diff --git a/rsa-decrypt.c b/rsa-decrypt.c
index a4cef7ad8f4ac455633ebe09e2f61829dc59f8d8..dfdf089f8f91d292c502914efff8e29f9b1489de 100644
--- a/rsa-decrypt.c
+++ b/rsa-decrypt.c
@@ -32,7 +32,7 @@
 #include <string.h>
 
 int
-rsa_decrypt(struct rsa_private_key *key,
+rsa_decrypt(const struct rsa_private_key *key,
 	    unsigned *length, uint8_t *message,
 	    const mpz_t gibberish)
 {
diff --git a/rsa-encrypt.c b/rsa-encrypt.c
index 162bcd9b54fac5ef02d1e8842514c7ed0fe04d9e..285f974d9eb80daaa3587236aa84f1c7ee36b237 100644
--- a/rsa-encrypt.c
+++ b/rsa-encrypt.c
@@ -32,7 +32,7 @@
 #include <string.h>
 
 int
-rsa_encrypt(struct rsa_public_key *key,
+rsa_encrypt(const struct rsa_public_key *key,
 	    /* For padding */
 	    void *random_ctx, nettle_random_func random,
 	    unsigned length, const uint8_t *message,
diff --git a/rsa.c b/rsa.c
index ab4650561a67150963ce34f45b5abbbc1f84f792..16a94bd71d154366173be87e7d326fd0a30e0314 100644
--- a/rsa.c
+++ b/rsa.c
@@ -134,7 +134,8 @@ rsa_prepare_private_key(struct rsa_private_key *key)
 
 /* Computing an rsa root. */
 void
-rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m)
+rsa_compute_root(const struct rsa_private_key *key,
+		 mpz_t x, const mpz_t m)
 {
   mpz_t xp; /* modulo p */
   mpz_t xq; /* modulo q */
diff --git a/rsa.h b/rsa.h
index 9f98db1adc80523005b42a8943161a96276d6bfa..7ba9a4a04cb4f5dc864bd5bb6e4e6ef53b11ed13 100644
--- a/rsa.h
+++ b/rsa.h
@@ -133,23 +133,23 @@ rsa_prepare_private_key(struct rsa_private_key *key);
 
 /* PKCS#1 style signatures */
 void
-rsa_md5_sign(struct rsa_private_key *key,
+rsa_md5_sign(const struct rsa_private_key *key,
              struct md5_ctx *hash,
              mpz_t signature);
 
 
 int
-rsa_md5_verify(struct rsa_public_key *key,
+rsa_md5_verify(const struct rsa_public_key *key,
                struct md5_ctx *hash,
 	       const mpz_t signature);
 
 void
-rsa_sha1_sign(struct rsa_private_key *key,
+rsa_sha1_sign(const struct rsa_private_key *key,
               struct sha1_ctx *hash,
               mpz_t signature);
 
 int
-rsa_sha1_verify(struct rsa_public_key *key,
+rsa_sha1_verify(const struct rsa_public_key *key,
                 struct sha1_ctx *hash,
 		const mpz_t signature);
 
@@ -161,7 +161,7 @@ rsa_sha1_verify(struct rsa_public_key *key,
 /* Returns 1 on success, 0 on failure, which happens if the
  * message is too long for the key. */
 int
-rsa_encrypt(struct rsa_public_key *key,
+rsa_encrypt(const struct rsa_public_key *key,
 	    /* For padding */
 	    void *random_ctx, nettle_random_func random,
 	    unsigned length, const uint8_t *cleartext,
@@ -173,14 +173,15 @@ rsa_encrypt(struct rsa_public_key *key,
  * failure, which happens if decryption failed or if the message
  * didn't fit. */
 int
-rsa_decrypt(struct rsa_private_key *key,
+rsa_decrypt(const struct rsa_private_key *key,
 	    unsigned *length, uint8_t *cleartext,
 	    const mpz_t ciphertext);
 
 
 /* Compute x, the e:th root of m. Calling it with x == m is allowed. */
 void
-rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m);
+rsa_compute_root(const struct rsa_private_key *key,
+		 mpz_t x, const mpz_t m);
 
 
 /* Key generation */
diff --git a/rsa_md5.c b/rsa_md5.c
index 05487ef62add1b6fcb78f86c28f716472246b55f..32276172b3c01e198f145e5ad94671d7b61b5da1 100644
--- a/rsa_md5.c
+++ b/rsa_md5.c
@@ -42,7 +42,7 @@ static void
 pkcs1_encode_md5(mpz_t m, unsigned length, struct md5_ctx *hash);
 
 void
-rsa_md5_sign(struct rsa_private_key *key,
+rsa_md5_sign(const struct rsa_private_key *key,
              struct md5_ctx *hash,
              mpz_t s)
 {
@@ -54,7 +54,7 @@ rsa_md5_sign(struct rsa_private_key *key,
 }
 
 int
-rsa_md5_verify(struct rsa_public_key *key,
+rsa_md5_verify(const struct rsa_public_key *key,
                struct md5_ctx *hash,
                const mpz_t s)
 {
diff --git a/rsa_sha1.c b/rsa_sha1.c
index ecc697c4e28650f779a98226413069b6772d8064..52624d5eaf9b1b943d72090765a8dc8e7015ec9a 100644
--- a/rsa_sha1.c
+++ b/rsa_sha1.c
@@ -42,7 +42,7 @@ static void
 pkcs1_encode_sha1(mpz_t m, unsigned length, struct sha1_ctx *hash);
 
 void
-rsa_sha1_sign(struct rsa_private_key *key,
+rsa_sha1_sign(const struct rsa_private_key *key,
               struct sha1_ctx *hash,
               mpz_t s)
 {
@@ -54,7 +54,7 @@ rsa_sha1_sign(struct rsa_private_key *key,
 }
 
 int
-rsa_sha1_verify(struct rsa_public_key *key,
+rsa_sha1_verify(const struct rsa_public_key *key,
                 struct sha1_ctx *hash,
                 const mpz_t s)
 {