Merge commits '9a8d65f0 75d7b7f5 665ba77e 3f57b9f7 eacad90f 01b819a8 31ed5386 2a39ac16 0eb30004 cbe41ac1 cc3b8a4f ' into temp-merge-1187

2023-07-19 19:58:09 +00:00 · 2023-07-19 19:58:09 +00:00 · 304fc88557
commit 304fc88557
parent 6c54db1987 cc3b8a4f40
41 changed files with 1933 additions and 1897 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -1,6 +1,7 @@
 env:
  ### compiler options
  HOST:
  WRAPPER_CMD:
  # Specific warnings can be disabled with -Wno-error=foo.
  # -pedantic-errors is not equivalent to -Werror=pedantic and thus not implied by -Werror according to the GCC manual.
  WERROR_CFLAGS: -Werror -pedantic-errors
@ -41,6 +42,8 @@ cat_logs_snippet: &CAT_LOGS
  always:
    cat_tests_log_script:
      - cat tests.log || true
    cat_noverify_tests_log_script:
      - cat noverify_tests.log || true
    cat_exhaustive_tests_log_script:
      - cat exhaustive_tests.log || true
    cat_valgrind_ctime_test_log_script:
--- a/.gitignore
+++ b/.gitignore
@ -47,8 +47,6 @@ coverage.*.html
 *.gcno
 *.gcov
 src/libsecp256k1-config.h
 src/libsecp256k1-config.h.in
 build-aux/ar-lib
 build-aux/config.guess
 build-aux/config.sub
@ -63,7 +61,6 @@ build-aux/m4/ltversion.m4
 build-aux/missing
 build-aux/compile
 build-aux/test-driver
 src/stamp-h1
 libsecp256k1.pc
 contrib/gh-pr-create.sh
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,29 +3,40 @@ Instead, it is the changelog of the upstream library [libsecp256k1](https://gith
 # Changelog
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 ## [0.2.0] - 2022-12-12
-### Added
+#### Added
 - Added usage examples for common use cases in a new `examples/` directory.
 - Added `secp256k1_selftest`, to be used in conjunction with `secp256k1_context_static`.
 - Added support for 128-bit wide multiplication on MSVC for x86_64 and arm64, giving roughly a 20% speedup on those platforms.
-### Changed
+#### Changed
- - Enabled modules schnorrsig, extrakeys and ECDH by default in `./configure`.
+ - Enabled modules `schnorrsig`, `extrakeys` and `ecdh` by default in `./configure`.
 - The `secp256k1_nonce_function_rfc6979` nonce function, used by default by `secp256k1_ecdsa_sign`, now reduces the message hash modulo the group order to match the specification. This only affects improper use of ECDSA signing API.
-### Deprecated
+#### Deprecated
 - Deprecated context flags `SECP256K1_CONTEXT_VERIFY` and `SECP256K1_CONTEXT_SIGN`. Use `SECP256K1_CONTEXT_NONE` instead.
 - Renamed `secp256k1_context_no_precomp` to `secp256k1_context_static`.
 - Module `schnorrsig`: renamed `secp256k1_schnorrsig_sign` to `secp256k1_schnorrsig_sign32`.
-### ABI Compatibility
+#### ABI Compatibility
 Since this is the first release, we do not compare application binary interfaces.
-However, there are unreleased versions of libsecp256k1 that are *not* ABI compatible with this version.
+However, there are earlier unreleased versions of libsecp256k1 that are *not* ABI compatible with this version.
 ## [0.1.0] - 2013-03-05 to 2021-12-25
 This version was in fact never released.
 The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
 Therefore, this version number does not uniquely identify a set of source files.
 [unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...HEAD
 [0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0
 [0.1.0]: https://github.com/bitcoin-core/secp256k1/commit/423b6d19d373f1224fd671a982584d7e7900bc93
--- a/Makefile.am
+++ b/Makefile.am
@ -75,7 +75,7 @@ noinst_HEADERS += examples/random.h
 PRECOMPUTED_LIB = libsecp256k1_precomputed.la
 noinst_LTLIBRARIES = $(PRECOMPUTED_LIB)
 libsecp256k1_precomputed_la_SOURCES =  src/precomputed_ecmult.c src/precomputed_ecmult_gen.c
-libsecp256k1_precomputed_la_CPPFLAGS = $(SECP_INCLUDES)
+libsecp256k1_precomputed_la_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 if USE_EXTERNAL_ASM
 COMMON_LIB = libsecp256k1_common.la
@ -94,7 +94,7 @@ endif
 endif
 libsecp256k1_la_SOURCES = src/secp256k1.c
-libsecp256k1_la_CPPFLAGS = $(SECP_INCLUDES)
+libsecp256k1_la_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 libsecp256k1_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB)
 libsecp256k1_la_LDFLAGS = -no-undefined -version-info $(LIB_VERSION_CURRENT):$(LIB_VERSION_REVISION):$(LIB_VERSION_AGE)
@ -107,37 +107,43 @@ if USE_BENCHMARK
 noinst_PROGRAMS += bench bench_internal bench_ecmult
 bench_SOURCES = src/bench.c
 bench_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
 bench_CPPFLAGS = $(SECP_CONFIG_DEFINES)
 bench_internal_SOURCES = src/bench_internal.c
 bench_internal_LDADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB)
-bench_internal_CPPFLAGS = $(SECP_INCLUDES)
+bench_internal_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 bench_ecmult_SOURCES = src/bench_ecmult.c
 bench_ecmult_LDADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB)
-bench_ecmult_CPPFLAGS = $(SECP_INCLUDES)
+bench_ecmult_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 endif
 TESTS =
 if USE_TESTS
-noinst_PROGRAMS += tests
+TESTS += noverify_tests
-tests_SOURCES = src/tests.c
+noinst_PROGRAMS += noverify_tests
-tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_TEST_INCLUDES)
+noverify_tests_SOURCES = src/tests.c
 noverify_tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_TEST_INCLUDES) $(SECP_CONFIG_DEFINES)
 noverify_tests_LDADD = $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB)
 noverify_tests_LDFLAGS = -static
 if VALGRIND_ENABLED
-tests_CPPFLAGS += -DVALGRIND
+noverify_tests_CPPFLAGS += -DVALGRIND
 noinst_PROGRAMS += valgrind_ctime_test
 valgrind_ctime_test_SOURCES = src/valgrind_ctime_test.c
 valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(COMMON_LIB)
 endif
 if !ENABLE_COVERAGE
 tests_CPPFLAGS += -DVERIFY
 endif
 tests_LDADD = $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB)
 tests_LDFLAGS = -static
 TESTS += tests
 noinst_PROGRAMS += tests
 tests_SOURCES  = $(noverify_tests_SOURCES)
 tests_CPPFLAGS = $(noverify_tests_CPPFLAGS) -DVERIFY
 tests_LDADD    = $(noverify_tests_LDADD)
 tests_LDFLAGS  = $(noverify_tests_LDFLAGS)
 endif
 endif
 if USE_EXHAUSTIVE_TESTS
 noinst_PROGRAMS += exhaustive_tests
 exhaustive_tests_SOURCES = src/tests_exhaustive.c
-exhaustive_tests_CPPFLAGS = $(SECP_INCLUDES)
+exhaustive_tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 if !ENABLE_COVERAGE
 exhaustive_tests_CPPFLAGS += -DVERIFY
 endif
@ -197,11 +203,11 @@ EXTRA_PROGRAMS = precompute_ecmult precompute_ecmult_gen
 CLEANFILES = $(EXTRA_PROGRAMS)
 precompute_ecmult_SOURCES = src/precompute_ecmult.c
-precompute_ecmult_CPPFLAGS = $(SECP_INCLUDES)
+precompute_ecmult_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 precompute_ecmult_LDADD = $(SECP_LIBS) $(COMMON_LIB)
 precompute_ecmult_gen_SOURCES = src/precompute_ecmult_gen.c
-precompute_ecmult_gen_CPPFLAGS = $(SECP_INCLUDES)
+precompute_ecmult_gen_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES)
 precompute_ecmult_gen_LDADD = $(SECP_LIBS) $(COMMON_LIB)
 # See Automake manual, Section "Errors with distclean".
--- a/build-aux/m4/bitcoin_secp.m4
+++ b/build-aux/m4/bitcoin_secp.m4
@ -20,7 +20,7 @@ if test x"$has_valgrind" != x"yes"; then
    #if defined(NVALGRIND)
    #  error "Valgrind does not support this platform."
    #endif
-  ]])], [has_valgrind=yes; AC_DEFINE(HAVE_VALGRIND,1,[Define this symbol if valgrind is installed, and it supports the host platform])])
+  ]])], [has_valgrind=yes])
 fi
 AC_MSG_RESULT($has_valgrind)
 ])
--- a/ci/cirrus.sh
+++ b/ci/cirrus.sh
@ -1,7 +1,6 @@
 #!/bin/sh
-set -e
+set -eux
 set -x
 export LC_ALL=C
@ -11,15 +10,21 @@ print_environment() {
    set +x
    # There are many ways to print variable names and their content. This one
    # does not rely on bash.
-    for i in WERROR_CFLAGS MAKEFLAGS BUILD \
+    for var in WERROR_CFLAGS MAKEFLAGS BUILD \
            ECMULTWINDOW ECMULTGENPRECISION ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \
            EXPERIMENTAL ECDH RECOVERY SCHNORRSIG \
            ECDSA_S2C GENERATOR RANGEPROOF WHITELIST MUSIG ECDSAADAPTOR BPPP \
            SECP256K1_TEST_ITERS BENCH SECP256K1_BENCH_ITERS CTIMETEST\
            EXAMPLES \
-            WRAPPER_CMD CC AR NM HOST
+            HOST WRAPPER_CMD \
            CC CFLAGS CPPFLAGS AR NM
    do
-        eval 'printf "%s %s " "$i=\"${'"$i"'}\""'
+        eval "isset=\${$var+x}"
        if [ -n "$isset" ]; then
            eval "val=\${$var}"
            # shellcheck disable=SC2154
            printf '%s="%s" ' "$var" "$val"
        fi
    done
    echo "$0"
    set -x
@ -37,7 +42,7 @@ esac
 env >> test_env.log
-if [ -n "$CC" ]; then
+if [ -n "${CC+x}" ]; then
    # The MSVC compiler "cl" doesn't understand "-v"
    $CC -v || true
 fi
--- a/configure.ac
+++ b/configure.ac
@ -273,7 +273,7 @@ fi
 AM_CONDITIONAL([VALGRIND_ENABLED],[test "$enable_valgrind" = "yes"])
 if test x"$enable_coverage" = x"yes"; then
-    AC_DEFINE(COVERAGE, 1, [Define this symbol to compile out all VERIFY code])
+    SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOVERAGE=1"
    SECP_CFLAGS="-O0 --coverage $SECP_CFLAGS"
    LDFLAGS="--coverage $LDFLAGS"
 else
@ -285,13 +285,13 @@ fi
 AC_MSG_CHECKING([for __builtin_popcount])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_popcount(0);}]])],
-    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_POPCOUNT,1,[Define this symbol if __builtin_popcount is available]) ],
+    [ AC_MSG_RESULT([yes]); SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DHAVE_BUILTIN_POPCOUNT=1"],
    [ AC_MSG_RESULT([no])
    ])
 AC_MSG_CHECKING([for  __builtin_clzll])
 AC_LINK_IFELSE([AC_LANG_SOURCE([[void myfunc() { __builtin_clzll(1);}]])],
-    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_CLZLL,1,[Define this symbol if  __builtin_clzll is available]) ],
+    [ AC_MSG_RESULT([yes]); SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DHAVE_BUILTIN_CLZLL=1"],
    [ AC_MSG_RESULT([no])
    ])
@ -327,7 +327,7 @@ enable_external_asm=no
 case $set_asm in
 x86_64)
-  AC_DEFINE(USE_ASM_X86_64, 1, [Define this symbol to enable x86_64 assembly optimizations])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_ASM_X86_64=1"
  ;;
 arm)
  enable_external_asm=yes
@ -340,20 +340,20 @@ no)
 esac
 if test x"$enable_external_asm" = x"yes"; then
-  AC_DEFINE(USE_EXTERNAL_ASM, 1, [Define this symbol if an external (non-inline) assembly implementation is used])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_ASM=1"
 fi
 # Select wide multiplication implementation
 case $set_widemul in
 int128_struct)
-  AC_DEFINE(USE_FORCE_WIDEMUL_INT128_STRUCT, 1, [Define this symbol to force the use of the structure for simulating (unsigned) int128 based wide multiplication])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_FORCE_WIDEMUL_INT128_STRUCT=1"
  ;;
 int128)
-  AC_DEFINE(USE_FORCE_WIDEMUL_INT128, 1, [Define this symbol to force the use of the (unsigned) __int128 based wide multiplication implementation])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_FORCE_WIDEMUL_INT128=1"
  ;;
 int64)
-  AC_DEFINE(USE_FORCE_WIDEMUL_INT64, 1, [Define this symbol to force the use of the (u)int64_t based wide multiplication implementation])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_FORCE_WIDEMUL_INT64=1"
  ;;
 auto)
  ;;
@ -380,7 +380,7 @@ case $set_ecmult_window in
    # not in range
    AC_MSG_ERROR($error_window_size)
  fi
-  AC_DEFINE_UNQUOTED(ECMULT_WINDOW_SIZE, $set_ecmult_window, [Set window size for ecmult precomputation])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DECMULT_WINDOW_SIZE=$set_ecmult_window"
  ;;
 esac
@ -393,7 +393,7 @@ fi
 case $set_ecmult_gen_precision in
 2|4|8)
-  AC_DEFINE_UNQUOTED(ECMULT_GEN_PREC_BITS, $set_ecmult_gen_precision, [Set ecmult gen precision bits])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DECMULT_GEN_PREC_BITS=$set_ecmult_gen_precision"
  ;;
 *)
  AC_MSG_ERROR(['ecmult gen precision not 2, 4, 8 or "auto"'])
@ -418,65 +418,65 @@ SECP_CFLAGS="$SECP_CFLAGS $WERROR_CFLAGS"
 # tested first.
 if test x"$enable_module_ecdh" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDH=1"
 fi
 if test x"$enable_module_musig" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_MUSIG, 1, [Define this symbol to enable the MuSig module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_MUSIG=1"
  enable_module_schnorrsig=yes
 fi
 if test x"$enable_module_recovery" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_RECOVERY=1"
 fi
 if test x"$enable_module_whitelist" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_WHITELIST=1"
  enable_module_rangeproof=yes
  AC_DEFINE(ENABLE_MODULE_WHITELIST, 1, [Define this symbol to enable the key whitelisting module])
 fi
 if test x"$enable_module_surjectionproof" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SURJECTIONPROOF=1"
  enable_module_rangeproof=yes
  AC_DEFINE(ENABLE_MODULE_SURJECTIONPROOF, 1, [Define this symbol to enable the surjection proof module])
 fi
 if test x"$enable_module_rangeproof" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_RANGEPROOF=1"
  enable_module_generator=yes
  AC_DEFINE(ENABLE_MODULE_RANGEPROOF, 1, [Define this symbol to enable the Pedersen / zero knowledge range proof module])
 fi
 if test x"$enable_module_bppp" = x"yes"; then
  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_BPPP=1"
  enable_module_generator=yes
  AC_DEFINE(ENABLE_MODULE_BPPP, 1, [Define this symbol to enable the Bulletproofs++ module])
 fi
 if test x"$enable_module_generator" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_GENERATOR, 1, [Define this symbol to enable the NUMS generator module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_GENERATOR=1"
 fi
 if test x"$enable_module_schnorrsig" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SCHNORRSIG=1"
  enable_module_extrakeys=yes
 fi
 if test x"$enable_module_extrakeys" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_EXTRAKEYS, 1, [Define this symbol to enable the extrakeys module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_EXTRAKEYS=1"
 fi
 if test x"$enable_module_ecdsa_s2c" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_ECDSA_S2C, 1, [Define this symbol to enable the ECDSA sign-to-contract module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDSA_S2C=1"
 fi
 if test x"$enable_external_default_callbacks" = x"yes"; then
-  AC_DEFINE(USE_EXTERNAL_DEFAULT_CALLBACKS, 1, [Define this symbol if an external implementation of the default callbacks is used])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_DEFAULT_CALLBACKS=1"
 fi
 if test x"$use_reduced_surjection_proof_size" = x"yes"; then
-  AC_DEFINE(USE_REDUCED_SURJECTION_PROOF_SIZE, 1, [Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16, disabling parsing and verification])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_REDUCED_SURJECTION_PROOF_SIZE=1"
 fi
 if test x"$enable_module_ecdsa_adaptor" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_ECDSA_ADAPTOR, 1, [Define this symbol to enable the ECDSA adaptor module])
+  SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDSA_ADAPTOR=1"
 fi
 ###
@ -526,13 +526,13 @@ fi
 ### Generate output
 ###
 AC_CONFIG_HEADERS([src/libsecp256k1-config.h])
 AC_CONFIG_FILES([Makefile libsecp256k1.pc])
 AC_SUBST(SECP_INCLUDES)
 AC_SUBST(SECP_LIBS)
 AC_SUBST(SECP_TEST_LIBS)
 AC_SUBST(SECP_TEST_INCLUDES)
 AC_SUBST(SECP_CFLAGS)
 AC_SUBST(SECP_CONFIG_DEFINES)
 AM_CONDITIONAL([ENABLE_COVERAGE], [test x"$enable_coverage" = x"yes"])
 AM_CONDITIONAL([USE_TESTS], [test x"$enable_tests" != x"no"])
 AM_CONDITIONAL([USE_EXHAUSTIVE_TESTS], [test x"$enable_exhaustive_tests" != x"no"])
--- a/doc/release-process.md
+++ b/doc/release-process.md
@ -23,7 +23,7 @@ This process also assumes that there will be no minor releases for old major rel
   git tag -s v$MAJOR.$MINOR.$PATCH -m "libsecp256k1 $MAJOR.$MINOR.$PATCH" $RELEASE_COMMIT
   git push git@github.com:bitcoin-core/secp256k1.git v$MAJOR.$MINOR.$PATCH
   ```
-3. Open a PR to the master branch with a commit (using message `"release: bump version after $MAJOR.$MINOR.$PATCH"`, for example) that sets `_PKG_VERSION_IS_RELEASE` to `false` and `_PKG_VERSION_PATCH` to `$PATCH + 1` and increases `_LIB_VERSION_REVISION`. If other maintainers are not present to approve the PR, it can be merged without ACKs.
+3. Open a PR to the master branch with a commit (using message `"release cleanup: bump version after $MAJOR.$MINOR.$PATCH"`, for example) that sets `_PKG_VERSION_IS_RELEASE` to `false` and `_PKG_VERSION_PATCH` to `$PATCH + 1` and increases `_LIB_VERSION_REVISION`. If other maintainers are not present to approve the PR, it can be merged without ACKs.
 4. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md).
 ## Maintenance release
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@ -849,7 +849,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
 * kind of elliptic curve point multiplication and thus does not benefit from
 * enhanced protection against side-channel leakage currently.
 *
- * It is safe call this function on a copy of secp256k1_context_static in writable
+ * It is safe to call this function on a copy of secp256k1_context_static in writable
 * memory (e.g., obtained via secp256k1_context_clone). In that case, this
 * function is guaranteed to return 1, but the call will have no effect because
 * the static context (or a copy thereof) is not meant to be randomized.
--- a/src/field.h
+++ b/src/field.h
@ -18,10 +18,6 @@
 *    imply normality.
 */
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include "util.h"
 #if defined(SECP256K1_WIDEMUL_INT128)
--- a/src/field_5x52_impl.h
+++ b/src/field_5x52_impl.h
@ -7,10 +7,6 @@
 #ifndef SECP256K1_FIELD_REPR_IMPL_H
 #define SECP256K1_FIELD_REPR_IMPL_H
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include "util.h"
 #include "field.h"
 #include "modinv64_impl.h"
--- a/src/field_impl.h
+++ b/src/field_impl.h
@ -7,10 +7,6 @@
 #ifndef SECP256K1_FIELD_IMPL_H
 #define SECP256K1_FIELD_IMPL_H
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include "util.h"
 #if defined(SECP256K1_WIDEMUL_INT128)
--- a/src/int128.h
+++ b/src/int128.h
@ -66,7 +66,12 @@ static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a,
 */
 static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int b);
-/* Return the low 64-bits of a 128-bit value interpreted as an signed 64-bit value. */
+/* Return the input value modulo 2^64. */
 static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a);
 /* Return the value as a signed 64-bit value.
 * Requires the input to be between INT64_MIN and INT64_MAX.
 */
 static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a);
 /* Write a signed 64-bit value to r. */
--- a/src/int128_native_impl.h
+++ b/src/int128_native_impl.h
@ -67,7 +67,12 @@ static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned
   *r >>= n;
 }
 static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a) {
   return (uint64_t)*a;
 }
 static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a) {
   VERIFY_CHECK(INT64_MIN <= *a && *a <= INT64_MAX);
   return *a;
 }
--- a/src/int128_struct_impl.h
+++ b/src/int128_struct_impl.h
@ -170,8 +170,14 @@ static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned
   }
 }
 static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a) {
   return a->lo;
 }
 static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a) {
-   return (int64_t)a->lo;
+   /* Verify that a represents a 64 bit signed value by checking that the high bits are a sign extension of the low bits. */
   VERIFY_CHECK(a->hi == -(a->lo >> 63));
   return (int64_t)secp256k1_i128_to_u64(a);
 }
 static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a) {
--- a/src/modinv32.h
+++ b/src/modinv32.h
@ -7,10 +7,6 @@
 #ifndef SECP256K1_MODINV32_H
 #define SECP256K1_MODINV32_H
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include "util.h"
 /* A signed 30-bit limb representation of integers.
--- a/src/modinv64.h
+++ b/src/modinv64.h
@ -7,10 +7,6 @@
 #ifndef SECP256K1_MODINV64_H
 #define SECP256K1_MODINV64_H
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include "util.h"
 #ifndef SECP256K1_WIDEMUL_INT128
--- a/src/modinv64_impl.h
+++ b/src/modinv64_impl.h
@ -39,13 +39,13 @@ static const secp256k1_modinv64_signed62 SECP256K1_SIGNED62_ONE = {{1}};
 /* Compute a*factor and put it in r. All but the top limb in r will be in range [0,2^62). */
 static void secp256k1_modinv64_mul_62(secp256k1_modinv64_signed62 *r, const secp256k1_modinv64_signed62 *a, int alen, int64_t factor) {
-    const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
+    const uint64_t M62 = UINT64_MAX >> 2;
    secp256k1_int128 c, d;
    int i;
    secp256k1_i128_from_i64(&c, 0);
    for (i = 0; i < 4; ++i) {
        if (i < alen) secp256k1_i128_accum_mul(&c, a->v[i], factor);
-        r->v[i] = secp256k1_i128_to_i64(&c) & M62; secp256k1_i128_rshift(&c, 62);
+        r->v[i] = secp256k1_i128_to_u64(&c) & M62; secp256k1_i128_rshift(&c, 62);
    }
    if (4 < alen) secp256k1_i128_accum_mul(&c, a->v[4], factor);
    secp256k1_i128_from_i64(&d, secp256k1_i128_to_i64(&c));
@ -317,7 +317,7 @@ static int64_t secp256k1_modinv64_divsteps_62_var(int64_t eta, uint64_t f0, uint
 * This implements the update_de function from the explanation.
 */
 static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo* modinfo) {
-    const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
+    const uint64_t M62 = UINT64_MAX >> 2;
    const int64_t d0 = d->v[0], d1 = d->v[1], d2 = d->v[2], d3 = d->v[3], d4 = d->v[4];
    const int64_t e0 = e->v[0], e1 = e->v[1], e2 = e->v[2], e3 = e->v[3], e4 = e->v[4];
    const int64_t u = t->u, v = t->v, q = t->q, r = t->r;
@ -330,8 +330,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
    VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0);  /* e <    modulus */
    VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) >= 0); /* |u|+|v| doesn't overflow */
    VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) >= 0); /* |q|+|r| doesn't overflow */
-    VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) <= M62 + 1); /* |u|+|v| <= 2^62 */
+    VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) <= (int64_t)1 << 62); /* |u|+|v| <= 2^62 */
-    VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) <= M62 + 1); /* |q|+|r| <= 2^62 */
+    VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) <= (int64_t)1 << 62); /* |q|+|r| <= 2^62 */
 #endif
    /* [md,me] start as zero; plus [u,q] if d is negative; plus [v,r] if e is negative. */
    sd = d4 >> 63;
@ -344,14 +344,14 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
    secp256k1_i128_mul(&ce, q, d0);
    secp256k1_i128_accum_mul(&ce, r, e0);
    /* Correct md,me so that t*[d,e]+modulus*[md,me] has 62 zero bottom bits. */
-    md -= (modinfo->modulus_inv62 * (uint64_t)secp256k1_i128_to_i64(&cd) + md) & M62;
+    md -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&cd) + md) & M62;
-    me -= (modinfo->modulus_inv62 * (uint64_t)secp256k1_i128_to_i64(&ce) + me) & M62;
+    me -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&ce) + me) & M62;
    /* Update the beginning of computation for t*[d,e]+modulus*[md,me] now md,me are known. */
    secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[0], md);
    secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[0], me);
    /* Verify that the low 62 bits of the computation are indeed zero, and then throw them away. */
-    VERIFY_CHECK((secp256k1_i128_to_i64(&cd) & M62) == 0); secp256k1_i128_rshift(&cd, 62);
+    VERIFY_CHECK((secp256k1_i128_to_u64(&cd) & M62) == 0); secp256k1_i128_rshift(&cd, 62);
-    VERIFY_CHECK((secp256k1_i128_to_i64(&ce) & M62) == 0); secp256k1_i128_rshift(&ce, 62);
+    VERIFY_CHECK((secp256k1_i128_to_u64(&ce) & M62) == 0); secp256k1_i128_rshift(&ce, 62);
    /* Compute limb 1 of t*[d,e]+modulus*[md,me], and store it as output limb 0 (= down shift). */
    secp256k1_i128_accum_mul(&cd, u, d1);
    secp256k1_i128_accum_mul(&cd, v, e1);
@ -361,8 +361,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
        secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[1], md);
        secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[1], me);
    }
-    d->v[0] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
+    d->v[0] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
-    e->v[0] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
+    e->v[0] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
    /* Compute limb 2 of t*[d,e]+modulus*[md,me], and store it as output limb 1. */
    secp256k1_i128_accum_mul(&cd, u, d2);
    secp256k1_i128_accum_mul(&cd, v, e2);
@ -372,8 +372,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
        secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[2], md);
        secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[2], me);
    }
-    d->v[1] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
+    d->v[1] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
-    e->v[1] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
+    e->v[1] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
    /* Compute limb 3 of t*[d,e]+modulus*[md,me], and store it as output limb 2. */
    secp256k1_i128_accum_mul(&cd, u, d3);
    secp256k1_i128_accum_mul(&cd, v, e3);
@ -383,8 +383,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
        secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[3], md);
        secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[3], me);
    }
-    d->v[2] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
+    d->v[2] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
-    e->v[2] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
+    e->v[2] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
    /* Compute limb 4 of t*[d,e]+modulus*[md,me], and store it as output limb 3. */
    secp256k1_i128_accum_mul(&cd, u, d4);
    secp256k1_i128_accum_mul(&cd, v, e4);
@ -392,8 +392,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
    secp256k1_i128_accum_mul(&ce, r, e4);
    secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[4], md);
    secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[4], me);
-    d->v[3] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
+    d->v[3] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62);
-    e->v[3] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
+    e->v[3] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62);
    /* What remains is limb 5 of t*[d,e]+modulus*[md,me]; store it as output limb 4. */
    d->v[4] = secp256k1_i128_to_i64(&cd);
    e->v[4] = secp256k1_i128_to_i64(&ce);
@ -410,7 +410,7 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp
 * This implements the update_fg function from the explanation.
 */
 static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) {
-    const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
+    const uint64_t M62 = UINT64_MAX >> 2;
    const int64_t f0 = f->v[0], f1 = f->v[1], f2 = f->v[2], f3 = f->v[3], f4 = f->v[4];
    const int64_t g0 = g->v[0], g1 = g->v[1], g2 = g->v[2], g3 = g->v[3], g4 = g->v[4];
    const int64_t u = t->u, v = t->v, q = t->q, r = t->r;
@ -421,36 +421,36 @@ static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp
    secp256k1_i128_mul(&cg, q, f0);
    secp256k1_i128_accum_mul(&cg, r, g0);
    /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */
-    VERIFY_CHECK((secp256k1_i128_to_i64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62);
+    VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62);
-    VERIFY_CHECK((secp256k1_i128_to_i64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62);
+    VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62);
    /* Compute limb 1 of t*[f,g], and store it as output limb 0 (= down shift). */
    secp256k1_i128_accum_mul(&cf, u, f1);
    secp256k1_i128_accum_mul(&cf, v, g1);
    secp256k1_i128_accum_mul(&cg, q, f1);
    secp256k1_i128_accum_mul(&cg, r, g1);
-    f->v[0] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
+    f->v[0] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
-    g->v[0] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
+    g->v[0] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
    /* Compute limb 2 of t*[f,g], and store it as output limb 1. */
    secp256k1_i128_accum_mul(&cf, u, f2);
    secp256k1_i128_accum_mul(&cf, v, g2);
    secp256k1_i128_accum_mul(&cg, q, f2);
    secp256k1_i128_accum_mul(&cg, r, g2);
-    f->v[1] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
+    f->v[1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
-    g->v[1] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
+    g->v[1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
    /* Compute limb 3 of t*[f,g], and store it as output limb 2. */
    secp256k1_i128_accum_mul(&cf, u, f3);
    secp256k1_i128_accum_mul(&cf, v, g3);
    secp256k1_i128_accum_mul(&cg, q, f3);
    secp256k1_i128_accum_mul(&cg, r, g3);
-    f->v[2] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
+    f->v[2] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
-    g->v[2] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
+    g->v[2] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
    /* Compute limb 4 of t*[f,g], and store it as output limb 3. */
    secp256k1_i128_accum_mul(&cf, u, f4);
    secp256k1_i128_accum_mul(&cf, v, g4);
    secp256k1_i128_accum_mul(&cg, q, f4);
    secp256k1_i128_accum_mul(&cg, r, g4);
-    f->v[3] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
+    f->v[3] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
-    g->v[3] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
+    g->v[3] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
    /* What remains is limb 5 of t*[f,g]; store it as output limb 4. */
    f->v[4] = secp256k1_i128_to_i64(&cf);
    g->v[4] = secp256k1_i128_to_i64(&cg);
@ -463,7 +463,7 @@ static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp
 * This implements the update_fg function from the explanation.
 */
 static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) {
-    const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
+    const uint64_t M62 = UINT64_MAX >> 2;
    const int64_t u = t->u, v = t->v, q = t->q, r = t->r;
    int64_t fi, gi;
    secp256k1_int128 cf, cg;
@ -477,8 +477,8 @@ static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_sign
    secp256k1_i128_mul(&cg, q, fi);
    secp256k1_i128_accum_mul(&cg, r, gi);
    /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */
-    VERIFY_CHECK((secp256k1_i128_to_i64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62);
+    VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62);
-    VERIFY_CHECK((secp256k1_i128_to_i64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62);
+    VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62);
    /* Now iteratively compute limb i=1..len of t*[f,g], and store them in output limb i-1 (shifting
     * down by 62 bits). */
    for (i = 1; i < len; ++i) {
@ -488,8 +488,8 @@ static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_sign
        secp256k1_i128_accum_mul(&cf, v, gi);
        secp256k1_i128_accum_mul(&cg, q, fi);
        secp256k1_i128_accum_mul(&cg, r, gi);
-        f->v[i - 1] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
+        f->v[i - 1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62);
-        g->v[i - 1] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
+        g->v[i - 1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62);
    }
    /* What remains is limb (len) of t*[f,g]; store it as output limb (len-1). */
    f->v[len - 1] = secp256k1_i128_to_i64(&cf);
--- a/src/modules/bppp/tests_impl.h
+++ b/src/modules/bppp/tests_impl.h
@ -25,51 +25,51 @@ static void test_bppp_generators_api(void) {
    int32_t ecount = 0;
    /* The BP generator API requires no precomp */
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
    /* Create */
-    gens = secp256k1_bppp_generators_create(ctx, 10);
+    gens = secp256k1_bppp_generators_create(CTX, 10);
    CHECK(gens != NULL && ecount == 0);
    gens_orig = gens; /* Preserve for round-trip test */
    /* Serialize */
    ecount = 0;
-    CHECK(!secp256k1_bppp_generators_serialize(ctx, NULL, gens_ser, &len));
+    CHECK(!secp256k1_bppp_generators_serialize(CTX, NULL, gens_ser, &len));
    CHECK(ecount == 1);
-    CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, NULL, &len));
+    CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, NULL, &len));
    CHECK(ecount == 2);
-    CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, NULL));
+    CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, NULL));
    CHECK(ecount == 3);
    len = 0;
-    CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len));
+    CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len));
    CHECK(ecount == 4);
    len = sizeof(gens_ser) - 1;
-    CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len));
+    CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len));
    CHECK(ecount == 5);
    len = sizeof(gens_ser);
    {
        /* Output buffer can be greater than minimum needed */
        unsigned char gens_ser_tmp[331];
        size_t len_tmp = sizeof(gens_ser_tmp);
-        CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser_tmp, &len_tmp));
+        CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser_tmp, &len_tmp));
        CHECK(len_tmp == sizeof(gens_ser_tmp) - 1);
        CHECK(ecount == 5);
    }
    /* Parse */
-    CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len));
+    CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len));
    ecount = 0;
-    gens = secp256k1_bppp_generators_parse(ctx, NULL, sizeof(gens_ser));
+    gens = secp256k1_bppp_generators_parse(CTX, NULL, sizeof(gens_ser));
    CHECK(gens == NULL && ecount == 1);
    /* Not a multiple of 33 */
-    gens = secp256k1_bppp_generators_parse(ctx, gens_ser, sizeof(gens_ser) - 1);
+    gens = secp256k1_bppp_generators_parse(CTX, gens_ser, sizeof(gens_ser) - 1);
    CHECK(gens == NULL && ecount == 1);
-    gens = secp256k1_bppp_generators_parse(ctx, gens_ser, sizeof(gens_ser));
+    gens = secp256k1_bppp_generators_parse(CTX, gens_ser, sizeof(gens_ser));
    CHECK(gens != NULL && ecount == 1);
    /* Not valid generators */
    memset(gens_ser, 1, sizeof(gens_ser));
-    CHECK(secp256k1_bppp_generators_parse(ctx, gens_ser, sizeof(gens_ser)) == NULL);
+    CHECK(secp256k1_bppp_generators_parse(CTX, gens_ser, sizeof(gens_ser)) == NULL);
    CHECK(ecount == 1);
    /* Check that round-trip succeeded */
@ -80,14 +80,17 @@ static void test_bppp_generators_api(void) {
    /* Destroy (we allow destroying a NULL context, it's just a noop. like free().) */
    ecount = 0;
-    secp256k1_bppp_generators_destroy(ctx, NULL);
+    secp256k1_bppp_generators_destroy(CTX, NULL);
-    secp256k1_bppp_generators_destroy(ctx, gens);
+    secp256k1_bppp_generators_destroy(CTX, gens);
-    secp256k1_bppp_generators_destroy(ctx, gens_orig);
+    secp256k1_bppp_generators_destroy(CTX, gens_orig);
    CHECK(ecount == 0);
    secp256k1_context_set_error_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
 }
 static void test_bppp_generators_fixed(void) {
-    secp256k1_bppp_generators *gens = secp256k1_bppp_generators_create(ctx, 3);
+    secp256k1_bppp_generators *gens = secp256k1_bppp_generators_create(CTX, 3);
    unsigned char gens_ser[330];
    const unsigned char fixed_first_3[99] = {
        0x0b,
@ -109,14 +112,14 @@ static void test_bppp_generators_fixed(void) {
    size_t len;
    len = 99;
-    CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len));
+    CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len));
    CHECK(memcmp(gens_ser, fixed_first_3, sizeof(fixed_first_3)) == 0);
    len = sizeof(gens_ser);
-    CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len));
+    CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len));
    CHECK(memcmp(gens_ser, fixed_first_3, sizeof(fixed_first_3)) == 0);
-    secp256k1_bppp_generators_destroy(ctx, gens);
+    secp256k1_bppp_generators_destroy(CTX, gens);
 }
 static void test_bppp_tagged_hash(void) {
@ -224,19 +227,19 @@ void test_serialize_two_points(void) {
    secp256k1_ge X, R;
    int i;
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        random_group_element_test(&X);
        random_group_element_test(&R);
        test_serialize_two_points_roundtrip(&X, &R);
    }
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        random_group_element_test(&X);
        secp256k1_ge_set_infinity(&R);
        test_serialize_two_points_roundtrip(&X, &R);
    }
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        secp256k1_ge_set_infinity(&X);
        random_group_element_test(&R);
        test_serialize_two_points_roundtrip(&X, &R);
@ -258,7 +261,7 @@ void test_serialize_two_points(void) {
        CHECK(!secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 0));
    }
    /* Check that sign bit is 0 for point at infinity */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        secp256k1_ge X_tmp, R_tmp;
        unsigned char buf[65];
        int expect;
@ -333,10 +336,10 @@ static void copy_vectors_into_scratch(secp256k1_scratch_space* scratch,
                                      const secp256k1_ge *gens_vec,
                                      size_t g_len,
                                      size_t h_len) {
-    *ns = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_len * sizeof(secp256k1_scalar));
+    *ns = (secp256k1_scalar*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, g_len * sizeof(secp256k1_scalar));
-    *ls = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar));
+    *ls = (secp256k1_scalar*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, h_len * sizeof(secp256k1_scalar));
-    *cs = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar));
+    *cs = (secp256k1_scalar*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, h_len * sizeof(secp256k1_scalar));
-    *gs = (secp256k1_ge*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, (g_len + h_len) * sizeof(secp256k1_ge));
+    *gs = (secp256k1_ge*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, (g_len + h_len) * sizeof(secp256k1_ge));
    CHECK(ns != NULL && ls != NULL && cs != NULL && gs != NULL);
    memcpy(*ns, n_vec, g_len * sizeof(secp256k1_scalar));
    memcpy(*ls, l_vec, h_len * sizeof(secp256k1_scalar));
@ -366,10 +369,10 @@ static int secp256k1_bppp_rangeproof_norm_product_prove_const(
    size_t g_len = n_vec_len, h_len = l_vec_len;
    int res;
-    scratch_checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
+    scratch_checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
    copy_vectors_into_scratch(scratch, &ns, &ls, &cs, &gs, n_vec, l_vec, c_vec, g_vec, g_len, h_len);
    res = secp256k1_bppp_rangeproof_norm_product_prove(
-        ctx,
+        CTX,
        scratch,
        proof,
        proof_len,
@ -384,7 +387,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove_const(
        cs,
        c_vec_len
    );
-    secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint);
+    secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, scratch_checkpoint);
    return res;
 }
@ -434,7 +437,7 @@ static int secp256k1_norm_arg_verify(
    secp256k1_norm_arg_commit_initial_data(&transcript, rho, gens_vec, g_len, c_vec, c_vec_len, &comm);
    res = secp256k1_bppp_rangeproof_norm_product_verify(
-        ctx,
+        CTX,
        scratch,
        proof,
        proof_len,
@ -454,11 +457,11 @@ void norm_arg_verify_zero_len(void) {
    secp256k1_scalar n_vec[64], l_vec[64], c_vec[64];
    secp256k1_scalar rho, mu;
    secp256k1_ge commit;
-    secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*10); /* shouldn't need much */
+    secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*10); /* shouldn't need much */
    unsigned char proof[1000];
    unsigned int n_vec_len = 1;
    unsigned int c_vec_len = 1;
-    secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(ctx, n_vec_len + c_vec_len);
+    secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(CTX, n_vec_len + c_vec_len);
    size_t plen = sizeof(proof);
    random_scalar_order(&rho);
@ -467,14 +470,14 @@ void norm_arg_verify_zero_len(void) {
    random_scalar_order(&n_vec[0]);
    random_scalar_order(&c_vec[0]);
    random_scalar_order(&l_vec[0]);
-    CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
+    CHECK(secp256k1_bppp_commit(CTX, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
    CHECK(secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit));
    CHECK(secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit));
    CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, 0, &commit));
-    secp256k1_bppp_generators_destroy(ctx, gs);
+    secp256k1_bppp_generators_destroy(CTX, gs);
-    secp256k1_scratch_space_destroy(ctx, scratch);
+    secp256k1_scratch_space_destroy(CTX, scratch);
 }
 void norm_arg_test(unsigned int n, unsigned int m) {
@ -483,8 +486,8 @@ void norm_arg_test(unsigned int n, unsigned int m) {
    secp256k1_ge commit;
    size_t i, plen;
    int res;
-    secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(ctx, n + m);
+    secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(CTX, n + m);
-    secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */
+    secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*1000); /* shouldn't need much */
    unsigned char proof[1000];
    plen = 1000;
    random_scalar_order(&rho);
@ -499,7 +502,7 @@ void norm_arg_test(unsigned int n, unsigned int m) {
        random_scalar_order(&c_vec[i]);
    }
-    res = secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n, l_vec, m, c_vec, m, &mu);
+    res = secp256k1_bppp_commit(CTX, scratch, &commit, gs, n_vec, n, l_vec, m, c_vec, m, &mu);
    CHECK(res == 1);
    res = secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n, l_vec, m, c_vec, m, &commit);
    CHECK(res == 1);
@ -515,8 +518,8 @@ void norm_arg_test(unsigned int n, unsigned int m) {
    res = secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n, c_vec, m, &commit);
    CHECK(res == 0);
-    secp256k1_scratch_space_destroy(ctx, scratch);
+    secp256k1_scratch_space_destroy(CTX, scratch);
-    secp256k1_bppp_generators_destroy(ctx, gs);
+    secp256k1_bppp_generators_destroy(CTX, gs);
 }
 /* Parses generators from points compressed as pubkeys */
@ -524,19 +527,16 @@ secp256k1_bppp_generators* bppp_generators_parse_regular(const unsigned char* da
    size_t n = data_len / 33;
    secp256k1_bppp_generators* ret;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(data != NULL);
    if (data_len % 33 != 0) {
        return NULL;
    }
-    ret = (secp256k1_bppp_generators *)checked_malloc(&ctx->error_callback, sizeof(*ret));
+    ret = (secp256k1_bppp_generators *)checked_malloc(&CTX->error_callback, sizeof(*ret));
    if (ret == NULL) {
        return NULL;
    }
    ret->n = n;
-    ret->gens = (secp256k1_ge*)checked_malloc(&ctx->error_callback, n * sizeof(*ret->gens));
+    ret->gens = (secp256k1_ge*)checked_malloc(&CTX->error_callback, n * sizeof(*ret->gens));
    if (ret->gens == NULL) {
        free(ret);
        return NULL;
@ -572,16 +572,16 @@ int norm_arg_verify_vectors_helper(secp256k1_scratch *scratch, const unsigned ch
        CHECK(!overflow);
    }
    CHECK(secp256k1_ge_parse_ext(&commit, commit33));
-    ret = secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit);
+    ret = secp256k1_bppp_rangeproof_norm_product_verify(CTX, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit);
-    secp256k1_bppp_generators_destroy(ctx, gs);
+    secp256k1_bppp_generators_destroy(CTX, gs);
    return ret;
 }
 #define IDX_TO_TEST(i) (norm_arg_verify_vectors_helper(scratch, verify_vector_gens, verify_vector_##i##_proof, sizeof(verify_vector_##i##_proof), verify_vector_##i##_r32, verify_vector_##i##_n_vec_len, verify_vector_##i##_c_vec32, verify_vector_##i##_c_vec, sizeof(verify_vector_##i##_c_vec)/sizeof(secp256k1_scalar), verify_vector_##i##_commit33) == verify_vector_##i##_result)
 void norm_arg_verify_vectors(void) {
-    secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */
+    secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*1000); /* shouldn't need much */
    size_t alloc = scratch->alloc_size;
    CHECK(IDX_TO_TEST(0));
@ -599,7 +599,7 @@ void norm_arg_verify_vectors(void) {
    CHECK(IDX_TO_TEST(12));
    CHECK(alloc == scratch->alloc_size);
-    secp256k1_scratch_space_destroy(ctx, scratch);
+    secp256k1_scratch_space_destroy(CTX, scratch);
 }
 #undef IDX_TO_TEST
@ -632,16 +632,16 @@ void norm_arg_prove_vectors_helper(secp256k1_scratch *scratch, const unsigned ch
    CHECK(secp256k1_bppp_rangeproof_norm_product_prove_const(scratch, myproof, &myplen, &transcript, &rho, gs->gens, gs->n, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len) == result);
    if (!result) {
-        secp256k1_bppp_generators_destroy(ctx, gs);
+        secp256k1_bppp_generators_destroy(CTX, gs);
        return;
    }
    CHECK(plen == myplen);
    CHECK(secp256k1_memcmp_var(proof, myproof, plen) == 0);
-    CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
+    CHECK(secp256k1_bppp_commit(CTX, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu));
    secp256k1_sha256_initialize(&transcript);
-    CHECK(secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit));
+    CHECK(secp256k1_bppp_rangeproof_norm_product_verify(CTX, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit));
-    secp256k1_bppp_generators_destroy(ctx, gs);
+    secp256k1_bppp_generators_destroy(CTX, gs);
 }
@ -652,7 +652,7 @@ void norm_arg_prove_vectors_helper(secp256k1_scratch *scratch, const unsigned ch
    prove_vector_##i##_result))
 void norm_arg_prove_vectors(void) {
-    secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */
+    secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*1000); /* shouldn't need much */
    size_t alloc = scratch->alloc_size;
    IDX_TO_TEST(0);
@ -662,7 +662,7 @@ void norm_arg_prove_vectors(void) {
    IDX_TO_TEST(4);
    CHECK(alloc == scratch->alloc_size);
-    secp256k1_scratch_space_destroy(ctx, scratch);
+    secp256k1_scratch_space_destroy(CTX, scratch);
 }
 #undef IDX_TO_TEST
--- a/src/modules/ecdh/tests_impl.h
+++ b/src/modules/ecdh/tests_impl.h
@ -60,7 +60,7 @@ void test_ecdh_generator_basepoint(void) {
    s_one[31] = 1;
    /* Check against pubkey creation when the basepoint is the generator */
-    for (i = 0; i < 2 * count; ++i) {
+    for (i = 0; i < 2 * COUNT; ++i) {
        secp256k1_sha256 sha;
        unsigned char s_b32[32];
        unsigned char output_ecdh[65];
@ -72,20 +72,20 @@ void test_ecdh_generator_basepoint(void) {
        random_scalar_order(&s);
        secp256k1_scalar_get_b32(s_b32, &s);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &point[0], s_one) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &point[1], s_b32) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &point[1], s_b32) == 1);
        /* compute using ECDH function with custom hash function */
-        CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1);
+        CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1);
        /* compute "explicitly" */
-        CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1);
+        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1);
        /* compare */
        CHECK(secp256k1_memcmp_var(output_ecdh, point_ser, 65) == 0);
        /* compute using ECDH function with default hash function */
-        CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);
+        CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);
        /* compute "explicitly" */
-        CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1);
+        CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1);
        secp256k1_sha256_initialize(&sha);
        secp256k1_sha256_write(&sha, point_ser, point_ser_len);
        secp256k1_sha256_finalize(&sha, output_ser);
@ -110,17 +110,17 @@ void test_bad_scalar(void) {
    /* Create random point */
    random_scalar_order(&rand);
    secp256k1_scalar_get_b32(s_rand, &rand);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_rand) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_rand) == 1);
    /* Try to multiply it by bad values */
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdh(CTX, output, &point, s_zero, NULL, NULL) == 0);
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 0);
    /* ...and a good one */
    s_overflow[31] -= 1;
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 1);
    /* Hash function failure results in ecdh failure */
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0);
+    CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0);
 }
 /** Test that ECDH(sG, 1/s) == ECDH((1/s)G, s) == ECDH(G, 1) for a few random s. */
@ -136,21 +136,21 @@ void test_result_basepoint(void) {
    unsigned char s_one[32] = { 0 };
    s_one[31] = 1;
-    CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_one) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_one) == 1);
-    CHECK(secp256k1_ecdh(ctx, out_base, &point, s_one, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdh(CTX, out_base, &point, s_one, NULL, NULL) == 1);
-    for (i = 0; i < 2 * count; i++) {
+    for (i = 0; i < 2 * COUNT; i++) {
        random_scalar_order(&rand);
        secp256k1_scalar_get_b32(s, &rand);
        secp256k1_scalar_inverse(&rand, &rand);
        secp256k1_scalar_get_b32(s_inv, &rand);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &point, s) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &point, s) == 1);
-        CHECK(secp256k1_ecdh(ctx, out, &point, s_inv, NULL, NULL) == 1);
+        CHECK(secp256k1_ecdh(CTX, out, &point, s_inv, NULL, NULL) == 1);
        CHECK(secp256k1_memcmp_var(out, out_base, 32) == 0);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_inv) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_inv) == 1);
-        CHECK(secp256k1_ecdh(ctx, out_inv, &point, s, NULL, NULL) == 1);
+        CHECK(secp256k1_ecdh(CTX, out_inv, &point, s, NULL, NULL) == 1);
        CHECK(secp256k1_memcmp_var(out_inv, out_base, 32) == 0);
    }
 }
--- a/src/modules/ecdsa_adaptor/tests_impl.h
+++ b/src/modules/ecdsa_adaptor/tests_impl.h
@ -14,7 +14,7 @@ void rand_point(secp256k1_ge *point) {
    secp256k1_gej pointj;
    rand_scalar(&x);
-    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pointj, &x);
+    secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pointj, &x);
    secp256k1_ge_set_gej(point, &pointj);
 }
@ -41,8 +41,8 @@ void dleq_tests(void) {
    rand_point(&gen2);
    rand_scalar(&sk);
-    secp256k1_dleq_pair(&ctx->ecmult_gen_ctx, &p1, &p2, &sk, &gen2);
+    secp256k1_dleq_pair(&CTX->ecmult_gen_ctx, &p1, &p2, &sk, &gen2);
-    CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p2, NULL, NULL) == 1);
+    CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &gen2, &p1, &p2, NULL, NULL) == 1);
    CHECK(secp256k1_dleq_verify(&s, &e, &p1, &gen2, &p2) == 1);
    {
@ -61,9 +61,9 @@ void dleq_tests(void) {
    {
        secp256k1_ge p_inf;
        secp256k1_ge_set_infinity(&p_inf);
-        CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &p_inf, &p1, &p2, NULL, NULL) == 0);
+        CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &p_inf, &p1, &p2, NULL, NULL) == 0);
-        CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &gen2, &p_inf, &p2, NULL, NULL) == 0);
+        CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &gen2, &p_inf, &p2, NULL, NULL) == 0);
-        CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p_inf, NULL, NULL) == 0);
+        CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &gen2, &p1, &p_inf, NULL, NULL) == 0);
    }
    /* Nonce tests */
@ -85,7 +85,7 @@ void dleq_tests(void) {
    args[2] = p1_33;
    args[3] = p2_33;
    args[4] = aux_rand;
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        dleq_nonce_bitflip(args, 0, sizeof(sk32));
        dleq_nonce_bitflip(args, 1, sizeof(gen2_33));
        dleq_nonce_bitflip(args, 2, sizeof(p1_33));
@ -117,7 +117,7 @@ void test_ecdsa_adaptor_spec_vectors_check_verify(const unsigned char *adaptor_s
    CHECK(secp256k1_eckey_pubkey_parse(&pubkey_ge, pubkey33, 33) == 1);
    secp256k1_pubkey_save(&pubkey, &pubkey_ge);
-    CHECK(expected == secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig162, &pubkey, msg32, &encryption_key));
+    CHECK(expected == secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig162, &pubkey, msg32, &encryption_key));
 }
 /* Helper function for test_ecdsa_adaptor_spec_vectors
@ -126,8 +126,8 @@ void test_ecdsa_adaptor_spec_vectors_check_decrypt(const unsigned char *adaptor_
    unsigned char signature[64];
    secp256k1_ecdsa_signature s;
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &s, decryption_key32, adaptor_sig162) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &s, decryption_key32, adaptor_sig162) == 1);
-    CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &s) == 1);
+    CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &s) == 1);
    CHECK(expected == !(secp256k1_memcmp_var(signature, signature64, 64)));
 }
@ -143,8 +143,8 @@ void test_ecdsa_adaptor_spec_vectors_check_recover(const unsigned char *adaptor_
    CHECK(secp256k1_eckey_pubkey_parse(&encryption_key_ge, encryption_key33, 33) == 1);
    secp256k1_pubkey_save(&encryption_key, &encryption_key_ge);
-    CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature64) == 1);
+    CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature64) == 1);
-    CHECK(expected == secp256k1_ecdsa_adaptor_recover(ctx, deckey32, &sig, adaptor_sig162, &encryption_key));
+    CHECK(expected == secp256k1_ecdsa_adaptor_recover(CTX, deckey32, &sig, adaptor_sig162, &encryption_key));
    if (decryption_key32 != NULL) {
        CHECK(expected == !(secp256k1_memcmp_var(deckey32, decryption_key32, 32)));
    }
@ -777,7 +777,7 @@ void run_nonce_function_ecdsa_adaptor_tests(void) {
    args[2] = pk;
    args[3] = algo;
    args[4] = aux_rand;
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        nonce_function_ecdsa_adaptor_bitflip(args, 0, sizeof(msg), algolen);
        nonce_function_ecdsa_adaptor_bitflip(args, 1, sizeof(key), algolen);
        nonce_function_ecdsa_adaptor_bitflip(args, 2, sizeof(pk), algolen);
@ -800,7 +800,7 @@ void run_nonce_function_ecdsa_adaptor_tests(void) {
    CHECK(nonce_function_ecdsa_adaptor(nonce, msg, key, pk, dleq_algo, sizeof(dleq_algo), NULL) == 1);
    /* Different algolen gives different nonce */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        unsigned char nonce2[32];
        uint32_t offset = secp256k1_testrand_int(algolen - 1);
        size_t algolen_tmp = (algolen + offset) % algolen;
@ -824,83 +824,85 @@ void test_ecdsa_adaptor_api(void) {
    unsigned char deckey[32];
    /** setup **/
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    int ecount;
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
    secp256k1_testrand256(sk);
    secp256k1_testrand256(msg);
    secp256k1_testrand256(deckey);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, sk) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &enckey, deckey) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &enckey, deckey) == 1);
    memset(&zero_pk, 0, sizeof(zero_pk));
    /** main test body **/
    ecount = 0;
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &enckey, msg, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &enckey, msg, NULL, NULL) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(sttc, asig, sk, &enckey, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(STATIC_CTX, asig, sk, &enckey, msg, NULL, NULL) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, NULL, sk, &enckey, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, NULL, sk, &enckey, msg, NULL, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &enckey, NULL, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &enckey, NULL, NULL, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, NULL, &enckey, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, NULL, &enckey, msg, NULL, NULL) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, NULL, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, NULL, msg, NULL, NULL) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &zero_pk, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &zero_pk, msg, NULL, NULL) == 0);
    CHECK(ecount == 6);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &enckey, msg, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &enckey, msg, NULL, NULL) == 1);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, msg, &enckey) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, msg, &enckey) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, NULL, &pubkey, msg, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, NULL, &pubkey, msg, &enckey) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, NULL, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, NULL, &enckey) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, msg, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, msg, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, NULL, msg, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, NULL, msg, &enckey) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &zero_pk, msg, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &zero_pk, msg, &enckey) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, msg, &zero_pk) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, msg, &zero_pk) == 0);
    CHECK(ecount == 6);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, asig) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, asig) == 1);
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, asig) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, asig) == 1);
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, NULL, deckey, asig) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, NULL, deckey, asig) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, NULL, asig) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, NULL, asig) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, NULL) == 0);
    CHECK(ecount == 3);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, asig) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, asig) == 1);
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, asig, &enckey) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, asig, &enckey) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdsa_adaptor_recover(sttc, deckey, &sig, asig, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_recover(STATIC_CTX, deckey, &sig, asig, &enckey) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, NULL, &sig, asig, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, NULL, &sig, asig, &enckey) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, NULL, asig, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, NULL, asig, &enckey) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, NULL, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, NULL, &enckey) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, asig, NULL) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, asig, NULL) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, asig, &zero_pk) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, asig, &zero_pk) == 0);
    CHECK(ecount == 6);
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(CTX, NULL, NULL);
    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 void adaptor_tests(void) {
@ -919,24 +921,24 @@ void adaptor_tests(void) {
    secp256k1_testrand256(msg);
    secp256k1_testrand256(deckey);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, seckey) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, seckey) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &enckey, deckey) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &enckey, deckey) == 1);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, NULL, NULL) == 1);
    {
        /* Test overflowing seckey */
        memset(big, 0xFF, 32);
-        CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, big, &enckey, msg, NULL, NULL) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, big, &enckey, msg, NULL, NULL) == 0);
        CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0);
        /* Test different nonce functions */
        memset(adaptor_sig, 1, sizeof(adaptor_sig));
-        CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_failing, NULL) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_failing, NULL) == 0);
        CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0);
        memset(&adaptor_sig, 1, sizeof(adaptor_sig));
-        CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_0, NULL) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_0, NULL) == 0);
        CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0);
-        CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_overflowing, NULL) == 1);
+        CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_overflowing, NULL) == 1);
        CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) != 0);
    }
    {
@ -1008,14 +1010,14 @@ void adaptor_tests(void) {
    }
    /* Test adaptor_sig_verify */
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &enckey) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &pubkey, msg, &enckey) == 1);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &enckey, msg, &enckey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &enckey, msg, &enckey) == 0);
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &pubkey) == 0);
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &pubkey, msg, &pubkey) == 0);
    {
        /* Test failed adaptor sig deserialization */
        unsigned char adaptor_sig_tmp[162];
        memset(&adaptor_sig_tmp, 0xFF, 162);
-        CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0);
    }
    {
        /* Test that any flipped bit in the adaptor signature will make
@ -1023,13 +1025,13 @@ void adaptor_tests(void) {
        unsigned char adaptor_sig_tmp[162];
        memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp));
        rand_flip_bit(&adaptor_sig_tmp[1], sizeof(adaptor_sig_tmp) - 1);
-        CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0);
    }
    {
        unsigned char msg_tmp[32];
        memcpy(msg_tmp, msg, sizeof(msg_tmp));
        rand_flip_bit(msg_tmp, sizeof(msg_tmp));
-        CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg_tmp, &enckey) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &pubkey, msg_tmp, &enckey) == 0);
    }
    {
        /* Verification must check that the derived R' is not equal to the point at
@ -1068,24 +1070,24 @@ void adaptor_tests(void) {
        /* X := G */
        seckey_tmp[31] = 1;
-        CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_tmp, seckey_tmp) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_tmp, seckey_tmp) == 1);
        /* sp := sigr */
        memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp));
        memcpy(&adaptor_sig_tmp[66], &adaptor_sig_tmp[1], 32);
-        CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey_tmp, msg_tmp, &enckey) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig_tmp, &pubkey_tmp, msg_tmp, &enckey) == 0);
    }
    /* Test decryption */
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, adaptor_sig) == 1);
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, adaptor_sig) == 1);
-    CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
+    CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
    {
        /* Test overflowing decryption key */
        secp256k1_ecdsa_signature s;
        memset(big, 0xFF, 32);
-        CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &s, big, adaptor_sig) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &s, big, adaptor_sig) == 0);
        CHECK(secp256k1_memcmp_var(&s.data[0], zeros64, sizeof(&s.data[0])) == 0);
    }
    {
@ -1093,13 +1095,13 @@ void adaptor_tests(void) {
        unsigned char decryption_key_tmp[32];
        unsigned char adaptor_sig_tmp[162];
-        CHECK(secp256k1_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig, &enckey) == 1);
+        CHECK(secp256k1_ecdsa_adaptor_recover(CTX, decryption_key_tmp, &sig, adaptor_sig, &enckey) == 1);
        CHECK(secp256k1_memcmp_var(deckey, decryption_key_tmp, sizeof(deckey)) == 0);
        /* Test failed sp deserialization */
        memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp));
        memset(&adaptor_sig_tmp[66], 0xFF, 32);
-        CHECK(secp256k1_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig_tmp, &enckey) == 0);
+        CHECK(secp256k1_ecdsa_adaptor_recover(CTX, decryption_key_tmp, &sig, adaptor_sig_tmp, &enckey) == 0);
    }
 }
@ -1123,13 +1125,13 @@ void multi_hop_lock_tests(void) {
    secp256k1_testrand256(seckey_a);
    secp256k1_testrand256(seckey_b);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_a, seckey_a));
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_a, seckey_a));
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_b, seckey_b));
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_b, seckey_b));
    /* Carol setup */
    /* Proof of payment */
    secp256k1_testrand256(pop);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_pop, pop));
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_pop, pop));
    /* Alice setup */
    secp256k1_testrand256(tx_ab);
@ -1137,39 +1139,39 @@ void multi_hop_lock_tests(void) {
    rand_scalar(&t2);
    secp256k1_scalar_add(&tp, &t1, &t2);
    /* Left lock */
-    secp256k1_pubkey_load(ctx, &l_ge, &pubkey_pop);
+    secp256k1_pubkey_load(CTX, &l_ge, &pubkey_pop);
    CHECK(secp256k1_eckey_pubkey_tweak_add(&l_ge, &t1));
    secp256k1_pubkey_save(&l, &l_ge);
    /* Right lock */
-    secp256k1_pubkey_load(ctx, &r_ge, &pubkey_pop);
+    secp256k1_pubkey_load(CTX, &r_ge, &pubkey_pop);
    CHECK(secp256k1_eckey_pubkey_tweak_add(&r_ge, &tp));
    secp256k1_pubkey_save(&r, &r_ge);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig_ab, seckey_a, &l, tx_ab, NULL, NULL));
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig_ab, seckey_a, &l, tx_ab, NULL, NULL));
    /* Bob setup */
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig_ab, &pubkey_a, tx_ab, &l));
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig_ab, &pubkey_a, tx_ab, &l));
    secp256k1_testrand256(tx_bc);
-    CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig_bc, seckey_b, &r, tx_bc, NULL, NULL));
+    CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig_bc, seckey_b, &r, tx_bc, NULL, NULL));
    /* Carol decrypt */
-    CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig_bc, &pubkey_b, tx_bc, &r));
+    CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig_bc, &pubkey_b, tx_bc, &r));
    secp256k1_scalar_set_b32(&deckey, pop, NULL);
    secp256k1_scalar_add(&deckey, &deckey, &tp);
    secp256k1_scalar_get_b32(buf, &deckey);
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig_bc, buf, asig_bc));
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig_bc, buf, asig_bc));
-    CHECK(secp256k1_ecdsa_verify(ctx, &sig_bc, tx_bc, &pubkey_b));
+    CHECK(secp256k1_ecdsa_verify(CTX, &sig_bc, tx_bc, &pubkey_b));
    /* Bob recover and decrypt */
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, buf, &sig_bc, asig_bc, &r));
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, buf, &sig_bc, asig_bc, &r));
    secp256k1_scalar_set_b32(&deckey, buf, NULL);
    secp256k1_scalar_negate(&t2, &t2);
    secp256k1_scalar_add(&deckey, &deckey, &t2);
    secp256k1_scalar_get_b32(buf, &deckey);
-    CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig_ab, buf, asig_ab));
+    CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig_ab, buf, asig_ab));
-    CHECK(secp256k1_ecdsa_verify(ctx, &sig_ab, tx_ab, &pubkey_a));
+    CHECK(secp256k1_ecdsa_verify(CTX, &sig_ab, tx_ab, &pubkey_a));
    /* Alice recover and derive proof of payment */
-    CHECK(secp256k1_ecdsa_adaptor_recover(ctx, buf, &sig_ab, asig_ab, &l));
+    CHECK(secp256k1_ecdsa_adaptor_recover(CTX, buf, &sig_ab, asig_ab, &l));
    secp256k1_scalar_set_b32(&deckey, buf, NULL);
    secp256k1_scalar_negate(&t1, &t1);
    secp256k1_scalar_add(&deckey, &deckey, &t1);
@ -1183,13 +1185,13 @@ void run_ecdsa_adaptor_tests(void) {
    test_ecdsa_adaptor_api();
    test_ecdsa_adaptor_spec_vectors();
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        dleq_tests();
    }
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        adaptor_tests();
    }
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        multi_hop_lock_tests();
    }
 }
--- a/src/modules/ecdsa_s2c/tests_impl.h
+++ b/src/modules/ecdsa_s2c/tests_impl.h
@ -43,39 +43,39 @@ void run_s2c_opening_test(void) {
    secp256k1_ecdsa_s2c_opening opening;
    int32_t ecount = 0;
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
    /* First parsing, then serializing works */
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1);
-    CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, output, &opening) == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, output, &opening) == 1);
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, NULL, input) == 0);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, NULL, input) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, NULL) == 0);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1);
-    CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, NULL, &opening) == 0);
+    CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, NULL, &opening) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, output, NULL) == 0);
+    CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, output, NULL) == 0);
    CHECK(ecount == 4);
    /* Invalid pubkey makes parsing fail */
    input[0] = 0;  /* bad oddness bit */
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 0);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 0);
    input[0] = 2;
    input[31] = 1; /* point not on the curve */
-    CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 0);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 0);
    CHECK(ecount == 4); /* neither of the above are API errors */
    /* Try parsing and serializing a bunch of openings */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        /* This is expected to fail in about 50% of iterations because the
         * points' x-coordinates are uniformly random */
-        if (secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1) {
+        if (secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1) {
-            CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, output, &opening) == 1);
+            CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, output, &opening) == 1);
            CHECK(secp256k1_memcmp_var(output, input, sizeof(output)) == 0);
        }
        secp256k1_testrand256(&input[1]);
@ -83,11 +83,10 @@ void run_s2c_opening_test(void) {
        input[0] = (input[1] & 1) + 2;
    }
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
 }
 static void test_ecdsa_s2c_api(void) {
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    secp256k1_ecdsa_s2c_opening s2c_opening;
    secp256k1_ecdsa_signature sig;
    const unsigned char msg[32] = "mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm";
@ -98,96 +97,97 @@ static void test_ecdsa_s2c_api(void) {
    secp256k1_pubkey pk;
    int32_t ecount;
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sec));
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sec));
    ecount = 0;
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, NULL, &s2c_opening, msg, sec, s2c_data) == 0);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, NULL, &s2c_opening, msg, sec, s2c_data) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, NULL, msg, sec, s2c_data) == 1);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, NULL, msg, sec, s2c_data) == 1);
    CHECK(ecount == 1); /* NULL opening is not an API error */
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, NULL, sec, s2c_data) == 0);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, NULL, sec, s2c_data) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, msg, NULL, s2c_data) == 0);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, msg, NULL, s2c_data) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, msg, sec, NULL) == 0);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, msg, sec, NULL) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, msg, sec, s2c_data) == 1);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, msg, sec, s2c_data) == 1);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_s2c_sign(sttc, &sig, &s2c_opening, msg, sec, s2c_data) == 0);
+    CHECK(secp256k1_ecdsa_s2c_sign(STATIC_CTX, &sig, &s2c_opening, msg, sec, s2c_data) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pk) == 1);
+    CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pk) == 1);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, NULL, s2c_data, &s2c_opening) == 0);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, NULL, s2c_data, &s2c_opening) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, NULL, &s2c_opening) == 0);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, NULL, &s2c_opening) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, s2c_data, NULL) == 0);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, s2c_data, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, s2c_data, &s2c_opening) == 1);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, s2c_data, &s2c_opening) == 1);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, sec, &s2c_opening) == 0);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, sec, &s2c_opening) == 0);
    CHECK(ecount == 3); /* wrong data is not an API error */
    /* Signing with NULL s2c_opening gives the same result */
-    CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, NULL, msg, sec, s2c_data) == 1);
+    CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, NULL, msg, sec, s2c_data) == 1);
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, s2c_data, &s2c_opening) == 1);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, s2c_data, &s2c_opening) == 1);
    /* anti-exfil */
    ecount = 0;
-    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, NULL, hostrand) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, NULL, hostrand) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, hostrand_commitment, NULL) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, hostrand_commitment, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, hostrand_commitment, hostrand) == 1);
+    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, hostrand_commitment, hostrand) == 1);
    CHECK(ecount == 2);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, NULL, msg, sec, hostrand_commitment) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, NULL, msg, sec, hostrand_commitment) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, NULL, sec, hostrand_commitment) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, NULL, sec, hostrand_commitment) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, NULL, hostrand_commitment) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, msg, NULL, hostrand_commitment) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, sec, NULL) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, msg, sec, NULL) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, sec, hostrand_commitment) == 1);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, msg, sec, hostrand_commitment) == 1);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(sttc, &s2c_opening, msg, sec, hostrand_commitment) == 0);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(STATIC_CTX, &s2c_opening, msg, sec, hostrand_commitment) == 0);
    CHECK(ecount == 5);
    ecount = 0;
-    CHECK(secp256k1_anti_exfil_sign(ctx, NULL, msg, sec, hostrand) == 0);
+    CHECK(secp256k1_anti_exfil_sign(CTX, NULL, msg, sec, hostrand) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_anti_exfil_sign(ctx, &sig, NULL, sec, hostrand) == 0);
+    CHECK(secp256k1_anti_exfil_sign(CTX, &sig, NULL, sec, hostrand) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_anti_exfil_sign(ctx, &sig, msg, NULL, hostrand) == 0);
+    CHECK(secp256k1_anti_exfil_sign(CTX, &sig, msg, NULL, hostrand) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_anti_exfil_sign(ctx, &sig, msg, sec, NULL) == 0);
+    CHECK(secp256k1_anti_exfil_sign(CTX, &sig, msg, sec, NULL) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_anti_exfil_sign(ctx, &sig, msg, sec, hostrand) == 1);
+    CHECK(secp256k1_anti_exfil_sign(CTX, &sig, msg, sec, hostrand) == 1);
    CHECK(ecount == 4);
-    CHECK(secp256k1_anti_exfil_sign(sttc, &sig, msg, sec, hostrand) == 0);
+    CHECK(secp256k1_anti_exfil_sign(STATIC_CTX, &sig, msg, sec, hostrand) == 0);
    CHECK(ecount == 5);
    ecount = 0;
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, NULL, msg, &pk, hostrand, &s2c_opening) == 0);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, NULL, msg, &pk, hostrand, &s2c_opening) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, NULL, &pk, hostrand, &s2c_opening) == 0);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, NULL, &pk, hostrand, &s2c_opening) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, NULL, hostrand, &s2c_opening) == 0);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, NULL, hostrand, &s2c_opening) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, &pk, NULL, &s2c_opening) == 0);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, &pk, NULL, &s2c_opening) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, &pk, hostrand, NULL) == 0);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, &pk, hostrand, NULL) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, &pk, hostrand, &s2c_opening) == 1);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, &pk, hostrand, &s2c_opening) == 1);
    CHECK(ecount == 5);
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 /* When using sign-to-contract commitments, the nonce function is fixed, so we can use fixtures to test. */
@ -229,10 +229,10 @@ static void test_ecdsa_s2c_fixed_vectors(void) {
        unsigned char opening_ser[33];
        const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
        secp256k1_ecdsa_signature signature;
-        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1);
-        CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, opening_ser, &s2c_opening) == 1);
+        CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, opening_ser, &s2c_opening) == 1);
        CHECK(secp256k1_memcmp_var(test->expected_s2c_opening, opening_ser, sizeof(opening_ser)) == 0);
-        CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, test->s2c_data, &s2c_opening) == 1);
+        CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, test->s2c_data, &s2c_opening) == 1);
    }
 }
@ -251,7 +251,7 @@ static void test_ecdsa_s2c_sign_verify(void) {
        secp256k1_scalar key;
        random_scalar_order_test(&key);
        secp256k1_scalar_get_b32(privkey, &key);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
        secp256k1_testrand256_test(message);
        secp256k1_testrand256_test(noncedata);
@ -262,28 +262,28 @@ static void test_ecdsa_s2c_sign_verify(void) {
    { /* invalid privkeys */
        unsigned char zero_privkey[32] = {0};
        unsigned char overflow_privkey[32] = "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";
-        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, NULL, message, zero_privkey, s2c_data) == 0);
+        CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, NULL, message, zero_privkey, s2c_data) == 0);
-        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, NULL, message, overflow_privkey, s2c_data) == 0);
+        CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, NULL, message, overflow_privkey, s2c_data) == 0);
    }
    /* Check that the sign-to-contract signature is valid, with s2c_data. Also check the commitment. */
    {
-        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, message, privkey, s2c_data) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &signature, message, &pubkey) == 1);
+        CHECK(secp256k1_ecdsa_verify(CTX, &signature, message, &pubkey) == 1);
-        CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 1);
+        CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, s2c_data, &s2c_opening) == 1);
    }
    /* Check that an invalid commitment does not verify */
    {
        unsigned char sigbytes[64];
        size_t i;
-        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, message, privkey, s2c_data) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &signature, message, &pubkey) == 1);
+        CHECK(secp256k1_ecdsa_verify(CTX, &signature, message, &pubkey) == 1);
-        CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1);
+        CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, sigbytes, &signature) == 1);
        for(i = 0; i < 32; i++) {
            /* change one byte */
            sigbytes[i] = (((int)sigbytes[i]) + 1) % 256;
-            CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+            CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &signature, sigbytes) == 1);
-            CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 0);
+            CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, s2c_data, &s2c_opening) == 0);
            /* revert */
            sigbytes[i] = (((int)sigbytes[i]) + 255) % 256;
        }
@ -305,8 +305,8 @@ static void test_ecdsa_anti_exfil_signer_commit(void) {
        secp256k1_ecdsa_s2c_opening s2c_opening;
        unsigned char buf[33];
        const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
-        CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, message, privkey, test->s2c_data) == 1);
-        CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1);
+        CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, buf, &s2c_opening) == 1);
        CHECK(secp256k1_memcmp_var(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0);
    }
 }
@ -326,53 +326,53 @@ static void test_ecdsa_anti_exfil(void) {
        secp256k1_scalar key;
        random_scalar_order_test(&key);
        secp256k1_scalar_get_b32(signer_privkey, &key);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &signer_pubkey, signer_privkey) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &signer_pubkey, signer_privkey) == 1);
        secp256k1_testrand256_test(host_msg);
        secp256k1_testrand256_test(host_nonce_contribution);
    }
    /* Protocol step 1. */
-    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, host_commitment, host_nonce_contribution) == 1);
+    CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, host_commitment, host_nonce_contribution) == 1);
    /* Protocol step 2. */
-    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1);
+    CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1);
    /* Protocol step 3: host_nonce_contribution send to signer to be used in step 4. */
    /* Protocol step 4. */
-    CHECK(secp256k1_anti_exfil_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1);
+    CHECK(secp256k1_anti_exfil_sign(CTX, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1);
    /* Protocol step 5. */
-    CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
+    CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
    /* Protocol step 5 (explicitly) */
-    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, host_nonce_contribution, &s2c_opening) == 1);
-    CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
+    CHECK(secp256k1_ecdsa_verify(CTX, &signature, host_msg, &signer_pubkey) == 1);
    { /* host_verify: commitment does not match */
        unsigned char sigbytes[64];
        size_t i;
-        CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1);
+        CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, sigbytes, &signature) == 1);
        for(i = 0; i < 32; i++) {
            /* change one byte */
            sigbytes[i] += 1;
-            CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+            CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &signature, sigbytes) == 1);
-            CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0);
+            CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, host_nonce_contribution, &s2c_opening) == 0);
-            CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
+            CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
            /* revert */
            sigbytes[i] -= 1;
        }
-        CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &signature, sigbytes) == 1);
    }
    { /* host_verify: message does not match */
        unsigned char bad_msg[32];
        secp256k1_testrand256_test(bad_msg);
-        CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
+        CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
-        CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
+        CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
    }
    { /* s2c_sign: host provided data that didn't match commitment */
        secp256k1_ecdsa_s2c_opening orig_opening = s2c_opening;
        unsigned char bad_nonce_contribution[32] = { 1, 2, 3, 4 };
-        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1);
+        CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1);
        /* good signature but the opening (original public nonce does not match the original */
-        CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
+        CHECK(secp256k1_ecdsa_verify(CTX, &signature, host_msg, &signer_pubkey) == 1);
-        CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
+        CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
-        CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1);
+        CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1);
        CHECK(secp256k1_memcmp_var(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0);
    }
 }
--- a/src/modules/extrakeys/tests_impl.h
+++ b/src/modules/extrakeys/tests_impl.h
@ -30,52 +30,52 @@ void test_xonly_pubkey(void) {
    int ecount;
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
    secp256k1_testrand256(sk);
    memset(ones32, 0xFF, 32);
    secp256k1_testrand256(xy_sk);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1);
    /* Test xonly_pubkey_from_pubkey */
    ecount = 0;
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, NULL, &pk_parity, &pk) == 0);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, NULL, &pk_parity, &pk) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, NULL) == 0);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, NULL) == 0);
    CHECK(ecount == 2);
    memset(&pk, 0, sizeof(pk));
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 0);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 0);
    CHECK(ecount == 3);
    /* Choose a secret key such that the resulting pubkey and xonly_pubkey match. */
    memset(sk, 0, sizeof(sk));
    sk[0] = 1;
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1);
    CHECK(secp256k1_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0);
    CHECK(pk_parity == 0);
    /* Choose a secret key such that pubkey and xonly_pubkey are each others
     * negation. */
    sk[0] = 2;
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1);
    CHECK(secp256k1_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0);
    CHECK(pk_parity == 1);
-    secp256k1_pubkey_load(ctx, &pk1, &pk);
+    secp256k1_pubkey_load(CTX, &pk1, &pk);
-    secp256k1_pubkey_load(ctx, &pk2, (secp256k1_pubkey *) &xonly_pk);
+    secp256k1_pubkey_load(CTX, &pk2, (secp256k1_pubkey *) &xonly_pk);
    CHECK(secp256k1_fe_equal(&pk1.x, &pk2.x) == 1);
    secp256k1_fe_negate(&y, &pk2.y, 1);
    CHECK(secp256k1_fe_equal(&pk1.y, &y) == 1);
    /* Test xonly_pubkey_serialize and xonly_pubkey_parse */
    ecount = 0;
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, NULL, &xonly_pk) == 0);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, NULL, &xonly_pk) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, NULL) == 0);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, NULL) == 0);
    CHECK(secp256k1_memcmp_var(buf32, zeros64, 32) == 0);
    CHECK(ecount == 2);
    {
@ -83,46 +83,46 @@ void test_xonly_pubkey(void) {
         * special casing. */
        secp256k1_xonly_pubkey pk_tmp;
        memset(&pk_tmp, 0, sizeof(pk_tmp));
-        CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &pk_tmp) == 0);
+        CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &pk_tmp) == 0);
    }
    /* pubkey_load called illegal callback */
    CHECK(ecount == 3);
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &xonly_pk) == 1);
    ecount = 0;
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, NULL, buf32) == 0);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, NULL, buf32) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, NULL) == 0);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, NULL) == 0);
    CHECK(ecount == 2);
    /* Serialization and parse roundtrip */
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &xonly_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk_tmp, buf32) == 1);
    CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0);
    /* Test parsing invalid field elements */
    memset(&xonly_pk, 1, sizeof(xonly_pk));
    /* Overflowing field element */
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, ones32) == 0);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, ones32) == 0);
    CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
    memset(&xonly_pk, 1, sizeof(xonly_pk));
    /* There's no point with x-coordinate 0 on secp256k1 */
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, zeros64) == 0);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, zeros64) == 0);
    CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
    /* If a random 32-byte string can not be parsed with ec_pubkey_parse
     * (because interpreted as X coordinate it does not correspond to a point on
     * the curve) then xonly_pubkey_parse should fail as well. */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        unsigned char rand33[33];
        secp256k1_testrand256(&rand33[1]);
        rand33[0] = SECP256K1_TAG_PUBKEY_EVEN;
-        if (!secp256k1_ec_pubkey_parse(ctx, &pk, rand33, 33)) {
+        if (!secp256k1_ec_pubkey_parse(CTX, &pk, rand33, 33)) {
            memset(&xonly_pk, 1, sizeof(xonly_pk));
-            CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0);
+            CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, &rand33[1]) == 0);
            CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
        } else {
-            CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1);
+            CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, &rand33[1]) == 1);
        }
    }
    CHECK(ecount == 2);
@ -141,26 +141,26 @@ void test_xonly_pubkey_comparison(void) {
    secp256k1_xonly_pubkey pk2;
    int ecount = 0;
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk1, pk1_ser) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk1, pk1_ser) == 1);
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk2, pk2_ser) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk2, pk2_ser) == 1);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, NULL, &pk2) < 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, NULL, &pk2) < 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, NULL) > 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, NULL) > 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk2) < 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk2) < 0);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk2, &pk1) > 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk2, &pk1) > 0);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk1) == 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk1) == 0);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk2, &pk2) == 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk2, &pk2) == 0);
    CHECK(ecount == 2);
    memset(&pk1, 0, sizeof(pk1)); /* illegal pubkey */
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk2) < 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk2) < 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk1) == 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk1) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk2, &pk1) > 0);
+    CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk2, &pk1) > 0);
    CHECK(ecount == 6);
 }
@ -177,48 +177,48 @@ void test_xonly_pubkey_tweak(void) {
    int ecount;
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
    memset(overflows, 0xff, sizeof(overflows));
    secp256k1_testrand256(tweak);
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &internal_pk, sk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
    ecount = 0;
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, NULL, &internal_xonly_pk, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, NULL, &internal_xonly_pk, tweak) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, NULL, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, NULL, tweak) == 0);
    CHECK(ecount == 2);
    /* NULL internal_xonly_pk zeroes the output_pk */
    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, NULL) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, NULL) == 0);
    CHECK(ecount == 3);
    /* NULL tweak zeroes the output_pk */
    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
    /* Invalid tweak zeroes the output_pk */
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, overflows) == 0);
    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk))  == 0);
    /* A zero tweak is fine */
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, zeros64) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, zeros64) == 1);
    /* Fails if the resulting key was infinity */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        secp256k1_scalar scalar_tweak;
        /* Because sk may be negated before adding, we need to try with tweak =
         * sk as well as tweak = -sk. */
        secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
        secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
        secp256k1_scalar_get_b32(tweak, &scalar_tweak);
-        CHECK((secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, sk) == 0)
+        CHECK((secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, sk) == 0)
-              || (secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 0));
+              || (secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 0));
        CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
    }
@ -226,7 +226,7 @@ void test_xonly_pubkey_tweak(void) {
    memset(&internal_xonly_pk, 0, sizeof(internal_xonly_pk));
    secp256k1_testrand256(tweak);
    ecount = 0;
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 0);
    CHECK(ecount == 1);
    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk))  == 0);
 }
@ -246,49 +246,49 @@ void test_xonly_pubkey_tweak_check(void) {
    int ecount;
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
    memset(overflows, 0xff, sizeof(overflows));
    secp256k1_testrand256(tweak);
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &internal_pk, sk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
    ecount = 0;
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &output_xonly_pk, &pk_parity, &output_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &output_xonly_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, NULL, pk_parity, &internal_xonly_pk, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, NULL, pk_parity, &internal_xonly_pk, tweak) == 0);
    CHECK(ecount == 1);
    /* invalid pk_parity value */
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, 2, &internal_xonly_pk, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, 2, &internal_xonly_pk, tweak) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, NULL, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, NULL, tweak) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, NULL) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, NULL) == 0);
    CHECK(ecount == 3);
    memset(tweak, 1, sizeof(tweak));
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &internal_xonly_pk, NULL, &internal_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &output_xonly_pk, &pk_parity, &output_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk32, &output_xonly_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1);
    /* Wrong pk_parity */
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0);
    /* Wrong public key */
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &internal_xonly_pk) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
    /* Overflowing tweak not allowed */
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0);
-    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, overflows) == 0);
    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
    CHECK(ecount == 3);
 }
@ -305,23 +305,23 @@ void test_xonly_pubkey_tweak_recursive(void) {
    int i;
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk[0], sk) == 1);
    /* Add tweaks */
    for (i = 0; i < N_PUBKEYS - 1; i++) {
        secp256k1_xonly_pubkey xonly_pk;
        memset(tweak[i], i + 1, sizeof(tweak[i]));
-        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1);
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk[i]) == 1);
-        CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &pk[i + 1], &xonly_pk, tweak[i]) == 1);
    }
    /* Verify tweaks */
    for (i = N_PUBKEYS - 1; i > 0; i--) {
        secp256k1_xonly_pubkey xonly_pk;
        int pk_parity;
-        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1);
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk[i]) == 1);
-        CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1);
+        CHECK(secp256k1_xonly_pubkey_serialize(CTX, pk_serialized, &xonly_pk) == 1);
-        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1);
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk[i - 1]) == 1);
-        CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1);
    }
 }
 #undef N_PUBKEYS
@ -336,10 +336,9 @@ void test_keypair(void) {
    secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
    int pk_parity, pk_parity_tmp;
    int ecount;
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
-    set_counting_callbacks(sttc, &ecount);
+    set_counting_callbacks(STATIC_CTX, &ecount);
    CHECK(sizeof(zeros96) == sizeof(keypair));
    memset(overflows, 0xFF, sizeof(overflows));
@ -347,100 +346,102 @@ void test_keypair(void) {
    /* Test keypair_create */
    ecount = 0;
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) != 0);
    CHECK(ecount == 0);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) != 0);
    CHECK(ecount == 0);
-    CHECK(secp256k1_keypair_create(ctx, NULL, sk) == 0);
+    CHECK(secp256k1_keypair_create(CTX, NULL, sk) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, NULL) == 0);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, NULL) == 0);
    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
    CHECK(ecount == 2);
-    CHECK(secp256k1_keypair_create(sttc, &keypair, sk) == 0);
+    CHECK(secp256k1_keypair_create(STATIC_CTX, &keypair, sk) == 0);
    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
    CHECK(ecount == 3);
    /* Invalid secret key */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, zeros96) == 0);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, zeros96) == 0);
    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, overflows) == 0);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, overflows) == 0);
    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
    /* Test keypair_pub */
    ecount = 0;
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_pub(ctx, &pk, &keypair) == 1);
+    CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair) == 1);
-    CHECK(secp256k1_keypair_pub(ctx, NULL, &keypair) == 0);
+    CHECK(secp256k1_keypair_pub(CTX, NULL, &keypair) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_keypair_pub(ctx, &pk, NULL) == 0);
+    CHECK(secp256k1_keypair_pub(CTX, &pk, NULL) == 0);
    CHECK(ecount == 2);
    CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
    /* Using an invalid keypair is fine for keypair_pub */
    memset(&keypair, 0, sizeof(keypair));
-    CHECK(secp256k1_keypair_pub(ctx, &pk, &keypair) == 1);
+    CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair) == 1);
    CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
    /* keypair holds the same pubkey as pubkey_create */
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_pub(ctx, &pk_tmp, &keypair) == 1);
+    CHECK(secp256k1_keypair_pub(CTX, &pk_tmp, &keypair) == 1);
    CHECK(secp256k1_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0);
    /** Test keypair_xonly_pub **/
    ecount = 0;
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, &keypair) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, NULL, &pk_parity, &keypair) == 0);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, NULL, &pk_parity, &keypair) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, NULL, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, NULL, &keypair) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, NULL) == 0);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, NULL) == 0);
    CHECK(ecount == 2);
    CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
    /* Using an invalid keypair will set the xonly_pk to 0 (first reset
     * xonly_pk). */
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, &keypair) == 1);
    memset(&keypair, 0, sizeof(keypair));
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, &keypair) == 0);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, &keypair) == 0);
    CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
    CHECK(ecount == 3);
    /** keypair holds the same xonly pubkey as pubkey_create **/
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1);
-    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1);
    CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0);
    CHECK(pk_parity == pk_parity_tmp);
    /* Test keypair_seckey */
    ecount = 0;
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_sec(ctx, sk_tmp, &keypair) == 1);
+    CHECK(secp256k1_keypair_sec(CTX, sk_tmp, &keypair) == 1);
-    CHECK(secp256k1_keypair_sec(ctx, NULL, &keypair) == 0);
+    CHECK(secp256k1_keypair_sec(CTX, NULL, &keypair) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_keypair_sec(ctx, sk_tmp, NULL) == 0);
+    CHECK(secp256k1_keypair_sec(CTX, sk_tmp, NULL) == 0);
    CHECK(ecount == 2);
    CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0);
    /* keypair returns the same seckey it got */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_sec(ctx, sk_tmp, &keypair) == 1);
+    CHECK(secp256k1_keypair_sec(CTX, sk_tmp, &keypair) == 1);
    CHECK(secp256k1_memcmp_var(sk, sk_tmp, sizeof(sk_tmp)) == 0);
    /* Using an invalid keypair is fine for keypair_seckey */
    memset(&keypair, 0, sizeof(keypair));
-    CHECK(secp256k1_keypair_sec(ctx, sk_tmp, &keypair) == 1);
+    CHECK(secp256k1_keypair_sec(CTX, sk_tmp, &keypair) == 1);
    CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0);
-    secp256k1_context_destroy(sttc);
+
    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 void test_keypair_add(void) {
@ -452,49 +453,49 @@ void test_keypair_add(void) {
    int i;
    int ecount = 0;
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
    CHECK(sizeof(zeros96) == sizeof(keypair));
    secp256k1_testrand256(sk);
    secp256k1_testrand256(tweak);
    memset(overflows, 0xFF, 32);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, NULL, tweak) == 0);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, NULL, tweak) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, NULL) == 0);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, NULL) == 0);
    CHECK(ecount == 2);
    /* This does not set the keypair to zeroes */
    CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0);
    /* Invalid tweak zeroes the keypair */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, overflows) == 0);
    CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair))  == 0);
    /* A zero tweak is fine */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, zeros96) == 1);
    /* Fails if the resulting keypair was (sk=0, pk=infinity) */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        secp256k1_scalar scalar_tweak;
        secp256k1_keypair keypair_tmp;
        secp256k1_testrand256(sk);
-        CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+        CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
        memcpy(&keypair_tmp, &keypair, sizeof(keypair));
        /* Because sk may be negated before adding, we need to try with tweak =
         * sk as well as tweak = -sk. */
        secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
        secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
        secp256k1_scalar_get_b32(tweak, &scalar_tweak);
-        CHECK((secp256k1_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0)
+        CHECK((secp256k1_keypair_xonly_tweak_add(CTX, &keypair, sk) == 0)
-              || (secp256k1_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0));
+              || (secp256k1_keypair_xonly_tweak_add(CTX, &keypair_tmp, tweak) == 0));
        CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0
              || secp256k1_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0);
    }
@ -503,23 +504,23 @@ void test_keypair_add(void) {
    memset(&keypair, 0, sizeof(keypair));
    secp256k1_testrand256(tweak);
    ecount = 0;
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 0);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 0);
    CHECK(ecount == 1);
    CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair))  == 0);
    /* Only seckey part of keypair invalid */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
    memset(&keypair, 0, 32);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 0);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 0);
    CHECK(ecount == 2);
    /* Only pubkey part of keypair invalid */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
    memset(&keypair.data[32], 0, 64);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 0);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 0);
    CHECK(ecount == 3);
    /* Check that the keypair_tweak_add implementation is correct */
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        secp256k1_xonly_pubkey internal_pk;
        secp256k1_xonly_pubkey output_pk;
        secp256k1_pubkey output_pk_xy;
@ -529,22 +530,22 @@ void test_keypair_add(void) {
        int pk_parity;
        secp256k1_testrand256(tweak);
-        CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
+        CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
-        CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
+        CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
-        CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
+        CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
        /* Check that it passes xonly_pubkey_tweak_add_check */
-        CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1);
+        CHECK(secp256k1_xonly_pubkey_serialize(CTX, pk32, &output_pk) == 1);
-        CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, pk32, pk_parity, &internal_pk, tweak) == 1);
        /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */
-        CHECK(secp256k1_keypair_pub(ctx, &output_pk_xy, &keypair) == 1);
+        CHECK(secp256k1_keypair_pub(CTX, &output_pk_xy, &keypair) == 1);
-        CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk_expected, &internal_pk, tweak) == 1);
        CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
        /* Check that the secret key in the keypair is tweaked correctly */
-        CHECK(secp256k1_keypair_sec(ctx, sk32, &keypair) == 1);
+        CHECK(secp256k1_keypair_sec(CTX, sk32, &keypair) == 1);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &output_pk_expected, sk32) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &output_pk_expected, sk32) == 1);
        CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
    }
 }
@ -577,7 +578,7 @@ void test_hsort(void) {
    /* Test hsort with length n array and random elements in
     * [-interval/2, interval/2] */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        int n = secp256k1_testrand_int(NUM);
        int interval = secp256k1_testrand_int(64);
        for (j = 0; j < n; j++) {
@ -604,26 +605,26 @@ void test_pubkey_comparison(void) {
    secp256k1_pubkey pk2;
    int ecount = 0;
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
-    CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
+    CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
-    CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
+    CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
-    CHECK(secp256k1_pubkey_cmp(ctx, NULL, &pk2) < 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, NULL, &pk2) < 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk1, NULL) > 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk1, NULL) > 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk2) < 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk2) < 0);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk2, &pk1) > 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk2, &pk1) > 0);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk1) == 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk1) == 0);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk2, &pk2) == 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk2, &pk2) == 0);
    CHECK(ecount == 2);
    memset(&pk1, 0, sizeof(pk1)); /* illegal pubkey */
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk2) < 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk2) < 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk1) == 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk1) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_pubkey_cmp(ctx, &pk2, &pk1) > 0);
+    CHECK(secp256k1_pubkey_cmp(CTX, &pk2, &pk1) > 0);
    CHECK(ecount == 6);
 }
@ -635,7 +636,7 @@ void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) {
    for (i = 0; i < n_pk; i++) {
        pk_test[i] = &pk[pk_order[i]];
    }
-    secp256k1_pubkey_sort(ctx, pk_test, n_pk);
+    secp256k1_pubkey_sort(CTX, pk_test, n_pk);
    for (i = 0; i < n_pk; i++) {
        CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0);
    }
@ -656,8 +657,8 @@ void rand_pk(secp256k1_pubkey *pk) {
    unsigned char seckey[32];
    secp256k1_keypair keypair;
    secp256k1_testrand256(seckey);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, seckey) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, seckey) == 1);
-    CHECK(secp256k1_keypair_pub(ctx, pk, &keypair) == 1);
+    CHECK(secp256k1_keypair_pub(CTX, pk, &keypair) == 1);
 }
 void test_sort_api(void) {
@ -665,7 +666,7 @@ void test_sort_api(void) {
    secp256k1_pubkey pks[2];
    const secp256k1_pubkey *pks_ptr[2];
-    set_counting_callbacks(ctx, &ecount);
+    set_counting_callbacks(CTX, &ecount);
    pks_ptr[0] = &pks[0];
    pks_ptr[1] = &pks[1];
@ -673,16 +674,16 @@ void test_sort_api(void) {
    rand_pk(&pks[0]);
    rand_pk(&pks[1]);
-    CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 2) == 1);
+    CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 2) == 1);
-    CHECK(secp256k1_pubkey_sort(ctx, NULL, 2) == 0);
+    CHECK(secp256k1_pubkey_sort(CTX, NULL, 2) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 0) == 1);
+    CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 0) == 1);
    /* Test illegal public keys */
    memset(&pks[0], 0, sizeof(pks[0]));
-    CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 2) == 1);
+    CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 2) == 1);
    CHECK(ecount == 2);
    memset(&pks[1], 0, sizeof(pks[1]));
-    CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 2) == 1);
+    CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 2) == 1);
    CHECK(ecount > 2);
 }
@ -700,7 +701,7 @@ void test_sort(void) {
    size_t pk_order[5] = { 0, 1, 2, 3, 4 };
    for (i = 0; i < 5; i++) {
-        CHECK(secp256k1_ec_pubkey_parse(ctx, &pk[i], pk_ser[i], sizeof(pk_ser[i])));
+        CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i])));
    }
    permute(pk_order, 1);
@ -709,25 +710,25 @@ void test_sort(void) {
    test_sort_helper(pk, pk_order, 2);
    permute(pk_order, 3);
    test_sort_helper(pk, pk_order, 3);
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        permute(pk_order, 4);
        test_sort_helper(pk, pk_order, 4);
    }
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        permute(pk_order, 5);
        test_sort_helper(pk, pk_order, 5);
    }
    /* Check that sorting also works for random pubkeys */
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        int j;
        const secp256k1_pubkey *pk_ptr[5];
        for (j = 0; j < 5; j++) {
            rand_pk(&pk[j]);
            pk_ptr[j] = &pk[j];
        }
-        secp256k1_pubkey_sort(ctx, pk_ptr, 5);
+        secp256k1_pubkey_sort(CTX, pk_ptr, 5);
        for (j = 1; j < 5; j++) {
-            CHECK(secp256k1_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], ctx) <= 0);
+            CHECK(secp256k1_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0);
        }
    }
 }
@ -768,10 +769,10 @@ void test_sort_vectors(void) {
    sorted[5] = &pubkeys[2];
    for (i = 0; i < N_PUBKEYS; i++) {
-        CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
+        CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
        pks_ptr[i] = &pubkeys[i];
    }
-    CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, N_PUBKEYS) == 1);
+    CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, N_PUBKEYS) == 1);
    for (i = 0; i < N_PUBKEYS; i++) {
        CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0);
    }
--- a/src/modules/generator/tests_impl.h
+++ b/src/modules/generator/tests_impl.h
@ -21,51 +21,53 @@ void test_generator_api(void) {
    unsigned char key[32];
    unsigned char blind[32];
    unsigned char sergen[33];
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    secp256k1_generator gen;
    int32_t ecount = 0;
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
    secp256k1_testrand256(key);
    secp256k1_testrand256(blind);
-    CHECK(secp256k1_generator_generate(ctx, &gen, key) == 1);
+    CHECK(secp256k1_generator_generate(CTX, &gen, key) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_generator_generate(ctx, NULL, key) == 0);
+    CHECK(secp256k1_generator_generate(CTX, NULL, key) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_generator_generate(ctx, &gen, NULL) == 0);
+    CHECK(secp256k1_generator_generate(CTX, &gen, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_generator_generate_blinded(ctx, &gen, key, blind) == 1);
+    CHECK(secp256k1_generator_generate_blinded(CTX, &gen, key, blind) == 1);
    CHECK(ecount == 2);
-    CHECK(secp256k1_generator_generate_blinded(sttc, &gen, key, blind) == 0);
+    CHECK(secp256k1_generator_generate_blinded(STATIC_CTX, &gen, key, blind) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_generator_generate_blinded(ctx, NULL, key, blind) == 0);
+    CHECK(secp256k1_generator_generate_blinded(CTX, NULL, key, blind) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_generator_generate_blinded(ctx, &gen, NULL, blind) == 0);
+    CHECK(secp256k1_generator_generate_blinded(CTX, &gen, NULL, blind) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_generator_generate_blinded(ctx, &gen, key, NULL) == 0);
+    CHECK(secp256k1_generator_generate_blinded(CTX, &gen, key, NULL) == 0);
    CHECK(ecount == 6);
-    CHECK(secp256k1_generator_serialize(ctx, sergen, &gen) == 1);
+    CHECK(secp256k1_generator_serialize(CTX, sergen, &gen) == 1);
    CHECK(ecount == 6);
-    CHECK(secp256k1_generator_serialize(ctx, NULL, &gen) == 0);
+    CHECK(secp256k1_generator_serialize(CTX, NULL, &gen) == 0);
    CHECK(ecount == 7);
-    CHECK(secp256k1_generator_serialize(ctx, sergen, NULL) == 0);
+    CHECK(secp256k1_generator_serialize(CTX, sergen, NULL) == 0);
    CHECK(ecount == 8);
-    CHECK(secp256k1_generator_serialize(ctx, sergen, &gen) == 1);
+    CHECK(secp256k1_generator_serialize(CTX, sergen, &gen) == 1);
-    CHECK(secp256k1_generator_parse(ctx, &gen, sergen) == 1);
+    CHECK(secp256k1_generator_parse(CTX, &gen, sergen) == 1);
    CHECK(ecount == 8);
-    CHECK(secp256k1_generator_parse(ctx, NULL, sergen) == 0);
+    CHECK(secp256k1_generator_parse(CTX, NULL, sergen) == 0);
    CHECK(ecount == 9);
-    CHECK(secp256k1_generator_parse(ctx, &gen, NULL) == 0);
+    CHECK(secp256k1_generator_parse(CTX, &gen, NULL) == 0);
    CHECK(ecount == 10);
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(CTX, NULL, NULL);
    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 void test_shallue_van_de_woestijne(void) {
@ -171,11 +173,11 @@ void test_generator_generate(void) {
    for (i = 1; i <= 32; i++) {
        memset(v, 0, 31);
        v[31] = i;
-        CHECK(secp256k1_generator_generate_blinded(ctx, &gen, v, s));
+        CHECK(secp256k1_generator_generate_blinded(CTX, &gen, v, s));
        secp256k1_generator_load(&ge, &gen);
        secp256k1_ge_to_storage(&ges, &ge);
        CHECK(secp256k1_memcmp_var(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0);
-        CHECK(secp256k1_generator_generate(ctx, &gen, v));
+        CHECK(secp256k1_generator_generate(CTX, &gen, v));
        secp256k1_generator_load(&ge, &gen);
        secp256k1_ge_to_storage(&ges, &ge);
        CHECK(secp256k1_memcmp_var(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0);
@ -185,9 +187,9 @@ void test_generator_generate(void) {
     * valid scalar. Check that an invalid blinder causes the call to fail
     * but not crash. */
    memset(v, 0xff, 32);
-    CHECK(secp256k1_generator_generate(ctx, &gen, v));
+    CHECK(secp256k1_generator_generate(CTX, &gen, v));
    memset(s, 0xff, 32);
-    CHECK(!secp256k1_generator_generate_blinded(ctx, &gen, v, s));
+    CHECK(!secp256k1_generator_generate_blinded(CTX, &gen, v, s));
 }
 void test_generator_fixed_vector(void) {
@ -199,18 +201,17 @@ void test_generator_fixed_vector(void) {
    unsigned char result[33];
    secp256k1_generator parse;
-    CHECK(secp256k1_generator_parse(ctx, &parse, two_g));
+    CHECK(secp256k1_generator_parse(CTX, &parse, two_g));
-    CHECK(secp256k1_generator_serialize(ctx, result, &parse));
+    CHECK(secp256k1_generator_serialize(CTX, result, &parse));
    CHECK(secp256k1_memcmp_var(two_g, result, 33) == 0);
    result[0] = 0x0a;
-    CHECK(secp256k1_generator_parse(ctx, &parse, result));
+    CHECK(secp256k1_generator_parse(CTX, &parse, result));
    result[0] = 0x08;
-    CHECK(!secp256k1_generator_parse(ctx, &parse, result));
+    CHECK(!secp256k1_generator_parse(CTX, &parse, result));
 }
 static void test_pedersen_api(void) {
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    secp256k1_pedersen_commitment commit;
    const secp256k1_pedersen_commitment *commit_ptr = &commit;
    unsigned char blind[32];
@ -220,60 +221,63 @@ static void test_pedersen_api(void) {
    uint64_t val = secp256k1_testrand32();
    int32_t ecount = 0;
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
    secp256k1_testrand256(blind);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h) != 0);
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h) != 0);
    CHECK(ecount == 0);
-    CHECK(secp256k1_pedersen_commit(sttc, &commit, blind, val, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_pedersen_commit(STATIC_CTX, &commit, blind, val, secp256k1_generator_h) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_pedersen_commit(ctx, NULL, blind, val, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_pedersen_commit(CTX, NULL, blind, val, secp256k1_generator_h) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, NULL, val, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, NULL, val, secp256k1_generator_h) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, NULL) == 0);
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, NULL) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, &blind_ptr, 1, 1) != 0);
+    CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, &blind_ptr, 1, 1) != 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_pedersen_blind_sum(ctx, NULL, &blind_ptr, 1, 1) == 0);
+    CHECK(secp256k1_pedersen_blind_sum(CTX, NULL, &blind_ptr, 1, 1) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, NULL, 1, 1) == 0);
+    CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, NULL, 1, 1) == 0);
    CHECK(ecount == 6);
-    CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, &blind_ptr, 0, 1) == 0);
+    CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, &blind_ptr, 0, 1) == 0);
    CHECK(ecount == 7);
-    CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, &blind_ptr, 0, 0) != 0);
+    CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, &blind_ptr, 0, 0) != 0);
    CHECK(ecount == 7);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h) != 0);
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h) != 0);
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr, 1, &commit_ptr, 1) != 0);
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr, 1, &commit_ptr, 1) != 0);
-    CHECK(secp256k1_pedersen_verify_tally(ctx, NULL, 0, &commit_ptr, 1) == 0);
+    CHECK(secp256k1_pedersen_verify_tally(CTX, NULL, 0, &commit_ptr, 1) == 0);
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr, 1, NULL, 0) == 0);
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr, 1, NULL, 0) == 0);
-    CHECK(secp256k1_pedersen_verify_tally(ctx, NULL, 0, NULL, 0) != 0);
+    CHECK(secp256k1_pedersen_verify_tally(CTX, NULL, 0, NULL, 0) != 0);
    CHECK(ecount == 7);
-    CHECK(secp256k1_pedersen_verify_tally(ctx, NULL, 1, &commit_ptr, 1) == 0);
+    CHECK(secp256k1_pedersen_verify_tally(CTX, NULL, 1, &commit_ptr, 1) == 0);
    CHECK(ecount == 8);
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr, 1, NULL, 1) == 0);
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr, 1, NULL, 1) == 0);
    CHECK(ecount == 9);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0);
    CHECK(ecount == 9);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0);
    CHECK(ecount == 10);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0);
    CHECK(ecount == 11);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0);
    CHECK(ecount == 12);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, NULL, &blind_out_ptr, 1, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, NULL, &blind_out_ptr, 1, 0) == 0);
    CHECK(ecount == 13);
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, NULL, 1, 0) == 0);
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, NULL, 1, 0) == 0);
    CHECK(ecount == 14);
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(CTX, NULL, NULL);
    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 static void test_pedersen(void) {
@ -310,14 +314,14 @@ static void test_pedersen(void) {
        random_scalar_order(&s);
        secp256k1_scalar_get_b32(&blinds[i * 32], &s);
    }
-    CHECK(secp256k1_pedersen_blind_sum(ctx, &blinds[(total - 1) * 32], bptr, total - 1, inputs));
+    CHECK(secp256k1_pedersen_blind_sum(CTX, &blinds[(total - 1) * 32], bptr, total - 1, inputs));
    for (i = 0; i < total; i++) {
-        CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h));
    }
-    CHECK(secp256k1_pedersen_verify_tally(ctx, cptr, inputs, &cptr[inputs], outputs));
+    CHECK(secp256k1_pedersen_verify_tally(CTX, cptr, inputs, &cptr[inputs], outputs));
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[inputs], outputs, cptr, inputs));
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &cptr[inputs], outputs, cptr, inputs));
    if (inputs > 0 && values[0] > 0) {
-        CHECK(!secp256k1_pedersen_verify_tally(ctx, cptr, inputs - 1, &cptr[inputs], outputs));
+        CHECK(!secp256k1_pedersen_verify_tally(CTX, cptr, inputs - 1, &cptr[inputs], outputs));
    }
    random_scalar_order(&s);
    for (i = 0; i < 4; i++) {
@ -327,10 +331,10 @@ static void test_pedersen(void) {
    values[1] = 0;
    values[2] = 1;
    for (i = 0; i < 3; i++) {
-        CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h));
    }
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[0], 1, &cptr[0], 1));
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &cptr[0], 1, &cptr[0], 1));
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[1], 1, &cptr[1], 1));
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &cptr[1], 1, &cptr[1], 1));
 }
 void test_pedersen_commitment_fixed_vector(void) {
@ -342,14 +346,14 @@ void test_pedersen_commitment_fixed_vector(void) {
    unsigned char result[33];
    secp256k1_pedersen_commitment parse;
-    CHECK(secp256k1_pedersen_commitment_parse(ctx, &parse, two_g));
+    CHECK(secp256k1_pedersen_commitment_parse(CTX, &parse, two_g));
-    CHECK(secp256k1_pedersen_commitment_serialize(ctx, result, &parse));
+    CHECK(secp256k1_pedersen_commitment_serialize(CTX, result, &parse));
    CHECK(secp256k1_memcmp_var(two_g, result, 33) == 0);
    result[0] = 0x08;
-    CHECK(secp256k1_pedersen_commitment_parse(ctx, &parse, result));
+    CHECK(secp256k1_pedersen_commitment_parse(CTX, &parse, result));
    result[0] = 0x0c;
-    CHECK(!secp256k1_pedersen_commitment_parse(ctx, &parse, result));
+    CHECK(!secp256k1_pedersen_commitment_parse(CTX, &parse, result));
 }
@ -362,7 +366,7 @@ void run_generator_tests(void) {
    test_generator_generate();
    test_pedersen_api();
    test_pedersen_commitment_fixed_vector();
-    for (i = 0; i < count / 2 + 1; i++) {
+    for (i = 0; i < COUNT / 2 + 1; i++) {
        test_pedersen();
    }
 }
--- a/src/modules/musig/tests_impl.h
+++ b/src/modules/musig/tests_impl.h
--- a/src/modules/rangeproof/tests_impl.h
+++ b/src/modules/rangeproof/tests_impl.h
@ -16,7 +16,7 @@
 #include "../../../include/secp256k1_rangeproof.h"
-static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ecount) {
+static void test_rangeproof_api(const int32_t *ecount) {
    unsigned char proof[5134];
    unsigned char blind[32];
    secp256k1_pedersen_commitment commit;
@ -30,83 +30,83 @@ static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ec
    size_t ext_commit_len = sizeof(ext_commit);
    secp256k1_testrand256(blind);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h));
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h));
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 1);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 1);
    CHECK(*ecount == 0);
-    CHECK(secp256k1_rangeproof_sign(sttc, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(STATIC_CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 1);
-    CHECK(secp256k1_rangeproof_sign(ctx, NULL, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, NULL, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 2);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, NULL, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, NULL, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 3);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, NULL, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, NULL, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 4);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, NULL, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, NULL, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 5);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, NULL, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, NULL, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 6);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, vmin - 1, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, vmin - 1, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 6);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 7);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
    CHECK(*ecount == 7);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, ext_commit_len, secp256k1_generator_h) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, ext_commit_len, secp256k1_generator_h) == 0);
    CHECK(*ecount == 8);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, secp256k1_generator_h) != 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, secp256k1_generator_h) != 0);
    CHECK(*ecount == 8);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, NULL) == 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, NULL) == 0);
    CHECK(*ecount == 9);
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
    {
        int exp;
        int mantissa;
        uint64_t min_value;
        uint64_t max_value;
-        CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, &max_value, proof, len) != 0);
+        CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, &max_value, proof, len) != 0);
        CHECK(exp == 0);
        CHECK(((uint64_t) 1 << mantissa) > val - vmin);
        CHECK(((uint64_t) 1 << (mantissa - 1)) <= val - vmin);
        CHECK(min_value == vmin);
        CHECK(max_value >= val);
-        CHECK(secp256k1_rangeproof_info(ctx, NULL, &mantissa, &min_value, &max_value, proof, len) == 0);
+        CHECK(secp256k1_rangeproof_info(CTX, NULL, &mantissa, &min_value, &max_value, proof, len) == 0);
        CHECK(*ecount == 10);
-        CHECK(secp256k1_rangeproof_info(ctx, &exp, NULL, &min_value, &max_value, proof, len) == 0);
+        CHECK(secp256k1_rangeproof_info(CTX, &exp, NULL, &min_value, &max_value, proof, len) == 0);
        CHECK(*ecount == 11);
-        CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, NULL, &max_value, proof, len) == 0);
+        CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, NULL, &max_value, proof, len) == 0);
        CHECK(*ecount == 12);
-        CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, NULL, proof, len) == 0);
+        CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, NULL, proof, len) == 0);
        CHECK(*ecount == 13);
-        CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, &max_value, NULL, len) == 0);
+        CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, &max_value, NULL, len) == 0);
        CHECK(*ecount == 14);
-        CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, &max_value, proof, 0) == 0);
+        CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, &max_value, proof, 0) == 0);
        CHECK(*ecount == 14);
    }
    {
        uint64_t min_value;
        uint64_t max_value;
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1);
        CHECK(*ecount == 14);
-        CHECK(secp256k1_rangeproof_verify(ctx, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 15);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 16);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 17);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 18);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 18);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 19);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0);
        CHECK(*ecount == 19);
-        CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0);
+        CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0);
        CHECK(*ecount == 20);
    }
    {
@ -117,9 +117,9 @@ static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ec
        uint64_t max_value;
        size_t message_len = sizeof(message_out);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1);
        CHECK(*ecount == 20);
-        CHECK(secp256k1_rangeproof_rewind(sttc, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(STATIC_CTX, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 21);
        CHECK(min_value == vmin);
@ -128,56 +128,58 @@ static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ec
        CHECK(message_len == sizeof(message_out));
        CHECK(secp256k1_memcmp_var(message, message_out, sizeof(message_out)) == 0);
-        CHECK(secp256k1_rangeproof_rewind(ctx, NULL, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, NULL, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
        CHECK(*ecount == 21);  /* blindout may be NULL */
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, NULL, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, NULL, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
        CHECK(*ecount == 21);  /* valueout may be NULL */
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 22);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0);
        CHECK(*ecount == 22);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, NULL, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, NULL, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 23);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 24);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 25);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 26);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 27);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 27);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0);
        CHECK(*ecount == 28);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0);
        CHECK(*ecount == 28);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0);
        CHECK(*ecount == 29);
    }
    /* This constant is hardcoded in these tests and elsewhere, so we
     * consider it to be part of the API and test it here. */
-    CHECK(secp256k1_rangeproof_max_size(ctx, 0, 64) == 5134);
+    CHECK(secp256k1_rangeproof_max_size(CTX, 0, 64) == 5134);
-    CHECK(secp256k1_rangeproof_max_size(ctx, UINT64_MAX, 0) == 5134);
+    CHECK(secp256k1_rangeproof_max_size(CTX, UINT64_MAX, 0) == 5134);
 }
 static void test_api(void) {
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    int32_t ecount;
    int i;
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        ecount = 0;
-        test_rangeproof_api(sttc, &ecount);
+        test_rangeproof_api(&ecount);
    }
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(CTX, NULL, NULL);
    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 static void test_borromean(void) {
@ -219,7 +221,7 @@ static void test_borromean(void) {
                s[i] = one;
            }
            if (j == secidx[i]) {
-                secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubs[c + j], &sec[i]);
+                secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubs[c + j], &sec[i]);
            } else {
                random_group_element_test(&ge);
                random_group_element_jacobian_test(&pubs[c + j],&ge);
@ -227,7 +229,7 @@ static void test_borromean(void) {
        }
        c += rsizes[i];
    }
-    CHECK(secp256k1_borromean_sign(&ctx->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32));
+    CHECK(secp256k1_borromean_sign(&CTX->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32));
    CHECK(secp256k1_borromean_verify(NULL, e0, s, pubs, rsizes, nrings, m, 32));
    i = secp256k1_testrand32() % c;
    secp256k1_scalar_negate(&s[i],&s[i]);
@ -275,7 +277,7 @@ static void test_rangeproof(void) {
    secp256k1_testrand256(blind);
    for (i = 0; i < 11; i++) {
        v = testvs[i];
-        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h));
        for (vmin = 0; vmin < (i<9 && i > 0 ? 2 : 1); vmin++) {
            const unsigned char *input_message = NULL;
            size_t input_message_len = 0;
@ -291,11 +293,11 @@ static void test_rangeproof(void) {
                input_message_len = sizeof(message_long);
            }
            len = 5134;
-            CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, secp256k1_generator_h));
+            CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, secp256k1_generator_h));
            CHECK(len <= 5134);
-            CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
+            CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0));
            mlen = 4096;
-            CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+            CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
            if (input_message != NULL) {
                CHECK(secp256k1_memcmp_var(message, input_message, input_message_len) == 0);
            }
@ -308,10 +310,10 @@ static void test_rangeproof(void) {
            CHECK(minv <= v);
            CHECK(maxv >= v);
            len = 5134;
-            CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+            CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, secp256k1_generator_h));
            CHECK(len <= 73);
-            CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
+            CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0));
-            CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+            CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
            CHECK(secp256k1_memcmp_var(blindout, blind, 32) == 0);
            CHECK(vout == v);
            CHECK(minv == v);
@ -319,12 +321,12 @@ static void test_rangeproof(void) {
            /* Check with a committed message */
            len = 5134;
-            CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), secp256k1_generator_h));
+            CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), secp256k1_generator_h));
            CHECK(len <= 73);
-            CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
+            CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0));
-            CHECK(!secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+            CHECK(!secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
-            CHECK(!secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), secp256k1_generator_h));
+            CHECK(!secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), secp256k1_generator_h));
-            CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h));
+            CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h));
            CHECK(secp256k1_memcmp_var(blindout, blind, 32) == 0);
            CHECK(vout == v);
            CHECK(minv == v);
@ -333,41 +335,41 @@ static void test_rangeproof(void) {
    }
    secp256k1_testrand256(blind);
    v = INT64_MAX - 1;
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h));
    for (i = 0; i < 19; i++) {
        len = 5134;
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, secp256k1_generator_h));
-        CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0));
+        CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0));
-        CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
        CHECK(len <= 5134);
        CHECK(minv <= v);
        CHECK(maxv >= v);
        /* Make sure it fails when validating with a committed message */
-        CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h));
+        CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h));
    }
    secp256k1_testrand256(blind);
    {
        /*Malleability test.*/
        v = secp256k1_testrandi64(0, 255);
-        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h));
        len = 5134;
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h));
        CHECK(len <= 5134);
-        CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 3));
+        CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 3));
        /* Test if trailing bytes are rejected. */
        proof[len] = v;
-        CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len + 1, NULL, 0, secp256k1_generator_h));
+        CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len + 1, NULL, 0, secp256k1_generator_h));
        for (i = 0; i < len*8; i++) {
            proof[i >> 3] ^= 1 << (i & 7);
-            CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+            CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
            proof[i >> 3] ^= 1 << (i & 7);
        }
-        CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
        CHECK(minv <= v);
        CHECK(maxv >= v);
    }
    memcpy(&commit2, &commit, sizeof(commit));
-    for (i = 0; i < (size_t) count; i++) {
+    for (i = 0; i < (size_t) COUNT; i++) {
        int exp;
        int min_bits;
        v = secp256k1_testrandi64(0, UINT64_MAX >> (secp256k1_testrand32()&63));
@ -376,7 +378,7 @@ static void test_rangeproof(void) {
            vmin = secp256k1_testrandi64(0, v);
        }
        secp256k1_testrand256(blind);
-        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h));
        len = 5134;
        exp = (int)secp256k1_testrandi64(0,18)-(int)secp256k1_testrandi64(0,18);
        if (exp < 0) {
@ -386,11 +388,11 @@ static void test_rangeproof(void) {
        if (min_bits < 0) {
            min_bits = -min_bits;
        }
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, secp256k1_generator_h));
        CHECK(len <= 5134);
-        CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, min_bits));
+        CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, min_bits));
        mlen = 4096;
-        CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
        for (j = 0; j < mlen; j++) {
            CHECK(message[j] == 0);
        }
@ -399,7 +401,7 @@ static void test_rangeproof(void) {
        CHECK(minv <= v);
        CHECK(maxv >= v);
-        CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
        memcpy(&commit2, &commit, sizeof(commit));
    }
    for (j = 0; j < 3; j++) {
@ -408,10 +410,10 @@ static void test_rangeproof(void) {
        }
        for (k = 0; k < 128; k += 3) {
            len = k;
-            CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h));
+            CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h));
        }
        len = secp256k1_testrandi64(0, 3072);
-        CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h));
+        CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h));
    }
 }
@ -423,26 +425,26 @@ static void test_rangeproof_null_blinder(void) {
    secp256k1_pedersen_commitment commit;
    size_t len;
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h));
    /* Try a 32-bit proof; should work */
    len = 5134;
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 1, &commit, blind, commit.data, 0, 32, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, 1, &commit, blind, commit.data, 0, 32, v, NULL, 0, NULL, 0, secp256k1_generator_h));
-    CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+    CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
    CHECK(minv == 1);
    CHECK(maxv == 1ULL << 32);
    /* Try a 3-bit proof; should work */
    len = 5134;
-    CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v - 1, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+    CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v - 1, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h));
-    CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
+    CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
    CHECK(minv == 1110);
    CHECK(maxv == 1117);
    /* But a 2-bits will not because then it does not have any subcommitments (which rerandomize
     * the blinding factors that get passed into the borromean logic ... passing 0s will fail) */
    len = 5134;
-    CHECK(!secp256k1_rangeproof_sign(ctx, proof, &len, v - 1, &commit, blind, commit.data, 0, 2, v, NULL, 0, NULL, 0, secp256k1_generator_h));
+    CHECK(!secp256k1_rangeproof_sign(CTX, proof, &len, v - 1, &commit, blind, commit.data, 0, 2, v, NULL, 0, NULL, 0, secp256k1_generator_h));
    /* Rewinding with 3-bits works */
    {
@ -457,8 +459,8 @@ static void test_rangeproof_null_blinder(void) {
        secp256k1_testrand256(&msg[32]);
        secp256k1_testrand256(&msg[64]);
        secp256k1_testrand256(&msg[96]);
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, 0, 3, v, msg, sizeof(msg), NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v, &commit, blind, commit.data, 0, 3, v, msg, sizeof(msg), NULL, 0, secp256k1_generator_h));
-        CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, msg_out, &msg_len, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h) != 0);
+        CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, msg_out, &msg_len, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h) != 0);
        CHECK(secp256k1_memcmp_var(blind, blind_out, sizeof(blind)) == 0);
        CHECK(secp256k1_memcmp_var(msg, msg_out, sizeof(msg)) == 0);
        CHECK(value_out == v);
@ -484,10 +486,10 @@ static void test_single_value_proof(uint64_t val) {
    secp256k1_testrand256(blind);
    secp256k1_testrand256(nonce);
-    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h));
+    CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h));
    CHECK(secp256k1_rangeproof_sign(
-        ctx,
+        CTX,
        proof, &plen,
        val, /* min_val */
        &commit, blind, nonce,
@ -501,7 +503,7 @@ static void test_single_value_proof(uint64_t val) {
    plen = sizeof(proof);
    CHECK(secp256k1_rangeproof_sign(
-        ctx,
+        CTX,
        proof, &plen,
        val, /* min_val */
        &commit, blind, nonce,
@ -512,7 +514,7 @@ static void test_single_value_proof(uint64_t val) {
        NULL, 0,
        secp256k1_generator_h
    ) == 1);
-    CHECK(plen <= secp256k1_rangeproof_max_size(ctx, val, 0));
+    CHECK(plen <= secp256k1_rangeproof_max_size(CTX, val, 0));
    /* Different proof sizes are unfortunate but is caused by `min_value` of
     * zero being special-cased and encoded more efficiently. */
@ -523,7 +525,7 @@ static void test_single_value_proof(uint64_t val) {
    }
    CHECK(secp256k1_rangeproof_verify(
-        ctx,
+        CTX,
        &min_val_out, &max_val_out,
        &commit,
        proof, plen,
@ -536,7 +538,7 @@ static void test_single_value_proof(uint64_t val) {
    memset(message_out, 0, sizeof(message_out));
    m_len_out = sizeof(message_out);
    CHECK(secp256k1_rangeproof_rewind(
-        ctx,
+        CTX,
        blind_out, &val_out,
        message_out, &m_len_out,
        nonce,
@ -585,7 +587,7 @@ static void test_multiple_generators(void) {
        random_scalar_order(&s);
        secp256k1_scalar_get_b32(pedersen_blind[i], &s);
-        CHECK(secp256k1_generator_generate_blinded(ctx, &generator[i], generator_seed, generator_blind[i]));
+        CHECK(secp256k1_generator_generate_blinded(CTX, &generator[i], generator_seed, generator_blind[i]));
        commit_ptr[i] = &commit[i];
    }
@ -603,13 +605,13 @@ static void test_multiple_generators(void) {
    value[i] = total_value;
    /* Correct for blinding factors and do the commitments */
-    CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs));
+    CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs));
    for (i = 0; i < n_generators; i++) {
-        CHECK(secp256k1_pedersen_commit(ctx, &commit[i], pedersen_blind[i], value[i], &generator[i]));
+        CHECK(secp256k1_pedersen_commit(CTX, &commit[i], pedersen_blind[i], value[i], &generator[i]));
    }
    /* Verify */
-    CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr[0], n_inputs, &commit_ptr[n_inputs], n_outputs));
+    CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr[0], n_inputs, &commit_ptr[n_inputs], n_outputs));
    /* Cleanup */
    for (i = 0; i < n_generators; i++) {
@ -683,9 +685,9 @@ void test_rangeproof_fixed_vectors(void) {
        0x77, 0x47, 0xa4, 0xd3, 0x53, 0x17, 0xc6, 0x44, 0x30, 0x73, 0x84, 0xeb, 0x1f, 0xbe, 0xa1, 0xfb
    };
-    CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit_1));
+    CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit_1));
    CHECK(secp256k1_rangeproof_verify(
-        ctx,
+        CTX,
        &min_value, &max_value,
        &pc,
        vector_1, sizeof(vector_1),
@ -696,7 +698,7 @@ void test_rangeproof_fixed_vectors(void) {
    CHECK(max_value == 25586);
    CHECK(secp256k1_rangeproof_rewind(
-        ctx,
+        CTX,
        blind, &value,
        message, &m_len,
        pc.data,
@ -754,9 +756,9 @@ void test_rangeproof_fixed_vectors(void) {
    };
    static const unsigned char message_2[] = "When I see my own likeness in the depths of someone else's consciousness,  I always experience a moment of panic.";
-    CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit_2));
+    CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit_2));
    CHECK(secp256k1_rangeproof_verify(
-        ctx,
+        CTX,
        &min_value, &max_value,
        &pc,
        vector_2, sizeof(vector_2),
@ -767,7 +769,7 @@ void test_rangeproof_fixed_vectors(void) {
    CHECK(max_value == 15);
    CHECK(secp256k1_rangeproof_rewind(
-        ctx,
+        CTX,
        blind, &value,
        message, &m_len,
        pc.data,
@ -812,9 +814,9 @@ void test_rangeproof_fixed_vectors(void) {
        0xc0, 0x6b, 0x9b, 0x4c, 0x02, 0xa6, 0xc8, 0xf6, 0xc0, 0x34, 0xea, 0x35, 0x57, 0xf4, 0xe1, 0x37
    };
-    CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit_3));
+    CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit_3));
    CHECK(secp256k1_rangeproof_verify(
-        ctx,
+        CTX,
        &min_value, &max_value,
        &pc,
        vector_3, sizeof(vector_3),
@ -825,7 +827,7 @@ void test_rangeproof_fixed_vectors(void) {
    CHECK(max_value == UINT64_MAX);
    CHECK(secp256k1_rangeproof_rewind(
-        ctx,
+        CTX,
        blind, &value,
        message, &m_len,
        nonce_3,
@ -866,7 +868,7 @@ static void print_vector(int i, unsigned char *proof, size_t p_len, secp256k1_pe
    printf("unsigned char vector_%d[] = {\n", i);
    print_vector_helper(proof, p_len);
-    CHECK(secp256k1_pedersen_commitment_serialize(ctx, commit_output, commit));
+    CHECK(secp256k1_pedersen_commitment_serialize(CTX, commit_output, commit));
    printf("unsigned char commit_%d[] = {\n", i);
    print_vector_helper(commit_output, sizeof(commit_output));
 }
@ -887,9 +889,9 @@ void test_rangeproof_fixed_vectors_reproducible_helper(unsigned char *vector, si
    secp256k1_pedersen_commitment pc;
    unsigned char blind_r[32];
-    CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit));
+    CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit));
    CHECK(secp256k1_rangeproof_verify(
-        ctx,
+        CTX,
        min_value_r, max_value_r,
        &pc,
        vector, vector_len,
@ -899,7 +901,7 @@ void test_rangeproof_fixed_vectors_reproducible_helper(unsigned char *vector, si
    *m_len_r = SECP256K1_RANGEPROOF_MAX_MESSAGE_LEN;
    CHECK(secp256k1_rangeproof_rewind(
-        ctx,
+        CTX,
        blind_r, value_r,
        message_r, m_len_r,
        vector_nonce,
@ -1261,9 +1263,9 @@ void test_rangeproof_fixed_vectors_reproducible(void) {
            0xef,
        };
-        CHECK(secp256k1_pedersen_commit(ctx, &pc, vector_blind, value, secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &pc, vector_blind, value, secp256k1_generator_h));
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h));
-        CHECK(p_len <= secp256k1_rangeproof_max_size(ctx, value, min_bits));
+        CHECK(p_len <= secp256k1_rangeproof_max_size(CTX, value, min_bits));
        CHECK(p_len == sizeof(proof));
        /* Uncomment the next line to print the test vector */
        /* print_vector(0, proof, p_len, &pc); */
@ -1315,9 +1317,9 @@ void test_rangeproof_fixed_vectors_reproducible(void) {
            0x66, 0x16, 0x2e, 0x44, 0xc8, 0x65, 0x8e, 0xe6, 0x3a, 0x1a, 0x57, 0x2c, 0xb9, 0x6c, 0x07, 0x85,
            0xf0,
        };
-        CHECK(secp256k1_pedersen_commit(ctx, &pc, vector_blind, value, secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &pc, vector_blind, value, secp256k1_generator_h));
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h));
-        CHECK(p_len <= secp256k1_rangeproof_max_size(ctx, value, min_bits));
+        CHECK(p_len <= secp256k1_rangeproof_max_size(CTX, value, min_bits));
        CHECK(p_len == sizeof(proof));
        /* Uncomment the next line to print the test vector */
        /* print_vector(1, proof, p_len, &pc); */
@ -1361,9 +1363,9 @@ void test_rangeproof_fixed_vectors_reproducible(void) {
            0x70,
        };
-        CHECK(secp256k1_pedersen_commit(ctx, &pc, vector_blind, value, secp256k1_generator_h));
+        CHECK(secp256k1_pedersen_commit(CTX, &pc, vector_blind, value, secp256k1_generator_h));
-        CHECK(secp256k1_rangeproof_sign(ctx, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h));
+        CHECK(secp256k1_rangeproof_sign(CTX, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h));
-        CHECK(p_len <= secp256k1_rangeproof_max_size(ctx, value, min_bits));
+        CHECK(p_len <= secp256k1_rangeproof_max_size(CTX, value, min_bits));
        CHECK(p_len == sizeof(proof));
        /* Uncomment the next line to print the test vector */
        /* print_vector(2, proof, p_len, &pc); */
@ -1390,7 +1392,7 @@ void run_rangeproof_tests(void) {
    test_rangeproof_fixed_vectors();
    test_rangeproof_fixed_vectors_reproducible();
-    for (i = 0; i < count / 2 + 1; i++) {
+    for (i = 0; i < COUNT / 2 + 1; i++) {
        test_borromean();
    }
    test_rangeproof();
--- a/src/modules/recovery/tests_impl.h
+++ b/src/modules/recovery/tests_impl.h
@ -30,7 +30,6 @@ static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned c
 void test_ecdsa_recovery_api(void) {
    /* Setup contexts that just count errors */
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    secp256k1_pubkey pubkey;
    secp256k1_pubkey recpubkey;
    secp256k1_ecdsa_signature normal_sig;
@ -46,85 +45,86 @@ void test_ecdsa_recovery_api(void) {
                                       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                                       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
    /* Construct and verify corresponding public key. */
-    CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
+    CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
    /* Check bad contexts and NULLs for signing */
    ecount = 0;
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, NULL, message, privkey, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, NULL, message, privkey, NULL, NULL) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, NULL, privkey, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, NULL, privkey, NULL, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, NULL, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, NULL, NULL, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_sign_recoverable(sttc, &recsig, message, privkey, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_sign_recoverable(STATIC_CTX, &recsig, message, privkey, NULL, NULL) == 0);
    CHECK(ecount == 4);
    /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
-    secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, recovery_test_nonce_function, NULL);
+    secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, recovery_test_nonce_function, NULL);
    CHECK(ecount == 4);
    /* These will all fail, but not in ARG_CHECK way */
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, zero_privkey, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, zero_privkey, NULL, NULL) == 0);
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, over_privkey, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, over_privkey, NULL, NULL) == 0);
    /* This one will succeed. */
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
    CHECK(ecount == 4);
    /* Check signing with a goofy nonce function */
    /* Check bad contexts and NULLs for recovery */
    ecount = 0;
-    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &recsig, message) == 1);
+    CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, message) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdsa_recover(ctx, NULL, &recsig, message) == 0);
+    CHECK(secp256k1_ecdsa_recover(CTX, NULL, &recsig, message) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, NULL, message) == 0);
+    CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, NULL, message) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &recsig, NULL) == 0);
+    CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, NULL) == 0);
    CHECK(ecount == 3);
    /* Check NULLs for conversion */
-    CHECK(secp256k1_ecdsa_sign(ctx, &normal_sig, message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign(CTX, &normal_sig, message, privkey, NULL, NULL) == 1);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, NULL, &recsig) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, NULL, &recsig) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &normal_sig, NULL) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &normal_sig, &recsig) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, &recsig) == 1);
    /* Check NULLs for de/serialization */
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
    ecount = 0;
-    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, NULL, &recid, &recsig) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, NULL, &recid, &recsig) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, NULL, &recsig) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, NULL, &recsig) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, NULL) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recsig) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &recsig) == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, NULL, sig, recid) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, NULL, sig, recid) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, NULL, recid) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, NULL, recid) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, sig, -1) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, -1) == 0);
    CHECK(ecount == 6);
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, sig, 5) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, 5) == 0);
    CHECK(ecount == 7);
    /* overflow in signature will fail but not affect ecount */
    memcpy(sig, over_privkey, 32);
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, sig, recid) == 0);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, recid) == 0);
    CHECK(ecount == 7);
    /* cleanup */
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 void test_ecdsa_recovery_end_to_end(void) {
@ -148,40 +148,40 @@ void test_ecdsa_recovery_end_to_end(void) {
    }
    /* Construct and verify corresponding public key. */
-    CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
+    CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
    /* Serialize/parse compact and verify/recover. */
    extra[0] = 0;
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[0], message, privkey, NULL, NULL) == 1);
-    CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[4], message, privkey, NULL, NULL) == 1);
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[1], message, privkey, NULL, extra) == 1);
    extra[31] = 1;
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[2], message, privkey, NULL, extra) == 1);
    extra[31] = 0;
    extra[0] = 1;
-    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
+    CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[3], message, privkey, NULL, extra) == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
    CHECK(secp256k1_memcmp_var(&signature[4], &signature[0], 64) == 0);
-    CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
+    CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1);
    memset(&rsignature[4], 0, sizeof(rsignature[4]));
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
-    CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
+    CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1);
    /* Parse compact (with recovery id) and recover. */
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
-    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
+    CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 1);
    CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
    /* Serialize/destroy/parse signature and verify again. */
-    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1);
    sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
-    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
+    CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
-    CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
+    CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 0);
    /* Recover again */
-    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
+    CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 0 ||
          secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
 }
@ -222,14 +222,14 @@ void test_ecdsa_recovery_edge_cases(void) {
    secp256k1_ecdsa_signature sig;
    int recid;
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0));
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 0));
-    CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
+    CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1));
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 1));
-    CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
+    CHECK(secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2));
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 2));
-    CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
+    CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
-    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3));
+    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 3));
-    CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
+    CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
    for (recid = 0; recid < 4; recid++) {
        int i;
@ -274,40 +274,40 @@ void test_ecdsa_recovery_edge_cases(void) {
            0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
            0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
        };
-        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1);
+        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid) == 1);
-        CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1);
+        CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 1);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 1);
        for (recid2 = 0; recid2 < 4; recid2++) {
            secp256k1_pubkey pubkey2b;
-            CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1);
+            CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid2) == 1);
-            CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1);
+            CHECK(secp256k1_ecdsa_recover(CTX, &pubkey2b, &rsig, msg32) == 1);
            /* Verifying with (order + r,4) should always fail. */
-            CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
+            CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
-            CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
+            CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
        }
        /* DER parsing tests. */
        /* Zero length r/s. */
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
        /* Leading zeros. */
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
        sigbderalt3[4] = 1;
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
        sigbderalt4[7] = 1;
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
        /* Damage signature. */
        sigbder[7]++;
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
        sigbder[7]--;
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, 6) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder) - 1) == 0);
        for(i = 0; i < 8; i++) {
            int c;
            unsigned char orig = sigbder[i];
@ -317,7 +317,7 @@ void test_ecdsa_recovery_edge_cases(void) {
                    continue;
                }
                sigbder[i] = c;
-                CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
+                CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
            }
            sigbder[i] = orig;
        }
@ -338,33 +338,33 @@ void test_ecdsa_recovery_edge_cases(void) {
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
        };
        secp256k1_pubkey pubkeyc;
-        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
+        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
-        CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1);
+        CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyc, &rsig, msg32) == 1);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 1);
        sigcder[4] = 0;
        sigc64[31] = 0;
-        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
+        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
-        CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
+        CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0);
        sigcder[4] = 1;
        sigcder[7] = 0;
        sigc64[31] = 1;
        sigc64[63] = 0;
-        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
+        CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
-        CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
+        CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0);
-        CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
+        CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
-        CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
+        CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0);
    }
 }
 void run_recovery_tests(void) {
    int i;
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        test_ecdsa_recovery_api();
    }
-    for (i = 0; i < 64*count; i++) {
+    for (i = 0; i < 64*COUNT; i++) {
        test_ecdsa_recovery_end_to_end();
    }
    test_ecdsa_recovery_edge_cases();
--- a/src/modules/schnorrsig/tests_impl.h
+++ b/src/modules/schnorrsig/tests_impl.h
@ -72,7 +72,7 @@ void run_nonce_function_bip340_tests(void) {
    args[2] = pk;
    args[3] = algo;
    args[4] = aux_rand;
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen);
        nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen);
        nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen);
@ -90,7 +90,7 @@ void run_nonce_function_bip340_tests(void) {
    secp256k1_testrand_bytes_test(algo, algolen);
    CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        unsigned char nonce2[32];
        uint32_t offset = secp256k1_testrand_int(msglen - 1);
        size_t msglen_tmp = (msglen + offset) % msglen;
@ -128,77 +128,77 @@ void test_schnorrsig_api(void) {
    secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL};
    /** setup **/
-    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
+    int ecount = 0;
    int ecount;
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
    secp256k1_testrand256(sk1);
    secp256k1_testrand256(sk2);
    secp256k1_testrand256(sk3);
    secp256k1_testrand256(msg);
-    CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1);
-    CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1);
-    CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1);
    memset(&zero_pk, 0, sizeof(zero_pk));
    /** main test body **/
    ecount = 0;
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_schnorrsig_sign32(ctx, NULL, msg, &keypairs[0], NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, NULL, &keypairs[0], NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &invalid_keypair, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_schnorrsig_sign32(sttc, sig, msg, &keypairs[0], NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL) == 0);
    CHECK(ecount == 5);
    ecount = 0;
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1);
    CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1);
    CHECK(ecount == 4);
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_schnorrsig_sign_custom(sttc, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0);
    CHECK(ecount == 6);
    ecount = 0;
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk[0]) == 1);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_schnorrsig_verify(ctx, NULL, msg, sizeof(msg), &pk[0]) == 0);
+    CHECK(secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, NULL, sizeof(msg), &pk[0]) == 0);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, NULL, 0, &pk[0]) == 0);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), NULL) == 0);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &zero_pk) == 0);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk) == 0);
    CHECK(ecount == 4);
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
@ -220,14 +220,14 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un
    secp256k1_keypair keypair;
    secp256k1_xonly_pubkey pk, pk_expected;
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg32, &keypair, aux_rand));
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg32, &keypair, aux_rand));
    CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized));
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
    CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk));
 }
 /* Helper function for schnorrsig_bip_vectors
@ -235,8 +235,8 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un
 void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) {
    secp256k1_xonly_pubkey pk;
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized));
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized));
-    CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk));
+    CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk));
 }
 /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
@ -434,7 +434,7 @@ void test_schnorrsig_bip_vectors(void) {
        };
        secp256k1_xonly_pubkey pk_parsed;
        /* No need to check the signature of the test vector as parsing the pubkey already fails */
-        CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
+        CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
    }
    {
        /* Test vector 6 */
@ -654,7 +654,7 @@ void test_schnorrsig_bip_vectors(void) {
        };
        secp256k1_xonly_pubkey pk_parsed;
        /* No need to check the signature of the test vector as parsing the pubkey already fails */
-        CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk));
+        CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk));
    }
 }
@ -712,36 +712,36 @@ void test_schnorrsig_sign(void) {
    secp256k1_testrand256(sk);
    secp256k1_testrand256(aux_rand);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
    /* Check that deprecated alias gives the same result */
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1);
    CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
    /* Test different nonce functions */
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
    memset(sig, 1, sizeof(sig));
    extraparams.noncefp = nonce_function_failing;
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
    CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
    memset(&sig, 1, sizeof(sig));
    extraparams.noncefp = nonce_function_0;
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0);
    CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0);
    memset(&sig, 1, sizeof(sig));
    extraparams.noncefp = nonce_function_overflowing;
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk));
    /* When using the default nonce function, schnorrsig_sign_custom produces
     * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */
    extraparams.noncefp = NULL;
    extraparams.ndata = aux_rand;
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1);
    CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
 }
@ -759,13 +759,13 @@ void test_schnorrsig_sign_verify(void) {
    secp256k1_scalar s;
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk));
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair));
    for (i = 0; i < N_SIGS; i++) {
        secp256k1_testrand256(msg[i]);
-        CHECK(secp256k1_schnorrsig_sign32(ctx, sig[i], msg[i], &keypair, NULL));
+        CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL));
-        CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
+        CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk));
    }
    {
@ -775,40 +775,40 @@ void test_schnorrsig_sign_verify(void) {
        size_t byte_idx = secp256k1_testrand_bits(5);
        unsigned char xorbyte = secp256k1_testrand_int(254)+1;
        sig[sig_idx][byte_idx] ^= xorbyte;
-        CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
+        CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
        sig[sig_idx][byte_idx] ^= xorbyte;
        byte_idx = secp256k1_testrand_bits(5);
        sig[sig_idx][32+byte_idx] ^= xorbyte;
-        CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
+        CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
        sig[sig_idx][32+byte_idx] ^= xorbyte;
        byte_idx = secp256k1_testrand_bits(5);
        msg[sig_idx][byte_idx] ^= xorbyte;
-        CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
+        CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
        msg[sig_idx][byte_idx] ^= xorbyte;
        /* Check that above bitflips have been reversed correctly */
-        CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
+        CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
    }
    /* Test overflowing s */
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
    memset(&sig[0][32], 0xFF, 32);
-    CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
+    CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
    /* Test negative s */
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL));
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
    secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
    secp256k1_scalar_negate(&s, &s);
    secp256k1_scalar_get_b32(&sig[0][32], &s);
-    CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
+    CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk));
    /* The empty message can be signed & verified */
-    CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1);
    {
        /* Test varying message lengths */
@ -817,11 +817,11 @@ void test_schnorrsig_sign_verify(void) {
        for (i = 0; i < sizeof(msg_large); i += 32) {
            secp256k1_testrand256(&msg_large[i]);
        }
-        CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1);
+        CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1);
-        CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1);
+        CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1);
        /* Verification for a random wrong message length fails */
        msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large);
-        CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0);
+        CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0);
    }
 }
 #undef N_SIGS
@ -840,26 +840,26 @@ void test_schnorrsig_taproot(void) {
    /* Create output key */
    secp256k1_testrand256(sk);
-    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1);
    /* In actual taproot the tweak would be hash of internal_pk */
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1);
-    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1);
-    CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1);
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1);
    /* Key spend */
    secp256k1_testrand256(msg);
-    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1);
    /* Verify key spend */
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1);
-    CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);
+    CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1);
    /* Script spend */
-    CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1);
    /* Verify script spend */
-    CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1);
-    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1);
 }
 void run_schnorrsig_tests(void) {
@ -869,7 +869,7 @@ void run_schnorrsig_tests(void) {
    test_schnorrsig_api();
    test_schnorrsig_sha256_tagged();
    test_schnorrsig_bip_vectors();
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        test_schnorrsig_sign();
        test_schnorrsig_sign_verify();
    }
--- a/src/modules/surjection/tests_impl.h
+++ b/src/modules/surjection/tests_impl.h
@ -15,7 +15,6 @@
 static void test_surjectionproof_api(void) {
    unsigned char seed[32];
    secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static);
    secp256k1_fixed_asset_tag fixed_input_tags[10];
    secp256k1_fixed_asset_tag fixed_output_tag;
    secp256k1_generator ephemeral_input_tags[10];
@ -32,54 +31,54 @@ static void test_surjectionproof_api(void) {
    size_t i;
    secp256k1_testrand256(seed);
-    secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
-    secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
    for (i = 0; i < n_inputs; i++) {
        secp256k1_testrand256(input_blinding_key[i]);
        secp256k1_testrand256(fixed_input_tags[i].data);
-        CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i]));
+        CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i]));
    }
    secp256k1_testrand256(output_blinding_key);
    memcpy(&fixed_output_tag, &fixed_input_tags[0], sizeof(fixed_input_tags[0]));
-    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key));
+    CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key));
    /* check allocate_initialized */
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 0);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0);
    CHECK(proof_on_heap != 0);
    secp256k1_surjectionproof_destroy(proof_on_heap);
    CHECK(ecount == 0);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0);
    CHECK(proof_on_heap != 0);
    secp256k1_surjectionproof_destroy(proof_on_heap);
    CHECK(ecount == 4);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 6);
-    CHECK((secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0);
+    CHECK((secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 6);
-    CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0);
+    CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0);
    CHECK(proof_on_heap == 0);
    CHECK(ecount == 7);
@ -88,114 +87,117 @@ static void test_surjectionproof_api(void) {
    ecount = 0;
    /* check initialize */
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 0);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0);
    CHECK(ecount == 0);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0);
    CHECK(ecount == 6);
-    CHECK((secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0);
+    CHECK((secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0);
    CHECK(ecount == 6);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0);
    CHECK(ecount == 7);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0);
    /* check generate */
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0);
    CHECK(ecount == 7);
-    CHECK(secp256k1_surjectionproof_generate(sttc, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(STATIC_CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 8);
-    CHECK(secp256k1_surjectionproof_generate(ctx, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 9);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, NULL, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, NULL, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 10);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 10);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 10);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, 0, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, 0, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 10);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, NULL, 0, input_blinding_key[0], output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, NULL, 0, input_blinding_key[0], output_blinding_key) == 0);
    CHECK(ecount == 11);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 1, input_blinding_key[0], output_blinding_key) != 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 1, input_blinding_key[0], output_blinding_key) != 0);
    CHECK(ecount == 11);  /* the above line "succeeds" but generates an invalid proof as the input_index is wrong. it is fairly expensive to detect this. should we? */
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, n_inputs + 1, input_blinding_key[0], output_blinding_key) != 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, n_inputs + 1, input_blinding_key[0], output_blinding_key) != 0);
    CHECK(ecount == 11);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, NULL, output_blinding_key) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, NULL, output_blinding_key) == 0);
    CHECK(ecount == 12);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], NULL) == 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], NULL) == 0);
    CHECK(ecount == 13);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0);
    /* check verify */
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 1);
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 1);
    CHECK(ecount == 13);
-    CHECK(secp256k1_surjectionproof_verify(ctx, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0);
+    CHECK(secp256k1_surjectionproof_verify(CTX, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0);
    CHECK(ecount == 14);
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, NULL, n_inputs, &ephemeral_output_tag) == 0);
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, NULL, n_inputs, &ephemeral_output_tag) == 0);
    CHECK(ecount == 15);
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag) == 0);
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag) == 0);
    CHECK(ecount == 15);
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag) == 0);
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag) == 0);
    CHECK(ecount == 15);
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, NULL) == 0);
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, NULL) == 0);
    CHECK(ecount == 16);
    /* Test how surjectionproof_generate fails when the proof was not created
     * with surjectionproof_initialize */
    ecount = 0;
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1);
    {
        secp256k1_surjectionproof tmp_proof = proof;
        tmp_proof.n_inputs = 0;
-        CHECK(secp256k1_surjectionproof_generate(ctx, &tmp_proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
+        CHECK(secp256k1_surjectionproof_generate(CTX, &tmp_proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0);
    }
    CHECK(ecount == 1);
-    CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1);
+    CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1);
    /* Check serialize */
    ecount = 0;
    serialized_len = sizeof(serialized_proof);
-    CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) != 0);
+    CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof) != 0);
    CHECK(ecount == 0);
    serialized_len = sizeof(serialized_proof);
-    CHECK(secp256k1_surjectionproof_serialize(ctx, NULL, &serialized_len, &proof) == 0);
+    CHECK(secp256k1_surjectionproof_serialize(CTX, NULL, &serialized_len, &proof) == 0);
    CHECK(ecount == 1);
    serialized_len = sizeof(serialized_proof);
-    CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, NULL, &proof) == 0);
+    CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, NULL, &proof) == 0);
    CHECK(ecount == 2);
    serialized_len = sizeof(serialized_proof);
-    CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, NULL) == 0);
+    CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, NULL) == 0);
    CHECK(ecount == 3);
    serialized_len = sizeof(serialized_proof);
-    CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) != 0);
+    CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof) != 0);
    /* Check parse */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len) != 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof, serialized_len) != 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_surjectionproof_parse(ctx, NULL, serialized_proof, serialized_len) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, NULL, serialized_proof, serialized_len) == 0);
    CHECK(ecount == 4);
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, NULL, serialized_len) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, NULL, serialized_len) == 0);
    CHECK(ecount == 5);
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, 0) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof, 0) == 0);
    CHECK(ecount == 5);
-    secp256k1_context_destroy(sttc);
+    secp256k1_context_set_error_callback(CTX, NULL, NULL);
    secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
    secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
 }
 static void test_input_selection(size_t n_inputs) {
@ -216,50 +218,50 @@ static void test_input_selection(size_t n_inputs) {
    }
    /* cannot match output when told to use zero keys */
-    result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], try_count, seed);
+    result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], try_count, seed);
    CHECK(result == 0);
-    CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == 0);
+    CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == 0);
-    CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs);
+    CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs);
-    CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 34 + (n_inputs + 7) / 8);
+    CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 34 + (n_inputs + 7) / 8);
    if (n_inputs > 0) {
        /* succeed in 100*n_inputs tries (probability of failure e^-100) */
-        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 1, &fixed_input_tags[0], try_count, seed);
+        result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 1, &fixed_input_tags[0], try_count, seed);
        CHECK(result > 0);
        CHECK(result < n_inputs * 10);
-        CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == 1);
+        CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == 1);
-        CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs);
+        CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs);
-        CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 66 + (n_inputs + 7) / 8);
+        CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 66 + (n_inputs + 7) / 8);
        CHECK(input_index == 0);
    }
    if (n_inputs >= 3) {
        /* succeed in 10*n_inputs tries (probability of failure e^-10) */
-        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[1], try_count, seed);
+        result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[1], try_count, seed);
        CHECK(result > 0);
-        CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == 3);
+        CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == 3);
-        CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs);
+        CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs);
-        CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 130 + (n_inputs + 7) / 8);
+        CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 130 + (n_inputs + 7) / 8);
        CHECK(input_index == 1);
        /* fail, key not found */
-        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[n_inputs], try_count, seed);
+        result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[n_inputs], try_count, seed);
        CHECK(result == 0);
        /* succeed on first try when told to use all keys */
-        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], try_count, seed);
+        result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], try_count, seed);
        CHECK(result == 1);
-        CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs);
+        CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == n_inputs);
-        CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs);
+        CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs);
-        CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs + 1) + (n_inputs + 7) / 8);
+        CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 2 + 32 * (n_inputs + 1) + (n_inputs + 7) / 8);
        CHECK(input_index == 0);
        /* succeed in less than 64 tries when told to use half keys. (probability of failure 2^-64) */
-        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs / 2, &fixed_input_tags[0], 64, seed);
+        result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs / 2, &fixed_input_tags[0], 64, seed);
        CHECK(result > 0);
        CHECK(result < 64);
-        CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs / 2);
+        CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == n_inputs / 2);
-        CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs);
+        CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs);
-        CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs / 2 + 1) + (n_inputs + 7) / 8);
+        CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 2 + 32 * (n_inputs / 2 + 1) + (n_inputs + 7) / 8);
        CHECK(input_index == 0);
    }
 }
@ -278,7 +280,7 @@ static void test_input_selection_distribution_helper(const secp256k1_fixed_asset
    }
    for(j = 0; j < 10000; j++) {
        secp256k1_testrand256(seed);
-        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed);
+        result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed);
        CHECK(result > 0);
        for (i = 0; i < n_input_tags; i++) {
@ -396,11 +398,11 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) {
        } else {
            memcpy(&fixed_input_tags[i], &fixed_input_tags[key_index], sizeof(fixed_input_tags[i]));
        }
-        CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i]));
+        CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i]));
    }
    /* test */
-    result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_used, &fixed_input_tags[key_index], try_count, seed);
+    result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_used, &fixed_input_tags[key_index], try_count, seed);
    if (n_used == 0) {
        CHECK(result == 0);
        return;
@ -408,32 +410,32 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) {
    CHECK(result > 0);
    CHECK(input_index == key_index);
-    result = secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]);
+    result = secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]);
    CHECK(result == 1);
-    CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof));
+    CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof));
-    CHECK(serialized_len == secp256k1_surjectionproof_serialized_size(ctx, &proof));
+    CHECK(serialized_len == secp256k1_surjectionproof_serialized_size(CTX, &proof));
    CHECK(serialized_len == SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(n_inputs, n_used));
    /* trailing garbage */
    memcpy(&serialized_proof_trailing, &serialized_proof, serialized_len);
    serialized_proof_trailing[serialized_len] = seed[0];
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof_trailing, serialized_len + 1) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof_trailing, serialized_len + 1) == 0);
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof, serialized_len));
-    result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]);
+    result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]);
    CHECK(result == 1);
    /* various fail cases */
    if (n_inputs > 1) {
-        result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]);
+        result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]);
        CHECK(result == 0);
        /* number of entries in ephemeral_input_tags array is less than proof.n_inputs */
        n_inputs -= 1;
-        result = secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]);
+        result = secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]);
        CHECK(result == 0);
-        result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]);
+        result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]);
        CHECK(result == 0);
        n_inputs += 1;
    }
@ -441,7 +443,7 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) {
    for (i = 0; i < n_inputs; i++) {
        /* flip bit */
        proof.used_inputs[i / 8] ^= (1 << (i % 8));
-        result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]);
+        result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]);
        CHECK(result == 0);
        /* reset the bit */
        proof.used_inputs[i / 8] ^= (1 << (i % 8));
@ -477,8 +479,8 @@ static void test_no_used_inputs_verify(void) {
    /* blind fixed output tags with random blinding key */
    secp256k1_testrand256(blinding_key);
-    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key));
+    CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key));
-    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, blinding_key));
+    CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_output_tag, fixed_output_tag.data, blinding_key));
    /* create "borromean signature" which is just a hash of metadata (pubkeys, etc) in this case */
    secp256k1_generator_load(&output, &ephemeral_output_tag);
@ -487,7 +489,7 @@ static void test_no_used_inputs_verify(void) {
    secp256k1_sha256_write(&sha256_e0, proof.data, 32);
    secp256k1_sha256_finalize(&sha256_e0, proof.data);
-    result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_ephemeral_input_tags, &ephemeral_output_tag);
+    result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_ephemeral_input_tags, &ephemeral_output_tag);
    CHECK(result == 0);
 }
@ -499,7 +501,7 @@ void test_bad_serialize(void) {
    proof.n_inputs = 0;
    serialized_len = 2 + 31;
    /* e0 is one byte too short */
-    CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) == 0);
+    CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof) == 0);
 }
 void test_bad_parse(void) {
@ -509,11 +511,11 @@ void test_bad_parse(void) {
    unsigned char serialized_proof2[33] = { 0 };
    /* Missing total input count */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof0, sizeof(serialized_proof0)) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof0, sizeof(serialized_proof0)) == 0);
    /* Missing bitmap */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof1, sizeof(serialized_proof1)) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof1, sizeof(serialized_proof1)) == 0);
    /* Missing e0 value */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0);
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0);
 }
 void test_input_eq_output(void) {
@ -528,17 +530,17 @@ void test_input_eq_output(void) {
    secp256k1_testrand256(blinding_key);
    secp256k1_testrand256(entropy);
-    CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, &fixed_tag, 1, 1, &fixed_tag, 100, entropy) == 1);
+    CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, &fixed_tag, 1, 1, &fixed_tag, 100, entropy) == 1);
    CHECK(input_index == 0);
    /* Generation should fail */
-    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_tag, fixed_tag.data, blinding_key));
+    CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_tag, fixed_tag.data, blinding_key));
-    CHECK(!secp256k1_surjectionproof_generate(ctx, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key));
+    CHECK(!secp256k1_surjectionproof_generate(CTX, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key));
    /* ...even when the blinding key is zero */
    memset(blinding_key, 0, 32);
-    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_tag, fixed_tag.data, blinding_key));
+    CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_tag, fixed_tag.data, blinding_key));
-    CHECK(!secp256k1_surjectionproof_generate(ctx, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key));
+    CHECK(!secp256k1_surjectionproof_generate(CTX, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key));
 }
 void test_fixed_vectors(void) {
@ -638,53 +640,53 @@ void test_fixed_vectors(void) {
    secp256k1_generator output_tag;
    secp256k1_surjectionproof proof;
-    CHECK(secp256k1_generator_parse(ctx, &input_tags[0], tag0_ser));
+    CHECK(secp256k1_generator_parse(CTX, &input_tags[0], tag0_ser));
-    CHECK(secp256k1_generator_parse(ctx, &input_tags[1], tag1_ser));
+    CHECK(secp256k1_generator_parse(CTX, &input_tags[1], tag1_ser));
-    CHECK(secp256k1_generator_parse(ctx, &input_tags[2], tag2_ser));
+    CHECK(secp256k1_generator_parse(CTX, &input_tags[2], tag2_ser));
-    CHECK(secp256k1_generator_parse(ctx, &input_tags[3], tag3_ser));
+    CHECK(secp256k1_generator_parse(CTX, &input_tags[3], tag3_ser));
-    CHECK(secp256k1_generator_parse(ctx, &input_tags[4], tag4_ser));
+    CHECK(secp256k1_generator_parse(CTX, &input_tags[4], tag4_ser));
-    CHECK(secp256k1_generator_parse(ctx, &output_tag, output_tag_ser));
+    CHECK(secp256k1_generator_parse(CTX, &output_tag, output_tag_ser));
    /* check 1-of-1 */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total1_used1, total1_used1_len));
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &output_tag));
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 1, &output_tag));
    /* check 1-of-2 */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total2_used1, total2_used1_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total2_used1, total2_used1_len));
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 2, &output_tag));
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 2, &output_tag));
    /* check 2-of-3 */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total3_used2, total3_used2_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total3_used2, total3_used2_len));
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 3, &output_tag));
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 3, &output_tag));
    /* check 3-of-5 */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total5_used3, total5_used3_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total5_used3, total5_used3_len));
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag));
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 5, &output_tag));
    /* check 5-of-5 */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total5_used5, total5_used5_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total5_used5, total5_used5_len));
-    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag));
+    CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 5, &output_tag));
    /* check invalid length fails */
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, total5_used5, total5_used3_len));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, total5_used5, total5_used3_len));
    /* check invalid keys fail */
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len));
+    CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total1_used1, total1_used1_len));
-    CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, &input_tags[1], 1, &output_tag));
+    CHECK(!secp256k1_surjectionproof_verify(CTX, &proof, &input_tags[1], 1, &output_tag));
-    CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &input_tags[0]));
+    CHECK(!secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 1, &input_tags[0]));
    /* Try setting 6 bits on the total5-used-5; check that parsing fails */
    memcpy(bad, total5_used5, total5_used5_len);
    bad[2] = 0x3f;  /* 0x1f -> 0x3f */
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used5_len));
    /* Correct for the length */
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used5_len + 32));
    /* Alternately just turn off one of the "legit" bits */
    bad[2] = 0x37;  /* 0x1f -> 0x37 */
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used5_len));
    /* Similarly try setting 4 bits on the total5-used-3, with one bit out of range */
    memcpy(bad, total5_used3, total5_used3_len);
    bad[2] = 0x35;  /* 0x15 -> 0x35 */
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used3_len));
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used3_len + 32));
    bad[2] = 0x34;  /* 0x15 -> 0x34 */
-    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
+    CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used3_len));
 }
 void run_surjection_tests(void) {
--- a/src/modules/whitelist/tests_impl.h
+++ b/src/modules/whitelist/tests_impl.h
@ -15,21 +15,21 @@ void test_whitelist_end_to_end_internal(const unsigned char *summed_seckey, cons
        secp256k1_whitelist_signature sig;
        secp256k1_whitelist_signature sig1;
-        CHECK(secp256k1_whitelist_sign(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey, online_seckey, summed_seckey, signer_i));
+        CHECK(secp256k1_whitelist_sign(CTX, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey, online_seckey, summed_seckey, signer_i));
-        CHECK(secp256k1_whitelist_verify(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1);
+        CHECK(secp256k1_whitelist_verify(CTX, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1);
        /* Check that exchanging keys causes a failure */
-        CHECK(secp256k1_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1);
+        CHECK(secp256k1_whitelist_verify(CTX, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1);
        /* Serialization round trip */
-        CHECK(secp256k1_whitelist_signature_serialize(ctx, serialized, &slen, &sig) == 1);
+        CHECK(secp256k1_whitelist_signature_serialize(CTX, serialized, &slen, &sig) == 1);
        CHECK(slen == 33 + 32 * n_keys);
-        CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen) == 1);
+        CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen) == 1);
        /* (Check various bad-length conditions) */
-        CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen + 32) == 0);
+        CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen + 32) == 0);
-        CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen + 1) == 0);
+        CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen + 1) == 0);
-        CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen - 1) == 0);
+        CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen - 1) == 0);
-        CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, 0) == 0);
+        CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, 0) == 0);
-        CHECK(secp256k1_whitelist_verify(ctx, &sig1, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1);
+        CHECK(secp256k1_whitelist_verify(CTX, &sig1, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1);
-        CHECK(secp256k1_whitelist_verify(ctx, &sig1, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1);
+        CHECK(secp256k1_whitelist_verify(CTX, &sig1, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1);
        /* Test n_keys */
        CHECK(secp256k1_whitelist_signature_n_keys(&sig) == n_keys);
@ -37,7 +37,7 @@ void test_whitelist_end_to_end_internal(const unsigned char *summed_seckey, cons
        /* Test bad number of keys in signature */
        sig.n_keys = n_keys + 1;
-        CHECK(secp256k1_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1);
+        CHECK(secp256k1_whitelist_verify(CTX, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1);
        sig.n_keys = n_keys;
 }
@ -56,8 +56,8 @@ void test_whitelist_end_to_end(const size_t n_keys, int test_all_keys) {
    /* Start with subkey */
    random_scalar_order_test(&ssub);
    secp256k1_scalar_get_b32(csub, &ssub);
-    CHECK(secp256k1_ec_seckey_verify(ctx, csub) == 1);
+    CHECK(secp256k1_ec_seckey_verify(CTX, csub) == 1);
-    CHECK(secp256k1_ec_pubkey_create(ctx, &sub_pubkey, csub) == 1);
+    CHECK(secp256k1_ec_pubkey_create(CTX, &sub_pubkey, csub) == 1);
    /* Then offline and online whitelist keys */
    for (i = 0; i < n_keys; i++) {
        secp256k1_scalar son, soff;
@ -68,18 +68,18 @@ void test_whitelist_end_to_end(const size_t n_keys, int test_all_keys) {
        /* Create two keys */
        random_scalar_order_test(&son);
        secp256k1_scalar_get_b32(online_seckey[i], &son);
-        CHECK(secp256k1_ec_seckey_verify(ctx, online_seckey[i]) == 1);
+        CHECK(secp256k1_ec_seckey_verify(CTX, online_seckey[i]) == 1);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &online_pubkeys[i], online_seckey[i]) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &online_pubkeys[i], online_seckey[i]) == 1);
        random_scalar_order_test(&soff);
        secp256k1_scalar_get_b32(summed_seckey[i], &soff);
-        CHECK(secp256k1_ec_seckey_verify(ctx, summed_seckey[i]) == 1);
+        CHECK(secp256k1_ec_seckey_verify(CTX, summed_seckey[i]) == 1);
-        CHECK(secp256k1_ec_pubkey_create(ctx, &offline_pubkeys[i], summed_seckey[i]) == 1);
+        CHECK(secp256k1_ec_pubkey_create(CTX, &offline_pubkeys[i], summed_seckey[i]) == 1);
        /* Make summed_seckey correspond to the sum of offline_pubkey and sub_pubkey */
        secp256k1_scalar_add(&soff, &soff, &ssub);
        secp256k1_scalar_get_b32(summed_seckey[i], &soff);
-        CHECK(secp256k1_ec_seckey_verify(ctx, summed_seckey[i]) == 1);
+        CHECK(secp256k1_ec_seckey_verify(CTX, summed_seckey[i]) == 1);
    }
    /* Sign/verify with each one */
@ -124,11 +124,11 @@ void test_whitelist_bad_parse(void) {
    };
    /* Empty input */
-    CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized0, 0) == 0);
+    CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized0, 0) == 0);
    /* Misses one byte of e0 */
-    CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized1, sizeof(serialized1)) == 0);
+    CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized1, sizeof(serialized1)) == 0);
    /* Enough bytes for e0, but there is no s value */
-    CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized2, sizeof(serialized2)) == 0);
+    CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized2, sizeof(serialized2)) == 0);
 }
 void test_whitelist_bad_serialize(void) {
@ -142,17 +142,17 @@ void test_whitelist_bad_serialize(void) {
    size_t serialized_len;
    secp256k1_whitelist_signature sig;
-    CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized, sizeof(serialized)) == 1);
+    CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized, sizeof(serialized)) == 1);
    serialized_len = sizeof(serialized) - 1;
    /* Output buffer is one byte too short */
-    CHECK(secp256k1_whitelist_signature_serialize(ctx, serialized, &serialized_len, &sig) == 0);
+    CHECK(secp256k1_whitelist_signature_serialize(CTX, serialized, &serialized_len, &sig) == 0);
 }
 void run_whitelist_tests(void) {
    int i;
    test_whitelist_bad_parse();
    test_whitelist_bad_serialize();
-    for (i = 0; i < count; i++) {
+    for (i = 0; i < COUNT; i++) {
        test_whitelist_end_to_end(1, 1);
        test_whitelist_end_to_end(10, 1);
        test_whitelist_end_to_end(50, 1);
--- a/src/precompute_ecmult.c
+++ b/src/precompute_ecmult.c
@ -7,12 +7,6 @@
 #include <inttypes.h>
 #include <stdio.h>
 /* Autotools creates libsecp256k1-config.h, of which ECMULT_WINDOW_SIZE is needed.
   ifndef guard so downstream users can define their own if they do not use autotools. */
 #if !defined(ECMULT_WINDOW_SIZE)
 #include "libsecp256k1-config.h"
 #endif
 #include "../include/secp256k1.h"
 #include "assumptions.h"
@ -74,9 +68,6 @@ int main(void) {
    fprintf(fp, "/* This file contains an array secp256k1_pre_g with odd multiples of the base point G and\n");
    fprintf(fp, " * an array secp256k1_pre_g_128 with odd multiples of 2^128*G for accelerating the computation of a*P + b*G.\n");
    fprintf(fp, " */\n");
    fprintf(fp, "#if defined HAVE_CONFIG_H\n");
    fprintf(fp, "#    include \"libsecp256k1-config.h\"\n");
    fprintf(fp, "#endif\n");
    fprintf(fp, "#include \"../include/secp256k1.h\"\n");
    fprintf(fp, "#include \"group.h\"\n");
    fprintf(fp, "#include \"ecmult.h\"\n");
--- a/src/precompute_ecmult_gen.c
+++ b/src/precompute_ecmult_gen.c
@ -33,9 +33,6 @@ int main(int argc, char **argv) {
    fprintf(fp, "/* This file was automatically generated by precompute_ecmult_gen. */\n");
    fprintf(fp, "/* See ecmult_gen_impl.h for details about the contents of this file. */\n");
    fprintf(fp, "#if defined HAVE_CONFIG_H\n");
    fprintf(fp, "#    include \"libsecp256k1-config.h\"\n");
    fprintf(fp, "#endif\n");
    fprintf(fp, "#include \"../include/secp256k1.h\"\n");
    fprintf(fp, "#include \"group.h\"\n");
    fprintf(fp, "#include \"ecmult_gen.h\"\n");
--- a/src/precomputed_ecmult.c
+++ b/src/precomputed_ecmult.c
@ -2,9 +2,6 @@
 /* This file contains an array secp256k1_pre_g with odd multiples of the base point G and
 * an array secp256k1_pre_g_128 with odd multiples of 2^128*G for accelerating the computation of a*P + b*G.
 */
 #if defined HAVE_CONFIG_H
 #    include "libsecp256k1-config.h"
 #endif
 #include "../include/secp256k1.h"
 #include "group.h"
 #include "ecmult.h"
--- a/src/precomputed_ecmult_gen.c
+++ b/src/precomputed_ecmult_gen.c
@ -1,8 +1,5 @@
 /* This file was automatically generated by precompute_ecmult_gen. */
 /* See ecmult_gen_impl.h for details about the contents of this file. */
 #if defined HAVE_CONFIG_H
 #    include "libsecp256k1-config.h"
 #endif
 #include "../include/secp256k1.h"
 #include "group.h"
 #include "ecmult_gen.h"
--- a/src/scalar.h
+++ b/src/scalar.h
@ -9,10 +9,6 @@
 #include "util.h"
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #if defined(EXHAUSTIVE_TEST_ORDER)
 #include "scalar_low.h"
 #elif defined(SECP256K1_WIDEMUL_INT128)
--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@ -14,10 +14,6 @@
 #include "scalar.h"
 #include "util.h"
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #if defined(EXHAUSTIVE_TEST_ORDER)
 #include "scalar_low_impl.h"
 #elif defined(SECP256K1_WIDEMUL_INT128)
--- a/src/secp256k1.c
+++ b/src/secp256k1.c
@ -72,9 +72,10 @@ static void secp256k1_ecdsa_s2c_opening_save(secp256k1_ecdsa_s2c_opening* openin
    } \
 } while(0)
-#define ARG_CHECK_NO_RETURN(cond) do { \
+#define ARG_CHECK_VOID(cond) do { \
    if (EXPECT(!(cond), 0)) { \
        secp256k1_callback_call(&ctx->illegal_callback, #cond); \
        return; \
    } \
 } while(0)
@ -96,6 +97,15 @@ static const secp256k1_context secp256k1_context_static_ = {
 const secp256k1_context *secp256k1_context_static = &secp256k1_context_static_;
 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_static_;
 /* Helper function that determines if a context is proper, i.e., is not the static context or a copy thereof.
 *
 * This is intended for "context" functions such as secp256k1_context_clone. Function which need specific
 * features of a context should still check for these features directly. For example, a function that needs
 * ecmult_gen should directly check for the existence of the ecmult_gen context. */
 static int secp256k1_context_is_proper(const secp256k1_context* ctx) {
    return secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx);
 }
 void secp256k1_selftest(void) {
    if (!secp256k1_selftest_passes()) {
        secp256k1_callback_call(&default_error_callback, "self test failed");
@ -178,7 +188,7 @@ secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
 }
 void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
-    ARG_CHECK_NO_RETURN(ctx != secp256k1_context_static);
+    ARG_CHECK_VOID(ctx != secp256k1_context_static);
    if (ctx != NULL) {
        secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
    }
@ -192,7 +202,10 @@ void secp256k1_context_destroy(secp256k1_context* ctx) {
 }
 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
-    ARG_CHECK_NO_RETURN(ctx != secp256k1_context_static);
+    /* We compare pointers instead of checking secp256k1_context_is_proper() here
       because setting callbacks is allowed on *copies* of the static context:
       it's harmless and makes testing easier. */
    ARG_CHECK_VOID(ctx != secp256k1_context_static);
    if (fun == NULL) {
        fun = secp256k1_default_illegal_callback_fn;
    }
@ -201,7 +214,10 @@ void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(
 }
 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
-    ARG_CHECK_NO_RETURN(ctx != secp256k1_context_static);
+    /* We compare pointers instead of checking secp256k1_context_is_proper() here
       because setting callbacks is allowed on *copies* of the static context:
       it's harmless and makes testing easier. */
    ARG_CHECK_VOID(ctx != secp256k1_context_static);
    if (fun == NULL) {
        fun = secp256k1_default_error_callback_fn;
    }
--- a/src/testrand.h
+++ b/src/testrand.h
@ -7,10 +7,6 @@
 #ifndef SECP256K1_TESTRAND_H
 #define SECP256K1_TESTRAND_H
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 /* A non-cryptographic RNG used only for test infrastructure. */
 /** Seed the pseudorandom number generator for testing. */
--- a/src/tests.c
+++ b/src/tests.c
--- a/src/tests_exhaustive.c
+++ b/src/tests_exhaustive.c
@ -4,10 +4,6 @@
 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
 ***********************************************************************/
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
--- a/src/util.h
+++ b/src/util.h
@ -7,10 +7,6 @@
 #ifndef SECP256K1_UTIL_H
 #define SECP256K1_UTIL_H
 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
 #endif
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>