diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,25 @@
+## 0.26
+
+* Add Rabin cryptosystem (and variants)
+* Add bcrypt_pbkdf key derivation function
+* Optimize Blowfish implementation
+* Add KMAC (Keccak Message Authentication Code)
+* Add ECDSA sign/verify digest APIs
+* Hash algorithms with runtime output length
+* Update blake2 to latest upstream version
+* RSA-PSS with arbitrary key size
+* SHAKE with output length not divisible by 8
+* Add Read and Data instances for Digest type
+* Improve P256 scalar primitives
+* Fix hash truncation bug in DSA
+* Fix cost parsing for bcrypt
+* Fix ECC failures on arm64
+* Correction to PKCS#1 v1.5 padding
+* Use powModSecInteger when available
+* Drop GHC 7.8 and GHC 7.10 support, refer to pkg-guidelines
+* Optimise GCM mode
+* Add little endian serialization of integer
+
 ## 0.25
 
 * Improve digest binary conversion efficiency
diff --git a/Crypto/Cipher/AES.hs b/Crypto/Cipher/AES.hs
--- a/Crypto/Cipher/AES.hs
+++ b/Crypto/Cipher/AES.hs
@@ -19,8 +19,6 @@
 import Crypto.Cipher.AES.Primitive
 import Crypto.Internal.Imports
 
-import Data.ByteArray as BA
-
 -- | AES with 128 bit key
 newtype AES128 = AES128 AES
     deriving (NFData)
diff --git a/Crypto/Cipher/Blowfish/Box.hs b/Crypto/Cipher/Blowfish/Box.hs
--- a/Crypto/Cipher/Blowfish/Box.hs
+++ b/Crypto/Cipher/Blowfish/Box.hs
@@ -5,15 +5,33 @@
 -- Portability : Good
 {-# LANGUAGE MagicHash #-}
 module Crypto.Cipher.Blowfish.Box
-    ( createKeySchedule
+    (   KeySchedule(..)
+    ,   createKeySchedule
+    ,   copyKeySchedule
     ) where
 
-import Crypto.Internal.WordArray (mutableArray32FromAddrBE, MutableArray32)
+import           Crypto.Internal.WordArray (MutableArray32,
+                                            mutableArray32FromAddrBE,
+                                            mutableArrayRead32,
+                                            mutableArrayWrite32)
 
+newtype KeySchedule = KeySchedule MutableArray32
+
+-- | Copy the state of one key schedule into the other.
+--   The first parameter is the destination and the second the source.
+copyKeySchedule :: KeySchedule -> KeySchedule -> IO ()
+copyKeySchedule (KeySchedule dst) (KeySchedule src) = loop 0
+  where
+    loop 1042 = return ()
+    loop i    = do
+        w32 <-mutableArrayRead32 src i
+        mutableArrayWrite32 dst i w32
+        loop (i + 1)
+
 -- | Create a key schedule mutable array of the pbox followed by
 -- all the sboxes.
-createKeySchedule :: IO MutableArray32
-createKeySchedule = mutableArray32FromAddrBE 1042 "\
+createKeySchedule :: IO KeySchedule
+createKeySchedule = KeySchedule `fmap` mutableArray32FromAddrBE 1042 "\
     \\x24\x3f\x6a\x88\x85\xa3\x08\xd3\x13\x19\x8a\x2e\x03\x70\x73\x44\
     \\xa4\x09\x38\x22\x29\x9f\x31\xd0\x08\x2e\xfa\x98\xec\x4e\x6c\x89\
     \\x45\x28\x21\xe6\x38\xd0\x13\x77\xbe\x54\x66\xcf\x34\xe9\x0c\x6c\
diff --git a/Crypto/Cipher/Blowfish/Primitive.hs b/Crypto/Cipher/Blowfish/Primitive.hs
--- a/Crypto/Cipher/Blowfish/Primitive.hs
+++ b/Crypto/Cipher/Blowfish/Primitive.hs
@@ -5,197 +5,254 @@
 -- Portability : Good
 
 -- Rewritten by Vincent Hanquez (c) 2015
+--              Lars Petersen (c) 2018
 --
 -- Original code:
 --      Crypto.Cipher.Blowfish.Primitive, copyright (c) 2012 Stijn van Drongelen
 --      based on: BlowfishAux.hs (C) 2002 HardCore SoftWare, Doug Hoyte
 --           (as found in Crypto-4.2.4)
-
+{-# LANGUAGE BangPatterns #-}
 module Crypto.Cipher.Blowfish.Primitive
     ( Context
     , initBlowfish
     , encrypt
     , decrypt
-    , eksBlowfish
+    , KeySchedule
+    , createKeySchedule
+    , freezeKeySchedule
+    , expandKey
+    , expandKeyWithSalt
+    , cipherBlockMutable
     ) where
 
-import           Control.Monad (when)
+import           Control.Monad              (when)
 import           Data.Bits
 import           Data.Memory.Endian
 import           Data.Word
 
+import           Crypto.Cipher.Blowfish.Box
 import           Crypto.Error
+import           Crypto.Internal.ByteArray  (ByteArray, ByteArrayAccess)
+import qualified Crypto.Internal.ByteArray  as B
 import           Crypto.Internal.Compat
 import           Crypto.Internal.Imports
-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, Bytes)
-import qualified Crypto.Internal.ByteArray as B
-import           Crypto.Internal.Words
 import           Crypto.Internal.WordArray
-import           Crypto.Cipher.Blowfish.Box
 
--- | variable keyed blowfish state
-data Context = BF (Int -> Word32) -- p
-                  (Int -> Word32) -- sbox0
-                  (Int -> Word32) -- sbox1
-                  (Int -> Word32) -- sbox2
-                  (Int -> Word32) -- sbox2
+newtype Context = Context Array32
 
 instance NFData Context where
-    rnf (BF p a b c d) = p `seq` a `seq` b `seq` c `seq` d `seq` ()
+    rnf a = a `seq` ()
 
+-- | Initialize a new Blowfish context from a key.
+--
+-- key needs to be between 0 and 448 bits.
+initBlowfish :: ByteArrayAccess key => key -> CryptoFailable Context
+initBlowfish key
+    | B.length key > (448 `div` 8) = CryptoFailed CryptoError_KeySizeInvalid
+    | otherwise                    = CryptoPassed $ unsafeDoIO $ do
+        ks <- createKeySchedule
+        expandKey ks key
+        freezeKeySchedule ks
+
+-- | Get an immutable Blowfish context by freezing a mutable key schedule.
+freezeKeySchedule :: KeySchedule -> IO Context
+freezeKeySchedule (KeySchedule ma) = Context `fmap` mutableArray32Freeze ma
+
+expandKey :: (ByteArrayAccess key) => KeySchedule -> key -> IO ()
+expandKey ks@(KeySchedule ma) key = do
+    when (B.length key > 0) $ iterKeyStream key 0 0 $ \i l r a0 a1 cont-> do
+        mutableArrayWriteXor32 ma i l
+        mutableArrayWriteXor32 ma (i + 1) r
+        when (i + 2 < 18) (cont a0 a1)
+    loop 0 0 0
+    where
+        loop i l r = do
+            n <- cipherBlockMutable ks (fromIntegral l `shiftL` 32 .|. fromIntegral r)
+            let nl = fromIntegral (n `shiftR` 32)
+                nr = fromIntegral (n .&. 0xffffffff)
+            mutableArrayWrite32 ma i nl
+            mutableArrayWrite32 ma (i + 1) nr
+            when (i < 18 + 1024) (loop (i + 2) nl nr)
+
+expandKeyWithSalt :: (ByteArrayAccess key, ByteArrayAccess salt)
+    => KeySchedule
+    -> key
+    -> salt
+    -> IO ()
+expandKeyWithSalt ks key salt
+    | B.length salt == 16 = expandKeyWithSalt128 ks key (fromBE $ B.toW64BE salt 0) (fromBE $ B.toW64BE salt 8)
+    | otherwise           = expandKeyWithSaltAny ks key salt
+
+expandKeyWithSaltAny :: (ByteArrayAccess key, ByteArrayAccess salt)
+    => KeySchedule         -- ^ The key schedule
+    -> key                 -- ^ The key
+    -> salt                -- ^ The salt
+    -> IO ()
+expandKeyWithSaltAny ks@(KeySchedule ma) key salt = do
+    when (B.length key > 0) $ iterKeyStream key 0 0 $ \i l r a0 a1 cont-> do
+        mutableArrayWriteXor32 ma i l
+        mutableArrayWriteXor32 ma (i + 1) r
+        when (i + 2 < 18) (cont a0 a1)
+    -- Go through the entire key schedule overwriting the P-Array and S-Boxes
+    when (B.length salt > 0) $ iterKeyStream salt 0 0 $ \i l r a0 a1 cont-> do
+        let l' = xor l a0
+        let r' = xor r a1
+        n <- cipherBlockMutable ks (fromIntegral l' `shiftL` 32 .|. fromIntegral r')
+        let nl = fromIntegral (n `shiftR` 32)
+            nr = fromIntegral (n .&. 0xffffffff)
+        mutableArrayWrite32 ma i nl
+        mutableArrayWrite32 ma (i + 1) nr
+        when (i + 2 < 18 + 1024) (cont nl nr)
+
+expandKeyWithSalt128 :: ByteArrayAccess ba
+    => KeySchedule         -- ^ The key schedule
+    -> ba                  -- ^ The key
+    -> Word64              -- ^ First word of the salt
+    -> Word64              -- ^ Second word of the salt
+    -> IO ()
+expandKeyWithSalt128 ks@(KeySchedule ma) key salt1 salt2 = do
+    when (B.length key > 0) $ iterKeyStream key 0 0 $ \i l r a0 a1 cont-> do
+        mutableArrayWriteXor32 ma i l
+        mutableArrayWriteXor32 ma (i + 1) r
+        when (i + 2 < 18) (cont a0 a1)
+    -- Go through the entire key schedule overwriting the P-Array and S-Boxes
+    loop 0 salt1 salt1 salt2
+    where
+        loop i input slt1 slt2
+            | i == 1042   = return ()
+            | otherwise = do
+                n <- cipherBlockMutable ks input
+                let nl = fromIntegral (n `shiftR` 32)
+                    nr = fromIntegral (n .&. 0xffffffff)
+                mutableArrayWrite32 ma i     nl
+                mutableArrayWrite32 ma (i+1) nr
+                loop (i+2) (n `xor` slt2) slt2 slt1
+
 -- | Encrypt blocks
 --
 -- Input need to be a multiple of 8 bytes
 encrypt :: ByteArray ba => Context -> ba -> ba
-encrypt = cipher
+encrypt ctx ba
+    | B.length ba == 0         = B.empty
+    | B.length ba `mod` 8 /= 0 = error "invalid data length"
+    | otherwise                = B.mapAsWord64 (cipherBlock ctx False) ba
 
 -- | Decrypt blocks
 --
 -- Input need to be a multiple of 8 bytes
 decrypt :: ByteArray ba => Context -> ba -> ba
-decrypt = cipher . decryptContext
-
-decryptContext :: Context -> Context
-decryptContext (BF p s0 s1 s2 s3) = BF (\i -> p (17-i)) s0 s1 s2 s3
-
-cipher :: ByteArray ba => Context -> ba -> ba
-cipher ctx b
-    | B.length b == 0         = B.empty
-    | B.length b `mod` 8 /= 0 = error "invalid data length"
-    | otherwise               = B.mapAsWord64 (coreCrypto ctx) b
-
--- | Initialize a new Blowfish context from a key.
---
--- key needs to be between 0 and 448 bits.
-initBlowfish :: ByteArrayAccess key => key -> CryptoFailable Context
-initBlowfish key
-    | len > (448 `div` 8) = CryptoFailed CryptoError_KeySizeInvalid
-    | otherwise           = CryptoPassed $ makeKeySchedule key (Nothing :: Maybe (Bytes, Int))
-  where len = B.length key
+decrypt ctx ba
+    | B.length ba == 0         = B.empty
+    | B.length ba `mod` 8 /= 0 = error "invalid data length"
+    | otherwise                = B.mapAsWord64 (cipherBlock ctx True) ba
 
--- | The BCrypt "expensive key schedule" version of blowfish.
+-- | Encrypt or decrypt a single block of 64 bits.
 --
--- Salt must be 128 bits
--- Cost must be between 4 and 31 inclusive
--- See <https://www.usenix.org/conference/1999-usenix-annual-technical-conference/future-adaptable-password-scheme>
-eksBlowfish :: (ByteArrayAccess salt, ByteArrayAccess password) => Int -> salt -> password -> Context
-eksBlowfish cost salt key
-    | B.length salt /= 16 = error "bcrypt salt must be 16 bytes"
-    | otherwise           = makeKeySchedule key (Just (salt, cost))
-
-coreCrypto :: Context -> Word64 -> Word64
-coreCrypto (BF p s0 s1 s2 s3) input = doRound input 0
-  where
-    -- transform the input over 16 rounds
+-- The inverse argument decides whether to encrypt or decrypt.
+cipherBlock :: Context -> Bool -> Word64 -> Word64
+cipherBlock (Context ar) inverse input = doRound input 0
+    where
+    -- | Transform the input over 16 rounds
     doRound :: Word64 -> Int -> Word64
-    doRound i roundIndex
+    doRound !i roundIndex
         | roundIndex == 16 =
             let final = (fromIntegral (p 16) `shiftL` 32) .|. fromIntegral (p 17)
              in rotateL (i `xor` final) 32
         | otherwise     =
-            let newr = fromIntegral (i `shiftR` 32) `xor` (p roundIndex)
-                newi = ((i `shiftL` 32) `xor` (f newr)) .|. (fromIntegral newr)
+            let newr = fromIntegral (i `shiftR` 32) `xor` p roundIndex
+                newi = ((i `shiftL` 32) `xor` f newr) .|. fromIntegral newr
              in doRound newi (roundIndex+1)
+
+    -- | The Blowfish Feistel function F
     f   :: Word32 -> Word64
-    f t = let a = s0 (fromIntegral $ (t `shiftR` 24) .&. 0xff)
-              b = s1 (fromIntegral $ (t `shiftR` 16) .&. 0xff)
-              c = s2 (fromIntegral $ (t `shiftR` 8) .&. 0xff)
-              d = s3 (fromIntegral $ t .&. 0xff)
+    f t = let a = s0 (0xff .&. (t `shiftR` 24))
+              b = s1 (0xff .&. (t `shiftR` 16))
+              c = s2 (0xff .&. (t `shiftR` 8))
+              d = s3 (0xff .&.  t)
            in fromIntegral (((a + b) `xor` c) + d) `shiftL` 32
 
-
--- | Create a key schedule for either plain Blowfish or the BCrypt "EKS" version
--- For the expensive version, the salt and cost factor are supplied. Salt must be
--- a 128-bit byte array.
---
--- The standard case is just a single key expansion with the salt set to zero.
-makeKeySchedule :: (ByteArrayAccess key, ByteArrayAccess salt) => key-> Maybe (salt, Int) -> Context
-makeKeySchedule keyBytes saltCost =
-    let v = unsafeDoIO $ do
-              mv <- createKeySchedule
-              case saltCost of
-                  -- Standard blowfish
-                  Nothing -> expandKey mv 0 0 keyBytes
-                  -- The expensive case
-                  Just (s, cost)  -> do
-                      let (salt1, salt2) = splitSalt s
-                      expandKey mv salt1 salt2 keyBytes
-                      forM_ [1..2^cost :: Int] $ \_ -> do
-                          expandKey mv 0 0 keyBytes
-                          expandKey mv 0 0 s
-              mutableArray32Freeze mv
-     in BF (\i -> arrayRead32 v i)
-           (\i -> arrayRead32 v (s0+i))
-           (\i -> arrayRead32 v (s1+i))
-           (\i -> arrayRead32 v (s2+i))
-           (\i -> arrayRead32 v (s3+i))
-  where
-        splitSalt s = (fromBE (B.toW64BE s 0), fromBE (B.toW64BE s 8))
-
-        -- Indices of the S-Box arrays, each containing 256 32-bit words
-        -- The first 18 words contain the P-Array of subkeys
-        s0 = 18
-        s1 = 274
-        s2 = 530
-        s3 = 786
+    -- | S-Box arrays, each containing 256 32-bit words
+    --   The first 18 words contain the P-Array of subkeys
+    s0, s1, s2, s3 :: Word32 -> Word32
+    s0 i            = arrayRead32 ar (fromIntegral i + 18)
+    s1 i            = arrayRead32 ar (fromIntegral i + 274)
+    s2 i            = arrayRead32 ar (fromIntegral i + 530)
+    s3 i            = arrayRead32 ar (fromIntegral i + 786)
+    p              :: Int -> Word32
+    p i | inverse   = arrayRead32 ar (17 - i)
+        | otherwise = arrayRead32 ar i
 
-expandKey :: ByteArrayAccess ba
-          => MutableArray32      -- ^ The key schedule
-          -> Word64              -- ^ First word of the salt
-          -> Word64              -- ^ Second word of the salt
-          -> ba                  -- ^ The key
-          -> IO ()
-expandKey mv salt1 salt2 key = do
-    when (len > 0) $ forM_ [0..17] $ \i -> do
-        let a = B.index key ((i * 4 + 0) `mod` len)
-            b = B.index key ((i * 4 + 1) `mod` len)
-            c = B.index key ((i * 4 + 2) `mod` len)
-            d = B.index key ((i * 4 + 3) `mod` len)
-            k = (fromIntegral a `shiftL` 24) .|.
-                (fromIntegral b `shiftL` 16) .|.
-                (fromIntegral c `shiftL`  8) .|.
-                (fromIntegral d)
-        mutableArrayWriteXor32 mv i k
-    prepare mv
-    return ()
-  where
-        len = B.length key
+-- | Blowfish encrypt a Word using the current state of the key schedule
+cipherBlockMutable :: KeySchedule -> Word64 -> IO Word64
+cipherBlockMutable (KeySchedule ma) input = doRound input 0
+    where
+    -- | Transform the input over 16 rounds
+    doRound !i roundIndex
+        | roundIndex == 16 = do
+            pVal1 <- mutableArrayRead32 ma 16
+            pVal2 <- mutableArrayRead32 ma 17
+            let final = (fromIntegral pVal1 `shiftL` 32) .|. fromIntegral pVal2
+            return $ rotateL (i `xor` final) 32
+        | otherwise     = do
+            pVal <- mutableArrayRead32 ma roundIndex
+            let newr = fromIntegral (i `shiftR` 32) `xor` pVal
+            newr' <- f newr
+            let newi = ((i `shiftL` 32) `xor` newr') .|. fromIntegral newr
+            doRound newi (roundIndex+1)
 
-        -- | Go through the entire key schedule overwriting the P-Array and S-Boxes
-        prepare mctx = loop 0 salt1 salt1 salt2
-          where loop i input slt1 slt2
-                  | i == 1042   = return ()
-                  | otherwise = do
-                      ninput <- coreCryptoMutable input
-                      let (nl, nr) = w64to32 ninput
-                      mutableArrayWrite32 mctx i     nl
-                      mutableArrayWrite32 mctx (i+1) nr
-                      loop (i+2) (ninput `xor` slt2) slt2 slt1
+    -- | The Blowfish Feistel function F
+    f   :: Word32 -> IO Word64
+    f t = do
+        a <- s0 (0xff .&. (t `shiftR` 24))
+        b <- s1 (0xff .&. (t `shiftR` 16))
+        c <- s2 (0xff .&. (t `shiftR` 8))
+        d <- s3 (0xff .&.  t)
+        return (fromIntegral (((a + b) `xor` c) + d) `shiftL` 32)
 
-                -- | Blowfish encrypt a Word using the current state of the key schedule
-                coreCryptoMutable :: Word64 -> IO Word64
-                coreCryptoMutable input = doRound input 0
-                  where doRound i roundIndex
-                          | roundIndex == 16 = do
-                              pVal1 <- mutableArrayRead32 mctx 16
-                              pVal2 <- mutableArrayRead32 mctx 17
-                              let final = (fromIntegral pVal1 `shiftL` 32) .|. fromIntegral pVal2
-                              return $ rotateL (i `xor` final) 32
-                          | otherwise     = do
-                              pVal <- mutableArrayRead32 mctx roundIndex
-                              let newr = fromIntegral (i `shiftR` 32) `xor` pVal
-                              newr' <- f newr
-                              let newi = ((i `shiftL` 32) `xor` newr') .|. (fromIntegral newr)
-                              doRound newi (roundIndex+1)
+    -- | S-Box arrays, each containing 256 32-bit words
+    --   The first 18 words contain the P-Array of subkeys
+    s0, s1, s2, s3 :: Word32 -> IO Word32
+    s0 i = mutableArrayRead32 ma (fromIntegral i + 18)
+    s1 i = mutableArrayRead32 ma (fromIntegral i + 274)
+    s2 i = mutableArrayRead32 ma (fromIntegral i + 530)
+    s3 i = mutableArrayRead32 ma (fromIntegral i + 786)
 
-                -- The Blowfish Feistel function F
-                f   :: Word32 -> IO Word64
-                f t = do a <- mutableArrayRead32 mctx (s0 + fromIntegral ((t `shiftR` 24) .&. 0xff))
-                         b <- mutableArrayRead32 mctx (s1 + fromIntegral ((t `shiftR` 16) .&. 0xff))
-                         c <- mutableArrayRead32 mctx (s2 + fromIntegral ((t `shiftR` 8) .&. 0xff))
-                         d <- mutableArrayRead32 mctx (s3 + fromIntegral (t .&. 0xff))
-                         return (fromIntegral (((a + b) `xor` c) + d) `shiftL` 32)
-                  where s0 = 18
-                        s1 = 274
-                        s2 = 530
-                        s3 = 786
+iterKeyStream :: (ByteArrayAccess x)
+    => x
+    -> Word32
+    -> Word32
+    -> (Int -> Word32 -> Word32 -> Word32 -> Word32 -> (Word32 -> Word32 -> IO ()) -> IO ())
+    -> IO ()
+iterKeyStream x a0 a1 g = f 0 0 a0 a1
+    where
+        len          = B.length x
+        -- Avoiding the modulo operation when interating over the ring
+        -- buffer is assumed to be more efficient here. All other
+        -- implementations do this, too. The branch prediction shall prefer
+        -- the branch with the increment.
+        n j          = if j + 1 >= len then 0 else j + 1
+        f i j0 b0 b1 = g i l r b0 b1 (f (i + 2) j8)
+            where
+                j1 = n j0
+                j2 = n j1
+                j3 = n j2
+                j4 = n j3
+                j5 = n j4
+                j6 = n j5
+                j7 = n j6
+                j8 = n j7
+                x0 = fromIntegral (B.index x j0)
+                x1 = fromIntegral (B.index x j1)
+                x2 = fromIntegral (B.index x j2)
+                x3 = fromIntegral (B.index x j3)
+                x4 = fromIntegral (B.index x j4)
+                x5 = fromIntegral (B.index x j5)
+                x6 = fromIntegral (B.index x j6)
+                x7 = fromIntegral (B.index x j7)
+                l  = shiftL x0 24 .|. shiftL x1 16 .|. shiftL x2 8 .|. x3
+                r  = shiftL x4 24 .|. shiftL x5 16 .|. shiftL x6 8 .|. x7
+{-# INLINE iterKeyStream #-}
+-- Benchmarking shows that GHC considers this function too big to inline
+-- although forcing inlining causes an actual improvement.
+-- It is assumed that all function calls (especially the continuation)
+-- collapse into a tight loop after inlining.
diff --git a/Crypto/Cipher/ChaCha.hs b/Crypto/Cipher/ChaCha.hs
--- a/Crypto/Cipher/ChaCha.hs
+++ b/Crypto/Cipher/ChaCha.hs
@@ -48,7 +48,7 @@
         stPtr <- B.alloc 132 $ \stPtr ->
             B.withByteArray nonce $ \noncePtr  ->
             B.withByteArray key   $ \keyPtr ->
-                ccryptonite_chacha_init stPtr (fromIntegral nbRounds) kLen keyPtr nonceLen noncePtr
+                ccryptonite_chacha_init stPtr  nbRounds kLen keyPtr nonceLen noncePtr
         return $ State stPtr
   where kLen     = B.length key
         nonceLen = B.length nonce
diff --git a/Crypto/Cipher/Salsa.hs b/Crypto/Cipher/Salsa.hs
--- a/Crypto/Cipher/Salsa.hs
+++ b/Crypto/Cipher/Salsa.hs
@@ -40,7 +40,7 @@
         stPtr <- B.alloc 132 $ \stPtr ->
             B.withByteArray nonce $ \noncePtr  ->
             B.withByteArray key   $ \keyPtr ->
-                ccryptonite_salsa_init stPtr (fromIntegral nbRounds) kLen keyPtr nonceLen noncePtr
+                ccryptonite_salsa_init stPtr nbRounds kLen keyPtr nonceLen noncePtr
         return $ State stPtr
   where kLen     = B.length key
         nonceLen = B.length nonce
diff --git a/Crypto/Cipher/Twofish.hs b/Crypto/Cipher/Twofish.hs
--- a/Crypto/Cipher/Twofish.hs
+++ b/Crypto/Cipher/Twofish.hs
@@ -7,7 +7,6 @@
 import Crypto.Cipher.Twofish.Primitive
 import Crypto.Cipher.Types
 import Crypto.Cipher.Utils
-import Crypto.Internal.Imports
 
 newtype Twofish128 = Twofish128 Twofish
 
diff --git a/Crypto/Cipher/Twofish/Primitive.hs b/Crypto/Cipher/Twofish/Primitive.hs
--- a/Crypto/Cipher/Twofish/Primitive.hs
+++ b/Crypto/Cipher/Twofish/Primitive.hs
@@ -8,15 +8,12 @@
     ) where
 
 import           Crypto.Error
-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, Bytes)
+import           Crypto.Internal.ByteArray (ByteArray)
 import qualified Crypto.Internal.ByteArray as B
 import           Crypto.Internal.WordArray
-import           Crypto.Internal.Words
 import           Data.Word
-import           Data.Int
 import           Data.Bits
 import           Data.List
-import           Control.Monad
 
 -- Based on the Golang referance implementation
 -- https://github.com/golang/crypto/blob/master/twofish/twofish.go
@@ -206,7 +203,7 @@
 
 data Column = Zero | One | Two | Three deriving (Show, Eq, Enum, Bounded)
 
-genSboxes :: ByteArray ba => KeyPackage ba -> [Word8] -> (Array32, Array32, Array32, Array32)
+genSboxes :: KeyPackage ba -> [Word8] -> (Array32, Array32, Array32, Array32)
 genSboxes keyPackage ws = (mkArray b0', mkArray b1', mkArray b2', mkArray b3')
     where range = [0..255]
           mkArray = array32 256
diff --git a/Crypto/Cipher/Types/Base.hs b/Crypto/Cipher/Types/Base.hs
--- a/Crypto/Cipher/Types/Base.hs
+++ b/Crypto/Cipher/Types/Base.hs
@@ -22,6 +22,7 @@
 import           Data.Word
 import           Crypto.Internal.ByteArray (Bytes, ByteArrayAccess, ByteArray)
 import qualified Crypto.Internal.ByteArray as B
+import           Crypto.Internal.DeepSeq
 import           Crypto.Error
 
 -- | Different specifier for key size in bytes
@@ -36,7 +37,7 @@
 
 -- | Authentication Tag for AE cipher mode
 newtype AuthTag = AuthTag { unAuthTag :: Bytes }
-    deriving (Show, ByteArrayAccess)
+    deriving (Show, ByteArrayAccess, NFData)
 
 instance Eq AuthTag where
     (AuthTag a) == (AuthTag b) = B.constEq a b
diff --git a/Crypto/Cipher/Types/Block.hs b/Crypto/Cipher/Types/Block.hs
--- a/Crypto/Cipher/Types/Block.hs
+++ b/Crypto/Cipher/Types/Block.hs
@@ -37,7 +37,6 @@
     ) where
 
 import           Data.Word
-import           Data.Monoid
 import           Crypto.Error
 import           Crypto.Cipher.Types.Base
 import           Crypto.Cipher.Types.GF
@@ -164,7 +163,7 @@
 -- | Increment an IV by a number.
 --
 -- Assume the IV is in Big Endian format.
-ivAdd :: BlockCipher c => IV c -> Int -> IV c
+ivAdd :: IV c -> Int -> IV c
 ivAdd (IV b) i = IV $ copy b
   where copy :: ByteArray bs => bs -> bs
         copy bs = B.copyAndFreeze bs $ loop i (B.length bs - 1)
diff --git a/Crypto/Cipher/Utils.hs b/Crypto/Cipher/Utils.hs
--- a/Crypto/Cipher/Utils.hs
+++ b/Crypto/Cipher/Utils.hs
@@ -4,7 +4,6 @@
 
 import Crypto.Error
 import Crypto.Cipher.Types
-import Crypto.Internal.Imports
 
 import Data.ByteArray as BA
 
diff --git a/Crypto/Cipher/XSalsa.hs b/Crypto/Cipher/XSalsa.hs
--- a/Crypto/Cipher/XSalsa.hs
+++ b/Crypto/Cipher/XSalsa.hs
@@ -17,13 +17,11 @@
     , State
     ) where
 
-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, ScrubbedBytes)
+import           Crypto.Internal.ByteArray (ByteArrayAccess)
 import qualified Crypto.Internal.ByteArray as B
 import           Crypto.Internal.Compat
 import           Crypto.Internal.Imports
 import           Foreign.Ptr
-import           Foreign.Storable
-import           Foreign.C.Types
 import           Crypto.Cipher.Salsa hiding (initialize)
 
 -- | Initialize a new XSalsa context with the number of rounds,
@@ -41,7 +39,7 @@
         stPtr <- B.alloc 132 $ \stPtr ->
             B.withByteArray nonce $ \noncePtr  ->
             B.withByteArray key   $ \keyPtr ->
-                ccryptonite_xsalsa_init stPtr (fromIntegral nbRounds) kLen keyPtr nonceLen noncePtr
+                ccryptonite_xsalsa_init stPtr nbRounds kLen keyPtr nonceLen noncePtr
         return $ State stPtr
   where kLen     = B.length key
         nonceLen = B.length nonce
diff --git a/Crypto/Data/AFIS.hs b/Crypto/Data/AFIS.hs
--- a/Crypto/Data/AFIS.hs
+++ b/Crypto/Data/AFIS.hs
@@ -77,7 +77,7 @@
             diffuse hashAlg lastBlock blockSize
         fillRandomBlock g blockPtr = do
             let (rand :: Bytes, g') = randomBytesGenerate blockSize g
-            B.withByteArray rand $ \randPtr -> memCopy blockPtr randPtr (fromIntegral blockSize)
+            B.withByteArray rand $ \randPtr -> memCopy blockPtr randPtr blockSize
             return g'
 
 -- | Merge previously diffused data back to the original data.
diff --git a/Crypto/ECC.hs b/Crypto/ECC.hs
--- a/Crypto/ECC.hs
+++ b/Crypto/ECC.hs
@@ -31,17 +31,16 @@
 import qualified Crypto.ECC.Simple.Prim as Simple
 import           Crypto.Random
 import           Crypto.Error
-import           Crypto.Internal.Proxy
 import           Crypto.Internal.Imports
 import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess, ScrubbedBytes)
 import qualified Crypto.Internal.ByteArray as B
 import           Crypto.Number.Serialize (i2ospOf_, os2ip)
 import qualified Crypto.PubKey.Curve25519 as X25519
 import qualified Crypto.PubKey.Curve448 as X448
-import           Data.Function (on)
 import           Data.ByteArray (convert)
 import           Data.Data (Data())
-import           Data.Typeable (Typeable())
+import           Data.Kind (Type)
+import           Data.Proxy
 
 -- | An elliptic curve key pair composed of the private part (a scalar), and
 -- the associated point.
@@ -55,10 +54,10 @@
 
 class EllipticCurve curve where
     -- | Point on an Elliptic Curve
-    type Point curve  :: *
+    type Point curve  :: Type
 
     -- | Scalar in the Elliptic Curve domain
-    type Scalar curve :: *
+    type Scalar curve :: Type
 
     -- | Generate a new random scalar on the curve.
     -- The scalar will represent a number between 1 and the order of the curve non included
@@ -116,7 +115,7 @@
 --
 -- also known as P256
 data Curve_P256R1 = Curve_P256R1
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance EllipticCurve Curve_P256R1 where
     type Point Curve_P256R1 = P256.Point
@@ -150,7 +149,7 @@
     ecdh  prx s p = checkNonZeroDH (ecdhRaw prx s p)
 
 data Curve_P384R1 = Curve_P384R1
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance EllipticCurve Curve_P384R1 where
     type Point Curve_P384R1 = Simple.Point Simple.SEC_p384r1
@@ -173,7 +172,7 @@
         prx = Proxy :: Proxy Simple.SEC_p384r1
 
 data Curve_P521R1 = Curve_P521R1
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance EllipticCurve Curve_P521R1 where
     type Point Curve_P521R1 = Simple.Point Simple.SEC_p521r1
@@ -196,7 +195,7 @@
         prx = Proxy :: Proxy Simple.SEC_p521r1
 
 data Curve_X25519 = Curve_X25519
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance EllipticCurve Curve_X25519 where
     type Point Curve_X25519 = X25519.PublicKey
@@ -215,7 +214,7 @@
     ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p)
 
 data Curve_X448 = Curve_X448
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance EllipticCurve Curve_X448 where
     type Point Curve_X448 = X448.PublicKey
@@ -234,7 +233,7 @@
     ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p)
 
 data Curve_Edwards25519 = Curve_Edwards25519
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance EllipticCurve Curve_Edwards25519 where
     type Point Curve_Edwards25519 = Edwards25519.Point
diff --git a/Crypto/ECC/Edwards25519.hs b/Crypto/ECC/Edwards25519.hs
--- a/Crypto/ECC/Edwards25519.hs
+++ b/Crypto/ECC/Edwards25519.hs
@@ -73,15 +73,12 @@
     , pointsMulVarTime
     ) where
 
-import           Data.Bits
 import           Data.Word
 import           Foreign.C.Types
 import           Foreign.Ptr
-import           Foreign.Storable
 
 import           Crypto.Error
-import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes,
-                                            ScrubbedBytes, withByteArray)
+import           Crypto.Internal.ByteArray (Bytes, ScrubbedBytes, withByteArray)
 import qualified Crypto.Internal.ByteArray as B
 import           Crypto.Internal.Compat
 import           Crypto.Internal.Imports
diff --git a/Crypto/ECC/Simple/Prim.hs b/Crypto/ECC/Simple/Prim.hs
--- a/Crypto/ECC/Simple/Prim.hs
+++ b/Crypto/ECC/Simple/Prim.hs
@@ -17,8 +17,7 @@
     ) where
 
 import Data.Maybe
-import Crypto.Internal.Imports
-import Crypto.Internal.Proxy
+import Data.Proxy
 import Crypto.Number.ModArithmetic
 import Crypto.Number.F2m
 import Crypto.Number.Generate (generateBetween)
diff --git a/Crypto/ECC/Simple/Types.hs b/Crypto/ECC/Simple/Types.hs
--- a/Crypto/ECC/Simple/Types.hs
+++ b/Crypto/ECC/Simple/Types.hs
@@ -84,28 +84,28 @@
     , curveEccG :: Point curve -- ^ base point
     , curveEccN :: Integer     -- ^ order of G
     , curveEccH :: Integer     -- ^ cofactor
-    } deriving (Show,Eq,Data,Typeable)
+    } deriving (Show,Eq,Data)
 
 newtype CurveBinaryParam = CurveBinaryParam Integer
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 newtype CurvePrimeParam = CurvePrimeParam Integer
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 data CurveType =
       CurveBinary CurveBinaryParam
     | CurvePrime CurvePrimeParam
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 -- | ECC Private Number
 newtype Scalar curve = Scalar Integer
-    deriving (Show,Read,Eq,Data,Typeable,NFData)
+    deriving (Show,Read,Eq,Data,NFData)
 
 -- | Define a point on a curve.
 data Point curve =
       Point Integer Integer
     | PointO -- ^ Point at Infinity
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 instance NFData (Point curve) where
     rnf (Point x y) = x `seq` y `seq` ()
diff --git a/Crypto/Error/Types.hs b/Crypto/Error/Types.hs
--- a/Crypto/Error/Types.hs
+++ b/Crypto/Error/Types.hs
@@ -23,7 +23,6 @@
 import           Data.Data
 
 import           Basement.Monad (MonadFailure(..))
-import           Crypto.Internal.Imports
 
 -- | Enumeration of all possible errors that can be found in this library
 data CryptoError =
@@ -53,7 +52,7 @@
     | CryptoError_SaltTooSmall
     | CryptoError_OutputLengthTooSmall
     | CryptoError_OutputLengthTooBig
-    deriving (Show,Eq,Enum,Data,Typeable)
+    deriving (Show,Eq,Enum,Data)
 
 instance E.Exception CryptoError
 
@@ -83,7 +82,7 @@
     pure a     = CryptoPassed a
     (<*>) fm m = fm >>= \p -> m >>= \r2 -> return (p r2)
 instance Monad CryptoFailable where
-    return a = CryptoPassed a
+    return = pure
     (>>=) m1 m2 = do
         case m1 of
             CryptoPassed a -> m2 a
diff --git a/Crypto/Hash.hs b/Crypto/Hash.hs
--- a/Crypto/Hash.hs
+++ b/Crypto/Hash.hs
@@ -44,7 +44,6 @@
 import           Basement.Types.OffsetSize (CountOf (..))
 import           Basement.Block (Block, unsafeFreeze)
 import           Basement.Block.Mutable (copyFromPtr, new)
-import           Control.Monad
 import           Crypto.Internal.Compat (unsafeDoIO)
 import           Crypto.Hash.Types
 import           Crypto.Hash.Algorithms
@@ -110,7 +109,7 @@
 digestFromByteString :: forall a ba . (HashAlgorithm a, ByteArrayAccess ba) => ba -> Maybe (Digest a)
 digestFromByteString = from undefined
   where
-        from :: HashAlgorithm a => a -> ba -> Maybe (Digest a)
+        from :: a -> ba -> Maybe (Digest a)
         from alg bs
             | B.length bs == (hashDigestSize alg) = Just $ Digest $ unsafeDoIO $ copyBytes bs
             | otherwise                           = Nothing
diff --git a/Crypto/Hash/Algorithms.hs b/Crypto/Hash/Algorithms.hs
--- a/Crypto/Hash/Algorithms.hs
+++ b/Crypto/Hash/Algorithms.hs
@@ -1,4 +1,3 @@
-{-# LANGUAGE CPP #-}
 -- |
 -- Module      : Crypto.Hash.Algorithms
 -- License     : BSD-style
@@ -42,12 +41,10 @@
     , SHA3_256(..)
     , SHA3_384(..)
     , SHA3_512(..)
-#if MIN_VERSION_base(4,7,0)
     , SHAKE128(..)
     , SHAKE256(..)
     , Blake2b(..), Blake2bp(..)
     , Blake2s(..), Blake2sp(..)
-#endif
     , Skein256_224(..)
     , Skein256_256(..)
     , Skein512_224(..)
@@ -78,7 +75,5 @@
 import           Crypto.Hash.Skein256
 import           Crypto.Hash.Skein512
 import           Crypto.Hash.Whirlpool
-#if MIN_VERSION_base(4,7,0)
 import           Crypto.Hash.SHAKE
 import           Crypto.Hash.Blake2
-#endif
diff --git a/Crypto/Hash/Blake2.hs b/Crypto/Hash/Blake2.hs
--- a/Crypto/Hash/Blake2.hs
+++ b/Crypto/Hash/Blake2.hs
@@ -42,9 +42,8 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
-import           GHC.TypeLits (Nat, KnownNat, natVal)
+import           GHC.TypeLits (Nat, KnownNat)
 import           Crypto.Internal.Nat
 
 -- | Fast and secure alternative to SHA1 and HMAC-SHA1
@@ -58,7 +57,7 @@
 -- * Blake2s 256
 --
 data Blake2s (bitlen :: Nat) = Blake2s
-  deriving (Show, Typeable)
+    deriving (Show,Data)
 
 instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 256)
       => HashAlgorithm (Blake2s bitlen)
@@ -93,7 +92,7 @@
 -- * Blake2b 512
 --
 data Blake2b (bitlen :: Nat) = Blake2b
-  deriving (Show, Typeable)
+    deriving (Show,Data)
 
 instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 512)
       => HashAlgorithm (Blake2b bitlen)
@@ -116,7 +115,7 @@
     c_blake2b_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()
 
 data Blake2sp (bitlen :: Nat) = Blake2sp
-  deriving (Show, Typeable)
+    deriving (Show,Data)
 
 instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 256)
       => HashAlgorithm (Blake2sp bitlen)
@@ -139,7 +138,7 @@
     c_blake2sp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()
 
 data Blake2bp (bitlen :: Nat) = Blake2bp
-  deriving (Show, Typeable)
+    deriving (Show,Data)
 
 instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 512)
       => HashAlgorithm (Blake2bp bitlen)
diff --git a/Crypto/Hash/Blake2b.hs b/Crypto/Hash/Blake2b.hs
--- a/Crypto/Hash/Blake2b.hs
+++ b/Crypto/Hash/Blake2b.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Blake2b (160 bits) cryptographic hash algorithm
 data Blake2b_160 = Blake2b_160
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2b_160 where
     type HashBlockSize           Blake2b_160 = 128
@@ -40,7 +39,7 @@
 
 -- | Blake2b (224 bits) cryptographic hash algorithm
 data Blake2b_224 = Blake2b_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2b_224 where
     type HashBlockSize           Blake2b_224 = 128
@@ -55,7 +54,7 @@
 
 -- | Blake2b (256 bits) cryptographic hash algorithm
 data Blake2b_256 = Blake2b_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2b_256 where
     type HashBlockSize           Blake2b_256 = 128
@@ -70,7 +69,7 @@
 
 -- | Blake2b (384 bits) cryptographic hash algorithm
 data Blake2b_384 = Blake2b_384
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2b_384 where
     type HashBlockSize           Blake2b_384 = 128
@@ -85,7 +84,7 @@
 
 -- | Blake2b (512 bits) cryptographic hash algorithm
 data Blake2b_512 = Blake2b_512
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2b_512 where
     type HashBlockSize           Blake2b_512 = 128
diff --git a/Crypto/Hash/Blake2bp.hs b/Crypto/Hash/Blake2bp.hs
--- a/Crypto/Hash/Blake2bp.hs
+++ b/Crypto/Hash/Blake2bp.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Blake2bp (512 bits) cryptographic hash algorithm
 data Blake2bp_512 = Blake2bp_512
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2bp_512 where
     type HashBlockSize           Blake2bp_512 = 128
diff --git a/Crypto/Hash/Blake2s.hs b/Crypto/Hash/Blake2s.hs
--- a/Crypto/Hash/Blake2s.hs
+++ b/Crypto/Hash/Blake2s.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Blake2s (160 bits) cryptographic hash algorithm
 data Blake2s_160 = Blake2s_160
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2s_160 where
     type HashBlockSize           Blake2s_160 = 64
@@ -40,7 +39,7 @@
 
 -- | Blake2s (224 bits) cryptographic hash algorithm
 data Blake2s_224 = Blake2s_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2s_224 where
     type HashBlockSize           Blake2s_224 = 64
@@ -55,7 +54,7 @@
 
 -- | Blake2s (256 bits) cryptographic hash algorithm
 data Blake2s_256 = Blake2s_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2s_256 where
     type HashBlockSize           Blake2s_256 = 64
diff --git a/Crypto/Hash/Blake2sp.hs b/Crypto/Hash/Blake2sp.hs
--- a/Crypto/Hash/Blake2sp.hs
+++ b/Crypto/Hash/Blake2sp.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Blake2sp (224 bits) cryptographic hash algorithm
 data Blake2sp_224 = Blake2sp_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2sp_224 where
     type HashBlockSize           Blake2sp_224 = 64
@@ -40,7 +39,7 @@
 
 -- | Blake2sp (256 bits) cryptographic hash algorithm
 data Blake2sp_256 = Blake2sp_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Blake2sp_256 where
     type HashBlockSize           Blake2sp_256 = 64
diff --git a/Crypto/Hash/Keccak.hs b/Crypto/Hash/Keccak.hs
--- a/Crypto/Hash/Keccak.hs
+++ b/Crypto/Hash/Keccak.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Keccak (224 bits) cryptographic hash algorithm
 data Keccak_224 = Keccak_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Keccak_224 where
     type HashBlockSize           Keccak_224 = 144
@@ -40,7 +39,7 @@
 
 -- | Keccak (256 bits) cryptographic hash algorithm
 data Keccak_256 = Keccak_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Keccak_256 where
     type HashBlockSize           Keccak_256 = 136
@@ -55,7 +54,7 @@
 
 -- | Keccak (384 bits) cryptographic hash algorithm
 data Keccak_384 = Keccak_384
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Keccak_384 where
     type HashBlockSize           Keccak_384 = 104
@@ -70,7 +69,7 @@
 
 -- | Keccak (512 bits) cryptographic hash algorithm
 data Keccak_512 = Keccak_512
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Keccak_512 where
     type HashBlockSize           Keccak_512 = 72
diff --git a/Crypto/Hash/MD2.hs b/Crypto/Hash/MD2.hs
--- a/Crypto/Hash/MD2.hs
+++ b/Crypto/Hash/MD2.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | MD2 cryptographic hash algorithm
 data MD2 = MD2
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm MD2 where
     type HashBlockSize           MD2 = 16
diff --git a/Crypto/Hash/MD4.hs b/Crypto/Hash/MD4.hs
--- a/Crypto/Hash/MD4.hs
+++ b/Crypto/Hash/MD4.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | MD4 cryptographic hash algorithm
 data MD4 = MD4
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm MD4 where
     type HashBlockSize           MD4 = 64
diff --git a/Crypto/Hash/MD5.hs b/Crypto/Hash/MD5.hs
--- a/Crypto/Hash/MD5.hs
+++ b/Crypto/Hash/MD5.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | MD5 cryptographic hash algorithm
 data MD5 = MD5
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm MD5 where
     type HashBlockSize           MD5 = 64
diff --git a/Crypto/Hash/RIPEMD160.hs b/Crypto/Hash/RIPEMD160.hs
--- a/Crypto/Hash/RIPEMD160.hs
+++ b/Crypto/Hash/RIPEMD160.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | RIPEMD160 cryptographic hash algorithm
 data RIPEMD160 = RIPEMD160
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm RIPEMD160 where
     type HashBlockSize           RIPEMD160 = 64
diff --git a/Crypto/Hash/SHA1.hs b/Crypto/Hash/SHA1.hs
--- a/Crypto/Hash/SHA1.hs
+++ b/Crypto/Hash/SHA1.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | SHA1 cryptographic hash algorithm
 data SHA1 = SHA1
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA1 where
     type HashBlockSize           SHA1 = 64
diff --git a/Crypto/Hash/SHA224.hs b/Crypto/Hash/SHA224.hs
--- a/Crypto/Hash/SHA224.hs
+++ b/Crypto/Hash/SHA224.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | SHA224 cryptographic hash algorithm
 data SHA224 = SHA224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA224 where
     type HashBlockSize           SHA224 = 64
diff --git a/Crypto/Hash/SHA256.hs b/Crypto/Hash/SHA256.hs
--- a/Crypto/Hash/SHA256.hs
+++ b/Crypto/Hash/SHA256.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | SHA256 cryptographic hash algorithm
 data SHA256 = SHA256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA256 where
     type HashBlockSize           SHA256 = 64
diff --git a/Crypto/Hash/SHA3.hs b/Crypto/Hash/SHA3.hs
--- a/Crypto/Hash/SHA3.hs
+++ b/Crypto/Hash/SHA3.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | SHA3 (224 bits) cryptographic hash algorithm
 data SHA3_224 = SHA3_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA3_224 where
     type HashBlockSize           SHA3_224 = 144
@@ -40,7 +39,7 @@
 
 -- | SHA3 (256 bits) cryptographic hash algorithm
 data SHA3_256 = SHA3_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA3_256 where
     type HashBlockSize           SHA3_256 = 136
@@ -55,7 +54,7 @@
 
 -- | SHA3 (384 bits) cryptographic hash algorithm
 data SHA3_384 = SHA3_384
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA3_384 where
     type HashBlockSize           SHA3_384 = 104
@@ -70,7 +69,7 @@
 
 -- | SHA3 (512 bits) cryptographic hash algorithm
 data SHA3_512 = SHA3_512
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA3_512 where
     type HashBlockSize           SHA3_512 = 72
diff --git a/Crypto/Hash/SHA384.hs b/Crypto/Hash/SHA384.hs
--- a/Crypto/Hash/SHA384.hs
+++ b/Crypto/Hash/SHA384.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | SHA384 cryptographic hash algorithm
 data SHA384 = SHA384
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA384 where
     type HashBlockSize           SHA384 = 128
diff --git a/Crypto/Hash/SHA512.hs b/Crypto/Hash/SHA512.hs
--- a/Crypto/Hash/SHA512.hs
+++ b/Crypto/Hash/SHA512.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | SHA512 cryptographic hash algorithm
 data SHA512 = SHA512
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA512 where
     type HashBlockSize           SHA512 = 128
diff --git a/Crypto/Hash/SHA512t.hs b/Crypto/Hash/SHA512t.hs
--- a/Crypto/Hash/SHA512t.hs
+++ b/Crypto/Hash/SHA512t.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | SHA512t (224 bits) cryptographic hash algorithm
 data SHA512t_224 = SHA512t_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA512t_224 where
     type HashBlockSize           SHA512t_224 = 128
@@ -40,7 +39,7 @@
 
 -- | SHA512t (256 bits) cryptographic hash algorithm
 data SHA512t_256 = SHA512t_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm SHA512t_256 where
     type HashBlockSize           SHA512t_256 = 128
diff --git a/Crypto/Hash/SHAKE.hs b/Crypto/Hash/SHAKE.hs
--- a/Crypto/Hash/SHAKE.hs
+++ b/Crypto/Hash/SHAKE.hs
@@ -12,37 +12,44 @@
 {-# LANGUAGE DeriveDataTypeable #-}
 {-# LANGUAGE KindSignatures #-}
 {-# LANGUAGE DataKinds #-}
-{-# LANGUAGE ConstraintKinds #-}
 {-# LANGUAGE ScopedTypeVariables #-}
 {-# LANGUAGE TypeOperators #-}
 {-# LANGUAGE TypeFamilies #-}
 {-# LANGUAGE UndecidableInstances #-}
 module Crypto.Hash.SHAKE
-    (  SHAKE128 (..), SHAKE256 (..)
+    (  SHAKE128 (..), SHAKE256 (..), HashSHAKE (..)
     ) where
 
+import           Control.Monad (when)
 import           Crypto.Hash.Types
-import           Foreign.Ptr (Ptr)
-import           Data.Typeable
+import           Foreign.Ptr (Ptr, castPtr)
+import           Foreign.Storable (Storable(..))
+import           Data.Bits
+import           Data.Data
 import           Data.Word (Word8, Word32)
 
-import           Data.Proxy (Proxy(..))
-import           GHC.TypeLits (Nat, KnownNat, natVal)
+import           GHC.TypeLits (Nat, KnownNat, type (+))
 import           Crypto.Internal.Nat
 
+-- | Type class of SHAKE algorithms.
+class HashAlgorithm a => HashSHAKE a where
+    -- | Alternate finalization needed for cSHAKE
+    cshakeInternalFinalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()
+    -- | Get the digest bit length
+    cshakeOutputLength :: a -> Int
+
 -- | SHAKE128 (128 bits) extendable output function.  Supports an arbitrary
--- digest size (multiple of 8 bits), to be specified as a type parameter
--- of kind 'Nat'.
+-- digest size, to be specified as a type parameter of kind 'Nat'.
 --
 -- Note: outputs from @'SHAKE128' n@ and @'SHAKE128' m@ for the same input are
 -- correlated (one being a prefix of the other).  Results are unrelated to
 -- 'SHAKE256' results.
 data SHAKE128 (bitlen :: Nat) = SHAKE128
-    deriving (Show, Typeable)
+    deriving (Show, Data)
 
-instance (IsDivisibleBy8 bitlen, KnownNat bitlen) => HashAlgorithm (SHAKE128 bitlen) where
+instance KnownNat bitlen => HashAlgorithm (SHAKE128 bitlen) where
     type HashBlockSize           (SHAKE128 bitlen)  = 168
-    type HashDigestSize          (SHAKE128 bitlen) = Div8 bitlen
+    type HashDigestSize          (SHAKE128 bitlen) = Div8 (bitlen + 7)
     type HashInternalContextSize (SHAKE128 bitlen) = 376
     hashBlockSize  _          = 168
     hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)
@@ -51,19 +58,22 @@
     hashInternalUpdate        = c_sha3_update
     hashInternalFinalize      = shakeFinalizeOutput (Proxy :: Proxy bitlen)
 
+instance KnownNat bitlen => HashSHAKE (SHAKE128 bitlen) where
+    cshakeInternalFinalize = cshakeFinalizeOutput (Proxy :: Proxy bitlen)
+    cshakeOutputLength _ = integralNatVal (Proxy :: Proxy bitlen)
+
 -- | SHAKE256 (256 bits) extendable output function.  Supports an arbitrary
--- digest size (multiple of 8 bits), to be specified as a type parameter
--- of kind 'Nat'.
+-- digest size, to be specified as a type parameter of kind 'Nat'.
 --
 -- Note: outputs from @'SHAKE256' n@ and @'SHAKE256' m@ for the same input are
 -- correlated (one being a prefix of the other).  Results are unrelated to
 -- 'SHAKE128' results.
 data SHAKE256 (bitlen :: Nat) = SHAKE256
-    deriving (Show, Typeable)
+    deriving (Show, Data)
 
-instance (IsDivisibleBy8 bitlen, KnownNat bitlen) => HashAlgorithm (SHAKE256 bitlen) where
+instance KnownNat bitlen => HashAlgorithm (SHAKE256 bitlen) where
     type HashBlockSize           (SHAKE256 bitlen) = 136
-    type HashDigestSize          (SHAKE256 bitlen) = Div8 bitlen
+    type HashDigestSize          (SHAKE256 bitlen) = Div8 (bitlen + 7)
     type HashInternalContextSize (SHAKE256 bitlen) = 344
     hashBlockSize  _          = 136
     hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)
@@ -72,7 +82,11 @@
     hashInternalUpdate        = c_sha3_update
     hashInternalFinalize      = shakeFinalizeOutput (Proxy :: Proxy bitlen)
 
-shakeFinalizeOutput :: (IsDivisibleBy8 bitlen, KnownNat bitlen)
+instance KnownNat bitlen => HashSHAKE (SHAKE256 bitlen) where
+    cshakeInternalFinalize = cshakeFinalizeOutput (Proxy :: Proxy bitlen)
+    cshakeOutputLength _ = integralNatVal (Proxy :: Proxy bitlen)
+
+shakeFinalizeOutput :: KnownNat bitlen
                     => proxy bitlen
                     -> Ptr (Context a)
                     -> Ptr (Digest a)
@@ -80,7 +94,27 @@
 shakeFinalizeOutput d ctx dig = do
     c_sha3_finalize_shake ctx
     c_sha3_output ctx dig (byteLen d)
+    shakeTruncate d (castPtr dig)
 
+cshakeFinalizeOutput :: KnownNat bitlen
+                     => proxy bitlen
+                     -> Ptr (Context a)
+                     -> Ptr (Digest a)
+                     -> IO ()
+cshakeFinalizeOutput d ctx dig = do
+    c_sha3_finalize_cshake ctx
+    c_sha3_output ctx dig (byteLen d)
+    shakeTruncate d (castPtr dig)
+
+shakeTruncate :: KnownNat bitlen => proxy bitlen -> Ptr Word8 -> IO ()
+shakeTruncate d ptr =
+    when (bits > 0) $ do
+        byte <- peekElemOff ptr index
+        pokeElemOff ptr index (byte .&. mask)
+  where
+    mask = (1 `shiftL` bits) - 1
+    (index, bits) = integralNatVal d `divMod` 8
+
 foreign import ccall unsafe "cryptonite_sha3_init"
     c_sha3_init :: Ptr (Context a) -> Word32 -> IO ()
 
@@ -89,6 +123,9 @@
 
 foreign import ccall unsafe "cryptonite_sha3_finalize_shake"
     c_sha3_finalize_shake :: Ptr (Context a) -> IO ()
+
+foreign import ccall unsafe "cryptonite_sha3_finalize_cshake"
+    c_sha3_finalize_cshake :: Ptr (Context a) -> IO ()
 
 foreign import ccall unsafe "cryptonite_sha3_output"
     c_sha3_output :: Ptr (Context a) -> Ptr (Digest a) -> Word32 -> IO ()
diff --git a/Crypto/Hash/Skein256.hs b/Crypto/Hash/Skein256.hs
--- a/Crypto/Hash/Skein256.hs
+++ b/Crypto/Hash/Skein256.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Skein256 (224 bits) cryptographic hash algorithm
 data Skein256_224 = Skein256_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Skein256_224 where
     type HashBlockSize           Skein256_224 = 32
@@ -40,7 +39,7 @@
 
 -- | Skein256 (256 bits) cryptographic hash algorithm
 data Skein256_256 = Skein256_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Skein256_256 where
     type HashBlockSize           Skein256_256 = 32
diff --git a/Crypto/Hash/Skein512.hs b/Crypto/Hash/Skein512.hs
--- a/Crypto/Hash/Skein512.hs
+++ b/Crypto/Hash/Skein512.hs
@@ -19,13 +19,12 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 
 -- | Skein512 (224 bits) cryptographic hash algorithm
 data Skein512_224 = Skein512_224
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Skein512_224 where
     type HashBlockSize           Skein512_224 = 64
@@ -40,7 +39,7 @@
 
 -- | Skein512 (256 bits) cryptographic hash algorithm
 data Skein512_256 = Skein512_256
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Skein512_256 where
     type HashBlockSize           Skein512_256 = 64
@@ -55,7 +54,7 @@
 
 -- | Skein512 (384 bits) cryptographic hash algorithm
 data Skein512_384 = Skein512_384
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Skein512_384 where
     type HashBlockSize           Skein512_384 = 64
@@ -70,7 +69,7 @@
 
 -- | Skein512 (512 bits) cryptographic hash algorithm
 data Skein512_512 = Skein512_512
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Skein512_512 where
     type HashBlockSize           Skein512_512 = 64
diff --git a/Crypto/Hash/Tiger.hs b/Crypto/Hash/Tiger.hs
--- a/Crypto/Hash/Tiger.hs
+++ b/Crypto/Hash/Tiger.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | Tiger cryptographic hash algorithm
 data Tiger = Tiger
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Tiger where
     type HashBlockSize           Tiger = 64
diff --git a/Crypto/Hash/Types.hs b/Crypto/Hash/Types.hs
--- a/Crypto/Hash/Types.hs
+++ b/Crypto/Hash/Types.hs
@@ -8,7 +8,9 @@
 -- Crypto hash types definitions
 --
 {-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE DeriveDataTypeable #-}
 {-# LANGUAGE DataKinds #-}
+{-# LANGUAGE ScopedTypeVariables #-}
 {-# LANGUAGE TypeFamilies #-}
 module Crypto.Hash.Types
     ( HashAlgorithm(..)
@@ -19,10 +21,15 @@
 import           Crypto.Internal.Imports
 import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes)
 import qualified Crypto.Internal.ByteArray as B
+import           Control.Monad.ST
+import           Data.Char (digitToInt, isHexDigit)
 import           Foreign.Ptr (Ptr)
-import           Basement.Block (Block)
+import           Basement.Block (Block, unsafeFreeze)
+import           Basement.Block.Mutable (MutableBlock, new, unsafeWrite)
 import           Basement.NormalForm (deepseq)
+import           Basement.Types.OffsetSize (CountOf(..), Offset(..))
 import           GHC.TypeLits (Nat)
+import           Data.Data (Data)
 
 -- | Class representing hashing algorithms.
 --
@@ -71,7 +78,7 @@
 -- Creating a digest from a bytearray is also possible with function
 -- 'Crypto.Hash.digestFromByteString'.
 newtype Digest a = Digest (Block Word8)
-    deriving (Eq,Ord,ByteArrayAccess)
+    deriving (Eq,Ord,ByteArrayAccess, Data)
 
 instance NFData (Digest a) where
     rnf (Digest u) = u `deepseq` ()
@@ -79,3 +86,21 @@
 instance Show (Digest a) where
     show (Digest bs) = map (toEnum . fromIntegral)
                      $ B.unpack (B.convertToBase B.Base16 bs :: Bytes)
+
+instance HashAlgorithm a => Read (Digest a) where
+    readsPrec _ str = runST $ do mut <- new (CountOf len)
+                                 loop mut len str
+      where
+        len = hashDigestSize (undefined :: a)
+
+        loop :: MutableBlock Word8 s -> Int -> String -> ST s [(Digest a, String)]
+        loop mut 0   cs          = (\b -> [(Digest b, cs)]) <$> unsafeFreeze mut
+        loop _   _   []          = return []
+        loop _   _   [_]         = return []
+        loop mut n   (c:(d:ds))
+            | not (isHexDigit c) = return []
+            | not (isHexDigit d) = return []
+            | otherwise          = do
+                let w8 = fromIntegral $ digitToInt c * 16 + digitToInt d
+                unsafeWrite mut (Offset $ len - n) w8
+                loop mut (n - 1) ds
diff --git a/Crypto/Hash/Whirlpool.hs b/Crypto/Hash/Whirlpool.hs
--- a/Crypto/Hash/Whirlpool.hs
+++ b/Crypto/Hash/Whirlpool.hs
@@ -17,12 +17,11 @@
 import           Crypto.Hash.Types
 import           Foreign.Ptr (Ptr)
 import           Data.Data
-import           Data.Typeable
 import           Data.Word (Word8, Word32)
 
 -- | Whirlpool cryptographic hash algorithm
 data Whirlpool = Whirlpool
-    deriving (Show,Data,Typeable)
+    deriving (Show,Data)
 
 instance HashAlgorithm Whirlpool where
     type HashBlockSize           Whirlpool = 64
diff --git a/Crypto/Internal/Nat.hs b/Crypto/Internal/Nat.hs
--- a/Crypto/Internal/Nat.hs
+++ b/Crypto/Internal/Nat.hs
@@ -9,20 +9,21 @@
     , type IsAtMost, type IsAtLeast
     , byteLen
     , integralNatVal
+    , type IsDiv8
     , type Div8
     , type Mod8
     ) where
 
 import           GHC.TypeLits
 
-byteLen :: (KnownNat bitlen, IsDivisibleBy8 bitlen, Num a) => proxy bitlen -> a
-byteLen d = fromInteger (natVal d `div` 8)
+byteLen :: (KnownNat bitlen, Num a) => proxy bitlen -> a
+byteLen d = fromInteger ((natVal d + 7) `div` 8)
 
 integralNatVal :: (KnownNat bitlen, Num a) => proxy bitlen -> a
 integralNatVal = fromInteger . natVal
 
 type family IsLE (bitlen :: Nat) (n :: Nat) (c :: Bool) where
-    IsLE bitlen n 'True  = 'True
+    IsLE _ _ 'True  = 'True
 #if MIN_VERSION_base(4,9,0)
     IsLE bitlen n 'False = TypeError
       (     ('Text "bitlen " ':<>: 'ShowType bitlen ':<>: 'Text " is greater than " ':<>: 'ShowType n)
@@ -37,7 +38,7 @@
 type IsAtMost  (bitlen :: Nat) (n :: Nat) = IsLE bitlen n (bitlen <=? n) ~ 'True
 
 type family IsGE (bitlen :: Nat) (n :: Nat) (c :: Bool) where
-    IsGE bitlen n 'True  = 'True
+    IsGE _ _ 'True  = 'True
 #if MIN_VERSION_base(4,9,0)
     IsGE bitlen n 'False = TypeError
       (     ('Text "bitlen " ':<>: 'ShowType bitlen ':<>: 'Text " is lesser than " ':<>: 'ShowType n)
@@ -120,7 +121,7 @@
     Div8 n  = 8 + Div8 (n - 64)
 
 type family IsDiv8 (bitLen :: Nat) (n :: Nat) where
-    IsDiv8 bitLen 0 = 'True
+    IsDiv8 _ 0 = 'True
 #if MIN_VERSION_base(4,9,0)
     IsDiv8 bitLen 1 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")
     IsDiv8 bitLen 2 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")
@@ -130,15 +131,15 @@
     IsDiv8 bitLen 6 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")
     IsDiv8 bitLen 7 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")
 #else
-    IsDiv8 bitLen 1 = 'False
-    IsDiv8 bitLen 2 = 'False
-    IsDiv8 bitLen 3 = 'False
-    IsDiv8 bitLen 4 = 'False
-    IsDiv8 bitLen 5 = 'False
-    IsDiv8 bitLen 6 = 'False
-    IsDiv8 bitLen 7 = 'False
+    IsDiv8 _ 1 = 'False
+    IsDiv8 _ 2 = 'False
+    IsDiv8 _ 3 = 'False
+    IsDiv8 _ 4 = 'False
+    IsDiv8 _ 5 = 'False
+    IsDiv8 _ 6 = 'False
+    IsDiv8 _ 7 = 'False
 #endif
-    IsDiv8 bitLen n = IsDiv8 n (Mod8 n)
+    IsDiv8 _ n = IsDiv8 n (Mod8 n)
 
 type family Mod8 (n :: Nat) where
     Mod8 0 = 0
@@ -207,4 +208,6 @@
     Mod8 63 = 7
     Mod8 n = Mod8 (n - 64)
 
+-- | ensure the given `bitlen` is divisible by 8
+--
 type IsDivisibleBy8 bitLen = IsDiv8 bitLen bitLen ~ 'True
diff --git a/Crypto/Internal/Proxy.hs b/Crypto/Internal/Proxy.hs
deleted file mode 100644
--- a/Crypto/Internal/Proxy.hs
+++ /dev/null
@@ -1,13 +0,0 @@
--- |
--- Module      : Crypto.Internal.Proxy
--- License     : BSD-style
--- Maintainer  : Vincent Hanquez <vincent@snarc.org>
--- Stability   : experimental
--- Portability : Good
---
-module Crypto.Internal.Proxy
-    ( Proxy(..)
-    ) where
-
--- | A type witness for 'a' as phantom type
-data Proxy a = Proxy
diff --git a/Crypto/KDF/Argon2.hs b/Crypto/KDF/Argon2.hs
--- a/Crypto/KDF/Argon2.hs
+++ b/Crypto/KDF/Argon2.hs
@@ -25,7 +25,7 @@
     , hash
     ) where
 
-import           Crypto.Internal.ByteArray (ScrubbedBytes, ByteArray, ByteArrayAccess)
+import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess)
 import qualified Crypto.Internal.ByteArray as B
 import           Crypto.Error
 import           Control.Monad (when)
diff --git a/Crypto/KDF/BCrypt.hs b/Crypto/KDF/BCrypt.hs
--- a/Crypto/KDF/BCrypt.hs
+++ b/Crypto/KDF/BCrypt.hs
@@ -11,7 +11,7 @@
 -- >>> validatePassword password bcryptHash
 -- >>> True
 -- >>> let otherPassword = B.pack "otherpassword"
--- >>> otherHash <- hashPassword 12 otherPasssword :: IO B.ByteString
+-- >>> otherHash <- hashPassword 12 otherPassword :: IO B.ByteString
 -- >>> validatePassword otherPassword otherHash
 -- >>> True
 --
@@ -52,11 +52,16 @@
     )
 where
 
-import           Control.Monad (unless, when)
-import           Crypto.Cipher.Blowfish.Primitive (eksBlowfish, encrypt)
-import           Crypto.Random (MonadRandom, getRandomBytes)
-import           Data.ByteArray (ByteArrayAccess, ByteArray, Bytes)
-import qualified Data.ByteArray as B
+import           Control.Monad                    (forM_, unless, when)
+import           Crypto.Cipher.Blowfish.Primitive (Context, createKeySchedule,
+                                                   encrypt, expandKey,
+                                                   expandKeyWithSalt,
+                                                   freezeKeySchedule)
+import           Crypto.Internal.Compat
+import           Crypto.Random                    (MonadRandom, getRandomBytes)
+import           Data.ByteArray                   (ByteArray, ByteArrayAccess,
+                                                   Bytes)
+import qualified Data.ByteArray                   as B
 import           Data.ByteArray.Encoding
 import           Data.Char
 
@@ -136,7 +141,7 @@
     -- Truncate the password if necessary and append a null byte for C compatibility
     key = B.snoc (B.take 72 password) 0
 
-    ctx = eksBlowfish cost salt key
+    ctx = expensiveBlowfishContext key salt cost
 
     -- The BCrypt plaintext: "OrpheanBeholderScryDoubt"
     orpheanBeholder = B.pack [79,114,112,104,101,97,110,66,101,104,111,108,100,101,114,83,99,114,121,68,111,117,98,116]
@@ -159,10 +164,26 @@
     costTens  = fromIntegral (B.index bc 4) - zero
     costUnits = fromIntegral (B.index bc 5) - zero
     version   = chr (fromIntegral (B.index bc 2))
-    cost      = costUnits + (if costTens == 0 then 0 else 10^costTens) :: Int
+    cost      = costUnits + 10*costTens :: Int
 
     decodeSaltHash saltHash = do
         let (s, h) = B.splitAt 22 saltHash
         salt <- convertFromBase Base64OpenBSD s
         hash <- convertFromBase Base64OpenBSD h
         return (salt, hash)
+
+-- | Create a key schedule for the BCrypt "EKS" version.
+--
+-- Salt must be a 128-bit byte array.
+-- Cost must be between 4 and 31 inclusive
+-- See <https://www.usenix.org/conference/1999-usenix-annual-technical-conference/future-adaptable-password-scheme>
+expensiveBlowfishContext :: (ByteArrayAccess key, ByteArrayAccess salt) => key-> salt -> Int -> Context
+expensiveBlowfishContext keyBytes saltBytes cost
+  | B.length saltBytes /= 16 = error "bcrypt salt must be 16 bytes"
+  | otherwise = unsafeDoIO $ do
+        ks <- createKeySchedule
+        expandKeyWithSalt ks keyBytes saltBytes
+        forM_ [1..2^cost :: Int] $ \_ -> do
+            expandKey ks keyBytes
+            expandKey ks saltBytes
+        freezeKeySchedule ks
diff --git a/Crypto/KDF/BCryptPBKDF.hs b/Crypto/KDF/BCryptPBKDF.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/KDF/BCryptPBKDF.hs
@@ -0,0 +1,187 @@
+-- |
+-- Module      : Crypto.KDF.BCryptPBKDF
+-- License     : BSD-style
+-- Stability   : experimental
+-- Portability : Good
+--
+-- Port of the bcrypt_pbkdf key derivation function from OpenBSD
+-- as described at <http://man.openbsd.org/bcrypt_pbkdf.3>.
+module Crypto.KDF.BCryptPBKDF
+    ( Parameters (..)
+    , generate
+    , hashInternal
+    )
+where
+
+import           Basement.Block                   (MutableBlock)
+import qualified Basement.Block                   as Block
+import qualified Basement.Block.Mutable           as Block
+import           Basement.Monad                   (PrimState)
+import           Basement.Types.OffsetSize        (CountOf (..), Offset (..))
+import           Control.Exception                (finally)
+import           Control.Monad                    (when)
+import qualified Crypto.Cipher.Blowfish.Box       as Blowfish
+import qualified Crypto.Cipher.Blowfish.Primitive as Blowfish
+import           Crypto.Hash.Algorithms           (SHA512 (..))
+import           Crypto.Hash.Types                (Context,
+                                                   hashDigestSize,
+                                                   hashInternalContextSize,
+                                                   hashInternalFinalize,
+                                                   hashInternalInit,
+                                                   hashInternalUpdate)
+import           Crypto.Internal.Compat           (unsafeDoIO)
+import           Data.Bits
+import qualified Data.ByteArray                   as B
+import           Data.Foldable                    (forM_)
+import           Data.Memory.PtrMethods           (memCopy, memSet, memXor)
+import           Data.Word
+import           Foreign.Ptr                      (Ptr, castPtr)
+import           Foreign.Storable                 (peekByteOff, pokeByteOff)
+
+data Parameters = Parameters
+  { iterCounts   :: Int -- ^ The number of user-defined iterations for the algorithm
+                        --   (must be > 0)
+  , outputLength :: Int -- ^ The number of bytes to generate out of BCryptPBKDF
+                        --   (must be in 1..1024)
+  } deriving (Eq, Ord, Show)
+
+-- | Derive a key of specified length using the bcrypt_pbkdf algorithm.
+generate :: (B.ByteArray pass, B.ByteArray salt, B.ByteArray output)
+       => Parameters
+       -> pass
+       -> salt
+       -> output
+generate params pass salt
+    | iterCounts params < 1       = error "BCryptPBKDF: iterCounts must be > 0"
+    | keyLen < 1 || keyLen > 1024 = error "BCryptPBKDF: outputLength must be in 1..1024"
+    | otherwise                   = B.unsafeCreate keyLen deriveKey
+  where
+    outLen, tmpLen, blkLen, keyLen, passLen, saltLen, ctxLen, hashLen, blocks :: Int
+    outLen  = 32
+    tmpLen  = 32
+    blkLen  = 4
+    passLen = B.length pass
+    saltLen = B.length salt
+    keyLen  = outputLength params
+    ctxLen  = hashInternalContextSize SHA512
+    hashLen = hashDigestSize SHA512 -- 64
+    blocks  = (keyLen + outLen - 1) `div` outLen
+
+    deriveKey :: Ptr Word8 -> IO ()
+    deriveKey keyPtr = do
+        -- Allocate all necessary memory. The algorihm shall not allocate
+        -- any more dynamic memory after this point. Blocks need to be pinned
+        -- as pointers to them are passed to the SHA512 implementation.
+        ksClean        <- Blowfish.createKeySchedule
+        ksDirty        <- Blowfish.createKeySchedule
+        ctxMBlock      <- Block.newPinned (CountOf ctxLen  :: CountOf Word8)
+        outMBlock      <- Block.newPinned (CountOf outLen  :: CountOf Word8)
+        tmpMBlock      <- Block.newPinned (CountOf tmpLen  :: CountOf Word8)
+        blkMBlock      <- Block.newPinned (CountOf blkLen  :: CountOf Word8)
+        passHashMBlock <- Block.newPinned (CountOf hashLen :: CountOf Word8)
+        saltHashMBlock <- Block.newPinned (CountOf hashLen :: CountOf Word8)
+        -- Finally erase all memory areas that contain information from
+        -- which the derived key could be reconstructed.
+        -- As all MutableBlocks are pinned it shall be guaranteed that
+        -- no temporary trampoline buffers are allocated.
+        finallyErase outMBlock $ finallyErase passHashMBlock $
+            B.withByteArray pass                $ \passPtr->
+            B.withByteArray salt                $ \saltPtr->
+            Block.withMutablePtr ctxMBlock      $ \ctxPtr->
+            Block.withMutablePtr outMBlock      $ \outPtr->
+            Block.withMutablePtr tmpMBlock      $ \tmpPtr->
+            Block.withMutablePtr blkMBlock      $ \blkPtr->
+            Block.withMutablePtr passHashMBlock $ \passHashPtr->
+            Block.withMutablePtr saltHashMBlock $ \saltHashPtr-> do
+                -- Hash the password.
+                let shaPtr = castPtr ctxPtr :: Ptr (Context SHA512)
+                hashInternalInit     shaPtr
+                hashInternalUpdate   shaPtr passPtr (fromIntegral passLen)
+                hashInternalFinalize shaPtr (castPtr passHashPtr)
+                passHashBlock <- Block.unsafeFreeze passHashMBlock
+                forM_ [1..blocks] $ \block-> do
+                    -- Poke the increased block counter.
+                    Block.unsafeWrite blkMBlock 0 (fromIntegral $ block `shiftR` 24)
+                    Block.unsafeWrite blkMBlock 1 (fromIntegral $ block `shiftR` 16)
+                    Block.unsafeWrite blkMBlock 2 (fromIntegral $ block `shiftR`  8)
+                    Block.unsafeWrite blkMBlock 3 (fromIntegral $ block `shiftR`  0)
+                    -- First round (slightly different).
+                    hashInternalInit     shaPtr
+                    hashInternalUpdate   shaPtr saltPtr (fromIntegral saltLen)
+                    hashInternalUpdate   shaPtr blkPtr  (fromIntegral blkLen)
+                    hashInternalFinalize shaPtr (castPtr saltHashPtr)
+                    Block.unsafeFreeze saltHashMBlock >>= \x-> do
+                        Blowfish.copyKeySchedule ksDirty ksClean
+                        hashInternalMutable ksDirty passHashBlock x tmpMBlock
+                    memCopy outPtr tmpPtr outLen
+                    -- Remaining rounds.
+                    forM_ [2..iterCounts params] $ const $ do
+                        hashInternalInit     shaPtr
+                        hashInternalUpdate   shaPtr tmpPtr (fromIntegral tmpLen)
+                        hashInternalFinalize shaPtr (castPtr saltHashPtr)
+                        Block.unsafeFreeze saltHashMBlock >>= \x-> do
+                            Blowfish.copyKeySchedule ksDirty ksClean
+                            hashInternalMutable ksDirty passHashBlock x tmpMBlock
+                        memXor outPtr outPtr tmpPtr outLen
+                    -- Spread the current out buffer evenly over the key buffer.
+                    -- After both loops have run every byte of the key buffer
+                    -- will have been written to exactly once and every byte
+                    -- of the output will have been used.
+                    forM_ [0..outLen - 1] $ \outIdx-> do
+                        let keyIdx = outIdx * blocks + block - 1
+                        when (keyIdx < keyLen) $ do
+                            w8 <- peekByteOff outPtr outIdx :: IO Word8
+                            pokeByteOff keyPtr keyIdx w8
+
+-- | Internal hash function used by `generate`.
+--
+-- Normal users should not need this.
+hashInternal :: (B.ByteArrayAccess pass, B.ByteArrayAccess salt, B.ByteArray output)
+    => pass
+    -> salt
+    -> output
+hashInternal passHash saltHash
+    | B.length passHash /= 64 = error "passHash must be 512 bits"
+    | B.length saltHash /= 64 = error "saltHash must be 512 bits"
+    | otherwise = unsafeDoIO $ do
+        ks0 <- Blowfish.createKeySchedule
+        outMBlock <- Block.newPinned 32
+        hashInternalMutable ks0 passHash saltHash outMBlock
+        B.convert `fmap` Block.freeze outMBlock
+
+hashInternalMutable :: (B.ByteArrayAccess pass, B.ByteArrayAccess salt)
+    => Blowfish.KeySchedule
+    -> pass
+    -> salt
+    -> MutableBlock Word8 (PrimState IO)
+    -> IO ()
+hashInternalMutable bfks passHash saltHash outMBlock = do
+    Blowfish.expandKeyWithSalt bfks passHash saltHash
+    forM_ [0..63 :: Int] $ const $ do
+        Blowfish.expandKey bfks saltHash
+        Blowfish.expandKey bfks passHash
+    -- "OxychromaticBlowfishSwatDynamite" represented as 4 Word64 in big-endian.
+    store  0 =<< cipher 64 0x4f78796368726f6d
+    store  8 =<< cipher 64 0x61746963426c6f77
+    store 16 =<< cipher 64 0x6669736853776174
+    store 24 =<< cipher 64 0x44796e616d697465
+    where
+        store :: Offset Word8 -> Word64 -> IO ()
+        store o w64 = do
+            Block.unsafeWrite outMBlock (o + 0) (fromIntegral $ w64 `shiftR` 32)
+            Block.unsafeWrite outMBlock (o + 1) (fromIntegral $ w64 `shiftR` 40)
+            Block.unsafeWrite outMBlock (o + 2) (fromIntegral $ w64 `shiftR` 48)
+            Block.unsafeWrite outMBlock (o + 3) (fromIntegral $ w64 `shiftR` 56)
+            Block.unsafeWrite outMBlock (o + 4) (fromIntegral $ w64 `shiftR`  0)
+            Block.unsafeWrite outMBlock (o + 5) (fromIntegral $ w64 `shiftR`  8)
+            Block.unsafeWrite outMBlock (o + 6) (fromIntegral $ w64 `shiftR` 16)
+            Block.unsafeWrite outMBlock (o + 7) (fromIntegral $ w64 `shiftR` 24)
+        cipher :: Int -> Word64 -> IO Word64
+        cipher 0 block = return block
+        cipher i block = Blowfish.cipherBlockMutable bfks block >>= cipher (i - 1)
+
+finallyErase :: MutableBlock Word8 (PrimState IO) -> IO () -> IO ()
+finallyErase mblock action =
+    action `finally` Block.withMutablePtr mblock (\ptr-> memSet ptr 0 len)
+    where
+        CountOf len = Block.mutableLengthBytes mblock
diff --git a/Crypto/KDF/PBKDF2.hs b/Crypto/KDF/PBKDF2.hs
--- a/Crypto/KDF/PBKDF2.hs
+++ b/Crypto/KDF/PBKDF2.hs
@@ -24,7 +24,7 @@
 import           Data.Bits
 import           Foreign.Marshal.Alloc
 import           Foreign.Ptr (plusPtr, Ptr)
-import           Foreign.C.Types (CUInt(..), CInt(..), CSize(..))
+import           Foreign.C.Types (CUInt(..), CSize(..))
 
 import           Crypto.Hash (HashAlgorithm)
 import qualified Crypto.MAC.HMAC as HMAC
diff --git a/Crypto/MAC/HMAC.hs b/Crypto/MAC/HMAC.hs
--- a/Crypto/MAC/HMAC.hs
+++ b/Crypto/MAC/HMAC.hs
@@ -24,15 +24,15 @@
 import           Crypto.Hash hiding (Context)
 import qualified Crypto.Hash as Hash (Context)
 import           Crypto.Hash.IO
-import           Crypto.Internal.ByteArray (ScrubbedBytes, ByteArray, ByteArrayAccess)
+import           Crypto.Internal.ByteArray (ScrubbedBytes, ByteArrayAccess)
 import qualified Crypto.Internal.ByteArray as B
 import           Data.Memory.PtrMethods
 import           Crypto.Internal.Compat
-import           Crypto.Internal.Imports
 
 -- | Represent an HMAC that is a phantom type with the hash used to produce the mac.
 --
--- The Eq instance is constant time.
+-- The Eq instance is constant time.  No Show instance is provided, to avoid
+-- printing by mistake.
 newtype HMAC a = HMAC { hmacGetDigest :: Digest a }
     deriving (ByteArrayAccess)
 
diff --git a/Crypto/MAC/KMAC.hs b/Crypto/MAC/KMAC.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/MAC/KMAC.hs
@@ -0,0 +1,169 @@
+-- |
+-- Module      : Crypto.MAC.KMAC
+-- License     : BSD-style
+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>
+-- Stability   : experimental
+-- Portability : unknown
+--
+-- Provide the KMAC (Keccak Message Authentication Code) algorithm, derived from
+-- the SHA-3 base algorithm Keccak and defined in NIST SP800-185.
+--
+{-# LANGUAGE BangPatterns #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+module Crypto.MAC.KMAC
+    ( HashSHAKE
+    , kmac
+    , KMAC(..)
+    -- * Incremental
+    , Context
+    , initialize
+    , update
+    , updates
+    , finalize
+    ) where
+
+import qualified Crypto.Hash as H
+import           Crypto.Hash.SHAKE (HashSHAKE(..))
+import           Crypto.Hash.Types (HashAlgorithm(..), Digest(..))
+import qualified Crypto.Hash.Types as H
+import           Foreign.Ptr (Ptr, plusPtr)
+import           Foreign.Storable (poke)
+import           Data.Bits (shiftR)
+import           Data.ByteArray (ByteArray, ByteArrayAccess)
+import qualified Data.ByteArray as B
+import           Data.Word (Word8)
+import           Data.Memory.PtrMethods (memSet)
+
+
+-- cSHAKE
+
+cshakeInit :: forall a name string prefix . (HashSHAKE a, ByteArrayAccess name, ByteArrayAccess string, ByteArrayAccess prefix)
+           => name -> string -> prefix -> H.Context a
+cshakeInit n s p = H.Context $ B.allocAndFreeze c $ \(ptr :: Ptr (H.Context a)) -> do
+    hashInternalInit ptr
+    B.withByteArray b $ \d -> hashInternalUpdate ptr d (fromIntegral $ B.length b)
+    B.withByteArray p $ \d -> hashInternalUpdate ptr d (fromIntegral $ B.length p)
+  where
+    c = hashInternalContextSize (undefined :: a)
+    w = hashBlockSize (undefined :: a)
+    x = encodeString n <+> encodeString s
+    b = builderAllocAndFreeze (bytepad x w) :: B.Bytes
+
+cshakeUpdate :: (HashSHAKE a, ByteArrayAccess ba)
+             => H.Context a -> ba -> H.Context a
+cshakeUpdate = H.hashUpdate
+
+cshakeUpdates :: (HashSHAKE a, ByteArrayAccess ba)
+              => H.Context a -> [ba] -> H.Context a
+cshakeUpdates = H.hashUpdates
+
+cshakeFinalize :: forall a suffix . (HashSHAKE a, ByteArrayAccess suffix)
+               => H.Context a -> suffix -> Digest a
+cshakeFinalize !c s =
+    Digest $ B.allocAndFreeze (hashDigestSize (undefined :: a)) $ \dig -> do
+        ((!_) :: B.Bytes) <- B.copy c $ \(ctx :: Ptr (H.Context a)) -> do
+            B.withByteArray s $ \d ->
+                hashInternalUpdate ctx d (fromIntegral $ B.length s)
+            cshakeInternalFinalize ctx dig
+        return ()
+
+
+-- KMAC
+
+-- | Represent a KMAC that is a phantom type with the hash used to produce the
+-- mac.
+--
+-- The Eq instance is constant time.  No Show instance is provided, to avoid
+-- printing by mistake.
+newtype KMAC a = KMAC { kmacGetDigest :: Digest a }
+    deriving ByteArrayAccess
+
+instance Eq (KMAC a) where
+    (KMAC b1) == (KMAC b2) = B.constEq b1 b2
+
+-- | Compute a KMAC using the supplied customization string and key.
+kmac :: (HashSHAKE a, ByteArrayAccess string, ByteArrayAccess key, ByteArrayAccess ba)
+     => string -> key -> ba -> KMAC a
+kmac str key msg = finalize $ updates (initialize str key) [msg]
+
+-- | Represent an ongoing KMAC state, that can be appended with 'update' and
+-- finalized to a 'KMAC' with 'finalize'.
+newtype Context a = Context (H.Context a)
+
+-- | Initialize a new incremental KMAC context with the supplied customization
+-- string and key.
+initialize :: forall a string key . (HashSHAKE a, ByteArrayAccess string, ByteArrayAccess key)
+           => string -> key -> Context a
+initialize str key = Context $ cshakeInit n str p
+  where
+    n = B.pack [75,77,65,67] :: B.Bytes  -- "KMAC"
+    w = hashBlockSize (undefined :: a)
+    p = builderAllocAndFreeze (bytepad (encodeString key) w) :: B.ScrubbedBytes
+
+-- | Incrementally update a KMAC context.
+update :: (HashSHAKE a, ByteArrayAccess ba) => Context a -> ba -> Context a
+update (Context ctx) = Context . cshakeUpdate ctx
+
+-- | Incrementally update a KMAC context with multiple inputs.
+updates :: (HashSHAKE a, ByteArrayAccess ba) => Context a -> [ba] -> Context a
+updates (Context ctx) = Context . cshakeUpdates ctx
+
+-- | Finalize a KMAC context and return the KMAC.
+finalize :: forall a . HashSHAKE a => Context a -> KMAC a
+finalize (Context ctx) = KMAC $ cshakeFinalize ctx suffix
+  where
+    l = cshakeOutputLength (undefined :: a)
+    suffix = builderAllocAndFreeze (rightEncode l) :: B.Bytes
+
+
+-- Utilities
+
+bytepad :: Builder -> Int -> Builder
+bytepad x w = prefix <+> x <+> zero padLen
+  where
+    prefix = leftEncode w
+    padLen = (w - builderLength prefix - builderLength x) `mod` w
+
+encodeString :: ByteArrayAccess bin => bin -> Builder
+encodeString s = leftEncode (8 * B.length s) <+> bytes s
+
+leftEncode :: Int -> Builder
+leftEncode x = byte len <+> digits
+  where
+    digits = i2osp x
+    len    = fromIntegral (builderLength digits)
+
+rightEncode :: Int -> Builder
+rightEncode x = digits <+> byte len
+  where
+    digits = i2osp x
+    len    = fromIntegral (builderLength digits)
+
+i2osp :: Int -> Builder
+i2osp i | i >= 256  = i2osp (shiftR i 8) <+> byte (fromIntegral i)
+        | otherwise = byte (fromIntegral i)
+
+
+-- Delaying and merging ByteArray allocations
+
+data Builder = Builder !Int (Ptr Word8 -> IO ())  -- size and initializer
+
+(<+>) :: Builder -> Builder -> Builder
+(Builder s1 f1) <+> (Builder s2 f2) = Builder (s1 + s2) f
+  where f p = f1 p >> f2 (p `plusPtr` s1)
+
+builderLength :: Builder -> Int
+builderLength (Builder s _) = s
+
+builderAllocAndFreeze :: ByteArray ba => Builder -> ba
+builderAllocAndFreeze (Builder s f) = B.allocAndFreeze s f
+
+byte :: Word8 -> Builder
+byte !b = Builder 1 (`poke` b)
+
+bytes :: ByteArrayAccess ba => ba -> Builder
+bytes bs = Builder (B.length bs) (B.copyByteArrayToPtr bs)
+
+zero :: Int -> Builder
+zero s = Builder s (\p -> memSet p 0 s)
diff --git a/Crypto/Number/Basic.hs b/Crypto/Number/Basic.hs
--- a/Crypto/Number/Basic.hs
+++ b/Crypto/Number/Basic.hs
@@ -13,8 +13,11 @@
     , log2
     , numBits
     , numBytes
+    , asPowerOf2AndOdd
     ) where
 
+import Data.Bits
+
 import Crypto.Number.Compat
 
 -- | @sqrti@ returns two integers @(l,b)@ so that @l <= sqrt i <= b@.
@@ -98,3 +101,16 @@
 -- | Compute the number of bytes for an integer
 numBytes :: Integer -> Int
 numBytes n = gmpSizeInBytes n `onGmpUnsupported` ((numBits n + 7) `div` 8)
+
+-- | Express an integer as an odd number and a power of 2
+asPowerOf2AndOdd :: Integer -> (Int, Integer)
+asPowerOf2AndOdd a
+    | a == 0       = (0, 0)
+    | odd a        = (0, a)
+    | a < 0        = let (e, a1) = asPowerOf2AndOdd $ abs a in (e, -a1)
+    | isPowerOf2 a = (log2 a, 1)
+    | otherwise    = loop a 0
+        where      
+          isPowerOf2 n = (n /= 0) && ((n .&. (n - 1)) == 0)
+          loop n pw = if n `mod` 2 == 0 then loop (n `div` 2) (pw + 1)
+                      else (pw, n)
diff --git a/Crypto/Number/Compat.hs b/Crypto/Number/Compat.hs
--- a/Crypto/Number/Compat.hs
+++ b/Crypto/Number/Compat.hs
@@ -22,7 +22,9 @@
     , gmpSizeInBytes
     , gmpSizeInBits
     , gmpExportInteger
+    , gmpExportIntegerLE
     , gmpImportInteger
+    , gmpImportIntegerLE
     ) where
 
 #ifndef MIN_VERSION_integer_gmp
@@ -70,7 +72,9 @@
 -- | Compute the power modulus using extra security to remain constant
 -- time wise through GMP
 gmpPowModSecInteger :: Integer -> Integer -> Integer -> GmpSupported Integer
-#if MIN_VERSION_integer_gmp(1,0,0)
+#if MIN_VERSION_integer_gmp(1,0,2)
+gmpPowModSecInteger b e m = GmpSupported (powModSecInteger b e m)
+#elif MIN_VERSION_integer_gmp(1,0,0)
 gmpPowModSecInteger _ _ _ = GmpUnsupported
 #elif MIN_VERSION_integer_gmp(0,5,1)
 gmpPowModSecInteger b e m = GmpSupported (powModSecInteger b e m)
@@ -132,7 +136,7 @@
 gmpSizeInBits _ = GmpUnsupported
 #endif
 
--- | Export an integer to a memory
+-- | Export an integer to a memory (big-endian)
 gmpExportInteger :: Integer -> Ptr Word8 -> GmpSupported (IO ())
 #if MIN_VERSION_integer_gmp(1,0,0)
 gmpExportInteger n (Ptr addr) = GmpSupported $ do
@@ -146,7 +150,21 @@
 gmpExportInteger _ _ = GmpUnsupported
 #endif
 
--- | Import an integer from a memory
+-- | Export an integer to a memory (little-endian)
+gmpExportIntegerLE :: Integer -> Ptr Word8 -> GmpSupported (IO ())
+#if MIN_VERSION_integer_gmp(1,0,0)
+gmpExportIntegerLE n (Ptr addr) = GmpSupported $ do
+    _ <- exportIntegerToAddr n addr 0#
+    return ()
+#elif MIN_VERSION_integer_gmp(0,5,1)
+gmpExportIntegerLE n (Ptr addr) = GmpSupported $ IO $ \s ->
+    case exportIntegerToAddr n addr 0# s of
+        (# s2, _ #) -> (# s2, () #)
+#else
+gmpExportIntegerLE _ _ = GmpUnsupported
+#endif
+
+-- | Import an integer from a memory (big-endian)
 gmpImportInteger :: Int -> Ptr Word8 -> GmpSupported (IO Integer)
 #if MIN_VERSION_integer_gmp(1,0,0)
 gmpImportInteger (I# n) (Ptr addr) = GmpSupported $
@@ -156,4 +174,16 @@
     importIntegerFromAddr addr (int2Word# n) 1# s
 #else
 gmpImportInteger _ _ = GmpUnsupported
+#endif
+
+-- | Import an integer from a memory (little-endian)
+gmpImportIntegerLE :: Int -> Ptr Word8 -> GmpSupported (IO Integer)
+#if MIN_VERSION_integer_gmp(1,0,0)
+gmpImportIntegerLE (I# n) (Ptr addr) = GmpSupported $
+    importIntegerFromAddr addr (int2Word# n) 0#
+#elif MIN_VERSION_integer_gmp(0,5,1)
+gmpImportIntegerLE (I# n) (Ptr addr) = GmpSupported $ IO $ \s ->
+    importIntegerFromAddr addr (int2Word# n) 0# s
+#else
+gmpImportIntegerLE _ _ = GmpUnsupported
 #endif
diff --git a/Crypto/Number/F2m.hs b/Crypto/Number/F2m.hs
--- a/Crypto/Number/F2m.hs
+++ b/Crypto/Number/F2m.hs
@@ -23,7 +23,6 @@
 
 import Data.Bits (xor, shift, testBit, setBit)
 import Data.List
-import Crypto.Internal.Imports
 import Crypto.Number.Basic
 
 -- | Binary Polynomial represented by an integer
diff --git a/Crypto/Number/ModArithmetic.hs b/Crypto/Number/ModArithmetic.hs
--- a/Crypto/Number/ModArithmetic.hs
+++ b/Crypto/Number/ModArithmetic.hs
@@ -15,20 +15,20 @@
     -- * Inverse computing
     , inverse
     , inverseCoprimes
+    , jacobi
     ) where
 
 import Control.Exception (throw, Exception)
-import Data.Typeable
 import Crypto.Number.Basic
 import Crypto.Number.Compat
 
 -- | Raised when two numbers are supposed to be coprimes but are not.
 data CoprimesAssertionError = CoprimesAssertionError
-    deriving (Show,Typeable)
+    deriving (Show)
 
 instance Exception CoprimesAssertionError
 
--- | Compute the modular exponentiation of base^exponant using
+-- | Compute the modular exponentiation of base^exponent using
 -- algorithms design to avoid side channels and timing measurement
 --
 -- Modulo need to be odd otherwise the normal fast modular exponentiation
@@ -38,11 +38,10 @@
 -- from expFast, and thus provide the same unstudied and dubious
 -- timing and side channels claims.
 --
--- with GHC 7.10, the powModSecInteger is missing from integer-gmp
--- (which is now integer-gmp2), so is has the same security as old
--- ghc version.
+-- Before GHC 8.4.2, powModSecInteger is missing from integer-gmp,
+-- so expSafe has the same security as expFast.
 expSafe :: Integer -- ^ base
-        -> Integer -- ^ exponant
+        -> Integer -- ^ exponent
         -> Integer -- ^ modulo
         -> Integer -- ^ result
 expSafe b e m
@@ -52,14 +51,14 @@
     | otherwise = gmpPowModInteger b e m    `onGmpUnsupported`
                   exponentiation b e m
 
--- | Compute the modular exponentiation of base^exponant using
+-- | Compute the modular exponentiation of base^exponent using
 -- the fastest algorithm without any consideration for
 -- hiding parameters.
 --
 -- Use this function when all the parameters are public,
 -- otherwise 'expSafe' should be prefered.
 expFast :: Integer -- ^ base
-        -> Integer -- ^ exponant
+        -> Integer -- ^ exponent
         -> Integer -- ^ modulo
         -> Integer -- ^ result
 expFast b e m = gmpPowModInteger b e m `onGmpUnsupported` exponentiation b e m
@@ -95,3 +94,29 @@
     case inverse g m of
         Nothing -> throw CoprimesAssertionError
         Just i  -> i
+
+-- | Computes the Jacobi symbol (a/n).
+-- 0 ≤ a < n; n ≥ 3 and odd.
+--  
+-- The Legendre and Jacobi symbols are indistinguishable exactly when the
+-- lower argument is an odd prime, in which case they have the same value.
+-- 
+-- See algorithm 2.149 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+jacobi :: Integer -> Integer -> Maybe Integer
+jacobi a n
+    | n < 3 || even n  = Nothing
+    | a == 0 || a == 1 = Just a
+    | n <= a           = jacobi (a `mod` n) n       
+    | a < 0            = 
+      let b = if n `mod` 4 == 1 then 1 else -1
+       in fmap (*b) (jacobi (-a) n)
+    | otherwise        =
+      let (e, a1) = asPowerOf2AndOdd a
+          nMod8   = n `mod` 8
+          nMod4   = n `mod` 4
+          a1Mod4  = a1 `mod` 4
+          s'      = if even e || nMod8 == 1 || nMod8 == 7 then 1 else -1
+          s       = if nMod4 == 3 && a1Mod4 == 3 then -s' else s'
+          n1      = n `mod` a1
+       in if a1 == 1 then Just s
+          else fmap (*s) (jacobi n1 a1)
diff --git a/Crypto/Number/Nat.hs b/Crypto/Number/Nat.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/Number/Nat.hs
@@ -0,0 +1,63 @@
+-- |
+-- Module      : Crypto.Number.Nat
+-- License     : BSD-style
+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
+-- Stability   : experimental
+-- Portability : Good
+--
+-- Numbers at type level.
+--
+-- This module provides extensions to "GHC.TypeLits" and "GHC.TypeNats" useful
+-- to work with cryptographic algorithms parameterized with a variable bit
+-- length.  Constraints like @'IsDivisibleBy8' n@ ensure that the type-level
+-- parameter is applicable to the algorithm.
+--
+-- Functions are also provided to test whether constraints are satisfied from
+-- values known at runtime.  The following example shows how to discharge
+-- 'IsDivisibleBy8' in a computation @fn@ requiring this constraint:
+--
+-- > withDivisibleBy8 :: Integer
+-- >                  -> (forall proxy n . (KnownNat n, IsDivisibleBy8 n) => proxy n -> a)
+-- >                  -> Maybe a
+-- > withDivisibleBy8 len fn = do
+-- >     SomeNat p <- someNatVal len
+-- >     Refl <- isDivisibleBy8 p
+-- >     pure (fn p)
+--
+-- Function @withDivisibleBy8@ above returns 'Nothing' when the argument @len@
+-- is negative or not divisible by 8.
+{-# LANGUAGE DataKinds #-}
+{-# LANGUAGE TypeOperators #-}
+module Crypto.Number.Nat
+    ( type IsDivisibleBy8
+    , type IsAtMost, type IsAtLeast
+    , isDivisibleBy8
+    , isAtMost
+    , isAtLeast
+    ) where
+
+import           Data.Type.Equality
+import           GHC.TypeLits
+import           Unsafe.Coerce (unsafeCoerce)
+
+import           Crypto.Internal.Nat
+
+-- | get a runtime proof that the constraint @'IsDivisibleBy8' n@ is satified
+isDivisibleBy8 :: KnownNat n => proxy n -> Maybe (IsDiv8 n n :~: 'True)
+isDivisibleBy8 n
+    | mod (natVal n) 8 == 0 = Just (unsafeCoerce Refl)
+    | otherwise             = Nothing
+
+-- | get a runtime proof that the constraint @'IsAtMost' value bound@ is
+-- satified
+isAtMost :: (KnownNat value, KnownNat bound)
+         => proxy value -> proxy' bound -> Maybe ((value <=? bound) :~: 'True)
+isAtMost x y
+    | natVal x <= natVal y  = Just (unsafeCoerce Refl)
+    | otherwise             = Nothing
+
+-- | get a runtime proof that the constraint @'IsAtLeast' value bound@ is
+-- satified
+isAtLeast :: (KnownNat value, KnownNat bound)
+          => proxy value -> proxy' bound -> Maybe ((bound <=? value) :~: 'True)
+isAtLeast = flip isAtMost
diff --git a/Crypto/Number/Prime.hs b/Crypto/Number/Prime.hs
--- a/Crypto/Number/Prime.hs
+++ b/Crypto/Number/Prime.hs
@@ -19,8 +19,6 @@
     , isCoprime
     ) where
 
-import Crypto.Internal.Imports
-
 import Crypto.Number.Compat
 import Crypto.Number.Generate
 import Crypto.Number.Basic (sqrti, gcde)
diff --git a/Crypto/Number/Serialize.hs b/Crypto/Number/Serialize.hs
--- a/Crypto/Number/Serialize.hs
+++ b/Crypto/Number/Serialize.hs
@@ -35,6 +35,7 @@
 -- | Just like 'i2osp', but takes an extra parameter for size.
 -- If the number is too big to fit in @len@ bytes, 'Nothing' is returned
 -- otherwise the number is padded with 0 to fit the @len@ required.
+{-# INLINABLE i2ospOf #-}
 i2ospOf :: B.ByteArray ba => Int -> Integer -> Maybe ba
 i2ospOf len m
     | len <= 0  = Nothing
diff --git a/Crypto/Number/Serialize/Internal.hs b/Crypto/Number/Serialize/Internal.hs
--- a/Crypto/Number/Serialize/Internal.hs
+++ b/Crypto/Number/Serialize/Internal.hs
@@ -23,7 +23,7 @@
 
 -- | Fill a pointer with the big endian binary representation of an integer
 --
--- If the room available @ptrSz is less than the number of bytes needed,
+-- If the room available @ptrSz@ is less than the number of bytes needed,
 -- 0 is returned. Likewise if a parameter is invalid, 0 is returned.
 --
 -- Returns the number of bytes written
@@ -69,7 +69,7 @@
     | otherwise  = gmpImportInteger ptrSz ptr `onGmpUnsupported` loop 0 0 ptr
   where
     loop :: Integer -> Int -> Ptr Word8 -> IO Integer
-    loop !acc i p
+    loop !acc i !p
         | i == ptrSz = return acc
         | otherwise  = do
             w <- peekByteOff p i :: IO Word8
diff --git a/Crypto/Number/Serialize/Internal/LE.hs b/Crypto/Number/Serialize/Internal/LE.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/Number/Serialize/Internal/LE.hs
@@ -0,0 +1,75 @@
+-- |
+-- Module      : Crypto.Number.Serialize.Internal.LE
+-- License     : BSD-style
+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
+-- Stability   : experimental
+-- Portability : Good
+--
+-- Fast serialization primitives for integer using raw pointers (little endian)
+{-# LANGUAGE BangPatterns #-}
+module Crypto.Number.Serialize.Internal.LE
+    ( i2osp
+    , i2ospOf
+    , os2ip
+    ) where
+
+import           Crypto.Number.Compat
+import           Crypto.Number.Basic
+import           Data.Bits
+import           Data.Memory.PtrMethods
+import           Data.Word (Word8)
+import           Foreign.Ptr
+import           Foreign.Storable
+
+-- | Fill a pointer with the little endian binary representation of an integer
+--
+-- If the room available @ptrSz@ is less than the number of bytes needed,
+-- 0 is returned. Likewise if a parameter is invalid, 0 is returned.
+--
+-- Returns the number of bytes written
+i2osp :: Integer -> Ptr Word8 -> Int -> IO Int
+i2osp m ptr ptrSz
+    | ptrSz <= 0 = return 0
+    | m < 0      = return 0
+    | m == 0     = pokeByteOff ptr 0 (0 :: Word8) >> return 1
+    | ptrSz < sz = return 0
+    | otherwise  = fillPtr ptr sz m >> return sz
+  where
+    !sz    = numBytes m
+
+-- | Similar to 'i2osp', except it will pad any remaining space with zero.
+i2ospOf :: Integer -> Ptr Word8 -> Int -> IO Int
+i2ospOf m ptr ptrSz
+    | ptrSz <= 0 = return 0
+    | m < 0      = return 0
+    | ptrSz < sz = return 0
+    | otherwise  = do
+        memSet ptr 0 ptrSz
+        fillPtr ptr sz m
+        return ptrSz
+  where
+    !sz    = numBytes m
+
+fillPtr :: Ptr Word8 -> Int -> Integer -> IO ()
+fillPtr p sz m = gmpExportIntegerLE m p `onGmpUnsupported` export 0 m
+  where
+    export ofs i
+        | ofs >= sz = return ()
+        | otherwise = do
+            let (i', b) = i `divMod` 256
+            pokeByteOff p ofs (fromIntegral b :: Word8)
+            export (ofs+1) i'
+
+-- | Transform a little endian binary integer representation pointed by a
+-- pointer and a size into an integer
+os2ip :: Ptr Word8 -> Int -> IO Integer
+os2ip ptr ptrSz
+    | ptrSz <= 0 = return 0
+    | otherwise  = gmpImportIntegerLE ptrSz ptr `onGmpUnsupported` loop 0 (ptrSz-1) ptr
+  where
+    loop :: Integer -> Int -> Ptr Word8 -> IO Integer
+    loop !acc i !p
+        | i < 0      = return acc
+        | otherwise  = do
+            w <- peekByteOff p i :: IO Word8
+            loop ((acc `shiftL` 8) .|. fromIntegral w) (i-1) p
diff --git a/Crypto/Number/Serialize/LE.hs b/Crypto/Number/Serialize/LE.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/Number/Serialize/LE.hs
@@ -0,0 +1,54 @@
+-- |
+-- Module      : Crypto.Number.Serialize.LE
+-- License     : BSD-style
+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
+-- Stability   : experimental
+-- Portability : Good
+--
+-- Fast serialization primitives for integer (little endian)
+{-# LANGUAGE BangPatterns #-}
+module Crypto.Number.Serialize.LE
+    ( i2osp
+    , os2ip
+    , i2ospOf
+    , i2ospOf_
+    ) where
+
+import           Crypto.Number.Basic
+import           Crypto.Internal.Compat (unsafeDoIO)
+import qualified Crypto.Internal.ByteArray as B
+import qualified Crypto.Number.Serialize.Internal.LE as Internal
+
+-- | @os2ip@ converts a byte string into a positive integer.
+os2ip :: B.ByteArrayAccess ba => ba -> Integer
+os2ip bs = unsafeDoIO $ B.withByteArray bs (\p -> Internal.os2ip p (B.length bs))
+
+-- | @i2osp@ converts a positive integer into a byte string.
+--
+-- The first byte is LSB (least significant byte); the last byte is the MSB (most significant byte)
+i2osp :: B.ByteArray ba => Integer -> ba
+i2osp 0 = B.allocAndFreeze 1  (\p -> Internal.i2osp 0 p 1 >> return ())
+i2osp m = B.allocAndFreeze sz (\p -> Internal.i2osp m p sz >> return ())
+  where
+        !sz = numBytes m
+
+-- | Just like 'i2osp', but takes an extra parameter for size.
+-- If the number is too big to fit in @len@ bytes, 'Nothing' is returned
+-- otherwise the number is padded with 0 to fit the @len@ required.
+{-# INLINABLE i2ospOf #-}
+i2ospOf :: B.ByteArray ba => Int -> Integer -> Maybe ba
+i2ospOf len m
+    | len <= 0  = Nothing
+    | m < 0     = Nothing
+    | sz > len  = Nothing
+    | otherwise = Just $ B.unsafeCreate len (\p -> Internal.i2ospOf m p len >> return ())
+  where
+        !sz = numBytes m
+
+-- | Just like 'i2ospOf' except that it doesn't expect a failure: i.e.
+-- an integer larger than the number of output bytes requested.
+--
+-- For example if you just took a modulo of the number that represent
+-- the size (example the RSA modulo n).
+i2ospOf_ :: B.ByteArray ba => Int -> Integer -> ba
+i2ospOf_ len = maybe (error "i2ospOf_: integer is larger than expected") id . i2ospOf len
diff --git a/Crypto/OTP.hs b/Crypto/OTP.hs
--- a/Crypto/OTP.hs
+++ b/Crypto/OTP.hs
@@ -42,15 +42,14 @@
     )
 where
 
-import           Data.Bits (shiftL, shiftR, (.&.), (.|.))
+import           Data.Bits (shiftL, (.&.), (.|.))
 import           Data.ByteArray.Mapping (fromW64BE)
 import           Data.List (elemIndex)
 import           Data.Word
-import           Foreign.Storable (poke)
 import           Control.Monad (unless)
 import           Crypto.Hash (HashAlgorithm, SHA1(..))
 import           Crypto.MAC.HMAC
-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, Bytes)
+import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes)
 import qualified Crypto.Internal.ByteArray as B
 
 
diff --git a/Crypto/PubKey/Curve25519.hs b/Crypto/PubKey/Curve25519.hs
--- a/Crypto/PubKey/Curve25519.hs
+++ b/Crypto/PubKey/Curve25519.hs
@@ -33,9 +33,8 @@
 import           Crypto.Error
 import           Crypto.Internal.Compat
 import           Crypto.Internal.Imports
-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, ScrubbedBytes, Bytes, withByteArray)
+import           Crypto.Internal.ByteArray (ByteArrayAccess, ScrubbedBytes, Bytes, withByteArray)
 import qualified Crypto.Internal.ByteArray as B
-import           Crypto.Error (CryptoFailable(..))
 import           Crypto.Random
 
 -- | A Curve25519 Secret key
diff --git a/Crypto/PubKey/Curve448.hs b/Crypto/PubKey/Curve448.hs
--- a/Crypto/PubKey/Curve448.hs
+++ b/Crypto/PubKey/Curve448.hs
@@ -12,7 +12,6 @@
 -- data types are compatible with the encoding specified in RFC 7748.
 --
 {-# LANGUAGE GeneralizedNewtypeDeriving #-}
-{-# LANGUAGE MagicHash #-}
 module Crypto.PubKey.Curve448
     ( SecretKey
     , PublicKey
@@ -29,7 +28,6 @@
 
 import           Data.Word
 import           Foreign.Ptr
-import           GHC.Ptr
 
 import           Crypto.Error
 import           Crypto.Random
diff --git a/Crypto/PubKey/DH.hs b/Crypto/PubKey/DH.hs
--- a/Crypto/PubKey/DH.hs
+++ b/Crypto/PubKey/DH.hs
@@ -33,7 +33,7 @@
     { params_p :: Integer
     , params_g :: Integer
     , params_bits :: Int
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData Params where
     rnf (Params p g bits) = rnf p `seq` rnf g `seq` bits `seq` ()
diff --git a/Crypto/PubKey/DSA.hs b/Crypto/PubKey/DSA.hs
--- a/Crypto/PubKey/DSA.hs
+++ b/Crypto/PubKey/DSA.hs
@@ -28,19 +28,18 @@
     , toPrivateKey
     ) where
 
-import           Crypto.Random.Types
-import           Data.Bits (testBit)
-import           Data.Data
-import           Data.Maybe
-import           Crypto.Number.Basic (numBits)
-import           Crypto.Number.ModArithmetic (expFast, expSafe, inverse)
-import           Crypto.Number.Serialize
-import           Crypto.Number.Generate
-import           Crypto.Internal.ByteArray (ByteArrayAccess(length), convert, index, dropView, takeView)
-import           Crypto.Internal.Imports
-import           Crypto.Hash
-import           Prelude hiding (length)
 
+import Data.Data
+import Data.Maybe
+
+import Crypto.Number.ModArithmetic (expFast, expSafe, inverse)
+import Crypto.Number.Generate
+import Crypto.Internal.ByteArray (ByteArrayAccess)
+import Crypto.Internal.Imports
+import Crypto.Hash
+import Crypto.PubKey.Internal (dsaTruncHash)
+import Crypto.Random.Types
+
 -- | DSA Public Number, usually embedded in DSA Public Key
 type PublicNumber = Integer
 
@@ -52,7 +51,7 @@
     { params_p :: Integer -- ^ DSA p
     , params_g :: Integer -- ^ DSA g
     , params_q :: Integer -- ^ DSA q
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData Params where
     rnf (Params p g q) = p `seq` g `seq` q `seq` ()
@@ -61,7 +60,7 @@
 data Signature = Signature
     { sign_r :: Integer -- ^ DSA r
     , sign_s :: Integer -- ^ DSA s
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData Signature where
     rnf (Signature r s) = r `seq` s `seq` ()
@@ -70,7 +69,7 @@
 data PublicKey = PublicKey
     { public_params :: Params       -- ^ DSA parameters
     , public_y      :: PublicNumber -- ^ DSA public Y
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData PublicKey where
     rnf (PublicKey params y) = y `seq` params `seq` ()
@@ -82,14 +81,14 @@
 data PrivateKey = PrivateKey
     { private_params :: Params        -- ^ DSA parameters
     , private_x      :: PrivateNumber -- ^ DSA private X
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData PrivateKey where
     rnf (PrivateKey params x) = x `seq` params `seq` ()
 
 -- | Represent a DSA key pair
 data KeyPair = KeyPair Params PublicNumber PrivateNumber
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 instance NFData KeyPair where
     rnf (KeyPair params y x) = x `seq` y `seq` params `seq` ()
@@ -126,7 +125,7 @@
           x              = private_x pk
           -- compute r,s
           kInv      = fromJust $ inverse k q
-          hm        = os2ip $ hashWith hashAlg msg
+          hm        = dsaTruncHash hashAlg msg q
           r         = expSafe g k p `mod` q
           s         = (kInv * (hm + x * r)) `mod` q
 
@@ -148,11 +147,8 @@
     | otherwise                            = v == r
     where (Params p g q) = public_params pk
           y       = public_y pk
-          hm      = os2ip . truncateHash $ hashWith hashAlg m
-
+          hm      = dsaTruncHash hashAlg m q
           w       = fromJust $ inverse s q
           u1      = (hm*w) `mod` q
           u2      = (r*w) `mod` q
           v       = ((expFast g u1 p) * (expFast y u2 p)) `mod` p `mod` q
-          -- if the hash is larger than the size of q, truncate it; FIXME: deal with the case of a q not evenly divisible by 8
-          truncateHash h = if numBits (os2ip h) > numBits q then takeView h (numBits q `div` 8) else dropView h 0
diff --git a/Crypto/PubKey/ECC/ECDSA.hs b/Crypto/PubKey/ECC/ECDSA.hs
--- a/Crypto/PubKey/ECC/ECDSA.hs
+++ b/Crypto/PubKey/ECC/ECDSA.hs
@@ -11,45 +11,46 @@
     , toPublicKey
     , toPrivateKey
     , signWith
+    , signDigestWith
     , sign
+    , signDigest
     , verify
+    , verifyDigest
     ) where
 
 import Control.Monad
-import Crypto.Random.Types
-import Data.Bits (shiftR)
-import Crypto.Internal.ByteArray (ByteArrayAccess)
 import Data.Data
-import Crypto.Number.Basic (numBits)
+
+import Crypto.Hash
+import Crypto.Internal.ByteArray (ByteArrayAccess)
 import Crypto.Number.ModArithmetic (inverse)
-import Crypto.Number.Serialize
 import Crypto.Number.Generate
 import Crypto.PubKey.ECC.Types
 import Crypto.PubKey.ECC.Prim
-import Crypto.Hash
-import Crypto.Hash.Types (hashDigestSize)
+import Crypto.PubKey.Internal (dsaTruncHashDigest)
+import Crypto.Random.Types
 
 -- | Represent a ECDSA signature namely R and S.
 data Signature = Signature
     { sign_r :: Integer -- ^ ECDSA r
     , sign_s :: Integer -- ^ ECDSA s
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 -- | ECDSA Private Key.
 data PrivateKey = PrivateKey
     { private_curve :: Curve
     , private_d     :: PrivateNumber
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 -- | ECDSA Public Key.
 data PublicKey = PublicKey
     { public_curve :: Curve
     , public_q     :: PublicPoint
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 -- | ECDSA Key Pair.
 data KeyPair = KeyPair Curve PublicPoint PrivateNumber
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 -- | Public key of a ECDSA Key pair.
 toPublicKey :: KeyPair -> PublicKey
@@ -59,17 +60,16 @@
 toPrivateKey :: KeyPair -> PrivateKey
 toPrivateKey (KeyPair curve _ priv) = PrivateKey curve priv
 
--- | Sign message using the private key and an explicit k number.
+-- | Sign digest using the private key and an explicit k number.
 --
 -- /WARNING:/ Vulnerable to timing attacks.
-signWith :: (ByteArrayAccess msg, HashAlgorithm hash)
-         => Integer    -- ^ k random number
-         -> PrivateKey -- ^ private key
-         -> hash       -- ^ hash function
-         -> msg        -- ^ message to sign
-         -> Maybe Signature
-signWith k (PrivateKey curve d) hashAlg msg = do
-    let z = tHash hashAlg msg n
+signDigestWith :: HashAlgorithm hash
+               => Integer     -- ^ k random number
+               -> PrivateKey  -- ^ private key
+               -> Digest hash -- ^ digest to sign
+               -> Maybe Signature
+signDigestWith k (PrivateKey curve d) digest = do
+    let z = dsaTruncHashDigest digest n
         CurveCommon _ _ g n _ = common_curve curve
     let point = pointMul curve k g
     r <- case point of
@@ -80,26 +80,44 @@
     when (r == 0 || s == 0) Nothing
     return $ Signature r s
 
--- | Sign message using the private key.
+-- | Sign message using the private key and an explicit k number.
 --
 -- /WARNING:/ Vulnerable to timing attacks.
-sign :: (ByteArrayAccess msg, HashAlgorithm hash, MonadRandom m)
-     => PrivateKey -> hash -> msg -> m Signature
-sign pk hashAlg msg = do
+signWith :: (ByteArrayAccess msg, HashAlgorithm hash)
+         => Integer    -- ^ k random number
+         -> PrivateKey -- ^ private key
+         -> hash       -- ^ hash function
+         -> msg        -- ^ message to sign
+         -> Maybe Signature
+signWith k pk hashAlg msg = signDigestWith k pk (hashWith hashAlg msg)
+
+-- | Sign digest using the private key.
+--
+-- /WARNING:/ Vulnerable to timing attacks.
+signDigest :: (HashAlgorithm hash, MonadRandom m)
+           => PrivateKey -> Digest hash -> m Signature
+signDigest pk digest = do
     k <- generateBetween 1 (n - 1)
-    case signWith k pk hashAlg msg of
-         Nothing  -> sign pk hashAlg msg
+    case signDigestWith k pk digest of
+         Nothing  -> signDigest pk digest
          Just sig -> return sig
   where n = ecc_n . common_curve $ private_curve pk
 
--- | Verify a bytestring using the public key.
-verify :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> PublicKey -> Signature -> msg -> Bool
-verify _       (PublicKey _ PointO) _ _ = False
-verify hashAlg pk@(PublicKey curve q) (Signature r s) msg
+-- | Sign message using the private key.
+--
+-- /WARNING:/ Vulnerable to timing attacks.
+sign :: (ByteArrayAccess msg, HashAlgorithm hash, MonadRandom m)
+     => PrivateKey -> hash -> msg -> m Signature
+sign pk hashAlg msg = signDigest pk (hashWith hashAlg msg)
+
+-- | Verify a digest using the public key.
+verifyDigest :: HashAlgorithm hash => PublicKey -> Signature -> Digest hash -> Bool
+verifyDigest (PublicKey _ PointO) _ _ = False
+verifyDigest pk@(PublicKey curve q) (Signature r s) digest
     | r < 1 || r >= n || s < 1 || s >= n = False
     | otherwise = maybe False (r ==) $ do
         w <- inverse s n
-        let z  = tHash hashAlg msg n
+        let z  = dsaTruncHashDigest digest n
             u1 = z * w `mod` n
             u2 = r * w `mod` n
             x  = pointAddTwoMuls curve u1 g u2 q
@@ -110,10 +128,6 @@
         g = ecc_g cc
         cc = common_curve $ public_curve pk
 
--- | Truncate and hash.
-tHash :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> msg -> Integer -> Integer
-tHash hashAlg m n
-    | d > 0 = shiftR e d
-    | otherwise = e
-  where e = os2ip $ hashWith hashAlg m
-        d = hashDigestSize hashAlg * 8 - numBits n
+-- | Verify a bytestring using the public key.
+verify :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> PublicKey -> Signature -> msg -> Bool
+verify hashAlg pk sig msg = verifyDigest pk sig (hashWith hashAlg msg)
diff --git a/Crypto/PubKey/ECC/P256.hs b/Crypto/PubKey/ECC/P256.hs
--- a/Crypto/PubKey/ECC/P256.hs
+++ b/Crypto/PubKey/ECC/P256.hs
@@ -45,7 +45,6 @@
 import           Data.Word
 import           Foreign.Ptr
 import           Foreign.C.Types
-import           Control.Monad
 
 import           Crypto.Internal.Compat
 import           Crypto.Internal.Imports
@@ -222,34 +221,21 @@
     result <- ccryptonite_p256_is_zero d
     return $ result /= 0
 
-scalarNeedReducing :: Ptr P256Scalar -> IO Bool
-scalarNeedReducing d = do
-    c <- ccryptonite_p256_cmp d ccryptonite_SECP256r1_n
-    return (c >= 0)
-
 -- | Perform addition between two scalars
 --
 -- > a + b
 scalarAdd :: Scalar -> Scalar -> Scalar
 scalarAdd a b =
-    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb -> do
-        carry <- ccryptonite_p256_add pa pb d
-        when (carry /= 0) $ void $ ccryptonite_p256_sub d ccryptonite_SECP256r1_n d
-        needReducing <- scalarNeedReducing d
-        when needReducing $ do
-            ccryptonite_p256_mod ccryptonite_SECP256r1_n d d
+    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->
+        ccryptonite_p256e_modadd ccryptonite_SECP256r1_n pa pb d
 
 -- | Perform subtraction between two scalars
 --
 -- > a - b
 scalarSub :: Scalar -> Scalar -> Scalar
 scalarSub a b =
-    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb -> do
-        borrow <- ccryptonite_p256_sub pa pb d
-        when (borrow /= 0) $ void $ ccryptonite_p256_add d ccryptonite_SECP256r1_n d
-        --needReducing <- scalarNeedReducing d
-        --when needReducing $ do
-        --    ccryptonite_p256_mod ccryptonite_SECP256r1_n d d
+    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->
+        ccryptonite_p256e_modsub ccryptonite_SECP256r1_n pa pb d
 
 -- | Give the inverse of the scalar
 --
@@ -352,12 +338,12 @@
     ccryptonite_p256_is_zero :: Ptr P256Scalar -> IO CInt
 foreign import ccall "cryptonite_p256_clear"
     ccryptonite_p256_clear :: Ptr P256Scalar -> IO ()
-foreign import ccall "cryptonite_p256_add"
-    ccryptonite_p256_add :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO CInt
+foreign import ccall "cryptonite_p256e_modadd"
+    ccryptonite_p256e_modadd :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO ()
 foreign import ccall "cryptonite_p256_add_d"
     ccryptonite_p256_add_d :: Ptr P256Scalar -> P256Digit -> Ptr P256Scalar -> IO CInt
-foreign import ccall "cryptonite_p256_sub"
-    ccryptonite_p256_sub :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO CInt
+foreign import ccall "cryptonite_p256e_modsub"
+    ccryptonite_p256e_modsub :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO ()
 foreign import ccall "cryptonite_p256_cmp"
     ccryptonite_p256_cmp :: Ptr P256Scalar -> Ptr P256Scalar -> IO CInt
 foreign import ccall "cryptonite_p256_mod"
diff --git a/Crypto/PubKey/ECC/Types.hs b/Crypto/PubKey/ECC/Types.hs
--- a/Crypto/PubKey/ECC/Types.hs
+++ b/Crypto/PubKey/ECC/Types.hs
@@ -33,7 +33,7 @@
 -- | Define either a binary curve or a prime curve.
 data Curve = CurveF2m CurveBinary -- ^ 𝔽(2^m)
            | CurveFP  CurvePrime  -- ^ 𝔽p
-           deriving (Show,Read,Eq,Data,Typeable)
+           deriving (Show,Read,Eq,Data)
 
 -- | ECC Public Point
 type PublicPoint = Point
@@ -44,7 +44,7 @@
 -- | Define a point on a curve.
 data Point = Point Integer Integer
            | PointO -- ^ Point at Infinity
-           deriving (Show,Read,Eq,Data,Typeable)
+           deriving (Show,Read,Eq,Data)
 
 instance NFData Point where
     rnf (Point x y) = x `seq` y `seq` ()
@@ -53,7 +53,7 @@
 -- | Define an elliptic curve in 𝔽(2^m).
 -- The firt parameter is the Integer representatioin of the irreducible polynomial f(x).
 data CurveBinary = CurveBinary Integer CurveCommon
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 instance NFData CurveBinary where
     rnf (CurveBinary i cc) = i `seq` cc `seq` ()
@@ -61,7 +61,7 @@
 -- | Define an elliptic curve in 𝔽p.
 -- The first parameter is the Prime Number.
 data CurvePrime = CurvePrime Integer CurveCommon
-    deriving (Show,Read,Eq,Data,Typeable)
+    deriving (Show,Read,Eq,Data)
 
 -- | Parameters in common between binary and prime curves.
 common_curve :: Curve -> CurveCommon
@@ -84,7 +84,7 @@
     , ecc_g :: Point   -- ^ base point
     , ecc_n :: Integer -- ^ order of G
     , ecc_h :: Integer -- ^ cofactor
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 -- | Define names for known recommended curves.
 data CurveName =
@@ -121,7 +121,7 @@
     | SEC_t409r1
     | SEC_t571k1
     | SEC_t571r1
-    deriving (Show,Read,Eq,Ord,Enum,Bounded,Data,Typeable)
+    deriving (Show,Read,Eq,Ord,Enum,Bounded,Data)
 
 {-
 curvesOIDs :: [ (CurveName, [Integer]) ]
diff --git a/Crypto/PubKey/ECIES.hs b/Crypto/PubKey/ECIES.hs
--- a/Crypto/PubKey/ECIES.hs
+++ b/Crypto/PubKey/ECIES.hs
@@ -27,7 +27,6 @@
 import           Crypto.ECC
 import           Crypto.Error
 import           Crypto.Random
-import           Crypto.Internal.Proxy
 
 -- | Generate random a new Shared secret and the associated point
 -- to do a ECIES style encryption
diff --git a/Crypto/PubKey/Internal.hs b/Crypto/PubKey/Internal.hs
--- a/Crypto/PubKey/Internal.hs
+++ b/Crypto/PubKey/Internal.hs
@@ -8,10 +8,18 @@
 module Crypto.PubKey.Internal
     ( and'
     , (&&!)
+    , dsaTruncHash
+    , dsaTruncHashDigest
     ) where
 
+import Data.Bits (shiftR)
 import Data.List (foldl')
 
+import Crypto.Hash
+import Crypto.Internal.ByteArray (ByteArrayAccess)
+import Crypto.Number.Basic (numBits)
+import Crypto.Number.Serialize
+
 -- | This is a strict version of and
 and' :: [Bool] -> Bool
 and' l = foldl' (&&!) True l
@@ -22,3 +30,18 @@
 True  &&! False = False
 False &&! True  = False
 False &&! False = False
+
+-- | Truncate and hash for DSA and ECDSA.
+dsaTruncHash :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> msg -> Integer -> Integer
+dsaTruncHash hashAlg = dsaTruncHashDigest . hashWith hashAlg
+
+-- | Truncate a digest for DSA and ECDSA.
+dsaTruncHashDigest :: HashAlgorithm hash => Digest hash -> Integer -> Integer
+dsaTruncHashDigest digest n
+    | d > 0 = shiftR e d
+    | otherwise = e
+  where e = os2ip digest
+        d = hashDigestSize (getHashAlg digest) * 8 - numBits n
+
+getHashAlg :: Digest hash -> hash
+getHashAlg _ = undefined
diff --git a/Crypto/PubKey/RSA.hs b/Crypto/PubKey/RSA.hs
--- a/Crypto/PubKey/RSA.hs
+++ b/Crypto/PubKey/RSA.hs
@@ -16,7 +16,6 @@
     , generateBlinder
     ) where
 
-import Crypto.Internal.Imports
 import Crypto.Random.Types
 import Crypto.Number.ModArithmetic (inverse, inverseCoprimes)
 import Crypto.Number.Generate (generateMax)
@@ -55,7 +54,7 @@
 --
 generateWith :: (Integer, Integer) -- ^ chosen distinct primes p and q
              -> Int                -- ^ size in bytes
-             -> Integer            -- ^ RSA public exponant 'e'
+             -> Integer            -- ^ RSA public exponent 'e'
              -> Maybe (PublicKey, PrivateKey)
 generateWith (p,q) size e =
     case inverse e phi of
@@ -81,7 +80,7 @@
 -- | generate a pair of (private, public) key of size in bytes.
 generate :: MonadRandom m
          => Int     -- ^ size in bytes
-         -> Integer -- ^ RSA public exponant 'e'
+         -> Integer -- ^ RSA public exponent 'e'
          -> m (PublicKey, PrivateKey)
 generate size e = loop
   where
diff --git a/Crypto/PubKey/RSA/PKCS15.hs b/Crypto/PubKey/RSA/PKCS15.hs
--- a/Crypto/PubKey/RSA/PKCS15.hs
+++ b/Crypto/PubKey/RSA/PKCS15.hs
@@ -111,8 +111,8 @@
 -- | Produce a standard PKCS1.5 padding for signature
 padSignature :: ByteArray signature => Int -> signature -> Either Error signature
 padSignature klen signature
-    | klen < siglen+1 = Left SignatureTooLong
-    | otherwise       = Right (B.pack padding `B.append` signature)
+    | klen < siglen + 11 = Left SignatureTooLong
+    | otherwise          = Right (B.pack padding `B.append` signature)
   where
         siglen    = B.length signature
         padding   = 0 : 1 : (replicate (klen - siglen - 3) 0xff ++ [0])
diff --git a/Crypto/PubKey/RSA/PSS.hs b/Crypto/PubKey/RSA/PSS.hs
--- a/Crypto/PubKey/RSA/PSS.hs
+++ b/Crypto/PubKey/RSA/PSS.hs
@@ -26,11 +26,12 @@
 import           Crypto.PubKey.RSA (generateBlinder)
 import           Crypto.PubKey.MaskGenFunction
 import           Crypto.Hash
+import           Crypto.Number.Basic (numBits)
 import           Data.Bits (xor, shiftR, (.&.))
 import           Data.Word
 
 import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray)
-import qualified Crypto.Internal.ByteArray as B (convert)
+import qualified Crypto.Internal.ByteArray as B (convert, eq)
 
 import           Data.ByteString (ByteString)
 import qualified Data.ByteString as B
@@ -69,18 +70,19 @@
                    -> Digest hash   -- ^ Message digest
                    -> Either Error ByteString
 signDigestWithSalt salt blinder params pk digest
-    | k < hashLen + saltLen + 2 = Left InvalidParameters
-    | otherwise                 = Right $ dp blinder pk em
+    | emLen < hashLen + saltLen + 2 = Left InvalidParameters
+    | otherwise                     = Right $ dp blinder pk em
     where k        = private_size pk
+          emLen    = if emTruncate pubBits then k - 1 else k
           mHash    = B.convert digest
-          dbLen    = k - hashLen - 1
+          dbLen    = emLen - hashLen - 1
           saltLen  = B.length salt
           hashLen  = hashDigestSize (pssHash params)
-          pubBits  = private_size pk * 8 -- to change if public_size is converted in bytes
+          pubBits  = numBits (private_n pk)
           m'       = B.concat [B.replicate 8 0,mHash,salt]
           h        = B.convert $ hashWith (pssHash params) m'
           db       = B.concat [B.replicate (dbLen - saltLen - 1) 0,B.singleton 1,salt]
-          dbmask   = (pssMaskGenAlg params) h dbLen
+          dbmask   = pssMaskGenAlg params h dbLen
           maskedDB = B.pack $ normalizeToKeySize pubBits $ B.zipWith xor db dbmask
           em       = B.concat [maskedDB, h, B.singleton (pssTrailerField params)]
 
@@ -148,7 +150,7 @@
        -> ByteString -- ^ Message to verify
        -> ByteString -- ^ Signature
        -> Bool
-verify params pk m s = verifyDigest params pk mHash s
+verify params pk m = verifyDigest params pk mHash
   where mHash     = hashWith (pssHash params) m
 
 -- | Verify a signature using the PSS Parameters
@@ -161,30 +163,37 @@
              -> ByteString  -- ^ Signature
              -> Bool
 verifyDigest params pk digest s
-    | public_size pk /= B.length s        = False
+    | B.length s /= k                     = False
+    | B.any (/= 0) pre                    = False
     | B.last em /= pssTrailerField params = False
-    | not (B.all (== 0) ps0)              = False
+    | B.any (/= 0) ps0                    = False
     | b1 /= B.singleton 1                 = False
-    | otherwise                           = h == B.convert h'
+    | otherwise                           = B.eq h h'
         where -- parameters
               hashLen   = hashDigestSize (pssHash params)
               mHash     = B.convert digest
-              dbLen     = public_size pk - hashLen - 1
-              pubBits   = public_size pk * 8 -- to change if public_size is converted in bytes
+              k         = public_size pk
+              emLen     = if emTruncate pubBits then k - 1 else k
+              dbLen     = emLen - hashLen - 1
+              pubBits   = numBits (public_n pk)
               -- unmarshall fields
-              em        = ep pk s
-              maskedDB  = B.take (B.length em - hashLen - 1) em
+              (pre, em) = B.splitAt (k - emLen) (ep pk s) -- drop 0..1 byte
+              maskedDB  = B.take dbLen em
               h         = B.take hashLen $ B.drop (B.length maskedDB) em
-              dbmask    = (pssMaskGenAlg params) h dbLen
+              dbmask    = pssMaskGenAlg params h dbLen
               db        = B.pack $ normalizeToKeySize pubBits $ B.zipWith xor maskedDB dbmask
               (ps0,z)   = B.break (== 1) db
               (b1,salt) = B.splitAt 1 z
               m'        = B.concat [B.replicate 8 0,mHash,salt]
               h'        = hashWith (pssHash params) m'
 
+-- When the modulus has bit length 1 modulo 8 we drop the first byte.
+emTruncate :: Int -> Bool
+emTruncate bits = ((bits-1) .&. 0x7) == 0
+
 normalizeToKeySize :: Int -> [Word8] -> [Word8]
 normalizeToKeySize _    []     = [] -- very unlikely
 normalizeToKeySize bits (x:xs) = x .&. mask : xs
     where mask = if sh > 0 then 0xff `shiftR` (8-sh) else 0xff
-          sh   = ((bits-1) .&. 0x7)
+          sh   = (bits-1) .&. 0x7
 
diff --git a/Crypto/PubKey/RSA/Types.hs b/Crypto/PubKey/RSA/Types.hs
--- a/Crypto/PubKey/RSA/Types.hs
+++ b/Crypto/PubKey/RSA/Types.hs
@@ -41,8 +41,8 @@
 data PublicKey = PublicKey
     { public_size :: Int      -- ^ size of key in bytes
     , public_n    :: Integer  -- ^ public p*q
-    , public_e    :: Integer  -- ^ public exponant e
-    } deriving (Show,Read,Eq,Data,Typeable)
+    , public_e    :: Integer  -- ^ public exponent e
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData PublicKey where
     rnf (PublicKey sz n e) = rnf n `seq` rnf e `seq` sz `seq` ()
@@ -59,13 +59,13 @@
 --
 data PrivateKey = PrivateKey
     { private_pub  :: PublicKey -- ^ public part of a private key (size, n and e)
-    , private_d    :: Integer   -- ^ private exponant d
+    , private_d    :: Integer   -- ^ private exponent d
     , private_p    :: Integer   -- ^ p prime number
     , private_q    :: Integer   -- ^ q prime number
     , private_dP   :: Integer   -- ^ d mod (p-1)
     , private_dQ   :: Integer   -- ^ d mod (q-1)
     , private_qinv :: Integer   -- ^ q^(-1) mod p
-    } deriving (Show,Read,Eq,Data,Typeable)
+    } deriving (Show,Read,Eq,Data)
 
 instance NFData PrivateKey where
     rnf (PrivateKey pub d p q dp dq qinv) =
@@ -87,7 +87,7 @@
 --
 -- note the RSA private key contains already an instance of public key for efficiency
 newtype KeyPair = KeyPair PrivateKey
-    deriving (Show,Read,Eq,Data,Typeable,NFData)
+    deriving (Show,Read,Eq,Data,NFData)
 
 -- | Public key of a RSA KeyPair
 toPublicKey :: KeyPair -> PublicKey
diff --git a/Crypto/PubKey/Rabin/Basic.hs b/Crypto/PubKey/Rabin/Basic.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/PubKey/Rabin/Basic.hs
@@ -0,0 +1,230 @@
+-- |
+-- Module      : Crypto.PubKey.Rabin.Basic
+-- License     : BSD-style
+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>
+-- Stability   : experimental
+-- Portability : unknown
+--
+-- Rabin cryptosystem for public-key cryptography and digital signature.
+--
+{-# LANGUAGE DeriveDataTypeable #-}
+module Crypto.PubKey.Rabin.Basic
+    ( PublicKey(..)
+    , PrivateKey(..)
+    , Signature(..)
+    , generate
+    , encrypt
+    , encryptWithSeed
+    , decrypt
+    , sign
+    , signWith
+    , verify
+    ) where
+
+import           Data.ByteString (ByteString)
+import qualified Data.ByteString as B
+import           Data.Data
+import           Data.Either (rights)
+
+import           Crypto.Hash
+import           Crypto.Number.Basic (gcde, numBytes)
+import           Crypto.Number.ModArithmetic (expSafe, jacobi)
+import           Crypto.Number.Serialize (i2osp, i2ospOf_, os2ip)
+import           Crypto.PubKey.Rabin.OAEP 
+import           Crypto.PubKey.Rabin.Types
+import           Crypto.Random (MonadRandom, getRandomBytes)
+
+-- | Represent a Rabin public key.
+data PublicKey = PublicKey
+    { public_size :: Int      -- ^ size of key in bytes
+    , public_n    :: Integer  -- ^ public p*q
+    } deriving (Show, Read, Eq, Data)
+
+-- | Represent a Rabin private key.
+data PrivateKey = PrivateKey
+    { private_pub :: PublicKey
+    , private_p   :: Integer   -- ^ p prime number
+    , private_q   :: Integer   -- ^ q prime number
+    , private_a   :: Integer
+    , private_b   :: Integer
+    } deriving (Show, Read, Eq, Data)
+
+-- | Rabin Signature.
+data Signature = Signature (Integer, Integer) deriving (Show, Read, Eq, Data)
+
+-- | Generate a pair of (private, public) key of size in bytes.
+-- Primes p and q are both congruent 3 mod 4.
+--
+-- See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+generate :: MonadRandom m
+         => Int
+         -> m (PublicKey, PrivateKey)
+generate size = do
+    (p, q) <- generatePrimes size (\p -> p `mod` 4 == 3) (\q -> q `mod` 4 == 3)
+    return $ generateKeys p q
+  where 
+    generateKeys p q =
+        let n = p*q
+            (a, b, _) = gcde p q 
+            publicKey = PublicKey { public_size = size
+                                    , public_n    = n }
+            privateKey = PrivateKey { private_pub = publicKey
+                                    , private_p   = p
+                                    , private_q   = q
+                                    , private_a   = a
+                                    , private_b   = b }
+            in (publicKey, privateKey)
+
+-- | Encrypt plaintext using public key an a predefined OAEP seed.
+--
+-- See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+encryptWithSeed :: HashAlgorithm hash
+                => ByteString                               -- ^ Seed
+                -> OAEPParams hash ByteString ByteString    -- ^ OAEP padding
+                -> PublicKey                                -- ^ public key
+                -> ByteString                               -- ^ plaintext
+                -> Either Error ByteString
+encryptWithSeed seed oaep pk m =
+    let n  = public_n pk
+        k  = numBytes n
+     in do
+        m' <- pad seed oaep k m
+        let m'' = os2ip m'
+        return $ i2osp $ expSafe m'' 2 n
+
+-- | Encrypt plaintext using public key.
+encrypt :: (HashAlgorithm hash, MonadRandom m)
+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters
+        -> PublicKey                                -- ^ public key
+        -> ByteString                               -- ^ plaintext 
+        -> m (Either Error ByteString)
+encrypt oaep pk m = do
+    seed <- getRandomBytes hashLen
+    return $ encryptWithSeed seed oaep pk m
+  where
+    hashLen = hashDigestSize (oaepHash oaep) 
+
+-- | Decrypt ciphertext using private key.
+--
+-- See algorithm 8.12 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+decrypt :: HashAlgorithm hash
+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters
+        -> PrivateKey                               -- ^ private key
+        -> ByteString                               -- ^ ciphertext
+        -> Maybe ByteString
+decrypt oaep pk c =
+    let p  = private_p pk 
+        q  = private_q pk     
+        a  = private_a pk 
+        b  = private_b pk
+        n  = public_n $ private_pub pk
+        k  = numBytes n
+        c' = os2ip c
+        solutions = rights $ toList $ mapTuple (unpad oaep k . i2ospOf_ k) $ sqroot' c' p q a b n
+     in if length solutions /= 1 then Nothing
+        else Just $ head solutions
+      where toList (w, x, y, z) = w:x:y:z:[]
+            mapTuple f (w, x, y, z) = (f w, f x, f y, f z)
+
+-- | Sign message using padding, hash algorithm and private key.
+--
+-- See <https://en.wikipedia.org/wiki/Rabin_signature_algorithm>.
+signWith :: HashAlgorithm hash
+         => ByteString    -- ^ padding
+         -> PrivateKey    -- ^ private key
+         -> hash          -- ^ hash function
+         -> ByteString    -- ^ message to sign
+         -> Either Error Signature
+signWith padding pk hashAlg m = do
+    h <- calculateHash padding pk hashAlg m
+    signature <- calculateSignature h
+    return signature
+  where
+    calculateSignature h =
+        let p = private_p pk
+            q = private_q pk     
+            a = private_a pk 
+            b = private_b pk
+            n = public_n $ private_pub pk
+         in if h >= n then Left MessageTooLong
+            else let (r, _, _, _) = sqroot' h p q a b n
+                  in Right $ Signature (os2ip padding, r)
+
+-- | Sign message using hash algorithm and private key.
+--
+-- See <https://en.wikipedia.org/wiki/Rabin_signature_algorithm>.
+sign :: (MonadRandom m, HashAlgorithm hash)
+     => PrivateKey    -- ^ private key
+     -> hash          -- ^ hash function
+     -> ByteString    -- ^ message to sign
+     -> m (Either Error Signature)
+sign pk hashAlg m = do
+    padding <- findPadding
+    return $ signWith padding pk hashAlg m
+  where 
+    findPadding = do
+        padding <- getRandomBytes 8
+        case calculateHash padding pk hashAlg m of
+            Right _ -> return padding
+            _       -> findPadding
+
+-- | Calculate hash of message and padding.
+-- If the padding is valid, then the result of the hash operation is returned, otherwise an error.
+calculateHash :: HashAlgorithm hash
+              => ByteString    -- ^ padding
+              -> PrivateKey    -- ^ private key
+              -> hash          -- ^ hash function
+              -> ByteString    -- ^ message to sign
+              -> Either Error Integer
+calculateHash padding pk hashAlg m = 
+    let p = private_p pk
+        q = private_q pk
+        h = os2ip $ hashWith hashAlg $ B.append padding m
+     in case (jacobi (h `mod` p) p, jacobi (h `mod` q) q) of
+            (Just 1, Just 1) -> Right h
+            _                -> Left InvalidParameters
+
+-- | Verify signature using hash algorithm and public key.
+--
+-- See <https://en.wikipedia.org/wiki/Rabin_signature_algorithm>.
+verify :: HashAlgorithm hash
+       => PublicKey     -- ^ private key
+       -> hash          -- ^ hash function
+       -> ByteString    -- ^ message
+       -> Signature     -- ^ signature
+       -> Bool
+verify pk hashAlg m (Signature (padding, s)) =
+    let n  = public_n pk
+        p  = i2osp padding
+        h  = os2ip $ hashWith hashAlg $ B.append p m 
+        h' = expSafe s 2 n
+     in h' == h
+
+-- | Square roots modulo prime p where p is congruent 3 mod 4
+-- Value a must be a quadratic residue modulo p (i.e. jacobi symbol (a/n) = 1).
+--
+-- See algorithm 3.36 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+sqroot :: Integer
+       -> Integer   -- ^ prime p
+       -> (Integer, Integer)
+sqroot a p =
+    let r = expSafe a ((p + 1) `div` 4) p
+     in (r, -r)
+
+-- | Square roots modulo n given its prime factors p and q (both congruent 3 mod 4)
+-- Value a must be a quadratic residue of both modulo p and modulo q (i.e. jacobi symbols (a/p) = (a/q) = 1).
+-- 
+-- See algorithm 3.44 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+sqroot' :: Integer 
+        -> Integer  -- ^ prime p
+        -> Integer  -- ^ prime q
+        -> Integer  -- ^ c such that c*p + d*q = 1
+        -> Integer  -- ^ d such that c*p + d*q = 1
+        -> Integer  -- ^ n = p*q
+        -> (Integer, Integer, Integer, Integer)
+sqroot' a p q c d n =
+    let (r, _) = sqroot a p
+        (s, _) = sqroot a q
+        x      = (r*d*q + s*c*p) `mod` n
+        y      = (r*d*q - s*c*p) `mod` n
+     in (x, (-x) `mod` n, y, (-y) `mod` n)
diff --git a/Crypto/PubKey/Rabin/Modified.hs b/Crypto/PubKey/Rabin/Modified.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/PubKey/Rabin/Modified.hs
@@ -0,0 +1,101 @@
+-- |
+-- Module      : Crypto.PubKey.Rabin.Modified
+-- License     : BSD-style
+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>
+-- Stability   : experimental
+-- Portability : unknown
+--
+-- Modified-Rabin public-key digital signature algorithm.
+-- See algorithm 11.30 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+--
+{-# LANGUAGE DeriveDataTypeable #-}
+module Crypto.PubKey.Rabin.Modified
+    ( PublicKey(..)
+    , PrivateKey(..)
+    , generate
+    , sign
+    , verify
+    ) where
+
+import           Data.ByteString
+import           Data.Data
+
+import           Crypto.Hash
+import           Crypto.Number.ModArithmetic (expSafe, jacobi)
+import           Crypto.Number.Serialize (os2ip)
+import           Crypto.PubKey.Rabin.Types
+import           Crypto.Random.Types
+
+-- | Represent a Modified-Rabin public key.
+data PublicKey = PublicKey
+    { public_size :: Int      -- ^ size of key in bytes
+    , public_n    :: Integer  -- ^ public p*q
+    } deriving (Show, Read, Eq, Data)
+
+-- | Represent a Modified-Rabin private key.
+data PrivateKey = PrivateKey
+    { private_pub :: PublicKey
+    , private_p   :: Integer   -- ^ p prime number
+    , private_q   :: Integer   -- ^ q prime number
+    , private_d   :: Integer
+    } deriving (Show, Read, Eq, Data)
+
+-- | Generate a pair of (private, public) key of size in bytes.
+-- Prime p is congruent 3 mod 8 and prime q is congruent 7 mod 8.
+generate :: MonadRandom m
+         => Int           
+         -> m (PublicKey, PrivateKey)
+generate size = do
+    (p, q) <- generatePrimes size (\p -> p `mod` 8 == 3) (\q -> q `mod` 8 == 7)
+    return $ generateKeys p q
+  where 
+    generateKeys p q =
+        let n = p*q   
+            d = (n - p - q + 5) `div` 8
+            publicKey = PublicKey { public_size = size
+                                    , public_n    = n }
+            privateKey = PrivateKey { private_pub = publicKey
+                                    , private_p   = p
+                                    , private_q   = q
+                                    , private_d   = d }
+            in (publicKey, privateKey)
+
+-- | Sign message using hash algorithm and private key.
+sign :: HashAlgorithm hash
+     => PrivateKey    -- ^ private key
+     -> hash          -- ^ hash function
+     -> ByteString    -- ^ message to sign
+     -> Either Error Integer
+sign pk hashAlg m =
+    let d = private_d pk
+        n = public_n $ private_pub pk
+        h = os2ip $ hashWith hashAlg m
+        limit = (n - 6) `div` 16
+     in if h > limit then Left MessageTooLong
+        else let h' = 16*h + 6
+              in case jacobi h' n of
+                    Just 1    -> Right $ expSafe h' d n
+                    Just (-1) -> Right $ expSafe (h' `div` 2) d n
+                    _         -> Left InvalidParameters
+
+-- | Verify signature using hash algorithm and public key.
+verify :: HashAlgorithm hash
+       => PublicKey     -- ^ public key
+       -> hash          -- ^ hash function
+       -> ByteString    -- ^ message
+       -> Integer       -- ^ signature
+       -> Bool
+verify pk hashAlg m s =
+    let n   = public_n pk
+        h   = os2ip $ hashWith hashAlg m
+        s'  = expSafe s 2 n
+        s'' = case s' `mod` 8 of
+            6 -> s'
+            3 -> 2*s'
+            7 -> n - s'
+            2 -> 2*(n - s')
+            _ -> 0
+     in case s'' `mod` 16 of
+            6 -> let h' = (s'' - 6) `div` 16
+                  in h' == h 
+            _ -> False
diff --git a/Crypto/PubKey/Rabin/OAEP.hs b/Crypto/PubKey/Rabin/OAEP.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/PubKey/Rabin/OAEP.hs
@@ -0,0 +1,100 @@
+-- |
+-- Module      : Crypto.PubKey.Rabin.OAEP
+-- License     : BSD-style
+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>
+-- Stability   : experimental
+-- Portability : unknown
+--
+-- OAEP padding scheme.
+-- See <http://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding>.
+--
+module Crypto.PubKey.Rabin.OAEP
+    ( OAEPParams(..)
+    , defaultOAEPParams
+    , pad
+    , unpad
+    ) where
+        
+import           Data.ByteString (ByteString)
+import qualified Data.ByteString as B
+import           Data.Bits (xor)
+
+import           Crypto.Hash
+import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray)
+import qualified Crypto.Internal.ByteArray as B (convert)
+import           Crypto.PubKey.MaskGenFunction
+import           Crypto.PubKey.Internal (and')
+import           Crypto.PubKey.Rabin.Types
+
+-- | Parameters for OAEP padding.
+data OAEPParams hash seed output = OAEPParams
+    { oaepHash       :: hash                            -- ^ hash function to use
+    , oaepMaskGenAlg :: MaskGenAlgorithm seed output    -- ^ mask Gen algorithm to use
+    , oaepLabel      :: Maybe ByteString                -- ^ optional label prepended to message
+    }
+
+-- | Default Params with a specified hash function.
+defaultOAEPParams :: (ByteArrayAccess seed, ByteArray output, HashAlgorithm hash)
+                  => hash
+                  -> OAEPParams hash seed output
+defaultOAEPParams hashAlg =
+    OAEPParams { oaepHash       = hashAlg
+               , oaepMaskGenAlg = mgf1 hashAlg
+               , oaepLabel      = Nothing
+               }
+
+-- | Pad a message using OAEP.
+pad :: HashAlgorithm hash
+    => ByteString                               -- ^ Seed
+    -> OAEPParams hash ByteString ByteString    -- ^ OAEP params to use
+    -> Int                                      -- ^ size of public key in bytes
+    -> ByteString                               -- ^ Message pad
+    -> Either Error ByteString
+pad seed oaep k msg
+    | k < 2*hashLen+2          = Left InvalidParameters
+    | B.length seed /= hashLen = Left InvalidParameters
+    | mLen > k - 2*hashLen-2   = Left MessageTooLong
+    | otherwise                = Right em
+    where -- parameters
+        mLen       = B.length msg
+        mgf        = oaepMaskGenAlg oaep
+        labelHash  = hashWith (oaepHash oaep) (maybe B.empty id $ oaepLabel oaep)
+        hashLen    = hashDigestSize (oaepHash oaep)
+        -- put fields
+        ps         = B.replicate (k - mLen - 2*hashLen - 2) 0
+        db         = B.concat [B.convert labelHash, ps, B.singleton 0x1, msg]
+        dbmask     = mgf seed (k - hashLen - 1)
+        maskedDB   = B.pack $ B.zipWith xor db dbmask
+        seedMask   = mgf maskedDB hashLen
+        maskedSeed = B.pack $ B.zipWith xor seed seedMask
+        em         = B.concat [B.singleton 0x0, maskedSeed, maskedDB]
+
+-- | Un-pad a OAEP encoded message.
+unpad :: HashAlgorithm hash
+      => OAEPParams hash ByteString ByteString  -- ^ OAEP params to use
+      -> Int                                    -- ^ size of public key in bytes
+      -> ByteString                             -- ^ encoded message (not encrypted)
+      -> Either Error ByteString
+unpad oaep k em
+    | paddingSuccess = Right msg
+    | otherwise      = Left MessageNotRecognized
+    where -- parameters
+        mgf        = oaepMaskGenAlg oaep
+        labelHash  = B.convert $ hashWith (oaepHash oaep) (maybe B.empty id $ oaepLabel oaep)
+        hashLen    = hashDigestSize (oaepHash oaep)
+        -- getting em's fields
+        (pb, em0)  = B.splitAt 1 em
+        (maskedSeed, maskedDB) = B.splitAt hashLen em0
+        seedMask   = mgf maskedDB hashLen
+        seed       = B.pack $ B.zipWith xor maskedSeed seedMask
+        dbmask     = mgf seed (k - hashLen - 1)
+        db         = B.pack $ B.zipWith xor maskedDB dbmask
+        -- getting db's fields
+        (labelHash', db1) = B.splitAt hashLen db
+        (_, db2)   = B.break (/= 0) db1
+        (ps1, msg) = B.splitAt 1 db2
+
+        paddingSuccess = and' [ labelHash' == labelHash -- no need for constant eq
+                              , ps1        == B.replicate 1 0x1
+                              , pb         == B.replicate 1 0x0
+                              ]
diff --git a/Crypto/PubKey/Rabin/RW.hs b/Crypto/PubKey/Rabin/RW.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/PubKey/Rabin/RW.hs
@@ -0,0 +1,166 @@
+-- |
+-- Module      : Crypto.PubKey.Rabin.RW
+-- License     : BSD-style
+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>
+-- Stability   : experimental
+-- Portability : unknown
+--
+-- Rabin-Williams cryptosystem for public-key encryption and digital signature. 
+-- See pages 323 - 324 in "Computational Number Theory and Modern Cryptography" by Song Y. Yan.
+-- Also inspired by https://github.com/vanilala/vncrypt/blob/master/vncrypt/vnrw_gmp.c.
+-- 
+{-# LANGUAGE DeriveDataTypeable #-}
+module Crypto.PubKey.Rabin.RW
+    ( PublicKey(..)
+    , PrivateKey(..)
+    , generate
+    , encrypt
+    , encryptWithSeed
+    , decrypt
+    , sign
+    , verify
+    ) where
+
+import           Data.ByteString
+import           Data.Data
+
+import           Crypto.Hash
+import           Crypto.Number.Basic (numBytes)
+import           Crypto.Number.ModArithmetic (expSafe, jacobi)
+import           Crypto.Number.Serialize (i2osp, i2ospOf_, os2ip)
+import           Crypto.PubKey.Rabin.OAEP
+import           Crypto.PubKey.Rabin.Types
+import           Crypto.Random.Types
+
+-- | Represent a Rabin-Williams public key.
+data PublicKey = PublicKey
+    { public_size :: Int      -- ^ size of key in bytes
+    , public_n    :: Integer  -- ^ public p*q
+    } deriving (Show, Read, Eq, Data)
+
+-- | Represent a Rabin-Williams private key.
+data PrivateKey = PrivateKey
+    { private_pub :: PublicKey
+    , private_p   :: Integer   -- ^ p prime number
+    , private_q   :: Integer   -- ^ q prime number
+    , private_d   :: Integer
+    } deriving (Show, Read, Eq, Data)
+
+-- | Generate a pair of (private, public) key of size in bytes.
+-- Prime p is congruent 3 mod 8 and prime q is congruent 7 mod 8.
+generate :: MonadRandom m
+         => Int           
+         -> m (PublicKey, PrivateKey)
+generate size = do
+    (p, q) <- generatePrimes size (\p -> p `mod` 8 == 3) (\q -> q `mod` 8 == 7) 
+    return (generateKeys p q)
+  where 
+    generateKeys p q =
+        let n = p*q   
+            d = ((p - 1)*(q - 1) `div` 4 + 1) `div` 2
+            publicKey = PublicKey { public_size = size
+                                    , public_n    = n }
+            privateKey = PrivateKey { private_pub = publicKey
+                                    , private_p   = p
+                                    , private_q   = q
+                                    , private_d   = d }
+            in (publicKey, privateKey)
+
+-- | Encrypt plaintext using public key an a predefined OAEP seed.
+--
+-- See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.
+encryptWithSeed :: HashAlgorithm hash
+                => ByteString                               -- ^ Seed
+                -> OAEPParams hash ByteString ByteString    -- ^ OAEP padding
+                -> PublicKey                                -- ^ public key
+                -> ByteString                               -- ^ plaintext
+                -> Either Error ByteString
+encryptWithSeed seed oaep pk m =
+    let n = public_n pk
+        k = numBytes n
+     in do
+        m'  <- pad seed oaep k m
+        m'' <- ep1 n $ os2ip m'
+        return $ i2osp $ ep2 n m''
+
+-- | Encrypt plaintext using public key.
+encrypt :: (HashAlgorithm hash, MonadRandom m)
+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters
+        -> PublicKey                                -- ^ public key
+        -> ByteString                               -- ^ plaintext 
+        -> m (Either Error ByteString)
+encrypt oaep pk m = do
+    seed <- getRandomBytes hashLen
+    return $ encryptWithSeed seed oaep pk m
+  where
+    hashLen = hashDigestSize (oaepHash oaep)   
+
+-- | Decrypt ciphertext using private key.
+decrypt :: HashAlgorithm hash
+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters
+        -> PrivateKey                               -- ^ private key
+        -> ByteString                               -- ^ ciphertext
+        -> Maybe ByteString
+decrypt oaep pk c =
+    let d  = private_d pk    
+        n  = public_n $ private_pub pk
+        k  = numBytes n
+        c' = i2ospOf_ k $ dp2 n $ dp1 d n $ os2ip c
+     in case unpad oaep k c' of
+            Left _  -> Nothing
+            Right p -> Just p   
+
+-- | Sign message using hash algorithm and private key.
+sign :: HashAlgorithm hash
+     => PrivateKey  -- ^ private key
+     -> hash        -- ^ hash function
+     -> ByteString  -- ^ message to sign
+     -> Either Error Integer
+sign pk hashAlg m =
+    let d = private_d pk
+        n = public_n $ private_pub pk
+     in do
+        m' <- ep1 n $ os2ip $ hashWith hashAlg m
+        return $ dp1 d n m' 
+
+-- | Verify signature using hash algorithm and public key.
+verify :: HashAlgorithm hash
+       => PublicKey     -- ^ public key
+       -> hash          -- ^ hash function
+       -> ByteString    -- ^ message
+       -> Integer       -- ^ signature
+       -> Bool
+verify pk hashAlg m s =
+    let n  = public_n pk
+        h  = os2ip $ hashWith hashAlg m
+        h' = dp2 n $ ep2 n s
+     in h' == h
+
+-- | Encryption primitive 1
+ep1 :: Integer -> Integer -> Either Error Integer
+ep1 n m =
+    let m'   = 2*m + 1
+        m''  = 2*m'
+        m''' = 2*m''
+     in case jacobi m' n of
+            Just (-1) | m'' < n -> Right m''
+            Just 1 | m''' < n   -> Right m'''
+            _                   -> Left InvalidParameters
+
+-- | Encryption primitive 2
+ep2 :: Integer -> Integer -> Integer
+ep2 n m = expSafe m 2 n
+
+-- | Decryption primitive 1
+dp1 :: Integer -> Integer -> Integer -> Integer
+dp1 d n c = expSafe c d n
+
+-- | Decryption primitive 2
+dp2 :: Integer -> Integer -> Integer
+dp2 n c = let c'  = c `div` 2
+              c'' = (n - c) `div` 2
+           in case c `mod` 4 of
+                0 -> ((c' `div` 2 - 1) `div` 2)
+                1 -> ((c'' `div` 2 - 1) `div` 2)
+                2 -> ((c' - 1) `div` 2)
+                _ -> ((c'' - 1) `div` 2)
diff --git a/Crypto/PubKey/Rabin/Types.hs b/Crypto/PubKey/Rabin/Types.hs
new file mode 100644
--- /dev/null
+++ b/Crypto/PubKey/Rabin/Types.hs
@@ -0,0 +1,43 @@
+-- |
+-- Module      : Crypto.PubKey.Rabin.Types
+-- License     : BSD-style
+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>
+-- Stability   : experimental
+-- Portability : unknown
+--
+module Crypto.PubKey.Rabin.Types
+    ( Error(..)
+    , generatePrimes
+    ) where
+
+import Crypto.Number.Basic (numBits)
+import Crypto.Number.Prime (generatePrime, findPrimeFromWith)
+import Crypto.Random.Types
+
+type PrimeCondition = Integer -> Bool
+
+-- | Error possible during encryption, decryption or signing.
+data Error = MessageTooLong       -- ^ the message to encrypt is too long
+           | MessageNotRecognized -- ^ the message decrypted doesn't have a OAEP structure
+           | InvalidParameters    -- ^ some parameters lead to breaking assumptions
+           deriving (Show, Eq)
+
+-- | Generate primes p & q
+generatePrimes :: MonadRandom m 
+               => Int                   -- ^ size in bytes          
+               -> PrimeCondition        -- ^ condition prime p must satisfy
+               -> PrimeCondition        -- ^ condition prime q must satisfy
+               -> m (Integer, Integer)  -- ^ chosen distinct primes p and q
+generatePrimes size pCond qCond =
+    let pBits = (8*(size `div` 2))
+        qBits = (8*(size - (size `div` 2)))
+     in do
+        p <- generatePrime' pBits pCond
+        q <- generatePrime' qBits qCond
+        return (p, q)
+      where
+        generatePrime' bits cond = do
+            pr' <- generatePrime bits
+            let pr = findPrimeFromWith cond pr'
+            if numBits pr == bits then return pr
+            else generatePrime' bits cond
diff --git a/Crypto/Random/ChaChaDRG.hs b/Crypto/Random/ChaChaDRG.hs
--- a/Crypto/Random/ChaChaDRG.hs
+++ b/Crypto/Random/ChaChaDRG.hs
@@ -29,7 +29,7 @@
 
 -- | Initialize a new ChaCha context with the number of rounds,
 -- the key and the nonce associated.
-initialize :: B.ByteArrayAccess seed
+initialize :: ByteArrayAccess seed
            => seed        -- ^ 40 bytes of seed
            -> ChaChaDRG   -- ^ the initial ChaCha state
 initialize seed = ChaChaDRG $ C.initializeSimple seed
diff --git a/Crypto/Random/Entropy/Backend.hs b/Crypto/Random/Entropy/Backend.hs
--- a/Crypto/Random/Entropy/Backend.hs
+++ b/Crypto/Random/Entropy/Backend.hs
@@ -14,8 +14,8 @@
     ) where
 
 import Foreign.Ptr
+import Data.Proxy
 import Data.Word (Word8)
-import Crypto.Internal.Proxy
 import Crypto.Random.Entropy.Source
 #ifdef SUPPORT_RDRAND
 import Crypto.Random.Entropy.RDRand
diff --git a/Crypto/Random/SystemDRG.hs b/Crypto/Random/SystemDRG.hs
--- a/Crypto/Random/SystemDRG.hs
+++ b/Crypto/Random/SystemDRG.hs
@@ -14,7 +14,6 @@
 import           Crypto.Random.Types
 import           Crypto.Random.Entropy.Unsafe
 import           Crypto.Internal.Compat
-import           Crypto.Internal.Imports
 import           Data.ByteArray (ScrubbedBytes, ByteArray)
 import           Data.Memory.PtrMethods as B (memCopy)
 import           Data.Maybe (catMaybes)
diff --git a/Crypto/Random/Types.hs b/Crypto/Random/Types.hs
--- a/Crypto/Random/Types.hs
+++ b/Crypto/Random/Types.hs
@@ -15,7 +15,6 @@
 
 import Crypto.Random.Entropy
 import Crypto.Internal.ByteArray
-import Crypto.Internal.Imports
 
 -- | A monad constraint that allows to generate random bytes
 class (Functor m, Monad m) => MonadRandom m where
@@ -47,7 +46,7 @@
          in (f a, g3)
 
 instance DRG gen => Monad (MonadPseudoRandom gen) where
-    return a    = MonadPseudoRandom $ \g -> (a, g)
+    return      = pure
     (>>=) m1 m2 = MonadPseudoRandom $ \g1 ->
         let (a, g2) = runPseudoRandom m1 g1
          in runPseudoRandom (m2 a) g2
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -43,28 +43,7 @@
 Support
 -------
 
-cryptonite supports the following platforms:
-
-* Windows >= 8
-* OSX >= 10.8
-* Linux
-* BSDs
-
-On the following architectures:
-
-* x86-64
-* i386
-
-On the following haskell versions:
-
-* GHC 7.8.x
-* GHC 7.10.x
-* GHC 8.0.x
-* GHC 8.2.x
-
-Further platforms and architectures probably work too, but since the
-maintainer(s) don't have regular access to them, we can't commit to
-further support.
+See [Haskell packages guidelines](https://github.com/vincenthz/haskell-pkg-guidelines/blob/master/README.md#support)
 
 Known Building Issues
 ---------------------
diff --git a/benchs/Bench.hs b/benchs/Bench.hs
--- a/benchs/Bench.hs
+++ b/benchs/Bench.hs
@@ -15,6 +15,7 @@
 import           Crypto.ECC
 import           Crypto.Error
 import           Crypto.Hash
+import qualified Crypto.KDF.BCrypt as BCrypt
 import qualified Crypto.KDF.PBKDF2 as PBKDF2
 import           Crypto.Number.Basic (numBits)
 import           Crypto.Number.Generate
@@ -104,7 +105,20 @@
 
         params n iter = PBKDF2.Parameters iter n
 
+benchBCrypt =
+    [ bench "cryptonite-BCrypt-4"  $ nf bcrypt 4
+    , bench "cryptonite-BCrypt-5"  $ nf bcrypt 5
+    , bench "cryptonite-BCrypt-7"  $ nf bcrypt 7
+    , bench "cryptonite-BCrypt-11" $ nf bcrypt 11
+    ]
+  where
+        bcrypt :: Int -> B.ByteString
+        bcrypt cost = BCrypt.bcrypt cost mysalt mypass
 
+        mypass, mysalt :: B.ByteString
+        mypass = "password"
+        mysalt = "saltsaltsaltsalt"
+
 benchBlockCipher =
     [ bgroup "ECB" benchECB
     , bgroup "CBC" benchCBC
@@ -148,15 +162,28 @@
         iv16 = maybe (error "iv size 16") id $ makeIV key16
 
 benchAE =
-    [ bench "ChaChaPoly1305" $ nf (run key32) (input64, input1024)
+    [ bench "ChaChaPoly1305" $ nf (cp key32) (input64, input1024)
+    , bench "AES-GCM" $ nf (gcm key32) (input64, input1024)
+    , bench "AES-CCM" $ nf (ccm key32) (input64, input1024)
     ]
-  where run k (ini, plain) =
+  where cp k (ini, plain) =
             let iniState            = throwCryptoError $ CP.initialize k (throwCryptoError $ CP.nonce12 nonce12)
                 afterAAD            = CP.finalizeAAD (CP.appendAAD ini iniState)
                 (out, afterEncrypt) = CP.encrypt plain afterAAD
                 outtag              = CP.finalize afterEncrypt
-             in (out, outtag)
+             in (outtag, out)
 
+        gcm k (ini, plain) =
+            let ctx = throwCryptoError (cipherInit k) :: AES256
+                state = throwCryptoError $ aeadInit AEAD_GCM ctx nonce12
+             in aeadSimpleEncrypt state ini plain 16
+
+        ccm k (ini, plain) =
+            let ctx = throwCryptoError (cipherInit k) :: AES256
+                mode = AEAD_CCM 1024 CCM_M16 CCM_L3
+                state = throwCryptoError $ aeadInit mode ctx nonce12
+             in aeadSimpleEncrypt state ini plain 16
+
         input64 = B.replicate 64 0
         input1024 = B.replicate 1024 0
 
@@ -233,6 +260,7 @@
     , bgroup "block-cipher" benchBlockCipher
     , bgroup "AE" benchAE
     , bgroup "pbkdf2" benchPBKDF2
+    , bgroup "bcrypt" benchBCrypt
     , bgroup "ECC" benchECC
     , bgroup "DH"
           [ bgroup "FFDH" benchFFDH
diff --git a/cbits/aes/gf.c b/cbits/aes/gf.c
--- a/cbits/aes/gf.c
+++ b/cbits/aes/gf.c
@@ -39,7 +39,7 @@
  * to speed up the multiplication.
  * TODO: optimise with tables
  */
-void cryptonite_gf_mul(block128 *a, block128 *b)
+void cryptonite_aes_generic_gf_mul(block128 *a, block128 *b)
 {
 	uint64_t a0, a1, v0, v1;
 	int i, j;
@@ -62,7 +62,7 @@
 }
 
 /* inplace GFMUL for xts mode */
-void cryptonite_gf_mulx(block128 *a)
+void cryptonite_aes_generic_gf_mulx(block128 *a)
 {
 	const uint64_t gf_mask = cpu_to_le64(0x8000000000000000ULL);
 	uint64_t r = ((a->q[1] & gf_mask) ? cpu_to_le64(0x87) : 0);
diff --git a/cbits/aes/gf.h b/cbits/aes/gf.h
--- a/cbits/aes/gf.h
+++ b/cbits/aes/gf.h
@@ -32,7 +32,7 @@
 
 #include "aes/block128.h"
 
-void cryptonite_gf_mul(block128 *a, block128 *b);
-void cryptonite_gf_mulx(block128 *a);
+void cryptonite_aes_generic_gf_mul(block128 *a, block128 *b);
+void cryptonite_aes_generic_gf_mulx(block128 *a);
 
 #endif
diff --git a/cbits/aes/x86ni.c b/cbits/aes/x86ni.c
--- a/cbits/aes/x86ni.c
+++ b/cbits/aes/x86ni.c
@@ -35,6 +35,7 @@
 #include <string.h>
 #include <cryptonite_aes.h>
 #include <cryptonite_cpu.h>
+#include <aes/gf.h>
 #include <aes/x86ni.h>
 #include <aes/block128.h>
 
@@ -157,38 +158,101 @@
 	return v;
 }
 
-static void unopt_gf_mul(block128 *a, block128 *b)
+static __m128i gfmul_generic(__m128i tag, __m128i h)
 {
-	uint64_t a0, a1, v0, v1;
-	int i, j;
+	aes_block _t, _h;
+	_mm_store_si128((__m128i *) &_t, tag);
+	_mm_store_si128((__m128i *) &_h, h);
+	cryptonite_aes_generic_gf_mul(&_t, &_h);
+	tag = _mm_load_si128((__m128i *) &_t);
+	return tag;
+}
 
-	a0 = a1 = 0;
-	v0 = cpu_to_be64(a->q[0]);
-	v1 = cpu_to_be64(a->q[1]);
+#ifdef WITH_PCLMUL
 
-	for (i = 0; i < 16; i++)
-		for (j = 0x80; j != 0; j >>= 1) {
-			uint8_t x = b->b[i] & j;
-			a0 ^= x ? v0 : 0;
-			a1 ^= x ? v1 : 0;
-			x = (uint8_t) v1 & 1;
-			v1 = (v1 >> 1) | (v0 << 63);
-			v0 = (v0 >> 1) ^ (x ? (0xe1ULL << 56) : 0);
-		}
-	a->q[0] = cpu_to_be64(a0);
-	a->q[1] = cpu_to_be64(a1);
+__m128i (*gfmul_branch_ptr)(__m128i a, __m128i b) = gfmul_generic;
+#define gfmul(a,b) ((*gfmul_branch_ptr)(a,b))
+
+/* See Intel carry-less-multiplication-instruction-in-gcm-mode-paper.pdf
+ *
+ * Adapted from figure 5, with additional byte swapping so that interface
+ * is simimar to cryptonite_aes_generic_gf_mul.
+ */
+static __m128i gfmul_pclmuldq(__m128i a, __m128i b)
+{
+	__m128i tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7, tmp8, tmp9;
+	__m128i bswap_mask = _mm_set_epi8(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15);
+
+	a = _mm_shuffle_epi8(a, bswap_mask);
+	b = _mm_shuffle_epi8(b, bswap_mask);
+
+	tmp3 = _mm_clmulepi64_si128(a, b, 0x00);
+	tmp4 = _mm_clmulepi64_si128(a, b, 0x10);
+	tmp5 = _mm_clmulepi64_si128(a, b, 0x01);
+	tmp6 = _mm_clmulepi64_si128(a, b, 0x11);
+
+	tmp4 = _mm_xor_si128(tmp4, tmp5);
+	tmp5 = _mm_slli_si128(tmp4, 8);
+	tmp4 = _mm_srli_si128(tmp4, 8);
+	tmp3 = _mm_xor_si128(tmp3, tmp5);
+	tmp6 = _mm_xor_si128(tmp6, tmp4);
+
+	tmp7 = _mm_srli_epi32(tmp3, 31);
+	tmp8 = _mm_srli_epi32(tmp6, 31);
+	tmp3 = _mm_slli_epi32(tmp3, 1);
+	tmp6 = _mm_slli_epi32(tmp6, 1);
+
+	tmp9 = _mm_srli_si128(tmp7, 12);
+	tmp8 = _mm_slli_si128(tmp8, 4);
+	tmp7 = _mm_slli_si128(tmp7, 4);
+	tmp3 = _mm_or_si128(tmp3, tmp7);
+	tmp6 = _mm_or_si128(tmp6, tmp8);
+	tmp6 = _mm_or_si128(tmp6, tmp9);
+
+	tmp7 = _mm_slli_epi32(tmp3, 31);
+	tmp8 = _mm_slli_epi32(tmp3, 30);
+	tmp9 = _mm_slli_epi32(tmp3, 25);
+
+	tmp7 = _mm_xor_si128(tmp7, tmp8);
+	tmp7 = _mm_xor_si128(tmp7, tmp9);
+	tmp8 = _mm_srli_si128(tmp7, 4);
+	tmp7 = _mm_slli_si128(tmp7, 12);
+	tmp3 = _mm_xor_si128(tmp3, tmp7);
+
+	tmp2 = _mm_srli_epi32(tmp3, 1);
+	tmp4 = _mm_srli_epi32(tmp3, 2);
+	tmp5 = _mm_srli_epi32(tmp3, 7);
+	tmp2 = _mm_xor_si128(tmp2, tmp4);
+	tmp2 = _mm_xor_si128(tmp2, tmp5);
+	tmp2 = _mm_xor_si128(tmp2, tmp8);
+	tmp3 = _mm_xor_si128(tmp3, tmp2);
+	tmp6 = _mm_xor_si128(tmp6, tmp3);
+
+	return _mm_shuffle_epi8(tmp6, bswap_mask);
 }
 
-static __m128i ghash_add(__m128i tag, __m128i h, __m128i m)
+void cryptonite_aesni_gf_mul(block128 *a, block128 *b)
 {
-	aes_block _t, _h;
-	tag = _mm_xor_si128(tag, m);
+	__m128i _a, _b, _c;
+	_a = _mm_loadu_si128((__m128i *) a);
+	_b = _mm_loadu_si128((__m128i *) b);
+	_c = gfmul_pclmuldq(_a, _b);
+	_mm_storeu_si128((__m128i *) a, _c);
+}
 
-	_mm_store_si128((__m128i *) &_t, tag);
-	_mm_store_si128((__m128i *) &_h, h);
-	unopt_gf_mul(&_t, &_h);
-	tag = _mm_load_si128((__m128i *) &_t);
-	return tag;
+void cryptonite_aesni_init_pclmul()
+{
+	gfmul_branch_ptr = gfmul_pclmuldq;
+}
+
+#else
+#define gfmul(a,b) (gfmul_generic(a,b))
+#endif
+
+static inline __m128i ghash_add(__m128i tag, __m128i h, __m128i m)
+{
+	tag = _mm_xor_si128(tag, m);
+	return gfmul(tag, h);
 }
 
 #define PRELOAD_ENC_KEYS128(k) \
diff --git a/cbits/aes/x86ni.h b/cbits/aes/x86ni.h
--- a/cbits/aes/x86ni.h
+++ b/cbits/aes/x86ni.h
@@ -72,7 +72,10 @@
 void cryptonite_aesni_gcm_encrypt128(uint8_t *out, aes_gcm *gcm, aes_key *key, uint8_t *in, uint32_t length);
 void cryptonite_aesni_gcm_encrypt256(uint8_t *out, aes_gcm *gcm, aes_key *key, uint8_t *in, uint32_t length);
 
-void gf_mul_x86ni(block128 *res, block128 *a_, block128 *b_);
+#ifdef WITH_PCLMUL
+void cryptonite_aesni_init_pclmul();
+void cryptonite_aesni_gf_mul(block128 *a, block128 *b);
+#endif
 
 #endif
 
diff --git a/cbits/blake2/ref/blake2-impl.h b/cbits/blake2/ref/blake2-impl.h
--- a/cbits/blake2/ref/blake2-impl.h
+++ b/cbits/blake2/ref/blake2-impl.h
@@ -72,8 +72,8 @@
   return w;
 #else
   const uint8_t *p = ( const uint8_t * )src;
-  return (( uint16_t )( p[0] ) <<  0) |
-         (( uint16_t )( p[1] ) <<  8) ;
+  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |
+                      (( uint32_t )( p[1] ) <<  8));
 #endif
 }
 
diff --git a/cbits/blake2/ref/blake2s-ref.c b/cbits/blake2/ref/blake2s-ref.c
--- a/cbits/blake2/ref/blake2s-ref.c
+++ b/cbits/blake2/ref/blake2s-ref.c
@@ -294,7 +294,7 @@
 #if defined(SUPERCOP)
 int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen )
 {
-  return blake2s( out, BLAKE2S_OUTBYTES in, inlen, NULL, 0 );
+  return blake2s( out, BLAKE2S_OUTBYTES, in, inlen, NULL, 0 );
 }
 #endif
 
diff --git a/cbits/blake2/sse/blake2-impl.h b/cbits/blake2/sse/blake2-impl.h
--- a/cbits/blake2/sse/blake2-impl.h
+++ b/cbits/blake2/sse/blake2-impl.h
@@ -72,8 +72,8 @@
   return w;
 #else
   const uint8_t *p = ( const uint8_t * )src;
-  return (( uint16_t )( p[0] ) <<  0) |
-         (( uint16_t )( p[1] ) <<  8) ;
+  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |
+                      (( uint32_t )( p[1] ) <<  8));
 #endif
 }
 
diff --git a/cbits/cryptonite_aes.c b/cbits/cryptonite_aes.c
--- a/cbits/cryptonite_aes.c
+++ b/cbits/cryptonite_aes.c
@@ -81,6 +81,8 @@
 	/* ccm */
 	ENCRYPT_CCM_128, ENCRYPT_CCM_192, ENCRYPT_CCM_256,
 	DECRYPT_CCM_128, DECRYPT_CCM_192, DECRYPT_CCM_256,
+	/* ghash */
+	GHASH_GF_MUL,
 };
 
 void *cryptonite_aes_branch_table[] = {
@@ -141,6 +143,8 @@
 	[DECRYPT_CCM_128]   = cryptonite_aes_generic_ccm_decrypt,
 	[DECRYPT_CCM_192]   = cryptonite_aes_generic_ccm_decrypt,
 	[DECRYPT_CCM_256]   = cryptonite_aes_generic_ccm_decrypt,
+	/* GHASH */
+	[GHASH_GF_MUL]      = cryptonite_aes_generic_gf_mul,
 };
 
 typedef void (*init_f)(aes_key *, uint8_t *, uint8_t);
@@ -152,6 +156,7 @@
 typedef void (*ocb_crypt_f)(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);
 typedef void (*ccm_crypt_f)(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);
 typedef void (*block_f)(aes_block *output, aes_key *key, aes_block *input);
+typedef void (*gf_mul_f)(aes_block *a, aes_block *b);
 
 #ifdef WITH_AESNI
 #define GET_INIT(strength) \
@@ -186,6 +191,8 @@
 	(((block_f) (cryptonite_aes_branch_table[ENCRYPT_BLOCK_128 + k->strength]))(o,k,i))
 #define cryptonite_aes_decrypt_block(o,k,i) \
 	(((block_f) (cryptonite_aes_branch_table[DECRYPT_BLOCK_128 + k->strength]))(o,k,i))
+#define cryptonite_gf_mul(a,b) \
+	(((gf_mul_f) (cryptonite_aes_branch_table[GHASH_GF_MUL]))(a,b))
 #else
 #define GET_INIT(strenght) cryptonite_aes_generic_init
 #define GET_ECB_ENCRYPT(strength) cryptonite_aes_generic_encrypt_ecb
@@ -203,6 +210,7 @@
 #define GET_CCM_DECRYPT(strength) cryptonite_aes_generic_ccm_decrypt
 #define cryptonite_aes_encrypt_block(o,k,i) cryptonite_aes_generic_encrypt_block(o,k,i)
 #define cryptonite_aes_decrypt_block(o,k,i) cryptonite_aes_generic_decrypt_block(o,k,i)
+#define cryptonite_gf_mul(a,b) cryptonite_aes_generic_gf_mul(a,b)
 #endif
 
 #if defined(ARCH_X86) && defined(WITH_AESNI)
@@ -241,6 +249,13 @@
 	cryptonite_aes_branch_table[ENCRYPT_OCB_128] = cryptonite_aesni_ocb_encrypt128;
 	cryptonite_aes_branch_table[ENCRYPT_OCB_256] = cryptonite_aesni_ocb_encrypt256;
 	*/
+#ifdef WITH_PCLMUL
+	if (!pclmul)
+		return;
+	/* GHASH */
+	cryptonite_aes_branch_table[GHASH_GF_MUL]    = cryptonite_aesni_gf_mul;
+	cryptonite_aesni_init_pclmul();
+#endif
 }
 #endif
 
@@ -761,9 +776,9 @@
 
 	/* TO OPTIMISE: this is really inefficient way to do that */
 	while (spoint-- > 0)
-		cryptonite_gf_mulx(&tweak);
+		cryptonite_aes_generic_gf_mulx(&tweak);
 
-	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_gf_mulx(&tweak)) {
+	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_aes_generic_gf_mulx(&tweak)) {
 		block128_vxor(&block, input, &tweak);
 		cryptonite_aes_encrypt_block(&block, k1, &block);
 		block128_vxor(output, &block, &tweak);
@@ -781,9 +796,9 @@
 
 	/* TO OPTIMISE: this is really inefficient way to do that */
 	while (spoint-- > 0)
-		cryptonite_gf_mulx(&tweak);
+		cryptonite_aes_generic_gf_mulx(&tweak);
 
-	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_gf_mulx(&tweak)) {
+	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_aes_generic_gf_mulx(&tweak)) {
 		block128_vxor(&block, input, &tweak);
 		cryptonite_aes_decrypt_block(&block, k1, &block);
 		block128_vxor(output, &block, &tweak);
diff --git a/cbits/cryptonite_sha3.c b/cbits/cryptonite_sha3.c
--- a/cbits/cryptonite_sha3.c
+++ b/cbits/cryptonite_sha3.c
@@ -99,8 +99,11 @@
 }
 
 /*
- * Initialize a SHA-3 / SHAKE context: hashlen is the security level (and
- * half the capacity) in bits
+ * Initialize a SHA-3 / SHAKE / cSHAKE context: hashlen is the security level
+ * (and half the capacity) in bits.
+ *
+ * In case of cSHAKE, the message prefix with encoded N and S must be added with
+ * cryptonite_sha3_update.
  */
 void cryptonite_sha3_init(struct sha3_ctx *ctx, uint32_t hashlen)
 {
@@ -110,7 +113,7 @@
 	ctx->bufsz = bufsz;
 }
 
-/* Update a SHA-3 / SHAKE context */
+/* Update a SHA-3 / SHAKE / cSHAKE context */
 void cryptonite_sha3_update(struct sha3_ctx *ctx, const uint8_t *data, uint32_t len)
 {
 	uint32_t to_fill;
@@ -171,7 +174,7 @@
 }
 
 /*
- * Extract some bytes from a finalized SHA-3 / SHAKE context.
+ * Extract some bytes from a finalized SHA-3 / SHAKE / cSHAKE context.
  * May be called multiple times.
  */
 void cryptonite_sha3_output(struct sha3_ctx *ctx, uint8_t *out, uint32_t len)
@@ -224,6 +227,12 @@
 void cryptonite_sha3_finalize_shake(struct sha3_ctx *ctx)
 {
 	cryptonite_sha3_finalize_with_pad_byte(ctx, 0x1F);
+}
+
+/* Finalize a cSHAKE context. Output is read using cryptonite_sha3_output. */
+void cryptonite_sha3_finalize_cshake(struct sha3_ctx *ctx)
+{
+	cryptonite_sha3_finalize_with_pad_byte(ctx, 0x04);
 }
 
 void cryptonite_keccak_init(struct sha3_ctx *ctx, uint32_t hashlen)
diff --git a/cbits/cryptonite_sha3.h b/cbits/cryptonite_sha3.h
--- a/cbits/cryptonite_sha3.h
+++ b/cbits/cryptonite_sha3.h
@@ -57,6 +57,7 @@
 void cryptonite_sha3_finalize(struct sha3_ctx *ctx, uint32_t hashlen, uint8_t *out);
 
 void cryptonite_sha3_finalize_shake(struct sha3_ctx *ctx);
+void cryptonite_sha3_finalize_cshake(struct sha3_ctx *ctx);
 void cryptonite_sha3_output(struct sha3_ctx *ctx, uint8_t *out, uint32_t len);
 
 void cryptonite_keccak_init(struct sha3_ctx *ctx, uint32_t hashlen);
diff --git a/cbits/p256/p256.c b/cbits/p256/p256.c
--- a/cbits/p256/p256.c
+++ b/cbits/p256/p256.c
@@ -386,3 +386,25 @@
 		p += 4;
 	}
 }
+
+/*
+  "p256e" functions are not part of the original source
+*/
+
+#define MSB_COMPLEMENT(x) (((x) >> (P256_BITSPERDIGIT - 1)) - 1)
+
+// c = a + b mod MOD
+void cryptonite_p256e_modadd(const cryptonite_p256_int* MOD, const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {
+  cryptonite_p256_digit top = cryptonite_p256_add(a, b, c);
+  top = subM(MOD, top, P256_DIGITS(c), -1);
+  top = subM(MOD, top, P256_DIGITS(c), MSB_COMPLEMENT(top));
+  addM(MOD, 0, P256_DIGITS(c), top);
+}
+
+// c = a - b mod MOD
+void cryptonite_p256e_modsub(const cryptonite_p256_int* MOD, const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {
+  cryptonite_p256_digit top = cryptonite_p256_sub(a, b, c);
+  top = addM(MOD, top, P256_DIGITS(c), ~MSB_COMPLEMENT(top));
+  top = subM(MOD, top, P256_DIGITS(c), MSB_COMPLEMENT(top));
+  addM(MOD, 0, P256_DIGITS(c), top);
+}
diff --git a/cryptonite.cabal b/cryptonite.cabal
--- a/cryptonite.cabal
+++ b/cryptonite.cabal
@@ -1,5 +1,5 @@
 Name:                cryptonite
-version:             0.25
+version:             0.26
 Synopsis:            Cryptography Primitives sink
 Description:
     A repository of cryptographic primitives.
@@ -8,11 +8,11 @@
     .
     * Hash: SHA1, SHA2, SHA3, SHAKE, MD2, MD4, MD5, Keccak, Skein, Ripemd, Tiger, Whirlpool, Blake2
     .
-    * MAC: HMAC, Poly1305
+    * MAC: HMAC, KMAC, Poly1305
     .
     * Asymmetric crypto: DSA, RSA, DH, ECDH, ECDSA, ECC, Curve25519, Curve448, Ed25519, Ed448
     .
-    * Key Derivation Function: PBKDF2, Scrypt, HKDF, Argon2
+    * Key Derivation Function: PBKDF2, Scrypt, HKDF, Argon2, BCrypt, BCryptPBKDF
     .
     * Cryptographic Random generation: System Entropy, Deterministic Random Generator
     .
@@ -35,8 +35,8 @@
 Build-Type:          Simple
 Homepage:            https://github.com/haskell-crypto/cryptonite
 Bug-reports:         https://github.com/haskell-crypto/cryptonite/issues
-Cabal-Version:       >=1.18
-tested-with:         GHC==8.0.2, GHC==7.10.3, GHC==7.8.4
+Cabal-Version:       1.18
+tested-with:         GHC==8.6.5, GHC==8.4.4, GHC==8.2.2, GHC==8.0.2
 extra-doc-files:     README.md CHANGELOG.md
 extra-source-files:  cbits/*.h
                      cbits/aes/*.h
@@ -126,17 +126,22 @@
                      Crypto.MAC.CMAC
                      Crypto.MAC.Poly1305
                      Crypto.MAC.HMAC
+                     Crypto.MAC.KMAC
                      Crypto.Number.Basic
                      Crypto.Number.F2m
                      Crypto.Number.Generate
                      Crypto.Number.ModArithmetic
+                     Crypto.Number.Nat
                      Crypto.Number.Prime
                      Crypto.Number.Serialize
+                     Crypto.Number.Serialize.LE
                      Crypto.Number.Serialize.Internal
+                     Crypto.Number.Serialize.Internal.LE
                      Crypto.KDF.Argon2
                      Crypto.KDF.PBKDF2
                      Crypto.KDF.Scrypt
                      Crypto.KDF.BCrypt
+                     Crypto.KDF.BCryptPBKDF
                      Crypto.KDF.HKDF
                      Crypto.Hash
                      Crypto.Hash.IO
@@ -162,6 +167,11 @@
                      Crypto.PubKey.RSA.PSS
                      Crypto.PubKey.RSA.OAEP
                      Crypto.PubKey.RSA.Types
+                     Crypto.PubKey.Rabin.OAEP
+                     Crypto.PubKey.Rabin.Basic
+                     Crypto.PubKey.Rabin.Modified
+                     Crypto.PubKey.Rabin.RW
+                     Crypto.PubKey.Rabin.Types
                      Crypto.Random
                      Crypto.Random.Types
                      Crypto.Random.Entropy
@@ -184,6 +194,7 @@
                      Crypto.Error.Types
                      Crypto.Number.Compat
                      Crypto.Hash.Types
+                     Crypto.Hash.Blake2
                      Crypto.Hash.Blake2s
                      Crypto.Hash.Blake2sp
                      Crypto.Hash.Blake2b
@@ -195,6 +206,7 @@
                      Crypto.Hash.SHA512
                      Crypto.Hash.SHA512t
                      Crypto.Hash.SHA3
+                     Crypto.Hash.SHAKE
                      Crypto.Hash.Keccak
                      Crypto.Hash.MD2
                      Crypto.Hash.MD4
@@ -213,24 +225,24 @@
                      Crypto.PubKey.ElGamal
                      Crypto.ECC.Simple.Types
                      Crypto.ECC.Simple.Prim
-                     Crypto.Internal.Proxy
                      Crypto.Internal.ByteArray
                      Crypto.Internal.Compat
                      Crypto.Internal.CompatPrim
                      Crypto.Internal.DeepSeq
                      Crypto.Internal.Imports
+                     Crypto.Internal.Nat
                      Crypto.Internal.Words
                      Crypto.Internal.WordArray
-  if impl(ghc >= 7.8)
-    Other-modules:   Crypto.Hash.SHAKE
-                     Crypto.Hash.Blake2
-                     Crypto.Internal.Nat
-  Build-depends:     base >= 4.6 && < 5
-                   , bytestring
-                   , memory >= 0.14.14
+  if impl(ghc < 8.0)
+    Buildable: False
+  else
+    Build-depends:   base
+
+  Build-depends:     bytestring
+                   , memory >= 0.14.18
                    , basement >= 0.0.6
                    , ghc-prim
-  ghc-options:       -Wall -fwarn-tabs -optc-O3 -fno-warn-unused-imports
+  ghc-options:       -Wall -fwarn-tabs -optc-O3
   if os(linux)
     extra-libraries: pthread
   default-language:  Haskell2010
@@ -269,7 +281,7 @@
                    , cbits/decaf/include
                    , cbits/decaf/p448
 
-  if arch(x86_64)
+  if arch(x86_64) || arch(aarch64)
     C-sources:         cbits/decaf/p448/arch_ref64/f_impl.c
                      , cbits/decaf/p448/f_generic.c
                      , cbits/decaf/p448/f_arithmetic.c
@@ -292,7 +304,7 @@
     include-dirs:      cbits/decaf/include/arch_32
                      , cbits/decaf/p448/arch_32
 
-  if arch(x86_64)
+  if arch(x86_64) || arch(aarch64)
     C-sources: cbits/curve25519/curve25519-donna-c64.c
   else
     C-sources: cbits/curve25519/curve25519-donna.c
@@ -370,6 +382,7 @@
   Other-modules:     BlockCipher
                      ChaCha
                      BCrypt
+                     BCryptPBKDF
                      ECC
                      ECC.Edwards25519
                      Hash
@@ -394,6 +407,7 @@
                      KAT_CMAC
                      KAT_HKDF
                      KAT_HMAC
+                     KAT_KMAC
                      KAT_MiyaguchiPreneel
                      KAT_PBKDF2
                      KAT_OTP
@@ -403,6 +417,8 @@
                      KAT_PubKey.OAEP
                      KAT_PubKey.PSS
                      KAT_PubKey.P256
+                     KAT_PubKey.RSA
+                     KAT_PubKey.Rabin
                      KAT_PubKey
                      KAT_RC4
                      KAT_Scrypt
@@ -416,7 +432,7 @@
                      Salsa
                      Utils
                      XSalsa
-  Build-Depends:     base >= 3 && < 5
+  Build-Depends:     base >= 0 && < 10
                    , bytestring
                    , memory
                    , tasty
@@ -424,7 +440,7 @@
                    , tasty-hunit
                    , tasty-kat
                    , cryptonite
-  ghc-options:       -Wall -fno-warn-orphans -fno-warn-missing-signatures -fno-warn-unused-imports -rtsopts
+  ghc-options:       -Wall -fno-warn-orphans -fno-warn-missing-signatures -rtsopts
   default-language:  Haskell2010
 
 Benchmark bench-cryptonite
@@ -432,7 +448,7 @@
   hs-source-dirs:    benchs
   Main-is:           Bench.hs
   Other-modules:     Number.F2m
-  Build-Depends:     base >= 3 && < 5
+  Build-Depends:     base
                    , bytestring
                    , deepseq
                    , memory
diff --git a/tests/BCrypt.hs b/tests/BCrypt.hs
--- a/tests/BCrypt.hs
+++ b/tests/BCrypt.hs
@@ -75,4 +75,8 @@
 tests = testGroup "bcrypt"
     [ testGroup "KATs" makeKATs
     , testCase "Invalid hash length" (assertEqual "" (Left "Invalid hash format") (validatePasswordEither B.empty ("$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s" :: B.ByteString)))
+    , testCase "Hash and validate" (assertBool "Hashed password should validate" (validatePassword somePassword (bcrypt 5 aSalt somePassword :: B.ByteString)))
     ]
+  where
+    somePassword = "some password" :: B.ByteString
+    aSalt = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" :: B.ByteString
diff --git a/tests/BCryptPBKDF.hs b/tests/BCryptPBKDF.hs
new file mode 100644
--- /dev/null
+++ b/tests/BCryptPBKDF.hs
@@ -0,0 +1,75 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+module BCryptPBKDF (tests) where
+
+import qualified Data.ByteString        as B
+
+import           Test.Tasty
+import           Test.Tasty.HUnit
+
+import           Crypto.KDF.BCryptPBKDF (Parameters (..), generate,
+                                         hashInternal)
+
+tests :: TestTree
+tests = testGroup "BCryptPBKDF"
+    [ testGroup "generate"
+        [ testCase "1" generate1
+        , testCase "2" generate2
+        , testCase "3" generate3
+        ]
+    , testGroup "hashInternal"
+        [ testCase "1" hashInternal1
+        ]
+    ]
+  where
+    -- test vector taken from the go implementation by @dchest
+    generate1 = expected @=? generate params pass salt
+        where
+            params   = Parameters 12 32
+            pass     = "password" :: B.ByteString
+            salt     = "salt"     :: B.ByteString
+            expected = B.pack
+                [ 0x1a, 0xe4, 0x2c, 0x05, 0xd4, 0x87, 0xbc, 0x02
+                , 0xf6, 0x49, 0x21, 0xa4, 0xeb, 0xe4, 0xea, 0x93
+                , 0xbc, 0xac, 0xfe, 0x13, 0x5f, 0xda, 0x99, 0x97
+                , 0x4c, 0x06, 0xb7, 0xb0, 0x1f, 0xae, 0x14, 0x9a
+                ] :: B.ByteString
+
+    -- test vector generated with the go implemenation by @dchest
+    generate2 = expected @=? generate params pass salt
+        where
+            params   = Parameters 7 71
+            pass     = "DieWuerdeDesMenschenIstUnantastbar" :: B.ByteString
+            salt     = "Tafelsalz"                          :: B.ByteString
+            expected = B.pack
+                [ 0x17, 0xb4, 0x76, 0xaa, 0xd7, 0x42, 0x33, 0x49
+                , 0x5c, 0xe8, 0x79, 0x49, 0x15, 0x74, 0x4c, 0x71
+                , 0xf9, 0x99, 0x66, 0x89, 0x7a, 0x60, 0xc3, 0x70
+                , 0xb4, 0x3c, 0xa8, 0x83, 0x80, 0x5a, 0x56, 0xde
+                , 0x38, 0xbc, 0x51, 0x8c, 0xd4, 0xeb, 0xd1, 0xcf
+                , 0x46, 0x0a, 0x68, 0x3d, 0xc8, 0x12, 0xcf, 0xf8
+                , 0x43, 0xce, 0x21, 0x9d, 0x98, 0x81, 0x20, 0x26
+                , 0x6e, 0x42, 0x0f, 0xaa, 0x75, 0x5d, 0x09, 0x8d
+                , 0x45, 0xda, 0xd5, 0x15, 0x6e, 0x65, 0x1d
+                ] :: B.ByteString
+
+    -- test vector generated with the go implemenation by @dchest
+    generate3 = expected @=? generate params pass salt
+        where
+            params    = Parameters 5 5
+            pass      = "ABC" :: B.ByteString
+            salt      = "DEF" :: B.ByteString
+            expected  = B.pack
+                [ 0xdd, 0x6e, 0xa0, 0x69, 0x29
+                ] :: B.ByteString
+
+    hashInternal1 = expected @=? hashInternal passHash saltHash
+        where
+            passHash = B.pack [ 0  ..  63 ] :: B.ByteString
+            saltHash = B.pack [ 64 .. 127 ] :: B.ByteString
+            expected = B.pack
+                [ 0x87, 0x90, 0x48, 0x70, 0xee, 0xf9, 0xde, 0xdd
+                , 0xf8, 0xe7, 0x61, 0x1a, 0x14, 0x01, 0x06, 0xe6
+                , 0xaa, 0xf1, 0xa3, 0x63, 0xd9, 0xa2, 0xc5, 0x04
+                , 0xdb, 0x35, 0x64, 0x43, 0x72, 0x1e, 0xb5, 0x55
+                ] :: B.ByteString
diff --git a/tests/ECC.hs b/tests/ECC.hs
--- a/tests/ECC.hs
+++ b/tests/ECC.hs
@@ -7,7 +7,6 @@
 import qualified Crypto.ECC as ECC
 
 import           Data.ByteArray.Encoding
-import           Data.ByteString (ByteString)
 
 import Imports
 
diff --git a/tests/Hash.hs b/tests/Hash.hs
--- a/tests/Hash.hs
+++ b/tests/Hash.hs
@@ -1,10 +1,6 @@
-{-# LANGUAGE CPP #-}
 {-# LANGUAGE OverloadedStrings #-}
-{-# LANGUAGE ViewPatterns #-}
 {-# LANGUAGE ExistentialQuantification #-}
-#if MIN_VERSION_base(4,7,0)
 {-# LANGUAGE DataKinds #-}
-#endif
 module Hash
     ( tests
     ) where
@@ -12,7 +8,9 @@
 import Crypto.Hash
 
 import qualified Data.ByteString as B
+import           Data.ByteArray (convert)
 import qualified Data.ByteArray.Encoding as B (convertToBase, Base(..))
+import           GHC.TypeLits
 import Imports
 
 v0,v1,v2 :: ByteString
@@ -174,7 +172,6 @@
         "69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9",
         "606beeec743ccbeff6cbcdf5d5302aa855c256c29b88c8ed331ea1a6bf3c8812",
         "94662583a600a12dff357c0a6f1b514a710ef0f587a38e8d2e4d7f67e9c81667" ])
-#if MIN_VERSION_base(4,7,0)
     , ("SHAKE128_4096", HashAlg (SHAKE128 :: SHAKE128 4096), [
         "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef263cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2badfd6dfaac359a5efbb7bcc4b59d538df9a04302e10c8bc1cbf1a0b3a5120ea17cda7cfad765f5623474d368ccca8af0007cd9f5e4c849f167a580b14aabdefaee7eef47cb0fca9767be1fda69419dfb927e9df07348b196691abaeb580b32def58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619f90b0cdf8a7b9c264029ac185b70b83f2801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc09631b10958f464d889f31ba010250fda7f1368ec2967fc84ef2ae9aff268e0b1700affc6820b523a3d917135f2dff2ee06bfe72b3124721d4a26c04e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa62b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec2e770d01efde86e721a3f7c6cce275dabe6e2143f1af18da7efddc4c7b70b5e345db93cc936bea323491ccb38a388f546a9ff00dd4e1300b9b2153d2041d205b443e41b45a653f2a5c4492c1add544512dda2529833462b71a41a45be97290b6f",
         "f4202e3c5852f9182a0430fd8144f0a74b95e7417ecae17db0f8cfeed0e3e66eb5585ec6f86021cacf272c798bcf97d368b886b18fec3a571f096086a523717a3732d50db2b0b7998b4117ae66a761ccf1847a1616f4c07d5178d0d965f9feba351420f8bfb6f5ab9a0cb102568eabf3dfa4e22279f8082dce8143eb78235a1a54914ab71abb07f2f3648468370b9fbb071e074f1c030a4030225f40c39480339f3dc71d0f04f71326de1381674cc89e259e219927fae8ea2799a03da862a55afafe670957a2af3318d919d0a3358f3b891236d6a8e8d19999d1076b529968faefbd880d77bb300829dca87e9c8e4c28e0800ff37490a5bd8c36c0b0bdb2701a5d58d03378b9dbd384389e3ef0fd4003b08998fd3f32fe1a0810fc0eccaad94bca8dd83b34559c333f0b16dfc2896ed87b30ba14c81f87cd8b4bb6317db89b0e7e94c0616f9a665fba5b0e6fb3549c9d7b68e66d08a86eb2faec05cc462a771806b93cc38b0a4feb9935c6c8945da6a589891ba5ee99753cfdd38e1abc7147fd74b7c7d1ce0609b6680a2e18888d84949b6e6cf6a2aa4113535aaee079459e3f257b569a9450523c41f5b5ba4b79b3ba5949140a74bb048de0657d04954bdd71dae76f61e2a1f88aecb91cfa5b36c1bf3350a798dc4dcf48628effe3a0c5340c756bd922f78d0e36ef7df12ce78c179cc721ad087e15ea496bf5f60b21b5822d",
@@ -215,7 +212,6 @@
         "69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9",
         "606beeec743ccbeff6cbcdf5d5302aa855c256c29b88c8ed331ea1a6bf3c8812",
         "94662583a600a12dff357c0a6f1b514a710ef0f587a38e8d2e4d7f67e9c81667" ])
-#endif
     ]
 
 runhash :: HashAlg -> ByteString -> ByteString
@@ -240,7 +236,25 @@
         runhash hashAlg inp `propertyEq` runhashinc hashAlg (chunkS ckLen inp)
     ]
 
+-- SHAKE128 truncation example with expected byte at final position
+-- <https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/ShakeTruncation.pdf>
+shake128TruncationBytes = [0x01, 0x03, 0x07, 0x0f, 0x0f, 0x2f, 0x6f, 0x6f]
+
+makeTestSHAKE128Truncation i byte =
+    testCase (show i) $ xof 4088 `B.snoc` byte @=? xof (4088 + i)
+  where
+    hashEmpty :: KnownNat n => proxy n -> Digest (SHAKE128 n)
+    hashEmpty _ = hash B.empty
+
+    xof n = case someNatVal n of
+                Nothing          -> error ("invalid Nat: " ++ show n)
+                Just (SomeNat p) -> convert (hashEmpty p)
+
 tests = testGroup "hash"
     [ testGroup "KATs" (map makeTestAlg expected)
     , testGroup "Chunking" (concatMap makeTestChunk expected)
+    , testGroup "Truncating"
+        [ testGroup "SHAKE128"
+            (zipWith makeTestSHAKE128Truncation [1..] shake128TruncationBytes)
+        ]
     ]
diff --git a/tests/KAT_CAST5.hs b/tests/KAT_CAST5.hs
--- a/tests/KAT_CAST5.hs
+++ b/tests/KAT_CAST5.hs
@@ -1,7 +1,6 @@
 {-# LANGUAGE OverloadedStrings #-}
 module KAT_CAST5 (tests) where
 
-import Imports
 import BlockCipher
 import qualified Crypto.Cipher.CAST5 as CAST5
 
diff --git a/tests/KAT_HKDF.hs b/tests/KAT_HKDF.hs
--- a/tests/KAT_HKDF.hs
+++ b/tests/KAT_HKDF.hs
@@ -2,10 +2,7 @@
 module KAT_HKDF (tests) where
 
 import qualified Crypto.KDF.HKDF as HKDF
-import Crypto.Hash (MD5(..), SHA1(..), SHA256(..)
-                   , Keccak_224(..), Keccak_256(..), Keccak_384(..), Keccak_512(..)
-                   , SHA3_224(..), SHA3_256(..), SHA3_384(..), SHA3_512(..)
-                   , HashAlgorithm, digestFromByteString)
+import Crypto.Hash (SHA256(..), HashAlgorithm)
 import qualified Data.ByteString as B
 
 import Imports
diff --git a/tests/KAT_KMAC.hs b/tests/KAT_KMAC.hs
new file mode 100644
--- /dev/null
+++ b/tests/KAT_KMAC.hs
@@ -0,0 +1,129 @@
+{-# LANGUAGE DataKinds #-}
+{-# LANGUAGE FlexibleContexts #-}
+{-# LANGUAGE FlexibleInstances #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+module KAT_KMAC (tests) where
+
+import           Crypto.Hash (SHAKE128(..), SHAKE256(..),
+                              HashAlgorithm, digestFromByteString)
+import qualified Crypto.MAC.KMAC as KMAC
+
+import qualified Data.ByteString as B
+
+import Imports
+
+data MACVector hash = MACVector
+    { macString :: ByteString
+    , macKey    :: ByteString
+    , macSecret :: ByteString
+    , macResult :: KMAC.KMAC hash
+    }
+
+instance Show (KMAC.KMAC a) where
+    show (KMAC.KMAC d) = show d
+
+digest :: HashAlgorithm hash => ByteString -> KMAC.KMAC hash
+digest = maybe (error "cannot get digest") KMAC.KMAC . digestFromByteString
+
+vectors128 :: [MACVector (SHAKE128 256)]
+vectors128 =
+    [ MACVector
+        { macString = ""
+        , macKey    = B.pack [ 0x40 .. 0x5f ]
+        , macSecret = B.pack [ 0x00 .. 0x03 ]
+        , macResult = digest "\xe5\x78\x0b\x0d\x3e\xa6\xf7\xd3\xa4\x29\xc5\x70\x6a\xa4\x3a\x00\xfa\xdb\xd7\xd4\x96\x28\x83\x9e\x31\x87\x24\x3f\x45\x6e\xe1\x4e"
+        }
+    , MACVector
+        { macString = "My Tagged Application"
+        , macKey    = B.pack [ 0x40 .. 0x5f ]
+        , macSecret = B.pack [ 0x00 .. 0x03 ]
+        , macResult = digest "\x3b\x1f\xba\x96\x3c\xd8\xb0\xb5\x9e\x8c\x1a\x6d\x71\x88\x8b\x71\x43\x65\x1a\xf8\xba\x0a\x70\x70\xc0\x97\x9e\x28\x11\x32\x4a\xa5"
+        }
+    , MACVector
+        { macString = "My Tagged Application"
+        , macKey    = B.pack [ 0x40 .. 0x5f ]
+        , macSecret = B.pack [ 0x00 .. 0xc7 ]
+        , macResult = digest "\x1f\x5b\x4e\x6c\xca\x02\x20\x9e\x0d\xcb\x5c\xa6\x35\xb8\x9a\x15\xe2\x71\xec\xc7\x60\x07\x1d\xfd\x80\x5f\xaa\x38\xf9\x72\x92\x30"
+        }
+    ]
+
+vectors256 :: [MACVector (SHAKE256 512)]
+vectors256 =
+    [ MACVector
+        { macString = "My Tagged Application"
+        , macKey    = B.pack [ 0x40 .. 0x5f ]
+        , macSecret = B.pack [ 0x00 .. 0x03 ]
+        , macResult = digest "\x20\xc5\x70\xc3\x13\x46\xf7\x03\xc9\xac\x36\xc6\x1c\x03\xcb\x64\xc3\x97\x0d\x0c\xfc\x78\x7e\x9b\x79\x59\x9d\x27\x3a\x68\xd2\xf7\xf6\x9d\x4c\xc3\xde\x9d\x10\x4a\x35\x16\x89\xf2\x7c\xf6\xf5\x95\x1f\x01\x03\xf3\x3f\x4f\x24\x87\x10\x24\xd9\xc2\x77\x73\xa8\xdd"
+        }
+    , MACVector
+        { macString = ""
+        , macKey    = B.pack [ 0x40 .. 0x5f ]
+        , macSecret = B.pack [ 0x00 .. 0xc7 ]
+        , macResult = digest "\x75\x35\x8c\xf3\x9e\x41\x49\x4e\x94\x97\x07\x92\x7c\xee\x0a\xf2\x0a\x3f\xf5\x53\x90\x4c\x86\xb0\x8f\x21\xcc\x41\x4b\xcf\xd6\x91\x58\x9d\x27\xcf\x5e\x15\x36\x9c\xbb\xff\x8b\x9a\x4c\x2e\xb1\x78\x00\x85\x5d\x02\x35\xff\x63\x5d\xa8\x25\x33\xec\x6b\x75\x9b\x69"
+        }
+    , MACVector
+        { macString = "My Tagged Application"
+        , macKey    = B.pack [ 0x40 .. 0x5f ]
+        , macSecret = B.pack [ 0x00 .. 0xc7 ]
+        , macResult = digest "\xb5\x86\x18\xf7\x1f\x92\xe1\xd5\x6c\x1b\x8c\x55\xdd\xd7\xcd\x18\x8b\x97\xb4\xca\x4d\x99\x83\x1e\xb2\x69\x9a\x83\x7d\xa2\xe4\xd9\x70\xfb\xac\xfd\xe5\x00\x33\xae\xa5\x85\xf1\xa2\x70\x85\x10\xc3\x2d\x07\x88\x08\x01\xbd\x18\x28\x98\xfe\x47\x68\x76\xfc\x89\x65"
+        }
+    ]
+
+macTests :: [TestTree]
+macTests =
+    [ testGroup "SHAKE128" (concatMap toMACTest $ zip is vectors128)
+    , testGroup "SHAKE256" (concatMap toMACTest $ zip is vectors256)
+    ]
+    where toMACTest (i, MACVector{..}) =
+            [ testCase (show i) (macResult @=? KMAC.kmac macString macKey macSecret)
+            , testCase ("incr-" ++ show i) (macResult @=?
+                        KMAC.finalize (KMAC.update (KMAC.initialize macString macKey) macSecret))
+            ]
+          is :: [Int]
+          is = [1..]
+
+data MacIncremental a = MacIncremental ByteString ByteString ByteString (KMAC.KMAC a)
+    deriving (Show,Eq)
+
+instance KMAC.HashSHAKE a => Arbitrary (MacIncremental a) where
+    arbitrary = do
+        str <- arbitraryBSof 0 49
+        key <- arbitraryBSof 1 89
+        msg <- arbitraryBSof 1 99
+        return $ MacIncremental str key msg (KMAC.kmac str key msg)
+
+data MacIncrementalList a = MacIncrementalList ByteString ByteString [ByteString] (KMAC.KMAC a)
+    deriving (Show,Eq)
+
+instance KMAC.HashSHAKE a => Arbitrary (MacIncrementalList a) where
+    arbitrary = do
+        str  <- arbitraryBSof 0 49
+        key  <- arbitraryBSof 1 89
+        msgs <- choose (1,20) >>= \n -> replicateM n (arbitraryBSof 1 99)
+        return $ MacIncrementalList str key msgs (KMAC.kmac str key (B.concat msgs))
+
+macIncrementalTests :: [TestTree]
+macIncrementalTests =
+    [ testIncrProperties "SHAKE128_256" (SHAKE128 :: SHAKE128 256)
+    , testIncrProperties "SHAKE256_512" (SHAKE256 :: SHAKE256 512)
+    ]
+  where
+        testIncrProperties :: KMAC.HashSHAKE a => TestName -> a -> TestTree
+        testIncrProperties name a = testGroup name
+            [ testProperty "list-one" (prop_inc0 a)
+            , testProperty "list-multi" (prop_inc1 a)
+            ]
+
+        prop_inc0 :: KMAC.HashSHAKE a => a -> MacIncremental a -> Bool
+        prop_inc0 _ (MacIncremental str secret msg result) =
+            result `assertEq` KMAC.finalize (KMAC.update (KMAC.initialize str secret) msg)
+
+        prop_inc1 :: KMAC.HashSHAKE a => a -> MacIncrementalList a -> Bool
+        prop_inc1 _ (MacIncrementalList str secret msgs result) =
+            result `assertEq` KMAC.finalize (foldl' KMAC.update (KMAC.initialize str secret) msgs)
+
+tests = testGroup "KMAC"
+    [ testGroup "KATs" macTests
+    , testGroup "properties" macIncrementalTests
+    ]
diff --git a/tests/KAT_MiyaguchiPreneel.hs b/tests/KAT_MiyaguchiPreneel.hs
--- a/tests/KAT_MiyaguchiPreneel.hs
+++ b/tests/KAT_MiyaguchiPreneel.hs
@@ -6,7 +6,6 @@
 
 import           Imports
 
-import           Data.Char (digitToInt)
 import qualified Data.ByteString.Char8 as B8
 import qualified Data.ByteArray as B
 import Data.ByteArray.Encoding (Base (Base16), convertFromBase)
diff --git a/tests/KAT_OTP.hs b/tests/KAT_OTP.hs
--- a/tests/KAT_OTP.hs
+++ b/tests/KAT_OTP.hs
@@ -8,7 +8,6 @@
 
 import Crypto.Hash.Algorithms (SHA1(..), SHA256(..), SHA512(..))
 import Crypto.OTP
-import Data.ByteString (ByteString)
 import Imports
 
 -- | Test values from Appendix D of http://tools.ietf.org/html/rfc4226
@@ -94,9 +93,9 @@
         ]
     , testGroup "TOTP"
         [ testGroup "KATs"
-            [ testGroup "SHA1" (makeKATs (totp totpSHA1Params otpKey . fromIntegral) totpSHA1Expected)
-            , testGroup "SHA256" (makeKATs (totp totpSHA256Params totpSHA256Key . fromIntegral) totpSHA256Expected)
-            , testGroup "SHA512" (makeKATs (totp totpSHA512Params totpSHA512Key . fromIntegral) totpSHA512Expected)
+            [ testGroup "SHA1" (makeKATs (totp totpSHA1Params otpKey) totpSHA1Expected)
+            , testGroup "SHA256" (makeKATs (totp totpSHA256Params totpSHA256Key) totpSHA256Expected)
+            , testGroup "SHA512" (makeKATs (totp totpSHA512Params totpSHA512Key) totpSHA512Expected)
             ]
         ]
     ]
diff --git a/tests/KAT_PubKey.hs b/tests/KAT_PubKey.hs
--- a/tests/KAT_PubKey.hs
+++ b/tests/KAT_PubKey.hs
@@ -16,6 +16,8 @@
 import KAT_PubKey.DSA
 import KAT_PubKey.ECC
 import KAT_PubKey.ECDSA
+import KAT_PubKey.RSA
+import KAT_PubKey.Rabin
 import Utils
 import qualified KAT_PubKey.P256 as P256
 
@@ -35,12 +37,14 @@
 
 tests = testGroup "PubKey"
     [ testGroup "MGF1" $ map doMGFTest (zip [katZero..] vectorsMGF)
+    , rsaTests
     , pssTests
     , oaepTests
     , dsaTests
     , eccTests
     , ecdsaTests
     , P256.tests
+    , rabinTests
     ]
 
 --newKats = [ eccKatTests ]
diff --git a/tests/KAT_PubKey/DSA.hs b/tests/KAT_PubKey/DSA.hs
--- a/tests/KAT_PubKey/DSA.hs
+++ b/tests/KAT_PubKey/DSA.hs
@@ -106,7 +106,43 @@
         , r = 0x8c2fab489c34672140415d41a65cef1e70192e23
         , s = 0x3df86a9e2efe944a1c7ea9c30cac331d00599a0e
         , pgq = dsaParams
-        } 
+        }
+    , VectorDSA -- 1024-bit example from RFC 6979 with SHA-1
+        { msg = "sample"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x7BDB6B0FF756E1BB5D53583EF979082F9AD5BD5B
+        , r = 0x2E1A0C2562B2912CAAF89186FB0F42001585DA55
+        , s = 0x29EFB6B0AFF2D7A68EB70CA313022253B9A88DF5
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA -- 1024-bit example from RFC 6979 with SHA-1
+        { msg = "test"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x5C842DF4F9E344EE09F056838B42C7A17F4A6433
+        , r = 0x42AB2052FD43E123F0607F115052A67DCD9C5C77
+        , s = 0x183916B0230D45B9931491D4C6B0BD2FB4AAF088
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA -- 2048-bit example from RFC 6979 with SHA-1
+        { msg = "sample"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x888FA6F7738A41BDC9846466ABDB8174C0338250AE50CE955CA16230F9CBD53E
+        , r = 0x3A1B2DBD7489D6ED7E608FD036C83AF396E290DBD602408E8677DAABD6E7445A
+        , s = 0xD26FCBA19FA3E3058FFC02CA1596CDBB6E0D20CB37B06054F7E36DED0CDBBCCF
+        , pgq = rfc6979Params2048
+        }
+    , VectorDSA -- 2048-bit example from RFC 6979 with SHA-1
+        { msg = "test"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x6EEA486F9D41A037B2C640BC5645694FF8FF4B98D066A25F76BE641CCB24BA4F
+        , r = 0xC18270A93CFC6063F57A4DFA86024F700D980E4CF4E2CB65A504397273D98EA0
+        , s = 0x414F22E5F31A8B6D33295C7539C1C1BA3A6160D7D68D50AC0D3A5BEAC2884FAA
+        , pgq = rfc6979Params2048
+        }
     ]
     where -- (p,g,q)
           dsaParams = DSA.Params
@@ -115,6 +151,174 @@
             , DSA.params_q = 0xf85f0f83ac4df7ea0cdf8f469bfeeaea14156495
             }
 
+vectorsSHA224 =
+    [ VectorDSA
+        { msg = "sample"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x562097C06782D60C3037BA7BE104774344687649
+        , r = 0x4BC3B686AEA70145856814A6F1BB53346F02101E
+        , s = 0x410697B92295D994D21EDD2F4ADA85566F6F94C1
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x4598B8EFC1A53BC8AECD58D1ABBB0C0C71E67297
+        , r = 0x6868E9964E36C1689F6037F91F28D5F2C30610F2
+        , s = 0x49CEC3ACDC83018C5BD2674ECAAD35B8CD22940F
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "sample"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0xBC372967702082E1AA4FCE892209F71AE4AD25A6DFD869334E6F153BD0C4D806
+        , r = 0xDC9F4DEADA8D8FF588E98FED0AB690FFCE858DC8C79376450EB6B76C24537E2C
+        , s = 0xA65A9C3BC7BABE286B195D5DA68616DA8D47FA0097F36DD19F517327DC848CEC
+        , pgq = rfc6979Params2048
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x06BD4C05ED74719106223BE33F2D95DA6B3B541DAD7BFBD7AC508213B6DA6670
+        , r = 0x272ABA31572F6CC55E30BF616B7A265312018DD325BE031BE0CC82AA17870EA3
+        , s = 0xE9CC286A52CCE201586722D36D1E917EB96A4EBDB47932F9576AC645B3A60806
+        , pgq = rfc6979Params2048
+        }
+    ]
+
+vectorsSHA256 =
+    [ VectorDSA
+        { msg = "sample"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x519BA0546D0C39202A7D34D7DFA5E760B318BCFB
+        , r = 0x81F2F5850BE5BC123C43F71A3033E9384611C545
+        , s = 0x4CDD914B65EB6C66A8AAAD27299BEE6B035F5E89
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x5A67592E8128E03A417B0484410FB72C0B630E1A
+        , r = 0x22518C127299B0F6FDC9872B282B9E70D0790812
+        , s = 0x6837EC18F150D55DE95B5E29BE7AF5D01E4FE160
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "sample"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x8926A27C40484216F052F4427CFD5647338B7B3939BC6573AF4333569D597C52
+        , r = 0xEACE8BDBBE353C432A795D9EC556C6D021F7A03F42C36E9BC87E4AC7932CC809
+        , s = 0x7081E175455F9247B812B74583E9E94F9EA79BD640DC962533B0680793A38D53
+        , pgq = rfc6979Params2048
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x1D6CE6DDA1C5D37307839CD03AB0A5CBB18E60D800937D67DFB4479AAC8DEAD7
+        , r = 0x8190012A1969F9957D56FCCAAD223186F423398D58EF5B3CEFD5A4146A4476F0
+        , s = 0x7452A53F7075D417B4B013B278D1BB8BBD21863F5E7B1CEE679CF2188E1AB19E
+        , pgq = rfc6979Params2048
+        }
+    ]
+
+vectorsSHA384 =
+    [ VectorDSA
+        { msg = "sample"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x95897CD7BBB944AA932DBC579C1C09EB6FCFC595
+        , r = 0x07F2108557EE0E3921BC1774F1CA9B410B4CE65A
+        , s = 0x54DF70456C86FAC10FAB47C1949AB83F2C6F7595
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x220156B761F6CA5E6C9F1B9CF9C24BE25F98CD89
+        , r = 0x854CF929B58D73C3CBFDC421E8D5430CD6DB5E66
+        , s = 0x91D0E0F53E22F898D158380676A871A157CDA622
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "sample"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0xC345D5AB3DA0A5BCB7EC8F8FB7A7E96069E03B206371EF7D83E39068EC564920
+        , r = 0xB2DA945E91858834FD9BF616EBAC151EDBC4B45D27D0DD4A7F6A22739F45C00B
+        , s = 0x19048B63D9FD6BCA1D9BAE3664E1BCB97F7276C306130969F63F38FA8319021B
+        , pgq = rfc6979Params2048
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x206E61F73DBE1B2DC8BE736B22B079E9DACD974DB00EEBBC5B64CAD39CF9F91C
+        , r = 0x239E66DDBE8F8C230A3D071D601B6FFBDFB5901F94D444C6AF56F732BEB954BE
+        , s = 0x6BD737513D5E72FE85D1C750E0F73921FE299B945AAD1C802F15C26A43D34961
+        , pgq = rfc6979Params2048
+        }
+    ]
+
+vectorsSHA512 =
+    [ VectorDSA
+        { msg = "sample"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x09ECE7CA27D0F5A4DD4E556C9DF1D21D28104F8B
+        , r = 0x16C3491F9B8C3FBBDD5E7A7B667057F0D8EE8E1B
+        , s = 0x02C36A127A7B89EDBB72E4FFBC71DABC7D4FC69C
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
+        , k = 0x65D2C2EEB175E370F28C75BFCDC028D22C7DBE9C
+        , r = 0x8EA47E475BA8AC6F2D821DA3BD212D11A3DEB9A0
+        , s = 0x7C670C7AD72B6C050C109E1790008097125433E8
+        , pgq = rfc6979Params1024
+        }
+    , VectorDSA
+        { msg = "sample"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0x5A12994431785485B3F5F067221517791B85A597B7A9436995C89ED0374668FC
+        , r = 0x2016ED092DC5FB669B8EFB3D1F31A91EECB199879BE0CF78F02BA062CB4C942E
+        , s = 0xD0C76F84B5F091E141572A639A4FB8C230807EEA7D55C8A154A224400AFF2351
+        , pgq = rfc6979Params2048
+        }
+    , VectorDSA
+        { msg = "test"
+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
+        , k = 0xAFF1651E4CD6036D57AA8B2A05CCF1A9D5A40166340ECBBDC55BE10B568AA0AA
+        , r = 0x89EC4BB1400ECCFF8E7D9AA515CD1DE7803F2DAFF09693EE7FD1353E90A68307
+        , s = 0xC9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1
+        , pgq = rfc6979Params2048
+        }
+    ]
+
+rfc6979Params1024 = DSA.Params
+    { DSA.params_p = 0x86F5CA03DCFEB225063FF830A0C769B9DD9D6153AD91D7CE27F787C43278B447E6533B86B18BED6E8A48B784A14C252C5BE0DBF60B86D6385BD2F12FB763ED8873ABFD3F5BA2E0A8C0A59082EAC056935E529DAF7C610467899C77ADEDFC846C881870B7B19B2B58F9BE0521A17002E3BDD6B86685EE90B3D9A1B02B782B1779
+    , DSA.params_g = 0x07B0F92546150B62514BB771E2A0C0CE387F03BDA6C56B505209FF25FD3C133D89BBCD97E904E09114D9A7DEFDEADFC9078EA544D2E401AEECC40BB9FBBF78FD87995A10A1C27CB7789B594BA7EFB5C4326A9FE59A070E136DB77175464ADCA417BE5DCE2F40D10A46A3A3943F26AB7FD9C0398FF8C76EE0A56826A8A88F1DBD
+    , DSA.params_q = 0x996F967F6C8E388D9E28D01E205FBA957A5698B1
+    }
+
+rfc6979Params2048 = DSA.Params
+    { DSA.params_p = 0x9DB6FB5951B66BB6FE1E140F1D2CE5502374161FD6538DF1648218642F0B5C48C8F7A41AADFA187324B87674FA1822B00F1ECF8136943D7C55757264E5A1A44FFE012E9936E00C1D3E9310B01C7D179805D3058B2A9F4BB6F9716BFE6117C6B5B3CC4D9BE341104AD4A80AD6C94E005F4B993E14F091EB51743BF33050C38DE235567E1B34C3D6A5C0CEAA1A0F368213C3D19843D0B4B09DCB9FC72D39C8DE41F1BF14D4BB4563CA28371621CAD3324B6A2D392145BEBFAC748805236F5CA2FE92B871CD8F9C36D3292B5509CA8CAA77A2ADFC7BFD77DDA6F71125A7456FEA153E433256A2261C6A06ED3693797E7995FAD5AABBCFBE3EDA2741E375404AE25B
+    , DSA.params_g = 0x5C7FF6B06F8F143FE8288433493E4769C4D988ACE5BE25A0E24809670716C613D7B0CEE6932F8FAA7C44D2CB24523DA53FBE4F6EC3595892D1AA58C4328A06C46A15662E7EAA703A1DECF8BBB2D05DBE2EB956C142A338661D10461C0D135472085057F3494309FFA73C611F78B32ADBB5740C361C9F35BE90997DB2014E2EF5AA61782F52ABEB8BD6432C4DD097BC5423B285DAFB60DC364E8161F4A2A35ACA3A10B1C4D203CC76A470A33AFDCBDD92959859ABD8B56E1725252D78EAC66E71BA9AE3F1DD2487199874393CD4D832186800654760E1E34C09E4D155179F9EC0DC4473F996BDCE6EED1CABED8B6F116F7AD9CF505DF0F998E34AB27514B0FFE7
+    , DSA.params_q = 0xF2C3119374CE76C9356990B465374A17F23F9ED35089BD969F61C6DDE9998C1F
+    }
+
 vectorToPrivate :: VectorDSA -> DSA.PrivateKey
 vectorToPrivate vector = DSA.PrivateKey
     { DSA.private_x      = x vector
@@ -127,16 +331,32 @@
     , DSA.public_params = pgq vector
     }
 
-doSignatureTest (i, vector) = testCase (show i) (expected @=? actual)
+doSignatureTest hashAlg (i, vector) = testCase (show i) (expected @=? actual)
     where expected = Just $ DSA.Signature (r vector) (s vector)
-          actual   = DSA.signWith (k vector) (vectorToPrivate vector) SHA1 (msg vector)
+          actual   = DSA.signWith (k vector) (vectorToPrivate vector) hashAlg (msg vector)
 
-doVerifyTest (i, vector) = testCase (show i) (True @=? actual)
-    where actual = DSA.verify SHA1 (vectorToPublic vector) (DSA.Signature (r vector) (s vector)) (msg vector)
+doVerifyTest hashAlg (i, vector) = testCase (show i) (True @=? actual)
+    where actual = DSA.verify hashAlg (vectorToPublic vector) (DSA.Signature (r vector) (s vector)) (msg vector)
 
 dsaTests = testGroup "DSA"
     [ testGroup "SHA1"
-        [ testGroup "signature" $ map doSignatureTest (zip [katZero..] vectorsSHA1)
-        , testGroup "verify" $ map doVerifyTest (zip [katZero..] vectorsSHA1)
+        [ testGroup "signature" $ map (doSignatureTest SHA1) (zip [katZero..] vectorsSHA1)
+        , testGroup "verify" $ map (doVerifyTest SHA1) (zip [katZero..] vectorsSHA1)
+        ]
+    , testGroup "SHA224"
+        [ testGroup "signature" $ map (doSignatureTest SHA224) (zip [katZero..] vectorsSHA224)
+        , testGroup "verify" $ map (doVerifyTest SHA224) (zip [katZero..] vectorsSHA224)
+        ]
+    , testGroup "SHA256"
+        [ testGroup "signature" $ map (doSignatureTest SHA256) (zip [katZero..] vectorsSHA256)
+        , testGroup "verify" $ map (doVerifyTest SHA256) (zip [katZero..] vectorsSHA256)
+        ]
+    , testGroup "SHA384"
+        [ testGroup "signature" $ map (doSignatureTest SHA384) (zip [katZero..] vectorsSHA384)
+        , testGroup "verify" $ map (doVerifyTest SHA384) (zip [katZero..] vectorsSHA384)
+        ]
+    , testGroup "SHA512"
+        [ testGroup "signature" $ map (doSignatureTest SHA512) (zip [katZero..] vectorsSHA512)
+        , testGroup "verify" $ map (doVerifyTest SHA512) (zip [katZero..] vectorsSHA512)
         ]
     ]
diff --git a/tests/KAT_PubKey/P256.hs b/tests/KAT_PubKey/P256.hs
--- a/tests/KAT_PubKey/P256.hs
+++ b/tests/KAT_PubKey/P256.hs
@@ -17,7 +17,19 @@
     deriving (Show,Eq,Ord)
 
 instance Arbitrary P256Scalar where
-    arbitrary = P256Scalar . getQAInteger <$> arbitrary
+    -- Cover the full range up to 2^256-1 except 0 and curveN.  To test edge
+    -- cases with arithmetic functions, some values close to 0, curveN and
+    -- 2^256 are given higher frequency.
+    arbitrary = P256Scalar <$> oneof
+        [ choose (1, w)
+        , choose (w + 1, curveN - w - 1)
+        , choose (curveN - w, curveN - 1)
+        , choose (curveN + 1, curveN + w)
+        , choose (curveN + w + 1, high - w - 1)
+        , choose (high - w, high - 1)
+        ]
+      where high = 2^(256 :: Int)
+            w    = 100
 
 curve  = ECC.getCurveByName ECC.SEC_p256r1
 curveN = ECC.ecc_n . ECC.common_curve $ curve
@@ -26,22 +38,21 @@
 pointP256ToECC :: P256.Point -> ECC.Point
 pointP256ToECC = uncurry ECC.Point . P256.pointToIntegers
 
+i2ospScalar :: Integer -> Bytes
+i2ospScalar i =
+    case i2ospOf 32 i of
+        Nothing -> error "invalid size of P256 scalar"
+        Just b  -> b
+
 unP256Scalar :: P256Scalar -> P256.Scalar
-unP256Scalar (P256Scalar r') =
-    let r = if r' == 0 then 0x2901 else (r' `mod` curveN)
-        rBytes = i2ospScalar r
+unP256Scalar (P256Scalar r) =
+    let rBytes = i2ospScalar r
      in case P256.scalarFromBinary rBytes of
                     CryptoFailed err    -> error ("cannot convert scalar: " ++ show err)
                     CryptoPassed scalar -> scalar
-  where
-    i2ospScalar :: Integer -> Bytes
-    i2ospScalar i =
-        case i2ospOf 32 i of
-            Nothing -> error "invalid size of P256 scalar"
-            Just b  -> b
 
 unP256 :: P256Scalar -> Integer
-unP256 (P256Scalar r') = if r' == 0 then 0x2901 else (r' `mod` curveN)
+unP256 (P256Scalar r) = r
 
 p256ScalarToInteger :: P256.Scalar -> Integer
 p256ScalarToInteger s = os2ip (P256.scalarToBinary s :: Bytes)
@@ -55,9 +66,8 @@
 
 tests = testGroup "P256"
     [ testGroup "scalar"
-        [ testProperty "marshalling" $ \(QAInteger r') ->
-            let r = r' `mod` curveN
-                rBytes = i2ospScalar r
+        [ testProperty "marshalling" $ \(QAInteger r) ->
+            let rBytes = i2ospScalar r
              in case P256.scalarFromBinary rBytes of
                     CryptoFailed err    -> error (show err)
                     CryptoPassed scalar -> rBytes `propertyEq` P256.scalarToBinary scalar
@@ -66,14 +76,9 @@
                 r' = P256.scalarAdd (unP256Scalar r1) (unP256Scalar r2)
              in r `propertyEq` p256ScalarToInteger r'
         , testProperty "add0" $ \r ->
-            let v = unP256 r
+            let v = unP256 r `mod` curveN
                 v' = P256.scalarAdd (unP256Scalar r) P256.scalarZero
              in v `propertyEq` p256ScalarToInteger v'
-        , testProperty "add-n-1" $ \r ->
-            let nm1 = throwCryptoError $ P256.scalarFromInteger (curveN - 1)
-                v   = unP256 r
-                v'  = P256.scalarAdd (unP256Scalar r) nm1
-             in (((curveN - 1) + v) `mod` curveN) `propertyEq` p256ScalarToInteger v'
         , testProperty "sub" $ \r1 r2 ->
             let r = (unP256 r1 - unP256 r2) `mod` curveN
                 r' = P256.scalarSub (unP256Scalar r1) (unP256Scalar r2)
@@ -83,11 +88,10 @@
                     [ eqTest "r1-r2" r (p256ScalarToInteger r')
                     , eqTest "r2-r1" v (p256ScalarToInteger v')
                     ]
-        , testProperty "sub-n-1" $ \r ->
-            let nm1 = throwCryptoError $ P256.scalarFromInteger (curveN - 1)
-                v = unP256 r
-                v' = P256.scalarSub (unP256Scalar r) nm1
-             in ((v - (curveN - 1)) `mod` curveN) `propertyEq` p256ScalarToInteger v'
+        , testProperty "sub0" $ \r ->
+            let v = unP256 r `mod` curveN
+                v' = P256.scalarSub (unP256Scalar r) P256.scalarZero
+             in v `propertyEq` p256ScalarToInteger v'
         , testProperty "inv" $ \r' ->
             let inv  = inverseCoprimes (unP256 r') curveN
                 inv' = P256.scalarInv (unP256Scalar r')
@@ -133,7 +137,8 @@
             pe2   = ECC.pointMul curve (unP256 r2) curveGen
             pR    = P256.toPoint (P256.scalarAdd (unP256Scalar r1) (unP256Scalar r2))
             peR   = ECC.pointAdd curve pe1 pe2
-         in propertyHold [ eqTest "p256" pR (P256.pointAdd p1 p2)
+         in (unP256 r1 + unP256 r2) `mod` curveN /= 0 ==>
+            propertyHold [ eqTest "p256" pR (P256.pointAdd p1 p2)
                          , eqTest "ecc" peR (pointP256ToECC pR)
                          ]
 
@@ -142,9 +147,3 @@
             pe = ECC.pointMul curve (unP256 r) curveGen
             pR = P256.pointNegate p
          in ECC.pointNegate curve pe `propertyEq` (pointP256ToECC pR)
-
-    i2ospScalar :: Integer -> Bytes
-    i2ospScalar i =
-        case i2ospOf 32 i of
-            Nothing -> error "invalid size of P256 scalar"
-            Just b  -> b
diff --git a/tests/KAT_PubKey/PSS.hs b/tests/KAT_PubKey/PSS.hs
--- a/tests/KAT_PubKey/PSS.hs
+++ b/tests/KAT_PubKey/PSS.hs
@@ -6,6 +6,9 @@
 
 import Imports
 
+-- Module contains one vector generated by the implementation itself and other
+-- vectors from <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+
 data VectorPSS = VectorPSS { message :: ByteString
                            , salt :: ByteString
                            , signature :: ByteString
@@ -149,313 +152,179 @@
         }
     ]
 
-{-
-# ===================================
-# Example 10: A 2048-bit RSA Key Pair
-# ===================================
-
-# ------------------------------
-# Components of the RSA Key Pair
-# ------------------------------
-
-# RSA modulus n: 
-a5 dd 86 7a c4 cb 02 f9 0b 94 57 d4 8c 14 a7 70 
-ef 99 1c 56 c3 9c 0e c6 5f d1 1a fa 89 37 ce a5 
-7b 9b e7 ac 73 b4 5c 00 17 61 5b 82 d6 22 e3 18 
-75 3b 60 27 c0 fd 15 7b e1 2f 80 90 fe e2 a7 ad 
-cd 0e ef 75 9f 88 ba 49 97 c7 a4 2d 58 c9 aa 12 
-cb 99 ae 00 1f e5 21 c1 3b b5 43 14 45 a8 d5 ae 
-4f 5e 4c 7e 94 8a c2 27 d3 60 40 71 f2 0e 57 7e 
-90 5f be b1 5d fa f0 6d 1d e5 ae 62 53 d6 3a 6a 
-21 20 b3 1a 5d a5 da bc 95 50 60 0e 20 f2 7d 37 
-39 e2 62 79 25 fe a3 cc 50 9f 21 df f0 4e 6e ea 
-45 49 c5 40 d6 80 9f f9 30 7e ed e9 1f ff 58 73 
-3d 83 85 a2 37 d6 d3 70 5a 33 e3 91 90 09 92 07 
-0d f7 ad f1 35 7c f7 e3 70 0c e3 66 7d e8 3f 17 
-b8 df 17 78 db 38 1d ce 09 cb 4a d0 58 a5 11 00 
-1a 73 81 98 ee 27 cf 55 a1 3b 75 45 39 90 65 82 
-ec 8b 17 4b d5 8d 5d 1f 3d 76 7c 61 37 21 ae 05 
-
-# RSA public exponent e: 
-01 00 01 
-
-# RSA private exponent d: 
-2d 2f f5 67 b3 fe 74 e0 61 91 b7 fd ed 6d e1 12 
-29 0c 67 06 92 43 0d 59 69 18 40 47 da 23 4c 96 
-93 de ed 16 73 ed 42 95 39 c9 69 d3 72 c0 4d 6b 
-47 e0 f5 b8 ce e0 84 3e 5c 22 83 5d bd 3b 05 a0 
-99 79 84 ae 60 58 b1 1b c4 90 7c bf 67 ed 84 fa 
-9a e2 52 df b0 d0 cd 49 e6 18 e3 5d fd fe 59 bc 
-a3 dd d6 6c 33 ce bb c7 7a d4 41 aa 69 5e 13 e3 
-24 b5 18 f0 1c 60 f5 a8 5c 99 4a d1 79 f2 a6 b5 
-fb e9 34 02 b1 17 67 be 01 bf 07 34 44 d6 ba 1d 
-d2 bc a5 bd 07 4d 4a 5f ae 35 31 ad 13 03 d8 4b 
-30 d8 97 31 8c bb ba 04 e0 3c 2e 66 de 6d 91 f8 
-2f 96 ea 1d 4b b5 4a 5a ae 10 2d 59 46 57 f5 c9 
-78 95 53 51 2b 29 6d ea 29 d8 02 31 96 35 7e 3e 
-3a 6e 95 8f 39 e3 c2 34 40 38 ea 60 4b 31 ed c6 
-f0 f7 ff 6e 71 81 a5 7c 92 82 6a 26 8f 86 76 8e 
-96 f8 78 56 2f c7 1d 85 d6 9e 44 86 12 f7 04 8f 
-
-# Prime p: 
-cf d5 02 83 fe ee b9 7f 6f 08 d7 3c bc 7b 38 36 
-f8 2b bc d4 99 47 9f 5e 6f 76 fd fc b8 b3 8c 4f 
-71 dc 9e 88 bd 6a 6f 76 37 1a fd 65 d2 af 18 62 
-b3 2a fb 34 a9 5f 71 b8 b1 32 04 3f fe be 3a 95 
-2b af 75 92 44 81 48 c0 3f 9c 69 b1 d6 8e 4c e5 
-cf 32 c8 6b af 46 fe d3 01 ca 1a b4 03 06 9b 32 
-f4 56 b9 1f 71 89 8a b0 81 cd 8c 42 52 ef 52 71 
-91 5c 97 94 b8 f2 95 85 1d a7 51 0f 99 cb 73 eb 
-
-# Prime q: 
-cc 4e 90 d2 a1 b3 a0 65 d3 b2 d1 f5 a8 fc e3 1b 
-54 44 75 66 4e ab 56 1d 29 71 b9 9f b7 be f8 44 
-e8 ec 1f 36 0b 8c 2a c8 35 96 92 97 1e a6 a3 8f 
-72 3f cc 21 1f 5d bc b1 77 a0 fd ac 51 64 a1 d4 
-ff 7f bb 4e 82 99 86 35 3c b9 83 65 9a 14 8c dd 
-42 0c 7d 31 ba 38 22 ea 90 a3 2b e4 6c 03 0e 8c 
-17 e1 fa 0a d3 78 59 e0 6b 0a a6 fa 3b 21 6d 9c 
-be 6c 0e 22 33 97 69 c0 a6 15 91 3e 5d a7 19 cf 
-
-# p's CRT exponent dP: 
-1c 2d 1f c3 2f 6b c4 00 4f d8 5d fd e0 fb bf 9a 
-4c 38 f9 c7 c4 e4 1d ea 1a a8 82 34 a2 01 cd 92 
-f3 b7 da 52 65 83 a9 8a d8 5b b3 60 fb 98 3b 71 
-1e 23 44 9d 56 1d 17 78 d7 a5 15 48 6b cb f4 7b 
-46 c9 e9 e1 a3 a1 f7 70 00 ef be b0 9a 8a fe 47 
-e5 b8 57 cd a9 9c b1 6d 7f ff 9b 71 2e 3b d6 0c 
-a9 6d 9c 79 73 d6 16 d4 69 34 a9 c0 50 28 1c 00 
-43 99 ce ff 1d b7 dd a7 87 66 a8 a9 b9 cb 08 73 
-
-# q's CRT exponent dQ: 
-cb 3b 3c 04 ca a5 8c 60 be 7d 9b 2d eb b3 e3 96 
-43 f4 f5 73 97 be 08 23 6a 1e 9e af aa 70 65 36 
-e7 1c 3a cf e0 1c c6 51 f2 3c 9e 05 85 8f ee 13 
-bb 6a 8a fc 47 df 4e dc 9a 4b a3 0b ce cb 73 d0 
-15 78 52 32 7e e7 89 01 5c 2e 8d ee 7b 9f 05 a0 
-f3 1a c9 4e b6 17 31 64 74 0c 5c 95 14 7c d5 f3 
-b5 ae 2c b4 a8 37 87 f0 1d 8a b3 1f 27 c2 d0 ee 
-a2 dd 8a 11 ab 90 6a ba 20 7c 43 c6 ee 12 53 31 
-
-# CRT coefficient qInv: 
-12 f6 b2 cf 13 74 a7 36 fa d0 56 16 05 0f 96 ab 
-4b 61 d1 17 7c 7f 9d 52 5a 29 f3 d1 80 e7 76 67 
-e9 9d 99 ab f0 52 5d 07 58 66 0f 37 52 65 5b 0f 
-25 b8 df 84 31 d9 a8 ff 77 c1 6c 12 a0 a5 12 2a 
-9f 0b f7 cf d5 a2 66 a3 5c 15 9f 99 12 08 b9 03 
-16 ff 44 4f 3e 0b 6b d0 e9 3b 8a 7a 24 48 e9 57 
-e3 dd a6 cf cf 22 66 b1 06 01 3a c4 68 08 d3 b3 
-88 7b 3b 00 34 4b aa c9 53 0b 4c e7 08 fc 32 b6 
-
-# ---------------------------------
-# RSASSA-PSS Signature Example 10.1
-# ---------------------------------
-
-# Message to be signed:
-88 31 77 e5 12 6b 9b e2 d9 a9 68 03 27 d5 37 0c 
-6f 26 86 1f 58 20 c4 3d a6 7a 3a d6 09 
-
-# Salt:
-04 e2 15 ee 6f f9 34 b9 da 70 d7 73 0c 87 34 ab 
-fc ec de 89 
-
-# Signature:
-82 c2 b1 60 09 3b 8a a3 c0 f7 52 2b 19 f8 73 54 
-06 6c 77 84 7a bf 2a 9f ce 54 2d 0e 84 e9 20 c5 
-af b4 9f fd fd ac e1 65 60 ee 94 a1 36 96 01 14 
-8e ba d7 a0 e1 51 cf 16 33 17 91 a5 72 7d 05 f2 
-1e 74 e7 eb 81 14 40 20 69 35 d7 44 76 5a 15 e7 
-9f 01 5c b6 6c 53 2c 87 a6 a0 59 61 c8 bf ad 74 
-1a 9a 66 57 02 28 94 39 3e 72 23 73 97 96 c0 2a 
-77 45 5d 0f 55 5b 0e c0 1d df 25 9b 62 07 fd 0f 
-d5 76 14 ce f1 a5 57 3b aa ff 4e c0 00 69 95 16 
-59 b8 5f 24 30 0a 25 16 0c a8 52 2d c6 e6 72 7e 
-57 d0 19 d7 e6 36 29 b8 fe 5e 89 e2 5c c1 5b eb 
-3a 64 75 77 55 92 99 28 0b 9b 28 f7 9b 04 09 00 
-0b e2 5b bd 96 40 8b a3 b4 3c c4 86 18 4d d1 c8 
-e6 25 53 fa 1a f4 04 0f 60 66 3d e7 f5 e4 9c 04 
-38 8e 25 7f 1c e8 9c 95 da b4 8a 31 5d 9b 66 b1 
-b7 62 82 33 87 6f f2 38 52 30 d0 70 d0 7e 16 66 
-
-# ---------------------------------
-# RSASSA-PSS Signature Example 10.2
-# ---------------------------------
-
-# Message to be signed:
-dd 67 0a 01 46 58 68 ad c9 3f 26 13 19 57 a5 0c 
-52 fb 77 7c db aa 30 89 2c 9e 12 36 11 64 ec 13 
-97 9d 43 04 81 18 e4 44 5d b8 7b ee 58 dd 98 7b 
-34 25 d0 20 71 d8 db ae 80 70 8b 03 9d bb 64 db 
-d1 de 56 57 d9 fe d0 c1 18 a5 41 43 74 2e 0f f3 
-c8 7f 74 e4 58 57 64 7a f3 f7 9e b0 a1 4c 9d 75 
-ea 9a 1a 04 b7 cf 47 8a 89 7a 70 8f d9 88 f4 8e 
-80 1e db 0b 70 39 df 8c 23 bb 3c 56 f4 e8 21 ac 
-
-# Salt:
-8b 2b dd 4b 40 fa f5 45 c7 78 dd f9 bc 1a 49 cb 
-57 f9 b7 1b 
-
-# Signature:
-14 ae 35 d9 dd 06 ba 92 f7 f3 b8 97 97 8a ed 7c 
-d4 bf 5f f0 b5 85 a4 0b d4 6c e1 b4 2c d2 70 30 
-53 bb 90 44 d6 4e 81 3d 8f 96 db 2d d7 00 7d 10 
-11 8f 6f 8f 84 96 09 7a d7 5e 1f f6 92 34 1b 28 
-92 ad 55 a6 33 a1 c5 5e 7f 0a 0a d5 9a 0e 20 3a 
-5b 82 78 ae c5 4d d8 62 2e 28 31 d8 71 74 f8 ca 
-ff 43 ee 6c 46 44 53 45 d8 4a 59 65 9b fb 92 ec 
-d4 c8 18 66 86 95 f3 47 06 f6 68 28 a8 99 59 63 
-7f 2b f3 e3 25 1c 24 bd ba 4d 4b 76 49 da 00 22 
-21 8b 11 9c 84 e7 9a 65 27 ec 5b 8a 5f 86 1c 15 
-99 52 e2 3e c0 5e 1e 71 73 46 fa ef e8 b1 68 68 
-25 bd 2b 26 2f b2 53 10 66 c0 de 09 ac de 2e 42 
-31 69 07 28 b5 d8 5e 11 5a 2f 6b 92 b7 9c 25 ab 
-c9 bd 93 99 ff 8b cf 82 5a 52 ea 1f 56 ea 76 dd 
-26 f4 3b aa fa 18 bf a9 2a 50 4c bd 35 69 9e 26 
-d1 dc c5 a2 88 73 85 f3 c6 32 32 f0 6f 32 44 c3 
-
-# ---------------------------------
-# RSASSA-PSS Signature Example 10.3
-# ---------------------------------
-
-# Message to be signed:
-48 b2 b6 a5 7a 63 c8 4c ea 85 9d 65 c6 68 28 4b 
-08 d9 6b dc aa be 25 2d b0 e4 a9 6c b1 ba c6 01 
-93 41 db 6f be fb 8d 10 6b 0e 90 ed a6 bc c6 c6 
-26 2f 37 e7 ea 9c 7e 5d 22 6b d7 df 85 ec 5e 71 
-ef ff 2f 54 c5 db 57 7f f7 29 ff 91 b8 42 49 1d 
-e2 74 1d 0c 63 16 07 df 58 6b 90 5b 23 b9 1a f1 
-3d a1 23 04 bf 83 ec a8 a7 3e 87 1f f9 db 
-
-# Salt:
-4e 96 fc 1b 39 8f 92 b4 46 71 01 0c 0d c3 ef d6 
-e2 0c 2d 73 
-
-# Signature:
-6e 3e 4d 7b 6b 15 d2 fb 46 01 3b 89 00 aa 5b bb 
-39 39 cf 2c 09 57 17 98 70 42 02 6e e6 2c 74 c5 
-4c ff d5 d7 d5 7e fb bf 95 0a 0f 5c 57 4f a0 9d 
-3f c1 c9 f5 13 b0 5b 4f f5 0d d8 df 7e df a2 01 
-02 85 4c 35 e5 92 18 01 19 a7 0c e5 b0 85 18 2a 
-a0 2d 9e a2 aa 90 d1 df 03 f2 da ae 88 5b a2 f5 
-d0 5a fd ac 97 47 6f 06 b9 3b 5b c9 4a 1a 80 aa 
-91 16 c4 d6 15 f3 33 b0 98 89 2b 25 ff ac e2 66 
-f5 db 5a 5a 3b cc 10 a8 24 ed 55 aa d3 5b 72 78 
-34 fb 8c 07 da 28 fc f4 16 a5 d9 b2 22 4f 1f 8b 
-44 2b 36 f9 1e 45 6f de a2 d7 cf e3 36 72 68 de 
-03 07 a4 c7 4e 92 41 59 ed 33 39 3d 5e 06 55 53 
-1c 77 32 7b 89 82 1b de df 88 01 61 c7 8c d4 19 
-6b 54 19 f7 ac c3 f1 3e 5e bf 16 1b 6e 7c 67 24 
-71 6c a3 3b 85 c2 e2 56 40 19 2a c2 85 96 51 d5 
-0b de 7e b9 76 e5 1c ec 82 8b 98 b6 56 3b 86 bb 
-
-# ---------------------------------
-# RSASSA-PSS Signature Example 10.4
-# ---------------------------------
-
-# Message to be signed:
-0b 87 77 c7 f8 39 ba f0 a6 4b bb db c5 ce 79 75 
-5c 57 a2 05 b8 45 c1 74 e2 d2 e9 05 46 a0 89 c4 
-e6 ec 8a df fa 23 a7 ea 97 ba e6 b6 5d 78 2b 82 
-db 5d 2b 5a 56 d2 2a 29 a0 5e 7c 44 33 e2 b8 2a 
-62 1a bb a9 0a dd 05 ce 39 3f c4 8a 84 05 42 45 
-1a 
-
-# Salt:
-c7 cd 69 8d 84 b6 51 28 d8 83 5e 3a 8b 1e b0 e0 
-1c b5 41 ec 
-
-# Signature:
-34 04 7f f9 6c 4d c0 dc 90 b2 d4 ff 59 a1 a3 61 
-a4 75 4b 25 5d 2e e0 af 7d 8b f8 7c 9b c9 e7 dd 
-ee de 33 93 4c 63 ca 1c 0e 3d 26 2c b1 45 ef 93 
-2a 1f 2c 0a 99 7a a6 a3 4f 8e ae e7 47 7d 82 cc 
-f0 90 95 a6 b8 ac ad 38 d4 ee c9 fb 7e ab 7a d0 
-2d a1 d1 1d 8e 54 c1 82 5e 55 bf 58 c2 a2 32 34 
-b9 02 be 12 4f 9e 90 38 a8 f6 8f a4 5d ab 72 f6 
-6e 09 45 bf 1d 8b ac c9 04 4c 6f 07 09 8c 9f ce 
-c5 8a 3a ab 10 0c 80 51 78 15 5f 03 0a 12 4c 45 
-0e 5a cb da 47 d0 e4 f1 0b 80 a2 3f 80 3e 77 4d 
-02 3b 00 15 c2 0b 9f 9b be 7c 91 29 63 38 d5 ec 
-b4 71 ca fb 03 20 07 b6 7a 60 be 5f 69 50 4a 9f 
-01 ab b3 cb 46 7b 26 0e 2b ce 86 0b e8 d9 5b f9 
-2c 0c 8e 14 96 ed 1e 52 85 93 a4 ab b6 df 46 2d 
-de 8a 09 68 df fe 46 83 11 68 57 a2 32 f5 eb f6 
-c8 5b e2 38 74 5a d0 f3 8f 76 7a 5f db f4 86 fb 
-
-# ---------------------------------
-# RSASSA-PSS Signature Example 10.5
-# ---------------------------------
+-- ==================================
+-- Example 2: A 1025-bit RSA Key Pair
+-- ==================================
 
-# Message to be signed:
-f1 03 6e 00 8e 71 e9 64 da dc 92 19 ed 30 e1 7f 
-06 b4 b6 8a 95 5c 16 b3 12 b1 ed df 02 8b 74 97 
-6b ed 6b 3f 6a 63 d4 e7 78 59 24 3c 9c cc dc 98 
-01 65 23 ab b0 24 83 b3 55 91 c3 3a ad 81 21 3b 
-b7 c7 bb 1a 47 0a ab c1 0d 44 25 6c 4d 45 59 d9 
-16 
+rsaKey2 = PrivateKey
+    { private_pub = PublicKey
+        { public_n = 0x01d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c9
+        , public_e = 0x010001
+        , public_size = 129
+        }
+    , private_d = 0x027d147e4673057377fd1ea201565772176a7dc38358d376045685a2e787c23c15576bc16b9f444402d6bfc5d98a3e88ea13ef67c353eca0c0ddba9255bd7b8bb50a644afdfd1dd51695b252d22e7318d1b6687a1c10ff75545f3db0fe602d5f2b7f294e3601eab7b9d1cecd767f64692e3e536ca2846cb0c2dd486a39fa75b1
+    , private_p = 0x016601e926a0f8c9e26ecab769ea65a5e7c52cc9e080ef519457c644da6891c5a104d3ea7955929a22e7c68a7af9fcad777c3ccc2b9e3d3650bce404399b7e59d1
+    , private_q = 0x014eafa1d4d0184da7e31f877d1281ddda625664869e8379e67ad3b75eae74a580e9827abd6eb7a002cb5411f5266797768fb8e95ae40e3e8a01f35ff89e56c079
+    , private_dP = 0xe247cce504939b8f0a36090de200938755e2444b29539a7da7a902f6056835c0db7b52559497cfe2c61a8086d0213c472c78851800b171f6401de2e9c2756f31
+    , private_dQ = 0xb12fba757855e586e46f64c38a70c68b3f548d93d787b399999d4c8f0bbd2581c21e19ed0018a6d5d3df86424b3abcad40199d31495b61309f27c1bf55d487c1
+    , private_qinv = 0x564b1e1fa003bda91e89090425aac05b91da9ee25061e7628d5f51304a84992fdc33762bd378a59f030a334d532bd0dae8f298ea9ed844636ad5fb8cbdc03cad
+    }
 
-# Salt:
-ef a8 bf f9 62 12 b2 f4 a3 f3 71 a1 0d 57 41 52 
-65 5f 5d fb 
+vectorsKey2 =
+    [
+    -- Example 2.1
+      VectorPSS
+        { message = "\xda\xba\x03\x20\x66\x26\x3f\xae\xdb\x65\x98\x48\x11\x52\x78\xa5\x2c\x44\xfa\xa3\xa7\x6f\x37\x51\x5e\xd3\x36\x32\x10\x72\xc4\x0a\x9d\x9b\x53\xbc\x05\x01\x40\x78\xad\xf5\x20\x87\x51\x46\xaa\xe7\x0f\xf0\x60\x22\x6d\xcb\x7b\x1f\x1f\xc2\x7e\x93\x60"
+        , salt = "\x57\xbf\x16\x0b\xcb\x02\xbb\x1d\xc7\x28\x0c\xf0\x45\x85\x30\xb7\xd2\x83\x2f\xf7"
+        , signature = "\x01\x4c\x5b\xa5\x33\x83\x28\xcc\xc6\xe7\xa9\x0b\xf1\xc0\xab\x3f\xd6\x06\xff\x47\x96\xd3\xc1\x2e\x4b\x63\x9e\xd9\x13\x6a\x5f\xec\x6c\x16\xd8\x88\x4b\xdd\x99\xcf\xdc\x52\x14\x56\xb0\x74\x2b\x73\x68\x68\xcf\x90\xde\x09\x9a\xdb\x8d\x5f\xfd\x1d\xef\xf3\x9b\xa4\x00\x7a\xb7\x46\xce\xfd\xb2\x2d\x7d\xf0\xe2\x25\xf5\x46\x27\xdc\x65\x46\x61\x31\x72\x1b\x90\xaf\x44\x53\x63\xa8\x35\x8b\x9f\x60\x76\x42\xf7\x8f\xab\x0a\xb0\xf4\x3b\x71\x68\xd6\x4b\xae\x70\xd8\x82\x78\x48\xd8\xef\x1e\x42\x1c\x57\x54\xdd\xf4\x2c\x25\x89\xb5\xb3"
+        }
+    -- Example 2.2
+    , VectorPSS
+        { message = "\xe4\xf8\x60\x1a\x8a\x6d\xa1\xbe\x34\x44\x7c\x09\x59\xc0\x58\x57\x0c\x36\x68\xcf\xd5\x1d\xd5\xf9\xcc\xd6\xad\x44\x11\xfe\x82\x13\x48\x6d\x78\xa6\xc4\x9f\x93\xef\xc2\xca\x22\x88\xce\xbc\x2b\x9b\x60\xbd\x04\xb1\xe2\x20\xd8\x6e\x3d\x48\x48\xd7\x09\xd0\x32\xd1\xe8\xc6\xa0\x70\xc6\xaf\x9a\x49\x9f\xcf\x95\x35\x4b\x14\xba\x61\x27\xc7\x39\xde\x1b\xb0\xfd\x16\x43\x1e\x46\x93\x8a\xec\x0c\xf8\xad\x9e\xb7\x2e\x83\x2a\x70\x35\xde\x9b\x78\x07\xbd\xc0\xed\x8b\x68\xeb\x0f\x5a\xc2\x21\x6b\xe4\x0c\xe9\x20\xc0\xdb\x0e\xdd\xd3\x86\x0e\xd7\x88\xef\xac\xca\xca\x50\x2d\x8f\x2b\xd6\xd1\xa7\xc1\xf4\x1f\xf4\x6f\x16\x81\xc8\xf1\xf8\x18\xe9\xc4\xf6\xd9\x1a\x0c\x78\x03\xcc\xc6\x3d\x76\xa6\x54\x4d\x84\x3e\x08\x4e\x36\x3b\x8a\xcc\x55\xaa\x53\x17\x33\xed\xb5\xde\xe5\xb5\x19\x6e\x9f\x03\xe8\xb7\x31\xb3\x77\x64\x28\xd9\xe4\x57\xfe\x3f\xbc\xb3\xdb\x72\x74\x44\x2d\x78\x58\x90\xe9\xcb\x08\x54\xb6\x44\x4d\xac\xe7\x91\xd7\x27\x3d\xe1\x88\x97\x19\x33\x8a\x77\xfe"
+        , salt = "\x7f\x6d\xd3\x59\xe6\x04\xe6\x08\x70\xe8\x98\xe4\x7b\x19\xbf\x2e\x5a\x7b\x2a\x90"
+        , signature = "\x01\x09\x91\x65\x6c\xca\x18\x2b\x7f\x29\xd2\xdb\xc0\x07\xe7\xae\x0f\xec\x15\x8e\xb6\x75\x9c\xb9\xc4\x5c\x5f\xf8\x7c\x76\x35\xdd\x46\xd1\x50\x88\x2f\x4d\xe1\xe9\xae\x65\xe7\xf7\xd9\x01\x8f\x68\x36\x95\x4a\x47\xc0\xa8\x1a\x8a\x6b\x6f\x83\xf2\x94\x4d\x60\x81\xb1\xaa\x7c\x75\x9b\x25\x4b\x2c\x34\xb6\x91\xda\x67\xcc\x02\x26\xe2\x0b\x2f\x18\xb4\x22\x12\x76\x1d\xcd\x4b\x90\x8a\x62\xb3\x71\xb5\x91\x8c\x57\x42\xaf\x4b\x53\x7e\x29\x69\x17\x67\x4f\xb9\x14\x19\x47\x61\x62\x1c\xc1\x9a\x41\xf6\xfb\x95\x3f\xbc\xbb\x64\x9d\xea"
+        }
+    -- Example 2.3
+    , VectorPSS
+        { message = "\x52\xa1\xd9\x6c\x8a\xc3\x9e\x41\xe4\x55\x80\x98\x01\xb9\x27\xa5\xb4\x45\xc1\x0d\x90\x2a\x0d\xcd\x38\x50\xd2\x2a\x66\xd2\xbb\x07\x03\xe6\x7d\x58\x67\x11\x45\x95\xaa\xbf\x5a\x7a\xeb\x5a\x8f\x87\x03\x4b\xbb\x30\xe1\x3c\xfd\x48\x17\xa9\xbe\x76\x23\x00\x23\x60\x6d\x02\x86\xa3\xfa\xf8\xa4\xd2\x2b\x72\x8e\xc5\x18\x07\x9f\x9e\x64\x52\x6e\x3a\x0c\xc7\x94\x1a\xa3\x38\xc4\x37\x99\x7c\x68\x0c\xca\xc6\x7c\x66\xbf\xa1"
+        , salt = "\xfc\xa8\x62\x06\x8b\xce\x22\x46\x72\x4b\x70\x8a\x05\x19\xda\x17\xe6\x48\x68\x8c"
+        , signature = "\x00\x7f\x00\x30\x01\x8f\x53\xcd\xc7\x1f\x23\xd0\x36\x59\xfd\xe5\x4d\x42\x41\xf7\x58\xa7\x50\xb4\x2f\x18\x5f\x87\x57\x85\x20\xc3\x07\x42\xaf\xd8\x43\x59\xb6\xe6\xe8\xd3\xed\x95\x9d\xc6\xfe\x48\x6b\xed\xc8\xe2\xcf\x00\x1f\x63\xa7\xab\xe1\x62\x56\xa1\xb8\x4d\xf0\xd2\x49\xfc\x05\xd3\x19\x4c\xe5\xf0\x91\x27\x42\xdb\xbf\x80\xdd\x17\x4f\x6c\x51\xf6\xba\xd7\xf1\x6c\xf3\x36\x4e\xba\x09\x5a\x06\x26\x7d\xc3\x79\x38\x03\xac\x75\x26\xae\xbe\x0a\x47\x5d\x38\xb8\xc2\x24\x7a\xb5\x1c\x48\x98\xdf\x70\x47\xdc\x6a\xdf\x52\xc6\xc4"
+        }
+    -- Example 2.4
+    , VectorPSS
+        { message = "\xa7\x18\x2c\x83\xac\x18\xbe\x65\x70\xa1\x06\xaa\x9d\x5c\x4e\x3d\xbb\xd4\xaf\xae\xb0\xc6\x0c\x4a\x23\xe1\x96\x9d\x79\xff"
+        , salt = "\x80\x70\xef\x2d\xe9\x45\xc0\x23\x87\x68\x4b\xa0\xd3\x30\x96\x73\x22\x35\xd4\x40"
+        , signature = "\x00\x9c\xd2\xf4\xed\xbe\x23\xe1\x23\x46\xae\x8c\x76\xdd\x9a\xd3\x23\x0a\x62\x07\x61\x41\xf1\x6c\x15\x2b\xa1\x85\x13\xa4\x8e\xf6\xf0\x10\xe0\xe3\x7f\xd3\xdf\x10\xa1\xec\x62\x9a\x0c\xb5\xa3\xb5\xd2\x89\x30\x07\x29\x8c\x30\x93\x6a\x95\x90\x3b\x6b\xa8\x55\x55\xd9\xec\x36\x73\xa0\x61\x08\xfd\x62\xa2\xfd\xa5\x6d\x1c\xe2\xe8\x5c\x4d\xb6\xb2\x4a\x81\xca\x3b\x49\x6c\x36\xd4\xfd\x06\xeb\x7c\x91\x66\xd8\xe9\x48\x77\xc4\x2b\xea\x62\x2b\x3b\xfe\x92\x51\xfd\xc2\x1d\x8d\x53\x71\xba\xda\xd7\x8a\x48\x82\x14\x79\x63\x35\xb4\x0b"
+        }
+    -- Example 2.5
+    , VectorPSS
+        { message = "\x86\xa8\x3d\x4a\x72\xee\x93\x2a\x4f\x56\x30\xaf\x65\x79\xa3\x86\xb7\x8f\xe8\x89\x99\xe0\xab\xd2\xd4\x90\x34\xa4\xbf\xc8\x54\xdd\x94\xf1\x09\x4e\x2e\x8c\xd7\xa1\x79\xd1\x95\x88\xe4\xae\xfc\x1b\x1b\xd2\x5e\x95\xe3\xdd\x46\x1f"
+        , salt = "\x17\x63\x9a\x4e\x88\xd7\x22\xc4\xfc\xa2\x4d\x07\x9a\x8b\x29\xc3\x24\x33\xb0\xc9"
+        , signature = "\x00\xec\x43\x08\x24\x93\x1e\xbd\x3b\xaa\x43\x03\x4d\xae\x98\xba\x64\x6b\x8c\x36\x01\x3d\x16\x71\xc3\xcf\x1c\xf8\x26\x0c\x37\x4b\x19\xf8\xe1\xcc\x8d\x96\x50\x12\x40\x5e\x7e\x9b\xf7\x37\x86\x12\xdf\xcc\x85\xfc\xe1\x2c\xda\x11\xf9\x50\xbd\x0b\xa8\x87\x67\x40\x43\x6c\x1d\x25\x95\xa6\x4a\x1b\x32\xef\xcf\xb7\x4a\x21\xc8\x73\xb3\xcc\x33\xaa\xf4\xe3\xdc\x39\x53\xde\x67\xf0\x67\x4c\x04\x53\xb4\xfd\x9f\x60\x44\x06\xd4\x41\xb8\x16\x09\x8c\xb1\x06\xfe\x34\x72\xbc\x25\x1f\x81\x5f\x59\xdb\x2e\x43\x78\xa3\xad\xdc\x18\x1e\xcf"
+        }
+    -- Example 2.6
+    , VectorPSS
+        { message = "\x04\x9f\x91\x54\xd8\x71\xac\x4a\x7c\x7a\xb4\x53\x25\xba\x75\x45\xa1\xed\x08\xf7\x05\x25\xb2\x66\x7c\xf1"
+        , salt = "\x37\x81\x0d\xef\x10\x55\xed\x92\x2b\x06\x3d\xf7\x98\xde\x5d\x0a\xab\xf8\x86\xee"
+        , signature = "\x00\x47\x5b\x16\x48\xf8\x14\xa8\xdc\x0a\xbd\xc3\x7b\x55\x27\xf5\x43\xb6\x66\xbb\x6e\x39\xd3\x0e\x5b\x49\xd3\xb8\x76\xdc\xcc\x58\xea\xc1\x4e\x32\xa2\xd5\x5c\x26\x16\x01\x44\x56\xad\x2f\x24\x6f\xc8\xe3\xd5\x60\xda\x3d\xdf\x37\x9a\x1c\x0b\xd2\x00\xf1\x02\x21\xdf\x07\x8c\x21\x9a\x15\x1b\xc8\xd4\xec\x9d\x2f\xc2\x56\x44\x67\x81\x10\x14\xef\x15\xd8\xea\x01\xc2\xeb\xbf\xf8\xc2\xc8\xef\xab\x38\x09\x6e\x55\xfc\xbe\x32\x85\xc7\xaa\x55\x88\x51\x25\x4f\xaf\xfa\x92\xc1\xc7\x2b\x78\x75\x86\x63\xef\x45\x82\x84\x31\x39\xd7\xa6"
+        }
+    ]
 
-# Signature:
-7e 09 35 ea 18 f4 d6 c1 d1 7c e8 2e b2 b3 83 6c 
-55 b3 84 58 9c e1 9d fe 74 33 63 ac 99 48 d1 f3 
-46 b7 bf dd fe 92 ef d7 8a db 21 fa ef c8 9a de 
-42 b1 0f 37 40 03 fe 12 2e 67 42 9a 1c b8 cb d1 
-f8 d9 01 45 64 c4 4d 12 01 16 f4 99 0f 1a 6e 38 
-77 4c 19 4b d1 b8 21 32 86 b0 77 b0 49 9d 2e 7b 
-3f 43 4a b1 22 89 c5 56 68 4d ee d7 81 31 93 4b 
-b3 dd 65 37 23 6f 7c 6f 3d cb 09 d4 76 be 07 72 
-1e 37 e1 ce ed 9b 2f 7b 40 68 87 bd 53 15 73 05 
-e1 c8 b4 f8 4d 73 3b c1 e1 86 fe 06 cc 59 b6 ed 
-b8 f4 bd 7f fe fd f4 f7 ba 9c fb 9d 57 06 89 b5 
-a1 a4 10 9a 74 6a 69 08 93 db 37 99 25 5a 0c b9 
-21 5d 2d 1c d4 90 59 0e 95 2e 8c 87 86 aa 00 11 
-26 52 52 47 0c 04 1d fb c3 ee c7 c3 cb f7 1c 24 
-86 9d 11 5c 0c b4 a9 56 f5 6d 53 0b 80 ab 58 9a 
-cf ef c6 90 75 1d df 36 e8 d3 83 f8 3c ed d2 cc 
+-- ==================================
+-- Example 3: A 1026-bit RSA Key Pair
+-- ==================================
 
-# ---------------------------------
-# RSASSA-PSS Signature Example 10.6
-# ---------------------------------
+rsaKey3 = PrivateKey
+    { private_pub = PublicKey
+        { public_n = 0x02f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a443
+        , public_e = 0x010001
+        , public_size = 129
+        }
+    , private_d = 0x651451733b56de5ac0a689a4aeb6e6894a69014e076c88dd7a667eab3232bbccd2fc44ba2fa9c31db46f21edd1fdb23c5c128a5da5bab91e7f952b67759c7cff705415ac9fa0907c7ca6178f668fb948d869da4cc3b7356f4008dfd5449d32ee02d9a477eb69fc29266e5d9070512375a50fbbcc27e238ad98425f6ebbf88991
+    , private_p = 0x01bd36e18ece4b0fdb2e9c9d548bd1a7d6e2c21c6fdc35074a1d05b1c6c8b3d558ea2639c9a9a421680169317252558bd148ad215aac550e2dcf12a82d0ebfe853
+    , private_q = 0x01b1b656ad86d8e19d5dc86292b3a192fdf6e0dd37877bad14822fa00190cab265f90d3f02057b6f54d6ecb14491e5adeacebc48bf0ebd2a2ad26d402e54f61651
+    , private_dP = 0x1f2779fd2e3e5e6bae05539518fba0cd0ead1aa4513a7cba18f1cf10e3f68195693d278a0f0ee72f89f9bc760d80e2f9d0261d516501c6ae39f14a476ce2ccf5
+    , private_dQ = 0x011a0d36794b04a854aab4b2462d439a5046c91d940b2bc6f75b62956fef35a2a6e63c5309817f307bbff9d59e7e331bd363f6d66849b18346adea169f0ae9aec1
+    , private_qinv = 0x0b30f0ecf558752fb3a6ce4ba2b8c675f659eba6c376585a1b39712d038ae3d2b46fcb418ae15d0905da6440e1513a30b9b7d6668fbc5e88e5ab7a175e73ba35
+    }
 
-# Message to be signed:
-25 f1 08 95 a8 77 16 c1 37 45 0b b9 51 9d fa a1 
-f2 07 fa a9 42 ea 88 ab f7 1e 9c 17 98 00 85 b5 
-55 ae ba b7 62 64 ae 2a 3a b9 3c 2d 12 98 11 91 
-dd ac 6f b5 94 9e b3 6a ee 3c 5d a9 40 f0 07 52 
-c9 16 d9 46 08 fa 7d 97 ba 6a 29 15 b6 88 f2 03 
-23 d4 e9 d9 68 01 d8 9a 72 ab 58 92 dc 21 17 c0 
-74 34 fc f9 72 e0 58 cf 8c 41 ca 4b 4f f5 54 f7 
-d5 06 8a d3 15 5f ce d0 f3 12 5b c0 4f 91 93 37 
-8a 8f 5c 4c 3b 8c b4 dd 6d 1c c6 9d 30 ec ca 6e 
-aa 51 e3 6a 05 73 0e 9e 34 2e 85 5b af 09 9d ef 
-b8 af d7 
+vectorsKey3 =
+    [
+    -- Example 3.1
+      VectorPSS
+        { message = "\x59\x4b\x37\x33\x3b\xbb\x2c\x84\x52\x4a\x87\xc1\xa0\x1f\x75\xfc\xec\x0e\x32\x56\xf1\x08\xe3\x8d\xca\x36\xd7\x0d\x00\x57"
+        , salt = "\xf3\x1a\xd6\xc8\xcf\x89\xdf\x78\xed\x77\xfe\xac\xbc\xc2\xf8\xb0\xa8\xe4\xcf\xaa"
+        , signature = "\x00\x88\xb1\x35\xfb\x17\x94\xb6\xb9\x6c\x4a\x3e\x67\x81\x97\xf8\xca\xc5\x2b\x64\xb2\xfe\x90\x7d\x6f\x27\xde\x76\x11\x24\x96\x4a\x99\xa0\x1a\x88\x27\x40\xec\xfa\xed\x6c\x01\xa4\x74\x64\xbb\x05\x18\x23\x13\xc0\x13\x38\xa8\xcd\x09\x72\x14\xcd\x68\xca\x10\x3b\xd5\x7d\x3b\xc9\xe8\x16\x21\x3e\x61\xd7\x84\xf1\x82\x46\x7a\xbf\x8a\x01\xcf\x25\x3e\x99\xa1\x56\xea\xa8\xe3\xe1\xf9\x0e\x3c\x6e\x4e\x3a\xa2\xd8\x3e\xd0\x34\x5b\x89\xfa\xfc\x9c\x26\x07\x7c\x14\xb6\xac\x51\x45\x4f\xa2\x6e\x44\x6e\x3a\x2f\x15\x3b\x2b\x16\x79\x7f"
+        }
+    -- Example 3.2
+    , VectorPSS
+        { message = "\x8b\x76\x95\x28\x88\x4a\x0d\x1f\xfd\x09\x0c\xf1\x02\x99\x3e\x79\x6d\xad\xcf\xbd\xdd\x38\xe4\x4f\xf6\x32\x4c\xa4\x51"
+        , salt = "\xfc\xf9\xf0\xe1\xf1\x99\xa3\xd1\xd0\xda\x68\x1c\x5b\x86\x06\xfc\x64\x29\x39\xf7"
+        , signature = "\x02\xa5\xf0\xa8\x58\xa0\x86\x4a\x4f\x65\x01\x7a\x7d\x69\x45\x4f\x3f\x97\x3a\x29\x99\x83\x9b\x7b\xbc\x48\xbf\x78\x64\x11\x69\x17\x95\x56\xf5\x95\xfa\x41\xf6\xff\x18\xe2\x86\xc2\x78\x30\x79\xbc\x09\x10\xee\x9c\xc3\x4f\x49\xba\x68\x11\x24\xf9\x23\xdf\xa8\x8f\x42\x61\x41\xa3\x68\xa5\xf5\xa9\x30\xc6\x28\xc2\xc3\xc2\x00\xe1\x8a\x76\x44\x72\x1a\x0c\xbe\xc6\xdd\x3f\x62\x79\xbd\xe3\xe8\xf2\xbe\x5e\x2d\x4e\xe5\x6f\x97\xe7\xce\xaf\x33\x05\x4b\xe7\x04\x2b\xd9\x1a\x63\xbb\x09\xf8\x97\xbd\x41\xe8\x11\x97\xde\xe9\x9b\x11\xaf"
+        }
+    -- Example 3.3
+    , VectorPSS
+        { message = "\x1a\xbd\xba\x48\x9c\x5a\xda\x2f\x99\x5e\xd1\x6f\x19\xd5\xa9\x4d\x9e\x6e\xc3\x4a\x8d\x84\xf8\x45\x57\xd2\x6e\x5e\xf9\xb0\x2b\x22\x88\x7e\x3f\x9a\x4b\x69\x0a\xd1\x14\x92\x09\xc2\x0c\x61\x43\x1f\x0c\x01\x7c\x36\xc2\x65\x7b\x35\xd7\xb0\x7d\x3f\x5a\xd8\x70\x85\x07\xa9\xc1\xb8\x31\xdf\x83\x5a\x56\xf8\x31\x07\x18\x14\xea\x5d\x3d\x8d\x8f\x6a\xde\x40\xcb\xa3\x8b\x42\xdb\x7a\x2d\x3d\x7a\x29\xc8\xf0\xa7\x9a\x78\x38\xcf\x58\xa9\x75\x7f\xa2\xfe\x4c\x40\xdf\x9b\xaa\x19\x3b\xfc\x6f\x92\xb1\x23\xad\x57\xb0\x7a\xce\x3e\x6a\xc0\x68\xc9\xf1\x06\xaf\xd9\xee\xb0\x3b\x4f\x37\xc2\x5d\xbf\xbc\xfb\x30\x71\xf6\xf9\x77\x17\x66\xd0\x72\xf3\xbb\x07\x0a\xf6\x60\x55\x32\x97\x3a\xe2\x50\x51"
+        , salt = "\x98\x6e\x7c\x43\xdb\xb6\x71\xbd\x41\xb9\xa7\xf4\xb6\xaf\xc8\x0e\x80\x5f\x24\x23"
+        , signature = "\x02\x44\xbc\xd1\xc8\xc1\x69\x55\x73\x6c\x80\x3b\xe4\x01\x27\x2e\x18\xcb\x99\x08\x11\xb1\x4f\x72\xdb\x96\x41\x24\xd5\xfa\x76\x06\x49\xcb\xb5\x7a\xfb\x87\x55\xdb\xb6\x2b\xf5\x1f\x46\x6c\xf2\x3a\x0a\x16\x07\x57\x6e\x98\x3d\x77\x8f\xce\xff\xa9\x2d\xf7\x54\x8a\xea\x8e\xa4\xec\xad\x2c\x29\xdd\x9f\x95\xbc\x07\xfe\x91\xec\xf8\xbe\xe2\x55\xbf\xe8\x76\x2f\xd7\x69\x0a\xa9\xbf\xa4\xfa\x08\x49\xef\x72\x8c\x2c\x42\xc4\x53\x23\x64\x52\x2d\xf2\xab\x7f\x9f\x8a\x03\xb6\x3f\x7a\x49\x91\x75\x82\x86\x68\xf5\xef\x5a\x29\xe3\x80\x2c"
+        }
+    -- Example 3.4
+    , VectorPSS
+        { message = "\x8f\xb4\x31\xf5\xee\x79\x2b\x6c\x2a\xc7\xdb\x53\xcc\x42\x86\x55\xae\xb3\x2d\x03\xf4\xe8\x89\xc5\xc2\x5d\xe6\x83\xc4\x61\xb5\x3a\xcf\x89\xf9\xf8\xd3\xaa\xbd\xf6\xb9\xf0\xc2\xa1\xde\x12\xe1\x5b\x49\xed\xb3\x91\x9a\x65\x2f\xe9\x49\x1c\x25\xa7\xfc\xe1\xf7\x22\xc2\x54\x36\x08\xb6\x9d\xc3\x75\xec"
+        , salt = "\xf8\x31\x2d\x9c\x8e\xea\x13\xec\x0a\x4c\x7b\x98\x12\x0c\x87\x50\x90\x87\xc4\x78"
+        , signature = "\x01\x96\xf1\x2a\x00\x5b\x98\x12\x9c\x8d\xf1\x3c\x4c\xb1\x6f\x8a\xa8\x87\xd3\xc4\x0d\x96\xdf\x3a\x88\xe7\x53\x2e\xf3\x9c\xd9\x92\xf2\x73\xab\xc3\x70\xbc\x1b\xe6\xf0\x97\xcf\xeb\xbf\x01\x18\xfd\x9e\xf4\xb9\x27\x15\x5f\x3d\xf2\x2b\x90\x4d\x90\x70\x2d\x1f\x7b\xa7\xa5\x2b\xed\x8b\x89\x42\xf4\x12\xcd\x7b\xd6\x76\xc9\xd1\x8e\x17\x03\x91\xdc\xd3\x45\xc0\x6a\x73\x09\x64\xb3\xf3\x0b\xcc\xe0\xbb\x20\xba\x10\x6f\x9a\xb0\xee\xb3\x9c\xf8\xa6\x60\x7f\x75\xc0\x34\x7f\x0a\xf7\x9f\x16\xaf\xa0\x81\xd2\xc9\x2d\x1e\xe6\xf8\x36\xb8"
+        }
+    -- Example 3.5
+    , VectorPSS
+        { message = "\xfe\xf4\x16\x1d\xfa\xaf\x9c\x52\x95\x05\x1d\xfc\x1f\xf3\x81\x0c\x8c\x9e\xc2\xe8\x66\xf7\x07\x54\x22\xc8\xec\x42\x16\xa9\xc4\xff\x49\x42\x7d\x48\x3c\xae\x10\xc8\x53\x4a\x41\xb2\xfd\x15\xfe\xe0\x69\x60\xec\x6f\xb3\xf7\xa7\xe9\x4a\x2f\x8a\x2e\x3e\x43\xdc\x4a\x40\x57\x6c\x30\x97\xac\x95\x3b\x1d\xe8\x6f\x0b\x4e\xd3\x6d\x64\x4f\x23\xae\x14\x42\x55\x29\x62\x24\x64\xca\x0c\xbf\x0b\x17\x41\x34\x72\x38\x15\x7f\xab\x59\xe4\xde\x55\x24\x09\x6d\x62\xba\xec\x63\xac\x64"
+        , salt = "\x50\x32\x7e\xfe\xc6\x29\x2f\x98\x01\x9f\xc6\x7a\x2a\x66\x38\x56\x3e\x9b\x6e\x2d"
+        , signature = "\x02\x1e\xca\x3a\xb4\x89\x22\x64\xec\x22\x41\x1a\x75\x2d\x92\x22\x10\x76\xd4\xe0\x1c\x0e\x6f\x0d\xde\x9a\xfd\x26\xba\x5a\xcf\x6d\x73\x9e\xf9\x87\x54\x5d\x16\x68\x3e\x56\x74\xc9\xe7\x0f\x1d\xe6\x49\xd7\xe6\x1d\x48\xd0\xca\xeb\x4f\xb4\xd8\xb2\x4f\xba\x84\xa6\xe3\x10\x8f\xee\x7d\x07\x05\x97\x32\x66\xac\x52\x4b\x4a\xd2\x80\xf7\xae\x17\xdc\x59\xd9\x6d\x33\x51\x58\x6b\x5a\x3b\xdb\x89\x5d\x1e\x1f\x78\x20\xac\x61\x35\xd8\x75\x34\x80\x99\x83\x82\xba\x32\xb7\x34\x95\x59\x60\x8c\x38\x74\x52\x90\xa8\x5e\xf4\xe9\xf9\xbd\x83"
+        }
+    -- Example 3.6
+    , VectorPSS
+        { message = "\xef\xd2\x37\xbb\x09\x8a\x44\x3a\xee\xb2\xbf\x6c\x3f\x8c\x81\xb8\xc0\x1b\x7f\xcb\x3f\xeb"
+        , salt = "\xb0\xde\x3f\xc2\x5b\x65\xf5\xaf\x96\xb1\xd5\xcc\x3b\x27\xd0\xc6\x05\x30\x87\xb3"
+        , signature = "\x01\x2f\xaf\xec\x86\x2f\x56\xe9\xe9\x2f\x60\xab\x0c\x77\x82\x4f\x42\x99\xa0\xca\x73\x4e\xd2\x6e\x06\x44\xd5\xd2\x22\xc7\xf0\xbd\xe0\x39\x64\xf8\xe7\x0a\x5c\xb6\x5e\xd4\x4e\x44\xd5\x6a\xe0\xed\xf1\xff\x86\xca\x03\x2c\xc5\xdd\x44\x04\xdb\xb7\x6a\xb8\x54\x58\x6c\x44\xee\xd8\x33\x6d\x08\xd4\x57\xce\x6c\x03\x69\x3b\x45\xc0\xf1\xef\xef\x93\x62\x4b\x95\xb8\xec\x16\x9c\x61\x6d\x20\xe5\x53\x8e\xbc\x0b\x67\x37\xa6\xf8\x2b\x4b\xc0\x57\x09\x24\xfc\x6b\x35\x75\x9a\x33\x48\x42\x62\x79\xf8\xb3\xd7\x74\x4e\x2d\x22\x24\x26\xce"
+        }
+    ]
 
-# Salt:
-ad 8b 15 23 70 36 46 22 4b 66 0b 55 08 85 91 7c 
-a2 d1 df 28 
+-- ==================================
+-- Example 8: A 1031-bit RSA Key Pair
+-- ==================================
 
-# Signature:
-6d 3b 5b 87 f6 7e a6 57 af 21 f7 54 41 97 7d 21 
-80 f9 1b 2c 5f 69 2d e8 29 55 69 6a 68 67 30 d9 
-b9 77 8d 97 07 58 cc b2 60 71 c2 20 9f fb d6 12 
-5b e2 e9 6e a8 1b 67 cb 9b 93 08 23 9f da 17 f7 
-b2 b6 4e cd a0 96 b6 b9 35 64 0a 5a 1c b4 2a 91 
-55 b1 c9 ef 7a 63 3a 02 c5 9f 0d 6e e5 9b 85 2c 
-43 b3 50 29 e7 3c 94 0f f0 41 0e 8f 11 4e ed 46 
-bb d0 fa e1 65 e4 2b e2 52 8a 40 1c 3b 28 fd 81 
-8e f3 23 2d ca 9f 4d 2a 0f 51 66 ec 59 c4 23 96 
-d6 c1 1d bc 12 15 a5 6f a1 71 69 db 95 75 34 3e 
-f3 4f 9d e3 2a 49 cd c3 17 49 22 f2 29 c2 3e 18 
-e4 5d f9 35 31 19 ec 43 19 ce dc e7 a1 7c 64 08 
-8c 1f 6f 52 be 29 63 41 00 b3 91 9d 38 f3 d1 ed 
-94 e6 89 1e 66 a7 3b 8f b8 49 f5 87 4d f5 94 59 
-e2 98 c7 bb ce 2e ee 78 2a 19 5a a6 6f e2 d0 73 
-2b 25 e5 95 f5 7d 3e 06 1b 1f c3 e4 06 3b f9 8f 
+rsaKey8 = PrivateKey
+    { private_pub = PublicKey
+        { public_n = 0x495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f
+        , public_e = 0x010001
+        , public_size = 129
+        }
+    , private_d = 0x6c66ffe98980c38fcdeab5159898836165f4b4b817c4f6a8d486ee4ea9130fe9b9092bd136d184f95f504a607eac565846d2fdd6597a8967c7396ef95a6eeebb4578a643966dca4d8ee3de842de63279c618159c1ab54a89437b6a6120e4930afb52a4ba6ced8a4947ac64b30a3497cbe701c2d6266d517219ad0ec6d347dbe9
+    , private_p = 0x08dad7f11363faa623d5d6d5e8a319328d82190d7127d2846c439b0ab72619b0a43a95320e4ec34fc3a9cea876422305bd76c5ba7be9e2f410c8060645a1d29edb
+    , private_q = 0x0847e732376fc7900f898ea82eb2b0fc418565fdae62f7d9ec4ce2217b97990dd272db157f99f63c0dcbb9fbacdbd4c4dadb6df67756358ca4174825b48f49706d
+    , private_dP = 0x05c2a83c124b3621a2aa57ea2c3efe035eff4560f33ddebb7adab81fce69a0c8c2edc16520dda83d59a23be867963ac65f2cc710bbcfb96ee103deb771d105fd85
+    , private_dQ = 0x04cae8aa0d9faa165c87b682ec140b8ed3b50b24594b7a3b2c220b3669bb819f984f55310a1ae7823651d4a02e99447972595139363434e5e30a7e7d241551e1b9
+    , private_qinv = 0x07d3e47bf686600b11ac283ce88dbb3f6051e8efd04680e44c171ef531b80b2b7c39fc766320e2cf15d8d99820e96ff30dc69691839c4b40d7b06e45307dc91f3f
+    }
 
--}
+vectorsKey8 =
+    [
+    -- Example 8.1
+      VectorPSS
+        { message = "\x81\x33\x2f\x4b\xe6\x29\x48\x41\x5e\xa1\xd8\x99\x79\x2e\xea\xcf\x6c\x6e\x1d\xb1\xda\x8b\xe1\x3b\x5c\xea\x41\xdb\x2f\xed\x46\x70\x92\xe1\xff\x39\x89\x14\xc7\x14\x25\x97\x75\xf5\x95\xf8\x54\x7f\x73\x56\x92\xa5\x75\xe6\x92\x3a\xf7\x8f\x22\xc6\x99\x7d\xdb\x90\xfb\x6f\x72\xd7\xbb\x0d\xd5\x74\x4a\x31\xde\xcd\x3d\xc3\x68\x58\x49\x83\x6e\xd3\x4a\xec\x59\x63\x04\xad\x11\x84\x3c\x4f\x88\x48\x9f\x20\x97\x35\xf5\xfb\x7f\xda\xf7\xce\xc8\xad\xdc\x58\x18\x16\x8f\x88\x0a\xcb\xf4\x90\xd5\x10\x05\xb7\xa8\xe8\x4e\x43\xe5\x42\x87\x97\x75\x71\xdd\x99\xee\xa4\xb1\x61\xeb\x2d\xf1\xf5\x10\x8f\x12\xa4\x14\x2a\x83\x32\x2e\xdb\x05\xa7\x54\x87\xa3\x43\x5c\x9a\x78\xce\x53\xed\x93\xbc\x55\x08\x57\xd7\xa9\xfb"
+        , salt = "\x1d\x65\x49\x1d\x79\xc8\x64\xb3\x73\x00\x9b\xe6\xf6\xf2\x46\x7b\xac\x4c\x78\xfa"
+        , signature = "\x02\x62\xac\x25\x4b\xfa\x77\xf3\xc1\xac\xa2\x2c\x51\x79\xf8\xf0\x40\x42\x2b\x3c\x5b\xaf\xd4\x0a\x8f\x21\xcf\x0f\xa5\xa6\x67\xcc\xd5\x99\x3d\x42\xdb\xaf\xb4\x09\xc5\x20\xe2\x5f\xce\x2b\x1e\xe1\xe7\x16\x57\x7f\x1e\xfa\x17\xf3\xda\x28\x05\x2f\x40\xf0\x41\x9b\x23\x10\x6d\x78\x45\xaa\xf0\x11\x25\xb6\x98\xe7\xa4\xdf\xe9\x2d\x39\x67\xbb\x00\xc4\xd0\xd3\x5b\xa3\x55\x2a\xb9\xa8\xb3\xee\xf0\x7c\x7f\xec\xdb\xc5\x42\x4a\xc4\xdb\x1e\x20\xcb\x37\xd0\xb2\x74\x47\x69\x94\x0e\xa9\x07\xe1\x7f\xbb\xca\x67\x3b\x20\x52\x23\x80\xc5"
+        }
+    -- Example 8.2
+    , VectorPSS
+        { message = "\xe2\xf9\x6e\xaf\x0e\x05\xe7\xba\x32\x6e\xcc\xa0\xba\x7f\xd2\xf7\xc0\x23\x56\xf3\xce\xde\x9d\x0f\xaa\xbf\x4f\xcc\x8e\x60\xa9\x73\xe5\x59\x5f\xd9\xea\x08"
+        , salt = "\x43\x5c\x09\x8a\xa9\x90\x9e\xb2\x37\x7f\x12\x48\xb0\x91\xb6\x89\x87\xff\x18\x38"
+        , signature = "\x27\x07\xb9\xad\x51\x15\xc5\x8c\x94\xe9\x32\xe8\xec\x0a\x28\x0f\x56\x33\x9e\x44\xa1\xb5\x8d\x4d\xdc\xff\x2f\x31\x2e\x5f\x34\xdc\xfe\x39\xe8\x9c\x6a\x94\xdc\xee\x86\xdb\xbd\xae\x5b\x79\xba\x4e\x08\x19\xa9\xe7\xbf\xd9\xd9\x82\xe7\xee\x6c\x86\xee\x68\x39\x6e\x8b\x3a\x14\xc9\xc8\xf3\x4b\x17\x8e\xb7\x41\xf9\xd3\xf1\x21\x10\x9b\xf5\xc8\x17\x2f\xad\xa2\xe7\x68\xf9\xea\x14\x33\x03\x2c\x00\x4a\x8a\xa0\x7e\xb9\x90\x00\x0a\x48\xdc\x94\xc8\xba\xc8\xaa\xbe\x2b\x09\xb1\xaa\x46\xc0\xa2\xaa\x0e\x12\xf6\x3f\xbb\xa7\x75\xba\x7e"
+        }
+    -- Example 8.3
+    , VectorPSS
+        { message = "\xe3\x5c\x6e\xd9\x8f\x64\xa6\xd5\xa6\x48\xfc\xab\x8a\xdb\x16\x33\x1d\xb3\x2e\x5d\x15\xc7\x4a\x40\xed\xf9\x4c\x3d\xc4\xa4\xde\x79\x2d\x19\x08\x89\xf2\x0f\x1e\x24\xed\x12\x05\x4a\x6b\x28\x79\x8f\xcb\x42\xd1\xc5\x48\x76\x9b\x73\x4c\x96\x37\x31\x42\x09\x2a\xed\x27\x76\x03\xf4\x73\x8d\xf4\xdc\x14\x46\x58\x6d\x0e\xc6\x4d\xa4\xfb\x60\x53\x6d\xb2\xae\x17\xfc\x7e\x3c\x04\xbb\xfb\xbb\xd9\x07\xbf\x11\x7c\x08\x63\x6f\xa1\x6f\x95\xf5\x1a\x62\x16\x93\x4d\x3e\x34\xf8\x50\x30\xf1\x7b\xbb\xc5\xba\x69\x14\x40\x58\xaf\xf0\x81\xe0\xb1\x9c\xf0\x3c\x17\x19\x5c\x5e\x88\x8b\xa5\x8f\x6f\xe0\xa0\x2e\x5c\x3b\xda\x97\x19\xa7"
+        , salt = "\xc6\xeb\xbe\x76\xdf\x0c\x4a\xea\x32\xc4\x74\x17\x5b\x2f\x13\x68\x62\xd0\x45\x29"
+        , signature = "\x2a\xd2\x05\x09\xd7\x8c\xf2\x6d\x1b\x6c\x40\x61\x46\x08\x6e\x4b\x0c\x91\xa9\x1c\x2b\xd1\x64\xc8\x7b\x96\x6b\x8f\xaa\x42\xaa\x0c\xa4\x46\x02\x23\x23\xba\x4b\x1a\x1b\x89\x70\x6d\x7f\x4c\x3b\xe5\x7d\x7b\x69\x70\x2d\x16\x8a\xb5\x95\x5e\xe2\x90\x35\x6b\x8c\x4a\x29\xed\x46\x7d\x54\x7e\xc2\x3c\xba\xdf\x28\x6c\xcb\x58\x63\xc6\x67\x9d\xa4\x67\xfc\x93\x24\xa1\x51\xc7\xec\x55\xaa\xc6\xdb\x40\x84\xf8\x27\x26\x82\x5c\xfe\x1a\xa4\x21\xbc\x64\x04\x9f\xb4\x2f\x23\x14\x8f\x9c\x25\xb2\xdc\x30\x04\x37\xc3\x8d\x42\x8a\xa7\x5f\x96"
+        }
+    -- Example 8.4
+    , VectorPSS
+        { message = "\xdb\xc5\xf7\x50\xa7\xa1\x4b\xe2\xb9\x3e\x83\x8d\x18\xd1\x4a\x86\x95\xe5\x2e\x8a\xdd\x9c\x0a\xc7\x33\xb8\xf5\x6d\x27\x47\xe5\x29\xa0\xcc\xa5\x32\xdd\x49\xb9\x02\xae\xfe\xd5\x14\x44\x7f\x9e\x81\xd1\x61\x95\xc2\x85\x38\x68\xcb\x9b\x30\xf7\xd0\xd4\x95\xc6\x9d\x01\xb5\xc5\xd5\x0b\x27\x04\x5d\xb3\x86\x6c\x23\x24\xa4\x4a\x11\x0b\x17\x17\x74\x6d\xe4\x57\xd1\xc8\xc4\x5c\x3c\xd2\xa9\x29\x70\xc3\xd5\x96\x32\x05\x5d\x4c\x98\xa4\x1d\x6e\x99\xe2\xa3\xdd\xd5\xf7\xf9\x97\x9a\xb3\xcd\x18\xf3\x75\x05\xd2\x51\x41\xde\x2a\x1b\xff\x17\xb3\xa7\xdc\xe9\x41\x9e\xcc\x38\x5c\xf1\x1d\x72\x84\x0f\x19\x95\x3f\xd0\x50\x92\x51\xf6\xca\xfd\xe2\x89\x3d\x0e\x75\xc7\x81\xba\x7a\x50\x12\xca\x40\x1a\x4f\xa9\x9e\x04\xb3\xc3\x24\x9f\x92\x6d\x5a\xfe\x82\xcc\x87\xda\xb2\x2c\x3c\x1b\x10\x5d\xe4\x8e\x34\xac\xe9\xc9\x12\x4e\x59\x59\x7a\xc7\xeb\xf8"
+        , salt = "\x02\x1f\xdc\xc6\xeb\xb5\xe1\x9b\x1c\xb1\x6e\x9c\x67\xf2\x76\x81\x65\x7f\xe2\x0a"
+        , signature = "\x1e\x24\xe6\xe5\x86\x28\xe5\x17\x50\x44\xa9\xeb\x6d\x83\x7d\x48\xaf\x12\x60\xb0\x52\x0e\x87\x32\x7d\xe7\x89\x7e\xe4\xd5\xb9\xf0\xdf\x0b\xe3\xe0\x9e\xd4\xde\xa8\xc1\x45\x4f\xf3\x42\x3b\xb0\x8e\x17\x93\x24\x5a\x9d\xf8\xbf\x6a\xb3\x96\x8c\x8e\xdd\xc3\xb5\x32\x85\x71\xc7\x7f\x09\x1c\xc5\x78\x57\x69\x12\xdf\xeb\xd1\x64\xb9\xde\x54\x54\xfe\x0b\xe1\xc1\xf6\x38\x5b\x32\x83\x60\xce\x67\xec\x7a\x05\xf6\xe3\x0e\xb4\x5c\x17\xc4\x8a\xc7\x00\x41\xd2\xca\xb6\x7f\x0a\x2a\xe7\xaa\xfd\xcc\x8d\x24\x5e\xa3\x44\x2a\x63\x00\xcc\xc7"
+        }
+    -- Example 8.5
+    , VectorPSS
+        { message = "\x04\xdc\x25\x1b\xe7\x2e\x88\xe5\x72\x34\x85\xb6\x38\x3a\x63\x7e\x2f\xef\xe0\x76\x60\xc5\x19\xa5\x60\xb8\xbc\x18\xbd\xed\xb8\x6e\xae\x23\x64\xea\x53\xba\x9d\xca\x6e\xb3\xd2\xe7\xd6\xb8\x06\xaf\x42\xb3\xe8\x7f\x29\x1b\x4a\x88\x81\xd5\xbf\x57\x2c\xc9\xa8\x5e\x19\xc8\x6a\xcb\x28\xf0\x98\xf9\xda\x03\x83\xc5\x66\xd3\xc0\xf5\x8c\xfd\x8f\x39\x5d\xcf\x60\x2e\x5c\xd4\x0e\x8c\x71\x83\xf7\x14\x99\x6e\x22\x97\xef"
+        , salt = "\xc5\x58\xd7\x16\x7c\xbb\x45\x08\xad\xa0\x42\x97\x1e\x71\xb1\x37\x7e\xea\x42\x69"
+        , signature = "\x33\x34\x1b\xa3\x57\x6a\x13\x0a\x50\xe2\xa5\xcf\x86\x79\x22\x43\x88\xd5\x69\x3f\x5a\xcc\xc2\x35\xac\x95\xad\xd6\x8e\x5e\xb1\xee\xc3\x16\x66\xd0\xca\x7a\x1c\xda\x6f\x70\xa1\xaa\x76\x2c\x05\x75\x2a\x51\x95\x0c\xdb\x8a\xf3\xc5\x37\x9f\x18\xcf\xe6\xb5\xbc\x55\xa4\x64\x82\x26\xa1\x5e\x91\x2e\xf1\x9a\xd7\x7a\xde\xea\x91\x1d\x67\xcf\xef\xd6\x9b\xa4\x3f\xa4\x11\x91\x35\xff\x64\x21\x17\xba\x98\x5a\x7e\x01\x00\x32\x5e\x95\x19\xf1\xca\x6a\x92\x16\xbd\xa0\x55\xb5\x78\x50\x15\x29\x11\x25\xe9\x0d\xcd\x07\xa2\xca\x96\x73\xee"
+        }
+    -- Example 8.6
+    , VectorPSS
+        { message = "\x0e\xa3\x7d\xf9\xa6\xfe\xa4\xa8\xb6\x10\x37\x3c\x24\xcf\x39\x0c\x20\xfa\x6e\x21\x35\xc4\x00\xc8\xa3\x4f\x5c\x18\x3a\x7e\x8e\xa4\xc9\xae\x09\x0e\xd3\x17\x59\xf4\x2d\xc7\x77\x19\xcc\xa4\x00\xec\xdc\xc5\x17\xac\xfc\x7a\xc6\x90\x26\x75\xb2\xef\x30\xc5\x09\x66\x5f\x33\x21\x48\x2f\xc6\x9a\x9f\xb5\x70\xd1\x5e\x01\xc8\x45\xd0\xd8\xe5\x0d\x2a\x24\xcb\xf1\xcf\x0e\x71\x49\x75\xa5\xdb\x7b\x18\xd9\xe9\xe9\xcb\x91\xb5\xcb\x16\x86\x90\x60\xed\x18\xb7\xb5\x62\x45\x50\x3f\x0c\xaf\x90\x35\x2b\x8d\xe8\x1c\xb5\xa1\xd9\xc6\x33\x60\x92\xf0\xcd"
+        , salt = "\x76\xfd\x4e\x64\xfd\xc9\x8e\xb9\x27\xa0\x40\x3e\x35\xa0\x84\xe7\x6b\xa9\xf9\x2a"
+        , signature = "\x1e\xd1\xd8\x48\xfb\x1e\xdb\x44\x12\x9b\xd9\xb3\x54\x79\x5a\xf9\x7a\x06\x9a\x7a\x00\xd0\x15\x10\x48\x59\x3e\x0c\x72\xc3\x51\x7f\xf9\xff\x2a\x41\xd0\xcb\x5a\x0a\xc8\x60\xd7\x36\xa1\x99\x70\x4f\x7c\xb6\xa5\x39\x86\xa8\x8b\xbd\x8a\xbc\xc0\x07\x6a\x2c\xe8\x47\x88\x00\x31\x52\x5d\x44\x9d\xa2\xac\x78\x35\x63\x74\xc5\x36\xe3\x43\xfa\xa7\xcb\xa4\x2a\x5a\xaa\x65\x06\x08\x77\x91\xc0\x6a\x8e\x98\x93\x35\xae\xd1\x9b\xfa\xb2\xd5\xe6\x7e\x27\xfb\x0c\x28\x75\xaf\x89\x6c\x21\xb6\xe8\xe7\x30\x9d\x04\xe4\xf6\x72\x7e\x69\x46\x3e"
+        }
+    ]
 
 doSignTest key (i, vector) = testCase (show i) (Right (signature vector) @=? actual)
     where actual = PSS.signWithSalt (salt vector) Nothing PSS.defaultPSSParamsSHA1 key (message vector)
@@ -470,4 +339,10 @@
         [ doVerifyTest rsaKeyInt (katZero, vectorInt) ]
     , testGroup "signature key 1024" $ map (doSignTest rsaKey1) (zip [katZero..] vectorsKey1)
     , testGroup "verify key 1024" $ map (doVerifyTest rsaKey1) (zip [katZero..] vectorsKey1)
+    , testGroup "signature key 1025" $ map (doSignTest rsaKey2) (zip [katZero..] vectorsKey2)
+    , testGroup "verify key 1025" $ map (doVerifyTest rsaKey2) (zip [katZero..] vectorsKey2)
+    , testGroup "signature key 1026" $ map (doSignTest rsaKey3) (zip [katZero..] vectorsKey3)
+    , testGroup "verify key 1026" $ map (doVerifyTest rsaKey3) (zip [katZero..] vectorsKey3)
+    , testGroup "signature key 1031" $ map (doSignTest rsaKey8) (zip [katZero..] vectorsKey8)
+    , testGroup "verify key 1031" $ map (doVerifyTest rsaKey8) (zip [katZero..] vectorsKey8)
     ]
diff --git a/tests/KAT_PubKey/RSA.hs b/tests/KAT_PubKey/RSA.hs
new file mode 100644
--- /dev/null
+++ b/tests/KAT_PubKey/RSA.hs
@@ -0,0 +1,102 @@
+{-# LANGUAGE OverloadedStrings #-}
+module KAT_PubKey.RSA (rsaTests) where
+
+import qualified Crypto.PubKey.RSA        as RSA
+import qualified Crypto.PubKey.RSA.PKCS15 as RSA
+import           Crypto.Hash
+
+import           Imports
+
+import           Data.Either (isRight)
+
+data VectorRSA = VectorRSA
+    { size :: Int
+    , msg  :: ByteString
+    , n    :: Integer
+    , e    :: Integer
+    , d    :: Integer
+    , p    :: Integer
+    , q    :: Integer
+    , dP   :: Integer
+    , dQ   :: Integer
+    , qinv :: Integer
+    , sig  :: Either RSA.Error ByteString
+    }
+
+vectorsSHA1 =
+    [ VectorRSA
+        { size = 2048 `div` 8
+        , msg  = "The quick brown fox jumps over the lazy dog"
+        , n    = 0x00c896c245fcca81775346c5f4f958229cab1aee08196dab4ee5959018b856aab93e4486f37a32da1a6804403c88473ecf9f1b9266fc682400d45329b6ec195710c98d9ba728bc09d767e7e9d9b8b102c3b7e7529b87f649a2a5ebe165da21863ec7842de600a834a8be2227bc989145b52f84ba685d45484a3d530745598a5d8a9e7551b3278bf139a770929f776aed5d43559205fe937df93eeb8ff3fb3f2ce22d4b8a5c17aeafd19758ac5e6251df09ef6a2858e8558a7f476dde4efe859ff2fcb97767614563033fd1d2d300196b1abf256f7badb16c17def3804946d1bf9cd51760176b41bbd506b44ff2bfe5bcd5052180da3cfbbc6cd6f662c06a8baed9
+        , e    = 0x10001
+        , d    = 0x58aa533bae8f310536d95cdd796e5cf655a7f4b9bdcbbd62859743f7b95c0de10e462a44ebaa18c07d640ba4f6344fee648d427ca56bbf2662b45407187be70173a655bc6104257182eb7f720ef2a79f2de6619c804ffca299a7179df6fac4a57179daf4052c550295f0f111ab7ae38e406ff219f9c88b38cdbcaac51bdc4e961361b87e100d168fc08b298626a806b3bfeaa9579f400bbe6e3e6e4ae9b27446e1c5ce8c10c848b9ad7b6ed3a6b3871ad6a1a88af24e581da054845c197e8bae1582858410087c1180c4f0cc61689abfd0f61b8031910f3b3779e11a7fbe823d9a704c63c313f78c994975de834ee9ead5faf6c18b3e4248c51ba307776bf845
+        , p    = 0x00f85bfcfe55af59445f21f67ab1d8617d1f84360556eeb660d5c466f29e4d2228f9cc3fde4c594ea97069a19c666b68b6d905b65738ae63de6c11f9181ee9262313e5165591651bb3abec192abbc8c3694550bcffa451a2e2d1976bf3ecbc4480354f8d8646133298156aaa626b8807c5295850f93686400835466b6a5ccec61b
+        , q    = 0x00cec28b22b1d37c6c60d25e9747cb1bebd1270f0306db56ed8533f392d6a0cfe6b3dde13789758cf89febac214ba96667e46599f89ca210dced550ca6092a854ff95dff80ea48ff1a83455f4bb93f2ececa782da03b85a789239e8be5264130628724ceab57c8f76e4c7e822bf4fbf334c7d32610bec65047433e0e3b636afe1b
+        , dP   = 0x52fe0a50c339514f33ab19be6e67ac4c2f97f2a55e236ef674f8a89e329ffbe64d731f749d76ca7e7c7e0fef3f9a6ce78d260784a600408736fdda8b60e8f0419088612a3ee7d695f7c171b78200d8abf8e9bdfe7f5e785beb45fa610c9eed151abb76c383ef2e5cfbeb24fcb68a426e741e7b108c53d859e5d39e5970a1f839
+        , dQ   = 0x39ef91853b47038a6ae707d2642fa9b73e782f60adbf307085eeb4c5e496532b56234a4481a40ac870275da846c74506bf9d28b3dd501c618baf5548013185018fe2a301c0a48bb726297e367dc6129ba7685d8094ad32f0dea64295074f24fbb6dabd7e8daea686a5b09d512be89d91a09cae01eb332eb389480e3cddf2d119
+        , qinv = 0x09ce1fa29008ef4b9798e5b8ec213dbdfec4fab4403ebf4b8786ad401ef33bc880c40a990b0826f72415192a206a504b27d2ba45ca555706200ea8e7a9b42d4077e9e6e0d80d4144966c53a36d23d30d987322dcc0013efe8df3b6b5914a2ceefc22cc5de6d569731794e9894f18f11d36a79558dc4c3ae5db1ce9bd05e7bf2e
+        , sig  = Right "\x56\x66\x99\x0f\xd4\xea\x2b\xe0\x6d\x46\x3b\x10\x99\x5b\x06\x32\x5e\xec\x29\xfe\xa4\x63\x4d\x54\xf6\x31\x74\x5d\x01\x5a\x67\x09\x2e\xa7\x02\x8a\x48\x00\x3c\x0d\xef\x04\xe7\x52\x46\xe0\xfa\xb1\x42\x26\x89\xe7\xec\x25\x44\x76\xa0\x86\x33\xb0\xbe\x22\x17\x88\x9b\x18\x4d\x3e\xc2\x9b\xd4\x61\x2b\x9e\xde\x08\x56\xf8\xd5\xee\xb8\x38\xf4\x3d\xda\x9a\xbb\x34\x58\x87\x71\x1d\x1a\x7e\xc7\x3d\x46\x39\x01\x79\x29\x8b\xa4\xcd\xce\xd7\xab\xcb\x2e\x94\x5c\xfd\x54\xcc\xef\x80\x31\xfc\x5e\x8f\xc2\x4d\x76\x1e\x4c\xbc\x50\x7a\x9b\x08\xae\x85\xeb\x6a\xe0\x80\xdc\xff\x60\x13\xb0\x31\x94\x14\x9d\x8f\x9f\x48\x38\xcf\x4c\x82\x9d\x3b\x68\xc6\xe4\xe9\x5d\x94\x74\xa2\xac\x1f\xb9\x84\x41\x86\x11\xeb\x2c\x50\x64\xd7\x00\xe0\x85\x21\x5a\xd7\xae\x9b\x4c\x8e\x6a\x92\x97\xac\xcc\xb8\x38\x4f\x41\xb9\x3d\xa9\xfe\x69\x8b\x04\x81\xad\xfb\x0f\x49\x74\xfe\x26\x9c\x86\x0c\xf3\xd1\x8e\xa1\xb5\xaf\xef\x85\x3d\xfe\xd0\x7c\xcf\x18\xe4\x0f\x14\x99\xea\x93\x61\x79\x16\xbf\x38\xac\xa2\xa2\xac\xac\x2d\xae\x21\x85\x71\x94\xda\x5d\xa1\x82\xa8\x76\x82\xe5\x2f"
+        }
+    , VectorRSA
+        { size = 360 `div` 8
+        , msg  = "The quick brown fox jumps over the lazy dog"
+        , n    = 0x00bc2d7481c83c8be55da4caeaf1a30dbf9a1226ba7443c0a66213180d3eb8e29c3162401b7be067dff8f571a8eb
+        , e    = 0x10001
+        , d    = 0x726fb62d82c707507a2d5055a6934136270d28ce350c3a36d89066e26fb54f5b33da0bc9a05c2084f2b39be4e1
+        , p    = 0x0e3ff89e1f95a461c9f5ee480fd7b13529a225f3ee07fb
+        , q    = 0x0d349ebc89329b493c03451ad20155de9775df55c55fd1
+        , dP   = 0x00943adef9fb93a561967bab33f198c2c7414e777df997
+        , dQ   = 0x078de99ceb5392f7f327dfb97717a27ae2e4606dddaa71
+        , qinv = 0x0c54d59eaa029844fb3fe33a180161590b1cb103cc668e
+        , sig  = Left RSA.SignatureTooLong
+        }
+    , VectorRSA
+        { size = 368 `div` 8
+        , msg  = "The quick brown fox jumps over the lazy dog"
+        , n    = 0x009cff2fd20246e390d6860b48a3926e83086d1386f7147e9f195623cf8f18546ceb20d428b77e0748864c8f611cb7
+        , e    = 0x10001
+        , d    = 0x0097706cbf6624dd448c3a36ce35c27d49762a4948ca33804178d2ff826f8d336aaed622801c8d76d442be371da841
+        , p    = 0x00d12519f81441069ab1a86c38e0065e9578a46e655d5a17
+        , q    = 0x00c02b485ac3ee241d57b6b282f830d7d5bf6f4de75c1661
+        , dP   = 0x00a1af4611444f34f4d88d7504cf23fd711e70382c42ec07
+        , dQ   = 0x04226a4219a90bf9dda33e9ff6bb0649c0fea20c723cc1
+        , qinv = 0x5dd87bf3c1e295dcc8602859a7cd74f05a2fe91a9d5877
+        , sig  = Right "\x51\xe4\xdd\x98\xee\xd5\x06\xef\x7a\xa5\x3c\xaf\x29\x33\xa4\x91\xfa\x8b\xb8\x09\xcf\x3e\xa1\x64\x92\x71\xad\x7b\x3a\x83\xb2\xa0\x77\x94\x4e\x59\xdf\x69\x58\x2e\xc8\x8d\xa0\x70\xfe\x7d"
+        }
+    ]
+
+vectorToPrivate :: VectorRSA -> RSA.PrivateKey
+vectorToPrivate vector = RSA.PrivateKey
+    { RSA.private_pub  = vectorToPublic vector
+    , RSA.private_d    = d vector
+    , RSA.private_p    = p vector
+    , RSA.private_q    = q vector
+    , RSA.private_dP   = dP vector
+    , RSA.private_dQ   = dQ vector
+    , RSA.private_qinv = qinv vector
+    }
+
+vectorToPublic :: VectorRSA -> RSA.PublicKey
+vectorToPublic vector = RSA.PublicKey
+    { RSA.public_size = size vector
+    , RSA.public_n    = n vector
+    , RSA.public_e    = e vector
+    }
+
+vectorHasSignature :: VectorRSA -> Bool
+vectorHasSignature = isRight . sig
+
+doSignatureTest (i, vector) = testCase (show i) (expected @=? actual)
+    where expected = sig vector
+          actual   = RSA.sign Nothing (Just SHA1) (vectorToPrivate vector) (msg vector)
+
+doVerifyTest (i, vector) = testCase (show i) (True @=? actual)
+    where actual = RSA.verify (Just SHA1) (vectorToPublic vector) (msg vector) bs
+          Right bs = sig vector
+
+rsaTests = testGroup "RSA"
+    [ testGroup "SHA1"
+        [ testGroup "signature" $ map doSignatureTest (zip [katZero..] vectorsSHA1)
+        , testGroup "verify" $ map doVerifyTest $ filter (vectorHasSignature . snd) (zip [katZero..] vectorsSHA1)
+        ]
+    ]
diff --git a/tests/KAT_PubKey/Rabin.hs b/tests/KAT_PubKey/Rabin.hs
new file mode 100644
--- /dev/null
+++ b/tests/KAT_PubKey/Rabin.hs
@@ -0,0 +1,145 @@
+{-# LANGUAGE OverloadedStrings #-}
+module KAT_PubKey.Rabin (rabinTests) where
+
+import qualified Data.ByteString as B
+
+import           Crypto.Hash
+import           Crypto.Number.Serialize (os2ip)
+import qualified Crypto.PubKey.Rabin.Basic as BRabin
+import qualified Crypto.PubKey.Rabin.Modified as MRabin
+import qualified Crypto.PubKey.Rabin.OAEP as OAEP
+import qualified Crypto.PubKey.Rabin.RW as RW
+
+import           Imports
+
+basicRabinKey = BRabin.PrivateKey
+    { BRabin.private_pub = BRabin.PublicKey
+        { BRabin.public_n = 0xc9c4b0df9db989d93df4137fc2de2a9cee2610523f7a450ecbbf252babe98fba2f8e389c3e420c081e18f584c5746ca43f77f6af1fc79161f8bf8fbcb9564779986ecbe656dd16740cb8e399c33ff1dcc679e73c9c98a58c65a8673b7de57290a2d3191cb27e29d627f7ec6e874b1406051ffe9181e4d90d1b487b100ad30685 
+        , BRabin.public_size = 128
+        }
+    , BRabin.private_p = 0xe071f231ab5912285a1f8db199795f5efdea4c32f646a3436eaec091ba853a3092216f26b539bbac1fe2ab2e4fbb20aad272a434a1e909bf6d3028aecae2a7b7
+    , BRabin.private_q = 0xe6229470dc7da58bfcd962f1b3ddcf52304efbfb91d31c8ed84dbae2380c1ad2e338a523b4250863a689b3f262f949bd7a9f1a603c36634bb932dd71bf5daba3
+    , BRabin.private_a = 0x65956653f711a63b776ce45862d4cd78f1ad7b1f8ed118bb8b5ea5fffd59762da5dc7c5298e236a8e45d5c93477cbc51f214b1cd1a4980eda859c1cb05e55666
+    , BRabin.private_b = -0x63126dd9c5d6b5215f62012885570e1306b6a47ec1c46553f3b13ceae869149d14544438dbb976800cd62fbb52266f9a6405bc91f192a462c974bc8a6f832e03
+    }
+
+modifiedRabinKey = MRabin.PrivateKey
+    { MRabin.private_pub = MRabin.PublicKey
+        { MRabin.public_n = 0x9461a6e7c55cb610f20fd9af5d642404a63332a8d7c4fe7aa559cbcaec691e7216eed5d9322cb6a8619c220a0241b44e0d0a7cefda01fb84e59722b4e842ab5e190d214424bbdfed6d523426fc57a28045dfbb6e8159123077c542c0278ee2daf2d8993e286bf709a10a948da6b13008441581a22233f0ad3d5ebc5858ff7be5 
+        , MRabin.public_size = 128
+        }
+    , MRabin.private_p = 0xc401e0ddbe565a8797292389bebb561c35eb019116ba25cc6c865a8d3d7bc599626ddf0bc4f575c22f89144fe99fc3300dd497ec2b7acc0221e729a61756b3f3
+    , MRabin.private_q = 0xc1cc0e35f23f5086691a18c755881e3fe6937581948b109f47605b45d055e7b352e19ff729dfb33fbecb1d28b115e590449e5e4e228ab1876d889d3d41d87ec7 
+    , MRabin.private_d = 0x128c34dcf8ab96c21e41fb35ebac848094c666551af89fcf54ab39795d8d23ce42dddabb264596d50c33844140483689c1a14f9dfb403f709cb2e4569d08556b9267e6460e84c69beda1defabd0285c4852c288b7ac27b78987bd19da337a6b1c7b123476732d9c0f656cc62a17f70e8fe34516cfa85ce6475bddeae9ffa0926
+    }
+
+rwKey = RW.PrivateKey
+    { RW.private_pub = RW.PublicKey
+        { RW.public_n = 0x992db4c84564c68d4ee2fe0903d938b41e83bcac48dfe8f2219ccee2ccbdefda4cbeea9f1c98a515c5f39a458f5ea11bca97102aaa3d9ac69e000093024e7b968359287cdf57bdacff5df1893df3539c7e358f037d49b5c6ae7110ab8117220c73b6265987039c2c97078fccacdd3f5a560aff5076fdc3958c532db28ab9a855 
+        , RW.public_size = 128
+        }
+    , RW.private_p = 0xc144dd739c45397d61868ca944a9729a7ad34cf90466c8f5c98a88f5ab5e3288bcfd31d4af1d441d23a756a60abd4cf05c3e0b0053eb150166a327ae31e9347b
+    , RW.private_q = 0xcae5a381f25a27ae2c359068753118fc384471cd6027e88b8b910306fb940781261089259a3c569546677aebd268704c767a071dbd4f50cb9f15fe448788856f
+    , RW.private_d = 0x1325b69908ac98d1a9dc5fc1207b271683d07795891bfd1e443399dc5997bdfb4997dd53e39314a2b8be7348b1ebd4237952e2055547b358d3c000126049cf729ee5d4f0ea170b902e343a8ef0831900b963ba07a3176088ab2ab095db449d0052150d6be7b5402f459f17c759f6f043b06a5da64cb86bb910d340f7fa28fdce
+    }
+
+data EncryptionVector = EncryptionVector
+    { seed :: ByteString
+    , plainText :: ByteString
+    , cipherText :: ByteString
+    }
+
+data SignatureVector = SignatureVector 
+    { message :: ByteString
+    , padding :: ByteString
+    , signature :: Integer
+    }
+
+basicRabinEncryptionVectors =
+    [ EncryptionVector
+        { plainText = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"
+        , seed = "\x0c\xc7\x42\xce\x4a\x9b\x7f\x32\xf9\x51\xbc\xb2\x51\xef\xd9\x25\xfe\x4f\xe3\x5f"
+        , cipherText = "\xaf\xc7\x03\xe3\x9d\x2f\x81\xc6\x3a\x80\x2a\xd1\x44\x26\x3f\x17\x0c\x0a\xe6\x48\x68\x98\x23\x14\x8f\x95\xd2\xce\xbb\xe7\x3f\x49\x34\x76\x1d\x99\x30\x7b\xeb\x84\xe5\x2a\x10\xd2\x1e\x11\x7e\x65\xe8\x88\x24\xc1\x12\xeb\x19\x0d\x97\xcd\x12\x25\x6b\x1f\x9b\x0c\x40\x40\xa3\x47\x00\xb7\x11\xf8\x50\x08\x51\x79\xe8\x1b\xd1\x77\xe0\x99\xa7\xe1\x5c\x63\xda\x29\xc7\xde\x28\x5d\x60\xed\x8e\xb2\x12\xd4\xfe\xb8\x1a\x5d\x17\x65\x80\x62\x6e\x65\x5c\x37\x07\x1c\xfa\xff\xe6\x21\xa5\x9f\xcd\x6a\x6a\xce\xa6\x96\xb2\xc5\x08\xe6"
+        }   
+    ]
+
+basicRabinSignatureVectors =
+    [ SignatureVector
+        { message = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"
+        , padding = "\xe9\x87\x17\x15\xa2\xe4\x30\x15"
+        , signature = 0xac95807bdd03ca975690151d39d23d75e5db2731c4ba30b83c3f3ea74709e4d4e340d7dab952356a76c9b8705b214e28d59f5bdc7c7fdff4e104569e30359b5c65c2dcd5b94db58505cd8b188267121700beebd7edbee492e374514646471b5c3fa252a2580dc7343f455683815d6d7c590dd3bcaa7df41d8b08197ccb183408
+        }   
+    ]
+
+modifiedRabinSignatureVectors =
+    [ SignatureVector
+        { message = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"
+        , padding = B.empty -- not used
+        , signature = 0x278c7c269119218ab7f501ea53a97ab15a3a5a263c6daed8980abec78291e9729e0e3457731cdea8ec31a7566e93d10fc9b2615fe3e54f4533a5506ac24a3bd286e270324e538066f0ddf503f9b5e0c18e18379659834906ebd99c0d31588c66e70fc653bc8865b9239999cbd35704917d8647d1199286c533233e3e03582dd
+        }   
+    ]
+    
+rwEncryptionVectors =
+    [ EncryptionVector
+        { plainText = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"
+        , seed = "\x0c\xc7\x42\xce\x4a\x9b\x7f\x32\xf9\x51\xbc\xb2\x51\xef\xd9\x25\xfe\x4f\xe3\x5f"
+        , cipherText = "\x40\xc2\xe3\x36\xac\x46\x72\x8a\xaf\x33\x75\xe1\x27\xd0\x38\x40\xe2\x24\x4e\x20\xa7\x5d\x85\xd3\x74\x81\x21\xfd\xc9\x40\x90\x80\x8c\xed\x2d\xd3\x5b\xc4\xb7\xc9\x7c\x80\xa5\x2f\x63\x86\x34\x4e\x8c\x92\x07\x86\x9e\xda\xfd\xf8\x11\x83\x8a\x5a\x23\xc1\xe6\x77\x37\x5d\xf9\x5c\x60\xd1\x6d\xfd\x0c\x54\xd1\x00\xe9\xab\x97\x6d\x8e\x83\x8b\x6e\x1a\x38\x73\x43\xe2\x24\xc2\xe2\x4e\x74\x3f\xe4\x4d\xdd\x27\xed\xc7\x72\x88\xd3\x0f\x93\xb3\xdb\xa2\xb7\xaf\x6d\xe9\xab\x76\x53\x63\xf9\x62\xd7\x52\x44\x61\x60\x5d\x2e\x9b\xf7"
+        }   
+    ]
+
+rwSignatureVectors =
+    [ SignatureVector
+        { message = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"
+        , padding = B.empty -- not used
+        , signature = 0x1e57b554a8e83aacd9d4067f9535991e7db47803250cded5cc8af5458a6bb11fea852139e0afe143f9339dd94a518e354e702134d1ae222460127829d92e8bf6441336f5ae7044ec7b6c3ad8b9aeeb1ea02a49798e020cb5b558120bbb51f060eb1608ba68f90cac7edb1051c177d3bdbb99d1ad92e8d75d6f72f1d06f1d25be
+        }   
+    ]
+
+doBasicRabinEncryptTest key (i, vector) = testCase (show i) (Right (cipherText vector) @=? actual)
+    where actual = BRabin.encryptWithSeed (seed vector) (OAEP.defaultOAEPParams SHA1) key (plainText vector)
+
+doBasicRabinDecryptTest key (i, vector) = testCase (show i) (Just (plainText vector) @=? actual)
+    where actual = BRabin.decrypt (OAEP.defaultOAEPParams SHA1) key (cipherText vector)
+
+doBasicRabinSignTest key (i, vector) = testCase (show i) (Right (BRabin.Signature ((os2ip $ padding vector), (signature vector))) @=? actual)
+    where actual = BRabin.signWith (padding vector) key SHA1 (message vector)
+
+doBasicRabinVerifyTest key (i, vector) = testCase (show i) (True @=? actual)
+    where actual = BRabin.verify key SHA1 (message vector) (BRabin.Signature ((os2ip $ padding vector), (signature vector)))
+
+doModifiedRabinSignTest key (i, vector) = testCase (show i) (Right (signature vector) @=? actual)
+    where actual = MRabin.sign key SHA1 (message vector)
+
+doModifiedRabinVerifyTest key (i, vector) = testCase (show i) (True @=? actual)
+    where actual = MRabin.verify key SHA1 (message vector) (signature vector)
+
+doRwEncryptTest key (i, vector) = testCase (show i) (Right (cipherText vector) @=? actual)
+    where actual = RW.encryptWithSeed (seed vector) (OAEP.defaultOAEPParams SHA1) key (plainText vector) 
+
+doRwDecryptTest key (i, vector) = testCase (show i) (Just (plainText vector) @=? actual)
+    where actual = RW.decrypt (OAEP.defaultOAEPParams SHA1) key (cipherText vector)
+
+doRwSignTest key (i, vector) = testCase (show i) (Right (signature vector) @=? actual)
+    where actual = RW.sign key SHA1 (message vector)
+
+doRwVerifyTest key (i, vector) = testCase (show i) (True @=? actual)
+    where actual = RW.verify key SHA1 (message vector) (signature vector)
+
+rabinTests = testGroup "Rabin"
+    [ testGroup "Basic"
+        [ testGroup "encrypt" $ map (doBasicRabinEncryptTest $ BRabin.private_pub basicRabinKey) (zip [katZero..] basicRabinEncryptionVectors)
+        , testGroup "decrypt" $ map (doBasicRabinDecryptTest $ basicRabinKey) (zip [katZero..] basicRabinEncryptionVectors)
+        , testGroup "sign" $ map (doBasicRabinSignTest $ basicRabinKey) (zip [katZero..] basicRabinSignatureVectors)
+        , testGroup "verify" $ map (doBasicRabinVerifyTest $ BRabin.private_pub basicRabinKey) (zip [katZero..] basicRabinSignatureVectors)
+        ]
+    , testGroup "Modified"
+        [ testGroup "sign" $ map (doModifiedRabinSignTest $ modifiedRabinKey) (zip [katZero..] modifiedRabinSignatureVectors)
+        , testGroup "verify" $ map (doModifiedRabinVerifyTest $ MRabin.private_pub modifiedRabinKey) (zip [katZero..] modifiedRabinSignatureVectors)
+        ]
+    , testGroup "RW"
+        [ testGroup "encrypt" $ map (doRwEncryptTest $ RW.private_pub rwKey) (zip [katZero..] rwEncryptionVectors)
+        , testGroup "decrypt" $ map (doRwDecryptTest $ rwKey) (zip [katZero..] rwEncryptionVectors)
+        , testGroup "sign" $ map (doRwSignTest $ rwKey) (zip [katZero..] rwSignatureVectors)
+        , testGroup "verify" $ map (doRwVerifyTest $ RW.private_pub rwKey) (zip [katZero..] rwSignatureVectors)
+        ]
+    ]
diff --git a/tests/Number.hs b/tests/Number.hs
--- a/tests/Number.hs
+++ b/tests/Number.hs
@@ -4,9 +4,11 @@
 import Imports
 
 import Data.ByteArray (Bytes)
+import qualified Data.ByteArray as B
 import Crypto.Number.Basic
 import Crypto.Number.Generate
-import Crypto.Number.Serialize
+import qualified Crypto.Number.Serialize    as BE
+import qualified Crypto.Number.Serialize.LE as LE
 import Crypto.Number.Prime
 import Data.Bits
 
@@ -50,11 +52,24 @@
             bits = 6 + baseBits
             prime = withTestDRG testDRG $ generateSafePrime bits
          in bits == numBits prime
-    , testProperty "marshalling" $ \qaInt ->
-        getQAInteger qaInt == os2ip (i2osp (getQAInteger qaInt) :: Bytes)
+    , testProperty "as-power-of-2-and-odd" $ \n ->
+        let (e, a1) = asPowerOf2AndOdd n
+         in n == (2^e)*a1
+    , testProperty "marshalling-be" $ \qaInt ->
+        getQAInteger qaInt == BE.os2ip (BE.i2osp (getQAInteger qaInt) :: Bytes)
+    , testProperty "marshalling-le" $ \qaInt ->
+        getQAInteger qaInt == LE.os2ip (LE.i2osp (getQAInteger qaInt) :: Bytes)
+    , testProperty "be-rev-le" $ \qaInt ->
+        getQAInteger qaInt == LE.os2ip (B.reverse (BE.i2osp (getQAInteger qaInt) :: Bytes))
+    , testProperty "be-rev-le-40" $ \qaInt ->
+        getQAInteger qaInt == LE.os2ip (B.reverse (BE.i2ospOf_ 40 (getQAInteger qaInt) :: Bytes))
+    , testProperty "le-rev-be" $ \qaInt ->
+        getQAInteger qaInt == BE.os2ip (B.reverse (LE.i2osp (getQAInteger qaInt) :: Bytes))
+    , testProperty "le-rev-be-40" $ \qaInt ->
+        getQAInteger qaInt == BE.os2ip (B.reverse (LE.i2ospOf_ 40 (getQAInteger qaInt) :: Bytes))
     , testGroup "marshalling-kat-to-bytearray" $ map toSerializationKat $ zip [katZero..] serializationVectors
     , testGroup "marshalling-kat-to-integer" $ map toSerializationKatInteger $ zip [katZero..] serializationVectors
     ]
   where
-    toSerializationKat (i, (sz, n, ba)) = testCase (show i) (ba @=? i2ospOf_ sz n)
-    toSerializationKatInteger (i, (_, n, ba)) = testCase (show i) (n @=? os2ip ba)
+    toSerializationKat (i, (sz, n, ba)) = testCase (show i) (ba @=? BE.i2ospOf_ sz n)
+    toSerializationKatInteger (i, (_, n, ba)) = testCase (show i) (n @=? BE.os2ip ba)
diff --git a/tests/Padding.hs b/tests/Padding.hs
--- a/tests/Padding.hs
+++ b/tests/Padding.hs
@@ -3,7 +3,6 @@
 
 import qualified Data.ByteString as B
 import Imports
-import Crypto.Error
 
 import Crypto.Data.Padding
 
diff --git a/tests/StressHash.hs b/tests/StressHash.hs
deleted file mode 100644
--- a/tests/StressHash.hs
+++ /dev/null
@@ -1,61 +0,0 @@
-{-# LANGUAGE TypeApplications #-}
-{-# LANGUAGE ScopedTypeVariables #-}
-{-# LANGUAGE BangPatterns #-}
-module Main where
-
-import Data.Proxy
-import Control.Concurrent
-import Control.Concurrent.Chan
-import Control.Monad
-import GHC.Conc
-import System.Environment
-import Data.Monoid
-
-import qualified Crypto.Hash as H
-import qualified Data.ByteString as B
-
-doHashRandom :: forall h . H.HashAlgorithm h
-             => Proxy h         -- hash algorithm
-             -> Chan (Int, Int) -- channel to report
-             -> Int             -- thread id
-             -> IO ()
-doHashRandom _ chan !tid = loop 0
-  where
-    loop !i = do
-        when (tid > 5) $ threadDelay 1200
-        when ((i `mod` 1000) == 0) $ writeChan chan (tid, i)
-
-        let lengthLimit n | n < 0     = 0
-                          | n > 257   = n `mod` 257
-                          | otherwise = n
-
-        let i' = i `mod` (tid * 1500)
-            (nbChunks,multi) = case i `mod` 4 of
-                        0 -> (1, False)
-                        1 -> (2, False)
-                        2 -> (1, True)
-                        3 -> (3, False)
-
-        let dat = take nbChunks $ [B.replicate (lengthLimit i') 1, B.replicate (lengthLimit (i' + 10)) 2, B.replicate (lengthLimit (i' + 20)) 3]
-
-        let h   = H.hashInit @ h
-            h2  = H.hashUpdates h dat
-            !digest = H.hashFinalize h2
-            !digest2 = if multi then H.hash digest else digest
-        digest2 `seq` loop (i+1)
-
-main = do
-    args <- getArgs
-    let caps = numCapabilities
-    putStrLn (show caps <> " capabilities")
-
-    let n = 10
-
-    let proxy = Proxy @ H.Blake2b_256
-
-    s <- newChan
-    mapM_ (forkIO . doHashRandom proxy s) (take n [1..])
-
-    forever $ do
-        (tid, progress) <- readChan s
-        putStrLn ("thread " <> show tid <> " at " <> show progress)
diff --git a/tests/Tests.hs b/tests/Tests.hs
--- a/tests/Tests.hs
+++ b/tests/Tests.hs
@@ -6,6 +6,7 @@
 import qualified Number
 import qualified Number.F2m
 import qualified BCrypt
+import qualified BCryptPBKDF
 import qualified ECC
 import qualified ECC.Edwards25519
 import qualified Hash
@@ -17,6 +18,7 @@
 import qualified KAT_MiyaguchiPreneel
 import qualified KAT_CMAC
 import qualified KAT_HMAC
+import qualified KAT_KMAC
 import qualified KAT_HKDF
 import qualified KAT_Argon2
 import qualified KAT_PBKDF2
@@ -52,6 +54,7 @@
         [ Poly1305.tests
         , KAT_CMAC.tests
         , KAT_HMAC.tests
+        , KAT_KMAC.tests
         ]
     , KAT_Curve25519.tests
     , KAT_Curve448.tests
@@ -63,6 +66,7 @@
         [ KAT_PBKDF2.tests
         , KAT_Scrypt.tests
         , BCrypt.tests
+        , BCryptPBKDF.tests
         , KAT_HKDF.tests
         , KAT_Argon2.tests
         ]
diff --git a/tests/Utils.hs b/tests/Utils.hs
--- a/tests/Utils.hs
+++ b/tests/Utils.hs
@@ -2,7 +2,6 @@
 module Utils where
 
 import Control.Applicative
-import Control.Monad (replicateM)
 import Data.Char
 import Data.Word
 import Data.List
@@ -28,13 +27,13 @@
     deriving (Show,Eq)
 
 instance Arbitrary ChunkingLen where
-    arbitrary = ChunkingLen `fmap` replicateM 16 (choose (0,14))
+    arbitrary = ChunkingLen `fmap` vectorOf 16 (choose (0,14))
 
 newtype ChunkingLen0_127 = ChunkingLen0_127 [Int]
     deriving (Show,Eq)
 
 instance Arbitrary ChunkingLen0_127 where
-    arbitrary = ChunkingLen0_127 `fmap` replicateM 16 (choose (0,127))
+    arbitrary = ChunkingLen0_127 `fmap` vectorOf 16 (choose (0,127))
 
 
 newtype ArbitraryBS0_2901 = ArbitraryBS0_2901 ByteString
@@ -63,7 +62,7 @@
     arbitrary = oneof
         [ QAInteger . fromIntegral <$> (choose (0, 65536) :: Gen Int)  -- small integer
         , larger <$> choose (0,4096) <*> choose (0, 65536) -- medium integer
-        , QAInteger . os2ip . B.pack <$> (choose (0,32) >>= \n -> replicateM n arbitrary) -- [ 0 .. 2^32 ] sized integer
+        , QAInteger . os2ip <$> arbitraryBSof 0 32 -- [ 0 .. 2^32 ] sized integer
         ]
       where
         larger :: Int -> Int -> QAInteger
@@ -73,10 +72,10 @@
         somePrime = 18446744073709551557
 
 arbitraryBS :: Int -> Gen ByteString
-arbitraryBS n = B.pack `fmap` replicateM n arbitrary
+arbitraryBS = fmap B.pack . vector
 
 arbitraryBSof :: Int -> Int -> Gen ByteString
-arbitraryBSof minSize maxSize = choose (minSize, maxSize) >>= \n -> (B.pack `fmap` replicateM n arbitrary)
+arbitraryBSof minSize maxSize = choose (minSize, maxSize) >>= arbitraryBS
 
 chunkS :: ChunkingLen -> ByteString -> [ByteString]
 chunkS (ChunkingLen originalChunks) = loop originalChunks
