I've been pondering if a more general function for the fast minting code might be as a fast partially-precomputed SHA1 library. There are places, eg HMAC-SHA1, which is used in IPSEC, SSL etc where they probably in addition to having a hardcoded key (which doesn't change between packets), and perhaps some hardcoded or more slowly changing set of bytes at the start of the MACced data. So I suppose this would be harder in the sense that the current code makes assumptions about being a hashcash minter. The "best" one could do I suppose would be to give the minter a bit-mask of bytes in the input set which are to be pre-computed, and have it output a sha1 context with as much of that precomputed as possible. Then another bitset would be stored in the state of the SHA1 with bytes still to be hashed, vs bytes yet to supplied. People would then copy that state, and continue that state with different follow on data to arrive at a final MAC output (or hash output in general, HMAC being just a double application of HMAC with some padding). Doing that full set sounds a bit hairy! As far as I know none of the other libraries attempt to do this. What people who are trying to be efficient do is just hash in the key part, and copy that state. So they are precomputing but only whole blocks. Anyway just musings. Adam