp
+
+-- | Deserialize a 32-byte array as a point, ensuring the point is
+-- valid on edwards25519.
+--
+-- /WARNING:/ variable time
+pointDecode :: B.ByteArrayAccess bs => bs -> CryptoFailable Point
+pointDecode bs
+    | B.length bs == 32 = unsafeDoIO $ withByteArray bs initialize
+    | otherwise         = CryptoFailed CryptoError_PointSizeInvalid
+  where
+    initialize inp = do
+        (res, p) <- B.allocRet pointArraySize $ \pp ->
+                        ed25519_point_decode_vartime pp inp
+        if res == 0 then return $ CryptoFailed CryptoError_PointCoordinatesInvalid
+                    else return $ CryptoPassed (Point p)
+{-# NOINLINE pointDecode #-}
+
+-- | Test whether a point belongs to the prime-order subgroup
+-- generated by the base point.  Result is 'True' for the identity
+-- point.
+--
+-- @
+-- pointHasPrimeOrder p = 'pointNegate' p == 'pointMul' l_minus_one p
+-- @
+pointHasPrimeOrder :: Point -> Bool
+pointHasPrimeOrder (Point p) = unsafeDoIO $
+    withByteArray p $ \pp ->
+        fmap (/= 0) (ed25519_point_has_prime_order pp)
+{-# NOINLINE pointHasPrimeOrder #-}
+
+-- | Negate a point.
+pointNegate :: Point -> Point
+pointNegate (Point a) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray a $ \pa ->
+             ed25519_point_negate out pa
+
+-- | Add two points.
+pointAdd :: Point -> Point -> Point
+pointAdd (Point a) (Point b) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray a $ \pa ->
+        withByteArray b $ \pb ->
+             ed25519_point_add out pa pb
+
+-- | Add a point to itself.
+--
+-- @
+-- pointDouble p = 'pointAdd' p p
+-- @
+pointDouble :: Point -> Point
+pointDouble (Point a) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray a $ \pa ->
+             ed25519_point_double out pa
+
+-- | Multiply a point by h = 8.
+--
+-- @
+-- pointMulByCofactor p = 'pointMul' scalar_8 p
+-- @
+pointMulByCofactor :: Point -> Point
+pointMulByCofactor (Point a) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray a $ \pa ->
+             ed25519_point_mul_by_cofactor out pa
+
+-- | Scalar multiplication over curve edwards25519.
+--
+-- Note: when the scalar had reduction modulo L and the input point
+-- has a torsion component, the output point may not be in the
+-- expected subgroup.
+pointMul :: Scalar -> Point -> Point
+pointMul (Scalar scalar) (Point base) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray scalar $ \pscalar ->
+        withByteArray base   $ \pbase   ->
+             ed25519_point_scalarmul out pbase pscalar
+
+-- | Multiply the point @p@ with @s2@ and add a lifted to curve value @s1@.
+--
+-- @
+-- pointsMulVarTime s1 s2 p = 'pointAdd' ('toPoint' s1) ('pointMul' s2 p)
+-- @
+--
+-- /WARNING:/ variable time
+pointsMulVarTime :: Scalar -> Scalar -> Point -> Point
+pointsMulVarTime (Scalar s1) (Scalar s2) (Point p) =
+    Point $ B.allocAndFreeze pointArraySize $ \out ->
+        withByteArray s1 $ \ps1 ->
+        withByteArray s2 $ \ps2 ->
+        withByteArray p  $ \pp  ->
+             ed25519_base_double_scalarmul_vartime out ps1 pp ps2
+
+foreign import ccall "cryptonite_ed25519_scalar_eq"
+    ed25519_scalar_eq :: Ptr Scalar
+                      -> Ptr Scalar
+                      -> IO CInt
+
+foreign import ccall "cryptonite_ed25519_scalar_encode"
+    ed25519_scalar_encode :: Ptr Word8
+                          -> Ptr Scalar
+                          -> IO ()
+
+foreign import ccall "cryptonite_ed25519_scalar_decode_long"
+    ed25519_scalar_decode_long :: Ptr Scalar
+                               -> Ptr Word8
+                               -> CSize
+                               -> IO ()
+
+foreign import ccall "cryptonite_ed25519_scalar_add"
+    ed25519_scalar_add :: Ptr Scalar -- sum
+                       -> Ptr Scalar -- a
+                       -> Ptr Scalar -- b
+                       -> IO ()
+
+foreign import ccall "cryptonite_ed25519_scalar_mul"
+    ed25519_scalar_mul :: Ptr Scalar -- out
+                       -> Ptr Scalar -- a
+                       -> Ptr Scalar -- b
+                       -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_encode"
+    ed25519_point_encode :: Ptr Word8
+                         -> Ptr Point
+                         -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_decode_vartime"
+    ed25519_point_decode_vartime :: Ptr Point
+                                 -> Ptr Word8
+                                 -> IO CInt
+
+foreign import ccall "cryptonite_ed25519_point_eq"
+    ed25519_point_eq :: Ptr Point
+                     -> Ptr Point
+                     -> IO CInt
+
+foreign import ccall "cryptonite_ed25519_point_has_prime_order"
+    ed25519_point_has_prime_order :: Ptr Point
+                                  -> IO CInt
+
+foreign import ccall "cryptonite_ed25519_point_negate"
+    ed25519_point_negate :: Ptr Point -- minus_a
+                         -> Ptr Point -- a
+                         -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_add"
+    ed25519_point_add :: Ptr Point -- sum
+                      -> Ptr Point -- a
+                      -> Ptr Point -- b
+                      -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_double"
+    ed25519_point_double :: Ptr Point -- two_a
+                         -> Ptr Point -- a
+                         -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_mul_by_cofactor"
+    ed25519_point_mul_by_cofactor :: Ptr Point -- eight_a
+                                  -> Ptr Point -- a
+                                  -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_base_scalarmul"
+    ed25519_point_base_scalarmul :: Ptr Point  -- scaled
+                                 -> Ptr Scalar -- scalar
+                                 -> IO ()
+
+foreign import ccall "cryptonite_ed25519_point_scalarmul"
+    ed25519_point_scalarmul :: Ptr Point  -- scaled
+                            -> Ptr Point  -- base
+                            -> Ptr Scalar -- scalar
+                            -> IO ()
+
+foreign import ccall "cryptonite_ed25519_base_double_scalarmul_vartime"
+    ed25519_base_double_scalarmul_vartime :: Ptr Point  -- combo
+                                          -> Ptr Scalar -- scalar1
+                                          -> Ptr Point  -- base2
+                                          -> Ptr Scalar -- scalar2
+                                          -> IO ()
diff --git a/Crypto/ECC/Simple/Prim.hs b/Crypto/ECC/Simple/Prim.hs
--- a/Crypto/ECC/Simple/Prim.hs
+++ b/Crypto/ECC/Simple/Prim.hs
@@ -6,6 +6,7 @@
     ( scalarGenerate
     , scalarFromInteger
     , pointAdd
+    , pointNegate
     , pointDouble
     , pointBaseMul
     , pointMul
@@ -49,7 +50,7 @@
 pointNegate        PointO     = PointO
 pointNegate point@(Point x y) =
     case curveType point of
-        CurvePrime {}  -> Point x (-y)
+        CurvePrime (CurvePrimeParam p) -> Point x (p - y)
         CurveBinary {} -> Point x (x `addF2m` y)
 
 -- | Elliptic Curve point addition.
diff --git a/Crypto/ECC/Simple/Types.hs b/Crypto/ECC/Simple/Types.hs
--- a/Crypto/ECC/Simple/Types.hs
+++ b/Crypto/ECC/Simple/Types.hs
@@ -1,4 +1,5 @@
 {-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
 -- |
 -- Module      : Crypto.ECC.Simple.Types
 -- License     : BSD-style
@@ -6,7 +7,7 @@
 -- Stability   : Experimental
 -- Portability : Excellent
 --
--- references:
+-- References:
 --   <https://tools.ietf.org/html/rfc5915>
 --
 {-# OPTIONS_GHC -fno-warn-missing-signatures #-}
@@ -20,7 +21,7 @@
     , curveSizeBits
     , curveSizeBytes
     , CurveParameters(..)
-    -- * specific curves definition
+    -- * Specific curves definition
     , SEC_p112r1(..)
     , SEC_p112r2(..)
     , SEC_p128r1(..)
@@ -98,7 +99,7 @@
 
 -- | ECC Private Number
 newtype Scalar curve = Scalar Integer
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data,Typeable,NFData)
 
 -- | Define a point on a curve.
 data Point curve =
diff --git a/Crypto/Error/Types.hs b/Crypto/Error/Types.hs
--- a/Crypto/Error/Types.hs
+++ b/Crypto/Error/Types.hs
@@ -8,6 +8,7 @@
 -- Cryptographic Error enumeration and handling
 --
 {-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE TypeFamilies       #-}
 module Crypto.Error.Types
     ( CryptoError(..)
     , CryptoFailable(..)
@@ -21,6 +22,7 @@
 import qualified Control.Exception as E
 import           Data.Data
 
+import           Basement.Monad (MonadFailure(..))
 import           Crypto.Internal.Imports
 
 -- | Enumeration of all possible errors that can be found in this library
@@ -86,6 +88,10 @@
         case m1 of
             CryptoPassed a -> m2 a
             CryptoFailed e -> CryptoFailed e
+
+instance MonadFailure CryptoFailable where
+    type Failure CryptoFailable = CryptoError
+    mFail = CryptoFailed
 
 -- | Throw an CryptoError as exception on CryptoFailed result,
 -- otherwise return the computed value
diff --git a/Crypto/Hash.hs b/Crypto/Hash.hs
--- a/Crypto/Hash.hs
+++ b/Crypto/Hash.hs
@@ -25,10 +25,10 @@
     , Digest
     -- * Functions
     , digestFromByteString
-    -- * hash methods parametrized by algorithm
+    -- * Hash methods parametrized by algorithm
     , hashInitWith
     , hashWith
-    -- * hash methods
+    -- * Hash methods
     , hashInit
     , hashUpdates
     , hashUpdate
@@ -41,13 +41,18 @@
     , module Crypto.Hash.Algorithms
     ) where
 
+import           Basement.Types.OffsetSize (CountOf (..))
+import           Basement.Block (Block, unsafeFreeze)
+import           Basement.Block.Mutable (copyFromPtr, new)
 import           Control.Monad
+import           Crypto.Internal.Compat (unsafeDoIO)
 import           Crypto.Hash.Types
 import           Crypto.Hash.Algorithms
 import           Foreign.Ptr (Ptr)
 import           Crypto.Internal.ByteArray (ByteArrayAccess)
 import qualified Crypto.Internal.ByteArray as B
 import qualified Data.ByteString.Lazy as L
+import           Data.Word (Word8)
 
 -- | Hash a strict bytestring into a digest.
 hash :: (ByteArrayAccess ba, HashAlgorithm a) => ba -> Digest a
@@ -102,10 +107,18 @@
 --
 -- If the digest is not the right size for the algorithm specified, then
 -- Nothing is returned.
-digestFromByteString :: (HashAlgorithm a, ByteArrayAccess ba) => ba -> Maybe (Digest a)
+digestFromByteString :: forall a ba . (HashAlgorithm a, ByteArrayAccess ba) => ba -> Maybe (Digest a)
 digestFromByteString = from undefined
   where
-        from :: (HashAlgorithm a, ByteArrayAccess ba) => a -> ba -> Maybe (Digest a)
+        from :: HashAlgorithm a => a -> ba -> Maybe (Digest a)
         from alg bs
-            | B.length bs == (hashDigestSize alg) = (Just $ Digest $ B.convert bs)
+            | B.length bs == (hashDigestSize alg) = Just $ Digest $ unsafeDoIO $ copyBytes bs
             | otherwise                           = Nothing
+
+        copyBytes :: ba -> IO (Block Word8)
+        copyBytes ba = do
+            muArray <- new count
+            B.withByteArray ba $ \ptr -> copyFromPtr ptr muArray 0 count
+            unsafeFreeze muArray
+          where
+            count = CountOf (B.length ba)
diff --git a/Crypto/Hash/Algorithms.hs b/Crypto/Hash/Algorithms.hs
--- a/Crypto/Hash/Algorithms.hs
+++ b/Crypto/Hash/Algorithms.hs
@@ -10,7 +10,7 @@
 --
 module Crypto.Hash.Algorithms
     ( HashAlgorithm
-    -- * hash algorithms
+    -- * Hash algorithms
     , Blake2s_160(..)
     , Blake2s_224(..)
     , Blake2s_256(..)
diff --git a/Crypto/Hash/Blake2.hs b/Crypto/Hash/Blake2.hs
--- a/Crypto/Hash/Blake2.hs
+++ b/Crypto/Hash/Blake2.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Blake2
 --
 -- Implementation based from [RFC7693](https://tools.ietf.org/html/rfc7693)
@@ -51,7 +51,7 @@
 --
 -- It is espacially known to target 32bits architectures.
 --
--- known supported digest sizes:
+-- Known supported digest sizes:
 --
 -- * Blake2s 160
 -- * Blake2s 224
@@ -65,10 +65,10 @@
       where
     type HashBlockSize           (Blake2s bitlen) = 64
     type HashDigestSize          (Blake2s bitlen) = Div8 bitlen
-    type HashInternalContextSize (Blake2s bitlen) = 185
+    type HashInternalContextSize (Blake2s bitlen) = 136
     hashBlockSize  _          = 64
     hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)
-    hashInternalContextSize _ = 185
+    hashInternalContextSize _ = 136
     hashInternalInit p        = c_blake2s_init p (integralNatVal (Proxy :: Proxy bitlen))
     hashInternalUpdate        = c_blake2s_update
     hashInternalFinalize p    = c_blake2s_finalize p (integralNatVal (Proxy :: Proxy bitlen))
@@ -100,10 +100,10 @@
       where
     type HashBlockSize           (Blake2b bitlen) = 128
     type HashDigestSize          (Blake2b bitlen) = Div8 bitlen
-    type HashInternalContextSize (Blake2b bitlen) = 361
+    type HashInternalContextSize (Blake2b bitlen) = 248
     hashBlockSize  _          = 128
     hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)
-    hashInternalContextSize _ = 361
+    hashInternalContextSize _ = 248
     hashInternalInit p        = c_blake2b_init p (integralNatVal (Proxy :: Proxy bitlen))
     hashInternalUpdate        = c_blake2b_update
     hashInternalFinalize p    = c_blake2b_finalize p (integralNatVal (Proxy :: Proxy bitlen))
diff --git a/Crypto/Hash/Blake2b.hs b/Crypto/Hash/Blake2b.hs
--- a/Crypto/Hash/Blake2b.hs
+++ b/Crypto/Hash/Blake2b.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Blake2b cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
@@ -30,10 +30,10 @@
 instance HashAlgorithm Blake2b_160 where
     type HashBlockSize           Blake2b_160 = 128
     type HashDigestSize          Blake2b_160 = 20
-    type HashInternalContextSize Blake2b_160 = 361
+    type HashInternalContextSize Blake2b_160 = 248
     hashBlockSize  _          = 128
     hashDigestSize _          = 20
-    hashInternalContextSize _ = 361
+    hashInternalContextSize _ = 248
     hashInternalInit p        = c_blake2b_init p 160
     hashInternalUpdate        = c_blake2b_update
     hashInternalFinalize p    = c_blake2b_finalize p 160
@@ -45,10 +45,10 @@
 instance HashAlgorithm Blake2b_224 where
     type HashBlockSize           Blake2b_224 = 128
     type HashDigestSize          Blake2b_224 = 28
-    type HashInternalContextSize Blake2b_224 = 361
+    type HashInternalContextSize Blake2b_224 = 248
     hashBlockSize  _          = 128
     hashDigestSize _          = 28
-    hashInternalContextSize _ = 361
+    hashInternalContextSize _ = 248
     hashInternalInit p        = c_blake2b_init p 224
     hashInternalUpdate        = c_blake2b_update
     hashInternalFinalize p    = c_blake2b_finalize p 224
@@ -60,10 +60,10 @@
 instance HashAlgorithm Blake2b_256 where
     type HashBlockSize           Blake2b_256 = 128
     type HashDigestSize          Blake2b_256 = 32
-    type HashInternalContextSize Blake2b_256 = 361
+    type HashInternalContextSize Blake2b_256 = 248
     hashBlockSize  _          = 128
     hashDigestSize _          = 32
-    hashInternalContextSize _ = 361
+    hashInternalContextSize _ = 248
     hashInternalInit p        = c_blake2b_init p 256
     hashInternalUpdate        = c_blake2b_update
     hashInternalFinalize p    = c_blake2b_finalize p 256
@@ -75,10 +75,10 @@
 instance HashAlgorithm Blake2b_384 where
     type HashBlockSize           Blake2b_384 = 128
     type HashDigestSize          Blake2b_384 = 48
-    type HashInternalContextSize Blake2b_384 = 361
+    type HashInternalContextSize Blake2b_384 = 248
     hashBlockSize  _          = 128
     hashDigestSize _          = 48
-    hashInternalContextSize _ = 361
+    hashInternalContextSize _ = 248
     hashInternalInit p        = c_blake2b_init p 384
     hashInternalUpdate        = c_blake2b_update
     hashInternalFinalize p    = c_blake2b_finalize p 384
@@ -90,10 +90,10 @@
 instance HashAlgorithm Blake2b_512 where
     type HashBlockSize           Blake2b_512 = 128
     type HashDigestSize          Blake2b_512 = 64
-    type HashInternalContextSize Blake2b_512 = 361
+    type HashInternalContextSize Blake2b_512 = 248
     hashBlockSize  _          = 128
     hashDigestSize _          = 64
-    hashInternalContextSize _ = 361
+    hashInternalContextSize _ = 248
     hashInternalInit p        = c_blake2b_init p 512
     hashInternalUpdate        = c_blake2b_update
     hashInternalFinalize p    = c_blake2b_finalize p 512
diff --git a/Crypto/Hash/Blake2bp.hs b/Crypto/Hash/Blake2bp.hs
--- a/Crypto/Hash/Blake2bp.hs
+++ b/Crypto/Hash/Blake2bp.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Blake2bp cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
@@ -30,20 +30,20 @@
 instance HashAlgorithm Blake2bp_512 where
     type HashBlockSize           Blake2bp_512 = 128
     type HashDigestSize          Blake2bp_512 = 64
-    type HashInternalContextSize Blake2bp_512 = 2325
+    type HashInternalContextSize Blake2bp_512 = 1768
     hashBlockSize  _          = 128
     hashDigestSize _          = 64
-    hashInternalContextSize _ = 2325
-    hashInternalInit p        = c_blake2sp_init p 512
-    hashInternalUpdate        = c_blake2sp_update
-    hashInternalFinalize p    = c_blake2sp_finalize p 512
+    hashInternalContextSize _ = 1768
+    hashInternalInit p        = c_blake2bp_init p 512
+    hashInternalUpdate        = c_blake2bp_update
+    hashInternalFinalize p    = c_blake2bp_finalize p 512
 
 
-foreign import ccall unsafe "cryptonite_blake2sp_init"
-    c_blake2sp_init :: Ptr (Context a) -> Word32 -> IO ()
+foreign import ccall unsafe "cryptonite_blake2bp_init"
+    c_blake2bp_init :: Ptr (Context a) -> Word32 -> IO ()
 
-foreign import ccall "cryptonite_blake2sp_update"
-    c_blake2sp_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()
+foreign import ccall "cryptonite_blake2bp_update"
+    c_blake2bp_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()
 
-foreign import ccall unsafe "cryptonite_blake2sp_finalize"
-    c_blake2sp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()
+foreign import ccall unsafe "cryptonite_blake2bp_finalize"
+    c_blake2bp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()
diff --git a/Crypto/Hash/Blake2s.hs b/Crypto/Hash/Blake2s.hs
--- a/Crypto/Hash/Blake2s.hs
+++ b/Crypto/Hash/Blake2s.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Blake2s cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
@@ -30,10 +30,10 @@
 instance HashAlgorithm Blake2s_160 where
     type HashBlockSize           Blake2s_160 = 64
     type HashDigestSize          Blake2s_160 = 20
-    type HashInternalContextSize Blake2s_160 = 185
+    type HashInternalContextSize Blake2s_160 = 136
     hashBlockSize  _          = 64
     hashDigestSize _          = 20
-    hashInternalContextSize _ = 185
+    hashInternalContextSize _ = 136
     hashInternalInit p        = c_blake2s_init p 160
     hashInternalUpdate        = c_blake2s_update
     hashInternalFinalize p    = c_blake2s_finalize p 160
@@ -45,10 +45,10 @@
 instance HashAlgorithm Blake2s_224 where
     type HashBlockSize           Blake2s_224 = 64
     type HashDigestSize          Blake2s_224 = 28
-    type HashInternalContextSize Blake2s_224 = 185
+    type HashInternalContextSize Blake2s_224 = 136
     hashBlockSize  _          = 64
     hashDigestSize _          = 28
-    hashInternalContextSize _ = 185
+    hashInternalContextSize _ = 136
     hashInternalInit p        = c_blake2s_init p 224
     hashInternalUpdate        = c_blake2s_update
     hashInternalFinalize p    = c_blake2s_finalize p 224
@@ -60,10 +60,10 @@
 instance HashAlgorithm Blake2s_256 where
     type HashBlockSize           Blake2s_256 = 64
     type HashDigestSize          Blake2s_256 = 32
-    type HashInternalContextSize Blake2s_256 = 185
+    type HashInternalContextSize Blake2s_256 = 136
     hashBlockSize  _          = 64
     hashDigestSize _          = 32
-    hashInternalContextSize _ = 185
+    hashInternalContextSize _ = 136
     hashInternalInit p        = c_blake2s_init p 256
     hashInternalUpdate        = c_blake2s_update
     hashInternalFinalize p    = c_blake2s_finalize p 256
diff --git a/Crypto/Hash/Blake2sp.hs b/Crypto/Hash/Blake2sp.hs
--- a/Crypto/Hash/Blake2sp.hs
+++ b/Crypto/Hash/Blake2sp.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Blake2sp cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
@@ -30,10 +30,10 @@
 instance HashAlgorithm Blake2sp_224 where
     type HashBlockSize           Blake2sp_224 = 64
     type HashDigestSize          Blake2sp_224 = 28
-    type HashInternalContextSize Blake2sp_224 = 2185
+    type HashInternalContextSize Blake2sp_224 = 1752
     hashBlockSize  _          = 64
     hashDigestSize _          = 28
-    hashInternalContextSize _ = 2185
+    hashInternalContextSize _ = 1752
     hashInternalInit p        = c_blake2sp_init p 224
     hashInternalUpdate        = c_blake2sp_update
     hashInternalFinalize p    = c_blake2sp_finalize p 224
@@ -45,10 +45,10 @@
 instance HashAlgorithm Blake2sp_256 where
     type HashBlockSize           Blake2sp_256 = 64
     type HashDigestSize          Blake2sp_256 = 32
-    type HashInternalContextSize Blake2sp_256 = 2185
+    type HashInternalContextSize Blake2sp_256 = 1752
     hashBlockSize  _          = 64
     hashDigestSize _          = 32
-    hashInternalContextSize _ = 2185
+    hashInternalContextSize _ = 1752
     hashInternalInit p        = c_blake2sp_init p 256
     hashInternalUpdate        = c_blake2sp_update
     hashInternalFinalize p    = c_blake2sp_finalize p 256
diff --git a/Crypto/Hash/Keccak.hs b/Crypto/Hash/Keccak.hs
--- a/Crypto/Hash/Keccak.hs
+++ b/Crypto/Hash/Keccak.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Keccak cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/MD2.hs b/Crypto/Hash/MD2.hs
--- a/Crypto/Hash/MD2.hs
+++ b/Crypto/Hash/MD2.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- MD2 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/MD4.hs b/Crypto/Hash/MD4.hs
--- a/Crypto/Hash/MD4.hs
+++ b/Crypto/Hash/MD4.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- MD4 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/MD5.hs b/Crypto/Hash/MD5.hs
--- a/Crypto/Hash/MD5.hs
+++ b/Crypto/Hash/MD5.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- MD5 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/RIPEMD160.hs b/Crypto/Hash/RIPEMD160.hs
--- a/Crypto/Hash/RIPEMD160.hs
+++ b/Crypto/Hash/RIPEMD160.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- RIPEMD160 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA1.hs b/Crypto/Hash/SHA1.hs
--- a/Crypto/Hash/SHA1.hs
+++ b/Crypto/Hash/SHA1.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA1 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA224.hs b/Crypto/Hash/SHA224.hs
--- a/Crypto/Hash/SHA224.hs
+++ b/Crypto/Hash/SHA224.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA224 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA256.hs b/Crypto/Hash/SHA256.hs
--- a/Crypto/Hash/SHA256.hs
+++ b/Crypto/Hash/SHA256.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA256 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA3.hs b/Crypto/Hash/SHA3.hs
--- a/Crypto/Hash/SHA3.hs
+++ b/Crypto/Hash/SHA3.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA3 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA384.hs b/Crypto/Hash/SHA384.hs
--- a/Crypto/Hash/SHA384.hs
+++ b/Crypto/Hash/SHA384.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA384 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA512.hs b/Crypto/Hash/SHA512.hs
--- a/Crypto/Hash/SHA512.hs
+++ b/Crypto/Hash/SHA512.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA512 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHA512t.hs b/Crypto/Hash/SHA512t.hs
--- a/Crypto/Hash/SHA512t.hs
+++ b/Crypto/Hash/SHA512t.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA512t cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/SHAKE.hs b/Crypto/Hash/SHAKE.hs
--- a/Crypto/Hash/SHAKE.hs
+++ b/Crypto/Hash/SHAKE.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- SHA3 extendable output functions (SHAKE).
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/Skein256.hs b/Crypto/Hash/Skein256.hs
--- a/Crypto/Hash/Skein256.hs
+++ b/Crypto/Hash/Skein256.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Skein256 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/Skein512.hs b/Crypto/Hash/Skein512.hs
--- a/Crypto/Hash/Skein512.hs
+++ b/Crypto/Hash/Skein512.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Skein512 cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/Tiger.hs b/Crypto/Hash/Tiger.hs
--- a/Crypto/Hash/Tiger.hs
+++ b/Crypto/Hash/Tiger.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Tiger cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Hash/Types.hs b/Crypto/Hash/Types.hs
--- a/Crypto/Hash/Types.hs
+++ b/Crypto/Hash/Types.hs
@@ -20,8 +20,8 @@
 import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes)
 import qualified Crypto.Internal.ByteArray as B
 import           Foreign.Ptr (Ptr)
-import qualified Foundation.Array as F
-import qualified Foundation       as F
+import           Basement.Block (Block)
+import           Basement.NormalForm (deepseq)
 import           GHC.TypeLits (Nat)
 
 -- | Class representing hashing algorithms.
@@ -62,11 +62,19 @@
     deriving (ByteArrayAccess,NFData)
 
 -- | Represent a digest for a given hash algorithm.
-newtype Digest a = Digest (F.UArray Word8)
+--
+-- This type is an instance of 'ByteArrayAccess' from package
+-- <https://hackage.haskell.org/package/memory memory>.
+-- Module "Data.ByteArray" provides many primitives to work with those values
+-- including conversion to other types.
+--
+-- Creating a digest from a bytearray is also possible with function
+-- 'Crypto.Hash.digestFromByteString'.
+newtype Digest a = Digest (Block Word8)
     deriving (Eq,Ord,ByteArrayAccess)
 
 instance NFData (Digest a) where
-    rnf (Digest u) = u `F.deepseq` ()
+    rnf (Digest u) = u `deepseq` ()
 
 instance Show (Digest a) where
     show (Digest bs) = map (toEnum . fromIntegral)
diff --git a/Crypto/Hash/Whirlpool.hs b/Crypto/Hash/Whirlpool.hs
--- a/Crypto/Hash/Whirlpool.hs
+++ b/Crypto/Hash/Whirlpool.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- module containing the binding functions to work with the
+-- Module containing the binding functions to work with the
 -- Whirlpool cryptographic hash.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
diff --git a/Crypto/Internal/Compat.hs b/Crypto/Internal/Compat.hs
--- a/Crypto/Internal/Compat.hs
+++ b/Crypto/Internal/Compat.hs
@@ -5,8 +5,8 @@
 -- Stability   : stable
 -- Portability : Good
 --
--- This module try to keep all the difference between versions of base
--- or other needed packages, so that modules don't need to use CPP
+-- This module tries to keep all the difference between versions of base
+-- or other needed packages, so that modules don't need to use CPP.
 --
 {-# LANGUAGE CPP #-}
 module Crypto.Internal.Compat
@@ -19,10 +19,10 @@
 import Data.Word
 import Data.Bits
 
--- | perform io for hashes that do allocation and ffi.
--- unsafeDupablePerformIO is used when possible as the
+-- | Perform io for hashes that do allocation and FFI.
+-- 'unsafeDupablePerformIO' is used when possible as the
 -- computation is pure and the output is directly linked
--- to the input. we also do not modify anything after it has
+-- to the input. We also do not modify anything after it has
 -- been returned to the user.
 unsafeDoIO :: IO a -> a
 #if __GLASGOW_HASKELL__ > 704
diff --git a/Crypto/Internal/CompatPrim.hs b/Crypto/Internal/CompatPrim.hs
--- a/Crypto/Internal/CompatPrim.hs
+++ b/Crypto/Internal/CompatPrim.hs
@@ -5,11 +5,11 @@
 -- Stability   : stable
 -- Portability : Compat
 --
--- This module try to keep all the difference between versions of ghc primitive
+-- This module tries to keep all the difference between versions of ghc primitive
 -- or other needed packages, so that modules don't need to use CPP.
 --
 -- Note that MagicHash and CPP conflicts in places, making it "more interesting"
--- to write compat code for primitives
+-- to write compat code for primitives.
 --
 {-# LANGUAGE CPP #-}
 {-# LANGUAGE BangPatterns #-}
@@ -28,9 +28,9 @@
 import Data.Memory.Endian (getSystemEndianness, Endianness(..))
 #endif
 
--- | byteswap Word# to or from Big Endian
+-- | Byteswap Word# to or from Big Endian
 --
--- on a big endian machine, this function is a nop.
+-- On a big endian machine, this function is a nop.
 be32Prim :: Word# -> Word#
 #ifdef ARCH_IS_LITTLE_ENDIAN
 be32Prim = byteswap32Prim
@@ -40,9 +40,9 @@
 be32Prim w = if getSystemEndianness == LittleEndian then byteswap32Prim w else w
 #endif
 
--- | byteswap Word# to or from Little Endian
+-- | Byteswap Word# to or from Little Endian
 --
--- on a little endian machine, this function is a nop.
+-- On a little endian machine, this function is a nop.
 le32Prim :: Word# -> Word#
 #ifdef ARCH_IS_LITTLE_ENDIAN
 le32Prim w = w
@@ -66,7 +66,7 @@
      in or# a (or# b (or# c d))
 #endif
 
--- | combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d]
+-- | Combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d]
 convert4To32 :: Word# -> Word# -> Word# -> Word#
              -> Word#
 convert4To32 a b c d = or# (or# c1 c2) (or# c3 c4)
diff --git a/Crypto/Internal/WordArray.hs b/Crypto/Internal/WordArray.hs
--- a/Crypto/Internal/WordArray.hs
+++ b/Crypto/Internal/WordArray.hs
@@ -1,5 +1,5 @@
 -- |
--- Module      : Crypto.Internal.Compat
+-- Module      : Crypto.Internal.WordArray
 -- License     : BSD-style
 -- Maintainer  : Vincent Hanquez <vincent@snarc.org>
 -- Stability   : stable
@@ -8,7 +8,7 @@
 -- Small and self contained array representation
 -- with limited safety for internal use.
 --
--- the array produced should never be exposed to the user directly
+-- The array produced should never be exposed to the user directly.
 --
 {-# LANGUAGE BangPatterns #-}
 {-# LANGUAGE MagicHash #-}
@@ -20,6 +20,8 @@
     , MutableArray32
     , array8
     , array32
+    , array32FromAddrBE
+    , allocArray32AndFreeze
     , mutableArray32
     , array64
     , arrayRead8
@@ -58,20 +60,20 @@
 
 -- | Create an Array of Word32 of specific size from a list of Word32
 array32 :: Int -> [Word32] -> Array32
-array32 (I# n) l = unsafeDoIO $ IO $ \s ->
-    case newAlignedPinnedByteArray# (n *# 4#) 4# s of
-        (# s', mbarr #) -> loop 0# s' mbarr l
-  where
-        loop _ st mb [] = freezeArray mb st
-        loop i st mb ((W32# x):xs)
-            | booleanPrim (i ==# n) = freezeArray mb st
-            | otherwise =
-                let !st' = writeWord32Array# mb i x st
-                 in loop (i +# 1#) st' mb xs
-        freezeArray mb st =
-            case unsafeFreezeByteArray# mb st of
-                (# st', b #) -> (# st', Array32 b #)
+array32 n l = unsafeDoIO (mutableArray32 n l >>= mutableArray32Freeze)
 {-# NOINLINE array32 #-}
+
+-- | Create an Array of BE Word32 aliasing an Addr
+array32FromAddrBE :: Int -> Addr# -> Array32
+array32FromAddrBE n a =
+    unsafeDoIO (mutableArray32FromAddrBE n a >>= mutableArray32Freeze)
+{-# NOINLINE array32FromAddrBE #-}
+
+-- | Create an Array of Word32 using an initializer
+allocArray32AndFreeze :: Int -> (MutableArray32 -> IO ()) -> Array32
+allocArray32AndFreeze n f =
+    unsafeDoIO (mutableArray32 n [] >>= \m -> f m >> mutableArray32Freeze m)
+{-# NOINLINE allocArray32AndFreeze #-}
 
 -- | Create an Array of Word64 of specific size from a list of Word64
 array64 :: Int -> [Word64] -> Array64
diff --git a/Crypto/KDF/Argon2.hs b/Crypto/KDF/Argon2.hs
--- a/Crypto/KDF/Argon2.hs
+++ b/Crypto/KDF/Argon2.hs
@@ -63,7 +63,7 @@
 -- max 'FFI.ARGON2_MIN_MEMORY' (8 * 'hashParallelism') <= 'hashMemory' <= 'FFI.ARGON2_MAX_MEMORY'
 type MemoryCost = Word32
 
--- \ A parallelism degree, which defines the number of parallel threads.
+-- | A parallelism degree, which defines the number of parallel threads.
 --
 -- 'FFI.ARGON2_MIN_LANES' <= 'hashParallelism' <= 'FFI.ARGON2_MAX_LANES' && 'FFI.ARGON_MIN_THREADS' <= 'hashParallelism' <= 'FFI.ARGON2_MAX_THREADS'
 type Parallelism = Word32
diff --git a/Crypto/KDF/BCrypt.hs b/Crypto/KDF/BCrypt.hs
--- a/Crypto/KDF/BCrypt.hs
+++ b/Crypto/KDF/BCrypt.hs
@@ -27,13 +27,16 @@
 -- salt and hash bytes (each separately Base64 encoded. Incrementing the
 -- cost parameter approximately doubles the time taken to calculate the hash.
 --
--- The different version numbers have evolved because of bugs in the standard
--- C implementations. The most up to date version is @2b@ and this
--- implementation the @2b@ version prefix, but will also attempt to validate
+-- The different version numbers evolved to account for bugs in the standard
+-- C implementations. They don't represent different versions of the algorithm
+-- itself and in most cases should produce identical results.
+-- The most up to date version is @2b@ and this implementation uses the
+-- @2b@ version prefix, but will also attempt to validate
 -- against hashes with versions @2a@ and @2y@. Version @2@ or @2x@ will be
 -- rejected. No attempt is made to differentiate between the different versions
 -- when validating a password, but in practice this shouldn't cause any problems
--- if passwords are UTF-8 encoded (which they should be).
+-- if passwords are UTF-8 encoded (which they should be) and less than 256
+-- characters long.
 --
 -- The cost parameter can be between 4 and 31 inclusive, but anything less than
 -- 10 is probably not strong enough. High values may be prohibitively slow
@@ -93,7 +96,7 @@
 bcrypt cost salt password = B.concat [header, B.snoc costBytes dollar, b64 salt, b64 hash]
   where
     hash   = rawHash 'b' realCost salt password
-    header = B.pack [dollar, fromIntegral (ord '2'), fromIntegral (ord 'a'), dollar]
+    header = B.pack [dollar, fromIntegral (ord '2'), fromIntegral (ord 'b'), dollar]
     dollar = fromIntegral (ord '$')
     zero   = fromIntegral (ord '0')
     costBytes  = B.pack [zero + fromIntegral (realCost `div` 10), zero + fromIntegral (realCost `mod` 10)]
diff --git a/Crypto/MAC/CMAC.hs b/Crypto/MAC/CMAC.hs
--- a/Crypto/MAC/CMAC.hs
+++ b/Crypto/MAC/CMAC.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- provide the CMAC (Cipher based Message Authentification Code) base algorithm.
+-- Provide the CMAC (Cipher based Message Authentification Code) base algorithm.
 -- <http://en.wikipedia.org/wiki/CMAC>
 -- <http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf>
 --
diff --git a/Crypto/MAC/HMAC.hs b/Crypto/MAC/HMAC.hs
--- a/Crypto/MAC/HMAC.hs
+++ b/Crypto/MAC/HMAC.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : unknown
 --
--- provide the HMAC (Hash based Message Authentification Code) base algorithm.
+-- Provide the HMAC (Hash based Message Authentification Code) base algorithm.
 -- <http://en.wikipedia.org/wiki/HMAC>
 --
 {-# LANGUAGE BangPatterns #-}
@@ -13,7 +13,7 @@
 module Crypto.MAC.HMAC
     ( hmac
     , HMAC(..)
-    -- * incremental
+    -- * Incremental
     , Context(..)
     , initialize
     , update
diff --git a/Crypto/Number/Basic.hs b/Crypto/Number/Basic.hs
--- a/Crypto/Number/Basic.hs
+++ b/Crypto/Number/Basic.hs
@@ -17,8 +17,8 @@
 
 import Crypto.Number.Compat
 
--- | sqrti returns two integer (l,b) so that l <= sqrt i <= b
--- the implementation is quite naive, use an approximation for the first number
+-- | @sqrti@ returns two integers @(l,b)@ so that @l <= sqrt i <= b@.
+-- The implementation is quite naive, use an approximation for the first number
 -- and use a dichotomy algorithm to compute the bound relatively efficiently.
 sqrti :: Integer -> (Integer, Integer)
 sqrti i
@@ -49,7 +49,7 @@
                         else iter (lb+d) ub
             sq a = a * a
 
--- | get the extended GCD of two integer using integer divMod
+-- | Get the extended GCD of two integer using integer divMod
 --
 -- gcde 'a' 'b' find (x,y,gcd(a,b)) where ax + by = d
 --
@@ -63,7 +63,7 @@
         let (q, r) = a' `divMod` b' in
         f t (r, sa - (q * sb), ta - (q * tb))
 
--- | check if a list of integer are all even
+-- | Check if a list of integer are all even
 areEven :: [Integer] -> Bool
 areEven = and . map even
 
diff --git a/Crypto/Number/ModArithmetic.hs b/Crypto/Number/ModArithmetic.hs
--- a/Crypto/Number/ModArithmetic.hs
+++ b/Crypto/Number/ModArithmetic.hs
@@ -9,10 +9,10 @@
 
 module Crypto.Number.ModArithmetic
     (
-    -- * exponentiation
+    -- * Exponentiation
       expSafe
     , expFast
-    -- * inverse computing
+    -- * Inverse computing
     , inverse
     , inverseCoprimes
     ) where
@@ -64,7 +64,7 @@
         -> Integer -- ^ result
 expFast b e m = gmpPowModInteger b e m `onGmpUnsupported` exponentiation b e m
 
--- | exponentiation computes modular exponentiation as b^e mod m
+-- | @exponentiation@ computes modular exponentiation as /b^e mod m/
 -- using repetitive squaring.
 exponentiation :: Integer -> Integer -> Integer -> Integer
 exponentiation b e m
@@ -75,7 +75,7 @@
                    in (p^(2::Integer)) `mod` m
     | otherwise = (b * exponentiation b (e-1) m) `mod` m
 
--- | inverse computes the modular inverse as in g^(-1) mod m
+-- | @inverse@ computes the modular inverse as in /g^(-1) mod m/.
 inverse :: Integer -> Integer -> Maybe Integer
 inverse g m = gmpInverse g m `onGmpUnsupported` v
   where
@@ -84,12 +84,12 @@
         | otherwise = Just (x `mod` m)
     (x,_,d) = gcde g m
 
--- | Compute the modular inverse of 2 coprime numbers.
+-- | Compute the modular inverse of two coprime numbers.
 -- This is equivalent to inverse except that the result
 -- is known to exists.
 --
--- if the numbers are not defined as coprime, this function
--- will raise a CoprimesAssertionError.
+-- If the numbers are not defined as coprime, this function
+-- will raise a 'CoprimesAssertionError'.
 inverseCoprimes :: Integer -> Integer -> Integer
 inverseCoprimes g m =
     case inverse g m of
diff --git a/Crypto/Number/Prime.hs b/Crypto/Number/Prime.hs
--- a/Crypto/Number/Prime.hs
+++ b/Crypto/Number/Prime.hs
@@ -31,10 +31,10 @@
 
 import Data.Bits
 
--- | returns if the number is probably prime.
--- first a list of small primes are implicitely tested for divisibility,
+-- | Returns if the number is probably prime.
+-- First a list of small primes are implicitely tested for divisibility,
 -- then a fermat primality test is used with arbitrary numbers and
--- then the Miller Rabin algorithm is used with an accuracy of 30 recursions
+-- then the Miller Rabin algorithm is used with an accuracy of 30 recursions.
 isProbablyPrime :: Integer -> Bool
 isProbablyPrime !n
     | any (\p -> p `divides` n) (filter (< n) firstPrimes) = False
@@ -42,14 +42,14 @@
     | primalityTestFermat 50 (n `div` 2) n                 = primalityTestMillerRabin 30 n
     | otherwise                                            = False
 
--- | generate a prime number of the required bitsize (i.e. in the range
---   [2^(b-1)+2^(b-2), 2^b)).
+-- | Generate a prime number of the required bitsize (i.e. in the range
+-- [2^(b-1)+2^(b-2), 2^b)).
 --
---   May throw a CryptoError_PrimeSizeInvalid if the requested size is less
---   than 5 bits, as the smallest prime meeting these conditions is 29.
---   This function requires that the two highest bits are set, so that when
---   multiplied with another prime to create a key, it is guaranteed to be of
---   the proper size.
+-- May throw a 'CryptoError_PrimeSizeInvalid' if the requested size is less
+-- than 5 bits, as the smallest prime meeting these conditions is 29.
+-- This function requires that the two highest bits are set, so that when
+-- multiplied with another prime to create a key, it is guaranteed to be of
+-- the proper size.
 generatePrime :: MonadRandom m => Int -> m Integer
 generatePrime bits = do
     if bits < 5 then
@@ -61,13 +61,13 @@
             return $ prime
         else generatePrime bits
 
--- | generate a prime number of the form 2p+1 where p is also prime.
+-- | Generate a prime number of the form 2p+1 where p is also prime.
 -- it is also knowed as a Sophie Germaine prime or safe prime.
 --
 -- The number of safe prime is significantly smaller to the number of prime,
 -- as such it shouldn't be used if this number is supposed to be kept safe.
 --
--- May throw a CryptoError_PrimeSizeInvalid if the requested size is less than
+-- May throw a 'CryptoError_PrimeSizeInvalid' if the requested size is less than
 -- 6 bits, as the smallest safe prime with the two highest bits set is 59.
 generateSafePrime :: MonadRandom m => Int -> m Integer
 generateSafePrime bits = do
@@ -81,7 +81,7 @@
             return $ val
         else generateSafePrime bits
 
--- | find a prime from a starting point where the property hold.
+-- | Find a prime from a starting point where the property hold.
 findPrimeFromWith :: (Integer -> Bool) -> Integer -> Integer
 findPrimeFromWith prop !n
     | even n        = findPrimeFromWith prop (n+1)
@@ -93,7 +93,7 @@
                     then n
                     else findPrimeFromWith prop (n+2)
 
--- | find a prime from a starting point with no specific property.
+-- | Find a prime from a starting point with no specific property.
 findPrimeFrom :: Integer -> Integer
 findPrimeFrom n =
     case gmpNextPrime n of
@@ -185,7 +185,7 @@
 isCoprime :: Integer -> Integer -> Bool
 isCoprime m n = case gcde m n of (_,_,d) -> d == 1
 
--- | list of the first primes till 2903..
+-- | List of the first primes till 2903.
 firstPrimes :: [Integer]
 firstPrimes =
     [ 2    , 3    , 5    , 7    , 11   , 13   , 17   , 19   , 23   , 29
diff --git a/Crypto/Number/Serialize.hs b/Crypto/Number/Serialize.hs
--- a/Crypto/Number/Serialize.hs
+++ b/Crypto/Number/Serialize.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : Good
 --
--- fast serialization primitives for integer
+-- Fast serialization primitives for integer
 {-# LANGUAGE BangPatterns #-}
 module Crypto.Number.Serialize
     ( i2osp
@@ -19,21 +19,21 @@
 import qualified Crypto.Internal.ByteArray as B
 import qualified Crypto.Number.Serialize.Internal as Internal
 
--- | os2ip converts a byte string into a positive integer
+-- | @os2ip@ converts a byte string into a positive integer.
 os2ip :: B.ByteArrayAccess ba => ba -> Integer
 os2ip bs = unsafeDoIO $ B.withByteArray bs (\p -> Internal.os2ip p (B.length bs))
 
--- | i2osp converts a positive integer into a byte string
+-- | @i2osp@ converts a positive integer into a byte string.
 --
--- first byte is MSB (most significant byte), last byte is the LSB (least significant byte)
+-- The first byte is MSB (most significant byte); the last byte is the LSB (least significant byte)
 i2osp :: B.ByteArray ba => Integer -> ba
 i2osp 0 = B.allocAndFreeze 1  (\p -> Internal.i2osp 0 p 1 >> return ())
 i2osp m = B.allocAndFreeze sz (\p -> Internal.i2osp m p sz >> return ())
   where
         !sz = numBytes m
 
--- | just like i2osp, but take an extra parameter for size.
--- if the number is too big to fit in @len@ bytes, 'Nothing' is returned
+-- | Just like 'i2osp', but takes an extra parameter for size.
+-- If the number is too big to fit in @len@ bytes, 'Nothing' is returned
 -- otherwise the number is padded with 0 to fit the @len@ required.
 i2ospOf :: B.ByteArray ba => Int -> Integer -> Maybe ba
 i2ospOf len m
@@ -44,10 +44,10 @@
   where
         !sz = numBytes m
 
--- | just like i2ospOf except that it doesn't expect a failure: i.e.
--- an integer larger than the number of output bytes requested
+-- | Just like 'i2ospOf' except that it doesn't expect a failure: i.e.
+-- an integer larger than the number of output bytes requested.
 --
--- for example if you just took a modulo of the number that represent
+-- For example if you just took a modulo of the number that represent
 -- the size (example the RSA modulo n).
 i2ospOf_ :: B.ByteArray ba => Int -> Integer -> ba
 i2ospOf_ len = maybe (error "i2ospOf_: integer is larger than expected") id . i2ospOf len
diff --git a/Crypto/Number/Serialize/Internal.hs b/Crypto/Number/Serialize/Internal.hs
--- a/Crypto/Number/Serialize/Internal.hs
+++ b/Crypto/Number/Serialize/Internal.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : Good
 --
--- fast serialization primitives for integer using raw pointers
+-- Fast serialization primitives for integer using raw pointers
 {-# LANGUAGE BangPatterns #-}
 module Crypto.Number.Serialize.Internal
     ( i2osp
@@ -21,12 +21,12 @@
 import           Foreign.Ptr
 import           Foreign.Storable
 
--- | fill a pointer with the big endian binary representation of an integer
+-- | Fill a pointer with the big endian binary representation of an integer
 --
--- if the room available @ptrSz is less than the number of bytes needed,
+-- If the room available @ptrSz is less than the number of bytes needed,
 -- 0 is returned. Likewise if a parameter is invalid, 0 is returned.
 --
--- returns the number of bytes written
+-- Returns the number of bytes written
 i2osp :: Integer -> Ptr Word8 -> Int -> IO Int
 i2osp m ptr ptrSz
     | ptrSz <= 0 = return 0
@@ -61,7 +61,7 @@
             pokeByteOff p ofs (fromIntegral b :: Word8)
             export (ofs-1) i'
 
--- | transform a big endian binary integer representation pointed by a pointer and a size
+-- | Transform a big endian binary integer representation pointed by a pointer and a size
 -- into an integer
 os2ip :: Ptr Word8 -> Int -> IO Integer
 os2ip ptr ptrSz
diff --git a/Crypto/PubKey/Curve25519.hs b/Crypto/PubKey/Curve25519.hs
--- a/Crypto/PubKey/Curve25519.hs
+++ b/Crypto/PubKey/Curve25519.hs
@@ -18,7 +18,7 @@
     , dhSecret
     , publicKey
     , secretKey
-    -- * methods
+    -- * Methods
     , dh
     , toPublic
     , generateSecretKey
diff --git a/Crypto/PubKey/Curve448.hs b/Crypto/PubKey/Curve448.hs
--- a/Crypto/PubKey/Curve448.hs
+++ b/Crypto/PubKey/Curve448.hs
@@ -21,7 +21,7 @@
     , dhSecret
     , publicKey
     , secretKey
-    -- * methods
+    -- * Methods
     , dh
     , toPublic
     , generateSecretKey
diff --git a/Crypto/PubKey/DH.hs b/Crypto/PubKey/DH.hs
--- a/Crypto/PubKey/DH.hs
+++ b/Crypto/PubKey/DH.hs
@@ -35,17 +35,20 @@
     , params_bits :: Int
     } deriving (Show,Read,Eq,Data,Typeable)
 
+instance NFData Params where
+    rnf (Params p g bits) = rnf p `seq` rnf g `seq` bits `seq` ()
+
 -- | Represent Diffie Hellman public number Y.
 newtype PublicNumber = PublicNumber Integer
-    deriving (Show,Read,Eq,Enum,Real,Num,Ord)
+    deriving (Show,Read,Eq,Enum,Real,Num,Ord,NFData)
 
 -- | Represent Diffie Hellman private number X.
 newtype PrivateNumber = PrivateNumber Integer
-    deriving (Show,Read,Eq,Enum,Real,Num,Ord)
+    deriving (Show,Read,Eq,Enum,Real,Num,Ord,NFData)
 
 -- | Represent Diffie Hellman shared secret.
 newtype SharedKey = SharedKey ScrubbedBytes
-    deriving (Show,Eq,ByteArrayAccess)
+    deriving (Show,Eq,ByteArrayAccess,NFData)
 
 -- | generate params from a specific generator (2 or 5 are common values)
 -- we generate a safe prime (a prime number of the form 2p+1 where p is also prime)
diff --git a/Crypto/PubKey/DSA.hs b/Crypto/PubKey/DSA.hs
--- a/Crypto/PubKey/DSA.hs
+++ b/Crypto/PubKey/DSA.hs
@@ -14,13 +14,13 @@
     , PrivateKey(..)
     , PublicNumber
     , PrivateNumber
-    -- * generation
+    -- * Generation
     , generatePrivate
     , calculatePublic
-    -- * signature primitive
+    -- * Signature primitive
     , sign
     , signWith
-    -- * verification primitive
+    -- * Verification primitive
     , verify
     -- * Key pair
     , KeyPair(..)
diff --git a/Crypto/PubKey/ECC/P256.hs b/Crypto/PubKey/ECC/P256.hs
--- a/Crypto/PubKey/ECC/P256.hs
+++ b/Crypto/PubKey/ECC/P256.hs
@@ -14,9 +14,10 @@
 module Crypto.PubKey.ECC.P256
     ( Scalar
     , Point
-    -- * point arithmetic
+    -- * Point arithmetic
     , pointBase
     , pointAdd
+    , pointNegate
     , pointMul
     , pointDh
     , pointsMulVarTime
@@ -27,7 +28,7 @@
     , pointToBinary
     , pointFromBinary
     , unsafePointFromBinary
-    -- * scalar arithmetic
+    -- * Scalar arithmetic
     , scalarGenerate
     , scalarZero
     , scalarIsZero
@@ -58,11 +59,11 @@
 
 -- | A P256 scalar
 newtype Scalar = Scalar ScrubbedBytes
-    deriving (Show,Eq,ByteArrayAccess)
+    deriving (Show,Eq,ByteArrayAccess,NFData)
 
 -- | A P256 point
 newtype Point = Point Bytes
-    deriving (Show,Eq)
+    deriving (Show,Eq,NFData)
 
 scalarSize :: Int
 scalarSize = 32
@@ -106,6 +107,12 @@
     withPoint a $ \ax ay -> withPoint b $ \bx by ->
         ccryptonite_p256e_point_add ax ay bx by dx dy
 
+-- | Negate a point
+pointNegate :: Point -> Point
+pointNegate a = withNewPoint $ \dx dy ->
+    withPoint a $ \ax ay -> do
+        ccryptonite_p256e_point_negate ax ay dx dy
+
 -- | Multiply a point by a scalar
 --
 -- warning: variable time
@@ -371,6 +378,11 @@
                                 -> Ptr P256X -> Ptr P256Y
                                 -> Ptr P256X -> Ptr P256Y
                                 -> IO ()
+
+foreign import ccall "cryptonite_p256e_point_negate"
+    ccryptonite_p256e_point_negate :: Ptr P256X -> Ptr P256Y
+                                   -> Ptr P256X -> Ptr P256Y
+                                   -> IO ()
 
 -- compute (out_x,out,y) = n1 * G + n2 * (in_x,in_y)
 foreign import ccall "cryptonite_p256_points_mul_vartime"
diff --git a/Crypto/PubKey/ECC/Prim.hs b/Crypto/PubKey/ECC/Prim.hs
--- a/Crypto/PubKey/ECC/Prim.hs
+++ b/Crypto/PubKey/ECC/Prim.hs
@@ -4,6 +4,7 @@
 module Crypto.PubKey.ECC.Prim
     ( scalarGenerate
     , pointAdd
+    , pointNegate
     , pointDouble
     , pointBaseMul
     , pointMul
@@ -30,9 +31,9 @@
 -- | Elliptic Curve point negation:
 -- @pointNegate c p@ returns point @q@ such that @pointAdd c p q == PointO@.
 pointNegate :: Curve -> Point -> Point
-pointNegate _           PointO     = PointO
-pointNegate CurveFP{}  (Point x y) = Point x (-y)
-pointNegate CurveF2m{} (Point x y) = Point x (x `addF2m` y)
+pointNegate _            PointO     = PointO
+pointNegate (CurveFP c) (Point x y) = Point x (ecc_p c - y)
+pointNegate CurveF2m{}  (Point x y) = Point x (x `addF2m` y)
 
 -- | Elliptic Curve point addition.
 --
diff --git a/Crypto/PubKey/ECC/Types.hs b/Crypto/PubKey/ECC/Types.hs
--- a/Crypto/PubKey/ECC/Types.hs
+++ b/Crypto/PubKey/ECC/Types.hs
@@ -6,7 +6,7 @@
 -- Stability   : Experimental
 -- Portability : Excellent
 --
--- references:
+-- References:
 --   <https://tools.ietf.org/html/rfc5915>
 --
 module Crypto.PubKey.ECC.Types
@@ -21,7 +21,7 @@
     , ecc_fx
     , ecc_p
     , CurveCommon(..)
-    -- * recommended curves definition
+    -- * Recommended curves definition
     , CurveName(..)
     , getCurveByName
     ) where
diff --git a/Crypto/PubKey/Ed25519.hs b/Crypto/PubKey/Ed25519.hs
--- a/Crypto/PubKey/Ed25519.hs
+++ b/Crypto/PubKey/Ed25519.hs
@@ -21,7 +21,7 @@
     , signature
     , publicKey
     , secretKey
-    -- * methods
+    -- * Methods
     , toPublic
     , sign
     , verify
diff --git a/Crypto/PubKey/Ed448.hs b/Crypto/PubKey/Ed448.hs
--- a/Crypto/PubKey/Ed448.hs
+++ b/Crypto/PubKey/Ed448.hs
@@ -25,7 +25,7 @@
     , signature
     , publicKey
     , secretKey
-    -- * methods
+    -- * Methods
     , toPublic
     , sign
     , verify
diff --git a/Crypto/PubKey/ElGamal.hs b/Crypto/PubKey/ElGamal.hs
--- a/Crypto/PubKey/ElGamal.hs
+++ b/Crypto/PubKey/ElGamal.hs
@@ -19,17 +19,17 @@
     , EphemeralKey(..)
     , SharedKey
     , Signature
-    -- * generation
+    -- * Generation
     , generatePrivate
     , generatePublic
-    -- * encryption and decryption with no scheme
+    -- * Encryption and decryption with no scheme
     , encryptWith
     , encrypt
     , decrypt
-    -- * signature primitives
+    -- * Signature primitives
     , signWith
     , sign
-    -- * verification primitives
+    -- * Verification primitives
     , verify
     ) where
 
diff --git a/Crypto/PubKey/RSA.hs b/Crypto/PubKey/RSA.hs
--- a/Crypto/PubKey/RSA.hs
+++ b/Crypto/PubKey/RSA.hs
@@ -10,7 +10,7 @@
     , PublicKey(..)
     , PrivateKey(..)
     , Blinder(..)
-    -- * generation function
+    -- * Generation function
     , generateWith
     , generate
     , generateBlinder
diff --git a/Crypto/PubKey/RSA/PKCS15.hs b/Crypto/PubKey/RSA/PKCS15.hs
--- a/Crypto/PubKey/RSA/PKCS15.hs
+++ b/Crypto/PubKey/RSA/PKCS15.hs
@@ -7,19 +7,19 @@
 --
 module Crypto.PubKey.RSA.PKCS15
     (
-    -- * padding and unpadding
+    -- * Padding and unpadding
       pad
     , padSignature
     , unpad
-    -- * private key operations
+    -- * Private key operations
     , decrypt
     , decryptSafer
     , sign
     , signSafer
-    -- * public key operations
+    -- * Public key operations
     , encrypt
     , verify
-    -- * hash ASN1 description
+    -- * Hash ASN1 description
     , HashAlgorithmASN1
     ) where
 
diff --git a/Crypto/PubKey/RSA/Prim.hs b/Crypto/PubKey/RSA/Prim.hs
--- a/Crypto/PubKey/RSA/Prim.hs
+++ b/Crypto/PubKey/RSA/Prim.hs
@@ -7,9 +7,9 @@
 --
 module Crypto.PubKey.RSA.Prim
     (
-    -- * decrypt primitive
+    -- * Decrypt primitive
       dp
-    -- * encrypt primitive
+    -- * Encrypt primitive
     , ep
     ) where
 
diff --git a/Crypto/Random/Entropy/Backend.hs b/Crypto/Random/Entropy/Backend.hs
--- a/Crypto/Random/Entropy/Backend.hs
+++ b/Crypto/Random/Entropy/Backend.hs
@@ -15,6 +15,7 @@
 
 import Foreign.Ptr
 import Data.Word (Word8)
+import Crypto.Internal.Proxy
 import Crypto.Random.Entropy.Source
 #ifdef SUPPORT_RDRAND
 import Crypto.Random.Entropy.RDRand
@@ -30,12 +31,12 @@
 supportedBackends =
     [
 #ifdef SUPPORT_RDRAND
-    openBackend (undefined :: RDRand),
+    openBackend (Proxy :: Proxy RDRand),
 #endif
 #ifdef WINDOWS
-    openBackend (undefined :: WinCryptoAPI)
+    openBackend (Proxy :: Proxy WinCryptoAPI)
 #else
-    openBackend (undefined :: DevRandom), openBackend (undefined :: DevURandom)
+    openBackend (Proxy :: Proxy DevRandom), openBackend (Proxy :: Proxy DevURandom)
 #endif
     ]
 
@@ -43,9 +44,9 @@
 data EntropyBackend = forall b . EntropySource b => EntropyBackend b
 
 -- | Open a backend handle
-openBackend :: EntropySource b => b -> IO (Maybe EntropyBackend)
+openBackend :: EntropySource b => Proxy b -> IO (Maybe EntropyBackend)
 openBackend b = fmap EntropyBackend `fmap` callOpen b
-  where callOpen :: EntropySource b => b -> IO (Maybe b)
+  where callOpen :: EntropySource b => Proxy b -> IO (Maybe b)
         callOpen _ = entropyOpen
 
 -- | Gather randomness from an open handle
diff --git a/Crypto/Random/Entropy/RDRand.hs b/Crypto/Random/Entropy/RDRand.hs
--- a/Crypto/Random/Entropy/RDRand.hs
+++ b/Crypto/Random/Entropy/RDRand.hs
@@ -21,7 +21,7 @@
 foreign import ccall unsafe "cryptonite_get_rand_bytes"
   c_get_rand_bytes :: Ptr Word8 -> CInt -> IO CInt
 
--- | fake handle to Intel RDRand entropy cpu instruction
+-- | Fake handle to Intel RDRand entropy CPU instruction
 data RDRand = RDRand
 
 instance EntropySource RDRand where
diff --git a/Crypto/Random/Entropy/Source.hs b/Crypto/Random/Entropy/Source.hs
--- a/Crypto/Random/Entropy/Source.hs
+++ b/Crypto/Random/Entropy/Source.hs
@@ -13,10 +13,10 @@
 -- | A handle to an entropy maker, either a system capability
 -- or a hardware generator.
 class EntropySource a where
-    -- | try to open an handle for this source
+    -- | Try to open an handle for this source
     entropyOpen   :: IO (Maybe a)
-    -- | try to gather a number of entropy bytes into a buffer.
-    -- return the number of actual bytes gathered
+    -- | Try to gather a number of entropy bytes into a buffer.
+    -- Return the number of actual bytes gathered
     entropyGather :: a -> Ptr Word8 -> Int -> IO Int
     -- | Close an open handle
     entropyClose  :: a -> IO ()
diff --git a/Crypto/Random/Entropy/Unix.hs b/Crypto/Random/Entropy/Unix.hs
--- a/Crypto/Random/Entropy/Unix.hs
+++ b/Crypto/Random/Entropy/Unix.hs
@@ -22,10 +22,10 @@
 type H = Handle
 type DeviceName = String
 
--- | Entropy device /dev/random on unix system 
+-- | Entropy device @/dev/random@ on unix system
 newtype DevRandom  = DevRandom DeviceName
 
--- | Entropy device /dev/urandom on unix system 
+-- | Entropy device @/dev/urandom@ on unix system
 newtype DevURandom = DevURandom DeviceName
 
 instance EntropySource DevRandom where
@@ -58,7 +58,7 @@
 withDev filepath f = openDev filepath >>= \h ->
     case h of
         Nothing -> error ("device " ++ filepath ++ " cannot be grabbed")
-        Just fd -> f fd >>= \r -> (closeDev fd >> return r)
+        Just fd -> f fd `E.finally` closeDev fd
 
 closeDev :: H -> IO ()
 closeDev h = hClose h
diff --git a/Crypto/Random/Entropy/Unsafe.hs b/Crypto/Random/Entropy/Unsafe.hs
--- a/Crypto/Random/Entropy/Unsafe.hs
+++ b/Crypto/Random/Entropy/Unsafe.hs
@@ -16,8 +16,8 @@
 
 -- | Refill the entropy in a buffer
 --
--- call each entropy backend in turn until the buffer has
--- been replenish.
+-- Call each entropy backend in turn until the buffer has
+-- been replenished.
 --
 -- If the buffer cannot be refill after 3 loopings, this will raise
 -- an User Error exception
diff --git a/Crypto/Random/Entropy/Windows.hs b/Crypto/Random/Entropy/Windows.hs
--- a/Crypto/Random/Entropy/Windows.hs
+++ b/Crypto/Random/Entropy/Windows.hs
@@ -5,7 +5,7 @@
 -- Stability   : experimental
 -- Portability : Good
 --
--- code originally from the entropy package and thus is:
+-- Code originally from the entropy package and thus is:
 --   Copyright (c) Thomas DuBuisson.
 --
 {-# LANGUAGE ForeignFunctionInterface #-}
@@ -26,7 +26,7 @@
 import Crypto.Random.Entropy.Source
 
 
--- | handle to windows crypto API for random generation
+-- | Handle to Windows crypto API for random generation
 data WinCryptoAPI = WinCryptoAPI
 
 instance EntropySource WinCryptoAPI where
diff --git a/Crypto/Random/Probabilistic.hs b/Crypto/Random/Probabilistic.hs
--- a/Crypto/Random/Probabilistic.hs
+++ b/Crypto/Random/Probabilistic.hs
@@ -20,7 +20,7 @@
 -- This is useful for probabilistic algorithm like Miller Rabin
 -- probably prime algorithm, given appropriate choice of the heuristic
 --
--- Generally, it's advise not to use this function.
+-- Generally, it's advised not to use this function.
 probabilistic :: MonadPseudoRandom ChaChaDRG a -> a
 probabilistic f = fst $ withDRG drg f
   where {-# NOINLINE drg #-}
diff --git a/Crypto/Tutorial.hs b/Crypto/Tutorial.hs
--- a/Crypto/Tutorial.hs
+++ b/Crypto/Tutorial.hs
@@ -1,8 +1,91 @@
 -- | Examples of how to use @cryptonite@.
 module Crypto.Tutorial
-    ( -- * Symmetric block ciphers
+    ( -- * API design
+      -- $api_design
+
+      -- * Hash algorithms
+      -- $hash_algorithms
+
+      -- * Symmetric block ciphers
       -- $symmetric_block_ciphers
     ) where
+
+-- $api_design
+--
+-- APIs in cryptonite are often based on type classes from package
+-- <https://hackage.haskell.org/package/memory memory>, notably
+-- 'Data.ByteArray.ByteArrayAccess' and 'Data.ByteArray.ByteArray'.
+-- Module "Data.ByteArray" provides many primitives that are useful to
+-- work with cryptonite types.  For example function 'Data.ByteArray.convert'
+-- can transform one 'Data.ByteArray.ByteArrayAccess' concrete type like
+-- 'Crypto.Hash.Digest' to a 'Data.ByteString.ByteString'.
+--
+-- Algorithms and functions needing random bytes are based on type class
+-- 'Crypto.Random.Types.MonadRandom'.  Implementation 'IO' uses a system source
+-- of entropy.  It is also possible to use a 'Crypto.Random.Types.DRG' with
+-- 'Crypto.Random.Types.MonadPseudoRandom'
+--
+-- Error conditions are returned with data type 'Crypto.Error.CryptoFailable'.
+-- Functions in module "Crypto.Error" can convert those values to runtime
+-- exceptions, 'Maybe' or 'Either' values.
+
+-- $hash_algorithms
+--
+-- Hashing a complete message:
+--
+-- > import Crypto.Hash
+-- >
+-- > import Data.ByteString (ByteString)
+-- >
+-- > exampleHashWith :: ByteString -> IO ()
+-- > exampleHashWith msg = do
+-- >     putStrLn $ "  sha1(" ++ show msg ++ ") = " ++ show (hashWith SHA1   msg)
+-- >     putStrLn $ "sha256(" ++ show msg ++ ") = " ++ show (hashWith SHA256 msg)
+--
+-- Hashing incrementally, with intermediate context allocations:
+--
+-- > {-# LANGUAGE OverloadedStrings #-}
+-- >
+-- > import Crypto.Hash
+-- >
+-- > import Data.ByteString (ByteString)
+-- >
+-- > exampleIncrWithAllocs :: IO ()
+-- > exampleIncrWithAllocs = do
+-- >     let ctx0 = hashInitWith SHA3_512
+-- >         ctx1 = hashUpdate ctx0 ("The "   :: ByteString)
+-- >         ctx2 = hashUpdate ctx1 ("quick " :: ByteString)
+-- >         ctx3 = hashUpdate ctx2 ("brown " :: ByteString)
+-- >         ctx4 = hashUpdate ctx3 ("fox "   :: ByteString)
+-- >         ctx5 = hashUpdate ctx4 ("jumps " :: ByteString)
+-- >         ctx6 = hashUpdate ctx5 ("over "  :: ByteString)
+-- >         ctx7 = hashUpdate ctx6 ("the "   :: ByteString)
+-- >         ctx8 = hashUpdate ctx7 ("lazy "  :: ByteString)
+-- >         ctx9 = hashUpdate ctx8 ("dog"    :: ByteString)
+-- >     print (hashFinalize ctx9)
+--
+-- Hashing incrementally, updating context in place:
+--
+-- > {-# LANGUAGE OverloadedStrings #-}
+-- >
+-- > import Crypto.Hash.Algorithms
+-- > import Crypto.Hash.IO
+-- >
+-- > import Data.ByteString (ByteString)
+-- >
+-- > exampleIncrInPlace :: IO ()
+-- > exampleIncrInPlace = do
+-- >     ctx <- hashMutableInitWith SHA3_512
+-- >     hashMutableUpdate ctx ("The "   :: ByteString)
+-- >     hashMutableUpdate ctx ("quick " :: ByteString)
+-- >     hashMutableUpdate ctx ("brown " :: ByteString)
+-- >     hashMutableUpdate ctx ("fox "   :: ByteString)
+-- >     hashMutableUpdate ctx ("jumps " :: ByteString)
+-- >     hashMutableUpdate ctx ("over "  :: ByteString)
+-- >     hashMutableUpdate ctx ("the "   :: ByteString)
+-- >     hashMutableUpdate ctx ("lazy "  :: ByteString)
+-- >     hashMutableUpdate ctx ("dog"    :: ByteString)
+-- >     hashMutableFinalize ctx >>= print
 
 -- $symmetric_block_ciphers
 --
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -16,13 +16,23 @@
 
 Documentation: [cryptonite on hackage](http://hackage.haskell.org/package/cryptonite)
 
+Stability
+---------
+
+Cryptonite APIs are stable, and we only strive to add, not change or remove.
+Note that because the API exposed is wide and also expose internals things (for
+power users and flexibility), certains APIs can be revised in extreme cases
+where we can't just add.
+
 Versioning
 ----------
 
-Development versions are an incremental number prefixed by 0. There is no
-API stability between development versions.
+Next version of `0.x` is `0.(x+1)`. There's no exceptions, or API related meaning
+behind the numbers.
 
-Production versions : TBD
+Each versions of stackage (going back 3 stable LTS) has a cryptonite version
+that we maintain with security fixes when necessary and are versioned with the
+following `0.x.y` scheme.
 
 Coding Style
 ------------
diff --git a/benchs/Bench.hs b/benchs/Bench.hs
--- a/benchs/Bench.hs
+++ b/benchs/Bench.hs
@@ -1,45 +1,48 @@
-{-# LANGUAGE PackageImports #-}
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE ExistentialQuantification #-}
+{-# LANGUAGE FlexibleContexts #-}
 module Main where
 
-import Criterion.Main
+import Gauge.Main
 
 import           Crypto.Cipher.AES
 import           Crypto.Cipher.Blowfish
+import           Crypto.Cipher.CAST5
 import qualified Crypto.Cipher.ChaChaPoly1305 as CP
 import           Crypto.Cipher.DES
+import           Crypto.Cipher.Twofish
 import           Crypto.Cipher.Types
+import           Crypto.ECC
 import           Crypto.Error
 import           Crypto.Hash
 import qualified Crypto.KDF.PBKDF2 as PBKDF2
+import           Crypto.Number.Basic (numBits)
+import           Crypto.Number.Generate
+import qualified Crypto.PubKey.DH as DH
 import qualified Crypto.PubKey.ECC.Types as ECC
 import qualified Crypto.PubKey.ECC.Prim as ECC
 import           Crypto.Random
 
+import           Control.DeepSeq (NFData)
 import           Data.ByteArray (ByteArray, Bytes)
 import qualified Data.ByteString as B
 
-import           System.IO.Unsafe (unsafePerformIO)
-
 import Number.F2m
 
 data HashAlg = forall alg . HashAlgorithm alg => HashAlg alg
 
 benchHash =
-    [ bgroup "1KB" $ map (doHashBench oneKB) hashAlgs
-    , bgroup "1MB" $ map (doHashBench oneMB) hashAlgs
+    [ env oneKB $ \b -> bgroup "1KB" $ map (doHashBench b) hashAlgs
+    , env oneMB $ \b -> bgroup "1MB" $ map (doHashBench b) hashAlgs
     ]
   where
     doHashBench b (name, HashAlg alg) = bench name $ nf (hashWith alg) b
 
-    oneKB :: Bytes
-    oneKB = unsafePerformIO (getRandomBytes 1024)
-    {-# NOINLINE oneKB #-}
+    oneKB :: IO Bytes
+    oneKB = getRandomBytes 1024
 
-    oneMB :: Bytes
-    oneMB = unsafePerformIO (getRandomBytes $ 1024 * 1024)
-    {-# NOINLINE oneMB #-}
+    oneMB :: IO Bytes
+    oneMB = getRandomBytes $ 1024 * 1024
 
     hashAlgs =
         [ ("MD2", HashAlg MD2)
@@ -110,23 +113,27 @@
         benchECB =
             [ bench "DES-input=1024" $ nf (run (undefined :: DES) cipherInit key8) input1024
             , bench "Blowfish128-input=1024" $ nf (run (undefined :: Blowfish128) cipherInit key16) input1024
+            , bench "Twofish128-input=1024" $ nf (run (undefined :: Twofish128) cipherInit key16) input1024
+            , bench "CAST5-128-input=1024" $ nf (run (undefined :: CAST5) cipherInit key16) input1024
             , bench "AES128-input=1024" $ nf (run (undefined :: AES128) cipherInit key16) input1024
             , bench "AES256-input=1024" $ nf (run (undefined :: AES256) cipherInit key32) input1024
             ]
           where run :: (ByteArray ba, ByteArray key, BlockCipher c)
                     => c -> (key -> CryptoFailable c) -> key -> ba -> ba
-                run witness initF key input =
+                run _witness initF key input =
                     (ecbEncrypt (throwCryptoError (initF key))) input
 
         benchCBC =
             [ bench "DES-input=1024" $ nf (run (undefined :: DES) cipherInit key8 iv8) input1024
             , bench "Blowfish128-input=1024" $ nf (run (undefined :: Blowfish128) cipherInit key16 iv8) input1024
+            , bench "Twofish128-input=1024" $ nf (run (undefined :: Twofish128) cipherInit key16 iv16) input1024
+            , bench "CAST5-128-input=1024" $ nf (run (undefined :: CAST5) cipherInit key16 iv8) input1024
             , bench "AES128-input=1024" $ nf (run (undefined :: AES128) cipherInit key16 iv16) input1024
             , bench "AES256-input=1024" $ nf (run (undefined :: AES256) cipherInit key32 iv16) input1024
             ]
           where run :: (ByteArray ba, ByteArray key, BlockCipher c)
                     => c -> (key -> CryptoFailable c) -> key -> IV c -> ba -> ba
-                run witness initF key iv input =
+                run _witness initF key iv input =
                     (cbcEncrypt (throwCryptoError (initF key))) iv input
 
         key8  = B.replicate 8 0
@@ -175,11 +182,61 @@
         n1 = 0x2ba9daf2363b2819e69b34a39cf496c2458a9b2a21505ea9e7b7cbca42dc7435
         n2 = 0xf054a7f60d10b8c2cf847ee90e9e029f8b0e971b09ca5f55c4d49921a11fadc1
 
+benchFFDH = map doFFDHBench primes
+  where
+    doFFDHBench (e, p) =
+        let bits = numBits p
+            params = DH.Params { DH.params_p = p, DH.params_g = 2, DH.params_bits = bits }
+         in env (generate e params) $ bench (show bits) . nf (run params)
+
+    generate e params = do
+        aPriv <- DH.PrivateNumber `fmap` generatePriv e
+        bPriv <- DH.PrivateNumber `fmap` generatePriv e
+        return (aPriv, DH.calculatePublic params bPriv)
+
+    generatePriv e = generateParams e (Just SetHighest) False
+
+    run params (priv, pub) = DH.getShared params priv pub
+
+    -- RFC 7919: prime p with minimal size of exponent
+    primes = [ (225, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B423861285C97FFFFFFFFFFFFFFFF)
+             , (275, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF)
+             , (325, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB7930E9E4E58857B6AC7D5F42D69F6D187763CF1D5503400487F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832A907600A918130C46DC778F971AD0038092999A333CB8B7A1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6AFFFFFFFFFFFFFFFF)
+             , (375, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB7930E9E4E58857B6AC7D5F42D69F6D187763CF1D5503400487F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832A907600A918130C46DC778F971AD0038092999A333CB8B7A1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD9020BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA63BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3ACDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477A52471F7A9A96910B855322EDB6340D8A00EF092350511E30ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538CD72B03746AE77F5E62292C311562A846505DC82DB854338AE49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B045B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF)
+             , (400, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB7930E9E4E58857B6AC7D5F42D69F6D187763CF1D5503400487F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832A907600A918130C46DC778F971AD0038092999A333CB8B7A1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD9020BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA63BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3ACDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477A52471F7A9A96910B855322EDB6340D8A00EF092350511E30ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538CD72B03746AE77F5E62292C311562A846505DC82DB854338AE49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B045B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C8381E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665CB2C0F1CC01BD70229388839D2AF05E454504AC78B7582822846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA4571EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88CD68C8BB7C5C6424CFFFFFFFFFFFFFFFF)
+             ]
+
+data CurveDH = forall c . (EllipticCurveDH c, NFData (Scalar c), NFData (Point c)) => CurveDH c
+
+benchECDH = map doECDHBench curves
+  where
+    doECDHBench (name, CurveDH c) =
+        let proxy = Just c -- using Maybe as Proxy
+         in env (generate proxy) $ bench name . nf (run proxy)
+
+    generate proxy = do
+        KeyPair _      aScalar <- curveGenerateKeyPair proxy
+        KeyPair bPoint _       <- curveGenerateKeyPair proxy
+        return (aScalar, bPoint)
+
+    run proxy (s, p) = throwCryptoError (ecdh proxy s p)
+
+    curves = [ ("P256R1", CurveDH Curve_P256R1)
+             , ("P384R1", CurveDH Curve_P384R1)
+             , ("P521R1", CurveDH Curve_P521R1)
+             , ("X25519", CurveDH Curve_X25519)
+             , ("X448",   CurveDH Curve_X448)
+             ]
+
 main = defaultMain
     [ bgroup "hash" benchHash
     , bgroup "block-cipher" benchBlockCipher
     , bgroup "AE" benchAE
     , bgroup "pbkdf2" benchPBKDF2
     , bgroup "ECC" benchECC
+    , bgroup "DH"
+          [ bgroup "FFDH" benchFFDH
+          , bgroup "ECDH" benchECDH
+          ]
     , bgroup "F2m" benchF2m
     ]
diff --git a/benchs/Number/F2m.hs b/benchs/Number/F2m.hs
--- a/benchs/Number/F2m.hs
+++ b/benchs/Number/F2m.hs
@@ -2,7 +2,7 @@
 
 module Number.F2m (benchF2m) where
 
-import Criterion.Main
+import Gauge.Main
 import System.Random
 
 import Crypto.Number.Basic (log2)
diff --git a/cbits/cryptonite_aes.c b/cbits/cryptonite_aes.c
--- a/cbits/cryptonite_aes.c
+++ b/cbits/cryptonite_aes.c
@@ -52,6 +52,8 @@
 void cryptonite_aes_generic_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
 void cryptonite_aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
 void cryptonite_aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
+void cryptonite_aes_generic_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
+void cryptonite_aes_generic_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
 
 enum {
 	/* init */
@@ -76,6 +78,9 @@
 	/* ocb */
 	ENCRYPT_OCB_128, ENCRYPT_OCB_192, ENCRYPT_OCB_256,
 	DECRYPT_OCB_128, DECRYPT_OCB_192, DECRYPT_OCB_256,
+	/* ccm */
+	ENCRYPT_CCM_128, ENCRYPT_CCM_192, ENCRYPT_CCM_256,
+	DECRYPT_CCM_128, DECRYPT_CCM_192, DECRYPT_CCM_256,
 };
 
 void *cryptonite_aes_branch_table[] = {
@@ -129,6 +134,13 @@
 	[DECRYPT_OCB_128]   = cryptonite_aes_generic_ocb_decrypt,
 	[DECRYPT_OCB_192]   = cryptonite_aes_generic_ocb_decrypt,
 	[DECRYPT_OCB_256]   = cryptonite_aes_generic_ocb_decrypt,
+	/* CCM */
+	[ENCRYPT_CCM_128]   = cryptonite_aes_generic_ccm_encrypt,
+	[ENCRYPT_CCM_192]   = cryptonite_aes_generic_ccm_encrypt,
+	[ENCRYPT_CCM_256]   = cryptonite_aes_generic_ccm_encrypt,
+	[DECRYPT_CCM_128]   = cryptonite_aes_generic_ccm_decrypt,
+	[DECRYPT_CCM_192]   = cryptonite_aes_generic_ccm_decrypt,
+	[DECRYPT_CCM_256]   = cryptonite_aes_generic_ccm_decrypt,
 };
 
 typedef void (*init_f)(aes_key *, uint8_t *, uint8_t);
@@ -138,6 +150,7 @@
 typedef void (*xts_f)(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit, uint32_t spoint, aes_block *input, uint32_t nb_blocks);
 typedef void (*gcm_crypt_f)(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length);
 typedef void (*ocb_crypt_f)(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
+typedef void (*ccm_crypt_f)(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
 typedef void (*block_f)(aes_block *output, aes_key *key, aes_block *input);
 
 #ifdef WITH_AESNI
@@ -165,6 +178,10 @@
 	((ocb_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_OCB_128 + strength]))
 #define GET_OCB_DECRYPT(strength) \
 	((ocb_crypt_f) (cryptonite_aes_branch_table[DECRYPT_OCB_128 + strength]))
+#define GET_CCM_ENCRYPT(strength) \
+	((ccm_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_CCM_128 + strength]))
+#define GET_CCM_DECRYPT(strength) \
+	((ccm_crypt_f) (cryptonite_aes_branch_table[DECRYPT_CCM_128 + strength]))
 #define cryptonite_aes_encrypt_block(o,k,i) \
 	(((block_f) (cryptonite_aes_branch_table[ENCRYPT_BLOCK_128 + k->strength]))(o,k,i))
 #define cryptonite_aes_decrypt_block(o,k,i) \
@@ -182,6 +199,8 @@
 #define GET_GCM_DECRYPT(strength) cryptonite_aes_generic_gcm_decrypt
 #define GET_OCB_ENCRYPT(strength) cryptonite_aes_generic_ocb_encrypt
 #define GET_OCB_DECRYPT(strength) cryptonite_aes_generic_ocb_decrypt
+#define GET_CCM_ENCRYPT(strength) cryptonite_aes_generic_ccm_encrypt
+#define GET_CCM_DECRYPT(strength) cryptonite_aes_generic_ccm_decrypt
 #define cryptonite_aes_encrypt_block(o,k,i) cryptonite_aes_generic_encrypt_block(o,k,i)
 #define cryptonite_aes_decrypt_block(o,k,i) cryptonite_aes_generic_decrypt_block(o,k,i)
 #endif
@@ -321,6 +340,18 @@
 	d(output, gcm, key, input, length);
 }
 
+void cryptonite_aes_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
+{
+	ccm_crypt_f e = GET_CCM_ENCRYPT(key->strength);
+	e(output, ccm, key, input, length);
+}
+
+void cryptonite_aes_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
+{
+	ccm_crypt_f d = GET_CCM_DECRYPT(key->strength);
+	d(output, ccm, key, input, length);
+}
+
 void cryptonite_aes_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length)
 {
 	ocb_crypt_f e = GET_OCB_ENCRYPT(key->strength);
@@ -406,6 +437,140 @@
 	}
 }
 
+static inline uint8_t ccm_b0_flags(uint32_t has_adata, uint32_t m, uint32_t l)
+{
+	return 8*m + l + (has_adata? 64: 0);
+}
+
+/* depends on input size */
+static void ccm_encode_b0(block128* output, aes_ccm* ccm, uint32_t has_adata)
+{
+	int last = 15;
+	uint32_t m = ccm->length_M;
+	uint32_t l = ccm->length_L;
+	uint32_t msg_len = ccm->length_input;
+
+	block128_zero(output);
+	block128_copy_aligned(output, &ccm->nonce);
+	output->b[0] = ccm_b0_flags(has_adata, (m-2)/2, l-1);
+	while (msg_len > 0) {
+		output->b[last--] = msg_len & 0xff;
+		msg_len >>= 8;
+	}
+}
+
+/* encode adata length */
+static int ccm_encode_la(block128* output, uint32_t la)
+{
+	if (la < ( (1 << 16) - (1 << 8)) ) {
+		output->b[0] = (la >> 8) & 0xff;
+		output->b[1] = la        & 0xff;
+		return 2;
+	} else {
+		output->b[0] = 0xff;
+		output->b[1] = 0xfe;
+		output->b[2] = (la >> 24) & 0xff;
+		output->b[3] = (la >> 16) & 0xff;
+		output->b[4] = (la >>  8) & 0xff;
+		output->b[5] = la         & 0xff;
+		return 6;
+	}
+}
+
+static void ccm_encode_ctr(block128* out, aes_ccm* ccm, unsigned int cnt)
+{
+	int last = 15;
+	block128_copy_aligned(out, &ccm->nonce);
+	out->b[0] = ccm->length_L - 1;
+
+	while (cnt > 0) {
+		out->b[last--] = cnt & 0xff;
+		cnt >>= 8;
+	}
+}
+
+static void ccm_cbcmac_add(aes_ccm* ccm, aes_key* key, block128* bi)
+{
+	block128_xor_aligned(&ccm->xi, bi);
+	cryptonite_aes_generic_encrypt_block(&ccm->xi, key, &ccm->xi);
+}
+
+/* even though it is possible to support message size as large as 2^64, we support up to 2^32 only */
+void cryptonite_aes_ccm_init(aes_ccm *ccm, aes_key *key, uint8_t *nonce, uint32_t nonce_len, uint32_t input_size, int m, int l)
+{
+	memset(ccm, 0, sizeof(aes_ccm));
+
+	if (l < 2 || l > 4) return;
+	if (m != 4 && m != 6 && m != 8 && m != 10
+		   && m != 12 && m != 14 && m != 16) return;
+
+	if (nonce_len > 15 - l) {
+		nonce_len = 15 - l;
+	}
+
+	if (l <= 4) {
+		if (input_size >= (1ull << (8*l))) return;
+	}
+
+	ccm->length_L = l;
+	ccm->length_M = m;
+	ccm->length_input = input_size;
+
+	memcpy(&ccm->nonce.b[1], nonce, nonce_len);
+
+	ccm_encode_b0(&ccm->b0, ccm, 1); /* assume aad is present */
+	cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);
+}
+
+/* even though l(a) can be as large as 2^64, we only handle aad up to 2 ^ 32 for practical reasons.
+  Also we don't support incremental aad add, because the 1st encoded adata has length information
+ */
+void cryptonite_aes_ccm_aad(aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
+{
+	block128 tmp;
+
+	if (ccm->length_aad != 0) return;
+
+	ccm->length_aad = length;
+	int len_len;
+
+	block128_zero(&tmp);
+	len_len = ccm_encode_la(&tmp, length);
+
+	if (length < 16 - len_len) {
+		memcpy(&tmp.b[len_len], input, length);
+		length = 0;
+	} else {
+		memcpy(&tmp.b[len_len], input, 16 - len_len);
+		input += 16 - len_len;
+		length -= 16 - len_len;
+	}
+
+	ccm_cbcmac_add(ccm, key, &tmp);
+
+	for (; length >= 16; input += 16, length -= 16) {
+		block128_copy(&tmp, (block128*)input);
+		ccm_cbcmac_add(ccm, key, &tmp);
+
+	}
+	if (length > 0) {
+		block128_zero(&tmp);
+		block128_copy_bytes(&tmp, input, length);
+		ccm_cbcmac_add(ccm, key, &tmp);
+	}
+	block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);
+}
+
+void cryptonite_aes_ccm_finish(uint8_t *tag, aes_ccm *ccm, aes_key *key)
+{
+	block128 iv, s0;
+
+	block128_zero(&iv);
+	ccm_encode_ctr(&iv, ccm, 0);
+	cryptonite_aes_encrypt_block(&s0, key, &iv);
+	block128_vxor((block128*)tag, &ccm->xi, &s0);
+}
+
 static inline void ocb_block_double(block128 *d, block128 *s)
 {
 	unsigned int i;
@@ -736,6 +901,66 @@
 			block128_xor_aligned(&ocb->sum_enc, &tmp);
 			input += length;
 		}
+	}
+}
+
+void cryptonite_aes_generic_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
+{
+	block128 tmp, ctr;
+
+	/* when aad is absent, reset b0 block */
+	if (ccm->length_aad == 0) {
+		ccm_encode_b0(&ccm->b0, ccm, 0); /* assume aad is present */
+		cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);
+		block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);
+	}
+
+	if (length != ccm->length_input) {
+		return;
+	}
+
+	ccm_encode_ctr(&ctr, ccm, 1);
+	cryptonite_aes_encrypt_ctr(output, key, &ctr, input, length);
+
+	for (;length >= 16; input += 16, length -= 16) {
+		block128_copy(&tmp, (block128*)input);
+		ccm_cbcmac_add(ccm, key, &tmp);
+	}
+	if (length > 0) {
+		block128_zero(&tmp);
+		block128_copy_bytes(&tmp, input, length);
+		ccm_cbcmac_add(ccm, key, &tmp);
+	}
+}
+
+void cryptonite_aes_generic_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)
+{
+	block128 tmp, ctr;
+
+	if (length != ccm->length_input) {
+		return;
+	}
+
+	/* when aad is absent, reset b0 block */
+	if (ccm->length_aad == 0) {
+		ccm_encode_b0(&ccm->b0, ccm, 0); /* assume aad is present */
+		cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);
+		block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);
+	}
+
+	ccm_encode_ctr(&ctr, ccm, 1);
+	cryptonite_aes_encrypt_ctr(output, key, &ctr, input, length);
+	block128_copy_aligned(&ccm->xi, &ccm->header_cbcmac);
+	input = output;
+
+	for (;length >= 16; input += 16, length -= 16) {
+		block128_copy(&tmp, (block128*)input);
+		ccm_cbcmac_add(ccm, key, &tmp);
+	}
+	if (length > 0) {
+		block128_zero(&tmp);
+		block128_copy_bytes(&tmp, input, length);
+		ccm_cbcmac_add(ccm, key, &tmp);
 	}
 }
 
diff --git a/cbits/cryptonite_aes.h b/cbits/cryptonite_aes.h
--- a/cbits/cryptonite_aes.h
+++ b/cbits/cryptonite_aes.h
@@ -55,7 +55,19 @@
 	uint64_t length_input;
 } aes_gcm;
 
+/* size = 4*16+4*4= 80 */
 typedef struct {
+	aes_block xi;
+	aes_block header_cbcmac;
+	aes_block b0;
+	aes_block nonce;
+	uint32_t length_aad;
+	uint32_t length_input;
+	uint32_t length_M;
+	uint32_t length_L;
+} aes_ccm;
+
+typedef struct {
 	block128 offset_aad;
 	block128 offset_enc;
 	block128 sum_aad;
@@ -96,5 +108,11 @@
 void cryptonite_aes_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
 void cryptonite_aes_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
 void cryptonite_aes_ocb_finish(uint8_t *tag, aes_ocb *ocb, aes_key *key);
+
+void cryptonite_aes_ccm_init(aes_ccm *ccm, aes_key *key, uint8_t *nonce, uint32_t len, uint32_t msg_size, int m, int l);
+void cryptonite_aes_ccm_aad(aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
+void cryptonite_aes_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
+void cryptonite_aes_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
+void cryptonite_aes_ccm_finish(uint8_t *tag, aes_ccm *ccm, aes_key *key);
 
 #endif
diff --git a/cbits/decaf/ed448goldilocks/decaf_all.c b/cbits/decaf/ed448goldilocks/decaf_all.c
new file mode 100644
--- /dev/null
+++ b/cbits/decaf/ed448goldilocks/decaf_all.c
@@ -0,0 +1,3 @@
+/* Combined to avoid link failure on OpenBSD with --strip-unneeded, see #186 */
+#include "decaf.c"
+#include "decaf_tables.c"
diff --git a/cbits/decaf/p448/arch_32/f_impl.h b/cbits/decaf/p448/arch_32/f_impl.h
--- a/cbits/decaf/p448/arch_32/f_impl.h
+++ b/cbits/decaf/p448/arch_32/f_impl.h
@@ -10,37 +10,22 @@
 #define LIMB_PLACE_VALUE(i) 28
 
 void cryptonite_gf_add_RAW (gf out, const gf a, const gf b) {
-    for (unsigned int i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
-        ((uint32xn_t*)out)[i] = ((const uint32xn_t*)a)[i] + ((const uint32xn_t*)b)[i];
-    }
-    /*
-    unsigned int i;
-    for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
+    for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
         out->limb[i] = a->limb[i] + b->limb[i];
     }
-    */
 }
 
 void cryptonite_gf_sub_RAW (gf out, const gf a, const gf b) {
-    for (unsigned int i=0; i<sizeof(*out)/sizeof(uint32xn_t); i++) {
-        ((uint32xn_t*)out)[i] = ((const uint32xn_t*)a)[i] - ((const uint32xn_t*)b)[i];
-    }
-    /*
-    unsigned int i;
-    for (i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
+    for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {
         out->limb[i] = a->limb[i] - b->limb[i];
     }
-    */
 }
 
-void cryptonite_gf_bias (gf a, int amt) {
+void cryptonite_gf_bias (gf a, int amt) {    
     uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt;
-    uint32x4_t lo = {co1,co1,co1,co1}, hi = {co2,co1,co1,co1};
-    uint32x4_t *aa = (uint32x4_t*) a;
-    aa[0] += lo;
-    aa[1] += lo;
-    aa[2] += hi;
-    aa[3] += lo;
+    for (unsigned int i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {
+        a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1;
+    }
 }
 
 void cryptonite_gf_weak_reduce (gf a) {
diff --git a/cbits/decaf/p448/f_generic.c b/cbits/decaf/p448/f_generic.c
--- a/cbits/decaf/p448/f_generic.c
+++ b/cbits/decaf/p448/f_generic.c
@@ -106,14 +106,14 @@
     assert(word_is_zero(carry + scarry_0));
 }
 
-/** Add two gf elements */
+/** Subtract two gf elements d=a-b */
 void cryptonite_gf_sub (gf d, const gf a, const gf b) {
     cryptonite_gf_sub_RAW ( d, a, b );
     cryptonite_gf_bias( d, 2 );
     cryptonite_gf_weak_reduce ( d );
 }
 
-/** Subtract d = a-b */
+/** Add two field elements d = a+b */
 void cryptonite_gf_add (gf d, const gf a, const gf b) {
     cryptonite_gf_add_RAW ( d, a, b );
     cryptonite_gf_weak_reduce ( d );
diff --git a/cbits/ed25519/ed25519-cryptonite-exts.h b/cbits/ed25519/ed25519-cryptonite-exts.h
new file mode 100644
--- /dev/null
+++ b/cbits/ed25519/ed25519-cryptonite-exts.h
@@ -0,0 +1,246 @@
+/*
+    Public domain by Olivier Chéron <olivier.cheron@gmail.com>
+
+    Arithmetic extensions to Ed25519-donna
+*/
+
+
+/*
+    Scalar functions
+*/
+
+void
+ED25519_FN(ed25519_scalar_encode) (unsigned char out[32], const bignum256modm in) {
+    contract256_modm(out, in);
+}
+
+void
+ED25519_FN(ed25519_scalar_decode_long) (bignum256modm out, const unsigned char *in, size_t len) {
+    expand256_modm(out, in, len);
+}
+
+int
+ED25519_FN(ed25519_scalar_eq) (const bignum256modm a, const bignum256modm b) {
+    bignum256modm_element_t e = 0;
+
+    for (int i = 0; i < bignum256modm_limb_size; i++) {
+        e |= a[i] ^ b[i];
+    }
+
+    return (int) (1 & ((e - 1) >> bignum256modm_bits_per_limb));
+}
+
+void
+ED25519_FN(ed25519_scalar_add) (bignum256modm r, const bignum256modm x, const bignum256modm y) {
+    add256_modm(r, x, y);
+}
+
+void
+ED25519_FN(ed25519_scalar_mul) (bignum256modm r, const bignum256modm x, const bignum256modm y) {
+    mul256_modm(r, x, y);
+}
+
+
+/*
+    Point functions
+*/
+
+void
+ED25519_FN(ed25519_point_encode) (unsigned char r[32], const ge25519 *p) {
+    ge25519_pack(r, p);
+}
+
+int
+ED25519_FN(ed25519_point_decode_vartime) (ge25519 *r, const unsigned char p[32]) {
+    unsigned char p_neg[32];
+
+    // invert parity bit of X coordinate so the point is negated twice
+    // (once here, once in ge25519_unpack_negative_vartime)
+    for (int i = 0; i < 31; i++) {
+        p_neg[i] = p[i];
+    }
+    p_neg[31] = p[31] ^ 0x80;
+
+    return ge25519_unpack_negative_vartime(r, p_neg);
+}
+
+int
+ED25519_FN(ed25519_point_eq) (const ge25519 *p, const ge25519 *q) {
+    bignum25519 a, b;
+    unsigned char contract_a[32], contract_b[32];
+    int eq;
+
+    // pX * qZ = qX * pZ
+    curve25519_mul(a, p->x, q->z);
+    curve25519_contract(contract_a, a);
+    curve25519_mul(b, q->x, p->z);
+    curve25519_contract(contract_b, b);
+    eq = ed25519_verify(contract_a, contract_b, 32);
+
+    // pY * qZ = qY * pZ
+    curve25519_mul(a, p->y, q->z);
+    curve25519_contract(contract_a, a);
+    curve25519_mul(b, q->y, p->z);
+    curve25519_contract(contract_b, b);
+    eq &= ed25519_verify(contract_a, contract_b, 32);
+
+    return eq;
+}
+
+static int
+ED25519_FN(ed25519_point_is_identity) (const ge25519 *p) {
+    static const unsigned char zero[32] = {0};
+    unsigned char check[32];
+    bignum25519 d;
+    int eq;
+
+    // pX = 0
+    curve25519_contract(check, p->x);
+    eq = ed25519_verify(check, zero, 32);
+
+    // pY - pZ = 0
+    curve25519_sub_reduce(d, p->y, p->z);
+    curve25519_contract(check, d);
+    eq &= ed25519_verify(check, zero, 32);
+
+    return eq;
+}
+
+void
+ED25519_FN(ed25519_point_negate) (ge25519 *r, const ge25519 *p) {
+    curve25519_neg(r->x, p->x);
+    curve25519_copy(r->y, p->y);
+    curve25519_copy(r->z, p->z);
+    curve25519_neg(r->t, p->t);
+}
+
+void
+ED25519_FN(ed25519_point_add) (ge25519 *r, const ge25519 *p, const ge25519 *q) {
+    ge25519_add(r, p, q);
+}
+
+void
+ED25519_FN(ed25519_point_double) (ge25519 *r, const ge25519 *p) {
+    ge25519_double(r, p);
+}
+
+void
+ED25519_FN(ed25519_point_mul_by_cofactor) (ge25519 *r, const ge25519 *p) {
+    ge25519_double_partial(r, p);
+    ge25519_double_partial(r, r);
+    ge25519_double(r, r);
+}
+
+void
+ED25519_FN(ed25519_point_base_scalarmul) (ge25519 *r, const bignum256modm s) {
+    ge25519_scalarmult_base_niels(r, ge25519_niels_base_multiples, s);
+}
+
+#if defined(ED25519_64BIT)
+typedef uint64_t ed25519_move_cond_word;
+#else
+typedef uint32_t ed25519_move_cond_word;
+#endif
+
+/* out = (flag) ? in : out */
+DONNA_INLINE static void
+ed25519_move_cond_pniels(ge25519_pniels *out, const ge25519_pniels *in, uint32_t flag) {
+    const int word_count = sizeof(ge25519_pniels) / sizeof(ed25519_move_cond_word);
+    const ed25519_move_cond_word nb = (ed25519_move_cond_word) flag - 1, b = ~nb;
+
+    ed25519_move_cond_word *outw = (ed25519_move_cond_word *) out;
+    const ed25519_move_cond_word *inw  = (const ed25519_move_cond_word *) in;
+
+    // ge25519_pniels has 4 coordinates, so word_count is divisible by 4
+    for (int i = 0; i < word_count; i += 4) {
+        outw[i + 0] = (outw[i + 0] & nb) | (inw[i + 0] & b);
+        outw[i + 1] = (outw[i + 1] & nb) | (inw[i + 1] & b);
+        outw[i + 2] = (outw[i + 2] & nb) | (inw[i + 2] & b);
+        outw[i + 3] = (outw[i + 3] & nb) | (inw[i + 3] & b);
+    }
+}
+
+static void
+ed25519_point_scalarmul_w_choose_pniels(ge25519_pniels *t, const ge25519_pniels table[15], uint32_t pos) {
+    // initialize t to identity, i.e. (1, 1, 1, 0)
+    memset(t, 0, sizeof(ge25519_pniels));
+    t->ysubx[0] = 1;
+    t->xaddy[0] = 1;
+    t->z[0] = 1;
+
+    // move one entry from table matching requested position,
+    // scanning all table to avoid cache-timing attack
+    //
+    // when pos == 0, no entry matches and this returns
+    // identity as expected
+    for (uint32_t i = 1; i < 16; i++) {
+        uint32_t flag = ((i ^ pos) - 1) >> 31;
+        ed25519_move_cond_pniels(t, table + i - 1, flag);
+    }
+}
+
+void
+ED25519_FN(ed25519_point_scalarmul) (ge25519 *r, const ge25519 *p, const bignum256modm s) {
+    ge25519_pniels mult[15];
+    ge25519_pniels pn;
+    ge25519_p1p1 t;
+    unsigned char ss[32];
+
+    // transform scalar as little-endian number
+    contract256_modm(ss, s);
+
+    // initialize r to identity, i.e. ge25519 (0, 1, 1, 0)
+    memset(r, 0, sizeof(ge25519));
+    r->y[0] = 1;
+    r->z[0] = 1;
+
+    // precompute multiples of P: 1.P, 2.P, ..., 15.P
+    ge25519_full_to_pniels(&mult[0], p);
+    for (int i = 1; i < 15; i++) {
+        ge25519_pnielsadd(&mult[i], p, &mult[i-1]);
+    }
+
+    // 4-bit fixed window, still 256 doublings but 64 additions
+    for (int i = 31; i >= 0; i--) {
+        // higher bits in ss[i]
+        ed25519_point_scalarmul_w_choose_pniels(&pn, mult, ss[i] >> 4);
+        ge25519_pnielsadd_p1p1(&t, r, &pn, 0);
+        ge25519_p1p1_to_partial(r, &t);
+
+        ge25519_double_partial(r, r);
+        ge25519_double_partial(r, r);
+        ge25519_double_partial(r, r);
+        ge25519_double(r, r);
+
+        // lower bits in ss[i]
+        ed25519_point_scalarmul_w_choose_pniels(&pn, mult, ss[i] & 0x0F);
+        ge25519_pnielsadd_p1p1(&t, r, &pn, 0);
+        if (i > 0) {
+            ge25519_p1p1_to_partial(r, &t);
+
+            ge25519_double_partial(r, r);
+            ge25519_double_partial(r, r);
+            ge25519_double_partial(r, r);
+            ge25519_double(r, r);
+        } else {
+            ge25519_p1p1_to_full(r, &t);
+        }
+    }
+}
+
+void
+ED25519_FN(ed25519_base_double_scalarmul_vartime) (ge25519 *r, const bignum256modm s1, const ge25519 *p2, const bignum256modm s2) {
+    // computes [s1]basepoint + [s2]p2
+    ge25519_double_scalarmult_vartime(r, p2, s2, s1);
+}
+
+int
+ED25519_FN(ed25519_point_has_prime_order) (const ge25519 *p) {
+    static const bignum256modm sc_zero = {0};
+    ge25519 q;
+
+    // computes Q = m.P, vartime allowed because m is not secret
+    ED25519_FN(ed25519_base_double_scalarmul_vartime) (&q, sc_zero, p, modm_m);
+
+    return ED25519_FN(ed25519_point_is_identity) (&q);
+}
diff --git a/cbits/ed25519/ed25519-donna-impl-base.h b/cbits/ed25519/ed25519-donna-impl-base.h
--- a/cbits/ed25519/ed25519-donna-impl-base.h
+++ b/cbits/ed25519/ed25519-donna-impl-base.h
@@ -287,7 +287,13 @@
 			ge25519_nielsadd2_p1p1(&t, r, &ge25519_niels_sliding_multiples[abs(slide2[i]) / 2], (unsigned char)slide2[i] >> 7);
 		}
 
-		ge25519_p1p1_to_partial(r, &t);
+		// diverges from the original source code and resolves bug explained
+		// in <https://github.com/floodyberry/ed25519-donna/issues/31>
+		if (i == 0) {
+			ge25519_p1p1_to_full(r, &t);
+		} else {
+			ge25519_p1p1_to_partial(r, &t);
+		}
 	}
 }
 
diff --git a/cbits/ed25519/ed25519.c b/cbits/ed25519/ed25519.c
--- a/cbits/ed25519/ed25519.c
+++ b/cbits/ed25519/ed25519.c
@@ -11,6 +11,7 @@
 #include "ed25519.h"
 #include "ed25519-randombytes.h"
 #include "ed25519-hash.h"
+#include "ed25519-cryptonite-exts.h"
 
 /*
 	Generates a (extsk[0..31]) and aExt (extsk[32..63])
diff --git a/cbits/p256/p256_ec.c b/cbits/p256/p256_ec.c
--- a/cbits/p256/p256_ec.c
+++ b/cbits/p256/p256_ec.c
@@ -1303,3 +1303,14 @@
     from_montgomery(out_x, px1);
     from_montgomery(out_y, py1);
 }
+
+/* this function is not part of the original source
+   negate a point, i.e. (out_x, out_y) = (in_x, -in_y)
+ */
+void cryptonite_p256e_point_negate(
+    const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,
+    cryptonite_p256_int *out_x, cryptonite_p256_int *out_y)
+{
+    memcpy(out_x, in_x, P256_NBYTES);
+    cryptonite_p256_sub(&cryptonite_SECP256r1_p, in_y, out_y);
+}
diff --git a/cryptonite.cabal b/cryptonite.cabal
--- a/cryptonite.cabal
+++ b/cryptonite.cabal
@@ -1,10 +1,10 @@
 Name:                cryptonite
-version:             0.24
+version:             0.25
 Synopsis:            Cryptography Primitives sink
 Description:
     A repository of cryptographic primitives.
     .
-    * Symmetric ciphers: AES, DES, 3DES, Blowfish, Camellia, RC4, Salsa, XSalsa, ChaCha.
+    * Symmetric ciphers: AES, DES, 3DES, CAST5, Blowfish, Twofish, Camellia, RC4, Salsa, XSalsa, ChaCha.
     .
     * Hash: SHA1, SHA2, SHA3, SHAKE, MD2, MD4, MD5, Keccak, Skein, Ripemd, Tiger, Whirlpool, Blake2
     .
@@ -48,6 +48,8 @@
                      cbits/decaf/p448/arch_32/*.h
                      cbits/decaf/p448/arch_ref64/*.h
                      cbits/decaf/p448/*.h
+                     cbits/decaf/ed448goldilocks/decaf_tables.c
+                     cbits/decaf/ed448goldilocks/decaf.c
                      cbits/p256/*.h
                      cbits/blake2/ref/*.h
                      cbits/blake2/sse/*.h
@@ -103,6 +105,7 @@
 Library
   Exposed-modules:   Crypto.Cipher.AES
                      Crypto.Cipher.Blowfish
+                     Crypto.Cipher.CAST5
                      Crypto.Cipher.Camellia
                      Crypto.Cipher.ChaCha
                      Crypto.Cipher.ChaChaPoly1305
@@ -118,6 +121,7 @@
                      Crypto.Data.AFIS
                      Crypto.Data.Padding
                      Crypto.ECC
+                     Crypto.ECC.Edwards25519
                      Crypto.Error
                      Crypto.MAC.CMAC
                      Crypto.MAC.Poly1305
@@ -167,6 +171,7 @@
   Other-modules:     Crypto.Cipher.AES.Primitive
                      Crypto.Cipher.Blowfish.Box
                      Crypto.Cipher.Blowfish.Primitive
+                     Crypto.Cipher.CAST5.Primitive
                      Crypto.Cipher.Camellia.Primitive
                      Crypto.Cipher.DES.Primitive
                      Crypto.Cipher.Twofish.Primitive
@@ -220,12 +225,14 @@
     Other-modules:   Crypto.Hash.SHAKE
                      Crypto.Hash.Blake2
                      Crypto.Internal.Nat
-  Build-depends:     base >= 4.3 && < 5
+  Build-depends:     base >= 4.6 && < 5
                    , bytestring
-                   , memory >= 0.14.5
-                   , foundation >= 0.0.8
+                   , memory >= 0.14.14
+                   , basement >= 0.0.6
                    , ghc-prim
   ghc-options:       -Wall -fwarn-tabs -optc-O3 -fno-warn-unused-imports
+  if os(linux)
+    extra-libraries: pthread
   default-language:  Haskell2010
   cc-options:        -std=gnu99
   if flag(old_toolchain_inliner)
@@ -235,7 +242,6 @@
                    , cbits/cryptonite_xsalsa.c
                    , cbits/cryptonite_rc4.c
                    , cbits/cryptonite_cpu.c
-                   , cbits/ed25519/ed25519.c
                    , cbits/p256/p256.c
                    , cbits/p256/p256_ec.c
                    , cbits/cryptonite_blake2s.c
@@ -257,6 +263,7 @@
                    , cbits/cryptonite_whirlpool.c
                    , cbits/cryptonite_scrypt.c
                    , cbits/cryptonite_pbkdf2.c
+                   , cbits/ed25519/ed25519.c
   include-dirs:      cbits
                    , cbits/ed25519
                    , cbits/decaf/include
@@ -268,8 +275,7 @@
                      , cbits/decaf/p448/f_arithmetic.c
                      , cbits/decaf/utils.c
                      , cbits/decaf/ed448goldilocks/scalar.c
-                     , cbits/decaf/ed448goldilocks/decaf_tables.c
-                     , cbits/decaf/ed448goldilocks/decaf.c
+                     , cbits/decaf/ed448goldilocks/decaf_all.c
                      , cbits/decaf/ed448goldilocks/eddsa.c
 
     include-dirs:      cbits/decaf/include/arch_ref64
@@ -280,8 +286,7 @@
                      , cbits/decaf/p448/f_arithmetic.c
                      , cbits/decaf/utils.c
                      , cbits/decaf/ed448goldilocks/scalar.c
-                     , cbits/decaf/ed448goldilocks/decaf_tables.c
-                     , cbits/decaf/ed448goldilocks/decaf.c
+                     , cbits/decaf/ed448goldilocks/decaf_all.c
                      , cbits/decaf/ed448goldilocks/eddsa.c
 
     include-dirs:      cbits/decaf/include/arch_32
@@ -366,17 +371,20 @@
                      ChaCha
                      BCrypt
                      ECC
+                     ECC.Edwards25519
                      Hash
                      Imports
                      KAT_AES.KATCBC
                      KAT_AES.KATECB
                      KAT_AES.KATGCM
+                     KAT_AES.KATCCM
                      KAT_AES.KATOCB3
                      KAT_AES.KATXTS
                      KAT_AES
                      KAT_AFIS
                      KAT_Argon2
                      KAT_Blowfish
+                     KAT_CAST5
                      KAT_Camellia
                      KAT_Curve25519
                      KAT_Curve448
@@ -426,8 +434,9 @@
   Other-modules:     Number.F2m
   Build-Depends:     base >= 3 && < 5
                    , bytestring
+                   , deepseq
                    , memory
-                   , criterion
+                   , gauge
                    , random
                    , cryptonite
   ghc-options:       -Wall -fno-warn-missing-signatures
diff --git a/tests/BlockCipher.hs b/tests/BlockCipher.hs
--- a/tests/BlockCipher.hs
+++ b/tests/BlockCipher.hs
@@ -16,8 +16,8 @@
 import           Data.Maybe
 import           Crypto.Error
 import           Crypto.Cipher.Types
-import           Data.ByteArray as B hiding (pack, null)
-import qualified Data.ByteString as B hiding (all)
+import           Data.ByteArray as B hiding (pack, null, length)
+import qualified Data.ByteString as B hiding (all, take, replicate)
 
 ------------------------------------------------------------------------
 -- KAT
@@ -161,7 +161,7 @@
      ++ maybeGroup makeCFBTest "CFB" (kat_CFB kats)
      ++ maybeGroup makeCTRTest "CTR" (kat_CTR kats)
      -- ++ maybeGroup makeXTSTest "XTS" (kat_XTS kats)
-     -- ++ maybeGroup makeAEADTest "AEAD" (kat_AEAD kats)
+     ++ maybeGroup makeAEADTest "AEAD" (kat_AEAD kats)
     )
   where makeECBTest i d =
             [ testCase ("E" ++ i) (ecbEncrypt ctx (ecbPlaintext d) @?= ecbCiphertext d)
@@ -191,25 +191,24 @@
             [ testCase ("E" ++ i) (xtsEncrypt ctx iv 0 (xtsPlaintext d) @?= xtsCiphertext d)
             , testCase ("D" ++ i) (xtsDecrypt ctx iv 0 (xtsCiphertext d) @?= xtsPlaintext d)
             ]
-          where ctx1 = cipherInit (cipherMakeKey cipher $ xtsKey1 d)
-                ctx2 = cipherInit (cipherMakeKey cipher $ xtsKey2 d)
+          where ctx1 = cipherInitNoErr (cipherMakeKey cipher $ xtsKey1 d)
+                ctx2 = cipherInitNoErr (cipherMakeKey cipher $ xtsKey2 d)
                 ctx  = (ctx1, ctx2)
                 iv   = cipherMakeIV cipher $ xtsIV d
+-}
         makeAEADTest i d =
-            [ testCase ("AE" ++ i) (etag @?= aeadTag d)
-            , testCase ("AD" ++ i) (dtag @?= aeadTag d)
+            [ testCase ("AE" ++ i) (etag @?= AuthTag (B.convert (aeadTag d)))
+            , testCase ("AD" ++ i) (dtag @?= AuthTag (B.convert (aeadTag d)))
             , testCase ("E" ++ i)  (ebs @?= aeadCiphertext d)
             , testCase ("D" ++ i)  (dbs @?= aeadPlaintext d)
             ]
-          where ctx  = cipherInit (cipherMakeKey cipher $ aeadKey d)
-                aead = maybe (error $ "cipher doesn't support aead mode: " ++ show (aeadMode d)) id
-                     $ aeadInit (aeadMode d) ctx (aeadIV d)
+          where ctx  = cipherInitNoErr (cipherMakeKey cipher $ aeadKey d)
+                aead = aeadInitNoErr (aeadMode d) ctx (aeadIV d)
                 aeadHeaded     = aeadAppendHeader aead (aeadHeader d)
                 (ebs,aeadEFinal) = aeadEncrypt aeadHeaded (aeadPlaintext d)
                 (dbs,aeadDFinal) = aeadDecrypt aeadHeaded (aeadCiphertext d)
                 etag = aeadFinalize aeadEFinal (aeadTaglen d)
                 dtag = aeadFinalize aeadDFinal (aeadTaglen d)
--}
 
         cipherInitNoErr :: BlockCipher c => Key c -> c
         cipherInitNoErr (Key k) =
@@ -217,6 +216,11 @@
                 CryptoPassed a -> a
                 CryptoFailed e -> error (show e)
 
+        aeadInitNoErr :: (ByteArrayAccess iv, BlockCipher cipher) => AEADMode -> cipher -> iv -> AEAD cipher
+        aeadInitNoErr mode ct iv =
+            case aeadInit mode ct iv of
+                CryptoPassed a -> a
+                CryptoFailed _ -> error $ "cipher doesn't support aead mode: " ++ show mode
 ------------------------------------------------------------------------
 -- Properties
 ------------------------------------------------------------------------
@@ -389,7 +393,7 @@
 testBlockCipherAEAD :: BlockCipher a => a -> [TestTree]
 testBlockCipherAEAD cipher =
     [ testProperty "OCB" (aeadProp AEAD_OCB)
-    , testProperty "CCM" (aeadProp AEAD_CCM)
+    , testProperty "CCM" (aeadProp (AEAD_CCM 0 CCM_M16 CCM_L2))
     , testProperty "EAX" (aeadProp AEAD_EAX)
     , testProperty "CWC" (aeadProp AEAD_CWC)
     , testProperty "GCM" (aeadProp AEAD_GCM)
@@ -398,7 +402,7 @@
         toTests :: BlockCipher a => a -> (AEADMode -> AEADUnit a -> Bool)
         toTests _ = testProperty_AEAD
         testProperty_AEAD mode (AEADUnit key testIV (unPlaintext -> aad) (unPlaintext -> plaintext)) = withCtx key $ \ctx ->
-            case aeadInit mode ctx testIV of
+            case aeadInit mode' ctx iv' of
                 CryptoPassed iniAead ->
                     let aead           = aeadAppendHeader iniAead aad
                         (eText, aeadE) = aeadEncrypt aead plaintext
@@ -409,6 +413,10 @@
                 CryptoFailed err
                     | err == CryptoError_AEADModeNotSupported -> True
                     | otherwise                               -> error ("testProperty_AEAD: " ++ show err)
+            where (mode', iv') = updateCcmInputSize mode (B.length plaintext) testIV
+                  updateCcmInputSize aeadmode k iv = case aeadmode of
+                    AEAD_CCM _ m l -> (AEAD_CCM k m l, B.take 13 (iv <> (B.replicate 15 0)))
+                    aeadOther      -> (aeadOther, iv)
 
 withCtx :: Cipher c => Key c -> (c -> a) -> a
 withCtx (Key key) f =
diff --git a/tests/ECC/Edwards25519.hs b/tests/ECC/Edwards25519.hs
new file mode 100644
--- /dev/null
+++ b/tests/ECC/Edwards25519.hs
@@ -0,0 +1,147 @@
+{-# LANGUAGE OverloadedStrings #-}
+module ECC.Edwards25519 ( tests ) where
+
+import           Crypto.Error
+import           Crypto.ECC.Edwards25519
+import qualified Data.ByteString as B
+import           Data.Word (Word8)
+import           Imports
+
+instance Arbitrary Scalar where
+    arbitrary = fmap (throwCryptoError . scalarDecodeLong)
+                     (arbitraryBS 64)
+
+smallScalar :: Word8 -> Scalar
+smallScalar = throwCryptoError . scalarDecodeLong . B.singleton
+
+newtype PrimeOrder = PrimeOrder Point
+    deriving Show
+
+-- points in the prime-order subgroup
+instance Arbitrary PrimeOrder where
+    arbitrary = (PrimeOrder . toPoint) `fmap` arbitrary
+
+-- arbitrary curve point, including points with a torsion component
+instance Arbitrary Point where
+    arbitrary = do a <- arbitrary
+                   b <- elements $ map smallScalar [0 .. 7]
+                   return (pointsMulVarTime a b torsion8)
+
+-- an 8-torsion point
+torsion8 :: Point
+torsion8 = throwCryptoError $ pointDecode ("\199\ETBjp=M\216O\186<\vv\r\DLEg\SI* S\250,9\204\198N\199\253w\146\172\ETXz" :: ByteString)
+
+tests = testGroup "ECC.Edwards25519"
+    [ testGroup "vectors"
+        [ testCase "11*G"         $ p011 @=? toPoint s011
+        , testCase "123*G"        $ p123 @=? toPoint s123
+        , testCase "134*G"        $ p134 @=? toPoint s134
+        , testCase "123*G + 11*G" $ p134 @=? pointAdd p123 p011
+        ]
+    , testGroup "scalar arithmetic"
+        [ testProperty "scalarDecodeLong.scalarEncode==id" $ \s ->
+            let bs = scalarEncode s :: ByteString
+                ss = scalarDecodeLong bs
+             in CryptoPassed s `propertyEq` ss
+        , testCase "curve order" $ s0 @=? sN
+        , testProperty "addition with zero" $ \s ->
+            propertyHold [ eqTest "zero left"  s (scalarAdd s0 s)
+                         , eqTest "zero right" s (scalarAdd s s0)
+                         ]
+        , testProperty "addition associative" $ \sa sb sc ->
+            scalarAdd sa (scalarAdd sb sc) === scalarAdd (scalarAdd sa sb) sc
+        , testProperty "addition commutative" $ \sa sb ->
+            scalarAdd sa sb === scalarAdd sb sa
+        , testProperty "multiplication with zero" $ \s ->
+            propertyHold [ eqTest "zero left"  s0 (scalarMul s0 s)
+                         , eqTest "zero right" s0 (scalarMul s s0)
+                         ]
+        , testProperty "multiplication with one" $ \s ->
+            propertyHold [ eqTest "one left"  s (scalarMul s1 s)
+                         , eqTest "one right" s (scalarMul s s1)
+                         ]
+        , testProperty "multiplication associative" $ \sa sb sc ->
+            scalarMul sa (scalarMul sb sc) === scalarMul (scalarMul sa sb) sc
+        , testProperty "multiplication commutative" $ \sa sb ->
+            scalarMul sa sb === scalarMul sb sa
+        , testProperty "multiplication distributive" $ \sa sb sc ->
+            propertyHold [ eqTest "distributive left"  ((sa `scalarMul` sb) `scalarAdd` (sa `scalarMul` sc))
+                                                       (sa `scalarMul` (sb `scalarAdd` sc))
+                         , eqTest "distributive right" ((sb `scalarMul` sa) `scalarAdd` (sc `scalarMul` sa))
+                                                       ((sb `scalarAdd` sc) `scalarMul` sa)
+                         ]
+        ]
+    , testGroup "point arithmetic"
+        [ testProperty "pointDecode.pointEncode==id" $ \p ->
+            let bs = pointEncode p :: ByteString
+                p' = pointDecode bs
+             in CryptoPassed p `propertyEq` p'
+        , testProperty "pointEncode.pointDecode==id" $ \p ->
+            let b  = pointEncode p :: ByteString
+                p' = pointDecode b
+                b' = pointEncode `fmap` p'
+             in CryptoPassed b `propertyEq` b'
+        , testProperty "addition with identity" $ \p ->
+            propertyHold [ eqTest "identity left"  p (pointAdd p0 p)
+                         , eqTest "identity right" p (pointAdd p p0)
+                         ]
+        , testProperty "addition associative" $ \pa pb pc ->
+            pointAdd pa (pointAdd pb pc) === pointAdd (pointAdd pa pb) pc
+        , testProperty "addition commutative" $ \pa pb ->
+            pointAdd pa pb === pointAdd pb pa
+        , testProperty "negation" $ \p ->
+            p0 `propertyEq` pointAdd p (pointNegate p)
+        , testProperty "doubling" $ \p ->
+            pointAdd p p `propertyEq` pointDouble p
+        , testProperty "multiplication by cofactor" $ \p ->
+            pointMul s8 p `propertyEq` pointMulByCofactor p
+        , testProperty "prime order" $ \(PrimeOrder p) ->
+            True `propertyEq` pointHasPrimeOrder p
+        , testCase "8-torsion point" $ do
+            assertBool "mul by 4" $ p0 /= pointMul s4 torsion8
+            assertBool "mul by 8" $ p0 == pointMul s8 torsion8
+        , testProperty "scalarmult with zero" $ \p ->
+            p0 `propertyEq` pointMul s0 p
+        , testProperty "scalarmult with one" $ \p ->
+            p `propertyEq` pointMul s1 p
+        , testProperty "scalarmult with two" $ \p ->
+            pointDouble p `propertyEq` pointMul s2 p
+        , testProperty "scalarmult with curve order - 1" $ \p ->
+            pointHasPrimeOrder p === (pointNegate p == pointMul sI p)
+        , testProperty "scalarmult commutative" $ \a b ->
+            pointMul a (toPoint b) === pointMul b (toPoint a)
+        , testProperty "scalarmult distributive" $ \x y (PrimeOrder p) ->
+            let pR = pointMul x p `pointAdd` pointMul y p
+             in pR `propertyEq` pointMul (x `scalarAdd` y) p
+        , testProperty "double scalarmult" $ \n1 n2 p ->
+            let pR = pointAdd (toPoint n1) (pointMul n2 p)
+             in pR `propertyEq` pointsMulVarTime n1 n2 p
+        ]
+    ]
+  where
+    p0 = toPoint s0
+    s0 = smallScalar 0
+    s1 = smallScalar 1
+    s2 = smallScalar 2
+    s4 = smallScalar 4
+    s8 = smallScalar 8
+    sI = throwCryptoError $ scalarDecodeLong ("\236\211\245\\\SUBc\DC2X\214\156\247\162\222\249\222\DC4\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\DLE" :: ByteString)
+    sN = throwCryptoError $ scalarDecodeLong ("\237\211\245\\\SUBc\DC2X\214\156\247\162\222\249\222\DC4\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\DLE" :: ByteString)
+
+    s011 = throwCryptoError $ scalarDecodeLong ("\011" :: ByteString)
+    s123 = throwCryptoError $ scalarDecodeLong ("\123" :: ByteString)
+    s134 = throwCryptoError $ scalarDecodeLong ("\134" :: ByteString)
+
+    p011 = throwCryptoError $ pointDecode ("\x13\x37\x03\x6a\xc3\x2d\x8f\x30\xd4\x58\x9c\x3c\x1c\x59\x58\x12\xce\x0f\xff\x40\xe3\x7c\x6f\x5a\x97\xab\x21\x3f\x31\x82\x90\xad" :: ByteString)
+    p123 = throwCryptoError $ pointDecode ("\xc4\xb8\x00\xc8\x70\x10\xf9\x46\x83\x03\xde\xea\x87\x65\x03\xe8\x86\xbf\xde\x19\x00\xe9\xe8\x46\xfd\x4c\x3c\xd0\x9c\x1c\xbc\x9f" :: ByteString)
+    p134 = throwCryptoError $ pointDecode ("\x51\x20\xab\xe0\x3c\xa2\xaf\x66\xc7\x7c\xa3\x20\xf0\xb2\x1f\xb5\x56\xf6\xb6\x5f\xdd\x7e\x32\x64\xc1\x4a\x30\xd9\x7b\xf7\xa7\x6f" :: ByteString)
+
+    -- Using <http://cr.yp.to/python/py>:
+    --
+    -- >>> import ed25519
+    -- >>> encodepoint(scalarmult(B, 11)).encode('hex')
+    -- '1337036ac32d8f30d4589c3c1c595812ce0fff40e37c6f5a97ab213f318290ad'
+    -- >>> encodepoint(scalarmult(B, 123)).encode('hex')
+    -- 'c4b800c87010f9468303deea876503e886bfde1900e9e846fd4c3cd09c1cbc9f'
+    -- >>> encodepoint(scalarmult(B, 134)).encode('hex')
+    -- '5120abe03ca2af66c77ca320f0b21fb556f6b65fdd7e3264c14a30d97bf7a76f'
diff --git a/tests/KAT_AES.hs b/tests/KAT_AES.hs
--- a/tests/KAT_AES.hs
+++ b/tests/KAT_AES.hs
@@ -3,13 +3,16 @@
 
 import Imports
 import BlockCipher
+import Data.Maybe
 import Crypto.Cipher.Types
 import qualified Crypto.Cipher.AES as AES
+import qualified Data.ByteString as B
 
 import qualified KAT_AES.KATECB as KATECB
 import qualified KAT_AES.KATCBC as KATCBC
 import qualified KAT_AES.KATXTS as KATXTS
 import qualified KAT_AES.KATGCM as KATGCM
+import qualified KAT_AES.KATCCM as KATCCM
 import qualified KAT_AES.KATOCB3 as KATOCB3
 
 {-
@@ -37,6 +40,23 @@
 toKatGCM = toKatAEAD AEAD_GCM
 toKatOCB = toKatAEAD AEAD_OCB
 
+toKatCCM (k,iv,h,i,o,m) =
+  KAT_AEAD { aeadMode = AEAD_CCM (B.length i) (ccmMVal m) CCM_L2
+           , aeadKey  = k
+           , aeadIV   = iv
+           , aeadHeader = h
+           , aeadPlaintext = i
+           , aeadCiphertext = ct
+           , aeadTaglen = m
+           , aeadTag = at
+           }
+  where ccmMVal x = fromMaybe (error $ "unsupported CCM tag length: " ++ show x) $
+                        lookup x [ (4, CCM_M4), (6, CCM_M6), (8, CCM_M8), (10, CCM_M10)
+                                 , (12, CCM_M12), (14, CCM_M14), (16, CCM_M16)
+                                 ]
+        ctWithTag = B.drop (B.length h) o
+        (ct, at)  = B.splitAt (B.length ctWithTag - m) ctWithTag
+
 kats128 = defaultKATs
     { kat_ECB  = map toKatECB KATECB.vectors_aes128_enc
     , kat_CBC  = map toKatCBC KATCBC.vectors_aes128_enc
@@ -48,7 +68,8 @@
                  ]
     , kat_XTS  = map toKatXTS KATXTS.vectors_aes128_enc
     , kat_AEAD = map toKatGCM KATGCM.vectors_aes128_enc ++
-                 map toKatOCB KATOCB3.vectors_aes128_enc
+                 map toKatOCB KATOCB3.vectors_aes128_enc ++
+                 map toKatCCM KATCCM.vectors_aes128_enc
     }
 
 kats192 = defaultKATs
diff --git a/tests/KAT_AES/KATCCM.hs b/tests/KAT_AES/KATCCM.hs
new file mode 100644
--- /dev/null
+++ b/tests/KAT_AES/KATCCM.hs
@@ -0,0 +1,155 @@
+{-# LANGUAGE OverloadedStrings #-}
+module KAT_AES.KATCCM where
+
+import qualified Data.ByteString as B
+
+-- (key, iv, header, in, out+atag, taglen)
+type KATCCM = (B.ByteString, B.ByteString, B.ByteString, B.ByteString, B.ByteString, Int)
+
+vectors_aes128_enc :: [KATCCM]
+vectors_aes128_enc =
+  [ ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x03\x02\x01\x00\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"
+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x58\x8c\x97\x9a\x61\xc6\x63\xd2\xf0\x66\xd0\xc2\xc0\xf9\x89\x80\x6d\x5f\x6b\x61\xda\xc3\x84\x17\xe8\xd1\x2c\xfd\xf9\x26\xe0"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x04\x03\x02\x01\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"
+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x72\xc9\x1a\x36\xe1\x35\xf8\xcf\x29\x1c\xa8\x94\x08\x5c\x87\xe3\xcc\x15\xc4\x39\xc9\xe4\x3a\x3b\xa0\x91\xd5\x6e\x10\x40\x09\x16"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x05\x04\x03\x02\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"
+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x51\xb1\xe5\xf4\x4a\x19\x7d\x1d\xa4\x6b\x0f\x8e\x2d\x28\x2a\xe8\x71\xe8\x38\xbb\x64\xda\x85\x96\x57\x4a\xda\xa7\x6f\xbd\x9f\xb0\xc5"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x06\x05\x04\x03\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xa2\x8c\x68\x65\x93\x9a\x9a\x79\xfa\xaa\x5c\x4c\x2a\x9d\x4a\x91\xcd\xac\x8c\x96\xc8\x61\xb9\xc9\xe6\x1e\xf1"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x07\x06\x05\x04\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xdc\xf1\xfb\x7b\x5d\x9e\x23\xfb\x9d\x4e\x13\x12\x53\x65\x8a\xd8\x6e\xbd\xca\x3e\x51\xe8\x3f\x07\x7d\x9c\x2d\x93"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x08\x07\x06\x05\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x6f\xc1\xb0\x11\xf0\x06\x56\x8b\x51\x71\xa4\x2d\x95\x3d\x46\x9b\x25\x70\xa4\xbd\x87\x40\x5a\x04\x43\xac\x91\xcb\x94"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x09\x08\x07\x06\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"
+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x01\x35\xd1\xb2\xc9\x5f\x41\xd5\xd1\xd4\xfe\xc1\x85\xd1\x66\xb8\x09\x4e\x99\x9d\xfe\xd9\x6c\x04\x8c\x56\x60\x2c\x97\xac\xbb\x74\x90"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x0a\x09\x08\x07\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"
+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x7b\x75\x39\x9a\xc0\x83\x1d\xd2\xf0\xbb\xd7\x58\x79\xa2\xfd\x8f\x6c\xae\x6b\x6c\xd9\xb7\xdb\x24\xc1\x7b\x44\x33\xf4\x34\x96\x3f\x34\xb4"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x0b\x0a\x09\x08\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"
+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x82\x53\x1a\x60\xcc\x24\x94\x5a\x4b\x82\x79\x18\x1a\xb5\xc8\x4d\xf2\x1c\xe7\xf9\xb7\x3f\x42\xe1\x97\xea\x9c\x07\xe5\x6b\x5e\xb1\x7e\x5f\x4e"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x0c\x0b\x0a\x09\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x07\x34\x25\x94\x15\x77\x85\x15\x2b\x07\x40\x98\x33\x0a\xbb\x14\x1b\x94\x7b\x56\x6a\xa9\x40\x6b\x4d\x99\x99\x88\xdd"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x0d\x0c\x0b\x0a\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x67\x6b\xb2\x03\x80\xb0\xe3\x01\xe8\xab\x79\x59\x0a\x39\x6d\xa7\x8b\x83\x49\x34\xf5\x3a\xa2\xe9\x10\x7a\x8b\x6c\x02\x2c"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
+    , {- iv  = -} "\x00\x00\x00\x0e\x0d\x0c\x0b\xa0\xa1\xa2\xa3\xa4\xa5"
+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"
+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xc0\xff\xa0\xd6\xf0\x5b\xdb\x67\xf2\x4d\x43\xa4\x33\x8d\x2a\xa4\xbe\xd7\xb2\x0e\x43\xcd\x1a\xa3\x16\x62\xe7\xad\x65\xd6\xdb"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x41\x2b\x4e\xa9\xcd\xbe\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x0b\xe1\xa8\x8b\xac\xe0\x18\xb1"
+    , {- in  = -} "\x08\xe8\xcf\x97\xd8\x20\xea\x25\x84\x60\xe9\x6a\xd9\xcf\x52\x89\x05\x4d\x89\x5c\xea\xc4\x7c"
+    , {- out = -} "\x0b\xe1\xa8\x8b\xac\xe0\x18\xb1\x4c\xb9\x7f\x86\xa2\xa4\x68\x9a\x87\x79\x47\xab\x80\x91\xef\x53\x86\xa6\xff\xbd\xd0\x80\xf8\xe7\x8c\xf7\xcb\x0c\xdd\xd7\xb3"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x33\x56\x8e\xf7\xb2\x63\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x63\x01\x8f\x76\xdc\x8a\x1b\xcb"
+    , {- in  = -} "\x90\x20\xea\x6f\x91\xbd\xd8\x5a\xfa\x00\x39\xba\x4b\xaf\xf9\xbf\xb7\x9c\x70\x28\x94\x9c\xd0\xec"
+    , {- out = -} "\x63\x01\x8f\x76\xdc\x8a\x1b\xcb\x4c\xcb\x1e\x7c\xa9\x81\xbe\xfa\xa0\x72\x6c\x55\xd3\x78\x06\x12\x98\xc8\x5c\x92\x81\x4a\xbc\x33\xc5\x2e\xe8\x1d\x7d\x77\xc0\x8a"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x10\x3f\xe4\x13\x36\x71\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\xaa\x6c\xfa\x36\xca\xe8\x6b\x40"
+    , {- in  = -} "\xb9\x16\xe0\xea\xcc\x1c\x00\xd7\xdc\xec\x68\xec\x0b\x3b\xbb\x1a\x02\xde\x8a\x2d\x1a\xa3\x46\x13\x2e"
+    , {- out = -} "\xaa\x6c\xfa\x36\xca\xe8\x6b\x40\xb1\xd2\x3a\x22\x20\xdd\xc0\xac\x90\x0d\x9a\xa0\x3c\x61\xfc\xf4\xa5\x59\xa4\x41\x77\x67\x08\x97\x08\xa7\x76\x79\x6e\xdb\x72\x35\x06"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x76\x4c\x63\xb8\x05\x8e\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\xd0\xd0\x73\x5c\x53\x1e\x1b\xec\xf0\x49\xc2\x44"
+    , {- in  = -} "\x12\xda\xac\x56\x30\xef\xa5\x39\x6f\x77\x0c\xe1\xa6\x6b\x21\xf7\xb2\x10\x1c"
+    , {- out = -} "\xd0\xd0\x73\x5c\x53\x1e\x1b\xec\xf0\x49\xc2\x44\x14\xd2\x53\xc3\x96\x7b\x70\x60\x9b\x7c\xbb\x7c\x49\x91\x60\x28\x32\x45\x26\x9a\x6f\x49\x97\x5b\xca\xde\xaf"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\xf8\xb6\x78\x09\x4e\x3b\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x77\xb6\x0f\x01\x1c\x03\xe1\x52\x58\x99\xbc\xae"
+    , {- in  = -} "\xe8\x8b\x6a\x46\xc7\x8d\x63\xe5\x2e\xb8\xc5\x46\xef\xb5\xde\x6f\x75\xe9\xcc\x0d"
+    , {- out = -} "\x77\xb6\x0f\x01\x1c\x03\xe1\x52\x58\x99\xbc\xae\x55\x45\xff\x1a\x08\x5e\xe2\xef\xbf\x52\xb2\xe0\x4b\xee\x1e\x23\x36\xc7\x3e\x3f\x76\x2c\x0c\x77\x44\xfe\x7e\x3c"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\xd5\x60\x91\x2d\x3f\x70\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\xcd\x90\x44\xd2\xb7\x1f\xdb\x81\x20\xea\x60\xc0"
+    , {- in  = -} "\x64\x35\xac\xba\xfb\x11\xa8\x2e\x2f\x07\x1d\x7c\xa4\xa5\xeb\xd9\x3a\x80\x3b\xa8\x7f"
+    , {- out = -} "\xcd\x90\x44\xd2\xb7\x1f\xdb\x81\x20\xea\x60\xc0\x00\x97\x69\xec\xab\xdf\x48\x62\x55\x94\xc5\x92\x51\xe6\x03\x57\x22\x67\x5e\x04\xc8\x47\x09\x9e\x5a\xe0\x70\x45\x51"
+    , {-  M  = -} 8)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x42\xff\xf8\xf1\x95\x1c\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\xd8\x5b\xc7\xe6\x9f\x94\x4f\xb8"
+    , {- in  = -} "\x8a\x19\xb9\x50\xbc\xf7\x1a\x01\x8e\x5e\x67\x01\xc9\x17\x87\x65\x98\x09\xd6\x7d\xbe\xdd\x18"
+    , {- out = -} "\xd8\x5b\xc7\xe6\x9f\x94\x4f\xb8\xbc\x21\x8d\xaa\x94\x74\x27\xb6\xdb\x38\x6a\x99\xac\x1a\xef\x23\xad\xe0\xb5\x29\x39\xcb\x6a\x63\x7c\xf9\xbe\xc2\x40\x88\x97\xc6\xba"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x92\x0f\x40\xe5\x6c\xdc\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x74\xa0\xeb\xc9\x06\x9f\x5b\x37"
+    , {- in  = -} "\x17\x61\x43\x3c\x37\xc5\xa3\x5f\xc1\xf3\x9f\x40\x63\x02\xeb\x90\x7c\x61\x63\xbe\x38\xc9\x84\x37"
+    , {- out = -} "\x74\xa0\xeb\xc9\x06\x9f\x5b\x37\x58\x10\xe6\xfd\x25\x87\x40\x22\xe8\x03\x61\xa4\x78\xe3\xe9\xcf\x48\x4a\xb0\x4f\x44\x7e\xff\xf6\xf0\xa4\x77\xcc\x2f\xc9\xbf\x54\x89\x44"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x27\xca\x0c\x71\x20\xbc\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x44\xa3\xaa\x3a\xae\x64\x75\xca"
+    , {- in  = -} "\xa4\x34\xa8\xe5\x85\x00\xc6\xe4\x15\x30\x53\x88\x62\xd6\x86\xea\x9e\x81\x30\x1b\x5a\xe4\x22\x6b\xfa"
+    , {- out = -} "\x44\xa3\xaa\x3a\xae\x64\x75\xca\xf2\xbe\xed\x7b\xc5\x09\x8e\x83\xfe\xb5\xb3\x16\x08\xf8\xe2\x9c\x38\x81\x9a\x89\xc8\xe7\x76\xf1\x54\x4d\x41\x51\xa4\xed\x3a\x8b\x87\xb9\xce"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x5b\x8c\xcb\xcd\x9a\xf8\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\xec\x46\xbb\x63\xb0\x25\x20\xc3\x3c\x49\xfd\x70"
+    , {- in  = -} "\xb9\x6b\x49\xe2\x1d\x62\x17\x41\x63\x28\x75\xdb\x7f\x6c\x92\x43\xd2\xd7\xc2"
+    , {- out = -} "\xec\x46\xbb\x63\xb0\x25\x20\xc3\x3c\x49\xfd\x70\x31\xd7\x50\xa0\x9d\xa3\xed\x7f\xdd\xd4\x9a\x20\x32\xaa\xbf\x17\xec\x8e\xbf\x7d\x22\xc8\x08\x8c\x66\x6b\xe5\xc1\x97"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x3e\xbe\x94\x04\x4b\x9a\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x47\xa6\x5a\xc7\x8b\x3d\x59\x42\x27\xe8\x5e\x71"
+    , {- in  = -} "\xe2\xfc\xfb\xb8\x80\x44\x2c\x73\x1b\xf9\x51\x67\xc8\xff\xd7\x89\x5e\x33\x70\x76"
+    , {- out = -} "\x47\xa6\x5a\xc7\x8b\x3d\x59\x42\x27\xe8\x5e\x71\xe8\x82\xf1\xdb\xd3\x8c\xe3\xed\xa7\xc2\x3f\x04\xdd\x65\x07\x1e\xb4\x13\x42\xac\xdf\x7e\x00\xdc\xce\xc7\xae\x52\x98\x7d"
+    , {-  M  = -} 10)
+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"
+    , {- iv  = -} "\x00\x8d\x49\x3b\x30\xae\x8b\x3c\x96\x96\x76\x6c\xfa"
+    , {- hdr = -} "\x6e\x37\xa6\xef\x54\x6d\x95\x5d\x34\xab\x60\x59"
+    , {- in  = -} "\xab\xf2\x1c\x0b\x02\xfe\xb8\x8f\x85\x6d\xf4\xa3\x73\x81\xbc\xe3\xcc\x12\x85\x17\xd4"
+    , {- out = -} "\x6e\x37\xa6\xef\x54\x6d\x95\x5d\x34\xab\x60\x59\xf3\x29\x05\xb8\x8a\x64\x1b\x04\xb9\xc9\xff\xb5\x8c\xc3\x90\x90\x0f\x3d\xa1\x2a\xb1\x6d\xce\x9e\x82\xef\xa1\x6d\xa6\x20\x59"
+    , {-  M  = -} 10)
+  ]
diff --git a/tests/KAT_CAST5.hs b/tests/KAT_CAST5.hs
new file mode 100644
--- /dev/null
+++ b/tests/KAT_CAST5.hs
@@ -0,0 +1,16 @@
+{-# LANGUAGE OverloadedStrings #-}
+module KAT_CAST5 (tests) where
+
+import Imports
+import BlockCipher
+import qualified Crypto.Cipher.CAST5 as CAST5
+
+vectors_ecb = -- key plaintext ciphertext
+    [ KAT_ECB "\x01\x23\x45\x67\x12\x34\x56\x78\x23\x45\x67\x89\x34\x56\x78\x9A" "\x01\x23\x45\x67\x89\xAB\xCD\xEF" "\x23\x8B\x4F\xE5\x84\x7E\x44\xB2"
+    , KAT_ECB "\x01\x23\x45\x67\x12\x34\x56\x78\x23\x45"                         "\x01\x23\x45\x67\x89\xAB\xCD\xEF" "\xEB\x6A\x71\x1A\x2C\x02\x27\x1B"
+    , KAT_ECB "\x01\x23\x45\x67\x12"                                             "\x01\x23\x45\x67\x89\xAB\xCD\xEF" "\x7A\xC8\x16\xD1\x6E\x9B\x30\x2E"
+    ]
+
+kats = defaultKATs { kat_ECB = vectors_ecb }
+
+tests = testBlockCipher kats (undefined :: CAST5.CAST5)
diff --git a/tests/KAT_HMAC.hs b/tests/KAT_HMAC.hs
--- a/tests/KAT_HMAC.hs
+++ b/tests/KAT_HMAC.hs
@@ -132,17 +132,17 @@
 
 macIncrementalTests :: [TestTree]
 macIncrementalTests =
-    [ testProperties MD5
-    , testProperties SHA1
-    , testProperties SHA256
-    , testProperties SHA3_224
-    , testProperties SHA3_256
-    , testProperties SHA3_384
-    , testProperties SHA3_512
+    [ testIncrProperties MD5
+    , testIncrProperties SHA1
+    , testIncrProperties SHA256
+    , testIncrProperties SHA3_224
+    , testIncrProperties SHA3_256
+    , testIncrProperties SHA3_384
+    , testIncrProperties SHA3_512
     ]
   where
-        --testProperties :: HashAlgorithm a => a -> [Property]
-        testProperties a = testGroup (show a)
+        --testIncrProperties :: HashAlgorithm a => a -> [Property]
+        testIncrProperties a = testGroup (show a)
             [ testProperty "list-one" (prop_inc0 a)
             , testProperty "list-multi" (prop_inc1 a)
             ]
diff --git a/tests/KAT_PubKey/ECC.hs b/tests/KAT_PubKey/ECC.hs
--- a/tests/KAT_PubKey/ECC.hs
+++ b/tests/KAT_PubKey/ECC.hs
@@ -147,7 +147,7 @@
 
 eccTests = testGroup "ECC"
     [ testGroup "valid-point" $ map doPointValidTest (zip [katZero..] vectorsPoint)
-    , testGroup "property"
+    , localOption (QuickCheckTests 20) $ testGroup "property"
         [ testProperty "point-add" $ \aCurve (QAInteger r1) (QAInteger r2) ->
             let curveN   = ECC.ecc_n . ECC.common_curve $ aCurve
                 curveGen = ECC.ecc_g . ECC.common_curve $ aCurve
@@ -155,14 +155,19 @@
                 p2       = ECC.pointMul aCurve r2 curveGen
                 pR       = ECC.pointMul aCurve ((r1 + r2) `mod` curveN) curveGen
              in pR `propertyEq` ECC.pointAdd aCurve p1 p2
-        , localOption (QuickCheckTests 20) $
-          testProperty "point-mul-mul" $ \aCurve (QAInteger n1) (QAInteger n2) -> do
+        , testProperty "point-negate-add" $ \aCurve -> do
             p <- arbitraryPoint aCurve
+            let o = ECC.pointAdd aCurve p (ECC.pointNegate aCurve p)
+            return $ ECC.PointO `propertyEq` o
+        , testProperty "point-negate-negate" $ \aCurve -> do
+            p <- arbitraryPoint aCurve
+            return $ p `propertyEq` ECC.pointNegate aCurve (ECC.pointNegate aCurve p)
+        , testProperty "point-mul-mul" $ \aCurve (QAInteger n1) (QAInteger n2) -> do
+            p <- arbitraryPoint aCurve
             let pRes = ECC.pointMul aCurve (n1 * n2) p
             let pDef = ECC.pointMul aCurve n1 (ECC.pointMul aCurve n2 p)
             return $ pRes `propertyEq` pDef
-        , localOption (QuickCheckTests 20) $
-          testProperty "double-scalar-mult" $ \aCurve (QAInteger n1) (QAInteger n2) -> do
+        , testProperty "double-scalar-mult" $ \aCurve (QAInteger n1) (QAInteger n2) -> do
             p1 <- arbitraryPoint aCurve
             p2 <- arbitraryPoint aCurve
             let pRes = ECC.pointAddTwoMuls aCurve n1 p1 n2 p2
diff --git a/tests/KAT_PubKey/P256.hs b/tests/KAT_PubKey/P256.hs
--- a/tests/KAT_PubKey/P256.hs
+++ b/tests/KAT_PubKey/P256.hs
@@ -113,6 +113,7 @@
              in r @=? P256.pointAdd s t
         , testProperty "lift-to-curve" $ propertyLiftToCurve
         , testProperty "point-add" $ propertyPointAdd
+        , testProperty "point-negate" $ propertyPointNegate
         ]
     ]
   where
@@ -135,6 +136,12 @@
          in propertyHold [ eqTest "p256" pR (P256.pointAdd p1 p2)
                          , eqTest "ecc" peR (pointP256ToECC pR)
                          ]
+
+    propertyPointNegate r =
+        let p  = P256.toPoint (unP256Scalar r)
+            pe = ECC.pointMul curve (unP256 r) curveGen
+            pR = P256.pointNegate p
+         in ECC.pointNegate curve pe `propertyEq` (pointP256ToECC pR)
 
     i2ospScalar :: Integer -> Bytes
     i2ospScalar i =
diff --git a/tests/StressHash.hs b/tests/StressHash.hs
new file mode 100644
--- /dev/null
+++ b/tests/StressHash.hs
@@ -0,0 +1,61 @@
+{-# LANGUAGE TypeApplications #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+{-# LANGUAGE BangPatterns #-}
+module Main where
+
+import Data.Proxy
+import Control.Concurrent
+import Control.Concurrent.Chan
+import Control.Monad
+import GHC.Conc
+import System.Environment
+import Data.Monoid
+
+import qualified Crypto.Hash as H
+import qualified Data.ByteString as B
+
+doHashRandom :: forall h . H.HashAlgorithm h
+             => Proxy h         -- hash algorithm
+             -> Chan (Int, Int) -- channel to report
+             -> Int             -- thread id
+             -> IO ()
+doHashRandom _ chan !tid = loop 0
+  where
+    loop !i = do
+        when (tid > 5) $ threadDelay 1200
+        when ((i `mod` 1000) == 0) $ writeChan chan (tid, i)
+
+        let lengthLimit n | n < 0     = 0
+                          | n > 257   = n `mod` 257
+                          | otherwise = n
+
+        let i' = i `mod` (tid * 1500)
+            (nbChunks,multi) = case i `mod` 4 of
+                        0 -> (1, False)
+                        1 -> (2, False)
+                        2 -> (1, True)
+                        3 -> (3, False)
+
+        let dat = take nbChunks $ [B.replicate (lengthLimit i') 1, B.replicate (lengthLimit (i' + 10)) 2, B.replicate (lengthLimit (i' + 20)) 3]
+
+        let h   = H.hashInit @ h
+            h2  = H.hashUpdates h dat
+            !digest = H.hashFinalize h2
+            !digest2 = if multi then H.hash digest else digest
+        digest2 `seq` loop (i+1)
+
+main = do
+    args <- getArgs
+    let caps = numCapabilities
+    putStrLn (show caps <> " capabilities")
+
+    let n = 10
+
+    let proxy = Proxy @ H.Blake2b_256
+
+    s <- newChan
+    mapM_ (forkIO . doHashRandom proxy s) (take n [1..])
+
+    forever $ do
+        (tid, progress) <- readChan s
+        putStrLn ("thread " <> show tid <> " at " <> show progress)
diff --git a/tests/Tests.hs b/tests/Tests.hs
--- a/tests/Tests.hs
+++ b/tests/Tests.hs
@@ -7,6 +7,7 @@
 import qualified Number.F2m
 import qualified BCrypt
 import qualified ECC
+import qualified ECC.Edwards25519
 import qualified Hash
 import qualified Poly1305
 import qualified Salsa
@@ -29,6 +30,7 @@
 -- symmetric cipher --------------------
 import qualified KAT_AES
 import qualified KAT_Blowfish
+import qualified KAT_CAST5
 import qualified KAT_Camellia
 import qualified KAT_DES
 import qualified KAT_RC4
@@ -67,6 +69,7 @@
     , testGroup "block-cipher"
         [ KAT_AES.tests
         , KAT_Blowfish.tests
+        , KAT_CAST5.tests
         , KAT_Camellia.tests
         , KAT_DES.tests
         , KAT_TripleDES.tests
@@ -81,6 +84,7 @@
         ]
     , KAT_AFIS.tests
     , ECC.tests
+    , ECC.Edwards25519.tests
     ]
 
 main = defaultMain tests
