Update documentation

Fix .Net 2002 compile
This testing occurs on Windows XP. We are still rockin it
2019-08-31 07:46:19 -04:00 · 2019-08-27 14:44:27 -04:00 · 2019-08-27 10:28:13 -04:00 · 2019-08-27 07:52:33 -04:00 · 2019-08-27 07:08:07 -04:00 · 2019-08-27 06:44:02 -04:00
177 changed files with 15792 additions and 5692 deletions
--- a/2
+++ b/2
@ -41,7 +41,7 @@ PROJECT_NAME           = Crypto++
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
-PROJECT_NUMBER         = 8.1
+PROJECT_NUMBER         = 8.3
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
--- a/Filelist.txt
+++ b/Filelist.txt
@ -66,6 +66,16 @@ channels.h
 cmac.cpp
 cmac.h
 config.h
 config_align.h
 config_asm.h
 config_cpu.h
 config_cxx.h
 config_dll.h
 config_int.h
 config_misc.h
 config_ns.h
 config_os.h
 config_ver.h
 cpu.cpp
 cpu.h
 crc.cpp
@ -269,6 +279,7 @@ rdrand.s
 rdrand.asm
 rdrand.cpp
 rdrand.h
 rdseed.asm
 rdtables.cpp
 regtest1.cpp
 regtest2.cpp
@ -304,6 +315,12 @@ serpentp.h
 sha.cpp
 sha_simd.cpp
 sha.h
 sha1_armv4.h
 sha1_armv4.S
 sha256_armv4.h
 sha256_armv4.S
 sha512_armv4.h
 sha512_armv4.S
 sha3.cpp
 sha3.h
 shacal2.cpp
@ -421,6 +438,8 @@ TestData/dlie2048.dat
 TestData/dsa1024.dat
 TestData/dsa1024b.dat
 TestData/dsa512.dat
 TestData/ecies_p160.dat
 TestData/ecies_t163.dat
 TestData/ed25519.dat
 TestData/ed25519_ver.dat
 TestData/ed25519v0.dat
@ -542,6 +561,7 @@ TestVectors/shacal2.txt
 TestVectors/simeck.txt
 TestVectors/simon.txt
 TestVectors/siphash.txt
 TestVectors/skipjack.txt
 TestVectors/sm3.txt
 TestVectors/sm4.txt
 TestVectors/sosemanuk.txt
@ -561,9 +581,10 @@ TestPrograms/test_arm_asimd.cxx
 TestPrograms/test_arm_crc.cxx
 TestPrograms/test_arm_neon.cxx
 TestPrograms/test_arm_pmull.cxx
-TestPrograms/test_arm_sha.cxx
+TestPrograms/test_arm_sha1.cxx
-TestPrograms/test_arm_sha3.cxx
+TestPrograms/test_arm_sha256.cxx
 TestPrograms/test_arm_sha512.cxx
 TestPrograms/test_arm_sha3.cxx
 TestPrograms/test_arm_sm3.cxx
 TestPrograms/test_arm_sm4.cxx
 TestPrograms/test_cxx.cxx
@ -583,6 +604,8 @@ TestPrograms/test_x86_avx2.cxx
 TestPrograms/test_x86_avx512.cxx
 TestPrograms/test_x86_clmul.cxx
 TestPrograms/test_x86_cpuid.cxx
 TestPrograms/test_x86_rdrand.cxx
 TestPrograms/test_x86_rdseed.cxx
 TestPrograms/test_x86_sha.cxx
 TestPrograms/test_x86_sse2.cxx
 TestPrograms/test_x86_sse3.cxx
--- a/213
+++ b/213
@ -10,12 +10,16 @@ SHELL = /bin/sh
 # If needed
 TMPDIR ?= /tmp
 # Used for ARMv7 and NEON.
 FP_ABI ?= hard
 # Used for feature tests
 TOUT ?= a.out
 TOUT := $(strip $(TOUT))
 # Allow override for the cryptest.exe recipe. Change to
 # ./libcryptopp.so or ./libcryptopp.dylib to suit your
 # taste. https://github.com/weidai11/cryptopp/issues/866
 LINK_LIBRARY ?= libcryptopp.a
 LINK_LIBRARY_PATH ?= ./
 # Command and arguments
 AR ?= ar
 ARFLAGS ?= -cr # ar needs the dash on OpenBSD
@ -25,6 +29,7 @@ CP ?= cp
 MV ?= mv
 RM ?= rm -f
 GREP ?= grep
 SED ?= sed
 CHMOD ?= chmod
 MKDIR ?= mkdir -p
@ -35,11 +40,17 @@ LDCONF ?= /sbin/ldconfig -n
 ifneq ($(wildcard /usr/xpg4/bin/grep),)
  GREP := /usr/xpg4/bin/grep
 endif
 ifneq ($(wildcard /usr/xpg4/bin/sed),)
  SED := /usr/xpg4/bin/sed
 endif
-# Attempt to determine target machine, fallback to "this" machine.
+# Yet another Clang hack. I think the LLVM devs are making the shit up
-#   The target machine is the one the package runs on. Most people
+# as they go. Also see https://github.com/weidai11/cryptopp/issues/831.
-#   call this the "target", but not Autotools.
+MACHINEX := $(shell $(CXX) $(CXXFLAGS) -dumpmachine 2>/dev/null)
-HOSTX := $(shell $(CXX) $(CXXFLAGS) -dumpmachine 2>/dev/null | cut -f 1 -d '-')
+ifeq ($(MACHINEX),armv8l-unknown-linux-gnueabihf)
  MACHINEX := armv7l-unknown-linux-gnueabihf
 endif
 HOSTX := $(shell echo $(MACHINEX) | cut -f 1 -d '-')
 ifeq ($(HOSTX),)
  HOSTX := $(shell uname -m 2>/dev/null)
 endif
@ -53,8 +64,6 @@ IS_SPARC64 := $(shell echo "$(HOSTX)" | $(GREP) -i -c -E 'sun|sparc64')
 IS_ARM32 := $(shell echo "$(HOSTX)" | $(GREP) -i -c -E 'arm|armhf|arm7l|eabihf')
 IS_ARMV8 := $(shell echo "$(HOSTX)" | $(GREP) -i -c -E 'aarch32|aarch64|arm64|armv8')
 IS_NEON := $(shell $(CXX) $(CXXFLAGS) -dumpmachine 2>/dev/null | $(GREP) -i -c -E 'armv7|armhf|arm7l|eabihf|armv8|aarch32|aarch64')
 # Attempt to determine platform
 SYSTEMX := $(shell $(CXX) $(CXXFLAGS) -dumpmachine 2>/dev/null)
 ifeq ($(SYSTEMX),)
@ -116,9 +125,10 @@ else ifeq ($(findstring distclean,$(MAKECMDGOALS)),trim)
  DETECT_FEATURES := 0
 endif
-# Strip out -Wall, -Wextra and friends for feature testing
+# Strip out -Wall, -Wextra and friends for feature testing. FORTIFY_SOURCE is removed
 # because it requires -O1 or higher, but we use -O0 to tame the optimizer.
 ifeq ($(DETECT_FEATURES),1)
-  TCXXFLAGS := $(filter-out -Wall -Wextra -Werror% -Wunused -Wconversion -Wp%, $(CXXFLAGS))
+  TCXXFLAGS := $(filter-out -D_FORTIFY_SOURCE=% -Wall -Wextra -Werror% -Wunused -Wconversion -Wp%, $(CXXFLAGS))
  ifneq ($(strip $(TCXXFLAGS)),)
    $(info Using testing flags: $(TCXXFLAGS))
  endif
@ -161,6 +171,11 @@ else
  ZOPT = -O0
 endif
 # Fix CXX on Cygwin 1.1.4
 ifeq ($(CXX),gcc)
 CXX := g++
 endif
 # On ARM we may compile aes_armv4.S though the CC compiler
 ifeq ($(GCC_COMPILER),1)
  CC=gcc
@ -187,19 +202,11 @@ ifeq ($(INCLUDEDIR),)
 INCLUDEDIR := $(PREFIX)/include
 endif
 # Fix CXX on Cygwin 1.1.4
 ifeq ($(CXX),gcc)
 CXX := g++
 endif
 # We honor ARFLAGS, but the "v" option used by default causes a noisy make
 ifeq ($(ARFLAGS),rv)
 ARFLAGS = r
 endif
 # Clang integrated assembler will be used with -Wa,-q
 CLANG_INTEGRATED_ASSEMBLER ?= 0
 # Original MinGW targets Win2k by default, but lacks proper Win2k support
 # if target Windows version is not specified, use Windows XP instead
 ifeq ($(IS_MINGW),1)
@ -273,9 +280,7 @@ ifeq ($(DETECT_FEATURES),1)
    KECCAK_FLAG = $(SSSE3_FLAG)
    LEA_FLAG = $(SSSE3_FLAG)
    SIMECK_FLAG = $(SSSE3_FLAG)
    SIMON64_FLAG = $(SSSE3_FLAG)
    SIMON128_FLAG = $(SSSE3_FLAG)
    SPECK64_FLAG = $(SSSE3_FLAG)
    SPECK128_FLAG = $(SSSE3_FLAG)
    SUN_LDFLAGS += $(SSSE3_FLAG)
  else
@ -439,37 +444,37 @@ endif
 #####            ARM A-32, Aach64 and NEON            #####
 ###########################################################
-ifneq ($(IS_ARM32)$(IS_ARMV8)$(IS_NEON),000)
+ifneq ($(IS_ARM32)$(IS_ARMV8),00)
 ifeq ($(DETECT_FEATURES),1)
-ifeq ($(IS_ARM32)$(IS_NEON),11)
+ifneq ($(IS_ARM32),0)
  TPROG = TestPrograms/test_arm_neon.cxx
-  TOPT = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+  TOPT = -march=armv7-a -mfpu=neon
  HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
  ifeq ($(strip $(HAVE_OPT)),0)
-    NEON_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    NEON_FLAG = -march=armv7-a -mfpu=neon
-    ARIA_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    ARIA_FLAG = -march=armv7-a -mfpu=neon
-    AES_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    AES_FLAG = -march=armv7-a -mfpu=neon
-    CRC_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    CRC_FLAG = -march=armv7-a -mfpu=neon
-    GCM_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    GCM_FLAG = -march=armv7-a -mfpu=neon
-    BLAKE2B_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    BLAKE2B_FLAG = -march=armv7-a -mfpu=neon
-    BLAKE2S_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    BLAKE2S_FLAG = -march=armv7-a -mfpu=neon
-    CHACHA_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    CHACHA_FLAG = -march=armv7-a -mfpu=neon
-    CHAM_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    CHAM_FLAG = -march=armv7-a -mfpu=neon
-    LEA_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    LEA_FLAG = -march=armv7-a -mfpu=neon
-    SHA_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SHA_FLAG = -march=armv7-a -mfpu=neon
-    SIMECK_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SIMECK_FLAG = -march=armv7-a -mfpu=neon
-    SIMON64_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SIMON64_FLAG = -march=armv7-a -mfpu=neon
-    SIMON128_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SIMON128_FLAG = -march=armv7-a -mfpu=neon
-    SPECK64_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SPECK64_FLAG = -march=armv7-a -mfpu=neon
-    SPECK128_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SPECK128_FLAG = -march=armv7-a -mfpu=neon
-    SM4_FLAG = -march=armv7-a -mfloat-abi=$(FP_ABI) -mfpu=neon
+    SM4_FLAG = -march=armv7-a -mfpu=neon
  else
    CXXFLAGS += -DCRYPTOPP_DISABLE_ASM
  endif
-# IS_NEON
+# IS_ARM32
 endif
 ifeq ($(IS_ARMV8),1)
@ -485,7 +490,7 @@ ifeq ($(IS_ARMV8),1)
  TPROG = TestPrograms/test_arm_asimd.cxx
  TOPT = -march=armv8-a
-  HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+  HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
  ifeq ($(strip $(HAVE_OPT)),0)
    ASIMD_FLAG = -march=armv8-a
    ARIA_FLAG = -march=armv8-a
@ -508,7 +513,7 @@ ifeq ($(IS_ARMV8),1)
  ifneq ($(ASIMD_FLAG),)
    TPROG = TestPrograms/test_arm_crc.cxx
    TOPT = -march=armv8-a+crc
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      CRC_FLAG = -march=armv8-a+crc
    else
@ -517,7 +522,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_aes.cxx
    TOPT = -march=armv8-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      AES_FLAG = -march=armv8-a+crypto
    else
@ -526,7 +531,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_pmull.cxx
    TOPT = -march=armv8-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      GCM_FLAG = -march=armv8-a+crypto
      GF2N_FLAG = -march=armv8-a+crypto
@ -534,9 +539,9 @@ ifeq ($(IS_ARMV8),1)
      CXXFLAGS += -DCRYPTOPP_ARM_PMULL_AVAILABLE=0
    endif
-    TPROG = TestPrograms/test_arm_sha.cxx
+    TPROG = TestPrograms/test_arm_sha1.cxx
    TOPT = -march=armv8-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      SHA_FLAG = -march=armv8-a+crypto
    else
@ -545,7 +550,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_sm3.cxx
    TOPT = -march=armv8.4-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      SM3_FLAG = -march=armv8.4-a+crypto
      SM4_FLAG = -march=armv8.4-a+crypto
@ -553,7 +558,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_sha3.cxx
    TOPT = -march=armv8.4-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      SHA3_FLAG = -march=armv8.4-a+crypto
    endif
@ -567,7 +572,7 @@ endif
 # DETECT_FEATURES
 endif
-# IS_ARM32, IS_ARMV8, IS_NEON
+# IS_ARM32, IS_ARMV8
 endif
 ###########################################################
@ -622,13 +627,21 @@ ifeq ($(DETECT_FEATURES),1)
  TOPT = $(POWER8_FLAG)
  HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
  ifeq ($(strip $(HAVE_OPT)),0)
    AES_FLAG = $(POWER8_FLAG)
    ARIA_FLAG = $(POWER8_FLAG)
    BLAKE2B_FLAG = $(POWER8_FLAG)
    BLAKE2S_FLAG = $(POWER8_FLAG)
    CHACHA_FLAG = $(POWER8_FLAG)
    CHAM_FLAG = $(POWER8_FLAG)
    CRC_FLAG = $(POWER8_FLAG)
    GCM_FLAG = $(POWER8_FLAG)
    GF2N_FLAG = $(POWER8_FLAG)
-    AES_FLAG = $(POWER8_FLAG)
+    LEA_FLAG = $(POWER8_FLAG)
    SHA_FLAG = $(POWER8_FLAG)
    SHACAL2_FLAG = $(POWER8_FLAG)
    SIMECK_FLAG = $(POWER8_FLAG)
    SIMON64_FLAG = $(POWER8_FLAG)
    SPECK64_FLAG = $(POWER8_FLAG)
    SIMON128_FLAG = $(POWER8_FLAG)
    SPECK128_FLAG = $(POWER8_FLAG)
  else
@ -641,16 +654,7 @@ ifeq ($(DETECT_FEATURES),1)
  TPROG = TestPrograms/test_ppc_power7.cxx
  TOPT = $(POWER7_FLAG)
  HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
-  ifeq ($(strip $(HAVE_OPT)),0)
+  ifneq ($(strip $(HAVE_OPT)),0)
    ARIA_FLAG = $(POWER7_FLAG)
    BLAKE2S_FLAG = $(POWER7_FLAG)
    CHACHA_FLAG = $(POWER7_FLAG)
    CHAM_FLAG = $(POWER7_FLAG)
    LEA_FLAG = $(POWER7_FLAG)
    SIMECK_FLAG = $(POWER7_FLAG)
    SIMON64_FLAG = $(POWER7_FLAG)
    SPECK64_FLAG = $(POWER7_FLAG)
  else
    POWER7_FLAG =
  endif
@ -693,18 +697,12 @@ ifeq ($(DETECT_FEATURES),1)
  #####################################################################
  # Fixups for algorithms that can drop to a lower ISA, if needed
-  # Drop to Power7 if Power8 is not available.
+  # Drop to Power4 if Power8 not available
  ifeq ($(POWER8_FLAG),)
    ifneq ($(POWER7_FLAG),)
      GCM_FLAG = $(POWER7_FLAG)
    endif
  endif
  # Drop to Power4 if Power7 not available
  ifeq ($(POWER7_FLAG),)
    ifneq ($(ALTIVEC_FLAG),)
      BLAKE2S_FLAG = $(ALTIVEC_FLAG)
      CHACHA_FLAG = $(ALTIVEC_FLAG)
      GCM_FLAG = $(ALTIVEC_FLAG)
      SIMON64_FLAG = $(ALTIVEC_FLAG)
      SPECK64_FLAG = $(ALTIVEC_FLAG)
    endif
@ -869,6 +867,15 @@ ifeq ($(findstring native,$(MAKECMDGOALS)),native)
    NATIVE_OPT = -march=native
  endif # NATIVE_OPT
  # And tune
  ifeq ($(NATIVE_OPT),)
    TOPT = -mtune=native
    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      NATIVE_OPT = -mtune=native
    endif # NATIVE_OPT
  endif
  # Try SunCC next
  ifeq ($(NATIVE_OPT),)
    TOPT = -native
@ -956,9 +963,9 @@ ifneq ($(filter valgrind,$(MAKECMDGOALS)),)
  CXXFLAGS := $(CXXFLAGS:-g%=-g3)
  CXXFLAGS := $(CXXFLAGS:-O%=-O1)
  CXXFLAGS := $(CXXFLAGS:-xO%=-xO1)
-  ifeq ($(findstring -DCRYPTOPP_VALGRIND,$(CXXFLAGS)),)
+  ifeq ($(findstring -DCRYPTOPP_COVERAGE,$(CXXFLAGS)),)
-    CXXFLAGS += -DCRYPTOPP_VALGRIND
+    CXXFLAGS += -DCRYPTOPP_COVERAGE
-  endif # -DCRYPTOPP_VALGRIND
+  endif # -DCRYPTOPP_COVERAGE
 endif # Valgrind
 # Debug testing on GNU systems. Triggered by -DDEBUG.
@ -1004,7 +1011,7 @@ ifeq ($(findstring lean,$(MAKECMDGOALS)),lean)
 endif # Dead code stripping
 # For Shared Objects, Diff, Dist/Zip rules
-LIB_VER := $(shell $(GREP) "define CRYPTOPP_VERSION" config.h | cut -d" " -f 3)
+LIB_VER := $(shell $(GREP) "define CRYPTOPP_VERSION" config_ver.h | cut -d" " -f 3)
 LIB_MAJOR := $(shell echo $(LIB_VER) | cut -c 1)
 LIB_MINOR := $(shell echo $(LIB_VER) | cut -c 2)
 LIB_PATCH := $(shell echo $(LIB_VER) | cut -c 3)
@ -1061,12 +1068,18 @@ ifneq ($(IS_MINGW),0)
 INCL += resource.h
 endif
-# Cryptogams AES for ARMv4 and above. We couple to ARMv7.
+# Cryptogams source files. We couple to ARMv7.
-# Avoid iOS. It cannot consume the assembly.
+# Limit to Linux. The source files target the GNU assembler.
-ifeq ($(IS_ARM32),1)
+# Also see https://www.cryptopp.com/wiki/Cryptogams.
-  CRYPTOGAMS_AES_FLAG = -march=armv7-a
+ifeq ($(IS_ARM32)$(IS_LINUX),11)
-  CRYPTOGAMS_AES_FLAG += -Wa,--noexecstack
+  ifeq ($(CLANG_COMPILER),1)
-  SRCS += aes_armv4.S
+    CRYPTOGAMS_ARMV7_FLAG = -march=armv7-a -Wa,--noexecstack
    CRYPTOGAMS_ARMV7_THUMB_FLAG = -march=armv7-a -mthumb -Wa,--noexecstack
  else
    CRYPTOGAMS_ARMV7_FLAG = -march=armv7-a -Wa,--noexecstack
    CRYPTOGAMS_ARMV7_THUMB_FLAG = -march=armv7-a -Wa,--noexecstack
  endif
  SRCS += aes_armv4.S sha1_armv4.S sha256_armv4.S sha512_armv4.S
 endif
 # List cryptlib.cpp first, then cpu.cpp, then integer.cpp to tame C++ static initialization problems.
@ -1281,10 +1294,14 @@ remove uninstall:
 	-$(RM) -r $(DESTDIR)$(INCLUDEDIR)/cryptopp
 	-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.a
 	-$(RM) $(DESTDIR)$(BINDIR)/cryptest.exe
-	@-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.dylib
+ifneq ($(wildcard $(DESTDIR)$(LIBDIR)/libcryptopp.dylib),)
 	-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.dylib
 endif
 ifneq ($(wildcard $(DESTDIR)$(LIBDIR)/libcryptopp.so),)
 	-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.so
 endif
 	@-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.so$(SOLIB_VERSION_SUFFIX)
 	@-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.so$(SOLIB_COMPAT_SUFFIX)
 	@-$(RM) $(DESTDIR)$(LIBDIR)/libcryptopp.so
 	@-$(RM) $(DESTDIR)$(LIBDIR)/pkgconfig/libcryptopp.pc
 	@-$(RM) -r $(DESTDIR)$(DATADIR)/cryptopp
@ -1313,8 +1330,8 @@ endif
 libcryptopp.dylib: $(LIBOBJS)
 	$(CXX) -dynamiclib -o $@ $(strip $(CXXFLAGS)) -install_name "$@" -current_version "$(LIB_MAJOR).$(LIB_MINOR).$(LIB_PATCH)" -compatibility_version "$(LIB_MAJOR).$(LIB_MINOR)" -headerpad_max_install_names $(LDFLAGS) $(LIBOBJS)
-cryptest.exe:libcryptopp.a $(TESTOBJS)
+cryptest.exe: $(LINK_LIBRARY) $(TESTOBJS)
-	$(CXX) -o $@ $(strip $(CXXFLAGS)) $(TESTOBJS) ./libcryptopp.a $(LDFLAGS) $(LDLIBS)
+	$(CXX) -o $@ $(strip $(CXXFLAGS)) $(TESTOBJS) $(LINK_LIBRARY_PATH)$(LINK_LIBRARY) $(LDFLAGS) $(LDLIBS)
 # Makes it faster to test changes
 nolib: $(OBJS)
@ -1349,7 +1366,7 @@ libcryptopp.pc:
 	@echo '' >> libcryptopp.pc
 	@echo 'Name: Crypto++' >> libcryptopp.pc
 	@echo 'Description: Crypto++ cryptographic library' >> libcryptopp.pc
-	@echo 'Version: 8.1' >> libcryptopp.pc
+	@echo 'Version: 8.3' >> libcryptopp.pc
 	@echo 'URL: https://cryptopp.com/' >> libcryptopp.pc
 	@echo '' >> libcryptopp.pc
 	@echo 'Cflags: -I$${includedir}' >> libcryptopp.pc
@ -1366,14 +1383,14 @@ endif
 .PHONY: trim
 trim:
 ifneq ($(IS_DARWIN),0)
-	sed -i '' -e's/[[:space:]]*$$//' *.supp *.txt *.sh .*.yml *.h *.cpp *.asm *.s *.S
+	$(SED) -i '' -e's/[[:space:]]*$$//' *.supp *.txt *.sh .*.yml *.h *.cpp *.asm *.s *.S
-	sed -i '' -e's/[[:space:]]*$$//' *.sln *.vcxproj *.filters GNUmakefile GNUmakefile-cross
+	$(SED) -i '' -e's/[[:space:]]*$$//' *.sln *.vcxproj *.filters GNUmakefile GNUmakefile-cross
-	sed -i '' -e's/[[:space:]]*$$//' TestData/*.dat TestVectors/*.txt TestPrograms/*.cxx TestScripts/*.*
+	$(SED) -i '' -e's/[[:space:]]*$$//' TestData/*.dat TestVectors/*.txt TestPrograms/*.cxx TestScripts/*.*
 	make convert
 else
-	sed -i -e's/[[:space:]]*$$//' *.supp *.txt *.sh .*.yml *.h *.cpp *.asm *.s *.S
+	$(SED) -i -e's/[[:space:]]*$$//' *.supp *.txt *.sh .*.yml *.h *.cpp *.asm *.s *.S
-	sed -i -e's/[[:space:]]*$$//' *.sln *.vcxproj *.filters GNUmakefile GNUmakefile-cross
+	$(SED) -i -e's/[[:space:]]*$$//' *.sln *.vcxproj *.filters GNUmakefile GNUmakefile-cross
-	sed -i -e's/[[:space:]]*$$//' TestData/*.dat TestVectors/*.txt TestPrograms/*.cxx TestScripts/*.*
+	$(SED) -i -e's/[[:space:]]*$$//' TestData/*.dat TestVectors/*.txt TestPrograms/*.cxx TestScripts/*.*
 	make convert
 endif
@ -1428,9 +1445,9 @@ ifeq ($(wildcard GNUmakefile.deps),GNUmakefile.deps)
 -include GNUmakefile.deps
 endif # Dependencies
-# Cryptogams ARM asm implementation.
+# Cryptogams ARM asm implementation. AES needs -mthumb for Clang
 aes_armv4.o : aes_armv4.S
-	$(CC) $(strip $(CXXFLAGS) $(CRYPTOGAMS_AES_FLAG) -mfloat-abi=$(FP_ABI) -c) $<
+	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_THUMB_FLAG) -c) $<
 # SSSE3 or NEON available
 aria_simd.o : aria_simd.cpp
@ -1512,6 +1529,18 @@ rijndael_simd.o : rijndael_simd.cpp
 sha_simd.o : sha_simd.cpp
 	$(CXX) $(strip $(CXXFLAGS) $(SHA_FLAG) -c) $<
 # Cryptogams SHA1 asm implementation.
 sha1_armv4.o : sha1_armv4.S
 	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_FLAG) -c) $<
 # Cryptogams SHA256 asm implementation.
 sha256_armv4.o : sha256_armv4.S
 	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_FLAG) -c) $<
 # Cryptogams SHA512 asm implementation.
 sha512_armv4.o : sha512_armv4.S
 	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_FLAG) -c) $<
 sha3_simd.o : sha3_simd.cpp
 	$(CXX) $(strip $(CXXFLAGS) $(SHA3_FLAG) -c) $<
--- a/119
+++ b/119
@ -11,6 +11,12 @@ FP_ABI ?= hard
 TOUT ?= a.out
 TOUT := $(strip $(TOUT))
 # Allow override for the cryptest.exe recipe. Change to
 # ./libcryptopp.so or ./libcryptopp.dylib to suit your
 # taste. https://github.com/weidai11/cryptopp/issues/866
 LINK_LIBRARY ?= ./libcryptopp.a
 LINK_LIBRARY_PATH ?= ./
 # Default CXXFLAGS if none were provided
 CXXFLAGS ?= -DNDEBUG -g2 -O3 -fPIC -pipe
@ -21,7 +27,8 @@ CP ?= cp
 MV ?= mv
 CHMOD ?= chmod
 MKDIR ?= mkdir -p
-EGREP ?= egrep
+GREP ?= grep
 SED ?= sed
 LN ?= ln -sf
 LDCONF ?= /sbin/ldconfig -n
@ -31,6 +38,19 @@ IS_ANDROID ?= 0
 IS_ARM_EMBEDDED ?= 0
 IS_NEON ?= 0
 # Yet another Clang hack. I think the LLVM devs are making the shit up
 # as they go. Also see https://github.com/weidai11/cryptopp/issues/831.
 MACHINEX := $(shell $(CXX) $(CXXFLAGS) -dumpmachine 2>/dev/null)
 ifeq ($(MACHINEX),armv8l-unknown-linux-gnueabihf)
  MACHINEX := armv7l-unknown-linux-gnueabihf
 endif
 HOSTX := $(shell echo $(MACHINEX) | cut -f 1 -d '-')
 ifeq ($(HOSTX),)
  HOSTX := $(shell uname -m 2>/dev/null)
 endif
 IS_LINUX := $(shell echo $(MACHINEX) | $(GREP) -i -c "Linux")
 # Can be used by Android and Embeeded cross-compiles. Disable by default because
 #   Android and embedded users typically don't run this configuration.
 HAS_SOLIB_VERSION ?= 0
@ -136,8 +156,8 @@ endif
 # Wait until CXXFLAGS have been set by setenv scripts.
-GCC_COMPILER := $(shell $(CXX) --version 2>/dev/null | $(EGREP) -v -E 'llvm|clang' | $(EGREP) -i -c -E '(gcc|g\+\+)')
+GCC_COMPILER := $(shell $(CXX) --version 2>/dev/null | $(GREP) -v -E 'llvm|clang' | $(GREP) -i -c -E '(gcc|g\+\+)')
-CLANG_COMPILER := $(shell $(CXX) --version 2>/dev/null | $(EGREP) -i -c -E 'llvm|clang')
+CLANG_COMPILER := $(shell $(CXX) --version 2>/dev/null | $(GREP) -i -c -E 'llvm|clang')
 HOSTX := $(shell $(CXX) $(CXXFLAGS) -dumpmachine 2>/dev/null | cut -f 1 -d '-')
 ifeq ($(HOSTX),)
@ -149,15 +169,15 @@ endif
 # -arch arm64 yields x86_64 instead of aarch64 or arm64.
 ifeq ($(CLANG_COMPILER),1)
-  IS_X86 := $(shell echo $(CXXFLAGS) | $(EGREP) -v 64 | $(EGREP) -i -c -E 'i.86')
+  IS_X86 := $(shell echo $(CXXFLAGS) | $(GREP) -v 64 | $(GREP) -i -c -E 'i.86')
-  IS_X64 := $(shell echo $(CXXFLAGS) | $(EGREP) -i -c -E 'x86_64|amd64')
+  IS_X64 := $(shell echo $(CXXFLAGS) | $(GREP) -i -c -E 'x86_64|amd64')
-  IS_ARM32 := $(shell echo $(CXXFLAGS) | $(EGREP) -v 64 | $(EGREP) -i -c -E 'arm|armhf|arm7l|eabihf')
+  IS_ARM32 := $(shell echo $(CXXFLAGS) | $(GREP) -v 64 | $(GREP) -i -c -E 'arm|armhf|arm7l|eabihf')
-  IS_ARMV8 := $(shell echo $(CXXFLAGS) | $(EGREP) -i -c -E 'aarch32|aarch64|arm64|armv8')
+  IS_ARMV8 := $(shell echo $(CXXFLAGS) | $(GREP) -i -c -E 'aarch32|aarch64|arm64|armv8')
 else
-  IS_X86 := $(shell echo $(HOSTX) | $(EGREP) -v 64 | $(EGREP) -i -c -E 'i.86')
+  IS_X86 := $(shell echo $(HOSTX) | $(GREP) -v 64 | $(GREP) -i -c -E 'i.86')
-  IS_X64 := $(shell echo $(HOSTX) | $(EGREP) -i -c -E 'x86_64|amd64')
+  IS_X64 := $(shell echo $(HOSTX) | $(GREP) -i -c -E 'x86_64|amd64')
-  IS_ARM32 := $(shell echo $(HOSTX) | $(EGREP) -v 64 | $(EGREP) -i -c -E 'arm|armhf|arm7l|eabihf')
+  IS_ARM32 := $(shell echo $(HOSTX) | $(GREP) -v 64 | $(GREP) -i -c -E 'arm|armhf|arm7l|eabihf')
-  IS_ARMV8 := $(shell echo $(HOSTX) | $(EGREP) -i -c -E 'aarch32|aarch64|arm64|armv8')
+  IS_ARMV8 := $(shell echo $(HOSTX) | $(GREP) -i -c -E 'aarch32|aarch64|arm64|armv8')
 endif
 $(info Here's what we found... IS_X86: $(IS_X86), IS_X64: $(IS_X64), IS_ARM32: $(IS_ARM32), IS_ARMV8: $(IS_ARMV8))
@ -178,9 +198,10 @@ else ifeq ($(findstring distclean,$(MAKECMDGOALS)),trim)
  DETECT_FEATURES := 0
 endif
-# Strip out -Wall, -Wextra and friends for feature testing
+# Strip out -Wall, -Wextra and friends for feature testing. FORTIFY_SOURCE is removed
 # because it requires -O1 or higher, but we use -O0 to tame the optimizer.
 ifeq ($(DETECT_FEATURES),1)
-  TCXXFLAGS := $(filter-out -Wall -Wextra -Werror% -Wunused -Wconversion -Wp%, $(CXXFLAGS))
+  TCXXFLAGS := $(filter-out -D_FORTIFY_SOURCE=% -Wall -Wextra -Werror% -Wunused -Wconversion -Wp%, $(CXXFLAGS))
  ifneq ($(strip $(TCXXFLAGS)),)
    $(info Using testing flags: $(TCXXFLAGS))
  endif
@ -227,9 +248,7 @@ ifeq ($(DETECT_FEATURES),1)
    CHAM_FLAG = $(SSSE3_FLAG)
    LEA_FLAG = $(SSSE3_FLAG)
    SIMECK_FLAG = $(SSSE3_FLAG)
    SIMON64_FLAG = $(SSSE3_FLAG)
    SIMON128_FLAG = $(SSSE3_FLAG)
    SPECK64_FLAG = $(SSSE3_FLAG)
    SPECK128_FLAG = $(SSSE3_FLAG)
  else
    SSSE3_FLAG =
@ -384,10 +403,10 @@ ifeq ($(IS_ARM32),1)
    SM4_FLAG = $(NEON_FLAG)
  else
    NEON_FLAG =
-    CXXFLAGS += -DCRYPTOPP_DISABLE_NEON
+    CXXFLAGS += -DCRYPTOPP_DISABLE_ASM
  endif
-# IS_NEON
+# IS_ARM32
 endif
 ifeq ($(IS_ARMV8),1)
@ -417,7 +436,7 @@ ifeq ($(IS_ARMV8),1)
  TPROG = TestPrograms/test_arm_asimd.cxx
  TOPT = $(ASIMD_FLAG)
-  HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+  HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
  ifeq ($(strip $(HAVE_OPT)),0)
    ARIA_FLAG = $(ASIMD_FLAG)
    BLAKE2B_FLAG = $(ASIMD_FLAG)
@ -439,7 +458,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_crc.cxx
    TOPT = $(CRC_FLAG)
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifneq ($(strip $(HAVE_OPT)),0)
      CRC_FLAG =
      CXXFLAGS += -DCRYPTOPP_ARM_CRC32_AVAILABLE=0
@ -447,7 +466,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_aes.cxx
    TOPT = $(AES_FLAG)
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifneq ($(strip $(HAVE_OPT)),0)
      AES_FLAG =
      CXXFLAGS += -DCRYPTOPP_ARM_AES_AVAILABLE=0
@ -455,15 +474,15 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_pmull.cxx
    TOPT = $(PMULL_FLAG)
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifneq ($(strip $(HAVE_OPT)),0)
      PMULL_FLAG =
      CXXFLAGS += -DCRYPTOPP_ARM_PMULL_AVAILABLE=0
    endif
-    TPROG = TestPrograms/test_arm_sha.cxx
+    TPROG = TestPrograms/test_arm_sha1.cxx
    TOPT = $(SHA_FLAG)
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifneq ($(strip $(HAVE_OPT)),0)
      SHA_FLAG =
      CXXFLAGS += -DCRYPTOPP_ARM_SHA_AVAILABLE=0
@ -471,7 +490,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_sm3.cxx
    TOPT = -march=armv8.4-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      SM3_FLAG = -march=armv8.4-a+crypto
      SM4_FLAG = -march=armv8.4-a+crypto
@ -479,7 +498,7 @@ ifeq ($(IS_ARMV8),1)
    TPROG = TestPrograms/test_arm_sha3.cxx
    TOPT = -march=armv8.4-a+crypto
-    HAVE_OPT = $(shell $(CXX) $(CXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
+    HAVE_OPT = $(shell $(CXX) $(TCXXFLAGS) $(ACLE_FLAG) $(ZOPT) $(TOPT) $(TPROG) -o $(TOUT) 2>&1 | tr ' ' '\n' | wc -l)
    ifeq ($(strip $(HAVE_OPT)),0)
      SHA3_FLAG = -march=armv8.4-a+crypto
      SHA512_FLAG = -march=armv8.4-a+crypto
@ -531,7 +550,7 @@ endif # Asan
 # LD gold linker testing. Triggered by 'LD=ld.gold'.
 ifeq ($(findstring ld.gold,$(LD)),ld.gold)
  ifeq ($(findstring -fuse-ld=gold,$(CXXFLAGS)),)
-    ELF_FORMAT := $(shell file `which ld.gold` 2>&1 | cut -d":" -f 2 | $(EGREP) -i -c "elf")
+    ELF_FORMAT := $(shell file `which ld.gold` 2>&1 | cut -d":" -f 2 | $(GREP) -i -c "elf")
    ifneq ($(ELF_FORMAT),0)
      LDFLAGS += -fuse-ld=gold
    endif # ELF/ELF64
@ -544,15 +563,15 @@ ifneq ($(filter valgrind,$(MAKECMDGOALS)),)
  CXXFLAGS := $(CXXFLAGS:-g%=-g3)
  CXXFLAGS := $(CXXFLAGS:-O%=-O1)
  CXXFLAGS := $(CXXFLAGS:-xO%=-xO1)
-  ifeq ($(findstring -DCRYPTOPP_VALGRIND,$(CXXFLAGS)),)
+  ifeq ($(findstring -DCRYPTOPP_COVERAGE,$(CXXFLAGS)),)
-    CXXFLAGS += -DCRYPTOPP_VALGRIND
+    CXXFLAGS += -DCRYPTOPP_COVERAGE
-  endif # -DCRYPTOPP_VALGRIND
+  endif # -DCRYPTOPP_COVERAGE
 endif # Valgrind
 # Debug testing on GNU systems. Triggered by -DDEBUG.
 #   Newlib test due to http://sourceware.org/bugzilla/show_bug.cgi?id=20268
 ifneq ($(filter -DDEBUG -DDEBUG=1,$(CXXFLAGS)),)
-  USING_GLIBCXX := $(shell $(CXX) $(CXXFLAGS) -E pch.cpp 2>&1 | $(EGREP) -i -c "__GLIBCXX__")
+  USING_GLIBCXX := $(shell $(CXX) $(CXXFLAGS) -E pch.cpp 2>&1 | $(GREP) -i -c "__GLIBCXX__")
  ifneq ($(USING_GLIBCXX),0)
    ifeq ($(HAS_NEWLIB),0)
      ifeq ($(findstring -D_GLIBCXX_DEBUG,$(CXXFLAGS)),)
@ -590,14 +609,18 @@ SRCS := cryptlib.cpp cpu.cpp integer.cpp $(filter-out cryptlib.cpp cpu.cpp integ
 # For Makefile.am; resource.h is Windows
 INCL := $(filter-out resource.h,$(sort $(wildcard *.h)))
-# Cryptogams AES for ARMv4 and above. We couple to ARMv7.
+# Cryptogams source files. We couple to ARMv7.
-# Avoid iOS. It cannot consume the assembly.
+# Limit to Linux. The source files target the GNU assembler.
-ifeq ($(IS_ARM32),1)
+# Also see https://www.cryptopp.com/wiki/Cryptogams.
-  ifneq ($(IS_IOS),1)
+ifeq ($(IS_ARM32)$(IS_LINUX),11)
-    CRYPTOGAMS_AES_FLAG = -march=armv7-a
+  ifeq ($(CLANG_COMPILER),1)
-    CRYPTOGAMS_AES_FLAG += -Wa,--noexecstack
+    CRYPTOGAMS_ARMV7_FLAG = -march=armv7-a -Wa,--noexecstack
-    SRCS += aes_armv4.S
+    CRYPTOGAMS_ARMV7_THUMB_FLAG = -march=armv7-a -mthumb -Wa,--noexecstack
  else
    CRYPTOGAMS_ARMV7_FLAG = -march=armv7-a -Wa,--noexecstack
    CRYPTOGAMS_ARMV7_THUMB_FLAG = -march=armv7-a -Wa,--noexecstack
  endif
  SRCS += aes_armv4.S sha1_armv4.S sha256_armv4.S sha512_armv4.S
 endif
 # List cryptlib.cpp first, then cpu.cpp, then integer.cpp to tame C++ static initialization problems.
@ -613,7 +636,7 @@ TESTOBJS := $(TESTSRCS:.cpp=.o)
 LIBOBJS := $(filter-out $(TESTOBJS),$(OBJS))
 # For Shared Objects, Diff, Dist/Zip rules
-LIB_VER := $(shell $(EGREP) "define CRYPTOPP_VERSION" config.h | cut -d" " -f 3)
+LIB_VER := $(shell $(GREP) "define CRYPTOPP_VERSION" config_ver.h | cut -d" " -f 3)
 LIB_MAJOR := $(shell echo $(LIB_VER) | cut -c 1)
 LIB_MINOR := $(shell echo $(LIB_VER) | cut -c 2)
 LIB_PATCH := $(shell echo $(LIB_VER) | cut -c 3)
@ -770,8 +793,8 @@ endif
 libcryptopp.dylib: $(LIBOBJS) $(AOSP_CPU_OBJ)
 	$(CXX) -dynamiclib -o $@ $(strip $(CXXFLAGS)) -install_name "$@" -current_version "$(LIB_MAJOR).$(LIB_MINOR).$(LIB_PATCH)" -compatibility_version "$(LIB_MAJOR).$(LIB_MINOR)" -headerpad_max_install_names $(LDFLAGS) $(LIBOBJS) $(AOSP_CPU_OBJ)
-cryptest.exe: libcryptopp.a $(TESTOBJS)
+cryptest.exe: $(LINK_LIBRARY) $(TESTOBJS)
-	$(CXX) -o $@ $(strip $(CXXFLAGS)) $(TESTOBJS) ./libcryptopp.a $(LDFLAGS) $(LDLIBS)
+	$(CXX) -o $@ $(strip $(CXXFLAGS)) $(TESTOBJS) $(LINK_LIBRARY_PATH)$(LINK_LIBRARY) $(LDFLAGS) $(LDLIBS)
 # Used to generate list of source files for Autotools, CMakeList and Android.mk
 .PHONY: sources
@ -800,9 +823,9 @@ ifeq ($(wildcard GNUmakefile.deps),GNUmakefile.deps)
 -include GNUmakefile.deps
 endif # Dependencies
-# Cryptogams ARM asm implementation.
+# Cryptogams ARM asm implementation. AES needs -mthumb for Clang
 aes_armv4.o : aes_armv4.S
-	$(CXX) $(strip $(CXXFLAGS) -fpermissive $(CRYPTOGAMS_AES_FLAG) -c) $<
+	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_THUMB_FLAG) -c) $<
 cpu-features.o: cpu-features.h cpu-features.c
 	$(CXX) $(strip $(CXXFLAGS) -fpermissive -c) cpu-features.c
@ -867,6 +890,18 @@ rijndael_simd.o : rijndael_simd.cpp
 sha_simd.o : sha_simd.cpp
 	$(CXX) $(strip $(CXXFLAGS) $(SHA_FLAG) -c) $<
 # Cryptogams SHA1 asm implementation.
 sha1_armv4.o : sha1_armv4.S
 	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_FLAG) -c) $<
 # Cryptogams SHA256 asm implementation.
 sha256_armv4.o : sha256_armv4.S
 	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_FLAG) -c) $<
 # Cryptogams SHA512 asm implementation.
 sha512_armv4.o : sha512_armv4.S
 	$(CXX) $(strip $(CXXFLAGS) $(CRYPTOGAMS_ARMV7_FLAG) -c) $<
 # SSE4.2/SHA-NI or ARMv8a available
 shacal2_simd.o : shacal2_simd.cpp
 	$(CXX) $(strip $(CXXFLAGS) $(SHA_FLAG) -c) $<
--- a/History.txt
+++ b/History.txt
@ -455,10 +455,10 @@ last several releases.
 8.1.0 - February 22, 2019
      - minor release, no recompile of programs required
      - expanded community input and support
-        56 unique contributors as of this release
+        * 56 unique contributors as of this release
      - fix OS X PowerPC builds with Clang
      - add Microsoft ARM64 support
-      - fix iPhone Simulator build due to missign symbols
+      - fix iPhone Simulator build due to missing symbols
      - add CRYPTOPP_BUGGY_SIMD_LOAD_AND_STORE
      - add carryless multiplies for NIST b233 and k233 curves
      - fix OpenMP build due to use of OpenMP 4 with down-level compilers
@ -467,3 +467,16 @@ last several releases.
      - add SHAKE-128 and SHAKE-256
      - fix AVX2 build due to _mm256_broadcastsi128_si256
      - add IETF ChaCha, XChaCha, ChaChaPoly1305 and XChaChaPoly1305
 8.2.0 - April 28, 2019
      - minor release, no recompile of programs required
      - expanded community input and support
        * 56 unique contributors as of this release
      - use PowerPC unaligned loads and stores with Power8
      - add SKIPJACK test vectors
      - fix SHAKE-128 and SHAKE-256 compile
      - removed IS_NEON from Makefile
      - fix Aarch64 build on Fedora 29
      - fix missing GF2NT_233_Multiply_Reduce_CLMUL in FIPS DLL
      - add missing BLAKE2 constructors
      - fix missing BlockSize() in BLAKE2 classes
--- a/License.txt
+++ b/License.txt
@ -29,8 +29,9 @@ Daniel J. Bernstein, Jack Lloyd - chacha.cpp, chacha_simd.cpp, chacha_avx.cpp
 Andrew Moon - ed25519, x25519, donna_32.cpp, donna_64.cpp, donna_sse.cpp
 The Crypto++ Library uses portions of Andy Polyakov's CRYPTOGAMS for Poly1305
-scalar multiplication and aes_armv4.S. CRYPTOGAMS is dual licensed with a
+scalar multiplication, aes_armv4.S, sha1_armv4.S and sha256_armv4.S. CRYPTOGAMS
-permissive BSD-style license. The CRYPTOGAMS license is reproduced below.
+is dual licensed with a permissive BSD-style license. The CRYPTOGAMS license is
 reproduced below.
 The Crypto++ Library uses portions of Jack Lloyd's Botan for ChaCha SSE2 and
 AVX. Botan placed the code in public domain for Crypto++ to use.
--- a/Readme.txt
+++ b/Readme.txt
@ -1,5 +1,5 @@
 Crypto++: free C++ Class Library of Cryptographic Schemes
-Version 8.0 - DEC/28/2018
+Version 8.3 - TBD
 Crypto++ Library is a free C++ class library of cryptographic schemes.
 Currently the library contains the following algorithms:
@ -205,23 +205,29 @@ library in your programs to help avoid unwanted redirections.
 *** Side Channel Attacks ***
-Crypto++ attempts to resist side channel attacks using various remediations. We
+Crypto++ attempts to resist side channel attacks using various remediations.
-believe the library is mostly hardened but the remdiations may be incomplete. The
+The remdiations are applied as a best effort but are probably incomplete. They
-first line of defense uses hardware instructions when possible for block ciphers,
+are incomplete due to cpu speculation bugs like Spectre, Meltdown, Foreshadow.
-hashes and other primitives. Hardware acceleration remediates many timing attacks.
+The attacks target both cpu caches and internal buffers. Intel generally refers
-The library also uses cache-aware algoirthms and access patterns to minimize leakage.
+to internal buffer attacks as "Microarchitectural Data Sampling" (MDS).
-Some of the public key algorithms have branches and some of the branches depend on
+The library uses hardware instructions when possible for block ciphers, hashes
-data that can be private or secret. The branching occurs in some field operations
+and other operations. The hardware acceleration remediates some timing
-like exponentiation over integers and elliptic curves. The branching has been
+attacks. The library also uses cache-aware algoirthms and access patterns
-minimized but not completely eliminated.
+to minimize leakage cache evictions.
-Crypto++ does not enagage Specter remediations at this time. The GCC options for
+Some of the public key algorithms have branches and some of the branches depend
-Specter are -mfunction-return=thunk and -mindirect-branch=thunk, and the library
+on data that can be private or secret. The branching occurs in some field
-uses them during testing. If you want the Specter workarounds then add the GCC
+operations like exponentiation over integers and elliptic curves. The branching
-options to your CXXFLAGS when building the library.
+has been minimized but not completely eliminated.
-If you suspect or find an information leak then please report it.
+Crypto++ does not enagage Specter remediations at this time. The GCC options
 for Specter are -mfunction-return=thunk and -mindirect-branch=thunk, and the
 library uses them during testing. If you want the Specter workarounds then add
 the GCC options to your CXXFLAGS when building the library.
 To help resist attacks you should disable hyperthreading on cpus. If you
 suspect or find an information leak then please report it.
 *** Documentation and Support ***
@ -290,8 +296,36 @@ documentation is one of the highest returns on investment.
 The items in this section comprise the most recent history. Please see History.txt
 for the record back to Crypto++ 1.0.
-8.0.0 - December 28, 2018
+8.2.0 - April 28, 2019
      - minor release, no recompile of programs required
      - expanded community input and support
        * 56 unique contributors as of this release
      - use PowerPC unaligned loads and stores with Power8
      - add SKIPJACK test vectors
      - fix SHAKE-128 and SHAKE-256 compile
      - removed IS_NEON from Makefile
      - fix Aarch64 build on Fedora 29
      - fix missing GF2NT_233_Multiply_Reduce_CLMUL in FIPS DLL
      - add missing BLAKE2 constructors
      - fix missing BlockSize() in BLAKE2 classes
 8.1.0 - February 22, 2019
      - minor release, no recompile of programs required
      - expanded community input and support
        * 56 unique contributors as of this release
      - fix OS X PowerPC builds with Clang
      - add Microsoft ARM64 support
      - fix iPhone Simulator build due to missing symbols
      - add CRYPTOPP_BUGGY_SIMD_LOAD_AND_STORE
      - add carryless multiplies for NIST b233 and k233 curves
      - fix OpenMP build due to use of OpenMP 4 with down-level compilers
      - add SignStream and VerifyStream for ed25519 and large files
      - fix missing AlgorithmProvider in PanamaHash
      - add SHAKE-128 and SHAKE-256
      - fix AVX2 build due to _mm256_broadcastsi128_si256
      - add IETF ChaCha, XChaCha, ChaChaPoly1305 and XChaChaPoly1305
 8.0.0 - December 28, 2018
      - major release, recompile of programs required
      - expanded community input and support
         * 54 unique contributors as of this release
--- a/TestData/ecies_p160.dat
+++ b/TestData/ecies_p160.dat
@ -0,0 +1 @@
 3081C80201003081A406072A8648CE3D0201308198020101302006072A8648CE3D0101021500FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF302C0414FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC04141C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA450429044A96B5688EF573284664698968C38BB913CBFC8223A628553168947D59DCC912042351377AC5FB3202150100000000000000000001F4C8F927AED3CA752257020101041C301A02010104150023A68821ABB99DBB8429ED2320D61A8EA4C6D81B
--- a/TestData/ecies_t163.dat
+++ b/TestData/ecies_t163.dat
@ -0,0 +1 @@
 3081D10201003081AD06072A8648CE3D02013081A1020101302506072A8648CE3D0102301A020200A306092A8648CE3D010203033009020103020106020107302E041507B6882CAAEFA84F9554FF8428BD88E246D2782AE204150713612DCDDCB40AAB946BDA29CA91F73AF958AFD9042B040369979697AB43897789566789567F787A7876A65400435EDB42EFAFB2989D51FEFCE3C80988F41FF883021503FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B020102041C301A02010104150003693AB4D83EE8B544548BE7647AEA0EA64E8211
--- a/TestData/elgc1024.dat
+++ b/TestData/elgc1024.dat
@ -1 +1 @@
-308201A40201003082011706072A8648CE3804013082010A028181008B333697371663F8869E3EC80A414E46BBAFE41F6D40E754A01ADA60FE7D12ACD16DE311C4115293114F6B92A54195909276380F04BCD4ED5CD993ED7F516DF7A752B928E5035E0D3A1A979A1CDE8387734338793C02001D59B662D4FC8F2BF0EABB1F553F9F46F57E74BCABCBA4E458812DB601FCD04609D435317181236B9702818045999B4B9B8B31FC434F1F640520A7235DD7F20FB6A073AA500D6D307F3E895668B6F188E208A94988A7B5C952A0CAC8493B1C07825E6A76AE6CC9F6BFA8B6FBD3A95C947281AF069D0D4BCD0E6F41C3B9A19C3C9E01000EACDB316A7E4795F8755D8FAA9FCFA37ABF3A5E55E5D2722C4096DB00FE682304EA1A98B8C091B5CB02010204818302818045999B4B9B8B31FC434F1F640520A7235DD7F20FB6A073AA500D6D307F3E895668B6F188E208A94988A7B5C952A0CAC8493B1C07825E6A76AE6CC9F6BFA8B6FBD3A95C947281AF069D0D4BCD0E6F41C3B9A19C3C9E01000EACDB316A7E4795F8755D8FAA9FCFA37ABF3A5E2958F40032EF29CB145C7481380458812D62F09287
+308201360201003082011606062B0E070201013082010A02818100D18892CC35AD9E532C53810019E525CDE08882E6344D6787C366B171D68948F53D74F7923B148E0A0B4C9B956D695384DE24AC3034000B3C4AD4C8226470BBD88B5B053BCCB01E608B1352D6ED16324745253BDB204308E065368CB9D75ACDB290E671BD4CA1608500BFACD758E6E9EFAC8CCBAD83BE7E397A62E4F55634FC3B02818068C449661AD6CF299629C0800CF292E6F04441731A26B3C3E1B358B8EB44A47A9EBA7BC91D8A470505A64DCAB6B4A9C26F1256181A00059E256A641132385DEC45AD829DE6580F304589A96B768B1923A2929DED90218470329B465CEBAD66D9487338DEA650B042805FD66BAC7374F7D64665D6C1DF3F1CBD31727AAB1A7E1D0201030417021504ED7AED68B1A5EFDE11262210D9F1121D4A119CE8
--- a/TestPrograms/test_arm_sha1.cxx
+++ b/TestPrograms/test_arm_sha1.cxx
@ -0,0 +1,18 @@
 #include <arm_neon.h>
 #include <stdint.h>
 // test_acle.h determines if this is available. Then,
 // -DCRYPTOPP_ARM_ACLE_AVAILABLE=0 is added to CXXFLAGS
 // if the ACLE header is not available.
 #if (CRYPTOPP_ARM_ACLE_AVAILABLE)
 #  include <arm_acle.h>
 #endif
 int main(int argc, char* argv[])
 {
 	uint32x4_t y = {0};
 	y=vsha1cq_u32(y,0,y);
 	y=vsha1mq_u32(y,1,y);
 	y=vsha1pq_u32(y,2,y);
 	return 0;
 }
--- a/TestPrograms/test_arm_sha256.cxx
+++ b/TestPrograms/test_arm_sha256.cxx
@ -11,9 +11,6 @@
 int main(int argc, char* argv[])
 {
 	uint32x4_t y = {0};
 	y=vsha1cq_u32(y,0,y);
 	y=vsha1mq_u32(y,1,y);
 	y=vsha1pq_u32(y,2,y);
 	y=vsha256hq_u32(y, y, y);
 	y=vsha256h2q_u32(y, y, y);
 	y=vsha256su1q_u32(y, y, y);
--- a/TestPrograms/test_x86_avx2.cxx
+++ b/TestPrograms/test_x86_avx2.cxx
@ -1,7 +1,9 @@
 #include <immintrin.h>
 int main(int argc, char* argv[])
 {
-	__m256i x = _mm256_setzero_si256();
+	// _mm256_broadcastsi128_si256 due to Clang
-	x=_mm256_add_epi64 (x,x);
+	__m128i x = _mm_setzero_si128 ();
 	__m256i y = _mm256_broadcastsi128_si256 (x);
 	y = _mm256_add_epi64 (y,y);
 	return 0;
 }
--- a/TestPrograms/test_x86_rdrand.cxx
+++ b/TestPrograms/test_x86_rdrand.cxx
@ -0,0 +1,7 @@
 #include <immintrin.h>
 int main(int argc, char* argv[])
 {
    unsigned int x=0;
    (void)_rdrand32_step (&x);
    return x == 0 ? 0 : 0;
 }
--- a/TestPrograms/test_x86_rdseed.cxx
+++ b/TestPrograms/test_x86_rdseed.cxx
@ -0,0 +1,7 @@
 #include <immintrin.h>
 int main(int argc, char* argv[])
 {
    unsigned int x=0;
    (void)_rdseed32_step (&x);
    return x == 0 ? 0 : 0;
 }
--- a/TestScripts/change-version.sh
+++ b/TestScripts/change-version.sh
@ -4,11 +4,14 @@
 # building the docs. Before running the script, copy it to the root
 # directory. After running this script, you can 'make docs'
-sed 's|Library 8.1 API|Library 8.0 API|g' cryptlib.h > cryptlib.h.new
+sed 's|Library 8.3 API|Library 8.2 API|g' cryptlib.h > cryptlib.h.new
 mv cryptlib.h.new cryptlib.h
-sed 's|= 8.1|= 8.0|g' Doxyfile > Doxyfile.new
+sed 's|= 8.3|= 8.2|g' Doxyfile > Doxyfile.new
 mv Doxyfile.new Doxyfile
-sed 's|CRYPTOPP_VERSION 810|CRYPTOPP_VERSION 800|g' config.h > config.h.new
+sed 's|CRYPTOPP_MINOR 3|CRYPTOPP_MINOR 2|g' config_ver.h > config_ver.h.new
-mv config.h.new config.h
+mv config_ver.h.new config_ver.h
 sed 's|CRYPTOPP_VERSION 830|CRYPTOPP_VERSION 820|g' config_ver.h > config_ver.h.new
 mv config_ver.h.new config_ver.h
--- a/TestScripts/cryptest-autotools.sh
+++ b/TestScripts/cryptest-autotools.sh
@ -6,17 +6,13 @@ function cleanup {
 }
 trap cleanup EXIT
 #############################################################################
 GREP=grep
 SED=sed
 AWK=awk
 MAKE=make
 # Fixup ancient Bash
 # https://unix.stackexchange.com/q/468579/56041
 if [[ -z "$BASH_SOURCE" ]]; then
 	BASH_SOURCE="$0"
 fi
 # Fixup, Solaris and friends
 if [[ (-d /usr/xpg4/bin) ]]; then
 	SED=/usr/xpg4/bin/sed
@ -34,7 +30,6 @@ if [[ "$IS_DARWIN" -ne 0 ]]; then
 	export LC_ALL=C
 fi
 # Fixup for Solaris and BSDs
 # Fixup for Solaris and BSDs
 if [[ ! -z $(command -v gmake) ]]; then
 	MAKE=gmake
@ -53,24 +48,30 @@ elif [[ ! -z $(command -v glibtool) ]]; then
 	LIBTOOLIZE=$(command -v glibtool)
 fi
-# Fecth the three required files
+#############################################################################
 if ! wget --no-check-certificate 'https://raw.githubusercontent.com/noloader/cryptopp-autotools/master/Makefile.am' -O Makefile.am; then
 	echo "Makefile.am download failed"
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
-if ! wget --no-check-certificate 'https://raw.githubusercontent.com/noloader/cryptopp-autotools/master/configure.ac' -O configure.ac; then
+echo "Downloading configure.ac"
 if ! wget -O configure.ac -q --no-check-certificate 'https://raw.githubusercontent.com/noloader/cryptopp-autotools/master/configure.ac'; then
 	echo "configure.ac download failed"
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
-if ! wget --no-check-certificate 'https://raw.githubusercontent.com/noloader/cryptopp-autotools/master/libcryptopp.pc.in' -O libcryptopp.pc.in; then
+echo "Downloading Makefile.am"
 if ! wget -O Makefile.am -q --no-check-certificate 'https://raw.githubusercontent.com/noloader/cryptopp-autotools/master/Makefile.am'; then
 	echo "Makefile.am download failed"
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 echo "Downloading libcryptopp.pc.in"
 if ! wget -O libcryptopp.pc.in -q --no-check-certificate 'https://raw.githubusercontent.com/noloader/cryptopp-autotools/master/libcryptopp.pc.in'; then
 	echo "libcryptopp.pc.in download failed"
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 mkdir -p m4/
 #############################################################################
 if [[ -z $(command -v autoupdate) ]]; then
 	echo "Cannot find autoupdate. Things may fail."
 fi
@ -79,56 +80,71 @@ if [[ -z "$LIBTOOLIZE" ]]; then
 	echo "Cannot find libtoolize. Things may fail."
 fi
 if [[ -z $(command -v automake) ]]; then
 	echo "Cannot find automake. Things may fail."
 fi
 if [[ -z $(command -v autoreconf) ]]; then
 	echo "Cannot find autoreconf. Things may fail."
 fi
 echo "Running autoupdate"
-if ! autoupdate 2>/dev/null; then
+if ! autoupdate &>/dev/null; then
 	echo "autoupdate failed."
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 echo "Running libtoolize"
-if ! "$LIBTOOLIZE" 2>/dev/null; then
+if ! "$LIBTOOLIZE" --force --install &>/dev/null; then
-	echo "libtoolize failed."
+	echo "libtoolize failed... skipping."
-	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
+	# [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 # Run autoreconf twice on failure. Also see
 # https://github.com/tracebox/tracebox/issues/57
 echo "Running autoreconf"
-if ! autoreconf 2>/dev/null; then
+if ! autoreconf --force --install &>/dev/null; then
 	echo "autoreconf failed, running again."
-	if ! autoreconf -fi; then
+	if ! autoreconf --force --install; then
 		echo "autoreconf failed, again."
 		[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 	fi
 fi
-# Sparc need +w
+#############################################################################
 if [[ -e config.sub ]]; then
 	chmod +w config.sub
 fi
 if [[ -e config.guess ]]; then
 	chmod +w config.guess
 fi
 # Update config.sub config.guess. GNU recommends using the latest for all projects.
 echo "Updating config.sub"
-wget --no-check-certificate 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub' -O config.sub
+wget -O config.sub.new -q --no-check-certificate 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub'
-if [[ -e config.sub ]]; then
+# Solaris removes +w, can't overwrite
 chmod +w config.sub
 mv config.sub.new config.sub
 chmod +x config.sub
 if [[ "$IS_DARWIN" -ne 0 ]] && [[ -n $(command -v xattr) ]]; then
 	echo "Removing config.sub quarantine"
 	xattr -d "com.apple.quarantine" config.sub &>/dev/null
 fi
 echo "Updating config.guess"
-wget --no-check-certificate 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess' -O config.guess
+wget -O config.guess.new -q --no-check-certificate 'https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess'
-if [[ -e config.guess ]]; then
+# Solaris removes +w, can't overwrite
 chmod +w config.guess
 mv config.guess.new config.guess
 chmod +x config.guess
 if [[ "$IS_DARWIN" -ne 0 ]] && [[ -n $(command -v xattr) ]]; then
 	echo "Removing config.guess quarantine"
 	xattr -d "com.apple.quarantine" config.guess &>/dev/null
 fi
 #############################################################################
 echo "Running configure"
 echo ""
 if ! ./configure; then
 	echo "configure failed."
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
@ -136,6 +152,8 @@ fi
 "$MAKE" clean 2>/dev/null
 #############################################################################
 if ! "$MAKE" -j2 -f Makefile; then
 	echo "make failed."
 	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
--- a/TestScripts/cryptest-symbols.sh
+++ b/TestScripts/cryptest-symbols.sh
@ -18,7 +18,7 @@ fi
 PWD_DIR=$(pwd)
 function cleanup {
-    rm -f adhoc.cpp *.a *.o *.so *.dylib GNUmakefile-symbols
+    rm -f adhoc.cpp *.a *.o *.so *.dylib
    cd "$PWD_DIR"
 }
 trap cleanup EXIT
@ -26,7 +26,7 @@ trap cleanup EXIT
 ############################################
 # Tags to test
-OLD_VERSION_TAG=CRYPTOPP_8_0_0
+OLD_VERSION_TAG=CRYPTOPP_8_2_0
 NEW_VERSION_TAG=master
 ############################################
@ -40,7 +40,7 @@ if [[ ! (-z "$DIRTY") ]]; then
 	read -p "Type 'Y' to proceed or 'N' to exit. Proceed? " -n 1 -r
 	echo # (optional) move to a new line
 	if [[ !($REPLY =~ ^[Yy]$) ]]; then
-		[[ "$0" = "$BASH_SOURCE" ]] && exit 0 || return 0
+		exit 0
 	fi
 else
 	echo
@ -222,29 +222,13 @@ fi
 "$MAKE" distclean &>/dev/null
 rm -f GNUmakefile-symbols
 git checkout master -f &>/dev/null
 cp GNUmakefile GNUmakefile-symbols
 git checkout "$OLD_VERSION_TAG" -f &>/dev/null
 if [[ "$?" -ne "0" ]]; then
 	echo "Failed to checkout $OLD_VERSION_TAG"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	exit 1
 fi
 echo
 echo "****************************************************************"
 echo "Patching makefile for dynamic linking by cryptest.exe"
 echo "****************************************************************"
 if [[ "$IS_DARWIN" -ne "0" ]]; then
 	"$SED" "$SED_OPTS" -e 's|libcryptopp.a $(TESTOBJS)|libcryptopp.dylib $(TESTOBJS)|g' GNUmakefile-symbols
 	"$SED" "$SED_OPTS" -e 's|$(TESTOBJS) ./libcryptopp.a |$(TESTOBJS) ./libcryptopp.dylib |g' GNUmakefile-symbols
 else
 	"$SED" "$SED_OPTS" -e 's|libcryptopp.a $(TESTOBJS)|libcryptopp.so $(TESTOBJS)|g' GNUmakefile-symbols
 	"$SED" "$SED_OPTS" -e 's|$(TESTOBJS) ./libcryptopp.a |$(TESTOBJS) ./libcryptopp.so |g' GNUmakefile-symbols
 fi
 echo
@ -253,17 +237,17 @@ echo "Building dynamic library for $OLD_VERSION_TAG"
 echo "****************************************************************"
 echo
 "$MAKE" "${MAKEARGS[@]}" -f GNUmakefile-symbols dynamic
 if [[ "$IS_DARWIN" -ne "0" ]]; then
-	LIBNAME=libcryptopp.dylib
+	LINK_LIBRARY=libcryptopp.dylib
 else
-	LIBNAME=libcryptopp.so
+	LINK_LIBRARY=libcryptopp.so
 fi
-if [[ ! -f "$LIBNAME" ]]; then
+LINK_LIBRARY="$LINK_LIBRARY" "$MAKE" "${MAKEARGS[@]}" -f GNUmakefile dynamic
 if [[ ! -f "$LINK_LIBRARY" ]]; then
 	echo "Failed to make $OLD_VERSION_TAG library"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	exit 1
 fi
 echo
@ -272,11 +256,11 @@ echo "Building cryptest.exe for $OLD_VERSION_TAG"
 echo "****************************************************************"
 echo
-"$MAKE" "${MAKEARGS[@]}" -f GNUmakefile-symbols cryptest.exe
+"$MAKE" "${MAKEARGS[@]}" -f GNUmakefile cryptest.exe
 if [[ ! -f "cryptest.exe" ]]; then
 	echo "Failed to make cryptest.exe"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	exit 1
 fi
 echo
@ -304,7 +288,7 @@ git checkout "$NEW_VERSION_TAG" -f &>/dev/null
 if [[ "$?" -ne "0" ]]; then
 	echo "Failed to checkout $OLD_VERSION_TAG"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	exit 1
 fi
 echo
@ -313,11 +297,11 @@ echo "Building dynamic library for $NEW_VERSION_TAG"
 echo "****************************************************************"
 echo
-"$MAKE" "${MAKEARGS[@]}" -f GNUmakefile-symbols dynamic
+LINK_LIBRARY="$LINK_LIBRARY" "$MAKE" "${MAKEARGS[@]}" -f GNUmakefile dynamic
-if [[ ! -f "$LIBNAME" ]]; then
+if [[ ! -f "$LINK_LIBRARY" ]]; then
 	echo "Failed to make $NEW_VERSION_TAG library"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	exit 1
 fi
 echo
@ -338,7 +322,7 @@ git checkout master -f &>/dev/null
 if [[ "$?" -ne "0" ]]; then
 	echo "Failed to checkout Master"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	exit 1
 fi
-[[ "$0" = "$BASH_SOURCE" ]] && exit 0 || return 0
+exit 0
--- a/TestScripts/cryptest.sh
+++ b/TestScripts/cryptest.sh
--- a/TestScripts/governor.sh
+++ b/TestScripts/governor.sh
@ -1,25 +1,25 @@
 #!/usr/bin/env bash
 # This scripts queries and modifies CPU scaling frequencies to produce more
-# accurate benchmark results. To move from a low energy state C-state to a
+# accurate benchmark results. To move from a low energy state to a higher
-# higher one, run 'governor.sh performance'. To move back to a low power state
+# one, run 'governor.sh performance'. To move back to a low power state
-# run 'governor.sh powersave' or reboot. The script is based on code by
+# run 'governor.sh powersave' or 'governor.sh ondemand' or reboot. The script
-# Andy Polyakov, http://www.openssl.org/~appro/cryptogams/.
+# based on code by Andy Polyakov, http://www.openssl.org/~appro/cryptogams/.
 # Fixup ancient Bash
 # https://unix.stackexchange.com/q/468579/56041
-if [[ -z "$BASH_SOURCE" ]]; then
+if [[ -z "${BASH_SOURCE[0]}" ]]; then
 	BASH_SOURCE="$0"
 fi
 if [[ "$EUID" -ne 0 ]]; then
    echo "This script must be run as root"
-    [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+    [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 if [ "x$1" = "x" ]; then
    echo "usage: $0 on[demand]|pe[rformance]|po[wersave]|us[erspace]?"
-    [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+    [[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 # "on demand" may result in a "invalid write argument" or similar
@ -27,40 +27,41 @@ case $1 in
    on*|de*)    governor="ondemand";;
    po*|pw*)    governor="powersave";;
    pe*)        governor="performance";;
    co*)        governor="conservative";;
    us*)        governor="userspace";;
    \?)         ;;
    *)          echo "$1: unrecognized governor";;
 esac
 if [ -z "$governor" ]; then
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 cpus=$(ls /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor 2>/dev/null)
 if [ -z "$cpus" ]; then
 	echo "Failed to read CPU system device tree"
-	[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+	[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 1 || return 1
 fi
 echo "Current CPU governor scaling settings:"
 count=0
 for cpu in $cpus; do
-	echo "  CPU $count:" $(cat "$cpu")
+	echo "  CPU $count: $(cat "$cpu")"
 	((count++))
 done
 if [ "x$governor" != "x" ]; then
    for cpu in $cpus; do
-        echo $governor > $cpu
+        echo "$governor" > "$cpu"
    done
 fi
 echo "New CPU governor scaling settings:"
 count=0
 for cpu in $cpus; do
-	echo "  CPU $count:" $(cat "$cpu")
+	echo "  CPU $count: $(cat "$cpu")"
 	((count++))
 done
-[[ "$0" = "$BASH_SOURCE" ]] && exit 0 || return 0
+[[ "$0" = "${BASH_SOURCE[0]}" ]] && exit 0 || return 0
--- a/TestScripts/setenv-android-gcc.sh
+++ b/TestScripts/setenv-android-gcc.sh
@ -18,6 +18,12 @@
 # set -eu
 # Sanity check
 if [ "$0" = "${BASH_SOURCE[0]}" ]; then
    echo "Please source this setenv script"
    exit 0
 fi
 unset IS_CROSS_COMPILE
 unset IS_IOS
@ -39,7 +45,7 @@ unset CPP CC CXX LD AS AR RANLIB STRIP
 # Similar to a "make clean"
 if [ x"${1-}" = "xunset" ]; then
    echo "Unsetting script variables. PATH may remain tainted"
-	[ "$0" = "$BASH_SOURCE" ] && exit 0 || return 0
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 0 || return 0
 fi
 # Set AOSP_TOOLCHAIN_SUFFIX to your preference of tools and STL library.
@ -71,7 +77,7 @@ if [ -z "${AOSP_API-}" ]; then
 else
    echo "WARNING: Using AOSP_API has been deprecated. Please use AOSP_API_VERSION instead."
    echo "If you set for example AOSP_API=android-23 then now instead set AOSP_API_VERSION=23"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 #####################################################################
@ -98,7 +104,7 @@ fi
 # Error checking
 if [ ! -d "$ANDROID_NDK_ROOT/toolchains" ]; then
    echo "ERROR: ANDROID_NDK_ROOT is not a valid path. Please set it."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 #####################################################################
@ -127,7 +133,7 @@ case "$THE_ARCH" in
    ;;
  hard|armv7a-hard|armeabi-v7a-hard)
    echo hard, armv7a-hard and armeabi-v7a-hard are not supported, as android uses softfloats
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    #TOOLCHAIN_ARCH="arm-linux-androideabi"
    #TOOLCHAIN_NAME="arm-linux-androideabi"
    #AOSP_ABI="armeabi-v7a"
@ -178,7 +184,7 @@ case "$THE_ARCH" in
    ;;
  *)
    echo "ERROR: Unknown architecture $1"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    ;;
 esac
@ -218,48 +224,48 @@ done
 # Error checking
 if [ -z "$AOSP_TOOLCHAIN_PATH" ] || [ ! -d "$AOSP_TOOLCHAIN_PATH" ]; then
    echo "ERROR: AOSP_TOOLCHAIN_PATH is not valid. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CPP" ]; then
    echo "ERROR: Failed to find Android cpp. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CC" ]; then
    echo "ERROR: Failed to find Android gcc. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CXX" ]; then
    echo "ERROR: Failed to find Android g++. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$RANLIB" ]; then
    echo "ERROR: Failed to find Android ranlib. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$AR" ]; then
    echo "ERROR: Failed to find Android ar. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$AS" ]; then
    echo "ERROR: Failed to find Android as. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$LD" ]; then
    echo "ERROR: Failed to find Android ld. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Only modify/export PATH if AOSP_TOOLCHAIN_PATH good
@ -278,10 +284,10 @@ fi
 # Error checking
 if [ ! -d "$ANDROID_NDK_ROOT/platforms/$AOSP_API" ]; then
    echo "ERROR: AOSP_API is not valid. Does the NDK support the API? Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 elif [ ! -d "$ANDROID_NDK_ROOT/platforms/$AOSP_API/$AOSP_ARCH" ]; then
    echo "ERROR: AOSP_ARCH is not valid. Does the NDK support the architecture? Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Android SYSROOT. It will be used on the command line with --sysroot
@ -328,7 +334,7 @@ case "$THE_STL" in
    echo WARNING: llvm is still in experimental state and migth not work as expected
    if [ ! -d "$LLVM_INCLUDE_DIR" ]; then
        echo "ERROR: Unable to locate include LLVM directory at $LLVM_INCLUDE_DIR -- has it moved since NDK r16beta1?"
-		[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+        [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    fi
    AOSP_STL_INC="$LLVM_INCLUDE_DIR"
    AOSP_STL_LIB="$ANDROID_NDK_ROOT/sources/cxx-stl/llvm-libc++/libs/$AOSP_ABI/libc++_static.a"
@ -337,26 +343,26 @@ case "$THE_STL" in
    echo WARNING: llvm is still in experimental state and migth not work as expected
    if [ ! -d "$LLVM_INCLUDE_DIR" ]; then
        echo "ERROR: Unable to locate LLVM include directory at $LLVM_INCLUDE_DIR -- has it moved since NDK r16beta1?"
-		[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+        [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    fi
    AOSP_STL_INC="$LLVM_INCLUDE_DIR"
    AOSP_STL_LIB="$ANDROID_NDK_ROOT/sources/cxx-stl/llvm-libc++/libs/$AOSP_ABI/libc++_shared.so"
    ;;
  *)
    echo "ERROR: Unknown STL library $2"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 esac
 # Error checking
 if [ ! -d "$AOSP_STL_INC" ] || [ ! -e "$AOSP_STL_INC/memory" ]; then
    echo "ERROR: AOSP_STL_INC is not valid. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_STL_LIB" ]; then
    echo "ERROR: AOSP_STL_LIB is not valid. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 export AOSP_STL_INC
@ -372,13 +378,13 @@ fi
 if [[ ! -e "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.h" ]]; then
    echo "ERROR: Unable to locate cpu-features.h"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 cp "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.h" .
 if [[ ! -e "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.c" ]]; then
    echo "ERROR: Unable to locate cpu-features.c"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 cp "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.c" .
@ -446,4 +452,4 @@ echo "shared object using 'HAS_SOLIB_VERSION=1 make -f GNUmakefile-cross'"
 echo "*******************************************************************************"
 echo
-[ "$0" = "$BASH_SOURCE" ] && exit 0 || return 0
+[ "$0" = "${BASH_SOURCE[0]}" ] && exit 0 || return 0
--- a/TestScripts/setenv-android-old.sh
+++ b/TestScripts/setenv-android-old.sh
@ -20,6 +20,12 @@
 # set -eu
 # Sanity check
 if [ "$0" = "${BASH_SOURCE[0]}" ]; then
    echo "Please source this setenv script"
    exit 0
 fi
 unset IS_CROSS_COMPILE
 unset IS_IOS
@ -39,7 +45,7 @@ unset CPP CC CXX LD AS AR RANLIB STRIP
 # Similar to a "make clean"
 if [ x"${1-}" = "xunset" ]; then
    echo "Unsetting script variables. PATH may remain tainted"
-	[ "$0" = "$BASH_SOURCE" ] && exit 0 || return 0
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 0 || return 0
 fi
 # Set AOSP_TOOLCHAIN_SUFFIX to your preference of tools and STL library.
@ -90,7 +96,7 @@ fi
 # Error checking
 if [ ! -d "$ANDROID_NDK_ROOT/toolchains" ]; then
    echo "ERROR: ANDROID_NDK_ROOT is not a valid path. Please set it."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 #####################################################################
@ -168,7 +174,7 @@ case "$THE_ARCH" in
    ;;
  *)
    echo "ERROR: Unknown architecture $1"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    ;;
 esac
@ -204,48 +210,48 @@ done
 # Error checking
 if [ -z "$AOSP_TOOLCHAIN_PATH" ] || [ ! -d "$AOSP_TOOLCHAIN_PATH" ]; then
    echo "ERROR: AOSP_TOOLCHAIN_PATH is not valid. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CPP" ]; then
    echo "ERROR: Failed to find Android cpp. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CC" ]; then
    echo "ERROR: Failed to find Android gcc. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$CXX" ]; then
    echo "ERROR: Failed to find Android g++. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$RANLIB" ]; then
    echo "ERROR: Failed to find Android ranlib. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$AR" ]; then
    echo "ERROR: Failed to find Android ar. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$AS" ]; then
    echo "ERROR: Failed to find Android as. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_TOOLCHAIN_PATH/$LD" ]; then
    echo "ERROR: Failed to find Android ld. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Only modify/export PATH if AOSP_TOOLCHAIN_PATH good
@ -264,10 +270,10 @@ fi
 # Error checking
 if [ ! -d "$ANDROID_NDK_ROOT/platforms/$AOSP_API" ]; then
    echo "ERROR: AOSP_API is not valid. Does the NDK support the API? Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 elif [ ! -d "$ANDROID_NDK_ROOT/platforms/$AOSP_API/$AOSP_ARCH" ]; then
    echo "ERROR: AOSP_ARCH is not valid. Does the NDK support the architecture? Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Android SYSROOT. It will be used on the command line with --sysroot
@ -312,7 +318,7 @@ case "$THE_STL" in
  llvm-static)
      if [ ! -d "$LLVM_INCLUDE_DIR" ]; then
        echo "ERROR: Unable to locate include LLVM directory at $LLVM_INCLUDE_DIR -- has it moved since NDK r16beta1?"
-		[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+        [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    fi
    AOSP_STL_INC="$LLVM_INCLUDE_DIR"
    AOSP_STL_LIB="$ANDROID_NDK_ROOT/sources/cxx-stl/llvm-libc++/libs/$AOSP_ABI/libc++_static.a"
@ -320,26 +326,26 @@ case "$THE_STL" in
  llvm|llvm-shared)
      if [ ! -d "$LLVM_INCLUDE_DIR" ]; then
        echo "ERROR: Unable to locate LLVM include directory at $LLVM_INCLUDE_DIR -- has it moved since NDK r16beta1?"
-		[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+        [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
    fi
    AOSP_STL_INC="$LLVM_INCLUDE_DIR"
    AOSP_STL_LIB="$ANDROID_NDK_ROOT/sources/cxx-stl/llvm-libc++/libs/$AOSP_ABI/libc++_shared.so"
    ;;
  *)
    echo "ERROR: Unknown STL library $2"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 esac
 # Error checking
 if [ ! -d "$AOSP_STL_INC" ] || [ ! -e "$AOSP_STL_INC/memory" ]; then
    echo "ERROR: AOSP_STL_INC is not valid. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Error checking
 if [ ! -e "$AOSP_STL_LIB" ]; then
    echo "ERROR: AOSP_STL_LIB is not valid. Please edit this script."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 export AOSP_STL_INC
@ -355,13 +361,13 @@ fi
 if [[ ! -e "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.h" ]]; then
    echo "ERROR: Unable to locate cpu-features.h"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 cp "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.h" .
 if [[ ! -e "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.c" ]]; then
    echo "ERROR: Unable to locate cpu-features.c"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 cp "$ANDROID_NDK_ROOT/sources/android/cpufeatures/cpu-features.c" .
@ -427,4 +433,4 @@ echo "shared object using 'HAS_SOLIB_VERSION=1 make -f GNUmakefile-cross'"
 echo "*******************************************************************************"
 echo
-[ "$0" = "$BASH_SOURCE" ] && exit 0 || return 0
+[ "$0" = "${BASH_SOURCE[0]}" ] && exit 0 || return 0
--- a/TestScripts/setenv-embedded.sh
+++ b/TestScripts/setenv-embedded.sh
@ -15,6 +15,12 @@
 # set -eu
 # Sanity check
 if [ "$0" = "${BASH_SOURCE[0]}" ]; then
    echo "Please source this setenv script"
    exit 0
 fi
 # Unset old options
 unset IS_CROSS_COMPILE
@ -29,7 +35,7 @@ fi
 if [ ! -d "$ARM_EMBEDDED_TOOLCHAIN" ]; then
    echo "ARM_EMBEDDED_TOOLCHAIN is not valid"
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Fedora
@ -50,37 +56,37 @@ export RANLIB="$ARM_EMBEDDED_TOOLCHAIN/$TOOL_PREFIX-ranlib"
 # Test a few of the tools
 if [ ! -e "$CPP" ]; then
  echo "ERROR: CPP is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$CC" ]; then
  echo "ERROR: CC is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$CXX" ]; then
  echo "ERROR: CXX is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$AR" ]; then
  echo "ERROR: AR is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$AS" ]; then
  echo "ERROR: AS is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$RANLIB" ]; then
  echo "ERROR: RANLIB is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -e "$LD" ]; then
  echo "ERROR: LD is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # The Crypto++ Makefile uses these to disable host settings like
@ -94,7 +100,7 @@ fi
 if [ ! -d "$ARM_EMBEDDED_SYSROOT" ]; then
  echo "ERROR: ARM_EMBEDDED_SYSROOT is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Fix C++ header paths for Ubuntu
@ -104,12 +110,12 @@ ARM_EMBEDDED_CXX_HEADERS="$ARM_EMBEDDED_SYSROOT/include/c++/$ARM_EMBEDDED_TOOLCH
 if [ ! -d "$ARM_EMBEDDED_CXX_HEADERS" ]; then
  echo "ERROR: ARM_EMBEDDED_CXX_HEADERS is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 if [ ! -d "$ARM_EMBEDDED_CXX_HEADERS/arm-linux-gnueabi" ]; then
  echo "ERROR: ARM_EMBEDDED_CXX_HEADERS is not valid"
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Finally, the flags...
@ -142,4 +148,4 @@ echo "shared object using 'HAS_SOLIB_VERSION=1 make -f GNUmakefile-cross'"
 echo "*******************************************************************************"
 echo
-[ "$0" = "$BASH_SOURCE" ] && exit 0 || return 0
+[ "$0" = "${BASH_SOURCE[0]}" ] && exit 0 || return 0
--- a/TestScripts/setenv-ios.sh
+++ b/TestScripts/setenv-ios.sh
@ -13,6 +13,12 @@
 # set -eu
 # Sanity check
 if [ "$0" = "${BASH_SOURCE[0]}" ]; then
    echo "Please source this setenv script"
    exit 0
 fi
 #########################################
 #####       Clear old options       #####
 #########################################
@ -149,7 +155,7 @@ fi
 if [ ! -d "$XCODE_DEVELOPER" ]; then
  echo "ERROR: unable to find XCODE_DEVELOPER directory."
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Default toolchain location
@ -157,7 +163,7 @@ XCODE_TOOLCHAIN="$XCODE_DEVELOPER/usr/bin"
 if [ ! -d "$XCODE_TOOLCHAIN" ]; then
  echo "ERROR: unable to find XCODE_TOOLCHAIN directory."
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # XCODE_DEVELOPER_TOP is the top of the development tools tree
@ -165,7 +171,7 @@ XCODE_DEVELOPER_TOP="$XCODE_DEVELOPER/Platforms/$APPLE_SDK.platform/Developer"
 if [ ! -d "$XCODE_DEVELOPER_TOP" ]; then
  echo "ERROR: unable to find XCODE_DEVELOPER_TOP directory."
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # IOS_TOOLCHAIN is the location of the actual compiler tools.
@ -177,7 +183,7 @@ fi
 if [ -z "$IOS_TOOLCHAIN" ] || [ ! -d "$IOS_TOOLCHAIN" ]; then
  echo "ERROR: unable to find Xcode cross-compiler tools."
-  [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+  [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 #
@ -196,7 +202,7 @@ done
 # Error checking
 if [ -z "$XCODE_SDK" ]; then
    echo "ERROR: unable to find a SDK."
-    [ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # https://github.com/weidai11/cryptopp/issues/635
@ -237,7 +243,7 @@ fi
 # https://stackoverflow.com/q/24841283/608639
 # -tvos_simulator_version_min does not work though it is in LLVM sources.
 if [ "$APPLE_SDK" == "AppleTVSimulator" ]; then
-  IOS_FLAGS="$IOS_FLAGS -tvos_simulator_version_min -DCRYPTOPP_DISABLE_ASM"
+  IOS_FLAGS="$IOS_FLAGS -DCRYPTOPP_DISABLE_ASM"
 fi
 # Simulator uses i386 or x86_64, Device uses ARMv5, ARMv6, ARMv7, ARMv7s or ARMv8
@ -285,7 +291,7 @@ if [ ! -z "$IOS_TOOLCHAIN" ] && [ ! -z "$XCODE_TOOLCHAIN" ]; then
    fi
 else
    echo "ERROR: unable to set new PATH."
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 ########################################
@ -307,7 +313,7 @@ do
 done
 if [ "$FOUND_ALL" -eq "0" ]; then
-	[ "$0" = "$BASH_SOURCE" ] && exit 1 || return 1
+    [ "$0" = "${BASH_SOURCE[0]}" ] && exit 1 || return 1
 fi
 # Exports added for Autotools. GNUmakefile-cross does not use them.
@ -329,4 +335,4 @@ echo "shared object using 'HAS_SOLIB_VERSION=1 make -f GNUmakefile-cross'"
 echo "*******************************************************************************"
 echo
-[ "$0" = "$BASH_SOURCE" ] && exit 0 || return 0
+[ "$0" = "${BASH_SOURCE[0]}" ] && exit 0 || return 0
--- a/TestVectors/all.txt
+++ b/TestVectors/all.txt
@ -49,6 +49,7 @@ Test: TestVectors/sha.txt
 Test: TestVectors/simeck.txt
 Test: TestVectors/simon.txt
 Test: TestVectors/siphash.txt
 Test: TestVectors/skipjack.txt
 Test: TestVectors/sm3.txt
 Test: TestVectors/sm4.txt
 Test: TestVectors/sosemanuk.txt
--- a/TestVectors/skipjack.txt
+++ b/TestVectors/skipjack.txt
--- a/adv_simd.h
+++ b/adv_simd.h
@ -355,9 +355,7 @@ inline size_t AdvancedProcessBlocks128_6x1_NEON(F1 func1, F6 func6,
    CRYPTOPP_ASSERT(length >= 16);
    const unsigned int w_one[] = {0, 0<<24, 0, 1<<24};
    const unsigned int w_two[] = {0, 2<<24, 0, 2<<24};
    const uint32x4_t s_one = vld1q_u32(w_one);
    const uint32x4_t s_two = vld1q_u32(w_two);
    const size_t blockSize = 16;
    // const size_t neonBlockSize = 16;
@ -511,9 +509,7 @@ inline size_t AdvancedProcessBlocks128_4x1_NEON(F1 func1, F4 func4,
    CRYPTOPP_ASSERT(length >= 16);
    const unsigned int w_one[] = {0, 0<<24, 0, 1<<24};
    const unsigned int w_two[] = {0, 2<<24, 0, 2<<24};
    const uint32x4_t s_one = vld1q_u32(w_one);
    const uint32x4_t s_two = vld1q_u32(w_two);
    const size_t blockSize = 16;
    // const size_t neonBlockSize = 16;
@ -647,9 +643,7 @@ inline size_t AdvancedProcessBlocks128_6x2_NEON(F2 func2, F6 func6,
    CRYPTOPP_ASSERT(length >= 16);
    const unsigned int w_one[] = {0, 0<<24, 0, 1<<24};
    const unsigned int w_two[] = {0, 2<<24, 0, 2<<24};
    const uint32x4_t s_one = vld1q_u32(w_one);
    const uint32x4_t s_two = vld1q_u32(w_two);
    const size_t blockSize = 16;
    // const size_t neonBlockSize = 16;
--- a/aes_armv4.S
+++ b/aes_armv4.S
@ -7,31 +7,6 @@
@ details see http://www.openssl.org/~appro/cryptogams/.
@ ====================================================================
@ AES for ARMv4
@ January 2007.
@
@ Code uses single 1K S-box and is >2 times faster than code generated
@ by gcc-3.4.1. This is thanks to unique feature of ARMv4 ISA, which
@ allows to merge logical or arithmetic operation with shift or rotate
@ in one instruction and emit combined result every cycle. The module
@ is endian-neutral. The performance is ~42 cycles/byte for 128-bit
@ key [on single-issue Xscale PXA250 core].
@ May 2007.
@
@ AES_set_[en|de]crypt_key is added.
@ July 2010.
@
@ Rescheduling for dual-issue pipeline resulted in 12% improvement on
@ Cortex A8 core and ~25 cycles per byte processed with 128-bit key.
@ February 2011.
@
@ Profiler-assisted and platform-specific optimization resulted in 16%
@ improvement on Cortex A8 core and ~21.5 cycles per byte.
@ JW, JUL 2018: Begin defines from taken from arm_arch.h
@               The defines were included through the header.
@ -92,7 +67,6 @@
@ JW, JUL 2018: End defines from taken from arm_arch.h
@               Back to original Cryptogams code
 .text
 #if defined(__thumb2__) && !defined(__APPLE__)
 .syntax	unified
 .thumb
@ -101,6 +75,8 @@
 #undef __thumb2__
 #endif
 .text
 .type	AES_Te,%object
 .align	5
 AES_Te:
@ -1237,6 +1213,3 @@ _armv4_AES_decrypt:
 	sub	r10,r10,#1024
 	ldr	pc,[sp],#4		@ pop and return
 .size	_armv4_AES_decrypt,.-_armv4_AES_decrypt
 .byte	65,69,83,32,102,111,114,32,65,82,77,118,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
 .align	2
 .align	2
--- a/algparam.h
+++ b/algparam.h
@ -320,10 +320,12 @@ public:
 			if (m_throwIfNotUsed && !m_used)
 				throw ParameterNotUsed(m_name);
 		}
-#if !defined(CRYPTOPP_CXX17_EXCEPTIONS) && !defined(CRYPTOPP_UNCAUGHT_EXCEPTION_AVAILABLE)
+#if !defined(CRYPTOPP_UNCAUGHT_EXCEPTION_AVAILABLE)
 # if !defined(CRYPTOPP_CXX17_EXCEPTIONS)
 		catch(const Exception&)
 		{
 		}
 # endif
 #endif
 	}
--- a/aria_simd.cpp
+++ b/aria_simd.cpp
@ -24,7 +24,7 @@
 # include <arm_acle.h>
 #endif
-// Clang __m128i casts, http://bugs.llvm.org/show_bug.cgi?id=20670
+// Clang intrinsic casts, http://bugs.llvm.org/show_bug.cgi?id=20670
 #define M128_CAST(x) ((__m128i *)(void *)(x))
 #define CONST_M128_CAST(x) ((const __m128i *)(const void *)(x))
--- a/asn.cpp
+++ b/asn.cpp
@ -394,14 +394,20 @@ void EncodedObjectFilter::Put(const byte *inString, size_t length)
 	}
 }
 BERGeneralDecoder::BERGeneralDecoder(BufferedTransformation &inQueue)
 	: m_inQueue(inQueue), m_length(0), m_finished(false)
 {
 	Init(DefaultTag);
 }
 BERGeneralDecoder::BERGeneralDecoder(BufferedTransformation &inQueue, byte asnTag)
-	: m_inQueue(inQueue), m_finished(false)
+	: m_inQueue(inQueue), m_length(0), m_finished(false)
 {
 	Init(asnTag);
 }
 BERGeneralDecoder::BERGeneralDecoder(BERGeneralDecoder &inQueue, byte asnTag)
-	: m_inQueue(inQueue), m_finished(false)
+	: m_inQueue(inQueue), m_length(0), m_finished(false)
 {
 	Init(asnTag);
 }
@ -501,13 +507,18 @@ lword BERGeneralDecoder::ReduceLength(lword delta)
 	return delta;
 }
 DERGeneralEncoder::DERGeneralEncoder(BufferedTransformation &outQueue)
 	: m_outQueue(outQueue), m_asnTag(DefaultTag), m_finished(false)
 {
 }
 DERGeneralEncoder::DERGeneralEncoder(BufferedTransformation &outQueue, byte asnTag)
-	: ByteQueue(), m_outQueue(outQueue), m_asnTag(asnTag), m_finished(false)
+	: m_outQueue(outQueue), m_asnTag(asnTag), m_finished(false)
 {
 }
 DERGeneralEncoder::DERGeneralEncoder(DERGeneralEncoder &outQueue, byte asnTag)
-	: ByteQueue(), m_outQueue(outQueue), m_asnTag(asnTag), m_finished(false)
+	: m_outQueue(outQueue), m_asnTag(asnTag), m_finished(false)
 {
 }
--- a/asn.h
+++ b/asn.h
@ -258,21 +258,99 @@ private:
 class CRYPTOPP_DLL BERGeneralDecoder : public Store
 {
 public:
 	/// \brief Default ASN.1 tag
 	enum {DefaultTag = SEQUENCE | CONSTRUCTED};
 	virtual ~BERGeneralDecoder();
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \details BERGeneralDecoder uses DefaultTag
 	explicit BERGeneralDecoder(BufferedTransformation &inQueue);
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \param asnTag ASN.1 tag
 	explicit BERGeneralDecoder(BufferedTransformation &inQueue, byte asnTag);
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \param asnTag ASN.1 tag
 	explicit BERGeneralDecoder(BERGeneralDecoder &inQueue, byte asnTag);
-	bool IsDefiniteLength() const {return m_definiteLength;}
+	/// \brief Determine length encoding
-	lword RemainingLength() const {CRYPTOPP_ASSERT(m_definiteLength); return m_length;}
+	/// \returns true if the ASN.1 object is definite length encoded, false otherwise
 	bool IsDefiniteLength() const {
 		return m_definiteLength;
 	}
 	/// \brief Determine remaining length
 	/// \returns number of octets that remain to be consumed
 	/// \details RemainingLength() is only valid if IsDefiniteLength()
 	///  returns true.
 	lword RemainingLength() const {
 		CRYPTOPP_ASSERT(m_definiteLength);
 		return IsDefiniteLength() ? m_length : 0;
 	}
 	/// \brief Determine end of stream
 	/// \returns true if all octets have been consumed, false otherwise
 	bool EndReached() const;
 	/// \brief Determine next octet
 	/// \returns next octet in the stream
 	/// \details PeekByte does not consume the octet.
 	/// \throws BERDecodeError if there are no octets remaining
 	byte PeekByte() const;
 	/// \brief Determine next octet
 	/// \details CheckByte reads the next byte in the stream and verifies
 	///  the octet matches b.
 	/// \throws BERDecodeError if the next octet is not b
 	void CheckByte(byte b);
 	/// \brief Transfer bytes to another BufferedTransformation
 	/// \param target the destination BufferedTransformation
 	/// \param transferBytes the number of bytes to transfer
 	/// \param channel the channel on which the transfer should occur
 	/// \param blocking specifies whether the object should block when
 	///  processing input
 	/// \return the number of bytes that remain in the transfer block
 	///  (i.e., bytes not transferred)
 	/// \details TransferTo2() removes bytes and moves
 	///  them to the destination. Transfer begins at the index position
 	///  in the current stream, and not from an absolute position in the
 	///  stream.
 	/// \details transferBytes is an \a IN and \a OUT parameter. When
 	///  the call is made, transferBytes is the requested size of the
 	///  transfer. When the call returns, transferBytes is the number
 	///  of bytes that were transferred.
 	size_t TransferTo2(BufferedTransformation &target, lword &transferBytes, const std::string &channel=DEFAULT_CHANNEL, bool blocking=true);
 	/// \brief Copy bytes to another BufferedTransformation
 	/// \param target the destination BufferedTransformation
 	/// \param begin the 0-based index of the first byte to copy in
 	///  the stream
 	/// \param end the 0-based index of the last byte to copy in
 	///  the stream
 	/// \param channel the channel on which the transfer should occur
 	/// \param blocking specifies whether the object should block when
 	///  processing input
 	/// \return the number of bytes that remain in the copy block
 	///  (i.e., bytes not copied)
 	/// \details CopyRangeTo2 copies bytes to the
 	///  destination. The bytes are not removed from this object. Copying
 	///  begins at the index position in the current stream, and not from
 	///  an absolute position in the stream.
 	/// \details begin is an \a IN and \a OUT parameter. When the call is
 	///  made, begin is the starting position of the copy. When the call
 	///  returns, begin is the position of the first byte that was \a not
 	///  copied (which may be different than end). begin can be used for
 	///  subsequent calls to CopyRangeTo2().
 	size_t CopyRangeTo2(BufferedTransformation &target, lword &begin, lword end=LWORD_MAX, const std::string &channel=DEFAULT_CHANNEL, bool blocking=true) const;
-	// call this to denote end of sequence
+	/// \brief Signals the end of messages to the object
 	/// \details Call this to denote end of sequence
 	void MessageEnd();
 protected:
@ -291,12 +369,28 @@ private:
 class CRYPTOPP_DLL DERGeneralEncoder : public ByteQueue
 {
 public:
 	/// \brief Default ASN.1 tag
 	enum {DefaultTag = SEQUENCE | CONSTRUCTED};
 	virtual ~DERGeneralEncoder();
-	explicit DERGeneralEncoder(BufferedTransformation &outQueue, byte asnTag = SEQUENCE | CONSTRUCTED);
+	/// \brief Construct an ASN.1 encoder
-	explicit DERGeneralEncoder(DERGeneralEncoder &outQueue, byte asnTag = SEQUENCE | CONSTRUCTED);
+	/// \param outQueue output byte queue
 	/// \details DERGeneralEncoder uses DefaultTag
 	explicit DERGeneralEncoder(BufferedTransformation &outQueue);
-	// call this to denote end of sequence
+	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \param asnTag ASN.1 tag
 	explicit DERGeneralEncoder(BufferedTransformation &outQueue, byte asnTag);
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \param asnTag ASN.1 tag
 	explicit DERGeneralEncoder(DERGeneralEncoder &outQueue, byte asnTag);
 	/// \brief Signals the end of messages to the object
 	/// \details Call this to denote end of sequence
 	void MessageEnd();
 private:
@ -309,9 +403,31 @@ private:
 class CRYPTOPP_DLL BERSequenceDecoder : public BERGeneralDecoder
 {
 public:
-	explicit BERSequenceDecoder(BufferedTransformation &inQueue, byte asnTag = SEQUENCE | CONSTRUCTED)
+	/// \brief Default ASN.1 tag
 	enum {DefaultTag = SEQUENCE | CONSTRUCTED};
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \details BERSequenceDecoder uses DefaultTag
 	explicit BERSequenceDecoder(BufferedTransformation &inQueue)
 		: BERGeneralDecoder(inQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \param asnTag ASN.1 tag
 	explicit BERSequenceDecoder(BufferedTransformation &inQueue, byte asnTag)
 		: BERGeneralDecoder(inQueue, asnTag) {}
-	explicit BERSequenceDecoder(BERSequenceDecoder &inQueue, byte asnTag = SEQUENCE | CONSTRUCTED)
+
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \details BERSequenceDecoder uses DefaultTag
 	explicit BERSequenceDecoder(BERSequenceDecoder &inQueue)
 		: BERGeneralDecoder(inQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \param asnTag ASN.1 tag
 	explicit BERSequenceDecoder(BERSequenceDecoder &inQueue, byte asnTag)
 		: BERGeneralDecoder(inQueue, asnTag) {}
 };
@ -319,9 +435,31 @@ public:
 class CRYPTOPP_DLL DERSequenceEncoder : public DERGeneralEncoder
 {
 public:
-	explicit DERSequenceEncoder(BufferedTransformation &outQueue, byte asnTag = SEQUENCE | CONSTRUCTED)
+	/// \brief Default ASN.1 tag
 	enum {DefaultTag = SEQUENCE | CONSTRUCTED};
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \details DERSequenceEncoder uses DefaultTag
 	explicit DERSequenceEncoder(BufferedTransformation &outQueue)
 		: DERGeneralEncoder(outQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \param asnTag ASN.1 tag
 	explicit DERSequenceEncoder(BufferedTransformation &outQueue, byte asnTag)
 		: DERGeneralEncoder(outQueue, asnTag) {}
-	explicit DERSequenceEncoder(DERSequenceEncoder &outQueue, byte asnTag = SEQUENCE | CONSTRUCTED)
+
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \details DERSequenceEncoder uses DefaultTag
 	explicit DERSequenceEncoder(DERSequenceEncoder &outQueue)
 		: DERGeneralEncoder(outQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \param asnTag ASN.1 tag
 	explicit DERSequenceEncoder(DERSequenceEncoder &outQueue, byte asnTag)
 		: DERGeneralEncoder(outQueue, asnTag) {}
 };
@ -329,9 +467,31 @@ public:
 class CRYPTOPP_DLL BERSetDecoder : public BERGeneralDecoder
 {
 public:
-	explicit BERSetDecoder(BufferedTransformation &inQueue, byte asnTag = SET | CONSTRUCTED)
+	/// \brief Default ASN.1 tag
 	enum {DefaultTag = SET | CONSTRUCTED};
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \details BERSetDecoder uses DefaultTag
 	explicit BERSetDecoder(BufferedTransformation &inQueue)
 		: BERGeneralDecoder(inQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \param asnTag ASN.1 tag
 	explicit BERSetDecoder(BufferedTransformation &inQueue, byte asnTag)
 		: BERGeneralDecoder(inQueue, asnTag) {}
-	explicit BERSetDecoder(BERSetDecoder &inQueue, byte asnTag = SET | CONSTRUCTED)
+
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \details BERSetDecoder uses DefaultTag
 	explicit BERSetDecoder(BERSetDecoder &inQueue)
 		: BERGeneralDecoder(inQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 decoder
 	/// \param inQueue input byte queue
 	/// \param asnTag ASN.1 tag
 	explicit BERSetDecoder(BERSetDecoder &inQueue, byte asnTag)
 		: BERGeneralDecoder(inQueue, asnTag) {}
 };
@ -339,9 +499,31 @@ public:
 class CRYPTOPP_DLL DERSetEncoder : public DERGeneralEncoder
 {
 public:
-	explicit DERSetEncoder(BufferedTransformation &outQueue, byte asnTag = SET | CONSTRUCTED)
+	/// \brief Default ASN.1 tag
 	enum {DefaultTag = SET | CONSTRUCTED};
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \details DERSetEncoder uses DefaultTag
 	explicit DERSetEncoder(BufferedTransformation &outQueue)
 		: DERGeneralEncoder(outQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \param asnTag ASN.1 tag
 	explicit DERSetEncoder(BufferedTransformation &outQueue, byte asnTag)
 		: DERGeneralEncoder(outQueue, asnTag) {}
-	explicit DERSetEncoder(DERSetEncoder &outQueue, byte asnTag = SET | CONSTRUCTED)
+
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \details DERSetEncoder uses DefaultTag
 	explicit DERSetEncoder(DERSetEncoder &outQueue)
 		: DERGeneralEncoder(outQueue, DefaultTag) {}
 	/// \brief Construct an ASN.1 encoder
 	/// \param outQueue output byte queue
 	/// \param asnTag ASN.1 tag
 	explicit DERSetEncoder(DERSetEncoder &outQueue, byte asnTag)
 		: DERGeneralEncoder(outQueue, asnTag) {}
 };
--- a/basecode.h
+++ b/basecode.h
@ -36,7 +36,9 @@ public:
 		, m_outputBlockSize(0), m_bytePos(0), m_bitPos(0)
 	{
 		Detach(attachment);
-		IsolatedInitialize(MakeParameters(Name::EncodingLookupArray(), alphabet)
+		BaseN_Encoder::IsolatedInitialize(
 			MakeParameters
 				(Name::EncodingLookupArray(), alphabet)
 				(Name::Log2Base(), log2base)
 				(Name::Pad(), padding != -1)
 				(Name::PaddingByte(), byte(padding)));
@ -78,7 +80,10 @@ public:
 		, m_outputBlockSize(0), m_bytePos(0), m_bitPos(0)
 	{
 		Detach(attachment);
-		IsolatedInitialize(MakeParameters(Name::DecodingLookupArray(), lookup)(Name::Log2Base(), log2base));
+		BaseN_Decoder::IsolatedInitialize(
 			MakeParameters
 				(Name::DecodingLookupArray(), lookup)
 				(Name::Log2Base(), log2base));
 	}
 	void IsolatedInitialize(const NameValuePairs &parameters);
@ -121,7 +126,9 @@ public:
 		: m_groupSize(0), m_counter(0)
 	{
 		Detach(attachment);
-		IsolatedInitialize(MakeParameters(Name::GroupSize(), groupSize)
+		Grouper::IsolatedInitialize(
 			MakeParameters
 				(Name::GroupSize(), groupSize)
 				(Name::Separator(), ConstByteArrayParameter(separator))
 				(Name::Terminator(), ConstByteArrayParameter(terminator)));
 	}
--- a/bench.h
+++ b/bench.h
@ -16,14 +16,48 @@ NAMESPACE_BEGIN(Test)
 // More granular control over benchmarks
 enum TestClass {
-	UnkeyedRNG=(1<<0),UnkeyedHash=(1<<1),UnkeyedOther=(1<<2),
+	/// \brief Random number generators
-	SharedKeyMAC=(1<<3),SharedKeyStream=(1<<4),SharedKeyBlock=(1<<5),SharedKeyOther=(1<<6),
+	UnkeyedRNG=(1<<0),
-	PublicKeyAgreement=(1<<7),PublicKeyEncryption=(1<<8),PublicKeySignature=(1<<9),PublicKeyOther=(1<<10),
+	/// \brief Message digests
 	UnkeyedHash=(1<<1),
 	/// \brief Other unkeyed algorithms
 	UnkeyedOther=(1<<2),
 	/// \brief Message authentication codes
 	SharedKeyMAC=(1<<3),
 	/// \brief Stream ciphers
 	SharedKeyStream=(1<<4),
 	/// \brief Block ciphers ciphers
 	SharedKeyBlock=(1<<5),
 	/// \brief Other shared key algorithms
 	SharedKeyOther=(1<<6),
 	/// \brief Key agreement algorithms over integers
 	PublicKeyAgreement=(1<<7),
 	/// \brief Encryption algorithms over integers
 	PublicKeyEncryption=(1<<8),
 	/// \brief Signature algorithms over integers
 	PublicKeySignature=(1<<9),
 	/// \brief Other public key algorithms over integers
 	PublicKeyOther=(1<<10),
 	/// \brief Key agreement algorithms over EC
 	PublicKeyAgreementEC=(1<<11),
 	/// \brief Encryption algorithms over EC
 	PublicKeyEncryptionEC=(1<<12),
 	/// \brief Signature algorithms over EC
 	PublicKeySignatureEC=(1<<13),
 	/// \brief Other public key algorithms over EC
 	PublicKeyOtherEC=(1<<14),
 	Unkeyed=UnkeyedRNG|UnkeyedHash|UnkeyedOther,
 	SharedKey=SharedKeyMAC|SharedKeyStream|SharedKeyBlock|SharedKeyOther,
 	PublicKey=PublicKeyAgreement|PublicKeyEncryption|PublicKeySignature|PublicKeyOther,
-	All=Unkeyed|SharedKey|PublicKey,
+	PublicKeyEC=PublicKeyAgreementEC|PublicKeyEncryptionEC|PublicKeySignatureEC|PublicKeyOtherEC,
-	TestFirst=(0), TestLast=(1<<11)
+
 	All=Unkeyed|SharedKey|PublicKey|PublicKeyEC,
 	TestFirst=(0), TestLast=(1<<15)
 };
 extern const double CLOCK_TICKS_PER_SECOND;
@ -45,8 +79,10 @@ void Benchmark(Test::TestClass suites, double t, double hertz);
 void Benchmark1(double t, double hertz);
 // Shared key systems
 void Benchmark2(double t, double hertz);
-// Public key systems
+// Public key systems over integers
 void Benchmark3(double t, double hertz);
 // Public key systems over elliptic curves
 void Benchmark4(double t, double hertz);
 // These are defined in bench1.cpp
 extern void OutputResultKeying(double iterations, double timeTaken);
--- a/bench1.cpp
+++ b/bench1.cpp
@ -351,6 +351,8 @@ void BenchmarkWithCommand(int argc, const char* const argv[])
 	if (command == "b")  // All benchmarks
 		Benchmark(Test::All, runningTime, cpuFreq);
 	else if (command == "b4")  // Public key algorithms over EC
 		Test::Benchmark(Test::PublicKeyEC, runningTime, cpuFreq);
 	else if (command == "b3")  // Public key algorithms
 		Test::Benchmark(Test::PublicKey, runningTime, cpuFreq);
 	else if (command == "b2")  // Shared key algorithms
@ -392,6 +394,13 @@ void Benchmark(Test::TestClass suites, double t, double hertz)
 		Benchmark3(t, hertz);
 	}
 	// Public key algorithms over EC
 	if (suites & Test::PublicKeyEC)
 	{
 		std::cout << "\n<BR>";
 		Benchmark4(t, hertz);
 	}
 	g_testEnd = ::time(NULLPTR);
 	std::ostringstream oss;
--- a/bench2.cpp
+++ b/bench2.cpp
@ -12,6 +12,12 @@
 #include "smartptr.h"
 #include "stdcpp.h"
 #include "vmac.h"
 #include "hmac.h"
 #include "ttmac.h"
 #include "cmac.h"
 #include "dmac.h"
 #if CRYPTOPP_MSC_VERSION
 # pragma warning(disable: 4355)
 #endif
--- a/bench3.cpp
+++ b/bench3.cpp
@ -365,21 +365,29 @@ void Benchmark3(double t, double hertz)
 		BenchMarkKeyAgreement<LUC_DH>("TestData/lucd1024.dat", "LUCDIF 1024", t);
 		BenchMarkKeyAgreement<MQV>("TestData/mqv1024.dat", "MQV 1024", t);
 		BenchMarkKeyAgreement<MQV>("TestData/mqv2048.dat", "MQV 2048", t);
 #if 0
 		BenchMarkKeyAgreement<ECHMQV160>("TestData/hmqv160.dat", "HMQV P-160", t);
 		BenchMarkKeyAgreement<ECHMQV256>("TestData/hmqv256.dat", "HMQV P-256", t);
 		BenchMarkKeyAgreement<ECHMQV384>("TestData/hmqv384.dat", "HMQV P-384", t);
 		BenchMarkKeyAgreement<ECHMQV512>("TestData/hmqv512.dat", "HMQV P-512", t);
 		BenchMarkKeyAgreement<ECFHMQV160>("TestData/fhmqv160.dat", "FHMQV P-160", t);
 		BenchMarkKeyAgreement<ECFHMQV256>("TestData/fhmqv256.dat", "FHMQV P-256", t);
 		BenchMarkKeyAgreement<ECFHMQV384>("TestData/fhmqv384.dat", "FHMQV P-384", t);
 		BenchMarkKeyAgreement<ECFHMQV512>("TestData/fhmqv512.dat", "FHMQV P-512", t);
 #endif
 	}
-	std::cout << "\n<TBODY style=\"background: yellow;\">";
+	std::cout << "\n</TABLE>" << std::endl;
 }
 void Benchmark4(double t, double hertz)
 {
 	g_allocatedTime = t;
 	g_hertz = hertz;
 	const char *mco;
 	if (g_hertz > 1.0f)
 		mco = "<TH>Megacycles/Operation";
 	else
 		mco = "";
 	std::cout << "\n<TABLE>";
 	std::cout << "\n<COLGROUP><COL style=\"text-align: left;\"><COL style=";
 	std::cout << "\"text-align: right;\"><COL style=\"text-align: right;\">";
 	std::cout << "\n<THEAD style=\"background: #F0F0F0\">";
 	std::cout << "\n<TR><TH>Operation<TH>Milliseconds/Operation" << mco;
 	std::cout << "\n<TBODY style=\"background: white;\">";
 	{
 		ed25519::Signer sign(Test::GlobalRNG());
 		ed25519::Verifier verify(sign);
@ -391,7 +399,27 @@ void Benchmark3(double t, double hertz)
 		BenchMarkAgreement("x25519", agree, t);
 	}
-	std::cout << "\n<TBODY style=\"background: white;\">";
+#if 0
 	std::cout << "\n<TBODY style=\"background: yellow;\">";
 	{
 		BenchMarkKeyAgreement<ECMQV160>("TestData/mqv160.dat", "MQV P-160", t);
 		BenchMarkKeyAgreement<ECMQV256>("TestData/mqv256.dat", "MQV P-256", t);
 		BenchMarkKeyAgreement<ECMQV384>("TestData/mqv384.dat", "MQV P-384", t);
 		BenchMarkKeyAgreement<ECMQV512>("TestData/mqv512.dat", "MQV P-521", t);
 		BenchMarkKeyAgreement<ECHMQV160>("TestData/hmqv160.dat", "HMQV P-160", t);
 		BenchMarkKeyAgreement<ECHMQV256>("TestData/hmqv256.dat", "HMQV P-256", t);
 		BenchMarkKeyAgreement<ECHMQV384>("TestData/hmqv384.dat", "HMQV P-384", t);
 		BenchMarkKeyAgreement<ECHMQV512>("TestData/hmqv512.dat", "HMQV P-521", t);
 		BenchMarkKeyAgreement<ECFHMQV160>("TestData/fhmqv160.dat", "FHMQV P-160", t);
 		BenchMarkKeyAgreement<ECFHMQV256>("TestData/fhmqv256.dat", "FHMQV P-256", t);
 		BenchMarkKeyAgreement<ECFHMQV384>("TestData/fhmqv384.dat", "FHMQV P-384", t);
 		BenchMarkKeyAgreement<ECFHMQV512>("TestData/fhmqv512.dat", "FHMQV P-521", t);
 	}
 #endif
 	std::cout << "\n<TBODY style=\"background: yellow;\">";
 	{
 		ECIES<ECP>::Decryptor cpriv(Test::GlobalRNG(), ASN1::secp256k1());
 		ECIES<ECP>::Encryptor cpub(cpriv);
@ -418,7 +446,7 @@ void Benchmark3(double t, double hertz)
 		BenchMarkAgreement("ECMQVC over GF(p) 256", ecmqvc, t);
 	}
-	std::cout << "\n<TBODY style=\"background: yellow;\">";
+	std::cout << "\n<TBODY style=\"background: white;\">";
 	{
 		ECIES<EC2N>::Decryptor cpriv(Test::GlobalRNG(), ASN1::sect233r1());
 		ECIES<EC2N>::Encryptor cpub(cpriv);
--- a/blake2.cpp
+++ b/blake2.cpp
@ -38,24 +38,34 @@
 // https://github.com/weidai11/cryptopp/issues/743
 #if defined(__xlC__) && (__xlC__ < 0x0d01)
 # define CRYPTOPP_DISABLE_ALTIVEC 1
 # define CRYPTOPP_POWER7_ALTIVEC 1
 # undef CRYPTOPP_POWER7_AVAILABLE
 # undef CRYPTOPP_POWER8_AVAILABLE
 # undef CRYPTOPP_ALTIVEC_AVAILABLE
 #endif
 // Can't use GetAlignmentOf<word64>() because of C++11 and constexpr
 // Can use 'const unsigned int' because of MSVC 2013
 #if (CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64)
 # define ALIGN_SPEC32 16
 # define ALIGN_SPEC64 16
 #else
 # define ALIGN_SPEC32 4
 # define ALIGN_SPEC64 8
 #endif
 NAMESPACE_BEGIN(CryptoPP)
 // Export the tables to the SIMD files
 extern const word32 BLAKE2S_IV[8];
 extern const word64 BLAKE2B_IV[8];
-CRYPTOPP_ALIGN_DATA(16)
+CRYPTOPP_ALIGN_DATA(ALIGN_SPEC32)
 const word32 BLAKE2S_IV[8] = {
    0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
    0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
 };
-CRYPTOPP_ALIGN_DATA(16)
+CRYPTOPP_ALIGN_DATA(ALIGN_SPEC64)
 const word64 BLAKE2B_IV[8] = {
    W64LIT(0x6a09e667f3bcc908), W64LIT(0xbb67ae8584caa73b),
    W64LIT(0x3c6ef372fe94f82b), W64LIT(0xa54ff53a5f1d36f1),
@ -72,7 +82,7 @@ using CryptoPP::word32;
 using CryptoPP::word64;
 using CryptoPP::rotrConstant;
-CRYPTOPP_ALIGN_DATA(16)
+CRYPTOPP_ALIGN_DATA(ALIGN_SPEC32)
 const byte BLAKE2S_SIGMA[10][16] = {
    {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 },
    { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 },
@ -86,7 +96,7 @@ const byte BLAKE2S_SIGMA[10][16] = {
    { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 },
 };
-CRYPTOPP_ALIGN_DATA(16)
+CRYPTOPP_ALIGN_DATA(ALIGN_SPEC32)
 const byte BLAKE2B_SIGMA[12][16] = {
    {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 },
    { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 },
@ -171,8 +181,8 @@ extern void BLAKE2_Compress32_NEON(const byte* input, BLAKE2s_State& state);
 extern void BLAKE2_Compress64_NEON(const byte* input, BLAKE2b_State& state);
 #endif
-#if CRYPTOPP_POWER7_AVAILABLE
+#if CRYPTOPP_POWER8_AVAILABLE
-extern void BLAKE2_Compress32_POWER7(const byte* input, BLAKE2s_State& state);
+extern void BLAKE2_Compress32_POWER8(const byte* input, BLAKE2s_State& state);
 #elif CRYPTOPP_ALTIVEC_AVAILABLE
 extern void BLAKE2_Compress32_ALTIVEC(const byte* input, BLAKE2s_State& state);
 #endif
@ -233,8 +243,8 @@ unsigned int BLAKE2s::OptimalDataAlignment() const
        return 4;
    else
 #endif
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-    if (HasPower7())
+    if (HasPower8())
        return 16;
    else
 #elif (CRYPTOPP_ALTIVEC_AVAILABLE)
@ -257,9 +267,9 @@ std::string BLAKE2s::AlgorithmProvider() const
        return "NEON";
    else
 #endif
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-    if (HasPower7())
+    if (HasPower8())
-        return "Power7";
+        return "Power8";
    else
 #elif (CRYPTOPP_ALTIVEC_AVAILABLE)
    if (HasAltivec())
@ -343,6 +353,26 @@ BLAKE2b::BLAKE2b(bool treeMode, unsigned int digestSize)
        (Name::TreeMode(), treeMode));
 }
 BLAKE2s::BLAKE2s(unsigned int digestSize)
    : m_digestSize(digestSize), m_keyLength(0), m_treeMode(false)
 {
    CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
    UncheckedSetKey(NULLPTR, 0, MakeParameters
        (Name::DigestSize(), (int)digestSize)
        (Name::TreeMode(), false));
 }
 BLAKE2b::BLAKE2b(unsigned int digestSize)
    : m_digestSize(digestSize), m_keyLength(0), m_treeMode(false)
 {
    CRYPTOPP_ASSERT(digestSize <= DIGESTSIZE);
    UncheckedSetKey(NULLPTR, 0, MakeParameters
        (Name::DigestSize(), (int)digestSize)
        (Name::TreeMode(), false));
 }
 BLAKE2s::BLAKE2s(const byte *key, size_t keyLength, const byte* salt, size_t saltLength,
    const byte* personalization, size_t personalizationLength, bool treeMode, unsigned int digestSize)
    : m_digestSize(digestSize), m_keyLength(static_cast<unsigned int>(keyLength)), m_treeMode(treeMode)
@ -670,10 +700,10 @@ void BLAKE2s::Compress(const byte *input)
        return BLAKE2_Compress32_NEON(input, m_state);
    }
 #endif
-#if CRYPTOPP_POWER7_AVAILABLE
+#if CRYPTOPP_POWER8_AVAILABLE
-    if(HasPower7())
+    if(HasPower8())
    {
-        return BLAKE2_Compress32_POWER7(input, m_state);
+        return BLAKE2_Compress32_POWER8(input, m_state);
    }
 #elif CRYPTOPP_ALTIVEC_AVAILABLE
    if(HasAltivec())
--- a/blake2.h
+++ b/blake2.h
@ -256,17 +256,25 @@ public:
    /// \brief Construct a BLAKE2s hash
    /// \param digestSize the digest size, in bytes
    /// \param treeMode flag indicating tree mode
    /// \since Crypto++ 5.6.4
    BLAKE2s(bool treeMode=false, unsigned int digestSize = DIGESTSIZE);
    /// \brief Construct a BLAKE2s hash
    /// \param digestSize the digest size, in bytes
    /// \details treeMode flag is set to false
    /// \since Crypto++ 8.2
    BLAKE2s(unsigned int digestSize);
    /// \brief Construct a BLAKE2s hash
    /// \param key a byte array used to key the cipher
    /// \param keyLength the size of the byte array
    /// \param salt a byte array used as salt
    /// \param saltLength the size of the byte array
-    /// \param personalization a byte array used as prsonalization string
+    /// \param personalization a byte array used as personalization string
    /// \param personalizationLength the size of the byte array
    /// \param treeMode flag indicating tree mode
    /// \param digestSize the digest size, in bytes
    /// \since Crypto++ 5.6.4
    BLAKE2s(const byte *key, size_t keyLength, const byte* salt = NULLPTR, size_t saltLength = 0,
        const byte* personalization = NULLPTR, size_t personalizationLength = 0,
        bool treeMode=false, unsigned int digestSize = DIGESTSIZE);
@ -278,6 +286,7 @@ public:
    /// Message Authentication Code (MAC)</A>. For example, "BLAKE2b-512" and "BLAKE2s-256".
    std::string AlgorithmName() const {return std::string(BLAKE2s_Info::StaticAlgorithmName()) + "-" + IntToString(DigestSize()*8);}
    unsigned int BlockSize() const {return BLOCKSIZE;}
    unsigned int DigestSize() const {return m_digestSize;}
    unsigned int OptimalDataAlignment() const;
@ -354,17 +363,25 @@ public:
    /// \brief Construct a BLAKE2b hash
    /// \param digestSize the digest size, in bytes
    /// \param treeMode flag indicating tree mode
    /// \since Crypto++ 5.6.4
    BLAKE2b(bool treeMode=false, unsigned int digestSize = DIGESTSIZE);
    /// \brief Construct a BLAKE2s hash
    /// \param digestSize the digest size, in bytes
    /// \details treeMode flag is set to false
    /// \since Crypto++ 8.2
    BLAKE2b(unsigned int digestSize);
    /// \brief Construct a BLAKE2b hash
    /// \param key a byte array used to key the cipher
    /// \param keyLength the size of the byte array
    /// \param salt a byte array used as salt
    /// \param saltLength the size of the byte array
-    /// \param personalization a byte array used as prsonalization string
+    /// \param personalization a byte array used as personalization string
    /// \param personalizationLength the size of the byte array
    /// \param treeMode flag indicating tree mode
    /// \param digestSize the digest size, in bytes
    /// \since Crypto++ 5.6.4
    BLAKE2b(const byte *key, size_t keyLength, const byte* salt = NULLPTR, size_t saltLength = 0,
        const byte* personalization = NULLPTR, size_t personalizationLength = 0,
        bool treeMode=false, unsigned int digestSize = DIGESTSIZE);
@ -376,6 +393,7 @@ public:
    /// Message Authentication Code (MAC)</A>. For example, "BLAKE2b-512" and "BLAKE2s-256".
    std::string AlgorithmName() const {return std::string(BLAKE2b_Info::StaticAlgorithmName()) + "-" + IntToString(DigestSize()*8);}
    unsigned int BlockSize() const {return BLOCKSIZE;}
    unsigned int DigestSize() const {return m_digestSize;}
    unsigned int OptimalDataAlignment() const;
--- a/blake2b_simd.cpp
+++ b/blake2b_simd.cpp
@ -28,10 +28,17 @@
 // https://github.com/weidai11/cryptopp/issues/743
 #if defined(__xlC__) && (__xlC__ < 0x0d01)
 # define CRYPTOPP_DISABLE_ALTIVEC 1
-# undef CRYPTOPP_POWER7_AVAILABLE
+# undef CRYPTOPP_POWER8_AVAILABLE
 # undef CRYPTOPP_ALTIVEC_AVAILABLE
 #endif
 #if defined(__XOP__)
 # include <ammintrin.h>
 # if defined(__GNUC__)
 #  include <x86intrin.h>
 # endif
 #endif
 #if (CRYPTOPP_SSE41_AVAILABLE)
 # include <emmintrin.h>
 # include <tmmintrin.h>
--- a/blake2s_simd.cpp
+++ b/blake2s_simd.cpp
@ -8,9 +8,9 @@
 //    appropriate instructions sets in some build configurations.
 // The BLAKE2b and BLAKE2s numbers are consistent with the BLAKE2 team's
-// numbers. However, we have an Altivec/POWER7 implementation of BLAKE2s,
+// numbers. However, we have an Altivec/POWER8 implementation of BLAKE2s,
 // and a POWER8 implementation of BLAKE2b (BLAKE2 is missing them). The
-// Altivec/POWER7 code is about 2x faster than C++ when using GCC 5.0 or
+// Altivec/POWER8 code is about 2x faster than C++ when using GCC 5.0 or
 // above. The POWER8 code is about 2.5x faster than C++ when using GCC 5.0
 // or above. If you use GCC 4.0 (PowerMac) or GCC 4.8 (GCC Compile Farm)
 // then the PowerPC code will be slower than C++. Be sure to use GCC 5.0
@ -38,11 +38,17 @@
 // https://github.com/weidai11/cryptopp/issues/743
 #if defined(__xlC__) && (__xlC__ < 0x0d01)
 # define CRYPTOPP_DISABLE_ALTIVEC 1
-# define CRYPTOPP_POWER7_ALTIVEC 1
+# undef CRYPTOPP_POWER8_AVAILABLE
 # undef CRYPTOPP_POWER7_AVAILABLE
 # undef CRYPTOPP_ALTIVEC_AVAILABLE
 #endif
 #if defined(__XOP__)
 # include <ammintrin.h>
 # if defined(__GNUC__)
 #  include <x86intrin.h>
 # endif
 #endif
 #if (CRYPTOPP_SSE41_AVAILABLE)
 # include <emmintrin.h>
 # include <tmmintrin.h>
@ -692,7 +698,7 @@ void BLAKE2_Compress32_NEON(const byte* input, BLAKE2s_State& state)
 }
 #endif  // CRYPTOPP_ARM_NEON_AVAILABLE
-#if (CRYPTOPP_POWER7_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE)
 inline uint32x4_p VecLoad32(const void* p)
 {
@ -838,7 +844,7 @@ inline uint32x4_p VectorSet32(const uint32x4_p a, const uint32x4_p b,
    const uint32x4_p t0 = VectorSet32<W,X>(a, b);
    const uint32x4_p t1 = VectorSet32<Y,Z>(c, d);
-    // Power7 follows SSE2's implementation, and this is _mm_set_epi32.
+    // PowerPC follows SSE2's implementation, and this is _mm_set_epi32.
    const uint8x16_p mask = {20,21,22,23, 16,17,18,19, 4,5,6,7, 0,1,2,3};
    return VecPermute(t0, t1, mask);
 }
@ -863,10 +869,10 @@ uint32x4_p VectorSet32<3,1,3,1>(const uint32x4_p a, const uint32x4_p b,
    return VecPermute(a, c, mask);
 }
-// BLAKE2_Compress32_CORE will use either POWER7 or ALTIVEC,
+// BLAKE2_Compress32_CORE will use either POWER8 or ALTIVEC,
 // depending on the flags used to compile this source file. The
 // abstractions are handled in VecLoad, VecStore and friends. In
-// the future we may to provide both POWER7 or ALTIVEC at the same
+// the future we may provide both POWER8 or ALTIVEC at the same
 // time to better support distros.
 void BLAKE2_Compress32_CORE(const byte* input, BLAKE2s_State& state)
 {
@ -1015,11 +1021,11 @@ void BLAKE2_Compress32_CORE(const byte* input, BLAKE2s_State& state)
    VecStore32LE(state.h()+0, VecXor(ff0, VecXor(row1, row3)));
    VecStore32LE(state.h()+4, VecXor(ff1, VecXor(row2, row4)));
 }
-#endif  // CRYPTOPP_POWER7_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE
+#endif  // CRYPTOPP_POWER8_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-void BLAKE2_Compress32_POWER7(const byte* input, BLAKE2s_State& state)
+void BLAKE2_Compress32_POWER8(const byte* input, BLAKE2s_State& state)
 {
    BLAKE2_Compress32_CORE(input, state);
 }
--- a/chacha.cpp
+++ b/chacha.cpp
@ -28,8 +28,8 @@ extern void ChaCha_OperateKeystream_AVX2(const word32 *state, const byte* input,
 extern void ChaCha_OperateKeystream_SSE2(const word32 *state, const byte* input, byte *output, unsigned int rounds);
 #endif
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-extern void ChaCha_OperateKeystream_POWER7(const word32 *state, const byte* input, byte *output, unsigned int rounds);
+extern void ChaCha_OperateKeystream_POWER8(const word32 *state, const byte* input, byte *output, unsigned int rounds);
 #elif (CRYPTOPP_ALTIVEC_AVAILABLE)
 extern void ChaCha_OperateKeystream_ALTIVEC(const word32 *state, const byte* input, byte *output, unsigned int rounds);
 #endif
@ -153,13 +153,13 @@ void ChaCha_OperateKeystream(KeystreamOperation operation,
        }
 #endif
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-        if (HasPower7())
+        if (HasPower8())
        {
            while (iterationCount >= 4 && MultiBlockSafe(state[12], 4))
            {
                const bool xorInput = (operation & INPUT_NULL) != INPUT_NULL;
-                ChaCha_OperateKeystream_POWER7(state, xorInput ? input : NULLPTR, output, rounds);
+                ChaCha_OperateKeystream_POWER8(state, xorInput ? input : NULLPTR, output, rounds);
                // MultiBlockSafe avoids overflow on the counter words
                state[12] += 4;
@ -267,9 +267,9 @@ std::string ChaCha_AlgorithmProvider()
        return "NEON";
    else
 #endif
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-    if (HasPower7())
+    if (HasPower8())
-        return "Power7";
+        return "Power8";
    else
 #elif (CRYPTOPP_ALTIVEC_AVAILABLE)
    if (HasAltivec())
--- a/chacha_avx.cpp
+++ b/chacha_avx.cpp
@ -91,14 +91,14 @@ NAMESPACE_BEGIN(CryptoPP)
 void ChaCha_OperateKeystream_AVX2(const word32 *state, const byte* input, byte *output, unsigned int rounds)
 {
-    MAYBE_CONST __m128i* state_mm = (MAYBE_CONST __m128i*)(state);
+    const __m256i state0 = _mm256_broadcastsi128_si256(
-    MAYBE_CONST __m256i* input_mm = (MAYBE_CONST __m256i*)(input);
+        _mm_loadu_si128(reinterpret_cast<const __m128i*>(state+0*4)));
-    __m256i* output_mm = reinterpret_cast<__m256i*>(output);
+    const __m256i state1 = _mm256_broadcastsi128_si256(
-
+        _mm_loadu_si128(reinterpret_cast<const __m128i*>(state+1*4)));
-    const __m256i state0 = _mm256_broadcastsi128_si256(_mm_loadu_si128(state_mm + 0));
+    const __m256i state2 = _mm256_broadcastsi128_si256(
-    const __m256i state1 = _mm256_broadcastsi128_si256(_mm_loadu_si128(state_mm + 1));
+        _mm_loadu_si128(reinterpret_cast<const __m128i*>(state+2*4)));
-    const __m256i state2 = _mm256_broadcastsi128_si256(_mm_loadu_si128(state_mm + 2));
+    const __m256i state3 = _mm256_broadcastsi128_si256(
-    const __m256i state3 = _mm256_broadcastsi128_si256(_mm_loadu_si128(state_mm + 3));
+        _mm_loadu_si128(reinterpret_cast<const __m128i*>(state+3*4)));
    const __m256i CTR0 = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 4);
    const __m256i CTR1 = _mm256_set_epi32(0, 0, 0, 1, 0, 0, 0, 5);
@ -304,80 +304,112 @@ void ChaCha_OperateKeystream_AVX2(const word32 *state, const byte* input, byte *
    X3_3 = _mm256_add_epi32(X3_3, state3);
    X3_3 = _mm256_add_epi64(X3_3, CTR3);
-    if (input_mm)
+    if (input)
    {
-        _mm256_storeu_si256(output_mm + 0, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 0),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+0*32),
-            _mm256_permute2x128_si256(X0_0, X0_1, 1 + (3 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X0_0, X0_1, 1 + (3 << 4)),
-        _mm256_storeu_si256(output_mm + 1, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 1),
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+0*32))));
-            _mm256_permute2x128_si256(X0_2, X0_3, 1 + (3 << 4))));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+1*32),
-        _mm256_storeu_si256(output_mm + 2, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 2),
+            _mm256_xor_si256(_mm256_permute2x128_si256(X0_2, X0_3, 1 + (3 << 4)),
-            _mm256_permute2x128_si256(X1_0, X1_1, 1 + (3 << 4))));
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+1*32))));
-        _mm256_storeu_si256(output_mm + 3, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 3),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+2*32),
-            _mm256_permute2x128_si256(X1_2, X1_3, 1 + (3 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X1_0, X1_1, 1 + (3 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+2*32))));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+3*32),
            _mm256_xor_si256(_mm256_permute2x128_si256(X1_2, X1_3, 1 + (3 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+3*32))));
    }
    else
    {
-        _mm256_storeu_si256(output_mm + 0, _mm256_permute2x128_si256(X0_0, X0_1, 1 + (3 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+0*32),
-        _mm256_storeu_si256(output_mm + 1, _mm256_permute2x128_si256(X0_2, X0_3, 1 + (3 << 4)));
+            _mm256_permute2x128_si256(X0_0, X0_1, 1 + (3 << 4)));
-        _mm256_storeu_si256(output_mm + 2, _mm256_permute2x128_si256(X1_0, X1_1, 1 + (3 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+1*32),
-        _mm256_storeu_si256(output_mm + 3, _mm256_permute2x128_si256(X1_2, X1_3, 1 + (3 << 4)));
+            _mm256_permute2x128_si256(X0_2, X0_3, 1 + (3 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+2*32),
            _mm256_permute2x128_si256(X1_0, X1_1, 1 + (3 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+3*32),
            _mm256_permute2x128_si256(X1_2, X1_3, 1 + (3 << 4)));
    }
-    if (input_mm)
+    if (input)
    {
-        _mm256_storeu_si256(output_mm + 4, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 4),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+4*32),
-            _mm256_permute2x128_si256(X2_0, X2_1, 1 + (3 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X2_0, X2_1, 1 + (3 << 4)),
-        _mm256_storeu_si256(output_mm + 5, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 5),
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+4*32))));
-            _mm256_permute2x128_si256(X2_2, X2_3, 1 + (3 << 4))));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+5*32),
-        _mm256_storeu_si256(output_mm + 6, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 6),
+            _mm256_xor_si256(_mm256_permute2x128_si256(X2_2, X2_3, 1 + (3 << 4)),
-            _mm256_permute2x128_si256(X3_0, X3_1, 1 + (3 << 4))));
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+5*32))));
-        _mm256_storeu_si256(output_mm + 7, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 7),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+6*32),
-            _mm256_permute2x128_si256(X3_2, X3_3, 1 + (3 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X3_0, X3_1, 1 + (3 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+6*32))));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+7*32),
            _mm256_xor_si256(_mm256_permute2x128_si256(X3_2, X3_3, 1 + (3 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+7*32))));
    }
    else
    {
-        _mm256_storeu_si256(output_mm + 4, _mm256_permute2x128_si256(X2_0, X2_1, 1 + (3 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+4*32),
-        _mm256_storeu_si256(output_mm + 5, _mm256_permute2x128_si256(X2_2, X2_3, 1 + (3 << 4)));
+            _mm256_permute2x128_si256(X2_0, X2_1, 1 + (3 << 4)));
-        _mm256_storeu_si256(output_mm + 6, _mm256_permute2x128_si256(X3_0, X3_1, 1 + (3 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+5*32),
-        _mm256_storeu_si256(output_mm + 7, _mm256_permute2x128_si256(X3_2, X3_3, 1 + (3 << 4)));
+            _mm256_permute2x128_si256(X2_2, X2_3, 1 + (3 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+6*32),
            _mm256_permute2x128_si256(X3_0, X3_1, 1 + (3 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+7*32),
            _mm256_permute2x128_si256(X3_2, X3_3, 1 + (3 << 4)));
    }
-    if (input_mm)
+    if (input)
    {
-        _mm256_storeu_si256(output_mm +  8, _mm256_xor_si256(_mm256_loadu_si256(input_mm +  8),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+ 8*32),
-            _mm256_permute2x128_si256(X0_0, X0_1, 0 + (2 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X0_0, X0_1, 0 + (2 << 4)),
-        _mm256_storeu_si256(output_mm +  9, _mm256_xor_si256(_mm256_loadu_si256(input_mm +  9),
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+8*32))));
-            _mm256_permute2x128_si256(X0_2, X0_3, 0 + (2 << 4))));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+ 9*32),
-        _mm256_storeu_si256(output_mm + 10, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 10),
+            _mm256_xor_si256(_mm256_permute2x128_si256(X0_2, X0_3, 0 + (2 << 4)),
-            _mm256_permute2x128_si256(X1_0, X1_1, 0 + (2 << 4))));
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+9*32))));
-        _mm256_storeu_si256(output_mm + 11, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 11),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+10*32),
-            _mm256_permute2x128_si256(X1_2, X1_3, 0 + (2 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X1_0, X1_1, 0 + (2 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+10*32))));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+11*32),
            _mm256_xor_si256(_mm256_permute2x128_si256(X1_2, X1_3, 0 + (2 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+11*32))));
    }
    else
    {
-        _mm256_storeu_si256(output_mm +  8, _mm256_permute2x128_si256(X0_0, X0_1, 0 + (2 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+ 8*32),
-        _mm256_storeu_si256(output_mm +  9, _mm256_permute2x128_si256(X0_2, X0_3, 0 + (2 << 4)));
+            _mm256_permute2x128_si256(X0_0, X0_1, 0 + (2 << 4)));
-        _mm256_storeu_si256(output_mm + 10, _mm256_permute2x128_si256(X1_0, X1_1, 0 + (2 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+ 9*32),
-        _mm256_storeu_si256(output_mm + 11, _mm256_permute2x128_si256(X1_2, X1_3, 0 + (2 << 4)));
+            _mm256_permute2x128_si256(X0_2, X0_3, 0 + (2 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+10*32),
            _mm256_permute2x128_si256(X1_0, X1_1, 0 + (2 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+11*32),
            _mm256_permute2x128_si256(X1_2, X1_3, 0 + (2 << 4)));
    }
-    if (input_mm)
+    if (input)
    {
-        _mm256_storeu_si256(output_mm + 12, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 12),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+12*32),
-            _mm256_permute2x128_si256(X2_0, X2_1, 0 + (2 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X2_0, X2_1, 0 + (2 << 4)),
-        _mm256_storeu_si256(output_mm + 13, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 13),
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+12*32))));
-            _mm256_permute2x128_si256(X2_2, X2_3, 0 + (2 << 4))));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+13*32),
-        _mm256_storeu_si256(output_mm + 14, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 14),
+            _mm256_xor_si256(_mm256_permute2x128_si256(X2_2, X2_3, 0 + (2 << 4)),
-            _mm256_permute2x128_si256(X3_0, X3_1, 0 + (2 << 4))));
+            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+13*32))));
-        _mm256_storeu_si256(output_mm + 15, _mm256_xor_si256(_mm256_loadu_si256(input_mm + 15),
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+14*32),
-            _mm256_permute2x128_si256(X3_2, X3_3, 0 + (2 << 4))));
+            _mm256_xor_si256(_mm256_permute2x128_si256(X3_0, X3_1, 0 + (2 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+14*32))));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+15*32),
            _mm256_xor_si256(_mm256_permute2x128_si256(X3_2, X3_3, 0 + (2 << 4)),
            _mm256_loadu_si256(reinterpret_cast<const __m256i*>(input+15*32))));
    }
    else
    {
-        _mm256_storeu_si256(output_mm + 12, _mm256_permute2x128_si256(X2_0, X2_1, 0 + (2 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+12*32),
-        _mm256_storeu_si256(output_mm + 13, _mm256_permute2x128_si256(X2_2, X2_3, 0 + (2 << 4)));
+            _mm256_permute2x128_si256(X2_0, X2_1, 0 + (2 << 4)));
-        _mm256_storeu_si256(output_mm + 14, _mm256_permute2x128_si256(X3_0, X3_1, 0 + (2 << 4)));
+        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+13*32),
-        _mm256_storeu_si256(output_mm + 15, _mm256_permute2x128_si256(X3_2, X3_3, 0 + (2 << 4)));
+            _mm256_permute2x128_si256(X2_2, X2_3, 0 + (2 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+14*32),
            _mm256_permute2x128_si256(X3_0, X3_1, 0 + (2 << 4)));
        _mm256_storeu_si256(reinterpret_cast<__m256i*>(output+15*32),
            _mm256_permute2x128_si256(X3_2, X3_3, 0 + (2 << 4)));
    }
    // https://software.intel.com/en-us/articles/avoiding-avx-sse-transition-penalties
--- a/chacha_simd.cpp
+++ b/chacha_simd.cpp
@ -46,6 +46,9 @@
 #if defined(__XOP__)
 # include <ammintrin.h>
 # if defined(__GNUC__)
 #  include <x86intrin.h>
 # endif
 #endif
 // C1189: error: This header is specific to ARM targets
@ -209,7 +212,7 @@ inline __m128i RotateLeft<16>(const __m128i val)
 #if (CRYPTOPP_ALTIVEC_AVAILABLE)
-// ChaCha_OperateKeystream_POWER7 is optimized for POWER7. However, Altivec
+// ChaCha_OperateKeystream_POWER8 is optimized for POWER7. However, Altivec
 // is supported by using vec_ld and vec_st, and using a composite VecAdd
 // that supports 64-bit element adds. vec_ld and vec_st add significant
 // overhead when memory is not aligned. Despite the drawbacks Altivec
@ -565,14 +568,10 @@ void ChaCha_OperateKeystream_NEON(const word32 *state, const byte* input, byte *
 void ChaCha_OperateKeystream_SSE2(const word32 *state, const byte* input, byte *output, unsigned int rounds)
 {
-    const __m128i* state_mm = reinterpret_cast<const __m128i*>(state);
+    const __m128i state0 = _mm_load_si128(reinterpret_cast<const __m128i*>(state+0*4));
-    const __m128i* input_mm = reinterpret_cast<const __m128i*>(input);
+    const __m128i state1 = _mm_load_si128(reinterpret_cast<const __m128i*>(state+1*4));
-    __m128i* output_mm = reinterpret_cast<__m128i*>(output);
+    const __m128i state2 = _mm_load_si128(reinterpret_cast<const __m128i*>(state+2*4));
-
+    const __m128i state3 = _mm_load_si128(reinterpret_cast<const __m128i*>(state+3*4));
    const __m128i state0 = _mm_load_si128(state_mm + 0);
    const __m128i state1 = _mm_load_si128(state_mm + 1);
    const __m128i state2 = _mm_load_si128(state_mm + 2);
    const __m128i state3 = _mm_load_si128(state_mm + 3);
    __m128i r0_0 = state0;
    __m128i r0_1 = state1;
@ -772,62 +771,62 @@ void ChaCha_OperateKeystream_SSE2(const word32 *state, const byte* input, byte *
    r3_3 = _mm_add_epi32(r3_3, state3);
    r3_3 = _mm_add_epi64(r3_3, _mm_set_epi32(0, 0, 0, 3));
-    if (input_mm)
+    if (input)
    {
-        r0_0 = _mm_xor_si128(_mm_loadu_si128(input_mm + 0), r0_0);
+        r0_0 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+0*16)), r0_0);
-        r0_1 = _mm_xor_si128(_mm_loadu_si128(input_mm + 1), r0_1);
+        r0_1 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+1*16)), r0_1);
-        r0_2 = _mm_xor_si128(_mm_loadu_si128(input_mm + 2), r0_2);
+        r0_2 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+2*16)), r0_2);
-        r0_3 = _mm_xor_si128(_mm_loadu_si128(input_mm + 3), r0_3);
+        r0_3 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+3*16)), r0_3);
    }
-    _mm_storeu_si128(output_mm + 0, r0_0);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+0*16), r0_0);
-    _mm_storeu_si128(output_mm + 1, r0_1);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+1*16), r0_1);
-    _mm_storeu_si128(output_mm + 2, r0_2);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+2*16), r0_2);
-    _mm_storeu_si128(output_mm + 3, r0_3);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+3*16), r0_3);
-    if (input_mm)
+    if (input)
    {
-        r1_0 = _mm_xor_si128(_mm_loadu_si128(input_mm + 4), r1_0);
+        r1_0 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+4*16)), r1_0);
-        r1_1 = _mm_xor_si128(_mm_loadu_si128(input_mm + 5), r1_1);
+        r1_1 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+5*16)), r1_1);
-        r1_2 = _mm_xor_si128(_mm_loadu_si128(input_mm + 6), r1_2);
+        r1_2 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+6*16)), r1_2);
-        r1_3 = _mm_xor_si128(_mm_loadu_si128(input_mm + 7), r1_3);
+        r1_3 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+7*16)), r1_3);
    }
-    _mm_storeu_si128(output_mm + 4, r1_0);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+4*16), r1_0);
-    _mm_storeu_si128(output_mm + 5, r1_1);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+5*16), r1_1);
-    _mm_storeu_si128(output_mm + 6, r1_2);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+6*16), r1_2);
-    _mm_storeu_si128(output_mm + 7, r1_3);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+7*16), r1_3);
-    if (input_mm)
+    if (input)
    {
-        r2_0 = _mm_xor_si128(_mm_loadu_si128(input_mm + 8), r2_0);
+        r2_0 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+ 8*16)), r2_0);
-        r2_1 = _mm_xor_si128(_mm_loadu_si128(input_mm + 9), r2_1);
+        r2_1 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+ 9*16)), r2_1);
-        r2_2 = _mm_xor_si128(_mm_loadu_si128(input_mm + 10), r2_2);
+        r2_2 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+10*16)), r2_2);
-        r2_3 = _mm_xor_si128(_mm_loadu_si128(input_mm + 11), r2_3);
+        r2_3 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+11*16)), r2_3);
    }
-    _mm_storeu_si128(output_mm + 8, r2_0);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+ 8*16), r2_0);
-    _mm_storeu_si128(output_mm + 9, r2_1);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+ 9*16), r2_1);
-    _mm_storeu_si128(output_mm + 10, r2_2);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+10*16), r2_2);
-    _mm_storeu_si128(output_mm + 11, r2_3);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+11*16), r2_3);
-    if (input_mm)
+    if (input)
    {
-        r3_0 = _mm_xor_si128(_mm_loadu_si128(input_mm + 12), r3_0);
+        r3_0 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+12*16)), r3_0);
-        r3_1 = _mm_xor_si128(_mm_loadu_si128(input_mm + 13), r3_1);
+        r3_1 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+13*16)), r3_1);
-        r3_2 = _mm_xor_si128(_mm_loadu_si128(input_mm + 14), r3_2);
+        r3_2 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+14*16)), r3_2);
-        r3_3 = _mm_xor_si128(_mm_loadu_si128(input_mm + 15), r3_3);
+        r3_3 = _mm_xor_si128(_mm_loadu_si128(reinterpret_cast<const __m128i*>(input+15*16)), r3_3);
    }
-    _mm_storeu_si128(output_mm + 12, r3_0);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+12*16), r3_0);
-    _mm_storeu_si128(output_mm + 13, r3_1);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+13*16), r3_1);
-    _mm_storeu_si128(output_mm + 14, r3_2);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+14*16), r3_2);
-    _mm_storeu_si128(output_mm + 15, r3_3);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(output+15*16), r3_3);
 }
 #endif  // CRYPTOPP_SSE2_INTRIN_AVAILABLE
-#if (CRYPTOPP_POWER7_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE)
 // ChaCha_OperateKeystream_CORE will use either POWER7 or ALTIVEC,
 // depending on the flags used to compile this source file. The
@ -1096,11 +1095,11 @@ inline void ChaCha_OperateKeystream_CORE(const word32 *state, const byte* input,
    VecStore32LE(output + 15*16, r3_3);
 }
-#endif  // CRYPTOPP_POWER7_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE
+#endif  // CRYPTOPP_POWER8_AVAILABLE || CRYPTOPP_ALTIVEC_AVAILABLE
-#if (CRYPTOPP_POWER7_AVAILABLE)
+#if (CRYPTOPP_POWER8_AVAILABLE)
-void ChaCha_OperateKeystream_POWER7(const word32 *state, const byte* input, byte *output, unsigned int rounds)
+void ChaCha_OperateKeystream_POWER8(const word32 *state, const byte* input, byte *output, unsigned int rounds)
 {
    ChaCha_OperateKeystream_CORE(state, input, output, rounds);
 }
--- a/cham_simd.cpp
+++ b/cham_simd.cpp
@ -24,6 +24,9 @@
 #if defined(__XOP__)
 # include <ammintrin.h>
 # if defined(__GNUC__)
 #  include <x86intrin.h>
 # endif
 #endif
 #if defined(__AVX512F__)
@ -31,6 +34,10 @@
 # include <immintrin.h>
 #endif
 // Clang intrinsic casts, http://bugs.llvm.org/show_bug.cgi?id=20670
 #define DOUBLE_CAST(x) ((double*)(void*)(x))
 #define CONST_DOUBLE_CAST(x) ((const double*)(const void*)(x))
 // Squash MS LNK4221 and libtool warnings
 extern const char CHAM_SIMD_FNAME[] = __FILE__;
@ -355,7 +362,7 @@ inline void CHAM64_Enc_Block(__m128i &block0,
    for (int i=0; i<static_cast<int>(rounds); i+=4)
    {
        __m128i k, kr, t1, t2, t3, t4;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i+0) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i+0) & MASK])));
        // Shuffle out key
        kr = _mm_shuffle_epi8(k, _mm_set_epi8(1,0,1,0, 1,0,1,0, 1,0,1,0, 1,0,1,0));
@ -428,7 +435,7 @@ inline void CHAM64_Dec_Block(__m128i &block0,
    for (int i = static_cast<int>(rounds)-1; i >= 0; i-=4)
    {
        __m128i k, kr, t1, t2, t3, t4;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i-3) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i-3) & MASK])));
        // Shuffle out key
        kr = _mm_shuffle_epi8(k, _mm_set_epi8(7,6,7,6, 7,6,7,6, 7,6,7,6, 7,6,7,6));
@ -505,7 +512,7 @@ inline void CHAM64_Enc_2_Blocks(__m128i &block0,
    for (int i=0; i<static_cast<int>(rounds); i+=4)
    {
        __m128i k, kr, t1, t2, t3, t4;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[i & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i+0) & MASK])));
        // Shuffle out key
        kr = _mm_shuffle_epi8(k, _mm_set_epi8(1,0,1,0, 1,0,1,0, 1,0,1,0, 1,0,1,0));
@ -579,7 +586,7 @@ inline void CHAM64_Dec_2_Blocks(__m128i &block0,
    for (int i = static_cast<int>(rounds)-1; i >= 0; i-=4)
    {
        __m128i k, kr, t1, t2, t3, t4;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i-3) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i-3) & MASK])));
        // Shuffle out key
        kr = _mm_shuffle_epi8(k, _mm_set_epi8(7,6,7,6, 7,6,7,6, 7,6,7,6, 7,6,7,6));
@ -814,7 +821,7 @@ inline void CHAM128_Enc_Block(__m128i &block0,
    for (int i=0; i<static_cast<int>(rounds); i+=4)
    {
        __m128i k, k1, k2, t1, t2;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i+0) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i+0) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(3,2,1,0, 3,2,1,0, 3,2,1,0, 3,2,1,0));
@ -831,8 +838,7 @@ inline void CHAM128_Enc_Block(__m128i &block0,
        b = RotateLeft32<1>(_mm_add_epi32(t1, t2));
        counter = _mm_add_epi32(counter, increment);
-
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i+2) & MASK])));
        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i+2) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(3,2,1,0, 3,2,1,0, 3,2,1,0, 3,2,1,0));
@ -874,7 +880,7 @@ inline void CHAM128_Dec_Block(__m128i &block0,
    for (int i = static_cast<int>(rounds)-1; i >= 0; i-=4)
    {
        __m128i k, k1, k2, t1, t2;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i-1) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i-1) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(7,6,5,4, 7,6,5,4, 7,6,5,4, 7,6,5,4));
@ -893,7 +899,7 @@ inline void CHAM128_Dec_Block(__m128i &block0,
        c = _mm_xor_si128(_mm_sub_epi32(t1, t2), counter);
        counter = _mm_sub_epi32(counter, decrement);
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i-3) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i-3) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(7,6,5,4, 7,6,5,4, 7,6,5,4, 7,6,5,4));
@ -937,7 +943,7 @@ inline void CHAM128_Enc_4_Blocks(__m128i &block0, __m128i &block1,
    for (int i=0; i<static_cast<int>(rounds); i+=4)
    {
        __m128i k, k1, k2, t1, t2;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i+0) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i+0) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(3,2,1,0, 3,2,1,0, 3,2,1,0, 3,2,1,0));
@ -954,7 +960,7 @@ inline void CHAM128_Enc_4_Blocks(__m128i &block0, __m128i &block1,
        b = RotateLeft32<1>(_mm_add_epi32(t1, t2));
        counter = _mm_add_epi32(counter, increment);
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i+2) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i+2) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(3,2,1,0, 3,2,1,0, 3,2,1,0, 3,2,1,0));
@ -999,7 +1005,7 @@ inline void CHAM128_Dec_4_Blocks(__m128i &block0, __m128i &block1,
    for (int i = static_cast<int>(rounds)-1; i >= 0; i-=4)
    {
        __m128i k, k1, k2, t1, t2;
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i-1) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i-1) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(7,6,5,4, 7,6,5,4, 7,6,5,4, 7,6,5,4));
@ -1018,7 +1024,7 @@ inline void CHAM128_Dec_4_Blocks(__m128i &block0, __m128i &block1,
        c = _mm_xor_si128(_mm_sub_epi32(t1, t2), counter);
        counter = _mm_sub_epi32(counter, decrement);
-        k = _mm_castpd_si128(_mm_load_sd((const double*)(&subkeys[(i-3) & MASK])));
+        k = _mm_castpd_si128(_mm_load_sd(CONST_DOUBLE_CAST(&subkeys[(i-3) & MASK])));
        // Shuffle out two subkeys
        k1 = _mm_shuffle_epi8(k, _mm_set_epi8(7,6,5,4, 7,6,5,4, 7,6,5,4, 7,6,5,4));
--- a/config.h
+++ b/config.h
--- a/config_align.h
+++ b/config_align.h
@ -0,0 +1,61 @@
 // config_align.h - written and placed in public domain by Jeffrey Walton
 //                  the bits that make up this source file are from the
 //                  library's monolithic config.h.
 /// \file config_align.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_ALIGN_H
 #define CRYPTOPP_CONFIG_ALIGN_H
 #include "config_cpu.h"
 #include "config_cxx.h"
 #include "config_ver.h"
 // Nearly all Intel's and AMD's have SSE. Enable it independent of SSE ASM and intrinscs
 #if (CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64 || CRYPTOPP_BOOL_PPC32 || CRYPTOPP_BOOL_PPC64) && !defined(CRYPTOPP_DISABLE_ASM)
 	#define CRYPTOPP_BOOL_ALIGN16 1
 #else
 	#define CRYPTOPP_BOOL_ALIGN16 0
 #endif
 // How to allocate 16-byte aligned memory (for SSE2)
 // posix_memalign see https://forum.kde.org/viewtopic.php?p=66274
 #if defined(_MSC_VER)
 	#define CRYPTOPP_MM_MALLOC_AVAILABLE
 #elif defined(__linux__) || defined(__sun__) || defined(__CYGWIN__)
 	#define CRYPTOPP_MEMALIGN_AVAILABLE
 #elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
 	#define CRYPTOPP_MALLOC_ALIGNMENT_IS_16
 #elif (defined(_GNU_SOURCE) || ((_XOPEN_SOURCE + 0) >= 600)) && (_POSIX_ADVISORY_INFO > 0)
 	#define CRYPTOPP_POSIX_MEMALIGN_AVAILABLE
 #else
 	#define CRYPTOPP_NO_ALIGNED_ALLOC
 #endif
 // Sun Studio Express 3 (December 2006) provides GCC-style attributes.
 // IBM XL C/C++ alignment modifier per Optimization Guide, pp. 19-20.
 // __IBM_ATTRIBUTES per XLC 12.1 AIX Compiler Manual, p. 473.
 // CRYPTOPP_ALIGN_DATA may not be reliable on AIX.
 #ifndef CRYPTOPP_ALIGN_DATA
 	#if defined(CRYPTOPP_CXX11_ALIGNAS)
 		#define CRYPTOPP_ALIGN_DATA(x) alignas(x)
 	#elif defined(_MSC_VER)
 		#define CRYPTOPP_ALIGN_DATA(x) __declspec(align(x))
 	#elif defined(__GNUC__) || defined(__clang__) || (__SUNPRO_CC >= 0x5100)
 		#define CRYPTOPP_ALIGN_DATA(x) __attribute__((aligned(x)))
 	#elif defined(__xlc__) || defined(__xlC__)
 		#define CRYPTOPP_ALIGN_DATA(x) __attribute__((aligned(x)))
 	#else
 		#define CRYPTOPP_ALIGN_DATA(x)
 	#endif
 #endif
 #endif  // CRYPTOPP_CONFIG_ALIGN_H
--- a/config_asm.h
+++ b/config_asm.h
@ -0,0 +1,418 @@
 // config_asm.h - written and placed in public domain by Jeffrey Walton
 //                the bits that make up this source file are from the
 //                library's monolithic config.h.
 /// \file config_asm.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_ASM_H
 #define CRYPTOPP_CONFIG_ASM_H
 #include "config_os.h"
 #include "config_cpu.h"
 #include "config_ver.h"
 // Define this to disable ASM, intrinsics and built-ins. The library will be
 // compiled using C++ only. The library code will not include SSE2 (and
 // above), NEON, Aarch32, Aarch64, or Altivec (and above). Note the compiler
 // may use higher ISAs depending on compiler options, but the library will not
 // explictly use the ISAs. When disabling ASM, it is best to do it from
 // config.h to ensure the library and all programs share the setting.
 // #define CRYPTOPP_DISABLE_ASM 1
 // https://github.com/weidai11/cryptopp/issues/719
 #if defined(__native_client__) && !defined(CRYPTOPP_DISABLE_ASM)
 # define CRYPTOPP_DISABLE_ASM 1
 #endif
 // Some Clang and SunCC cannot handle mixed asm with positional arguments,
 // where the body is Intel style with no prefix and the templates are
 // AT&T style. Define this if the Makefile misdetects the configuration.
 // Also see https://bugs.llvm.org/show_bug.cgi?id=39895 .
 // #define CRYPTOPP_DISABLE_MIXED_ASM 1
 // CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS is no longer honored. It
 // was removed at https://github.com/weidai11/cryptopp/issues/682
 // #define CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS 1
 // It is OK to remove the hard stop below, but you are on your own.
 // After building the library be sure to run self tests described
 // https://www.cryptopp.com/wiki/Release_Process#Self_Tests
 // Some relevant bug reports can be found at:
 // * Clang: http://github.com/weidai11/cryptopp/issues/147
 // * Native Client: https://github.com/weidai11/cryptopp/issues/719
 #if (defined(_MSC_VER) && defined(__clang__))
 # error: "Unsupported configuration"
 #endif
 // You may need to force include a C++ header on Android when using STLPort to ensure
 // _STLPORT_VERSION is defined: CXXFLAGS="-DNDEBUG -g2 -O2 -std=c++11 -include iosfwd"
 // TODO: Figure out C++17 and lack of std::uncaught_exception
 #if (defined(_MSC_VER) && _MSC_VER <= 1300) || defined(__MWERKS__) || (defined(_STLPORT_VERSION) && ((_STLPORT_VERSION < 0x450) || defined(_STLP_NO_UNCAUGHT_EXCEPT_SUPPORT)))
 #define CRYPTOPP_DISABLE_UNCAUGHT_EXCEPTION
 #endif
 // ***************** IA32 CPU features ********************
 #if (CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64)
 // Apple Clang prior to 5.0 cannot handle SSE2
 #if !defined(CRYPTOPP_DISABLE_ASM) && defined(CRYPTOPP_APPLE_CLANG_VERSION) && (CRYPTOPP_APPLE_CLANG_VERSION < 50000)
 # define CRYPTOPP_DISABLE_ASM 1
 #endif
 // Sun Studio 12.1 provides GCC inline assembly
 // http://blogs.oracle.com/x86be/entry/gcc_style_asm_inlining_support
 #if !defined(CRYPTOPP_DISABLE_ASM) && defined(__SUNPRO_CC) && (__SUNPRO_CC < 0x5100)
 # define CRYPTOPP_DISABLE_ASM 1
 #endif
 #if !defined(CRYPTOPP_DISABLE_ASM) && ((defined(_MSC_VER) && defined(_M_IX86)) || (defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))))
 	// C++Builder 2010 does not allow "call label" where label is defined within inline assembly
 	#define CRYPTOPP_X86_ASM_AVAILABLE 1
 	#if !defined(CRYPTOPP_DISABLE_SSE2) && (defined(_MSC_VER) || CRYPTOPP_GCC_VERSION >= 30300 || defined(__SSE2__))
 		#define CRYPTOPP_SSE2_ASM_AVAILABLE 1
 	#endif
 	#if !defined(CRYPTOPP_DISABLE_SSSE3) && (_MSC_VER >= 1500 || CRYPTOPP_GCC_VERSION >= 40300 || defined(__SSSE3__))
 		#define CRYPTOPP_SSSE3_ASM_AVAILABLE 1
 	#endif
 #endif
 #if !defined(CRYPTOPP_DISABLE_ASM) && defined(_MSC_VER) && defined(_M_X64)
 	#define CRYPTOPP_X64_MASM_AVAILABLE 1
 #endif
 #if !defined(CRYPTOPP_DISABLE_ASM) && defined(__GNUC__) && defined(__x86_64__)
 	#define CRYPTOPP_X64_ASM_AVAILABLE 1
 #endif
 // 32-bit SunCC does not enable SSE2 by default.
 #if !defined(CRYPTOPP_DISABLE_ASM) && !defined(CRYPTOPP_DISABLE_SSE2) && (defined(_MSC_VER) || CRYPTOPP_GCC_VERSION >= 30300 || defined(__SSE2__) || (__SUNPRO_CC >= 0x5100))
 	#define CRYPTOPP_SSE2_INTRIN_AVAILABLE 1
 #endif
 #if !defined(CRYPTOPP_DISABLE_ASM) && !defined(CRYPTOPP_DISABLE_SSSE3)
 # if defined(__SSSE3__) || (_MSC_VER >= 1500) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__INTEL_COMPILER >= 1000) || (__SUNPRO_CC >= 0x5110) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 20300) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40000)
 	#define CRYPTOPP_SSSE3_AVAILABLE 1
 # endif
 #endif
 // Intrinsics availible in GCC 4.3 (http://gcc.gnu.org/gcc-4.3/changes.html) and
 // MSVC 2008 (http://msdn.microsoft.com/en-us/library/bb892950%28v=vs.90%29.aspx)
 // SunCC could generate SSE4 at 12.1, but the intrinsics are missing until 12.4.
 #if !defined(CRYPTOPP_DISABLE_SSE4) && defined(CRYPTOPP_SSSE3_AVAILABLE) && \
 	(defined(__SSE4_1__) || (CRYPTOPP_MSC_VERSION >= 1500) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__INTEL_COMPILER >= 1000) || (__SUNPRO_CC >= 0x5110) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 20300) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40000))
 	#define CRYPTOPP_SSE41_AVAILABLE 1
 #endif
 #if !defined(CRYPTOPP_DISABLE_SSE4) && defined(CRYPTOPP_SSSE3_AVAILABLE) && \
 	(defined(__SSE4_2__) || (CRYPTOPP_MSC_VERSION >= 1500) || (__SUNPRO_CC >= 0x5110) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__INTEL_COMPILER >= 1000) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 20300) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40000))
 	#define CRYPTOPP_SSE42_AVAILABLE 1
 #endif
 // Couple to CRYPTOPP_DISABLE_AESNI, but use CRYPTOPP_CLMUL_AVAILABLE so we can selectively
 //  disable for misbehaving platofrms and compilers, like Solaris or some Clang.
 #if defined(CRYPTOPP_DISABLE_AESNI)
 	#define CRYPTOPP_DISABLE_CLMUL 1
 #endif
 // Requires Sun Studio 12.3 (SunCC 0x5120) in theory.
 #if !defined(CRYPTOPP_DISABLE_ASM) && !defined(CRYPTOPP_DISABLE_CLMUL) && defined(CRYPTOPP_SSE42_AVAILABLE) && \
 	(defined(__PCLMUL__) || (_MSC_FULL_VER >= 150030729) || (__SUNPRO_CC >= 0x5120) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__INTEL_COMPILER >= 1110) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 30200) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40300))
 	#define CRYPTOPP_CLMUL_AVAILABLE 1
 #endif
 // Requires Sun Studio 12.3 (SunCC 0x5120)
 #if !defined(CRYPTOPP_DISABLE_ASM) && !defined(CRYPTOPP_DISABLE_AESNI) && defined(CRYPTOPP_SSE42_AVAILABLE) && \
 	(defined(__AES__) || (_MSC_FULL_VER >= 150030729) || (__SUNPRO_CC >= 0x5120) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__INTEL_COMPILER >= 1110) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 30200) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40300))
 	#define CRYPTOPP_AESNI_AVAILABLE 1
 #endif
 // Requires Binutils 2.24
 #if !defined(CRYPTOPP_DISABLE_AVX) && defined(CRYPTOPP_SSE42_AVAILABLE) && \
 	(defined(__AVX2__) || (CRYPTOPP_MSC_VERSION >= 1800) || (__SUNPRO_CC >= 0x5130) || \
 	(CRYPTOPP_GCC_VERSION >= 40700) || (__INTEL_COMPILER >= 1400) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 30100) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40600))
 #define CRYPTOPP_AVX_AVAILABLE 1
 #endif
 // Requires Binutils 2.24
 #if !defined(CRYPTOPP_DISABLE_AVX2) && defined(CRYPTOPP_AVX_AVAILABLE) && \
 	(defined(__AVX2__) || (CRYPTOPP_MSC_VERSION >= 1800) || (__SUNPRO_CC >= 0x5130) || \
 	(CRYPTOPP_GCC_VERSION >= 40900) || (__INTEL_COMPILER >= 1400) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 30100) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40600))
 #define CRYPTOPP_AVX2_AVAILABLE 1
 #endif
 // Guessing at SHA for SunCC. Its not in Sun Studio 12.6. Also see
 // http://stackoverflow.com/questions/45872180/which-xarch-for-sha-extensions-on-solaris
 #if !defined(CRYPTOPP_DISABLE_ASM) && !defined(CRYPTOPP_DISABLE_SHANI) && defined(CRYPTOPP_SSE42_AVAILABLE) && \
 	(defined(__SHA__) || (CRYPTOPP_MSC_VERSION >= 1900) || (__SUNPRO_CC >= 0x5160) || \
 	(CRYPTOPP_GCC_VERSION >= 40900) || (__INTEL_COMPILER >= 1300) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 30400) || (CRYPTOPP_APPLE_CLANG_VERSION >= 50100))
 	#define CRYPTOPP_SHANI_AVAILABLE 1
 #endif
 // Fixup Android and SSE, Crypto. It may be enabled based on compiler version.
 #if (defined(__ANDROID__) || defined(ANDROID))
 # if (CRYPTOPP_BOOL_X86)
 #  undef CRYPTOPP_SSE41_AVAILABLE
 #  undef CRYPTOPP_SSE42_AVAILABLE
 #  undef CRYPTOPP_CLMUL_AVAILABLE
 #  undef CRYPTOPP_AESNI_AVAILABLE
 #  undef CRYPTOPP_SHANI_AVAILABLE
 # endif
 # if (CRYPTOPP_BOOL_X64)
 #  undef CRYPTOPP_CLMUL_AVAILABLE
 #  undef CRYPTOPP_AESNI_AVAILABLE
 #  undef CRYPTOPP_SHANI_AVAILABLE
 # endif
 #endif
 // Fixup for SunCC 12.1-12.4. Bad code generation in AES_Encrypt and friends.
 #if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x5130)
 # undef CRYPTOPP_AESNI_AVAILABLE
 #endif
 // Fixup for SunCC 12.1-12.6. Compiler crash on GCM_Reduce_CLMUL and friends.
 // http://github.com/weidai11/cryptopp/issues/226
 #if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x5150)
 # undef CRYPTOPP_CLMUL_AVAILABLE
 #endif
 #endif  // X86, X32, X64
 // ***************** ARM CPU features ********************
 #if (CRYPTOPP_BOOL_ARM32 || CRYPTOPP_BOOL_ARMV8)
 // We don't have an ARM big endian test rig. Disable
 // ARM-BE ASM and instrinsics until we can test it.
 #if (CRYPTOPP_BIG_ENDIAN)
 # define CRYPTOPP_DISABLE_ASM 1
 #endif
 // Requires ACLE 1.0. -mfpu=neon or above must be present
 // Requires GCC 4.3, Clang 2.8 or Visual Studio 2012
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_NEON_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__arm__) || defined(__ARM_NEON) || defined(__ARM_FEATURE_NEON) || defined(_M_ARM)
 #  if (CRYPTOPP_GCC_VERSION >= 40300) || (CRYPTOPP_LLVM_CLANG_VERSION >= 20800) || \
      (CRYPTOPP_MSC_VERSION >= 1700)
 #   define CRYPTOPP_ARM_NEON_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and ASIMD. -march=armv8-a or above must be present
 // Requires GCC 4.8, Clang 3.3 or Visual Studio 2017
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_ASIMD_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_NEON) || defined(__ARM_FEATURE_NEON) || defined(__ARM_FEATURE_ASIMD) || \
      (CRYPTOPP_GCC_VERSION >= 40800) || (CRYPTOPP_LLVM_CLANG_VERSION >= 30300) || \
      (CRYPTOPP_MSC_VERSION >= 1916)
 #   define CRYPTOPP_ARM_NEON_AVAILABLE 1
 #   define CRYPTOPP_ARM_ASIMD_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and ASIMD. -march=armv8-a+crc or above must be present
 // Requires GCC 4.8, Clang 3.3 or Visual Studio 2017
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_CRC32_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_FEATURE_CRC32) || (CRYPTOPP_GCC_VERSION >= 40800) || \
      (CRYPTOPP_LLVM_CLANG_VERSION >= 30300) || (CRYPTOPP_MSC_VERSION >= 1916)
 #   define CRYPTOPP_ARM_CRC32_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and ASIMD. -march=armv8-a+crypto or above must be present
 // Requires GCC 4.8, Clang 3.3 or Visual Studio 2017
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_PMULL_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_FEATURE_CRYPTO) || (CRYPTOPP_GCC_VERSION >= 40800) || \
      (CRYPTOPP_LLVM_CLANG_VERSION >= 30300) || (CRYPTOPP_MSC_VERSION >= 1916)
 #   define CRYPTOPP_ARM_PMULL_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and AES. -march=armv8-a+crypto or above must be present
 // Requires GCC 4.8, Clang 3.3 or Visual Studio 2017
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_AES_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_FEATURE_CRYPTO) || (CRYPTOPP_GCC_VERSION >= 40800) || \
      (CRYPTOPP_LLVM_CLANG_VERSION >= 30300) || (CRYPTOPP_MSC_VERSION >= 1916)
 #   define CRYPTOPP_ARM_AES_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and SHA-1, SHA-256. -march=armv8-a+crypto or above must be present
 // Requires GCC 4.8, Clang 3.3 or Visual Studio 2017
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_SHA_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_FEATURE_CRYPTO) || (CRYPTOPP_GCC_VERSION >= 40800) || \
      (CRYPTOPP_LLVM_CLANG_VERSION >= 30300) || (CRYPTOPP_MSC_VERSION >= 1916)
 #   define CRYPTOPP_ARM_SHA1_AVAILABLE 1
 #   define CRYPTOPP_ARM_SHA2_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and SHA-512, SHA-3. -march=armv8.4-a+crypto or above must be present
 // Requires GCC 8.0, Clang ??? or Visual Studio 20??
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_SHA3_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_FEATURE_SHA3) || (CRYPTOPP_GCC_VERSION >= 80000)
 #   define CRYPTOPP_ARM_SHA512_AVAILABLE 1
 #   define CRYPTOPP_ARM_SHA3_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // ARMv8 and SM3, SM4. -march=armv8.4-a+crypto or above must be present
 // Requires GCC 8.0, Clang ??? or Visual Studio 20??
 // Do not use APPLE_CLANG_VERSION; use __ARM_FEATURE_XXX instead.
 #if !defined(CRYPTOPP_ARM_SM3_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ASM)
 # if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 #  if defined(__ARM_FEATURE_SM3) || (CRYPTOPP_GCC_VERSION >= 80000)
 #   define CRYPTOPP_ARM_SM3_AVAILABLE 1
 #   define CRYPTOPP_ARM_SM4_AVAILABLE 1
 #  endif  // Compilers
 # endif  // Platforms
 #endif
 // Limit the <arm_acle.h> include.
 #if !defined(CRYPTOPP_ARM_ACLE_AVAILABLE)
 # if defined(__aarch32__) || defined(__aarch64__) || (__ARM_ARCH >= 8) || defined(__ARM_ACLE)
 #  if !defined(__ANDROID__) && !defined(ANDROID) && !defined(__APPLE__)
 #   define CRYPTOPP_ARM_ACLE_AVAILABLE 1
 #  endif
 # endif
 #endif
 // Fixup Apple Clang and PMULL. Apple defines __ARM_FEATURE_CRYPTO for Xcode 6
 // but does not provide PMULL. TODO: determine when PMULL is available.
 #if defined(CRYPTOPP_APPLE_CLANG_VERSION) && (CRYPTOPP_APPLE_CLANG_VERSION < 70000)
 # undef CRYPTOPP_ARM_PMULL_AVAILABLE
 #endif
 // Fixup Android and CRC32. It may be enabled based on compiler version.
 #if (defined(__ANDROID__) || defined(ANDROID)) && !defined(__ARM_FEATURE_CRC32)
 # undef CRYPTOPP_ARM_CRC32_AVAILABLE
 #endif
 // Fixup Android and Crypto. It may be enabled based on compiler version.
 #if (defined(__ANDROID__) || defined(ANDROID)) && !defined(__ARM_FEATURE_CRYPTO)
 # undef CRYPTOPP_ARM_PMULL_AVAILABLE
 # undef CRYPTOPP_ARM_AES_AVAILABLE
 # undef CRYPTOPP_ARM_SHA1_AVAILABLE
 # undef CRYPTOPP_ARM_SHA2_AVAILABLE
 #endif
 // Cryptogams offers an ARM asm implementations for AES and SHA. Crypto++ does
 // not provide an asm implementation. The Cryptogams AES implementation is
 // about 50% faster than C/C++, and SHA implementation is about 30% faster
 // than C/C++. Define this to use the Cryptogams AES and SHA implementations
 // on GNU Linux systems. When defined, Crypto++ will use aes_armv4.S,
 // sha1_armv4.S and sha256_armv4.S. https://www.cryptopp.com/wiki/Cryptogams.
 #if !defined(CRYPTOPP_DISABLE_ASM) && defined(__arm__) && defined(__linux__)
 # if defined(__GNUC__) || defined(__clang__)
 #  define CRYPTOGAMS_ARM_AES      1
 #  define CRYPTOGAMS_ARM_SHA1     1
 #  define CRYPTOGAMS_ARM_SHA256   1
 #  define CRYPTOGAMS_ARM_SHA512   1
 # endif
 #endif
 #endif  // ARM32, ARM64
 // ***************** AltiVec and Power8 ********************
 #if (CRYPTOPP_BOOL_PPC32 || CRYPTOPP_BOOL_PPC64)
 #if defined(CRYPTOPP_DISABLE_ALTIVEC) || defined(CRYPTOPP_DISABLE_ASM)
 # undef CRYPTOPP_DISABLE_ALTIVEC
 # undef CRYPTOPP_DISABLE_POWER7
 # undef CRYPTOPP_DISABLE_POWER8
 # undef CRYPTOPP_DISABLE_POWER9
 # define CRYPTOPP_DISABLE_ALTIVEC 1
 # define CRYPTOPP_DISABLE_POWER7 1
 # define CRYPTOPP_DISABLE_POWER8 1
 # define CRYPTOPP_DISABLE_POWER9 1
 #endif
 // An old Apple G5 with GCC 4.01 has AltiVec, but its only Power4 or so.
 #if !defined(CRYPTOPP_ALTIVEC_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ALTIVEC)
 # if defined(_ARCH_PWR4) || defined(__ALTIVEC__) || \
 	(CRYPTOPP_XLC_VERSION >= 100000) || (CRYPTOPP_GCC_VERSION >= 40001) || \
    (CRYPTOPP_LLVM_CLANG_VERSION >= 20900)
 #  define CRYPTOPP_ALTIVEC_AVAILABLE 1
 # endif
 #endif
 // We need Power7 for unaligned loads and stores
 #if !defined(CRYPTOPP_POWER7_AVAILABLE) && !defined(CRYPTOPP_DISABLE_POWER7) && defined(CRYPTOPP_ALTIVEC_AVAILABLE)
 # if defined(_ARCH_PWR7) || (CRYPTOPP_XLC_VERSION >= 100000) || \
    (CRYPTOPP_GCC_VERSION >= 40100) || (CRYPTOPP_LLVM_CLANG_VERSION >= 30100)
 #  define CRYPTOPP_POWER7_AVAILABLE 1
 # endif
 #endif
 // We need Power8 for in-core crypto and 64-bit vector types
 #if !defined(CRYPTOPP_POWER8_AVAILABLE) && !defined(CRYPTOPP_DISABLE_POWER8) && defined(CRYPTOPP_POWER7_AVAILABLE)
 # if defined(_ARCH_PWR8) || (CRYPTOPP_XLC_VERSION >= 130000) || \
    (CRYPTOPP_GCC_VERSION >= 40800) || (CRYPTOPP_LLVM_CLANG_VERSION >= 70000)
 #  define CRYPTOPP_POWER8_AVAILABLE 1
 # endif
 #endif
 // Power9 for random numbers
 #if !defined(CRYPTOPP_POWER9_AVAILABLE) && !defined(CRYPTOPP_DISABLE_POWER9) && defined(CRYPTOPP_POWER8_AVAILABLE)
 # if defined(_ARCH_PWR9) || (CRYPTOPP_XLC_VERSION >= 130200) || \
    (CRYPTOPP_GCC_VERSION >= 70000) || (CRYPTOPP_LLVM_CLANG_VERSION >= 80000)
 #  define CRYPTOPP_POWER9_AVAILABLE 1
 # endif
 #endif
 #if !defined(CRYPTOPP_POWER8_AES_AVAILABLE) && !defined(CRYPTOPP_DISABLE_POWER8_AES) && defined(CRYPTOPP_POWER8_AVAILABLE)
 # if defined(__CRYPTO__) || defined(_ARCH_PWR8) || (CRYPTOPP_XLC_VERSION >= 130000) || \
    (CRYPTOPP_GCC_VERSION >= 40800) || (CRYPTOPP_LLVM_CLANG_VERSION >= 70000)
 //#  define CRYPTOPP_POWER8_CRC_AVAILABLE 1
 #  define CRYPTOPP_POWER8_AES_AVAILABLE 1
 #  define CRYPTOPP_POWER8_VMULL_AVAILABLE 1
 #  define CRYPTOPP_POWER8_SHA_AVAILABLE 1
 # endif
 #endif
 #endif  // PPC32, PPC64
 #endif  // CRYPTOPP_CONFIG_ASM_H
--- a/config_cpu.h
+++ b/config_cpu.h
@ -0,0 +1,103 @@
 // config_cpu.h - written and placed in public domain by Jeffrey Walton
 //                the bits that make up this source file are from the
 //                library's monolithic config.h.
 /// \file config_cpu.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 ///  <A HREF="https://sourceforge.net/p/predef/wiki/Architectures/">Sourceforge
 ///  Pre-defined Compiler Macros</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_CPU_H
 #define CRYPTOPP_CONFIG_CPU_H
 #include "config_ver.h"
 #if (defined(__ILP32__) || defined(_ILP32)) && defined(__x86_64__)
 	#define CRYPTOPP_BOOL_X32 1
 #elif (defined(_M_X64) || defined(__x86_64__))
 	#define CRYPTOPP_BOOL_X64 1
 #elif (defined(_M_IX86) || defined(__i386__) || defined(__i386) || defined(_X86_) || defined(__I86__) || defined(__INTEL__))
 	#define CRYPTOPP_BOOL_X86 1
 #endif
 // Microsoft added ARM64 define December 2017.
 #if defined(__arm64__) || defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
 	#define CRYPTOPP_BOOL_ARMV8 1
 #endif
 #if defined(__arm64__) || defined(__aarch64__) || defined(_M_ARM64)
 	#define CRYPTOPP_BOOL_ARM64 1
 #elif defined(__arm__) || defined(_M_ARM)
 	#define CRYPTOPP_BOOL_ARM32 1
 #endif
 // And PowerPC.
 #if defined(__ppc64__) || defined(__powerpc64__) || defined(__PPC64__) || defined(_ARCH_PPC64)
 	#define CRYPTOPP_BOOL_PPC64 1
 #elif defined(__powerpc__) || defined(__ppc__) || defined(__PPC__) || defined(_ARCH_PPC)
 	#define CRYPTOPP_BOOL_PPC32 1
 #endif
 // And MIPS. TODO: finish these defines
 #if defined(__mips64__)
 	#define CRYPTOPP_BOOL_MIPS64 1
 #elif defined(__mips__)
 	#define CRYPTOPP_BOOL_MIPS32 1
 #endif
 // And SPARC.
 #if defined(__sparc64__) || defined(__sparc64) || defined(__sparcv9) || defined(__sparc_v9__)
 	#define CRYPTOPP_BOOL_SPARC64 1
 #elif defined(__sparc__) || defined(__sparc) || defined(__sparcv8) || defined(__sparc_v8__)
 	#define CRYPTOPP_BOOL_SPARC32 1
 #endif
 // This should be a lower bound on the L1 cache line size.
 // It's used for defense against timing attacks.
 #ifndef CRYPTOPP_L1_CACHE_LINE_SIZE
 	#if defined(CRYPTOPP_BOOL_X32) || defined(CRYPTOPP_BOOL_X64) || defined(CRYPTOPP_BOOL_ARMV8) || \
 	    defined(CRYPTOPP_BOOL_PPC64) || defined(CRYPTOPP_BOOL_MIPS64) || defined(CRYPTOPP_BOOL_SPARC64)
 		#define CRYPTOPP_L1_CACHE_LINE_SIZE 64
 	#else
 		// L1 cache line size is 32 on Pentium III and earlier
 		#define CRYPTOPP_L1_CACHE_LINE_SIZE 32
 	#endif
 #endif
 // The section attribute attempts to initialize CPU flags to avoid Valgrind findings above -O1
 #if ((defined(__MACH__) && defined(__APPLE__)) && ((CRYPTOPP_LLVM_CLANG_VERSION >= 30600) || (CRYPTOPP_APPLE_CLANG_VERSION >= 70100) || (CRYPTOPP_GCC_VERSION >= 40300)))
 	#define CRYPTOPP_SECTION_INIT __attribute__((section ("__DATA,__data")))
 #elif (defined(__ELF__) && (CRYPTOPP_GCC_VERSION >= 40300))
 	#define CRYPTOPP_SECTION_INIT __attribute__((section ("nocommon")))
 #elif defined(__ELF__) && (defined(__xlC__) || defined(__ibmxl__))
 	#define CRYPTOPP_SECTION_INIT __attribute__((section ("nocommon")))
 #else
 	#define CRYPTOPP_SECTION_INIT
 #endif
 // How to disable CPU feature probing. We determine machine
 // capabilities by performing an os/platform *query* first,
 // like getauxv(). If the *query* fails, we move onto a
 // cpu *probe*. The cpu *probe* tries to exeute an instruction
 // and then catches a SIGILL on Linux or the exception
 // EXCEPTION_ILLEGAL_INSTRUCTION on Windows. Some OSes
 // fail to hangle a SIGILL gracefully, like Apple OSes. Apple
 // machines corrupt memory and variables around the probe.
 #if defined(__APPLE__)
 	#define CRYPTOPP_NO_CPU_FEATURE_PROBES 1
 #endif
 // Flavor of inline assembly language
 #if defined(_MSC_VER) || defined(__BORLANDC__)
 	#define CRYPTOPP_MS_STYLE_INLINE_ASSEMBLY 1
 #else
 	#define CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY 1
 #endif
 #endif
--- a/config_cxx.h
+++ b/config_cxx.h
@ -0,0 +1,233 @@
 // config_cxx.h - written and placed in public domain by Jeffrey Walton
 //                the bits that make up this source file are from the
 //                library's monolithic config.h.
 /// \file config_cxx.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 // Visual Studio began at VS2010, http://msdn.microsoft.com/en-us/library/hh567368%28v=vs.110%29.aspx
 //   and https://docs.microsoft.com/en-us/cpp/visual-cpp-language-conformance
 // Intel, http://software.intel.com/en-us/articles/c0x-features-supported-by-intel-c-compiler
 // GCC, http://gcc.gnu.org/projects/cxx0x.html
 // Clang, http://clang.llvm.org/cxx_status.html
 #ifndef CRYPTOPP_CONFIG_CXX_H
 #define CRYPTOPP_CONFIG_CXX_H
 #include "config_os.h"
 #include "config_cpu.h"
 #include "config_ver.h"
 // Ancient Crypto++ define, dating back to C++98 and C++03.
 #ifndef CRYPTOPP_DISABLE_UNCAUGHT_EXCEPTION
 # define CRYPTOPP_UNCAUGHT_EXCEPTION_AVAILABLE 1
 #endif
 // Compatibility with non-clang compilers.
 #ifndef __has_feature
 # define __has_feature(x) 0
 #endif
 // Define CRYPTOPP_NO_CXX11 to avoid C++11 related features shown at the
 // end of this file. Some compilers and standard C++ headers advertise C++11
 // but they are really just C++03 with some additional C++11 headers and
 // non-conforming classes. You might also consider `-std=c++03` or
 // `-std=gnu++03`, but they are required options when building the library
 // and all programs. CRYPTOPP_NO_CXX11 is probably easier to manage but it may
 // cause -Wterminate warnings under GCC. MSVC++ has a similar warning.
 // Also see https://github.com/weidai11/cryptopp/issues/529
 // #define CRYPTOPP_NO_CXX11 1
 // Define CRYPTOPP_NO_CXX17 to avoid C++17 related features shown at the end of
 // this file. At the moment it should only affect std::uncaught_exceptions.
 // #define CRYPTOPP_NO_CXX17 1
 // C++11 macro version, https://stackoverflow.com/q/7223991/608639
 #if !defined(CRYPTOPP_NO_CXX11)
 #  if ((_MSC_VER >= 1600) || (__cplusplus >= 201103L)) && !defined(_STLPORT_VERSION)
 #    define CRYPTOPP_CXX11 1
 #  endif
 #endif
 // Hack ahead. Apple's standard library does not have C++'s unique_ptr in C++11.
 // We can't test for unique_ptr directly because some of the non-Apple Clangs
 // on OS X fail the same way. However, modern standard libraries have
 // <forward_list>, so we test for it instead. Thanks to Jonathan Wakely for
 // devising the clever test for modern/ancient versions. TODO: test under
 // Xcode 3, where g++ is really g++.
 #if defined(__APPLE__) && defined(__clang__)
 #  if !(defined(__has_include) && __has_include(<forward_list>))
 #    undef CRYPTOPP_CXX11
 #  endif
 #endif
 // C++14 macro version, https://stackoverflow.com/q/26089319/608639
 #if defined(CRYPTOPP_CXX11) && !defined(CRYPTOPP_NO_CXX14)
 #  if ((_MSC_VER >= 1900) || (__cplusplus >= 201402L)) && !defined(_STLPORT_VERSION)
 #    define CRYPTOPP_CXX14 1
 #  endif
 #endif
 // C++17 macro version, https://stackoverflow.com/q/38456127/608639
 #if defined(CRYPTOPP_CXX14) && !defined(CRYPTOPP_NO_CXX17)
 #  if ((_MSC_VER >= 1900) || (__cplusplus >= 201703L)) && !defined(_STLPORT_VERSION)
 #    define CRYPTOPP_CXX17 1
 #  endif
 #endif
 // ***************** C++11 and above ********************
 #if defined(CRYPTOPP_CXX11)
 // atomics: MS at VS2012 (17.00); GCC at 4.4; Clang at 3.1/3.2; Intel 13.0; SunCC 5.14.
 #if (CRYPTOPP_MSC_VERSION >= 1700) || __has_feature(cxx_atomic) || \
 	(__INTEL_COMPILER >= 1300) || (CRYPTOPP_GCC_VERSION >= 40400) || (__SUNPRO_CC >= 0x5140)
 # define CRYPTOPP_CXX11_ATOMICS 1
 #endif // atomics
 // synchronization: MS at VS2012 (17.00); GCC at 4.4; Clang at 3.3; Xcode 5.0; Intel 12.0; SunCC 5.13.
 // TODO: verify Clang and Intel versions; find __has_feature(x) extension for Clang
 #if (CRYPTOPP_MSC_VERSION >= 1700) || (CRYPTOPP_LLVM_CLANG_VERSION >= 30300) || \
 	(CRYPTOPP_APPLE_CLANG_VERSION >= 50000) || (__INTEL_COMPILER >= 1200) || \
 	(CRYPTOPP_GCC_VERSION >= 40400) || (__SUNPRO_CC >= 0x5130)
 // Hack ahead. New GCC compilers like GCC 6 on AIX 7.0 or earlier as well as original MinGW
 // don't have the synchronization gear. However, Wakely's test used for Apple does not work
 // on the GCC/AIX combination. Another twist is we need other stuff from C++11,
 // like no-except destructors. Dumping preprocessors shows the following may
 // apply: http://stackoverflow.com/q/14191566/608639.
 # include <cstddef>
 # if !defined(__GLIBCXX__) || defined(_GLIBCXX_HAS_GTHREADS)
 #  define CRYPTOPP_CXX11_SYNCHRONIZATION 1
 # endif
 #endif // synchronization
 // Dynamic Initialization and Destruction with Concurrency ("Magic Statics")
 // MS at VS2015 with Vista (19.00); GCC at 4.3; LLVM Clang at 2.9; Apple Clang at 4.0; Intel 11.1; SunCC 5.13.
 // Microsoft's implementation only works for Vista and above, so its further
 // limited. http://connect.microsoft.com/VisualStudio/feedback/details/1789709
 #if (__cpp_threadsafe_static_init >= 200806) || \
 	(CRYPTOPP_MSC_VERSION >= 1900) && ((WINVER >= 0x0600) || (_WIN32_WINNT >= 0x0600)) || \
 	(CRYPTOPP_LLVM_CLANG_VERSION >= 20900) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40000)  || \
 	(__INTEL_COMPILER >= 1110) || (CRYPTOPP_GCC_VERSION >= 40300) || (__SUNPRO_CC >= 0x5130)
 # define CRYPTOPP_CXX11_DYNAMIC_INIT 1
 #endif // Dynamic Initialization compilers
 // deleted functions: MS at VS2013 (18.00); GCC at 4.3; Clang at 2.9; Intel 12.1; SunCC 5.13.
 #if (CRYPTOPP_MSC_VERSION >= 1800) || (CRYPTOPP_LLVM_CLANG_VERSION >= 20900) || \
 	(CRYPTOPP_APPLE_CLANG_VERSION >= 40000) || (__INTEL_COMPILER >= 1210) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__SUNPRO_CC >= 0x5130)
 # define CRYPTOPP_CXX11_DELETED_FUNCTIONS 1
 #endif // deleted functions
 // alignof/alignas: MS at VS2015 (19.00); GCC at 4.8; Clang at 3.0; Intel 15.0; SunCC 5.13.
 #if (CRYPTOPP_MSC_VERSION >= 1900) || __has_feature(cxx_alignas) || \
 	(__INTEL_COMPILER >= 1500) || (CRYPTOPP_GCC_VERSION >= 40800) || (__SUNPRO_CC >= 0x5130)
 #  define CRYPTOPP_CXX11_ALIGNAS 1
 #endif // alignas
 // alignof: MS at VS2015 (19.00); GCC at 4.5; Clang at 2.9; Intel 15.0; SunCC 5.13.
 #if (CRYPTOPP_MSC_VERSION >= 1900) || __has_feature(cxx_alignof) || \
 	(__INTEL_COMPILER >= 1500) || (CRYPTOPP_GCC_VERSION >= 40500) || (__SUNPRO_CC >= 0x5130)
 #  define CRYPTOPP_CXX11_ALIGNOF 1
 #endif // alignof
 // lambdas: MS at VS2012 (17.00); GCC at 4.9; Clang at 3.3; Intel 12.0; SunCC 5.14.
 #if (CRYPTOPP_MSC_VERSION >= 1700) || __has_feature(cxx_lambdas) || \
 	(__INTEL_COMPILER >= 1200) || (CRYPTOPP_GCC_VERSION >= 40900) || (__SUNPRO_CC >= 0x5140)
 #  define CRYPTOPP_CXX11_LAMBDA 1
 #endif // lambdas
 // noexcept: MS at VS2015 (19.00); GCC at 4.6; Clang at 3.0; Intel 14.0; SunCC 5.13.
 #if (CRYPTOPP_MSC_VERSION >= 1900) || __has_feature(cxx_noexcept) || \
 	(__INTEL_COMPILER >= 1400) || (CRYPTOPP_GCC_VERSION >= 40600) || (__SUNPRO_CC >= 0x5130)
 # define CRYPTOPP_CXX11_NOEXCEPT 1
 #endif // noexcept compilers
 // variadic templates: MS at VS2013 (18.00); GCC at 4.3; Clang at 2.9; Intel 12.1; SunCC 5.13.
 #if (__cpp_variadic_templates >= 200704) || __has_feature(cxx_variadic_templates) || \
 	(CRYPTOPP_MSC_VERSION >= 1800) || (__INTEL_COMPILER >= 1210) || \
 	(CRYPTOPP_GCC_VERSION >= 40300) || (__SUNPRO_CC >= 0x5130)
 # define CRYPTOPP_CXX11_VARIADIC_TEMPLATES 1
 #endif // variadic templates
 // constexpr: MS at VS2015 (19.00); GCC at 4.6; Clang at 3.1; Intel 16.0; SunCC 5.13.
 // Intel has mis-supported the feature since at least ICPC 13.00
 #if (__cpp_constexpr >= 200704) || __has_feature(cxx_constexpr) || \
 	(CRYPTOPP_MSC_VERSION >= 1900) || (__INTEL_COMPILER >= 1600) || \
 	(CRYPTOPP_GCC_VERSION >= 40600) || (__SUNPRO_CC >= 0x5130)
 # define CRYPTOPP_CXX11_CONSTEXPR 1
 #endif // constexpr compilers
 // strong typed enums: MS at VS2012 (17.00); GCC at 4.4; Clang at 3.3; Intel 14.0; SunCC 5.12.
 // Mircorosft and Intel had partial support earlier, but we require full support.
 #if (CRYPTOPP_MSC_VERSION >= 1700) || __has_feature(cxx_strong_enums) || \
 	(__INTEL_COMPILER >= 1400) || (CRYPTOPP_GCC_VERSION >= 40400) || (__SUNPRO_CC >= 0x5120)
 # define CRYPTOPP_CXX11_ENUM 1
 #endif // constexpr compilers
 // nullptr_t: MS at VS2010 (16.00); GCC at 4.6; Clang at 3.3; Intel 10.0; SunCC 5.13.
 #if (CRYPTOPP_MSC_VERSION >= 1600) || __has_feature(cxx_nullptr) || \
 	(__INTEL_COMPILER >= 1000) || (CRYPTOPP_GCC_VERSION >= 40600) || \
    (__SUNPRO_CC >= 0x5130) || defined(__IBMCPP_NULLPTR)
 # define CRYPTOPP_CXX11_NULLPTR 1
 #endif // nullptr_t compilers
 #endif // CRYPTOPP_CXX11
 // ***************** C++14 and above ********************
 #if defined(CRYPTOPP_CXX14)
 // Extended static_assert with one argument
 // Microsoft cannot handle the single argument static_assert as of VS2019 (cl.exe 19.00)
 #if (__cpp_static_assert >= 201411)
 # define CRYPTOPP_CXX14_STATIC_ASSERT 1
 #endif // static_assert
 #endif
 // ***************** C++17 and above ********************
 // C++17 is available
 #if defined(CRYPTOPP_CXX17)
 // C++17 uncaught_exceptions: MS at VS2015 (19.00); GCC at 6.0; Clang at 3.5; Intel 18.0.
 // Clang and __EXCEPTIONS see http://releases.llvm.org/3.6.0/tools/clang/docs/ReleaseNotes.html
 #if defined(__clang__)
 # if __EXCEPTIONS && __has_feature(cxx_exceptions)
 #  if __cpp_lib_uncaught_exceptions
 #   define CRYPTOPP_CXX17_EXCEPTIONS 1
 #  endif
 # endif
 #elif (CRYPTOPP_MSC_VERSION >= 1900) || (__INTEL_COMPILER >= 1800) || \
      (CRYPTOPP_GCC_VERSION >= 60000) || (__cpp_lib_uncaught_exceptions)
 # define CRYPTOPP_CXX17_EXCEPTIONS 1
 #endif // uncaught_exceptions compilers
 #endif  // CRYPTOPP_CXX17
 // ***************** C++ fixups ********************
 #if defined(CRYPTOPP_CXX11_NOEXCEPT)
 #  define CRYPTOPP_THROW noexcept(false)
 #  define CRYPTOPP_NO_THROW noexcept(true)
 #else
 #  define CRYPTOPP_THROW
 #  define CRYPTOPP_NO_THROW
 #endif // CRYPTOPP_CXX11_NOEXCEPT
 // Hack... C++11 nullptr_t type safety and analysis
 #if defined(CRYPTOPP_CXX11_NULLPTR) && !defined(NULLPTR)
 # define NULLPTR nullptr
 #elif !defined(NULLPTR)
 # define NULLPTR NULL
 #endif // CRYPTOPP_CXX11_NULLPTR
 #endif  // CRYPTOPP_CONFIG_CXX_H
--- a/config_dll.h
+++ b/config_dll.h
@ -0,0 +1,77 @@
 // config_dll.h - written and placed in public domain by Jeffrey Walton
 //                the bits that make up this source file are from the
 //                library's monolithic config.h.
 /// \file config_dll.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_DLL_H
 #define CRYPTOPP_CONFIG_DLL_H
 #include "config_os.h"
 #if !defined(CRYPTOPP_DOXYGEN_PROCESSING)
 #if defined(CRYPTOPP_WIN32_AVAILABLE)
 #ifdef CRYPTOPP_EXPORTS
 #  define CRYPTOPP_IS_DLL
 #  define CRYPTOPP_DLL __declspec(dllexport)
 #elif defined(CRYPTOPP_IMPORTS)
 #  define CRYPTOPP_IS_DLL
 #  define CRYPTOPP_DLL __declspec(dllimport)
 #else
 #  define CRYPTOPP_DLL
 #endif
 // C++ makes const internal linkage
 #define CRYPTOPP_TABLE extern
 #define CRYPTOPP_API __cdecl
 #else	// not CRYPTOPP_WIN32_AVAILABLE
 // C++ makes const internal linkage
 #define CRYPTOPP_TABLE extern
 #define CRYPTOPP_DLL
 #define CRYPTOPP_API
 #endif	// CRYPTOPP_WIN32_AVAILABLE
 #if defined(__MWERKS__)
 #  define CRYPTOPP_EXTERN_DLL_TEMPLATE_CLASS extern class CRYPTOPP_DLL
 #elif defined(__BORLANDC__) || defined(__SUNPRO_CC)
 #  define CRYPTOPP_EXTERN_DLL_TEMPLATE_CLASS template class CRYPTOPP_DLL
 #else
 #  define CRYPTOPP_EXTERN_DLL_TEMPLATE_CLASS extern template class CRYPTOPP_DLL
 #endif
 #if defined(CRYPTOPP_MANUALLY_INSTANTIATE_TEMPLATES) && !defined(CRYPTOPP_IMPORTS)
 #  define CRYPTOPP_DLL_TEMPLATE_CLASS template class CRYPTOPP_DLL
 #else
 #  define CRYPTOPP_DLL_TEMPLATE_CLASS CRYPTOPP_EXTERN_DLL_TEMPLATE_CLASS
 #endif
 #if defined(__MWERKS__)
 #  define CRYPTOPP_EXTERN_STATIC_TEMPLATE_CLASS extern class
 #elif defined(__BORLANDC__) || defined(__SUNPRO_CC)
 #  define CRYPTOPP_EXTERN_STATIC_TEMPLATE_CLASS template class
 #else
 #  define CRYPTOPP_EXTERN_STATIC_TEMPLATE_CLASS extern template class
 #endif
 #if defined(CRYPTOPP_MANUALLY_INSTANTIATE_TEMPLATES) && !defined(CRYPTOPP_EXPORTS)
 #  define CRYPTOPP_STATIC_TEMPLATE_CLASS template class
 #else
 #  define CRYPTOPP_STATIC_TEMPLATE_CLASS CRYPTOPP_EXTERN_STATIC_TEMPLATE_CLASS
 #endif
 #endif  // CRYPTOPP_DOXYGEN_PROCESSING
 #endif  // CRYPTOPP_CONFIG_DLL_H
--- a/config_int.h
+++ b/config_int.h
@ -0,0 +1,103 @@
 // config_int.h - written and placed in public domain by Jeffrey Walton
 //                the bits that make up this source file are from the
 //                library's monolithic config.h.
 /// \file config_int.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_INT_H
 #define CRYPTOPP_CONFIG_INT_H
 #include "config_ns.h"
 #include "config_ver.h"
 // Originally in global namespace to avoid ambiguity with other byte typedefs.
 // Moved to Crypto++ namespace due to C++17, std::byte and potential compile
 // problems. Also see http://www.cryptopp.com/wiki/std::byte and
 // http://github.com/weidai11/cryptopp/issues/442.
 // typedef unsigned char byte;
 #define CRYPTOPP_NO_GLOBAL_BYTE 1
 NAMESPACE_BEGIN(CryptoPP)
 // Signed words added at Issue 609 for early versions of and Visual Studio and
 // the NaCl gear. Also see https://github.com/weidai11/cryptopp/issues/609.
 typedef unsigned char byte;
 typedef unsigned short word16;
 typedef unsigned int word32;
 typedef signed char sbyte;
 typedef signed short sword16;
 typedef signed int sword32;
 #if defined(_MSC_VER) || defined(__BORLANDC__)
 	typedef signed __int64 sword64;
 	typedef unsigned __int64 word64;
 	#define SW64LIT(x) x##i64
 	#define W64LIT(x) x##ui64
 #elif (_LP64 || __LP64__)
 	typedef signed long sword64;
 	typedef unsigned long word64;
 	#define SW64LIT(x) x##L
 	#define W64LIT(x) x##UL
 #else
 	typedef signed long long sword64;
 	typedef unsigned long long word64;
 	#define SW64LIT(x) x##LL
 	#define W64LIT(x) x##ULL
 #endif
 // define large word type, used for file offsets and such
 typedef word64 lword;
 const lword LWORD_MAX = W64LIT(0xffffffffffffffff);
 // define hword, word, and dword. these are used for multiprecision integer arithmetic
 // Intel compiler won't have _umul128 until version 10.0. See http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30231625.aspx
 #if (defined(_MSC_VER) && (!defined(__INTEL_COMPILER) || __INTEL_COMPILER >= 1000) && (defined(_M_X64) || defined(_M_IA64))) || (defined(__DECCXX) && defined(__alpha__)) || (defined(__INTEL_COMPILER) && defined(__x86_64__)) || (defined(__SUNPRO_CC) && defined(__x86_64__))
 	typedef word32 hword;
 	typedef word64 word;
 #else
 	#define CRYPTOPP_NATIVE_DWORD_AVAILABLE 1
 	#if defined(__alpha__) || defined(__ia64__) || defined(_ARCH_PPC64) || defined(__x86_64__) || defined(__mips64) || defined(__sparc64__)
 		#if ((CRYPTOPP_GCC_VERSION >= 30400) || (CRYPTOPP_LLVM_CLANG_VERSION >= 30000) || (CRYPTOPP_APPLE_CLANG_VERSION >= 40300)) && (__SIZEOF_INT128__ >= 16)
 			// GCC 4.0.1 on MacOS X is missing __umodti3 and __udivti3
 			// GCC 4.8.3 and bad uint128_t ops on PPC64/POWER7 (Issue 421)
 			// mode(TI) division broken on amd64 with GCC earlier than GCC 3.4
 			typedef word32 hword;
 			typedef word64 word;
 			typedef __uint128_t dword;
 			typedef __uint128_t word128;
 			#define CRYPTOPP_WORD128_AVAILABLE 1
 		#else
 			// if we're here, it means we're on a 64-bit CPU but we don't have a way to obtain 128-bit multiplication results
 			typedef word16 hword;
 			typedef word32 word;
 			typedef word64 dword;
 		#endif
 	#else
 		// being here means the native register size is probably 32 bits or less
 		#define CRYPTOPP_BOOL_SLOW_WORD64 1
 		typedef word16 hword;
 		typedef word32 word;
 		typedef word64 dword;
 	#endif
 #endif
 #ifndef CRYPTOPP_BOOL_SLOW_WORD64
 # define CRYPTOPP_BOOL_SLOW_WORD64 0
 #endif
 const unsigned int WORD_SIZE = sizeof(word);
 const unsigned int WORD_BITS = WORD_SIZE * 8;
 NAMESPACE_END
 #endif  // CRYPTOPP_CONFIG_INT_H
--- a/config_misc.h
+++ b/config_misc.h
@ -0,0 +1,180 @@
 // config_misc.h - written and placed in public domain by Jeffrey Walton
 //                 the bits that make up this source file are from the
 //                 library's monolithic config.h.
 /// \file config_misc.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_MISC_H
 #define CRYPTOPP_CONFIG_MISC_H
 #include "config_asm.h"
 #include "config_cxx.h"
 #include "config_os.h"
 #include "config_ver.h"
 // Define this if running on a big-endian CPU
 // big endian will be assumed if CRYPTOPP_LITTLE_ENDIAN is not non-0
 #if !defined(CRYPTOPP_LITTLE_ENDIAN) && !defined(CRYPTOPP_BIG_ENDIAN) && (defined(__BIG_ENDIAN__) || (defined(__s390__) || defined(__s390x__) || defined(__zarch__)) || (defined(__m68k__) || defined(__MC68K__)) || defined(__sparc) || defined(__sparc__) || defined(__hppa__) || defined(__MIPSEB__) || defined(__ARMEB__) || (defined(__MWERKS__) && !defined(__INTEL__)))
 #	define CRYPTOPP_BIG_ENDIAN 1
 #endif
 // Define this if running on a little-endian CPU
 // big endian will be assumed if CRYPTOPP_LITTLE_ENDIAN is not non-0
 #if !defined(CRYPTOPP_BIG_ENDIAN) && !defined(CRYPTOPP_LITTLE_ENDIAN)
 #	define CRYPTOPP_LITTLE_ENDIAN 1
 #endif
 // Define this if you want to set a prefix for TestData/ and TestVectors/
 // Be sure to add the trailing slash since its simple concatenation.
 // After https://github.com/weidai11/cryptopp/issues/760 the library
 // should find the test vectors and data without much effort. It
 // will search in "./" and "$ORIGIN/../share/cryptopp" automatically.
 #ifndef CRYPTOPP_DATA_DIR
 # define CRYPTOPP_DATA_DIR ""
 #endif
 // Define this to disable the test suite from searching for test
 // vectors and data in "./" and "$ORIGIN/../share/cryptopp". The
 // library will still search in CRYPTOPP_DATA_DIR, regardless.
 // Some distros may want to disable this feature. Also see
 // https://github.com/weidai11/cryptopp/issues/760
 // #ifndef CRYPTOPP_DISABLE_DATA_DIR_SEARCH
 // # define CRYPTOPP_DISABLE_DATA_DIR_SEARCH
 // #endif
 // Define this if you want or need the library's memcpy_s and memmove_s.
 // See http://github.com/weidai11/cryptopp/issues/28.
 // #if !defined(CRYPTOPP_WANT_SECURE_LIB)
 // # define CRYPTOPP_WANT_SECURE_LIB
 // #endif
 // Define this if ARMv8 shifts are slow. ARM Cortex-A53 and Cortex-A57 shift
 // operation perform poorly, so NEON and ASIMD code that relies on shifts
 // or rotates often performs worse than C/C++ code. Also see
 // http://github.com/weidai11/cryptopp/issues/367.
 #define CRYPTOPP_SLOW_ARMV8_SHIFT 1
 // CRYPTOPP_DEBUG enables the library's CRYPTOPP_ASSERT. CRYPTOPP_ASSERT
 // raises a SIGTRAP (Unix) or calls DebugBreak() (Windows). CRYPTOPP_ASSERT
 // is only in effect when CRYPTOPP_DEBUG, DEBUG or _DEBUG is defined. Unlike
 // Posix assert, CRYPTOPP_ASSERT is not affected by NDEBUG (or failure to
 // define it).
 // Also see http://github.com/weidai11/cryptopp/issues/277, CVE-2016-7420
 #if (defined(DEBUG) || defined(_DEBUG)) && !defined(CRYPTOPP_DEBUG)
 # define CRYPTOPP_DEBUG 1
 #endif
 // File system code to use when creating GZIP archive.
 // http://www.gzip.org/format.txt
 #if !defined(GZIP_OS_CODE)
 # if defined(__macintosh__)
 #  define GZIP_OS_CODE 7
 # elif defined(__unix__) || defined(__linux__)
 #  define GZIP_OS_CODE 3
 # else
 #  define GZIP_OS_CODE 0
 # endif
 #endif
 // Try this if your CPU has 256K internal cache or a slow multiply instruction
 // and you want a (possibly) faster IDEA implementation using log tables
 // #define IDEA_LARGECACHE
 // Define this if, for the linear congruential RNG, you want to use
 // the original constants as specified in S.K. Park and K.W. Miller's
 // CACM paper.
 // #define LCRNG_ORIGINAL_NUMBERS
 // Define this if you want Integer's operator<< to honor std::showbase (and
 // std::noshowbase). If defined, Integer will use a suffix of 'b', 'o', 'h'
 // or '.' (the last for decimal) when std::showbase is in effect. If
 // std::noshowbase is set, then the suffix is not added to the Integer. If
 // not defined, existing behavior is preserved and Integer will use a suffix
 // of 'b', 'o', 'h' or '.' (the last for decimal).
 // #define CRYPTOPP_USE_STD_SHOWBASE
 // Define this if you want to decouple AlgorithmParameters and Integer
 // The decoupling should make it easier for the linker to remove Integer
 // related code for those who do not need Integer, and avoid a potential
 // race during AssignIntToInteger pointer initialization. Also
 // see http://github.com/weidai11/cryptopp/issues/389.
 // #define CRYPTOPP_NO_ASSIGN_TO_INTEGER
 // Need GCC 4.6/Clang 1.7/Apple Clang 2.0 or above due to "GCC diagnostic {push|pop}"
 #if (CRYPTOPP_GCC_VERSION >= 40600) || (CRYPTOPP_LLVM_CLANG_VERSION >= 10700) || \
    (CRYPTOPP_APPLE_CLANG_VERSION >= 20000)
 	#define CRYPTOPP_GCC_DIAGNOSTIC_AVAILABLE 1
 #endif
 // Portable way to suppress warnings.
 // Moved from misc.h due to circular depenedencies.
 #ifndef CRYPTOPP_UNUSED
 	#define CRYPTOPP_UNUSED(x) ((void)(x))
 #endif
 // how to disable inlining
 #if defined(_MSC_VER)
 #	define CRYPTOPP_NOINLINE_DOTDOTDOT
 #	define CRYPTOPP_NOINLINE __declspec(noinline)
 #elif defined(__xlc__) || defined(__xlC__) || defined(__ibmxl__)
 #	define CRYPTOPP_NOINLINE_DOTDOTDOT ...
 #	define CRYPTOPP_NOINLINE __attribute__((noinline))
 #elif defined(__GNUC__)
 #	define CRYPTOPP_NOINLINE_DOTDOTDOT
 #	define CRYPTOPP_NOINLINE __attribute__((noinline))
 #else
 #	define CRYPTOPP_NOINLINE_DOTDOTDOT ...
 #	define CRYPTOPP_NOINLINE
 #endif
 // http://stackoverflow.com/a/13867690/608639
 #if defined(CRYPTOPP_CXX11_CONSTEXPR)
 #  define CRYPTOPP_STATIC_CONSTEXPR static constexpr
 #  define CRYPTOPP_CONSTEXPR constexpr
 #else
 #  define CRYPTOPP_STATIC_CONSTEXPR static
 #  define CRYPTOPP_CONSTEXPR
 #endif // CRYPTOPP_CXX11_CONSTEXPR
 #if defined(CRYPTOPP_DOXYGEN_PROCESSING)
 # define CRYPTOPP_CONSTANT(x) static const int x;
 #elif defined(CRYPTOPP_CXX11_ENUM)
 # define CRYPTOPP_CONSTANT(x) enum : int { x };
 #elif defined(CRYPTOPP_CXX11_CONSTEXPR)
 # define CRYPTOPP_CONSTANT(x) constexpr static int x;
 #else
 # define CRYPTOPP_CONSTANT(x) static const int x;
 #endif
 // Warnings
 #ifdef _MSC_VER
 	// 4127: conditional expression is constant
 	// 4512: assignment operator not generated
 	// 4661: no suitable definition provided for explicit template instantiation request
 	// 4910: '__declspec(dllexport)' and 'extern' are incompatible on an explicit instantiation
 #	pragma warning(disable: 4127 4512 4661 4910)
 	// Security related, possible defects
 	// http://blogs.msdn.com/b/vcblog/archive/2010/12/14/off-by-default-compiler-warnings-in-visual-c.aspx
 #	pragma warning(once: 4191 4242 4263 4264 4266 4302 4826 4905 4906 4928)
 #endif
 #ifdef __BORLANDC__
 // 8037: non-const function called for const object. needed to work around BCB2006 bug
 #	pragma warn -8037
 #endif
 // [GCC Bug 53431] "C++ preprocessor ignores #pragma GCC diagnostic". Clang honors it.
 #if CRYPTOPP_GCC_DIAGNOSTIC_AVAILABLE
 # pragma GCC diagnostic ignored "-Wunknown-pragmas"
 # pragma GCC diagnostic ignored "-Wunused-function"
 #endif
 #endif  // CRYPTOPP_CONFIG_MISC_H
--- a/config_ns.h
+++ b/config_ns.h
@ -0,0 +1,68 @@
 // config_ns.h - written and placed in public domain by Jeffrey Walton
 //               the bits that make up this source file are from the
 //               library's monolithic config.h.
 /// \file config_ns.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_NAMESPACE_H
 #define CRYPTOPP_CONFIG_NAMESPACE_H
 // namespace support is now required
 #ifdef NO_NAMESPACE
 # error namespace support is now required
 #endif
 #ifdef CRYPTOPP_DOXYGEN_PROCESSING
 /// \namespace CryptoPP
 /// \brief Crypto++ library namespace
 /// \details Nearly all classes are located in the CryptoPP namespace. Within
 /// the namespace, there are two additional namespaces.
 ///   <ul>
 ///     <li>Name - namespace for names used with NameValuePairs and documented
 ///         in argnames.h
 ///     <li>NaCl - namespace for NaCl test functions like crypto_box,
 ///         crypto_box_open, crypto_sign, and crypto_sign_open
 ///     <li>Donna - namespace for curve25519 library operations. The name was
 ///         selected due to use of Langley and Moon's curve25519-donna.
 ///     <li>Test - namespace for testing and benchmarks classes
 ///     <li>Weak - namespace for weak and wounded algorithms, like ARC4, MD5
 ///         and Pananma
 ///   </ul>
 namespace CryptoPP { }
 // Bring in the symbols found in the weak namespace; and fold Weak1 into Weak
 #define CRYPTOPP_ENABLE_NAMESPACE_WEAK 1
 #define Weak1 Weak
 // Avoid putting "CryptoPP::" in front of everything in Doxygen output
 #define CryptoPP
 #define NAMESPACE_BEGIN(x)
 #define NAMESPACE_END
 // Get Doxygen to generate better documentation for these typedefs
 #define DOCUMENTED_TYPEDEF(x, y) class y : public x {};
 // Make "protected" "private" so the functions and members are not documented
 #define protected private
 #else
 // Not Doxygen
 #define NAMESPACE_BEGIN(x) namespace x {
 #define NAMESPACE_END }
 #define DOCUMENTED_TYPEDEF(x, y) typedef x y;
 #endif  // CRYPTOPP_DOXYGEN_PROCESSING
 #define ANONYMOUS_NAMESPACE_BEGIN namespace {
 #define ANONYMOUS_NAMESPACE_END }
 #define USING_NAMESPACE(x) using namespace x;
 #define DOCUMENTED_NAMESPACE_BEGIN(x) namespace x {
 #define DOCUMENTED_NAMESPACE_END }
 #endif  // CRYPTOPP_CONFIG_NAMESPACE_H
--- a/config_os.h
+++ b/config_os.h
@ -0,0 +1,152 @@
 // config_os.h - written and placed in public domain by Jeffrey Walton
 //               the bits that make up this source file are from the
 //               library's monolithic config.h.
 /// \file config_os.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_OS_H
 #define CRYPTOPP_CONFIG_OS_H
 #include "config_ver.h"
 // Windows platform
 #if defined(_WIN32) || defined(_WIN64) || defined(__CYGWIN__)
 #define CRYPTOPP_WIN32_AVAILABLE
 #endif
 // Unix and Linux platforms
 #if defined(__unix__) || defined(__MACH__) || defined(__NetBSD__) || defined(__sun)
 #define CRYPTOPP_UNIX_AVAILABLE
 #endif
 // BSD platforms
 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
 #define CRYPTOPP_BSD_AVAILABLE
 #endif
 // Microsoft compilers
 #if defined(_MSC_VER) || defined(__fastcall)
 	#define CRYPTOPP_FASTCALL __fastcall
 #else
 	#define CRYPTOPP_FASTCALL
 #endif
 // Microsoft compilers
 #if defined(_MSC_VER)
 	#define CRYPTOPP_NO_VTABLE __declspec(novtable)
 #else
 	#define CRYPTOPP_NO_VTABLE
 #endif
 // Define this if you want to disable all OS-dependent features,
 // such as sockets and OS-provided random number generators
 // #define NO_OS_DEPENDENCE
 // Define this to use features provided by Microsoft's CryptoAPI.
 // Currently the only feature used is Windows random number generation.
 // This macro will be ignored if NO_OS_DEPENDENCE is defined.
 // #define USE_MS_CRYPTOAPI
 // Define this to use features provided by Microsoft's CryptoNG API.
 // CryptoNG API is available in Vista and above and its cross platform,
 // including desktop apps and store apps. Currently the only feature
 // used is Windows random number generation.
 // This macro will be ignored if NO_OS_DEPENDENCE is defined.
 // #define USE_MS_CNGAPI
 // If the user did not make a choice, then select CryptoNG if
 // targeting Windows 8 or above.
 #if !defined(USE_MS_CRYPTOAPI) && !defined(USE_MS_CNGAPI)
 # if !defined(_USING_V110_SDK71_) && ((WINVER >= 0x0602 /*_WIN32_WINNT_WIN8*/) || \
     (_WIN32_WINNT >= 0x0602 /*_WIN32_WINNT_WIN8*/))
 #  define USE_MS_CNGAPI
 # else
 #  define USE_MS_CRYPTOAPI
 # endif
 #endif
 // Begin OS features, like init priorities and random numbers
 #ifndef NO_OS_DEPENDENCE
 // CRYPTOPP_INIT_PRIORITY attempts to manage initialization of C++ static objects.
 // Under GCC, the library uses init_priority attribute in the range
 // [CRYPTOPP_INIT_PRIORITY, CRYPTOPP_INIT_PRIORITY+100]. Under Windows,
 // CRYPTOPP_INIT_PRIORITY enlists "#pragma init_seg(lib)". The platforms
 // with gaps are Apple and Sun because they require linker scripts. Apple and
 // Sun will use the library's Singletons to initialize and acquire resources.
 // Also see http://cryptopp.com/wiki/Static_Initialization_Order_Fiasco
 #ifndef CRYPTOPP_INIT_PRIORITY
 # define CRYPTOPP_INIT_PRIORITY 250
 #endif
 // CRYPTOPP_USER_PRIORITY is for other libraries and user code that is using Crypto++
 // and managing C++ static object creation. It is guaranteed not to conflict with
 // values used by (or would be used by) the Crypto++ library.
 #ifndef CRYPTOPP_USER_PRIORITY
 # define CRYPTOPP_USER_PRIORITY (CRYPTOPP_INIT_PRIORITY+101)
 #endif
 // Most platforms allow us to specify when to create C++ objects. Apple and Sun do not.
 #if (CRYPTOPP_INIT_PRIORITY > 0) && !(defined(NO_OS_DEPENDENCE) || defined(__APPLE__) || defined(__sun__))
 # if (CRYPTOPP_GCC_VERSION >= 30000) || (CRYPTOPP_LLVM_CLANG_VERSION >= 20900) || (_INTEL_COMPILER >= 800)
 #  define HAVE_GCC_INIT_PRIORITY 1
 # elif (CRYPTOPP_MSC_VERSION >= 1310)
 #  define HAVE_MSC_INIT_PRIORITY 1
 # elif defined(__xlc__) || defined(__xlC__) || defined(__ibmxl__)
 #  define HAVE_XLC_INIT_PRIORITY 1
 # endif
 #endif  // CRYPTOPP_INIT_PRIORITY, NO_OS_DEPENDENCE, Apple, Sun
 #if defined(CRYPTOPP_WIN32_AVAILABLE) || defined(CRYPTOPP_UNIX_AVAILABLE)
 #	define HIGHRES_TIMER_AVAILABLE
 #endif
 #ifdef CRYPTOPP_WIN32_AVAILABLE
 # if !defined(WINAPI_FAMILY)
 #	define THREAD_TIMER_AVAILABLE
 # elif defined(WINAPI_FAMILY)
 #   if (WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP))
 #	  define THREAD_TIMER_AVAILABLE
 #  endif
 # endif
 #endif
 #if defined(CRYPTOPP_UNIX_AVAILABLE) || defined(CRYPTOPP_DOXYGEN_PROCESSING)
 #	define NONBLOCKING_RNG_AVAILABLE
 #	define BLOCKING_RNG_AVAILABLE
 #	define OS_RNG_AVAILABLE
 #endif
 // Cygwin/Newlib requires _XOPEN_SOURCE=600
 #if defined(CRYPTOPP_UNIX_AVAILABLE)
 # define UNIX_SIGNALS_AVAILABLE 1
 #endif
 #ifdef CRYPTOPP_WIN32_AVAILABLE
 # if !defined(WINAPI_FAMILY)
 #	define NONBLOCKING_RNG_AVAILABLE
 #	define OS_RNG_AVAILABLE
 # elif defined(WINAPI_FAMILY)
 #   if (WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP))
 #	  define NONBLOCKING_RNG_AVAILABLE
 #	  define OS_RNG_AVAILABLE
 #   elif !(WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP))
 #     if ((WINVER >= 0x0A00 /*_WIN32_WINNT_WIN10*/) || (_WIN32_WINNT >= 0x0A00 /*_WIN32_WINNT_WIN10*/))
 #	    define NONBLOCKING_RNG_AVAILABLE
 #	    define OS_RNG_AVAILABLE
 #     endif
 #   endif
 # endif
 #endif
 #endif	// NO_OS_DEPENDENCE
 #endif  // CRYPTOPP_CONFIG_OS_H
--- a/config_ver.h
+++ b/config_ver.h
@ -0,0 +1,46 @@
 // config_ver.h - written and placed in public domain by Jeffrey Walton
 //                the bits that make up this source file are from the
 //                library's monolithic config.h.
 /// \file config_ver.h
 /// \brief Library configuration file
 /// \details <tt>config.h</tt> was split into components in May 2019 to better
 ///  integrate with Autoconf and its feature tests. The splitting occured so
 ///  users could continue to include <tt>config.h</tt> while allowing Autoconf
 ///  to write new <tt>config_asm.h</tt> and new <tt>config_cxx.h</tt> using
 ///  its feature tests.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/835">Issue 835</A>
 /// \since Crypto++ 8.3
 #ifndef CRYPTOPP_CONFIG_VERSION_H
 #define CRYPTOPP_CONFIG_VERSION_H
 // Library version macro. Since this macro is in a header, it reflects
 // the version of the library the headers came from. It is not
 // necessarily the version of the library built as a shared object if
 // versions are inadvertently mixed and matched.
 #define CRYPTOPP_MAJOR 8
 #define CRYPTOPP_MINOR 3
 #define CRYPTOPP_REVISION 0
 #define CRYPTOPP_VERSION 830
 #ifdef __GNUC__
 # define CRYPTOPP_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
 #endif
 #if defined(__xlc__) || defined(__xlC__)
 # define CRYPTOPP_XLC_VERSION ((__xlC__ / 256) * 10000 + (__xlC__ % 256) * 100)
 #endif
 // Apple and LLVM's Clang. Apple Clang version 7.0 roughly equals LLVM Clang version 3.7
 #if defined(__clang__) && defined(__apple_build_version__)
 # define CRYPTOPP_APPLE_CLANG_VERSION (__clang_major__ * 10000 + __clang_minor__ * 100 + __clang_patchlevel__)
 #elif defined(__clang__)
 # define CRYPTOPP_LLVM_CLANG_VERSION  (__clang_major__ * 10000 + __clang_minor__ * 100 + __clang_patchlevel__)
 #endif
 #ifdef _MSC_VER
 # define CRYPTOPP_MSC_VERSION (_MSC_VER)
 #endif
 #endif  // CRYPTOPP_CONFIG_VERSION_H
--- a/cpu.cpp
+++ b/cpu.cpp
@ -58,7 +58,7 @@ unsigned long int getauxval(unsigned long int) { return 0; }
 // Visual Studio 2008 and below is missing _xgetbv. See x64dll.asm for the body.
 #if defined(_MSC_VER) && _MSC_VER <= 1500 && defined(_M_X64)
-extern "C" unsigned long long __fastcall ExtendedControlRegister(unsigned int);
+extern "C" unsigned long long __fastcall XGETBV64(unsigned int);
 #endif
 ANONYMOUS_NAMESPACE_BEGIN
@ -109,6 +109,8 @@ bool IsAppleMachineARMv8(unsigned int device, unsigned int version)
 bool IsAppleMachineARMv84(unsigned int device, unsigned int version)
 {
    CRYPTOPP_UNUSED(device);
    CRYPTOPP_UNUSED(version);
 	return false;
 }
 #endif  // __APPLE__
@ -274,10 +276,14 @@ static inline bool IsIntel(const word32 output[4])
 static inline bool IsAMD(const word32 output[4])
 {
-	// This is the "AuthenticAMD" string. Some early K5's can return "AMDisbetter!"
+	// This is the "AuthenticAMD" string.
-	return (output[1] /*EBX*/ == 0x68747541) &&
+	return ((output[1] /*EBX*/ == 0x68747541) &&
 		(output[2] /*ECX*/ == 0x444D4163) &&
-		(output[3] /*EDX*/ == 0x69746E65);
+		(output[3] /*EDX*/ == 0x69746E65)) ||
 		// Some early K5's can return "AMDisbetter!"
 		((output[1] /*EBX*/ == 0x69444d41) &&
 		(output[2] /*ECX*/ == 0x74656273) &&
 		(output[3] /*EDX*/ == 0x21726574));
 }
 static inline bool IsHygon(const word32 output[4])
@ -290,10 +296,14 @@ static inline bool IsHygon(const word32 output[4])
 static inline bool IsVIA(const word32 output[4])
 {
-	// This is the "CentaurHauls" string. Some non-PadLock's can return "VIA VIA VIA "
+	// This is the "CentaurHauls" string.
-	return (output[1] /*EBX*/ == 0x746e6543) &&
+	return ((output[1] /*EBX*/ == 0x746e6543) &&
 		(output[2] /*ECX*/ == 0x736c7561) &&
-		(output[3] /*EDX*/ == 0x48727561);
+		(output[3] /*EDX*/ == 0x48727561)) ||
 		// Some non-PadLock's return "VIA VIA VIA "
 		((output[1] /*EBX*/ == 0x32414956) &&
 		(output[2] /*ECX*/ == 0x32414956) &&
 		(output[3] /*EDX*/ == 0x32414956));
 }
 void DetectX86Features()
@ -341,8 +351,8 @@ void DetectX86Features()
 		word64 xcr0 = a | static_cast<word64>(d) << 32;
 		g_hasAVX = (xcr0 & YMM_FLAG) == YMM_FLAG;
-// Visual Studio 2008 and below lack xgetbv
+// Visual Studio 2010 and below lack xgetbv
-#elif defined(_MSC_VER) && _MSC_VER <= 1500 && defined(_M_IX86)
+#elif defined(_MSC_VER) && _MSC_VER <= 1600 && defined(_M_IX86)
 		word32 a=0, d=0;
 		__asm {
 			push eax
@ -363,7 +373,7 @@ void DetectX86Features()
 // Visual Studio 2008 and below lack xgetbv
 #elif defined(_MSC_VER) && _MSC_VER <= 1500 && defined(_M_X64)
-		word64 xcr0 = ExtendedControlRegister(0);
+		word64 xcr0 = XGETBV64(0);
 		g_hasAVX = (xcr0 & YMM_FLAG) == YMM_FLAG;
 // Downlevel SunCC
@ -425,6 +435,7 @@ void DetectX86Features()
 	}
 	else if (IsVIA(cpuid0))
 	{
 		// Two bits: available and enabled
 		CRYPTOPP_CONSTANT( RNG_FLAGS = (0x3 << 2))
 		CRYPTOPP_CONSTANT( ACE_FLAGS = (0x3 << 6))
 		CRYPTOPP_CONSTANT(ACE2_FLAGS = (0x3 << 8))
@ -432,9 +443,10 @@ void DetectX86Features()
 		CRYPTOPP_CONSTANT( PMM_FLAGS = (0x3 << 12))
 		CpuId(0xC0000000, 0, cpuid2);
-		if (cpuid2[0] >= 0xC0000001)
+		word32 extendedFeatures = cpuid2[0];
 		if (extendedFeatures >= 0xC0000001)
 		{
 			// Extended features available
 			CpuId(0xC0000001, 0, cpuid2);
 			g_hasPadlockRNG  = (cpuid2[3] /*EDX*/ & RNG_FLAGS) == RNG_FLAGS;
 			g_hasPadlockACE  = (cpuid2[3] /*EDX*/ & ACE_FLAGS) == ACE_FLAGS;
@ -442,7 +454,21 @@ void DetectX86Features()
 			g_hasPadlockPHE  = (cpuid2[3] /*EDX*/ & PHE_FLAGS) == PHE_FLAGS;
 			g_hasPadlockPMM  = (cpuid2[3] /*EDX*/ & PMM_FLAGS) == PMM_FLAGS;
 		}
 		if (extendedFeatures >= 0xC0000005)
 		{
 			CpuId(0xC0000005, 0, cpuid2);
 			g_cacheLineSize = GETBYTE(cpuid2[2] /*ECX*/, 0);
 		}
 	}
 #if defined(_SC_LEVEL1_DCACHE_LINESIZE)
 	// Glibc does not implement on some platforms. The runtime returns 0 instead of error.
 	// https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/posix/sysconf.c
 	int cacheLineSize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
 	if (g_cacheLineSize == 0 && cacheLineSize > 0)
 		g_cacheLineSize = cacheLineSize;
 #endif
 	if (g_cacheLineSize == 0)
 		g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE;
@ -474,7 +500,7 @@ word32 CRYPTOPP_SECTION_INIT g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE;
 //   then *Probe* the cpu executing an instruction and an observe a SIGILL if unsupported.
 // The probes are in source files where compilation options like -march=armv8-a+crc make
 //   intrinsics available. They are expensive when compared to a standard OS feature query.
-//   Always perform the feature quesry first. For Linux see
+//   Always perform the feature query first. For Linux see
 //   http://sourceware.org/ml/libc-help/2017-08/msg00012.html
 // Avoid probes on Apple platforms because Apple's signal handling for SIGILLs appears broken.
 //   We are trying to figure out a way to feature test without probes. Also see
@ -486,13 +512,14 @@ extern bool CPU_ProbeNEON();
 extern bool CPU_ProbeCRC32();
 extern bool CPU_ProbeAES();
 extern bool CPU_ProbeSHA1();
-extern bool CPU_ProbeSHA2();
+extern bool CPU_ProbeSHA256();
 extern bool CPU_ProbeSHA512();
 extern bool CPU_ProbeSHA3();
 extern bool CPU_ProbeSM3();
 extern bool CPU_ProbeSM4();
 extern bool CPU_ProbePMULL();
 // https://github.com/torvalds/linux/blob/master/arch/arm/include/uapi/asm/hwcap.h
 // https://github.com/torvalds/linux/blob/master/arch/arm64/include/uapi/asm/hwcap.h
 #ifndef HWCAP_ARMv7
 # define HWCAP_ARMv7 (1 << 29)
@ -500,8 +527,8 @@ extern bool CPU_ProbePMULL();
 #ifndef HWCAP_ASIMD
 # define HWCAP_ASIMD (1 << 1)
 #endif
-#ifndef HWCAP_ARM_NEON
+#ifndef HWCAP_NEON
-# define HWCAP_ARM_NEON 4096
+# define HWCAP_NEON (1 << 12)
 #endif
 #ifndef HWCAP_CRC32
 # define HWCAP_CRC32 (1 << 7)
@ -548,15 +575,13 @@ extern bool CPU_ProbePMULL();
 inline bool CPU_QueryARMv7()
 {
-#if defined(__aarch32__) || defined(__aarch64__)
+#if defined(__ANDROID__) && defined(__arm__)
 	// ARMv7 or above
 	return true;
 #elif defined(__ANDROID__) && defined(__arm__)
 	if (((android_getCpuFamily() & ANDROID_CPU_FAMILY_ARM) != 0) &&
 		((android_getCpuFeatures() & ANDROID_CPU_ARM_FEATURE_ARMv7) != 0))
 		return true;
 #elif defined(__linux__) && defined(__arm__)
-	if ((getauxval(AT_HWCAP) & HWCAP_ARMv7) != 0)
+	if ((getauxval(AT_HWCAP) & HWCAP_ARMv7) != 0 ||
 	    (getauxval(AT_HWCAP) & HWCAP_NEON) != 0)
 		return true;
 #elif defined(__APPLE__) && defined(__arm__)
 	// Apple hardware is ARMv7 or above.
@ -582,7 +607,7 @@ inline bool CPU_QueryNEON()
 	if ((getauxval(AT_HWCAP2) & HWCAP2_ASIMD) != 0)
 		return true;
 #elif defined(__linux__) && defined(__arm__)
-	if ((getauxval(AT_HWCAP) & HWCAP_ARM_NEON) != 0)
+	if ((getauxval(AT_HWCAP) & HWCAP_NEON) != 0)
 		return true;
 #elif defined(__APPLE__) && defined(__aarch64__)
 	// Core feature set for Aarch32 and Aarch64.
@ -685,7 +710,7 @@ inline bool CPU_QuerySHA1()
 	return false;
 }
-inline bool CPU_QuerySHA2()
+inline bool CPU_QuerySHA256()
 {
 #if defined(__ANDROID__) && defined(__aarch64__)
 	if (((android_getCpuFamily() & ANDROID_CPU_FAMILY_ARM64) != 0) &&
@ -819,13 +844,13 @@ void DetectArmFeatures()
 	g_hasPMULL = CPU_QueryPMULL() || CPU_ProbePMULL();
 	g_hasAES  = CPU_QueryAES() || CPU_ProbeAES();
 	g_hasSHA1 = CPU_QuerySHA1() || CPU_ProbeSHA1();
-	g_hasSHA2 = CPU_QuerySHA2() || CPU_ProbeSHA2();
+	g_hasSHA2 = CPU_QuerySHA256() || CPU_ProbeSHA256();
 	g_hasSHA512 = CPU_QuerySHA512(); // || CPU_ProbeSHA512();
 	g_hasSHA3 = CPU_QuerySHA3(); // || CPU_ProbeSHA3();
 	g_hasSM3 = CPU_QuerySM3(); // || CPU_ProbeSM3();
 	g_hasSM4 = CPU_QuerySM4(); // || CPU_ProbeSM4();
-#if defined(__linux__) && defined(_SC_LEVEL1_DCACHE_LINESIZE)
+#if defined(_SC_LEVEL1_DCACHE_LINESIZE)
 	// Glibc does not implement on some platforms. The runtime returns 0 instead of error.
 	// https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/posix/sysconf.c
 	int cacheLineSize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
@ -833,6 +858,9 @@ void DetectArmFeatures()
 		g_cacheLineSize = cacheLineSize;
 #endif
 	if (g_cacheLineSize == 0)
 		g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE;
 	*const_cast<volatile bool*>(&g_ArmDetectionDone) = true;
 }
@ -862,24 +890,6 @@ extern bool CPU_ProbeSHA256();
 extern bool CPU_ProbeSHA512();
 extern bool CPU_ProbeDARN();
 // Linux define values from 64-Bit ELF V2 ABI Specification.
 // http://openpowerfoundation.org/wp-content/uploads/resources/leabi/content/ch_preface.html
 #ifndef PPC_FEATURE_HAS_ALTIVEC
 # define PPC_FEATURE_HAS_ALTIVEC  0x10000000
 #endif
 #ifndef PPC_FEATURE_ARCH_2_06
 # define PPC_FEATURE_ARCH_2_06    0x00000100
 #endif
 #ifndef PPC_FEATURE2_ARCH_2_07
 # define PPC_FEATURE2_ARCH_2_07   0x80000000
 #endif
 #ifndef PPC_FEATURE2_ARCH_3_00
 # define PPC_FEATURE2_ARCH_3_00   0x00800000
 #endif
 #ifndef PPC_FEATURE2_VEC_CRYPTO
 # define PPC_FEATURE2_VEC_CRYPTO  0x02000000
 #endif
 // AIX defines. We used to just call __power_7_andup()
 // and friends but at Power9, too many compilers were
 // missing __power_9_andup(). Instead we switched to
@ -901,7 +911,7 @@ extern bool CPU_ProbeDARN();
 // was available much earlier for other vendors.
 inline bool CPU_QueryAltivec()
 {
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE_HAS_ALTIVEC)
 	if ((getauxval(AT_HWCAP) & PPC_FEATURE_HAS_ALTIVEC) != 0)
 		return true;
 #elif defined(_AIX)
@ -918,7 +928,7 @@ inline bool CPU_QueryAltivec()
 inline bool CPU_QueryPower7()
 {
 	// Power7 and ISA 2.06
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE_ARCH_2_06)
 	if ((getauxval(AT_HWCAP) & PPC_FEATURE_ARCH_2_06) != 0)
 		return true;
 #elif defined(_AIX)
@ -931,7 +941,7 @@ inline bool CPU_QueryPower7()
 inline bool CPU_QueryPower8()
 {
 	// Power8 and ISA 2.07 provide in-core crypto.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_ARCH_2_07)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_ARCH_2_07) != 0)
 		return true;
 #elif defined(_AIX)
@ -944,7 +954,7 @@ inline bool CPU_QueryPower8()
 inline bool CPU_QueryPower9()
 {
 	// Power9 and ISA 3.0.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_ARCH_3_00)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_ARCH_3_00) != 0)
 		return true;
 #elif defined(_AIX)
@ -958,7 +968,7 @@ inline bool CPU_QueryAES()
 {
 	// Power8 and ISA 2.07 provide in-core crypto. Glibc
 	// 2.24 or higher is required for PPC_FEATURE2_VEC_CRYPTO.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_VEC_CRYPTO)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_VEC_CRYPTO) != 0)
 		return true;
 #elif defined(_AIX)
@ -972,7 +982,7 @@ inline bool CPU_QueryPMULL()
 {
 	// Power8 and ISA 2.07 provide in-core crypto. Glibc
 	// 2.24 or higher is required for PPC_FEATURE2_VEC_CRYPTO.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_VEC_CRYPTO)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_VEC_CRYPTO) != 0)
 		return true;
 #elif defined(_AIX)
@ -986,7 +996,7 @@ inline bool CPU_QuerySHA256()
 {
 	// Power8 and ISA 2.07 provide in-core crypto. Glibc
 	// 2.24 or higher is required for PPC_FEATURE2_VEC_CRYPTO.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_VEC_CRYPTO)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_VEC_CRYPTO) != 0)
 		return true;
 #elif defined(_AIX)
@ -999,7 +1009,7 @@ inline bool CPU_QuerySHA512()
 {
 	// Power8 and ISA 2.07 provide in-core crypto. Glibc
 	// 2.24 or higher is required for PPC_FEATURE2_VEC_CRYPTO.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_VEC_CRYPTO)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_VEC_CRYPTO) != 0)
 		return true;
 #elif defined(_AIX)
@ -1013,7 +1023,7 @@ inline bool CPU_QuerySHA512()
 inline bool CPU_QueryDARN()
 {
 	// Power9 and ISA 3.0 provide DARN.
-#if defined(__linux__)
+#if defined(__linux__) && defined(PPC_FEATURE2_ARCH_3_00)
 	if ((getauxval(AT_HWCAP2) & PPC_FEATURE2_ARCH_3_00) != 0)
 		return true;
 #elif defined(_AIX)
@ -1042,7 +1052,7 @@ void DetectPowerpcFeatures()
 	int cacheLineSize = getsystemcfg(SC_L1C_DLS);
 	if (cacheLineSize > 0)
 		g_cacheLineSize = cacheLineSize;
-#elif defined(__linux__) && defined(_SC_LEVEL1_DCACHE_LINESIZE)
+#elif defined(_SC_LEVEL1_DCACHE_LINESIZE)
 	// Glibc does not implement on some platforms. The runtime returns 0 instead of error.
 	// https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/posix/sysconf.c
 	int cacheLineSize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
@ -1050,6 +1060,9 @@ void DetectPowerpcFeatures()
 		g_cacheLineSize = cacheLineSize;
 #endif
 	if (g_cacheLineSize == 0)
 		g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE;
 	*const_cast<volatile bool*>(&g_PowerpcDetectionDone) = true;
 }
--- a/cryptdll.vcxproj
+++ b/cryptdll.vcxproj
@ -212,6 +212,7 @@
    <ClCompile Include="gcm.cpp" />
    <ClCompile Include="gcm_simd.cpp" />
    <ClCompile Include="gf2n.cpp" />
    <ClCompile Include="gf2n_simd.cpp" />
    <ClCompile Include="gfpcrypt.cpp" />
    <ClCompile Include="hex.cpp" />
    <ClCompile Include="hmac.cpp" />
@ -255,6 +256,16 @@
    <ClInclude Include="channels.h" />
    <ClInclude Include="cmac.h" />
    <ClInclude Include="config.h" />
    <ClInclude Include="config_align.h" />
    <ClInclude Include="config_asm.h" />
    <ClInclude Include="config_cpu.h" />
    <ClInclude Include="config_cxx.h" />
    <ClInclude Include="config_dll.h" />
    <ClInclude Include="config_int.h" />
    <ClInclude Include="config_misc.h" />
    <ClInclude Include="config_ns.h" />
    <ClInclude Include="config_os.h" />
    <ClInclude Include="config_ver.h" />
    <ClInclude Include="cpu.h" />
    <ClInclude Include="cryptlib.h" />
    <ClInclude Include="des.h" />
--- a/cryptdll.vcxproj.filters
+++ b/cryptdll.vcxproj.filters
@ -98,6 +98,9 @@
    <ClCompile Include="gf2n.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="gf2n_simd.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="gfpcrypt.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -229,6 +232,36 @@
    <ClInclude Include="config.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_align.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_asm.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_cpu.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_cxx.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_dll.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_int.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_misc.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_ns.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_os.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_ver.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="cpu.h">
      <Filter>Header Files</Filter>
    </ClInclude>
--- a/cryptest.nmake
+++ b/cryptest.nmake
@ -69,21 +69,22 @@ LIB_SRCS = \
    gcm_simd.cpp gf256.cpp gf2_32.cpp gf2n.cpp gf2n_simd.cpp gfpcrypt.cpp \
    gost.cpp gzip.cpp hc128.cpp hc256.cpp hex.cpp hight.cpp hmac.cpp \
    hrtimer.cpp ida.cpp idea.cpp iterhash.cpp kalyna.cpp kalynatab.cpp \
-    keccak.cpp keccakc.cpp lea.cpp lea_simd.cpp luc.cpp mars.cpp marss.cpp \
+    keccak.cpp keccak_core.cpp keccak_simd.cpp lea.cpp lea_simd.cpp luc.cpp \
-    md2.cpp md4.cpp md5.cpp misc.cpp modes.cpp mqueue.cpp mqv.cpp \
+    mars.cpp marss.cpp md2.cpp md4.cpp md5.cpp misc.cpp modes.cpp mqueue.cpp \
-    nbtheory.cpp neon_simd.cpp oaep.cpp osrng.cpp padlkrng.cpp panama.cpp \
+    mqv.cpp nbtheory.cpp neon_simd.cpp oaep.cpp osrng.cpp padlkrng.cpp \
-    pkcspad.cpp poly1305.cpp polynomi.cpp ppc_power7.cpp ppc_power8.cpp \
+    panama.cpp pkcspad.cpp poly1305.cpp polynomi.cpp ppc_power7.cpp \
-    ppc_power9.cpp ppc_simd.cpp pssr.cpp pubkey.cpp queue.cpp rabbit.cpp \
+    ppc_power8.cpp ppc_power9.cpp ppc_simd.cpp pssr.cpp pubkey.cpp queue.cpp \
-    rabin.cpp randpool.cpp rc2.cpp rc5.cpp rc6.cpp rdrand.cpp rdtables.cpp \
+    rabbit.cpp rabin.cpp randpool.cpp rc2.cpp rc5.cpp rc6.cpp rdrand.cpp \
-    rijndael.cpp rijndael_simd.cpp ripemd.cpp rng.cpp rsa.cpp rw.cpp \
+    rdtables.cpp rijndael.cpp rijndael_simd.cpp ripemd.cpp rng.cpp rsa.cpp \
-    safer.cpp salsa.cpp scrypt.cpp seal.cpp seed.cpp serpent.cpp sha.cpp \
+    rw.cpp safer.cpp salsa.cpp scrypt.cpp seal.cpp seed.cpp serpent.cpp \
-    sha3.cpp sha_simd.cpp shacal2.cpp shacal2_simd.cpp shark.cpp sharkbox.cpp \
+    sha.cpp sha3.cpp sha_simd.cpp shacal2.cpp shacal2_simd.cpp shake.cpp \
-    simeck.cpp simeck_simd.cpp simon.cpp simon128_simd.cpp simon64_simd.cpp \
+    shark.cpp sharkbox.cpp simeck.cpp simeck_simd.cpp simon.cpp \
-    skipjack.cpp sm3.cpp sm4.cpp sm4_simd.cpp sosemanuk.cpp speck.cpp \
+    simon128_simd.cpp simon64_simd.cpp skipjack.cpp sm3.cpp sm4.cpp \
-    speck128_simd.cpp speck64_simd.cpp square.cpp squaretb.cpp sse_simd.cpp \
+    sm4_simd.cpp sosemanuk.cpp speck.cpp speck128_simd.cpp speck64_simd.cpp \
-    strciphr.cpp tea.cpp tftables.cpp threefish.cpp tiger.cpp tigertab.cpp \
+    square.cpp squaretb.cpp sse_simd.cpp strciphr.cpp tea.cpp tftables.cpp \
-    ttmac.cpp tweetnacl.cpp twofish.cpp vmac.cpp wake.cpp whrlpool.cpp \
+    threefish.cpp tiger.cpp tigertab.cpp ttmac.cpp tweetnacl.cpp twofish.cpp \
-    xed25519.cpp xtr.cpp xtrcrypt.cpp zdeflate.cpp zinflate.cpp zlib.cpp
+    vmac.cpp wake.cpp whrlpool.cpp xed25519.cpp xtr.cpp xtrcrypt.cpp \
    zdeflate.cpp zinflate.cpp zlib.cpp
 LIB_OBJS = \
    cryptlib.obj cpu.obj integer.obj 3way.obj adler32.obj algebra.obj \
@ -99,24 +100,25 @@ LIB_OBJS = \
    gcm_simd.obj gf256.obj gf2_32.obj gf2n.obj gf2n_simd.obj gfpcrypt.obj \
    gost.obj gzip.obj hc128.obj hc256.obj hex.obj hight.obj hmac.obj \
    hrtimer.obj ida.obj idea.obj iterhash.obj kalyna.obj kalynatab.obj \
-    keccak.obj keccakc.obj lea.obj lea_simd.obj luc.obj mars.obj marss.obj \
+    keccak.obj keccak_core.obj keccak_simd.obj lea.obj lea_simd.obj luc.obj \
-    md2.obj md4.obj md5.obj misc.obj modes.obj mqueue.obj mqv.obj \
+    mars.obj marss.obj md2.obj md4.obj md5.obj misc.obj modes.obj mqueue.obj \
-    nbtheory.obj neon_simd.obj oaep.obj osrng.obj padlkrng.obj panama.obj \
+    mqv.obj nbtheory.obj neon_simd.obj oaep.obj osrng.obj padlkrng.obj \
-    pkcspad.obj poly1305.obj polynomi.obj ppc_power7.obj ppc_power8.obj \
+    panama.obj pkcspad.obj poly1305.obj polynomi.obj ppc_power7.obj \
-    ppc_power9.obj ppc_simd.obj pssr.obj pubkey.obj queue.obj rabbit.obj \
+    ppc_power8.obj ppc_power9.obj ppc_simd.obj pssr.obj pubkey.obj queue.obj \
-    rabin.obj randpool.obj rc2.obj rc5.obj rc6.obj rdrand.obj rdtables.obj \
+    rabbit.obj rabin.obj randpool.obj rc2.obj rc5.obj rc6.obj rdrand.obj \
-    rijndael.obj rijndael_simd.obj ripemd.obj rng.obj rsa.obj rw.obj \
+    rdtables.obj rijndael.obj rijndael_simd.obj ripemd.obj rng.obj rsa.obj \
-    safer.obj salsa.obj scrypt.obj seal.obj seed.obj serpent.obj sha.obj \
+    rw.obj safer.obj salsa.obj scrypt.obj seal.obj seed.obj serpent.obj \
-    sha3.obj sha_simd.obj shacal2.obj shacal2_simd.obj shark.obj sharkbox.obj \
+    sha.obj sha3.obj sha_simd.obj shacal2.obj shacal2_simd.obj shake.obj \
-    simeck.obj simeck_simd.obj simon.obj simon128_simd.obj simon64_simd.obj \
+    shark.obj sharkbox.obj simeck.obj simeck_simd.obj simon.obj \
-    skipjack.obj sm3.obj sm4.obj sm4_simd.obj sosemanuk.obj speck.obj \
+    simon128_simd.obj simon64_simd.obj skipjack.obj sm3.obj sm4.obj \
-    speck128_simd.obj speck64_simd.obj square.obj squaretb.obj sse_simd.obj \
+    sm4_simd.obj sosemanuk.obj speck.obj speck128_simd.obj speck64_simd.obj \
-    strciphr.obj tea.obj tftables.obj threefish.obj tiger.obj tigertab.obj \
+    square.obj squaretb.obj sse_simd.obj strciphr.obj tea.obj tftables.obj \
-    ttmac.obj tweetnacl.obj twofish.obj vmac.obj wake.obj whrlpool.obj \
+    threefish.obj tiger.obj tigertab.obj ttmac.obj tweetnacl.obj twofish.obj \
-    xed25519.obj xtr.obj xtrcrypt.obj zdeflate.obj zinflate.obj zlib.obj
+    vmac.obj wake.obj whrlpool.obj xed25519.obj xtr.obj xtrcrypt.obj \
    zdeflate.obj zinflate.obj zlib.obj
 ASM_OBJS = \
-    rdrand-x86.obj rdrand-x64.obj x64masm.obj x64dll.obj
+    rdrand-x86.obj rdrand-x64.obj rdseed-x86.obj rdseed-x64.obj x64masm.obj x64dll.obj
 TEST_SRCS = \
    test.cpp bench1.cpp bench2.cpp bench3.cpp datatest.cpp \
@ -151,12 +153,14 @@ LDFLAGS = /nologo /SUBSYSTEM:CONSOLE /DEBUG
 ARFLAGS = /nologo
 LDLIBS =
-# Debug build.
+# Compiler debug build.
 # CXXFLAGS = $(CXXFLAGS) /DDEBUG /D_DEBUG /Oi /Oy- /Od /MTd
-# Release build. Add /OPT:REF to linker
+# Compiler release build.
 CXXFLAGS = $(CXXFLAGS) /DNDEBUG /D_NDEBUG /Oi /Oy /O2 /MT
-# Linker flags.
+# Linker debug build.
-LDFLAGS = $(LDFLAGS) /OPT:REF
+# LDFLAGS = $(LDFLAGS) /DEBUG
 # Linker release build.
 LDFLAGS = $(LDFLAGS) /DEBUG /OPT:REF
 # Attempt to detect when <sdkddkver.h> and <winapifamily.h> are available
 #   http://stackoverflow.com/q/40577415 ?
@ -192,10 +196,12 @@ PLATFORM = x64
 # CXXFLAGS = $(CXXFLAGS) /DWINAPI_FAMILY=WINAPI_FAMILY_APP
 AS = ml.exe
 ASFLAGS = /nologo /D_M_X86 /W3 /Cx /Zi /safeseh
-LIB_SRCS = $(LIB_SRCS) rdrand.cpp rdrand.asm
+LIB_SRCS = $(LIB_SRCS) rdrand.cpp rdrand.asm rdseed.asm
-LIB_OBJS = $(LIB_OBJS) rdrand-x86.obj
+LIB_OBJS = $(LIB_OBJS) rdrand-x86.obj rdseed-x86.obj
 LDFLAGS = $(LDFLAGS) /MACHINE:X86
 LDLIBS = $(LDLIBS) kernel32.lib
 RDRAND_OBJ = rdrand-x86.obj
 RDSEED_OBJ = rdseed-x86.obj
 !ENDIF
 # May need $(VCINSTALLDIR)\bin\amd64\ml64.exe
@ -205,10 +211,12 @@ LDLIBS = $(LDLIBS) kernel32.lib
 # CXXFLAGS = $(CXXFLAGS) /DWINAPI_FAMILY=WINAPI_FAMILY_APP
 AS = ml64.exe
 ASFLAGS = /nologo /D_M_X64 /W3 /Cx /Zi
-LIB_SRCS = $(LIB_SRCS) rdrand.cpp rdrand.asm
+LIB_SRCS = $(LIB_SRCS) rdrand.cpp rdrand.asm rdseed.asm
-LIB_OBJS = $(LIB_OBJS) rdrand-x64.obj x64masm.obj x64dll.obj
+LIB_OBJS = $(LIB_OBJS) rdrand-x64.obj rdseed-x64.obj x64masm.obj x64dll.obj
 LDFLAGS = $(LDFLAGS) /MACHINE:X64
 LDLIBS = $(LDLIBS) kernel32.lib
 RDRAND_OBJ = rdrand-x64.obj
 RDSEED_OBJ = rdseed-x64.obj
 !ENDIF
 !IF "$(PLATFORM)" == "ARM" || "$(PLATFORM)" == "arm" || "$(PLATFORM)" == "ARM64" || "$(PLATFORM)" == "arm64"
@ -256,13 +264,13 @@ clean ::
 	$(RM) /F /Q pch.obj $(LIB_OBJS) $(ASM_OBJS) $(TEST_OBJS) *.pdb 2>nul
 distclean :: clean
-!IF EXIST ($(USERNAME).sdf)
+!IF EXIST ("$(USERNAME).sdf")
-	attrib -r -a -s -h $(USERNAME).sdf 2>nul
+	attrib -r -a -s -h "$(USERNAME).sdf" 2>nul
-	$(RM) /F /Q $(USERNAME).sdf 2>nul
+	$(RM) /F /Q "$(USERNAME).sdf" 2>nul
 !ENDIF
-!IF EXIST ($(USERNAME).suo)
+!IF EXIST ("$(USERNAME).suo")
-	attrib -r -a -s -h $(USERNAME).suo 2>nul
+	attrib -r -a -s -h $(USERNAME).suo" 2>nul
-	$(RM) /F /Q $(USERNAME).suo 2>nul
+	$(RM) /F /Q $(USERNAME).suo" 2>nul
 !ENDIF
 !IF EXIST (Win32\)
 	$(RMDIR) Win32\ /q /s 2>nul
@ -279,21 +287,25 @@ pch.pch: pch.h pch.cpp
 	$(CXX) $(CXXFLAGS) /Yc"pch.h" /Fp"pch.pch" /c pch.cpp
 # No precompiled headers
-iterhash.obj:
+iterhash.obj: iterhash.h iterhash.cpp
 	$(CXX) $(CXXFLAGS) /Y- /c iterhash.cpp
-dll.obj:
+dll.obj: dll.h dll.cpp
 	$(CXX) $(CXXFLAGS) /Y- /c dll.cpp
-rdrand.obj:
+rdrand.obj: rdrand.h rdrand.cpp
 	$(CXX) $(CXXFLAGS) /c rdrand.cpp
 # Built for x86/x64
-rdrand-x86.obj:
+rdrand-x86.obj: rdrand.asm
 	$(AS) $(ASFLAGS) /Fo rdrand-x86.obj /c rdrand.asm
-rdrand-x64.obj:
+rdrand-x64.obj: rdrand.asm
 	$(AS) $(ASFLAGS) /Fo rdrand-x64.obj /c rdrand.asm
-x64masm.obj:
+rdseed-x86.obj: rdseed.asm
 	$(AS) $(ASFLAGS) /Fo rdseed-x86.obj /c rdseed.asm
 rdseed-x64.obj: rdseed.asm
 	$(AS) $(ASFLAGS) /Fo rdseed-x64.obj /c rdseed.asm
 x64masm.obj: x64masm.asm
 	$(AS) $(ASFLAGS) /Fo x64masm.obj /c x64masm.asm
-x64dll.obj:
+x64dll.obj: x64dll.asm
 	$(AS) $(ASFLAGS) /Fo x64dll.obj /c x64dll.asm
 # You may need to delete this on early versions of Visual Studio.
--- a/cryptest.sh
+++ b/cryptest.sh
--- a/cryptest.vcxproj
+++ b/cryptest.vcxproj
@ -195,7 +195,10 @@
  <!-- The rule copies cryptest.exe to the project   -->
  <!-- root directory so it can be executed in place -->
  <Target Name="CopyCryptestToRoot">
-    <Exec Command="copy $(Platform)\Output\$(Configuration)\cryptest.exe $(SolutionDir)" />
+    <Exec Command="copy &quot;$(Platform)\Output\$(Configuration)\cryptest.exe&quot; &quot;$(SolutionDir)&quot;" />
  </Target>
  <Target Name="CopyToRoot">
    <Exec Command="copy &quot;$(Platform)\Output\$(Configuration)\cryptest.exe&quot; &quot;$(SolutionDir)&quot;" />
  </Target>
  <!-- Source Files -->
  <ItemGroup>
--- a/cryptlib.cpp
+++ b/cryptlib.cpp
@ -16,7 +16,6 @@
 #ifndef CRYPTOPP_IMPORTS
 #include "cryptlib.h"
 #include "misc.h"
 #include "filters.h"
 #include "algparam.h"
 #include "fips140.h"
@ -26,6 +25,7 @@
 #include "secblock.h"
 #include "smartptr.h"
 #include "stdcpp.h"
 #include "misc.h"
 NAMESPACE_BEGIN(CryptoPP)
@ -333,20 +333,20 @@ void RandomNumberGenerator::GenerateIntoBufferedTransformation(BufferedTransform
 	}
 }
-size_t KeyDerivationFunction::MinDerivedLength() const
+size_t KeyDerivationFunction::MinDerivedKeyLength() const
 {
 	return 0;
 }
-size_t KeyDerivationFunction::MaxDerivedLength() const
+size_t KeyDerivationFunction::MaxDerivedKeyLength() const
 {
 	return static_cast<size_t>(-1);
 }
-void KeyDerivationFunction::ThrowIfInvalidDerivedLength(size_t length) const
+void KeyDerivationFunction::ThrowIfInvalidDerivedKeyLength(size_t length) const
 {
 	if (!IsValidDerivedLength(length))
-		throw InvalidDerivedLength(GetAlgorithm().AlgorithmName(), length);
+		throw InvalidDerivedKeyLength(GetAlgorithm().AlgorithmName(), length);
 }
 void KeyDerivationFunction::SetParameters(const NameValuePairs& params) {
@ -405,8 +405,9 @@ RandomNumberGenerator & NullRNG()
 bool HashTransformation::TruncatedVerify(const byte *digest, size_t digestLength)
 {
 	// Allocate at least 1 for calculated to avoid triggering diagnostics
 	ThrowIfInvalidTruncatedSize(digestLength);
-	SecByteBlock calculated(digestLength);
+	SecByteBlock calculated(digestLength ? digestLength : 1);
 	TruncatedFinal(calculated, digestLength);
 	return VerifyBufsEqual(calculated, digest, digestLength);
 }
@ -742,6 +743,12 @@ size_t BufferedTransformation::ChannelPutWord32(const std::string &channel, word
 	return ChannelPut(channel, m_buf, 4, blocking);
 }
 size_t BufferedTransformation::ChannelPutWord64(const std::string &channel, word64 value, ByteOrder order, bool blocking)
 {
 	PutWord(false, order, m_buf, value);
 	return ChannelPut(channel, m_buf, 8, blocking);
 }
 size_t BufferedTransformation::PutWord16(word16 value, ByteOrder order, bool blocking)
 {
 	return ChannelPutWord16(DEFAULT_CHANNEL, value, order, blocking);
@ -752,22 +759,20 @@ size_t BufferedTransformation::PutWord32(word32 value, ByteOrder order, bool blo
 	return ChannelPutWord32(DEFAULT_CHANNEL, value, order, blocking);
 }
-// Issue 340
+size_t BufferedTransformation::PutWord64(word64 value, ByteOrder order, bool blocking)
-#if CRYPTOPP_GCC_DIAGNOSTIC_AVAILABLE
+{
-# pragma GCC diagnostic push
+	return ChannelPutWord64(DEFAULT_CHANNEL, value, order, blocking);
-# pragma GCC diagnostic ignored "-Wconversion"
+}
 # pragma GCC diagnostic ignored "-Wsign-conversion"
 #endif
 size_t BufferedTransformation::PeekWord16(word16 &value, ByteOrder order) const
 {
 	byte buf[2] = {0, 0};
 	size_t len = Peek(buf, 2);
-	if (order)
+	if (order == BIG_ENDIAN_ORDER)
-		value = (buf[0] << 8) | buf[1];
+		value = ((word16)buf[0] << 8) | (word16)buf[1];
 	else
-		value = (buf[1] << 8) | buf[0];
+		value = ((word16)buf[1] << 8) | (word16)buf[0];
 	return len;
 }
@ -777,18 +782,32 @@ size_t BufferedTransformation::PeekWord32(word32 &value, ByteOrder order) const
 	byte buf[4] = {0, 0, 0, 0};
 	size_t len = Peek(buf, 4);
-	if (order)
+	if (order == BIG_ENDIAN_ORDER)
-		value = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf [3];
+		value = ((word32)buf[0] << 24) | ((word32)buf[1] << 16) |
 		        ((word32)buf[2] << 8)  |  (word32)buf[3];
 	else
-		value = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf [0];
+		value = ((word32)buf[3] << 24) | ((word32)buf[2] << 16) |
 		        ((word32)buf[1] << 8)  |  (word32)buf[0];
 	return len;
 }
-// Issue 340
+size_t BufferedTransformation::PeekWord64(word64 &value, ByteOrder order) const
-#if CRYPTOPP_GCC_DIAGNOSTIC_AVAILABLE
+{
-# pragma GCC diagnostic pop
+	byte buf[8] = {0, 0, 0, 0, 0, 0, 0, 0};
-#endif
+	size_t len = Peek(buf, 8);
 	if (order == BIG_ENDIAN_ORDER)
 		value = ((word64)buf[0] << 56) | ((word64)buf[1] << 48) | ((word64)buf[2] << 40) |
 		        ((word64)buf[3] << 32) | ((word64)buf[4] << 24) | ((word64)buf[5] << 16) |
 		        ((word64)buf[6] << 8)  |  (word64)buf[7];
 	else
 		value = ((word64)buf[7] << 56) | ((word64)buf[6] << 48) | ((word64)buf[5] << 40) |
 		        ((word64)buf[4] << 32) | ((word64)buf[3] << 24) | ((word64)buf[2] << 16) |
 		        ((word64)buf[1] << 8)  |  (word64)buf[0];
 	return len;
 }
 size_t BufferedTransformation::GetWord16(word16 &value, ByteOrder order)
 {
@ -800,6 +819,11 @@ size_t BufferedTransformation::GetWord32(word32 &value, ByteOrder order)
 	return (size_t)Skip(PeekWord32(value, order));
 }
 size_t BufferedTransformation::GetWord64(word64 &value, ByteOrder order)
 {
 	return (size_t)Skip(PeekWord64(value, order));
 }
 void BufferedTransformation::Attach(BufferedTransformation *newAttachment)
 {
 	if (AttachedTransformation() && AttachedTransformation()->Attachable())
--- a/cryptlib.h
+++ b/cryptlib.h
@ -3,7 +3,7 @@
 /// \file cryptlib.h
 /// \brief Abstract base classes that provide a uniform interface to this library.
-/*!	\mainpage Crypto++ Library 8.1 API Reference
+/*!	\mainpage Crypto++ Library 8.3 API Reference
 <dl>
 <dt>Abstract Base Classes<dd>
 	cryptlib.h
@ -202,6 +202,9 @@ private:
 class CRYPTOPP_DLL InvalidArgument : public Exception
 {
 public:
 	/// \brief Construct an InvalidArgument
 	/// \param s the message for the exception
 	/// \details The member function <tt>what()</tt> returns <tt>s</tt>.
 	explicit InvalidArgument(const std::string &s) : Exception(INVALID_ARGUMENT, s) {}
 };
@ -209,6 +212,9 @@ public:
 class CRYPTOPP_DLL InvalidDataFormat : public Exception
 {
 public:
 	/// \brief Construct an InvalidDataFormat
 	/// \param s the message for the exception
 	/// \details The member function <tt>what()</tt> returns <tt>s</tt>.
 	explicit InvalidDataFormat(const std::string &s) : Exception(INVALID_DATA_FORMAT, s) {}
 };
@ -216,6 +222,9 @@ public:
 class CRYPTOPP_DLL InvalidCiphertext : public InvalidDataFormat
 {
 public:
 	/// \brief Construct an InvalidCiphertext
 	/// \param s the message for the exception
 	/// \details The member function <tt>what()</tt> returns <tt>s</tt>.
 	explicit InvalidCiphertext(const std::string &s) : InvalidDataFormat(s) {}
 };
@ -223,6 +232,9 @@ public:
 class CRYPTOPP_DLL NotImplemented : public Exception
 {
 public:
 	/// \brief Construct an NotImplemented
 	/// \param s the message for the exception
 	/// \details The member function <tt>what()</tt> returns <tt>s</tt>.
 	explicit NotImplemented(const std::string &s) : Exception(NOT_IMPLEMENTED, s) {}
 };
@ -230,6 +242,9 @@ public:
 class CRYPTOPP_DLL CannotFlush : public Exception
 {
 public:
 	/// \brief Construct an CannotFlush
 	/// \param s the message for the exception
 	/// \details The member function <tt>what()</tt> returns <tt>s</tt>.
 	explicit CannotFlush(const std::string &s) : Exception(CANNOT_FLUSH, s) {}
 };
@ -238,6 +253,13 @@ class CRYPTOPP_DLL OS_Error : public Exception
 {
 public:
 	virtual ~OS_Error() throw() {}
 	/// \brief Construct an OS_Error
 	/// \param errorType the error type
 	/// \param s the message for the exception
 	/// \param operation the operation for the exception
 	/// \param errorCode the error code
 	/// \details The member function <tt>what()</tt> returns <tt>s</tt>.
 	OS_Error(ErrorType errorType, const std::string &s, const std::string& operation, int errorCode)
 		: Exception(errorType, s), m_operation(operation), m_errorCode(errorCode) {}
@ -255,7 +277,8 @@ protected:
 struct CRYPTOPP_DLL DecodingResult
 {
 	/// \brief Constructs a DecodingResult
-	/// \details isValidCoding is initialized to false and messageLength is initialized to 0.
+	/// \details isValidCoding is initialized to false and messageLength is
 	///  initialized to 0.
 	explicit DecodingResult() : isValidCoding(false), messageLength(0) {}
 	/// \brief Constructs a DecodingResult
 	/// \param len the message length
@ -264,11 +287,13 @@ struct CRYPTOPP_DLL DecodingResult
 	/// \brief Compare two DecodingResult
 	/// \param rhs the other DecodingResult
-	/// \return true if both isValidCoding and messageLength are equal, false otherwise
+	/// \return true if either isValidCoding or messageLength is \a not equal,
 	///  false otherwise
 	bool operator==(const DecodingResult &rhs) const {return isValidCoding == rhs.isValidCoding && messageLength == rhs.messageLength;}
 	/// \brief Compare two DecodingResult
 	/// \param rhs the other DecodingResult
-	/// \return true if either isValidCoding or messageLength is \a not equal, false otherwise
+	/// \return true if either isValidCoding or messageLength is \a not equal,
 	///  false otherwise
 	/// \details Returns <tt>!operator==(rhs)</tt>.
 	bool operator!=(const DecodingResult &rhs) const {return !operator==(rhs);}
@ -279,24 +304,28 @@ struct CRYPTOPP_DLL DecodingResult
 };
 /// \brief Interface for retrieving values given their names
-/// \details This class is used to safely pass a variable number of arbitrarily typed arguments to functions
+/// \details This class is used to safely pass a variable number of arbitrarily
-///   and to read values from keys and crypto parameters.
+///  typed arguments to functions and to read values from keys and crypto parameters.
-/// \details To obtain an object that implements NameValuePairs for the purpose of parameter
+/// \details To obtain an object that implements NameValuePairs for the purpose of
-///   passing, use the MakeParameters() function.
+///  parameter passing, use the MakeParameters() function.
-/// \details To get a value from NameValuePairs, you need to know the name and the type of the value.
+/// \details To get a value from NameValuePairs, you need to know the name and the
-///   Call GetValueNames() on a NameValuePairs object to obtain a list of value names that it supports.
+///  type of the value. Call GetValueNames() on a NameValuePairs object to obtain a
-///   then look at the Name namespace documentation to see what the type of each value is, or
+///  list of value names that it supports. then look at the Name namespace
-///   alternatively, call GetIntValue() with the value name, and if the type is not int, a
+///  documentation to see what the type of each value is, or alternatively, call
-///   ValueTypeMismatch exception will be thrown and you can get the actual type from the exception object.
+///  GetIntValue() with the value name, and if the type is not int, a
 ///  ValueTypeMismatch exception will be thrown and you can get the actual type from
 ///  the exception object.
 /// \sa NullNameValuePairs, g_nullNameValuePairs,
-///   <A HREF="http://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</A> on the Crypto++ wiki
+///  <A HREF="http://www.cryptopp.com/wiki/NameValuePairs">NameValuePairs</A> on the
 ///  Crypto++ wiki
 class NameValuePairs
 {
 public:
 	virtual ~NameValuePairs() {}
 	/// \brief Thrown when an unexpected type is encountered
-	/// \details Exception thrown when trying to retrieve a value using a different type than expected
+	/// \details Exception thrown when trying to retrieve a value using a different
 	///  type than expected
 	class CRYPTOPP_DLL ValueTypeMismatch : public InvalidArgument
 	{
 	public:
@ -1477,11 +1506,11 @@ public:
 	/// \brief Determine minimum number of bytes
 	/// \returns Minimum number of bytes which can be derived
-	virtual size_t MinDerivedLength() const;
+	virtual size_t MinDerivedKeyLength() const;
 	/// \brief Determine maximum number of bytes
 	/// \returns Maximum number of bytes which can be derived
-	virtual size_t MaxDerivedLength() const;
+	virtual size_t MaxDerivedKeyLength() const;
 	/// \brief Returns a valid key length for the derivation function
 	/// \param keylength the size of the derived key, in bytes
@ -1503,7 +1532,7 @@ public:
 	/// \param secretLen the size of the secret buffer, in bytes
 	/// \param params additional initialization parameters to configure this object
 	/// \returns the number of iterations performed
-	/// \throws InvalidDerivedLength if <tt>derivedLen</tt> is invalid for the scheme
+	/// \throws InvalidDerivedKeyLength if <tt>derivedLen</tt> is invalid for the scheme
 	/// \details DeriveKey() provides a standard interface to derive a key from
 	///   a secret seed and other parameters. Each class that derives from KeyDerivationFunction
 	///   provides an overload that accepts most parameters used by the derivation function.
@ -1525,7 +1554,7 @@ protected:
 	/// \brief Validates the derived key length
 	/// \param length the size of the derived key material, in bytes
 	/// \throws InvalidKeyLength if the key length is invalid
-	void ThrowIfInvalidDerivedLength(size_t length) const;
+	void ThrowIfInvalidDerivedKeyLength(size_t length) const;
 };
 /// \brief Interface for password based key derivation functions
@ -1614,8 +1643,8 @@ public:
 		/// \brief Input a byte for processing
 		/// \param inByte the 8-bit byte (octet) to be processed.
 		/// \param blocking specifies whether the object should block when processing input.
-		/// \return the number of bytes that remain in the block (i.e., bytes not processed). 0 indicates all
+		/// \return the number of bytes that remain in the block (i.e., bytes not processed).
-		///   bytes were processed.
+		///   0 indicates all bytes were processed.
 		/// \details <tt>Put(byte)</tt> calls <tt>Put(byte*, size_t)</tt>.
 		size_t Put(byte inByte, bool blocking=true)
 			{return Put(&inByte, 1, blocking);}
@ -1624,8 +1653,8 @@ public:
 		/// \param inString the byte buffer to process
 		/// \param length the size of the string, in bytes
 		/// \param blocking specifies whether the object should block when processing input
-		/// \return the number of bytes that remain in the block (i.e., bytes not processed). 0 indicates all
+		/// \return the number of bytes that remain in the block (i.e., bytes not processed).
-		///   bytes were processed.
+		///   0 indicates all bytes were processed.
 		/// \details Internally, Put() calls Put2().
 		size_t Put(const byte *inString, size_t length, bool blocking=true)
 			{return Put2(inString, length, 0, blocking);}
@ -1634,18 +1663,26 @@ public:
 		/// \param value the 16-bit value to be processed
 		/// \param order the ByteOrder of the value to be processed.
 		/// \param blocking specifies whether the object should block when processing input
-		/// \return the number of bytes that remain in the block (i.e., bytes not processed). 0 indicates all
+		/// \return the number of bytes that remain in the block (i.e., bytes not processed).
-		///   bytes were processed.
+		///   0 indicates all bytes were processed.
 		size_t PutWord16(word16 value, ByteOrder order=BIG_ENDIAN_ORDER, bool blocking=true);
 		/// Input a 32-bit word for processing.
 		/// \param value the 32-bit value to be processed.
 		/// \param order the ByteOrder of the value to be processed.
 		/// \param blocking specifies whether the object should block when processing input.
-		/// \return the number of bytes that remain in the block (i.e., bytes not processed). 0 indicates all
+		/// \return the number of bytes that remain in the block (i.e., bytes not processed).
-		///   bytes were processed.
+		///   0 indicates all bytes were processed.
 		size_t PutWord32(word32 value, ByteOrder order=BIG_ENDIAN_ORDER, bool blocking=true);
 		/// Input a 64-bit word for processing.
 		/// \param value the 64-bit value to be processed.
 		/// \param order the ByteOrder of the value to be processed.
 		/// \param blocking specifies whether the object should block when processing input.
 		/// \return the number of bytes that remain in the block (i.e., bytes not processed).
 		///   0 indicates all bytes were processed.
 		size_t PutWord64(word64 value, ByteOrder order=BIG_ENDIAN_ORDER, bool blocking=true);
 		/// \brief Request space which can be written into by the caller
 		/// \param size the requested size of the buffer
 		/// \return byte pointer to the space to input data
@ -1781,18 +1818,23 @@ public:
 		/// \brief Flush buffered input and/or output, with signal propagation
 		/// \param hardFlush is used to indicate whether all data should be flushed
-		/// \param propagation the number of attached transformations the Flush() signal should be passed
+		/// \param propagation the number of attached transformations the Flush()
-		/// \param blocking specifies whether the object should block when processing input
+		///  signal should be passed
-		/// \details propagation count includes this object. Setting propagation to <tt>1</tt> means this
+		/// \param blocking specifies whether the object should block when processing
-		///   object only. Setting propagation to <tt>-1</tt> means unlimited propagation.
+		///  input
-		/// \note Hard flushes must be used with care. It means try to process and output everything, even if
+		/// \details propagation count includes this object. Setting propagation to
-		///   there may not be enough data to complete the action. For example, hard flushing a HexDecoder
+		///  <tt>1</tt> means this object only. Setting propagation to <tt>-1</tt>
-		///   would cause an error if you do it after inputing an odd number of hex encoded characters.
+		///  means unlimited propagation.
-		/// \note For some types of filters, like  ZlibDecompressor, hard flushes can only
+		/// \note Hard flushes must be used with care. It means try to process and
-		///   be done at "synchronization points". These synchronization points are positions in the data
+		///  output everything, even if there may not be enough data to complete the
-		///   stream that are created by hard flushes on the corresponding reverse filters, in this
+		///  action. For example, hard flushing a HexDecoder would cause an error if
-		///   example ZlibCompressor. This is useful when zlib compressed data is moved across a
+		///  you do it after inputing an odd number of hex encoded characters.
-		///   network in packets and compression state is preserved across packets, as in the SSH2 protocol.
+		/// \note For some types of filters, like  ZlibDecompressor, hard flushes can
 		///  only be done at "synchronization points". These synchronization points
 		///  are positions in the data stream that are created by hard flushes on the
 		///  corresponding reverse filters, in this example ZlibCompressor. This is
 		///  useful when zlib compressed data is moved across a network in packets
 		///  and compression state is preserved across packets, as in the SSH2 protocol.
 		virtual bool Flush(bool hardFlush, int propagation=-1, bool blocking=true);
 		/// \brief Marks the end of a series of messages, with signal propagation
@ -1856,7 +1898,7 @@ public:
 		/// \param peekMax the number of bytes to Peek
 		/// \return the number of bytes read during the call.
 		/// \details Peek does not remove bytes from the object. Use the return value of
-		///     Get() to detect short reads.
+		///     Peek() to detect short reads.
 		virtual size_t Peek(byte *outString, size_t peekMax) const;
 		/// \brief Retrieve a 16-bit word
@ -1870,15 +1912,23 @@ public:
 		/// \param value the 32-bit value to be retrieved
 		/// \param order the ByteOrder of the value to be processed.
 		/// \return the number of bytes consumed during the call.
-		/// \details Use the return value of GetWord16() to detect short reads.
+		/// \details Use the return value of GetWord32() to detect short reads.
 		size_t GetWord32(word32 &value, ByteOrder order=BIG_ENDIAN_ORDER);
 		/// \brief Retrieve a 64-bit word
 		/// \param value the 64-bit value to be retrieved
 		/// \param order the ByteOrder of the value to be processed.
 		/// \return the number of bytes consumed during the call.
 		/// \details Use the return value of GetWord64() to detect short reads.
 		/// \since Crypto++ 8.3
 		size_t GetWord64(word64 &value, ByteOrder order=BIG_ENDIAN_ORDER);
 		/// \brief Peek a 16-bit word
 		/// \param value the 16-bit value to be retrieved
 		/// \param order the ByteOrder of the value to be processed.
 		/// \return the number of bytes consumed during the call.
 		/// \details Peek does not consume bytes in the stream. Use the return value
-		///    of GetWord16() to detect short reads.
+		///    of PeekWord16() to detect short reads.
 		size_t PeekWord16(word16 &value, ByteOrder order=BIG_ENDIAN_ORDER) const;
 		/// \brief Peek a 32-bit word
@ -1886,9 +1936,18 @@ public:
 		/// \param order the ByteOrder of the value to be processed.
 		/// \return the number of bytes consumed during the call.
 		/// \details Peek does not consume bytes in the stream. Use the return value
-		///    of GetWord16() to detect short reads.
+		///    of PeekWord32() to detect short reads.
 		size_t PeekWord32(word32 &value, ByteOrder order=BIG_ENDIAN_ORDER) const;
 		/// \brief Peek a 64-bit word
 		/// \param value the 64-bit value to be retrieved
 		/// \param order the ByteOrder of the value to be processed.
 		/// \return the number of bytes consumed during the call.
 		/// \details Peek does not consume bytes in the stream. Use the return value
 		///    of PeekWord64() to detect short reads.
 		/// \since Crypto++ 8.3
 		size_t PeekWord64(word64 &value, ByteOrder order=BIG_ENDIAN_ORDER) const;
 		/// move transferMax bytes of the buffered output to target as input
 		/// \brief Transfer bytes from this object to another BufferedTransformation
@ -2035,7 +2094,7 @@ public:
 		/// \param channel the channel on which the transfer should occur
 		/// \param blocking specifies whether the object should block when processing input
 		/// \return the number of bytes that remain in the transfer block (i.e., bytes not transferred)
-		/// \details TransferTo() removes bytes from this object and moves them to the destination.
+		/// \details TransferTo2() removes bytes from this object and moves them to the destination.
 		///   Transfer begins at the index position in the current stream, and not from an absolute
 		///   position in the stream.
 		/// \details byteCount is an \a IN and \a OUT parameter. When the call is made,
@ -2144,6 +2203,15 @@ public:
 		///   number of bytes that were not processed.
 		size_t ChannelPutWord32(const std::string &channel, word32 value, ByteOrder order=BIG_ENDIAN_ORDER, bool blocking=true);
 		/// \brief Input a 64-bit word for processing on a channel.
 		/// \param channel the channel to process the data.
 		/// \param value the 64-bit value to be processed.
 		/// \param order the ByteOrder of the value to be processed.
 		/// \param blocking specifies whether the object should block when processing input.
 		/// \return 0 indicates all bytes were processed during the call. Non-0 indicates the
 		///   number of bytes that were not processed.
 		size_t ChannelPutWord64(const std::string &channel, word64 value, ByteOrder order=BIG_ENDIAN_ORDER, bool blocking=true);
 		/// \brief Signal the end of a message
 		/// \param channel the channel to process the data.
 		/// \param propagation the number of attached transformations the ChannelMessageEnd() signal should be passed
@ -2272,7 +2340,10 @@ protected:
 		{return propagation != 0 ? propagation - 1 : 0;}
 private:
-	byte m_buf[4];	// for ChannelPutWord16 and ChannelPutWord32, to ensure buffer isn't deallocated before non-blocking operation completes
+	// for ChannelPutWord16, ChannelPutWord32 and ChannelPutWord64,
 	// to ensure the buffer isn't deallocated before non-blocking
 	// operation completes
 	byte m_buf[8];
 };
 /// \brief An input discarding BufferedTransformation
--- a/cryptlib.vcxproj
+++ b/cryptlib.vcxproj
@ -373,6 +373,16 @@
      <Command>ml64.exe /c /nologo /D_M_X64 /W3 /Cx /Zi /Fo"$(IntDir)rdrand-x64.obj" "%(FullPath)"</Command>
      <Outputs>$(IntDir)\rdrand-x64.obj;%(Outputs)</Outputs>
    </CustomBuild>
    <CustomBuild Condition="'$(Platform)'=='Win32'" Include="rdseed.asm">
      <Message>Building and assembling rdseed.asm</Message>
      <Command>ml.exe /c /nologo /D_M_X86 /W3 /Cx /Zi /safeseh /Fo"$(IntDir)rdseed-x86.obj" "%(FullPath)"</Command>
      <Outputs>$(IntDir)\rdseed-x86.obj;%(Outputs)</Outputs>
    </CustomBuild>
    <CustomBuild Condition="'$(Platform)'=='x64'" Include="rdseed.asm">
      <Message>Building and assembling rdseed.asm</Message>
      <Command>ml64.exe /c /nologo /D_M_X64 /W3 /Cx /Zi /Fo"$(IntDir)rdseed-x64.obj" "%(FullPath)"</Command>
      <Outputs>$(IntDir)\rdseed-x64.obj;%(Outputs)</Outputs>
    </CustomBuild>
    <CustomBuild Condition="'$(Platform)'=='x64' AND ('$(Configuration)'=='Debug' Or '$(Configuration)'=='Release')" Include="x64dll.asm">
      <Message>Building and assembling x64dll.asm</Message>
      <Command>ml64.exe /c /nologo /D_M_X64 /W3 /Zi /Fo"$(IntDir)x64dll.obj" "%(FullPath)"</Command>
@ -412,6 +422,16 @@
    <ClInclude Include="channels.h" />
    <ClInclude Include="cmac.h" />
    <ClInclude Include="config.h" />
    <ClInclude Include="config_align.h" />
    <ClInclude Include="config_asm.h" />
    <ClInclude Include="config_cpu.h" />
    <ClInclude Include="config_cxx.h" />
    <ClInclude Include="config_dll.h" />
    <ClInclude Include="config_int.h" />
    <ClInclude Include="config_misc.h" />
    <ClInclude Include="config_ns.h" />
    <ClInclude Include="config_os.h" />
    <ClInclude Include="config_ver.h" />
    <ClInclude Include="cpu.h" />
    <ClInclude Include="crc.h" />
    <ClInclude Include="cryptlib.h" />
--- a/cryptlib.vcxproj.filters
+++ b/cryptlib.vcxproj.filters
@ -615,6 +615,36 @@
    <ClInclude Include="config.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_align.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_asm.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_cpu.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_cxx.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_dll.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_int.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_misc.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_ns.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_os.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="config_ver.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="cpu.h">
      <Filter>Header Files</Filter>
    </ClInclude>
@ -1034,6 +1064,9 @@
    <CustomBuild Include="rdrand.asm">
      <Filter>Source Files</Filter>
    </CustomBuild>
    <CustomBuild Include="rdseed.asm">
      <Filter>Source Files</Filter>
    </CustomBuild>
    <CustomBuild Include="x64dll.asm">
      <Filter>Source Files</Filter>
    </CustomBuild>
--- a/cryptopp.rc
+++ b/cryptopp.rc
@ -27,8 +27,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
 //
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 8,1,0,0
+ FILEVERSION 8,3,0,0
- PRODUCTVERSION 8,1,0,0
+ PRODUCTVERSION 8,3,0,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -46,13 +46,13 @@ BEGIN
            VALUE "Comments", "Free crypto library, more information available at www.cryptopp.com"
            VALUE "CompanyName", "Wei Dai"
            VALUE "FileDescription", "Crypto++® Library DLL"
-            VALUE "FileVersion", "8, 1, 0, 0"
+            VALUE "FileVersion", "8, 3, 0, 0"
            VALUE "InternalName", "cryptopp"
-            VALUE "LegalCopyright", "Copyright© 1995-2018 by Wei Dai"
+            VALUE "LegalCopyright", "Copyright© 1995-2019 by Wei Dai"
            VALUE "LegalTrademarks", "Crypto++®"
            VALUE "OriginalFilename", "cryptopp.dll"
            VALUE "ProductName", "Crypto++® Library"
-            VALUE "ProductVersion", "8, 1, 0, 0"
+            VALUE "ProductVersion", "8, 3, 0, 0"
        END
    END
    BLOCK "VarFileInfo"
--- a/darn.h
+++ b/darn.h
@ -2,11 +2,12 @@
 //          DARN requires POWER9/ISA 3.0.
 // At the moment only GCC 7.0 (and above) seems to support __builtin_darn()
-// and __builtin_darn_32(). Clang 7.0 does not provide them, but it does
+// and __builtin_darn_32(). However, GCC generates incorrect code. Clang 7.0
-// support assembly instructions. XLC is unknown, but there are no hits when
+// does not provide them, but it does support assembly instructions. XLC is
-// searching IBM's site. To cover more platforms we provide GCC inline
+// unknown, but there are no hits when searching IBM's site. To cover more
-// assembly like we do with RDRAND and RDSEED. Platforms that don't support
+// platforms we provide GCC inline assembly like we do with RDRAND and RDSEED.
-// GCC inline assembly or the builtin will fail the compile. Also see
+// Platforms that don't support GCC inline assembly or the builtin will fail
 // to compile. Also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481 and
 // https://gcc.gnu.org/onlinedocs/gcc/Basic-PowerPC-Built-in-Functions-Available-on-ISA-3_002e0.html
 /// \file darn.h
--- a/datatest.cpp
+++ b/datatest.cpp
@ -8,7 +8,6 @@
 #include "factory.h"
 #include "integer.h"
 #include "filters.h"
 #include "hex.h"
 #include "randpool.h"
 #include "files.h"
 #include "trunhash.h"
@ -16,6 +15,8 @@
 #include "smartptr.h"
 #include "validate.h"
 #include "stdcpp.h"
 #include "misc.h"
 #include "hex.h"
 #include "trap.h"
 #include <iostream>
@ -208,7 +209,7 @@ void PutDecodedDatumInto(const TestData &data, const char *name, BufferedTransfo
 		while (repeat--)
 		{
-			q.Put(reinterpret_cast<const byte*>(&s2[0]), s2.size());
+			q.Put(ConstBytePtr(s2), BytePtrSize(s2));
 			RandomizedTransfer(q, target, false);
 		}
 	}
@ -265,10 +266,11 @@ public:
 			*reinterpret_cast<int *>(pValue) = atoi(value.c_str());
 		else if (valueType == typeid(word64))
 		{
-			std::string x(value); errno = 0;
+			std::string x(value.empty() ? "0" : value);
 			const char* beg = &x[0];
 			char* end = &x[0] + value.size();
 			errno = 0;
 			*reinterpret_cast<word64*>(pValue) = STRTOUL64(beg, &end, 0);
 			if (errno != 0)
 				return false;
@ -279,7 +281,7 @@ public:
 		{
 			m_temp.clear();
 			PutDecodedDatumInto(m_data, name, StringSink(m_temp).Ref());
-			reinterpret_cast<ConstByteArrayParameter *>(pValue)->Assign(reinterpret_cast<const byte *>(&m_temp[0]), m_temp.size(), false);
+			reinterpret_cast<ConstByteArrayParameter *>(pValue)->Assign(ConstBytePtr(m_temp), BytePtrSize(m_temp), false);
 		}
 		else
 			throw ValueTypeMismatch(name, typeid(std::string), valueType);
@ -496,8 +498,8 @@ void TestSymmetricCipher(TestData &v, const NameValuePairs &overrideParameters)
 		}
 		else
 		{
-			encryptor->SetKey(reinterpret_cast<const byte*>(&key[0]), key.size(), pairs);
+			encryptor->SetKey(ConstBytePtr(key), BytePtrSize(key), pairs);
-			decryptor->SetKey(reinterpret_cast<const byte*>(&key[0]), key.size(), pairs);
+			decryptor->SetKey(ConstBytePtr(key), BytePtrSize(key), pairs);
 		}
 		word64 seek64 = pairs.GetWord64ValueWithDefault("Seek64", 0);
@ -547,13 +549,13 @@ void TestSymmetricCipher(TestData &v, const NameValuePairs &overrideParameters)
 				encrypted.reserve(10000 * plaintext.size());
 				for (int j=0; j<10000; j++)
 				{
-					cipher->ProcessString(reinterpret_cast<byte*>(&buf[0]), buf.size());
+					cipher->ProcessString(BytePtr(buf), BytePtrSize(buf));
 					encrypted.append(buf.begin(), buf.end());
 				}
 				encrypted.erase(0, encrypted.size() - keybuf.size());
-				xorbuf(reinterpret_cast<byte*>(&keybuf[0]), reinterpret_cast<const byte*>(&encrypted[0]), keybuf.size());
+				xorbuf(BytePtr(keybuf), BytePtr(encrypted), BytePtrSize(keybuf));
-				cipher->SetKey(reinterpret_cast<const byte*>(&keybuf[0]), keybuf.size());
+				cipher->SetKey(BytePtr(keybuf), BytePtrSize(keybuf));
 			}
 			encrypted.assign(buf.begin(), buf.end());
@ -641,8 +643,8 @@ void TestAuthenticatedSymmetricCipher(TestData &v, const NameValuePairs &overrid
 		member_ptr<AuthenticatedSymmetricCipher> encryptor, decryptor;
 		encryptor.reset(ObjectFactoryRegistry<AuthenticatedSymmetricCipher, ENCRYPTION>::Registry().CreateObject(name.c_str()));
 		decryptor.reset(ObjectFactoryRegistry<AuthenticatedSymmetricCipher, DECRYPTION>::Registry().CreateObject(name.c_str()));
-		encryptor->SetKey(reinterpret_cast<const byte*>(&key[0]), key.size(), pairs);
+		encryptor->SetKey(ConstBytePtr(key), BytePtrSize(key), pairs);
-		decryptor->SetKey(reinterpret_cast<const byte*>(&key[0]), key.size(), pairs);
+		decryptor->SetKey(ConstBytePtr(key), BytePtrSize(key), pairs);
 		// Code coverage
 		(void)encryptor->AlgorithmName();
@ -736,7 +738,7 @@ void TestDigestOrMAC(TestData &v, bool testDigest)
 		mac.reset(ObjectFactoryRegistry<MessageAuthenticationCode>::Registry().CreateObject(name.c_str()));
 		pHash = mac.get();
 		std::string key = GetDecodedDatum(v, "Key");
-		mac->SetKey(reinterpret_cast<const byte *>(&key[0]), key.size(), pairs);
+		mac->SetKey(ConstBytePtr(key), BytePtrSize(key), pairs);
 		// Code coverage
 		(void)mac->AlgorithmName();
@ -779,8 +781,7 @@ void TestKeyDerivationFunction(TestData &v)
 	kdf.reset(ObjectFactoryRegistry<KeyDerivationFunction>::Registry().CreateObject(name.c_str()));
 	std::string calculated; calculated.resize(expected.size());
-	kdf->DeriveKey(reinterpret_cast<byte*>(&calculated[0]), calculated.size(),
+	kdf->DeriveKey(BytePtr(calculated), BytePtrSize(calculated), BytePtr(secret), BytePtrSize(secret), pairs);
 		reinterpret_cast<const byte*>(&secret[0]), secret.size(), pairs);
 	if(calculated != expected)
 	{
--- a/donna_32.cpp
+++ b/donna_32.cpp
@ -37,6 +37,18 @@
 // Squash MS LNK4221 and libtool warnings
 extern const char DONNA32_FNAME[] = __FILE__;
 ANONYMOUS_NAMESPACE_BEGIN
 // Can't use GetAlignmentOf<word32>() because of C++11 and constexpr
 // Can use 'const unsigned int' because of MSVC 2013
 #if (CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64)
 # define ALIGN_SPEC 16
 #else
 # define ALIGN_SPEC 4
 #endif
 ANONYMOUS_NAMESPACE_END
 #if defined(CRYPTOPP_CURVE25519_32BIT)
 #include "donna_32.h"
@ -431,7 +443,7 @@ curve25519_swap_conditional(bignum25519 x, bignum25519 qpx, word32 iswap) {
 */
 void
 curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
-    ALIGN(16) bignum25519 t0,c;
+    ALIGN(ALIGN_SPEC) bignum25519 t0,c;
    /* 2^5  - 2^0 */ /* b */
    /* 2^10 - 2^5 */ curve25519_square_times(t0, b, 5);
@ -455,7 +467,7 @@ curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
 */
 void
 curve25519_recip(bignum25519 out, const bignum25519 z) {
-    ALIGN(16) bignum25519 a, t0, b;
+    ALIGN(ALIGN_SPEC) bignum25519 a, t0, b;
    /* 2 */ curve25519_square(a, z); /* a = 2 */
    /* 8 */ curve25519_square_times(t0, a, 2);
@ -913,7 +925,33 @@ curve25519_contract(byte out[32], const bignum25519 in) {
 /* out = (flag) ? in : out */
 inline void
-curve25519_move_conditional_bytes(byte out[96], const byte in[96], word32 flag) {
+curve25519_move_conditional_bytes(byte out[96], const byte in[96], word32 flag)
 {
    // TODO: enable this code path once we can test and benchmark it.
    // It is about 48 insns shorter, it avoids punning which may be UB,
    // and it is guaranteed constant time.
 #if defined(__GNUC__) && defined(__i686__) && 0
    const word32 iter = 96/sizeof(word32);
    word32* outl = reinterpret_cast<word32*>(out);
    const word32* inl = reinterpret_cast<const word32*>(in);
    word32 idx=0, val;
    __asm__ __volatile__ (
        ".att_syntax                         ;\n"
        "cmpl     $0, %[flag]                ;\n"  // compare, set ZERO flag
        "movl     %[iter], %%ecx             ;\n"  // load iteration count
        "1:                                  ;\n"
        "  movl     (%[idx],%[out]), %[val]  ;\n"  // val = out[idx]
        "  cmovnzl  (%[idx],%[in]), %[val]   ;\n"  // copy in[idx] to val if NZ
        "  movl     %[val], (%[idx],%[out])  ;\n"  // out[idx] = val
        "  leal     4(%[idx]), %[idx]        ;\n"  // increment index
        "  loopnz   1b                       ;\n"  // does not affect flags
        : [out] "+S" (outl), [in] "+D" (inl),
          [idx] "+b" (idx), [val] "=r" (val)
        : [flag] "g" (flag), [iter] "I" (iter)
        : "ecx", "memory", "cc"
    );
 #else
    const word32 nb = flag - 1, b = ~nb;
    const word32 *inl = (const word32 *)in;
    word32 *outl = (word32 *)out;
@ -941,6 +979,7 @@ curve25519_move_conditional_bytes(byte out[96], const byte in[96], word32 flag)
    outl[21] = (outl[21] & nb) | (inl[21] & b);
    outl[22] = (outl[22] & nb) | (inl[22] & b);
    outl[23] = (outl[23] & nb) | (inl[23] & b);
 #endif
 }
 /* if (iswap) swap(a, b) */
@ -967,7 +1006,7 @@ curve25519_swap_conditional(bignum25519 a, bignum25519 b, word32 iswap) {
 */
 void
 curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
-    ALIGN(16) bignum25519 t0,c;
+    ALIGN(ALIGN_SPEC) bignum25519 t0,c;
    /* 2^5  - 2^0 */ /* b */
    /* 2^10 - 2^5 */ curve25519_square_times(t0, b, 5);
@ -991,7 +1030,7 @@ curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
 */
 void
 curve25519_recip(bignum25519 out, const bignum25519 z) {
-    ALIGN(16) bignum25519 a,t0,b;
+    ALIGN(ALIGN_SPEC) bignum25519 a,t0,b;
    /* 2 */ curve25519_square_times(a, z, 1); /* a = 2 */
    /* 8 */ curve25519_square_times(t0, a, 2);
@ -1009,7 +1048,7 @@ curve25519_recip(bignum25519 out, const bignum25519 z) {
 */
 void
 curve25519_pow_two252m3(bignum25519 two252m3, const bignum25519 z) {
-    ALIGN(16) bignum25519 b,c,t0;
+    ALIGN(ALIGN_SPEC) bignum25519 b,c,t0;
    /* 2 */ curve25519_square_times(c, z, 1); /* c = 2 */
    /* 8 */ curve25519_square_times(t0, c, 2); /* t0 = 8 */
@ -1865,7 +1904,7 @@ ed25519_publickey_CXX(byte publicKey[32], const byte secretKey[32])
    using namespace CryptoPP::Donna::Ed25519;
    bignum256modm a;
-    ALIGN(16) ge25519 A;
+    ALIGN(ALIGN_SPEC) ge25519 A;
    hash_512bits extsk;
    /* A = aB */
@ -1889,7 +1928,7 @@ ed25519_sign_CXX(std::istream& stream, const byte sk[32], const byte pk[32], byt
    using namespace CryptoPP::Donna::Ed25519;
    bignum256modm r, S, a;
-    ALIGN(16) ge25519 R;
+    ALIGN(ALIGN_SPEC) ge25519 R;
    hash_512bits extsk, hashr, hram;
    // Unfortunately we need to read the stream twice. The fisrt time calculates
@ -1938,7 +1977,7 @@ ed25519_sign_CXX(const byte *m, size_t mlen, const byte sk[32], const byte pk[32
    using namespace CryptoPP::Donna::Ed25519;
    bignum256modm r, S, a;
-    ALIGN(16) ge25519 R;
+    ALIGN(ALIGN_SPEC) ge25519 R;
    hash_512bits extsk, hashr, hram;
    ed25519_extsk(extsk, sk);
@ -1990,7 +2029,7 @@ ed25519_sign_open_CXX(std::istream& stream, const byte pk[32], const byte RS[64]
    using namespace CryptoPP::Donna::Ed25519;
-    ALIGN(16) ge25519 R, A;
+    ALIGN(ALIGN_SPEC) ge25519 R, A;
    hash_512bits hash;
    bignum256modm hram, S;
    byte checkR[32];
@ -2018,7 +2057,7 @@ ed25519_sign_open_CXX(const byte *m, size_t mlen, const byte pk[32], const byte
    using namespace CryptoPP::Donna::Ed25519;
-    ALIGN(16) ge25519 R, A;
+    ALIGN(ALIGN_SPEC) ge25519 R, A;
    hash_512bits hash;
    bignum256modm hram, S;
    byte checkR[32];
--- a/donna_64.cpp
+++ b/donna_64.cpp
@ -37,6 +37,18 @@
 // Squash MS LNK4221 and libtool warnings
 extern const char DONNA64_FNAME[] = __FILE__;
 ANONYMOUS_NAMESPACE_BEGIN
 // Can't use GetAlignmentOf<word64>() because of C++11 and constexpr
 // Can use 'const unsigned int' because of MSVC 2013
 #if (CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64)
 # define ALIGN_SPEC 16
 #else
 # define ALIGN_SPEC 8
 #endif
 ANONYMOUS_NAMESPACE_END
 #if defined(CRYPTOPP_CURVE25519_64BIT)
 #include "donna_64.h"
@ -359,7 +371,7 @@ curve25519_swap_conditional(bignum25519 x, bignum25519 qpx, word64 iswap) {
 */
 void
 curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
-    ALIGN(16) bignum25519 t0,c;
+    ALIGN(ALIGN_SPEC) bignum25519 t0,c;
    /* 2^5  - 2^0 */ /* b */
    /* 2^10 - 2^5 */ curve25519_square_times(t0, b, 5);
@ -383,7 +395,7 @@ curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
 */
 void
 curve25519_recip(bignum25519 out, const bignum25519 z) {
-    ALIGN(16) bignum25519 a, t0, b;
+    ALIGN(ALIGN_SPEC) bignum25519 a, t0, b;
    /* 2 */ curve25519_square(a, z); /* a = 2 */
    /* 8 */ curve25519_square_times(t0, a, 2);
@ -735,10 +747,36 @@ curve25519_contract(byte *out, const bignum25519 input) {
 /* out = (flag) ? in : out */
 inline void
-curve25519_move_conditional_bytes(byte out[96], const byte in[96], word64 flag) {
+curve25519_move_conditional_bytes(byte out[96], const byte in[96], word64 flag)
 {
    // TODO: enable this code path once we can test and benchmark it.
    // It is about 24 insns shorter, it avoids punning which may be UB,
    // and it is guaranteed constant time.
 #if defined(__GNUC__) && defined(__x86_64__) && 0
    const word32 iter = 96/sizeof(word64);
    word64* outq = reinterpret_cast<word64*>(out);
    const word64* inq = reinterpret_cast<const word64*>(in);
    word64 idx=0, val;
    __asm__ __volatile__ (
        ".att_syntax                         ;\n"
        "cmpq     $0, %[flag]                ;\n"  // compare, set ZERO flag
        "movq     %[iter], %%rcx             ;\n"  // load iteration count
        "1:                                  ;\n"
        "  movq     (%[idx],%[out]), %[val]  ;\n"  // val = out[idx]
        "  cmovnzq  (%[idx],%[in]), %[val]   ;\n"  // copy in[idx] to val if NZ
        "  movq     %[val], (%[idx],%[out])  ;\n"  // out[idx] = val
        "  leaq     8(%[idx]), %[idx]        ;\n"  // increment index
        "  loopnz   1b                       ;\n"  // does not affect flags
        : [out] "+S" (outq), [in] "+D" (inq),
          [idx] "+b" (idx), [val] "=r" (val)
        : [flag] "g" (flag), [iter] "I" (iter)
        : "rcx", "memory", "cc"
    );
 #else
    const word64 nb = flag - 1, b = ~nb;
-    const word64 *inq = (const word64 *)in;
+    const word64 *inq = (const word64 *)(const void*)in;
-    word64 *outq = (word64 *)out;
+    word64 *outq = (word64 *)(void *)out;
    outq[0] = (outq[0] & nb) | (inq[0] & b);
    outq[1] = (outq[1] & nb) | (inq[1] & b);
    outq[2] = (outq[2] & nb) | (inq[2] & b);
@ -751,6 +789,7 @@ curve25519_move_conditional_bytes(byte out[96], const byte in[96], word64 flag)
    outq[9] = (outq[9] & nb) | (inq[9] & b);
    outq[10] = (outq[10] & nb) | (inq[10] & b);
    outq[11] = (outq[11] & nb) | (inq[11] & b);
 #endif
 }
 /* if (iswap) swap(a, b) */
@ -1065,7 +1104,7 @@ contract256_slidingwindow_modm(signed char r[256], const bignum256modm s, int wi
 */
 void
 curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
-    ALIGN(16) bignum25519 t0,c;
+    ALIGN(ALIGN_SPEC) bignum25519 t0,c;
    /* 2^5  - 2^0 */ /* b */
    /* 2^10 - 2^5 */ curve25519_square_times(t0, b, 5);
@ -1089,7 +1128,7 @@ curve25519_pow_two5mtwo0_two250mtwo0(bignum25519 b) {
 */
 void
 curve25519_recip(bignum25519 out, const bignum25519 z) {
-    ALIGN(16) bignum25519 a,t0,b;
+    ALIGN(ALIGN_SPEC) bignum25519 a,t0,b;
    /* 2 */ curve25519_square_times(a, z, 1); /* a = 2 */
    /* 8 */ curve25519_square_times(t0, a, 2);
@ -1107,7 +1146,7 @@ curve25519_recip(bignum25519 out, const bignum25519 z) {
 */
 void
 curve25519_pow_two252m3(bignum25519 two252m3, const bignum25519 z) {
-    ALIGN(16) bignum25519 b,c,t0;
+    ALIGN(ALIGN_SPEC) bignum25519 b,c,t0;
    /* 2 */ curve25519_square_times(c, z, 1); /* c = 2 */
    /* 8 */ curve25519_square_times(t0, c, 2); /* t0 = 8 */
@ -1580,7 +1619,7 @@ ed25519_publickey_CXX(byte publicKey[32], const byte secretKey[32])
    using namespace CryptoPP::Donna::Ed25519;
    bignum256modm a;
-    ALIGN(16) ge25519 A;
+    ALIGN(ALIGN_SPEC) ge25519 A;
    hash_512bits extsk;
    /* A = aB */
@ -1604,7 +1643,7 @@ ed25519_sign_CXX(std::istream& stream, const byte sk[32], const byte pk[32], byt
    using namespace CryptoPP::Donna::Ed25519;
    bignum256modm r, S, a;
-    ALIGN(16) ge25519 R;
+    ALIGN(ALIGN_SPEC) ge25519 R;
    hash_512bits extsk, hashr, hram;
    // Unfortunately we need to read the stream twice. The fisrt time calculates
@ -1652,7 +1691,7 @@ ed25519_sign_CXX(const byte *m, size_t mlen, const byte sk[32], const byte pk[32
    using namespace CryptoPP::Donna::Ed25519;
    bignum256modm r, S, a;
-    ALIGN(16) ge25519 R;
+    ALIGN(ALIGN_SPEC) ge25519 R;
    hash_512bits extsk, hashr, hram;
    ed25519_extsk(extsk, sk);
@ -1703,7 +1742,7 @@ ed25519_sign_open_CXX(const byte *m, size_t mlen, const byte pk[32], const byte
    using namespace CryptoPP::Donna::Ed25519;
-    ALIGN(16) ge25519 R, A;
+    ALIGN(ALIGN_SPEC) ge25519 R, A;
    hash_512bits hash;
    bignum256modm hram, S;
    byte checkR[32];
@ -1731,7 +1770,7 @@ ed25519_sign_open_CXX(std::istream& stream, const byte pk[32], const byte RS[64]
    using namespace CryptoPP::Donna::Ed25519;
-    ALIGN(16) ge25519 R, A;
+    ALIGN(ALIGN_SPEC) ge25519 R, A;
    hash_512bits hash;
    bignum256modm hram, S;
    byte checkR[32];
--- a/donna_sse.cpp
+++ b/donna_sse.cpp
@ -1059,13 +1059,13 @@ int curve25519_mult_SSE2(byte sharedKey[32], const byte secretKey[32], const byt
    packed32bignum25519 qx, qz, pqz, pqx;
    packed64bignum25519 nq, sq, sqscalar, prime, primex, primez, nqpq;
    bignum25519mulprecomp preq;
-    size_t i=0, bit=0, lastbit=0;
+    size_t bit=0, lastbit=0;
    curve25519_expand(nqpqx, othersKey);
    curve25519_mul_precompute(&preq, nqpqx);
    /* do bits 254..3 */
-    for (i = 254, lastbit=0; i >= 3; i--) {
+    for (size_t i = 254, lastbit=0; i >= 3; i--) {
        bit = (e[i/8] >> (i & 7)) & 1;
        curve25519_swap_conditional(nqx, nqpqx, (word32)(bit ^ lastbit));
        curve25519_swap_conditional(nqz, nqpqz, (word32)(bit ^ lastbit));
@ -1098,7 +1098,7 @@ int curve25519_mult_SSE2(byte sharedKey[32], const byte secretKey[32], const byt
    curve25519_swap_conditional(nqz, nqpqz, (word32)bit);
    /* do bits 2..0 */
-    for (i = 0; i < 3; i++) {
+    for (size_t i = 0; i < 3; i++) {
        curve25519_compute_nq(nq, nqx, nqz);
        curve25519_square_packed64(sq, nq); /* sq = nq^2 */
        curve25519_121665_packed64(sqscalar, sq); /* sqscalar = sq * [121666,121665] */
--- a/drbg.h
+++ b/drbg.h
@ -207,6 +207,9 @@ public:
        size_t nonceLength=0, const byte* personalization=NULLPTR, size_t personalizationLength=0)
        : NIST_DRBG(), m_c(SEEDLENGTH), m_v(SEEDLENGTH), m_reseed(0)
    {
        std::memset(m_c, 0x00, m_c.size());
        std::memset(m_v, 0x00, m_v.size());
        if (entropy != NULLPTR && entropyLength != 0)
            DRBG_Instantiate(entropy, entropyLength, nonce, nonceLength, personalization, personalizationLength);
    }
@ -324,6 +327,9 @@ public:
        size_t nonceLength=0, const byte* personalization=NULLPTR, size_t personalizationLength=0)
        : NIST_DRBG(), m_k(HASH::DIGESTSIZE), m_v(HASH::DIGESTSIZE), m_reseed(0)
    {
        std::memset(m_k, 0x00, m_k.size());
        std::memset(m_v, 0x00, m_v.size());
        if (entropy != NULLPTR && entropyLength != 0)
            DRBG_Instantiate(entropy, entropyLength, nonce, nonceLength, personalization, personalizationLength);
    }
--- a/ec2n.cpp
+++ b/ec2n.cpp
@ -16,7 +16,8 @@ ANONYMOUS_NAMESPACE_BEGIN
 using CryptoPP::EC2N;
 #if defined(HAVE_GCC_INIT_PRIORITY)
-  const EC2N::Point g_identity __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 50))) = EC2N::Point();
+  #define INIT_ATTRIBUTE __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 51)))
  const EC2N::Point g_identity INIT_ATTRIBUTE = EC2N::Point();
 #elif defined(HAVE_MSC_INIT_PRIORITY)
  #pragma warning(disable: 4075)
  #pragma init_seg(".CRT$XCU")
@ -260,7 +261,7 @@ const EC2N::Point& EC2N::Double(const Point &P) const
 // ********************************************************
-/*
+#if 0
 EcPrecomputation<EC2N>& EcPrecomputation<EC2N>::operator=(const EcPrecomputation<EC2N> &rhs)
 {
 	m_ec = rhs.m_ec;
@ -312,7 +313,7 @@ EC2N::Point EcPrecomputation<EC2N>::CascadeExponentiate(const Integer &exponent,
 {
 	return m_ep.CascadeExponentiate(exponent, static_cast<const EcPrecomputation<EC2N> &>(pc2).m_ep, exponent2);
 }
-*/
+#endif
 NAMESPACE_END
--- a/ec2n.h
+++ b/ec2n.h
@ -3,7 +3,6 @@
 /// \file ec2n.h
 /// \brief Classes for Elliptic Curves over binary fields
 #ifndef CRYPTOPP_EC2N_H
 #define CRYPTOPP_EC2N_H
--- a/eccrypto.cpp
+++ b/eccrypto.cpp
@ -28,6 +28,9 @@
 #include "ec2n.h"
 #include "misc.h"
 #include <iostream>
 #include <sstream>
 // Squash MS LNK4221 and libtool warnings
 #ifndef CRYPTOPP_MANUALLY_INSTANTIATE_TEMPLATES
 extern const char ECCRYPTO_FNAME[] = __FILE__;
@ -683,6 +686,13 @@ OID DL_GroupParameters_EC<EC>::GetAlgorithmID() const
 	return ASN1::id_ecPublicKey();
 }
 std::ostream& operator<<(std::ostream& os, const DL_GroupParameters_EC<ECP>::Element& obj)
 {
 	std::ostringstream oss;
 	oss << "(" << std::hex << obj.x << ", " << std::hex  << obj.y << ")";
 	return os << oss.str();
 }
 // ******************************************************************
 template <class EC>
--- a/eccrypto.h
+++ b/eccrypto.h
@ -22,6 +22,8 @@
 #include "ecp.h"
 #include "ec2n.h"
 #include <iosfwd>
 #if CRYPTOPP_MSC_VERSION
 # pragma warning(push)
 # pragma warning(disable: 4231 4275)
@ -168,6 +170,8 @@ protected:
 	mutable bool m_compress, m_encodeAsOID;		// presentation details
 };
 inline std::ostream& operator<<(std::ostream& os, const DL_GroupParameters_EC<ECP>::Element& obj);
 /// \brief Elliptic Curve Discrete Log (DL) public key
 /// \tparam EC elliptic curve field
 template <class EC>
--- a/ecp.cpp
+++ b/ecp.cpp
@ -15,10 +15,12 @@
 ANONYMOUS_NAMESPACE_BEGIN
 using CryptoPP::ECP;
 using CryptoPP::Integer;
 using CryptoPP::ModularArithmetic;
 #if defined(HAVE_GCC_INIT_PRIORITY)
-  const ECP::Point g_identity __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 51))) = ECP::Point();
+  #define INIT_ATTRIBUTE __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 50)))
  const ECP::Point g_identity INIT_ATTRIBUTE = ECP::Point();
 #elif defined(HAVE_MSC_INIT_PRIORITY)
  #pragma warning(disable: 4075)
  #pragma init_seg(".CRT$XCU")
@ -39,6 +41,503 @@ inline ECP::Point FromMontgomery(const ModularArithmetic &mr, const ECP::Point &
 	return P.identity ? P : ECP::Point(mr.ConvertOut(P.x), mr.ConvertOut(P.y));
 }
 inline Integer IdentityToInteger(bool val)
 {
 	return val ? Integer::One() : Integer::Zero();
 }
 struct ProjectivePoint
 {
 	ProjectivePoint() {}
 	ProjectivePoint(const Integer &x, const Integer &y, const Integer &z)
 		: x(x), y(y), z(z)	{}
 	Integer x, y, z;
 };
 /// \brief Addition and Double functions
 /// \sa <A HREF="https://eprint.iacr.org/2015/1060.pdf">Complete
 ///  addition formulas for prime order elliptic curves</A>
 struct AdditionFunction
 {
 	explicit AdditionFunction(const ECP::Field& field,
 		const ECP::FieldElement &a, const ECP::FieldElement &b, ECP::Point &r);
 	// Double(P)
 	ECP::Point operator()(const ECP::Point& P) const;
 	// Add(P, Q)
 	ECP::Point operator()(const ECP::Point& P, const ECP::Point& Q) const;
 protected:
 	/// \brief Parameters and representation for Addition
 	/// \details Addition and Doubling will use different algorithms,
 	///  depending on the <tt>A</tt> coefficient and the representation
 	///  (Affine or Montgomery with precomputation).
 	enum Alpha {
 		/// \brief Coefficient A is 0
 		A_0 = 1,
 		/// \brief Coefficient A is -3
 		A_3 = 2,
 		/// \brief Coefficient A is arbitrary
 		A_Star = 4,
 		/// \brief Representation is Montgomery
 		A_Montgomery = 8
 	};
 	const ECP::Field& field;
 	const ECP::FieldElement &a, &b;
 	ECP::Point &R;
 	Alpha m_alpha;
 };
 #define X p.x
 #define Y p.y
 #define Z p.z
 #define X1 p.x
 #define Y1 p.y
 #define Z1 p.z
 #define X2 q.x
 #define Y2 q.y
 #define Z2 q.z
 #define X3 r.x
 #define Y3 r.y
 #define Z3 r.z
 AdditionFunction::AdditionFunction(const ECP::Field& field,
 	const ECP::FieldElement &a, const ECP::FieldElement &b, ECP::Point &r)
 	: field(field), a(a), b(b), R(r), m_alpha(static_cast<Alpha>(0))
 {
 	if (field.IsMontgomeryRepresentation())
 	{
 		m_alpha = A_Montgomery;
 	}
 	else
 	{
 		if (a == 0)
 		{
 			m_alpha = A_0;
 		}
 		else if (a == -3 || (a - field.GetModulus()) == -3)
 		{
 			m_alpha = A_3;
 		}
 		else
 		{
 			m_alpha = A_Star;
 		}
 	}
 }
 ECP::Point AdditionFunction::operator()(const ECP::Point& P) const
 {
 	if (m_alpha == A_3)
 	{
 		// Gyrations attempt to maintain constant-timeness
 		// We need either (P.x, P.y, 1) or (0, 1, 0).
 		const Integer x = P.x * IdentityToInteger(!P.identity);
 		const Integer y = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
 		const Integer z = 1 * IdentityToInteger(!P.identity);
 		ProjectivePoint p(x, y, z), r;
 		ECP::FieldElement t0 = field.Square(X);
 		ECP::FieldElement t1 = field.Square(Y);
 		ECP::FieldElement t2 = field.Square(Z);
 		ECP::FieldElement t3 = field.Multiply(X, Y);
 		t3 = field.Add(t3, t3);
 		Z3 = field.Multiply(X, Z);
 		Z3 = field.Add(Z3, Z3);
 		Y3 = field.Multiply(b, t2);
 		Y3 = field.Subtract(Y3, Z3);
 		X3 = field.Add(Y3, Y3);
 		Y3 = field.Add(X3, Y3);
 		X3 = field.Subtract(t1, Y3);
 		Y3 = field.Add(t1, Y3);
 		Y3 = field.Multiply(X3, Y3);
 		X3 = field.Multiply(X3, t3);
 		t3 = field.Add(t2, t2);
 		t2 = field.Add(t2, t3);
 		Z3 = field.Multiply(b, Z3);
 		Z3 = field.Subtract(Z3, t2);
 		Z3 = field.Subtract(Z3, t0);
 		t3 = field.Add(Z3, Z3);
 		Z3 = field.Add(Z3, t3);
 		t3 = field.Add(t0, t0);
 		t0 = field.Add(t3, t0);
 		t0 = field.Subtract(t0, t2);
 		t0 = field.Multiply(t0, Z3);
 		Y3 = field.Add(Y3, t0);
 		t0 = field.Multiply(Y, Z);
 		t0 = field.Add(t0, t0);
 		Z3 = field.Multiply(t0, Z3);
 		X3 = field.Subtract(X3, Z3);
 		Z3 = field.Multiply(t0, t1);
 		Z3 = field.Add(Z3, Z3);
 		Z3 = field.Add(Z3, Z3);
 		const ECP::FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
 		X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
 		// More gyrations
 		R.x = X3*Z3.NotZero();
 		R.y = Y3*Z3.NotZero();
 		R.identity = Z3.IsZero();
 		return R;
 	}
 	else if (m_alpha == A_0)
 	{
 		// Gyrations attempt to maintain constant-timeness
 		// We need either (P.x, P.y, 1) or (0, 1, 0).
 		const Integer x = P.x * IdentityToInteger(!P.identity);
 		const Integer y = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
 		const Integer z = 1 * IdentityToInteger(!P.identity);
 		ProjectivePoint p(x, y, z), r;
 		const ECP::FieldElement b3 = field.Multiply(b, 3);
 		ECP::FieldElement t0 = field.Square(Y);
 		Z3 = field.Add(t0, t0);
 		Z3 = field.Add(Z3, Z3);
 		Z3 = field.Add(Z3, Z3);
 		ECP::FieldElement t1 = field.Add(Y, Z);
 		ECP::FieldElement t2 = field.Square(Z);
 		t2 = field.Multiply(b3, t2);
 		X3 = field.Multiply(t2, Z3);
 		Y3 = field.Add(t0, t2);
 		Z3 = field.Multiply(t1, Z3);
 		t1 = field.Add(t2, t2);
 		t2 = field.Add(t1, t2);
 		t0 = field.Subtract(t0, t2);
 		Y3 = field.Multiply(t0, Y3);
 		Y3 = field.Add(X3, Y3);
 		t1 = field.Multiply(X, Y);
 		X3 = field.Multiply(t0, t1);
 		X3 = field.Add(X3, X3);
 		const ECP::FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
 		X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
 		// More gyrations
 		R.x = X3*Z3.NotZero();
 		R.y = Y3*Z3.NotZero();
 		R.identity = Z3.IsZero();
 		return R;
 	}
 #if 0
 	// Code path disabled at the moment due to https://github.com/weidai11/cryptopp/issues/878
 	else if (m_alpha == A_Star)
 	{
 		// Gyrations attempt to maintain constant-timeness
 		// We need either (P.x, P.y, 1) or (0, 1, 0).
 		const Integer x = P.x * IdentityToInteger(!P.identity);
 		const Integer y = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
 		const Integer z = 1 * IdentityToInteger(!P.identity);
 		ProjectivePoint p(x, y, z), r;
 		const ECP::FieldElement b3 = field.Multiply(b, 3);
 		ECP::FieldElement t0 = field.Square(Y);
 		Z3 = field.Add(t0, t0);
 		Z3 = field.Add(Z3, Z3);
 		Z3 = field.Add(Z3, Z3);
 		ECP::FieldElement t1 = field.Add(Y, Z);
 		ECP::FieldElement t2 = field.Square(Z);
 		t2 = field.Multiply(b3, t2);
 		X3 = field.Multiply(t2, Z3);
 		Y3 = field.Add(t0, t2);
 		Z3 = field.Multiply(t1, Z3);
 		t1 = field.Add(t2, t2);
 		t2 = field.Add(t1, t2);
 		t0 = field.Subtract(t0, t2);
 		Y3 = field.Multiply(t0, Y3);
 		Y3 = field.Add(X3, Y3);
 		t1 = field.Multiply(X, Y);
 		X3 = field.Multiply(t0, t1);
 		X3 = field.Add(X3, X3);
 		const ECP::FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
 		X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
 		// More gyrations
 		R.x = X3*Z3.NotZero();
 		R.y = Y3*Z3.NotZero();
 		R.identity = Z3.IsZero();
 		return R;
 	}
 #endif
 	else  // A_Montgomery
 	{
 		// More gyrations
 		bool identity = !!(P.identity + (P.y == field.Identity()));
 		ECP::FieldElement t = field.Square(P.x);
 		t = field.Add(field.Add(field.Double(t), t), a);
 		t = field.Divide(t, field.Double(P.y));
 		ECP::FieldElement x = field.Subtract(field.Subtract(field.Square(t), P.x), P.x);
 		R.y = field.Subtract(field.Multiply(t, field.Subtract(P.x, x)), P.y);
 		R.x.swap(x);
 		// More gyrations
 		R.x *= IdentityToInteger(!identity);
 		R.y *= IdentityToInteger(!identity);
 		R.identity = identity;
 		return R;
 	}
 }
 ECP::Point AdditionFunction::operator()(const ECP::Point& P, const ECP::Point& Q) const
 {
 	if (m_alpha == A_3)
 	{
 		// Gyrations attempt to maintain constant-timeness
 		// We need either (P.x, P.y, 1) or (0, 1, 0).
 		const Integer x1 = P.x * IdentityToInteger(!P.identity);
 		const Integer y1 = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
 		const Integer z1 = 1 * IdentityToInteger(!P.identity);
 		const Integer x2 = Q.x * IdentityToInteger(!Q.identity);
 		const Integer y2 = Q.y * IdentityToInteger(!Q.identity) + 1 * IdentityToInteger(Q.identity);
 		const Integer z2 = 1 * IdentityToInteger(!Q.identity);
 		ProjectivePoint p(x1, y1, z1), q(x2, y2, z2), r;
 		ECP::FieldElement t0 = field.Multiply(X1, X2);
 		ECP::FieldElement t1 = field.Multiply(Y1, Y2);
 		ECP::FieldElement t2 = field.Multiply(Z1, Z2);
 		ECP::FieldElement t3 = field.Add(X1, Y1);
 		ECP::FieldElement t4 = field.Add(X2, Y2);
 		t3 = field.Multiply(t3, t4);
 		t4 = field.Add(t0, t1);
 		t3 = field.Subtract(t3, t4);
 		t4 = field.Add(Y1, Z1);
 		X3 = field.Add(Y2, Z2);
 		t4 = field.Multiply(t4, X3);
 		X3 = field.Add(t1, t2);
 		t4 = field.Subtract(t4, X3);
 		X3 = field.Add(X1, Z1);
 		Y3 = field.Add(X2, Z2);
 		X3 = field.Multiply(X3, Y3);
 		Y3 = field.Add(t0, t2);
 		Y3 = field.Subtract(X3, Y3);
 		Z3 = field.Multiply(b, t2);
 		X3 = field.Subtract(Y3, Z3);
 		Z3 = field.Add(X3, X3);
 		X3 = field.Add(X3, Z3);
 		Z3 = field.Subtract(t1, X3);
 		X3 = field.Add(t1, X3);
 		Y3 = field.Multiply(b, Y3);
 		t1 = field.Add(t2, t2);
 		t2 = field.Add(t1, t2);
 		Y3 = field.Subtract(Y3, t2);
 		Y3 = field.Subtract(Y3, t0);
 		t1 = field.Add(Y3, Y3);
 		Y3 = field.Add(t1, Y3);
 		t1 = field.Add(t0, t0);
 		t0 = field.Add(t1, t0);
 		t0 = field.Subtract(t0, t2);
 		t1 = field.Multiply(t4, Y3);
 		t2 = field.Multiply(t0, Y3);
 		Y3 = field.Multiply(X3, Z3);
 		Y3 = field.Add(Y3, t2);
 		X3 = field.Multiply(t3, X3);
 		X3 = field.Subtract(X3, t1);
 		Z3 = field.Multiply(t4, Z3);
 		t1 = field.Multiply(t3, t0);
 		Z3 = field.Add(Z3, t1);
 		const ECP::FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
 		X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
 		// More gyrations
 		R.x = X3*Z3.NotZero();
 		R.y = Y3*Z3.NotZero();
 		R.identity = Z3.IsZero();
 		return R;
 	}
 	else if (m_alpha == A_0)
 	{
 		// Gyrations attempt to maintain constant-timeness
 		// We need either (P.x, P.y, 1) or (0, 1, 0).
 		const Integer x1 = P.x * IdentityToInteger(!P.identity);
 		const Integer y1 = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
 		const Integer z1 = 1 * IdentityToInteger(!P.identity);
 		const Integer x2 = Q.x * IdentityToInteger(!Q.identity);
 		const Integer y2 = Q.y * IdentityToInteger(!Q.identity) + 1 * IdentityToInteger(Q.identity);
 		const Integer z2 = 1 * IdentityToInteger(!Q.identity);
 		ProjectivePoint p(x1, y1, z1), q(x2, y2, z2), r;
 		const ECP::FieldElement b3 = field.Multiply(b, 3);
 		ECP::FieldElement t0 = field.Square(Y);
 		Z3 = field.Add(t0, t0);
 		Z3 = field.Add(Z3, Z3);
 		Z3 = field.Add(Z3, Z3);
 		ECP::FieldElement t1 = field.Add(Y, Z);
 		ECP::FieldElement t2 = field.Square(Z);
 		t2 = field.Multiply(b3, t2);
 		X3 = field.Multiply(t2, Z3);
 		Y3 = field.Add(t0, t2);
 		Z3 = field.Multiply(t1, Z3);
 		t1 = field.Add(t2, t2);
 		t2 = field.Add(t1, t2);
 		t0 = field.Subtract(t0, t2);
 		Y3 = field.Multiply(t0, Y3);
 		Y3 = field.Add(X3, Y3);
 		t1 = field.Multiply(X, Y);
 		X3 = field.Multiply(t0, t1);
 		X3 = field.Add(X3, X3);
 		const ECP::FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
 		X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
 		// More gyrations
 		R.x = X3*Z3.NotZero();
 		R.y = Y3*Z3.NotZero();
 		R.identity = Z3.IsZero();
 		return R;
 	}
 #if 0
 	// Code path disabled at the moment due to https://github.com/weidai11/cryptopp/issues/878
 	else if (m_alpha == A_Star)
 	{
 		// Gyrations attempt to maintain constant-timeness
 		// We need either (P.x, P.y, 1) or (0, 1, 0).
 		const Integer x1 = P.x * IdentityToInteger(!P.identity);
 		const Integer y1 = P.y * IdentityToInteger(!P.identity) + 1 * IdentityToInteger(P.identity);
 		const Integer z1 = 1 * IdentityToInteger(!P.identity);
 		const Integer x2 = Q.x * IdentityToInteger(!Q.identity);
 		const Integer y2 = Q.y * IdentityToInteger(!Q.identity) + 1 * IdentityToInteger(Q.identity);
 		const Integer z2 = 1 * IdentityToInteger(!Q.identity);
 		ProjectivePoint p(x1, y1, z1), q(x2, y2, z2), r;
 		const ECP::FieldElement b3 = field.Multiply(b, 3);
 		ECP::FieldElement t0 = field.Multiply(X1, X2);
 		ECP::FieldElement t1 = field.Multiply(Y1, Y2);
 		ECP::FieldElement t2 = field.Multiply(Z1, Z2);
 		ECP::FieldElement t3 = field.Add(X1, Y1);
 		ECP::FieldElement t4 = field.Add(X2, Y2);
 		t3 = field.Multiply(t3, t4);
 		t4 = field.Add(t0, t1);
 		t3 = field.Subtract(t3, t4);
 		t4 = field.Add(X1, Z1);
 		ECP::FieldElement t5 = field.Add(X2, Z2);
 		t4 = field.Multiply(t4, t5);
 		t5 = field.Add(t0, t2);
 		t4 = field.Subtract(t4, t5);
 		t5 = field.Add(Y1, Z1);
 		X3 = field.Add(Y2, Z2);
 		t5 = field.Multiply(t5, X3);
 		X3 = field.Add(t1, t2);
 		t5 = field.Subtract(t5, X3);
 		Z3 = field.Multiply(a, t4);
 		X3 = field.Multiply(b3, t2);
 		Z3 = field.Add(X3, Z3);
 		X3 = field.Subtract(t1, Z3);
 		Z3 = field.Add(t1, Z3);
 		Y3 = field.Multiply(X3, Z3);
 		t1 = field.Add(t0, t0);
 		t1 = field.Add(t1, t0);
 		t2 = field.Multiply(a, t2);
 		t4 = field.Multiply(b3, t4);
 		t1 = field.Add(t1, t2);
 		t2 = field.Subtract(t0, t2);
 		t2 = field.Multiply(a, t2);
 		t4 = field.Add(t4, t2);
 		t0 = field.Multiply(t1, t4);
 		Y3 = field.Add(Y3, t0);
 		t0 = field.Multiply(t5, t4);
 		X3 = field.Multiply(t3, X3);
 		X3 = field.Subtract(X3, t0);
 		t0 = field.Multiply(t3, t1);
 		Z3 = field.Multiply(t5, Z3);
 		Z3 = field.Add(Z3, t0);
 		const ECP::FieldElement inv = field.MultiplicativeInverse(Z3.IsZero() ? Integer::One() : Z3);
 		X3 = field.Multiply(X3, inv); Y3 = field.Multiply(Y3, inv);
 		// More gyrations
 		R.x = X3*Z3.NotZero();
 		R.y = Y3*Z3.NotZero();
 		R.identity = Z3.IsZero();
 		return R;
 	}
 #endif
 	else  // A_Montgomery
 	{
 		// More gyrations
 		bool return_Q = P.identity;
 		bool return_P = Q.identity;
 		bool double_P = field.Equal(P.x, Q.x) && field.Equal(P.y, Q.y);
 		bool identity = field.Equal(P.x, Q.x) && !field.Equal(P.y, Q.y);
 		// This code taken from Double(P) for below
 		identity = !!((double_P * (P.identity + (P.y == field.Identity()))) + identity);
 		ECP::Point S = R;
 		if (double_P)
 		{
 			// This code taken from Double(P)
 			ECP::FieldElement t = field.Square(P.x);
 			t = field.Add(field.Add(field.Double(t), t), a);
 			t = field.Divide(t, field.Double(P.y));
 			ECP::FieldElement x = field.Subtract(field.Subtract(field.Square(t), P.x), P.x);
 			R.y = field.Subtract(field.Multiply(t, field.Subtract(P.x, x)), P.y);
 			R.x.swap(x);
 		}
 		else
 		{
 			// Original Add(P,Q) code
 			ECP::FieldElement t = field.Subtract(Q.y, P.y);
 			t = field.Divide(t, field.Subtract(Q.x, P.x));
 			ECP::FieldElement x = field.Subtract(field.Subtract(field.Square(t), P.x), Q.x);
 			R.y = field.Subtract(field.Multiply(t, field.Subtract(P.x, x)), P.y);
 			R.x.swap(x);
 		}
 		// More gyrations
 		R.x = R.x * IdentityToInteger(!identity);
 		R.y = R.y * IdentityToInteger(!identity);
 		R.identity = identity;
 		if (return_Q)
 			return (R = S), Q;
 		else if (return_P)
 			return (R = S), P;
 		else
 			return (S = R), R;
 	}
 }
 #undef X
 #undef Y
 #undef Z
 #undef X1
 #undef Y1
 #undef Z1
 #undef X2
 #undef Y2
 #undef Z2
 #undef X3
 #undef Y3
 #undef Z3
 ANONYMOUS_NAMESPACE_END
 NAMESPACE_BEGIN(CryptoPP)
@ -243,34 +742,14 @@ const ECP::Point& ECP::Inverse(const Point &P) const
 const ECP::Point& ECP::Add(const Point &P, const Point &Q) const
 {
-	if (P.identity) return Q;
+	AdditionFunction add(GetField(), m_a, m_b, m_R);
-	if (Q.identity) return P;
+	return (m_R = add(P, Q));
 	if (GetField().Equal(P.x, Q.x))
 		return GetField().Equal(P.y, Q.y) ? Double(P) : Identity();
 	FieldElement t = GetField().Subtract(Q.y, P.y);
 	t = GetField().Divide(t, GetField().Subtract(Q.x, P.x));
 	FieldElement x = GetField().Subtract(GetField().Subtract(GetField().Square(t), P.x), Q.x);
 	m_R.y = GetField().Subtract(GetField().Multiply(t, GetField().Subtract(P.x, x)), P.y);
 	m_R.x.swap(x);
 	m_R.identity = false;
 	return m_R;
 }
 const ECP::Point& ECP::Double(const Point &P) const
 {
-	if (P.identity || P.y==GetField().Identity()) return Identity();
+	AdditionFunction add(GetField(), m_a, m_b, m_R);
-
+	return (m_R = add(P));
 	FieldElement t = GetField().Square(P.x);
 	t = GetField().Add(GetField().Add(GetField().Double(t), t), m_a);
 	t = GetField().Divide(t, GetField().Double(P.y));
 	FieldElement x = GetField().Subtract(GetField().Subtract(GetField().Square(t), P.x), P.x);
 	m_R.y = GetField().Subtract(GetField().Multiply(t, GetField().Subtract(P.x, x)), P.y);
 	m_R.x.swap(x);
 	m_R.identity = false;
 	return m_R;
 }
 template <class T, class Iterator> void ParallelInvert(const AbstractRing<T> &ring, Iterator begin, Iterator end)
@ -310,20 +789,11 @@ template <class T, class Iterator> void ParallelInvert(const AbstractRing<T> &ri
 	}
 }
 struct ProjectivePoint
 {
 	ProjectivePoint() {}
 	ProjectivePoint(const Integer &x, const Integer &y, const Integer &z)
 		: x(x), y(y), z(z)	{}
 	Integer x,y,z;
 };
 class ProjectiveDoubling
 {
 public:
 	ProjectiveDoubling(const ModularArithmetic &m_mr, const Integer &m_a, const Integer &m_b, const ECPPoint &Q)
-		: mr(m_mr), firstDoubling(true), negated(false)
+		: mr(m_mr)
 	{
 		CRYPTOPP_UNUSED(m_b);
 		if (Q.identity)
@ -360,7 +830,6 @@ public:
 	const ModularArithmetic &mr;
 	ProjectivePoint P;
 	bool firstDoubling, negated;
 	Integer sixteenY4, aZ4, twoY, fourY2, S, M;
 };
--- a/ecp.h
+++ b/ecp.h
@ -35,11 +35,15 @@ public:
 	/// \brief Construct an ECP
 	ECP() {}
-	/// \brief Copy construct an ECP
+	/// \brief Construct an ECP
 	/// \param ecp the other ECP object
-	/// \param convertToMontgomeryRepresentation flag indicating if the curve should be converted to a MontgomeryRepresentation
+	/// \param convertToMontgomeryRepresentation flag indicating if the curve
 	///  should be converted to a MontgomeryRepresentation.
 	/// \details Prior to Crypto++ 8.3 the default value for
 	///  convertToMontgomeryRepresentation was false. it was changed due to
 	///  two audit tools finding, "Signature-compatible with a copy constructor".
 	/// \sa ModularArithmetic, MontgomeryRepresentation
-	ECP(const ECP &ecp, bool convertToMontgomeryRepresentation = false);
+	ECP(const ECP &ecp, bool convertToMontgomeryRepresentation);
 	/// \brief Construct an ECP
 	/// \param modulus the prime modulus
@ -50,14 +54,22 @@ public:
 	/// \brief Construct an ECP from BER encoded parameters
 	/// \param bt BufferedTransformation derived object
-	/// \details This constructor will decode and extract the the fields fieldID and curve of the sequence ECParameters
+	/// \details This constructor will decode and extract the the fields
 	///  fieldID and curve of the sequence ECParameters
 	ECP(BufferedTransformation &bt);
-	/// \brief Encode the fields fieldID and curve of the sequence ECParameters
+	/// \brief DER Encode
 	/// \param bt BufferedTransformation derived object
 	/// \details DEREncode encode the fields fieldID and curve of the sequence
 	///  ECParameters
 	void DEREncode(BufferedTransformation &bt) const;
 	/// \brief Compare two points
 	/// \param P the first point
 	/// \param Q the second point
 	/// \returns true if equal, false otherwise
 	bool Equal(const Point &P, const Point &Q) const;
 	const Point& Identity() const;
 	const Point& Inverse(const Point &P) const;
 	bool InversionIsFast() const {return true;}
--- a/elgamal.h
+++ b/elgamal.h
@ -11,14 +11,17 @@
 #include "integer.h"
 #include "gfpcrypt.h"
 #include "pubkey.h"
 #include "dsa.h"
 #include "misc.h"
 #include "oids.h"
 #include "dsa.h"
 #include "asn.h"
 NAMESPACE_BEGIN(CryptoPP)
 /// \brief ElGamal key agreement and encryption schemes base class
 /// \since Crypto++ 1.0
-class CRYPTOPP_NO_VTABLE ElGamalBase : public DL_KeyAgreementAlgorithm_DH<Integer, NoCofactorMultiplication>,
+class CRYPTOPP_NO_VTABLE ElGamalBase :
 	public DL_KeyAgreementAlgorithm_DH<Integer, NoCofactorMultiplication>,
 	public DL_KeyDerivationAlgorithm<Integer>,
 	public DL_SymmetricEncryptionAlgorithm
 {
@ -27,7 +30,8 @@ public:
 	void Derive(const DL_GroupParameters<Integer> &groupParams, byte *derivedKey, size_t derivedLength, const Integer &agreedElement, const Integer &ephemeralPublicKey, const NameValuePairs &derivationParams) const
 	{
-		CRYPTOPP_UNUSED(groupParams), CRYPTOPP_UNUSED(ephemeralPublicKey), CRYPTOPP_UNUSED(derivationParams);
+		CRYPTOPP_UNUSED(groupParams); CRYPTOPP_UNUSED(ephemeralPublicKey);
 		CRYPTOPP_UNUSED(derivationParams);
 		agreedElement.Encode(derivedKey, derivedLength);
 	}
@ -49,6 +53,8 @@ public:
 	size_t GetMaxSymmetricPlaintextLength(size_t cipherTextLength) const
 	{
 		unsigned int len = GetGroupParameters().GetModulus().ByteCount();
 		CRYPTOPP_ASSERT(len >= 3);
 		if (cipherTextLength == len)
 			return STDMIN(255U, len-3);
 		else
@ -93,9 +99,14 @@ public:
 };
 /// \brief ElGamal key agreement and encryption schemes default implementation
 /// \tparam BASE Base class implementation
 /// \tparam SCHEME_OPTIONS Scheme options
 /// \tparam Key ElGamal key classes
 /// \since Crypto++ 1.0
 template <class BASE, class SCHEME_OPTIONS, class KEY>
-class ElGamalObjectImpl : public DL_ObjectImplBase<BASE, SCHEME_OPTIONS, KEY>, public ElGamalBase
+class ElGamalObjectImpl :
 	public DL_ObjectImplBase<BASE, SCHEME_OPTIONS, KEY>,
 	public ElGamalBase
 {
 public:
 	virtual ~ElGamalObjectImpl() {}
@ -114,30 +125,174 @@ protected:
 	const DL_SymmetricEncryptionAlgorithm & GetSymmetricEncryptionAlgorithm() const {return *this;}
 };
 /// \brief ElGamal Public Key adapter
 /// \tparam BASE PublicKey derived class
 /// \details DL_PublicKey_ElGamal provides an override for GetAlgorithmID()
 ///  to utilize 1.3.14.7.2.1.1. Prior to DL_PublicKey_ElGamal, the ElGamal
 ///  keys [mistakenly] used the OID from DSA due to DL_GroupParmaters_GFP().
 ///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 ///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 ///  the Crypto++ wiki.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
 ///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
 /// \since Crypto++ 8.3
 template <class BASE>
 struct DL_PublicKey_ElGamal : public BASE
 {
 	virtual ~DL_PublicKey_ElGamal() {}
 	/// \brief Retrieves the OID of the algorithm
 	/// \returns OID of the algorithm
 	/// \details DL_PrivateKey_ElGamal provides an override for GetAlgorithmID()
 	///  to utilize 1.3.14.7.2.1.1. Prior to DL_PrivateKey_ElGamal, the ElGamal
 	///  keys [mistakenly] used the OID from DSA due to DL_GroupParmaters_GFP().
 	///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 	///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 	///  the Crypto++ wiki.
 	/// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
 	///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
 	virtual OID GetAlgorithmID() const {
 		return ASN1::elGamal();
 	}
 };
 /// \brief ElGamal Private Key adapter
 /// \tparam BASE PrivateKey derived class
 /// \details DL_PrivateKey_ElGamal provides an override for GetAlgorithmID()
 ///  to utilize 1.3.14.7.2.1.1. Prior to DL_PrivateKey_ElGamal, the ElGamal
 ///  keys [mistakenly] used the OID from DSA due to DL_GroupParmaters_GFP().
 ///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 ///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 ///  the Crypto++ wiki.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
 ///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
 /// \since Crypto++ 8.3
 template <class BASE>
 struct DL_PrivateKey_ElGamal : public BASE
 {
 	virtual ~DL_PrivateKey_ElGamal() {}
 	/// \brief Retrieves the OID of the algorithm
 	/// \returns OID of the algorithm
 	/// \details DL_PrivateKey_ElGamal provides an override for GetAlgorithmID()
 	///  to utilize 1.3.14.7.2.1.1. Prior to DL_PrivateKey_ElGamal, the ElGamal
 	///  keys [mistakenly] used the OID from DSA due to DL_GroupParmaters_GFP().
 	///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 	///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 	///  the Crypto++ wiki.
 	/// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
 	///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
 	virtual OID GetAlgorithmID() const {
 		return ASN1::elGamal();
 	}
 	/// \brief Check the key for errors
 	/// \param rng RandomNumberGenerator for objects which use randomized testing
 	/// \param level level of thoroughness
 	/// \return true if the tests succeed, false otherwise
 	/// \details There are four levels of thoroughness:
 	///   <ul>
 	///   <li>0 - using this object won't cause a crash or exception
 	///   <li>1 - this object will probably function, and encrypt, sign, other
 	///           operations correctly
 	///   <li>2 - ensure this object will function correctly, and perform
 	///           reasonable security checks
 	///   <li>3 - perform reasonable security checks, and do checks that may
 	///           take a long time
 	///   </ul>
 	/// \details Level 0 does not require a RandomNumberGenerator. A NullRNG() can
 	///  be used for level 0. Level 1 may not check for weak keys and such.
 	///  Levels 2 and 3 are recommended.
 	bool Validate(RandomNumberGenerator &rng, unsigned int level) const
 	{
 		// Validate() formerly used DL_PrivateKey_GFP implementation through
 		// inheritance. However, it would reject keys from other libraries
 		// like BouncyCastle. The failure was x < q. According to ElGamal's
 		// paper and the HAC, the private key is selected in over [1,p-1],
 		// Later Tsiounis and Yung showed the lower limit as [1,q-1] in
 		// "On the Security of EIGamal Based Encryption". As such, Crypto++
 		// will generate a key in the range [1,q-1], but accept a key
 		// in [1,p-1]. Thanks to JPM for finding the reference. Also see
 		// https://github.com/weidai11/cryptopp/commit/a5a684d92986.
 		CRYPTOPP_ASSERT(this->GetAbstractGroupParameters().Validate(rng, level));
 		bool pass = this->GetAbstractGroupParameters().Validate(rng, level);
 		const Integer &p = this->GetGroupParameters().GetModulus();
 		const Integer &q = this->GetAbstractGroupParameters().GetSubgroupOrder();
 		const Integer &x = this->GetPrivateExponent();
 		// Changed to x < p-1 based on ElGamal's paper and the HAC.
 		CRYPTOPP_ASSERT(x.IsPositive());
 		CRYPTOPP_ASSERT(x < p-1);
 		pass = pass && x.IsPositive() && x < p-1;
 		if (level >= 1)
 		{
 			// Minimum security level due to Tsiounis and Yung.
 			CRYPTOPP_ASSERT(Integer::Gcd(x, q) == Integer::One());
 			pass = pass && Integer::Gcd(x, q) == Integer::One();
 		}
 		return pass;
 	}
 };
 /// \brief ElGamal key agreement and encryption schemes keys
-/// \details The ElGamalKeys class used DL_PrivateKey_GFP_OldFormat and DL_PublicKey_GFP_OldFormat
+/// \details ElGamalKeys provide the algorithm implementation ElGamal key
-///   for the PrivateKey and PublicKey typedef from about Crypto++ 1.0 through Crypto++ 5.6.5.
+///  agreement and encryption schemes.
-///   At Crypto++ 6.0 the serialization format was cutover to standard PKCS8 and X509 encodings.
+/// \details The ElGamalKeys class used <tt>DL_PrivateKey_GFP_OldFormat</tt>
-/// \sa <A HREF="https://github.com/weidai11/cryptopp/commit/a5a684d92986e8e2">Commit a5a684d92986e8e2</A>
+///  and <tt>DL_PublicKey_GFP_OldFormat</tt> for the <tt>PrivateKey</tt> and
 ///  <tt>PublicKey</tt> from about Crypto++ 1.0 through Crypto++ 5.6.5. At
 ///  Crypto++ 6.0 the serialization format was cutover to standard PKCS8 and
 ///  X509 encodings.
 /// \details The ElGamalKeys class [mistakenly] used the OID for DSA from
 ///  about Crypto++ 1.0 through Crypto++ 8.2. At Crypto++ 8.3 the OID was
 ///  fixed and now uses ElGamal encryption, which is 1.3.14.7.2.1.1.
 ///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 ///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 ///  the Crypto++ wiki.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
 ///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
 /// \since Crypto++ 1.0
 struct ElGamalKeys
 {
 	/// \brief Implements DL_GroupParameters interface
 	typedef DL_CryptoKeys_GFP::GroupParameters GroupParameters;
-	typedef DL_CryptoKeys_GFP::PrivateKey PrivateKey;
+	/// \brief Implements DL_PrivateKey interface
-	typedef DL_CryptoKeys_GFP::PublicKey PublicKey;
+	typedef DL_PrivateKey_ElGamal<DL_CryptoKeys_GFP::PrivateKey> PrivateKey;
 	/// \brief Implements DL_PublicKey interface
 	typedef DL_PublicKey_ElGamal<DL_CryptoKeys_GFP::PublicKey> PublicKey;
 };
 /// \brief ElGamal encryption scheme with non-standard padding
 /// \details ElGamal provide the algorithm implementation ElGamal key
 ///  agreement and encryption schemes.
 /// \details The ElGamal class [mistakenly] used the OID for DSA from about
 ///  Crypto++ 1.0 through Crypto++ 8.2. At Crypto++ 8.3 the OID was fixed
 ///  and now uses ElGamal encryption, which is 1.3.14.7.2.1.1.
 ///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 ///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 ///  the Crypto++ wiki.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
 ///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
 /// \since Crypto++ 1.0
 struct ElGamal
 {
 	typedef DL_CryptoSchemeOptions<ElGamal, ElGamalKeys, int, int, int> SchemeOptions;
 	typedef SchemeOptions::PrivateKey PrivateKey;
 	typedef SchemeOptions::PublicKey PublicKey;
 	/// \brief The algorithm name
 	/// \returns the algorithm name
 	/// \details StaticAlgorithmName returns the algorithm's name as a static
 	///  member function.
 	CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() {return "ElgamalEnc/Crypto++Padding";}
 	/// \brief Implements DL_GroupParameters interface
 	typedef SchemeOptions::GroupParameters GroupParameters;
-	/// implements PK_Encryptor interface
+	/// \brief Implements PK_Encryptor interface
 	typedef PK_FinalTemplate<ElGamalObjectImpl<DL_EncryptorBase<Integer>, SchemeOptions, SchemeOptions::PublicKey> > Encryptor;
-	/// implements PK_Decryptor interface
+	/// \brief Implements PK_Encryptor interface
 	typedef PK_FinalTemplate<ElGamalObjectImpl<DL_DecryptorBase<Integer>, SchemeOptions, SchemeOptions::PrivateKey> > Decryptor;
 };
--- a/fhmqv.h
+++ b/fhmqv.h
@ -30,30 +30,85 @@ public:
  virtual ~FHMQV_Domain() {}
-  FHMQV_Domain(bool clientRole = true): m_role(clientRole ? RoleClient : RoleServer) {}
+  /// \brief Construct a FHMQV domain
  /// \param clientRole flag indicating initiator or recipient
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  FHMQV_Domain(bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer) {}
  /// \brief Construct a FHMQV domain
  /// \param params group parameters and options
  /// \param clientRole flag indicating initiator or recipient
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  FHMQV_Domain(const GroupParameters &params, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer), m_groupParameters(params) {}
  /// \brief Construct a FHMQV domain
  /// \param bt BufferedTransformation with group parameters and options
  /// \param clientRole flag indicating initiator or recipient
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  FHMQV_Domain(BufferedTransformation &bt, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.BERDecode(bt);}
  /// \brief Construct a FHMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1 is passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1>
  FHMQV_Domain(T1 v1, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.Initialize(v1);}
  /// \brief Construct a FHMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \tparam T2 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param v2 second parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1 and v2 are passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1, class T2>
  FHMQV_Domain(T1 v1, T2 v2, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.Initialize(v1, v2);}
  /// \brief Construct a FHMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \tparam T2 template parameter used as a constructor parameter
  /// \tparam T3 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param v2 second parameter
  /// \param v3 third parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1, v2 and v3 are passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1, class T2, class T3>
  FHMQV_Domain(T1 v1, T2 v2, T3 v3, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.Initialize(v1, v2, v3);}
  /// \brief Construct a FHMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \tparam T2 template parameter used as a constructor parameter
  /// \tparam T3 template parameter used as a constructor parameter
  /// \tparam T4 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param v2 second parameter
  /// \param v3 third parameter
  /// \param v4 third parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1, v2, v3 and v4 are passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1, class T2, class T3, class T4>
  FHMQV_Domain(T1 v1, T2 v2, T3 v3, T4 v4, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
@ -61,28 +116,62 @@ public:
 public:
  /// \brief Retrieves the group parameters for this domain
  /// \return the group parameters for this domain as a const reference
  const GroupParameters & GetGroupParameters() const {return m_groupParameters;}
  /// \brief Retrieves the group parameters for this domain
  /// \return the group parameters for this domain as a non-const reference
  GroupParameters & AccessGroupParameters() {return m_groupParameters;}
  /// \brief Retrieves the crypto parameters for this domain
  /// \return the crypto parameters for this domain as a non-const reference
  CryptoParameters & AccessCryptoParameters() {return AccessAbstractGroupParameters();}
-  /// return length of agreed value produced
+  /// \brief Provides the size of the agreed value
-  unsigned int AgreedValueLength() const {return GetAbstractGroupParameters().GetEncodedElementSize(false);}
+  /// \return size of agreed value produced in this domain
-  /// return length of static private keys in this domain
+  /// \details The length is calculated using <tt>GetEncodedElementSize(false)</tt>,
-  unsigned int StaticPrivateKeyLength() const {return GetAbstractGroupParameters().GetSubgroupOrder().ByteCount();}
+  ///  which means the element is encoded in a non-reversible format. A
-  /// return length of static public keys in this domain
+  ///  non-reversible format means its a raw byte array, and it lacks presentation
-  unsigned int StaticPublicKeyLength() const{return GetAbstractGroupParameters().GetEncodedElementSize(true);}
+  ///  format like an ASN.1 BIT_STRING or OCTET_STRING.
  unsigned int AgreedValueLength() const
    {return GetAbstractGroupParameters().GetEncodedElementSize(false);}
-  /// generate static private key
+  /// \brief Provides the size of the static private key
-  /*! \pre size of privateKey == PrivateStaticKeyLength() */
+  /// \return size of static private keys in this domain
  /// \details The length is calculated using the byte count of the subgroup order.
  unsigned int StaticPrivateKeyLength() const
    {return GetAbstractGroupParameters().GetSubgroupOrder().ByteCount();}
  /// \brief Provides the size of the static public key
  /// \return size of static public keys in this domain
  /// \details The length is calculated using <tt>GetEncodedElementSize(true)</tt>,
  ///  which means the element is encoded in a reversible format. A reversible
  ///  format means it has a presentation format, and its an ANS.1 encoded element
  ///  or point.
  unsigned int StaticPublicKeyLength() const
    {return GetAbstractGroupParameters().GetEncodedElementSize(true);}
  /// \brief Generate static private key in this domain
  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer for the generated private key in this domain
  /// \details The private key is a random scalar used as an exponent in the range
  ///  <tt>[1,MaxExponent()]</tt>.
  /// \pre <tt>COUNTOF(privateKey) == PrivateStaticKeyLength()</tt>
  void GenerateStaticPrivateKey(RandomNumberGenerator &rng, byte *privateKey) const
  {
    Integer x(rng, Integer::One(), GetAbstractGroupParameters().GetMaxExponent());
    x.Encode(privateKey, StaticPrivateKeyLength());
  }
-  /// generate static public key
+  /// \brief Generate a static public key from a private key in this domain
-  /*! \pre size of publicKey == PublicStaticKeyLength() */
+  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer with the previously generated private key
  /// \param publicKey a byte buffer for the generated public key in this domain
  /// \details The public key is an element or point on the curve, and its stored
  ///  in a revrsible format. A reversible format means it has a presentation
  ///  format, and its an ANS.1 encoded element or point.
  /// \pre <tt>COUNTOF(publicKey) == PublicStaticKeyLength()</tt>
  void GenerateStaticPublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const
  {
    CRYPTOPP_UNUSED(rng);
@ -92,10 +181,22 @@ public:
    params.EncodeElement(true, y, publicKey);
  }
  /// \brief Provides the size of the ephemeral private key
  /// \return size of ephemeral private keys in this domain
  /// \details An ephemeral private key is a private key and public key.
  ///  The serialized size is different than a static private key.
  unsigned int EphemeralPrivateKeyLength() const {return StaticPrivateKeyLength() + StaticPublicKeyLength();}
  /// \brief Provides the size of the ephemeral public key
  /// \return size of ephemeral public keys in this domain
  /// \details An ephemeral public key is a public key.
  ///  The serialized size is the same as a static public key.
  unsigned int EphemeralPublicKeyLength() const{return StaticPublicKeyLength();}
-  /// return length of ephemeral private keys in this domain
+  /// \brief Generate ephemeral private key in this domain
  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer for the generated private key in this domain
  /// \pre <tt>COUNTOF(privateKey) == EphemeralPrivateKeyLength()</tt>
  void GenerateEphemeralPrivateKey(RandomNumberGenerator &rng, byte *privateKey) const
  {
    const DL_GroupParameters<Element> &params = GetAbstractGroupParameters();
@ -105,28 +206,46 @@ public:
    params.EncodeElement(true, y, privateKey+StaticPrivateKeyLength());
  }
-  /// return length of ephemeral public keys in this domain
+  /// \brief Generate ephemeral public key from a private key in this domain
  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer with the previously generated private key
  /// \param publicKey a byte buffer for the generated public key in this domain
  /// \pre <tt>COUNTOF(publicKey) == EphemeralPublicKeyLength()</tt>
  void GenerateEphemeralPublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const
  {
    CRYPTOPP_UNUSED(rng);
    memcpy(publicKey, privateKey+StaticPrivateKeyLength(), EphemeralPublicKeyLength());
  }
-  /// derive agreed value from your private keys and couterparty's public keys, return false in case of failure
+  /// \brief Derive agreed value or shared secret
-  /*! \note The ephemeral public key will always be validated.
+  /// \param agreedValue the shared secret
-  If you have previously validated the static public key, use validateStaticOtherPublicKey=false to save time.
+  /// \param staticPrivateKey your long term private key
-  \pre size of agreedValue == AgreedValueLength()
+  /// \param ephemeralPrivateKey your ephemeral private key
-  \pre length of staticPrivateKey == StaticPrivateKeyLength()
+  /// \param staticOtherPublicKey couterparty's long term public key
-  \pre length of ephemeralPrivateKey == EphemeralPrivateKeyLength()
+  /// \param ephemeralOtherPublicKey couterparty's ephemeral public key
-  \pre length of staticOtherPublicKey == StaticPublicKeyLength()
+  /// \param validateStaticOtherPublicKey flag indicating validation
-  \pre length of ephemeralOtherPublicKey == EphemeralPublicKeyLength()
+  /// \return true upon success, false in case of failure
-  */
+  /// \details Agree() performs the authenticated key agreement. Agree()
  ///  derives a shared secret from your private keys and couterparty's
  ///  public keys. Each instance or run of the protocol should use a new
  ///  ephemeral key pair.
  /// \details The other's ephemeral public key will always be validated at
  ///  Level 1 to ensure it is a point on the curve.
  ///  <tt>validateStaticOtherPublicKey</tt> determines how thoroughly other's
  ///  static public key is validated. If you have previously validated the
  ///  couterparty's static public key, then use
  ///  <tt>validateStaticOtherPublicKey=false</tt> to save time.
  /// \pre <tt>COUNTOF(agreedValue) == AgreedValueLength()
  /// \pre <tt>COUNTOF(staticPrivateKey) == StaticPrivateKeyLength()</tt>
  /// \pre <tt>COUNTOF(ephemeralPrivateKey) == EphemeralPrivateKeyLength()</tt>
  /// \pre <tt>COUNTOF(staticOtherPublicKey) == StaticPublicKeyLength()</tt>
  /// \pre <tt>COUNTOF(ephemeralOtherPublicKey) == EphemeralPublicKeyLength()</tt>
  bool Agree(byte *agreedValue,
    const byte *staticPrivateKey, const byte *ephemeralPrivateKey,
    const byte *staticOtherPublicKey, const byte *ephemeralOtherPublicKey,
    bool validateStaticOtherPublicKey=true) const
  {
-    byte *XX = NULLPTR, *YY = NULLPTR, *AA = NULLPTR, *BB = NULLPTR;
+    const byte *XX = NULLPTR, *YY = NULLPTR, *AA = NULLPTR, *BB = NULLPTR;
    size_t xxs = 0, yys = 0, aas = 0, bbs = 0;
    // Depending on the role, this will hold either A's or B's static
@ -144,60 +263,43 @@ public:
        Element B = params.ExponentiateBase(b);
        params.EncodeElement(true, B, tt);
-        XX = const_cast<byte*>(ephemeralOtherPublicKey);
+        XX = ephemeralOtherPublicKey;
        xxs = EphemeralPublicKeyLength();
-        YY = const_cast<byte*>(ephemeralPrivateKey) + StaticPrivateKeyLength();
+        YY = ephemeralPrivateKey + StaticPrivateKeyLength();
        yys = EphemeralPublicKeyLength();
-        AA = const_cast<byte*>(staticOtherPublicKey);
+        AA = staticOtherPublicKey;
        aas = StaticPublicKeyLength();
        BB = tt.BytePtr();
        bbs = tt.SizeInBytes();
      }
-      else if(m_role == RoleClient)
+      else
      {
        Integer a(staticPrivateKey, StaticPrivateKeyLength());
        Element A = params.ExponentiateBase(a);
        params.EncodeElement(true, A, tt);
-        XX = const_cast<byte*>(ephemeralPrivateKey) + StaticPrivateKeyLength();
+        XX = ephemeralPrivateKey + StaticPrivateKeyLength();
        xxs = EphemeralPublicKeyLength();
-        YY = const_cast<byte*>(ephemeralOtherPublicKey);
+        YY = ephemeralOtherPublicKey;
        yys = EphemeralPublicKeyLength();
        AA = tt.BytePtr();
        aas = tt.SizeInBytes();
-        BB = const_cast<byte*>(staticOtherPublicKey);
+        BB = staticOtherPublicKey;
        bbs = StaticPublicKeyLength();
      }
      else
      {
        CRYPTOPP_ASSERT(0);
        return false;
      }
-      // DecodeElement calls ValidateElement at level 1. Level 1 only calls
+      Element VV1 = params.DecodeElement(staticOtherPublicKey, validateStaticOtherPublicKey);
-      // VerifyPoint to ensure the element is in G*. If the other's PublicKey is
+      Element VV2 = params.DecodeElement(ephemeralOtherPublicKey, true);
      // requested to be validated, we manually call ValidateElement at level 3.
      Element VV1 = params.DecodeElement(staticOtherPublicKey, false);
      if(!params.ValidateElement(validateStaticOtherPublicKey ? 3 : 1, VV1, NULLPTR))
        return false;
      // DecodeElement calls ValidateElement at level 1. Level 1 only calls
      // VerifyPoint to ensure the element is in G*. Crank it up.
      Element VV2 = params.DecodeElement(ephemeralOtherPublicKey, false);
      if(!params.ValidateElement(3, VV2, NULLPTR))
        return false;
      const Integer& q = params.GetSubgroupOrder();
      const unsigned int len /*bytes*/ = (((q.BitCount()+1)/2 +7)/8);
      Integer d, e;
      SecByteBlock dd(len), ee(len);
      Hash(NULLPTR, XX, xxs, YY, yys, AA, aas, BB, bbs, dd.BytePtr(), dd.SizeInBytes());
-      d.Decode(dd.BytePtr(), dd.SizeInBytes());
+      Integer d(dd.BytePtr(), dd.SizeInBytes());
      Hash(NULLPTR, YY, yys, XX, xxs, AA, aas, BB, bbs, ee.BytePtr(), ee.SizeInBytes());
-      e.Decode(ee.BytePtr(), ee.SizeInBytes());
+      Integer e(ee.BytePtr(), ee.SizeInBytes());
      Element sigma;
      if(m_role == RoleServer)
@ -233,6 +335,7 @@ public:
    }
    catch (DL_BadElement &)
    {
      CRYPTOPP_ASSERT(0);
      return false;
    }
    return true;
@ -251,9 +354,11 @@ protected:
    if(sigma)
    {
-      Integer x = GetAbstractGroupParameters().ConvertElementToInteger(*sigma);
+      //Integer x = GetAbstractGroupParameters().ConvertElementToInteger(*sigma);
-      SecByteBlock sbb(x.MinEncodedSize());
+      //SecByteBlock sbb(x.MinEncodedSize());
-      x.Encode(sbb.BytePtr(), sbb.SizeInBytes());
+      //x.Encode(sbb.BytePtr(), sbb.SizeInBytes());
      SecByteBlock sbb(GetAbstractGroupParameters().GetEncodedElementSize(false));
      GetAbstractGroupParameters().EncodeElement(false, *sigma, sbb);
      hash.Update(sbb.BytePtr(), sbb.SizeInBytes());
    }
@ -294,7 +399,7 @@ private:
 /// \details This implementation follows Augustin P. Sarr and Philippe Elbaz–Vincent, and Jean–Claude Bajard's
 ///   <a href="http://eprint.iacr.org/2009/408">A Secure and Efficient Authenticated Diffie-Hellman Protocol</a>.
 ///   Note: this is FHMQV, Protocol 5, from page 11; and not FHMQV-C.
-/// \sa FHMQV, MQV_Domain, HMQV_Domain, AuthenticatedKeyAgreementDomain
+/// \sa FHMQV, MQV_Domain, FHMQV_Domain, AuthenticatedKeyAgreementDomain
 /// \since Crypto++ 5.6.4
 typedef FHMQV_Domain<DL_GroupParameters_GFP_DefaultSafePrime> FHMQV;
--- a/filters.cpp
+++ b/filters.cpp
@ -595,7 +595,9 @@ StreamTransformationFilter::StreamTransformationFilter(StreamTransformation &c,
 	m_isSpecial = m_cipher.IsLastBlockSpecial() && m_mandatoryBlockSize > 1;
 	m_reservedBufferSize = STDMAX(2*m_mandatoryBlockSize, m_optimalBufferSize);
-	IsolatedInitialize(MakeParameters(Name::BlockPaddingScheme(), padding));
+	FilterWithBufferedInput::IsolatedInitialize(
 		MakeParameters
 			(Name::BlockPaddingScheme(), padding));
 }
 StreamTransformationFilter::StreamTransformationFilter(StreamTransformation &c, BufferedTransformation *attachment, BlockPaddingScheme padding, bool authenticated)
@ -616,7 +618,9 @@ StreamTransformationFilter::StreamTransformationFilter(StreamTransformation &c,
 	m_isSpecial = m_cipher.IsLastBlockSpecial() && m_mandatoryBlockSize > 1;
 	m_reservedBufferSize = STDMAX(2*m_mandatoryBlockSize, m_optimalBufferSize);
-	IsolatedInitialize(MakeParameters(Name::BlockPaddingScheme(), padding));
+	FilterWithBufferedInput::IsolatedInitialize(
 		MakeParameters
 			(Name::BlockPaddingScheme(), padding));
 }
 size_t StreamTransformationFilter::LastBlockSize(StreamTransformation &c, BlockPaddingScheme padding)
@ -889,7 +893,10 @@ HashVerificationFilter::HashVerificationFilter(HashTransformation &hm, BufferedT
 	: FilterWithBufferedInput(attachment)
 	, m_hashModule(hm), m_flags(0), m_digestSize(0), m_verified(false)
 {
-	IsolatedInitialize(MakeParameters(Name::HashVerificationFilterFlags(), flags)(Name::TruncatedDigestSize(), truncatedDigestSize));
+	FilterWithBufferedInput::IsolatedInitialize(
 		MakeParameters
 			(Name::HashVerificationFilterFlags(), flags)
 			(Name::TruncatedDigestSize(), truncatedDigestSize));
 }
 void HashVerificationFilter::InitializeDerivedAndReturnNewSizes(const NameValuePairs &parameters, size_t &firstSize, size_t &blockSize, size_t &lastSize)
@ -994,7 +1001,11 @@ AuthenticatedDecryptionFilter::AuthenticatedDecryptionFilter(AuthenticatedSymmet
 	, m_streamFilter(c, new OutputProxy(*this, false), padding, true)
 {
 	CRYPTOPP_ASSERT(!c.IsForwardTransformation() || c.IsSelfInverting());
-	IsolatedInitialize(MakeParameters(Name::BlockPaddingScheme(), padding)(Name::AuthenticatedDecryptionFilterFlags(), flags)(Name::TruncatedDigestSize(), truncatedDigestSize));
+	FilterWithBufferedInput::IsolatedInitialize(
 		MakeParameters
 			(Name::BlockPaddingScheme(), padding)
 			(Name::AuthenticatedDecryptionFilterFlags(), flags)
 			(Name::TruncatedDigestSize(), truncatedDigestSize));
 }
 void AuthenticatedDecryptionFilter::InitializeDerivedAndReturnNewSizes(const NameValuePairs &parameters, size_t &firstSize, size_t &blockSize, size_t &lastSize)
@ -1079,7 +1090,9 @@ SignatureVerificationFilter::SignatureVerificationFilter(const PK_Verifier &veri
 	: FilterWithBufferedInput(attachment)
 	, m_verifier(verifier), m_flags(0), m_verified(0)
 {
-	IsolatedInitialize(MakeParameters(Name::SignatureVerificationFilterFlags(), flags));
+	FilterWithBufferedInput::IsolatedInitialize(
 		MakeParameters
 			(Name::SignatureVerificationFilterFlags(), flags));
 }
 void SignatureVerificationFilter::InitializeDerivedAndReturnNewSizes(const NameValuePairs &parameters, size_t &firstSize, size_t &blockSize, size_t &lastSize)
--- a/filters.h
+++ b/filters.h
@ -474,7 +474,7 @@ struct BlockPaddingSchemeDef
 		/// \brief 0's padding added to a block
 		/// \since Crypto++ 5.0
 		ZEROS_PADDING,
-		/// \brief PKCS #5 padding added to a block
+		/// \brief PKCS padding added to a block
 		/// \since Crypto++ 5.0
 		PKCS_PADDING,
 		/// \brief 1 and 0's padding added to a block
@ -1100,6 +1100,7 @@ CRYPTOPP_DLL_TEMPLATE_CLASS StringSinkTemplate<std::string>;
 /// \brief Append input to a std::vector<byte> object
 /// \details VectorSink is a typedef for StringSinkTemplate<std::vector<byte> >.
 /// \since Crypto++ 8.0
 DOCUMENTED_TYPEDEF(StringSinkTemplate<std::vector<byte> >, VectorSink)
 CRYPTOPP_DLL_TEMPLATE_CLASS StringSinkTemplate<std::vector<byte> >;
--- a/fips140.cpp
+++ b/fips140.cpp
@ -47,31 +47,35 @@ bool PowerUpSelfTestInProgressOnThisThread()
 {
 #if CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2
 	return s_inProgress;
-#endif
+#else
 	return false;
 #endif
 }
 void SetPowerUpSelfTestInProgressOnThisThread(bool inProgress)
 {
 	CRYPTOPP_UNUSED(inProgress);
 #if CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2
 	s_inProgress = inProgress;
 #else
 	CRYPTOPP_UNUSED(inProgress);
 #endif
 }
 void EncryptionPairwiseConsistencyTest_FIPS_140_Only(const PK_Encryptor &encryptor, const PK_Decryptor &decryptor)
 {
 	CRYPTOPP_UNUSED(encryptor), CRYPTOPP_UNUSED(decryptor);
 #if CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2
 	EncryptionPairwiseConsistencyTest(encryptor, decryptor);
 #else
 	CRYPTOPP_UNUSED(encryptor), CRYPTOPP_UNUSED(decryptor);
 #endif
 }
 void SignaturePairwiseConsistencyTest_FIPS_140_Only(const PK_Signer &signer, const PK_Verifier &verifier)
 {
 	CRYPTOPP_UNUSED(signer), CRYPTOPP_UNUSED(verifier);
 #if CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2
 	SignaturePairwiseConsistencyTest(signer, verifier);
 #else
 	CRYPTOPP_UNUSED(signer), CRYPTOPP_UNUSED(verifier);
 #endif
 }
--- a/gcm.cpp
+++ b/gcm.cpp
@ -44,7 +44,7 @@ NAMESPACE_BEGIN(CryptoPP)
 #endif
 #endif  // CRYPTOPP_BOOL_X86 || CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64
-// Clang __m128i casts, http://bugs.llvm.org/show_bug.cgi?id=20670
+// Clang intrinsic casts, http://bugs.llvm.org/show_bug.cgi?id=20670
 #define M128_CAST(x) ((__m128i *)(void *)(x))
 #define CONST_M128_CAST(x) ((const __m128i *)(const void *)(x))
@ -75,8 +75,8 @@ extern void GCM_Xor16_SSE2(byte *a, const byte *b, const byte *c);
 extern void GCM_Xor16_NEON(byte *a, const byte *b, const byte *c);
 #endif
-#if CRYPTOPP_POWER7_AVAILABLE
+#if CRYPTOPP_POWER8_AVAILABLE
-extern void GCM_Xor16_POWER7(byte *a, const byte *b, const byte *c);
+extern void GCM_Xor16_POWER8(byte *a, const byte *b, const byte *c);
 #endif
 #if CRYPTOPP_CLMUL_AVAILABLE
@ -213,11 +213,11 @@ void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const
                    for (k=1; k<j; k++)
                        GCM_Xor16_NEON(mulTable+i*256*16+(j+k)*16, mulTable+i*256*16+j*16, mulTable+i*256*16+k*16);
            else
-#elif CRYPTOPP_POWER7_AVAILABLE
+#elif CRYPTOPP_POWER8_AVAILABLE
-            if (HasPower7())
+            if (HasPower8())
                for (j=2; j<=0x80; j*=2)
                    for (k=1; k<j; k++)
-                        GCM_Xor16_POWER7(mulTable+i*256*16+(j+k)*16, mulTable+i*256*16+j*16, mulTable+i*256*16+k*16);
+                        GCM_Xor16_POWER8(mulTable+i*256*16+(j+k)*16, mulTable+i*256*16+j*16, mulTable+i*256*16+k*16);
            else
 #endif
                for (j=2; j<=0x80; j*=2)
@ -277,13 +277,13 @@ void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const
                        GCM_Xor16_NEON(mulTable+1024+i*256+(j+k)*16, mulTable+1024+i*256+j*16, mulTable+1024+i*256+k*16);
                    }
            else
-#elif CRYPTOPP_POWER7_AVAILABLE
+#elif CRYPTOPP_POWER8_AVAILABLE
-            if (HasPower7())
+            if (HasPower8())
                for (j=2; j<=8; j*=2)
                    for (k=1; k<j; k++)
                    {
-                        GCM_Xor16_POWER7(mulTable+i*256+(j+k)*16, mulTable+i*256+j*16, mulTable+i*256+k*16);
+                        GCM_Xor16_POWER8(mulTable+i*256+(j+k)*16, mulTable+i*256+j*16, mulTable+i*256+k*16);
-                        GCM_Xor16_POWER7(mulTable+1024+i*256+(j+k)*16, mulTable+1024+i*256+j*16, mulTable+1024+i*256+k*16);
+                        GCM_Xor16_POWER8(mulTable+1024+i*256+(j+k)*16, mulTable+1024+i*256+j*16, mulTable+1024+i*256+k*16);
                    }
            else
 #endif
@ -369,8 +369,8 @@ unsigned int GCM_Base::OptimalDataAlignment() const
        HasSSE2() ? 16 :
 #elif CRYPTOPP_ARM_NEON_AVAILABLE
        HasNEON() ? 4 :
-#elif CRYPTOPP_POWER7_AVAILABLE
+#elif CRYPTOPP_POWER8_AVAILABLE
-        HasPower7() ? 16 :
+        HasPower8() ? 16 :
 #endif
        GetBlockCipher().OptimalDataAlignment();
 }
--- a/gcm_simd.cpp
+++ b/gcm_simd.cpp
@ -56,14 +56,10 @@
 # define EXCEPTION_EXECUTE_HANDLER 1
 #endif
-// Clang __m128i casts, http://bugs.llvm.org/show_bug.cgi?id=20670
+// Clang intrinsic casts, http://bugs.llvm.org/show_bug.cgi?id=20670
 #define M128_CAST(x) ((__m128i *)(void *)(x))
 #define CONST_M128_CAST(x) ((const __m128i *)(const void *)(x))
 // GCC cast warning
 #define UINT64X2_CAST(x) ((uint64x2_t *)(void *)(x))
 #define CONST_UINT64X2_CAST(x) ((const uint64x2_t *)(const void *)(x))
 // Squash MS LNK4221 and libtool warnings
 extern const char GCM_SIMD_FNAME[] = __FILE__;
@ -219,10 +215,7 @@ bool CPU_ProbePMULL()
 #if CRYPTOPP_ARM_NEON_AVAILABLE
 void GCM_Xor16_NEON(byte *a, const byte *b, const byte *c)
 {
-    CRYPTOPP_ASSERT(IsAlignedOn(a,GetAlignmentOf<uint64x2_t>()));
+	vst1q_u8(a, veorq_u8(vld1q_u8(b), vld1q_u8(c)));
    CRYPTOPP_ASSERT(IsAlignedOn(b,GetAlignmentOf<uint64x2_t>()));
    CRYPTOPP_ASSERT(IsAlignedOn(c,GetAlignmentOf<uint64x2_t>()));
    *UINT64X2_CAST(a) = veorq_u64(*CONST_UINT64X2_CAST(b), *CONST_UINT64X2_CAST(c));
 }
 #endif  // CRYPTOPP_ARM_NEON_AVAILABLE
@ -569,12 +562,12 @@ void GCM_ReverseHashBufferIfNeeded_CLMUL(byte *hashBuffer)
 // ***************************** POWER8 ***************************** //
-#if CRYPTOPP_POWER7_AVAILABLE
+#if CRYPTOPP_POWER8_AVAILABLE
-void GCM_Xor16_POWER7(byte *a, const byte *b, const byte *c)
+void GCM_Xor16_POWER8(byte *a, const byte *b, const byte *c)
 {
    VecStore(VecXor(VecLoad(b), VecLoad(c)), a);
 }
-#endif  // CRYPTOPP_POWER7_AVAILABLE
+#endif  // CRYPTOPP_POWER8_AVAILABLE
 #if CRYPTOPP_POWER8_VMULL_AVAILABLE
--- a/gf2n_simd.cpp
+++ b/gf2n_simd.cpp
@ -21,6 +21,8 @@
 #include "pch.h"
 #include "config.h"
 #ifndef CRYPTOPP_IMPORTS
 #include "gf2n.h"
 #if (CRYPTOPP_CLMUL_AVAILABLE)
@ -463,36 +465,33 @@ NAMESPACE_BEGIN(CryptoPP)
 void
 GF2NT_233_Multiply_Reduce_CLMUL(const word* pA, const word* pB, word* pC)
 {
-    const __m128i* pAA = reinterpret_cast<const __m128i*>(pA);
+    enum {S=sizeof(__m128i)/sizeof(word)};
-    const __m128i* pBB = reinterpret_cast<const __m128i*>(pB);
+    __m128i a0 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pA+0*S));
-    __m128i a0 = _mm_loadu_si128(pAA+0);
+    __m128i a1 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pA+1*S));
-    __m128i a1 = _mm_loadu_si128(pAA+1);
+    __m128i b0 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pB+0*S));
-    __m128i b0 = _mm_loadu_si128(pBB+0);
+    __m128i b1 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pB+1*S));
    __m128i b1 = _mm_loadu_si128(pBB+1);
    __m128i c0, c1, c2, c3;
    F2N_Multiply_256x256_CLMUL(c3, c2, c1, c0, a1, a0, b1, b0);
    GF2NT_233_Reduce_CLMUL(c3, c2, c1, c0);
-    __m128i* pCC = reinterpret_cast<__m128i*>(pC);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(pC+0*S), c0);
-    _mm_storeu_si128(pCC+0, c0);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(pC+1*S), c1);
    _mm_storeu_si128(pCC+1, c1);
 }
 void
 GF2NT_233_Square_Reduce_CLMUL(const word* pA, word* pC)
 {
-    const __m128i* pAA = reinterpret_cast<const __m128i*>(pA);
+    enum {S=sizeof(__m128i)/sizeof(word)};
-    __m128i a0 = _mm_loadu_si128(pAA+0);
+    __m128i a0 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pA+0*S));
-    __m128i a1 = _mm_loadu_si128(pAA+1);
+    __m128i a1 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(pA+1*S));
    __m128i c0, c1, c2, c3;
    F2N_Square_256_CLMUL(c3, c2, c1, c0, a1, a0);
    GF2NT_233_Reduce_CLMUL(c3, c2, c1, c0);
-    __m128i* pCC = reinterpret_cast<__m128i*>(pC);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(pC+0*S), c0);
-    _mm_storeu_si128(pCC+0, c0);
+    _mm_storeu_si128(reinterpret_cast<__m128i*>(pC+1*S), c1);
    _mm_storeu_si128(pCC+1, c1);
 }
 #elif (CRYPTOPP_ARM_PMULL_AVAILABLE)
@ -608,3 +607,5 @@ GF2NT_233_Square_Reduce_POWER8(const word* pA, word* pC)
 #endif
 NAMESPACE_END
 #endif  // CRYPTOPP_IMPORTS
--- a/gfpcrypt.cpp
+++ b/gfpcrypt.cpp
@ -133,22 +133,27 @@ void DL_SignatureMessageEncodingMethod_NR::ComputeMessageRepresentative(RandomNu
 bool DL_GroupParameters_IntegerBased::ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const
 {
 	const Integer &p = GetModulus(), &q = GetSubgroupOrder();
 	bool pass = true;
 	CRYPTOPP_ASSERT(p > Integer::One() && p.IsOdd());
 	pass = pass && p > Integer::One() && p.IsOdd();
-	CRYPTOPP_ASSERT(pass);
+
 	CRYPTOPP_ASSERT(q > Integer::One() && q.IsOdd());
 	pass = pass && q > Integer::One() && q.IsOdd();
 	CRYPTOPP_ASSERT(pass);
 	if (level >= 1)
 	{
 		CRYPTOPP_ASSERT(GetCofactor() > Integer::One());
 		CRYPTOPP_ASSERT(GetGroupOrder() % q == Integer::Zero());
 		pass = pass && GetCofactor() > Integer::One() && GetGroupOrder() % q == Integer::Zero();
 		CRYPTOPP_ASSERT(pass);
 	}
 	if (level >= 2)
 	{
 		CRYPTOPP_ASSERT(VerifyPrime(rng, q, level-2));
 		CRYPTOPP_ASSERT(VerifyPrime(rng, p, level-2));
 		pass = pass && VerifyPrime(rng, q, level-2) && VerifyPrime(rng, p, level-2);
 		CRYPTOPP_ASSERT(pass);
 	}
 	return pass;
@ -157,28 +162,28 @@ bool DL_GroupParameters_IntegerBased::ValidateGroup(RandomNumberGenerator &rng,
 bool DL_GroupParameters_IntegerBased::ValidateElement(unsigned int level, const Integer &g, const DL_FixedBasePrecomputation<Integer> *gpc) const
 {
 	const Integer &p = GetModulus(), &q = GetSubgroupOrder();
 	bool pass = true;
 	pass = pass && GetFieldType() == 1 ? g.IsPositive() : g.NotNegative();
 	CRYPTOPP_ASSERT(pass);
 	CRYPTOPP_ASSERT(GetFieldType() == 1 ? g.IsPositive() : g.NotNegative());
 	pass = pass && GetFieldType() == 1 ? g.IsPositive() : g.NotNegative();
 	CRYPTOPP_ASSERT(g < p && !IsIdentity(g));
 	pass = pass && g < p && !IsIdentity(g);
 	CRYPTOPP_ASSERT(pass);
 	if (level >= 1)
 	{
 		if (gpc)
 		{
 			CRYPTOPP_ASSERT(gpc->Exponentiate(GetGroupPrecomputation(), Integer::One()) == g);
 			pass = pass && gpc->Exponentiate(GetGroupPrecomputation(), Integer::One()) == g;
 			CRYPTOPP_ASSERT(pass);
 		}
 	}
 	if (level >= 2)
 	{
 		if (GetFieldType() == 2)
 		{
 			CRYPTOPP_ASSERT(Jacobi(g*g-4, p)==-1);
 			pass = pass && Jacobi(g*g-4, p)==-1;
 			CRYPTOPP_ASSERT(pass);
 		}
 		// verifying that Lucas((p+1)/2, w, p)==2 is omitted because it's too costly
@ -188,13 +193,13 @@ bool DL_GroupParameters_IntegerBased::ValidateElement(unsigned int level, const
 		if (fullValidate && pass)
 		{
 			Integer gp = gpc ? gpc->Exponentiate(GetGroupPrecomputation(), q) : ExponentiateElement(g, q);
 			CRYPTOPP_ASSERT(IsIdentity(gp));
 			pass = pass && IsIdentity(gp);
 			CRYPTOPP_ASSERT(pass);
 		}
 		else if (GetFieldType() == 1)
 		{
 			CRYPTOPP_ASSERT(Jacobi(g, p) == 1);
 			pass = pass && Jacobi(g, p) == 1;
 			CRYPTOPP_ASSERT(pass);
 		}
 	}
--- a/gfpcrypt.h
+++ b/gfpcrypt.h
@ -69,8 +69,13 @@ public:
    void BERDecode(BufferedTransformation &bt);
    void DEREncode(BufferedTransformation &bt) const;
-    // GeneratibleCryptoMaterial interface
+    /// \brief Generate a random key
-    /*! parameters: (ModulusSize, SubgroupOrderSize (optional)) */
+    /// \param rng a RandomNumberGenerator to produce keying material
    /// \param params additional initialization parameters
    /// \details Recognised NameValuePairs are ModulusSize and
    ///  SubgroupOrderSize (optional)
    /// \throws KeyingErr if a key can't be generated or algorithm parameters
    ///  are invalid
    void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &alg);
    bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
    void AssignFrom(const NameValuePairs &source);
@ -80,26 +85,68 @@ public:
    Integer GetGroupOrder() const {return GetFieldType() == 1 ? GetModulus()-Integer::One() : GetModulus()+Integer::One();}
    bool ValidateGroup(RandomNumberGenerator &rng, unsigned int level) const;
    bool ValidateElement(unsigned int level, const Integer &element, const DL_FixedBasePrecomputation<Integer> *precomp) const;
    /// \brief Determine if subgroup membership check is fast
    /// \returns true or false
    bool FastSubgroupCheckAvailable() const {return GetCofactor() == 2;}
-    // Cygwin i386 crash at -O3; see http://github.com/weidai11/cryptopp/issues/40.
+    /// \brief Encodes the element
    /// \param reversible flag indicating the encoding format
    /// \param element reference to the element to encode
    /// \param encoded destination byte array for the encoded element
    /// \details EncodeElement() must be implemented in a derived class.
    /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
    /// \sa <A HREF="http://github.com/weidai11/cryptopp/issues/40">Cygwin
    ///  i386 crash at -O3</A>
    void EncodeElement(bool reversible, const Element &element, byte *encoded) const;
    /// \brief Retrieve the encoded element's size
    /// \param reversible flag indicating the encoding format
    /// \return encoded element's size, in bytes
    /// \details The format of the encoded element varies by the underlying
    ///  type of the element and the reversible flag.
    /// \sa GetEncodedElementSize(), EncodeElement(), DecodeElement()
    unsigned int GetEncodedElementSize(bool reversible) const;
    /// \brief Decodes the element
    /// \param encoded byte array with the encoded element
    /// \param checkForGroupMembership flag indicating if the element should be validated
    /// \return Element after decoding
    /// \details DecodeElement() must be implemented in a derived class.
    /// \pre <tt>COUNTOF(encoded) == GetEncodedElementSize()</tt>
    Integer DecodeElement(const byte *encoded, bool checkForGroupMembership) const;
    /// \brief Converts an element to an Integer
    /// \param element the element to convert to an Integer
    /// \return Element after converting to an Integer
    /// \details ConvertElementToInteger() must be implemented in a derived class.
    Integer ConvertElementToInteger(const Element &element) const
        {return element;}
    Integer GetMaxExponent() const;
    static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
    /// \brief Retrieve the maximum exponent for the group
    /// \return the maximum exponent for the group
    Integer GetMaxExponent() const;
    /// \brief Retrieve the OID of the algorithm
    /// \returns OID of the algorithm
    OID GetAlgorithmID() const;
    /// \brief Retrieve the modulus for the group
    /// \return the modulus for the group
    virtual const Integer & GetModulus() const =0;
    /// \brief Set group parameters
    /// \param p the prime modulus
    /// \param g the group generator
    virtual void SetModulusAndSubgroupGenerator(const Integer &p, const Integer &g) =0;
    /// \brief Set subgroup order
    /// \param q the subgroup order
    void SetSubgroupOrder(const Integer &q)
        {m_q = q; ParametersChanged();}
    static std::string CRYPTOPP_API StaticAlgorithmNamePrefix() {return "";}
 protected:
    Integer ComputeGroupOrder(const Integer &modulus) const
        {return modulus-(GetFieldType() == 1 ? 1 : -1);}
@ -704,7 +751,7 @@ public:
    bool ParameterSupported(const char *name) const {return strcmp(name, Name::EncodingParameters()) == 0;}
    size_t GetSymmetricKeyLength(size_t plaintextLength) const
-        {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
+        {return plaintextLength + static_cast<size_t>(MAC::DEFAULT_KEYLENGTH);}
    size_t GetSymmetricCiphertextLength(size_t plaintextLength) const
        {return plaintextLength + static_cast<size_t>(MAC::DIGESTSIZE);}
    size_t GetMaxSymmetricPlaintextLength(size_t ciphertextLength) const
--- a/hight.h
+++ b/hight.h
@ -60,7 +60,7 @@ public:
        void ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const;
    };
-    /// \brief Encryption transformation
+    /// \brief Decryption transformation
    /// \details Dec provides implementation for decryption transformation.
    /// \since Crypto++ 8.0
    class CRYPTOPP_NO_VTABLE Dec : public Base
--- a/hkdf.h
+++ b/hkdf.h
@ -39,7 +39,7 @@ public:
 	}
 	// KeyDerivationFunction interface
-	size_t MaxDerivedLength() const {
+	size_t MaxDerivedKeyLength() const {
 		return static_cast<size_t>(T::DIGESTSIZE) * 255;
 	}
@ -60,7 +60,7 @@ public:
 	/// \param info the additional input buffer
 	/// \param infoLen the size of the info buffer, in bytes
 	/// \returns the number of iterations performed
-	/// \throws InvalidDerivedLength if <tt>derivedLen</tt> is invalid for the scheme
+	/// \throws InvalidDerivedKeyLength if <tt>derivedLen</tt> is invalid for the scheme
 	/// \details DeriveKey() provides a standard interface to derive a key from
 	///   a seed and other parameters. Each class that derives from KeyDerivationFunction
 	///   provides an overload that accepts most parameters used by the derivation function.
@ -92,8 +92,8 @@ protected:
 template <class T>
 size_t HKDF<T>::GetValidDerivedLength(size_t keylength) const
 {
-	if (keylength > MaxDerivedLength())
+	if (keylength > MaxDerivedKeyLength())
-		return MaxDerivedLength();
+		return MaxDerivedKeyLength();
 	return keylength;
 }
@ -103,7 +103,7 @@ size_t HKDF<T>::DeriveKey(byte *derived, size_t derivedLen,
 {
 	CRYPTOPP_ASSERT(secret && secretLen);
 	CRYPTOPP_ASSERT(derived && derivedLen);
-	CRYPTOPP_ASSERT(derivedLen <= MaxDerivedLength());
+	CRYPTOPP_ASSERT(derivedLen <= MaxDerivedKeyLength());
 	ConstByteArrayParameter p;
 	SecByteBlock salt, info;
@ -127,9 +127,9 @@ size_t HKDF<T>::DeriveKey(byte *derived, size_t derivedLen, const byte *secret,
 {
 	CRYPTOPP_ASSERT(secret && secretLen);
 	CRYPTOPP_ASSERT(derived && derivedLen);
-	CRYPTOPP_ASSERT(derivedLen <= MaxDerivedLength());
+	CRYPTOPP_ASSERT(derivedLen <= MaxDerivedKeyLength());
-	ThrowIfInvalidDerivedLength(derivedLen);
+	ThrowIfInvalidDerivedKeyLength(derivedLen);
 	// HKDF business logic. NULL is different than empty.
 	if (salt == NULLPTR)
--- a/hmqv.h
+++ b/hmqv.h
@ -1,5 +1,5 @@
 // hmqv.h - written and placed in the public domain by Uri Blumenthal
-//          Shamelessly based upon Jeffrey Walton's FHMQV and Wei Dai's MQV source files
+//          Shamelessly based upon Wei Dai's MQV source files
 #ifndef CRYPTOPP_HMQV_H
 #define CRYPTOPP_HMQV_H
@ -29,30 +29,85 @@ public:
  virtual ~HMQV_Domain() {}
-  HMQV_Domain(bool clientRole = true): m_role(clientRole ? RoleClient : RoleServer) {}
+  /// \brief Construct a HMQV domain
  /// \param clientRole flag indicating initiator or recipient
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  HMQV_Domain(bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer) {}
  /// \brief Construct a HMQV domain
  /// \param params group parameters and options
  /// \param clientRole flag indicating initiator or recipient
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  HMQV_Domain(const GroupParameters &params, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer), m_groupParameters(params) {}
  /// \brief Construct a HMQV domain
  /// \param bt BufferedTransformation with group parameters and options
  /// \param clientRole flag indicating initiator or recipient
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  HMQV_Domain(BufferedTransformation &bt, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.BERDecode(bt);}
  /// \brief Construct a HMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1 is passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1>
  HMQV_Domain(T1 v1, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.Initialize(v1);}
  /// \brief Construct a HMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \tparam T2 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param v2 second parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1 and v2 are passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1, class T2>
  HMQV_Domain(T1 v1, T2 v2, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.Initialize(v1, v2);}
  /// \brief Construct a HMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \tparam T2 template parameter used as a constructor parameter
  /// \tparam T3 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param v2 second parameter
  /// \param v3 third parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1, v2 and v3 are passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1, class T2, class T3>
  HMQV_Domain(T1 v1, T2 v2, T3 v3, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
    {m_groupParameters.Initialize(v1, v2, v3);}
  /// \brief Construct a HMQV domain
  /// \tparam T1 template parameter used as a constructor parameter
  /// \tparam T2 template parameter used as a constructor parameter
  /// \tparam T3 template parameter used as a constructor parameter
  /// \tparam T4 template parameter used as a constructor parameter
  /// \param v1 first parameter
  /// \param v2 second parameter
  /// \param v3 third parameter
  /// \param v4 third parameter
  /// \param clientRole flag indicating initiator or recipient
  /// \details v1, v2, v3 and v4 are passed directly to the GROUP_PARAMETERS object.
  /// \details <tt>clientRole = true</tt> indicates initiator, and
  ///  <tt>clientRole = false</tt> indicates recipient or server.
  template <class T1, class T2, class T3, class T4>
  HMQV_Domain(T1 v1, T2 v2, T3 v3, T4 v4, bool clientRole = true)
    : m_role(clientRole ? RoleClient : RoleServer)
@ -60,28 +115,62 @@ public:
 public:
  /// \brief Retrieves the group parameters for this domain
  /// \return the group parameters for this domain as a const reference
  const GroupParameters & GetGroupParameters() const {return m_groupParameters;}
  /// \brief Retrieves the group parameters for this domain
  /// \return the group parameters for this domain as a non-const reference
  GroupParameters & AccessGroupParameters() {return m_groupParameters;}
  /// \brief Retrieves the crypto parameters for this domain
  /// \return the crypto parameters for this domain as a non-const reference
  CryptoParameters & AccessCryptoParameters() {return AccessAbstractGroupParameters();}
-  /// return length of agreed value produced
+  /// \brief Provides the size of the agreed value
-  unsigned int AgreedValueLength() const {return GetAbstractGroupParameters().GetEncodedElementSize(false);}
+  /// \return size of agreed value produced in this domain
-  /// return length of static private keys in this domain
+  /// \details The length is calculated using <tt>GetEncodedElementSize(false)</tt>,
-  unsigned int StaticPrivateKeyLength() const {return GetAbstractGroupParameters().GetSubgroupOrder().ByteCount();}
+  ///  which means the element is encoded in a non-reversible format. A
-  /// return length of static public keys in this domain
+  ///  non-reversible format means its a raw byte array, and it lacks presentation
-  unsigned int StaticPublicKeyLength() const{return GetAbstractGroupParameters().GetEncodedElementSize(true);}
+  ///  format like an ASN.1 BIT_STRING or OCTET_STRING.
  unsigned int AgreedValueLength() const
    {return GetAbstractGroupParameters().GetEncodedElementSize(false);}
-  /// generate static private key
+  /// \brief Provides the size of the static private key
-  /*! \pre size of privateKey == PrivateStaticKeyLength() */
+  /// \return size of static private keys in this domain
  /// \details The length is calculated using the byte count of the subgroup order.
  unsigned int StaticPrivateKeyLength() const
    {return GetAbstractGroupParameters().GetSubgroupOrder().ByteCount();}
  /// \brief Provides the size of the static public key
  /// \return size of static public keys in this domain
  /// \details The length is calculated using <tt>GetEncodedElementSize(true)</tt>,
  ///  which means the element is encoded in a reversible format. A reversible
  ///  format means it has a presentation format, and its an ANS.1 encoded element
  ///  or point.
  unsigned int StaticPublicKeyLength() const
    {return GetAbstractGroupParameters().GetEncodedElementSize(true);}
  /// \brief Generate static private key in this domain
  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer for the generated private key in this domain
  /// \details The private key is a random scalar used as an exponent in the range
  ///  <tt>[1,MaxExponent()]</tt>.
  /// \pre <tt>COUNTOF(privateKey) == PrivateStaticKeyLength()</tt>
  void GenerateStaticPrivateKey(RandomNumberGenerator &rng, byte *privateKey) const
  {
    Integer x(rng, Integer::One(), GetAbstractGroupParameters().GetMaxExponent());
    x.Encode(privateKey, StaticPrivateKeyLength());
  }
-  /// generate static public key
+  /// \brief Generate a static public key from a private key in this domain
-  /*! \pre size of publicKey == PublicStaticKeyLength() */
+  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer with the previously generated private key
  /// \param publicKey a byte buffer for the generated public key in this domain
  /// \details The public key is an element or point on the curve, and its stored
  ///  in a revrsible format. A reversible format means it has a presentation
  ///  format, and its an ANS.1 encoded element or point.
  /// \pre <tt>COUNTOF(publicKey) == PublicStaticKeyLength()</tt>
  void GenerateStaticPublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const
  {
    CRYPTOPP_UNUSED(rng);
@ -91,10 +180,22 @@ public:
    params.EncodeElement(true, y, publicKey);
  }
  /// \brief Provides the size of the ephemeral private key
  /// \return size of ephemeral private keys in this domain
  /// \details An ephemeral private key is a private key and public key.
  ///  The serialized size is different than a static private key.
  unsigned int EphemeralPrivateKeyLength() const {return StaticPrivateKeyLength() + StaticPublicKeyLength();}
  /// \brief Provides the size of the ephemeral public key
  /// \return size of ephemeral public keys in this domain
  /// \details An ephemeral public key is a public key.
  ///  The serialized size is the same as a static public key.
  unsigned int EphemeralPublicKeyLength() const{return StaticPublicKeyLength();}
-  /// return length of ephemeral private keys in this domain
+  /// \brief Generate ephemeral private key in this domain
  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer for the generated private key in this domain
  /// \pre <tt>COUNTOF(privateKey) == EphemeralPrivateKeyLength()</tt>
  void GenerateEphemeralPrivateKey(RandomNumberGenerator &rng, byte *privateKey) const
  {
    const DL_GroupParameters<Element> &params = GetAbstractGroupParameters();
@ -104,28 +205,46 @@ public:
    params.EncodeElement(true, y, privateKey+StaticPrivateKeyLength());
  }
-  /// return length of ephemeral public keys in this domain
+  /// \brief Generate ephemeral public key from a private key in this domain
  /// \param rng a RandomNumberGenerator derived class
  /// \param privateKey a byte buffer with the previously generated private key
  /// \param publicKey a byte buffer for the generated public key in this domain
  /// \pre <tt>COUNTOF(publicKey) == EphemeralPublicKeyLength()</tt>
  void GenerateEphemeralPublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const
  {
    CRYPTOPP_UNUSED(rng);
    memcpy(publicKey, privateKey+StaticPrivateKeyLength(), EphemeralPublicKeyLength());
  }
-  /// derive agreed value from your private keys and couterparty's public keys, return false in case of failure
+  /// \brief Derive agreed value or shared secret
-  /*! \note The ephemeral public key will always be validated.
+  /// \param agreedValue the shared secret
-  If you have previously validated the static public key, use validateStaticOtherPublicKey=false to save time.
+  /// \param staticPrivateKey your long term private key
-  \pre size of agreedValue == AgreedValueLength()
+  /// \param ephemeralPrivateKey your ephemeral private key
-  \pre length of staticPrivateKey == StaticPrivateKeyLength()
+  /// \param staticOtherPublicKey couterparty's long term public key
-  \pre length of ephemeralPrivateKey == EphemeralPrivateKeyLength()
+  /// \param ephemeralOtherPublicKey couterparty's ephemeral public key
-  \pre length of staticOtherPublicKey == StaticPublicKeyLength()
+  /// \param validateStaticOtherPublicKey flag indicating validation
-  \pre length of ephemeralOtherPublicKey == EphemeralPublicKeyLength()
+  /// \return true upon success, false in case of failure
-  */
+  /// \details Agree() performs the authenticated key agreement. Agree()
  ///  derives a shared secret from your private keys and couterparty's
  ///  public keys. Each instance or run of the protocol should use a new
  ///  ephemeral key pair.
  /// \details The other's ephemeral public key will always be validated at
  ///  Level 1 to ensure it is a point on the curve.
  ///  <tt>validateStaticOtherPublicKey</tt> determines how thoroughly other's
  ///  static public key is validated. If you have previously validated the
  ///  couterparty's static public key, then use
  ///  <tt>validateStaticOtherPublicKey=false</tt> to save time.
  /// \pre <tt>COUNTOF(agreedValue) == AgreedValueLength()
  /// \pre <tt>COUNTOF(staticPrivateKey) == StaticPrivateKeyLength()</tt>
  /// \pre <tt>COUNTOF(ephemeralPrivateKey) == EphemeralPrivateKeyLength()</tt>
  /// \pre <tt>COUNTOF(staticOtherPublicKey) == StaticPublicKeyLength()</tt>
  /// \pre <tt>COUNTOF(ephemeralOtherPublicKey) == EphemeralPublicKeyLength()</tt>
  bool Agree(byte *agreedValue,
    const byte *staticPrivateKey, const byte *ephemeralPrivateKey,
    const byte *staticOtherPublicKey, const byte *ephemeralOtherPublicKey,
    bool validateStaticOtherPublicKey=true) const
  {
-    byte *XX = NULLPTR, *YY = NULLPTR, *AA = NULLPTR, *BB = NULLPTR;
+    const byte *XX = NULLPTR, *YY = NULLPTR, *AA = NULLPTR, *BB = NULLPTR;
    size_t xxs = 0, yys = 0, aas = 0, bbs = 0;
    // Depending on the role, this will hold either A's or B's static
@ -143,63 +262,45 @@ public:
        Element B = params.ExponentiateBase(b);
        params.EncodeElement(true, B, tt);
-        XX = const_cast<byte*>(ephemeralOtherPublicKey);
+        XX = ephemeralOtherPublicKey;
        xxs = EphemeralPublicKeyLength();
-        YY = const_cast<byte*>(ephemeralPrivateKey) + StaticPrivateKeyLength();
+        YY = ephemeralPrivateKey + StaticPrivateKeyLength();
        yys = EphemeralPublicKeyLength();
-        AA = const_cast<byte*>(staticOtherPublicKey);
+        AA = staticOtherPublicKey;
        aas = StaticPublicKeyLength();
        BB = tt.BytePtr();
        bbs = tt.SizeInBytes();
      }
-      else if(m_role == RoleClient)
+      else
      {
        Integer a(staticPrivateKey, StaticPrivateKeyLength());
        Element A = params.ExponentiateBase(a);
        params.EncodeElement(true, A, tt);
-        XX = const_cast<byte*>(ephemeralPrivateKey) + StaticPrivateKeyLength();
+        XX = ephemeralPrivateKey + StaticPrivateKeyLength();
        xxs = EphemeralPublicKeyLength();
-        YY = const_cast<byte*>(ephemeralOtherPublicKey);
+        YY = ephemeralOtherPublicKey;
        yys = EphemeralPublicKeyLength();
        AA = tt.BytePtr();
        aas = tt.SizeInBytes();
-        BB = const_cast<byte*>(staticOtherPublicKey);
+        BB = staticOtherPublicKey;
        bbs = StaticPublicKeyLength();
      }
      else
      {
        CRYPTOPP_ASSERT(0);
        return false;
      }
-      // DecodeElement calls ValidateElement at level 1. Level 1 only calls
+      Element VV1 = params.DecodeElement(staticOtherPublicKey, validateStaticOtherPublicKey);
-      // VerifyPoint to ensure the element is in G*. If the other's PublicKey is
+      Element VV2 = params.DecodeElement(ephemeralOtherPublicKey, true);
      // requested to be validated, we manually call ValidateElement at level 3.
      Element VV1 = params.DecodeElement(staticOtherPublicKey, false);
      if(!params.ValidateElement(validateStaticOtherPublicKey ? 3 : 1, VV1, NULLPTR))
        return false;
      // DecodeElement calls ValidateElement at level 1. Level 1 only calls
      // VerifyPoint to ensure the element is in G*. Crank it up.
      Element VV2 = params.DecodeElement(ephemeralOtherPublicKey, false);
      if(!params.ValidateElement(3, VV2, NULLPTR))
        return false;
      // const Integer& p = params.GetGroupOrder(); // not used, remove later
      const Integer& q = params.GetSubgroupOrder();
      const unsigned int len /*bytes*/ = (((q.BitCount()+1)/2 +7)/8);
      Integer d, e;
      SecByteBlock dd(len), ee(len);
      // Compute $d = \hat{H}(X, \hat{B})$
      Hash(NULLPTR, XX, xxs, BB, bbs, dd.BytePtr(), dd.SizeInBytes());
-      d.Decode(dd.BytePtr(), dd.SizeInBytes());
+      Integer d(dd.BytePtr(), dd.SizeInBytes());
      // Compute $e = \hat{H}(Y, \hat{A})$
      Hash(NULLPTR, YY, yys, AA, aas, ee.BytePtr(), ee.SizeInBytes());
-      e.Decode(ee.BytePtr(), ee.SizeInBytes());
+      Integer e(ee.BytePtr(), ee.SizeInBytes());
      Element sigma;
      if(m_role == RoleServer)
@ -226,16 +327,17 @@ public:
        Element B = params.DecodeElement(BB, false);
        Element Y = params.DecodeElement(YY, false);
-        Element t1 = params.ExponentiateElement(B, e);
+        Element t3 = params.ExponentiateElement(B, e);
-        Element t2 = m_groupParameters.MultiplyElements(Y, t1);
+        Element t4 = m_groupParameters.MultiplyElements(Y, t3);
        // $\sigma_A}=(Y \cdot B^{e})^{s_A}
-        sigma = params.ExponentiateElement(t2, s_A);
+        sigma = params.ExponentiateElement(t4, s_A);
      }
      Hash(&sigma, NULLPTR, 0, NULLPTR, 0, agreedValue, AgreedValueLength());
    }
    catch (DL_BadElement &)
    {
      CRYPTOPP_ASSERT(0);
      return false;
    }
    return true;
@ -259,9 +361,11 @@ protected:
      if (e1len != 0 || s1len != 0) {
        CRYPTOPP_ASSERT(0);
      }
-      Integer x = GetAbstractGroupParameters().ConvertElementToInteger(*sigma);
+      //Integer x = GetAbstractGroupParameters().ConvertElementToInteger(*sigma);
-      SecByteBlock sbb(x.MinEncodedSize());
+      //SecByteBlock sbb(x.MinEncodedSize());
-      x.Encode(sbb.BytePtr(), sbb.SizeInBytes());
+      //x.Encode(sbb.BytePtr(), sbb.SizeInBytes());
      SecByteBlock sbb(GetAbstractGroupParameters().GetEncodedElementSize(false));
      GetAbstractGroupParameters().EncodeElement(false, *sigma, sbb);
      hash.Update(sbb.BytePtr(), sbb.SizeInBytes());
    } else {
      if (e1len == 0 || s1len == 0) {
@ -292,8 +396,10 @@ private:
  // The paper uses Initiator and Recipient - make it classical.
  enum KeyAgreementRole { RoleServer = 1, RoleClient };
-  DL_GroupParameters<Element> & AccessAbstractGroupParameters() {return m_groupParameters;}
+  DL_GroupParameters<Element> & AccessAbstractGroupParameters()
-  const DL_GroupParameters<Element> & GetAbstractGroupParameters() const{return m_groupParameters;}
+    {return m_groupParameters;}
  const DL_GroupParameters<Element> & GetAbstractGroupParameters() const
    {return m_groupParameters;}
  GroupParameters m_groupParameters;
  KeyAgreementRole m_role;
@ -302,7 +408,7 @@ private:
 /// \brief Hashed Menezes-Qu-Vanstone in GF(p)
 /// \details This implementation follows Hugo Krawczyk's <a href="http://eprint.iacr.org/2005/176">HMQV: A High-Performance
 ///   Secure Diffie-Hellman Protocol</a>. Note: this implements HMQV only. HMQV-C with Key Confirmation is not provided.
-/// \sa HMQV, MQV_Domain, FHMQV_Domain, AuthenticatedKeyAgreementDomain
+/// \sa HMQV, HMQV_Domain, FHMQV_Domain, AuthenticatedKeyAgreementDomain
 /// \since Crypto++ 5.6.4
 typedef HMQV_Domain<DL_GroupParameters_GFP_DefaultSafePrime> HMQV;
--- a/integer.cpp
+++ b/integer.cpp
@ -18,13 +18,13 @@
 // For Integer::Zero(), Integer::One() and Integer::Two(), we use one of three
 //  strategies. First, if initialization priorities are available then we use
 //  them. Initialization priorities are init_priority() on Linux and init_seg()
-//  on Windows. AIX, OS X and several other platforms lack them. Initialization
+//  on Windows. OS X and several other platforms lack them. Initialization
 //  priorities are platform specific but they are also the most trouble free
 //  with determisitic destruction.
 // Second, if C++11 dynamic initialization is available, then we use it. After
-//  the std::call_once fiasco we dropped the priority dynamic initialization
+//  the std::call_once fiasco we moved to dynamic initialization to avoid
-//  to avoid unknown troubles platforms that are tested less frequently. In
+//  unknown troubles platforms that are tested less frequently. In addition
-//  addition Microsoft platforms mostly do not provide dynamic initialization.
+//  Microsoft platforms mostly do not provide dynamic initialization.
 //  The MSDN docs claim they do but they don't in practice because we need
 //  Visual Studio 2017 and Windows 10 or above.
 // Third, we fall back to Wei's original code of a Singleton. Wei's original
@ -45,6 +45,12 @@
 //  thousands of times during the life of a program. Each load produces a
 //  memory leak and they can add up quickly. If they library is being used in
 //  Java or .Net then Singleton must be avoided at all costs.
 //
 // The code below has a path cut-in for BMI2 using mulx and adcx instructions.
 //  There was a modest speedup of approximately 0.03 ms in public key Integer
 //  operations. We had to disable BMI2 for the moment because some OS X machines
 //  were advertising BMI/BMI2 support but caused SIGILL's at runtime. Also see
 //  https://github.com/weidai11/cryptopp/issues/850.
 #include "pch.h"
 #include "config.h"
@ -77,7 +83,8 @@
 	#include <c_asm.h>
 #endif
-// "Error: The operand ___LKDB cannot be assigned to", http://github.com/weidai11/cryptopp/issues/188
+// "Error: The operand ___LKDB cannot be assigned to",
 // http://github.com/weidai11/cryptopp/issues/188
 #if (__SUNPRO_CC >= 0x5130)
 # define MAYBE_CONST
 # define MAYBE_UNCONST_CAST(x) const_cast<word*>(x)
@ -211,6 +218,13 @@ static word AtomicInverseModPower2(word A)
 		#if defined(__SUNPRO_CC) && __SUNPRO_CC < 0x5100
 			// Sun Studio's gcc-style inline assembly is heavily bugged as of version 5.9 Patch 124864-09 2008/12/16, but this one works
 			#define MultiplyWordsLoHi(p0, p1, a, b)		asm ("mulq %3" : "=a"(p0), "=d"(p1) : "a"(a), "r"(b) : "cc");
 		#elif defined(__BMI2__) && 0
 			#define MultiplyWordsLoHi(p0, p1, a, b)		asm ("mulxq %3, %0, %1" : "=r"(p0), "=r"(p1) : "d"(a), "r"(b));
 			#define MulAcc(c, d, a, b)		asm ("mulxq %6, %3, %4; addq %3, %0; adcxq %4, %1; adcxq %7, %2;" : "+&r"(c), "+&r"(d##0), "+&r"(d##1), "=&r"(p0), "=&r"(p1) : "d"(a), "r"(b), "r"(W64LIT(0)) : "cc");
 			#define Double3Words(c, d)		asm ("addq %0, %0; adcxq %1, %1; adcxq %2, %2;" : "+r"(c), "+r"(d##0), "+r"(d##1) : : "cc");
 			#define Acc2WordsBy1(a, b)		asm ("addq %2, %0; adcxq %3, %1;" : "+&r"(a##0), "+r"(a##1) : "r"(b), "r"(W64LIT(0)) : "cc");
 			#define Acc2WordsBy2(a, b)		asm ("addq %2, %0; adcxq %3, %1;" : "+r"(a##0), "+r"(a##1) : "r"(b##0), "r"(b##1) : "cc");
 			#define Acc3WordsBy2(c, d, e)	asm ("addq %5, %0; adcxq %6, %1; adcxq %7, %2;" : "+r"(c), "=&r"(e##0), "=&r"(e##1) : "1"(d##0), "2"(d##1), "r"(e##0), "r"(e##1), "r"(W64LIT(0)) : "cc");
 		#else
 			#define MultiplyWordsLoHi(p0, p1, a, b)		asm ("mulq %3" : "=a"(p0), "=d"(p1) : "a"(a), "g"(b) : "cc");
 			#define MulAcc(c, d, a, b)		asm ("mulq %6; addq %3, %0; adcq %4, %1; adcq $0, %2;" : "+r"(c), "+r"(d##0), "+r"(d##1), "=a"(p0), "=d"(p1) : "a"(a), "g"(b) : "cc");
@ -3537,9 +3551,9 @@ class KDF2_RNG : public RandomNumberGenerator
 {
 public:
 	KDF2_RNG(const byte *seed, size_t seedSize)
-		: m_counter(0), m_counterAndSeed(seedSize + 4)
+		: m_counter(0), m_counterAndSeed(ClampSize(seedSize) + 4)
 	{
-		memcpy(m_counterAndSeed + 4, seed, seedSize);
+		memcpy(m_counterAndSeed + 4, seed, ClampSize(seedSize));
 	}
 	void GenerateBlock(byte *output, size_t size)
@ -3550,6 +3564,15 @@ public:
 		P1363_KDF2<SHA1>::DeriveKey(output, size, m_counterAndSeed, m_counterAndSeed.size(), NULLPTR, 0);
 	}
 	// UBsan finding, -Wstringop-overflow
 	inline size_t ClampSize(size_t req) const
 	{
 		// Clamp at 16 MB
 		if (req > 16U*1024*1024)
 			return 16U*1024*1024;
 		return req;
 	}
 private:
 	word32 m_counter;
 	SecByteBlock m_counterAndSeed;
--- a/integer.h
+++ b/integer.h
@ -306,13 +306,16 @@ public:
 		signed long ConvertToLong() const;
 		/// \brief Determines the number of bits required to represent the Integer
-		/// \returns number of significant bits = floor(log2(abs(*this))) + 1
+		/// \returns number of significant bits
 		/// \details BitCount is calculated as <tt>floor(log2(abs(*this))) + 1</tt>.
 		unsigned int BitCount() const;
 		/// \brief Determines the number of bytes required to represent the Integer
-		/// \returns number of significant bytes = ceiling(BitCount()/8)
+		/// \returns number of significant bytes
 		/// \details ByteCount is calculated as <tt>ceiling(BitCount()/8)</tt>.
 		unsigned int ByteCount() const;
 		/// \brief Determines the number of words required to represent the Integer
-		/// \returns number of significant words = ceiling(ByteCount()/sizeof(word))
+		/// \returns number of significant words
 		/// \details WordCount is calculated as <tt>ceiling(ByteCount()/sizeof(word))</tt>.
 		unsigned int WordCount() const;
 		/// \brief Provides the i-th bit of the Integer
@ -354,29 +357,48 @@ public:
 	/// \name MANIPULATORS
 	//@{
 		/// \brief Assignment
 		/// \param t the other Integer
 		/// \returns the result of assignment
 		Integer&  operator=(const Integer& t);
 		/// \brief Addition Assignment
 		/// \param t the other Integer
 		/// \returns the result of <tt>*this + t</tt>
 		Integer&  operator+=(const Integer& t);
 		/// \brief Subtraction Assignment
 		/// \param t the other Integer
 		/// \returns the result of <tt>*this - t</tt>
 		Integer&  operator-=(const Integer& t);
 		/// \brief Multiplication Assignment
 		/// \param t the other Integer
 		/// \returns the result of <tt>*this * t</tt>
 		/// \sa a_times_b_mod_c() and a_exp_b_mod_c()
 		Integer&  operator*=(const Integer& t)	{return *this = Times(t);}
 		/// \brief Division Assignment
 		/// \param t the other Integer
 		/// \returns the result of <tt>*this / t</tt>
 		Integer&  operator/=(const Integer& t)	{return *this = DividedBy(t);}
 		/// \brief Remainder Assignment
 		/// \param t the other Integer
 		/// \returns the result of <tt>*this % t</tt>
 		/// \sa a_times_b_mod_c() and a_exp_b_mod_c()
 		Integer&  operator%=(const Integer& t)	{return *this = Modulo(t);}
 		/// \brief Division Assignment
 		/// \param t the other word
 		/// \returns the result of <tt>*this / t</tt>
 		Integer&  operator/=(word t)  {return *this = DividedBy(t);}
 		/// \brief Remainder Assignment
 		/// \param t the other word
 		/// \returns the result of <tt>*this % t</tt>
 		/// \sa a_times_b_mod_c() and a_exp_b_mod_c()
 		Integer&  operator%=(word t)  {return *this = Integer(POSITIVE, 0, Modulo(t));}
 		/// \brief Left-shift Assignment
 		/// \param n number of bits to shift
 		/// \returns reference to this Integer
 		Integer&  operator<<=(size_t n);
 		/// \brief Right-shift Assignment
 		/// \param n number of bits to shift
 		/// \returns reference to this Integer
 		Integer&  operator>>=(size_t n);
 		/// \brief Bitwise AND Assignment
--- a/keccak.h
+++ b/keccak.h
@ -94,8 +94,6 @@ private:
 #if !defined(__BORLANDC__)
    // ensure there was no underflow in the math
    CRYPTOPP_COMPILE_ASSERT(BLOCKSIZE < 200);
    // this is a general expectation by HMAC
    CRYPTOPP_COMPILE_ASSERT((int)BLOCKSIZE > (int)DIGESTSIZE);
 #endif
 };
--- a/keccak_simd.cpp
+++ b/keccak_simd.cpp
@ -12,8 +12,8 @@
 // KeccakF1600x2_SSE is ParallelHash128. The SSE2 ParallelHash128
 // implementation was extracted from XKCP using the following command.
 //
-// gcc -I lib/common -I lib/low/KeccakP-1600/Optimized \
+// gcc -I lib/common -I lib/low/KeccakP-1600/Optimized
-//   -I lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull \
+//   -I lib/low/KeccakP-1600-times2/SIMD128/SSE2ufull
 //   lib/low/KeccakP-1600-times2/SIMD128/KeccakP-1600-times2-SIMD128.c -E
 #include "pch.h"
@ -23,7 +23,14 @@
 #if (CRYPTOPP_SSSE3_AVAILABLE)
 # include <emmintrin.h>
-# include <immintrin.h>
+# include <tmmintrin.h>
 #endif
 #if defined(__XOP__)
 # include <ammintrin.h>
 # if defined(__GNUC__)
 #  include <x86intrin.h>
 # endif
 #endif
 // Squash MS LNK4221 and libtool warnings
@ -39,16 +46,17 @@ extern void KeccakF1600x2_SSE(word64 *state);
 // The F1600 round constants
 extern const word64 KeccakF1600Constants[24];
-const word64 rho8[2] = {0x0605040302010007, 0x0E0D0C0B0A09080F};
+CRYPTOPP_ALIGN_DATA(16)
-const word64 rho56[2] = {0x0007060504030201, 0x080F0E0D0C0B0A09};
+const word64
 rho8[2] = {W64LIT(0x0605040302010007), W64LIT(0x0E0D0C0B0A09080F)};
-#define V128 __m128i
+CRYPTOPP_ALIGN_DATA(16)
-#define CV128 const __m128i
+const word64
 rho56[2] = {W64LIT(0x0007060504030201), W64LIT(0x080F0E0D0C0B0A09)};
-#define CONST128(a)         _mm_load_si128((CV128 *)&(a))
+// Clang intrinsic casts, http://bugs.llvm.org/show_bug.cgi?id=20670
-#define XOREQ128(a, b)      a = _mm_xor_si128((a), (b))
+#define M128_CAST(x) ((__m128i *)(void *)(x))
-#define UNPACKL(a, b)       _mm_unpacklo_epi64((a), (b))
+#define CONST_M128_CAST(x) ((const __m128i *)(const void *)(x))
 #define UNPACKH(a, b)       _mm_unpackhi_epi64((a), (b))
 #if defined(__XOP__)
 # define ROL64in128(a, o)    _mm_roti_epi64((a), (o))
@ -56,8 +64,8 @@ const word64 rho56[2] = {0x0007060504030201, 0x080F0E0D0C0B0A09};
 # define ROL64in128_56(a)    ROL64in128((a), 56)
 #else
 # define ROL64in128(a, o)    _mm_or_si128(_mm_slli_epi64((a), (o)), _mm_srli_epi64(a, 64-(o)))
-# define ROL64in128_8(a)     _mm_shuffle_epi8((a), CONST128(rho8))
+# define ROL64in128_8(a)     _mm_shuffle_epi8((a), _mm_load_si128(CONST_M128_CAST(rho8)))
-# define ROL64in128_56(a)    _mm_shuffle_epi8((a), CONST128(rho56))
+# define ROL64in128_56(a)    _mm_shuffle_epi8((a), _mm_load_si128(CONST_M128_CAST(rho56)))
 #endif
 // Damn Visual Studio is missing too many intrinsics...
@ -74,51 +82,50 @@ inline __m128i SPLAT64(const word64 a)
 // The Keccak ParallelHash128 core function
 void KeccakF1600x2_SSE(word64 *state)
 {
-    V128 *statesAsLanes = (V128 *)state;
+    __m128i Aba, Abe, Abi, Abo, Abu;
    __m128i Aga, Age, Agi, Ago, Agu;
    __m128i Aka, Ake, Aki, Ako, Aku;
    __m128i Ama, Ame, Ami, Amo, Amu;
    __m128i Asa, Ase, Asi, Aso, Asu;
    __m128i Bba, Bbe, Bbi, Bbo, Bbu;
    __m128i Bga, Bge, Bgi, Bgo, Bgu;
    __m128i Bka, Bke, Bki, Bko, Bku;
    __m128i Bma, Bme, Bmi, Bmo, Bmu;
    __m128i Bsa, Bse, Bsi, Bso, Bsu;
    __m128i Ca, Ce, Ci, Co, Cu;
    __m128i Da, De, Di, Do, Du;
    __m128i Eba, Ebe, Ebi, Ebo, Ebu;
    __m128i Ega, Ege, Egi, Ego, Egu;
    __m128i Eka, Eke, Eki, Eko, Eku;
    __m128i Ema, Eme, Emi, Emo, Emu;
    __m128i Esa, Ese, Esi, Eso, Esu;
-    V128 Aba, Abe, Abi, Abo, Abu;
+    __m128i* lanes = reinterpret_cast<__m128i*>(state);
-    V128 Aga, Age, Agi, Ago, Agu;
+    Aba = _mm_loadu_si128(CONST_M128_CAST(lanes+ 0));
-    V128 Aka, Ake, Aki, Ako, Aku;
+    Abe = _mm_loadu_si128(CONST_M128_CAST(lanes+ 1));
-    V128 Ama, Ame, Ami, Amo, Amu;
+    Abi = _mm_loadu_si128(CONST_M128_CAST(lanes+ 2));
-    V128 Asa, Ase, Asi, Aso, Asu;
+    Abo = _mm_loadu_si128(CONST_M128_CAST(lanes+ 3));
-    V128 Bba, Bbe, Bbi, Bbo, Bbu;
+    Abu = _mm_loadu_si128(CONST_M128_CAST(lanes+ 4));
-    V128 Bga, Bge, Bgi, Bgo, Bgu;
+    Aga = _mm_loadu_si128(CONST_M128_CAST(lanes+ 5));
-    V128 Bka, Bke, Bki, Bko, Bku;
+    Age = _mm_loadu_si128(CONST_M128_CAST(lanes+ 6));
-    V128 Bma, Bme, Bmi, Bmo, Bmu;
+    Agi = _mm_loadu_si128(CONST_M128_CAST(lanes+ 7));
-    V128 Bsa, Bse, Bsi, Bso, Bsu;
+    Ago = _mm_loadu_si128(CONST_M128_CAST(lanes+ 8));
-    V128 Ca, Ce, Ci, Co, Cu;
+    Agu = _mm_loadu_si128(CONST_M128_CAST(lanes+ 9));
-    V128 Da, De, Di, Do, Du;
+    Aka = _mm_loadu_si128(CONST_M128_CAST(lanes+10));
-    V128 Eba, Ebe, Ebi, Ebo, Ebu;
+    Ake = _mm_loadu_si128(CONST_M128_CAST(lanes+11));
-    V128 Ega, Ege, Egi, Ego, Egu;
+    Aki = _mm_loadu_si128(CONST_M128_CAST(lanes+12));
-    V128 Eka, Eke, Eki, Eko, Eku;
+    Ako = _mm_loadu_si128(CONST_M128_CAST(lanes+13));
-    V128 Ema, Eme, Emi, Emo, Emu;
+    Aku = _mm_loadu_si128(CONST_M128_CAST(lanes+14));
-    V128 Esa, Ese, Esi, Eso, Esu;
+    Ama = _mm_loadu_si128(CONST_M128_CAST(lanes+15));
-
+    Ame = _mm_loadu_si128(CONST_M128_CAST(lanes+16));
-    Aba = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 0]));
+    Ami = _mm_loadu_si128(CONST_M128_CAST(lanes+17));
-    Abe = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 1]));
+    Amo = _mm_loadu_si128(CONST_M128_CAST(lanes+18));
-    Abi = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 2]));
+    Amu = _mm_loadu_si128(CONST_M128_CAST(lanes+19));
-    Abo = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 3]));
+    Asa = _mm_loadu_si128(CONST_M128_CAST(lanes+20));
-    Abu = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 4]));
+    Ase = _mm_loadu_si128(CONST_M128_CAST(lanes+21));
-    Aga = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 5]));
+    Asi = _mm_loadu_si128(CONST_M128_CAST(lanes+22));
-    Age = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 6]));
+    Aso = _mm_loadu_si128(CONST_M128_CAST(lanes+23));
-    Agi = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 7]));
+    Asu = _mm_loadu_si128(CONST_M128_CAST(lanes+24));
    Ago = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 8]));
    Agu = _mm_loadu_si128((CV128 *)&(statesAsLanes[ 9]));
    Aka = _mm_loadu_si128((CV128 *)&(statesAsLanes[10]));
    Ake = _mm_loadu_si128((CV128 *)&(statesAsLanes[11]));
    Aki = _mm_loadu_si128((CV128 *)&(statesAsLanes[12]));
    Ako = _mm_loadu_si128((CV128 *)&(statesAsLanes[13]));
    Aku = _mm_loadu_si128((CV128 *)&(statesAsLanes[14]));
    Ama = _mm_loadu_si128((CV128 *)&(statesAsLanes[15]));
    Ame = _mm_loadu_si128((CV128 *)&(statesAsLanes[16]));
    Ami = _mm_loadu_si128((CV128 *)&(statesAsLanes[17]));
    Amo = _mm_loadu_si128((CV128 *)&(statesAsLanes[18]));
    Amu = _mm_loadu_si128((CV128 *)&(statesAsLanes[19]));
    Asa = _mm_loadu_si128((CV128 *)&(statesAsLanes[20]));
    Ase = _mm_loadu_si128((CV128 *)&(statesAsLanes[21]));
    Asi = _mm_loadu_si128((CV128 *)&(statesAsLanes[22]));
    Aso = _mm_loadu_si128((CV128 *)&(statesAsLanes[23]));
    Asu = _mm_loadu_si128((CV128 *)&(statesAsLanes[24]));
    Ca = _mm_xor_si128(Aba, _mm_xor_si128(Aga, _mm_xor_si128(Aka, _mm_xor_si128(Ama, Asa))));
    Ce = _mm_xor_si128(Abe, _mm_xor_si128(Age, _mm_xor_si128(Ake, _mm_xor_si128(Ame, Ase))));
@ -2646,31 +2653,31 @@ void KeccakF1600x2_SSE(word64 *state)
    Aso = _mm_xor_si128(Bso, _mm_andnot_si128(Bsu, Bsa));
    Asu = _mm_xor_si128(Bsu, _mm_andnot_si128(Bsa, Bse));
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 0]), Aba);
+    _mm_storeu_si128(M128_CAST(lanes+ 0), Aba);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 1]), Abe);
+    _mm_storeu_si128(M128_CAST(lanes+ 1), Abe);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 2]), Abi);
+    _mm_storeu_si128(M128_CAST(lanes+ 2), Abi);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 3]), Abo);
+    _mm_storeu_si128(M128_CAST(lanes+ 3), Abo);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 4]), Abu);
+    _mm_storeu_si128(M128_CAST(lanes+ 4), Abu);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 5]), Aga);
+    _mm_storeu_si128(M128_CAST(lanes+ 5), Aga);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 6]), Age);
+    _mm_storeu_si128(M128_CAST(lanes+ 6), Age);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 7]), Agi);
+    _mm_storeu_si128(M128_CAST(lanes+ 7), Agi);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 8]), Ago);
+    _mm_storeu_si128(M128_CAST(lanes+ 8), Ago);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[ 9]), Agu);
+    _mm_storeu_si128(M128_CAST(lanes+ 9), Agu);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[10]), Aka);
+    _mm_storeu_si128(M128_CAST(lanes+10), Aka);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[11]), Ake);
+    _mm_storeu_si128(M128_CAST(lanes+11), Ake);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[12]), Aki);
+    _mm_storeu_si128(M128_CAST(lanes+12), Aki);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[13]), Ako);
+    _mm_storeu_si128(M128_CAST(lanes+13), Ako);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[14]), Aku);
+    _mm_storeu_si128(M128_CAST(lanes+14), Aku);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[15]), Ama);
+    _mm_storeu_si128(M128_CAST(lanes+15), Ama);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[16]), Ame);
+    _mm_storeu_si128(M128_CAST(lanes+16), Ame);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[17]), Ami);
+    _mm_storeu_si128(M128_CAST(lanes+17), Ami);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[18]), Amo);
+    _mm_storeu_si128(M128_CAST(lanes+18), Amo);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[19]), Amu);
+    _mm_storeu_si128(M128_CAST(lanes+19), Amu);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[20]), Asa);
+    _mm_storeu_si128(M128_CAST(lanes+20), Asa);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[21]), Ase);
+    _mm_storeu_si128(M128_CAST(lanes+21), Ase);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[22]), Asi);
+    _mm_storeu_si128(M128_CAST(lanes+22), Asi);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[23]), Aso);
+    _mm_storeu_si128(M128_CAST(lanes+23), Aso);
-    _mm_storeu_si128((V128 *)&(statesAsLanes[24]), Asu);
+    _mm_storeu_si128(M128_CAST(lanes+24), Asu);
 }
 #endif
--- a/lea.h
+++ b/lea.h
@ -82,7 +82,7 @@ public:
 #endif
    };
-    /// \brief Encryption transformation
+    /// \brief Decryption transformation
    /// \details Dec provides implementation for decryption transformation. All key and block
    ///   sizes are supported.
    /// \since Crypto++ 8.0
--- a/lea_simd.cpp
+++ b/lea_simd.cpp
@ -24,6 +24,9 @@
 #if defined(__XOP__)
 # include <ammintrin.h>
 # if defined(__GNUC__)
 #  include <x86intrin.h>
 # endif
 #endif
 #if defined(__AVX512F__)
--- a/misc.cpp
+++ b/misc.cpp
@ -101,12 +101,12 @@ bool VerifyBufsEqual(const byte *buf, const byte *mask, size_t count)
 {
 	CRYPTOPP_ASSERT(buf != NULLPTR);
 	CRYPTOPP_ASSERT(mask != NULLPTR);
-	CRYPTOPP_ASSERT(count > 0);
+	// CRYPTOPP_ASSERT(count > 0);
 	size_t i=0;
 	byte acc8 = 0;
-	if (IsAligned<word32>(buf) && IsAligned<word32>(mask))
+	if (IsAligned<word32>(buf) && IsAligned<word32>(mask) && count)
 	{
 		word32 acc32 = 0;
 		if (!CRYPTOPP_BOOL_SLOW_WORD64 && IsAligned<word64>(buf) && IsAligned<word64>(mask))
--- a/misc.h
+++ b/misc.h
@ -62,36 +62,66 @@
 #include <stdlib.h>
 #endif
-#if defined(__GNUC__) && defined(__linux__)
+#if (defined(__GNUC__) || defined(__clang__)) && defined(__linux__)
-#define CRYPTOPP_BYTESWAP_AVAILABLE
+#define CRYPTOPP_BYTESWAP_AVAILABLE 1
 #include <byteswap.h>
 #endif
 // Limit to ARM A-32. Aarch64 is failing self tests.
 #if defined(__arm__) && (defined(__GNUC__) || defined(__clang__)) && (__ARM_ARCH >= 6)
 #define CRYPTOPP_ARM_BYTEREV_AVAILABLE 1
 #endif
 // Limit to ARM A-32. Aarch64 is failing self tests.
 #if defined(__arm__) && (defined(__GNUC__) || defined(__clang__)) && (__ARM_ARCH >= 7)
 #define CRYPTOPP_ARM_BITREV_AVAILABLE 1
 #endif
 #if defined(__BMI__)
 # include <x86intrin.h>
 # include <immintrin.h>
 #endif  // GCC and BMI
 // More LLVM bullshit. Apple Clang 6.0 does not define them.
 // Later version of Clang defines them and results in warnings.
 #if defined(__clang__)
 # ifndef _blsr_u32
 #  define _blsr_u32 __blsr_u32
 # endif
 # ifndef _blsr_u64
 #  define _blsr_u64 __blsr_u64
 # endif
 # ifndef _tzcnt_u32
 #  define _tzcnt_u32 __tzcnt_u32
 # endif
 # ifndef _tzcnt_u64
 #  define _tzcnt_u64 __tzcnt_u64
 # endif
 #endif
 #endif  // CRYPTOPP_DOXYGEN_PROCESSING
 #if CRYPTOPP_DOXYGEN_PROCESSING
 /// \brief The maximum value of a machine word
-/// \details SIZE_MAX provides the maximum value of a machine word. The value is
+/// \details <tt>SIZE_MAX</tt> provides the maximum value of a machine word. The value
-///   0xffffffff on 32-bit machines, and 0xffffffffffffffff on 64-bit machines.
+///  is <tt>0xffffffff</tt> on 32-bit targets, and <tt>0xffffffffffffffff</tt> on 64-bit
-/// Internally, SIZE_MAX is defined as __SIZE_MAX__ if __SIZE_MAX__ is defined. If not
+///  targets.
-///   defined, then SIZE_T_MAX is tried. If neither __SIZE_MAX__ nor SIZE_T_MAX is
+/// \details If <tt>SIZE_MAX</tt> is not defined, then <tt>__SIZE_MAX__</tt> is used if
-///   is defined, the library uses std::numeric_limits<size_t>::max(). The library
+///  defined. If not defined, then <tt>SIZE_T_MAX</tt> is used if defined. If not defined,
-///   prefers __SIZE_MAX__ because its a constexpr that is optimized well
+///  then the library uses <tt>std::numeric_limits<size_t>::max()</tt>.
-///   by all compilers. std::numeric_limits<size_t>::max() is not a constexpr,
+/// \details The library prefers <tt>__SIZE_MAX__</tt> or <tt>__SIZE_T_MAX__</tt> because
-///   and it is not always optimized well.
+///  they are effectively <tt>constexpr</tt> that is optimized well by all compilers.
 ///  <tt>std::numeric_limits<size_t>::max()</tt> is not always a <tt>constexpr</tt>, and
 ///  it is not always optimized well.
 #  define SIZE_MAX ...
 #else
 // Its amazing portability problems still plague this simple concept in 2015.
 // http://stackoverflow.com/questions/30472731/which-c-standard-header-defines-size-max
 // Avoid NOMINMAX macro on Windows. http://support.microsoft.com/en-us/kb/143208
 #ifndef SIZE_MAX
-# if defined(__SIZE_MAX__) && (__SIZE_MAX__ > 0)
+# if defined(__SIZE_MAX__)
 #  define SIZE_MAX __SIZE_MAX__
-# elif defined(SIZE_T_MAX) && (SIZE_T_MAX > 0)
+# elif defined(SIZE_T_MAX)
 #  define SIZE_MAX SIZE_T_MAX
 # elif defined(__SIZE_TYPE__)
 #  define SIZE_MAX (~(__SIZE_TYPE__)0)
@ -112,8 +142,13 @@ class Integer;
 #if CRYPTOPP_DOXYGEN_PROCESSING
 /// \brief Compile time assertion
 /// \param expr the expression to evaluate
-/// \details Asserts the expression expr though a dummy struct.
+/// \details Asserts the expression <tt>expr</tt> during compile. If C++14 and
 ///  N3928 are available, then C++14 <tt>static_assert</tt> is used. Otherwise,
 ///  a <tt>CompileAssert</tt> structure is used. When the structure is used
 ///  a negative-sized array triggers the assert at compile time.
 # define CRYPTOPP_COMPILE_ASSERT(expr) { ... }
 #elif defined(CRYPTOPP_CXX14_STATIC_ASSERT)
 # define CRYPTOPP_COMPILE_ASSERT(expr) static_assert(expr)
 #else // CRYPTOPP_DOXYGEN_PROCESSING
 template <bool b>
 struct CompileAssert
@ -122,10 +157,13 @@ struct CompileAssert
 };
 #define CRYPTOPP_COMPILE_ASSERT(assertion) CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__)
 #define CRYPTOPP_ASSERT_JOIN(X, Y) CRYPTOPP_DO_ASSERT_JOIN(X, Y)
 #define CRYPTOPP_DO_ASSERT_JOIN(X, Y) X##Y
 #if defined(CRYPTOPP_EXPORTS) || defined(CRYPTOPP_IMPORTS)
 # define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance)
 #else
-# if defined(__GNUC__)
+# if defined(__GNUC__) || defined(__clang__)
 #  define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance) \
       static CompileAssert<(assertion)> \
       CRYPTOPP_ASSERT_JOIN(cryptopp_CRYPTOPP_ASSERT_, instance) __attribute__ ((unused))
@ -133,10 +171,8 @@ struct CompileAssert
 #  define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance) \
       static CompileAssert<(assertion)> \
       CRYPTOPP_ASSERT_JOIN(cryptopp_CRYPTOPP_ASSERT_, instance)
-# endif // __GNUC__
+# endif // GCC or Clang
 #endif
 #define CRYPTOPP_ASSERT_JOIN(X, Y) CRYPTOPP_DO_ASSERT_JOIN(X, Y)
 #define CRYPTOPP_DO_ASSERT_JOIN(X, Y) X##Y
 #endif // CRYPTOPP_DOXYGEN_PROCESSING
@ -194,16 +230,21 @@ protected:
 /// \brief Ensures an object is not copyable
 /// \details NotCopyable ensures an object is not copyable by making the
-///   copy constructor and assignment operator private. Deleters are not
+///   copy constructor and assignment operator private. Deleters are used
-///   used under C++11.
+///   under C++11.
 /// \sa Clonable class
 class NotCopyable
 {
 public:
 	NotCopyable() {}
 #if CRYPTOPP_CXX11_DELETED_FUNCTIONS
 	NotCopyable(const NotCopyable &) = delete;
 	void operator=(const NotCopyable &) = delete;
 #else
 private:
 	NotCopyable(const NotCopyable &);
 	void operator=(const NotCopyable &);
 #endif
 };
 /// \brief An object factory function
@ -388,6 +429,38 @@ inline size_t PtrByteDiff(const PTR pointer1, const PTR pointer2)
 	return (size_t)(reinterpret_cast<uintptr_t>(pointer1) - reinterpret_cast<uintptr_t>(pointer2));
 }
 /// \brief Pointer to the first element of a string
 /// \param str std::string
 /// \details BytePtr returns NULL pointer for an empty string.
 /// \return Pointer to the first element of a string
 inline byte* BytePtr(std::string& str)
 {
 	// Caller wants a writeable pointer
 	CRYPTOPP_ASSERT(str.empty() == false);
 	if (str.empty())
 		return NULLPTR;
 	return reinterpret_cast<byte*>(&str[0]);
 }
 /// \brief Const pointer to the first element of a string
 /// \param str std::string
 /// \details ConstBytePtr returns non-NULL pointer for an empty string.
 /// \return Pointer to the first element of a string
 inline const byte* ConstBytePtr(const std::string& str)
 {
 	// Use c_str() so a pointer is always available
 	return reinterpret_cast<const byte*>(str.c_str());
 }
 /// \brief Size of a string
 /// \param str std::string
 /// \return size of a string
 inline size_t BytePtrSize(const std::string& str)
 {
 	return str.size();
 }
 #if (!__STDC_WANT_SECURE_LIB__ && !defined(_MEMORY_S_DEFINED)) || defined(CRYPTOPP_WANT_SECURE_LIB)
 /// \brief Bounds checking replacement for memcpy()
@ -871,11 +944,12 @@ CRYPTOPP_DLL void CRYPTOPP_API xorbuf(byte *output, const byte *input, const byt
 /// \param buf1 the first buffer
 /// \param buf2 the second buffer
 /// \param count the size of the buffers, in bytes
-/// \details The function effectively performs an XOR of the elements in two equally sized
+/// \details VerifyBufsEqual performs an XOR of the elements in two equally sized
-///   buffers and retruns a result based on the XOR operation. The function is near
+///   buffers and retruns a result based on the XOR operation. A count of 0 returns
-///   constant-time because CPU micro-code timings could affect the "constant-ness".
+///   true because two empty buffers are considered equal.
-///   Calling code is responsible for mitigating timing attacks if the buffers are not
+/// \details The function is near constant-time because CPU micro-code timings could
-///   equally sized.
+///   affect the "constant-ness". Calling code is responsible for mitigating timing
 ///   attacks if the buffers are not equally sized.
 /// \sa ModPowerOf2
 CRYPTOPP_DLL bool CRYPTOPP_API VerifyBufsEqual(const byte *buf1, const byte *buf2, size_t count);
@ -1193,9 +1267,15 @@ CRYPTOPP_DLL void CRYPTOPP_API CallNewHandler();
 /// \note The function is not constant time because it stops processing when the carry is 0.
 inline void IncrementCounterByOne(byte *inout, unsigned int size)
 {
-	CRYPTOPP_ASSERT(inout != NULLPTR); CRYPTOPP_ASSERT(size < INT_MAX);
+	CRYPTOPP_ASSERT(inout != NULLPTR);
-	for (int i=int(size-1), carry=1; i>=0 && carry; i--)
+
-		carry = !++inout[i];
+	unsigned int carry=1;
 	while (carry && size != 0)
 	{
 		// On carry inout[n] equals 0
 		carry = ! ++inout[size-1];
 		size--;
 	}
 }
 /// \brief Performs an addition with carry on a block of bytes
@ -1207,12 +1287,22 @@ inline void IncrementCounterByOne(byte *inout, unsigned int size)
 /// \details The function is close to near-constant time because it operates on all the bytes in the blocks.
 inline void IncrementCounterByOne(byte *output, const byte *input, unsigned int size)
 {
-	CRYPTOPP_ASSERT(output != NULLPTR); CRYPTOPP_ASSERT(input != NULLPTR); CRYPTOPP_ASSERT(size < INT_MAX);
+	CRYPTOPP_ASSERT(output != NULLPTR);
 	CRYPTOPP_ASSERT(input != NULLPTR);
-	int i, carry;
+	unsigned int carry=1;
-	for (i=int(size-1), carry=1; i>=0 && carry; i--)
+	while (carry && size != 0)
-		carry = ((output[i] = input[i]+1) == 0);
+	{
-	memcpy_s(output, size, input, size_t(i)+1);
+		// On carry output[n] equals 0
 		carry = ! (output[size-1] = input[size-1] + 1);
 		size--;
 	}
 	while (size != 0)
 	{
 		output[size-1] = input[size-1];
 		size--;
 	}
 }
 /// \brief Performs a branchless swap of values a and b if condition c is true
@ -1936,7 +2026,8 @@ inline unsigned int GetByte(ByteOrder order, T value, unsigned int index)
 /// \brief Reverses bytes in a 8-bit value
 /// \param value the 8-bit value to reverse
-/// \note ByteReverse returns the value passed to it since there is nothing to reverse
+/// \note ByteReverse returns the value passed to it since there is nothing to
 ///  reverse.
 inline byte ByteReverse(byte value)
 {
 	return value;
@ -1944,7 +2035,8 @@ inline byte ByteReverse(byte value)
 /// \brief Reverses bytes in a 16-bit value
 /// \param value the 16-bit value to reverse
-/// \details ByteReverse calls bswap if available. Otherwise the function performs a 8-bit rotate on the word16
+/// \details ByteReverse calls bswap if available. Otherwise the function
 ///  performs a 8-bit rotate on the word16.
 inline word16 ByteReverse(word16 value)
 {
 #if defined(CRYPTOPP_BYTESWAP_AVAILABLE)
@ -1958,14 +2050,19 @@ inline word16 ByteReverse(word16 value)
 /// \brief Reverses bytes in a 32-bit value
 /// \param value the 32-bit value to reverse
-/// \details ByteReverse calls bswap if available. Otherwise the function uses a combination of rotates on the word32
+/// \details ByteReverse calls bswap if available. Otherwise the function uses
 ///  a combination of rotates on the word32.
 inline word32 ByteReverse(word32 value)
 {
-#if defined(__GNUC__) && defined(CRYPTOPP_X86_ASM_AVAILABLE)
+#if defined(CRYPTOPP_BYTESWAP_AVAILABLE)
 	return bswap_32(value);
 #elif defined(CRYPTOPP_ARM_BYTEREV_AVAILABLE)
 	word32 rvalue;
 	__asm__ ("rev %0, %1" : "=r" (rvalue) : "r" (value));
 	return rvalue;
 #elif defined(__GNUC__) && defined(CRYPTOPP_X86_ASM_AVAILABLE)
 	__asm__ ("bswap %0" : "=r" (value) : "0" (value));
 	return value;
 #elif defined(CRYPTOPP_BYTESWAP_AVAILABLE)
 	return bswap_32(value);
 #elif defined(__MWERKS__) && TARGET_CPU_PPC
 	return (word32)__lwbrx(&value,0);
 #elif (_MSC_VER >= 1400) || (defined(_MSC_VER) && !defined(_DLL))
@ -1982,14 +2079,15 @@ inline word32 ByteReverse(word32 value)
 /// \brief Reverses bytes in a 64-bit value
 /// \param value the 64-bit value to reverse
-/// \details ByteReverse calls bswap if available. Otherwise the function uses a combination of rotates on the word64
+/// \details ByteReverse calls bswap if available. Otherwise the function uses
 ///  a combination of rotates on the word64.
 inline word64 ByteReverse(word64 value)
 {
-#if defined(__GNUC__) && defined(CRYPTOPP_X86_ASM_AVAILABLE) && defined(__x86_64__)
+#if defined(CRYPTOPP_BYTESWAP_AVAILABLE)
 	return bswap_64(value);
 #elif defined(__GNUC__) && defined(CRYPTOPP_X86_ASM_AVAILABLE) && defined(__x86_64__)
 	__asm__ ("bswap %0" : "=r" (value) : "0" (value));
 	return value;
 #elif defined(CRYPTOPP_BYTESWAP_AVAILABLE)
 	return bswap_64(value);
 #elif (_MSC_VER >= 1400) || (defined(_MSC_VER) && !defined(_DLL))
 	return _byteswap_uint64(value);
 #elif CRYPTOPP_BOOL_SLOW_WORD64
@ -2003,7 +2101,7 @@ inline word64 ByteReverse(word64 value)
 /// \brief Reverses bits in a 8-bit value
 /// \param value the 8-bit value to reverse
-/// \details BitReverse performs a combination of shifts on the byte
+/// \details BitReverse performs a combination of shifts on the byte.
 inline byte BitReverse(byte value)
 {
 	value = byte((value & 0xAA) >> 1) | byte((value & 0x55) << 1);
@ -2013,29 +2111,45 @@ inline byte BitReverse(byte value)
 /// \brief Reverses bits in a 16-bit value
 /// \param value the 16-bit value to reverse
-/// \details BitReverse performs a combination of shifts on the word16
+/// \details BitReverse performs a combination of shifts on the word16.
 inline word16 BitReverse(word16 value)
 {
 #if defined(CRYPTOPP_ARM_BITREV_AVAILABLE)
 	// 4 instructions on ARM.
 	word32 rvalue;
 	__asm__ ("rbit %0, %1" : "=r" (rvalue) : "r" (value));
 	return word16(rvalue >> 16);
 #else
 	// 15 instructions on ARM.
 	value = word16((value & 0xAAAA) >> 1) | word16((value & 0x5555) << 1);
 	value = word16((value & 0xCCCC) >> 2) | word16((value & 0x3333) << 2);
 	value = word16((value & 0xF0F0) >> 4) | word16((value & 0x0F0F) << 4);
 	return ByteReverse(value);
 #endif
 }
 /// \brief Reverses bits in a 32-bit value
 /// \param value the 32-bit value to reverse
-/// \details BitReverse performs a combination of shifts on the word32
+/// \details BitReverse performs a combination of shifts on the word32.
 inline word32 BitReverse(word32 value)
 {
 #if defined(CRYPTOPP_ARM_BITREV_AVAILABLE)
 	// 2 instructions on ARM.
 	word32 rvalue;
 	__asm__ ("rbit %0, %1" : "=r" (rvalue) : "r" (value));
 	return rvalue;
 #else
 	// 19 instructions on ARM.
 	value = word32((value & 0xAAAAAAAA) >> 1) | word32((value & 0x55555555) << 1);
 	value = word32((value & 0xCCCCCCCC) >> 2) | word32((value & 0x33333333) << 2);
 	value = word32((value & 0xF0F0F0F0) >> 4) | word32((value & 0x0F0F0F0F) << 4);
 	return ByteReverse(value);
 #endif
 }
 /// \brief Reverses bits in a 64-bit value
 /// \param value the 64-bit value to reverse
-/// \details BitReverse performs a combination of shifts on the word64
+/// \details BitReverse performs a combination of shifts on the word64.
 inline word64 BitReverse(word64 value)
 {
 #if CRYPTOPP_BOOL_SLOW_WORD64
@ -2063,9 +2177,11 @@ inline T BitReverse(T value)
 		return (T)BitReverse((word16)value);
 	else if (sizeof(T) == 4)
 		return (T)BitReverse((word32)value);
 	else if (sizeof(T) == 8)
 		return (T)BitReverse((word64)value);
 	else
 	{
-		CRYPTOPP_ASSERT(sizeof(T) == 8);
+		CRYPTOPP_ASSERT(0);
 		return (T)BitReverse((word64)value);
 	}
 }
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`3081C80201003081A406072A8648CE3D0201308198020101302006072A8648CE3D0101021500FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF302C0414FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC04141C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA450429044A96B5688EF573284664698968C38BB913CBFC8223A628553168947D59DCC912042351377AC5FB3202150100000000000000000001F4C8F927AED3CA752257020101041C301A02010104150023A68821ABB99DBB8429ED2320D61A8EA4C6D81B`
		`@ -0,0 +1 @@`
							`3081D10201003081AD06072A8648CE3D02013081A1020101302506072A8648CE3D0102301A020200A306092A8648CE3D010203033009020103020106020107302E041507B6882CAAEFA84F9554FF8428BD88E246D2782AE204150713612DCDDCB40AAB946BDA29CA91F73AF958AFD9042B040369979697AB43897789566789567F787A7876A65400435EDB42EFAFB2989D51FEFCE3C80988F41FF883021503FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B020102041C301A02010104150003693AB4D83EE8B544548BE7647AEA0EA64E8211`
		`@ -1 +1 @@`
			308201A40201003082011706072A8648CE3804013082010A028181008B333697371663F8869E3EC80A414E46BBAFE41F6D40E754A01ADA60FE7D12ACD16DE311C4115293114F6B92A54195909276380F04BCD4ED5CD993ED7F516DF7A752B928E5035E0D3A1A979A1CDE8387734338793C02001D59B662D4FC8F2BF0EABB1F553F9F46F57E74BCABCBA4E458812DB601FCD04609D435317181236B9702818045999B4B9B8B31FC434F1F640520A7235DD7F20FB6A073AA500D6D307F3E895668B6F188E208A94988A7B5C952A0CAC8493B1C07825E6A76AE6CC9F6BFA8B6FBD3A95C947281AF069D0D4BCD0E6F41C3B9A19C3C9E01000EACDB316A7E4795F8755D8FAA9FCFA37ABF3A5E55E5D2722C4096DB00FE682304EA1A98B8C091B5CB02010204818302818045999B4B9B8B31FC434F1F640520A7235DD7F20FB6A073AA500D6D307F3E895668B6F188E208A94988A7B5C952A0CAC8493B1C07825E6A76AE6CC9F6BFA8B6FBD3A95C947281AF069D0D4BCD0E6F41C3B9A19C3C9E01000EACDB316A7E4795F8755D8FAA9FCFA37ABF3A5E2958F40032EF29CB145C7481380458812D62F09287				308201360201003082011606062B0E070201013082010A02818100D18892CC35AD9E532C53810019E525CDE08882E6344D6787C366B171D68948F53D74F7923B148E0A0B4C9B956D695384DE24AC3034000B3C4AD4C8226470BBD88B5B053BCCB01E608B1352D6ED16324745253BDB204308E065368CB9D75ACDB290E671BD4CA1608500BFACD758E6E9EFAC8CCBAD83BE7E397A62E4F55634FC3B02818068C449661AD6CF299629C0800CF292E6F04441731A26B3C3E1B358B8EB44A47A9EBA7BC91D8A470505A64DCAB6B4A9C26F1256181A00059E256A641132385DEC45AD829DE6580F304589A96B768B1923A2929DED90218470329B465CEBAD66D9487338DEA650B042805FD66BAC7374F7D64665D6C1DF3F1CBD31727AAB1A7E1D0201030417021504ED7AED68B1A5EFDE11262210D9F1121D4A119CE8