diff --git a/hkexnet/consts.go b/hkexnet/consts.go
index 4a732fa..25a91a6 100644
--- a/hkexnet/consts.go
+++ b/hkexnet/consts.go
@@ -61,6 +61,7 @@ const (
 	CAlgAES256     = iota
 	CAlgTwofish128 // golang.org/x/crypto/twofish
 	CAlgBlowfish64 // golang.org/x/crypto/blowfish
+	CAlgCryptMT1   //cryptmt using mtwist64
 	CAlgNoneDisallowed
 )
 
diff --git a/hkexnet/hkexchan.go b/hkexnet/hkexchan.go
index d007728..8fbf47b 100644
--- a/hkexnet/hkexchan.go
+++ b/hkexnet/hkexchan.go
@@ -22,6 +22,7 @@ import (
 
 	"golang.org/x/crypto/blowfish"
 	"golang.org/x/crypto/twofish"
+	"blitter.com/go/cryptmt"
 	// hash algos must be manually imported thusly:
 	// (Would be nice if the golang pkg docs were more clear
 	// on this...)
@@ -34,6 +35,9 @@ import (
 // This is occasionally necessary for smaller modes of KEX algorithms
 // (eg., KEX_HERRADURA256); perhaps an indication these should be
 // avoided in favour of larger modes.
+//
+// This is used for block ciphers; stream ciphers should do their
+// own key expansion.
 func expandKeyMat(keymat []byte, blocksize int) []byte {
 	if len(keymat) < 2*blocksize {
 		halg := crypto.SHA256
@@ -99,6 +103,10 @@ func (hc Conn) getStream(keymat []byte) (rc cipher.Stream, mc hash.Hash, err err
 		rc = cipher.NewOFB(block, iv)
 		log.Printf("[cipher BLOWFISH_64 (%d)]\n", copts)
 		break
+	case CAlgCryptMT1:
+		rc = cryptmt.NewCipher(keymat)
+		log.Printf("[cipher CRYPTMT1 (%d)]\n", copts)
+		break
 	default:
 		log.Printf("[invalid cipher (%d)]\n", copts)
 		fmt.Printf("DOOFUS SET A VALID CIPHER ALG (%d)\n", copts)
diff --git a/hkexnet/hkexnet.go b/hkexnet/hkexnet.go
index c6a97e6..73c814e 100644
--- a/hkexnet/hkexnet.go
+++ b/hkexnet/hkexnet.go
@@ -230,6 +230,10 @@ func (hc *Conn) applyConnExtensions(extensions ...string) {
 			log.Println("[extension arg = C_BLOWFISH_64]")
 			hc.cipheropts &= (0xFFFFFF00)
 			hc.cipheropts |= CAlgBlowfish64
+		case "C_CRYPTMT1":
+			log.Println("[extension arg = C_CRYPTMT1]")
+			hc.cipheropts &= (0xFFFFFF00)
+			hc.cipheropts |= CAlgCryptMT1
 		case "H_SHA256":
 			log.Println("[extension arg = H_SHA256]")
 			hc.cipheropts &= (0xFFFF00FF)
diff --git a/hkexsh/hkexsh.go b/hkexsh/hkexsh.go
index 9600141..daac731 100755
--- a/hkexsh/hkexsh.go
+++ b/hkexsh/hkexsh.go
@@ -372,7 +372,7 @@ func main() {
 
 	flag.BoolVar(&vopt, "v", false, "show version")
 	flag.BoolVar(&dbg, "d", false, "debug logging")
-	flag.StringVar(&cAlg, "c", "C_AES_256", "`cipher` [\"C_AES_256\" | \"C_TWOFISH_128\" | \"C_BLOWFISH_64\"]")
+	flag.StringVar(&cAlg, "c", "C_AES_256", "`cipher` [\"C_AES_256\" | \"C_TWOFISH_128\" | \"C_BLOWFISH_64\" | \"C_CRYPTMT1\"]")
 	flag.StringVar(&hAlg, "m", "H_SHA256", "`hmac` [\"H_SHA256\"]")
 	flag.StringVar(&kAlg, "k", "KEX_HERRADURA256", "`kex` [\"KEX_HERRADURA{256/512/1024/2048}\" | \"KEX_KYBER{512/768/1024}\"]")
 	flag.UintVar(&port, "p", 2000, "`port`")