diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 233bfcf95..ba1e46f2f 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -11,7 +11,8 @@ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
 crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
 crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
 crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
-crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
+crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
 credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -66,7 +67,8 @@ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
 crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
 crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
 crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
-crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/mgf1/mgf1.h \
+crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
 credentials/credential_factory.h credentials/builder.h \
 credentials/cred_encoding.h credentials/keys/private_key.h \
 credentials/keys/public_key.h credentials/keys/shared_key.h \
diff --git a/src/libstrongswan/crypto/mgf1/mgf1.h b/src/libstrongswan/crypto/mgf1/mgf1.h
index 5b43d72af..9ebf60ae4 100644
--- a/src/libstrongswan/crypto/mgf1/mgf1.h
+++ b/src/libstrongswan/crypto/mgf1/mgf1.h
@@ -68,7 +68,7 @@ struct mgf1_t {
 *
 * @param alg hash algorithm to be used by MGF1
 * @param seed seed used by MGF1 to generate mask from
- * @param hash_seed hash seed before using it as a seed from MGF1
+ * @param hash_seed hash seed before using it as a seed for MGF1
 */
 mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed, bool hash_seed);
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
new file mode 100644
index 000000000..1b3533f13
--- /dev/null
+++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mgf1_bitspender.h"
+
+#include
+
+typedef struct private_mgf1_bitspender_t private_mgf1_bitspender_t;
+
+/**
+ * Private data structure for mgf1_bitspender_t object
+ */
+struct private_mgf1_bitspender_t {
+ /**
+ * Public interface.
+ */
+ mgf1_bitspender_t public;
+
+ /**
+ * MGF1 bit mask generator
+ */
+ mgf1_t *mgf1;
+
+ /**
+ * Octet storage (accommodates up to 64 octets)
+ */
+ uint8_t octets[HASH_SIZE_SHA512];
+
+ /**
+ * Length of the returned hash value in octets
+ */
+ int hash_len;
+
+ /**
+ * Number of generated octets
+ */
+ int octets_count;
+
+ /**
+ * Number of available octets
+ */
+ int octets_left;
+
+ /**
+ * Bit storage (accomodates up to 32 bits)
+ */
+ uint32_t bits;
+
+ /**
+ * Number of available bits
+ */
+ int bits_left;
+};
+
+METHOD(mgf1_bitspender_t, get_bits, uint32_t,
+ private_mgf1_bitspender_t *this, int bits_needed)
+{
+ uint32_t bits = 0x00000000;
+ int bits_now;
+
+ if (bits_needed > 31)
+ {
+ /* too many bits requested */
+ return MGF1_BITSPENDER_ERROR;
+ }
+
+ while (bits_needed)
+ {
+ if (this->bits_left == 0)
+ {
+ if (this->octets_left == 0)
+ {
+ /* get another block from MGF1 */
+ if (!this->mgf1->get_mask(this->mgf1, this->hash_len,
+ this->octets))
+ {
+ /* no block available */
+ return MGF1_BITSPENDER_ERROR;
+ }
+ this->octets_left = this->hash_len;
+ this->octets_count += this->hash_len;
+ }
+ this->bits = untoh32(this->octets + this->hash_len -
+ this->octets_left);
+ this->bits_left = 32;
+ this->octets_left -= 4;
+ }
+ if (bits_needed > this->bits_left)
+ {
+ bits_now = this->bits_left;
+ this->bits_left = 0;
+ bits_needed -= bits_now;
+ bits <<= bits_now;
+ bits |= this->bits;
+ }
+ else
+ {
+ bits_now = bits_needed;
+ this->bits_left -= bits_needed;
+ bits_needed = 0;
+ bits <<= bits_now;
+ bits |= this->bits >> this->bits_left;
+ this->bits &= 0xffffffff >> (32 - this->bits_left);
+ }
+ }
+ return bits;
+}
+
+
+METHOD(mgf1_bitspender_t, destroy, void,
+ private_mgf1_bitspender_t *this)
+{
+ DBG2(DBG_LIB, "mgf1 generated %u octets", this->octets_count);
+ memwipe(this->octets, sizeof(this->octets));
+ this->mgf1->destroy(this->mgf1);
+ free(this);
+}
+
+/**
+ * See header.
+ */
+mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
+ bool hash_seed)
+{
+ private_mgf1_bitspender_t *this;
+ mgf1_t *mgf1;
+
+ mgf1 = mgf1_create(alg, seed, hash_seed);
+ if (!mgf1)
+ {
+ return NULL;
+ }
+ DBG2(DBG_LIB, "mgf1 based on %N is seeded with %u octets",
+ hash_algorithm_short_names, alg, seed.len);
+
+ INIT(this,
+ .public = {
+ .get_bits = _get_bits,
+ .destroy = _destroy,
+ },
+ .mgf1 = mgf1,
+ .hash_len = mgf1->get_hash_size(mgf1),
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
new file mode 100644
index 000000000..a748695e5
--- /dev/null
+++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
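Review bot: In the else branch of get_bits, `this->bits &= 0xffffffff >> (32 - this->bits_left);` shifts a 32-bit value by 32 whenever the request consumes exactly the remaining bits (bits_left becomes 0), which is undefined behaviour in C even though the next call reloads `this->bits` before reading it; `this->bits &= (1u << this->bits_left) - 1;` is well defined for the whole 0..31 range that can occur there. The entry guard rejects only `bits_needed > 31`, so a negative count passes into the loop and reaches `bits <<= bits_now` with a negative shift; `if (bits_needed < 0 || bits_needed > 31)` matches the 1..31 contract the header states while keeping the current result for 0. In destroy, `memwipe` clears `octets` but `bits` still holds up to 32 bits of the generated mask stream when the object is freed, so wiping the whole private struct before `free(this)` would be the safer choice for seed-derived material. The reload `untoh32(this->octets + this->hash_len - this->octets_left)` followed by `this->octets_left -= 4` presumably relies on every supported hash size being a multiple of four and not exceeding HASH_SIZE_SHA512; a comment stating that assumption next to the `octets` field would help the next reader.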
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1_bitspender mgf1_bitspender
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef MGF1_BITSPENDER_H_
+#define MGF1_BITSPENDER_H_
+
+#include
+#include
+
+typedef struct mgf1_bitspender_t mgf1_bitspender_t;
+
+#define MGF1_BITSPENDER_ERROR 0xffffffff
+
+/**
+ * Generates a given number of pseudo-random bits at a time using MFG1
+ */
+struct mgf1_bitspender_t {
+
+ /**
+ * Get pseudo-random bits
+ *
+ * @param bits_needed Number of needed bits (1..31)
+ * @result Return between 1 and 31 pseudo-random bits
+ */
+ uint32_t (*get_bits)(mgf1_bitspender_t *this, int bits_needed);
+
+ /**
+ * Destroy mgf1_bitspender_t object
+ */
+ void (*destroy)(mgf1_bitspender_t *this);
+};
+
+/**
+ * Create a mgf1_bitspender_t object
+ *
+ * @param alg Hash algorithm to be used with MGF1
+ * @param seed Seed used to initialize MGF1
+ * @param hash_seed Hash seed before using it as a seed for MFG1
+ */
+mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
+ bool hash_seed);
+
+#endif /** MGF1_BITSPENDER_H_ @}*/
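Review bot: The get_bits documentation never mentions the error return: the implementation hands back MGF1_BITSPENDER_ERROR both when more than 31 bits are requested and when MGF1 cannot deliver another block, and a caller that does not compare against the sentinel will feed 32 set bits into whatever it is sampling. `@result Between 1 and 31 pseudo-random bits, MGF1_BITSPENDER_ERROR on failure` states the contract, and a sentence noting that the 31-bit cap is what keeps the 0xffffffff sentinel distinguishable from a valid result would explain the limit. `@{ @ingroup bliss_p` files this header under the bliss plugin's group although the Makefile.am hunk adds it to libstrongswan, which looks like a leftover from where the code was developed; and "MFG1" in the struct comment and the hash_seed parameter is a typo for MGF1.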