diff --git a/crypto/edhoc-crypto-cryptocell310-sys/src/lib.rs b/crypto/edhoc-crypto-cryptocell310-sys/src/lib.rs
index 9b09803c..460ea8fc 100644
--- a/crypto/edhoc-crypto-cryptocell310-sys/src/lib.rs
+++ b/crypto/edhoc-crypto-cryptocell310-sys/src/lib.rs
@@ -23,7 +23,7 @@ fn convert_array(input: &[u32]) -> [u8; SHA256_DIGEST_LEN] {
 pub struct Crypto;
 
 impl CryptoTrait for Crypto {
-    fn sha256_digest(message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen {
+    fn sha256_digest(&mut self, message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen {
         let mut buffer: [u32; 64 / 4] = [0x00; 64 / 4];
 
         unsafe {
@@ -39,6 +39,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn hkdf_expand(
+        &mut self,
         prk: &BytesHashLen,
         info: &BytesMaxInfoBuffer,
         info_len: usize,
@@ -63,7 +64,7 @@ impl CryptoTrait for Crypto {
         buffer
     }
 
-    fn hkdf_extract(salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen {
+    fn hkdf_extract(&mut self, salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen {
         // Implementation of HKDF-Extract as per RFC 5869
 
         // TODO generalize if salt is not provided
@@ -73,6 +74,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn aes_ccm_encrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
@@ -110,6 +112,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn aes_ccm_decrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
@@ -148,6 +151,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn p256_ecdh(
+        &mut self,
         private_key: &BytesP256ElemLen,
         public_key: &BytesP256ElemLen,
     ) -> BytesP256ElemLen {
@@ -200,7 +204,7 @@ impl CryptoTrait for Crypto {
         output
     }
 
-    fn get_random_byte() -> u8 {
+    fn get_random_byte(&mut self) -> u8 {
         let mut rnd_context = CRYS_RND_State_t::default();
         let mut rnd_work_buffer = CRYS_RND_WorkBuff_t::default();
         unsafe {
@@ -221,7 +225,7 @@ impl CryptoTrait for Crypto {
         buffer[0]
     }
 
-    fn p256_generate_key_pair() -> (BytesP256ElemLen, BytesP256ElemLen) {
+    fn p256_generate_key_pair(&mut self) -> (BytesP256ElemLen, BytesP256ElemLen) {
         let mut rnd_context = CRYS_RND_State_t::default();
         let mut rnd_work_buffer = CRYS_RND_WorkBuff_t::default();
         unsafe {
diff --git a/crypto/edhoc-crypto-hacspec/src/lib.rs b/crypto/edhoc-crypto-hacspec/src/lib.rs
index f35b9372..a7a46ea9 100644
--- a/crypto/edhoc-crypto-hacspec/src/lib.rs
+++ b/crypto/edhoc-crypto-hacspec/src/lib.rs
@@ -75,7 +75,7 @@ type BufferPlaintext3Hacspec = EdhocMessageBufferHacspec;
 pub struct Crypto;
 
 impl CryptoTrait for Crypto {
-    fn sha256_digest(message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen {
+    fn sha256_digest(&mut self, message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen {
         let message: BytesMaxBufferHacspec = BytesMaxBufferHacspec::from_public_slice(message);
 
         let output =
@@ -85,6 +85,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn hkdf_expand(
+        &mut self,
         prk: &BytesHashLen,
         info: &BytesMaxInfoBuffer,
         info_len: usize,
@@ -107,7 +108,7 @@ impl CryptoTrait for Crypto {
         output.to_public_array()
     }
 
-    fn hkdf_extract(salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen {
+    fn hkdf_extract(&mut self, salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen {
         let output = BytesHashLenHacspec::from_seq(&extract(
             &ByteSeq::from_slice(&BytesHashLenHacspec::from_public_slice(salt), 0, salt.len()),
             &ByteSeq::from_slice(
@@ -120,6 +121,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn aes_ccm_encrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
@@ -143,6 +145,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn aes_ccm_decrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
@@ -168,6 +171,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn p256_ecdh(
+        &mut self,
         private_key: &BytesP256ElemLen,
         public_key: &BytesP256ElemLen,
     ) -> BytesP256ElemLen {
@@ -189,12 +193,12 @@ impl CryptoTrait for Crypto {
     }
 
     #[cfg(not(feature = "hacspec-pure"))]
-    fn get_random_byte() -> u8 {
+    fn get_random_byte(&mut self) -> u8 {
         rand::thread_rng().gen::<u8>()
     }
 
     #[cfg(not(feature = "hacspec-pure"))]
-    fn p256_generate_key_pair() -> (BytesP256ElemLen, BytesP256ElemLen) {
+    fn p256_generate_key_pair(&mut self) -> (BytesP256ElemLen, BytesP256ElemLen) {
         // generate a private key
         let mut private_key = BytesP256ElemLenHacspec::new();
         loop {
@@ -221,14 +225,14 @@ mod tests {
 
     #[test]
     fn test_p256_keys() {
-        let (x, g_x) = Crypto::p256_generate_key_pair();
+        let (x, g_x) = Crypto.p256_generate_key_pair();
         assert_eq!(x.len(), 32);
         assert_eq!(g_x.len(), 32);
 
-        let (y, g_y) = p256_generate_key_pair();
+        let (y, g_y) = Crypto.p256_generate_key_pair();
 
-        let g_xy = p256_ecdh(&x, &g_y);
-        let g_yx = p256_ecdh(&y, &g_x);
+        let g_xy = Crypto.p256_ecdh(&x, &g_y);
+        let g_yx = Crypto.p256_ecdh(&y, &g_x);
 
         assert_eq!(g_xy, g_yx);
     }
diff --git a/crypto/edhoc-crypto-psa/src/lib.rs b/crypto/edhoc-crypto-psa/src/lib.rs
index 2c54d925..a8ed7cb6 100644
--- a/crypto/edhoc-crypto-psa/src/lib.rs
+++ b/crypto/edhoc-crypto-psa/src/lib.rs
@@ -25,7 +25,7 @@ pub extern "C" fn mbedtls_hardware_poll(
 pub struct Crypto;
 
 impl CryptoTrait for Crypto {
-    fn sha256_digest(message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen {
+    fn sha256_digest(&mut self, message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen {
         let hash_alg = Hash::Sha256;
         let mut hash: [u8; SHA256_DIGEST_LEN] = [0; SHA256_DIGEST_LEN];
         psa_crypto::init().unwrap();
@@ -37,6 +37,7 @@ impl CryptoTrait for Crypto {
     // FIXME: Together with hkdf_extract, and the hmac_sha256 helper, this could be a provided
     // function.
     fn hkdf_expand(
+        &mut self,
         prk: &BytesHashLen,
         info: &BytesMaxInfoBuffer,
         info_len: usize,
@@ -76,7 +77,7 @@ impl CryptoTrait for Crypto {
         output
     }
 
-    fn hkdf_extract(salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen {
+    fn hkdf_extract(&mut self, salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen {
         // Implementation of HKDF-Extract as per RFC 5869
 
         // TODO generalize if salt is not provided
@@ -86,6 +87,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn aes_ccm_encrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
@@ -127,6 +129,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn aes_ccm_decrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
@@ -170,6 +173,7 @@ impl CryptoTrait for Crypto {
     }
 
     fn p256_ecdh(
+        &mut self,
         private_key: &BytesP256ElemLen,
         public_key: &BytesP256ElemLen,
     ) -> BytesP256ElemLen {
@@ -202,14 +206,14 @@ impl CryptoTrait for Crypto {
         output_buffer
     }
 
-    fn get_random_byte() -> u8 {
+    fn get_random_byte(&mut self) -> u8 {
         psa_crypto::init().unwrap();
         let mut buffer = [0u8; 1];
         generate_random(&mut buffer); // TODO: check return value
         buffer[0]
     }
 
-    fn p256_generate_key_pair() -> (BytesP256ElemLen, BytesP256ElemLen) {
+    fn p256_generate_key_pair(&mut self) -> (BytesP256ElemLen, BytesP256ElemLen) {
         let alg = RawKeyAgreement::Ecdh;
         let mut usage_flags: UsageFlags = UsageFlags::default();
         usage_flags.set_export();
@@ -264,7 +268,7 @@ fn hmac_sha256(message: &[u8], key: &[u8; SHA256_DIGEST_LEN]) -> BytesHashLen {
     s2[64..64 + message.len()].copy_from_slice(message);
 
     //    (4) apply H to the stream generated in step (3)
-    let ih = Crypto::sha256_digest(&s2, 64 + message.len());
+    let ih = Crypto.sha256_digest(&s2, 64 + message.len());
 
     //    (5) XOR (bitwise exclusive-OR) the B byte string computed in
     //        step (1) with opad
@@ -278,7 +282,7 @@ fn hmac_sha256(message: &[u8], key: &[u8; SHA256_DIGEST_LEN]) -> BytesHashLen {
 
     //    (7) apply H to the stream generated in step (6) and output
     //        the result
-    let oh = Crypto::sha256_digest(&s5, 3 * SHA256_DIGEST_LEN);
+    let oh = Crypto.sha256_digest(&s5, 3 * SHA256_DIGEST_LEN);
 
     oh
 }
diff --git a/crypto/edhoc-crypto-trait/src/lib.rs b/crypto/edhoc-crypto-trait/src/lib.rs
index 9863b7be..a3030c4c 100644
--- a/crypto/edhoc-crypto-trait/src/lib.rs
+++ b/crypto/edhoc-crypto-trait/src/lib.rs
@@ -4,28 +4,34 @@
 use edhoc_consts::*;
 
 pub trait Crypto {
-    fn sha256_digest(message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen;
+    fn sha256_digest(&mut self, message: &BytesMaxBuffer, message_len: usize) -> BytesHashLen;
     fn hkdf_expand(
+        &mut self,
         prk: &BytesHashLen,
         info: &BytesMaxInfoBuffer,
         info_len: usize,
         length: usize,
     ) -> BytesMaxBuffer;
-    fn hkdf_extract(salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen;
+    fn hkdf_extract(&mut self, salt: &BytesHashLen, ikm: &BytesP256ElemLen) -> BytesHashLen;
     fn aes_ccm_encrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
         plaintext: &BufferPlaintext3,
     ) -> BufferCiphertext3;
     fn aes_ccm_decrypt_tag_8(
+        &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &BytesEncStructureLen,
         ciphertext: &BufferCiphertext3,
     ) -> Result<BufferPlaintext3, EDHOCError>;
-    fn p256_ecdh(private_key: &BytesP256ElemLen, public_key: &BytesP256ElemLen)
-        -> BytesP256ElemLen;
-    fn get_random_byte() -> u8;
-    fn p256_generate_key_pair() -> (BytesP256ElemLen, BytesP256ElemLen);
+    fn p256_ecdh(
+        &mut self,
+        private_key: &BytesP256ElemLen,
+        public_key: &BytesP256ElemLen,
+    ) -> BytesP256ElemLen;
+    fn get_random_byte(&mut self) -> u8;
+    fn p256_generate_key_pair(&mut self) -> (BytesP256ElemLen, BytesP256ElemLen);
 }
diff --git a/crypto/src/lib.rs b/crypto/src/lib.rs
index 2ab28510..09e0f6b6 100644
--- a/crypto/src/lib.rs
+++ b/crypto/src/lib.rs
@@ -12,6 +12,11 @@ pub use edhoc_crypto_trait::Crypto as CryptoTrait;
 #[cfg(feature = "hacspec")]
 pub type Crypto = edhoc_crypto_hacspec::Crypto;
 
+#[cfg(feature = "hacspec")]
+pub const fn default_crypto() -> Crypto {
+    edhoc_crypto_hacspec::Crypto
+}
+
 // FIXME: Does not work with crypto-as-trait yet
 #[cfg(feature = "cc2538")]
 pub use edhoc_crypto_cc2538::*;
@@ -19,9 +24,19 @@ pub use edhoc_crypto_cc2538::*;
 #[cfg(any(feature = "psa", feature = "psa-rust",))]
 pub type Crypto = edhoc_crypto_psa::Crypto;
 
+#[cfg(any(feature = "psa", feature = "psa-rust",))]
+pub const fn default_crypto() -> Crypto {
+    edhoc_crypto_psa::Crypto
+}
+
 #[cfg(any(feature = "cryptocell310", feature = "cryptocell310-rust"))]
 pub type Crypto = edhoc_crypto_cryptocell310::Crypto;
 
+#[cfg(any(feature = "cryptocell310", feature = "cryptocell310-rust"))]
+pub const fn default_crypto() -> Crypto {
+    edhoc_crypto_cryptocell310::Crypto
+}
+
 /// See test_implements_crypto
 #[allow(dead_code)]
 fn test_helper<T: CryptoTrait>() {}
diff --git a/examples/edhoc-rs-no_std/src/main.rs b/examples/edhoc-rs-no_std/src/main.rs
index d6be5370..a6d02734 100644
--- a/examples/edhoc-rs-no_std/src/main.rs
+++ b/examples/edhoc-rs-no_std/src/main.rs
@@ -13,7 +13,7 @@ use panic_semihosting as _;
 #[cfg(feature = "rtt")]
 use rtt_target::{rprintln as println, rtt_init_print};
 
-use edhoc_crypto::{Crypto, CryptoTrait};
+use edhoc_crypto::{default_crypto, CryptoTrait};
 use edhoc_rs::*;
 
 extern crate alloc;
@@ -81,11 +81,11 @@ fn main() -> ! {
     println!("Test test_new_initiator passed.");
 
     fn test_p256_keys() {
-        let (x, g_x) = Crypto::p256_generate_key_pair();
-        let (y, g_y) = Crypto::p256_generate_key_pair();
+        let (x, g_x) = default_crypto().p256_generate_key_pair();
+        let (y, g_y) = default_crypto().p256_generate_key_pair();
 
-        let g_xy = Crypto::p256_ecdh(&x, &g_y);
-        let g_yx = Crypto::p256_ecdh(&y, &g_x);
+        let g_xy = default_crypto().p256_ecdh(&x, &g_y);
+        let g_yx = default_crypto().p256_ecdh(&y, &g_x);
 
         assert_eq!(g_xy, g_yx);
     }
diff --git a/lib/src/c_wrapper.rs b/lib/src/c_wrapper.rs
index c394c7f1..a6a7be0f 100644
--- a/lib/src/c_wrapper.rs
+++ b/lib/src/c_wrapper.rs
@@ -3,7 +3,7 @@ use core::{slice, str};
 use edhoc_consts::*;
 use hexlit::hex;
 
-use edhoc_crypto::{Crypto, CryptoTrait};
+use edhoc_crypto::{default_crypto, CryptoTrait};
 
 // Panic handler for cortex-m targets
 #[cfg(any(feature = "crypto-cryptocell310", feature = "crypto-psa-baremetal"))]
@@ -12,7 +12,7 @@ use panic_semihosting as _;
 // This function is mainly used to test the C wrapper
 #[no_mangle]
 pub extern "C" fn p256_generate_key_pair_from_c(out_private_key: *mut u8, out_public_key: *mut u8) {
-    let (private_key, public_key) = Crypto::p256_generate_key_pair();
+    let (private_key, public_key) = default_crypto().p256_generate_key_pair();
 
     unsafe {
         // copy the arrays to the pointers received from C
diff --git a/lib/src/edhoc.rs b/lib/src/edhoc.rs
index 5ca68cc7..e5f31ddb 100644
--- a/lib/src/edhoc.rs
+++ b/lib/src/edhoc.rs
@@ -6,6 +6,7 @@ use edhoc_ead::*;
 
 pub fn edhoc_exporter<Crypto: CryptoTrait>(
     state: State,
+    crypto: &mut Crypto,
     label: u8,
     context: &BytesMaxContextBuffer,
     context_len: usize,
@@ -28,7 +29,7 @@ pub fn edhoc_exporter<Crypto: CryptoTrait>(
     let mut error = EDHOCError::UnknownError;
 
     if current_state == EDHOCState::Completed {
-        output = edhoc_kdf::<Crypto>(&prk_exporter, label, context, context_len, length);
+        output = crypto.edhoc_kdf(&prk_exporter, label, context, context_len, length);
         Ok((state, output))
     } else {
         Err(EDHOCError::WrongState)
@@ -37,6 +38,7 @@ pub fn edhoc_exporter<Crypto: CryptoTrait>(
 
 pub fn edhoc_key_update<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     context: &BytesMaxContextBuffer,
     context_len: usize,
 ) -> Result<(State, BytesHashLen), EDHOCError> {
@@ -58,11 +60,11 @@ pub fn edhoc_key_update<Crypto: CryptoTrait>(
 
     if current_state == EDHOCState::Completed {
         // new PRK_out
-        prk_new_buf = edhoc_kdf::<Crypto>(&prk_out, 11u8, context, context_len, SHA256_DIGEST_LEN);
+        prk_new_buf = crypto.edhoc_kdf(&prk_out, 11u8, context, context_len, SHA256_DIGEST_LEN);
         prk_out[..SHA256_DIGEST_LEN].copy_from_slice(&prk_new_buf[..SHA256_DIGEST_LEN]);
 
         // new PRK_exporter
-        prk_new_buf = edhoc_kdf::<Crypto>(
+        prk_new_buf = crypto.edhoc_kdf(
             &prk_out,
             10u8,
             &[0x00; MAX_KDF_CONTEXT_LEN],
@@ -92,6 +94,7 @@ pub fn edhoc_key_update<Crypto: CryptoTrait>(
 
 pub fn r_process_message_1<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     message_1: &BufferMessage1,
 ) -> Result<State, EDHOCError> {
     let State(
@@ -131,7 +134,7 @@ pub fn r_process_message_1<Crypto: CryptoTrait>(
                         let mut message_1_buf: BytesMaxBuffer = [0x00; MAX_BUFFER_LEN];
                         message_1_buf[..message_1.len]
                             .copy_from_slice(&message_1.content[..message_1.len]);
-                        h_message_1 = Crypto::sha256_digest(&message_1_buf, message_1.len);
+                        h_message_1 = crypto.sha256_digest(&message_1_buf, message_1.len);
 
                         error = EDHOCError::Success;
                         current_state = EDHOCState::ProcessedMessage1;
@@ -172,6 +175,7 @@ pub fn r_process_message_1<Crypto: CryptoTrait>(
 
 pub fn r_prepare_message_2<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     id_cred_r: &BytesIdCred,
     cred_r: &[u8],
     r: &BytesP256ElemLen, // R's static private DH key
@@ -197,15 +201,15 @@ pub fn r_prepare_message_2<Crypto: CryptoTrait>(
 
     if current_state == EDHOCState::ProcessedMessage1 {
         // compute TH_2
-        let th_2 = compute_th_2::<Crypto>(&g_y, &h_message_1);
+        let th_2 = crypto.compute_th_2(&g_y, &h_message_1);
 
         // compute prk_3e2m
-        let prk_2e = compute_prk_2e::<Crypto>(&y, &g_x, &th_2);
-        let salt_3e2m = compute_salt_3e2m::<Crypto>(&prk_2e, &th_2);
-        prk_3e2m = compute_prk_3e2m::<Crypto>(&salt_3e2m, r, &g_x);
+        let prk_2e = crypto.compute_prk_2e(&y, &g_x, &th_2);
+        let salt_3e2m = crypto.compute_salt_3e2m(&prk_2e, &th_2);
+        prk_3e2m = crypto.compute_prk_3e2m(&salt_3e2m, r, &g_x);
 
         // compute MAC_2
-        let mac_2 = compute_mac_2::<Crypto>(&prk_3e2m, id_cred_r, cred_r, &th_2);
+        let mac_2 = crypto.compute_mac_2(&prk_3e2m, id_cred_r, cred_r, &th_2);
 
         let ead_2 = r_prepare_ead_2();
 
@@ -214,14 +218,14 @@ pub fn r_prepare_message_2<Crypto: CryptoTrait>(
 
         // step is actually from processing of message_3
         // but we do it here to avoid storing plaintext_2 in State
-        th_3 = compute_th_3::<Crypto>(&th_2, &plaintext_2, cred_r);
+        th_3 = crypto.compute_th_3(&th_2, &plaintext_2, cred_r);
 
         let mut ct: BufferCiphertext2 = BufferCiphertext2::new();
         ct.len = plaintext_2.len;
         ct.content[..ct.len].copy_from_slice(&plaintext_2.content[..ct.len]);
 
         let (ciphertext_2, ciphertext_2_len) =
-            encrypt_decrypt_ciphertext_2::<Crypto>(&prk_2e, &th_2, &ct);
+            crypto.encrypt_decrypt_ciphertext_2(&prk_2e, &th_2, &ct);
 
         ct.content[..ct.len].copy_from_slice(&ciphertext_2[..ct.len]);
 
@@ -255,6 +259,7 @@ pub fn r_prepare_message_2<Crypto: CryptoTrait>(
 // FIXME fetch ID_CRED_I and CRED_I based on kid
 pub fn r_process_message_3<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     message_3: &BufferMessage3,
     id_cred_i_expected: &BytesIdCred,
     cred_i_expected: &[u8],
@@ -276,7 +281,7 @@ pub fn r_process_message_3<Crypto: CryptoTrait>(
     let mut error = EDHOCError::UnknownError;
 
     if current_state == EDHOCState::WaitMessage3 {
-        let plaintext_3 = decrypt_message_3::<Crypto>(&prk_3e2m, &th_3, message_3);
+        let plaintext_3 = crypto.decrypt_message_3(&prk_3e2m, &th_3, message_3);
 
         if plaintext_3.is_ok() {
             let plaintext_3 = plaintext_3.unwrap();
@@ -295,12 +300,12 @@ pub fn r_process_message_3<Crypto: CryptoTrait>(
                     // compare the kid received with the kid expected in id_cred_i
                     if kid == id_cred_i_expected[id_cred_i_expected.len() - 1] {
                         // compute salt_4e3m
-                        let salt_4e3m = compute_salt_4e3m::<Crypto>(&prk_3e2m, &th_3);
+                        let salt_4e3m = crypto.compute_salt_4e3m(&prk_3e2m, &th_3);
                         // TODO compute prk_4e3m
-                        prk_4e3m = compute_prk_4e3m::<Crypto>(&salt_4e3m, &y, g_i);
+                        prk_4e3m = crypto.compute_prk_4e3m(&salt_4e3m, &y, g_i);
 
                         // compute mac_3
-                        let expected_mac_3 = compute_mac_3::<Crypto>(
+                        let expected_mac_3 = crypto.compute_mac_3(
                             &prk_4e3m,
                             &th_3,
                             id_cred_i_expected,
@@ -310,13 +315,13 @@ pub fn r_process_message_3<Crypto: CryptoTrait>(
                         // verify mac_3
                         if mac_3 == expected_mac_3 {
                             error = EDHOCError::Success;
-                            let th_4 = compute_th_4::<Crypto>(&th_3, &plaintext_3, cred_i_expected);
+                            let th_4 = crypto.compute_th_4(&th_3, &plaintext_3, cred_i_expected);
 
                             let mut th_4_buf: BytesMaxContextBuffer = [0x00; MAX_KDF_CONTEXT_LEN];
                             th_4_buf[..th_4.len()].copy_from_slice(&th_4[..]);
                             // compute prk_out
                             // PRK_out = EDHOC-KDF( PRK_4e3m, 7, TH_4, hash_length )
-                            let prk_out_buf = edhoc_kdf::<Crypto>(
+                            let prk_out_buf = crypto.edhoc_kdf(
                                 &prk_4e3m,
                                 7u8,
                                 &th_4_buf,
@@ -328,7 +333,7 @@ pub fn r_process_message_3<Crypto: CryptoTrait>(
 
                             // compute prk_exporter from prk_out
                             // PRK_exporter  = EDHOC-KDF( PRK_out, 10, h'', hash_length )
-                            let prk_exporter_buf = edhoc_kdf::<Crypto>(
+                            let prk_exporter_buf = crypto.edhoc_kdf(
                                 &prk_out,
                                 10u8,
                                 &[0x00u8; MAX_KDF_CONTEXT_LEN],
@@ -381,6 +386,7 @@ pub fn r_process_message_3<Crypto: CryptoTrait>(
 
 pub fn i_prepare_message_1<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     x: BytesP256ElemLen,
     g_x: BytesP256ElemLen,
     c_i: u8,
@@ -423,7 +429,7 @@ pub fn i_prepare_message_1<Crypto: CryptoTrait>(
         message_1_buf[..message_1.len].copy_from_slice(&message_1.content[..message_1.len]);
 
         // hash message_1 here to avoid saving the whole message in the state
-        h_message_1 = Crypto::sha256_digest(&message_1_buf, message_1.len);
+        h_message_1 = crypto.sha256_digest(&message_1_buf, message_1.len);
         error = EDHOCError::Success;
         current_state = EDHOCState::WaitMessage2;
 
@@ -452,6 +458,7 @@ pub fn i_prepare_message_1<Crypto: CryptoTrait>(
 // returns c_r
 pub fn i_process_message_2<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     message_2: &BufferMessage2,
     id_cred_r_expected: &BytesIdCred,
     cred_r_expected: &[u8],
@@ -481,13 +488,13 @@ pub fn i_process_message_2<Crypto: CryptoTrait>(
         if res.is_ok() {
             let (g_y, ciphertext_2) = res.unwrap();
 
-            let th_2 = compute_th_2::<Crypto>(&g_y, &h_message_1);
+            let th_2 = crypto.compute_th_2(&g_y, &h_message_1);
 
             // compute prk_2e
-            let prk_2e = compute_prk_2e::<Crypto>(&x, &g_y, &th_2);
+            let prk_2e = crypto.compute_prk_2e(&x, &g_y, &th_2);
 
             let (plaintext_2, plaintext_2_len) =
-                encrypt_decrypt_ciphertext_2::<Crypto>(&prk_2e, &th_2, &ciphertext_2);
+                crypto.encrypt_decrypt_ciphertext_2(&prk_2e, &th_2, &ciphertext_2);
 
             // decode plaintext_2
             let plaintext_2_decoded = decode_plaintext_2(&plaintext_2, plaintext_2_len);
@@ -504,11 +511,11 @@ pub fn i_process_message_2<Crypto: CryptoTrait>(
                 };
                 if ead_success {
                     // verify mac_2
-                    let salt_3e2m = compute_salt_3e2m::<Crypto>(&prk_2e, &th_2);
+                    let salt_3e2m = crypto.compute_salt_3e2m(&prk_2e, &th_2);
 
-                    prk_3e2m = compute_prk_3e2m::<Crypto>(&salt_3e2m, &x, g_r);
+                    prk_3e2m = crypto.compute_prk_3e2m(&salt_3e2m, &x, g_r);
 
-                    let expected_mac_2 = compute_mac_2::<Crypto>(
+                    let expected_mac_2 = crypto.compute_mac_2(
                         &prk_3e2m,
                         id_cred_r_expected,
                         cred_r_expected,
@@ -523,12 +530,12 @@ pub fn i_process_message_2<Crypto: CryptoTrait>(
                             pt2.content[..plaintext_2_len]
                                 .copy_from_slice(&plaintext_2[..plaintext_2_len]);
                             pt2.len = plaintext_2_len;
-                            th_3 = compute_th_3::<Crypto>(&th_2, &pt2, cred_r_expected);
+                            th_3 = crypto.compute_th_3(&th_2, &pt2, cred_r_expected);
                             // message 3 processing
 
-                            let salt_4e3m = compute_salt_4e3m::<Crypto>(&prk_3e2m, &th_3);
+                            let salt_4e3m = crypto.compute_salt_4e3m(&prk_3e2m, &th_3);
 
-                            prk_4e3m = compute_prk_4e3m::<Crypto>(&salt_4e3m, i, &g_y);
+                            prk_4e3m = crypto.compute_prk_4e3m(&salt_4e3m, i, &g_y);
 
                             error = EDHOCError::Success;
                             current_state = EDHOCState::ProcessedMessage2;
@@ -573,6 +580,7 @@ pub fn i_process_message_2<Crypto: CryptoTrait>(
 
 pub fn i_prepare_message_3<Crypto: CryptoTrait>(
     mut state: State,
+    crypto: &mut Crypto,
     id_cred_i: &BytesIdCred,
     cred_i: &[u8],
 ) -> Result<(State, BufferMessage3, BytesHashLen), EDHOCError> {
@@ -593,14 +601,14 @@ pub fn i_prepare_message_3<Crypto: CryptoTrait>(
     let mut message_3: BufferMessage3 = BufferMessage3::new();
 
     if current_state == EDHOCState::ProcessedMessage2 {
-        let mac_3 = compute_mac_3::<Crypto>(&prk_4e3m, &th_3, id_cred_i, cred_i);
+        let mac_3 = crypto.compute_mac_3(&prk_4e3m, &th_3, id_cred_i, cred_i);
 
         let ead_3 = i_prepare_ead_3();
 
         let plaintext_3 = encode_plaintext_3(id_cred_i, &mac_3, &ead_3);
-        message_3 = encrypt_message_3::<Crypto>(&prk_3e2m, &th_3, &plaintext_3);
+        message_3 = crypto.encrypt_message_3(&prk_3e2m, &th_3, &plaintext_3);
 
-        let th_4 = compute_th_4::<Crypto>(&th_3, &plaintext_3, cred_i);
+        let th_4 = crypto.compute_th_4(&th_3, &plaintext_3, cred_i);
 
         let mut th_4_buf: BytesMaxContextBuffer = [0x00; MAX_KDF_CONTEXT_LEN];
         th_4_buf[..th_4.len()].copy_from_slice(&th_4[..]);
@@ -608,12 +616,12 @@ pub fn i_prepare_message_3<Crypto: CryptoTrait>(
         // compute prk_out
         // PRK_out = EDHOC-KDF( PRK_4e3m, 7, TH_4, hash_length )
         let prk_out_buf =
-            edhoc_kdf::<Crypto>(&prk_4e3m, 7u8, &th_4_buf, th_4.len(), SHA256_DIGEST_LEN);
+            crypto.edhoc_kdf(&prk_4e3m, 7u8, &th_4_buf, th_4.len(), SHA256_DIGEST_LEN);
         prk_out[..SHA256_DIGEST_LEN].copy_from_slice(&prk_out_buf[..SHA256_DIGEST_LEN]);
 
         // compute prk_exporter from prk_out
         // PRK_exporter  = EDHOC-KDF( PRK_out, 10, h'', hash_length )
-        let prk_exporter_buf = edhoc_kdf::<Crypto>(
+        let prk_exporter_buf = crypto.edhoc_kdf(
             &prk_out,
             10u8,
             &[0x00; MAX_KDF_CONTEXT_LEN],
@@ -1007,7 +1015,18 @@ fn encode_message_2(g_y: &BytesP256ElemLen, ciphertext_2: &BufferCiphertext2) ->
     output
 }
 
-fn compute_th_2<Crypto: CryptoTrait>(
+// All these functions that are generally pure functions without any state they handle are
+// expressed as an extension to the Crypto trait, because this gives the easiest invocation
+// semantics -- any code outside them can just call `crypto.compute_th_2()`, code inside calls
+// `self.some_function()`.
+//
+// It's easier to write because it allows the Crypto generics to sit on the trait instead of being
+// repeated for each function. (Other than that, they could all just as well be called
+// `computed_th_2(crypto, ...)` etc).
+trait CryptoExt: CryptoTrait {
+
+fn compute_th_2(
+    &mut self,
     g_y: &BytesP256ElemLen,
     h_message_1: &BytesHashLen,
 ) -> BytesHashLen {
@@ -1022,12 +1041,13 @@ fn compute_th_2<Crypto: CryptoTrait>(
 
     let len = 4 + P256_ELEM_LEN + SHA256_DIGEST_LEN;
 
-    let th_2 = Crypto::sha256_digest(&message, len);
+    let th_2 = self.sha256_digest(&message, len);
 
     th_2
 }
 
-fn compute_th_3<Crypto: CryptoTrait>(
+fn compute_th_3(
+    &mut self,
     th_2: &BytesHashLen,
     plaintext_2: &BufferPlaintext2,
     cred_r: &[u8],
@@ -1042,12 +1062,13 @@ fn compute_th_3<Crypto: CryptoTrait>(
     message[2 + th_2.len() + plaintext_2.len..2 + th_2.len() + plaintext_2.len + cred_r.len()]
         .copy_from_slice(cred_r);
 
-    let output = Crypto::sha256_digest(&message, th_2.len() + 2 + plaintext_2.len + cred_r.len());
+    let output = self.sha256_digest(&message, th_2.len() + 2 + plaintext_2.len + cred_r.len());
 
     output
 }
 
-fn compute_th_4<Crypto: CryptoTrait>(
+fn compute_th_4(
+    &mut self,
     th_3: &BytesHashLen,
     plaintext_3: &BufferPlaintext3,
     cred_i: &[u8],
@@ -1062,12 +1083,13 @@ fn compute_th_4<Crypto: CryptoTrait>(
     message[2 + th_3.len() + plaintext_3.len..2 + th_3.len() + plaintext_3.len + cred_i.len()]
         .copy_from_slice(cred_i);
 
-    let output = Crypto::sha256_digest(&message, th_3.len() + 2 + plaintext_3.len + cred_i.len());
+    let output = self.sha256_digest(&message, th_3.len() + 2 + plaintext_3.len + cred_i.len());
 
     output
 }
 
-fn edhoc_kdf<Crypto: CryptoTrait>(
+fn edhoc_kdf(
+    &mut self,
     prk: &BytesHashLen,
     label: u8,
     context: &BytesMaxContextBuffer,
@@ -1098,12 +1120,13 @@ fn edhoc_kdf<Crypto: CryptoTrait>(
         info_len = info_len + 2;
     }
 
-    let output = Crypto::hkdf_expand(prk, &info, info_len, length);
+    let output = self.hkdf_expand(prk, &info, info_len, length);
 
     output
 }
 
-fn compute_k_3_iv_3<Crypto: CryptoTrait>(
+fn compute_k_3_iv_3(
+    &mut self,
     prk_3e2m: &BytesHashLen,
     th_3: &BytesHashLen,
 ) -> (BytesCcmKeyLen, BytesCcmIvLen) {
@@ -1111,19 +1134,20 @@ fn compute_k_3_iv_3<Crypto: CryptoTrait>(
     let mut k_3: BytesCcmKeyLen = [0x00; AES_CCM_KEY_LEN];
     let mut th_3_buf: BytesMaxContextBuffer = [0x00; MAX_KDF_CONTEXT_LEN];
     th_3_buf[..th_3.len()].copy_from_slice(&th_3[..]);
-    let k_3_buf = edhoc_kdf::<Crypto>(prk_3e2m, 3u8, &th_3_buf, th_3.len(), AES_CCM_KEY_LEN);
+    let k_3_buf = self.edhoc_kdf(prk_3e2m, 3u8, &th_3_buf, th_3.len(), AES_CCM_KEY_LEN);
     k_3[..].copy_from_slice(&k_3_buf[..AES_CCM_KEY_LEN]);
 
     // IV_3 = EDHOC-KDF( PRK_3e2m, 4, TH_3,      iv_length )
     let mut iv_3: BytesCcmIvLen = [0x00; AES_CCM_IV_LEN];
-    let iv_3_buf = edhoc_kdf::<Crypto>(prk_3e2m, 4u8, &th_3_buf, th_3.len(), AES_CCM_IV_LEN);
+    let iv_3_buf = self.edhoc_kdf(prk_3e2m, 4u8, &th_3_buf, th_3.len(), AES_CCM_IV_LEN);
     iv_3[..].copy_from_slice(&iv_3_buf[..AES_CCM_IV_LEN]);
 
     (k_3, iv_3)
 }
 
 // calculates ciphertext_3 wrapped in a cbor byte string
-fn encrypt_message_3<Crypto: CryptoTrait>(
+fn encrypt_message_3(
+    &mut self,
     prk_3e2m: &BytesHashLen,
     th_3: &BytesHashLen,
     plaintext_3: &BufferPlaintext3,
@@ -1134,16 +1158,17 @@ fn encrypt_message_3<Crypto: CryptoTrait>(
 
     let enc_structure = encode_enc_structure(th_3);
 
-    let (k_3, iv_3) = compute_k_3_iv_3::<Crypto>(prk_3e2m, th_3);
+    let (k_3, iv_3) = self.compute_k_3_iv_3(prk_3e2m, th_3);
 
-    let ciphertext_3 = Crypto::aes_ccm_encrypt_tag_8(&k_3, &iv_3, &enc_structure, plaintext_3);
+    let ciphertext_3 = self.aes_ccm_encrypt_tag_8(&k_3, &iv_3, &enc_structure, plaintext_3);
 
     output.content[1..output.len].copy_from_slice(&ciphertext_3.content[..ciphertext_3.len]);
 
     output
 }
 
-fn decrypt_message_3<Crypto: CryptoTrait>(
+fn decrypt_message_3(
+    &mut self,
     prk_3e2m: &BytesHashLen,
     th_3: &BytesHashLen,
     message_3: &BufferMessage3,
@@ -1158,11 +1183,11 @@ fn decrypt_message_3<Crypto: CryptoTrait>(
     ciphertext_3.len = len;
     ciphertext_3.content[..len].copy_from_slice(&message_3.content[1..1 + len]);
 
-    let (k_3, iv_3) = compute_k_3_iv_3::<Crypto>(prk_3e2m, th_3);
+    let (k_3, iv_3) = self.compute_k_3_iv_3(prk_3e2m, th_3);
 
     let enc_structure = encode_enc_structure(th_3);
 
-    let p3 = Crypto::aes_ccm_decrypt_tag_8(&k_3, &iv_3, &enc_structure, &ciphertext_3);
+    let p3 = self.aes_ccm_decrypt_tag_8(&k_3, &iv_3, &enc_structure, &ciphertext_3);
 
     if p3.is_ok() {
         error = EDHOCError::Success;
@@ -1179,7 +1204,8 @@ fn decrypt_message_3<Crypto: CryptoTrait>(
     }
 }
 
-fn compute_mac_3<Crypto: CryptoTrait>(
+fn compute_mac_3(
+    &mut self,
     prk_4e3m: &BytesHashLen,
     th_3: &BytesHashLen,
     id_cred_i: &BytesIdCred,
@@ -1189,7 +1215,7 @@ fn compute_mac_3<Crypto: CryptoTrait>(
     let (context, context_len) = encode_kdf_context(id_cred_i, th_3, cred_i);
 
     // compute mac_3
-    let output_buf = edhoc_kdf::<Crypto>(
+    let output_buf = self.edhoc_kdf(
         prk_4e3m,
         6u8, // registered label for "MAC_3"
         &context,
@@ -1202,7 +1228,8 @@ fn compute_mac_3<Crypto: CryptoTrait>(
     output
 }
 
-fn compute_mac_2<Crypto: CryptoTrait>(
+fn compute_mac_2(
+    &mut self,
     prk_3e2m: &BytesHashLen,
     id_cred_r: &BytesIdCred,
     cred_r: &[u8],
@@ -1214,14 +1241,15 @@ fn compute_mac_2<Crypto: CryptoTrait>(
     // MAC_2 = EDHOC-KDF( PRK_3e2m, 2, context_2, mac_length_2 )
     let mut mac_2: BytesMac2 = [0x00; MAC_LENGTH_2];
     mac_2[..].copy_from_slice(
-        &edhoc_kdf::<Crypto>(prk_3e2m, 2 as u8, &context, context_len, MAC_LENGTH_2)
+        &self.edhoc_kdf(prk_3e2m, 2 as u8, &context, context_len, MAC_LENGTH_2)
             [..MAC_LENGTH_2],
     );
 
     mac_2
 }
 
-fn encrypt_decrypt_ciphertext_2<Crypto: CryptoTrait>(
+fn encrypt_decrypt_ciphertext_2(
+    &mut self,
     prk_2e: &BytesHashLen,
     th_2: &BytesHashLen,
     ciphertext_2: &BufferCiphertext2,
@@ -1231,7 +1259,7 @@ fn encrypt_decrypt_ciphertext_2<Crypto: CryptoTrait>(
     th_2_context[..th_2.len()].copy_from_slice(&th_2[..]);
 
     // KEYSTREAM_2 = EDHOC-KDF( PRK_2e,   0, TH_2,      plaintext_length )
-    let keystream_2 = edhoc_kdf::<Crypto>(
+    let keystream_2 = self.edhoc_kdf(
         prk_2e,
         0u8,
         &th_2_context,
@@ -1248,40 +1276,43 @@ fn encrypt_decrypt_ciphertext_2<Crypto: CryptoTrait>(
     (plaintext_2, ciphertext_2.len)
 }
 
-fn compute_salt_4e3m<Crypto: CryptoTrait>(
+fn compute_salt_4e3m(
+    &mut self,
     prk_3e2m: &BytesHashLen,
     th_3: &BytesHashLen,
 ) -> BytesHashLen {
     let mut th_3_context: BytesMaxContextBuffer = [0x00; MAX_KDF_CONTEXT_LEN];
     th_3_context[..th_3.len()].copy_from_slice(&th_3[..]);
     let salt_4e3m_buf =
-        edhoc_kdf::<Crypto>(prk_3e2m, 5u8, &th_3_context, th_3.len(), SHA256_DIGEST_LEN);
+        self.edhoc_kdf(prk_3e2m, 5u8, &th_3_context, th_3.len(), SHA256_DIGEST_LEN);
     let mut salt_4e3m: BytesHashLen = [0x00; SHA256_DIGEST_LEN];
     salt_4e3m[..].copy_from_slice(&salt_4e3m_buf[..SHA256_DIGEST_LEN]);
 
     salt_4e3m
 }
 
-fn compute_prk_4e3m<Crypto: CryptoTrait>(
+fn compute_prk_4e3m(
+    &mut self,
     salt_4e3m: &BytesHashLen,
     i: &BytesP256ElemLen,
     g_y: &BytesP256ElemLen,
 ) -> BytesHashLen {
     // compute g_rx from static R's public key and private ephemeral key
-    let g_iy = Crypto::p256_ecdh(i, g_y);
-    let prk_4e3m = Crypto::hkdf_extract(salt_4e3m, &g_iy);
+    let g_iy = self.p256_ecdh(i, g_y);
+    let prk_4e3m = self.hkdf_extract(salt_4e3m, &g_iy);
 
     prk_4e3m
 }
 
-fn compute_salt_3e2m<Crypto: CryptoTrait>(
+fn compute_salt_3e2m(
+    &mut self,
     prk_2e: &BytesHashLen,
     th_2: &BytesHashLen,
 ) -> BytesHashLen {
     let mut th_2_context: BytesMaxContextBuffer = [0x00; MAX_KDF_CONTEXT_LEN];
     th_2_context[..th_2.len()].copy_from_slice(&th_2[..]);
 
-    let salt_3e2m_buf = edhoc_kdf::<Crypto>(
+    let salt_3e2m_buf = self.edhoc_kdf(
         prk_2e,
         1u8,
         &th_2_context,
@@ -1295,31 +1326,37 @@ fn compute_salt_3e2m<Crypto: CryptoTrait>(
     salt_3e2m
 }
 
-fn compute_prk_3e2m<Crypto: CryptoTrait>(
+fn compute_prk_3e2m(
+    &mut self,
     salt_3e2m: &BytesHashLen,
     x: &BytesP256ElemLen,
     g_r: &BytesP256ElemLen,
 ) -> BytesHashLen {
     // compute g_rx from static R's public key and private ephemeral key
-    let g_rx = Crypto::p256_ecdh(x, g_r);
-    let prk_3e2m = Crypto::hkdf_extract(salt_3e2m, &g_rx);
+    let g_rx = self.p256_ecdh(x, g_r);
+    let prk_3e2m = self.hkdf_extract(salt_3e2m, &g_rx);
 
     prk_3e2m
 }
 
-fn compute_prk_2e<Crypto: CryptoTrait>(
+fn compute_prk_2e(
+    &mut self,
     x: &BytesP256ElemLen,
     g_y: &BytesP256ElemLen,
     th_2: &BytesHashLen,
 ) -> BytesHashLen {
     // compute the shared secret
-    let g_xy = Crypto::p256_ecdh(x, g_y);
+    let g_xy = self.p256_ecdh(x, g_y);
     // compute prk_2e as PRK_2e = HMAC-SHA-256( salt, G_XY )
-    let prk_2e = Crypto::hkdf_extract(th_2, &g_xy);
+    let prk_2e = self.hkdf_extract(th_2, &g_xy);
 
     prk_2e
 }
 
+}
+
+impl<Crypto: CryptoTrait> CryptoExt for Crypto {}
+
 fn decode_plaintext_3(
     plaintext_3: &BufferPlaintext3,
 ) -> Result<(u8, BytesMac3, Option<EADItem>), EDHOCError> {
@@ -1509,7 +1546,7 @@ mod tests {
     use super::*;
     use hexlit::hex;
 
-    use edhoc_crypto::Crypto;
+    use edhoc_crypto::default_crypto;
     // test vectors (TV)
 
     // message_1 (first_time)
@@ -1618,7 +1655,7 @@ mod tests {
 
     #[test]
     fn test_ecdh() {
-        let g_xy = Crypto::p256_ecdh(&X_TV, &G_Y_TV);
+        let g_xy = default_crypto().p256_ecdh(&X_TV, &G_Y_TV);
 
         assert_eq!(g_xy, G_XY_TV);
     }
@@ -1756,7 +1793,7 @@ mod tests {
 
     #[test]
     fn test_compute_th_2() {
-        let th_2 = compute_th_2::<Crypto>(&G_Y_TV, &H_MESSAGE_1_TV);
+        let th_2 = default_crypto().compute_th_2(&G_Y_TV, &H_MESSAGE_1_TV);
         assert_eq!(th_2, TH_2_TV);
     }
 
@@ -1764,7 +1801,7 @@ mod tests {
     fn test_compute_th_3() {
         let plaintext_2_tv = BufferPlaintext2::from_hex(PLAINTEXT_2_TV);
 
-        let th_3 = compute_th_3::<Crypto>(&TH_2_TV, &plaintext_2_tv, &CRED_R_TV);
+        let th_3 = default_crypto().compute_th_3(&TH_2_TV, &plaintext_2_tv, &CRED_R_TV);
         assert_eq!(th_3, TH_3_TV);
     }
 
@@ -1772,7 +1809,7 @@ mod tests {
     fn test_compute_th_4() {
         let plaintext_3_tv = BufferPlaintext3::from_hex(PLAINTEXT_3_TV);
 
-        let th_4 = compute_th_4::<Crypto>(&TH_3_TV, &plaintext_3_tv, &CRED_I_TV);
+        let th_4 = default_crypto().compute_th_4(&TH_3_TV, &plaintext_3_tv, &CRED_I_TV);
         assert_eq!(th_4, TH_4_TV);
     }
 
@@ -1783,7 +1820,7 @@ mod tests {
         const LEN_TV: usize = PLAINTEXT_2_LEN_TV;
 
         let output =
-            edhoc_kdf::<Crypto>(&PRK_2E_TV, 0u8, &th_2_context_tv, SHA256_DIGEST_LEN, LEN_TV);
+            default_crypto().edhoc_kdf(&PRK_2E_TV, 0u8, &th_2_context_tv, SHA256_DIGEST_LEN, LEN_TV);
         for i in 0..KEYSTREAM_2_TV.len() {
             assert_eq!(KEYSTREAM_2_TV[i], output[i]);
         }
@@ -1792,7 +1829,7 @@ mod tests {
         context_info_mac_2[..CONTEXT_INFO_MAC_2_TV.len()]
             .copy_from_slice(&CONTEXT_INFO_MAC_2_TV[..]);
 
-        let output_2 = edhoc_kdf::<Crypto>(
+        let output_2 = default_crypto().edhoc_kdf(
             &PRK_3E2M_TV,
             2u8,
             &context_info_mac_2,
@@ -1810,7 +1847,7 @@ mod tests {
         let plaintext_3_tv = BufferPlaintext3::from_hex(PLAINTEXT_3_TV);
         let message_3_tv = BufferMessage3::from_hex(MESSAGE_3_TV);
 
-        let message_3 = encrypt_message_3::<Crypto>(&PRK_3E2M_TV, &TH_3_TV, &plaintext_3_tv);
+        let message_3 = default_crypto().encrypt_message_3(&PRK_3E2M_TV, &TH_3_TV, &plaintext_3_tv);
         assert_eq!(message_3, message_3_tv);
     }
 
@@ -1819,20 +1856,20 @@ mod tests {
         let plaintext_3_tv = BufferPlaintext3::from_hex(PLAINTEXT_3_TV);
         let message_3_tv = BufferMessage3::from_hex(MESSAGE_3_TV);
 
-        let plaintext_3 = decrypt_message_3::<Crypto>(&PRK_3E2M_TV, &TH_3_TV, &message_3_tv);
+        let plaintext_3 = default_crypto().decrypt_message_3(&PRK_3E2M_TV, &TH_3_TV, &message_3_tv);
         assert!(plaintext_3.is_ok());
         assert_eq!(plaintext_3.unwrap(), plaintext_3_tv);
     }
 
     #[test]
     fn test_compute_mac_3() {
-        let mac_3 = compute_mac_3::<Crypto>(&PRK_4E3M_TV, &TH_3_TV, &ID_CRED_I_TV, &CRED_I_TV);
+        let mac_3 = default_crypto().compute_mac_3(&PRK_4E3M_TV, &TH_3_TV, &ID_CRED_I_TV, &CRED_I_TV);
         assert_eq!(mac_3, MAC_3_TV);
     }
 
     #[test]
     fn test_compute_and_verify_mac_2() {
-        let rcvd_mac_2 = compute_mac_2::<Crypto>(&PRK_3E2M_TV, &ID_CRED_R_TV, &CRED_R_TV, &TH_2_TV);
+        let rcvd_mac_2 = default_crypto().compute_mac_2(&PRK_3E2M_TV, &ID_CRED_R_TV, &CRED_R_TV, &TH_2_TV);
 
         assert_eq!(rcvd_mac_2, MAC_2_TV);
     }
@@ -1885,7 +1922,7 @@ mod tests {
         let ciphertext_2_tv = BufferPlaintext2::from_hex(CIPHERTEXT_2_TV);
         // test decryption
         let (plaintext_2, plaintext_2_len) =
-            encrypt_decrypt_ciphertext_2::<Crypto>(&PRK_2E_TV, &TH_2_TV, &ciphertext_2_tv);
+            default_crypto().encrypt_decrypt_ciphertext_2(&PRK_2E_TV, &TH_2_TV, &ciphertext_2_tv);
 
         assert_eq!(plaintext_2_len, PLAINTEXT_2_LEN_TV);
         for i in 0..PLAINTEXT_2_LEN_TV {
@@ -1898,7 +1935,7 @@ mod tests {
 
         // test encryption
         let (ciphertext_2, ciphertext_2_len) =
-            encrypt_decrypt_ciphertext_2::<Crypto>(&PRK_2E_TV, &TH_2_TV, &plaintext_2_tmp);
+            default_crypto().encrypt_decrypt_ciphertext_2(&PRK_2E_TV, &TH_2_TV, &plaintext_2_tmp);
 
         assert_eq!(ciphertext_2_len, CIPHERTEXT_2_LEN_TV);
         for i in 0..CIPHERTEXT_2_LEN_TV {
@@ -1908,19 +1945,19 @@ mod tests {
 
     #[test]
     fn test_compute_prk_4e3m() {
-        let prk_4e3m = compute_prk_4e3m::<Crypto>(&SALT_4E3M_TV, &SK_I_TV, &G_Y_TV);
+        let prk_4e3m = default_crypto().compute_prk_4e3m(&SALT_4E3M_TV, &SK_I_TV, &G_Y_TV);
         assert_eq!(prk_4e3m, PRK_4E3M_TV);
     }
 
     #[test]
     fn test_compute_prk_3e2m() {
-        let prk_3e2m = compute_prk_3e2m::<Crypto>(&SALT_3E2M_TV, &X_TV, &G_R_TV);
+        let prk_3e2m = default_crypto().compute_prk_3e2m(&SALT_3E2M_TV, &X_TV, &G_R_TV);
         assert_eq!(prk_3e2m, PRK_3E2M_TV);
     }
 
     #[test]
     fn test_compute_prk_2e() {
-        let prk_2e = compute_prk_2e::<Crypto>(&X_TV, &G_Y_TV, &TH_2_TV);
+        let prk_2e = default_crypto().compute_prk_2e(&X_TV, &G_Y_TV, &TH_2_TV);
         assert_eq!(prk_2e, PRK_2E_TV);
     }
 
@@ -2032,7 +2069,7 @@ mod tests {
         let mut th_4_context: BytesMaxContextBuffer = [0x00; MAX_KDF_CONTEXT_LEN];
         th_4_context[..TH_4_TV.len()].copy_from_slice(&TH_4_TV[..]);
 
-        let prk_out_buf = edhoc_kdf::<Crypto>(
+        let prk_out_buf = default_crypto().edhoc_kdf(
             &PRK_4E3M_TV,
             7u8,
             &th_4_context,
@@ -2047,7 +2084,7 @@ mod tests {
     #[test]
     fn test_compute_prk_exporter() {
         let mut prk_exporter: BytesHashLen = [0x00; SHA256_DIGEST_LEN];
-        let prk_exporter_buf = edhoc_kdf::<Crypto>(
+        let prk_exporter_buf = default_crypto().edhoc_kdf(
             &PRK_OUT_TV,
             10u8,
             &[0x00; MAX_KDF_CONTEXT_LEN],
@@ -2061,7 +2098,7 @@ mod tests {
 
     #[test]
     fn test_compute_oscore_master_secret_salt() {
-        let oscore_master_secret_buf = edhoc_kdf::<Crypto>(
+        let oscore_master_secret_buf = default_crypto().edhoc_kdf(
             &PRK_EXPORTER_TV,
             0u8,
             &[0x00; MAX_KDF_CONTEXT_LEN],
@@ -2073,7 +2110,7 @@ mod tests {
             &OSCORE_MASTER_SECRET_TV[..]
         );
 
-        let oscore_master_salt_buf = edhoc_kdf::<Crypto>(
+        let oscore_master_salt_buf = default_crypto().edhoc_kdf(
             &PRK_EXPORTER_TV,
             1u8,
             &[0x00; MAX_KDF_CONTEXT_LEN],
diff --git a/lib/src/lib.rs b/lib/src/lib.rs
index f285c7c4..3938d7e6 100644
--- a/lib/src/lib.rs
+++ b/lib/src/lib.rs
@@ -1,7 +1,7 @@
 #![cfg_attr(not(test), no_std)]
 
 pub use {
-    edhoc_consts::State as EdhocState, edhoc_consts::*, edhoc_crypto::Crypto,
+    edhoc_consts::State as EdhocState, edhoc_consts::*, edhoc_crypto::default_crypto,
     edhoc_crypto::CryptoTrait, EdhocInitiatorState as EdhocInitiator,
     EdhocResponderState as EdhocResponder,
 };
@@ -87,7 +87,7 @@ impl<'a> EdhocResponderState<'a> {
         self: &mut EdhocResponderState<'a>,
         message_1: &BufferMessage1,
     ) -> Result<(), EDHOCError> {
-        let state = r_process_message_1::<Crypto>(self.state, message_1)?;
+        let state = r_process_message_1(self.state, &mut default_crypto(), message_1)?;
         self.state = state;
 
         Ok(())
@@ -97,10 +97,11 @@ impl<'a> EdhocResponderState<'a> {
         self: &mut EdhocResponderState<'a>,
         c_r: u8,
     ) -> Result<BufferMessage2, EDHOCError> {
-        let (y, g_y) = Crypto::p256_generate_key_pair();
+        let (y, g_y) = default_crypto().p256_generate_key_pair();
 
-        match r_prepare_message_2::<Crypto>(
+        match r_prepare_message_2(
             self.state,
+            &mut default_crypto(),
             &self
                 .id_cred_r
                 .try_into()
@@ -123,8 +124,9 @@ impl<'a> EdhocResponderState<'a> {
         self: &mut EdhocResponderState<'a>,
         message_3: &BufferMessage3,
     ) -> Result<[u8; SHA256_DIGEST_LEN], EDHOCError> {
-        match r_process_message_3::<Crypto>(
+        match r_process_message_3(
             self.state,
+            &mut default_crypto(),
             message_3,
             &self
                 .id_cred_i
@@ -150,7 +152,7 @@ impl<'a> EdhocResponderState<'a> {
         let mut context_buf: BytesMaxContextBuffer = [0x00u8; MAX_KDF_CONTEXT_LEN];
         context_buf[..context.len()].copy_from_slice(context);
 
-        match edhoc_exporter::<Crypto>(self.state, label, &context_buf, context.len(), length) {
+        match edhoc_exporter(self.state, &mut default_crypto(), label, &context_buf, context.len(), length) {
             Ok((state, output)) => {
                 self.state = state;
                 Ok(output)
@@ -166,7 +168,7 @@ impl<'a> EdhocResponderState<'a> {
         let mut context_buf = [0x00u8; MAX_KDF_CONTEXT_LEN];
         context_buf[..context.len()].copy_from_slice(context);
 
-        match edhoc_key_update::<Crypto>(self.state, &context_buf, context.len()) {
+        match edhoc_key_update(self.state, &mut default_crypto(), &context_buf, context.len()) {
             Ok((state, prk_out_new)) => {
                 self.state = state;
                 Ok(prk_out_new)
@@ -224,9 +226,9 @@ impl<'a> EdhocInitiatorState<'a> {
         self: &mut EdhocInitiatorState<'a>,
         c_i: u8,
     ) -> Result<BufferMessage1, EDHOCError> {
-        let (x, g_x) = Crypto::p256_generate_key_pair();
+        let (x, g_x) = default_crypto().p256_generate_key_pair();
 
-        match i_prepare_message_1::<Crypto>(self.state, x, g_x, c_i) {
+        match i_prepare_message_1(self.state, &mut default_crypto(), x, g_x, c_i) {
             Ok((state, message_1)) => {
                 self.state = state;
                 Ok(message_1)
@@ -239,8 +241,9 @@ impl<'a> EdhocInitiatorState<'a> {
         self: &mut EdhocInitiatorState<'a>,
         message_2: &BufferMessage2,
     ) -> Result<u8, EDHOCError> {
-        match i_process_message_2::<Crypto>(
+        match i_process_message_2(
             self.state,
+            &mut default_crypto(),
             message_2,
             &self
                 .id_cred_r
@@ -263,8 +266,9 @@ impl<'a> EdhocInitiatorState<'a> {
     pub fn prepare_message_3(
         self: &mut EdhocInitiatorState<'a>,
     ) -> Result<(BufferMessage3, [u8; SHA256_DIGEST_LEN]), EDHOCError> {
-        match i_prepare_message_3::<Crypto>(
+        match i_prepare_message_3(
             self.state,
+            &mut default_crypto(),
             &self
                 .id_cred_i
                 .try_into()
@@ -288,7 +292,7 @@ impl<'a> EdhocInitiatorState<'a> {
         let mut context_buf: BytesMaxContextBuffer = [0x00u8; MAX_KDF_CONTEXT_LEN];
         context_buf[..context.len()].copy_from_slice(context);
 
-        match edhoc_exporter::<Crypto>(self.state, label, &context_buf, context.len(), length) {
+        match edhoc_exporter(self.state, &mut default_crypto(), label, &context_buf, context.len(), length) {
             Ok((state, output)) => {
                 self.state = state;
                 Ok(output)
@@ -304,7 +308,7 @@ impl<'a> EdhocInitiatorState<'a> {
         let mut context_buf = [0x00u8; MAX_KDF_CONTEXT_LEN];
         context_buf[..context.len()].copy_from_slice(context);
 
-        match edhoc_key_update::<Crypto>(self.state, &context_buf, context.len()) {
+        match edhoc_key_update(self.state, &mut default_crypto(), &context_buf, context.len()) {
             Ok((state, prk_out_new)) => {
                 self.state = state;
                 Ok(prk_out_new)
@@ -328,9 +332,9 @@ pub fn generate_connection_identifier_cbor() -> u8 {
 
 /// generates an identifier that can be serialized as a single CBOR integer, i.e. -24 <= x <= 23
 pub fn generate_connection_identifier() -> i8 {
-    let mut conn_id = Crypto::get_random_byte() as i8;
+    let mut conn_id = default_crypto().get_random_byte() as i8;
     while conn_id < -24 || conn_id > 23 {
-        conn_id = Crypto::get_random_byte() as i8;
+        conn_id = default_crypto().get_random_byte() as i8;
     }
     conn_id
 }