Remove repeated schnorr flag from travis config

Merge pull request #118 from jonasnick/clarify-rangeproof-rewind
rangeproof: clarify rewind outlen argument
2021-01-05 16:09:04 -08:00 · 2021-01-05 19:16:09 +00:00 · 2021-01-05 13:42:58 +00:00 · 2021-01-04 14:56:47 +01:00 · 2020-12-21 20:50:19 +00:00 · 2020-12-21 20:50:19 +00:00
107 changed files with 7949 additions and 4894 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ bench_internal
 tests
 exhaustive_tests
 gen_context
+valgrind_ctime_test
 *.exe
 *.so
 *.a
@@ -32,6 +33,8 @@ libtool
 *.lo
 *.o
 *~
+*.log
+*.trs
 src/libsecp256k1-config.h
 src/libsecp256k1-config.h.in
 src/ecmult_static_context.h
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,70 +1,112 @@
 language: c
-os: linux
+os:
+  - linux
+  - osx
+
+dist: bionic
+# Valgrind currently supports upto macOS 10.13, the latest xcode of that version is 10.1
+osx_image: xcode10.1
 addons:
  apt:
-    packages: libgmp-dev
+    packages:
+      - libgmp-dev
+      - valgrind
+      - libtool-bin
 compiler:
  - clang
  - gcc
-cache:
-  directories:
-  - src/java/guava/
 env:
  global:
-    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  EXPERIMENTAL=no  JNI=no GENERATOR=no RANGEPROOF=no WHITELIST=no
-    - GUAVA_URL=https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar GUAVA_JAR=src/java/guava/guava-18.0.jar
+    - WIDEMUL=auto  BIGNUM=auto  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  WITH_VALGRIND=yes RUN_VALGRIND=no EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no ECDSA_S2C=no EXPERIMENTAL=no CTIMETEST=yes BENCH=yes ITERS=2 GENERATOR=no RANGEPROOF=no WHITELIST=no SCHNORRSIG=no MUSIG=no
  matrix:
-    - SCALAR=32bit    FIELD=32bit       EXPERIMENTAL=yes RANGEPROOF=yes WHITELIST=yes GENERATOR=yes
-    - FIELD=64bit     EXPERIMENTAL=yes RANGEPROOF=yes WHITELIST=yes GENERATOR=yes
-    - SCALAR=32bit    RECOVERY=yes
-    - SCALAR=32bit    FIELD=32bit       ECDH=yes  EXPERIMENTAL=yes
-    - SCALAR=64bit
-    - FIELD=64bit     RECOVERY=yes
-    - FIELD=64bit     ENDOMORPHISM=yes
-    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes EXPERIMENTAL=yes
-    - FIELD=64bit                       ASM=x86_64
-    - FIELD=64bit     ENDOMORPHISM=yes  ASM=x86_64
-    - FIELD=32bit     ENDOMORPHISM=yes
+    - WIDEMUL=int64   EXPERIMENTAL=yes RANGEPROOF=yes WHITELIST=yes GENERATOR=yes SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int128  EXPERIMENTAL=yes RANGEPROOF=yes WHITELIST=yes GENERATOR=yes  SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int64   RECOVERY=yes
+    - WIDEMUL=int64   ECDH=yes  EXPERIMENTAL=yes ECDSA_S2C=yes SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int128
+    - WIDEMUL=int128  RECOVERY=yes EXPERIMENTAL=yes ECDSA_S2C=yes SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int128  ECDH=yes EXPERIMENTAL=yes ECDSA_S2C=yes SCHNORRSIG=yes MUSIG=yes
+    - WIDEMUL=int128                    ASM=x86_64
    - BIGNUM=no
-    - BIGNUM=no       ENDOMORPHISM=yes RECOVERY=yes EXPERIMENTAL=yes
+    - BIGNUM=no       RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes
+    - BIGNUM=no       RECOVERY=yes EXPERIMENTAL=yes ECDSA_S2C=yes SCHNORRSIG=yes MUSIG=yes
    - BIGNUM=no       STATICPRECOMPUTATION=no
-    - BUILD=distcheck
-    - EXTRAFLAGS=CPPFLAGS=-DDETERMINISTIC
-    - EXTRAFLAGS=CFLAGS=-O0
-    - BUILD=check-java JNI=yes ECDH=yes EXPERIMENTAL=yes
+    - BUILD=distcheck WITH_VALGRIND=no CTIMETEST=no BENCH=no
+    - CPPFLAGS=-DDETERMINISTIC
+    - CFLAGS=-O0 CTIMETEST=no
+    - CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" LDFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" BIGNUM=no ASM=x86_64 ECDH=yes RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes CTIMETEST=no
+    - ECMULTGENPRECISION=2
+    - ECMULTGENPRECISION=8
+    - RUN_VALGRIND=yes BIGNUM=no ASM=x86_64 ECDH=yes  RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes EXTRAFLAGS="--disable-openssl-tests" BUILD=
 matrix:
  fast_finish: true
  include:
    - compiler: clang
-      env: HOST=i686-linux-gnu ENDOMORPHISM=yes
+      os: linux
+      env: HOST=i686-linux-gnu
      addons:
        apt:
          packages:
            - gcc-multilib
            - libgmp-dev:i386
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
    - compiler: clang
      env: HOST=i686-linux-gnu
+      os: linux
      addons:
        apt:
          packages:
            - gcc-multilib
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
    - compiler: gcc
-      env: HOST=i686-linux-gnu ENDOMORPHISM=yes
+      env: HOST=i686-linux-gnu
+      os: linux
      addons:
        apt:
          packages:
            - gcc-multilib
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
    - compiler: gcc
+      os: linux
      env: HOST=i686-linux-gnu
      addons:
        apt:
          packages:
            - gcc-multilib
            - libgmp-dev:i386
-before_install: mkdir -p `dirname $GUAVA_JAR`
-install: if [ ! -f $GUAVA_JAR ]; then wget $GUAVA_URL -O $GUAVA_JAR; fi
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
+    # S390x build (big endian system)
+    - compiler: gcc
+      env: HOST=s390x-unknown-linux-gnu ECDH=yes RECOVERY=yes EXPERIMENTAL=yes SCHNORRSIG=yes MUSIG=yes CTIMETEST=
+      arch: s390x
+
+# We use this to install macOS dependencies instead of the built in `homebrew` plugin,
+# because in xcode earlier than 11 they have a bug requiring updating the system which overall takes ~8 minutes.
+# https://travis-ci.community/t/macos-build-fails-because-of-homebrew-bundle-unknown-command/7296
+before_install:
+ - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install gmp valgrind gcc@9; fi
+
 before_script: ./autogen.sh
+
+# travis auto terminates jobs that go for 10 minutes without printing to stdout, but travis_wait doesn't work well with forking programs like valgrind (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received https://github.com/bitcoin-core/secp256k1/pull/750#issuecomment-623476860)
 script:
- - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
- - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-module-rangeproof=$RANGEPROOF --enable-module-whitelist=$WHITELIST --enable-module-generator=$GENERATOR --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
+  - function keep_alive() { while true; do echo -en "\a"; sleep 60; done }
+  - keep_alive &
+  - ./contrib/travis.sh
+  - kill %keep_alive
+
+after_script:
+    - cat ./tests.log
+    - cat ./exhaustive_tests.log
+    - cat ./valgrind_ctime_test.log
+    - cat ./bench.log
+    - $CC --version
+    - valgrind --version
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,12 +1,6 @@
 ACLOCAL_AMFLAGS = -I build-aux/m4

 lib_LTLIBRARIES = libsecp256k1.la
-if USE_JNI
-JNI_LIB = libsecp256k1_jni.la
-noinst_LTLIBRARIES = $(JNI_LIB)
-else
-JNI_LIB =
-endif
 include_HEADERS = include/secp256k1.h
 include_HEADERS += include/secp256k1_preallocated.h
 noinst_HEADERS =
@@ -22,6 +16,8 @@ noinst_HEADERS += src/group.h
 noinst_HEADERS += src/group_impl.h
 noinst_HEADERS += src/num_gmp.h
 noinst_HEADERS += src/num_gmp_impl.h
+noinst_HEADERS += src/eccommit.h
+noinst_HEADERS += src/eccommit_impl.h
 noinst_HEADERS += src/ecdsa.h
 noinst_HEADERS += src/ecdsa_impl.h
 noinst_HEADERS += src/eckey.h
@@ -40,11 +36,11 @@ noinst_HEADERS += src/field_5x52.h
 noinst_HEADERS += src/field_5x52_impl.h
 noinst_HEADERS += src/field_5x52_int128_impl.h
 noinst_HEADERS += src/field_5x52_asm_impl.h
-noinst_HEADERS += src/java/org_bitcoin_NativeSecp256k1.h
-noinst_HEADERS += src/java/org_bitcoin_Secp256k1Context.h
+noinst_HEADERS += src/assumptions.h
 noinst_HEADERS += src/util.h
 noinst_HEADERS += src/scratch.h
 noinst_HEADERS += src/scratch_impl.h
+noinst_HEADERS += src/selftest.h
 noinst_HEADERS += src/testrand.h
 noinst_HEADERS += src/testrand_impl.h
 noinst_HEADERS += src/hash.h
@@ -75,16 +71,19 @@ endif

 libsecp256k1_la_SOURCES = src/secp256k1.c
 libsecp256k1_la_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES)
-libsecp256k1_la_LIBADD = $(JNI_LIB) $(SECP_LIBS) $(COMMON_LIB)
+libsecp256k1_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB)

-libsecp256k1_jni_la_SOURCES  = src/java/org_bitcoin_NativeSecp256k1.c src/java/org_bitcoin_Secp256k1Context.c
-libsecp256k1_jni_la_CPPFLAGS = -DSECP256K1_BUILD $(JNI_INCLUDES)
+if VALGRIND_ENABLED
+libsecp256k1_la_CPPFLAGS += -DVALGRIND
+endif

 noinst_PROGRAMS =
 if USE_BENCHMARK
 noinst_PROGRAMS += bench_verify bench_sign bench_internal bench_ecmult
 bench_verify_SOURCES = src/bench_verify.c
 bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
+# SECP_TEST_INCLUDES are only used here for CRYPTO_CPPFLAGS
+bench_verify_CPPFLAGS = -DSECP256K1_BUILD $(SECP_TEST_INCLUDES)
 bench_sign_SOURCES = src/bench_sign.c
 bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
 bench_internal_SOURCES = src/bench_internal.c
@@ -100,6 +99,12 @@ if USE_TESTS
 noinst_PROGRAMS += tests
 tests_SOURCES = src/tests.c
 tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src -I$(top_srcdir)/include $(SECP_INCLUDES) $(SECP_TEST_INCLUDES)
+if VALGRIND_ENABLED
+tests_CPPFLAGS += -DVALGRIND
+noinst_PROGRAMS += valgrind_ctime_test
+valgrind_ctime_test_SOURCES = src/valgrind_ctime_test.c
+valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_LIBS) $(COMMON_LIB)
+endif
 if !ENABLE_COVERAGE
 tests_CPPFLAGS += -DVERIFY
 endif
@@ -120,42 +125,12 @@ exhaustive_tests_LDFLAGS = -static
 TESTS += exhaustive_tests
 endif

-JAVAROOT=src/java
-JAVAORG=org/bitcoin
-JAVA_GUAVA=$(srcdir)/$(JAVAROOT)/guava/guava-18.0.jar
-CLASSPATH_ENV=CLASSPATH=$(JAVA_GUAVA)
-JAVA_FILES= \
-  $(JAVAROOT)/$(JAVAORG)/NativeSecp256k1.java \
-  $(JAVAROOT)/$(JAVAORG)/NativeSecp256k1Test.java \
-  $(JAVAROOT)/$(JAVAORG)/NativeSecp256k1Util.java \
-  $(JAVAROOT)/$(JAVAORG)/Secp256k1Context.java
-
-if USE_JNI
-
-$(JAVA_GUAVA):
-	@echo Guava is missing. Fetch it via: \
-	wget https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar -O $(@)
-	@false
-
-.stamp-java: $(JAVA_FILES)
-	@echo   Compiling $^
-	$(AM_V_at)$(CLASSPATH_ENV) javac $^
-	@touch $@
-
-if USE_TESTS
-
-check-java: libsecp256k1.la $(JAVA_GUAVA) .stamp-java
-	$(AM_V_at)java -Djava.library.path="./:./src:./src/.libs:.libs/" -cp "$(JAVA_GUAVA):$(JAVAROOT)" $(JAVAORG)/NativeSecp256k1Test
-
-endif
-endif
-
 if USE_ECMULT_STATIC_PRECOMPUTATION
-CPPFLAGS_FOR_BUILD +=-I$(top_srcdir)
+CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) -I$(builddir)/src

 gen_context_OBJECTS = gen_context.o
 gen_context_BIN = gen_context$(BUILD_EXEEXT)
-gen_%.o: src/gen_%.c
+gen_%.o: src/gen_%.c src/libsecp256k1-config.h
 	$(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@

 $(gen_context_BIN): $(gen_context_OBJECTS)
@@ -169,19 +144,15 @@ $(bench_ecmult_OBJECTS): src/ecmult_static_context.h
 src/ecmult_static_context.h: $(gen_context_BIN)
 	./$(gen_context_BIN)

-CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h $(JAVAROOT)/$(JAVAORG)/*.class .stamp-java
+CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h
 endif

-EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h $(JAVA_FILES)
+EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h

 if ENABLE_MODULE_ECDH
 include src/modules/ecdh/Makefile.am.include
 endif

-if ENABLE_MODULE_SCHNORRSIG
-include src/modules/schnorrsig/Makefile.am.include
-endif
-
 if ENABLE_MODULE_MUSIG
 include src/modules/musig/Makefile.am.include
 endif
@@ -205,3 +176,16 @@ endif
 if ENABLE_MODULE_SURJECTIONPROOF
 include src/modules/surjection/Makefile.am.include
 endif
+
+if ENABLE_MODULE_EXTRAKEYS
+include src/modules/extrakeys/Makefile.am.include
+endif
+
+if ENABLE_MODULE_SCHNORRSIG
+include src/modules/schnorrsig/Makefile.am.include
+endif
+
+if ENABLE_MODULE_ECDSA_S2C
+include src/modules/ecdsa_s2c/Makefile.am.include
+endif
+
--- a/README.md
+++ b/README.md
@@ -3,17 +3,22 @@ libsecp256k1

 [![Build Status](https://travis-ci.org/bitcoin-core/secp256k1.svg?branch=master)](https://travis-ci.org/bitcoin-core/secp256k1)

-Optimized C library for EC operations on curve secp256k1.
+Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.

-This library is a work in progress and is being used to research best practices. Use at your own risk.
+This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.

 Features:
 * secp256k1 ECDSA signing/verification and key generation.
-* Adding/multiplying private/public keys.
-* Serialization/parsing of private keys, public keys, signatures.
-* Constant time, constant memory access signing and pubkey generation.
-* Derandomized DSA (via RFC6979 or with a caller provided function.)
+* Additive and multiplicative tweaking of secret/public keys.
+* Serialization/parsing of secret keys, public keys, signatures.
+* Constant time, constant memory access signing and public key generation.
+* Derandomized ECDSA (via RFC6979 or with a caller provided function.)
 * Very efficient implementation.
+* Suitable for embedded systems.
+* Optional module for public key recovery.
+* Optional module for ECDH key exchange.
+
+Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.

 Implementation details
 ----------------------
@@ -23,11 +28,12 @@ Implementation details
  * Extensive testing infrastructure.
  * Structured to facilitate review and analysis.
  * Intended to be portable to any system with a C89 compiler and uint64_t support.
+  * No use of floating types.
  * Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
 * Field operations
  * Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
    * Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
-    * Using 10 26-bit limbs.
+    * Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
  * Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
 * Scalar operations
  * Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
@@ -42,14 +48,14 @@ Implementation details
  * Use wNAF notation for point multiplicands.
  * Use a much larger window for multiples of G, using precomputed multiples.
  * Use Shamir's trick to do the multiplication with the public key and the generator simultaneously.
-  * Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
+  * Use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
 * Point multiplication for signing
  * Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
  * Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
    * Access the table with branch-free conditional moves so memory access is uniform.
    * No data-dependent branches
  * Optional runtime blinding which attempts to frustrate differential power analysis.
-  * The precomputed tables add and eventually subtract points for which no known scalar (private key) is known, preventing even an attacker with control over the private key used to control the data internally.
+  * The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.

 Build steps
 -----------
@@ -59,5 +65,40 @@ libsecp256k1 is built using autotools:
    $ ./autogen.sh
    $ ./configure
    $ make
-    $ ./tests
+    $ make check
    $ sudo make install  # optional
+
+Exhaustive tests
+-----------
+
+    $ ./exhaustive_tests
+
+With valgrind, you might need to increase the max stack size:
+
+    $ valgrind --max-stackframe=2500000 ./exhaustive_tests
+
+Test coverage
+-----------
+
+This library aims to have full coverage of the reachable lines and branches.
+
+To create a test coverage report, configure with `--enable-coverage` (use of GCC is necessary):
+
+    $ ./configure --enable-coverage
+
+Run the tests:
+
+    $ make check
+
+To create a report, `gcovr` is recommended, as it includes branch coverage reporting:
+
+    $ gcovr --exclude 'src/bench*' --print-summary
+
+To create a HTML report with coloured and annotated source code:
+
+    $ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html
+
+Reporting a vulnerability
+------------
+
+See [SECURITY.md](SECURITY.md)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+To report security issues send an email to secp256k1-security@bitcoincore.org (not for support).
+
+The following keys may be used to communicate sensitive information to developers:
+
+| Name | Fingerprint |
+|------|-------------|
+| Pieter Wuille | 133E AC17 9436 F14A 5CF1  B794 860F EB80 4E66 9320 |
+| Andrew Poelstra | 699A 63EF C17A D3A9 A34C  FFC0 7AD0 A91C 40BD 0091 |
+| Tim Ruffing | 09E0 3F87 1092 E40E 106E  902B 33BC 86AB 80FF 5516 |
+
+You can import a key by running the following command with that individual’s fingerprint: `gpg --recv-keys "<fingerprint>"` Ensure that you put quotes around fingerprints containing spaces.
--- a/3
+++ b/3
@@ -1,3 +0,0 @@
-* Unit tests for fieldelem/groupelem, including ones intended to
-  trigger fieldelem's boundary cases.
-* Complete constant-time operations for signing/keygen
--- a/build-aux/m4/ax_jni_include_dir.m4
+++ b/build-aux/m4/ax_jni_include_dir.m4
@@ -1,145 +0,0 @@
-# ===========================================================================
-#    https://www.gnu.org/software/autoconf-archive/ax_jni_include_dir.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-#   AX_JNI_INCLUDE_DIR
-#
-# DESCRIPTION
-#
-#   AX_JNI_INCLUDE_DIR finds include directories needed for compiling
-#   programs using the JNI interface.
-#
-#   JNI include directories are usually in the Java distribution. This is
-#   deduced from the value of $JAVA_HOME, $JAVAC, or the path to "javac", in
-#   that order. When this macro completes, a list of directories is left in
-#   the variable JNI_INCLUDE_DIRS.
-#
-#   Example usage follows:
-#
-#     AX_JNI_INCLUDE_DIR
-#
-#     for JNI_INCLUDE_DIR in $JNI_INCLUDE_DIRS
-#     do
-#             CPPFLAGS="$CPPFLAGS -I$JNI_INCLUDE_DIR"
-#     done
-#
-#   If you want to force a specific compiler:
-#
-#   - at the configure.in level, set JAVAC=yourcompiler before calling
-#   AX_JNI_INCLUDE_DIR
-#
-#   - at the configure level, setenv JAVAC
-#
-#   Note: This macro can work with the autoconf M4 macros for Java programs.
-#   This particular macro is not part of the original set of macros.
-#
-# LICENSE
-#
-#   Copyright (c) 2008 Don Anderson <dda@sleepycat.com>
-#
-#   Copying and distribution of this file, with or without modification, are
-#   permitted in any medium without royalty provided the copyright notice
-#   and this notice are preserved. This file is offered as-is, without any
-#   warranty.
-
-#serial 14
-
-AU_ALIAS([AC_JNI_INCLUDE_DIR], [AX_JNI_INCLUDE_DIR])
-AC_DEFUN([AX_JNI_INCLUDE_DIR],[
-
-JNI_INCLUDE_DIRS=""
-
-if test "x$JAVA_HOME" != x; then
-	_JTOPDIR="$JAVA_HOME"
-else
-	if test "x$JAVAC" = x; then
-		JAVAC=javac
-	fi
-	AC_PATH_PROG([_ACJNI_JAVAC], [$JAVAC], [no])
-	if test "x$_ACJNI_JAVAC" = xno; then
-		AC_MSG_WARN([cannot find JDK; try setting \$JAVAC or \$JAVA_HOME])
-	fi
-	_ACJNI_FOLLOW_SYMLINKS("$_ACJNI_JAVAC")
-	_JTOPDIR=`echo "$_ACJNI_FOLLOWED" | sed -e 's://*:/:g' -e 's:/[[^/]]*$::'`
-fi
-
-case "$host_os" in
-        darwin*)        # Apple Java headers are inside the Xcode bundle.
-            macos_version=$(sw_vers -productVersion | sed -n -e 's/^@<:@0-9@:>@*.\(@<:@0-9@:>@*\).@<:@0-9@:>@*/\1/p')
-            if @<:@ "$macos_version" -gt "7" @:>@; then
-                _JTOPDIR="$(xcrun --show-sdk-path)/System/Library/Frameworks/JavaVM.framework"
-                _JINC="$_JTOPDIR/Headers"
-            else
-                _JTOPDIR="/System/Library/Frameworks/JavaVM.framework"
-                _JINC="$_JTOPDIR/Headers"
-            fi
-            ;;
-        *) _JINC="$_JTOPDIR/include";;
-esac
-_AS_ECHO_LOG([_JTOPDIR=$_JTOPDIR])
-_AS_ECHO_LOG([_JINC=$_JINC])
-
-# On Mac OS X 10.6.4, jni.h is a symlink:
-# /System/Library/Frameworks/JavaVM.framework/Versions/Current/Headers/jni.h
-# -> ../../CurrentJDK/Headers/jni.h.
-AC_CACHE_CHECK(jni headers, ac_cv_jni_header_path,
-[
-  if test -f "$_JINC/jni.h"; then
-    ac_cv_jni_header_path="$_JINC"
-    JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path"
-  else
-    _JTOPDIR=`echo "$_JTOPDIR" | sed -e 's:/[[^/]]*$::'`
-    if test -f "$_JTOPDIR/include/jni.h"; then
-      ac_cv_jni_header_path="$_JTOPDIR/include"
-      JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path"
-    else
-      ac_cv_jni_header_path=none
-    fi
-  fi
-])
-
-# get the likely subdirectories for system specific java includes
-case "$host_os" in
-bsdi*)          _JNI_INC_SUBDIRS="bsdos";;
-freebsd*)       _JNI_INC_SUBDIRS="freebsd";;
-darwin*)        _JNI_INC_SUBDIRS="darwin";;
-linux*)         _JNI_INC_SUBDIRS="linux genunix";;
-osf*)           _JNI_INC_SUBDIRS="alpha";;
-solaris*)       _JNI_INC_SUBDIRS="solaris";;
-mingw*)		_JNI_INC_SUBDIRS="win32";;
-cygwin*)	_JNI_INC_SUBDIRS="win32";;
-*)              _JNI_INC_SUBDIRS="genunix";;
-esac
-
-if test "x$ac_cv_jni_header_path" != "xnone"; then
-  # add any subdirectories that are present
-  for JINCSUBDIR in $_JNI_INC_SUBDIRS
-  do
-    if test -d "$_JTOPDIR/include/$JINCSUBDIR"; then
-         JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $_JTOPDIR/include/$JINCSUBDIR"
-    fi
-  done
-fi
-])
-
-# _ACJNI_FOLLOW_SYMLINKS <path>
-# Follows symbolic links on <path>,
-# finally setting variable _ACJNI_FOLLOWED
-# ----------------------------------------
-AC_DEFUN([_ACJNI_FOLLOW_SYMLINKS],[
-# find the include directory relative to the javac executable
-_cur="$1"
-while ls -ld "$_cur" 2>/dev/null | grep " -> " >/dev/null; do
-        AC_MSG_CHECKING([symlink for $_cur])
-        _slink=`ls -ld "$_cur" | sed 's/.* -> //'`
-        case "$_slink" in
-        /*) _cur="$_slink";;
-        # 'X' avoids triggering unwanted echo options.
-        *) _cur=`echo "X$_cur" | sed -e 's/^X//' -e 's:[[^/]]*$::'`"$_slink";;
-        esac
-        AC_MSG_RESULT([$_cur])
-done
-_ACJNI_FOLLOWED="$_cur"
-])# _ACJNI
--- a/build-aux/m4/bitcoin_secp.m4
+++ b/build-aux/m4/bitcoin_secp.m4
@@ -1,8 +1,3 @@
-dnl libsecp25k1 helper checks
-AC_DEFUN([SECP_INT128_CHECK],[
-has_int128=$ac_cv_type___int128
-])
-
 dnl escape "$0x" below using the m4 quadrigaph @S|@, and escape it again with a \ for the shell.
 AC_DEFUN([SECP_64BIT_ASM_CHECK],[
 AC_MSG_CHECKING(for x86_64 assembly availability)
@@ -38,19 +33,45 @@ AC_DEFUN([SECP_OPENSSL_CHECK],[
  fi
 if test x"$has_libcrypto" = x"yes" && test x"$has_openssl_ec" = x; then
  AC_MSG_CHECKING(for EC functions in libcrypto)
+  CPPFLAGS_TEMP="$CPPFLAGS"
+  CPPFLAGS="$CRYPTO_CPPFLAGS $CPPFLAGS"
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+    #include <openssl/bn.h>
    #include <openssl/ec.h>
    #include <openssl/ecdsa.h>
    #include <openssl/obj_mac.h>]],[[
-    EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_secp256k1);
-    ECDSA_sign(0, NULL, 0, NULL, NULL, eckey);
+    # if OPENSSL_VERSION_NUMBER < 0x10100000L
+    void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {(void)sig->r; (void)sig->s;}
+    # endif
+
+    unsigned int zero = 0;
+    const unsigned char *zero_ptr = (unsigned char*)&zero;
+    EC_KEY_free(EC_KEY_new_by_curve_name(NID_secp256k1));
+    EC_KEY *eckey = EC_KEY_new();
+    EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp256k1);
+    EC_KEY_set_group(eckey, group);
+    ECDSA_sign(0, NULL, 0, NULL, &zero, eckey);
    ECDSA_verify(0, NULL, 0, NULL, 0, eckey);
+    o2i_ECPublicKey(&eckey, &zero_ptr, 0);
+    d2i_ECPrivateKey(&eckey, &zero_ptr, 0);
+    EC_KEY_check_key(eckey);
    EC_KEY_free(eckey);
+    EC_GROUP_free(group);
    ECDSA_SIG *sig_openssl;
    sig_openssl = ECDSA_SIG_new();
+    d2i_ECDSA_SIG(&sig_openssl, &zero_ptr, 0);
+    i2d_ECDSA_SIG(sig_openssl, NULL);
+    ECDSA_SIG_get0(sig_openssl, NULL, NULL);
    ECDSA_SIG_free(sig_openssl);
+    const BIGNUM *bignum = BN_value_one();
+    BN_is_negative(bignum);
+    BN_num_bits(bignum);
+    if (sizeof(zero) >= BN_num_bytes(bignum)) {
+        BN_bn2bin(bignum, (unsigned char*)&zero);
+    }
  ]])],[has_openssl_ec=yes],[has_openssl_ec=no])
  AC_MSG_RESULT([$has_openssl_ec])
+  CPPFLAGS="$CPPFLAGS_TEMP"
 fi
 ])

--- a/configure.ac
+++ b/configure.ac
@@ -7,6 +7,11 @@ AH_TOP([#ifndef LIBSECP256K1_CONFIG_H])
 AH_TOP([#define LIBSECP256K1_CONFIG_H])
 AH_BOTTOM([#endif /*LIBSECP256K1_CONFIG_H*/])
 AM_INIT_AUTOMAKE([foreign subdir-objects])
+
+# Set -g if CFLAGS are not already set, which matches the default autoconf
+# behavior (see PROG_CC in the Autoconf manual) with the exception that we don't
+# set -O2 here because we set it in any case (see further down).
+: ${CFLAGS="-g"}
 LT_INIT

 dnl make the compilation flags quiet unless V=1 is used
@@ -19,10 +24,6 @@ AC_PATH_TOOL(RANLIB, ranlib)
 AC_PATH_TOOL(STRIP, strip)
 AX_PROG_CC_FOR_BUILD

-if test "x$CFLAGS" = "x"; then
-  CFLAGS="-g"
-fi
-
 AM_PROG_CC_C_O

 AC_PROG_CC_C89
@@ -45,6 +46,7 @@ case $host_os in
         if test x$openssl_prefix != x; then
           PKG_CONFIG_PATH="$openssl_prefix/lib/pkgconfig:$PKG_CONFIG_PATH"
           export PKG_CONFIG_PATH
+           CRYPTO_CPPFLAGS="-I$openssl_prefix/include"
         fi
         if test x$gmp_prefix != x; then
           GMP_CPPFLAGS="-I$gmp_prefix/include"
@@ -63,11 +65,11 @@ case $host_os in
   ;;
 esac

-CFLAGS="$CFLAGS -W"
+CFLAGS="-W $CFLAGS"

-warn_CFLAGS="-std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wno-unused-function -Wno-long-long -Wno-overlength-strings"
+warn_CFLAGS="-std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Wno-unused-function -Wno-long-long -Wno-overlength-strings"
 saved_CFLAGS="$CFLAGS"
-CFLAGS="$CFLAGS $warn_CFLAGS"
+CFLAGS="$warn_CFLAGS $CFLAGS"
 AC_MSG_CHECKING([if ${CC} supports ${warn_CFLAGS}])
 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])],
    [ AC_MSG_RESULT([yes]) ],
@@ -76,7 +78,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])],
    ])

 saved_CFLAGS="$CFLAGS"
-CFLAGS="$CFLAGS -fvisibility=hidden"
+CFLAGS="-fvisibility=hidden $CFLAGS"
 AC_MSG_CHECKING([if ${CC} supports -fvisibility=hidden])
 AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])],
    [ AC_MSG_RESULT([yes]) ],
@@ -114,26 +116,16 @@ AC_ARG_ENABLE(exhaustive_tests,
    [use_exhaustive_tests=$enableval],
    [use_exhaustive_tests=yes])

-AC_ARG_ENABLE(endomorphism,
-    AS_HELP_STRING([--enable-endomorphism],[enable endomorphism [default=no]]),
-    [use_endomorphism=$enableval],
-    [use_endomorphism=no])
-
 AC_ARG_ENABLE(ecmult_static_precomputation,
    AS_HELP_STRING([--enable-ecmult-static-precomputation],[enable precomputed ecmult table for signing [default=auto]]),
    [use_ecmult_static_precomputation=$enableval],
    [use_ecmult_static_precomputation=auto])

 AC_ARG_ENABLE(module_ecdh,
-    AS_HELP_STRING([--enable-module-ecdh],[enable ECDH shared secret computation (experimental)]),
+    AS_HELP_STRING([--enable-module-ecdh],[enable ECDH shared secret computation]),
    [enable_module_ecdh=$enableval],
    [enable_module_ecdh=no])

-AC_ARG_ENABLE(module_schnorrsig,
-    AS_HELP_STRING([--enable-module-schnorrsig],[enable schnorrsig module (experimental)]),
-    [enable_module_schnorrsig=$enableval],
-    [enable_module_schnorrsig=no])
-
 AC_ARG_ENABLE(module_musig,
    AS_HELP_STRING([--enable-module-musig],[enable MuSig module (experimental)]),
    [enable_module_musig=$enableval],
@@ -159,50 +151,85 @@ AC_ARG_ENABLE(module_whitelist,
    [enable_module_whitelist=$enableval],
    [enable_module_whitelist=no])

+AC_ARG_ENABLE(module_extrakeys,
+    AS_HELP_STRING([--enable-module-extrakeys],[enable extrakeys module (experimental)]),
+    [enable_module_extrakeys=$enableval],
+    [enable_module_extrakeys=no])
+
+AC_ARG_ENABLE(module_schnorrsig,
+    AS_HELP_STRING([--enable-module-schnorrsig],[enable schnorrsig module (experimental)]),
+    [enable_module_schnorrsig=$enableval],
+    [enable_module_schnorrsig=no])
+
+AC_ARG_ENABLE(module_ecdsa_s2c,
+    AS_HELP_STRING([--enable-module-ecdsa-s2c],[enable ECDSA sign-to-contract module [default=no]]),
+    [enable_module_ecdsa_s2c=$enableval],
+    [enable_module_ecdsa_s2c=no])
+
 AC_ARG_ENABLE(external_default_callbacks,
    AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]),
    [use_external_default_callbacks=$enableval],
    [use_external_default_callbacks=no])

-AC_ARG_ENABLE(jni,
-    AS_HELP_STRING([--enable-jni],[enable libsecp256k1_jni [default=no]]),
-    [use_jni=$enableval],
-    [use_jni=no])
-
 AC_ARG_ENABLE(module_surjectionproof,
    AS_HELP_STRING([--enable-module-surjectionproof],[enable surjection proof module [default=no]]),
    [enable_module_surjectionproof=$enableval],
    [enable_module_surjectionproof=no])

-AC_ARG_WITH([field], [AS_HELP_STRING([--with-field=64bit|32bit|auto],
-[finite field implementation to use [default=auto]])],[req_field=$withval], [req_field=auto])
+AC_ARG_ENABLE(reduced_surjection_proof_size,
+    AS_HELP_STRING([--enable-reduced-surjection-proof-size],[use reduced surjection proof size (disabling parsing and verification) [default=no]]),
+    [use_reduced_surjection_proof_size=$enableval],
+    [use_reduced_surjection_proof_size=no])
+
+dnl Test-only override of the (autodetected by the C code) "widemul" setting.
+dnl Legal values are int64 (for [u]int64_t), int128 (for [unsigned] __int128), and auto (the default).
+AC_ARG_WITH([test-override-wide-multiply], [] ,[set_widemul=$withval], [set_widemul=auto])

 AC_ARG_WITH([bignum], [AS_HELP_STRING([--with-bignum=gmp|no|auto],
 [bignum implementation to use [default=auto]])],[req_bignum=$withval], [req_bignum=auto])

-AC_ARG_WITH([scalar], [AS_HELP_STRING([--with-scalar=64bit|32bit|auto],
-[scalar implementation to use [default=auto]])],[req_scalar=$withval], [req_scalar=auto])
-
 AC_ARG_WITH([asm], [AS_HELP_STRING([--with-asm=x86_64|arm|no|auto],
 [assembly optimizations to use (experimental: arm) [default=auto]])],[req_asm=$withval], [req_asm=auto])

 AC_ARG_WITH([ecmult-window], [AS_HELP_STRING([--with-ecmult-window=SIZE|auto],
 [window size for ecmult precomputation for verification, specified as integer in range [2..24].]
 [Larger values result in possibly better performance at the cost of an exponentially larger precomputed table.]
-[The table will store 2^(SIZE-2) * 64 bytes of data but can be larger in memory due to platform-specific padding and alignment.]
-[If the endomorphism optimization is enabled, two tables of this size are used instead of only one.]
+[The table will store 2^(SIZE-1) * 64 bytes of data but can be larger in memory due to platform-specific padding and alignment.]
 ["auto" is a reasonable setting for desktop machines (currently 15). [default=auto]]
 )],
 [req_ecmult_window=$withval], [req_ecmult_window=auto])

-AC_CHECK_TYPES([__int128])
+AC_ARG_WITH([ecmult-gen-precision], [AS_HELP_STRING([--with-ecmult-gen-precision=2|4|8|auto],
+[Precision bits to tune the precomputed table size for signing.]
+[The size of the table is 32kB for 2 bits, 64kB for 4 bits, 512kB for 8 bits of precision.]
+[A larger table size usually results in possible faster signing.]
+["auto" is a reasonable setting for desktop machines (currently 4). [default=auto]]
+)],
+[req_ecmult_gen_precision=$withval], [req_ecmult_gen_precision=auto])
+
+AC_ARG_WITH([valgrind], [AS_HELP_STRING([--with-valgrind=yes|no|auto],
+[Build with extra checks for running inside Valgrind [default=auto]]
+)],
+[req_valgrind=$withval], [req_valgrind=auto])
+
+if test x"$req_valgrind" = x"no"; then
+  enable_valgrind=no
+else
+  AC_CHECK_HEADER([valgrind/memcheck.h], [enable_valgrind=yes], [
+    if test x"$req_valgrind" = x"yes"; then
+      AC_MSG_ERROR([Valgrind support explicitly requested but valgrind/memcheck.h header not available])
+    fi
+    enable_valgrind=no
+  ], [])
+fi
+AM_CONDITIONAL([VALGRIND_ENABLED],[test "$enable_valgrind" = "yes"])

 if test x"$enable_coverage" = x"yes"; then
    AC_DEFINE(COVERAGE, 1, [Define this symbol to compile out all VERIFY code])
-    CFLAGS="$CFLAGS -O0 --coverage"
-    LDFLAGS="$LDFLAGS --coverage"
+    CFLAGS="-O0 --coverage $CFLAGS"
+    LDFLAGS="--coverage $LDFLAGS"
 else
-    CFLAGS="$CFLAGS -O3"
+    CFLAGS="-O2 $CFLAGS"
 fi

 AC_MSG_CHECKING([for __builtin_popcount])
@@ -226,7 +253,7 @@ if test x"$use_ecmult_static_precomputation" != x"no"; then

  warn_CFLAGS_FOR_BUILD="-Wall -Wextra -Wno-unused-function"
  saved_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS $warn_CFLAGS_FOR_BUILD"
+  CFLAGS="$warn_CFLAGS_FOR_BUILD $CFLAGS"
  AC_MSG_CHECKING([if native ${CC_FOR_BUILD} supports ${warn_CFLAGS_FOR_BUILD}])
  AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])],
      [ AC_MSG_RESULT([yes]) ],
@@ -238,7 +265,7 @@ if test x"$use_ecmult_static_precomputation" != x"no"; then
  AC_RUN_IFELSE(
    [AC_LANG_PROGRAM([], [])],
    [working_native_cc=yes],
-    [working_native_cc=no],[dnl])
+    [working_native_cc=no],[:])

  CFLAGS_FOR_BUILD="$CFLAGS"

@@ -299,63 +326,6 @@ else
  esac
 fi

-if test x"$req_field" = x"auto"; then
-  if test x"set_asm" = x"x86_64"; then
-    set_field=64bit
-  fi
-  if test x"$set_field" = x; then
-    SECP_INT128_CHECK
-    if test x"$has_int128" = x"yes"; then
-      set_field=64bit
-    fi
-  fi
-  if test x"$set_field" = x; then
-    set_field=32bit
-  fi
-else
-  set_field=$req_field
-  case $set_field in
-  64bit)
-    if test x"$set_asm" != x"x86_64"; then
-      SECP_INT128_CHECK
-      if test x"$has_int128" != x"yes"; then
-        AC_MSG_ERROR([64bit field explicitly requested but neither __int128 support or x86_64 assembly available])
-      fi
-    fi
-    ;;
-  32bit)
-    ;;
-  *)
-    AC_MSG_ERROR([invalid field implementation selection])
-    ;;
-  esac
-fi
-
-if test x"$req_scalar" = x"auto"; then
-  SECP_INT128_CHECK
-  if test x"$has_int128" = x"yes"; then
-    set_scalar=64bit
-  fi
-  if test x"$set_scalar" = x; then
-    set_scalar=32bit
-  fi
-else
-  set_scalar=$req_scalar
-  case $set_scalar in
-  64bit)
-    SECP_INT128_CHECK
-    if test x"$has_int128" != x"yes"; then
-      AC_MSG_ERROR([64bit scalar explicitly requested but __int128 support not available])
-    fi
-    ;;
-  32bit)
-    ;;
-  *)
-    AC_MSG_ERROR([invalid scalar implementation selected])
-    ;;
-  esac
-fi
-
 if test x"$req_bignum" = x"auto"; then
  SECP_GMP_CHECK
  if test x"$has_gmp" = x"yes"; then
@@ -399,16 +369,18 @@ no)
  ;;
 esac

-# select field implementation
-case $set_field in
-64bit)
-  AC_DEFINE(USE_FIELD_5X52, 1, [Define this symbol to use the FIELD_5X52 implementation])
+# select wide multiplication implementation
+case $set_widemul in
+int128)
+  AC_DEFINE(USE_FORCE_WIDEMUL_INT128, 1, [Define this symbol to force the use of the (unsigned) __int128 based wide multiplication implementation])
  ;;
-32bit)
-  AC_DEFINE(USE_FIELD_10X26, 1, [Define this symbol to use the FIELD_10X26 implementation])
+int64)
+  AC_DEFINE(USE_FORCE_WIDEMUL_INT64, 1, [Define this symbol to force the use of the (u)int64_t based wide multiplication implementation])
+  ;;
+auto)
  ;;
 *)
-  AC_MSG_ERROR([invalid field implementation])
+  AC_MSG_ERROR([invalid wide multiplication implementation])
  ;;
 esac

@@ -430,19 +402,6 @@ no)
  ;;
 esac

-#select scalar implementation
-case $set_scalar in
-64bit)
-  AC_DEFINE(USE_SCALAR_4X64, 1, [Define this symbol to use the 4x64 scalar implementation])
-  ;;
-32bit)
-  AC_DEFINE(USE_SCALAR_8X32, 1, [Define this symbol to use the 8x32 scalar implementation])
-  ;;
-*)
-  AC_MSG_ERROR([invalid scalar implementation])
-  ;;
-esac
-
 #set ecmult window size
 if test x"$req_ecmult_window" = x"auto"; then
  set_ecmult_window=15
@@ -465,12 +424,28 @@ case $set_ecmult_window in
  ;;
 esac

+#set ecmult gen precision
+if test x"$req_ecmult_gen_precision" = x"auto"; then
+  set_ecmult_gen_precision=4
+else
+  set_ecmult_gen_precision=$req_ecmult_gen_precision
+fi
+
+case $set_ecmult_gen_precision in
+2|4|8)
+  AC_DEFINE_UNQUOTED(ECMULT_GEN_PREC_BITS, $set_ecmult_gen_precision, [Set ecmult gen precision bits])
+  ;;
+*)
+  AC_MSG_ERROR(['ecmult gen precision not 2, 4, 8 or "auto"'])
+  ;;
+esac
+
 if test x"$use_tests" = x"yes"; then
  SECP_OPENSSL_CHECK
-  if test x"$has_openssl_ec" = x"yes"; then
-    if test x"$enable_openssl_tests" != x"no"; then
+  if test x"$enable_openssl_tests" != x"no" && test x"$has_openssl_ec" = x"yes"; then
+      enable_openssl_tests=yes
      AC_DEFINE(ENABLE_OPENSSL_TESTS, 1, [Define this symbol if OpenSSL EC functions are available])
-      SECP_TEST_INCLUDES="$SSL_CFLAGS $CRYPTO_CFLAGS"
+      SECP_TEST_INCLUDES="$SSL_CFLAGS $CRYPTO_CFLAGS $CRYPTO_CPPFLAGS"
      SECP_TEST_LIBS="$CRYPTO_LIBS"

      case $host in
@@ -478,39 +453,17 @@ if test x"$use_tests" = x"yes"; then
        SECP_TEST_LIBS="$SECP_TEST_LIBS -lgdi32"
        ;;
      esac
-    fi
  else
    if test x"$enable_openssl_tests" = x"yes"; then
      AC_MSG_ERROR([OpenSSL tests requested but OpenSSL with EC support is not available])
    fi
+    enable_openssl_tests=no
  fi
 else
  if test x"$enable_openssl_tests" = x"yes"; then
    AC_MSG_ERROR([OpenSSL tests requested but tests are not enabled])
  fi
-fi
-
-if test x"$use_jni" != x"no"; then
-  AX_JNI_INCLUDE_DIR
-  have_jni_dependencies=yes
-  if test x"$enable_module_ecdh" = x"no"; then
-    have_jni_dependencies=no
-  fi
-  if test "x$JNI_INCLUDE_DIRS" = "x"; then
-    have_jni_dependencies=no
-  fi
-  if test "x$have_jni_dependencies" = "xno"; then
-    if test x"$use_jni" = x"yes"; then
-      AC_MSG_ERROR([jni support explicitly requested but headers/dependencies were not found. Enable ECDH and try again.])
-    fi
-    AC_MSG_WARN([jni headers/dependencies not found. jni support disabled])
-    use_jni=no
-  else
-    use_jni=yes
-    for JNI_INCLUDE_DIR in $JNI_INCLUDE_DIRS; do
-      JNI_INCLUDES="$JNI_INCLUDES -I$JNI_INCLUDE_DIR"
-    done
-  fi
+  enable_openssl_tests=no
 fi

 if test x"$set_bignum" = x"gmp"; then
@@ -518,10 +471,6 @@ if test x"$set_bignum" = x"gmp"; then
  SECP_INCLUDES="$SECP_INCLUDES $GMP_CPPFLAGS"
 fi

-if test x"$use_endomorphism" = x"yes"; then
-  AC_DEFINE(USE_ENDOMORPHISM, 1, [Define this symbol to use endomorphism optimization])
-fi
-
 if test x"$set_precomp" = x"yes"; then
  AC_DEFINE(USE_ECMULT_STATIC_PRECOMPUTATION, 1, [Define this symbol to use a statically generated ecmult table])
 fi
@@ -530,10 +479,6 @@ if test x"$enable_module_ecdh" = x"yes"; then
  AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module])
 fi

-if test x"$enable_module_schnorrsig" = x"yes"; then
-  AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module])
-fi
-
 if test x"$enable_module_musig" = x"yes"; then
  AC_DEFINE(ENABLE_MODULE_MUSIG, 1, [Define this symbol to enable the MuSig module])
 fi
@@ -558,7 +503,20 @@ if test x"$enable_module_surjectionproof" = x"yes"; then
  AC_DEFINE(ENABLE_MODULE_SURJECTIONPROOF, 1, [Define this symbol to enable the surjection proof module])
 fi

-AC_C_BIGENDIAN()
+if test x"$enable_module_schnorrsig" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module])
+  enable_module_extrakeys=yes
+fi
+
+# Test if extrakeys is set after the schnorrsig module to allow the schnorrsig
+# module to set enable_module_extrakeys=yes
+if test x"$enable_module_extrakeys" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_EXTRAKEYS, 1, [Define this symbol to enable the extrakeys module])
+fi
+
+if test x"$enable_module_ecdsa_s2c" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_ECDSA_S2C, 1, [Define this symbol to enable the ECDSA sign-to-contract module])
+fi

 if test x"$use_external_asm" = x"yes"; then
  AC_DEFINE(USE_EXTERNAL_ASM, 1, [Define this symbol if an external (non-inline) assembly implementation is used])
@@ -568,17 +526,22 @@ if test x"$use_external_default_callbacks" = x"yes"; then
  AC_DEFINE(USE_EXTERNAL_DEFAULT_CALLBACKS, 1, [Define this symbol if an external implementation of the default callbacks is used])
 fi

+if test x"$use_reduced_surjection_proof_size" = x"yes"; then
+  AC_DEFINE(USE_REDUCED_SURJECTION_PROOF_SIZE, 1, [Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16, disabling parsing and verification])
+fi
+
 if test x"$enable_experimental" = x"yes"; then
  AC_MSG_NOTICE([******])
  AC_MSG_NOTICE([WARNING: experimental build])
  AC_MSG_NOTICE([Experimental features do not have stable APIs or properties, and may not be safe for production use.])
-  AC_MSG_NOTICE([Building ECDH module: $enable_module_ecdh])
  AC_MSG_NOTICE([Building NUMS generator module: $enable_module_generator])
  AC_MSG_NOTICE([Building range proof module: $enable_module_rangeproof])
  AC_MSG_NOTICE([Building key whitelisting module: $enable_module_whitelist])
  AC_MSG_NOTICE([Building surjection proof module: $enable_module_surjectionproof])
-  AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig])
  AC_MSG_NOTICE([Building MuSig module: $enable_module_musig])
+  AC_MSG_NOTICE([Building extrakeys module: $enable_module_extrakeys])
+  AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig])
+  AC_MSG_NOTICE([Building ECDSA sign-to-contract module: $enable_module_ecdsa_s2c])
  AC_MSG_NOTICE([******])


@@ -603,14 +566,17 @@ if test x"$enable_experimental" = x"yes"; then
    fi
  fi
 else
-  if test x"$enable_module_ecdh" = x"yes"; then
-    AC_MSG_ERROR([ECDH module is experimental. Use --enable-experimental to allow.])
+  if test x"$enable_module_musig" = x"yes"; then
+    AC_MSG_ERROR([MuSig module is experimental. Use --enable-experimental to allow.])
+  fi
+  if test x"$enable_module_extrakeys" = x"yes"; then
+    AC_MSG_ERROR([extrakeys module is experimental. Use --enable-experimental to allow.])
  fi
  if test x"$enable_module_schnorrsig" = x"yes"; then
    AC_MSG_ERROR([schnorrsig module is experimental. Use --enable-experimental to allow.])
  fi
-  if test x"$enable_module_musig" = x"yes"; then
-    AC_MSG_ERROR([MuSig module is experimental. Use --enable-experimental to allow.])
+  if test x"$enable_module_ecdsa_s2c" = x"yes"; then
+    AC_MSG_ERROR([ECDSA sign-to-contract module module is experimental. Use --enable-experimental to allow.])
  fi
  if test x"$set_asm" = x"arm"; then
    AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
@@ -631,7 +597,6 @@ fi

 AC_CONFIG_HEADERS([src/libsecp256k1-config.h])
 AC_CONFIG_FILES([Makefile libsecp256k1.pc])
-AC_SUBST(JNI_INCLUDES)
 AC_SUBST(SECP_INCLUDES)
 AC_SUBST(SECP_LIBS)
 AC_SUBST(SECP_TEST_LIBS)
@@ -642,16 +607,18 @@ AM_CONDITIONAL([USE_EXHAUSTIVE_TESTS], [test x"$use_exhaustive_tests" != x"no"])
 AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"])
 AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
-AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_MUSIG], [test x"$enable_module_musig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_GENERATOR], [test x"$enable_module_generator" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RANGEPROOF], [test x"$enable_module_rangeproof" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_WHITELIST], [test x"$enable_module_whitelist" = x"yes"])
-AM_CONDITIONAL([USE_JNI], [test x"$use_jni" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_EXTRAKEYS], [test x"$enable_module_extrakeys" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_ECDSA_S2C], [test x"$enable_module_ecdsa_s2c" = x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"])
 AM_CONDITIONAL([ENABLE_MODULE_SURJECTIONPROOF], [test x"$enable_module_surjectionproof" = x"yes"])
+AM_CONDITIONAL([USE_REDUCED_SURJECTION_PROOF_SIZE], [test x"$use_reduced_surjection_proof_size" = x"yes"])

 dnl make sure nothing new is exported so that we don't break the cache
 PKGCONFIG_PATH_TEMP="$PKG_CONFIG_PATH"
@@ -662,21 +629,28 @@ AC_OUTPUT

 echo
 echo "Build Options:"
-echo "  with endomorphism       = $use_endomorphism"
 echo "  with ecmult precomp     = $set_precomp"
 echo "  with external callbacks = $use_external_default_callbacks"
-echo "  with jni                = $use_jni"
 echo "  with benchmarks         = $use_benchmark"
+echo "  with tests              = $use_tests"
+echo "  with openssl tests      = $enable_openssl_tests"
 echo "  with coverage           = $enable_coverage"
 echo "  module ecdh             = $enable_module_ecdh"
 echo "  module recovery         = $enable_module_recovery"
+echo "  module extrakeys        = $enable_module_extrakeys"
+echo "  module schnorrsig       = $enable_module_schnorrsig"
+echo "  module ecdsa-s2c        = $enable_module_ecdsa_s2c"
 echo
 echo "  asm                     = $set_asm"
 echo "  bignum                  = $set_bignum"
-echo "  field                   = $set_field"
-echo "  scalar                  = $set_scalar"
 echo "  ecmult window size      = $set_ecmult_window"
+echo "  ecmult gen prec. bits   = $set_ecmult_gen_precision"
+dnl Hide test-only options unless they're used.
+if test x"$set_widemul" != xauto; then
+echo "  wide multiplication     = $set_widemul"
+fi
 echo
+echo "  valgrind                = $enable_valgrind"
 echo "  CC                      = $CC"
 echo "  CFLAGS                  = $CFLAGS"
 echo "  CPPFLAGS                = $CPPFLAGS"
--- a/contrib/lax_der_parsing.c
+++ b/contrib/lax_der_parsing.c
@@ -112,7 +112,6 @@ int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_
        return 0;
    }
    spos = pos;
-    pos += slen;

    /* Ignore leading zeroes in R */
    while (rlen > 0 && input[rpos] == 0) {
--- a/contrib/travis.sh
+++ b/contrib/travis.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+set -e
+set -x
+
+if [ "$HOST" = "i686-linux-gnu" ]
+then
+    export CC="$CC -m32"
+fi
+if [ "$TRAVIS_OS_NAME" = "osx" ] && [ "$TRAVIS_COMPILER" = "gcc" ]
+then
+    export CC="gcc-9"
+fi
+
+./configure \
+    --enable-experimental="$EXPERIMENTAL" \
+    --with-test-override-wide-multiply="$WIDEMUL" --with-bignum="$BIGNUM" --with-asm="$ASM" \
+    --enable-ecmult-static-precomputation="$STATICPRECOMPUTATION" --with-ecmult-gen-precision="$ECMULTGENPRECISION" \
+    --enable-module-ecdh="$ECDH" --enable-module-recovery="$RECOVERY" \
+    --enable-module-ecdsa-s2c="$ECDSA_S2C" \
+    --enable-module-rangeproof="$RANGEPROOF" --enable-module-whitelist="$WHITELIST" --enable-module-generator="$GENERATOR" \
+    --enable-module-schnorrsig="$SCHNORRSIG"  --enable-module-musig="$MUSIG"\
+    --with-valgrind="$WITH_VALGRIND" \
+    --host="$HOST" $EXTRAFLAGS
+
+if [ -n "$BUILD" ]
+then
+    make -j2 "$BUILD"
+fi
+if [ "$RUN_VALGRIND" = "yes" ]
+then
+    make -j2
+    # the `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (http://valgrind.org/docs/manual/manual-core.html)
+    valgrind --error-exitcode=42 ./tests 16
+    valgrind --error-exitcode=42 ./exhaustive_tests
+fi
+if [ "$BENCH" = "yes" ]
+then
+    if [ "$RUN_VALGRIND" = "yes" ]
+    then
+        # Using the local `libtool` because on macOS the system's libtool has nothing to do with GNU libtool
+        EXEC='./libtool --mode=execute valgrind --error-exitcode=42'
+    else
+        EXEC=
+    fi
+    # This limits the iterations in the benchmarks below to ITER(set in .travis.yml) iterations.
+    export SECP256K1_BENCH_ITERS="$ITERS"
+    {
+        $EXEC ./bench_ecmult
+        $EXEC ./bench_internal
+        $EXEC ./bench_sign
+        $EXEC ./bench_verify
+    } >> bench.log 2>&1
+    if [ "$RECOVERY" = "yes" ]
+    then
+        $EXEC ./bench_recover >> bench.log 2>&1
+    fi
+    if [ "$ECDH" = "yes" ]
+    then
+        $EXEC ./bench_ecdh >> bench.log 2>&1
+    fi
+    if [ "$SCHNORRSIG" = "yes" ]
+    then
+        $EXEC ./bench_schnorrsig >> bench.log 2>&1
+    fi
+fi
+if [ "$CTIMETEST" = "yes" ]
+then
+    ./libtool --mode=execute valgrind --error-exitcode=42 ./valgrind_ctime_test > valgrind_ctime_test.log 2>&1
+fi
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@@ -14,7 +14,7 @@ extern "C" {
 * 2. Array lengths always immediately the follow the argument whose length
 *    they describe, even if this violates rule 1.
 * 3. Within the OUT/OUTIN/IN groups, pointers to data that is typically generated
- *    later go first. This means: signatures, public nonces, private nonces,
+ *    later go first. This means: signatures, public nonces, secret nonces,
 *    messages, public keys, secret keys, tweaks.
 * 4. Arguments that are not data pointers go last, from more complex to less
 *    complex: function pointers, algorithm names, messages, void pointers,
@@ -134,7 +134,7 @@ typedef int (*secp256k1_nonce_function)(
 #  else
 #   define SECP256K1_API
 #  endif
-# elif defined(__GNUC__) && defined(SECP256K1_BUILD)
+# elif defined(__GNUC__) && (__GNUC__ >= 4) && defined(SECP256K1_BUILD)
 #  define SECP256K1_API __attribute__ ((visibility ("default")))
 # else
 #  define SECP256K1_API
@@ -162,15 +162,17 @@ typedef int (*secp256k1_nonce_function)(
 /** The higher bits contain the actual data. Do not use directly. */
 #define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY (1 << 8)
 #define SECP256K1_FLAGS_BIT_CONTEXT_SIGN (1 << 9)
+#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY (1 << 10)
 #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8)

 /** Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and
 *  secp256k1_context_preallocated_create. */
 #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY)
 #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN)
+#define SECP256K1_CONTEXT_DECLASSIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY)
 #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT)

-/** Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export. */
+/** Flag to pass to secp256k1_ec_pubkey_serialize. */
 #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION)
 #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION)

@@ -258,7 +260,7 @@ SECP256K1_API void secp256k1_context_destroy(
 *   - void secp256k1_default_error_callback_fn(const char* message, void* data);
 *  The library can call these default handlers even before a proper callback data
 *  pointer could have been set using secp256k1_context_set_illegal_callback or
- *  secp256k1_context_set_illegal_callback, e.g., when the creation of a context
+ *  secp256k1_context_set_error_callback, e.g., when the creation of a context
 *  fails. In this case, the corresponding default handler will be called with
 *  the data pointer argument set to NULL.
 *
@@ -529,7 +531,7 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_def
 /** Create an ECDSA signature.
 *
 *  Returns: 1: signature created
- *           0: the nonce generation function failed, or the private key was invalid.
+ *           0: the nonce generation function failed, or the secret key was invalid.
 *  Args:    ctx:    pointer to a context object, initialized for signing (cannot be NULL)
 *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
 *  In:      msg32:  the 32-byte message hash being signed (cannot be NULL)
@@ -550,6 +552,11 @@ SECP256K1_API int secp256k1_ecdsa_sign(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

 /** Verify an ECDSA secret key.
+ *
+ *  A secret key is valid if it is not 0 and less than the secp256k1 curve order
+ *  when interpreted as an integer (most significant byte first). The
+ *  probability of choosing a 32-byte string uniformly at random which is an
+ *  invalid secret key is negligible.
 *
 *  Returns: 1: secret key is valid
 *           0: secret key is invalid
@@ -567,7 +574,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(
 *           0: secret was invalid, try again
 *  Args:   ctx:        pointer to a context object, initialized for signing (cannot be NULL)
 *  Out:    pubkey:     pointer to the created public key (cannot be NULL)
- *  In:     seckey:     pointer to a 32-byte private key (cannot be NULL)
+ *  In:     seckey:     pointer to a 32-byte secret key (cannot be NULL)
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(
    const secp256k1_context* ctx,
@@ -575,12 +582,24 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(
    const unsigned char *seckey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

-/** Negates a private key in place.
+/** Negates a secret key in place.
 *
- *  Returns: 1 always
- *  Args:   ctx:        pointer to a context object
- *  In/Out: seckey:     pointer to the 32-byte private key to be negated (cannot be NULL)
+ *  Returns: 0 if the given secret key is invalid according to
+ *           secp256k1_ec_seckey_verify. 1 otherwise
+ *  Args:   ctx:    pointer to a context object
+ *  In/Out: seckey: pointer to the 32-byte secret key to be negated. If the
+ *                  secret key is invalid according to
+ *                  secp256k1_ec_seckey_verify, this function returns 0 and
+ *                  seckey will be set to some unspecified value. (cannot be
+ *                  NULL)
 */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(
+    const secp256k1_context* ctx,
+    unsigned char *seckey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+
+/** Same as secp256k1_ec_seckey_negate, but DEPRECATED. Will be removed in
+ *  future versions. */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(
    const secp256k1_context* ctx,
    unsigned char *seckey
@@ -597,15 +616,29 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
    secp256k1_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);

-/** Tweak a private key by adding tweak to it.
- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
- *          uniformly random 32-byte arrays, or if the resulting private key
- *          would be invalid (only when the tweak is the complement of the
- *          private key). 1 otherwise.
- * Args:    ctx:    pointer to a context object (cannot be NULL).
- * In/Out:  seckey: pointer to a 32-byte private key.
- * In:      tweak:  pointer to a 32-byte tweak.
+/** Tweak a secret key by adding tweak to it.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting secret key would be
+ *           invalid (only when the tweak is the negation of the secret key). 1
+ *           otherwise.
+ *  Args:    ctx:   pointer to a context object (cannot be NULL).
+ *  In/Out: seckey: pointer to a 32-byte secret key. If the secret key is
+ *                  invalid according to secp256k1_ec_seckey_verify, this
+ *                  function returns 0. seckey will be set to some unspecified
+ *                  value if this function returns 0. (cannot be NULL)
+ *  In:      tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+ *                  secp256k1_ec_seckey_verify, this function returns 0. For
+ *                  uniformly random 32-byte arrays the chance of being invalid
+ *                  is negligible (around 1 in 2^128) (cannot be NULL).
 */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(
+    const secp256k1_context* ctx,
+    unsigned char *seckey,
+    const unsigned char *tweak
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED. Will be removed in
+ *  future versions. */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
    const secp256k1_context* ctx,
    unsigned char *seckey,
@@ -613,14 +646,18 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

 /** Tweak a public key by adding tweak times the generator to it.
- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
- *          uniformly random 32-byte arrays, or if the resulting public key
- *          would be invalid (only when the tweak is the complement of the
- *          corresponding private key). 1 otherwise.
- * Args:    ctx:    pointer to a context object initialized for validation
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *  Args:    ctx:   pointer to a context object initialized for validation
 *                  (cannot be NULL).
- * In/Out:  pubkey: pointer to a public key object.
- * In:      tweak:  pointer to a 32-byte tweak.
+ *  In/Out: pubkey: pointer to a public key object. pubkey will be set to an
+ *                  invalid value if this function returns 0 (cannot be NULL).
+ *  In:      tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+ *                  secp256k1_ec_seckey_verify, this function returns 0. For
+ *                  uniformly random 32-byte arrays the chance of being invalid
+ *                  is negligible (around 1 in 2^128) (cannot be NULL).
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
    const secp256k1_context* ctx,
@@ -628,13 +665,27 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
    const unsigned char *tweak
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

-/** Tweak a private key by multiplying it by a tweak.
- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
- *          uniformly random 32-byte arrays, or equal to zero. 1 otherwise.
- * Args:   ctx:    pointer to a context object (cannot be NULL).
- * In/Out: seckey: pointer to a 32-byte private key.
- * In:     tweak:  pointer to a 32-byte tweak.
+/** Tweak a secret key by multiplying it by a tweak.
+ *
+ *  Returns: 0 if the arguments are invalid. 1 otherwise.
+ *  Args:   ctx:    pointer to a context object (cannot be NULL).
+ *  In/Out: seckey: pointer to a 32-byte secret key. If the secret key is
+ *                  invalid according to secp256k1_ec_seckey_verify, this
+ *                  function returns 0. seckey will be set to some unspecified
+ *                  value if this function returns 0. (cannot be NULL)
+ *  In:      tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+ *                  secp256k1_ec_seckey_verify, this function returns 0. For
+ *                  uniformly random 32-byte arrays the chance of being invalid
+ *                  is negligible (around 1 in 2^128) (cannot be NULL).
 */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(
+    const secp256k1_context* ctx,
+    unsigned char *seckey,
+    const unsigned char *tweak
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in
+ *  future versions. */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
    const secp256k1_context* ctx,
    unsigned char *seckey,
@@ -642,12 +693,16 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

 /** Tweak a public key by multiplying it by a tweak value.
- * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
- *          uniformly random 32-byte arrays, or equal to zero. 1 otherwise.
- * Args:    ctx:    pointer to a context object initialized for validation
- *                 (cannot be NULL).
- * In/Out:  pubkey: pointer to a public key obkect.
- * In:      tweak:  pointer to a 32-byte tweak.
+ *
+ *  Returns: 0 if the arguments are invalid. 1 otherwise.
+ *  Args:    ctx:   pointer to a context object initialized for validation
+ *                  (cannot be NULL).
+ *  In/Out: pubkey: pointer to a public key object. pubkey will be set to an
+ *                  invalid value if this function returns 0 (cannot be NULL).
+ *  In:      tweak: pointer to a 32-byte tweak. If the tweak is invalid according to
+ *                  secp256k1_ec_seckey_verify, this function returns 0. For
+ *                  uniformly random 32-byte arrays the chance of being invalid
+ *                  is negligible (around 1 in 2^128) (cannot be NULL).
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
    const secp256k1_context* ctx,
@@ -686,6 +741,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(
 ) SECP256K1_ARG_NONNULL(1);

 /** Add a number of public keys together.
+ *
 *  Returns: 1: the sum of the public keys is valid.
 *           0: the sum of the public keys is not valid.
 *  Args:   ctx:        pointer to a context object
--- a/include/secp256k1_ecdh.h
+++ b/include/secp256k1_ecdh.h
@@ -7,43 +7,50 @@
 extern "C" {
 #endif

-/** A pointer to a function that applies hash function to a point
+/** A pointer to a function that hashes an EC point to obtain an ECDH secret
 *
- *  Returns: 1 if a point was successfully hashed. 0 will cause ecdh to fail
- *  Out:    output:     pointer to an array to be filled by the function
- *  In:     x:          pointer to a 32-byte x coordinate
- *          y:          pointer to a 32-byte y coordinate
- *          data:       Arbitrary data pointer that is passed through
+ *  Returns: 1 if the point was successfully hashed.
+ *           0 will cause secp256k1_ecdh to fail and return 0.
+ *           Other return values are not allowed, and the behaviour of
+ *           secp256k1_ecdh is undefined for other return values.
+ *  Out:     output:     pointer to an array to be filled by the function
+ *  In:      x32:        pointer to a 32-byte x coordinate
+ *           y32:        pointer to a 32-byte y coordinate
+ *           data:       arbitrary data pointer that is passed through
 */
 typedef int (*secp256k1_ecdh_hash_function)(
  unsigned char *output,
-  const unsigned char *x,
-  const unsigned char *y,
+  const unsigned char *x32,
+  const unsigned char *y32,
  void *data
 );

-/** An implementation of SHA256 hash function that applies to compressed public key. */
+/** An implementation of SHA256 hash function that applies to compressed public key.
+ * Populates the output parameter with 32 bytes. */
 SECP256K1_API extern const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256;

-/** A default ecdh hash function (currently equal to secp256k1_ecdh_hash_function_sha256). */
+/** A default ECDH hash function (currently equal to secp256k1_ecdh_hash_function_sha256).
+ * Populates the output parameter with 32 bytes. */
 SECP256K1_API extern const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default;

 /** Compute an EC Diffie-Hellman secret in constant time
+ *
 *  Returns: 1: exponentiation was successful
- *           0: scalar was invalid (zero or overflow)
+ *           0: scalar was invalid (zero or overflow) or hashfp returned 0
 *  Args:    ctx:        pointer to a context object (cannot be NULL)
- *  Out:     output:     pointer to an array to be filled by the function
+ *  Out:     output:     pointer to an array to be filled by hashfp
 *  In:      pubkey:     a pointer to a secp256k1_pubkey containing an
 *                       initialized public key
- *           privkey:    a 32-byte scalar with which to multiply the point
+ *           seckey:     a 32-byte scalar with which to multiply the point
 *           hashfp:     pointer to a hash function. If NULL, secp256k1_ecdh_hash_function_sha256 is used
- *           data:       Arbitrary data pointer that is passed through
+ *                       (in which case, 32 bytes will be written to output)
+ *           data:       arbitrary data pointer that is passed through to hashfp
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(
  const secp256k1_context* ctx,
  unsigned char *output,
  const secp256k1_pubkey *pubkey,
-  const unsigned char *privkey,
+  const unsigned char *seckey,
  secp256k1_ecdh_hash_function hashfp,
  void *data
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
--- a/include/secp256k1_ecdsa_s2c.h
+++ b/include/secp256k1_ecdsa_s2c.h
@@ -0,0 +1,234 @@
+#ifndef SECP256K1_ECDSA_S2C_H
+#define SECP256K1_ECDSA_S2C_H
+
+#include "secp256k1.h"
+
+/** This module implements the sign-to-contract scheme for ECDSA signatures, as
+ *  well as the "ECDSA Anti-Klepto Protocol" that is based on sign-to-contract
+ *  and is specified further down. The sign-to-contract scheme allows creating a
+ *  signature that also commits to some data. This works by offsetting the public
+ *  nonce point of the signature R by hash(R, data)*G where G is the secp256k1
+ *  group generator.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Data structure that holds a sign-to-contract ("s2c") opening information.
+ *  Sign-to-contract allows a signer to commit to some data as part of a signature. It
+ *  can be used as an Out-argument in certain signing functions.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
+ *  If you need to convert to a format suitable for storage, transmission, or
+ *  comparison, use secp256k1_ecdsa_s2c_opening_serialize and secp256k1_ecdsa_s2c_opening_parse.
+ */
+typedef struct {
+    unsigned char data[64];
+} secp256k1_ecdsa_s2c_opening;
+
+/** Parse a sign-to-contract opening.
+ *
+ *  Returns: 1 if the opening could be parsed
+ *           0 if the opening could not be parsed
+ *  Args:    ctx: a secp256k1 context object.
+ *  Out: opening: pointer to an opening object. If 1 is returned, it is set to a
+ *                parsed version of input. If not, its value is unspecified.
+ *  In:  input33: pointer to 33-byte array with a serialized opening
+ *
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_opening_parse(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_s2c_opening* opening,
+    const unsigned char* input33
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize a sign-to-contract opening into a byte sequence.
+ *
+ *  Returns: 1 if the opening was successfully serialized.
+ *           0 if the opening could not be serialized
+ *  Args:     ctx: a secp256k1 context object
+ *  Out: output33: pointer to a 33-byte array to place the serialized opening in
+ *  In:   opening: a pointer to an initialized `secp256k1_ecdsa_s2c_opening`
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_opening_serialize(
+    const secp256k1_context* ctx,
+    unsigned char* output33,
+    const secp256k1_ecdsa_s2c_opening* opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Same as secp256k1_ecdsa_sign, but s2c_data32 is committed to inside the nonce
+ *
+ *  Returns: 1: signature created
+ *           0: the nonce generation function failed, or the private key was invalid.
+ *  Args:    ctx:  pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out:     sig:  pointer to an array where the signature will be placed (cannot be NULL)
+ *   s2c_opening:  if non-NULL, pointer to an secp256k1_ecdsa_s2c_opening structure to populate
+ *  In:    msg32: the 32-byte message hash being signed (cannot be NULL)
+ *        seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *    s2c_data32: pointer to a 32-byte data to commit to in the nonce (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_s2c_sign(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_signature* sig,
+    secp256k1_ecdsa_s2c_opening* s2c_opening,
+    const unsigned char* msg32,
+    const unsigned char* seckey,
+    const unsigned char* s2c_data32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+/** Verify a sign-to-contract commitment.
+ *
+ *  Returns: 1: the signature contains a commitment to data32 (though it does
+ *              not necessarily need to be a valid siganture!)
+ *           0: incorrect opening
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *  In:      sig: the signature containing the sign-to-contract commitment (cannot be NULL)
+ *        data32: the 32-byte data that was committed to (cannot be NULL)
+ *       opening: pointer to the opening created during signing (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_s2c_verify_commit(
+    const secp256k1_context* ctx,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *data32,
+    const secp256k1_ecdsa_s2c_opening *opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+
+/** ECDSA Anti-Klepto Protocol
+ *
+ *  The ecdsa_anti_klepto_* functions can be used to prevent a signing device from
+ *  exfiltrating the secret signing keys through biased signature nonces. The general
+ *  idea is that a host provides additional randomness to the signing device client
+ *  and the client commits to the randomness in the nonce using sign-to-contract.
+ *
+ *  The following scheme is described by Stepan Snigirev here:
+ *    https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-February/017655.html
+ *  and by Pieter Wuille (as "Scheme 6") here:
+ *    https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-March/017667.html
+ *
+ *  In order to ensure the host cannot trick the signing device into revealing its
+ *  keys, or the signing device to bias the nonce despite the host's contributions,
+ *  the host and client must engage in a commit-reveal protocol as follows:
+ *  1. The host draws randomness `rho` and computes a sha256 commitment to it using
+ *     `secp256k1_ecdsa_anti_klepto_host_commit`. It sends this to the signing device.
+ *  2. The signing device computes a public nonce `R` using the host's commitment
+ *     as auxiliary randomness, using `secp256k1_ecdsa_anti_klepto_signer_commit`.
+ *     The signing device sends the resulting `R` to the host as a s2c_opening.
+ *
+ *     If, at any point from this step onward, the hardware device fails, it is
+ *     okay to restart the protocol using **exactly the same `rho`** and checking
+ *     that the hardware device proposes **exactly the same** `R`. Otherwise, the
+ *     hardware device may be selectively aborting and thereby biasing the set of
+ *     nonces that are used in actual signatures.
+ *
+ *     It takes many (>100) such aborts before there is a plausible attack, given
+ *     current knowledge in 2020. However such aborts accumulate even across a total
+ *     replacement of all relevant devices (but not across replacement of the actual
+ *     signing keys with new independently random ones).
+ *
+ *     In case the hardware device cannot be made to sign with the given `rho`, `R`
+ *     pair, wallet authors should alert the user and present a very scary message
+ *     implying that if this happens more than even a few times, say 20 or more times
+ *     EVER, they should change hardware vendors and perhaps sweep their coins.
+ *
+ *  3. The host replies with `rho` generated in step 1.
+ *  4. The device signs with `secp256k1_anti_klepto_sign`, using `rho` as `host_data32`,
+ *     and sends the signature to the host.
+ *  5. The host verifies that the signature's public nonce matches the opening from
+ *     step 2 and its original randomness `rho`, using `secp256k1_anti_klepto_host_verify`.
+ *
+ *  Rationale:
+ *      - The reason for having a host commitment is to allow the signing device to
+ *        deterministically derive a unique nonce even if the host restarts the protocol
+ *        using the same message and keys. Otherwise the signer might reuse the original
+ *        nonce in two iterations of the protocol with different `rho`, which leaks the
+ *        the secret key.
+ *      - The signer does not need to check that the host commitment matches the host's
+ *        claimed `rho`. Instead it re-derives the commitment (and its original `R`) from
+ *        the provided `rho`. If this differs from the original commitment, the result
+ *        will be an invalid `s2c_opening`, but since `R` was unique there is no risk to
+ *        the signer's secret keys. Because of this, the signing device does not need to
+ *        maintain any state about the progress of the protocol.
+ */
+
+/** Create the initial host commitment to `rho`. Part of the ECDSA Anti-Klepto Protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:              ctx: pointer to a context object (cannot be NULL)
+ *  Out: rand_commitment32: pointer to 32-byte array to store the returned commitment (cannot be NULL)
+ *  In:             rand32: the 32-byte randomness to commit to (cannot be NULL). It must come from
+ *                          a cryptographically secure RNG. As per the protocol, this value must not
+ *                          be revealed to the client until after the host has received the client
+ *                          commitment.
+ */
+SECP256K1_API int secp256k1_ecdsa_anti_klepto_host_commit(
+    const secp256k1_context* ctx,
+    unsigned char* rand_commitment32,
+    const unsigned char* rand32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Compute signer's original nonce. Part of the ECDSA Anti-Klepto Protocol.
+ *
+ *  Returns 1 on success, 0 on failure.
+ *  Args:           ctx: pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out:    s2c_opening: pointer to an s2c_opening where the signer's public nonce will be
+ *                       placed. (cannot be NULL)
+ *  In:           msg32: the 32-byte message hash to be signed (cannot be NULL)
+ *             seckey32: the 32-byte secret key used for signing (cannot be NULL)
+ *    rand_commitment32: the 32-byte randomness commitment from the host (cannot be NULL)
+ */
+SECP256K1_API int secp256k1_ecdsa_anti_klepto_signer_commit(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_s2c_opening* s2c_opening,
+    const unsigned char* msg32,
+    const unsigned char* seckey32,
+    const unsigned char* rand_commitment32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Same as secp256k1_ecdsa_sign, but commits to host randomness in the nonce. Part of the
+ *  ECDSA Anti-Klepto Protocol.
+ *
+ *  Returns: 1: signature created
+ *           0: the nonce generation function failed, or the private key was invalid.
+ *  Args:    ctx:  pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out:     sig:  pointer to an array where the signature will be placed (cannot be NULL)
+ *  In:    msg32: the 32-byte message hash being signed (cannot be NULL)
+ *        seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *   host_data32: pointer to 32-byte host-provided randomness (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_sign(
+    const secp256k1_context* ctx,
+    secp256k1_ecdsa_signature* sig,
+    const unsigned char* msg32,
+    const unsigned char* seckey,
+    const unsigned char* host_data32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Verify a signature was correctly constructed using the ECDSA Anti-Klepto Protocol.
+ *
+ *  Returns: 1: the signature is valid and contains a commitment to host_data32
+ *           0: incorrect opening
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *  In:      sig: the signature produced by the signer (cannot be NULL)
+ *     msghash32: the 32-byte message hash being verified (cannot be NULL)
+ *        pubkey: pointer to the signer's public key (cannot be NULL)
+ *   host_data32: the 32-byte data provided by the host (cannot be NULL)
+ *       opening: the s2c opening provided by the signer (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_anti_klepto_host_verify(
+    const secp256k1_context* ctx,
+    const secp256k1_ecdsa_signature *sig,
+    const unsigned char *msg32,
+    const secp256k1_pubkey *pubkey,
+    const unsigned char *host_data32,
+    const secp256k1_ecdsa_s2c_opening *opening
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_ECDSA_S2C_H */
--- a/include/secp256k1_extrakeys.h
+++ b/include/secp256k1_extrakeys.h
@@ -0,0 +1,236 @@
+#ifndef SECP256K1_EXTRAKEYS_H
+#define SECP256K1_EXTRAKEYS_H
+
+#include "secp256k1.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Opaque data structure that holds a parsed and valid "x-only" public key.
+ *  An x-only pubkey encodes a point whose Y coordinate is even. It is
+ *  serialized using only its X coordinate (32 bytes). See BIP-340 for more
+ *  information about x-only pubkeys.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
+ *  If you need to convert to a format suitable for storage, transmission, or
+ *  comparison, use secp256k1_xonly_pubkey_serialize and
+ *  secp256k1_xonly_pubkey_parse.
+ */
+typedef struct {
+    unsigned char data[64];
+} secp256k1_xonly_pubkey;
+
+/** Opaque data structure that holds a keypair consisting of a secret and a
+ *  public key.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 96 bytes in size, and can be safely copied/moved.
+ */
+typedef struct {
+    unsigned char data[96];
+} secp256k1_keypair;
+
+/** Parse a 32-byte sequence into a xonly_pubkey object.
+ *
+ *  Returns: 1 if the public key was fully valid.
+ *           0 if the public key could not be parsed or is invalid.
+ *
+ *  Args:   ctx: a secp256k1 context object (cannot be NULL).
+ *  Out: pubkey: pointer to a pubkey object. If 1 is returned, it is set to a
+ *               parsed version of input. If not, it's set to an invalid value.
+ *               (cannot be NULL).
+ *  In: input32: pointer to a serialized xonly_pubkey (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_parse(
+    const secp256k1_context* ctx,
+    secp256k1_xonly_pubkey* pubkey,
+    const unsigned char *input32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Serialize an xonly_pubkey object into a 32-byte sequence.
+ *
+ *  Returns: 1 always.
+ *
+ *  Args:     ctx: a secp256k1 context object (cannot be NULL).
+ *  Out: output32: a pointer to a 32-byte array to place the serialized key in
+ *                 (cannot be NULL).
+ *  In:    pubkey: a pointer to a secp256k1_xonly_pubkey containing an
+ *                 initialized public key (cannot be NULL).
+ */
+SECP256K1_API int secp256k1_xonly_pubkey_serialize(
+    const secp256k1_context* ctx,
+    unsigned char *output32,
+    const secp256k1_xonly_pubkey* pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Converts a secp256k1_pubkey into a secp256k1_xonly_pubkey.
+ *
+ *  Returns: 1 if the public key was successfully converted
+ *           0 otherwise
+ *
+ *  Args:         ctx: pointer to a context object (cannot be NULL)
+ *  Out: xonly_pubkey: pointer to an x-only public key object for placing the
+ *                     converted public key (cannot be NULL)
+ *          pk_parity: pointer to an integer that will be set to 1 if the point
+ *                     encoded by xonly_pubkey is the negation of the pubkey and
+ *                     set to 0 otherwise. (can be NULL)
+ *  In:        pubkey: pointer to a public key that is converted (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_from_pubkey(
+    const secp256k1_context* ctx,
+    secp256k1_xonly_pubkey *xonly_pubkey,
+    int *pk_parity,
+    const secp256k1_pubkey *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
+
+/** Tweak an x-only public key by adding the generator multiplied with tweak32
+ *  to it.
+ *
+ *  Note that the resulting point can not in general be represented by an x-only
+ *  pubkey because it may have an odd Y coordinate. Instead, the output_pubkey
+ *  is a normal secp256k1_pubkey.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *
+ *  Args:           ctx: pointer to a context object initialized for verification
+ *                       (cannot be NULL)
+ *  Out:  output_pubkey: pointer to a public key to store the result. Will be set
+ *                       to an invalid value if this function returns 0 (cannot
+ *                       be NULL)
+ *  In: internal_pubkey: pointer to an x-only pubkey to apply the tweak to.
+ *                       (cannot be NULL).
+ *              tweak32: pointer to a 32-byte tweak. If the tweak is invalid
+ *                       according to secp256k1_ec_seckey_verify, this function
+ *                       returns 0. For uniformly random 32-byte arrays the
+ *                       chance of being invalid is negligible (around 1 in
+ *                       2^128) (cannot be NULL).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *output_pubkey,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Checks that a tweaked pubkey is the result of calling
+ *  secp256k1_xonly_pubkey_tweak_add with internal_pubkey and tweak32.
+ *
+ *  The tweaked pubkey is represented by its 32-byte x-only serialization and
+ *  its pk_parity, which can both be obtained by converting the result of
+ *  tweak_add to a secp256k1_xonly_pubkey.
+ *
+ *  Note that this alone does _not_ verify that the tweaked pubkey is a
+ *  commitment. If the tweak is not chosen in a specific way, the tweaked pubkey
+ *  can easily be the result of a different internal_pubkey and tweak.
+ *
+ *  Returns: 0 if the arguments are invalid or the tweaked pubkey is not the
+ *           result of tweaking the internal_pubkey with tweak32. 1 otherwise.
+ *  Args:            ctx: pointer to a context object initialized for verification
+ *                       (cannot be NULL)
+ *  In: tweaked_pubkey32: pointer to a serialized xonly_pubkey (cannot be NULL)
+ *     tweaked_pk_parity: the parity of the tweaked pubkey (whose serialization
+ *                        is passed in as tweaked_pubkey32). This must match the
+ *                        pk_parity value that is returned when calling
+ *                        secp256k1_xonly_pubkey with the tweaked pubkey, or
+ *                        this function will fail.
+ *       internal_pubkey: pointer to an x-only public key object to apply the
+ *                        tweak to (cannot be NULL)
+ *               tweak32: pointer to a 32-byte tweak (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_xonly_pubkey_tweak_add_check(
+    const secp256k1_context* ctx,
+    const unsigned char *tweaked_pubkey32,
+    int tweaked_pk_parity,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Compute the keypair for a secret key.
+ *
+ *  Returns: 1: secret was valid, keypair is ready to use
+ *           0: secret was invalid, try again with a different secret
+ *  Args:    ctx: pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out: keypair: pointer to the created keypair (cannot be NULL)
+ *  In:   seckey: pointer to a 32-byte secret key (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_create(
+    const secp256k1_context* ctx,
+    secp256k1_keypair *keypair,
+    const unsigned char *seckey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Get the public key from a keypair.
+ *
+ *  Returns: 0 if the arguments are invalid. 1 otherwise.
+ *  Args:    ctx: pointer to a context object (cannot be NULL)
+ *  Out: pubkey: pointer to a pubkey object. If 1 is returned, it is set to
+ *               the keypair public key. If not, it's set to an invalid value.
+ *               (cannot be NULL)
+ *  In: keypair: pointer to a keypair (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_pub(
+    const secp256k1_context* ctx,
+    secp256k1_pubkey *pubkey,
+    const secp256k1_keypair *keypair
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Get the x-only public key from a keypair.
+ *
+ *  This is the same as calling secp256k1_keypair_pub and then
+ *  secp256k1_xonly_pubkey_from_pubkey.
+ *
+ *  Returns: 0 if the arguments are invalid. 1 otherwise.
+ *  Args:   ctx: pointer to a context object (cannot be NULL)
+ *  Out: pubkey: pointer to an xonly_pubkey object. If 1 is returned, it is set
+ *               to the keypair public key after converting it to an
+ *               xonly_pubkey. If not, it's set to an invalid value (cannot be
+ *               NULL).
+ *    pk_parity: pointer to an integer that will be set to the pk_parity
+ *               argument of secp256k1_xonly_pubkey_from_pubkey (can be NULL).
+ *  In: keypair: pointer to a keypair (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_pub(
+    const secp256k1_context* ctx,
+    secp256k1_xonly_pubkey *pubkey,
+    int *pk_parity,
+    const secp256k1_keypair *keypair
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
+
+/** Tweak a keypair by adding tweak32 to the secret key and updating the public
+ *  key accordingly.
+ *
+ *  Calling this function and then secp256k1_keypair_pub results in the same
+ *  public key as calling secp256k1_keypair_xonly_pub and then
+ *  secp256k1_xonly_pubkey_tweak_add.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting keypair would be
+ *           invalid (only when the tweak is the negation of the keypair's
+ *           secret key). 1 otherwise.
+ *
+ *  Args:       ctx: pointer to a context object initialized for verification
+ *                   (cannot be NULL)
+ *  In/Out: keypair: pointer to a keypair to apply the tweak to. Will be set to
+ *                   an invalid value if this function returns 0 (cannot be
+ *                   NULL).
+ *  In:     tweak32: pointer to a 32-byte tweak. If the tweak is invalid according
+ *                   to secp256k1_ec_seckey_verify, this function returns 0. For
+ *                   uniformly random 32-byte arrays the chance of being invalid
+ *                   is negligible (around 1 in 2^128) (cannot be NULL).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_keypair_xonly_tweak_add(
+    const secp256k1_context* ctx,
+    secp256k1_keypair *keypair,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECP256K1_EXTRAKEYS_H */
--- a/include/secp256k1_musig.h
+++ b/include/secp256k1_musig.h
@@ -1,18 +1,46 @@
 #ifndef SECP256K1_MUSIG_H
 #define SECP256K1_MUSIG_H

+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #include <stdint.h>

 /** This module implements a Schnorr-based multi-signature scheme called MuSig
- * (https://eprint.iacr.org/2018/068.pdf). There's an example C source file in the
- * module's directory (src/modules/musig/example.c) that demonstrates how it can be
- * used.
+ * (https://eprint.iacr.org/2018/068.pdf). It is compatible with bip-schnorr.
+ * There's an example C source file in the module's directory
+ * (src/modules/musig/example.c) that demonstrates how it can be used.
 *
 * The documentation in this include file is for reference and may not be sufficient
 * for users to begin using the library. A full description of API usage can be found
 * in src/modules/musig/musig.md
 */

+/** Data structure containing auxiliary data generated in `pubkey_combine` and
+ *  required for `session_*_init`.
+ *  Fields:
+ *        magic: Set during initialization in `pubkey_combine` to allow
+ *               detecting an uninitialized object.
+ *      pk_hash: The 32-byte hash of the original public keys
+ *    pk_parity: Whether the MuSig-aggregated point was negated when
+ *               converting it to the combined xonly pubkey.
+ *     is_tweaked: Whether the combined pubkey was tweaked
+ *          tweak: If is_tweaked, array with the 32-byte tweak
+ * internal_key_parity: If is_tweaked, the parity of the combined pubkey
+ *                 before tweaking
+ */
+typedef struct {
+    uint64_t magic;
+    unsigned char pk_hash[32];
+    int pk_parity;
+    int is_tweaked;
+    unsigned char tweak[32];
+    int internal_key_parity;
+} secp256k1_musig_pre_session;
+
 /** Data structure containing data related to a signing session resulting in a single
 * signature.
 *
@@ -24,49 +52,49 @@
 * structure.
 *
 * Fields:
- *      combined_pk: MuSig-computed combined public key
+ *            magic: Set in `musig_session_init` to allow detecting an
+ *                   uninitialized object.
+ *            round: Current round of the session
+ *      pre_session: Auxiliary data created in `pubkey_combine`
+ *      combined_pk: MuSig-computed combined xonly public key
 *        n_signers: Number of signers
- *          pk_hash: The 32-byte hash of the original public keys
- *   combined_nonce: Summed combined public nonce (undefined if `nonce_is_set` is false)
- *     nonce_is_set: Whether the above nonce has been set
- * nonce_is_negated: If `nonce_is_set`, whether the above nonce was negated after
- *                   summing the participants' nonces. Needed to ensure the nonce's y
- *                   coordinate has a quadratic-residue y coordinate
 *              msg: The 32-byte message (hash) to be signed
- *       msg_is_set: Whether the above message has been set
+ *       is_msg_set: Whether the above message has been set
 *  has_secret_data: Whether this session object has a signers' secret data; if this
 *                   is `false`, it may still be used for verification purposes.
 *           seckey: If `has_secret_data`, the signer's secret key
 *         secnonce: If `has_secret_data`, the signer's secret nonce
 *            nonce: If `has_secret_data`, the signer's public nonce
- * nonce_commitments_hash: If `has_secret_data` and `nonce_commitments_hash_is_set`,
- *                   the hash of all signers' commitments
- * nonce_commitments_hash_is_set: If `has_secret_data`, whether the
- *                   nonce_commitments_hash has been set
+ * nonce_commitments_hash: If `has_secret_data` and round >= 1, the hash of all
+ *                   signers' commitments
+ *   combined_nonce: If round >= 2, the summed combined public nonce
+ * combined_nonce_parity: If round >= 2, the parity of the Y coordinate of above
+ *                   nonce.
 */
 typedef struct {
-    secp256k1_pubkey combined_pk;
+    uint64_t magic;
+    int round;
+    secp256k1_musig_pre_session pre_session;
+    secp256k1_xonly_pubkey combined_pk;
    uint32_t n_signers;
-    unsigned char pk_hash[32];
-    secp256k1_pubkey combined_nonce;
-    int nonce_is_set;
-    int nonce_is_negated;
+    int is_msg_set;
    unsigned char msg[32];
-    int msg_is_set;
    int has_secret_data;
    unsigned char seckey[32];
    unsigned char secnonce[32];
-    secp256k1_pubkey nonce;
+    secp256k1_xonly_pubkey nonce;
+    int partial_nonce_parity;
    unsigned char nonce_commitments_hash[32];
-    int nonce_commitments_hash_is_set;
+    secp256k1_xonly_pubkey combined_nonce;
+    int combined_nonce_parity;
 } secp256k1_musig_session;

 /** Data structure containing data on all signers in a single session.
 *
 * The workflow for this structure is as follows:
 *
- * 1. This structure is initialized with `musig_session_initialize` or
- *    `musig_session_initialize_verifier`, which set the `index` field, and zero out
+ * 1. This structure is initialized with `musig_session_init` or
+ *    `musig_session_init_verifier`, which set the `index` field, and zero out
 *    all other fields. The public session is initialized with the signers'
 *    nonce_commitments.
 *
@@ -91,7 +119,7 @@ typedef struct {
 typedef struct {
    int present;
    uint32_t index;
-    secp256k1_pubkey nonce;
+    secp256k1_xonly_pubkey nonce;
    unsigned char nonce_commitment[32];
 } secp256k1_musig_session_signer_data;

@@ -108,30 +136,67 @@ typedef struct {
    unsigned char data[32];
 } secp256k1_musig_partial_signature;

-/** Computes a combined public key and the hash of the given public keys
+/** Computes a combined public key and the hash of the given public keys.
+ *  Different orders of `pubkeys` result in different `combined_pk`s.
 *
 *  Returns: 1 if the public keys were successfully combined, 0 otherwise
 *  Args:        ctx: pointer to a context object initialized for verification
 *                    (cannot be NULL)
 *           scratch: scratch space used to compute the combined pubkey by
 *                    multiexponentiation. If NULL, an inefficient algorithm is used.
- *  Out: combined_pk: the MuSig-combined public key (cannot be NULL)
- *         pk_hash32: if non-NULL, filled with the 32-byte hash of all input public
- *                    keys in order to be used in `musig_session_initialize`.
+ *  Out: combined_pk: the MuSig-combined xonly public key (cannot be NULL)
+ *       pre_session: if non-NULL, pointer to a musig_pre_session struct to be used in
+ *                    `musig_session_init` or `musig_pubkey_tweak_add`.
 *   In:     pubkeys: input array of public keys to combine. The order is important;
 *                    a different order will result in a different combined public
 *                    key (cannot be NULL)
- *         n_pubkeys: length of pubkeys array
+ *         n_pubkeys: length of pubkeys array. Must be greater than 0.
 */
 SECP256K1_API int secp256k1_musig_pubkey_combine(
    const secp256k1_context* ctx,
    secp256k1_scratch_space *scratch,
-    secp256k1_pubkey *combined_pk,
-    unsigned char *pk_hash32,
-    const secp256k1_pubkey *pubkeys,
+    secp256k1_xonly_pubkey *combined_pk,
+    secp256k1_musig_pre_session *pre_session,
+    const secp256k1_xonly_pubkey *pubkeys,
    size_t n_pubkeys
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);

+/** Tweak an x-only public key by adding the generator multiplied with tweak32
+ *  to it. The resulting output_pubkey with the given internal_pubkey and tweak
+ *  passes `secp256k1_xonly_pubkey_tweak_test`.
+ *
+ *  This function is only useful before initializing a signing session. If you
+ *  are only computing a public key, but not intending to create a signature for
+ *  it, you can just use `secp256k1_xonly_pubkey_tweak_add`. Can only be called
+ *  once with a given pre_session.
+ *
+ *  Returns: 0 if the arguments are invalid or the resulting public key would be
+ *           invalid (only when the tweak is the negation of the corresponding
+ *           secret key). 1 otherwise.
+ *  Args:          ctx: pointer to a context object initialized for verification
+ *                      (cannot be NULL)
+ *         pre_session: pointer to a `musig_pre_session` struct initialized in
+ *                      `musig_pubkey_combine` (cannot be NULL)
+ *  Out: output_pubkey: pointer to a public key to store the result. Will be set
+ *                      to an invalid value if this function returns 0 (cannot
+ *                      be NULL)
+ *  In: internal_pubkey: pointer to the `combined_pk` from
+ *                       `musig_pubkey_combine` to which the tweak is applied.
+ *                       (cannot be NULL).
+ *              tweak32: pointer to a 32-byte tweak. If the tweak is invalid
+ *                       according to secp256k1_ec_seckey_verify, this function
+ *                       returns 0. For uniformly random 32-byte arrays the
+ *                       chance of being invalid is negligible (around 1 in
+ *                       2^128) (cannot be NULL).
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_pubkey_tweak_add(
+    const secp256k1_context* ctx,
+    secp256k1_musig_pre_session *pre_session,
+    secp256k1_pubkey *output_pubkey,
+    const secp256k1_xonly_pubkey *internal_pubkey,
+    const unsigned char *tweak32
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
 /** Initializes a signing session for a signer
 *
 *  Returns: 1: session is successfully initialized
@@ -147,32 +212,37 @@ SECP256K1_API int secp256k1_musig_pubkey_combine(
 *                     NULL). If a non-unique session_id32 was given then a partial
 *                     signature will LEAK THE SECRET KEY.
 *              msg32: the 32-byte message to be signed. Shouldn't be NULL unless you
- *                     require sharing public nonces before the message is known
+ *                     require sharing nonce commitments before the message is known
 *                     because it reduces nonce misuse resistance. If NULL, must be
- *                     set with `musig_session_set_msg` before signing and verifying.
- *        combined_pk: the combined public key of all signers (cannot be NULL)
- *          pk_hash32: the 32-byte hash of the signers' individual keys (cannot be
- *                     NULL)
+ *                     set with `musig_session_get_public_nonce`.
+ *        combined_pk: the combined xonly public key of all signers (cannot be NULL)
+ *        pre_session: pointer to a musig_pre_session struct after initializing
+ *                     it with `musig_pubkey_combine` and optionally provided to
+ *                     `musig_pubkey_tweak_add` (cannot be NULL).
 *          n_signers: length of signers array. Number of signers participating in
 *                     the MuSig. Must be greater than 0 and at most 2^32 - 1.
- *           my_index: index of this signer in the signers array
+ *           my_index: index of this signer in the signers array. Must be less
+ *                     than `n_signers`.
 *             seckey: the signer's 32-byte secret key (cannot be NULL)
 */
-SECP256K1_API int secp256k1_musig_session_initialize(
+SECP256K1_API int secp256k1_musig_session_init(
    const secp256k1_context* ctx,
    secp256k1_musig_session *session,
    secp256k1_musig_session_signer_data *signers,
    unsigned char *nonce_commitment32,
    const unsigned char *session_id32,
    const unsigned char *msg32,
-    const secp256k1_pubkey *combined_pk,
-    const unsigned char *pk_hash32,
+    const secp256k1_xonly_pubkey *combined_pk,
+    const secp256k1_musig_pre_session *pre_session,
    size_t n_signers,
    size_t my_index,
    const unsigned char *seckey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8) SECP256K1_ARG_NONNULL(11);

-/** Gets the signer's public nonce given a list of all signers' data with commitments
+/** Gets the signer's public nonce given a list of all signers' data with
+ *  commitments.  Called by participating signers after
+ *  `secp256k1_musig_session_init` and after all nonce commitments have
+ *  been collected
 *
 *  Returns: 1: public nonce is written in nonce
 *           0: signer data is missing commitments or session isn't initialized
@@ -180,20 +250,25 @@ SECP256K1_API int secp256k1_musig_session_initialize(
 *  Args:        ctx: pointer to a context object (cannot be NULL)
 *           session: the signing session to get the nonce from (cannot be NULL)
 *           signers: an array of signers' data initialized with
- *                    `musig_session_initialize`. Array length must equal to
+ *                    `musig_session_init`. Array length must equal to
 *                    `n_commitments` (cannot be NULL)
- *  Out:       nonce: the nonce (cannot be NULL)
- *  In:  commitments: array of 32-byte nonce commitments (cannot be NULL)
+ *  Out:     nonce32: filled with a 32-byte public nonce which is supposed to be
+ *                    sent to the other signers and then used in `musig_set nonce`
+ *                    (cannot be NULL)
+ *  In:  commitments: array of pointers to 32-byte nonce commitments (cannot be NULL)
 *     n_commitments: the length of commitments and signers array. Must be the total
 *                    number of signers participating in the MuSig.
+ *             msg32: the 32-byte message to be signed. Must be NULL if already
+ *                    set with `musig_session_init` otherwise can not be NULL.
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_public_nonce(
    const secp256k1_context* ctx,
    secp256k1_musig_session *session,
    secp256k1_musig_session_signer_data *signers,
-    secp256k1_pubkey *nonce,
+    unsigned char *nonce32,
    const unsigned char *const *commitments,
-    size_t n_commitments
+    size_t n_commitments,
+    const unsigned char *msg32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);

 /** Initializes a verifier session that can be used for verifying nonce commitments
@@ -205,27 +280,27 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_get_publi
 *  Out:     session: the session structure to initialize (cannot be NULL)
 *           signers: an array of signers' data to be initialized. Array length must
 *                    equal to `n_signers`(cannot be NULL)
- *  In:        msg32: the 32-byte message to be signed If NULL, must be set with
- *                    `musig_session_set_msg` before using the session for verifying
- *                    partial signatures.
- *       combined_pk: the combined public key of all signers (cannot be NULL)
+ *  In:        msg32: the 32-byte message to be signed (cannot be NULL)
+ *       combined_pk: the combined xonly public key of all signers (cannot be NULL)
+ *       pre_session: pointer to a musig_pre_session struct from
+ *                    `musig_pubkey_combine` (cannot be NULL)
 *         pk_hash32: the 32-byte hash of the signers' individual keys (cannot be NULL)
- *       commitments: array of 32-byte nonce commitments. Array length must equal to
- *                    `n_signers` (cannot be NULL)
+ *       commitments: array of pointers to 32-byte nonce commitments. Array
+ *                    length must equal to `n_signers` (cannot be NULL)
 *         n_signers: length of signers and commitments array. Number of signers
 *                    participating in the MuSig. Must be greater than 0 and at most
 *                    2^32 - 1.
 */
-SECP256K1_API int secp256k1_musig_session_initialize_verifier(
+SECP256K1_API int secp256k1_musig_session_init_verifier(
    const secp256k1_context* ctx,
    secp256k1_musig_session *session,
    secp256k1_musig_session_signer_data *signers,
    const unsigned char *msg32,
-    const secp256k1_pubkey *combined_pk,
-    const unsigned char *pk_hash32,
+    const secp256k1_xonly_pubkey *combined_pk,
+    const secp256k1_musig_pre_session *pre_session,
    const unsigned char *const *commitments,
    size_t n_signers
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(6) SECP256K1_ARG_NONNULL(7);

 /** Checks a signer's public nonce against a commitment to said nonce, and update
 *  data structure if they match
@@ -235,13 +310,13 @@ SECP256K1_API int secp256k1_musig_session_initialize_verifier(
 *  Args:      ctx: pointer to a context object (cannot be NULL)
 *          signer: pointer to the signer data to update (cannot be NULL). Must have
 *                  been used with `musig_session_get_public_nonce` or initialized
- *                  with `musig_session_initialize_verifier`.
- *  In:     nonce: signer's alleged public nonce (cannot be NULL)
+ *                  with `musig_session_init_verifier`.
+ *  In:    nonce32: signer's alleged public nonce (cannot be NULL)
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce(
    const secp256k1_context* ctx,
    secp256k1_musig_session_signer_data *signer,
-    const secp256k1_pubkey *nonce
+    const unsigned char *nonce32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

 /** Updates a session with the combined public nonce of all signers. The combined
@@ -257,8 +332,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_set_nonce(
 *                    (cannot be NULL)
 *         n_signers: the length of the signers array. Must be the total number of
 *                    signers participating in the MuSig.
- *  Out: nonce_is_negated: a pointer to an integer that indicates if the combined
- *                    public nonce had to be negated.
+ *  Out: nonce_parity: if non-NULL, a pointer to an integer that indicates the
+ *                    parity of the combined public nonce. Used for adaptor
+ *                    signatures.
 *           adaptor: point to add to the combined public nonce. If NULL, nothing is
 *                    added to the combined nonce.
 */
@@ -267,22 +343,8 @@ SECP256K1_API int secp256k1_musig_session_combine_nonces(
    secp256k1_musig_session *session,
    const secp256k1_musig_session_signer_data *signers,
    size_t n_signers,
-    int *nonce_is_negated,
+    int *nonce_parity,
    const secp256k1_pubkey *adaptor
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4);
-
-/** Sets the message of a session if previously unset
- *
- *  Returns 1 if the message was not set yet and is now successfully set
- *          0 otherwise
- *  Args:    ctx: pointer to a context object (cannot be NULL)
- *       session: the session structure to update with the message (cannot be NULL)
- *  In:    msg32: the 32-byte message to be signed (cannot be NULL)
- */
-SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_session_set_msg(
-    const secp256k1_context* ctx,
-    secp256k1_musig_session *session,
-    const unsigned char *msg32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

 /** Serialize a MuSig partial signature or adaptor signature
@@ -352,25 +414,25 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_verif
    const secp256k1_musig_session *session,
    const secp256k1_musig_session_signer_data *signer,
    const secp256k1_musig_partial_signature *partial_sig,
-    const secp256k1_pubkey *pubkey
+    const secp256k1_xonly_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);

 /** Combines partial signatures
 *
 *  Returns: 1: all partial signatures have values in range. Does NOT mean the
 *              resulting signature verifies.
- *           0: some partial signature had s/r out of range
+ *           0: some partial signature are missing or had s or r out of range
 *  Args:         ctx: pointer to a context object (cannot be NULL)
 *            session: initialized session for which the combined nonce has been
 *                     computed (cannot be NULL)
- *  Out:          sig: complete signature (cannot be NULL)
+ *  Out:        sig64: complete signature (cannot be NULL)
 *  In:  partial_sigs: array of partial signatures to combine (cannot be NULL)
 *             n_sigs: number of signatures in the partial_sigs array
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_combine(
    const secp256k1_context* ctx,
    const secp256k1_musig_session *session,
-    secp256k1_schnorrsig *sig,
+    unsigned char *sig64,
    const secp256k1_musig_partial_signature *partial_sigs,
    size_t n_sigs
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
@@ -385,14 +447,14 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_partial_sig_combi
 *  In:   partial_sig: partial signature to tweak with secret adaptor (cannot be NULL)
 *      sec_adaptor32: 32-byte secret adaptor to add to the partial signature (cannot
 *                     be NULL)
- *   nonce_is_negated: the `nonce_is_negated` output of `musig_session_combine_nonces`
+ *       nonce_parity: the `nonce_parity` output of `musig_session_combine_nonces`
 */
 SECP256K1_API int secp256k1_musig_partial_sig_adapt(
    const secp256k1_context* ctx,
    secp256k1_musig_partial_signature *adaptor_sig,
    const secp256k1_musig_partial_signature *partial_sig,
    const unsigned char *sec_adaptor32,
-    int nonce_is_negated
+    int nonce_parity
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

 /** Extracts a secret adaptor from a MuSig, given all parties' partial
@@ -405,18 +467,22 @@ SECP256K1_API int secp256k1_musig_partial_sig_adapt(
 *           0: otherwise
 *  Args:         ctx: pointer to a context object (cannot be NULL)
 *  Out:sec_adaptor32: 32-byte secret adaptor (cannot be NULL)
- *  In:           sig: complete 2-of-2 signature (cannot be NULL)
+ *  In:         sig64: complete 2-of-2 signature (cannot be NULL)
 *       partial_sigs: array of partial signatures (cannot be NULL)
 *     n_partial_sigs: number of elements in partial_sigs array
- *   nonce_is_negated: the `nonce_is_negated` output of `musig_session_combine_nonces`
+ *   nonce_parity: the `nonce_parity` output of `musig_session_combine_nonces`
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_musig_extract_secret_adaptor(
    const secp256k1_context* ctx,
    unsigned char *sec_adaptor32,
-    const secp256k1_schnorrsig *sig,
+    const unsigned char *sig64,
    const secp256k1_musig_partial_signature *partial_sigs,
    size_t n_partial_sigs,
-    int nonce_is_negated
+    int nonce_parity
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

+#ifdef __cplusplus
+}
+#endif
+
 #endif
--- a/include/secp256k1_preallocated.h
+++ b/include/secp256k1_preallocated.h
@@ -14,12 +14,12 @@ extern "C" {
 *
 * Context objects created by functions in this module can be used like contexts
 * objects created by functions in secp256k1.h, i.e., they can be passed to any
- * API function that excepts a context object (see secp256k1.h for details). The
+ * API function that expects a context object (see secp256k1.h for details). The
 * only exception is that context objects created by functions in this module
 * must be destroyed using secp256k1_context_preallocated_destroy (in this
 * module) instead of secp256k1_context_destroy (in secp256k1.h).
 *
- * It is guaranteed that functions in by this module will not call malloc or its
+ * It is guaranteed that functions in this module will not call malloc or its
 * friends realloc, calloc, and free.
 */

--- a/include/secp256k1_rangeproof.h
+++ b/include/secp256k1_rangeproof.h
@@ -55,9 +55,6 @@ SECP256K1_API int secp256k1_pedersen_commitment_serialize(
    const secp256k1_pedersen_commitment* commit
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

-/** Initialize a context for usage with Pedersen commitments. */
-void secp256k1_pedersen_context_initialize(secp256k1_context* ctx);
-
 /** Generate a pedersen commitment.
 *  Returns 1: Commitment successfully created.
 *          0: Error. The blinding factor is larger than the group order
@@ -161,9 +158,6 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_pedersen_blind_generato
  size_t n_inputs
 );

-/** Initialize a context for usage with Pedersen commitments. */
-void secp256k1_rangeproof_context_initialize(secp256k1_context* ctx);
-
 /** Verify a proof that a committed value is within a range.
 * Returns 1: Value is within the range [0..2^64), the specifically proven range is in the min/max value outputs.
 *         0: Proof failed or other error.
@@ -203,7 +197,9 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_rangeproof_verify(
 *  In/Out: blind_out: storage for the 32-byte blinding factor used for the commitment
 *        value_out: pointer to an unsigned int64 which has the exact value of the commitment.
 *        message_out: pointer to a 4096 byte character array to receive message data from the proof author.
- *        outlen:  length of message data written to message_out.
+ *        outlen: length of message data written to message_out. This is generally not equal to the
+ *                msg_len used by the signer. However, for all i with msg_len <= i < outlen, it is
+ *                guaranteed that message_out[i] == 0.
 *        min_value: pointer to an unsigned int64 which will be updated with the minimum value that commit could have. (cannot be NULL)
 *        max_value: pointer to an unsigned int64 which will be updated with the maximum value that commit could have. (cannot be NULL)
 */
--- a/include/secp256k1_recovery.h
+++ b/include/secp256k1_recovery.h
@@ -70,7 +70,7 @@ SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(
 /** Create a recoverable ECDSA signature.
 *
 *  Returns: 1: signature created
- *           0: the nonce generation function failed, or the private key was invalid.
+ *           0: the nonce generation function failed, or the secret key was invalid.
 *  Args:    ctx:    pointer to a context object, initialized for signing (cannot be NULL)
 *  Out:     sig:    pointer to an array where the signature will be placed (cannot be NULL)
 *  In:      msg32:  the 32-byte message hash being signed (cannot be NULL)
--- a/include/secp256k1_schnorrsig.h
+++ b/include/secp256k1_schnorrsig.h
@@ -1,118 +1,111 @@
 #ifndef SECP256K1_SCHNORRSIG_H
 #define SECP256K1_SCHNORRSIG_H

+#include "secp256k1.h"
+#include "secp256k1_extrakeys.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /** This module implements a variant of Schnorr signatures compliant with
- * BIP-schnorr
- * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki).
+ *  Bitcoin Improvement Proposal 340 "Schnorr Signatures for secp256k1"
+ *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 */

-/** Opaque data structure that holds a parsed Schnorr signature.
+/** A pointer to a function to deterministically generate a nonce.
 *
- *  The exact representation of data inside is implementation defined and not
- *  guaranteed to be portable between different platforms or versions. It is
- *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
- *  If you need to convert to a format suitable for storage, transmission, or
- *  comparison, use the `secp256k1_schnorrsig_serialize` and
- *  `secp256k1_schnorrsig_parse` functions.
+ *  Same as secp256k1_nonce function with the exception of accepting an
+ *  additional pubkey argument and not requiring an attempt argument. The pubkey
+ *  argument can protect signature schemes with key-prefixed challenge hash
+ *  inputs against reusing the nonce when signing with the wrong precomputed
+ *  pubkey.
+ *
+ *  Returns: 1 if a nonce was successfully generated. 0 will cause signing to
+ *           return an error.
+ *  Out:     nonce32:   pointer to a 32-byte array to be filled by the function.
+ *  In:      msg32:     the 32-byte message hash being verified (will not be NULL)
+ *           key32:     pointer to a 32-byte secret key (will not be NULL)
+ *      xonly_pk32:     the 32-byte serialized xonly pubkey corresponding to key32
+ *                      (will not be NULL)
+ *           algo16:    pointer to a 16-byte array describing the signature
+ *                      algorithm (will not be NULL).
+ *           data:      Arbitrary data pointer that is passed through.
+ *
+ *  Except for test cases, this function should compute some cryptographic hash of
+ *  the message, the key, the pubkey, the algorithm description, and data.
 */
-typedef struct {
-    unsigned char data[64];
-} secp256k1_schnorrsig;
+typedef int (*secp256k1_nonce_function_hardened)(
+    unsigned char *nonce32,
+    const unsigned char *msg32,
+    const unsigned char *key32,
+    const unsigned char *xonly_pk32,
+    const unsigned char *algo16,
+    void *data
+);

-/** Serialize a Schnorr signature.
+/** An implementation of the nonce generation function as defined in Bitcoin
+ *  Improvement Proposal 340 "Schnorr Signatures for secp256k1"
+ *  (https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 *
- *  Returns: 1
- *  Args:    ctx: a secp256k1 context object
- *  Out:   out64: pointer to a 64-byte array to store the serialized signature
- *  In:      sig: pointer to the signature
- *
- *  See secp256k1_schnorrsig_parse for details about the encoding.
+ *  If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
+ *  auxiliary random data as defined in BIP-340. If the data pointer is NULL,
+ *  schnorrsig_sign does not produce BIP-340 compliant signatures. The algo16
+ *  argument must be non-NULL, otherwise the function will fail and return 0.
+ *  The hash will be tagged with algo16 after removing all terminating null
+ *  bytes. Therefore, to create BIP-340 compliant signatures, algo16 must be set
+ *  to "BIP0340/nonce\0\0\0"
 */
-SECP256K1_API int secp256k1_schnorrsig_serialize(
-    const secp256k1_context* ctx,
-    unsigned char *out64,
-    const secp256k1_schnorrsig* sig
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
-
-/** Parse a Schnorr signature.
- *
- *  Returns: 1 when the signature could be parsed, 0 otherwise.
- *  Args:    ctx: a secp256k1 context object
- *  Out:     sig: pointer to a signature object
- *  In:     in64: pointer to the 64-byte signature to be parsed
- *
- * The signature is serialized in the form R||s, where R is a 32-byte public
- * key (x-coordinate only; the y-coordinate is considered to be the unique
- * y-coordinate satisfying the curve equation that is a quadratic residue)
- * and s is a 32-byte big-endian scalar.
- *
- * After the call, sig will always be initialized. If parsing failed or the
- * encoded numbers are out of range, signature validation with it is
- * guaranteed to fail for every message and public key.
- */
-SECP256K1_API int secp256k1_schnorrsig_parse(
-    const secp256k1_context* ctx,
-    secp256k1_schnorrsig* sig,
-    const unsigned char *in64
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+SECP256K1_API extern const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340;

 /** Create a Schnorr signature.
 *
- * Returns 1 on success, 0 on failure.
+ *  Does _not_ strictly follow BIP-340 because it does not verify the resulting
+ *  signature. Instead, you can manually use secp256k1_schnorrsig_verify and
+ *  abort if it fails.
+ *
+ *  Otherwise BIP-340 compliant if the noncefp argument is NULL or
+ *  secp256k1_nonce_function_bip340 and the ndata argument is 32-byte auxiliary
+ *  randomness.
+ *
+ *  Returns 1 on success, 0 on failure.
 *  Args:    ctx: pointer to a context object, initialized for signing (cannot be NULL)
- *  Out:     sig: pointer to the returned signature (cannot be NULL)
- *       nonce_is_negated: a pointer to an integer indicates if signing algorithm negated the
- *                nonce (can be NULL)
- *  In:    msg32: the 32-byte message hash being signed (cannot be NULL)
- *        seckey: pointer to a 32-byte secret key (cannot be NULL)
- *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bipschnorr is used
- *         ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+ *  Out:   sig64: pointer to a 64-byte array to store the serialized signature (cannot be NULL)
+ *  In:    msg32: the 32-byte message being signed (cannot be NULL)
+ *       keypair: pointer to an initialized keypair (cannot be NULL)
+ *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bip340 is used
+ *         ndata: pointer to arbitrary data used by the nonce generation
+ *                function (can be NULL). If it is non-NULL and
+ *                secp256k1_nonce_function_bip340 is used, then ndata must be a
+ *                pointer to 32-byte auxiliary randomness as per BIP-340.
 */
 SECP256K1_API int secp256k1_schnorrsig_sign(
    const secp256k1_context* ctx,
-    secp256k1_schnorrsig *sig,
-    int *nonce_is_negated,
+    unsigned char *sig64,
    const unsigned char *msg32,
-    const unsigned char *seckey,
-    secp256k1_nonce_function noncefp,
+    const secp256k1_keypair *keypair,
+    secp256k1_nonce_function_hardened noncefp,
    void *ndata
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

 /** Verify a Schnorr signature.
 *
 *  Returns: 1: correct signature
- *           0: incorrect or unparseable signature
+ *           0: incorrect signature
 *  Args:    ctx: a secp256k1 context object, initialized for verification.
- *  In:      sig: the signature being verified (cannot be NULL)
- *         msg32: the 32-byte message hash being verified (cannot be NULL)
- *        pubkey: pointer to a public key to verify with (cannot be NULL)
+ *  In:    sig64: pointer to the 64-byte signature to verify (cannot be NULL)
+ *         msg32: the 32-byte message being verified (cannot be NULL)
+ *        pubkey: pointer to an x-only public key to verify with (cannot be NULL)
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
    const secp256k1_context* ctx,
-    const secp256k1_schnorrsig *sig,
+    const unsigned char *sig64,
    const unsigned char *msg32,
-    const secp256k1_pubkey *pubkey
+    const secp256k1_xonly_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

-/** Verifies a set of Schnorr signatures.
- *
- * Returns 1 if all succeeded, 0 otherwise. In particular, returns 1 if n_sigs is 0.
- *
- *  Args:    ctx: a secp256k1 context object, initialized for verification.
- *       scratch: scratch space used for the multiexponentiation
- *  In:      sig: array of signatures, or NULL if there are no signatures
- *         msg32: array of messages, or NULL if there are no signatures
- *            pk: array of public keys, or NULL if there are no signatures
- *        n_sigs: number of signatures in above arrays. Must be smaller than
- *                2^31 and smaller than half the maximum size_t value. Must be 0
- *                if above arrays are NULL.
- */
-SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch(
-    const secp256k1_context* ctx,
-    secp256k1_scratch_space *scratch,
-    const secp256k1_schnorrsig *const *sig,
-    const unsigned char *const *msg32,
-    const secp256k1_pubkey *const *pk,
-    size_t n_sigs
-) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+#ifdef __cplusplus
+}
 #endif
+
+#endif /* SECP256K1_SCHNORRSIG_H */
--- a/include/secp256k1_surjectionproof.h
+++ b/include/secp256k1_surjectionproof.h
@@ -11,6 +11,9 @@ extern "C" {
 /** Maximum number of inputs that may be given in a surjection proof */
 #define SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS 256

+/** Maximum number of inputs that may be used in a surjection proof */
+#define SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS 256
+
 /** Number of bytes a serialized surjection proof requires given the
 *  number of inputs and the number of used inputs.
 */
@@ -19,7 +22,7 @@ extern "C" {

 /** Maximum number of bytes a serialized surjection proof requires. */
 #define SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES_MAX \
-    SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS)
+    SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS, SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS)

 /** Opaque data structure that holds a parsed surjection proof
 *
@@ -46,9 +49,10 @@ typedef struct {
    /** Bitmap of which input tags are used in the surjection proof */
    unsigned char used_inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS / 8];
    /** Borromean signature: e0, scalars */
-    unsigned char data[32 * (1 + SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS)];
+    unsigned char data[32 * (1 + SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS)];
 } secp256k1_surjectionproof;

+#ifndef USE_REDUCED_SURJECTION_PROOF_SIZE
 /** Parse a surjection proof
 *
 *  Returns: 1 when the proof could be parsed, 0 otherwise.
@@ -70,6 +74,7 @@ SECP256K1_API int secp256k1_surjectionproof_parse(
  const unsigned char *input,
  size_t inputlen
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+#endif

 /** Serialize a surjection proof
 *
@@ -143,7 +148,8 @@ SECP256K1_API size_t secp256k1_surjectionproof_serialized_size(
 *                        e.g. in a coinjoin with others' inputs, an ephemeral tag can be given;
 *                        this won't match the output tag but might be used in the anonymity set.)
 *          n_input_tags: the number of entries in the fixed_input_tags array
- *      n_input_tags_to_use: the number of inputs to select randomly to put in the anonymity set
+ *   n_input_tags_to_use: the number of inputs to select randomly to put in the anonymity set
+ *                        Must be <= SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS
 *      fixed_output_tag: fixed output tag
 *      max_n_iterations: the maximum number of iterations to do before giving up. Because the
 *                        maximum number of inputs (SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS) is
@@ -237,6 +243,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_surjectionproof_generat
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5) SECP256K1_ARG_NONNULL(7) SECP256K1_ARG_NONNULL(8);


+#ifndef USE_REDUCED_SURJECTION_PROOF_SIZE
 /** Surjection proof verification function
 * Returns 0: proof was invalid
 *         1: proof was valid
@@ -254,6 +261,7 @@ SECP256K1_API int secp256k1_surjectionproof_verify(
  size_t n_ephemeral_input_tags,
  const secp256k1_generator* ephemeral_output_tag
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5);
+#endif

 #ifdef __cplusplus
 }
--- a/sage/gen_exhaustive_groups.sage
+++ b/sage/gen_exhaustive_groups.sage
@@ -0,0 +1,129 @@
+# Define field size and field
+P = 2^256 - 2^32 - 977
+F = GF(P)
+BETA = F(0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee)
+
+assert(BETA != F(1) and BETA^3 == F(1))
+
+orders_done = set()
+results = {}
+first = True
+for b in range(1, P):
+    # There are only 6 curves (up to isomorphism) of the form y^2=x^3+B. Stop once we have tried all.
+    if len(orders_done) == 6:
+        break
+
+    E = EllipticCurve(F, [0, b])
+    print("Analyzing curve y^2 = x^3 + %i" % b)
+    n = E.order()
+    # Skip curves with an order we've already tried
+    if n in orders_done:
+        print("- Isomorphic to earlier curve")
+        continue
+    orders_done.add(n)
+    # Skip curves isomorphic to the real secp256k1
+    if n.is_pseudoprime():
+        print(" - Isomorphic to secp256k1")
+        continue
+
+    print("- Finding subgroups")
+
+    # Find what prime subgroups exist
+    for f, _ in n.factor():
+        print("- Analyzing subgroup of order %i" % f)
+        # Skip subgroups of order >1000
+        if f < 4 or f > 1000:
+            print("  - Bad size")
+            continue
+
+        # Iterate over X coordinates until we find one that is on the curve, has order f,
+        # and for which curve isomorphism exists that maps it to X coordinate 1.
+        for x in range(1, P):
+            # Skip X coordinates not on the curve, and construct the full point otherwise.
+            if not E.is_x_coord(x):
+                continue
+            G = E.lift_x(F(x))
+
+            print("  - Analyzing (multiples of) point with X=%i" % x)
+
+            # Skip points whose order is not a multiple of f. Project the point to have
+            # order f otherwise.
+            if (G.order() % f):
+                print("    - Bad order")
+                continue
+            G = G * (G.order() // f)
+
+            # Find lambda for endomorphism. Skip if none can be found.
+            lam = None
+            for l in Integers(f)(1).nth_root(3, all=True):
+                if int(l)*G == E(BETA*G[0], G[1]):
+                    lam = int(l)
+                    break
+            if lam is None:
+                print("    - No endomorphism for this subgroup")
+                break
+
+            # Now look for an isomorphism of the curve that gives this point an X
+            # coordinate equal to 1.
+            # If (x,y) is on y^2 = x^3 + b, then (a^2*x, a^3*y) is on y^2 = x^3 + a^6*b.
+            # So look for m=a^2=1/x.
+            m = F(1)/G[0]
+            if not m.is_square():
+                print("    - No curve isomorphism maps it to a point with X=1")
+                continue
+            a = m.sqrt()
+            rb = a^6*b
+            RE = EllipticCurve(F, [0, rb])
+
+            # Use as generator twice the image of G under the above isormorphism.
+            # This means that generator*(1/2 mod f) will have X coordinate 1.
+            RG = RE(1, a^3*G[1]) * 2
+            # And even Y coordinate.
+            if int(RG[1]) % 2:
+                RG = -RG
+            assert(RG.order() == f)
+            assert(lam*RG == RE(BETA*RG[0], RG[1]))
+
+            # We have found curve RE:y^2=x^3+rb with generator RG of order f. Remember it
+            results[f] = {"b": rb, "G": RG, "lambda": lam}
+            print("    - Found solution")
+            break
+
+    print("")
+
+print("")
+print("")
+print("/* To be put in src/group_impl.h: */")
+first = True
+for f in sorted(results.keys()):
+    b = results[f]["b"]
+    G = results[f]["G"]
+    print("#  %s EXHAUSTIVE_TEST_ORDER == %i" % ("if" if first else "elif", f))
+    first = False
+    print("static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_GE_CONST(")
+    print("    0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(G[0]) >> (32 * (7 - i))) & 0xffffffff for i in range(4)))
+    print("    0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(G[0]) >> (32 * (7 - i))) & 0xffffffff for i in range(4, 8)))
+    print("    0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(G[1]) >> (32 * (7 - i))) & 0xffffffff for i in range(4)))
+    print("    0x%08x, 0x%08x, 0x%08x, 0x%08x" % tuple((int(G[1]) >> (32 * (7 - i))) & 0xffffffff for i in range(4, 8)))
+    print(");")
+    print("static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(")
+    print("    0x%08x, 0x%08x, 0x%08x, 0x%08x," % tuple((int(b) >> (32 * (7 - i))) & 0xffffffff for i in range(4)))
+    print("    0x%08x, 0x%08x, 0x%08x, 0x%08x" % tuple((int(b) >> (32 * (7 - i))) & 0xffffffff for i in range(4, 8)))
+    print(");")
+print("#  else")
+print("#    error No known generator for the specified exhaustive test group order.")
+print("#  endif")
+
+print("")
+print("")
+print("/* To be put in src/scalar_impl.h: */")
+first = True
+for f in sorted(results.keys()):
+    lam = results[f]["lambda"]
+    print("#  %s EXHAUSTIVE_TEST_ORDER == %i" % ("if" if first else "elif", f))
+    first = False
+    print("#    define EXHAUSTIVE_TEST_LAMBDA %i" % lam)
+print("#  else")
+print("#    error No known lambda for the specified exhaustive test group order.")
+print("#  endif")
+print("")
--- a/sage/group_prover.sage
+++ b/sage/group_prover.sage
@@ -65,7 +65,7 @@ class fastfrac:
    return self.top in I and self.bot not in I

  def reduce(self,assumeZero):
-    zero = self.R.ideal(map(numerator, assumeZero))
+    zero = self.R.ideal(list(map(numerator, assumeZero)))
    return fastfrac(self.R, zero.reduce(self.top)) / fastfrac(self.R, zero.reduce(self.bot))

  def __add__(self,other):
@@ -100,7 +100,7 @@ class fastfrac:
    """Multiply something else with a fraction."""
    return self.__mul__(other)

-  def __div__(self,other):
+  def __truediv__(self,other):
    """Divide two fractions."""
    if parent(other) == ZZ:
      return fastfrac(self.R,self.top,self.bot * other)
@@ -108,6 +108,11 @@ class fastfrac:
      return fastfrac(self.R,self.top * other.bot,self.bot * other.top)
    return NotImplemented

+  # Compatibility wrapper for Sage versions based on Python 2
+  def __div__(self,other):
+     """Divide two fractions."""
+     return self.__truediv__(other)
+
  def __pow__(self,other):
    """Compute a power of a fraction."""
    if parent(other) == ZZ:
@@ -175,7 +180,7 @@ class constraints:

 def conflicts(R, con):
  """Check whether any of the passed non-zero assumptions is implied by the zero assumptions"""
-  zero = R.ideal(map(numerator, con.zero))
+  zero = R.ideal(list(map(numerator, con.zero)))
  if 1 in zero:
    return True
  # First a cheap check whether any of the individual nonzero terms conflict on
@@ -195,7 +200,7 @@ def conflicts(R, con):

 def get_nonzero_set(R, assume):
  """Calculate a simple set of nonzero expressions"""
-  zero = R.ideal(map(numerator, assume.zero))
+  zero = R.ideal(list(map(numerator, assume.zero)))
  nonzero = set()
  for nz in map(numerator, assume.nonzero):
    for (f,n) in nz.factor():
@@ -208,7 +213,7 @@ def get_nonzero_set(R, assume):

 def prove_nonzero(R, exprs, assume):
  """Check whether an expression is provably nonzero, given assumptions"""
-  zero = R.ideal(map(numerator, assume.zero))
+  zero = R.ideal(list(map(numerator, assume.zero)))
  nonzero = get_nonzero_set(R, assume)
  expl = set()
  ok = True
@@ -250,7 +255,7 @@ def prove_zero(R, exprs, assume):
  r, e = prove_nonzero(R, dict(map(lambda x: (fastfrac(R, x.bot, 1), exprs[x]), exprs)), assume)
  if not r:
    return (False, map(lambda x: "Possibly zero denominator: %s" % x, e))
-  zero = R.ideal(map(numerator, assume.zero))
+  zero = R.ideal(list(map(numerator, assume.zero)))
  nonzero = prod(x for x in assume.nonzero)
  expl = []
  for expr in exprs:
@@ -265,8 +270,8 @@ def describe_extra(R, assume, assumeExtra):
  """Describe what assumptions are added, given existing assumptions"""
  zerox = assume.zero.copy()
  zerox.update(assumeExtra.zero)
-  zero = R.ideal(map(numerator, assume.zero))
-  zeroextra = R.ideal(map(numerator, zerox))
+  zero = R.ideal(list(map(numerator, assume.zero)))
+  zeroextra = R.ideal(list(map(numerator, zerox)))
  nonzero = get_nonzero_set(R, assume)
  ret = set()
  # Iterate over the extra zero expressions
--- a/sage/weierstrass_prover.sage
+++ b/sage/weierstrass_prover.sage
@@ -175,24 +175,24 @@ laws_jacobian_weierstrass = {
 def check_exhaustive_jacobian_weierstrass(name, A, B, branches, formula, p):
  """Verify an implementation of addition of Jacobian points on a Weierstrass curve, by executing and validating the result for every possible addition in a prime field"""
  F = Integers(p)
-  print "Formula %s on Z%i:" % (name, p)
+  print("Formula %s on Z%i:" % (name, p))
  points = []
-  for x in xrange(0, p):
-    for y in xrange(0, p):
+  for x in range(0, p):
+    for y in range(0, p):
      point = affinepoint(F(x), F(y))
      r, e = concrete_verify(on_weierstrass_curve(A, B, point))
      if r:
        points.append(point)

-  for za in xrange(1, p):
-    for zb in xrange(1, p):
+  for za in range(1, p):
+    for zb in range(1, p):
      for pa in points:
        for pb in points:
-          for ia in xrange(2):
-            for ib in xrange(2):
+          for ia in range(2):
+            for ib in range(2):
              pA = jacobianpoint(pa.x * F(za)^2, pa.y * F(za)^3, F(za), ia)
              pB = jacobianpoint(pb.x * F(zb)^2, pb.y * F(zb)^3, F(zb), ib)
-              for branch in xrange(0, branches):
+              for branch in range(0, branches):
                assumeAssert, assumeBranch, pC = formula(branch, pA, pB)
                pC.X = F(pC.X)
                pC.Y = F(pC.Y)
@@ -206,13 +206,13 @@ def check_exhaustive_jacobian_weierstrass(name, A, B, branches, formula, p):
                    r, e = concrete_verify(assumeLaw)
                    if r:
                      if match:
-                        print "  multiple branches for (%s,%s,%s,%s) + (%s,%s,%s,%s)" % (pA.X, pA.Y, pA.Z, pA.Infinity, pB.X, pB.Y, pB.Z, pB.Infinity)
+                        print("  multiple branches for (%s,%s,%s,%s) + (%s,%s,%s,%s)" % (pA.X, pA.Y, pA.Z, pA.Infinity, pB.X, pB.Y, pB.Z, pB.Infinity))
                      else:
                        match = True
                      r, e = concrete_verify(require)
                      if not r:
-                        print "  failure in branch %i for (%s,%s,%s,%s) + (%s,%s,%s,%s) = (%s,%s,%s,%s): %s" % (branch, pA.X, pA.Y, pA.Z, pA.Infinity, pB.X, pB.Y, pB.Z, pB.Infinity, pC.X, pC.Y, pC.Z, pC.Infinity, e)
-  print
+                        print("  failure in branch %i for (%s,%s,%s,%s) + (%s,%s,%s,%s) = (%s,%s,%s,%s): %s" % (branch, pA.X, pA.Y, pA.Z, pA.Infinity, pB.X, pB.Y, pB.Z, pB.Infinity, pC.X, pC.Y, pC.Z, pC.Infinity, e))
+  print()


 def check_symbolic_function(R, assumeAssert, assumeBranch, f, A, B, pa, pb, pA, pB, pC):
@@ -242,9 +242,9 @@ def check_symbolic_jacobian_weierstrass(name, A, B, branches, formula):
  for key in laws_jacobian_weierstrass:
    res[key] = []

-  print ("Formula " + name + ":")
+  print("Formula " + name + ":")
  count = 0
-  for branch in xrange(branches):
+  for branch in range(branches):
    assumeFormula, assumeBranch, pC = formula(branch, pA, pB)
    pC.X = lift(pC.X)
    pC.Y = lift(pC.Y)
@@ -255,10 +255,10 @@ def check_symbolic_jacobian_weierstrass(name, A, B, branches, formula):
      res[key].append((check_symbolic_function(R, assumeFormula, assumeBranch, laws_jacobian_weierstrass[key], A, B, pa, pb, pA, pB, pC), branch))

  for key in res:
-    print "  %s:" % key
+    print("  %s:" % key)
    val = res[key]
    for x in val:
      if x[0] is not None:
-        print "    branch %i: %s" % (x[1], x[0])
+        print("    branch %i: %s" % (x[1], x[0]))

-  print
+  print()
--- a/src/assumptions.h
+++ b/src/assumptions.h
@@ -0,0 +1,80 @@
+/**********************************************************************
+ * Copyright (c) 2020 Pieter Wuille                                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_ASSUMPTIONS_H
+#define SECP256K1_ASSUMPTIONS_H
+
+#include <limits.h>
+
+#include "util.h"
+
+/* This library, like most software, relies on a number of compiler implementation defined (but not undefined)
+   behaviours. Although the behaviours we require are essentially universal we test them specifically here to
+   reduce the odds of experiencing an unwelcome surprise.
+*/
+
+struct secp256k1_assumption_checker {
+    /* This uses a trick to implement a static assertion in C89: a type with an array of negative size is not
+       allowed. */
+    int dummy_array[(
+        /* Bytes are 8 bits. */
+        (CHAR_BIT == 8) &&
+
+        /* No integer promotion for uint32_t. This ensures that we can multiply uintXX_t values where XX >= 32
+           without signed overflow, which would be undefined behaviour. */
+        (UINT_MAX <= UINT32_MAX) &&
+
+        /* Conversions from unsigned to signed outside of the bounds of the signed type are
+           implementation-defined. Verify that they function as reinterpreting the lower
+           bits of the input in two's complement notation. Do this for conversions:
+           - from uint(N)_t to int(N)_t with negative result
+           - from uint(2N)_t to int(N)_t with negative result
+           - from int(2N)_t to int(N)_t with negative result
+           - from int(2N)_t to int(N)_t with positive result */
+
+        /* To int8_t. */
+        ((int8_t)(uint8_t)0xAB == (int8_t)-(int8_t)0x55) &&
+        ((int8_t)(uint16_t)0xABCD == (int8_t)-(int8_t)0x33) &&
+        ((int8_t)(int16_t)(uint16_t)0xCDEF == (int8_t)(uint8_t)0xEF) &&
+        ((int8_t)(int16_t)(uint16_t)0x9234 == (int8_t)(uint8_t)0x34) &&
+
+        /* To int16_t. */
+        ((int16_t)(uint16_t)0xBCDE == (int16_t)-(int16_t)0x4322) &&
+        ((int16_t)(uint32_t)0xA1B2C3D4 == (int16_t)-(int16_t)0x3C2C) &&
+        ((int16_t)(int32_t)(uint32_t)0xC1D2E3F4 == (int16_t)(uint16_t)0xE3F4) &&
+        ((int16_t)(int32_t)(uint32_t)0x92345678 == (int16_t)(uint16_t)0x5678) &&
+
+        /* To int32_t. */
+        ((int32_t)(uint32_t)0xB2C3D4E5 == (int32_t)-(int32_t)0x4D3C2B1B) &&
+        ((int32_t)(uint64_t)0xA123B456C789D012ULL == (int32_t)-(int32_t)0x38762FEE) &&
+        ((int32_t)(int64_t)(uint64_t)0xC1D2E3F4A5B6C7D8ULL == (int32_t)(uint32_t)0xA5B6C7D8) &&
+        ((int32_t)(int64_t)(uint64_t)0xABCDEF0123456789ULL == (int32_t)(uint32_t)0x23456789) &&
+
+        /* To int64_t. */
+        ((int64_t)(uint64_t)0xB123C456D789E012ULL == (int64_t)-(int64_t)0x4EDC3BA928761FEEULL) &&
+#if defined(SECP256K1_WIDEMUL_INT128)
+        ((int64_t)(((uint128_t)0xA1234567B8901234ULL << 64) + 0xC5678901D2345678ULL) == (int64_t)-(int64_t)0x3A9876FE2DCBA988ULL) &&
+        (((int64_t)(int128_t)(((uint128_t)0xB1C2D3E4F5A6B7C8ULL << 64) + 0xD9E0F1A2B3C4D5E6ULL)) == (int64_t)(uint64_t)0xD9E0F1A2B3C4D5E6ULL) &&
+        (((int64_t)(int128_t)(((uint128_t)0xABCDEF0123456789ULL << 64) + 0x0123456789ABCDEFULL)) == (int64_t)(uint64_t)0x0123456789ABCDEFULL) &&
+
+        /* To int128_t. */
+        ((int128_t)(((uint128_t)0xB1234567C8901234ULL << 64) + 0xD5678901E2345678ULL) == (int128_t)(-(int128_t)0x8E1648B3F50E80DCULL * 0x8E1648B3F50E80DDULL + 0x5EA688D5482F9464ULL)) &&
+#endif
+
+        /* Right shift on negative signed values is implementation defined. Verify that it
+           acts as a right shift in two's complement with sign extension (i.e duplicating
+           the top bit into newly added bits). */
+        ((((int8_t)0xE8) >> 2) == (int8_t)(uint8_t)0xFA) &&
+        ((((int16_t)0xE9AC) >> 4) == (int16_t)(uint16_t)0xFE9A) &&
+        ((((int32_t)0x937C918A) >> 9) == (int32_t)(uint32_t)0xFFC9BE48) &&
+        ((((int64_t)0xA8B72231DF9CF4B9ULL) >> 19) == (int64_t)(uint64_t)0xFFFFF516E4463BF3ULL) &&
+#if defined(SECP256K1_WIDEMUL_INT128)
+        ((((int128_t)(((uint128_t)0xCD833A65684A0DBCULL << 64) + 0xB349312F71EA7637ULL)) >> 39) == (int128_t)(((uint128_t)0xFFFFFFFFFF9B0674ULL << 64) + 0xCAD0941B79669262ULL)) &&
+#endif
+    1) * 2 - 1];
+};
+
+#endif /* SECP256K1_ASSUMPTIONS_H */
--- a/src/basic-config.h
+++ b/src/basic-config.h
@@ -11,25 +11,22 @@

 #undef USE_ASM_X86_64
 #undef USE_ECMULT_STATIC_PRECOMPUTATION
-#undef USE_ENDOMORPHISM
 #undef USE_EXTERNAL_ASM
 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
-#undef USE_FIELD_10X26
-#undef USE_FIELD_5X52
 #undef USE_FIELD_INV_BUILTIN
 #undef USE_FIELD_INV_NUM
 #undef USE_NUM_GMP
 #undef USE_NUM_NONE
-#undef USE_SCALAR_4X64
-#undef USE_SCALAR_8X32
 #undef USE_SCALAR_INV_BUILTIN
 #undef USE_SCALAR_INV_NUM
+#undef USE_FORCE_WIDEMUL_INT64
+#undef USE_FORCE_WIDEMUL_INT128
+#undef ECMULT_WINDOW_SIZE

 #define USE_NUM_NONE 1
 #define USE_FIELD_INV_BUILTIN 1
 #define USE_SCALAR_INV_BUILTIN 1
-#define USE_FIELD_10X26 1
-#define USE_SCALAR_8X32 1
+#define USE_WIDEMUL_64 1
 #define ECMULT_WINDOW_SIZE 15

 #endif /* USE_BASIC_CONFIG */
--- a/src/bench.h
+++ b/src/bench.h
@@ -7,45 +7,87 @@
 #ifndef SECP256K1_BENCH_H
 #define SECP256K1_BENCH_H

+#include <stdint.h>
 #include <stdio.h>
 #include <string.h>
-#include <math.h>
 #include "sys/time.h"

-static double gettimedouble(void) {
+static int64_t gettime_i64(void) {
    struct timeval tv;
    gettimeofday(&tv, NULL);
-    return tv.tv_usec * 0.000001 + tv.tv_sec;
+    return (int64_t)tv.tv_usec + (int64_t)tv.tv_sec * 1000000LL;
 }

-void print_number(double x) {
-    double y = x;
-    int c = 0;
-    if (y < 0.0) {
-        y = -y;
+#define FP_EXP (6)
+#define FP_MULT (1000000LL)
+
+/* Format fixed point number. */
+void print_number(const int64_t x) {
+    int64_t x_abs, y;
+    int c, i, rounding;
+    size_t ptr;
+    char buffer[30];
+
+    if (x == INT64_MIN) {
+        /* Prevent UB. */
+        printf("ERR");
+        return;
    }
-    while (y > 0 && y < 100.0) {
-        y *= 10.0;
+    x_abs = x < 0 ? -x : x;
+
+    /* Determine how many decimals we want to show (more than FP_EXP makes no
+     * sense). */
+    y = x_abs;
+    c = 0;
+    while (y > 0LL && y < 100LL * FP_MULT && c < FP_EXP) {
+        y *= 10LL;
        c++;
    }
-    printf("%.*f", c, x);
+
+    /* Round to 'c' decimals. */
+    y = x_abs;
+    rounding = 0;
+    for (i = c; i < FP_EXP; ++i) {
+        rounding = (y % 10) >= 5;
+        y /= 10;
+    }
+    y += rounding;
+
+    /* Format and print the number. */
+    ptr = sizeof(buffer) - 1;
+    buffer[ptr] = 0;
+    if (c != 0) {
+        for (i = 0; i < c; ++i) {
+            buffer[--ptr] = '0' + (y % 10);
+            y /= 10;
+        }
+        buffer[--ptr] = '.';
+    }
+    do {
+        buffer[--ptr] = '0' + (y % 10);
+        y /= 10;
+    } while (y != 0);
+    if (x < 0) {
+        buffer[--ptr] = '-';
+    }
+    printf("%s", &buffer[ptr]);
 }

-void run_benchmark(char *name, void (*benchmark)(void*), void (*setup)(void*), void (*teardown)(void*), void* data, int count, int iter) {
+void run_benchmark(char *name, void (*benchmark)(void*, int), void (*setup)(void*), void (*teardown)(void*, int), void* data, int count, int iter) {
    int i;
-    double min = HUGE_VAL;
-    double sum = 0.0;
-    double max = 0.0;
+    int64_t min = INT64_MAX;
+    int64_t sum = 0;
+    int64_t max = 0;
    for (i = 0; i < count; i++) {
-        double begin, total;
+        int64_t begin, total;
        if (setup != NULL) {
            setup(data);
        }
-        begin = gettimedouble();
-        benchmark(data);
-        total = gettimedouble() - begin;
+        begin = gettime_i64();
+        benchmark(data, iter);
+        total = gettime_i64() - begin;
        if (teardown != NULL) {
-            teardown(data);
+            teardown(data, iter);
        }
        if (total < min) {
            min = total;
@@ -56,11 +98,11 @@ void run_benchmark(char *name, void (*benchmark)(void*), void (*setup)(void*), v
        sum += total;
    }
    printf("%s: min ", name);
-    print_number(min * 1000000.0 / iter);
+    print_number(min * FP_MULT / iter);
    printf("us / avg ");
-    print_number((sum / count) * 1000000.0 / iter);
+    print_number(((sum * FP_MULT) / count) / iter);
    printf("us / max ");
-    print_number(max * 1000000.0 / iter);
+    print_number(max * FP_MULT / iter);
    printf("us\n");
 }

@@ -79,4 +121,13 @@ int have_flag(int argc, char** argv, char *flag) {
    return 0;
 }

+int get_iters(int default_iters) {
+    char* env = getenv("SECP256K1_BENCH_ITERS");
+    if (env) {
+        return strtol(env, NULL, 0);
+    } else {
+        return default_iters;
+    }
+}
+
 #endif /* SECP256K1_BENCH_H */
--- a/src/bench_ecdh.c
+++ b/src/bench_ecdh.c
@@ -28,20 +28,18 @@ static void bench_ecdh_setup(void* arg) {
        0xa2, 0xba, 0xd1, 0x84, 0xf8, 0x83, 0xc6, 0x9f
    };

-    /* create a context with no capabilities */
-    data->ctx = secp256k1_context_create(SECP256K1_FLAGS_TYPE_CONTEXT);
    for (i = 0; i < 32; i++) {
        data->scalar[i] = i + 1;
    }
    CHECK(secp256k1_ec_pubkey_parse(data->ctx, &data->point, point, sizeof(point)) == 1);
 }

-static void bench_ecdh(void* arg) {
+static void bench_ecdh(void* arg, int iters) {
    int i;
    unsigned char res[32];
    bench_ecdh_data *data = (bench_ecdh_data*)arg;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        CHECK(secp256k1_ecdh(data->ctx, res, &data->point, data->scalar, NULL, NULL) == 1);
    }
 }
@@ -49,6 +47,13 @@ static void bench_ecdh(void* arg) {
 int main(void) {
    bench_ecdh_data data;

-    run_benchmark("ecdh", bench_ecdh, bench_ecdh_setup, NULL, &data, 10, 20000);
+    int iters = get_iters(20000);
+
+    /* create a context with no capabilities */
+    data.ctx = secp256k1_context_create(SECP256K1_FLAGS_TYPE_CONTEXT);
+
+    run_benchmark("ecdh", bench_ecdh, bench_ecdh_setup, NULL, &data, 10, iters);
+
+    secp256k1_context_destroy(data.ctx);
    return 0;
 }
--- a/src/bench_ecmult.c
+++ b/src/bench_ecmult.c
@@ -18,7 +18,6 @@
 #include "secp256k1.c"

 #define POINTS 32768
-#define ITERS 10000

 typedef struct {
    /* Setup once in advance */
@@ -55,13 +54,13 @@ static int bench_callback(secp256k1_scalar* sc, secp256k1_ge* ge, size_t idx, vo
    return 1;
 }

-static void bench_ecmult(void* arg) {
+static void bench_ecmult(void* arg, int iters) {
    bench_data* data = (bench_data*)arg;

-    size_t count = data->count;
    int includes_g = data->includes_g;
-    size_t iters = 1 + ITERS / count;
-    size_t iter;
+    int iter;
+    int count = data->count;
+    iters = iters / data->count;

    for (iter = 0; iter < iters; ++iter) {
        data->ecmult_multi(&data->ctx->error_callback, &data->ctx->ecmult_ctx, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_callback, arg, count - includes_g);
@@ -76,10 +75,10 @@ static void bench_ecmult_setup(void* arg) {
    data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS;
 }

-static void bench_ecmult_teardown(void* arg) {
+static void bench_ecmult_teardown(void* arg, int iters) {
    bench_data* data = (bench_data*)arg;
-    size_t iters = 1 + ITERS / data->count;
-    size_t iter;
+    int iter;
+    iters = iters / data->count;
    /* Verify the results in teardown, to avoid doing comparisons while benchmarking. */
    for (iter = 0; iter < iters; ++iter) {
        secp256k1_gej tmp;
@@ -104,10 +103,10 @@ static void generate_scalar(uint32_t num, secp256k1_scalar* scalar) {
    CHECK(!overflow);
 }

-static void run_test(bench_data* data, size_t count, int includes_g) {
+static void run_test(bench_data* data, size_t count, int includes_g, int num_iters) {
    char str[32];
    static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
-    size_t iters = 1 + ITERS / count;
+    size_t iters = 1 + num_iters / count;
    size_t iter;

    data->count = count;
@@ -130,7 +129,7 @@ static void run_test(bench_data* data, size_t count, int includes_g) {

    /* Run the benchmark. */
    sprintf(str, includes_g ? "ecmult_%ig" : "ecmult_%i", (int)count);
-    run_benchmark(str, bench_ecmult, bench_ecmult_setup, bench_ecmult_teardown, data, 10, count * (1 + ITERS / count));
+    run_benchmark(str, bench_ecmult, bench_ecmult_setup, bench_ecmult_teardown, data, 10, count * iters);
 }

 int main(int argc, char **argv) {
@@ -139,6 +138,8 @@ int main(int argc, char **argv) {
    secp256k1_gej* pubkeys_gej;
    size_t scratch_size;

+    int iters = get_iters(10000);
+
    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
    scratch_size = secp256k1_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16;
    data.scratch = secp256k1_scratch_space_create(data.ctx, scratch_size);
@@ -167,8 +168,8 @@ int main(int argc, char **argv) {
    data.scalars = malloc(sizeof(secp256k1_scalar) * POINTS);
    data.seckeys = malloc(sizeof(secp256k1_scalar) * POINTS);
    data.pubkeys = malloc(sizeof(secp256k1_ge) * POINTS);
-    data.expected_output = malloc(sizeof(secp256k1_gej) * (ITERS + 1));
-    data.output = malloc(sizeof(secp256k1_gej) * (ITERS + 1));
+    data.expected_output = malloc(sizeof(secp256k1_gej) * (iters + 1));
+    data.output = malloc(sizeof(secp256k1_gej) * (iters + 1));

    /* Generate a set of scalars, and private/public keypairs. */
    pubkeys_gej = malloc(sizeof(secp256k1_gej) * POINTS);
@@ -185,14 +186,20 @@ int main(int argc, char **argv) {
    free(pubkeys_gej);

    for (i = 1; i <= 8; ++i) {
-        run_test(&data, i, 1);
+        run_test(&data, i, 1, iters);
    }

-    for (p = 0; p <= 11; ++p) {
-        for (i = 9; i <= 16; ++i) {
-            run_test(&data, i << p, 1);
+    /* This is disabled with low count of iterations because the loop runs 77 times even with iters=1
+    * and the higher it goes the longer the computation takes(more points)
+    * So we don't run this benchmark with low iterations to prevent slow down */
+     if (iters > 2) {
+        for (p = 0; p <= 11; ++p) {
+            for (i = 9; i <= 16; ++i) {
+                run_test(&data, i << p, 1, iters);
+            }
        }
    }
+
    if (data.scratch != NULL) {
        secp256k1_scratch_space_destroy(data.ctx, data.scratch);
    }
--- a/src/bench_generator.c
+++ b/src/bench_generator.c
@@ -23,22 +23,22 @@ static void bench_generator_setup(void* arg) {
    memset(data->blind, 0x13, 32);
 }

-static void bench_generator_generate(void* arg) {
+static void bench_generator_generate(void* arg, int iters) {
    int i;
    bench_generator_t *data = (bench_generator_t*)arg;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_generator gen;
        CHECK(secp256k1_generator_generate(data->ctx, &gen, data->key));
        data->key[i & 31]++;
    }
 }

-static void bench_generator_generate_blinded(void* arg) {
+static void bench_generator_generate_blinded(void* arg, int iters) {
    int i;
    bench_generator_t *data = (bench_generator_t*)arg;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_generator gen;
        CHECK(secp256k1_generator_generate_blinded(data->ctx, &gen, data->key, data->blind));
        data->key[1 + (i & 30)]++;
@@ -48,11 +48,12 @@ static void bench_generator_generate_blinded(void* arg) {

 int main(void) {
    bench_generator_t data;
+    int iters = get_iters(20000);

    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);

-    run_benchmark("generator_generate", bench_generator_generate, bench_generator_setup, NULL, &data, 10, 20000);
-    run_benchmark("generator_generate_blinded", bench_generator_generate_blinded, bench_generator_setup, NULL, &data, 10, 20000);
+    run_benchmark("generator_generate", bench_generator_generate, bench_generator_setup, NULL, &data, 10, iters);
+    run_benchmark("generator_generate_blinded", bench_generator_generate_blinded, bench_generator_setup, NULL, &data, 10, iters);

    secp256k1_context_destroy(data.ctx);
    return 0;
--- a/src/bench_internal.c
+++ b/src/bench_internal.c
@@ -7,6 +7,7 @@

 #include "include/secp256k1.h"

+#include "assumptions.h"
 #include "util.h"
 #include "hash_impl.h"
 #include "num_impl.h"
@@ -19,10 +20,10 @@
 #include "secp256k1.c"

 typedef struct {
-    secp256k1_scalar scalar_x, scalar_y;
-    secp256k1_fe fe_x, fe_y;
-    secp256k1_ge ge_x, ge_y;
-    secp256k1_gej gej_x, gej_y;
+    secp256k1_scalar scalar[2];
+    secp256k1_fe fe[4];
+    secp256k1_ge ge[2];
+    secp256k1_gej gej[2];
    unsigned char data[64];
    int wnaf[256];
 } bench_inv;
@@ -30,340 +31,401 @@ typedef struct {
 void bench_setup(void* arg) {
    bench_inv *data = (bench_inv*)arg;

-    static const unsigned char init_x[32] = {
-        0x02, 0x03, 0x05, 0x07, 0x0b, 0x0d, 0x11, 0x13,
-        0x17, 0x1d, 0x1f, 0x25, 0x29, 0x2b, 0x2f, 0x35,
-        0x3b, 0x3d, 0x43, 0x47, 0x49, 0x4f, 0x53, 0x59,
-        0x61, 0x65, 0x67, 0x6b, 0x6d, 0x71, 0x7f, 0x83
+    static const unsigned char init[4][32] = {
+        /* Initializer for scalar[0], fe[0], first half of data, the X coordinate of ge[0],
+           and the (implied affine) X coordinate of gej[0]. */
+        {
+            0x02, 0x03, 0x05, 0x07, 0x0b, 0x0d, 0x11, 0x13,
+            0x17, 0x1d, 0x1f, 0x25, 0x29, 0x2b, 0x2f, 0x35,
+            0x3b, 0x3d, 0x43, 0x47, 0x49, 0x4f, 0x53, 0x59,
+            0x61, 0x65, 0x67, 0x6b, 0x6d, 0x71, 0x7f, 0x83
+        },
+        /* Initializer for scalar[1], fe[1], first half of data, the X coordinate of ge[1],
+           and the (implied affine) X coordinate of gej[1]. */
+        {
+            0x82, 0x83, 0x85, 0x87, 0x8b, 0x8d, 0x81, 0x83,
+            0x97, 0xad, 0xaf, 0xb5, 0xb9, 0xbb, 0xbf, 0xc5,
+            0xdb, 0xdd, 0xe3, 0xe7, 0xe9, 0xef, 0xf3, 0xf9,
+            0x11, 0x15, 0x17, 0x1b, 0x1d, 0xb1, 0xbf, 0xd3
+        },
+        /* Initializer for fe[2] and the Z coordinate of gej[0]. */
+        {
+            0x3d, 0x2d, 0xef, 0xf4, 0x25, 0x98, 0x4f, 0x5d,
+            0xe2, 0xca, 0x5f, 0x41, 0x3f, 0x3f, 0xce, 0x44,
+            0xaa, 0x2c, 0x53, 0x8a, 0xc6, 0x59, 0x1f, 0x38,
+            0x38, 0x23, 0xe4, 0x11, 0x27, 0xc6, 0xa0, 0xe7
+        },
+        /* Initializer for fe[3] and the Z coordinate of gej[1]. */
+        {
+            0xbd, 0x21, 0xa5, 0xe1, 0x13, 0x50, 0x73, 0x2e,
+            0x52, 0x98, 0xc8, 0x9e, 0xab, 0x00, 0xa2, 0x68,
+            0x43, 0xf5, 0xd7, 0x49, 0x80, 0x72, 0xa7, 0xf3,
+            0xd7, 0x60, 0xe6, 0xab, 0x90, 0x92, 0xdf, 0xc5
+        }
    };

-    static const unsigned char init_y[32] = {
-        0x82, 0x83, 0x85, 0x87, 0x8b, 0x8d, 0x81, 0x83,
-        0x97, 0xad, 0xaf, 0xb5, 0xb9, 0xbb, 0xbf, 0xc5,
-        0xdb, 0xdd, 0xe3, 0xe7, 0xe9, 0xef, 0xf3, 0xf9,
-        0x11, 0x15, 0x17, 0x1b, 0x1d, 0xb1, 0xbf, 0xd3
-    };
-
-    secp256k1_scalar_set_b32(&data->scalar_x, init_x, NULL);
-    secp256k1_scalar_set_b32(&data->scalar_y, init_y, NULL);
-    secp256k1_fe_set_b32(&data->fe_x, init_x);
-    secp256k1_fe_set_b32(&data->fe_y, init_y);
-    CHECK(secp256k1_ge_set_xo_var(&data->ge_x, &data->fe_x, 0));
-    CHECK(secp256k1_ge_set_xo_var(&data->ge_y, &data->fe_y, 1));
-    secp256k1_gej_set_ge(&data->gej_x, &data->ge_x);
-    secp256k1_gej_set_ge(&data->gej_y, &data->ge_y);
-    memcpy(data->data, init_x, 32);
-    memcpy(data->data + 32, init_y, 32);
+    secp256k1_scalar_set_b32(&data->scalar[0], init[0], NULL);
+    secp256k1_scalar_set_b32(&data->scalar[1], init[1], NULL);
+    secp256k1_fe_set_b32(&data->fe[0], init[0]);
+    secp256k1_fe_set_b32(&data->fe[1], init[1]);
+    secp256k1_fe_set_b32(&data->fe[2], init[2]);
+    secp256k1_fe_set_b32(&data->fe[3], init[3]);
+    CHECK(secp256k1_ge_set_xo_var(&data->ge[0], &data->fe[0], 0));
+    CHECK(secp256k1_ge_set_xo_var(&data->ge[1], &data->fe[1], 1));
+    secp256k1_gej_set_ge(&data->gej[0], &data->ge[0]);
+    secp256k1_gej_rescale(&data->gej[0], &data->fe[2]);
+    secp256k1_gej_set_ge(&data->gej[1], &data->ge[1]);
+    secp256k1_gej_rescale(&data->gej[1], &data->fe[3]);
+    memcpy(data->data, init[0], 32);
+    memcpy(data->data + 32, init[1], 32);
 }

-void bench_scalar_add(void* arg) {
+void bench_scalar_add(void* arg, int iters) {
+    int i, j = 0;
+    bench_inv *data = (bench_inv*)arg;
+
+    for (i = 0; i < iters; i++) {
+        j += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
+    }
+    CHECK(j <= iters);
+}
+
+void bench_scalar_negate(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 2000000; i++) {
-        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        secp256k1_scalar_negate(&data->scalar[0], &data->scalar[0]);
    }
 }

-void bench_scalar_negate(void* arg) {
+void bench_scalar_sqr(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 2000000; i++) {
-        secp256k1_scalar_negate(&data->scalar_x, &data->scalar_x);
+    for (i = 0; i < iters; i++) {
+        secp256k1_scalar_sqr(&data->scalar[0], &data->scalar[0]);
    }
 }

-void bench_scalar_sqr(void* arg) {
+void bench_scalar_mul(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 200000; i++) {
-        secp256k1_scalar_sqr(&data->scalar_x, &data->scalar_x);
+    for (i = 0; i < iters; i++) {
+        secp256k1_scalar_mul(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
    }
 }

-void bench_scalar_mul(void* arg) {
+void bench_scalar_split(void* arg, int iters) {
+    int i, j = 0;
+    bench_inv *data = (bench_inv*)arg;
+
+    for (i = 0; i < iters; i++) {
+        secp256k1_scalar_split_lambda(&data->scalar[0], &data->scalar[1], &data->scalar[0]);
+        j += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
+    }
+    CHECK(j <= iters);
+}
+
+void bench_scalar_inverse(void* arg, int iters) {
+    int i, j = 0;
+    bench_inv *data = (bench_inv*)arg;
+
+    for (i = 0; i < iters; i++) {
+        secp256k1_scalar_inverse(&data->scalar[0], &data->scalar[0]);
+        j += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
+    }
+    CHECK(j <= iters);
+}
+
+void bench_scalar_inverse_var(void* arg, int iters) {
+    int i, j = 0;
+    bench_inv *data = (bench_inv*)arg;
+
+    for (i = 0; i < iters; i++) {
+        secp256k1_scalar_inverse_var(&data->scalar[0], &data->scalar[0]);
+        j += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
+    }
+    CHECK(j <= iters);
+}
+
+void bench_field_normalize(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 200000; i++) {
-        secp256k1_scalar_mul(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        secp256k1_fe_normalize(&data->fe[0]);
    }
 }

-#ifdef USE_ENDOMORPHISM
-void bench_scalar_split(void* arg) {
+void bench_field_normalize_weak(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 20000; i++) {
-        secp256k1_scalar l, r;
-        secp256k1_scalar_split_lambda(&l, &r, &data->scalar_x);
-        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        secp256k1_fe_normalize_weak(&data->fe[0]);
    }
 }
-#endif

-void bench_scalar_inverse(void* arg) {
+void bench_field_mul(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 2000; i++) {
-        secp256k1_scalar_inverse(&data->scalar_x, &data->scalar_x);
-        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        secp256k1_fe_mul(&data->fe[0], &data->fe[0], &data->fe[1]);
    }
 }

-void bench_scalar_inverse_var(void* arg) {
+void bench_field_sqr(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 2000; i++) {
-        secp256k1_scalar_inverse_var(&data->scalar_x, &data->scalar_x);
-        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        secp256k1_fe_sqr(&data->fe[0], &data->fe[0]);
    }
 }

-void bench_field_normalize(void* arg) {
+void bench_field_inverse(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 2000000; i++) {
-        secp256k1_fe_normalize(&data->fe_x);
+    for (i = 0; i < iters; i++) {
+        secp256k1_fe_inv(&data->fe[0], &data->fe[0]);
+        secp256k1_fe_add(&data->fe[0], &data->fe[1]);
    }
 }

-void bench_field_normalize_weak(void* arg) {
+void bench_field_inverse_var(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 2000000; i++) {
-        secp256k1_fe_normalize_weak(&data->fe_x);
+    for (i = 0; i < iters; i++) {
+        secp256k1_fe_inv_var(&data->fe[0], &data->fe[0]);
+        secp256k1_fe_add(&data->fe[0], &data->fe[1]);
    }
 }

-void bench_field_mul(void* arg) {
-    int i;
-    bench_inv *data = (bench_inv*)arg;
-
-    for (i = 0; i < 200000; i++) {
-        secp256k1_fe_mul(&data->fe_x, &data->fe_x, &data->fe_y);
-    }
-}
-
-void bench_field_sqr(void* arg) {
-    int i;
-    bench_inv *data = (bench_inv*)arg;
-
-    for (i = 0; i < 200000; i++) {
-        secp256k1_fe_sqr(&data->fe_x, &data->fe_x);
-    }
-}
-
-void bench_field_inverse(void* arg) {
-    int i;
-    bench_inv *data = (bench_inv*)arg;
-
-    for (i = 0; i < 20000; i++) {
-        secp256k1_fe_inv(&data->fe_x, &data->fe_x);
-        secp256k1_fe_add(&data->fe_x, &data->fe_y);
-    }
-}
-
-void bench_field_inverse_var(void* arg) {
-    int i;
-    bench_inv *data = (bench_inv*)arg;
-
-    for (i = 0; i < 20000; i++) {
-        secp256k1_fe_inv_var(&data->fe_x, &data->fe_x);
-        secp256k1_fe_add(&data->fe_x, &data->fe_y);
-    }
-}
-
-void bench_field_sqrt(void* arg) {
-    int i;
+void bench_field_sqrt(void* arg, int iters) {
+    int i, j = 0;
    bench_inv *data = (bench_inv*)arg;
    secp256k1_fe t;

-    for (i = 0; i < 20000; i++) {
-        t = data->fe_x;
-        secp256k1_fe_sqrt(&data->fe_x, &t);
-        secp256k1_fe_add(&data->fe_x, &data->fe_y);
+    for (i = 0; i < iters; i++) {
+        t = data->fe[0];
+        j += secp256k1_fe_sqrt(&data->fe[0], &t);
+        secp256k1_fe_add(&data->fe[0], &data->fe[1]);
    }
+    CHECK(j <= iters);
 }

-void bench_group_double_var(void* arg) {
+void bench_group_double_var(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 200000; i++) {
-        secp256k1_gej_double_var(&data->gej_x, &data->gej_x, NULL);
+    for (i = 0; i < iters; i++) {
+        secp256k1_gej_double_var(&data->gej[0], &data->gej[0], NULL);
    }
 }

-void bench_group_add_var(void* arg) {
+void bench_group_add_var(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 200000; i++) {
-        secp256k1_gej_add_var(&data->gej_x, &data->gej_x, &data->gej_y, NULL);
+    for (i = 0; i < iters; i++) {
+        secp256k1_gej_add_var(&data->gej[0], &data->gej[0], &data->gej[1], NULL);
    }
 }

-void bench_group_add_affine(void* arg) {
+void bench_group_add_affine(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 200000; i++) {
-        secp256k1_gej_add_ge(&data->gej_x, &data->gej_x, &data->ge_y);
+    for (i = 0; i < iters; i++) {
+        secp256k1_gej_add_ge(&data->gej[0], &data->gej[0], &data->ge[1]);
    }
 }

-void bench_group_add_affine_var(void* arg) {
+void bench_group_add_affine_var(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 200000; i++) {
-        secp256k1_gej_add_ge_var(&data->gej_x, &data->gej_x, &data->ge_y, NULL);
+    for (i = 0; i < iters; i++) {
+        secp256k1_gej_add_ge_var(&data->gej[0], &data->gej[0], &data->ge[1], NULL);
    }
 }

-void bench_group_jacobi_var(void* arg) {
+void bench_group_jacobi_var(void* arg, int iters) {
+    int i, j = 0;
+    bench_inv *data = (bench_inv*)arg;
+
+    for (i = 0; i < iters; i++) {
+        j += secp256k1_gej_has_quad_y_var(&data->gej[0]);
+        /* Vary the Y and Z coordinates of the input (the X coordinate doesn't matter to
+           secp256k1_gej_has_quad_y_var). Note that the resulting coordinates will
+           generally not correspond to a point on the curve, but this is not a problem
+           for the code being benchmarked here. Adding and normalizing have less
+           overhead than EC operations (which could guarantee the point remains on the
+           curve). */
+        secp256k1_fe_add(&data->gej[0].y, &data->fe[1]);
+        secp256k1_fe_add(&data->gej[0].z, &data->fe[2]);
+        secp256k1_fe_normalize_var(&data->gej[0].y);
+        secp256k1_fe_normalize_var(&data->gej[0].z);
+    }
+    CHECK(j <= iters);
+}
+
+void bench_group_to_affine_var(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 20000; i++) {
-        secp256k1_gej_has_quad_y_var(&data->gej_x);
+    for (i = 0; i < iters; ++i) {
+        secp256k1_ge_set_gej_var(&data->ge[1], &data->gej[0]);
+        /* Use the output affine X/Y coordinates to vary the input X/Y/Z coordinates.
+           Similar to bench_group_jacobi_var, this approach does not result in
+           coordinates of points on the curve. */
+        secp256k1_fe_add(&data->gej[0].x, &data->ge[1].y);
+        secp256k1_fe_add(&data->gej[0].y, &data->fe[2]);
+        secp256k1_fe_add(&data->gej[0].z, &data->ge[1].x);
+        secp256k1_fe_normalize_var(&data->gej[0].x);
+        secp256k1_fe_normalize_var(&data->gej[0].y);
+        secp256k1_fe_normalize_var(&data->gej[0].z);
    }
 }

-void bench_ecmult_wnaf(void* arg) {
-    int i;
+void bench_ecmult_wnaf(void* arg, int iters) {
+    int i, bits = 0, overflow = 0;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 20000; i++) {
-        secp256k1_ecmult_wnaf(data->wnaf, 256, &data->scalar_x, WINDOW_A);
-        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        bits += secp256k1_ecmult_wnaf(data->wnaf, 256, &data->scalar[0], WINDOW_A);
+        overflow += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
    }
+    CHECK(overflow >= 0);
+    CHECK(bits <= 256*iters);
 }

-void bench_wnaf_const(void* arg) {
-    int i;
+void bench_wnaf_const(void* arg, int iters) {
+    int i, bits = 0, overflow = 0;
    bench_inv *data = (bench_inv*)arg;

-    for (i = 0; i < 20000; i++) {
-        secp256k1_wnaf_const(data->wnaf, &data->scalar_x, WINDOW_A, 256);
-        secp256k1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y);
+    for (i = 0; i < iters; i++) {
+        bits += secp256k1_wnaf_const(data->wnaf, &data->scalar[0], WINDOW_A, 256);
+        overflow += secp256k1_scalar_add(&data->scalar[0], &data->scalar[0], &data->scalar[1]);
    }
+    CHECK(overflow >= 0);
+    CHECK(bits <= 256*iters);
 }


-void bench_sha256(void* arg) {
+void bench_sha256(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;
    secp256k1_sha256 sha;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_sha256_initialize(&sha);
        secp256k1_sha256_write(&sha, data->data, 32);
        secp256k1_sha256_finalize(&sha, data->data);
    }
 }

-void bench_hmac_sha256(void* arg) {
+void bench_hmac_sha256(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;
    secp256k1_hmac_sha256 hmac;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_hmac_sha256_initialize(&hmac, data->data, 32);
        secp256k1_hmac_sha256_write(&hmac, data->data, 32);
        secp256k1_hmac_sha256_finalize(&hmac, data->data);
    }
 }

-void bench_rfc6979_hmac_sha256(void* arg) {
+void bench_rfc6979_hmac_sha256(void* arg, int iters) {
    int i;
    bench_inv *data = (bench_inv*)arg;
    secp256k1_rfc6979_hmac_sha256 rng;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_rfc6979_hmac_sha256_initialize(&rng, data->data, 64);
        secp256k1_rfc6979_hmac_sha256_generate(&rng, data->data, 32);
    }
 }

-void bench_context_verify(void* arg) {
+void bench_context_verify(void* arg, int iters) {
    int i;
    (void)arg;
-    for (i = 0; i < 20; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_context_destroy(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY));
    }
 }

-void bench_context_sign(void* arg) {
+void bench_context_sign(void* arg, int iters) {
    int i;
    (void)arg;
-    for (i = 0; i < 200; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_context_destroy(secp256k1_context_create(SECP256K1_CONTEXT_SIGN));
    }
 }

 #ifndef USE_NUM_NONE
-void bench_num_jacobi(void* arg) {
-    int i;
+void bench_num_jacobi(void* arg, int iters) {
+    int i, j = 0;
    bench_inv *data = (bench_inv*)arg;
-    secp256k1_num nx, norder;
+    secp256k1_num nx, na, norder;

-    secp256k1_scalar_get_num(&nx, &data->scalar_x);
+    secp256k1_scalar_get_num(&nx, &data->scalar[0]);
    secp256k1_scalar_order_get_num(&norder);
-    secp256k1_scalar_get_num(&norder, &data->scalar_y);
+    secp256k1_scalar_get_num(&na, &data->scalar[1]);

-    for (i = 0; i < 200000; i++) {
-        secp256k1_num_jacobi(&nx, &norder);
+    for (i = 0; i < iters; i++) {
+        j += secp256k1_num_jacobi(&nx, &norder);
+        secp256k1_num_add(&nx, &nx, &na);
    }
+    CHECK(j <= iters);
 }
 #endif

 int main(int argc, char **argv) {
    bench_inv data;
-    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "add")) run_benchmark("scalar_add", bench_scalar_add, bench_setup, NULL, &data, 10, 2000000);
-    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "negate")) run_benchmark("scalar_negate", bench_scalar_negate, bench_setup, NULL, &data, 10, 2000000);
-    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "sqr")) run_benchmark("scalar_sqr", bench_scalar_sqr, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "mul")) run_benchmark("scalar_mul", bench_scalar_mul, bench_setup, NULL, &data, 10, 200000);
-#ifdef USE_ENDOMORPHISM
-    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "split")) run_benchmark("scalar_split", bench_scalar_split, bench_setup, NULL, &data, 10, 20000);
-#endif
+    int iters = get_iters(20000);
+
+    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "add")) run_benchmark("scalar_add", bench_scalar_add, bench_setup, NULL, &data, 10, iters*100);
+    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "negate")) run_benchmark("scalar_negate", bench_scalar_negate, bench_setup, NULL, &data, 10, iters*100);
+    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "sqr")) run_benchmark("scalar_sqr", bench_scalar_sqr, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "mul")) run_benchmark("scalar_mul", bench_scalar_mul, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "split")) run_benchmark("scalar_split", bench_scalar_split, bench_setup, NULL, &data, 10, iters);
    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse", bench_scalar_inverse, bench_setup, NULL, &data, 10, 2000);
    if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse_var", bench_scalar_inverse_var, bench_setup, NULL, &data, 10, 2000);

-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize", bench_field_normalize, bench_setup, NULL, &data, 10, 2000000);
-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize_weak", bench_field_normalize_weak, bench_setup, NULL, &data, 10, 2000000);
-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqr")) run_benchmark("field_sqr", bench_field_sqr, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "mul")) run_benchmark("field_mul", bench_field_mul, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse", bench_field_inverse, bench_setup, NULL, &data, 10, 20000);
-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse_var", bench_field_inverse_var, bench_setup, NULL, &data, 10, 20000);
-    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqrt")) run_benchmark("field_sqrt", bench_field_sqrt, bench_setup, NULL, &data, 10, 20000);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize", bench_field_normalize, bench_setup, NULL, &data, 10, iters*100);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize_weak", bench_field_normalize_weak, bench_setup, NULL, &data, 10, iters*100);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqr")) run_benchmark("field_sqr", bench_field_sqr, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "mul")) run_benchmark("field_mul", bench_field_mul, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse", bench_field_inverse, bench_setup, NULL, &data, 10, iters);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse_var", bench_field_inverse_var, bench_setup, NULL, &data, 10, iters);
+    if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqrt")) run_benchmark("field_sqrt", bench_field_sqrt, bench_setup, NULL, &data, 10, iters);

-    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "double")) run_benchmark("group_double_var", bench_group_double_var, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_var", bench_group_add_var, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine", bench_group_add_affine, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine_var", bench_group_add_affine_var, bench_setup, NULL, &data, 10, 200000);
-    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "jacobi")) run_benchmark("group_jacobi_var", bench_group_jacobi_var, bench_setup, NULL, &data, 10, 20000);
+    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "double")) run_benchmark("group_double_var", bench_group_double_var, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_var", bench_group_add_var, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine", bench_group_add_affine, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine_var", bench_group_add_affine_var, bench_setup, NULL, &data, 10, iters*10);
+    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "jacobi")) run_benchmark("group_jacobi_var", bench_group_jacobi_var, bench_setup, NULL, &data, 10, iters);
+    if (have_flag(argc, argv, "group") || have_flag(argc, argv, "to_affine")) run_benchmark("group_to_affine_var", bench_group_to_affine_var, bench_setup, NULL, &data, 10, iters);

-    if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("wnaf_const", bench_wnaf_const, bench_setup, NULL, &data, 10, 20000);
-    if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("ecmult_wnaf", bench_ecmult_wnaf, bench_setup, NULL, &data, 10, 20000);
+    if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("wnaf_const", bench_wnaf_const, bench_setup, NULL, &data, 10, iters);
+    if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("ecmult_wnaf", bench_ecmult_wnaf, bench_setup, NULL, &data, 10, iters);

-    if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "sha256")) run_benchmark("hash_sha256", bench_sha256, bench_setup, NULL, &data, 10, 20000);
-    if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "hmac")) run_benchmark("hash_hmac_sha256", bench_hmac_sha256, bench_setup, NULL, &data, 10, 20000);
-    if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "rng6979")) run_benchmark("hash_rfc6979_hmac_sha256", bench_rfc6979_hmac_sha256, bench_setup, NULL, &data, 10, 20000);
+    if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "sha256")) run_benchmark("hash_sha256", bench_sha256, bench_setup, NULL, &data, 10, iters);
+    if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "hmac")) run_benchmark("hash_hmac_sha256", bench_hmac_sha256, bench_setup, NULL, &data, 10, iters);
+    if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "rng6979")) run_benchmark("hash_rfc6979_hmac_sha256", bench_rfc6979_hmac_sha256, bench_setup, NULL, &data, 10, iters);

-    if (have_flag(argc, argv, "context") || have_flag(argc, argv, "verify")) run_benchmark("context_verify", bench_context_verify, bench_setup, NULL, &data, 10, 20);
-    if (have_flag(argc, argv, "context") || have_flag(argc, argv, "sign")) run_benchmark("context_sign", bench_context_sign, bench_setup, NULL, &data, 10, 200);
+    if (have_flag(argc, argv, "context") || have_flag(argc, argv, "verify")) run_benchmark("context_verify", bench_context_verify, bench_setup, NULL, &data, 10, 1 + iters/1000);
+    if (have_flag(argc, argv, "context") || have_flag(argc, argv, "sign")) run_benchmark("context_sign", bench_context_sign, bench_setup, NULL, &data, 10, 1 + iters/100);

 #ifndef USE_NUM_NONE
-    if (have_flag(argc, argv, "num") || have_flag(argc, argv, "jacobi")) run_benchmark("num_jacobi", bench_num_jacobi, bench_setup, NULL, &data, 10, 200000);
+    if (have_flag(argc, argv, "num") || have_flag(argc, argv, "jacobi")) run_benchmark("num_jacobi", bench_num_jacobi, bench_setup, NULL, &data, 10, iters*10);
 #endif
    return 0;
 }
--- a/src/bench_rangeproof.c
+++ b/src/bench_rangeproof.c
@@ -34,11 +34,11 @@ static void bench_rangeproof_setup(void* arg) {
    CHECK(secp256k1_rangeproof_verify(data->ctx, &minv, &maxv, &data->commit, data->proof, data->len, NULL, 0, secp256k1_generator_h));
 }

-static void bench_rangeproof(void* arg) {
+static void bench_rangeproof(void* arg, int iters) {
    int i;
    bench_rangeproof_t *data = (bench_rangeproof_t*)arg;

-    for (i = 0; i < 1000; i++) {
+    for (i = 0; i < iters/data->min_bits; i++) {
        int j;
        uint64_t minv;
        uint64_t maxv;
@@ -51,12 +51,14 @@ static void bench_rangeproof(void* arg) {

 int main(void) {
    bench_rangeproof_t data;
+    int iters;

    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);

    data.min_bits = 32;
+    iters = data.min_bits*get_iters(32);

-    run_benchmark("rangeproof_verify_bit", bench_rangeproof, bench_rangeproof_setup, NULL, &data, 10, 1000 * data.min_bits);
+    run_benchmark("rangeproof_verify_bit", bench_rangeproof, bench_rangeproof_setup, NULL, &data, 10, iters);

    secp256k1_context_destroy(data.ctx);
    return 0;
--- a/src/bench_recover.c
+++ b/src/bench_recover.c
@@ -15,13 +15,13 @@ typedef struct {
    unsigned char sig[64];
 } bench_recover_data;

-void bench_recover(void* arg) {
+void bench_recover(void* arg, int iters) {
    int i;
    bench_recover_data *data = (bench_recover_data*)arg;
    secp256k1_pubkey pubkey;
    unsigned char pubkeyc[33];

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        int j;
        size_t pubkeylen = 33;
        secp256k1_ecdsa_recoverable_signature sig;
@@ -51,9 +51,11 @@ void bench_recover_setup(void* arg) {
 int main(void) {
    bench_recover_data data;

+    int iters = get_iters(20000);
+
    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);

-    run_benchmark("ecdsa_recover", bench_recover, bench_recover_setup, NULL, &data, 10, 20000);
+    run_benchmark("ecdsa_recover", bench_recover, bench_recover_setup, NULL, &data, 10, iters);

    secp256k1_context_destroy(data.ctx);
    return 0;
--- a/src/bench_schnorrsig.c
+++ b/src/bench_schnorrsig.c
@@ -1,5 +1,5 @@
 /**********************************************************************
- * Copyright (c) 2018 Andrew Poelstra                                 *
+ * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick                *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/
@@ -7,86 +7,64 @@
 #include <string.h>
 #include <stdlib.h>

+
 #include "include/secp256k1.h"
 #include "include/secp256k1_schnorrsig.h"
 #include "util.h"
 #include "bench.h"

-#define MAX_SIGS	(32768)
-
 typedef struct {
    secp256k1_context *ctx;
-    secp256k1_scratch_space *scratch;
-    size_t n;
+    int n;
+
+    const secp256k1_keypair **keypairs;
    const unsigned char **pk;
-    const secp256k1_schnorrsig **sigs;
+    const unsigned char **sigs;
    const unsigned char **msgs;
 } bench_schnorrsig_data;

-void bench_schnorrsig_sign(void* arg) {
+void bench_schnorrsig_sign(void* arg, int iters) {
    bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg;
-    size_t i;
-    unsigned char sk[32] = "benchmarkexample secrettemplate";
+    int i;
    unsigned char msg[32] = "benchmarkexamplemessagetemplate";
-    secp256k1_schnorrsig sig;
+    unsigned char sig[64];

-    for (i = 0; i < 1000; i++) {
+    for (i = 0; i < iters; i++) {
        msg[0] = i;
        msg[1] = i >> 8;
-        sk[0] = i;
-        sk[1] = i >> 8;
-        CHECK(secp256k1_schnorrsig_sign(data->ctx, &sig, NULL, msg, sk, NULL, NULL));
+        CHECK(secp256k1_schnorrsig_sign(data->ctx, sig, msg, data->keypairs[i], NULL, NULL));
    }
 }

-void bench_schnorrsig_verify(void* arg) {
+void bench_schnorrsig_verify(void* arg, int iters) {
    bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg;
-    size_t i;
+    int i;

-    for (i = 0; i < 1000; i++) {
-        secp256k1_pubkey pk;
-        CHECK(secp256k1_ec_pubkey_parse(data->ctx, &pk, data->pk[i], 33) == 1);
+    for (i = 0; i < iters; i++) {
+        secp256k1_xonly_pubkey pk;
+        CHECK(secp256k1_xonly_pubkey_parse(data->ctx, &pk, data->pk[i]) == 1);
        CHECK(secp256k1_schnorrsig_verify(data->ctx, data->sigs[i], data->msgs[i], &pk));
    }
 }

-void bench_schnorrsig_verify_n(void* arg) {
-    bench_schnorrsig_data *data = (bench_schnorrsig_data *)arg;
-    size_t i, j;
-    const secp256k1_pubkey **pk = (const secp256k1_pubkey **)malloc(data->n * sizeof(*pk));
-
-    CHECK(pk != NULL);
-    for (j = 0; j < MAX_SIGS/data->n; j++) {
-        for (i = 0; i < data->n; i++) {
-            secp256k1_pubkey *pk_nonconst = (secp256k1_pubkey *)malloc(sizeof(*pk_nonconst));
-            CHECK(secp256k1_ec_pubkey_parse(data->ctx, pk_nonconst, data->pk[i], 33) == 1);
-            pk[i] = pk_nonconst;
-        }
-        CHECK(secp256k1_schnorrsig_verify_batch(data->ctx, data->scratch, data->sigs, data->msgs, pk, data->n));
-        for (i = 0; i < data->n; i++) {
-            free((void *)pk[i]);
-        }
-    }
-    free(pk);
-}
-
 int main(void) {
-    size_t i;
+    int i;
    bench_schnorrsig_data data;
+    int iters = get_iters(10000);

    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN);
-    data.scratch = secp256k1_scratch_space_create(data.ctx, 1024 * 1024 * 1024);
-    data.pk = (const unsigned char **)malloc(MAX_SIGS * sizeof(unsigned char *));
-    data.msgs = (const unsigned char **)malloc(MAX_SIGS * sizeof(unsigned char *));
-    data.sigs = (const secp256k1_schnorrsig **)malloc(MAX_SIGS * sizeof(secp256k1_schnorrsig *));
+    data.keypairs = (const secp256k1_keypair **)malloc(iters * sizeof(secp256k1_keypair *));
+    data.pk = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
+    data.msgs = (const unsigned char **)malloc(iters * sizeof(unsigned char *));
+    data.sigs = (const unsigned char **)malloc(iters * sizeof(unsigned char *));

-    for (i = 0; i < MAX_SIGS; i++) {
+    for (i = 0; i < iters; i++) {
        unsigned char sk[32];
        unsigned char *msg = (unsigned char *)malloc(32);
-        secp256k1_schnorrsig *sig = (secp256k1_schnorrsig *)malloc(sizeof(*sig));
-        unsigned char *pk_char = (unsigned char *)malloc(33);
-        secp256k1_pubkey pk;
-        size_t pk_len = 33;
+        unsigned char *sig = (unsigned char *)malloc(64);
+        secp256k1_keypair *keypair = (secp256k1_keypair *)malloc(sizeof(*keypair));
+        unsigned char *pk_char = (unsigned char *)malloc(32);
+        secp256k1_xonly_pubkey pk;
        msg[0] = sk[0] = i;
        msg[1] = sk[1] = i >> 8;
        msg[2] = sk[2] = i >> 16;
@@ -94,35 +72,31 @@ int main(void) {
        memset(&msg[4], 'm', 28);
        memset(&sk[4], 's', 28);

+        data.keypairs[i] = keypair;
        data.pk[i] = pk_char;
        data.msgs[i] = msg;
        data.sigs[i] = sig;

-        CHECK(secp256k1_ec_pubkey_create(data.ctx, &pk, sk));
-        CHECK(secp256k1_ec_pubkey_serialize(data.ctx, pk_char, &pk_len, &pk, SECP256K1_EC_COMPRESSED) == 1);
-        CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, NULL, msg, sk, NULL, NULL));
+        CHECK(secp256k1_keypair_create(data.ctx, keypair, sk));
+        CHECK(secp256k1_schnorrsig_sign(data.ctx, sig, msg, keypair, NULL, NULL));
+        CHECK(secp256k1_keypair_xonly_pub(data.ctx, &pk, NULL, keypair));
+        CHECK(secp256k1_xonly_pubkey_serialize(data.ctx, pk_char, &pk) == 1);
    }

-    run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, 1000);
-    run_benchmark("schnorrsig_verify", bench_schnorrsig_verify, NULL, NULL, (void *) &data, 10, 1000);
-    for (i = 1; i <= MAX_SIGS; i *= 2) {
-        char name[64];
-        sprintf(name, "schnorrsig_batch_verify_%d", (int) i);
+    run_benchmark("schnorrsig_sign", bench_schnorrsig_sign, NULL, NULL, (void *) &data, 10, iters);
+    run_benchmark("schnorrsig_verify", bench_schnorrsig_verify, NULL, NULL, (void *) &data, 10, iters);

-        data.n = i;
-        run_benchmark(name, bench_schnorrsig_verify_n, NULL, NULL, (void *) &data, 3, MAX_SIGS);
-    }
-
-    for (i = 0; i < MAX_SIGS; i++) {
+    for (i = 0; i < iters; i++) {
+        free((void *)data.keypairs[i]);
        free((void *)data.pk[i]);
        free((void *)data.msgs[i]);
        free((void *)data.sigs[i]);
    }
+    free(data.keypairs);
    free(data.pk);
    free(data.msgs);
    free(data.sigs);

-    secp256k1_scratch_space_destroy(data.scratch);
    secp256k1_context_destroy(data.ctx);
    return 0;
 }
--- a/src/bench_sign.c
+++ b/src/bench_sign.c
@@ -12,11 +12,11 @@ typedef struct {
    secp256k1_context* ctx;
    unsigned char msg[32];
    unsigned char key[32];
-} bench_sign;
+} bench_sign_data;

 static void bench_sign_setup(void* arg) {
    int i;
-    bench_sign *data = (bench_sign*)arg;
+    bench_sign_data *data = (bench_sign_data*)arg;

    for (i = 0; i < 32; i++) {
        data->msg[i] = i + 1;
@@ -26,12 +26,12 @@ static void bench_sign_setup(void* arg) {
    }
 }

-static void bench_sign_run(void* arg) {
+static void bench_sign_run(void* arg, int iters) {
    int i;
-    bench_sign *data = (bench_sign*)arg;
+    bench_sign_data *data = (bench_sign_data*)arg;

    unsigned char sig[74];
-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        size_t siglen = 74;
        int j;
        secp256k1_ecdsa_signature signature;
@@ -45,11 +45,13 @@ static void bench_sign_run(void* arg) {
 }

 int main(void) {
-    bench_sign data;
+    bench_sign_data data;
+
+    int iters = get_iters(20000);

    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);

-    run_benchmark("ecdsa_sign", bench_sign_run, bench_sign_setup, NULL, &data, 10, 20000);
+    run_benchmark("ecdsa_sign", bench_sign_run, bench_sign_setup, NULL, &data, 10, iters);

    secp256k1_context_destroy(data.ctx);
    return 0;
--- a/src/bench_verify.c
+++ b/src/bench_verify.c
@@ -17,6 +17,7 @@
 #include <openssl/obj_mac.h>
 #endif

+
 typedef struct {
    secp256k1_context *ctx;
    unsigned char msg[32];
@@ -28,13 +29,13 @@ typedef struct {
 #ifdef ENABLE_OPENSSL_TESTS
    EC_GROUP* ec_group;
 #endif
-} benchmark_verify_t;
+} bench_verify_data;

-static void benchmark_verify(void* arg) {
+static void bench_verify(void* arg, int iters) {
    int i;
-    benchmark_verify_t* data = (benchmark_verify_t*)arg;
+    bench_verify_data* data = (bench_verify_data*)arg;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        secp256k1_pubkey pubkey;
        secp256k1_ecdsa_signature sig;
        data->sig[data->siglen - 1] ^= (i & 0xFF);
@@ -50,11 +51,11 @@ static void benchmark_verify(void* arg) {
 }

 #ifdef ENABLE_OPENSSL_TESTS
-static void benchmark_verify_openssl(void* arg) {
+static void bench_verify_openssl(void* arg, int iters) {
    int i;
-    benchmark_verify_t* data = (benchmark_verify_t*)arg;
+    bench_verify_data* data = (bench_verify_data*)arg;

-    for (i = 0; i < 20000; i++) {
+    for (i = 0; i < iters; i++) {
        data->sig[data->siglen - 1] ^= (i & 0xFF);
        data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF);
        data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF);
@@ -83,7 +84,9 @@ int main(void) {
    int i;
    secp256k1_pubkey pubkey;
    secp256k1_ecdsa_signature sig;
-    benchmark_verify_t data;
+    bench_verify_data data;
+
+    int iters = get_iters(20000);

    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);

@@ -100,10 +103,10 @@ int main(void) {
    data.pubkeylen = 33;
    CHECK(secp256k1_ec_pubkey_serialize(data.ctx, data.pubkey, &data.pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED) == 1);

-    run_benchmark("ecdsa_verify", benchmark_verify, NULL, NULL, &data, 10, 20000);
+    run_benchmark("ecdsa_verify", bench_verify, NULL, NULL, &data, 10, iters);
 #ifdef ENABLE_OPENSSL_TESTS
    data.ec_group = EC_GROUP_new_by_curve_name(NID_secp256k1);
-    run_benchmark("ecdsa_verify_openssl", benchmark_verify_openssl, NULL, NULL, &data, 10, 20000);
+    run_benchmark("ecdsa_verify_openssl", bench_verify_openssl, NULL, NULL, &data, 10, iters);
    EC_GROUP_free(data.ec_group);
 #endif

--- a/src/bench_whitelist.c
+++ b/src/bench_whitelist.c
@@ -8,8 +8,8 @@
 #include "include/secp256k1.h"

 #include "include/secp256k1_whitelist.h"
-#include "bench.h"
 #include "util.h"
+#include "bench.h"
 #include "hash_impl.h"
 #include "num_impl.h"
 #include "scalar_impl.h"
@@ -29,9 +29,12 @@ typedef struct {
    size_t n_keys;
 } bench_data;

-static void bench_whitelist(void* arg) {
+static void bench_whitelist(void* arg, int iters) {
    bench_data* data = (bench_data*)arg;
-    CHECK(secp256k1_whitelist_verify(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey) == 1);
+    int i;
+    for (i = 0; i < iters; i++) {
+        CHECK(secp256k1_whitelist_verify(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey) == 1);
+    }
 }

 static void bench_whitelist_setup(void* arg) {
@@ -40,17 +43,17 @@ static void bench_whitelist_setup(void* arg) {
    CHECK(secp256k1_whitelist_sign(data->ctx, &data->sig, data->online_pubkeys, data->offline_pubkeys, data->n_keys, &data->sub_pubkey, data->online_seckey[i], data->summed_seckey[i], i, NULL, NULL));
 }

-static void run_test(bench_data* data) {
+static void run_test(bench_data* data, int iters) {
    char str[32];
    sprintf(str, "whitelist_%i", (int)data->n_keys);
-    run_benchmark(str, bench_whitelist, bench_whitelist_setup, NULL, data, 100, 1);
+    run_benchmark(str, bench_whitelist, bench_whitelist_setup, NULL, data, 100, iters);
 }

 void random_scalar_order(secp256k1_scalar *num) {
    do {
        unsigned char b32[32];
        int overflow = 0;
-        secp256k1_rand256(b32);
+        secp256k1_testrand256(b32);
        secp256k1_scalar_set_b32(num, b32, &overflow);
        if (overflow || secp256k1_scalar_is_zero(num)) {
            continue;
@@ -64,6 +67,7 @@ int main(void) {
    size_t i;
    size_t n_keys = 30;
    secp256k1_scalar ssub;
+    int iters = get_iters(5);

    data.ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);

@@ -96,7 +100,7 @@ int main(void) {
    /* Run test */
    for (i = 1; i <= n_keys; ++i) {
        data.n_keys = i;
-        run_test(&data);
+        run_test(&data, iters);
    }

    secp256k1_context_destroy(data.ctx);
--- a/src/eccommit.h
+++ b/src/eccommit.h
@@ -0,0 +1,28 @@
+/**********************************************************************
+ * Copyright (c) 2020 The libsecp256k1-zkp Developers                 *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_ECCOMMIT_H
+#define SECP256K1_ECCOMMIT_H
+
+/** Helper function to add a 32-byte value to a scalar */
+static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak);
+/** Helper function to add a 32-byte value, times G, to an EC point */
+static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak);
+
+/** Serializes elem as a 33 byte array. This is non-constant time with respect to
+ *  whether pubp is the point at infinity. Thus, you may need to declassify
+ *  pubp->infinity before calling this function. */
+static int secp256k1_ec_commit_pubkey_serialize_const(secp256k1_ge *pubp, unsigned char *buf33);
+/** Compute an ec commitment tweak as hash(pubkey, data). */
+static int secp256k1_ec_commit_tweak(unsigned char *tweak32, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
+/** Compute an ec commitment as pubkey + hash(pubkey, data)*G. */
+static int secp256k1_ec_commit(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
+/** Compute a secret key commitment as seckey + hash(pubkey, data). */
+static int secp256k1_ec_commit_seckey(const secp256k1_ecmult_gen_context* ecmult_gen_ctx, secp256k1_scalar* seckey, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
+/** Verify an ec commitment as pubkey + hash(pubkey, data)*G ?= commitment. */
+static int secp256k1_ec_commit_verify(const secp256k1_ecmult_context* ecmult_ctx, const secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
+
+#endif /* SECP256K1_ECCOMMIT_H */
--- a/src/eccommit_impl.h
+++ b/src/eccommit_impl.h
@@ -0,0 +1,73 @@
+/**********************************************************************
+ * Copyright (c) 2020 The libsecp256k1 Developers                     *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#include <stddef.h>
+
+#include "eckey.h"
+#include "hash.h"
+
+/* from secp256k1.c */
+static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak);
+static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *pubp, const unsigned char *tweak);
+
+static int secp256k1_ec_commit_pubkey_serialize_const(secp256k1_ge *pubp, unsigned char *buf33) {
+    if (secp256k1_ge_is_infinity(pubp)) {
+        return 0;
+    }
+    secp256k1_fe_normalize(&pubp->x);
+    secp256k1_fe_normalize(&pubp->y);
+    secp256k1_fe_get_b32(&buf33[1], &pubp->x);
+    buf33[0] = secp256k1_fe_is_odd(&pubp->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN;
+    return 1;
+}
+
+/* Compute an ec commitment tweak as hash(pubp, data). */
+static int secp256k1_ec_commit_tweak(unsigned char *tweak32, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size)
+{
+    unsigned char rbuf[33];
+
+    if (!secp256k1_ec_commit_pubkey_serialize_const(pubp, rbuf)) {
+        return 0;
+    }
+    secp256k1_sha256_write(sha, rbuf, sizeof(rbuf));
+    secp256k1_sha256_write(sha, data, data_size);
+    secp256k1_sha256_finalize(sha, tweak32);
+    return 1;
+}
+
+/* Compute an ec commitment as pubp + hash(pubp, data)*G. */
+static int secp256k1_ec_commit(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
+    unsigned char tweak[32];
+
+    *commitp = *pubp;
+    return secp256k1_ec_commit_tweak(tweak, commitp, sha, data, data_size)
+           && secp256k1_ec_pubkey_tweak_add_helper(ecmult_ctx, commitp, tweak);
+}
+
+/* Compute the seckey of an ec commitment from the original secret key of the pubkey as seckey +
+ * hash(pubp, data). */
+static int secp256k1_ec_commit_seckey(secp256k1_scalar* seckey, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
+    unsigned char tweak[32];
+    return secp256k1_ec_commit_tweak(tweak, pubp, sha, data, data_size)
+           && secp256k1_ec_seckey_tweak_add_helper(seckey, tweak);
+}
+
+/* Verify an ec commitment as pubp + hash(pubp, data)*G ?= commitment. */
+static int secp256k1_ec_commit_verify(const secp256k1_ecmult_context* ecmult_ctx, const secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
+    secp256k1_gej pj;
+    secp256k1_ge p;
+
+    if (!secp256k1_ec_commit(ecmult_ctx, &p, pubp, sha, data, data_size)) {
+        return 0;
+    }
+
+    /* Return p == commitp */
+    secp256k1_ge_neg(&p, &p);
+    secp256k1_gej_set_ge(&pj, &p);
+    secp256k1_gej_add_ge_var(&pj, &pj, commitp, NULL);
+    return secp256k1_gej_is_infinity(&pj);
+}
+
--- a/src/ecdsa_impl.h
+++ b/src/ecdsa_impl.h
@@ -280,6 +280,7 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
    secp256k1_ge r;
    secp256k1_scalar n;
    int overflow = 0;
+    int high;

    secp256k1_ecmult_gen(ctx, &rp, nonce);
    secp256k1_ge_set_gej(&r, &rp);
@@ -287,15 +288,11 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
    secp256k1_fe_normalize(&r.y);
    secp256k1_fe_get_b32(b, &r.x);
    secp256k1_scalar_set_b32(sigr, b, &overflow);
-    /* These two conditions should be checked before calling */
-    VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
-    VERIFY_CHECK(overflow == 0);
-
    if (recid) {
        /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
         * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
         */
-        *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
+        *recid = (overflow << 1) | secp256k1_fe_is_odd(&r.y);
    }
    secp256k1_scalar_mul(&n, sigr, seckey);
    secp256k1_scalar_add(&n, &n, message);
@@ -304,16 +301,15 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
    secp256k1_scalar_clear(&n);
    secp256k1_gej_clear(&rp);
    secp256k1_ge_clear(&r);
-    if (secp256k1_scalar_is_zero(sigs)) {
-        return 0;
+    high = secp256k1_scalar_is_high(sigs);
+    secp256k1_scalar_cond_negate(sigs, high);
+    if (recid) {
+            *recid ^= high;
    }
-    if (secp256k1_scalar_is_high(sigs)) {
-        secp256k1_scalar_negate(sigs, sigs);
-        if (recid) {
-            *recid ^= 1;
-        }
-    }
-    return 1;
+    /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature.
+     * This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
+     */
+    return !secp256k1_scalar_is_zero(sigr) & !secp256k1_scalar_is_zero(sigs);
 }

 #endif /* SECP256K1_ECDSA_IMPL_H */
--- a/src/eckey_impl.h
+++ b/src/eckey_impl.h
@@ -54,10 +54,7 @@ static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *p

 static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
    secp256k1_scalar_add(key, key, tweak);
-    if (secp256k1_scalar_is_zero(key)) {
-        return 0;
-    }
-    return 1;
+    return !secp256k1_scalar_is_zero(key);
 }

 static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak) {
@@ -75,12 +72,11 @@ static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx,
 }

 static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
-    if (secp256k1_scalar_is_zero(tweak)) {
-        return 0;
-    }
+    int ret;
+    ret = !secp256k1_scalar_is_zero(tweak);

    secp256k1_scalar_mul(key, key, tweak);
-    return 1;
+    return ret;
 }

 static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak) {
--- a/src/ecmult.h
+++ b/src/ecmult.h
@@ -15,9 +15,7 @@
 typedef struct {
    /* For accelerating the computation of a*P + b*G: */
    secp256k1_ge_storage (*pre_g)[];    /* odd multiples of the generator */
-#ifdef USE_ENDOMORPHISM
    secp256k1_ge_storage (*pre_g_128)[]; /* odd multiples of 2^128*generator */
-#endif
 } secp256k1_ecmult_context;

 static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
--- a/src/ecmult_const.h
+++ b/src/ecmult_const.h
@@ -10,8 +10,11 @@
 #include "scalar.h"
 #include "group.h"

-/* Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus
- * one because we internally sometimes add 2 to the number during the WNAF conversion. */
+/**
+ * Multiply: R = q*A (in constant-time)
+ * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus
+ * one because we internally sometimes add 2 to the number during the WNAF conversion.
+ */
 static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits);

 #endif /* SECP256K1_ECMULT_CONST_H */
--- a/src/ecmult_const_impl.h
+++ b/src/ecmult_const_impl.h
@@ -14,16 +14,22 @@

 /* This is like `ECMULT_TABLE_GET_GE` but is constant time */
 #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \
-    int m; \
-    int abs_n = (n) * (((n) > 0) * 2 - 1); \
-    int idx_n = abs_n / 2; \
+    int m = 0; \
+    /* Extract the sign-bit for a constant time absolute-value. */ \
+    int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \
+    int abs_n = ((n) + mask) ^ mask; \
+    int idx_n = abs_n >> 1; \
    secp256k1_fe neg_y; \
    VERIFY_CHECK(((n) & 1) == 1); \
    VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \
    VERIFY_CHECK((n) <=  ((1 << ((w)-1)) - 1)); \
    VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \
    VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \
-    for (m = 0; m < ECMULT_TABLE_SIZE(w); m++) { \
+    /* Unconditionally set r->x = (pre)[m].x. r->y = (pre)[m].y. because it's either the correct one \
+     * or will get replaced in the later iterations, this is needed to make sure `r` is initialized. */ \
+    (r)->x = (pre)[m].x; \
+    (r)->y = (pre)[m].y; \
+    for (m = 1; m < ECMULT_TABLE_SIZE(w); m++) { \
        /* This loop is used to avoid secret data in array indices. See
         * the comment in ecmult_gen_impl.h for rationale. */ \
        secp256k1_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \
@@ -44,7 +50,7 @@
 *
 *  Adapted from `The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar
 *  Multiplications Secure against Side Channel Attacks`, Okeya and Tagaki. M. Joye (Ed.)
- *  CT-RSA 2003, LNCS 2612, pp. 328-443, 2003. Springer-Verlagy Berlin Heidelberg 2003
+ *  CT-RSA 2003, LNCS 2612, pp. 328-443, 2003. Springer-Verlag Berlin Heidelberg 2003
 *
 *  Numbers reference steps of `Algorithm SPA-resistant Width-w NAF with Odd Scalar` on pp. 335
 */
@@ -99,16 +105,22 @@ static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w
    /* 4 */
    u_last = secp256k1_scalar_shr_int(&s, w);
    do {
-        int sign;
        int even;

        /* 4.1 4.4 */
        u = secp256k1_scalar_shr_int(&s, w);
        /* 4.2 */
        even = ((u & 1) == 0);
-        sign = 2 * (u_last > 0) - 1;
-        u += sign * even;
-        u_last -= sign * even * (1 << w);
+        /* In contrast to the original algorithm, u_last is always > 0 and
+         * therefore we do not need to check its sign. In particular, it's easy
+         * to see that u_last is never < 0 because u is never < 0. Moreover,
+         * u_last is never = 0 because u is never even after a loop
+         * iteration. The same holds analogously for the initial value of
+         * u_last (in the first loop iteration). */
+        VERIFY_CHECK(u_last > 0);
+        VERIFY_CHECK((u_last & 1) == 1);
+        u += even;
+        u_last -= even * (1 << w);

        /* 4.3, adapted for global sign change */
        wnaf[word++] = u_last * global_sign;
@@ -128,19 +140,16 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
    secp256k1_fe Z;

    int skew_1;
-#ifdef USE_ENDOMORPHISM
    secp256k1_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)];
    int wnaf_lam[1 + WNAF_SIZE(WINDOW_A - 1)];
    int skew_lam;
    secp256k1_scalar q_1, q_lam;
-#endif
    int wnaf_1[1 + WNAF_SIZE(WINDOW_A - 1)];

    int i;

    /* build wnaf representation for q. */
    int rsize = size;
-#ifdef USE_ENDOMORPHISM
    if (size > 128) {
        rsize = 128;
        /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */
@@ -148,12 +157,9 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
        skew_1   = secp256k1_wnaf_const(wnaf_1,   &q_1,   WINDOW_A - 1, 128);
        skew_lam = secp256k1_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128);
    } else
-#endif
    {
        skew_1   = secp256k1_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size);
-#ifdef USE_ENDOMORPHISM
        skew_lam = 0;
-#endif
    }

    /* Calculate odd multiples of a.
@@ -167,13 +173,12 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
    for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
        secp256k1_fe_normalize_weak(&pre_a[i].y);
    }
-#ifdef USE_ENDOMORPHISM
    if (size > 128) {
        for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
            secp256k1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]);
        }
+
    }
-#endif

    /* first loop iteration (separated out so we can directly set r, rather
     * than having it start at infinity, get doubled several times, then have
@@ -182,34 +187,30 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
    VERIFY_CHECK(i != 0);
    ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A);
    secp256k1_gej_set_ge(r, &tmpa);
-#ifdef USE_ENDOMORPHISM
    if (size > 128) {
        i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)];
        VERIFY_CHECK(i != 0);
        ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A);
        secp256k1_gej_add_ge(r, r, &tmpa);
    }
-#endif
    /* remaining loop iterations */
    for (i = WNAF_SIZE_BITS(rsize, WINDOW_A - 1) - 1; i >= 0; i--) {
        int n;
        int j;
        for (j = 0; j < WINDOW_A - 1; ++j) {
-            secp256k1_gej_double_nonzero(r, r, NULL);
+            secp256k1_gej_double(r, r);
        }

        n = wnaf_1[i];
        ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A);
        VERIFY_CHECK(n != 0);
        secp256k1_gej_add_ge(r, r, &tmpa);
-#ifdef USE_ENDOMORPHISM
        if (size > 128) {
            n = wnaf_lam[i];
            ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, n, WINDOW_A);
            VERIFY_CHECK(n != 0);
            secp256k1_gej_add_ge(r, r, &tmpa);
        }
-#endif
    }

    secp256k1_fe_mul(&r->z, &r->z, &Z);
@@ -218,43 +219,35 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
        /* Correct for wNAF skew */
        secp256k1_ge correction = *a;
        secp256k1_ge_storage correction_1_stor;
-#ifdef USE_ENDOMORPHISM
        secp256k1_ge_storage correction_lam_stor;
-#endif
        secp256k1_ge_storage a2_stor;
        secp256k1_gej tmpj;
        secp256k1_gej_set_ge(&tmpj, &correction);
        secp256k1_gej_double_var(&tmpj, &tmpj, NULL);
        secp256k1_ge_set_gej(&correction, &tmpj);
        secp256k1_ge_to_storage(&correction_1_stor, a);
-#ifdef USE_ENDOMORPHISM
        if (size > 128) {
            secp256k1_ge_to_storage(&correction_lam_stor, a);
        }
-#endif
        secp256k1_ge_to_storage(&a2_stor, &correction);

        /* For odd numbers this is 2a (so replace it), for even ones a (so no-op) */
        secp256k1_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2);
-#ifdef USE_ENDOMORPHISM
        if (size > 128) {
            secp256k1_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2);
        }
-#endif

        /* Apply the correction */
        secp256k1_ge_from_storage(&correction, &correction_1_stor);
        secp256k1_ge_neg(&correction, &correction);
        secp256k1_gej_add_ge(r, r, &correction);

-#ifdef USE_ENDOMORPHISM
        if (size > 128) {
            secp256k1_ge_from_storage(&correction, &correction_lam_stor);
            secp256k1_ge_neg(&correction, &correction);
            secp256k1_ge_mul_lambda(&correction, &correction);
            secp256k1_gej_add_ge(r, r, &correction);
        }
-#endif
    }
 }

--- a/src/ecmult_gen.h
+++ b/src/ecmult_gen.h
@@ -10,20 +10,27 @@
 #include "scalar.h"
 #include "group.h"

+#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
+#  error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
+#endif
+#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS
+#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B)
+#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B)
+
 typedef struct {
    /* For accelerating the computation of a*G:
     * To harden against timing attacks, use the following mechanism:
-     * * Break up the multiplicand into groups of 4 bits, called n_0, n_1, n_2, ..., n_63.
-     * * Compute sum(n_i * 16^i * G + U_i, i=0..63), where:
-     *   * U_i = U * 2^i (for i=0..62)
-     *   * U_i = U * (1-2^63) (for i=63)
-     *   where U is a point with no known corresponding scalar. Note that sum(U_i, i=0..63) = 0.
-     * For each i, and each of the 16 possible values of n_i, (n_i * 16^i * G + U_i) is
-     * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63).
+     * * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1).
+     * * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where:
+     *   * U_i = U * 2^i, for i=0 ... PREC_N-2
+     *   * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1
+     *   where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0.
+     * For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is
+     * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1).
     * None of the resulting prec group elements have a known scalar, and neither do any of
     * the intermediate sums while computing a*G.
     */
-    secp256k1_ge_storage (*prec)[64][16]; /* prec[j][i] = 16^j * i * G + U_i */
+    secp256k1_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */
    secp256k1_scalar blind;
    secp256k1_gej initial;
 } secp256k1_ecmult_gen_context;
--- a/src/ecmult_gen_impl.h
+++ b/src/ecmult_gen_impl.h
@@ -28,7 +28,7 @@ static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)

 static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc) {
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-    secp256k1_ge prec[1024];
+    secp256k1_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G];
    secp256k1_gej gj;
    secp256k1_gej nums_gej;
    int i, j;
@@ -40,7 +40,7 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx
        return;
    }
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
-    ctx->prec = (secp256k1_ge_storage (*)[64][16])manual_alloc(prealloc, prealloc_size, base, prealloc_size);
+    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size);

    /* get the generator */
    secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
@@ -64,39 +64,39 @@ static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx

    /* compute prec. */
    {
-        secp256k1_gej precj[1024]; /* Jacobian versions of prec. */
+        secp256k1_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */
        secp256k1_gej gbase;
        secp256k1_gej numsbase;
-        gbase = gj; /* 16^j * G */
+        gbase = gj; /* PREC_G^j * G */
        numsbase = nums_gej; /* 2^j * nums. */
-        for (j = 0; j < 64; j++) {
-            /* Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase). */
-            precj[j*16] = numsbase;
-            for (i = 1; i < 16; i++) {
-                secp256k1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase, NULL);
+        for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
+            /* Set precj[j*PREC_G .. j*PREC_G+(PREC_G-1)] to (numsbase, numsbase + gbase, ..., numsbase + (PREC_G-1)*gbase). */
+            precj[j*ECMULT_GEN_PREC_G] = numsbase;
+            for (i = 1; i < ECMULT_GEN_PREC_G; i++) {
+                secp256k1_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL);
            }
-            /* Multiply gbase by 16. */
-            for (i = 0; i < 4; i++) {
+            /* Multiply gbase by PREC_G. */
+            for (i = 0; i < ECMULT_GEN_PREC_B; i++) {
                secp256k1_gej_double_var(&gbase, &gbase, NULL);
            }
            /* Multiply numbase by 2. */
            secp256k1_gej_double_var(&numsbase, &numsbase, NULL);
-            if (j == 62) {
+            if (j == ECMULT_GEN_PREC_N - 2) {
                /* In the last iteration, numsbase is (1 - 2^j) * nums instead. */
                secp256k1_gej_neg(&numsbase, &numsbase);
                secp256k1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL);
            }
        }
-        secp256k1_ge_set_all_gej_var(prec, precj, 1024);
+        secp256k1_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G);
    }
-    for (j = 0; j < 64; j++) {
-        for (i = 0; i < 16; i++) {
-            secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*16 + i]);
+    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
+        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
+            secp256k1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]);
        }
    }
 #else
    (void)prealloc;
-    ctx->prec = (secp256k1_ge_storage (*)[64][16])secp256k1_ecmult_static_context;
+    ctx->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])secp256k1_ecmult_static_context;
 #endif
    secp256k1_ecmult_gen_blind(ctx, NULL);
 }
@@ -109,7 +109,7 @@ static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_co
 #ifndef USE_ECMULT_STATIC_PRECOMPUTATION
    if (src->prec != NULL) {
        /* We cast to void* first to suppress a -Wcast-align warning. */
-        dst->prec = (secp256k1_ge_storage (*)[64][16])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
+        dst->prec = (secp256k1_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src));
    }
 #else
    (void)dst, (void)src;
@@ -133,9 +133,9 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
    /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */
    secp256k1_scalar_add(&gnb, gn, &ctx->blind);
    add.infinity = 0;
-    for (j = 0; j < 64; j++) {
-        bits = secp256k1_scalar_get_bits(&gnb, j * 4, 4);
-        for (i = 0; i < 16; i++) {
+    for (j = 0; j < ECMULT_GEN_PREC_N; j++) {
+        bits = secp256k1_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B);
+        for (i = 0; i < ECMULT_GEN_PREC_G; i++) {
            /** This uses a conditional move to avoid any secret data in array indexes.
             *   _Any_ use of secret indexes has been demonstrated to result in timing
             *   sidechannels, even when the cache-line access patterns are uniform.
@@ -163,7 +163,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
    secp256k1_fe s;
    unsigned char nonce32[32];
    secp256k1_rfc6979_hmac_sha256 rng;
-    int retry;
+    int overflow;
    unsigned char keydata[64] = {0};
    if (seed32 == NULL) {
        /* When seed is NULL, reset the initial point and blinding value. */
@@ -183,21 +183,18 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
    }
    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
    memset(keydata, 0, sizeof(keydata));
-    /* Retry for out of range results to achieve uniformity. */
-    do {
-        secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
-        retry = !secp256k1_fe_set_b32(&s, nonce32);
-        retry = retry || secp256k1_fe_is_zero(&s);
-    } while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > Fp. */
+    /* Accept unobservably small non-uniformity. */
+    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+    overflow = !secp256k1_fe_set_b32(&s, nonce32);
+    overflow |= secp256k1_fe_is_zero(&s);
+    secp256k1_fe_cmov(&s, &secp256k1_fe_one, overflow);
    /* Randomize the projection to defend against multiplier sidechannels. */
    secp256k1_gej_rescale(&ctx->initial, &s);
    secp256k1_fe_clear(&s);
-    do {
-        secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
-        secp256k1_scalar_set_b32(&b, nonce32, &retry);
-        /* A blinding value of 0 works, but would undermine the projection hardening. */
-        retry = retry || secp256k1_scalar_is_zero(&b);
-    } while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > order. */
+    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+    secp256k1_scalar_set_b32(&b, nonce32, NULL);
+    /* A blinding value of 0 works, but would undermine the projection hardening. */
+    secp256k1_scalar_cmov(&b, &secp256k1_scalar_one, secp256k1_scalar_is_zero(&b));
    secp256k1_rfc6979_hmac_sha256_finalize(&rng);
    memset(nonce32, 0, 32);
    secp256k1_ecmult_gen(ctx, &gb, &b);
--- a/src/ecmult_impl.h
+++ b/src/ecmult_impl.h
@@ -38,8 +38,8 @@
 *      (1 << (WINDOW_G - 2)) * sizeof(secp256k1_ge_storage)  bytes,
 *  where sizeof(secp256k1_ge_storage) is typically 64 bytes but can
 *  be larger due to platform-specific padding and alignment.
- *  If the endomorphism optimization is enabled (USE_ENDOMORMPHSIM)
- *  two tables of this size are used instead of only one.
+ *  Two tables of this size are used (due to the endomorphism
+ *  optimization).
 */
 #  define WINDOW_G ECMULT_WINDOW_SIZE
 #endif
@@ -59,11 +59,7 @@
 #  error Set ECMULT_WINDOW_SIZE to an integer in range [2..24].
 #endif

-#ifdef USE_ENDOMORPHISM
-    #define WNAF_BITS 128
-#else
-    #define WNAF_BITS 256
-#endif
+#define WNAF_BITS 128
 #define WNAF_SIZE_BITS(bits, w) (((bits) + (w) - 1) / (w))
 #define WNAF_SIZE(w) WNAF_SIZE_BITS(WNAF_BITS, w)

@@ -77,17 +73,9 @@
 #define PIPPENGER_MAX_BUCKET_WINDOW 12

 /* Minimum number of points for which pippenger_wnaf is faster than strauss wnaf */
-#ifdef USE_ENDOMORPHISM
-    #define ECMULT_PIPPENGER_THRESHOLD 88
-#else
-    #define ECMULT_PIPPENGER_THRESHOLD 160
-#endif
+#define ECMULT_PIPPENGER_THRESHOLD 88

-#ifdef USE_ENDOMORPHISM
-    #define ECMULT_MAX_POINTS_PER_BATCH 5000000
-#else
-    #define ECMULT_MAX_POINTS_PER_BATCH 10000000
-#endif
+#define ECMULT_MAX_POINTS_PER_BATCH 5000000

 /** Fill a table 'prej' with precomputed odd multiples of a. Prej will contain
 *  the values [1*a,3*a,...,(2*n-1)*a], so it space for n values. zr[0] will
@@ -138,7 +126,7 @@ static void secp256k1_ecmult_odd_multiples_table(int n, secp256k1_gej *prej, sec
 *    It only operates on tables sized for WINDOW_A wnaf multiples.
 *  - secp256k1_ecmult_odd_multiples_table_storage_var, which converts its
 *    resulting point set to actually affine points, and stores those in pre.
- *    It operates on tables of any size, but uses heap-allocated temporaries.
+ *    It operates on tables of any size.
 *
 *  To compute a*P + b*G, we compute a table for P using the first function,
 *  and for G using the second (which requires an inverse, but it only needs to
@@ -313,16 +301,12 @@ static void secp256k1_ecmult_odd_multiples_table_storage_var(const int n, secp25

 static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE =
    ROUND_TO_ALIGN(sizeof((*((secp256k1_ecmult_context*) NULL)->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G))
-#ifdef USE_ENDOMORPHISM
    + ROUND_TO_ALIGN(sizeof((*((secp256k1_ecmult_context*) NULL)->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G))
-#endif
    ;

 static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx) {
    ctx->pre_g = NULL;
-#ifdef USE_ENDOMORPHISM
    ctx->pre_g_128 = NULL;
-#endif
 }

 static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void **prealloc) {
@@ -347,7 +331,6 @@ static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void *
    /* precompute the tables with odd multiples */
    secp256k1_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g, &gj);

-#ifdef USE_ENDOMORPHISM
    {
        secp256k1_gej g_128j;
        int i;
@@ -364,7 +347,6 @@ static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void *
        }
        secp256k1_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g_128, &g_128j);
    }
-#endif
 }

 static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src) {
@@ -372,11 +354,9 @@ static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *d
        /* We cast to void* first to suppress a -Wcast-align warning. */
        dst->pre_g = (secp256k1_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g) - (unsigned char*)src));
    }
-#ifdef USE_ENDOMORPHISM
    if (src->pre_g_128 != NULL) {
        dst->pre_g_128 = (secp256k1_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g_128) - (unsigned char*)src));
    }
-#endif
 }

 static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx) {
@@ -395,7 +375,7 @@ static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx) {
 *    than the number of bits in the (absolute value) of the input.
 */
 static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w) {
-    secp256k1_scalar s = *a;
+    secp256k1_scalar s;
    int last_set_bit = -1;
    int bit = 0;
    int sign = 1;
@@ -408,6 +388,7 @@ static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a,

    memset(wnaf, 0, len * sizeof(wnaf[0]));

+    s = *a;
    if (secp256k1_scalar_get_bits(&s, 255, 1)) {
        secp256k1_scalar_negate(&s, &s);
        sign = -1;
@@ -446,16 +427,11 @@ static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a,
 }

 struct secp256k1_strauss_point_state {
-#ifdef USE_ENDOMORPHISM
    secp256k1_scalar na_1, na_lam;
-    int wnaf_na_1[130];
-    int wnaf_na_lam[130];
+    int wnaf_na_1[129];
+    int wnaf_na_lam[129];
    int bits_na_1;
    int bits_na_lam;
-#else
-    int wnaf_na[256];
-    int bits_na;
-#endif
    size_t input_pos;
 };

@@ -463,58 +439,43 @@ struct secp256k1_strauss_state {
    secp256k1_gej* prej;
    secp256k1_fe* zr;
    secp256k1_ge* pre_a;
-#ifdef USE_ENDOMORPHISM
    secp256k1_ge* pre_a_lam;
-#endif
    struct secp256k1_strauss_point_state* ps;
 };

-static void secp256k1_ecmult_strauss_wnaf(const secp256k1_ecmult_context *ctx, const struct secp256k1_strauss_state *state, secp256k1_gej *r, int num, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng) {
+static void secp256k1_ecmult_strauss_wnaf(const secp256k1_ecmult_context *ctx, const struct secp256k1_strauss_state *state, secp256k1_gej *r, size_t num, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng) {
    secp256k1_ge tmpa;
    secp256k1_fe Z;
-#ifdef USE_ENDOMORPHISM
    /* Splitted G factors. */
    secp256k1_scalar ng_1, ng_128;
    int wnaf_ng_1[129];
    int bits_ng_1 = 0;
    int wnaf_ng_128[129];
    int bits_ng_128 = 0;
-#else
-    int wnaf_ng[256];
-    int bits_ng = 0;
-#endif
    int i;
    int bits = 0;
-    int np;
-    int no = 0;
+    size_t np;
+    size_t no = 0;

    for (np = 0; np < num; ++np) {
        if (secp256k1_scalar_is_zero(&na[np]) || secp256k1_gej_is_infinity(&a[np])) {
            continue;
        }
        state->ps[no].input_pos = np;
-#ifdef USE_ENDOMORPHISM
        /* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */
        secp256k1_scalar_split_lambda(&state->ps[no].na_1, &state->ps[no].na_lam, &na[np]);

        /* build wnaf representation for na_1 and na_lam. */
-        state->ps[no].bits_na_1   = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na_1,   130, &state->ps[no].na_1,   WINDOW_A);
-        state->ps[no].bits_na_lam = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na_lam, 130, &state->ps[no].na_lam, WINDOW_A);
-        VERIFY_CHECK(state->ps[no].bits_na_1 <= 130);
-        VERIFY_CHECK(state->ps[no].bits_na_lam <= 130);
+        state->ps[no].bits_na_1   = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na_1,   129, &state->ps[no].na_1,   WINDOW_A);
+        state->ps[no].bits_na_lam = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na_lam, 129, &state->ps[no].na_lam, WINDOW_A);
+        VERIFY_CHECK(state->ps[no].bits_na_1 <= 129);
+        VERIFY_CHECK(state->ps[no].bits_na_lam <= 129);
        if (state->ps[no].bits_na_1 > bits) {
            bits = state->ps[no].bits_na_1;
        }
        if (state->ps[no].bits_na_lam > bits) {
            bits = state->ps[no].bits_na_lam;
        }
-#else
-        /* build wnaf representation for na. */
-        state->ps[no].bits_na     = secp256k1_ecmult_wnaf(state->ps[no].wnaf_na,     256, &na[np],      WINDOW_A);
-        if (state->ps[no].bits_na > bits) {
-            bits = state->ps[no].bits_na;
-        }
-#endif
        ++no;
    }

@@ -546,7 +507,6 @@ static void secp256k1_ecmult_strauss_wnaf(const secp256k1_ecmult_context *ctx, c
        secp256k1_fe_set_int(&Z, 1);
    }

-#ifdef USE_ENDOMORPHISM
    for (np = 0; np < no; ++np) {
        for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
            secp256k1_ge_mul_lambda(&state->pre_a_lam[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i]);
@@ -567,21 +527,12 @@ static void secp256k1_ecmult_strauss_wnaf(const secp256k1_ecmult_context *ctx, c
            bits = bits_ng_128;
        }
    }
-#else
-    if (ng) {
-        bits_ng     = secp256k1_ecmult_wnaf(wnaf_ng,     256, ng,      WINDOW_G);
-        if (bits_ng > bits) {
-            bits = bits_ng;
-        }
-    }
-#endif

    secp256k1_gej_set_infinity(r);

    for (i = bits - 1; i >= 0; i--) {
        int n;
        secp256k1_gej_double_var(r, r, NULL);
-#ifdef USE_ENDOMORPHISM
        for (np = 0; np < no; ++np) {
            if (i < state->ps[np].bits_na_1 && (n = state->ps[np].wnaf_na_1[i])) {
                ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A);
@@ -600,18 +551,6 @@ static void secp256k1_ecmult_strauss_wnaf(const secp256k1_ecmult_context *ctx, c
            ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g_128, n, WINDOW_G);
            secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
        }
-#else
-        for (np = 0; np < no; ++np) {
-            if (i < state->ps[np].bits_na && (n = state->ps[np].wnaf_na[i])) {
-                ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A);
-                secp256k1_gej_add_ge_var(r, r, &tmpa, NULL);
-            }
-        }
-        if (i < bits_ng && (n = wnaf_ng[i])) {
-            ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g, n, WINDOW_G);
-            secp256k1_gej_add_zinv_var(r, r, &tmpa, &Z);
-        }
-#endif
    }

    if (!r->infinity) {
@@ -624,27 +563,19 @@ static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej
    secp256k1_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)];
    secp256k1_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)];
    struct secp256k1_strauss_point_state ps[1];
-#ifdef USE_ENDOMORPHISM
    secp256k1_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)];
-#endif
    struct secp256k1_strauss_state state;

    state.prej = prej;
    state.zr = zr;
    state.pre_a = pre_a;
-#ifdef USE_ENDOMORPHISM
    state.pre_a_lam = pre_a_lam;
-#endif
    state.ps = ps;
    secp256k1_ecmult_strauss_wnaf(ctx, &state, r, 1, a, na, ng);
 }

 static size_t secp256k1_strauss_scratch_size(size_t n_points) {
-#ifdef USE_ENDOMORPHISM
    static const size_t point_size = (2 * sizeof(secp256k1_ge) + sizeof(secp256k1_gej) + sizeof(secp256k1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct secp256k1_strauss_point_state) + sizeof(secp256k1_gej) + sizeof(secp256k1_scalar);
-#else
-    static const size_t point_size = (sizeof(secp256k1_ge) + sizeof(secp256k1_gej) + sizeof(secp256k1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct secp256k1_strauss_point_state) + sizeof(secp256k1_gej) + sizeof(secp256k1_scalar);
-#endif
    return n_points*point_size;
 }

@@ -664,15 +595,11 @@ static int secp256k1_ecmult_strauss_batch(const secp256k1_callback* error_callba
    scalars = (secp256k1_scalar*)secp256k1_scratch_alloc(error_callback, scratch, n_points * sizeof(secp256k1_scalar));
    state.prej = (secp256k1_gej*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_gej));
    state.zr = (secp256k1_fe*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_fe));
-#ifdef USE_ENDOMORPHISM
-    state.pre_a = (secp256k1_ge*)secp256k1_scratch_alloc(error_callback, scratch, n_points * 2 * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
-    state.pre_a_lam = state.pre_a + n_points * ECMULT_TABLE_SIZE(WINDOW_A);
-#else
    state.pre_a = (secp256k1_ge*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
-#endif
+    state.pre_a_lam = (secp256k1_ge*)secp256k1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(secp256k1_ge));
    state.ps = (struct secp256k1_strauss_point_state*)secp256k1_scratch_alloc(error_callback, scratch, n_points * sizeof(struct secp256k1_strauss_point_state));

-    if (points == NULL || scalars == NULL || state.prej == NULL || state.zr == NULL || state.pre_a == NULL) {
+    if (points == NULL || scalars == NULL || state.prej == NULL || state.zr == NULL || state.pre_a == NULL || state.pre_a_lam == NULL || state.ps == NULL) {
        secp256k1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint);
        return 0;
    }
@@ -867,7 +794,6 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
 * set of buckets) for a given number of points.
 */
 static int secp256k1_pippenger_bucket_window(size_t n) {
-#ifdef USE_ENDOMORPHISM
    if (n <= 1) {
        return 1;
    } else if (n <= 4) {
@@ -891,33 +817,6 @@ static int secp256k1_pippenger_bucket_window(size_t n) {
    } else {
        return PIPPENGER_MAX_BUCKET_WINDOW;
    }
-#else
-    if (n <= 1) {
-        return 1;
-    } else if (n <= 11) {
-        return 2;
-    } else if (n <= 45) {
-        return 3;
-    } else if (n <= 100) {
-        return 4;
-    } else if (n <= 275) {
-        return 5;
-    } else if (n <= 625) {
-        return 6;
-    } else if (n <= 1850) {
-        return 7;
-    } else if (n <= 3400) {
-        return 8;
-    } else if (n <= 9630) {
-        return 9;
-    } else if (n <= 17900) {
-        return 10;
-    } else if (n <= 32800) {
-        return 11;
-    } else {
-        return PIPPENGER_MAX_BUCKET_WINDOW;
-    }
-#endif
 }

 /**
@@ -925,7 +824,6 @@ static int secp256k1_pippenger_bucket_window(size_t n) {
 */
 static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window) {
    switch(bucket_window) {
-#ifdef USE_ENDOMORPHISM
        case 1: return 1;
        case 2: return 4;
        case 3: return 20;
@@ -938,26 +836,11 @@ static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window) {
        case 10: return 7880;
        case 11: return 16050;
        case PIPPENGER_MAX_BUCKET_WINDOW: return SIZE_MAX;
-#else
-        case 1: return 1;
-        case 2: return 11;
-        case 3: return 45;
-        case 4: return 100;
-        case 5: return 275;
-        case 6: return 625;
-        case 7: return 1850;
-        case 8: return 3400;
-        case 9: return 9630;
-        case 10: return 17900;
-        case 11: return 32800;
-        case PIPPENGER_MAX_BUCKET_WINDOW: return SIZE_MAX;
-#endif
    }
    return 0;
 }


-#ifdef USE_ENDOMORPHISM
 SECP256K1_INLINE static void secp256k1_ecmult_endo_split(secp256k1_scalar *s1, secp256k1_scalar *s2, secp256k1_ge *p1, secp256k1_ge *p2) {
    secp256k1_scalar tmp = *s1;
    secp256k1_scalar_split_lambda(s1, s2, &tmp);
@@ -972,32 +855,23 @@ SECP256K1_INLINE static void secp256k1_ecmult_endo_split(secp256k1_scalar *s1, s
        secp256k1_ge_neg(p2, p2);
    }
 }
-#endif

 /**
 * Returns the scratch size required for a given number of points (excluding
 * base point G) without considering alignment.
 */
 static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window) {
-#ifdef USE_ENDOMORPHISM
    size_t entries = 2*n_points + 2;
-#else
-    size_t entries = n_points + 1;
-#endif
    size_t entry_size = sizeof(secp256k1_ge) + sizeof(secp256k1_scalar) + sizeof(struct secp256k1_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int);
    return (sizeof(secp256k1_gej) << bucket_window) + sizeof(struct secp256k1_pippenger_state) + entries * entry_size;
 }

 static int secp256k1_ecmult_pippenger_batch(const secp256k1_callback* error_callback, const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) {
    const size_t scratch_checkpoint = secp256k1_scratch_checkpoint(error_callback, scratch);
-    /* Use 2(n+1) with the endomorphism, n+1 without, when calculating batch
+    /* Use 2(n+1) with the endomorphism, when calculating batch
     * sizes. The reason for +1 is that we add the G scalar to the list of
     * other scalars. */
-#ifdef USE_ENDOMORPHISM
    size_t entries = 2*n_points + 2;
-#else
-    size_t entries = n_points + 1;
-#endif
    secp256k1_ge *points;
    secp256k1_scalar *scalars;
    secp256k1_gej *buckets;
@@ -1034,10 +908,8 @@ static int secp256k1_ecmult_pippenger_batch(const secp256k1_callback* error_call
        scalars[0] = *inp_g_sc;
        points[0] = secp256k1_ge_const_g;
        idx++;
-#ifdef USE_ENDOMORPHISM
        secp256k1_ecmult_endo_split(&scalars[0], &scalars[1], &points[0], &points[1]);
        idx++;
-#endif
    }

    while (point_idx < n_points) {
@@ -1046,10 +918,8 @@ static int secp256k1_ecmult_pippenger_batch(const secp256k1_callback* error_call
            return 0;
        }
        idx++;
-#ifdef USE_ENDOMORPHISM
        secp256k1_ecmult_endo_split(&scalars[idx - 1], &scalars[idx], &points[idx - 1], &points[idx]);
        idx++;
-#endif
        point_idx++;
    }

@@ -1092,9 +962,7 @@ static size_t secp256k1_pippenger_max_points(const secp256k1_callback* error_cal
        size_t space_overhead;
        size_t entry_size = sizeof(secp256k1_ge) + sizeof(secp256k1_scalar) + sizeof(struct secp256k1_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int);

-#ifdef USE_ENDOMORPHISM
        entry_size = 2*entry_size;
-#endif
        space_overhead = (sizeof(secp256k1_gej) << bucket_window) + entry_size + sizeof(struct secp256k1_pippenger_state);
        if (space_overhead > max_alloc) {
            break;
--- a/src/field.h
+++ b/src/field.h
@@ -22,20 +22,22 @@
 #include "libsecp256k1-config.h"
 #endif

-#if defined(USE_FIELD_10X26)
-#include "field_10x26.h"
-#elif defined(USE_FIELD_5X52)
-#include "field_5x52.h"
-#else
-#error "Please select field implementation"
-#endif
-
 #include "util.h"

-/** Normalize a field element. */
+#if defined(SECP256K1_WIDEMUL_INT128)
+#include "field_5x52.h"
+#elif defined(SECP256K1_WIDEMUL_INT64)
+#include "field_10x26.h"
+#else
+#error "Please select wide multiplication implementation"
+#endif
+
+/** Normalize a field element. This brings the field element to a canonical representation, reduces
+ *  its magnitude to 1, and reduces it modulo field size `p`.
+ */
 static void secp256k1_fe_normalize(secp256k1_fe *r);

-/** Weakly normalize a field element: reduce it magnitude to 1, but don't fully normalize. */
+/** Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize. */
 static void secp256k1_fe_normalize_weak(secp256k1_fe *r);

 /** Normalize a field element, without constant-time guarantee. */
@@ -123,10 +125,10 @@ static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe
 /** Convert a field element back from the storage type. */
 static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a);

-/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */
+/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag);

-/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */
+/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag);

 #endif /* SECP256K1_FIELD_H */
--- a/src/field_10x26_impl.h
+++ b/src/field_10x26_impl.h
@@ -320,6 +320,7 @@ static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
 }

 static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) {
+    int ret;
    r->n[0] = (uint32_t)a[31] | ((uint32_t)a[30] << 8) | ((uint32_t)a[29] << 16) | ((uint32_t)(a[28] & 0x3) << 24);
    r->n[1] = (uint32_t)((a[28] >> 2) & 0x3f) | ((uint32_t)a[27] << 6) | ((uint32_t)a[26] << 14) | ((uint32_t)(a[25] & 0xf) << 22);
    r->n[2] = (uint32_t)((a[25] >> 4) & 0xf) | ((uint32_t)a[24] << 4) | ((uint32_t)a[23] << 12) | ((uint32_t)(a[22] & 0x3f) << 20);
@@ -331,15 +332,17 @@ static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) {
    r->n[8] = (uint32_t)a[5] | ((uint32_t)a[4] << 8) | ((uint32_t)a[3] << 16) | ((uint32_t)(a[2] & 0x3) << 24);
    r->n[9] = (uint32_t)((a[2] >> 2) & 0x3f) | ((uint32_t)a[1] << 6) | ((uint32_t)a[0] << 14);

-    if (r->n[9] == 0x3FFFFFUL && (r->n[8] & r->n[7] & r->n[6] & r->n[5] & r->n[4] & r->n[3] & r->n[2]) == 0x3FFFFFFUL && (r->n[1] + 0x40UL + ((r->n[0] + 0x3D1UL) >> 26)) > 0x3FFFFFFUL) {
-        return 0;
-    }
+    ret = !((r->n[9] == 0x3FFFFFUL) & ((r->n[8] & r->n[7] & r->n[6] & r->n[5] & r->n[4] & r->n[3] & r->n[2]) == 0x3FFFFFFUL) & ((r->n[1] + 0x40UL + ((r->n[0] + 0x3D1UL) >> 26)) > 0x3FFFFFFUL));
 #ifdef VERIFY
    r->magnitude = 1;
-    r->normalized = 1;
-    secp256k1_fe_verify(r);
+    if (ret) {
+        r->normalized = 1;
+        secp256k1_fe_verify(r);
+    } else {
+        r->normalized = 0;
+    }
 #endif
-    return 1;
+    return ret;
 }

 /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */
@@ -1094,6 +1097,7 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {

 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
    uint32_t mask0, mask1;
+    VG_CHECK_VERIFY(r->n, sizeof(r->n));
    mask0 = flag + ~((uint32_t)0);
    mask1 = ~mask0;
    r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
@@ -1107,15 +1111,16 @@ static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_
    r->n[8] = (r->n[8] & mask0) | (a->n[8] & mask1);
    r->n[9] = (r->n[9] & mask0) | (a->n[9] & mask1);
 #ifdef VERIFY
-    if (a->magnitude > r->magnitude) {
+    if (flag) {
        r->magnitude = a->magnitude;
+        r->normalized = a->normalized;
    }
-    r->normalized &= a->normalized;
 #endif
 }

 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
    uint32_t mask0, mask1;
+    VG_CHECK_VERIFY(r->n, sizeof(r->n));
    mask0 = flag + ~((uint32_t)0);
    mask1 = ~mask0;
    r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
--- a/src/field_5x52.h
+++ b/src/field_5x52.h
@@ -46,4 +46,10 @@ typedef struct {
    (d6) | (((uint64_t)(d7)) << 32) \
 }}

+#define SECP256K1_FE_STORAGE_CONST_GET(d) \
+    (uint32_t)(d.n[3] >> 32), (uint32_t)d.n[3], \
+    (uint32_t)(d.n[2] >> 32), (uint32_t)d.n[2], \
+    (uint32_t)(d.n[1] >> 32), (uint32_t)d.n[1], \
+    (uint32_t)(d.n[0] >> 32), (uint32_t)d.n[0]
+
 #endif /* SECP256K1_FIELD_REPR_H */
--- a/src/field_5x52_impl.h
+++ b/src/field_5x52_impl.h
@@ -283,6 +283,7 @@ static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
 }

 static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) {
+    int ret;
    r->n[0] = (uint64_t)a[31]
            | ((uint64_t)a[30] << 8)
            | ((uint64_t)a[29] << 16)
@@ -317,15 +318,17 @@ static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a) {
            | ((uint64_t)a[2] << 24)
            | ((uint64_t)a[1] << 32)
            | ((uint64_t)a[0] << 40);
-    if (r->n[4] == 0x0FFFFFFFFFFFFULL && (r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL && r->n[0] >= 0xFFFFEFFFFFC2FULL) {
-        return 0;
-    }
+    ret = !((r->n[4] == 0x0FFFFFFFFFFFFULL) & ((r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL) & (r->n[0] >= 0xFFFFEFFFFFC2FULL));
 #ifdef VERIFY
    r->magnitude = 1;
-    r->normalized = 1;
-    secp256k1_fe_verify(r);
+    if (ret) {
+        r->normalized = 1;
+        secp256k1_fe_verify(r);
+    } else {
+        r->normalized = 0;
+    }
 #endif
-    return 1;
+    return ret;
 }

 /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */
@@ -446,6 +449,7 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {

 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
    uint64_t mask0, mask1;
+    VG_CHECK_VERIFY(r->n, sizeof(r->n));
    mask0 = flag + ~((uint64_t)0);
    mask1 = ~mask0;
    r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
@@ -454,15 +458,16 @@ static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_
    r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1);
    r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1);
 #ifdef VERIFY
-    if (a->magnitude > r->magnitude) {
+    if (flag) {
        r->magnitude = a->magnitude;
+        r->normalized = a->normalized;
    }
-    r->normalized &= a->normalized;
 #endif
 }

 static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag) {
    uint64_t mask0, mask1;
+    VG_CHECK_VERIFY(r->n, sizeof(r->n));
    mask0 = flag + ~((uint64_t)0);
    mask1 = ~mask0;
    r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
--- a/src/field_impl.h
+++ b/src/field_impl.h
@@ -14,12 +14,12 @@
 #include "util.h"
 #include "num.h"

-#if defined(USE_FIELD_10X26)
-#include "field_10x26_impl.h"
-#elif defined(USE_FIELD_5X52)
+#if defined(SECP256K1_WIDEMUL_INT128)
 #include "field_5x52_impl.h"
+#elif defined(SECP256K1_WIDEMUL_INT64)
+#include "field_10x26_impl.h"
 #else
-#error "Please select field implementation"
+#error "Please select wide multiplication implementation"
 #endif

 SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
@@ -315,4 +315,6 @@ static int secp256k1_fe_is_quad_var(const secp256k1_fe *a) {
 #endif
 }

+static const secp256k1_fe secp256k1_fe_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
+
 #endif /* SECP256K1_FIELD_IMPL_H */
--- a/src/gen_context.c
+++ b/src/gen_context.c
@@ -4,10 +4,16 @@
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

+// Autotools creates libsecp256k1-config.h, of which ECMULT_GEN_PREC_BITS is needed.
+// ifndef guard so downstream users can define their own if they do not use autotools.
+#if !defined(ECMULT_GEN_PREC_BITS)
+#include "libsecp256k1-config.h"
+#endif
 #define USE_BASIC_CONFIG 1
-
 #include "basic-config.h"
+
 #include "include/secp256k1.h"
+#include "assumptions.h"
 #include "util.h"
 #include "field_impl.h"
 #include "scalar_impl.h"
@@ -45,23 +51,26 @@ int main(int argc, char **argv) {
    fprintf(fp, "#define _SECP256K1_ECMULT_STATIC_CONTEXT_\n");
    fprintf(fp, "#include \"src/group.h\"\n");
    fprintf(fp, "#define SC SECP256K1_GE_STORAGE_CONST\n");
-    fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_static_context[64][16] = {\n");
+    fprintf(fp, "#if ECMULT_GEN_PREC_N != %d || ECMULT_GEN_PREC_G != %d\n", ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G);
+    fprintf(fp, "   #error configuration mismatch, invalid ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G. Try deleting ecmult_static_context.h before the build.\n");
+    fprintf(fp, "#endif\n");
+    fprintf(fp, "static const secp256k1_ge_storage secp256k1_ecmult_static_context[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G] = {\n");

    base = checked_malloc(&default_error_callback, SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE);
    prealloc = base;
    secp256k1_ecmult_gen_context_init(&ctx);
    secp256k1_ecmult_gen_context_build(&ctx, &prealloc);
-    for(outer = 0; outer != 64; outer++) {
+    for(outer = 0; outer != ECMULT_GEN_PREC_N; outer++) {
        fprintf(fp,"{\n");
-        for(inner = 0; inner != 16; inner++) {
+        for(inner = 0; inner != ECMULT_GEN_PREC_G; inner++) {
            fprintf(fp,"    SC(%uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu)", SECP256K1_GE_STORAGE_CONST_GET((*ctx.prec)[outer][inner]));
-            if (inner != 15) {
+            if (inner != ECMULT_GEN_PREC_G - 1) {
                fprintf(fp,",\n");
            } else {
                fprintf(fp,"\n");
            }
        }
-        if (outer != 63) {
+        if (outer != ECMULT_GEN_PREC_N - 1) {
            fprintf(fp,"},\n");
        } else {
            fprintf(fp,"}\n");
--- a/src/group.h
+++ b/src/group.h
@@ -59,6 +59,7 @@ static int secp256k1_ge_is_infinity(const secp256k1_ge *a);
 /** Check whether a group element is valid (i.e., on the curve). */
 static int secp256k1_ge_is_valid_var(const secp256k1_ge *a);

+/** Set r equal to the inverse of a (i.e., mirrored around the X axis) */
 static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a);

 /** Set a group element equal to another which is given in jacobian coordinates */
@@ -95,14 +96,13 @@ static int secp256k1_gej_is_infinity(const secp256k1_gej *a);
 /** Check whether a group element's y coordinate is a quadratic residue. */
 static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a);

-/** Set r equal to the double of a. If rzr is not-NULL, r->z = a->z * *rzr (where infinity means an implicit z = 0).
- * a may not be zero. Constant time. */
-static void secp256k1_gej_double_nonzero(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr);
+/** Set r equal to the double of a. Constant time. */
+static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a);

-/** Set r equal to the double of a. If rzr is not-NULL, r->z = a->z * *rzr (where infinity means an implicit z = 0). */
+/** Set r equal to the double of a. If rzr is not-NULL this sets *rzr such that r->z == a->z * *rzr (where infinity means an implicit z = 0). */
 static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr);

-/** Set r equal to the sum of a and b. If rzr is non-NULL, r->z = a->z * *rzr (a cannot be infinity in that case). */
+/** Set r equal to the sum of a and b. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case). */
 static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr);

 /** Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity). */
@@ -110,16 +110,14 @@ static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const

 /** Set r equal to the sum of a and b (with b given in affine coordinates). This is more efficient
    than secp256k1_gej_add_var. It is identical to secp256k1_gej_add_ge but without constant-time
-    guarantee, and b is allowed to be infinity. If rzr is non-NULL, r->z = a->z * *rzr (a cannot be infinity in that case). */
+    guarantee, and b is allowed to be infinity. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case). */
 static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr);

 /** Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv). */
 static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv);

-#ifdef USE_ENDOMORPHISM
 /** Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. */
 static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a);
-#endif

 /** Clear a secp256k1_gej to prevent leaking sensitive information. */
 static void secp256k1_gej_clear(secp256k1_gej *r);
@@ -133,10 +131,21 @@ static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge
 /** Convert a group element back from the storage type. */
 static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a);

-/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */
+/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag);

 /** Rescale a jacobian point by b which must be non-zero. Constant-time. */
 static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b);

+/** Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
+ *
+ * In normal mode, the used group is secp256k1, which has cofactor=1 meaning that every point on the curve is in the
+ * group, and this function returns always true.
+ *
+ * When compiling in exhaustive test mode, a slightly different curve equation is used, leading to a group with a
+ * (very) small subgroup, and that subgroup is what is used for all cryptographic operations. In that mode, this
+ * function checks whether a point that is on the curve is in fact also in that subgroup.
+ */
+static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge);
+
 #endif /* SECP256K1_GROUP_H */
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -11,49 +11,38 @@
 #include "field.h"
 #include "group.h"

-/* These points can be generated in sage as follows:
+/* These exhaustive group test orders and generators are chosen such that:
+ * - The field size is equal to that of secp256k1, so field code is the same.
+ * - The curve equation is of the form y^2=x^3+B for some constant B.
+ * - The subgroup has a generator 2*P, where P.x=1.
+ * - The subgroup has size less than 1000 to permit exhaustive testing.
+ * - The subgroup admits an endomorphism of the form lambda*(x,y) == (beta*x,y).
 *
- * 0. Setup a worksheet with the following parameters.
- *   b = 4  # whatever CURVE_B will be set to
- *   F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
- *   C = EllipticCurve ([F (0), F (b)])
- *
- * 1. Determine all the small orders available to you. (If there are
- *    no satisfactory ones, go back and change b.)
- *   print C.order().factor(limit=1000)
- *
- * 2. Choose an order as one of the prime factors listed in the above step.
- *    (You can also multiply some to get a composite order, though the
- *    tests will crash trying to invert scalars during signing.) We take a
- *    random point and scale it to drop its order to the desired value.
- *    There is some probability this won't work; just try again.
- *   order = 199
- *   P = C.random_point()
- *   P = (int(P.order()) / int(order)) * P
- *   assert(P.order() == order)
- *
- * 3. Print the values. You'll need to use a vim macro or something to
- *    split the hex output into 4-byte chunks.
- *   print "%x %x" % P.xy()
+ * These parameters are generated using sage/gen_exhaustive_groups.sage.
 */
 #if defined(EXHAUSTIVE_TEST_ORDER)
-#  if EXHAUSTIVE_TEST_ORDER == 199
+#  if EXHAUSTIVE_TEST_ORDER == 13
 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_GE_CONST(
-    0xFA7CC9A7, 0x0737F2DB, 0xA749DD39, 0x2B4FB069,
-    0x3B017A7D, 0xA808C2F1, 0xFB12940C, 0x9EA66C18,
-    0x78AC123A, 0x5ED8AEF3, 0x8732BC91, 0x1F3A2868,
-    0x48DF246C, 0x808DAE72, 0xCFE52572, 0x7F0501ED
+    0xc3459c3d, 0x35326167, 0xcd86cce8, 0x07a2417f,
+    0x5b8bd567, 0xde8538ee, 0x0d507b0c, 0xd128f5bb,
+    0x8e467fec, 0xcd30000a, 0x6cc1184e, 0x25d382c2,
+    0xa2f4494e, 0x2fbe9abc, 0x8b64abac, 0xd005fb24
 );
-
-static const int CURVE_B = 4;
-#  elif EXHAUSTIVE_TEST_ORDER == 13
+static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
+    0x3d3486b2, 0x159a9ca5, 0xc75638be, 0xb23a69bc,
+    0x946a45ab, 0x24801247, 0xb4ed2b8e, 0x26b6a417
+);
+#  elif EXHAUSTIVE_TEST_ORDER == 199
 static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_GE_CONST(
-    0xedc60018, 0xa51a786b, 0x2ea91f4d, 0x4c9416c0,
-    0x9de54c3b, 0xa1316554, 0x6cf4345c, 0x7277ef15,
-    0x54cb1b6b, 0xdc8c1273, 0x087844ea, 0x43f4603e,
-    0x0eaf9a43, 0xf6effe55, 0x939f806d, 0x37adf8ac
+    0x226e653f, 0xc8df7744, 0x9bacbf12, 0x7d1dcbf9,
+    0x87f05b2a, 0xe7edbd28, 0x1f564575, 0xc48dcf18,
+    0xa13872c2, 0xe933bb17, 0x5d9ffd5b, 0xb5b6e10c,
+    0x57fe3c00, 0xbaaaa15a, 0xe003ec3e, 0x9c269bae
+);
+static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(
+    0x2cca28fa, 0xfc614b80, 0x2a3db42b, 0x00ba00b1,
+    0xbea8d943, 0xdace9ab2, 0x9536daea, 0x0074defb
 );
-static const int CURVE_B = 2;
 #  else
 #    error No known generator for the specified exhaustive test group order.
 #  endif
@@ -68,7 +57,7 @@ static const secp256k1_ge secp256k1_ge_const_g = SECP256K1_GE_CONST(
    0xFD17B448UL, 0xA6855419UL, 0x9C47D08FUL, 0xFB10D4B8UL
 );

-static const int CURVE_B = 7;
+static const secp256k1_fe secp256k1_fe_const_b = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 7);
 #endif

 static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) {
@@ -219,14 +208,13 @@ static void secp256k1_ge_clear(secp256k1_ge *r) {
 }

 static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x) {
-    secp256k1_fe x2, x3, c;
+    secp256k1_fe x2, x3;
    r->x = *x;
    secp256k1_fe_sqr(&x2, x);
    secp256k1_fe_mul(&x3, x, &x2);
    r->infinity = 0;
-    secp256k1_fe_set_int(&c, CURVE_B);
-    secp256k1_fe_add(&c, &x3);
-    return secp256k1_fe_sqrt(&r->y, &c);
+    secp256k1_fe_add(&x3, &secp256k1_fe_const_b);
+    return secp256k1_fe_sqrt(&r->y, &x3);
 }

 static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) {
@@ -269,41 +257,20 @@ static int secp256k1_gej_is_infinity(const secp256k1_gej *a) {
    return a->infinity;
 }

-static int secp256k1_gej_is_valid_var(const secp256k1_gej *a) {
-    secp256k1_fe y2, x3, z2, z6;
-    if (a->infinity) {
-        return 0;
-    }
-    /** y^2 = x^3 + 7
-     *  (Y/Z^3)^2 = (X/Z^2)^3 + 7
-     *  Y^2 / Z^6 = X^3 / Z^6 + 7
-     *  Y^2 = X^3 + 7*Z^6
-     */
-    secp256k1_fe_sqr(&y2, &a->y);
-    secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
-    secp256k1_fe_sqr(&z2, &a->z);
-    secp256k1_fe_sqr(&z6, &z2); secp256k1_fe_mul(&z6, &z6, &z2);
-    secp256k1_fe_mul_int(&z6, CURVE_B);
-    secp256k1_fe_add(&x3, &z6);
-    secp256k1_fe_normalize_weak(&x3);
-    return secp256k1_fe_equal_var(&y2, &x3);
-}
-
 static int secp256k1_ge_is_valid_var(const secp256k1_ge *a) {
-    secp256k1_fe y2, x3, c;
+    secp256k1_fe y2, x3;
    if (a->infinity) {
        return 0;
    }
    /* y^2 = x^3 + 7 */
    secp256k1_fe_sqr(&y2, &a->y);
    secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
-    secp256k1_fe_set_int(&c, CURVE_B);
-    secp256k1_fe_add(&x3, &c);
+    secp256k1_fe_add(&x3, &secp256k1_fe_const_b);
    secp256k1_fe_normalize_weak(&x3);
    return secp256k1_fe_equal_var(&y2, &x3);
 }

-static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) {
+static SECP256K1_INLINE void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a) {
    /* Operations: 3 mul, 4 sqr, 0 normalize, 12 mul_int/add/negate.
     *
     * Note that there is an implementation described at
@@ -312,29 +279,8 @@ static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, s
     * mainly because it requires more normalizations.
     */
    secp256k1_fe t1,t2,t3,t4;
-    /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity,
-     *  Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have
-     *  y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.
-     *
-     *  Having said this, if this function receives a point on a sextic twist, e.g. by
-     *  a fault attack, it is possible for y to be 0. This happens for y^2 = x^3 + 6,
-     *  since -6 does have a cube root mod p. For this point, this function will not set
-     *  the infinity flag even though the point doubles to infinity, and the result
-     *  point will be gibberish (z = 0 but infinity = 0).
-     */
-    r->infinity = a->infinity;
-    if (r->infinity) {
-        if (rzr != NULL) {
-            secp256k1_fe_set_int(rzr, 1);
-        }
-        return;
-    }

-    if (rzr != NULL) {
-        *rzr = a->y;
-        secp256k1_fe_normalize_weak(rzr);
-        secp256k1_fe_mul_int(rzr, 2);
-    }
+    r->infinity = a->infinity;

    secp256k1_fe_mul(&r->z, &a->z, &a->y);
    secp256k1_fe_mul_int(&r->z, 2);       /* Z' = 2*Y*Z (2) */
@@ -358,9 +304,32 @@ static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, s
    secp256k1_fe_add(&r->y, &t2);         /* Y' = 36*X^3*Y^2 - 27*X^6 - 8*Y^4 (4) */
 }

-static SECP256K1_INLINE void secp256k1_gej_double_nonzero(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) {
-    VERIFY_CHECK(!secp256k1_gej_is_infinity(a));
-    secp256k1_gej_double_var(r, a, rzr);
+static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr) {
+    /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity,
+     *  Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have
+     *  y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p.
+     *
+     *  Having said this, if this function receives a point on a sextic twist, e.g. by
+     *  a fault attack, it is possible for y to be 0. This happens for y^2 = x^3 + 6,
+     *  since -6 does have a cube root mod p. For this point, this function will not set
+     *  the infinity flag even though the point doubles to infinity, and the result
+     *  point will be gibberish (z = 0 but infinity = 0).
+     */
+    if (a->infinity) {
+        r->infinity = 1;
+        if (rzr != NULL) {
+            secp256k1_fe_set_int(rzr, 1);
+        }
+        return;
+    }
+
+    if (rzr != NULL) {
+        *rzr = a->y;
+        secp256k1_fe_normalize_weak(rzr);
+        secp256k1_fe_mul_int(rzr, 2);
+    }
+
+    secp256k1_gej_double(r, a);
 }

 static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr) {
@@ -397,7 +366,7 @@ static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, cons
            if (rzr != NULL) {
                secp256k1_fe_set_int(rzr, 0);
            }
-            r->infinity = 1;
+            secp256k1_gej_set_infinity(r);
        }
        return;
    }
@@ -447,7 +416,7 @@ static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, c
            if (rzr != NULL) {
                secp256k1_fe_set_int(rzr, 0);
            }
-            r->infinity = 1;
+            secp256k1_gej_set_infinity(r);
        }
        return;
    }
@@ -506,7 +475,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
        if (secp256k1_fe_normalizes_to_zero_var(&i)) {
            secp256k1_gej_double_var(r, a, NULL);
        } else {
-            r->infinity = 1;
+            secp256k1_gej_set_infinity(r);
        }
        return;
    }
@@ -677,7 +646,6 @@ static SECP256K1_INLINE void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r,
    secp256k1_fe_storage_cmov(&r->y, &a->y, flag);
 }

-#ifdef USE_ENDOMORPHISM
 static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a) {
    static const secp256k1_fe beta = SECP256K1_FE_CONST(
        0x7ae96a2bul, 0x657c0710ul, 0x6e64479eul, 0xac3434e9ul,
@@ -686,7 +654,6 @@ static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a) {
    *r = *a;
    secp256k1_fe_mul(&r->x, &r->x, &beta);
 }
-#endif

 static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a) {
    secp256k1_fe yz;
@@ -702,4 +669,25 @@ static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a) {
    return secp256k1_fe_is_quad_var(&yz);
 }

+static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge) {
+#ifdef EXHAUSTIVE_TEST_ORDER
+    secp256k1_gej out;
+    int i;
+
+    /* A very simple EC multiplication ladder that avoids a dependecy on ecmult. */
+    secp256k1_gej_set_infinity(&out);
+    for (i = 0; i < 32; ++i) {
+        secp256k1_gej_double_var(&out, &out, NULL);
+        if ((((uint32_t)EXHAUSTIVE_TEST_ORDER) >> (31 - i)) & 1) {
+            secp256k1_gej_add_ge_var(&out, &out, ge, NULL);
+        }
+    }
+    return secp256k1_gej_is_infinity(&out);
+#else
+    (void)ge;
+    /* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */
+    return 1;
+#endif
+}
+
 #endif /* SECP256K1_GROUP_IMPL_H */
--- a/src/hash_impl.h
+++ b/src/hash_impl.h
@@ -8,6 +8,7 @@
 #define SECP256K1_HASH_IMPL_H

 #include "hash.h"
+#include "util.h"

 #include <stdlib.h>
 #include <stdint.h>
@@ -27,9 +28,9 @@
    (h) = t1 + t2; \
 } while(0)

-#ifdef WORDS_BIGENDIAN
+#if defined(SECP256K1_BIG_ENDIAN)
 #define BE32(x) (x)
-#else
+#elif defined(SECP256K1_LITTLE_ENDIAN)
 #define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
 #endif

@@ -163,6 +164,19 @@ static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out
    memcpy(out32, (const unsigned char*)out, 32);
 }

+/* Initializes a sha256 struct and writes the 64 byte string
+ * SHA256(tag)||SHA256(tag) into it. */
+static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen) {
+    unsigned char buf[32];
+    secp256k1_sha256_initialize(hash);
+    secp256k1_sha256_write(hash, tag, taglen);
+    secp256k1_sha256_finalize(hash, buf);
+
+    secp256k1_sha256_initialize(hash);
+    secp256k1_sha256_write(hash, buf, 32);
+    secp256k1_sha256_write(hash, buf, 32);
+}
+
 static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t keylen) {
    size_t n;
    unsigned char rkey[64];
--- a/src/java/org/bitcoin/NativeSecp256k1.java
+++ b/src/java/org/bitcoin/NativeSecp256k1.java
@@ -1,446 +0,0 @@
-/*
- * Copyright 2013 Google Inc.
- * Copyright 2014-2016 the libsecp256k1 contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.bitcoin;
-
-import java.nio.ByteBuffer;
-import java.nio.ByteOrder;
-
-import java.math.BigInteger;
-import com.google.common.base.Preconditions;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantReadWriteLock;
-import static org.bitcoin.NativeSecp256k1Util.*;
-
-/**
- * <p>This class holds native methods to handle ECDSA verification.</p>
- *
- * <p>You can find an example library that can be used for this at https://github.com/bitcoin/secp256k1</p>
- *
- * <p>To build secp256k1 for use with bitcoinj, run
- * `./configure --enable-jni --enable-experimental --enable-module-ecdh`
- * and `make` then copy `.libs/libsecp256k1.so` to your system library path
- * or point the JVM to the folder containing it with -Djava.library.path
- * </p>
- */
-public class NativeSecp256k1 {
-
-    private static final ReentrantReadWriteLock rwl = new ReentrantReadWriteLock();
-    private static final Lock r = rwl.readLock();
-    private static final Lock w = rwl.writeLock();
-    private static ThreadLocal<ByteBuffer> nativeECDSABuffer = new ThreadLocal<ByteBuffer>();
-    /**
-     * Verifies the given secp256k1 signature in native code.
-     * Calling when enabled == false is undefined (probably library not loaded)
-     *
-     * @param data The data which was signed, must be exactly 32 bytes
-     * @param signature The signature
-     * @param pub The public key which did the signing
-     */
-    public static boolean verify(byte[] data, byte[] signature, byte[] pub) throws AssertFailException{
-        Preconditions.checkArgument(data.length == 32 && signature.length <= 520 && pub.length <= 520);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < 520) {
-            byteBuff = ByteBuffer.allocateDirect(520);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(data);
-        byteBuff.put(signature);
-        byteBuff.put(pub);
-
-        byte[][] retByteArray;
-
-        r.lock();
-        try {
-          return secp256k1_ecdsa_verify(byteBuff, Secp256k1Context.getContext(), signature.length, pub.length) == 1;
-        } finally {
-          r.unlock();
-        }
-    }
-
-    /**
-     * libsecp256k1 Create an ECDSA signature.
-     *
-     * @param data Message hash, 32 bytes
-     * @param key Secret key, 32 bytes
-     *
-     * Return values
-     * @param sig byte array of signature
-     */
-    public static byte[] sign(byte[] data, byte[] sec) throws AssertFailException{
-        Preconditions.checkArgument(data.length == 32 && sec.length <= 32);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < 32 + 32) {
-            byteBuff = ByteBuffer.allocateDirect(32 + 32);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(data);
-        byteBuff.put(sec);
-
-        byte[][] retByteArray;
-
-        r.lock();
-        try {
-          retByteArray = secp256k1_ecdsa_sign(byteBuff, Secp256k1Context.getContext());
-        } finally {
-          r.unlock();
-        }
-
-        byte[] sigArr = retByteArray[0];
-        int sigLen = new BigInteger(new byte[] { retByteArray[1][0] }).intValue();
-        int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue();
-
-        assertEquals(sigArr.length, sigLen, "Got bad signature length.");
-
-        return retVal == 0 ? new byte[0] : sigArr;
-    }
-
-    /**
-     * libsecp256k1 Seckey Verify - returns 1 if valid, 0 if invalid
-     *
-     * @param seckey ECDSA Secret key, 32 bytes
-     */
-    public static boolean secKeyVerify(byte[] seckey) {
-        Preconditions.checkArgument(seckey.length == 32);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < seckey.length) {
-            byteBuff = ByteBuffer.allocateDirect(seckey.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(seckey);
-
-        r.lock();
-        try {
-          return secp256k1_ec_seckey_verify(byteBuff,Secp256k1Context.getContext()) == 1;
-        } finally {
-          r.unlock();
-        }
-    }
-
-
-    /**
-     * libsecp256k1 Compute Pubkey - computes public key from secret key
-     *
-     * @param seckey ECDSA Secret key, 32 bytes
-     *
-     * Return values
-     * @param pubkey ECDSA Public key, 33 or 65 bytes
-     */
-    //TODO add a 'compressed' arg
-    public static byte[] computePubkey(byte[] seckey) throws AssertFailException{
-        Preconditions.checkArgument(seckey.length == 32);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < seckey.length) {
-            byteBuff = ByteBuffer.allocateDirect(seckey.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(seckey);
-
-        byte[][] retByteArray;
-
-        r.lock();
-        try {
-          retByteArray = secp256k1_ec_pubkey_create(byteBuff, Secp256k1Context.getContext());
-        } finally {
-          r.unlock();
-        }
-
-        byte[] pubArr = retByteArray[0];
-        int pubLen = new BigInteger(new byte[] { retByteArray[1][0] }).intValue();
-        int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue();
-
-        assertEquals(pubArr.length, pubLen, "Got bad pubkey length.");
-
-        return retVal == 0 ? new byte[0]: pubArr;
-    }
-
-    /**
-     * libsecp256k1 Cleanup - This destroys the secp256k1 context object
-     * This should be called at the end of the program for proper cleanup of the context.
-     */
-    public static synchronized void cleanup() {
-        w.lock();
-        try {
-          secp256k1_destroy_context(Secp256k1Context.getContext());
-        } finally {
-          w.unlock();
-        }
-    }
-
-    public static long cloneContext() {
-       r.lock();
-       try {
-        return secp256k1_ctx_clone(Secp256k1Context.getContext());
-       } finally { r.unlock(); }
-    }
-
-    /**
-     * libsecp256k1 PrivKey Tweak-Mul - Tweak privkey by multiplying to it
-     *
-     * @param tweak some bytes to tweak with
-     * @param seckey 32-byte seckey
-     */
-    public static byte[] privKeyTweakMul(byte[] privkey, byte[] tweak) throws AssertFailException{
-        Preconditions.checkArgument(privkey.length == 32);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < privkey.length + tweak.length) {
-            byteBuff = ByteBuffer.allocateDirect(privkey.length + tweak.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(privkey);
-        byteBuff.put(tweak);
-
-        byte[][] retByteArray;
-        r.lock();
-        try {
-          retByteArray = secp256k1_privkey_tweak_mul(byteBuff,Secp256k1Context.getContext());
-        } finally {
-          r.unlock();
-        }
-
-        byte[] privArr = retByteArray[0];
-
-        int privLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF;
-        int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue();
-
-        assertEquals(privArr.length, privLen, "Got bad pubkey length.");
-
-        assertEquals(retVal, 1, "Failed return value check.");
-
-        return privArr;
-    }
-
-    /**
-     * libsecp256k1 PrivKey Tweak-Add - Tweak privkey by adding to it
-     *
-     * @param tweak some bytes to tweak with
-     * @param seckey 32-byte seckey
-     */
-    public static byte[] privKeyTweakAdd(byte[] privkey, byte[] tweak) throws AssertFailException{
-        Preconditions.checkArgument(privkey.length == 32);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < privkey.length + tweak.length) {
-            byteBuff = ByteBuffer.allocateDirect(privkey.length + tweak.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(privkey);
-        byteBuff.put(tweak);
-
-        byte[][] retByteArray;
-        r.lock();
-        try {
-          retByteArray = secp256k1_privkey_tweak_add(byteBuff,Secp256k1Context.getContext());
-        } finally {
-          r.unlock();
-        }
-
-        byte[] privArr = retByteArray[0];
-
-        int privLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF;
-        int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue();
-
-        assertEquals(privArr.length, privLen, "Got bad pubkey length.");
-
-        assertEquals(retVal, 1, "Failed return value check.");
-
-        return privArr;
-    }
-
-    /**
-     * libsecp256k1 PubKey Tweak-Add - Tweak pubkey by adding to it
-     *
-     * @param tweak some bytes to tweak with
-     * @param pubkey 32-byte seckey
-     */
-    public static byte[] pubKeyTweakAdd(byte[] pubkey, byte[] tweak) throws AssertFailException{
-        Preconditions.checkArgument(pubkey.length == 33 || pubkey.length == 65);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < pubkey.length + tweak.length) {
-            byteBuff = ByteBuffer.allocateDirect(pubkey.length + tweak.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(pubkey);
-        byteBuff.put(tweak);
-
-        byte[][] retByteArray;
-        r.lock();
-        try {
-          retByteArray = secp256k1_pubkey_tweak_add(byteBuff,Secp256k1Context.getContext(), pubkey.length);
-        } finally {
-          r.unlock();
-        }
-
-        byte[] pubArr = retByteArray[0];
-
-        int pubLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF;
-        int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue();
-
-        assertEquals(pubArr.length, pubLen, "Got bad pubkey length.");
-
-        assertEquals(retVal, 1, "Failed return value check.");
-
-        return pubArr;
-    }
-
-    /**
-     * libsecp256k1 PubKey Tweak-Mul - Tweak pubkey by multiplying to it
-     *
-     * @param tweak some bytes to tweak with
-     * @param pubkey 32-byte seckey
-     */
-    public static byte[] pubKeyTweakMul(byte[] pubkey, byte[] tweak) throws AssertFailException{
-        Preconditions.checkArgument(pubkey.length == 33 || pubkey.length == 65);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < pubkey.length + tweak.length) {
-            byteBuff = ByteBuffer.allocateDirect(pubkey.length + tweak.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(pubkey);
-        byteBuff.put(tweak);
-
-        byte[][] retByteArray;
-        r.lock();
-        try {
-          retByteArray = secp256k1_pubkey_tweak_mul(byteBuff,Secp256k1Context.getContext(), pubkey.length);
-        } finally {
-          r.unlock();
-        }
-
-        byte[] pubArr = retByteArray[0];
-
-        int pubLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF;
-        int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue();
-
-        assertEquals(pubArr.length, pubLen, "Got bad pubkey length.");
-
-        assertEquals(retVal, 1, "Failed return value check.");
-
-        return pubArr;
-    }
-
-    /**
-     * libsecp256k1 create ECDH secret - constant time ECDH calculation
-     *
-     * @param seckey byte array of secret key used in exponentiaion
-     * @param pubkey byte array of public key used in exponentiaion
-     */
-    public static byte[] createECDHSecret(byte[] seckey, byte[] pubkey) throws AssertFailException{
-        Preconditions.checkArgument(seckey.length <= 32 && pubkey.length <= 65);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < 32 + pubkey.length) {
-            byteBuff = ByteBuffer.allocateDirect(32 + pubkey.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(seckey);
-        byteBuff.put(pubkey);
-
-        byte[][] retByteArray;
-        r.lock();
-        try {
-          retByteArray = secp256k1_ecdh(byteBuff, Secp256k1Context.getContext(), pubkey.length);
-        } finally {
-          r.unlock();
-        }
-
-        byte[] resArr = retByteArray[0];
-        int retVal = new BigInteger(new byte[] { retByteArray[1][0] }).intValue();
-
-        assertEquals(resArr.length, 32, "Got bad result length.");
-        assertEquals(retVal, 1, "Failed return value check.");
-
-        return resArr;
-    }
-
-    /**
-     * libsecp256k1 randomize - updates the context randomization
-     *
-     * @param seed 32-byte random seed
-     */
-    public static synchronized boolean randomize(byte[] seed) throws AssertFailException{
-        Preconditions.checkArgument(seed.length == 32 || seed == null);
-
-        ByteBuffer byteBuff = nativeECDSABuffer.get();
-        if (byteBuff == null || byteBuff.capacity() < seed.length) {
-            byteBuff = ByteBuffer.allocateDirect(seed.length);
-            byteBuff.order(ByteOrder.nativeOrder());
-            nativeECDSABuffer.set(byteBuff);
-        }
-        byteBuff.rewind();
-        byteBuff.put(seed);
-
-        w.lock();
-        try {
-          return secp256k1_context_randomize(byteBuff, Secp256k1Context.getContext()) == 1;
-        } finally {
-          w.unlock();
-        }
-    }
-
-    private static native long secp256k1_ctx_clone(long context);
-
-    private static native int secp256k1_context_randomize(ByteBuffer byteBuff, long context);
-
-    private static native byte[][] secp256k1_privkey_tweak_add(ByteBuffer byteBuff, long context);
-
-    private static native byte[][] secp256k1_privkey_tweak_mul(ByteBuffer byteBuff, long context);
-
-    private static native byte[][] secp256k1_pubkey_tweak_add(ByteBuffer byteBuff, long context, int pubLen);
-
-    private static native byte[][] secp256k1_pubkey_tweak_mul(ByteBuffer byteBuff, long context, int pubLen);
-
-    private static native void secp256k1_destroy_context(long context);
-
-    private static native int secp256k1_ecdsa_verify(ByteBuffer byteBuff, long context, int sigLen, int pubLen);
-
-    private static native byte[][] secp256k1_ecdsa_sign(ByteBuffer byteBuff, long context);
-
-    private static native int secp256k1_ec_seckey_verify(ByteBuffer byteBuff, long context);
-
-    private static native byte[][] secp256k1_ec_pubkey_create(ByteBuffer byteBuff, long context);
-
-    private static native byte[][] secp256k1_ec_pubkey_parse(ByteBuffer byteBuff, long context, int inputLen);
-
-    private static native byte[][] secp256k1_ecdh(ByteBuffer byteBuff, long context, int inputLen);
-
-}
--- a/src/java/org/bitcoin/NativeSecp256k1Test.java
+++ b/src/java/org/bitcoin/NativeSecp256k1Test.java
@@ -1,226 +0,0 @@
-package org.bitcoin;
-
-import com.google.common.io.BaseEncoding;
-import java.util.Arrays;
-import java.math.BigInteger;
-import javax.xml.bind.DatatypeConverter;
-import static org.bitcoin.NativeSecp256k1Util.*;
-
-/**
- * This class holds test cases defined for testing this library.
- */
-public class NativeSecp256k1Test {
-
-    //TODO improve comments/add more tests
-    /**
-      * This tests verify() for a valid signature
-      */
-    public static void testVerifyPos() throws AssertFailException{
-        boolean result = false;
-        byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A90".toLowerCase()); //sha256hash of "testing"
-        byte[] sig = BaseEncoding.base16().lowerCase().decode("3044022079BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F817980220294F14E883B3F525B5367756C2A11EF6CF84B730B36C17CB0C56F0AAB2C98589".toLowerCase());
-        byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase());
-
-        result = NativeSecp256k1.verify( data, sig, pub);
-        assertEquals( result, true , "testVerifyPos");
-    }
-
-    /**
-      * This tests verify() for a non-valid signature
-      */
-    public static void testVerifyNeg() throws AssertFailException{
-        boolean result = false;
-        byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A91".toLowerCase()); //sha256hash of "testing"
-        byte[] sig = BaseEncoding.base16().lowerCase().decode("3044022079BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F817980220294F14E883B3F525B5367756C2A11EF6CF84B730B36C17CB0C56F0AAB2C98589".toLowerCase());
-        byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase());
-
-        result = NativeSecp256k1.verify( data, sig, pub);
-        //System.out.println(" TEST " + new BigInteger(1, resultbytes).toString(16));
-        assertEquals( result, false , "testVerifyNeg");
-    }
-
-    /**
-      * This tests secret key verify() for a valid secretkey
-      */
-    public static void testSecKeyVerifyPos() throws AssertFailException{
-        boolean result = false;
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase());
-
-        result = NativeSecp256k1.secKeyVerify( sec );
-        //System.out.println(" TEST " + new BigInteger(1, resultbytes).toString(16));
-        assertEquals( result, true , "testSecKeyVerifyPos");
-    }
-
-    /**
-      * This tests secret key verify() for an invalid secretkey
-      */
-    public static void testSecKeyVerifyNeg() throws AssertFailException{
-        boolean result = false;
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".toLowerCase());
-
-        result = NativeSecp256k1.secKeyVerify( sec );
-        //System.out.println(" TEST " + new BigInteger(1, resultbytes).toString(16));
-        assertEquals( result, false , "testSecKeyVerifyNeg");
-    }
-
-    /**
-      * This tests public key create() for a valid secretkey
-      */
-    public static void testPubKeyCreatePos() throws AssertFailException{
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase());
-
-        byte[] resultArr = NativeSecp256k1.computePubkey( sec);
-        String pubkeyString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( pubkeyString , "04C591A8FF19AC9C4E4E5793673B83123437E975285E7B442F4EE2654DFFCA5E2D2103ED494718C697AC9AEBCFD19612E224DB46661011863ED2FC54E71861E2A6" , "testPubKeyCreatePos");
-    }
-
-    /**
-      * This tests public key create() for a invalid secretkey
-      */
-    public static void testPubKeyCreateNeg() throws AssertFailException{
-       byte[] sec = BaseEncoding.base16().lowerCase().decode("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".toLowerCase());
-
-       byte[] resultArr = NativeSecp256k1.computePubkey( sec);
-       String pubkeyString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-       assertEquals( pubkeyString, "" , "testPubKeyCreateNeg");
-    }
-
-    /**
-      * This tests sign() for a valid secretkey
-      */
-    public static void testSignPos() throws AssertFailException{
-
-        byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A90".toLowerCase()); //sha256hash of "testing"
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase());
-
-        byte[] resultArr = NativeSecp256k1.sign(data, sec);
-        String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( sigString, "30440220182A108E1448DC8F1FB467D06A0F3BB8EA0533584CB954EF8DA112F1D60E39A202201C66F36DA211C087F3AF88B50EDF4F9BDAA6CF5FD6817E74DCA34DB12390C6E9" , "testSignPos");
-    }
-
-    /**
-      * This tests sign() for a invalid secretkey
-      */
-    public static void testSignNeg() throws AssertFailException{
-        byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A90".toLowerCase()); //sha256hash of "testing"
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".toLowerCase());
-
-        byte[] resultArr = NativeSecp256k1.sign(data, sec);
-        String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( sigString, "" , "testSignNeg");
-    }
-
-    /**
-      * This tests private key tweak-add
-      */
-    public static void testPrivKeyTweakAdd_1() throws AssertFailException {
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase());
-        byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak"
-
-        byte[] resultArr = NativeSecp256k1.privKeyTweakAdd( sec , data );
-        String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( sigString , "A168571E189E6F9A7E2D657A4B53AE99B909F7E712D1C23CED28093CD57C88F3" , "testPrivKeyAdd_1");
-    }
-
-    /**
-      * This tests private key tweak-mul
-      */
-    public static void testPrivKeyTweakMul_1() throws AssertFailException {
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase());
-        byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak"
-
-        byte[] resultArr = NativeSecp256k1.privKeyTweakMul( sec , data );
-        String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( sigString , "97F8184235F101550F3C71C927507651BD3F1CDB4A5A33B8986ACF0DEE20FFFC" , "testPrivKeyMul_1");
-    }
-
-    /**
-      * This tests private key tweak-add uncompressed
-      */
-    public static void testPrivKeyTweakAdd_2() throws AssertFailException {
-        byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase());
-        byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak"
-
-        byte[] resultArr = NativeSecp256k1.pubKeyTweakAdd( pub , data );
-        String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( sigString , "0411C6790F4B663CCE607BAAE08C43557EDC1A4D11D88DFCB3D841D0C6A941AF525A268E2A863C148555C48FB5FBA368E88718A46E205FABC3DBA2CCFFAB0796EF" , "testPrivKeyAdd_2");
-    }
-
-    /**
-      * This tests private key tweak-mul uncompressed
-      */
-    public static void testPrivKeyTweakMul_2() throws AssertFailException {
-        byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase());
-        byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak"
-
-        byte[] resultArr = NativeSecp256k1.pubKeyTweakMul( pub , data );
-        String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( sigString , "04E0FE6FE55EBCA626B98A807F6CAF654139E14E5E3698F01A9A658E21DC1D2791EC060D4F412A794D5370F672BC94B722640B5F76914151CFCA6E712CA48CC589" , "testPrivKeyMul_2");
-    }
-
-    /**
-      * This tests seed randomization
-      */
-    public static void testRandomize() throws AssertFailException {
-        byte[] seed = BaseEncoding.base16().lowerCase().decode("A441B15FE9A3CF56661190A0B93B9DEC7D04127288CC87250967CF3B52894D11".toLowerCase()); //sha256hash of "random"
-        boolean result = NativeSecp256k1.randomize(seed);
-        assertEquals( result, true, "testRandomize");
-    }
-
-    public static void testCreateECDHSecret() throws AssertFailException{
-
-        byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase());
-        byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase());
-
-        byte[] resultArr = NativeSecp256k1.createECDHSecret(sec, pub);
-        String ecdhString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr);
-        assertEquals( ecdhString, "2A2A67007A926E6594AF3EB564FC74005B37A9C8AEF2033C4552051B5C87F043" , "testCreateECDHSecret");
-    }
-
-    public static void main(String[] args) throws AssertFailException{
-
-
-        System.out.println("\n libsecp256k1 enabled: " + Secp256k1Context.isEnabled() + "\n");
-
-        assertEquals( Secp256k1Context.isEnabled(), true, "isEnabled" );
-
-        //Test verify() success/fail
-        testVerifyPos();
-        testVerifyNeg();
-
-        //Test secKeyVerify() success/fail
-        testSecKeyVerifyPos();
-        testSecKeyVerifyNeg();
-
-        //Test computePubkey() success/fail
-        testPubKeyCreatePos();
-        testPubKeyCreateNeg();
-
-        //Test sign() success/fail
-        testSignPos();
-        testSignNeg();
-
-        //Test privKeyTweakAdd() 1
-        testPrivKeyTweakAdd_1();
-
-        //Test privKeyTweakMul() 2
-        testPrivKeyTweakMul_1();
-
-        //Test privKeyTweakAdd() 3
-        testPrivKeyTweakAdd_2();
-
-        //Test privKeyTweakMul() 4
-        testPrivKeyTweakMul_2();
-
-        //Test randomize()
-        testRandomize();
-
-        //Test ECDH
-        testCreateECDHSecret();
-
-        NativeSecp256k1.cleanup();
-
-        System.out.println(" All tests passed." );
-
-    }
-}
--- a/src/java/org/bitcoin/NativeSecp256k1Util.java
+++ b/src/java/org/bitcoin/NativeSecp256k1Util.java
@@ -1,45 +0,0 @@
-/*
- * Copyright 2014-2016 the libsecp256k1 contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.bitcoin;
-
-public class NativeSecp256k1Util{
-
-    public static void assertEquals( int val, int val2, String message ) throws AssertFailException{
-      if( val != val2 )
-        throw new AssertFailException("FAIL: " + message);
-    }
-
-    public static void assertEquals( boolean val, boolean val2, String message ) throws AssertFailException{
-      if( val != val2 )
-        throw new AssertFailException("FAIL: " + message);
-      else
-        System.out.println("PASS: " + message);
-    }
-
-    public static void assertEquals( String val, String val2, String message ) throws AssertFailException{
-      if( !val.equals(val2) )
-        throw new AssertFailException("FAIL: " + message);
-      else
-        System.out.println("PASS: " + message);
-    }
-
-    public static class AssertFailException extends Exception {
-      public AssertFailException(String message) {
-        super( message );
-      }
-    }
-}
--- a/src/java/org/bitcoin/Secp256k1Context.java
+++ b/src/java/org/bitcoin/Secp256k1Context.java
@@ -1,51 +0,0 @@
-/*
- * Copyright 2014-2016 the libsecp256k1 contributors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.bitcoin;
-
-/**
- * This class holds the context reference used in native methods 
- * to handle ECDSA operations.
- */
-public class Secp256k1Context {
-  private static final boolean enabled; //true if the library is loaded
-  private static final long context; //ref to pointer to context obj
-
-  static { //static initializer
-      boolean isEnabled = true;
-      long contextRef = -1;
-      try {
-          System.loadLibrary("secp256k1");
-          contextRef = secp256k1_init_context();
-      } catch (UnsatisfiedLinkError e) {
-          System.out.println("UnsatisfiedLinkError: " + e.toString());
-          isEnabled = false;
-      }
-      enabled = isEnabled;
-      context = contextRef;
-  }
-
-  public static boolean isEnabled() {
-     return enabled;
-  }
-
-  public static long getContext() {
-     if(!enabled) return -1; //sanity check
-     return context;
-  }
-
-  private static native long secp256k1_init_context();
-}
--- a/src/java/org_bitcoin_NativeSecp256k1.c
+++ b/src/java/org_bitcoin_NativeSecp256k1.c
@@ -1,379 +0,0 @@
-#include <stdlib.h>
-#include <stdint.h>
-#include <string.h>
-#include "org_bitcoin_NativeSecp256k1.h"
-#include "include/secp256k1.h"
-#include "include/secp256k1_ecdh.h"
-#include "include/secp256k1_recovery.h"
-
-
-SECP256K1_API jlong JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ctx_1clone
-  (JNIEnv* env, jclass classObject, jlong ctx_l)
-{
-  const secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-
-  jlong ctx_clone_l = (uintptr_t) secp256k1_context_clone(ctx);
-
-  (void)classObject;(void)env;
-
-  return ctx_clone_l;
-
-}
-
-SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1context_1randomize
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-
-  const unsigned char* seed = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-
-  (void)classObject;
-
-  return secp256k1_context_randomize(ctx, seed);
-
-}
-
-SECP256K1_API void JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1destroy_1context
-  (JNIEnv* env, jclass classObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-
-  secp256k1_context_destroy(ctx);
-
-  (void)classObject;(void)env;
-}
-
-SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdsa_1verify
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint siglen, jint publen)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-
-  unsigned char* data = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  const unsigned char* sigdata = {  (unsigned char*) (data + 32) };
-  const unsigned char* pubdata = { (unsigned char*) (data + siglen + 32) };
-
-  secp256k1_ecdsa_signature sig;
-  secp256k1_pubkey pubkey;
-
-  int ret = secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigdata, siglen);
-
-  if( ret ) {
-    ret = secp256k1_ec_pubkey_parse(ctx, &pubkey, pubdata, publen);
-
-    if( ret ) {
-      ret = secp256k1_ecdsa_verify(ctx, &sig, data, &pubkey);
-    }
-  }
-
-  (void)classObject;
-
-  return ret;
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdsa_1sign
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  unsigned char* data = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  unsigned char* secKey = (unsigned char*) (data + 32);
-
-  jobjectArray retArray;
-  jbyteArray sigArray, intsByteArray;
-  unsigned char intsarray[2];
-
-  secp256k1_ecdsa_signature sig[72];
-
-  int ret = secp256k1_ecdsa_sign(ctx, sig, data, secKey, NULL, NULL);
-
-  unsigned char outputSer[72];
-  size_t outputLen = 72;
-
-  if( ret ) {
-    int ret2 = secp256k1_ecdsa_signature_serialize_der(ctx,outputSer, &outputLen, sig ); (void)ret2;
-  }
-
-  intsarray[0] = outputLen;
-  intsarray[1] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  sigArray = (*env)->NewByteArray(env, outputLen);
-  (*env)->SetByteArrayRegion(env, sigArray, 0, outputLen, (jbyte*)outputSer);
-  (*env)->SetObjectArrayElement(env, retArray, 0, sigArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 2);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-}
-
-SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ec_1seckey_1verify
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  unsigned char* secKey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-
-  (void)classObject;
-
-  return secp256k1_ec_seckey_verify(ctx, secKey);
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ec_1pubkey_1create
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  const unsigned char* secKey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-
-  secp256k1_pubkey pubkey;
-
-  jobjectArray retArray;
-  jbyteArray pubkeyArray, intsByteArray;
-  unsigned char intsarray[2];
-
-  int ret = secp256k1_ec_pubkey_create(ctx, &pubkey, secKey);
-
-  unsigned char outputSer[65];
-  size_t outputLen = 65;
-
-  if( ret ) {
-    int ret2 = secp256k1_ec_pubkey_serialize(ctx,outputSer, &outputLen, &pubkey,SECP256K1_EC_UNCOMPRESSED );(void)ret2;
-  }
-
-  intsarray[0] = outputLen;
-  intsarray[1] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  pubkeyArray = (*env)->NewByteArray(env, outputLen);
-  (*env)->SetByteArrayRegion(env, pubkeyArray, 0, outputLen, (jbyte*)outputSer);
-  (*env)->SetObjectArrayElement(env, retArray, 0, pubkeyArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 2);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1privkey_1tweak_1add
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  unsigned char* privkey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  const unsigned char* tweak = (unsigned char*) (privkey + 32);
-
-  jobjectArray retArray;
-  jbyteArray privArray, intsByteArray;
-  unsigned char intsarray[2];
-
-  int privkeylen = 32;
-
-  int ret = secp256k1_ec_privkey_tweak_add(ctx, privkey, tweak);
-
-  intsarray[0] = privkeylen;
-  intsarray[1] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  privArray = (*env)->NewByteArray(env, privkeylen);
-  (*env)->SetByteArrayRegion(env, privArray, 0, privkeylen, (jbyte*)privkey);
-  (*env)->SetObjectArrayElement(env, retArray, 0, privArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 2);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1privkey_1tweak_1mul
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  unsigned char* privkey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  const unsigned char* tweak = (unsigned char*) (privkey + 32);
-
-  jobjectArray retArray;
-  jbyteArray privArray, intsByteArray;
-  unsigned char intsarray[2];
-
-  int privkeylen = 32;
-
-  int ret = secp256k1_ec_privkey_tweak_mul(ctx, privkey, tweak);
-
-  intsarray[0] = privkeylen;
-  intsarray[1] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  privArray = (*env)->NewByteArray(env, privkeylen);
-  (*env)->SetByteArrayRegion(env, privArray, 0, privkeylen, (jbyte*)privkey);
-  (*env)->SetObjectArrayElement(env, retArray, 0, privArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 2);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1pubkey_1tweak_1add
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-/*  secp256k1_pubkey* pubkey = (secp256k1_pubkey*) (*env)->GetDirectBufferAddress(env, byteBufferObject);*/
-  unsigned char* pkey = (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  const unsigned char* tweak = (unsigned char*) (pkey + publen);
-
-  jobjectArray retArray;
-  jbyteArray pubArray, intsByteArray;
-  unsigned char intsarray[2];
-  unsigned char outputSer[65];
-  size_t outputLen = 65;
-
-  secp256k1_pubkey pubkey;
-  int ret = secp256k1_ec_pubkey_parse(ctx, &pubkey, pkey, publen);
-
-  if( ret ) {
-    ret = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, tweak);
-  }
-
-  if( ret ) {
-    int ret2 = secp256k1_ec_pubkey_serialize(ctx,outputSer, &outputLen, &pubkey,SECP256K1_EC_UNCOMPRESSED );(void)ret2;
-  }
-
-  intsarray[0] = outputLen;
-  intsarray[1] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  pubArray = (*env)->NewByteArray(env, outputLen);
-  (*env)->SetByteArrayRegion(env, pubArray, 0, outputLen, (jbyte*)outputSer);
-  (*env)->SetObjectArrayElement(env, retArray, 0, pubArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 2);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1pubkey_1tweak_1mul
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  unsigned char* pkey = (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  const unsigned char* tweak = (unsigned char*) (pkey + publen);
-
-  jobjectArray retArray;
-  jbyteArray pubArray, intsByteArray;
-  unsigned char intsarray[2];
-  unsigned char outputSer[65];
-  size_t outputLen = 65;
-
-  secp256k1_pubkey pubkey;
-  int ret = secp256k1_ec_pubkey_parse(ctx, &pubkey, pkey, publen);
-
-  if ( ret ) {
-    ret = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, tweak);
-  }
-
-  if( ret ) {
-    int ret2 = secp256k1_ec_pubkey_serialize(ctx,outputSer, &outputLen, &pubkey,SECP256K1_EC_UNCOMPRESSED );(void)ret2;
-  }
-
-  intsarray[0] = outputLen;
-  intsarray[1] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  pubArray = (*env)->NewByteArray(env, outputLen);
-  (*env)->SetByteArrayRegion(env, pubArray, 0, outputLen, (jbyte*)outputSer);
-  (*env)->SetObjectArrayElement(env, retArray, 0, pubArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 2);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-}
-
-SECP256K1_API jlong JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdsa_1pubkey_1combine
-  (JNIEnv * env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint numkeys)
-{
-  (void)classObject;(void)env;(void)byteBufferObject;(void)ctx_l;(void)numkeys;
-
-  return 0;
-}
-
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdh
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen)
-{
-  secp256k1_context *ctx = (secp256k1_context*)(uintptr_t)ctx_l;
-  const unsigned char* secdata = (*env)->GetDirectBufferAddress(env, byteBufferObject);
-  const unsigned char* pubdata = (const unsigned char*) (secdata + 32);
-
-  jobjectArray retArray;
-  jbyteArray outArray, intsByteArray;
-  unsigned char intsarray[1];
-  secp256k1_pubkey pubkey;
-  unsigned char nonce_res[32];
-  size_t outputLen = 32;
-
-  int ret = secp256k1_ec_pubkey_parse(ctx, &pubkey, pubdata, publen);
-
-  if (ret) {
-    ret = secp256k1_ecdh(
-      ctx,
-      nonce_res,
-      &pubkey,
-      secdata,
-      NULL,
-      NULL
-    );
-  }
-
-  intsarray[0] = ret;
-
-  retArray = (*env)->NewObjectArray(env, 2,
-    (*env)->FindClass(env, "[B"),
-    (*env)->NewByteArray(env, 1));
-
-  outArray = (*env)->NewByteArray(env, outputLen);
-  (*env)->SetByteArrayRegion(env, outArray, 0, 32, (jbyte*)nonce_res);
-  (*env)->SetObjectArrayElement(env, retArray, 0, outArray);
-
-  intsByteArray = (*env)->NewByteArray(env, 1);
-  (*env)->SetByteArrayRegion(env, intsByteArray, 0, 1, (jbyte*)intsarray);
-  (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray);
-
-  (void)classObject;
-
-  return retArray;
-}
--- a/src/java/org_bitcoin_NativeSecp256k1.h
+++ b/src/java/org_bitcoin_NativeSecp256k1.h
@@ -1,119 +0,0 @@
-/* DO NOT EDIT THIS FILE - it is machine generated */
-#include <jni.h>
-#include "include/secp256k1.h"
-/* Header for class org_bitcoin_NativeSecp256k1 */
-
-#ifndef _Included_org_bitcoin_NativeSecp256k1
-#define _Included_org_bitcoin_NativeSecp256k1
-#ifdef __cplusplus
-extern "C" {
-#endif
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ctx_clone
- * Signature: (J)J
- */
-SECP256K1_API jlong JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ctx_1clone
-  (JNIEnv *, jclass, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_context_randomize
- * Signature: (Ljava/nio/ByteBuffer;J)I
- */
-SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1context_1randomize
-  (JNIEnv *, jclass, jobject, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_privkey_tweak_add
- * Signature: (Ljava/nio/ByteBuffer;J)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1privkey_1tweak_1add
-  (JNIEnv *, jclass, jobject, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_privkey_tweak_mul
- * Signature: (Ljava/nio/ByteBuffer;J)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1privkey_1tweak_1mul
-  (JNIEnv *, jclass, jobject, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_pubkey_tweak_add
- * Signature: (Ljava/nio/ByteBuffer;JI)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1pubkey_1tweak_1add
-  (JNIEnv *, jclass, jobject, jlong, jint);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_pubkey_tweak_mul
- * Signature: (Ljava/nio/ByteBuffer;JI)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1pubkey_1tweak_1mul
-  (JNIEnv *, jclass, jobject, jlong, jint);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_destroy_context
- * Signature: (J)V
- */
-SECP256K1_API void JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1destroy_1context
-  (JNIEnv *, jclass, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ecdsa_verify
- * Signature: (Ljava/nio/ByteBuffer;JII)I
- */
-SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdsa_1verify
-  (JNIEnv *, jclass, jobject, jlong, jint, jint);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ecdsa_sign
- * Signature: (Ljava/nio/ByteBuffer;J)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdsa_1sign
-  (JNIEnv *, jclass, jobject, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ec_seckey_verify
- * Signature: (Ljava/nio/ByteBuffer;J)I
- */
-SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ec_1seckey_1verify
-  (JNIEnv *, jclass, jobject, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ec_pubkey_create
- * Signature: (Ljava/nio/ByteBuffer;J)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ec_1pubkey_1create
-  (JNIEnv *, jclass, jobject, jlong);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ec_pubkey_parse
- * Signature: (Ljava/nio/ByteBuffer;JI)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ec_1pubkey_1parse
-  (JNIEnv *, jclass, jobject, jlong, jint);
-
-/*
- * Class:     org_bitcoin_NativeSecp256k1
- * Method:    secp256k1_ecdh
- * Signature: (Ljava/nio/ByteBuffer;JI)[[B
- */
-SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1ecdh
-  (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen);
-
-
-#ifdef __cplusplus
-}
-#endif
-#endif
--- a/src/java/org_bitcoin_Secp256k1Context.c
+++ b/src/java/org_bitcoin_Secp256k1Context.c
@@ -1,15 +0,0 @@
-#include <stdlib.h>
-#include <stdint.h>
-#include "org_bitcoin_Secp256k1Context.h"
-#include "include/secp256k1.h"
-
-SECP256K1_API jlong JNICALL Java_org_bitcoin_Secp256k1Context_secp256k1_1init_1context
-  (JNIEnv* env, jclass classObject)
-{
-  secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
-
-  (void)classObject;(void)env;
-
-  return (uintptr_t)ctx;
-}
-
--- a/src/java/org_bitcoin_Secp256k1Context.h
+++ b/src/java/org_bitcoin_Secp256k1Context.h
@@ -1,22 +0,0 @@
-/* DO NOT EDIT THIS FILE - it is machine generated */
-#include <jni.h>
-#include "include/secp256k1.h"
-/* Header for class org_bitcoin_Secp256k1Context */
-
-#ifndef _Included_org_bitcoin_Secp256k1Context
-#define _Included_org_bitcoin_Secp256k1Context
-#ifdef __cplusplus
-extern "C" {
-#endif
-/*
- * Class:     org_bitcoin_Secp256k1Context
- * Method:    secp256k1_init_context
- * Signature: ()J
- */
-SECP256K1_API jlong JNICALL Java_org_bitcoin_Secp256k1Context_secp256k1_1init_1context
-  (JNIEnv *, jclass);
-
-#ifdef __cplusplus
-}
-#endif
-#endif
--- a/src/modules/ecdh/main_impl.h
+++ b/src/modules/ecdh/main_impl.h
@@ -10,14 +10,14 @@
 #include "include/secp256k1_ecdh.h"
 #include "ecmult_const_impl.h"

-static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
-    unsigned char version = (y[31] & 0x01) | 0x02;
+static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) {
+    unsigned char version = (y32[31] & 0x01) | 0x02;
    secp256k1_sha256 sha;
    (void)data;

    secp256k1_sha256_initialize(&sha);
    secp256k1_sha256_write(&sha, &version, 1);
-    secp256k1_sha256_write(&sha, x, 32);
+    secp256k1_sha256_write(&sha, x32, 32);
    secp256k1_sha256_finalize(&sha, output);

    return 1;
@@ -32,36 +32,40 @@ int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const se
    secp256k1_gej res;
    secp256k1_ge pt;
    secp256k1_scalar s;
+    unsigned char x[32];
+    unsigned char y[32];
+
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(output != NULL);
    ARG_CHECK(point != NULL);
    ARG_CHECK(scalar != NULL);
+
    if (hashfp == NULL) {
        hashfp = secp256k1_ecdh_hash_function_default;
    }

    secp256k1_pubkey_load(ctx, &pt, point);
    secp256k1_scalar_set_b32(&s, scalar, &overflow);
-    if (overflow || secp256k1_scalar_is_zero(&s)) {
-        ret = 0;
-    } else {
-        unsigned char x[32];
-        unsigned char y[32];

-        secp256k1_ecmult_const(&res, &pt, &s, 256);
-        secp256k1_ge_set_gej(&pt, &res);
+    overflow |= secp256k1_scalar_is_zero(&s);
+    secp256k1_scalar_cmov(&s, &secp256k1_scalar_one, overflow);

-        /* Compute a hash of the point */
-        secp256k1_fe_normalize(&pt.x);
-        secp256k1_fe_normalize(&pt.y);
-        secp256k1_fe_get_b32(x, &pt.x);
-        secp256k1_fe_get_b32(y, &pt.y);
+    secp256k1_ecmult_const(&res, &pt, &s, 256);
+    secp256k1_ge_set_gej(&pt, &res);

-        ret = hashfp(output, x, y, data);
-    }
+    /* Compute a hash of the point */
+    secp256k1_fe_normalize(&pt.x);
+    secp256k1_fe_normalize(&pt.y);
+    secp256k1_fe_get_b32(x, &pt.x);
+    secp256k1_fe_get_b32(y, &pt.y);

+    ret = hashfp(output, x, y, data);
+
+    memset(x, 0, 32);
+    memset(y, 0, 32);
    secp256k1_scalar_clear(&s);
-    return ret;
+
+    return !!ret & !overflow;
 }

 #endif /* SECP256K1_MODULE_ECDH_MAIN_H */
--- a/src/modules/ecdh/tests_impl.h
+++ b/src/modules/ecdh/tests_impl.h
@@ -80,7 +80,7 @@ void test_ecdh_generator_basepoint(void) {
        /* compute "explicitly" */
        CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1);
        /* compare */
-        CHECK(memcmp(output_ecdh, point_ser, 65) == 0);
+        CHECK(secp256k1_memcmp_var(output_ecdh, point_ser, 65) == 0);

        /* compute using ECDH function with default hash function */
        CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);
@@ -90,7 +90,7 @@ void test_ecdh_generator_basepoint(void) {
        secp256k1_sha256_write(&sha, point_ser, point_ser_len);
        secp256k1_sha256_finalize(&sha, output_ser);
        /* compare */
-        CHECK(memcmp(output_ecdh, output_ser, 32) == 0);
+        CHECK(secp256k1_memcmp_var(output_ecdh, output_ser, 32) == 0);
    }
 }

--- a/src/modules/ecdsa_s2c/Makefile.am.include
+++ b/src/modules/ecdsa_s2c/Makefile.am.include
@@ -0,0 +1,3 @@
+include_HEADERS += include/secp256k1_ecdsa_s2c.h
+noinst_HEADERS += src/modules/ecdsa_s2c/main_impl.h
+noinst_HEADERS += src/modules/ecdsa_s2c/tests_impl.h
--- a/src/modules/ecdsa_s2c/main_impl.h
+++ b/src/modules/ecdsa_s2c/main_impl.h
@@ -0,0 +1,198 @@
+/**********************************************************************
+ * Copyright (c) 2019-2020 Marko Bencun, Jonas Nick                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_MODULE_ECDSA_S2C_MAIN_H
+#define SECP256K1_MODULE_ECDSA_S2C_MAIN_H
+
+#include "include/secp256k1.h"
+#include "include/secp256k1_ecdsa_s2c.h"
+
+static void secp256k1_ecdsa_s2c_opening_save(secp256k1_ecdsa_s2c_opening* opening, secp256k1_ge* ge) {
+    secp256k1_pubkey_save((secp256k1_pubkey*) opening, ge);
+}
+
+static int secp256k1_ecdsa_s2c_opening_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_ecdsa_s2c_opening* opening) {
+    return secp256k1_pubkey_load(ctx, ge, (const secp256k1_pubkey*) opening);
+}
+
+int secp256k1_ecdsa_s2c_opening_parse(const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* opening, const unsigned char* input33) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(input33 != NULL);
+    return secp256k1_ec_pubkey_parse(ctx, (secp256k1_pubkey*) opening, input33, 33);
+}
+
+int secp256k1_ecdsa_s2c_opening_serialize(const secp256k1_context* ctx, unsigned char* output33, const secp256k1_ecdsa_s2c_opening* opening) {
+    size_t out_len = 33;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(output33 != NULL);
+    ARG_CHECK(opening != NULL);
+    return secp256k1_ec_pubkey_serialize(ctx, output33, &out_len, (const secp256k1_pubkey*) opening, SECP256K1_EC_COMPRESSED);
+}
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("s2c/ecdsa/point")||SHA256("s2c/ecdsa/point"). */
+static void secp256k1_s2c_ecdsa_point_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0xa9b21c7bul;
+    sha->s[1] = 0x358c3e3eul;
+    sha->s[2] = 0x0b6863d1ul;
+    sha->s[3] = 0xc62b2035ul;
+    sha->s[4] = 0xb44b40ceul;
+    sha->s[5] = 0x254a8912ul;
+    sha->s[6] = 0x0f85d0d4ul;
+    sha->s[7] = 0x8a5bf91cul;
+
+    sha->bytes = 64;
+}
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("s2c/ecdsa/data")||SHA256("s2c/ecdsa/data"). */
+static void secp256k1_s2c_ecdsa_data_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0xfeefd675ul;
+    sha->s[1] = 0x73166c99ul;
+    sha->s[2] = 0xe2309cb8ul;
+    sha->s[3] = 0x6d458113ul;
+    sha->s[4] = 0x01d3a512ul;
+    sha->s[5] = 0x00e18112ul;
+    sha->s[6] = 0x37ee0874ul;
+    sha->s[7] = 0x421fc55ful;
+
+    sha->bytes = 64;
+}
+
+int secp256k1_ecdsa_s2c_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* signature, secp256k1_ecdsa_s2c_opening* s2c_opening, const unsigned char
+ *msg32, const unsigned char *seckey, const unsigned char* s2c_data32) {
+    secp256k1_scalar r, s;
+    int ret;
+    unsigned char ndata[32];
+    secp256k1_sha256 s2c_sha;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(signature != NULL);
+    ARG_CHECK(seckey != NULL);
+    ARG_CHECK(s2c_data32 != NULL);
+
+    /* Provide `s2c_data32` to the nonce function as additional data to
+     * derive the nonce. It is first hashed because it should be possible
+     * to derive nonces even if only a SHA256 commitment to the data is
+     * known.  This is important in the ECDSA anti-klepto protocol. */
+    secp256k1_s2c_ecdsa_data_sha256_tagged(&s2c_sha);
+    secp256k1_sha256_write(&s2c_sha, s2c_data32, 32);
+    secp256k1_sha256_finalize(&s2c_sha, ndata);
+
+    secp256k1_s2c_ecdsa_point_sha256_tagged(&s2c_sha);
+    ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, &s2c_sha, s2c_opening, s2c_data32, msg32, seckey, NULL, ndata);
+    secp256k1_scalar_cmov(&r, &secp256k1_scalar_zero, !ret);
+    secp256k1_scalar_cmov(&s, &secp256k1_scalar_zero, !ret);
+    secp256k1_ecdsa_signature_save(signature, &r, &s);
+    return ret;
+}
+
+int secp256k1_ecdsa_s2c_verify_commit(const secp256k1_context* ctx, const secp256k1_ecdsa_signature* sig, const unsigned char* data32, const secp256k1_ecdsa_s2c_opening* opening) {
+    secp256k1_ge commitment_ge;
+    secp256k1_ge original_pubnonce_ge;
+    unsigned char x_bytes[32];
+    secp256k1_scalar sigr, sigs, x_scalar;
+    secp256k1_sha256 s2c_sha;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
+    ARG_CHECK(sig != NULL);
+    ARG_CHECK(data32 != NULL);
+    ARG_CHECK(opening != NULL);
+
+    if (!secp256k1_ecdsa_s2c_opening_load(ctx, &original_pubnonce_ge, opening)) {
+        return 0;
+    }
+    secp256k1_s2c_ecdsa_point_sha256_tagged(&s2c_sha);
+    if (!secp256k1_ec_commit(&ctx->ecmult_ctx, &commitment_ge, &original_pubnonce_ge, &s2c_sha, data32, 32)) {
+        return 0;
+    }
+
+    /* Check that sig_r == commitment_x (mod n)
+     * sig_r is the x coordinate of R represented by a scalar.
+     * commitment_x is the x coordinate of the commitment (field element).
+     *
+     * Note that we are only checking the x-coordinate -- this is because the y-coordinate
+     * is not part of the ECDSA signature (and therefore not part of the commitment!)
+     */
+    secp256k1_ecdsa_signature_load(ctx, &sigr, &sigs, sig);
+
+    secp256k1_fe_normalize(&commitment_ge.x);
+    secp256k1_fe_get_b32(x_bytes, &commitment_ge.x);
+    /* Do not check overflow; overflowing a scalar does not affect whether
+     * or not the R value is a cryptographic commitment, only whether it
+     * is a valid R value for an ECDSA signature. If users care about that
+     * they should use `ecdsa_verify` or `anti_klepto_host_verify`. In other
+     * words, this check would be (at best) unnecessary, and (at worst)
+     * insufficient. */
+    secp256k1_scalar_set_b32(&x_scalar, x_bytes, NULL);
+    return secp256k1_scalar_eq(&sigr, &x_scalar);
+}
+
+/*** anti-klepto ***/
+int secp256k1_ecdsa_anti_klepto_host_commit(const secp256k1_context* ctx, unsigned char* rand_commitment32, const unsigned char* rand32) {
+    secp256k1_sha256 sha;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(rand_commitment32 != NULL);
+    ARG_CHECK(rand32 != NULL);
+
+    secp256k1_s2c_ecdsa_data_sha256_tagged(&sha);
+    secp256k1_sha256_write(&sha, rand32, 32);
+    secp256k1_sha256_finalize(&sha, rand_commitment32);
+    return 1;
+}
+
+int secp256k1_ecdsa_anti_klepto_signer_commit(const secp256k1_context* ctx, secp256k1_ecdsa_s2c_opening* opening, const unsigned char* msg32, const unsigned char* seckey32, const unsigned char* rand_commitment32) {
+    unsigned char nonce32[32];
+    secp256k1_scalar k;
+    secp256k1_gej rj;
+    secp256k1_ge r;
+    unsigned int count = 0;
+    int is_nonce_valid = 0;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(opening != NULL);
+    ARG_CHECK(msg32 != NULL);
+    ARG_CHECK(seckey32 != NULL);
+    ARG_CHECK(rand_commitment32 != NULL);
+
+    memset(nonce32, 0, 32);
+    while (!is_nonce_valid) {
+        /* cast to void* removes const qualifier, but secp256k1_nonce_function_default does not modify it */
+        if (!secp256k1_nonce_function_default(nonce32, msg32, seckey32, NULL, (void*)rand_commitment32, count)) {
+            secp256k1_callback_call(&ctx->error_callback, "(cryptographically unreachable) generated bad nonce");
+        }
+        is_nonce_valid = secp256k1_scalar_set_b32_seckey(&k, nonce32);
+        /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
+        secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
+        count++;
+    }
+
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
+    secp256k1_ge_set_gej(&r, &rj);
+    secp256k1_ecdsa_s2c_opening_save(opening, &r);
+    memset(nonce32, 0, 32);
+    secp256k1_scalar_clear(&k);
+    return 1;
+}
+
+int secp256k1_anti_klepto_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char* msg32, const unsigned char* seckey, const unsigned char* host_data32) {
+    return secp256k1_ecdsa_s2c_sign(ctx, sig, NULL, msg32, seckey, host_data32);
+}
+
+int secp256k1_anti_klepto_host_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey, const unsigned char *host_data32, const secp256k1_ecdsa_s2c_opening *opening) {
+    return secp256k1_ecdsa_s2c_verify_commit(ctx, sig, host_data32, opening) &&
+        secp256k1_ecdsa_verify(ctx, sig, msg32, pubkey);
+}
+
+#endif /* SECP256K1_ECDSA_S2C_MAIN_H */
--- a/src/modules/ecdsa_s2c/tests_impl.h
+++ b/src/modules/ecdsa_s2c/tests_impl.h
@@ -0,0 +1,416 @@
+/**********************************************************************
+ * Copyright (c) 2019-2020 Marko Bencun, Jonas Nick                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_MODULE_ECDSA_S2C_TESTS_H
+#define SECP256K1_MODULE_ECDSA_S2C_TESTS_H
+
+#include "include/secp256k1_ecdsa_s2c.h"
+
+static void test_ecdsa_s2c_tagged_hash(void) {
+    unsigned char tag_data[14] = "s2c/ecdsa/data";
+    unsigned char tag_point[15] = "s2c/ecdsa/point";
+    secp256k1_sha256 sha;
+    secp256k1_sha256 sha_optimized;
+    unsigned char output[32];
+    unsigned char output_optimized[32];
+
+    secp256k1_sha256_initialize_tagged(&sha, tag_data, sizeof(tag_data));
+    secp256k1_s2c_ecdsa_data_sha256_tagged(&sha_optimized);
+    secp256k1_sha256_finalize(&sha, output);
+    secp256k1_sha256_finalize(&sha_optimized, output_optimized);
+    CHECK(secp256k1_memcmp_var(output, output_optimized, 32) == 0);
+
+    secp256k1_sha256_initialize_tagged(&sha, tag_point, sizeof(tag_point));
+    secp256k1_s2c_ecdsa_point_sha256_tagged(&sha_optimized);
+    secp256k1_sha256_finalize(&sha, output);
+    secp256k1_sha256_finalize(&sha_optimized, output_optimized);
+    CHECK(secp256k1_memcmp_var(output, output_optimized, 32) == 0);
+}
+
+void run_s2c_opening_test(void) {
+    int i = 0;
+    unsigned char output[33];
+    secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+
+    unsigned char input[33] = {
+            0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x02
+    };
+    secp256k1_ecdsa_s2c_opening opening;
+    int32_t ecount = 0;
+
+    secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
+
+    /* First parsing, then serializing works */
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_serialize(none, output, &opening) == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 1);
+    CHECK(ecount == 0);
+
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, NULL, input) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, &opening, NULL) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 1);
+
+    CHECK(secp256k1_ecdsa_s2c_opening_serialize(none, NULL, &opening) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_ecdsa_s2c_opening_serialize(none, output, NULL) == 0);
+
+    CHECK(ecount == 4);
+    /* Invalid pubkey makes parsing fail */
+    input[0] = 0;  /* bad oddness bit */
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 0);
+    input[0] = 2;
+    input[31] = 1; /* point not on the curve */
+    CHECK(secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 0);
+    CHECK(ecount == 4); /* neither of the above are API errors */
+
+    /* Try parsing and serializing a bunch of openings */
+    for (i = 0; i < count; i++) {
+        /* This is expected to fail in about 50% of iterations because the
+         * points' x-coordinates are uniformly random */
+        if (secp256k1_ecdsa_s2c_opening_parse(none, &opening, input) == 1) {
+            CHECK(secp256k1_ecdsa_s2c_opening_serialize(none, output, &opening) == 1);
+            CHECK(memcmp(output, input, sizeof(output)) == 0);
+        }
+        secp256k1_testrand256(&input[1]);
+        /* Set pubkey oddness tag to first bit of input[1] */
+        input[0] = (input[1] & 1) + 2;
+    }
+
+    secp256k1_context_destroy(none);
+}
+
+static void test_ecdsa_s2c_api(void) {
+    secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+    secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
+    secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
+    secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
+
+    secp256k1_ecdsa_s2c_opening s2c_opening;
+    secp256k1_ecdsa_signature sig;
+    const unsigned char msg[32] = "mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm";
+    const unsigned char sec[32] = "ssssssssssssssssssssssssssssssss";
+    const unsigned char s2c_data[32] = "dddddddddddddddddddddddddddddddd";
+    const unsigned char hostrand[32] = "hrhrhrhrhrhrhrhrhrhrhrhrhrhrhrhr";
+    unsigned char hostrand_commitment[32];
+    secp256k1_pubkey pk;
+
+    int32_t ecount;
+    secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
+    secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sec));
+
+    ecount = 0;
+    CHECK(secp256k1_ecdsa_s2c_sign(both, NULL, &s2c_opening, msg, sec, s2c_data) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_ecdsa_s2c_sign(both, &sig, NULL, msg, sec, s2c_data) == 1);
+    CHECK(ecount == 1); /* NULL opening is not an API error */
+    CHECK(secp256k1_ecdsa_s2c_sign(both, &sig, &s2c_opening, NULL, sec, s2c_data) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_ecdsa_s2c_sign(both, &sig, &s2c_opening, msg, NULL, s2c_data) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_ecdsa_s2c_sign(both, &sig, &s2c_opening, msg, sec, NULL) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_ecdsa_s2c_sign(none, &sig, &s2c_opening, msg, sec, s2c_data) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_ecdsa_s2c_sign(vrfy, &sig, &s2c_opening, msg, sec, s2c_data) == 0);
+    CHECK(ecount == 6);
+    CHECK(secp256k1_ecdsa_s2c_sign(sign, &sig, &s2c_opening, msg, sec, s2c_data) == 1);
+    CHECK(ecount == 6);
+
+    CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pk) == 1);
+
+    ecount = 0;
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(both, NULL, s2c_data, &s2c_opening) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(both, &sig, NULL, &s2c_opening) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(both, &sig, s2c_data, NULL) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(none, &sig, s2c_data, &s2c_opening) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(sign, &sig, s2c_data, &s2c_opening) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &sig, sec, &s2c_opening) == 0);
+    CHECK(ecount == 5); /* wrong data is not an API error */
+
+    /* Signing with NULL s2c_opening gives the same result */
+    CHECK(secp256k1_ecdsa_s2c_sign(sign, &sig, NULL, msg, sec, s2c_data) == 1);
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(vrfy, &sig, s2c_data, &s2c_opening) == 1);
+
+    /* anti-klepto */
+    ecount = 0;
+    CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, NULL, hostrand) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, hostrand_commitment, NULL) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_ecdsa_anti_klepto_host_commit(none, hostrand_commitment, hostrand) == 1);
+    CHECK(ecount == 2);
+
+    ecount = 0;
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, NULL, msg, sec, hostrand_commitment) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, NULL, sec, hostrand_commitment) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, msg, NULL, hostrand_commitment) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(both, &s2c_opening, msg, sec, NULL) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(none, &s2c_opening, msg, sec, hostrand_commitment) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(vrfy, &s2c_opening, msg, sec, hostrand_commitment) == 0);
+    CHECK(ecount == 6);
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(sign, &s2c_opening, msg, sec, hostrand_commitment) == 1);
+    CHECK(ecount == 6);
+
+    ecount = 0;
+    CHECK(secp256k1_anti_klepto_sign(both, NULL, msg, sec, hostrand) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_anti_klepto_sign(both, &sig, NULL, sec, hostrand) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, NULL, hostrand) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, sec, NULL) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_anti_klepto_sign(none, &sig, msg, sec, hostrand) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_anti_klepto_sign(vrfy, &sig, msg, sec, hostrand) == 0);
+    CHECK(ecount == 6);
+    CHECK(secp256k1_anti_klepto_sign(both, &sig, msg, sec, hostrand) == 1);
+    CHECK(ecount == 6);
+
+    ecount = 0;
+    CHECK(secp256k1_anti_klepto_host_verify(both, NULL, msg, &pk, hostrand, &s2c_opening) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_anti_klepto_host_verify(both, &sig, NULL, &pk, hostrand, &s2c_opening) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, NULL, hostrand, &s2c_opening) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, &pk, NULL, &s2c_opening) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_anti_klepto_host_verify(both, &sig, msg, &pk, hostrand, NULL) == 0);
+    CHECK(ecount == 5);
+    CHECK(secp256k1_anti_klepto_host_verify(none, &sig, msg, &pk, hostrand, &s2c_opening) == 0);
+    CHECK(ecount == 6);
+    CHECK(secp256k1_anti_klepto_host_verify(sign, &sig, msg, &pk, hostrand, &s2c_opening) == 0);
+    CHECK(ecount == 7);
+    CHECK(secp256k1_anti_klepto_host_verify(vrfy, &sig, msg, &pk, hostrand, &s2c_opening) == 1);
+    CHECK(ecount == 7);
+
+    secp256k1_context_destroy(both);
+    secp256k1_context_destroy(vrfy);
+    secp256k1_context_destroy(sign);
+    secp256k1_context_destroy(none);
+}
+
+/* When using sign-to-contract commitments, the nonce function is fixed, so we can use fixtures to test. */
+typedef struct {
+    /* Data to commit to */
+    unsigned char s2c_data[32];
+    /* Original nonce */
+    unsigned char expected_s2c_opening[33];
+    /* Original nonce (anti-klepto protocol, which mixes in host randomness) */
+    unsigned char expected_s2c_klepto_opening[33];
+} ecdsa_s2c_test;
+
+static ecdsa_s2c_test ecdsa_s2c_tests[] = {
+    {
+        "\x1b\xf6\xfb\x42\xf4\x1e\xb8\x76\xc4\xd7\xaa\x0d\x67\x24\x2b\x00\xba\xab\x99\xdc\x20\x84\x49\x3e\x4e\x63\x27\x7f\xa1\xf7\x7f\x22",
+        "\x03\xf0\x30\xde\xf3\x18\x8c\x0f\x56\xfc\xea\x87\x43\x5b\x30\x76\x43\xf4\x5d\xaf\xe2\x2c\xbc\x82\xfd\x56\x03\x4f\xae\x97\x41\x7d\x3a",
+        "\x02\xdf\x63\x75\x5d\x1f\x32\x92\xbf\xfe\xd8\x29\x86\xb1\x06\x49\x7c\x93\xb1\xf8\xbd\xc0\x45\x4b\x6b\x0b\x0a\x47\x79\xc0\xef\x71\x88",
+    },
+    {
+        "\x35\x19\x9a\x8f\xbf\x84\xad\x6e\xf6\x9a\x18\x4c\x1b\x19\x28\x5b\xef\xbe\x06\xe6\x0b\x62\x64\xe6\xd3\x73\x89\x3f\x68\x55\xe2\x4a",
+        "\x03\x90\x17\x17\xce\x7c\x74\x84\xa2\xce\x1b\x7d\xc7\x40\x3b\x14\xe0\x35\x49\x71\x39\x3e\xc0\x92\xa7\xf3\xe0\xc8\xe4\xe2\xd2\x63\x9d",
+        "\x02\xc0\x4a\xc7\xf7\x71\xe8\xeb\xdb\xf3\x15\xff\x5e\x58\xb7\xfe\x95\x16\x10\x21\x03\x50\x00\x66\x17\x2c\x4f\xac\x5b\x20\xf9\xe0\xea",
+    },
+};
+
+static void test_ecdsa_s2c_fixed_vectors(void) {
+    const unsigned char privkey[32] = {
+        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+    };
+    const unsigned char message[32] = {
+        0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88,
+        0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88,
+    };
+    size_t i;
+
+    for (i = 0; i < sizeof(ecdsa_s2c_tests) / sizeof(ecdsa_s2c_tests[0]); i++) {
+        secp256k1_ecdsa_s2c_opening s2c_opening;
+        unsigned char opening_ser[33];
+        const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
+        secp256k1_ecdsa_signature signature;
+        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, opening_ser, &s2c_opening) == 1);
+        CHECK(memcmp(test->expected_s2c_opening, opening_ser, sizeof(opening_ser)) == 0);
+        CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, test->s2c_data, &s2c_opening) == 1);
+    }
+}
+
+static void test_ecdsa_s2c_sign_verify(void) {
+    unsigned char privkey[32];
+    secp256k1_pubkey pubkey;
+    unsigned char message[32];
+    unsigned char noncedata[32];
+    unsigned char s2c_data[32];
+    unsigned char s2c_data2[32];
+    secp256k1_ecdsa_signature signature;
+    secp256k1_ecdsa_s2c_opening s2c_opening;
+
+    /* Generate a random key, message, noncedata and s2c_data. */
+    {
+        secp256k1_scalar key;
+        random_scalar_order_test(&key);
+        secp256k1_scalar_get_b32(privkey, &key);
+        CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
+
+        secp256k1_testrand256_test(message);
+        secp256k1_testrand256_test(noncedata);
+        secp256k1_testrand256_test(s2c_data);
+        secp256k1_testrand256_test(s2c_data2);
+    }
+
+    { /* invalid privkeys */
+        unsigned char zero_privkey[32] = {0};
+        unsigned char overflow_privkey[32] = "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";
+        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, NULL, message, zero_privkey, s2c_data) == 0);
+        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, NULL, message, overflow_privkey, s2c_data) == 0);
+    }
+    /* Check that the sign-to-contract signature is valid, with s2c_data. Also check the commitment. */
+    {
+        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_verify(ctx, &signature, message, &pubkey) == 1);
+        CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 1);
+    }
+    /* Check that an invalid commitment does not verify */
+    {
+        unsigned char sigbytes[64];
+        size_t i;
+        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_verify(ctx, &signature, message, &pubkey) == 1);
+
+        CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1);
+        for(i = 0; i < 32; i++) {
+            /* change one byte */
+            sigbytes[i] = (((int)sigbytes[i]) + 1) % 256;
+            CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+            CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 0);
+            /* revert */
+            sigbytes[i] = (((int)sigbytes[i]) + 255) % 256;
+        }
+    }
+}
+
+static void test_ecdsa_anti_klepto_signer_commit(void) {
+    size_t i;
+    unsigned char privkey[32] = {
+        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+        0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+    };
+    unsigned char message[32] = {
+        0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88,
+        0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88,
+    };
+    /* Check that original pubnonce is derived from s2c_data */
+    for (i = 0; i < sizeof(ecdsa_s2c_tests) / sizeof(ecdsa_s2c_tests[0]); i++) {
+        secp256k1_ecdsa_s2c_opening s2c_opening;
+        unsigned char buf[33];
+        const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i];
+        CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1);
+        CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1);
+        CHECK(memcmp(test->expected_s2c_klepto_opening, buf, sizeof(buf)) == 0);
+    }
+}
+
+/* This tests the full ECDSA Anti-Klepto Protocol */
+static void test_ecdsa_anti_klepto(void) {
+    unsigned char signer_privkey[32];
+    unsigned char host_msg[32];
+    unsigned char host_commitment[32];
+    unsigned char host_nonce_contribution[32];
+    secp256k1_pubkey signer_pubkey;
+    secp256k1_ecdsa_signature signature;
+    secp256k1_ecdsa_s2c_opening s2c_opening;
+
+    /* Generate a random key, message. */
+    {
+        secp256k1_scalar key;
+        random_scalar_order_test(&key);
+        secp256k1_scalar_get_b32(signer_privkey, &key);
+        CHECK(secp256k1_ec_pubkey_create(ctx, &signer_pubkey, signer_privkey) == 1);
+        secp256k1_testrand256_test(host_msg);
+        secp256k1_testrand256_test(host_nonce_contribution);
+    }
+
+    /* Protocol step 1. */
+    CHECK(secp256k1_ecdsa_anti_klepto_host_commit(ctx, host_commitment, host_nonce_contribution) == 1);
+    /* Protocol step 2. */
+    CHECK(secp256k1_ecdsa_anti_klepto_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1);
+    /* Protocol step 3: host_nonce_contribution send to signer to be used in step 4. */
+    /* Protocol step 4. */
+    CHECK(secp256k1_anti_klepto_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1);
+    /* Protocol step 5. */
+    CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
+    /* Protocol step 5 (explicitly) */
+    CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1);
+    CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
+
+    { /* host_verify: commitment does not match */
+        unsigned char sigbytes[64];
+        size_t i;
+        CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1);
+        for(i = 0; i < 32; i++) {
+            /* change one byte */
+            sigbytes[i] += 1;
+            CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+            CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0);
+            CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
+            /* revert */
+            sigbytes[i] -= 1;
+        }
+        CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1);
+    }
+    { /* host_verify: message does not match */
+        unsigned char bad_msg[32];
+        secp256k1_testrand256_test(bad_msg);
+        CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1);
+        CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
+    }
+    { /* s2c_sign: host provided data that didn't match commitment */
+        secp256k1_ecdsa_s2c_opening orig_opening = s2c_opening;
+        unsigned char bad_nonce_contribution[32] = { 1, 2, 3, 4 };
+        CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1);
+        /* good signature but the opening (original public nonce does not match the original */
+        CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1);
+        CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0);
+        CHECK(secp256k1_anti_klepto_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1);
+        CHECK(memcmp(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0);
+    }
+}
+
+static void run_ecdsa_s2c_tests(void) {
+    run_s2c_opening_test();
+    test_ecdsa_s2c_tagged_hash();
+    test_ecdsa_s2c_api();
+    test_ecdsa_s2c_fixed_vectors();
+    test_ecdsa_s2c_sign_verify();
+
+    test_ecdsa_anti_klepto_signer_commit();
+    test_ecdsa_anti_klepto();
+}
+
+#endif /* SECP256K1_MODULE_ECDSA_S2C_TESTS_H */
--- a/src/modules/extrakeys/Makefile.am.include
+++ b/src/modules/extrakeys/Makefile.am.include
@@ -0,0 +1,4 @@
+include_HEADERS += include/secp256k1_extrakeys.h
+noinst_HEADERS += src/modules/extrakeys/tests_impl.h
+noinst_HEADERS += src/modules/extrakeys/tests_exhaustive_impl.h
+noinst_HEADERS += src/modules/extrakeys/main_impl.h
--- a/src/modules/extrakeys/main_impl.h
+++ b/src/modules/extrakeys/main_impl.h
@@ -0,0 +1,251 @@
+/**********************************************************************
+ * Copyright (c) 2020 Jonas Nick                                      *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_MODULE_EXTRAKEYS_MAIN_
+#define _SECP256K1_MODULE_EXTRAKEYS_MAIN_
+
+#include "include/secp256k1.h"
+#include "include/secp256k1_extrakeys.h"
+
+static SECP256K1_INLINE int secp256k1_xonly_pubkey_load(const secp256k1_context* ctx, secp256k1_ge *ge, const secp256k1_xonly_pubkey *pubkey) {
+    return secp256k1_pubkey_load(ctx, ge, (const secp256k1_pubkey *) pubkey);
+}
+
+static SECP256K1_INLINE void secp256k1_xonly_pubkey_save(secp256k1_xonly_pubkey *pubkey, secp256k1_ge *ge) {
+    secp256k1_pubkey_save((secp256k1_pubkey *) pubkey, ge);
+}
+
+int secp256k1_xonly_pubkey_parse(const secp256k1_context* ctx, secp256k1_xonly_pubkey *pubkey, const unsigned char *input32) {
+    secp256k1_ge pk;
+    secp256k1_fe x;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pubkey != NULL);
+    memset(pubkey, 0, sizeof(*pubkey));
+    ARG_CHECK(input32 != NULL);
+
+    if (!secp256k1_fe_set_b32(&x, input32)) {
+        return 0;
+    }
+    if (!secp256k1_ge_set_xo_var(&pk, &x, 0)) {
+        return 0;
+    }
+    if (!secp256k1_ge_is_in_correct_subgroup(&pk)) {
+        return 0;
+    }
+    secp256k1_xonly_pubkey_save(pubkey, &pk);
+    return 1;
+}
+
+int secp256k1_xonly_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output32, const secp256k1_xonly_pubkey *pubkey) {
+    secp256k1_ge pk;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(output32 != NULL);
+    memset(output32, 0, 32);
+    ARG_CHECK(pubkey != NULL);
+
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
+        return 0;
+    }
+    secp256k1_fe_get_b32(output32, &pk.x);
+    return 1;
+}
+
+/** Keeps a group element as is if it has an even Y and otherwise negates it.
+ *  y_parity is set to 0 in the former case and to 1 in the latter case.
+ *  Requires that the coordinates of r are normalized. */
+static int secp256k1_extrakeys_ge_even_y(secp256k1_ge *r) {
+    int y_parity = 0;
+    VERIFY_CHECK(!secp256k1_ge_is_infinity(r));
+
+    if (secp256k1_fe_is_odd(&r->y)) {
+        secp256k1_fe_negate(&r->y, &r->y, 1);
+        y_parity = 1;
+    }
+    return y_parity;
+}
+
+int secp256k1_xonly_pubkey_from_pubkey(const secp256k1_context* ctx, secp256k1_xonly_pubkey *xonly_pubkey, int *pk_parity, const secp256k1_pubkey *pubkey) {
+    secp256k1_ge pk;
+    int tmp;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(xonly_pubkey != NULL);
+    ARG_CHECK(pubkey != NULL);
+
+    if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) {
+        return 0;
+    }
+    tmp = secp256k1_extrakeys_ge_even_y(&pk);
+    if (pk_parity != NULL) {
+        *pk_parity = tmp;
+    }
+    secp256k1_xonly_pubkey_save(xonly_pubkey, &pk);
+    return 1;
+}
+
+int secp256k1_xonly_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
+    secp256k1_ge pk;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(output_pubkey != NULL);
+    memset(output_pubkey, 0, sizeof(*output_pubkey));
+    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
+    ARG_CHECK(internal_pubkey != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)
+        || !secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32)) {
+        return 0;
+    }
+    secp256k1_pubkey_save(output_pubkey, &pk);
+    return 1;
+}
+
+int secp256k1_xonly_pubkey_tweak_add_check(const secp256k1_context* ctx, const unsigned char *tweaked_pubkey32, int tweaked_pk_parity, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
+    secp256k1_ge pk;
+    unsigned char pk_expected32[32];
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
+    ARG_CHECK(internal_pubkey != NULL);
+    ARG_CHECK(tweaked_pubkey32 != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, internal_pubkey)
+        || !secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32)) {
+        return 0;
+    }
+    secp256k1_fe_normalize_var(&pk.x);
+    secp256k1_fe_normalize_var(&pk.y);
+    secp256k1_fe_get_b32(pk_expected32, &pk.x);
+
+    return secp256k1_memcmp_var(&pk_expected32, tweaked_pubkey32, 32) == 0
+            && secp256k1_fe_is_odd(&pk.y) == tweaked_pk_parity;
+}
+
+static void secp256k1_keypair_save(secp256k1_keypair *keypair, const secp256k1_scalar *sk, secp256k1_ge *pk) {
+    secp256k1_scalar_get_b32(&keypair->data[0], sk);
+    secp256k1_pubkey_save((secp256k1_pubkey *)&keypair->data[32], pk);
+}
+
+
+static int secp256k1_keypair_seckey_load(const secp256k1_context* ctx, secp256k1_scalar *sk, const secp256k1_keypair *keypair) {
+    int ret;
+
+    ret = secp256k1_scalar_set_b32_seckey(sk, &keypair->data[0]);
+    /* We can declassify ret here because sk is only zero if a keypair function
+     * failed (which zeroes the keypair) and its return value is ignored. */
+    secp256k1_declassify(ctx, &ret, sizeof(ret));
+    ARG_CHECK(ret);
+    return ret;
+}
+
+/* Load a keypair into pk and sk (if non-NULL). This function declassifies pk
+ * and ARG_CHECKs that the keypair is not invalid. It always initializes sk and
+ * pk with dummy values. */
+static int secp256k1_keypair_load(const secp256k1_context* ctx, secp256k1_scalar *sk, secp256k1_ge *pk, const secp256k1_keypair *keypair) {
+    int ret;
+    const secp256k1_pubkey *pubkey = (const secp256k1_pubkey *)&keypair->data[32];
+
+    /* Need to declassify the pubkey because pubkey_load ARG_CHECKs if it's
+     * invalid. */
+    secp256k1_declassify(ctx, pubkey, sizeof(*pubkey));
+    ret = secp256k1_pubkey_load(ctx, pk, pubkey);
+    if (sk != NULL) {
+        ret = ret && secp256k1_keypair_seckey_load(ctx, sk, keypair);
+    }
+    if (!ret) {
+        *pk = secp256k1_ge_const_g;
+        if (sk != NULL) {
+            *sk = secp256k1_scalar_one;
+        }
+    }
+    return ret;
+}
+
+int secp256k1_keypair_create(const secp256k1_context* ctx, secp256k1_keypair *keypair, const unsigned char *seckey32) {
+    secp256k1_scalar sk;
+    secp256k1_ge pk;
+    int ret = 0;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(keypair != NULL);
+    memset(keypair, 0, sizeof(*keypair));
+    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
+    ARG_CHECK(seckey32 != NULL);
+
+    ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &sk, &pk, seckey32);
+    secp256k1_keypair_save(keypair, &sk, &pk);
+    secp256k1_memczero(keypair, sizeof(*keypair), !ret);
+
+    secp256k1_scalar_clear(&sk);
+    return ret;
+}
+
+int secp256k1_keypair_pub(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_keypair *keypair) {
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pubkey != NULL);
+    memset(pubkey, 0, sizeof(*pubkey));
+    ARG_CHECK(keypair != NULL);
+
+    memcpy(pubkey->data, &keypair->data[32], sizeof(*pubkey));
+    return 1;
+}
+
+int secp256k1_keypair_xonly_pub(const secp256k1_context* ctx, secp256k1_xonly_pubkey *pubkey, int *pk_parity, const secp256k1_keypair *keypair) {
+    secp256k1_ge pk;
+    int tmp;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pubkey != NULL);
+    memset(pubkey, 0, sizeof(*pubkey));
+    ARG_CHECK(keypair != NULL);
+
+    if (!secp256k1_keypair_load(ctx, NULL, &pk, keypair)) {
+        return 0;
+    }
+    tmp = secp256k1_extrakeys_ge_even_y(&pk);
+    if (pk_parity != NULL) {
+        *pk_parity = tmp;
+    }
+    secp256k1_xonly_pubkey_save(pubkey, &pk);
+
+    return 1;
+}
+
+int secp256k1_keypair_xonly_tweak_add(const secp256k1_context* ctx, secp256k1_keypair *keypair, const unsigned char *tweak32) {
+    secp256k1_ge pk;
+    secp256k1_scalar sk;
+    int y_parity;
+    int ret;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
+    ARG_CHECK(keypair != NULL);
+    ARG_CHECK(tweak32 != NULL);
+
+    ret = secp256k1_keypair_load(ctx, &sk, &pk, keypair);
+    memset(keypair, 0, sizeof(*keypair));
+
+    y_parity = secp256k1_extrakeys_ge_even_y(&pk);
+    if (y_parity == 1) {
+        secp256k1_scalar_negate(&sk, &sk);
+    }
+
+    ret &= secp256k1_ec_seckey_tweak_add_helper(&sk, tweak32);
+    ret &= secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &pk, tweak32);
+
+    secp256k1_declassify(ctx, &ret, sizeof(ret));
+    if (ret) {
+        secp256k1_keypair_save(keypair, &sk, &pk);
+    }
+
+    secp256k1_scalar_clear(&sk);
+    return ret;
+}
+
+#endif
--- a/src/modules/extrakeys/tests_exhaustive_impl.h
+++ b/src/modules/extrakeys/tests_exhaustive_impl.h
@@ -0,0 +1,68 @@
+/**********************************************************************
+ * Copyright (c) 2020 Pieter Wuille                                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_MODULE_EXTRAKEYS_TESTS_EXHAUSTIVE_
+#define _SECP256K1_MODULE_EXTRAKEYS_TESTS_EXHAUSTIVE_
+
+#include "src/modules/extrakeys/main_impl.h"
+#include "include/secp256k1_extrakeys.h"
+
+static void test_exhaustive_extrakeys(const secp256k1_context *ctx, const secp256k1_ge* group) {
+    secp256k1_keypair keypair[EXHAUSTIVE_TEST_ORDER - 1];
+    secp256k1_pubkey pubkey[EXHAUSTIVE_TEST_ORDER - 1];
+    secp256k1_xonly_pubkey xonly_pubkey[EXHAUSTIVE_TEST_ORDER - 1];
+    int parities[EXHAUSTIVE_TEST_ORDER - 1];
+    unsigned char xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - 1][32];
+    int i;
+
+    for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {
+        secp256k1_fe fe;
+        secp256k1_scalar scalar_i;
+        unsigned char buf[33];
+        int parity;
+
+        secp256k1_scalar_set_int(&scalar_i, i);
+        secp256k1_scalar_get_b32(buf, &scalar_i);
+
+        /* Construct pubkey and keypair. */
+        CHECK(secp256k1_keypair_create(ctx, &keypair[i - 1], buf));
+        CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey[i - 1], buf));
+
+        /* Construct serialized xonly_pubkey from keypair. */
+        CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pubkey[i - 1], &parities[i - 1], &keypair[i - 1]));
+        CHECK(secp256k1_xonly_pubkey_serialize(ctx, xonly_pubkey_bytes[i - 1], &xonly_pubkey[i - 1]));
+
+        /* Parse the xonly_pubkey back and verify it matches the previously serialized value. */
+        CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pubkey[i - 1], xonly_pubkey_bytes[i - 1]));
+        CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf, &xonly_pubkey[i - 1]));
+        CHECK(secp256k1_memcmp_var(xonly_pubkey_bytes[i - 1], buf, 32) == 0);
+
+        /* Construct the xonly_pubkey from the pubkey, and verify it matches the same. */
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pubkey[i - 1], &parity, &pubkey[i - 1]));
+        CHECK(parity == parities[i - 1]);
+        CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf, &xonly_pubkey[i - 1]));
+        CHECK(secp256k1_memcmp_var(xonly_pubkey_bytes[i - 1], buf, 32) == 0);
+
+        /* Compare the xonly_pubkey bytes against the precomputed group. */
+        secp256k1_fe_set_b32(&fe, xonly_pubkey_bytes[i - 1]);
+        CHECK(secp256k1_fe_equal_var(&fe, &group[i].x));
+
+        /* Check the parity against the precomputed group. */
+        fe = group[i].y;
+        secp256k1_fe_normalize_var(&fe);
+        CHECK(secp256k1_fe_is_odd(&fe) == parities[i - 1]);
+
+        /* Verify that the higher half is identical to the lower half mirrored. */
+        if (i > EXHAUSTIVE_TEST_ORDER / 2) {
+            CHECK(secp256k1_memcmp_var(xonly_pubkey_bytes[i - 1], xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - i - 1], 32) == 0);
+            CHECK(parities[i - 1] == 1 - parities[EXHAUSTIVE_TEST_ORDER - i - 1]);
+        }
+    }
+
+    /* TODO: keypair/xonly_pubkey tweak tests */
+}
+
+#endif
--- a/src/modules/extrakeys/tests_impl.h
+++ b/src/modules/extrakeys/tests_impl.h
@@ -0,0 +1,524 @@
+/**********************************************************************
+ * Copyright (c) 2020 Jonas Nick                                      *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_MODULE_EXTRAKEYS_TESTS_
+#define _SECP256K1_MODULE_EXTRAKEYS_TESTS_
+
+#include "secp256k1_extrakeys.h"
+
+static secp256k1_context* api_test_context(int flags, int *ecount) {
+    secp256k1_context *ctx0 = secp256k1_context_create(flags);
+    secp256k1_context_set_error_callback(ctx0, counting_illegal_callback_fn, ecount);
+    secp256k1_context_set_illegal_callback(ctx0, counting_illegal_callback_fn, ecount);
+    return ctx0;
+}
+
+void test_xonly_pubkey(void) {
+    secp256k1_pubkey pk;
+    secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
+    secp256k1_ge pk1;
+    secp256k1_ge pk2;
+    secp256k1_fe y;
+    unsigned char sk[32];
+    unsigned char xy_sk[32];
+    unsigned char buf32[32];
+    unsigned char ones32[32];
+    unsigned char zeros64[64] = { 0 };
+    int pk_parity;
+    int i;
+
+    int ecount;
+    secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
+    secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
+    secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
+
+    secp256k1_testrand256(sk);
+    memset(ones32, 0xFF, 32);
+    secp256k1_testrand256(xy_sk);
+    CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
+
+    /* Test xonly_pubkey_from_pubkey */
+    ecount = 0;
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(sign, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(verify, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, NULL, &pk_parity, &pk) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, NULL) == 0);
+    CHECK(ecount == 2);
+    memset(&pk, 0, sizeof(pk));
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 0);
+    CHECK(ecount == 3);
+
+    /* Choose a secret key such that the resulting pubkey and xonly_pubkey match. */
+    memset(sk, 0, sizeof(sk));
+    sk[0] = 1;
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0);
+    CHECK(pk_parity == 0);
+
+    /* Choose a secret key such that pubkey and xonly_pubkey are each others
+     * negation. */
+    sk[0] = 2;
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0);
+    CHECK(pk_parity == 1);
+    secp256k1_pubkey_load(ctx, &pk1, &pk);
+    secp256k1_pubkey_load(ctx, &pk2, (secp256k1_pubkey *) &xonly_pk);
+    CHECK(secp256k1_fe_equal(&pk1.x, &pk2.x) == 1);
+    secp256k1_fe_negate(&y, &pk2.y, 1);
+    CHECK(secp256k1_fe_equal(&pk1.y, &y) == 1);
+
+    /* Test xonly_pubkey_serialize and xonly_pubkey_parse */
+    ecount = 0;
+    CHECK(secp256k1_xonly_pubkey_serialize(none, NULL, &xonly_pk) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, NULL) == 0);
+    CHECK(secp256k1_memcmp_var(buf32, zeros64, 32) == 0);
+    CHECK(ecount == 2);
+    {
+        /* A pubkey filled with 0s will fail to serialize due to pubkey_load
+         * special casing. */
+        secp256k1_xonly_pubkey pk_tmp;
+        memset(&pk_tmp, 0, sizeof(pk_tmp));
+        CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, &pk_tmp) == 0);
+    }
+    /* pubkey_load called illegal callback */
+    CHECK(ecount == 3);
+
+    CHECK(secp256k1_xonly_pubkey_serialize(none, buf32, &xonly_pk) == 1);
+    ecount = 0;
+    CHECK(secp256k1_xonly_pubkey_parse(none, NULL, buf32) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, NULL) == 0);
+    CHECK(ecount == 2);
+
+    /* Serialization and parse roundtrip */
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, NULL, &pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1);
+    CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0);
+
+    /* Test parsing invalid field elements */
+    memset(&xonly_pk, 1, sizeof(xonly_pk));
+    /* Overflowing field element */
+    CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, ones32) == 0);
+    CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
+    memset(&xonly_pk, 1, sizeof(xonly_pk));
+    /* There's no point with x-coordinate 0 on secp256k1 */
+    CHECK(secp256k1_xonly_pubkey_parse(none, &xonly_pk, zeros64) == 0);
+    CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
+    /* If a random 32-byte string can not be parsed with ec_pubkey_parse
+     * (because interpreted as X coordinate it does not correspond to a point on
+     * the curve) then xonly_pubkey_parse should fail as well. */
+    for (i = 0; i < count; i++) {
+        unsigned char rand33[33];
+        secp256k1_testrand256(&rand33[1]);
+        rand33[0] = SECP256K1_TAG_PUBKEY_EVEN;
+        if (!secp256k1_ec_pubkey_parse(ctx, &pk, rand33, 33)) {
+            memset(&xonly_pk, 1, sizeof(xonly_pk));
+            CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0);
+            CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0);
+        } else {
+            CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1);
+        }
+    }
+    CHECK(ecount == 2);
+
+    secp256k1_context_destroy(none);
+    secp256k1_context_destroy(sign);
+    secp256k1_context_destroy(verify);
+}
+
+void test_xonly_pubkey_tweak(void) {
+    unsigned char zeros64[64] = { 0 };
+    unsigned char overflows[32];
+    unsigned char sk[32];
+    secp256k1_pubkey internal_pk;
+    secp256k1_xonly_pubkey internal_xonly_pk;
+    secp256k1_pubkey output_pk;
+    int pk_parity;
+    unsigned char tweak[32];
+    int i;
+
+    int ecount;
+    secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
+    secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
+    secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
+
+    memset(overflows, 0xff, sizeof(overflows));
+    secp256k1_testrand256(tweak);
+    secp256k1_testrand256(sk);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
+
+    ecount = 0;
+    CHECK(secp256k1_xonly_pubkey_tweak_add(none, &output_pk, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(sign, &output_pk, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, NULL, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, NULL, tweak) == 0);
+    CHECK(ecount == 4);
+    /* NULL internal_xonly_pk zeroes the output_pk */
+    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, NULL) == 0);
+    CHECK(ecount == 5);
+    /* NULL tweak zeroes the output_pk */
+    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
+
+    /* Invalid tweak zeroes the output_pk */
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, overflows) == 0);
+    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk))  == 0);
+
+    /* A zero tweak is fine */
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, zeros64) == 1);
+
+    /* Fails if the resulting key was infinity */
+    for (i = 0; i < count; i++) {
+        secp256k1_scalar scalar_tweak;
+        /* Because sk may be negated before adding, we need to try with tweak =
+         * sk as well as tweak = -sk. */
+        secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
+        secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
+        secp256k1_scalar_get_b32(tweak, &scalar_tweak);
+        CHECK((secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, sk) == 0)
+              || (secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0));
+        CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
+    }
+
+    /* Invalid pk with a valid tweak */
+    memset(&internal_xonly_pk, 0, sizeof(internal_xonly_pk));
+    secp256k1_testrand256(tweak);
+    ecount = 0;
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk))  == 0);
+
+    secp256k1_context_destroy(none);
+    secp256k1_context_destroy(sign);
+    secp256k1_context_destroy(verify);
+}
+
+void test_xonly_pubkey_tweak_check(void) {
+    unsigned char zeros64[64] = { 0 };
+    unsigned char overflows[32];
+    unsigned char sk[32];
+    secp256k1_pubkey internal_pk;
+    secp256k1_xonly_pubkey internal_xonly_pk;
+    secp256k1_pubkey output_pk;
+    secp256k1_xonly_pubkey output_xonly_pk;
+    unsigned char output_pk32[32];
+    unsigned char buf32[32];
+    int pk_parity;
+    unsigned char tweak[32];
+
+    int ecount;
+    secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
+    secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
+    secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
+
+    memset(overflows, 0xff, sizeof(overflows));
+    secp256k1_testrand256(tweak);
+    secp256k1_testrand256(sk);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &internal_xonly_pk, &pk_parity, &internal_pk) == 1);
+
+    ecount = 0;
+    CHECK(secp256k1_xonly_pubkey_tweak_add(verify, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(verify, &output_xonly_pk, &pk_parity, &output_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(none, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(sign, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, NULL, pk_parity, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 3);
+    /* invalid pk_parity value */
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, 2, &internal_xonly_pk, tweak) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, NULL, tweak) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(verify, buf32, pk_parity, &internal_xonly_pk, NULL) == 0);
+    CHECK(ecount == 5);
+
+    memset(tweak, 1, sizeof(tweak));
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1);
+
+    /* Wrong pk_parity */
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0);
+    /* Wrong public key */
+    CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1);
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0);
+
+    /* Overflowing tweak not allowed */
+    CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0);
+    CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0);
+    CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0);
+    CHECK(ecount == 5);
+
+    secp256k1_context_destroy(none);
+    secp256k1_context_destroy(sign);
+    secp256k1_context_destroy(verify);
+}
+
+/* Starts with an initial pubkey and recursively creates N_PUBKEYS - 1
+ * additional pubkeys by calling tweak_add. Then verifies every tweak starting
+ * from the last pubkey. */
+#define N_PUBKEYS 32
+void test_xonly_pubkey_tweak_recursive(void) {
+    unsigned char sk[32];
+    secp256k1_pubkey pk[N_PUBKEYS];
+    unsigned char pk_serialized[32];
+    unsigned char tweak[N_PUBKEYS - 1][32];
+    int i;
+
+    secp256k1_testrand256(sk);
+    CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk) == 1);
+    /* Add tweaks */
+    for (i = 0; i < N_PUBKEYS - 1; i++) {
+        secp256k1_xonly_pubkey xonly_pk;
+        memset(tweak[i], i + 1, sizeof(tweak[i]));
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1);
+    }
+
+    /* Verify tweaks */
+    for (i = N_PUBKEYS - 1; i > 0; i--) {
+        secp256k1_xonly_pubkey xonly_pk;
+        int pk_parity;
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1);
+        CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1);
+        CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1);
+    }
+}
+#undef N_PUBKEYS
+
+void test_keypair(void) {
+    unsigned char sk[32];
+    unsigned char zeros96[96] = { 0 };
+    unsigned char overflows[32];
+    secp256k1_keypair keypair;
+    secp256k1_pubkey pk, pk_tmp;
+    secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp;
+    int pk_parity, pk_parity_tmp;
+    int ecount;
+    secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
+    secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
+    secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
+
+    CHECK(sizeof(zeros96) == sizeof(keypair));
+    memset(overflows, 0xFF, sizeof(overflows));
+
+    /* Test keypair_create */
+    ecount = 0;
+    secp256k1_testrand256(sk);
+    CHECK(secp256k1_keypair_create(none, &keypair, sk) == 0);
+    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_keypair_create(verify, &keypair, sk) == 0);
+    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_create(sign, NULL, sk) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_keypair_create(sign, &keypair, NULL) == 0);
+    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
+    CHECK(ecount == 4);
+
+    /* Invalid secret key */
+    CHECK(secp256k1_keypair_create(sign, &keypair, zeros96) == 0);
+    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
+    CHECK(secp256k1_keypair_create(sign, &keypair, overflows) == 0);
+    CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0);
+
+    /* Test keypair_pub */
+    ecount = 0;
+    secp256k1_testrand256(sk);
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_pub(none, &pk, &keypair) == 1);
+    CHECK(secp256k1_keypair_pub(none, NULL, &keypair) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_keypair_pub(none, &pk, NULL) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
+
+    /* Using an invalid keypair is fine for keypair_pub */
+    memset(&keypair, 0, sizeof(keypair));
+    CHECK(secp256k1_keypair_pub(none, &pk, &keypair) == 1);
+    CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0);
+
+    /* keypair holds the same pubkey as pubkey_create */
+    CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
+    CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_pub(none, &pk_tmp, &keypair) == 1);
+    CHECK(secp256k1_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0);
+
+    /** Test keypair_xonly_pub **/
+    ecount = 0;
+    secp256k1_testrand256(sk);
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(none, NULL, &pk_parity, &keypair) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, NULL, &keypair) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, NULL) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
+    /* Using an invalid keypair will set the xonly_pk to 0 (first reset
+     * xonly_pk). */
+    CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 1);
+    memset(&keypair, 0, sizeof(keypair));
+    CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk, &pk_parity, &keypair) == 0);
+    CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0);
+    CHECK(ecount == 3);
+
+    /** keypair holds the same xonly pubkey as pubkey_create **/
+    CHECK(secp256k1_ec_pubkey_create(sign, &pk, sk) == 1);
+    CHECK(secp256k1_xonly_pubkey_from_pubkey(none, &xonly_pk, &pk_parity, &pk) == 1);
+    CHECK(secp256k1_keypair_create(sign, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_xonly_pub(none, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1);
+    CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0);
+    CHECK(pk_parity == pk_parity_tmp);
+
+    secp256k1_context_destroy(none);
+    secp256k1_context_destroy(sign);
+    secp256k1_context_destroy(verify);
+}
+
+void test_keypair_add(void) {
+    unsigned char sk[32];
+    secp256k1_keypair keypair;
+    unsigned char overflows[32];
+    unsigned char zeros96[96] = { 0 };
+    unsigned char tweak[32];
+    int i;
+    int ecount = 0;
+    secp256k1_context *none = api_test_context(SECP256K1_CONTEXT_NONE, &ecount);
+    secp256k1_context *sign = api_test_context(SECP256K1_CONTEXT_SIGN, &ecount);
+    secp256k1_context *verify = api_test_context(SECP256K1_CONTEXT_VERIFY, &ecount);
+
+    CHECK(sizeof(zeros96) == sizeof(keypair));
+    secp256k1_testrand256(sk);
+    secp256k1_testrand256(tweak);
+    memset(overflows, 0xFF, 32);
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+
+    CHECK(secp256k1_keypair_xonly_tweak_add(none, &keypair, tweak) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(sign, &keypair, tweak) == 0);
+    CHECK(ecount == 2);
+    CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(verify, NULL, tweak) == 0);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, NULL) == 0);
+    CHECK(ecount == 4);
+    /* This does not set the keypair to zeroes */
+    CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0);
+
+    /* Invalid tweak zeroes the keypair */
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0);
+    CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair))  == 0);
+
+    /* A zero tweak is fine */
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1);
+
+    /* Fails if the resulting keypair was (sk=0, pk=infinity) */
+    for (i = 0; i < count; i++) {
+        secp256k1_scalar scalar_tweak;
+        secp256k1_keypair keypair_tmp;
+        secp256k1_testrand256(sk);
+        CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+        memcpy(&keypair_tmp, &keypair, sizeof(keypair));
+        /* Because sk may be negated before adding, we need to try with tweak =
+         * sk as well as tweak = -sk. */
+        secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL);
+        secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak);
+        secp256k1_scalar_get_b32(tweak, &scalar_tweak);
+        CHECK((secp256k1_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0)
+              || (secp256k1_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0));
+        CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0
+              || secp256k1_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0);
+    }
+
+    /* Invalid keypair with a valid tweak */
+    memset(&keypair, 0, sizeof(keypair));
+    secp256k1_testrand256(tweak);
+    ecount = 0;
+    CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
+    CHECK(ecount == 1);
+    CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair))  == 0);
+    /* Only seckey part of keypair invalid */
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    memset(&keypair, 0, 32);
+    CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
+    CHECK(ecount == 2);
+    /* Only pubkey part of keypair invalid */
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    memset(&keypair.data[32], 0, 64);
+    CHECK(secp256k1_keypair_xonly_tweak_add(verify, &keypair, tweak) == 0);
+    CHECK(ecount == 3);
+
+    /* Check that the keypair_tweak_add implementation is correct */
+    CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1);
+    for (i = 0; i < count; i++) {
+        secp256k1_xonly_pubkey internal_pk;
+        secp256k1_xonly_pubkey output_pk;
+        secp256k1_pubkey output_pk_xy;
+        secp256k1_pubkey output_pk_expected;
+        unsigned char pk32[32];
+        int pk_parity;
+
+        secp256k1_testrand256(tweak);
+        CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1);
+        CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1);
+        CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1);
+
+        /* Check that it passes xonly_pubkey_tweak_add_check */
+        CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1);
+
+        /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */
+        CHECK(secp256k1_keypair_pub(ctx, &output_pk_xy, &keypair) == 1);
+        CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1);
+        CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
+
+        /* Check that the secret key in the keypair is tweaked correctly */
+        CHECK(secp256k1_ec_pubkey_create(ctx, &output_pk_expected, &keypair.data[0]) == 1);
+        CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0);
+    }
+    secp256k1_context_destroy(none);
+    secp256k1_context_destroy(sign);
+    secp256k1_context_destroy(verify);
+}
+
+void run_extrakeys_tests(void) {
+    /* xonly key test cases */
+    test_xonly_pubkey();
+    test_xonly_pubkey_tweak();
+    test_xonly_pubkey_tweak_check();
+    test_xonly_pubkey_tweak_recursive();
+
+    /* keypair tests */
+    test_keypair();
+    test_keypair_add();
+}
+
+#endif
--- a/src/modules/generator/tests_impl.h
+++ b/src/modules/generator/tests_impl.h
@@ -33,8 +33,8 @@ void test_generator_api(void) {
    secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
    secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
    secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
-    secp256k1_rand256(key);
-    secp256k1_rand256(blind);
+    secp256k1_testrand256(key);
+    secp256k1_testrand256(blind);

    CHECK(secp256k1_generator_generate(none, &gen, key) == 1);
    CHECK(ecount == 0);
--- a/src/modules/musig/example.c
+++ b/src/modules/musig/example.c
@@ -18,8 +18,9 @@
 /* Number of public keys involved in creating the aggregate signature */
 #define N_SIGNERS 3
 /* Create a key pair and store it in seckey and pubkey */
-int create_key(const secp256k1_context* ctx, unsigned char* seckey, secp256k1_pubkey* pubkey) {
+int create_keypair(const secp256k1_context* ctx, unsigned char *seckey, secp256k1_xonly_pubkey *pubkey) {
    int ret;
+    secp256k1_keypair keypair;
    FILE *frand = fopen("/dev/urandom", "r");
    if (frand == NULL) {
        return 0;
@@ -32,32 +33,34 @@ int create_key(const secp256k1_context* ctx, unsigned char* seckey, secp256k1_pu
    /* The probability that this not a valid secret key is approximately 2^-128 */
    } while (!secp256k1_ec_seckey_verify(ctx, seckey));
    fclose(frand);
-    ret = secp256k1_ec_pubkey_create(ctx, pubkey, seckey);
+    ret = secp256k1_keypair_create(ctx, &keypair, seckey);
+    ret &= secp256k1_keypair_xonly_pub(ctx, pubkey, NULL, &keypair);
+
    return ret;
 }

 /* Sign a message hash with the given key pairs and store the result in sig */
-int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp256k1_pubkey* pubkeys, const unsigned char* msg32, secp256k1_schnorrsig *sig) {
+int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp256k1_xonly_pubkey* pubkeys, const unsigned char* msg32, unsigned char *sig64) {
    secp256k1_musig_session musig_session[N_SIGNERS];
    unsigned char nonce_commitment[N_SIGNERS][32];
    const unsigned char *nonce_commitment_ptr[N_SIGNERS];
    secp256k1_musig_session_signer_data signer_data[N_SIGNERS][N_SIGNERS];
-    secp256k1_pubkey nonce[N_SIGNERS];
+    unsigned char nonce[N_SIGNERS][32];
    int i, j;
    secp256k1_musig_partial_signature partial_sig[N_SIGNERS];

    for (i = 0; i < N_SIGNERS; i++) {
        FILE *frand;
        unsigned char session_id32[32];
-        unsigned char pk_hash[32];
-        secp256k1_pubkey combined_pk;
+        secp256k1_xonly_pubkey combined_pk;
+        secp256k1_musig_pre_session pre_session;

        /* Create combined pubkey and initialize signer data */
-        if (!secp256k1_musig_pubkey_combine(ctx, NULL, &combined_pk, pk_hash, pubkeys, N_SIGNERS)) {
+        if (!secp256k1_musig_pubkey_combine(ctx, NULL, &combined_pk, &pre_session, pubkeys, N_SIGNERS)) {
            return 0;
        }
        /* Create random session ID. It is absolutely necessary that the session ID
-         * is unique for every call of secp256k1_musig_session_initialize. Otherwise
+         * is unique for every call of secp256k1_musig_session_init. Otherwise
         * it's trivial for an attacker to extract the secret key! */
        frand = fopen("/dev/urandom", "r");
        if(frand == NULL) {
@@ -69,7 +72,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
        }
        fclose(frand);
        /* Initialize session */
-        if (!secp256k1_musig_session_initialize(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, pk_hash, N_SIGNERS, i, seckeys[i])) {
+        if (!secp256k1_musig_session_init(ctx, &musig_session[i], signer_data[i], nonce_commitment[i], session_id32, msg32, &combined_pk, &pre_session, N_SIGNERS, i, seckeys[i])) {
            return 0;
        }
        nonce_commitment_ptr[i] = &nonce_commitment[i][0];
@@ -77,14 +80,14 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
    /* Communication round 1: Exchange nonce commitments */
    for (i = 0; i < N_SIGNERS; i++) {
        /* Set nonce commitments in the signer data and get the own public nonce */
-        if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], &nonce[i], nonce_commitment_ptr, N_SIGNERS)) {
+        if (!secp256k1_musig_session_get_public_nonce(ctx, &musig_session[i], signer_data[i], nonce[i], nonce_commitment_ptr, N_SIGNERS, NULL)) {
            return 0;
        }
    }
    /* Communication round 2: Exchange nonces */
    for (i = 0; i < N_SIGNERS; i++) {
        for (j = 0; j < N_SIGNERS; j++) {
-            if (!secp256k1_musig_set_nonce(ctx, &signer_data[i][j], &nonce[j])) {
+            if (!secp256k1_musig_set_nonce(ctx, &signer_data[i][j], nonce[j])) {
                /* Signer j's nonce does not match the nonce commitment. In this case
                 * abort the protocol. If you make another attempt at finishing the
                 * protocol, create a new session (with a fresh session ID!). */
@@ -104,7 +107,7 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
    for (i = 0; i < N_SIGNERS; i++) {
        for (j = 0; j < N_SIGNERS; j++) {
            /* To check whether signing was successful, it suffices to either verify
-             * the the combined signature with the combined public key using
+             * the combined signature with the combined public key using
             * secp256k1_schnorrsig_verify, or verify all partial signatures of all
             * signers individually. Verifying the combined signature is cheaper but
             * verifying the individual partial signatures has the advantage that it
@@ -119,23 +122,23 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
            }
        }
    }
-    return secp256k1_musig_partial_sig_combine(ctx, &musig_session[0], sig, partial_sig, N_SIGNERS);
+    return secp256k1_musig_partial_sig_combine(ctx, &musig_session[0], sig64, partial_sig, N_SIGNERS);
 }

 int main(void) {
    secp256k1_context* ctx;
    int i;
    unsigned char seckeys[N_SIGNERS][32];
-    secp256k1_pubkey pubkeys[N_SIGNERS];
-    secp256k1_pubkey combined_pk;
+    secp256k1_xonly_pubkey pubkeys[N_SIGNERS];
+    secp256k1_xonly_pubkey combined_pk;
    unsigned char msg[32] = "this_could_be_the_hash_of_a_msg!";
-    secp256k1_schnorrsig sig;
+    unsigned char sig[64];

    /* Create a context for signing and verification */
    ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
    printf("Creating key pairs......");
    for (i = 0; i < N_SIGNERS; i++) {
-        if (!create_key(ctx, seckeys[i], &pubkeys[i])) {
+        if (!create_keypair(ctx, seckeys[i], &pubkeys[i])) {
            printf("FAILED\n");
            return 1;
        }
@@ -148,13 +151,13 @@ int sign(const secp256k1_context* ctx, unsigned char seckeys[][32], const secp25
    }
    printf("ok\n");
    printf("Signing message.........");
-    if (!sign(ctx, seckeys, pubkeys, msg, &sig)) {
+    if (!sign(ctx, seckeys, pubkeys, msg, sig)) {
        printf("FAILED\n");
        return 1;
    }
    printf("ok\n");
    printf("Verifying signature.....");
-    if (!secp256k1_schnorrsig_verify(ctx, &sig, msg, &combined_pk)) {
+    if (!secp256k1_schnorrsig_verify(ctx, sig, msg, &combined_pk)) {
        printf("FAILED\n");
        return 1;
    }
--- a/src/modules/musig/main_impl.h
+++ b/src/modules/musig/main_impl.h
@@ -7,23 +7,23 @@
 #ifndef _SECP256K1_MODULE_MUSIG_MAIN_
 #define _SECP256K1_MODULE_MUSIG_MAIN_

+#include <stdint.h>
 #include "include/secp256k1.h"
 #include "include/secp256k1_musig.h"
 #include "hash.h"

 /* Computes ell = SHA256(pk[0], ..., pk[np-1]) */
-static int secp256k1_musig_compute_ell(const secp256k1_context *ctx, unsigned char *ell, const secp256k1_pubkey *pk, size_t np) {
+static int secp256k1_musig_compute_ell(const secp256k1_context *ctx, unsigned char *ell, const secp256k1_xonly_pubkey *pk, size_t np) {
    secp256k1_sha256 sha;
    size_t i;

    secp256k1_sha256_initialize(&sha);
    for (i = 0; i < np; i++) {
-        unsigned char ser[33];
-        size_t serlen = sizeof(ser);
-        if (!secp256k1_ec_pubkey_serialize(ctx, ser, &serlen, &pk[i], SECP256K1_EC_COMPRESSED)) {
+        unsigned char ser[32];
+        if (!secp256k1_xonly_pubkey_serialize(ctx, ser, &pk[i])) {
            return 0;
        }
-        secp256k1_sha256_write(&sha, ser, serlen);
+        secp256k1_sha256_write(&sha, ser, 32);
    }
    secp256k1_sha256_finalize(&sha, ell);
    return 1;
@@ -77,17 +77,16 @@ static void secp256k1_musig_coefficient(secp256k1_scalar *r, const unsigned char
 typedef struct {
    const secp256k1_context *ctx;
    unsigned char ell[32];
-    const secp256k1_pubkey *pks;
+    const secp256k1_xonly_pubkey *pks;
 } secp256k1_musig_pubkey_combine_ecmult_data;

 /* Callback for batch EC multiplication to compute ell_0*P0 + ell_1*P1 + ...  */
 static int secp256k1_musig_pubkey_combine_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) {
    secp256k1_musig_pubkey_combine_ecmult_data *ctx = (secp256k1_musig_pubkey_combine_ecmult_data *) data;
    secp256k1_musig_coefficient(sc, ctx->ell, idx);
-    return secp256k1_pubkey_load(ctx->ctx, pt, &ctx->pks[idx]);
+    return secp256k1_xonly_pubkey_load(ctx->ctx, pt, &ctx->pks[idx]);
 }

-
 static void secp256k1_musig_signers_init(secp256k1_musig_session_signer_data *signers, uint32_t n_signers) {
    uint32_t i;
    for (i = 0; i < n_signers; i++) {
@@ -97,10 +96,13 @@ static void secp256k1_musig_signers_init(secp256k1_musig_session_signer_data *si
    }
 }

-int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scratch_space *scratch, secp256k1_pubkey *combined_pk, unsigned char *pk_hash32, const secp256k1_pubkey *pubkeys, size_t n_pubkeys) {
+static const uint64_t pre_session_magic = 0xf4adbbdf7c7dd304UL;
+
+int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scratch_space *scratch, secp256k1_xonly_pubkey *combined_pk, secp256k1_musig_pre_session *pre_session, const secp256k1_xonly_pubkey *pubkeys, size_t n_pubkeys) {
    secp256k1_musig_pubkey_combine_ecmult_data ecmult_data;
    secp256k1_gej pkj;
    secp256k1_ge pkp;
+    int pk_parity;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(combined_pk != NULL);
@@ -113,27 +115,60 @@ int secp256k1_musig_pubkey_combine(const secp256k1_context* ctx, secp256k1_scrat
    if (!secp256k1_musig_compute_ell(ctx, ecmult_data.ell, pubkeys, n_pubkeys)) {
        return 0;
    }
-    if (!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &pkj, NULL, secp256k1_musig_pubkey_combine_callback, (void *) &ecmult_data, n_pubkeys)) {
+    if (!secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &pkj, NULL, secp256k1_musig_pubkey_combine_callback, (void *) &ecmult_data, n_pubkeys)) {
        return 0;
    }
    secp256k1_ge_set_gej(&pkp, &pkj);
-    secp256k1_pubkey_save(combined_pk, &pkp);
+    secp256k1_fe_normalize(&pkp.y);
+    pk_parity = secp256k1_extrakeys_ge_even_y(&pkp);
+    secp256k1_xonly_pubkey_save(combined_pk, &pkp);

-    if (pk_hash32 != NULL) {
-        memcpy(pk_hash32, ecmult_data.ell, 32);
+    if (pre_session != NULL) {
+        pre_session->magic = pre_session_magic;
+        memcpy(pre_session->pk_hash, ecmult_data.ell, 32);
+        pre_session->pk_parity = pk_parity;
+        pre_session->is_tweaked = 0;
    }
    return 1;
 }

-int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const secp256k1_pubkey *combined_pk, const unsigned char *pk_hash32, size_t n_signers, size_t my_index, const unsigned char *seckey) {
-    unsigned char combined_ser[33];
-    size_t combined_ser_size = sizeof(combined_ser);
+int secp256k1_musig_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_musig_pre_session *pre_session, secp256k1_pubkey *output_pubkey, const secp256k1_xonly_pubkey *internal_pubkey, const unsigned char *tweak32) {
+    secp256k1_ge pk;
+
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(pre_session != NULL);
+    ARG_CHECK(pre_session->magic == pre_session_magic);
+    /* This function can only be called once because otherwise signing would not
+     * succeed */
+    ARG_CHECK(pre_session->is_tweaked == 0);
+
+    pre_session->internal_key_parity = pre_session->pk_parity;
+    if(!secp256k1_xonly_pubkey_tweak_add(ctx, output_pubkey, internal_pubkey, tweak32)) {
+        return 0;
+    }
+
+    memcpy(pre_session->tweak, tweak32, 32);
+    pre_session->is_tweaked = 1;
+
+    if (!secp256k1_pubkey_load(ctx, &pk, output_pubkey)) {
+        return 0;
+    }
+    pre_session->pk_parity = secp256k1_extrakeys_ge_even_y(&pk);
+    return 1;
+}
+
+static const uint64_t session_magic = 0xd92e6fc1ee41b4cbUL;
+
+int secp256k1_musig_session_init(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce_commitment32, const unsigned char *session_id32, const unsigned char *msg32, const secp256k1_xonly_pubkey *combined_pk, const secp256k1_musig_pre_session *pre_session, size_t n_signers, size_t my_index, const unsigned char *seckey) {
+    unsigned char combined_ser[32];
    int overflow;
    secp256k1_scalar secret;
    secp256k1_scalar mu;
    secp256k1_sha256 sha;
-    secp256k1_gej rj;
-    secp256k1_ge rp;
+    secp256k1_gej pj;
+    secp256k1_ge p;
+    unsigned char nonce_ser[32];
+    size_t nonce_ser_size = sizeof(nonce_ser);

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
@@ -142,30 +177,28 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m
    ARG_CHECK(nonce_commitment32 != NULL);
    ARG_CHECK(session_id32 != NULL);
    ARG_CHECK(combined_pk != NULL);
-    ARG_CHECK(pk_hash32 != NULL);
+    ARG_CHECK(pre_session != NULL);
+    ARG_CHECK(pre_session->magic == pre_session_magic);
    ARG_CHECK(seckey != NULL);

+    ARG_CHECK(n_signers > 0);
+    ARG_CHECK(n_signers <= UINT32_MAX);
+    ARG_CHECK(my_index < n_signers);
+
    memset(session, 0, sizeof(*session));

+    session->magic = session_magic;
    if (msg32 != NULL) {
        memcpy(session->msg, msg32, 32);
-        session->msg_is_set = 1;
+        session->is_msg_set = 1;
    } else {
-        session->msg_is_set = 0;
+        session->is_msg_set = 0;
    }
    memcpy(&session->combined_pk, combined_pk, sizeof(*combined_pk));
-    memcpy(session->pk_hash, pk_hash32, 32);
-    session->nonce_is_set = 0;
+    session->pre_session = *pre_session;
    session->has_secret_data = 1;
-    if (n_signers == 0 || my_index >= n_signers) {
-        return 0;
-    }
-    if (n_signers > UINT32_MAX) {
-        return 0;
-    }
    session->n_signers = (uint32_t) n_signers;
    secp256k1_musig_signers_init(signers, session->n_signers);
-    session->nonce_commitments_hash_is_set = 0;

    /* Compute secret key */
    secp256k1_scalar_set_b32(&secret, seckey, &overflow);
@@ -173,18 +206,47 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m
        secp256k1_scalar_clear(&secret);
        return 0;
    }
-    secp256k1_musig_coefficient(&mu, pk_hash32, (uint32_t) my_index);
+    secp256k1_musig_coefficient(&mu, session->pre_session.pk_hash, (uint32_t) my_index);
+    /* Compute the signer's public key point and determine if the secret is
+     * negated before signing. That happens if if the signer's pubkey has an odd
+     * Y coordinate XOR the MuSig-combined pubkey has an odd Y coordinate XOR
+     * (if tweaked) the internal key has an odd Y coordinate.
+     *
+     * This can be seen by looking at the secret key belonging to `combined_pk`.
+     * Let's define
+     * P' := mu_0*|P_0| + ... + mu_n*|P_n| where P_i is the i-th public key
+     * point x_i*G, mu_i is the i-th musig coefficient and |.| is a function
+     * that normalizes a point to an even Y by negating if necessary similar to
+     * secp256k1_extrakeys_ge_even_y. Then we have
+     * P := |P'| + t*G where t is the tweak.
+     * And the combined xonly public key is
+     * |P| = x*G
+     *      where x = sum_i(b_i*mu_i*x_i) + b'*t
+     *            b' = -1 if P != |P|, 1 otherwise
+     *            b_i = -1 if (P_i != |P_i| XOR P' != |P'| XOR P != |P|) and 1
+     *                otherwise.
+     */
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret);
+    secp256k1_ge_set_gej(&p, &pj);
+    secp256k1_fe_normalize(&p.y);
+    if((secp256k1_fe_is_odd(&p.y)
+            + session->pre_session.pk_parity
+            + (session->pre_session.is_tweaked
+                && session->pre_session.internal_key_parity))
+            % 2 == 1) {
+        secp256k1_scalar_negate(&secret, &secret);
+    }
    secp256k1_scalar_mul(&secret, &secret, &mu);
    secp256k1_scalar_get_b32(session->seckey, &secret);

    /* Compute secret nonce */
    secp256k1_sha256_initialize(&sha);
    secp256k1_sha256_write(&sha, session_id32, 32);
-    if (session->msg_is_set) {
+    if (session->is_msg_set) {
        secp256k1_sha256_write(&sha, msg32, 32);
    }
-    secp256k1_ec_pubkey_serialize(ctx, combined_ser, &combined_ser_size, combined_pk, SECP256K1_EC_COMPRESSED);
-    secp256k1_sha256_write(&sha, combined_ser, combined_ser_size);
+    secp256k1_xonly_pubkey_serialize(ctx, combined_ser, combined_pk);
+    secp256k1_sha256_write(&sha, combined_ser, 32);
    secp256k1_sha256_write(&sha, seckey, 32);
    secp256k1_sha256_finalize(&sha, session->secnonce);
    secp256k1_scalar_set_b32(&secret, session->secnonce, &overflow);
@@ -194,74 +256,81 @@ int secp256k1_musig_session_initialize(const secp256k1_context* ctx, secp256k1_m
    }

    /* Compute public nonce and commitment */
-    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &secret);
-    secp256k1_ge_set_gej(&rp, &rj);
-    secp256k1_pubkey_save(&session->nonce, &rp);
+    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &secret);
+    secp256k1_ge_set_gej(&p, &pj);
+    secp256k1_fe_normalize_var(&p.y);
+    session->partial_nonce_parity = secp256k1_extrakeys_ge_even_y(&p);
+    secp256k1_xonly_pubkey_save(&session->nonce, &p);

-    if (nonce_commitment32 != NULL) {
-        unsigned char commit[33];
-        size_t commit_size = sizeof(commit);
-        secp256k1_sha256_initialize(&sha);
-        secp256k1_ec_pubkey_serialize(ctx, commit, &commit_size, &session->nonce, SECP256K1_EC_COMPRESSED);
-        secp256k1_sha256_write(&sha, commit, commit_size);
-        secp256k1_sha256_finalize(&sha, nonce_commitment32);
-    }
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce);
+    secp256k1_sha256_write(&sha, nonce_ser, nonce_ser_size);
+    secp256k1_sha256_finalize(&sha, nonce_commitment32);

+    session->round = 0;
    secp256k1_scalar_clear(&secret);
    return 1;
 }

-int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, secp256k1_pubkey *nonce, const unsigned char *const *commitments, size_t n_commitments) {
+int secp256k1_musig_session_get_public_nonce(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, unsigned char *nonce, const unsigned char *const *commitments, size_t n_commitments, const unsigned char *msg32) {
    secp256k1_sha256 sha;
    unsigned char nonce_commitments_hash[32];
    size_t i;
+    unsigned char nonce_ser[32];
+    size_t nonce_ser_size = sizeof(nonce_ser);
    (void) ctx;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(session != NULL);
+    ARG_CHECK(session->magic == session_magic);
    ARG_CHECK(signers != NULL);
    ARG_CHECK(nonce != NULL);
    ARG_CHECK(commitments != NULL);

-    if (!session->has_secret_data || n_commitments != session->n_signers) {
-        return 0;
-    }
+    ARG_CHECK(session->round == 0);
+    /* If the message was not set during initialization it must be set now. */
+    ARG_CHECK(!(!session->is_msg_set && msg32 == NULL));
+    /* The message can only be set once. */
+    ARG_CHECK(!(session->is_msg_set && msg32 != NULL));
+    ARG_CHECK(session->has_secret_data);
+    ARG_CHECK(n_commitments == session->n_signers);
    for (i = 0; i < n_commitments; i++) {
        ARG_CHECK(commitments[i] != NULL);
    }

+    if (msg32 != NULL) {
+        memcpy(session->msg, msg32, 32);
+        session->is_msg_set = 1;
+    }
    secp256k1_sha256_initialize(&sha);
    for (i = 0; i < n_commitments; i++) {
        memcpy(signers[i].nonce_commitment, commitments[i], 32);
        secp256k1_sha256_write(&sha, commitments[i], 32);
    }
    secp256k1_sha256_finalize(&sha, nonce_commitments_hash);
-    if (session->nonce_commitments_hash_is_set
-            && memcmp(session->nonce_commitments_hash, nonce_commitments_hash, 32) != 0) {
-        /* Abort if get_public_nonce has been called before with a different array of
-         * commitments. */
-        return 0;
-    }
    memcpy(session->nonce_commitments_hash, nonce_commitments_hash, 32);
-    session->nonce_commitments_hash_is_set = 1;
-    memcpy(nonce, &session->nonce, sizeof(*nonce));
+
+    secp256k1_xonly_pubkey_serialize(ctx, nonce_ser, &session->nonce);
+    memcpy(nonce, &nonce_ser, nonce_ser_size);
+    session->round = 1;
    return 1;
 }

-int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, const unsigned char *msg32, const secp256k1_pubkey *combined_pk, const unsigned char *pk_hash32, const unsigned char *const *commitments, size_t n_signers) {
+int secp256k1_musig_session_init_verifier(const secp256k1_context* ctx, secp256k1_musig_session *session, secp256k1_musig_session_signer_data *signers, const unsigned char *msg32, const secp256k1_xonly_pubkey *combined_pk, const secp256k1_musig_pre_session *pre_session, const unsigned char *const *commitments, size_t n_signers) {
    size_t i;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(session != NULL);
    ARG_CHECK(signers != NULL);
+    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(combined_pk != NULL);
-    ARG_CHECK(pk_hash32 != NULL);
+    ARG_CHECK(pre_session != NULL);
+    ARG_CHECK(pre_session->magic == pre_session_magic);
    ARG_CHECK(commitments != NULL);
    /* Check n_signers before checking commitments to allow testing the case where
     * n_signers is big without allocating the space. */
-    if (n_signers > UINT32_MAX) {
-        return 0;
-    }
+    ARG_CHECK(n_signers > 0);
+    ARG_CHECK(n_signers <= UINT32_MAX);
    for (i = 0; i < n_signers; i++) {
        ARG_CHECK(commitments[i] != NULL);
    }
@@ -269,52 +338,48 @@ int secp256k1_musig_session_initialize_verifier(const secp256k1_context* ctx, se

    memset(session, 0, sizeof(*session));

+    session->magic = session_magic;
    memcpy(&session->combined_pk, combined_pk, sizeof(*combined_pk));
-    if (n_signers == 0) {
-        return 0;
-    }
+    session->pre_session = *pre_session;
    session->n_signers = (uint32_t) n_signers;
    secp256k1_musig_signers_init(signers, session->n_signers);

-    memcpy(session->pk_hash, pk_hash32, 32);
-    session->nonce_is_set = 0;
-    session->msg_is_set = 0;
-    if (msg32 != NULL) {
-        memcpy(session->msg, msg32, 32);
-        session->msg_is_set = 1;
-    }
+    session->pre_session = *pre_session;
+    session->is_msg_set = 1;
+    memcpy(session->msg, msg32, 32);
    session->has_secret_data = 0;
-    session->nonce_commitments_hash_is_set = 0;

    for (i = 0; i < n_signers; i++) {
        memcpy(signers[i].nonce_commitment, commitments[i], 32);
    }
+    session->round = 1;
    return 1;
 }

-int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_session_signer_data *signer, const secp256k1_pubkey *nonce) {
-    unsigned char commit[33];
-    size_t commit_size = sizeof(commit);
+int secp256k1_musig_set_nonce(const secp256k1_context* ctx, secp256k1_musig_session_signer_data *signer, const unsigned char *nonce) {
    secp256k1_sha256 sha;
+    unsigned char commit[32];

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(signer != NULL);
    ARG_CHECK(nonce != NULL);

    secp256k1_sha256_initialize(&sha);
-    secp256k1_ec_pubkey_serialize(ctx, commit, &commit_size, nonce, SECP256K1_EC_COMPRESSED);
-    secp256k1_sha256_write(&sha, commit, commit_size);
+    secp256k1_sha256_write(&sha, nonce, 32);
    secp256k1_sha256_finalize(&sha, commit);

    if (memcmp(commit, signer->nonce_commitment, 32) != 0) {
        return 0;
    }
    memcpy(&signer->nonce, nonce, sizeof(*nonce));
+    if (!secp256k1_xonly_pubkey_parse(ctx, &signer->nonce, nonce)) {
+        return 0;
+    }
    signer->present = 1;
    return 1;
 }

-int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signers, size_t n_signers, int *nonce_is_negated, const secp256k1_pubkey *adaptor) {
+int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signers, size_t n_signers, int *nonce_parity, const secp256k1_pubkey *adaptor) {
    secp256k1_gej combined_noncej;
    secp256k1_ge combined_noncep;
    secp256k1_ge noncep;
@@ -325,10 +390,10 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(session != NULL);
    ARG_CHECK(signers != NULL);
+    ARG_CHECK(session->magic == session_magic);
+    ARG_CHECK(session->round == 1);
+    ARG_CHECK(n_signers == session->n_signers);

-    if (n_signers != session->n_signers) {
-        return 0;
-    }
    secp256k1_sha256_initialize(&sha);
    secp256k1_gej_set_infinity(&combined_noncej);
    for (i = 0; i < n_signers; i++) {
@@ -336,20 +401,17 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256
            return 0;
        }
        secp256k1_sha256_write(&sha, signers[i].nonce_commitment, 32);
-        secp256k1_pubkey_load(ctx, &noncep, &signers[i].nonce);
+        secp256k1_xonly_pubkey_load(ctx, &noncep, &signers[i].nonce);
        secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL);
    }
    secp256k1_sha256_finalize(&sha, nonce_commitments_hash);
-    /* Either the session is a verifier session or or the nonce_commitments_hash has
-     * been set in `musig_session_get_public_nonce`. */
-    VERIFY_CHECK(!session->has_secret_data || session->nonce_commitments_hash_is_set);
+    /* If the signers' commitments changed between get_public_nonce and now we
+     * have to abort because in that case they may have seen our nonce before
+     * creating their commitment. That can happen if the signer_data given to
+     * this function is different to the signer_data given to get_public_nonce.
+     * */
    if (session->has_secret_data
            && memcmp(session->nonce_commitments_hash, nonce_commitments_hash, 32) != 0) {
-        /* If the signers' commitments changed between get_public_nonce and now we
-         * have to abort because in that case they may have seen our nonce before
-         * creating their commitment. That can happen if the signer_data given to
-         * this function is different to the signer_data given to get_public_nonce.
-         * */
        return 0;
    }

@@ -358,31 +420,16 @@ int secp256k1_musig_session_combine_nonces(const secp256k1_context* ctx, secp256
        secp256k1_pubkey_load(ctx, &noncep, adaptor);
        secp256k1_gej_add_ge_var(&combined_noncej, &combined_noncej, &noncep, NULL);
    }
+
+    /* Negate nonce if Y coordinate is not square */
    secp256k1_ge_set_gej(&combined_noncep, &combined_noncej);
-    if (secp256k1_fe_is_quad_var(&combined_noncep.y)) {
-        session->nonce_is_negated = 0;
-    } else {
-        session->nonce_is_negated = 1;
-        secp256k1_ge_neg(&combined_noncep, &combined_noncep);
+    secp256k1_fe_normalize_var(&combined_noncep.y);
+    session->combined_nonce_parity = secp256k1_extrakeys_ge_even_y(&combined_noncep);
+    if (nonce_parity != NULL) {
+        *nonce_parity = session->combined_nonce_parity;
    }
-    if (nonce_is_negated != NULL) {
-        *nonce_is_negated = session->nonce_is_negated;
-    }
-    secp256k1_pubkey_save(&session->combined_nonce, &combined_noncep);
-    session->nonce_is_set = 1;
-    return 1;
-}
-
-int secp256k1_musig_session_set_msg(const secp256k1_context* ctx, secp256k1_musig_session *session, const unsigned char *msg32) {
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(session != NULL);
-    ARG_CHECK(msg32 != NULL);
-
-    if (session->msg_is_set) {
-        return 0;
-    }
-    memcpy(session->msg, msg32, 32);
-    session->msg_is_set = 1;
+    secp256k1_xonly_pubkey_save(&session->combined_nonce, &combined_noncep);
+    session->round = 2;
    return 1;
 }

@@ -403,28 +450,22 @@ int secp256k1_musig_partial_signature_parse(const secp256k1_context* ctx, secp25
 }

 /* Compute msghash = SHA256(combined_nonce, combined_pk, msg) */
-static int secp256k1_musig_compute_messagehash(const secp256k1_context *ctx, unsigned char *msghash, const secp256k1_musig_session *session) {
-    unsigned char buf[33];
-    size_t bufsize = 33;
+static void secp256k1_musig_compute_messagehash(const secp256k1_context *ctx, unsigned char *msghash, const secp256k1_musig_session *session) {
+    unsigned char buf[32];
    secp256k1_ge rp;
    secp256k1_sha256 sha;

-    secp256k1_sha256_initialize(&sha);
-    if (!session->nonce_is_set) {
-        return 0;
-    }
-    secp256k1_pubkey_load(ctx, &rp, &session->combined_nonce);
+    VERIFY_CHECK(session->round >= 2);
+
+    secp256k1_schnorrsig_sha256_tagged(&sha);
+    secp256k1_xonly_pubkey_load(ctx, &rp, &session->combined_nonce);
    secp256k1_fe_get_b32(buf, &rp.x);
    secp256k1_sha256_write(&sha, buf, 32);
-    secp256k1_ec_pubkey_serialize(ctx, buf, &bufsize, &session->combined_pk, SECP256K1_EC_COMPRESSED);
-    VERIFY_CHECK(bufsize == 33);
-    secp256k1_sha256_write(&sha, buf, bufsize);
-    if (!session->msg_is_set) {
-        return 0;
-    }
+
+    secp256k1_xonly_pubkey_serialize(ctx, buf, &session->combined_pk);
+    secp256k1_sha256_write(&sha, buf, 32);
    secp256k1_sha256_write(&sha, session->msg, 32);
    secp256k1_sha256_finalize(&sha, msghash);
-    return 1;
 }

 int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_musig_session *session, secp256k1_musig_partial_signature *partial_sig) {
@@ -436,15 +477,12 @@ int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_m
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(partial_sig != NULL);
    ARG_CHECK(session != NULL);
-
-    if (!session->nonce_is_set || !session->has_secret_data) {
-        return 0;
-    }
+    ARG_CHECK(session->magic == session_magic);
+    ARG_CHECK(session->round == 2);
+    ARG_CHECK(session->has_secret_data);

    /* build message hash */
-    if (!secp256k1_musig_compute_messagehash(ctx, msghash, session)) {
-        return 0;
-    }
+    secp256k1_musig_compute_messagehash(ctx, msghash, session);
    secp256k1_scalar_set_b32(&e, msghash, NULL);

    secp256k1_scalar_set_b32(&sk, session->seckey, &overflow);
@@ -459,7 +497,7 @@ int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_m
        secp256k1_scalar_clear(&k);
        return 0;
    }
-    if (session->nonce_is_negated) {
+    if (session->partial_nonce_parity != session->combined_nonce_parity) {
        secp256k1_scalar_negate(&k, &k);
    }

@@ -473,20 +511,19 @@ int secp256k1_musig_partial_sign(const secp256k1_context* ctx, const secp256k1_m
    return 1;
 }

-int secp256k1_musig_partial_sig_combine(const secp256k1_context* ctx, const secp256k1_musig_session *session, secp256k1_schnorrsig *sig, const secp256k1_musig_partial_signature *partial_sigs, size_t n_sigs) {
+int secp256k1_musig_partial_sig_combine(const secp256k1_context* ctx, const secp256k1_musig_session *session, unsigned char *sig64, const secp256k1_musig_partial_signature *partial_sigs, size_t n_sigs) {
    size_t i;
    secp256k1_scalar s;
    secp256k1_ge noncep;
    (void) ctx;

    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(sig != NULL);
+    ARG_CHECK(sig64 != NULL);
    ARG_CHECK(partial_sigs != NULL);
    ARG_CHECK(session != NULL);
+    ARG_CHECK(session->magic == session_magic);
+    ARG_CHECK(session->round == 2);

-    if (!session->nonce_is_set) {
-        return 0;
-    }
    if (n_sigs != session->n_signers) {
        return 0;
    }
@@ -502,21 +539,43 @@ int secp256k1_musig_partial_sig_combine(const secp256k1_context* ctx, const secp
        secp256k1_scalar_add(&s, &s, &term);
    }

-    secp256k1_pubkey_load(ctx, &noncep, &session->combined_nonce);
-    VERIFY_CHECK(secp256k1_fe_is_quad_var(&noncep.y));
+    /* If there is a tweak then add (or subtract) `msghash` times `tweak` to `s`.*/
+    if (session->pre_session.is_tweaked) {
+        unsigned char msghash[32];
+        secp256k1_scalar e, scalar_tweak;
+        int overflow = 0;
+
+        secp256k1_musig_compute_messagehash(ctx, msghash, session);
+        secp256k1_scalar_set_b32(&e, msghash, NULL);
+        secp256k1_scalar_set_b32(&scalar_tweak, session->pre_session.tweak, &overflow);
+        if (overflow || !secp256k1_eckey_privkey_tweak_mul(&e, &scalar_tweak)) {
+            /* This mimics the behavior of secp256k1_ec_seckey_tweak_mul regarding
+             * overflow and tweak being 0. */
+            return 0;
+        }
+        if (session->pre_session.pk_parity) {
+            secp256k1_scalar_negate(&e, &e);
+        }
+        secp256k1_scalar_add(&s, &s, &e);
+    }
+
+    secp256k1_xonly_pubkey_load(ctx, &noncep, &session->combined_nonce);
+    VERIFY_CHECK(!secp256k1_fe_is_odd(&noncep.y));
    secp256k1_fe_normalize(&noncep.x);
-    secp256k1_fe_get_b32(&sig->data[0], &noncep.x);
-    secp256k1_scalar_get_b32(&sig->data[32], &s);
+    secp256k1_fe_get_b32(&sig64[0], &noncep.x);
+    secp256k1_scalar_get_b32(&sig64[32], &s);

    return 1;
 }

-int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signer, const secp256k1_musig_partial_signature *partial_sig, const secp256k1_pubkey *pubkey) {
+int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp256k1_musig_session *session, const secp256k1_musig_session_signer_data *signer, const secp256k1_musig_partial_signature *partial_sig, const secp256k1_xonly_pubkey *pubkey) {
    unsigned char msghash[32];
    secp256k1_scalar s;
    secp256k1_scalar e;
    secp256k1_scalar mu;
+    secp256k1_gej pkj;
    secp256k1_gej rj;
+    secp256k1_ge pkp;
    secp256k1_ge rp;
    int overflow;

@@ -526,33 +585,47 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2
    ARG_CHECK(signer != NULL);
    ARG_CHECK(partial_sig != NULL);
    ARG_CHECK(pubkey != NULL);
+    ARG_CHECK(session->magic == session_magic);
+    ARG_CHECK(session->round == 2);
+    ARG_CHECK(signer->present);

-    if (!session->nonce_is_set || !signer->present) {
-        return 0;
-    }
    secp256k1_scalar_set_b32(&s, partial_sig->data, &overflow);
    if (overflow) {
        return 0;
    }
-    if (!secp256k1_musig_compute_messagehash(ctx, msghash, session)) {
-        return 0;
-    }
+    secp256k1_musig_compute_messagehash(ctx, msghash, session);
    secp256k1_scalar_set_b32(&e, msghash, NULL);

    /* Multiplying the messagehash by the musig coefficient is equivalent
     * to multiplying the signer's public key by the coefficient, except
     * much easier to do. */
-    secp256k1_musig_coefficient(&mu, session->pk_hash, signer->index);
+    secp256k1_musig_coefficient(&mu, session->pre_session.pk_hash, signer->index);
    secp256k1_scalar_mul(&e, &e, &mu);

-    if (!secp256k1_pubkey_load(ctx, &rp, &signer->nonce)) {
+    if (!secp256k1_xonly_pubkey_load(ctx, &rp, &signer->nonce)) {
        return 0;
    }

-    if (!secp256k1_schnorrsig_real_verify(ctx, &rj, &s, &e, pubkey)) {
+    /* If the MuSig-combined point has an odd Y coordinate, the signers will
+     * sign for the negation of their individual xonly public key such that the
+     * combined signature is valid for the MuSig aggregated xonly key. If the
+     * MuSig-combined point was tweaked then `e` is negated if the combined key
+     * has an odd Y coordinate XOR the internal key has an odd Y coordinate.*/
+    if (session->pre_session.pk_parity
+            != (session->pre_session.is_tweaked
+                && session->pre_session.internal_key_parity)) {
+        secp256k1_scalar_negate(&e, &e);
+    }
+
+    /* Compute rj =  s*G + (-e)*pkj */
+    secp256k1_scalar_negate(&e, &e);
+    if (!secp256k1_xonly_pubkey_load(ctx, &pkp, pubkey)) {
        return 0;
    }
-    if (!session->nonce_is_negated) {
+    secp256k1_gej_set_ge(&pkj, &pkp);
+    secp256k1_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s);
+
+    if (!session->combined_nonce_parity) {
        secp256k1_ge_neg(&rp, &rp);
    }
    secp256k1_gej_add_ge_var(&rj, &rj, &rp, NULL);
@@ -560,7 +633,7 @@ int secp256k1_musig_partial_sig_verify(const secp256k1_context* ctx, const secp2
    return secp256k1_gej_is_infinity(&rj);
 }

-int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_musig_partial_signature *adaptor_sig, const secp256k1_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_is_negated) {
+int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_musig_partial_signature *adaptor_sig, const secp256k1_musig_partial_signature *partial_sig, const unsigned char *sec_adaptor32, int nonce_parity) {
    secp256k1_scalar s;
    secp256k1_scalar t;
    int overflow;
@@ -581,7 +654,7 @@ int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_mu
        return 0;
    }

-    if (nonce_is_negated) {
+    if (nonce_parity) {
        secp256k1_scalar_negate(&t, &t);
    }

@@ -591,7 +664,7 @@ int secp256k1_musig_partial_sig_adapt(const secp256k1_context* ctx, secp256k1_mu
    return 1;
 }

-int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigned char *sec_adaptor32, const secp256k1_schnorrsig *sig, const secp256k1_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_is_negated) {
+int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigned char *sec_adaptor32, const unsigned char *sig64, const secp256k1_musig_partial_signature *partial_sigs, size_t n_partial_sigs, int nonce_parity) {
    secp256k1_scalar t;
    secp256k1_scalar s;
    int overflow;
@@ -600,10 +673,10 @@ int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigne
    (void) ctx;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(sec_adaptor32 != NULL);
-    ARG_CHECK(sig != NULL);
+    ARG_CHECK(sig64 != NULL);
    ARG_CHECK(partial_sigs != NULL);

-    secp256k1_scalar_set_b32(&t, &sig->data[32], &overflow);
+    secp256k1_scalar_set_b32(&t, &sig64[32], &overflow);
    if (overflow) {
        return 0;
    }
@@ -618,7 +691,7 @@ int secp256k1_musig_extract_secret_adaptor(const secp256k1_context* ctx, unsigne
        secp256k1_scalar_add(&t, &t, &s);
    }

-    if (!nonce_is_negated) {
+    if (!nonce_parity) {
        secp256k1_scalar_negate(&t, &t);
    }
    secp256k1_scalar_get_b32(sec_adaptor32, &t);
--- a/src/modules/musig/musig.md
+++ b/src/modules/musig/musig.md
@@ -14,7 +14,7 @@ The resulting signatures are valid Schnorr signatures as described in [2].
 In MuSig all signers contribute key material to a single signing key,
 using the equation

-    P = sum_i µ_i - P_i
+    P = sum_i µ_i * P_i

 where `P_i` is the public key of the `i`th signer and `µ_i` is a so-called
 _MuSig coefficient_ computed according to the following equation
@@ -74,7 +74,7 @@ signature process, which is also a supported mode) acts as follows.

 ### Signing Participant

-1. The signer starts the session by calling `secp256k1_musig_session_initialize`.
+1. The signer starts the session by calling `secp256k1_musig_session_init`.
   This function outputs
   - an initialized session state in the out-pointer `session`
   - an array of initialized signer data in the out-pointer `signers`
@@ -91,6 +91,8 @@ signature process, which is also a supported mode) acts as follows.
   length-32 byte arrays which can be communicated however is communicated.
 3. Once all signers nonce commitments have been received, the signer records
   these commitments with the function `secp256k1_musig_session_get_public_nonce`.
+   If the signer did not provide a message to `secp256k1_musig_session_init`,
+   a message must be provided now.
   This function updates in place
   - the session state `session`
   - the array of signer data `signers`
@@ -111,9 +113,6 @@ signature process, which is also a supported mode) acts as follows.
   - the array of signer data `signers`
   It outputs an auxiliary integer `nonce_is_negated` and has an auxiliary input
   `adaptor`. Both of these may be set to NULL for ordinary signing purposes.
-   If the signer did not provide a message to `secp256k1_musig_session_initialize`,
-   a message must be provided now by calling `secp256k1_musig_session_set_msg` which
-   updates the session state in place.
 6. The signer computes a partial signature `s_i` using the function
   `secp256k1_musig_partial_sign` which takes the session state as input and
   partial signature as output.
@@ -134,8 +133,8 @@ A participant who wants to verify the signing process, i.e. check that nonce com
 are consistent and partial signatures are correct without contributing a partial signature,
 may do so using the above instructions except for the following changes:

-1. A signing session should be produced using `musig_session_initialize_verifier`
-   rather than `musig_session_initialize`; this function takes no secret data or
+1. A signing session should be produced using `musig_session_init_verifier`
+   rather than `musig_session_init`; this function takes no secret data or
   signer index.
 2. The participant receives nonce commitments, public nonces and partial signatures,
   but does not produce these values. Therefore `secp256k1_musig_session_get_public_nonce`
--- a/src/modules/musig/tests_impl.h
+++ b/src/modules/musig/tests_impl.h
--- a/src/modules/rangeproof/borromean_impl.h
+++ b/src/modules/rangeproof/borromean_impl.h
@@ -20,9 +20,9 @@
 #include <limits.h>
 #include <string.h>

-#ifdef WORDS_BIGENDIAN
+#if defined(SECP256K1_BIG_ENDIAN)
 #define BE32(x) (x)
-#else
+#elif defined(SECP256K1_LITTLE_ENDIAN)
 #define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
 #endif

--- a/src/modules/rangeproof/main_impl.h
+++ b/src/modules/rangeproof/main_impl.h
@@ -14,15 +14,15 @@
 #include "modules/rangeproof/rangeproof_impl.h"

 /** Alternative generator for secp256k1.
- *  This is the sha256 of 'g' after DER encoding (without compression),
+ *  This is the sha256 of 'g' after standard encoding (without compression),
 *  which happens to be a point on the curve. More precisely, the generator is
 *  derived by running the following script with the sage mathematics software.

    import hashlib
    F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
-    G_DER = '0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'
-    G2 = EllipticCurve ([F (0), F (7)]).lift_x(F(int(hashlib.sha256(G_DER.decode('hex')).hexdigest(),16)))
-    print('%x %x' % G2.xy())
+    G = '0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'
+    H = EllipticCurve ([F (0), F (7)]).lift_x(F(int(hashlib.sha256(G.decode('hex')).hexdigest(),16)))
+    print('%x %x' % H.xy())
 */
 static const secp256k1_generator secp256k1_generator_h_internal = {{
    0x50, 0x92, 0x9b, 0x74, 0xc1, 0xa0, 0x49, 0x54, 0xb7, 0x8b, 0x4b, 0x60, 0x35, 0xe9, 0x7a, 0x5e,
--- a/src/modules/rangeproof/tests_impl.h
+++ b/src/modules/rangeproof/tests_impl.h
@@ -23,9 +23,9 @@ static void test_pedersen_api(const secp256k1_context *none, const secp256k1_con
    unsigned char blind_out[32];
    const unsigned char *blind_ptr = blind;
    unsigned char *blind_out_ptr = blind_out;
-    uint64_t val = secp256k1_rand32();
+    uint64_t val = secp256k1_testrand32();

-    secp256k1_rand256(blind);
+    secp256k1_testrand256(blind);
    CHECK(secp256k1_pedersen_commit(none, &commit, blind, val, secp256k1_generator_h) == 0);
    CHECK(*ecount == 1);
    CHECK(secp256k1_pedersen_commit(vrfy, &commit, blind, val, secp256k1_generator_h) == 0);
@@ -80,8 +80,8 @@ static void test_rangeproof_api(const secp256k1_context *none, const secp256k1_c
    unsigned char proof[5134];
    unsigned char blind[32];
    secp256k1_pedersen_commitment commit;
-    uint64_t vmin = secp256k1_rand32();
-    uint64_t val = vmin + secp256k1_rand32();
+    uint64_t vmin = secp256k1_testrand32();
+    uint64_t val = vmin + secp256k1_testrand32();
    size_t len = sizeof(proof);
    /* we'll switch to dylan thomas for this one */
    const unsigned char message[68] = "My tears are like the quiet drift / Of petals from some magic rose;";
@@ -89,7 +89,7 @@ static void test_rangeproof_api(const secp256k1_context *none, const secp256k1_c
    const unsigned char ext_commit[72] = "And all my grief flows from the rift / Of unremembered skies and snows.";
    size_t ext_commit_len = sizeof(ext_commit);

-    secp256k1_rand256(blind);
+    secp256k1_testrand256(blind);
    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h));

    CHECK(secp256k1_rangeproof_sign(none, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0);
@@ -271,8 +271,8 @@ static void test_pedersen(void) {
    int inputs;
    int outputs;
    int total;
-    inputs = (secp256k1_rand32() & 7) + 1;
-    outputs = (secp256k1_rand32() & 7) + 2;
+    inputs = (secp256k1_testrand32() & 7) + 1;
+    outputs = (secp256k1_testrand32() & 7) + 2;
    total = inputs + outputs;
    for (i = 0; i < 19; i++) {
        cptr[i] = &commits[i];
@@ -280,11 +280,11 @@ static void test_pedersen(void) {
    }
    totalv = 0;
    for (i = 0; i < inputs; i++) {
-        values[i] = secp256k1_rands64(0, INT64_MAX - totalv);
+        values[i] = secp256k1_testrandi64(0, INT64_MAX - totalv);
        totalv += values[i];
    }
    for (i = 0; i < outputs - 1; i++) {
-        values[i + inputs] = secp256k1_rands64(0, totalv);
+        values[i + inputs] = secp256k1_testrandi64(0, totalv);
        totalv -= values[i + inputs];
    }
    values[total - 1] = totalv;
@@ -331,27 +331,27 @@ static void test_borromean(void) {
    size_t i;
    size_t j;
    int c;
-    secp256k1_rand256_test(m);
-    nrings = 1 + (secp256k1_rand32()&7);
+    secp256k1_testrand256_test(m);
+    nrings = 1 + (secp256k1_testrand32()&7);
    c = 0;
    secp256k1_scalar_set_int(&one, 1);
-    if (secp256k1_rand32()&1) {
+    if (secp256k1_testrand32()&1) {
        secp256k1_scalar_negate(&one, &one);
    }
    for (i = 0; i < nrings; i++) {
-        rsizes[i] = 1 + (secp256k1_rand32()&7);
-        secidx[i] = secp256k1_rand32() % rsizes[i];
+        rsizes[i] = 1 + (secp256k1_testrand32()&7);
+        secidx[i] = secp256k1_testrand32() % rsizes[i];
        random_scalar_order(&sec[i]);
        random_scalar_order(&k[i]);
-        if(secp256k1_rand32()&7) {
+        if(secp256k1_testrand32()&7) {
            sec[i] = one;
        }
-        if(secp256k1_rand32()&7) {
+        if(secp256k1_testrand32()&7) {
            k[i] = one;
        }
        for (j = 0; j < rsizes[i]; j++) {
            random_scalar_order(&s[c + j]);
-            if(secp256k1_rand32()&7) {
+            if(secp256k1_testrand32()&7) {
                s[i] = one;
            }
            if (j == secidx[i]) {
@@ -365,14 +365,14 @@ static void test_borromean(void) {
    }
    CHECK(secp256k1_borromean_sign(&ctx->ecmult_ctx, &ctx->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32));
    CHECK(secp256k1_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32));
-    i = secp256k1_rand32() % c;
+    i = secp256k1_testrand32() % c;
    secp256k1_scalar_negate(&s[i],&s[i]);
    CHECK(!secp256k1_borromean_verify(&ctx->ecmult_ctx, NULL, e0, s, pubs, rsizes, nrings, m, 32));
    secp256k1_scalar_negate(&s[i],&s[i]);
    secp256k1_scalar_set_int(&one, 1);
    for(j = 0; j < 4; j++) {
-        i = secp256k1_rand32() % c;
-        if (secp256k1_rand32() & 1) {
+        i = secp256k1_testrand32() % c;
+        if (secp256k1_testrand32() & 1) {
            secp256k1_gej_double_var(&pubs[i],&pubs[i], NULL);
        } else {
            secp256k1_scalar_add(&s[i],&s[i],&one);
@@ -408,7 +408,7 @@ static void test_rangeproof(void) {
        memcpy(&message_long[i], message_short, sizeof(message_short));
    }

-    secp256k1_rand256(blind);
+    secp256k1_testrand256(blind);
    for (i = 0; i < 11; i++) {
        v = testvs[i];
        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
@@ -464,7 +464,7 @@ static void test_rangeproof(void) {
            CHECK(maxv == v);
        }
    }
-    secp256k1_rand256(blind);
+    secp256k1_testrand256(blind);
    v = INT64_MAX - 1;
    CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
    for (i = 0; i < 19; i++) {
@@ -477,10 +477,10 @@ static void test_rangeproof(void) {
        /* Make sure it fails when validating with a committed message */
        CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h));
    }
-    secp256k1_rand256(blind);
+    secp256k1_testrand256(blind);
    {
        /*Malleability test.*/
-        v = secp256k1_rands64(0, 255);
+        v = secp256k1_testrandi64(0, 255);
        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
        len = 5134;
        CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h));
@@ -498,22 +498,22 @@ static void test_rangeproof(void) {
        CHECK(maxv >= v);
    }
    memcpy(&commit2, &commit, sizeof(commit));
-    for (i = 0; i < (size_t) 2*count; i++) {
+    for (i = 0; i < (size_t) count; i++) {
        int exp;
        int min_bits;
-        v = secp256k1_rands64(0, UINT64_MAX >> (secp256k1_rand32()&63));
+        v = secp256k1_testrandi64(0, UINT64_MAX >> (secp256k1_testrand32()&63));
        vmin = 0;
-        if ((v < INT64_MAX) && (secp256k1_rand32()&1)) {
-            vmin = secp256k1_rands64(0, v);
+        if ((v < INT64_MAX) && (secp256k1_testrand32()&1)) {
+            vmin = secp256k1_testrandi64(0, v);
        }
-        secp256k1_rand256(blind);
+        secp256k1_testrand256(blind);
        CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h));
        len = 5134;
-        exp = (int)secp256k1_rands64(0,18)-(int)secp256k1_rands64(0,18);
+        exp = (int)secp256k1_testrandi64(0,18)-(int)secp256k1_testrandi64(0,18);
        if (exp < 0) {
            exp = -exp;
        }
-        min_bits = (int)secp256k1_rands64(0,64)-(int)secp256k1_rands64(0,64);
+        min_bits = (int)secp256k1_testrandi64(0,64)-(int)secp256k1_testrandi64(0,64);
        if (min_bits < 0) {
            min_bits = -min_bits;
        }
@@ -532,23 +532,23 @@ static void test_rangeproof(void) {
        CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h));
        memcpy(&commit2, &commit, sizeof(commit));
    }
-    for (j = 0; j < 5; j++) {
+    for (j = 0; j < 3; j++) {
        for (i = 0; i < 96; i++) {
-            secp256k1_rand256(&proof[i * 32]);
+            secp256k1_testrand256(&proof[i * 32]);
        }
-        for (k = 0; k < 128; k++) {
+        for (k = 0; k < 128; k += 3) {
            len = k;
            CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h));
        }
-        len = secp256k1_rands64(0, 3072);
+        len = secp256k1_testrandi64(0, 3072);
        CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h));
    }
 }

 #define MAX_N_GENS	30
 void test_multiple_generators(void) {
-    const size_t n_inputs = (secp256k1_rand32() % (MAX_N_GENS / 2)) + 1;
-    const size_t n_outputs = (secp256k1_rand32() % (MAX_N_GENS / 2)) + 1;
+    const size_t n_inputs = (secp256k1_testrand32() % (MAX_N_GENS / 2)) + 1;
+    const size_t n_outputs = (secp256k1_testrand32() % (MAX_N_GENS / 2)) + 1;
    const size_t n_generators = n_inputs + n_outputs;
    unsigned char *generator_blind[MAX_N_GENS];
    unsigned char *pedersen_blind[MAX_N_GENS];
@@ -582,11 +582,11 @@ void test_multiple_generators(void) {
    /* Compute all the values -- can be positive or negative */
    total_value = 0;
    for (i = 0; i < n_outputs; i++) {
-        value[n_inputs + i] = secp256k1_rands64(0, INT64_MAX - total_value);
+        value[n_inputs + i] = secp256k1_testrandi64(0, INT64_MAX - total_value);
        total_value += value[n_inputs + i];
    }
    for (i = 0; i < n_inputs - 1; i++) {
-        value[i] = secp256k1_rands64(0, total_value);
+        value[i] = secp256k1_testrandi64(0, total_value);
        total_value -= value[i];
    }
    value[i] = total_value;
@@ -696,10 +696,10 @@ void run_rangeproof_tests(void) {
    test_api();
    test_rangeproof_fixed_vectors();
    test_pedersen_commitment_fixed_vector();
-    for (i = 0; i < 10*count; i++) {
+    for (i = 0; i < count / 2 + 1; i++) {
        test_pedersen();
    }
-    for (i = 0; i < 10*count; i++) {
+    for (i = 0; i < count / 2 + 1; i++) {
        test_borromean();
    }
    test_rangeproof();
--- a/src/modules/recovery/Makefile.am.include
+++ b/src/modules/recovery/Makefile.am.include
@@ -1,6 +1,7 @@
 include_HEADERS += include/secp256k1_recovery.h
 noinst_HEADERS += src/modules/recovery/main_impl.h
 noinst_HEADERS += src/modules/recovery/tests_impl.h
+noinst_HEADERS += src/modules/recovery/tests_exhaustive_impl.h
 if USE_BENCHMARK
 noinst_PROGRAMS += bench_recover
 bench_recover_SOURCES = src/bench_recover.c
--- a/src/modules/recovery/main_impl.h
+++ b/src/modules/recovery/main_impl.h
@@ -122,48 +122,15 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, cons

 int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
    secp256k1_scalar r, s;
-    secp256k1_scalar sec, non, msg;
-    int recid;
-    int ret = 0;
-    int overflow = 0;
+    int ret, recid;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(signature != NULL);
    ARG_CHECK(seckey != NULL);
-    if (noncefp == NULL) {
-        noncefp = secp256k1_nonce_function_default;
-    }

-    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
-    /* Fail if the secret key is invalid. */
-    if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
-        unsigned char nonce32[32];
-        unsigned int count = 0;
-        secp256k1_scalar_set_b32(&msg, msg32, NULL);
-        while (1) {
-            ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
-            if (!ret) {
-                break;
-            }
-            secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-            if (!overflow && !secp256k1_scalar_is_zero(&non)) {
-                if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
-                    break;
-                }
-            }
-            count++;
-        }
-        memset(nonce32, 0, 32);
-        secp256k1_scalar_clear(&msg);
-        secp256k1_scalar_clear(&non);
-        secp256k1_scalar_clear(&sec);
-    }
-    if (ret) {
-        secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
-    } else {
-        memset(signature, 0, sizeof(*signature));
-    }
+    ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, NULL, NULL, NULL, msg32, seckey, noncefp, noncedata);
+    secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
    return ret;
 }

--- a/src/modules/recovery/tests_exhaustive_impl.h
+++ b/src/modules/recovery/tests_exhaustive_impl.h
@@ -0,0 +1,149 @@
+/**********************************************************************
+ * Copyright (c) 2016 Andrew Poelstra                                 *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef SECP256K1_MODULE_RECOVERY_EXHAUSTIVE_TESTS_H
+#define SECP256K1_MODULE_RECOVERY_EXHAUSTIVE_TESTS_H
+
+#include "src/modules/recovery/main_impl.h"
+#include "include/secp256k1_recovery.h"
+
+void test_exhaustive_recovery_sign(const secp256k1_context *ctx, const secp256k1_ge *group) {
+    int i, j, k;
+    uint64_t iter = 0;
+
+    /* Loop */
+    for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) {  /* message */
+        for (j = 1; j < EXHAUSTIVE_TEST_ORDER; j++) {  /* key */
+            if (skip_section(&iter)) continue;
+            for (k = 1; k < EXHAUSTIVE_TEST_ORDER; k++) {  /* nonce */
+                const int starting_k = k;
+                secp256k1_fe r_dot_y_normalized;
+                secp256k1_ecdsa_recoverable_signature rsig;
+                secp256k1_ecdsa_signature sig;
+                secp256k1_scalar sk, msg, r, s, expected_r;
+                unsigned char sk32[32], msg32[32];
+                int expected_recid;
+                int recid;
+                int overflow;
+                secp256k1_scalar_set_int(&msg, i);
+                secp256k1_scalar_set_int(&sk, j);
+                secp256k1_scalar_get_b32(sk32, &sk);
+                secp256k1_scalar_get_b32(msg32, &msg);
+
+                secp256k1_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, secp256k1_nonce_function_smallint, &k);
+
+                /* Check directly */
+                secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig);
+                r_from_k(&expected_r, group, k, &overflow);
+                CHECK(r == expected_r);
+                CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER ||
+                      (k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER);
+                /* The recid's second bit is for conveying overflow (R.x value >= group order).
+                 * In the actual secp256k1 this is an astronomically unlikely event, but in the
+                 * small group used here, it will be the case for all points except the ones where
+                 * R.x=1 (which the group is specifically selected to have).
+                 * Note that this isn't actually useful; full recovery would need to convey
+                 * floor(R.x / group_order), but only one bit is used as that is sufficient
+                 * in the real group. */
+                expected_recid = overflow ? 2 : 0;
+                r_dot_y_normalized = group[k].y;
+                secp256k1_fe_normalize(&r_dot_y_normalized);
+                /* Also the recovery id is flipped depending if we hit the low-s branch */
+                if ((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER) {
+                    expected_recid |= secp256k1_fe_is_odd(&r_dot_y_normalized);
+                } else {
+                    expected_recid |= !secp256k1_fe_is_odd(&r_dot_y_normalized);
+                }
+                CHECK(recid == expected_recid);
+
+                /* Convert to a standard sig then check */
+                secp256k1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig);
+                secp256k1_ecdsa_signature_load(ctx, &r, &s, &sig);
+                /* Note that we compute expected_r *after* signing -- this is important
+                 * because our nonce-computing function function might change k during
+                 * signing. */
+                r_from_k(&expected_r, group, k, NULL);
+                CHECK(r == expected_r);
+                CHECK((k * s) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER ||
+                      (k * (EXHAUSTIVE_TEST_ORDER - s)) % EXHAUSTIVE_TEST_ORDER == (i + r * j) % EXHAUSTIVE_TEST_ORDER);
+
+                /* Overflow means we've tried every possible nonce */
+                if (k < starting_k) {
+                    break;
+                }
+            }
+        }
+    }
+}
+
+void test_exhaustive_recovery_verify(const secp256k1_context *ctx, const secp256k1_ge *group) {
+    /* This is essentially a copy of test_exhaustive_verify, with recovery added */
+    int s, r, msg, key;
+    uint64_t iter = 0;
+    for (s = 1; s < EXHAUSTIVE_TEST_ORDER; s++) {
+        for (r = 1; r < EXHAUSTIVE_TEST_ORDER; r++) {
+            for (msg = 1; msg < EXHAUSTIVE_TEST_ORDER; msg++) {
+                for (key = 1; key < EXHAUSTIVE_TEST_ORDER; key++) {
+                    secp256k1_ge nonconst_ge;
+                    secp256k1_ecdsa_recoverable_signature rsig;
+                    secp256k1_ecdsa_signature sig;
+                    secp256k1_pubkey pk;
+                    secp256k1_scalar sk_s, msg_s, r_s, s_s;
+                    secp256k1_scalar s_times_k_s, msg_plus_r_times_sk_s;
+                    int recid = 0;
+                    int k, should_verify;
+                    unsigned char msg32[32];
+
+                    if (skip_section(&iter)) continue;
+
+                    secp256k1_scalar_set_int(&s_s, s);
+                    secp256k1_scalar_set_int(&r_s, r);
+                    secp256k1_scalar_set_int(&msg_s, msg);
+                    secp256k1_scalar_set_int(&sk_s, key);
+                    secp256k1_scalar_get_b32(msg32, &msg_s);
+
+                    /* Verify by hand */
+                    /* Run through every k value that gives us this r and check that *one* works.
+                     * Note there could be none, there could be multiple, ECDSA is weird. */
+                    should_verify = 0;
+                    for (k = 0; k < EXHAUSTIVE_TEST_ORDER; k++) {
+                        secp256k1_scalar check_x_s;
+                        r_from_k(&check_x_s, group, k, NULL);
+                        if (r_s == check_x_s) {
+                            secp256k1_scalar_set_int(&s_times_k_s, k);
+                            secp256k1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s);
+                            secp256k1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s);
+                            secp256k1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s);
+                            should_verify |= secp256k1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s);
+                        }
+                    }
+                    /* nb we have a "high s" rule */
+                    should_verify &= !secp256k1_scalar_is_high(&s_s);
+
+                    /* We would like to try recovering the pubkey and checking that it matches,
+                     * but pubkey recovery is impossible in the exhaustive tests (the reason
+                     * being that there are 12 nonzero r values, 12 nonzero points, and no
+                     * overlap between the sets, so there are no valid signatures). */
+
+                    /* Verify by converting to a standard signature and calling verify */
+                    secp256k1_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid);
+                    secp256k1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig);
+                    memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge));
+                    secp256k1_pubkey_save(&pk, &nonconst_ge);
+                    CHECK(should_verify ==
+                          secp256k1_ecdsa_verify(ctx, &sig, msg32, &pk));
+                }
+            }
+        }
+    }
+}
+
+static void test_exhaustive_recovery(const secp256k1_context *ctx, const secp256k1_ge *group) {
+    test_exhaustive_recovery_sign(ctx, group);
+    test_exhaustive_recovery_verify(ctx, group);
+}
+
+#endif /* SECP256K1_MODULE_RECOVERY_EXHAUSTIVE_TESTS_H */
--- a/src/modules/recovery/tests_impl.h
+++ b/src/modules/recovery/tests_impl.h
@@ -25,7 +25,7 @@ static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned c
    }
    /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
    memset(nonce32, 1, 32);
-    return secp256k1_rand_bits(1);
+    return secp256k1_testrand_bits(1);
 }

 void test_ecdsa_recovery_api(void) {
@@ -184,7 +184,7 @@ void test_ecdsa_recovery_end_to_end(void) {
    CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
-    CHECK(memcmp(&signature[4], &signature[0], 64) == 0);
+    CHECK(secp256k1_memcmp_var(&signature[4], &signature[0], 64) == 0);
    CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
    memset(&rsignature[4], 0, sizeof(rsignature[4]));
    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
@@ -193,16 +193,16 @@ void test_ecdsa_recovery_end_to_end(void) {
    /* Parse compact (with recovery id) and recover. */
    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
-    CHECK(memcmp(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
+    CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
    /* Serialize/destroy/parse signature and verify again. */
    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
-    sig[secp256k1_rand_bits(6)] += 1 + secp256k1_rand_int(255);
+    sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
    CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
    CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
    CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
    /* Recover again */
    CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
-          memcmp(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
+          secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
 }

 /* Tests several edge cases. */
@@ -215,7 +215,7 @@ void test_ecdsa_recovery_edge_cases(void) {
    };
    const unsigned char sig64[64] = {
        /* Generated by signing the above message with nonce 'This is the nonce we will use...'
-         * and secret key 0 (which is not valid), resulting in recid 0. */
+         * and secret key 0 (which is not valid), resulting in recid 1. */
        0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
        0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
        0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
--- a/src/modules/schnorrsig/Makefile.am.include
+++ b/src/modules/schnorrsig/Makefile.am.include
@@ -1,6 +1,7 @@
 include_HEADERS += include/secp256k1_schnorrsig.h
 noinst_HEADERS += src/modules/schnorrsig/main_impl.h
 noinst_HEADERS += src/modules/schnorrsig/tests_impl.h
+noinst_HEADERS += src/modules/schnorrsig/tests_exhaustive_impl.h
 if USE_BENCHMARK
 noinst_PROGRAMS += bench_schnorrsig
 bench_schnorrsig_SOURCES = src/bench_schnorrsig.c
--- a/src/modules/schnorrsig/main_impl.h
+++ b/src/modules/schnorrsig/main_impl.h
@@ -1,5 +1,5 @@
 /**********************************************************************
- * Copyright (c) 2018 Andrew Poelstra                                 *
+ * Copyright (c) 2018-2020 Andrew Poelstra, Jonas Nick                *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/
@@ -11,328 +11,229 @@
 #include "include/secp256k1_schnorrsig.h"
 #include "hash.h"

-int secp256k1_schnorrsig_serialize(const secp256k1_context* ctx, unsigned char *out64, const secp256k1_schnorrsig* sig) {
-    (void) ctx;
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(out64 != NULL);
-    ARG_CHECK(sig != NULL);
-    memcpy(out64, sig->data, 64);
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("BIP0340/nonce")||SHA256("BIP0340/nonce"). */
+static void secp256k1_nonce_function_bip340_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x46615b35ul;
+    sha->s[1] = 0xf4bfbff7ul;
+    sha->s[2] = 0x9f8dc671ul;
+    sha->s[3] = 0x83627ab3ul;
+    sha->s[4] = 0x60217180ul;
+    sha->s[5] = 0x57358661ul;
+    sha->s[6] = 0x21a29e54ul;
+    sha->s[7] = 0x68b07b4cul;
+
+    sha->bytes = 64;
+}
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("BIP0340/aux")||SHA256("BIP0340/aux"). */
+static void secp256k1_nonce_function_bip340_sha256_tagged_aux(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x24dd3219ul;
+    sha->s[1] = 0x4eba7e70ul;
+    sha->s[2] = 0xca0fabb9ul;
+    sha->s[3] = 0x0fa3166dul;
+    sha->s[4] = 0x3afbe4b1ul;
+    sha->s[5] = 0x4c44df97ul;
+    sha->s[6] = 0x4aac2739ul;
+    sha->s[7] = 0x249e850aul;
+
+    sha->bytes = 64;
+}
+
+/* algo16 argument for nonce_function_bip340 to derive the nonce exactly as stated in BIP-340
+ * by using the correct tagged hash function. */
+static const unsigned char bip340_algo16[16] = "BIP0340/nonce\0\0\0";
+
+static int nonce_function_bip340(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *xonly_pk32, const unsigned char *algo16, void *data) {
+    secp256k1_sha256 sha;
+    unsigned char masked_key[32];
+    int i;
+
+    if (algo16 == NULL) {
+        return 0;
+    }
+
+    if (data != NULL) {
+        secp256k1_nonce_function_bip340_sha256_tagged_aux(&sha);
+        secp256k1_sha256_write(&sha, data, 32);
+        secp256k1_sha256_finalize(&sha, masked_key);
+        for (i = 0; i < 32; i++) {
+            masked_key[i] ^= key32[i];
+        }
+    }
+
+    /* Tag the hash with algo16 which is important to avoid nonce reuse across
+     * algorithms. If this nonce function is used in BIP-340 signing as defined
+     * in the spec, an optimized tagging implementation is used. */
+    if (secp256k1_memcmp_var(algo16, bip340_algo16, 16) == 0) {
+        secp256k1_nonce_function_bip340_sha256_tagged(&sha);
+    } else {
+        int algo16_len = 16;
+        /* Remove terminating null bytes */
+        while (algo16_len > 0 && !algo16[algo16_len - 1]) {
+            algo16_len--;
+        }
+        secp256k1_sha256_initialize_tagged(&sha, algo16, algo16_len);
+    }
+
+    /* Hash (masked-)key||pk||msg using the tagged hash as per the spec */
+    if (data != NULL) {
+        secp256k1_sha256_write(&sha, masked_key, 32);
+    } else {
+        secp256k1_sha256_write(&sha, key32, 32);
+    }
+    secp256k1_sha256_write(&sha, xonly_pk32, 32);
+    secp256k1_sha256_write(&sha, msg32, 32);
+    secp256k1_sha256_finalize(&sha, nonce32);
    return 1;
 }

-int secp256k1_schnorrsig_parse(const secp256k1_context* ctx, secp256k1_schnorrsig* sig, const unsigned char *in64) {
-    (void) ctx;
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(sig != NULL);
-    ARG_CHECK(in64 != NULL);
-    memcpy(sig->data, in64, 64);
-    return 1;
+const secp256k1_nonce_function_hardened secp256k1_nonce_function_bip340 = nonce_function_bip340;
+
+/* Initializes SHA256 with fixed midstate. This midstate was computed by applying
+ * SHA256 to SHA256("BIP0340/challenge")||SHA256("BIP0340/challenge"). */
+static void secp256k1_schnorrsig_sha256_tagged(secp256k1_sha256 *sha) {
+    secp256k1_sha256_initialize(sha);
+    sha->s[0] = 0x9cecba11ul;
+    sha->s[1] = 0x23925381ul;
+    sha->s[2] = 0x11679112ul;
+    sha->s[3] = 0xd1627e0ful;
+    sha->s[4] = 0x97c87550ul;
+    sha->s[5] = 0x003cc765ul;
+    sha->s[6] = 0x90f61164ul;
+    sha->s[7] = 0x33e9b66aul;
+    sha->bytes = 64;
 }

-int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, secp256k1_schnorrsig *sig, int *nonce_is_negated, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, void *ndata) {
-    secp256k1_scalar x;
+static void secp256k1_schnorrsig_challenge(secp256k1_scalar* e, const unsigned char *r32, const unsigned char *msg32, const unsigned char *pubkey32)
+{
+    unsigned char buf[32];
+    secp256k1_sha256 sha;
+
+    /* tagged hash(r.x, pk.x, msg32) */
+    secp256k1_schnorrsig_sha256_tagged(&sha);
+    secp256k1_sha256_write(&sha, r32, 32);
+    secp256k1_sha256_write(&sha, pubkey32, 32);
+    secp256k1_sha256_write(&sha, msg32, 32);
+    secp256k1_sha256_finalize(&sha, buf);
+    /* Set scalar e to the challenge hash modulo the curve order as per
+     * BIP340. */
+    secp256k1_scalar_set_b32(e, buf, NULL);
+}
+
+int secp256k1_schnorrsig_sign(const secp256k1_context* ctx, unsigned char *sig64, const unsigned char *msg32, const secp256k1_keypair *keypair, secp256k1_nonce_function_hardened noncefp, void *ndata) {
+    secp256k1_scalar sk;
    secp256k1_scalar e;
    secp256k1_scalar k;
-    secp256k1_gej pkj;
    secp256k1_gej rj;
    secp256k1_ge pk;
    secp256k1_ge r;
-    secp256k1_sha256 sha;
-    int overflow;
-    unsigned char buf[33];
-    size_t buflen = sizeof(buf);
+    unsigned char buf[32] = { 0 };
+    unsigned char pk_buf[32];
+    unsigned char seckey[32];
+    int ret = 1;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
-    ARG_CHECK(sig != NULL);
+    ARG_CHECK(sig64 != NULL);
    ARG_CHECK(msg32 != NULL);
-    ARG_CHECK(seckey != NULL);
+    ARG_CHECK(keypair != NULL);

    if (noncefp == NULL) {
-        noncefp = secp256k1_nonce_function_bipschnorr;
-    }
-    secp256k1_scalar_set_b32(&x, seckey, &overflow);
-    /* Fail if the secret key is invalid. */
-    if (overflow || secp256k1_scalar_is_zero(&x)) {
-        memset(sig, 0, sizeof(*sig));
-        return 0;
+        noncefp = secp256k1_nonce_function_bip340;
    }

-    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pkj, &x);
-    secp256k1_ge_set_gej(&pk, &pkj);
-
-    if (!noncefp(buf, msg32, seckey, NULL, (void*)ndata, 0)) {
-        return 0;
+    ret &= secp256k1_keypair_load(ctx, &sk, &pk, keypair);
+    /* Because we are signing for a x-only pubkey, the secret key is negated
+     * before signing if the point corresponding to the secret key does not
+     * have an even Y. */
+    if (secp256k1_fe_is_odd(&pk.y)) {
+        secp256k1_scalar_negate(&sk, &sk);
    }
+
+    secp256k1_scalar_get_b32(seckey, &sk);
+    secp256k1_fe_get_b32(pk_buf, &pk.x);
+    ret &= !!noncefp(buf, msg32, seckey, pk_buf, bip340_algo16, ndata);
    secp256k1_scalar_set_b32(&k, buf, NULL);
-    if (secp256k1_scalar_is_zero(&k)) {
-        return 0;
-    }
+    ret &= !secp256k1_scalar_is_zero(&k);
+    secp256k1_scalar_cmov(&k, &secp256k1_scalar_one, !ret);

    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &rj, &k);
    secp256k1_ge_set_gej(&r, &rj);

-    if (nonce_is_negated != NULL) {
-        *nonce_is_negated = 0;
-    }
-    if (!secp256k1_fe_is_quad_var(&r.y)) {
+    /* We declassify r to allow using it as a branch point. This is fine
+     * because r is not a secret. */
+    secp256k1_declassify(ctx, &r, sizeof(r));
+    secp256k1_fe_normalize_var(&r.y);
+    if (secp256k1_fe_is_odd(&r.y)) {
        secp256k1_scalar_negate(&k, &k);
-        if (nonce_is_negated != NULL) {
-            *nonce_is_negated = 1;
-        }
    }
-    secp256k1_fe_normalize(&r.x);
-    secp256k1_fe_get_b32(&sig->data[0], &r.x);
+    secp256k1_fe_normalize_var(&r.x);
+    secp256k1_fe_get_b32(&sig64[0], &r.x);

-    secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, &sig->data[0], 32);
-    secp256k1_eckey_pubkey_serialize(&pk, buf, &buflen, 1);
-    secp256k1_sha256_write(&sha, buf, buflen);
-    secp256k1_sha256_write(&sha, msg32, 32);
-    secp256k1_sha256_finalize(&sha, buf);
-
-    secp256k1_scalar_set_b32(&e, buf, NULL);
-    secp256k1_scalar_mul(&e, &e, &x);
+    secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, pk_buf);
+    secp256k1_scalar_mul(&e, &e, &sk);
    secp256k1_scalar_add(&e, &e, &k);
+    secp256k1_scalar_get_b32(&sig64[32], &e);

-    secp256k1_scalar_get_b32(&sig->data[32], &e);
+    secp256k1_memczero(sig64, 64, !ret);
    secp256k1_scalar_clear(&k);
-    secp256k1_scalar_clear(&x);
+    secp256k1_scalar_clear(&sk);
+    memset(seckey, 0, sizeof(seckey));

-    return 1;
+    return ret;
 }

-/* Helper function for verification and batch verification.
- * Computes R = sG - eP. */
-static int secp256k1_schnorrsig_real_verify(const secp256k1_context* ctx, secp256k1_gej *rj, const secp256k1_scalar *s, const secp256k1_scalar *e, const secp256k1_pubkey *pk) {
-    secp256k1_scalar nege;
-    secp256k1_ge pkp;
-    secp256k1_gej pkj;
-
-    secp256k1_scalar_negate(&nege, e);
-
-    if (!secp256k1_pubkey_load(ctx, &pkp, pk)) {
-        return 0;
-    }
-    secp256k1_gej_set_ge(&pkj, &pkp);
-
-    /* rj =  s*G + (-e)*pkj */
-    secp256k1_ecmult(&ctx->ecmult_ctx, rj, &pkj, &nege, s);
-    return 1;
-}
-
-int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const secp256k1_schnorrsig *sig, const unsigned char *msg32, const secp256k1_pubkey *pk) {
+int secp256k1_schnorrsig_verify(const secp256k1_context* ctx, const unsigned char *sig64, const unsigned char *msg32, const secp256k1_xonly_pubkey *pubkey) {
    secp256k1_scalar s;
    secp256k1_scalar e;
    secp256k1_gej rj;
+    secp256k1_ge pk;
+    secp256k1_gej pkj;
    secp256k1_fe rx;
-    secp256k1_sha256 sha;
-    unsigned char buf[33];
-    size_t buflen = sizeof(buf);
+    secp256k1_ge r;
+    unsigned char buf[32];
    int overflow;

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
-    ARG_CHECK(sig != NULL);
+    ARG_CHECK(sig64 != NULL);
    ARG_CHECK(msg32 != NULL);
-    ARG_CHECK(pk != NULL);
+    ARG_CHECK(pubkey != NULL);

-    if (!secp256k1_fe_set_b32(&rx, &sig->data[0])) {
+    if (!secp256k1_fe_set_b32(&rx, &sig64[0])) {
        return 0;
    }

-    secp256k1_scalar_set_b32(&s, &sig->data[32], &overflow);
+    secp256k1_scalar_set_b32(&s, &sig64[32], &overflow);
    if (overflow) {
        return 0;
    }

-    secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, &sig->data[0], 32);
-    secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk, SECP256K1_EC_COMPRESSED);
-    secp256k1_sha256_write(&sha, buf, buflen);
-    secp256k1_sha256_write(&sha, msg32, 32);
-    secp256k1_sha256_finalize(&sha, buf);
-    secp256k1_scalar_set_b32(&e, buf, NULL);
-
-    if (!secp256k1_schnorrsig_real_verify(ctx, &rj, &s, &e, pk)
-        || !secp256k1_gej_has_quad_y_var(&rj) /* fails if rj is infinity */
-        || !secp256k1_gej_eq_x_var(&rx, &rj)) {
+    if (!secp256k1_xonly_pubkey_load(ctx, &pk, pubkey)) {
        return 0;
    }

-    return 1;
-}
+    /* Compute e. */
+    secp256k1_fe_get_b32(buf, &pk.x);
+    secp256k1_schnorrsig_challenge(&e, &sig64[0], msg32, buf);

-/* Data that is used by the batch verification ecmult callback */
-typedef struct {
-    const secp256k1_context *ctx;
-    /* Seed for the random number generator */
-    unsigned char chacha_seed[32];
-    /* Caches randomizers generated by the PRNG which returns two randomizers per call. Caching
-     * avoids having to call the PRNG twice as often. The very first randomizer will be set to 1 and
-     * the PRNG is called at every odd indexed schnorrsig to fill the cache. */
-    secp256k1_scalar randomizer_cache[2];
-    /* Signature, message, public key tuples to verify */
-    const secp256k1_schnorrsig *const *sig;
-    const unsigned char *const *msg32;
-    const secp256k1_pubkey *const *pk;
-    size_t n_sigs;
-} secp256k1_schnorrsig_verify_ecmult_context;
+    /* Compute rj =  s*G + (-e)*pkj */
+    secp256k1_scalar_negate(&e, &e);
+    secp256k1_gej_set_ge(&pkj, &pk);
+    secp256k1_ecmult(&ctx->ecmult_ctx, &rj, &pkj, &e, &s);

-/* Callback function which is called by ecmult_multi in order to convert the ecmult_context
- * consisting of signature, message and public key tuples into scalars and points. */
-static int secp256k1_schnorrsig_verify_batch_ecmult_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data) {
-    secp256k1_schnorrsig_verify_ecmult_context *ecmult_context = (secp256k1_schnorrsig_verify_ecmult_context *) data;
-
-    if (idx % 4 == 2) {
-        /* Every idx corresponds to a (scalar,point)-tuple. So this callback is called with 4
-         * consecutive tuples before we need to call the RNG for new randomizers:
-         * (-randomizer_cache[0], R1)
-         * (-randomizer_cache[0]*e1, P1)
-         * (-randomizer_cache[1], R2)
-         * (-randomizer_cache[1]*e2, P2) */
-        secp256k1_scalar_chacha20(&ecmult_context->randomizer_cache[0], &ecmult_context->randomizer_cache[1], ecmult_context->chacha_seed, idx / 4);
-    }
-
-    /* R */
-    if (idx % 2 == 0) {
-        secp256k1_fe rx;
-        *sc = ecmult_context->randomizer_cache[(idx / 2) % 2];
-        if (!secp256k1_fe_set_b32(&rx, &ecmult_context->sig[idx / 2]->data[0])) {
-            return 0;
-        }
-        if (!secp256k1_ge_set_xquad(pt, &rx)) {
-            return 0;
-        }
-    /* eP */
-    } else {
-        unsigned char buf[33];
-        size_t buflen = sizeof(buf);
-        secp256k1_sha256 sha;
-        secp256k1_sha256_initialize(&sha);
-        secp256k1_sha256_write(&sha, &ecmult_context->sig[idx / 2]->data[0], 32);
-        secp256k1_ec_pubkey_serialize(ecmult_context->ctx, buf, &buflen, ecmult_context->pk[idx / 2], SECP256K1_EC_COMPRESSED);
-        secp256k1_sha256_write(&sha, buf, buflen);
-        secp256k1_sha256_write(&sha, ecmult_context->msg32[idx / 2], 32);
-        secp256k1_sha256_finalize(&sha, buf);
-
-        secp256k1_scalar_set_b32(sc, buf, NULL);
-        secp256k1_scalar_mul(sc, sc, &ecmult_context->randomizer_cache[(idx / 2) % 2]);
-
-        if (!secp256k1_pubkey_load(ecmult_context->ctx, pt, ecmult_context->pk[idx / 2])) {
-            return 0;
-        }
-    }
-    return 1;
-}
-
-/** Helper function for batch verification. Hashes signature verification data into the
- *  randomization seed and initializes ecmult_context.
- *
- *  Returns 1 if the randomizer was successfully initialized.
- *
- *  Args:    ctx: a secp256k1 context object
- *  Out: ecmult_context: context for batch_ecmult_callback
- *  In/Out   sha: an initialized sha256 object which hashes the schnorrsig input in order to get a
- *                seed for the randomizer PRNG
- *  In:      sig: array of signatures, or NULL if there are no signatures
- *         msg32: array of messages, or NULL if there are no signatures
- *            pk: array of public keys, or NULL if there are no signatures
- *        n_sigs: number of signatures in above arrays (must be 0 if they are NULL)
- */
-int secp256k1_schnorrsig_verify_batch_init_randomizer(const secp256k1_context *ctx, secp256k1_schnorrsig_verify_ecmult_context *ecmult_context, secp256k1_sha256 *sha, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) {
-    size_t i;
-
-    if (n_sigs > 0) {
-        ARG_CHECK(sig != NULL);
-        ARG_CHECK(msg32 != NULL);
-        ARG_CHECK(pk != NULL);
-    }
-
-    for (i = 0; i < n_sigs; i++) {
-        unsigned char buf[33];
-        size_t buflen = sizeof(buf);
-        secp256k1_sha256_write(sha, sig[i]->data, 64);
-        secp256k1_sha256_write(sha, msg32[i], 32);
-        secp256k1_ec_pubkey_serialize(ctx, buf, &buflen, pk[i], SECP256K1_EC_COMPRESSED);
-        secp256k1_sha256_write(sha, buf, 32);
-    }
-    ecmult_context->ctx = ctx;
-    ecmult_context->sig = sig;
-    ecmult_context->msg32 = msg32;
-    ecmult_context->pk = pk;
-    ecmult_context->n_sigs = n_sigs;
-
-    return 1;
-}
-
-/** Helper function for batch verification. Sums the s part of all signatures multiplied by their
- *  randomizer.
- *
- *  Returns 1 if s is successfully summed.
- *
- *  In/Out: s: the s part of the input sigs is added to this s argument
- *  In:  chacha_seed: PRNG seed for computing randomizers
- *        sig: array of signatures, or NULL if there are no signatures
- *     n_sigs: number of signatures in above array (must be 0 if they are NULL)
- */
-int secp256k1_schnorrsig_verify_batch_sum_s(secp256k1_scalar *s, unsigned char *chacha_seed, const secp256k1_schnorrsig *const *sig, size_t n_sigs) {
-    secp256k1_scalar randomizer_cache[2];
-    size_t i;
-
-    secp256k1_scalar_set_int(&randomizer_cache[0], 1);
-    for (i = 0; i < n_sigs; i++) {
-        int overflow;
-        secp256k1_scalar term;
-        if (i % 2 == 1) {
-            secp256k1_scalar_chacha20(&randomizer_cache[0], &randomizer_cache[1], chacha_seed, i / 2);
-        }
-
-        secp256k1_scalar_set_b32(&term, &sig[i]->data[32], &overflow);
-        if (overflow) {
-            return 0;
-        }
-        secp256k1_scalar_mul(&term, &term, &randomizer_cache[i % 2]);
-        secp256k1_scalar_add(s, s, &term);
-    }
-    return 1;
-}
-
-/* schnorrsig batch verification.
- * Seeds a random number generator with the inputs and derives a random number ai for every
- * signature i. Fails if y-coordinate of any R is not a quadratic residue or if
- * 0 != -(s1 + a2*s2 + ... + au*su)G + R1 + a2*R2 + ... + au*Ru + e1*P1 + (a2*e2)P2 + ... + (au*eu)Pu. */
-int secp256k1_schnorrsig_verify_batch(const secp256k1_context *ctx, secp256k1_scratch *scratch, const secp256k1_schnorrsig *const *sig, const unsigned char *const *msg32, const secp256k1_pubkey *const *pk, size_t n_sigs) {
-    secp256k1_schnorrsig_verify_ecmult_context ecmult_context;
-    secp256k1_sha256 sha;
-    secp256k1_scalar s;
-    secp256k1_gej rj;
-
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
-    ARG_CHECK(scratch != NULL);
-    /* Check that n_sigs is less than half of the maximum size_t value. This is necessary because
-     * the number of points given to ecmult_multi is 2*n_sigs. */
-    ARG_CHECK(n_sigs <= SIZE_MAX / 2);
-    /* Check that n_sigs is less than 2^31 to ensure the same behavior of this function on 32-bit
-     * and 64-bit platforms. */
-    ARG_CHECK(n_sigs < (size_t)(1 << 31));
-
-    secp256k1_sha256_initialize(&sha);
-    if (!secp256k1_schnorrsig_verify_batch_init_randomizer(ctx, &ecmult_context, &sha, sig, msg32, pk, n_sigs)) {
+    secp256k1_ge_set_gej_var(&r, &rj);
+    if (secp256k1_ge_is_infinity(&r)) {
        return 0;
    }
-    secp256k1_sha256_finalize(&sha, ecmult_context.chacha_seed);
-    secp256k1_scalar_set_int(&ecmult_context.randomizer_cache[0], 1);

-    secp256k1_scalar_clear(&s);
-    if (!secp256k1_schnorrsig_verify_batch_sum_s(&s, ecmult_context.chacha_seed, sig, n_sigs)) {
-        return 0;
-    }
-    secp256k1_scalar_negate(&s, &s);
-
-    return secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &rj, &s, secp256k1_schnorrsig_verify_batch_ecmult_callback, (void *) &ecmult_context, 2 * n_sigs)
-            && secp256k1_gej_is_infinity(&rj);
+    secp256k1_fe_normalize_var(&r.y);
+    return !secp256k1_fe_is_odd(&r.y) &&
+           secp256k1_fe_equal_var(&rx, &r.x);
 }

 #endif
--- a/src/modules/schnorrsig/tests_exhaustive_impl.h
+++ b/src/modules/schnorrsig/tests_exhaustive_impl.h
@@ -0,0 +1,206 @@
+/**********************************************************************
+ * Copyright (c) 2020 Pieter Wuille                                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_MODULE_SCHNORRSIG_TESTS_EXHAUSTIVE_
+#define _SECP256K1_MODULE_SCHNORRSIG_TESTS_EXHAUSTIVE_
+
+#include "include/secp256k1_schnorrsig.h"
+#include "src/modules/schnorrsig/main_impl.h"
+
+static const unsigned char invalid_pubkey_bytes[][32] = {
+    /* 0 */
+    {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+    },
+    /* 2 */
+    {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2
+    },
+    /* order */
+    {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        ((EXHAUSTIVE_TEST_ORDER + 0UL) >> 24) & 0xFF,
+        ((EXHAUSTIVE_TEST_ORDER + 0UL) >> 16) & 0xFF,
+        ((EXHAUSTIVE_TEST_ORDER + 0UL) >> 8) & 0xFF,
+        (EXHAUSTIVE_TEST_ORDER + 0UL) & 0xFF
+    },
+    /* order + 1 */
+    {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        ((EXHAUSTIVE_TEST_ORDER + 1UL) >> 24) & 0xFF,
+        ((EXHAUSTIVE_TEST_ORDER + 1UL) >> 16) & 0xFF,
+        ((EXHAUSTIVE_TEST_ORDER + 1UL) >> 8) & 0xFF,
+        (EXHAUSTIVE_TEST_ORDER + 1UL) & 0xFF
+    },
+    /* field size */
+    {
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F
+    },
+    /* field size + 1 (note that 1 is legal) */
+    {
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30
+    },
+    /* 2^256 - 1 */
+    {
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+    }
+};
+
+#define NUM_INVALID_KEYS (sizeof(invalid_pubkey_bytes) / sizeof(invalid_pubkey_bytes[0]))
+
+static int secp256k1_hardened_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32,
+                                                      const unsigned char *key32, const unsigned char *xonly_pk32,
+                                                      const unsigned char *algo16, void* data) {
+    secp256k1_scalar s;
+    int *idata = data;
+    (void)msg32;
+    (void)key32;
+    (void)xonly_pk32;
+    (void)algo16;
+    secp256k1_scalar_set_int(&s, *idata);
+    secp256k1_scalar_get_b32(nonce32, &s);
+    return 1;
+}
+
+static void test_exhaustive_schnorrsig_verify(const secp256k1_context *ctx, const secp256k1_xonly_pubkey* pubkeys, unsigned char (*xonly_pubkey_bytes)[32], const int* parities) {
+    int d;
+    uint64_t iter = 0;
+    /* Iterate over the possible public keys to verify against (through their corresponding DL d). */
+    for (d = 1; d <= EXHAUSTIVE_TEST_ORDER / 2; ++d) {
+        int actual_d;
+        unsigned k;
+        unsigned char pk32[32];
+        memcpy(pk32, xonly_pubkey_bytes[d - 1], 32);
+        actual_d = parities[d - 1] ? EXHAUSTIVE_TEST_ORDER - d : d;
+        /* Iterate over the possible valid first 32 bytes in the signature, through their corresponding DL k.
+           Values above EXHAUSTIVE_TEST_ORDER/2 refer to the entries in invalid_pubkey_bytes. */
+        for (k = 1; k <= EXHAUSTIVE_TEST_ORDER / 2 + NUM_INVALID_KEYS; ++k) {
+            unsigned char sig64[64];
+            int actual_k = -1;
+            int e_done[EXHAUSTIVE_TEST_ORDER] = {0};
+            int e_count_done = 0;
+            if (skip_section(&iter)) continue;
+            if (k <= EXHAUSTIVE_TEST_ORDER / 2) {
+                memcpy(sig64, xonly_pubkey_bytes[k - 1], 32);
+                actual_k = parities[k - 1] ? EXHAUSTIVE_TEST_ORDER - k : k;
+            } else {
+                memcpy(sig64, invalid_pubkey_bytes[k - 1 - EXHAUSTIVE_TEST_ORDER / 2], 32);
+            }
+            /* Randomly generate messages until all challenges have been hit. */
+            while (e_count_done < EXHAUSTIVE_TEST_ORDER) {
+                secp256k1_scalar e;
+                unsigned char msg32[32];
+                secp256k1_testrand256(msg32);
+                secp256k1_schnorrsig_challenge(&e, sig64, msg32, pk32);
+                /* Only do work if we hit a challenge we haven't tried before. */
+                if (!e_done[e]) {
+                    /* Iterate over the possible valid last 32 bytes in the signature.
+                       0..order=that s value; order+1=random bytes */
+                    int count_valid = 0, s;
+                    for (s = 0; s <= EXHAUSTIVE_TEST_ORDER + 1; ++s) {
+                        int expect_valid, valid;
+                        if (s <= EXHAUSTIVE_TEST_ORDER) {
+                            secp256k1_scalar s_s;
+                            secp256k1_scalar_set_int(&s_s, s);
+                            secp256k1_scalar_get_b32(sig64 + 32, &s_s);
+                            expect_valid = actual_k != -1 && s != EXHAUSTIVE_TEST_ORDER &&
+                                           (s_s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER);
+                        } else {
+                            secp256k1_testrand256(sig64 + 32);
+                            expect_valid = 0;
+                        }
+                        valid = secp256k1_schnorrsig_verify(ctx, sig64, msg32, &pubkeys[d - 1]);
+                        CHECK(valid == expect_valid);
+                        count_valid += valid;
+                    }
+                    /* Exactly one s value must verify, unless R is illegal. */
+                    CHECK(count_valid == (actual_k != -1));
+                    /* Don't retry other messages that result in the same challenge. */
+                    e_done[e] = 1;
+                    ++e_count_done;
+                }
+            }
+        }
+    }
+}
+
+static void test_exhaustive_schnorrsig_sign(const secp256k1_context *ctx, unsigned char (*xonly_pubkey_bytes)[32], const secp256k1_keypair* keypairs, const int* parities) {
+    int d, k;
+    uint64_t iter = 0;
+    /* Loop over keys. */
+    for (d = 1; d < EXHAUSTIVE_TEST_ORDER; ++d) {
+        int actual_d = d;
+        if (parities[d - 1]) actual_d = EXHAUSTIVE_TEST_ORDER - d;
+        /* Loop over nonces. */
+        for (k = 1; k < EXHAUSTIVE_TEST_ORDER; ++k) {
+            int e_done[EXHAUSTIVE_TEST_ORDER] = {0};
+            int e_count_done = 0;
+            unsigned char msg32[32];
+            unsigned char sig64[64];
+            int actual_k = k;
+            if (skip_section(&iter)) continue;
+            if (parities[k - 1]) actual_k = EXHAUSTIVE_TEST_ORDER - k;
+            /* Generate random messages until all challenges have been tried. */
+            while (e_count_done < EXHAUSTIVE_TEST_ORDER) {
+                secp256k1_scalar e;
+                secp256k1_testrand256(msg32);
+                secp256k1_schnorrsig_challenge(&e, xonly_pubkey_bytes[k - 1], msg32, xonly_pubkey_bytes[d - 1]);
+                /* Only do work if we hit a challenge we haven't tried before. */
+                if (!e_done[e]) {
+                    secp256k1_scalar expected_s = (actual_k + e * actual_d) % EXHAUSTIVE_TEST_ORDER;
+                    unsigned char expected_s_bytes[32];
+                    secp256k1_scalar_get_b32(expected_s_bytes, &expected_s);
+                    /* Invoke the real function to construct a signature. */
+                    CHECK(secp256k1_schnorrsig_sign(ctx, sig64, msg32, &keypairs[d - 1], secp256k1_hardened_nonce_function_smallint, &k));
+                    /* The first 32 bytes must match the xonly pubkey for the specified k. */
+                    CHECK(secp256k1_memcmp_var(sig64, xonly_pubkey_bytes[k - 1], 32) == 0);
+                    /* The last 32 bytes must match the expected s value. */
+                    CHECK(secp256k1_memcmp_var(sig64 + 32, expected_s_bytes, 32) == 0);
+                    /* Don't retry other messages that result in the same challenge. */
+                    e_done[e] = 1;
+                    ++e_count_done;
+                }
+            }
+        }
+    }
+}
+
+static void test_exhaustive_schnorrsig(const secp256k1_context *ctx) {
+    secp256k1_keypair keypair[EXHAUSTIVE_TEST_ORDER - 1];
+    secp256k1_xonly_pubkey xonly_pubkey[EXHAUSTIVE_TEST_ORDER - 1];
+    int parity[EXHAUSTIVE_TEST_ORDER - 1];
+    unsigned char xonly_pubkey_bytes[EXHAUSTIVE_TEST_ORDER - 1][32];
+    unsigned i;
+
+    /* Verify that all invalid_pubkey_bytes are actually invalid. */
+    for (i = 0; i < NUM_INVALID_KEYS; ++i) {
+        secp256k1_xonly_pubkey pk;
+        CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk, invalid_pubkey_bytes[i]));
+    }
+
+    /* Construct keypairs and xonly-pubkeys for the entire group. */
+    for (i = 1; i < EXHAUSTIVE_TEST_ORDER; ++i) {
+        secp256k1_scalar scalar_i;
+        unsigned char buf[32];
+        secp256k1_scalar_set_int(&scalar_i, i);
+        secp256k1_scalar_get_b32(buf, &scalar_i);
+        CHECK(secp256k1_keypair_create(ctx, &keypair[i - 1], buf));
+        CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pubkey[i - 1], &parity[i - 1], &keypair[i - 1]));
+        CHECK(secp256k1_xonly_pubkey_serialize(ctx, xonly_pubkey_bytes[i - 1], &xonly_pubkey[i - 1]));
+    }
+
+    test_exhaustive_schnorrsig_sign(ctx, xonly_pubkey_bytes, keypair, parity);
+    test_exhaustive_schnorrsig_verify(ctx, xonly_pubkey, xonly_pubkey_bytes, parity);
+}
+
+#endif
--- a/src/modules/schnorrsig/tests_impl.h
+++ b/src/modules/schnorrsig/tests_impl.h
--- a/src/modules/surjection/main_impl.h
+++ b/src/modules/surjection/main_impl.h
@@ -9,11 +9,20 @@
 #include <assert.h>
 #include <string.h>

+#if defined HAVE_CONFIG_H
+#include "libsecp256k1-config.h"
+#endif
+
+#include "include/secp256k1_rangeproof.h"
+#include "include/secp256k1_surjectionproof.h"
 #include "modules/rangeproof/borromean.h"
 #include "modules/surjection/surjection_impl.h"
 #include "hash.h"
-#include "include/secp256k1_rangeproof.h"
-#include "include/secp256k1_surjectionproof.h"
+
+#ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
+#undef SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS
+#define SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS 16
+#endif

 static size_t secp256k1_count_bits_set(const unsigned char* data, size_t count) {
    size_t ret = 0;
@@ -35,6 +44,9 @@ static size_t secp256k1_count_bits_set(const unsigned char* data, size_t count)
    return ret;
 }

+#ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
+static
+#endif
 int secp256k1_surjectionproof_parse(const secp256k1_context* ctx, secp256k1_surjectionproof *proof, const unsigned char *input, size_t inputlen) {
    size_t n_inputs;
    size_t signature_len;
@@ -55,6 +67,15 @@ int secp256k1_surjectionproof_parse(const secp256k1_context* ctx, secp256k1_surj
        return 0;
    }

+    /* Check that the bitvector of used inputs is of the claimed
+     * length; i.e. the final byte has no "padding bits" set */
+    if (n_inputs % 8 != 0) {
+        const unsigned char padding_mask = (~0U) << (n_inputs % 8);
+        if ((input[2 + (n_inputs + 7) / 8 - 1] & padding_mask) != 0) {
+            return 0;
+        }
+    }
+
    signature_len = 32 * (1 + secp256k1_count_bits_set(&input[2], (n_inputs + 7) / 8));
    if (inputlen != 2 + (n_inputs + 7) / 8 + signature_len) {
        return 0;
@@ -204,6 +225,7 @@ int secp256k1_surjectionproof_initialize(const secp256k1_context* ctx, secp256k1
    ARG_CHECK(fixed_output_tag != NULL);
    ARG_CHECK(random_seed32 != NULL);
    ARG_CHECK(n_input_tags <= SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS);
+    ARG_CHECK(n_input_tags_to_use <= SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS);
    ARG_CHECK(n_input_tags_to_use <= n_input_tags);
    (void) ctx;

@@ -261,10 +283,8 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
    size_t n_total_pubkeys;
    size_t n_used_pubkeys;
    size_t ring_input_index = 0;
-    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge output;
+    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
+    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
    unsigned char msg32[32];

    VERIFY_CHECK(ctx != NULL);
@@ -303,17 +323,14 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
        return 0;
    }

-    secp256k1_generator_load(&output, ephemeral_output_tag);
-    for (i = 0; i < n_total_pubkeys; i++) {
-        secp256k1_generator_load(&inputs[i], &ephemeral_input_tags[i]);
+    if (secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, input_index, &ring_input_index) == 0) {
+        return 0;
    }

-    secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, inputs, n_total_pubkeys, proof->used_inputs, &output, input_index, &ring_input_index);
-
    /* Produce signature */
    rsizes[0] = (int) n_used_pubkeys;
    indices[0] = (int) ring_input_index;
-    secp256k1_surjection_genmessage(msg32, inputs, n_total_pubkeys, &output);
+    secp256k1_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag);
    if (secp256k1_surjection_genrand(borromean_s, n_used_pubkeys, &blinding_key) == 0) {
        return 0;
    }
@@ -331,15 +348,16 @@ int secp256k1_surjectionproof_generate(const secp256k1_context* ctx, secp256k1_s
    return 1;
 }

+#ifdef USE_REDUCED_SURJECTION_PROOF_SIZE
+static
+#endif
 int secp256k1_surjectionproof_verify(const secp256k1_context* ctx, const secp256k1_surjectionproof* proof, const secp256k1_generator* ephemeral_input_tags, size_t n_ephemeral_input_tags, const secp256k1_generator* ephemeral_output_tag) {
    size_t rsizes[1];    /* array needed for borromean sig API */
    size_t i;
    size_t n_total_pubkeys;
    size_t n_used_pubkeys;
-    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge inputs[SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS];
-    secp256k1_ge output;
+    secp256k1_gej ring_pubkeys[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
+    secp256k1_scalar borromean_s[SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS];
    unsigned char msg32[32];

    VERIFY_CHECK(ctx != NULL);
@@ -355,12 +373,12 @@ int secp256k1_surjectionproof_verify(const secp256k1_context* ctx, const secp256
        return 0;
    }

-    secp256k1_generator_load(&output, ephemeral_output_tag);
-    for (i = 0; i < n_total_pubkeys; i++) {
-        secp256k1_generator_load(&inputs[i], &ephemeral_input_tags[i]);
+    /* Reject proofs with too many used inputs in USE_REDUCED_SURJECTION_PROOF_SIZE mode */
+    if (n_used_pubkeys > SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS) {
+        return 0;
    }

-    if (secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, inputs, n_total_pubkeys, proof->used_inputs, &output, 0, NULL) == 0) {
+    if (secp256k1_surjection_compute_public_keys(ring_pubkeys, n_used_pubkeys, ephemeral_input_tags, n_total_pubkeys, proof->used_inputs, ephemeral_output_tag, 0, NULL) == 0) {
        return 0;
    }

@@ -373,7 +391,7 @@ int secp256k1_surjectionproof_verify(const secp256k1_context* ctx, const secp256
            return 0;
        }
    }
-    secp256k1_surjection_genmessage(msg32, inputs, n_total_pubkeys, &output);
+    secp256k1_surjection_genmessage(msg32, ephemeral_input_tags, n_total_pubkeys, ephemeral_output_tag);
    return secp256k1_borromean_verify(&ctx->ecmult_ctx, NULL, &proof->data[0], borromean_s, ring_pubkeys, rsizes, 1, msg32, 32);
 }

--- a/src/modules/surjection/surjection_impl.h
+++ b/src/modules/surjection/surjection_impl.h
@@ -15,7 +15,7 @@
 #include "scalar.h"
 #include "hash.h"

-SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg32, secp256k1_ge *ephemeral_input_tags, size_t n_input_tags, secp256k1_ge *ephemeral_output_tag) {
+SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg32, const secp256k1_generator *ephemeral_input_tags, size_t n_input_tags, const secp256k1_generator *ephemeral_output_tag) {
    /* compute message */
    size_t i;
    unsigned char pk_ser[33];
@@ -24,12 +24,12 @@ SECP256K1_INLINE static void secp256k1_surjection_genmessage(unsigned char *msg3

    secp256k1_sha256_initialize(&sha256_en);
    for (i = 0; i < n_input_tags; i++) {
-        secp256k1_eckey_pubkey_serialize(&ephemeral_input_tags[i], pk_ser, &pk_len, 1);
-        assert(pk_len == sizeof(pk_ser));
+        pk_ser[0] = 2 + (ephemeral_input_tags[i].data[63] & 1);
+        memcpy(&pk_ser[1], &ephemeral_input_tags[i].data[0], 32);
        secp256k1_sha256_write(&sha256_en, pk_ser, pk_len);
    }
-    secp256k1_eckey_pubkey_serialize(ephemeral_output_tag, pk_ser, &pk_len, 1);
-    assert(pk_len == sizeof(pk_ser));
+    pk_ser[0] = 2 + (ephemeral_output_tag->data[63] & 1);
+    memcpy(&pk_ser[1], &ephemeral_output_tag->data[0], 32);
    secp256k1_sha256_write(&sha256_en, pk_ser, pk_len);
    secp256k1_sha256_finalize(&sha256_en, msg32);
 }
@@ -61,24 +61,29 @@ SECP256K1_INLINE static int secp256k1_surjection_genrand(secp256k1_scalar *s, si
    return 1;
 }

-SECP256K1_INLINE static int secp256k1_surjection_compute_public_keys(secp256k1_gej *pubkeys, size_t n_pubkeys, const secp256k1_ge *input_tags, size_t n_input_tags, const unsigned char *used_tags, const secp256k1_ge *output_tag, size_t input_index, size_t *ring_input_index) {
+SECP256K1_INLINE static int secp256k1_surjection_compute_public_keys(secp256k1_gej *pubkeys, size_t n_pubkeys, const secp256k1_generator *input_tags, size_t n_input_tags, const unsigned char *used_tags, const secp256k1_generator *output_tag, size_t input_index, size_t *ring_input_index) {
    size_t i;
    size_t j = 0;
    for (i = 0; i < n_input_tags; i++) {
        if (used_tags[i / 8] & (1 << (i % 8))) {
            secp256k1_ge tmpge;
-            secp256k1_ge_neg(&tmpge, &input_tags[i]);
+            secp256k1_generator_load(&tmpge, &input_tags[i]);
+            secp256k1_ge_neg(&tmpge, &tmpge);
+
+            VERIFY_CHECK(j < SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS);
+            VERIFY_CHECK(j < n_pubkeys);
            secp256k1_gej_set_ge(&pubkeys[j], &tmpge);
-            secp256k1_gej_add_ge_var(&pubkeys[j], &pubkeys[j], output_tag, NULL);
+
+            secp256k1_generator_load(&tmpge, output_tag);
+            secp256k1_gej_add_ge_var(&pubkeys[j], &pubkeys[j], &tmpge, NULL);
            if (ring_input_index != NULL && input_index == i) {
                *ring_input_index = j;
            }
            j++;
-            if (j > n_pubkeys) {
-                return 0;
-            }
        }
    }
+    /* Caller needs to ensure that the number of set bits in used_tags (which we counted in j) equals n_pubkeys. */
+    VERIFY_CHECK(j == n_pubkeys);
    return 1;
 }

--- a/src/modules/surjection/tests_impl.h
+++ b/src/modules/surjection/tests_impl.h
@@ -34,7 +34,7 @@ static void test_surjectionproof_api(void) {
    int32_t ecount = 0;
    size_t i;

-    secp256k1_rand256(seed);
+    secp256k1_testrand256(seed);
    secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
    secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
    secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
@@ -45,11 +45,11 @@ static void test_surjectionproof_api(void) {
    secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);

    for (i = 0; i < n_inputs; i++) {
-        secp256k1_rand256(input_blinding_key[i]);
-        secp256k1_rand256(fixed_input_tags[i].data);
+        secp256k1_testrand256(input_blinding_key[i]);
+        secp256k1_testrand256(fixed_input_tags[i].data);
        CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i]));
    }
-    secp256k1_rand256(output_blinding_key);
+    secp256k1_testrand256(output_blinding_key);
    memcpy(&fixed_output_tag, &fixed_input_tags[0], sizeof(fixed_input_tags[0]));
    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key));

@@ -213,10 +213,10 @@ static void test_input_selection(size_t n_inputs) {
    const size_t max_n_inputs = sizeof(fixed_input_tags) / sizeof(fixed_input_tags[0]) - 1;

    CHECK(n_inputs < max_n_inputs);
-    secp256k1_rand256(seed);
+    secp256k1_testrand256(seed);

    for (i = 0; i < n_inputs + 1; i++) {
-        secp256k1_rand256(fixed_input_tags[i].data);
+        secp256k1_testrand256(fixed_input_tags[i].data);
    }

    /* cannot match output when told to use zero keys */
@@ -281,7 +281,7 @@ static void test_input_selection_distribution_helper(const secp256k1_fixed_asset
        used_inputs[i] = 0;
    }
    for(j = 0; j < 10000; j++) {
-        secp256k1_rand256(seed);
+        secp256k1_testrand256(seed);
        result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed);
        CHECK(result > 0);

@@ -304,7 +304,7 @@ static void test_input_selection_distribution(void) {
    size_t used_inputs[4];

    for (i = 0; i < n_inputs; i++) {
-        secp256k1_rand256(fixed_input_tags[i].data);
+        secp256k1_testrand256(fixed_input_tags[i].data);
    }

    /* If there is one input tag to use, initialize must choose the one equal to fixed_output_tag. */
@@ -387,16 +387,16 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) {
    /* setup */
    CHECK(n_used <= n_inputs);
    CHECK(n_inputs < max_n_inputs);
-    secp256k1_rand256(seed);
+    secp256k1_testrand256(seed);

    key_index = (((size_t) seed[0] << 8) + seed[1]) % n_inputs;

    for (i = 0; i < n_inputs + 1; i++) {
        input_blinding_key[i] = malloc(32);
-        secp256k1_rand256(input_blinding_key[i]);
+        secp256k1_testrand256(input_blinding_key[i]);
        /* choose random fixed tag, except that for the output one copy from the key_index */
        if (i < n_inputs) {
-            secp256k1_rand256(fixed_input_tags[i].data);
+            secp256k1_testrand256(fixed_input_tags[i].data);
        } else {
            memcpy(&fixed_input_tags[i], &fixed_input_tags[key_index], sizeof(fixed_input_tags[i]));
        }
@@ -422,11 +422,12 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) {
    /* trailing garbage */
    memcpy(&serialized_proof_trailing, &serialized_proof, serialized_len);
    serialized_proof_trailing[serialized_len] = seed[0];
-    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len + 1) == 0);
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof_trailing, serialized_len + 1) == 0);

    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len));
    result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]);
    CHECK(result == 1);
+
    /* various fail cases */
    if (n_inputs > 1) {
        result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]);
@@ -441,6 +442,15 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) {
        n_inputs += 1;
    }

+    for (i = 0; i < n_inputs; i++) {
+        /* flip bit */
+        proof.used_inputs[i / 8] ^= (1 << (i % 8));
+        result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]);
+        CHECK(result == 0);
+        /* reset the bit */
+        proof.used_inputs[i / 8] ^= (1 << (i % 8));
+    }
+
    /* cleanup */
    for (i = 0; i < n_inputs + 1; i++) {
        free(input_blinding_key[i]);
@@ -456,7 +466,6 @@ static void test_no_used_inputs_verify(void) {
    size_t n_ephemeral_input_tags = 1;
    secp256k1_generator ephemeral_output_tag;
    unsigned char blinding_key[32];
-    secp256k1_ge inputs[1];
    secp256k1_ge output;
    secp256k1_sha256 sha256_e0;
    int result;
@@ -467,18 +476,17 @@ static void test_no_used_inputs_verify(void) {
    memset(proof.used_inputs, 0, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS / 8);

    /* create different fixed input and output tags */
-    secp256k1_rand256(fixed_input_tag.data);
-    secp256k1_rand256(fixed_output_tag.data);
+    secp256k1_testrand256(fixed_input_tag.data);
+    secp256k1_testrand256(fixed_output_tag.data);

    /* blind fixed output tags with random blinding key */
-    secp256k1_rand256(blinding_key);
+    secp256k1_testrand256(blinding_key);
    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key));
    CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, blinding_key));

    /* create "borromean signature" which is just a hash of metadata (pubkeys, etc) in this case */
    secp256k1_generator_load(&output, &ephemeral_output_tag);
-    secp256k1_generator_load(&inputs[0], &ephemeral_input_tags[0]);
-    secp256k1_surjection_genmessage(proof.data, inputs, 1, &output);
+    secp256k1_surjection_genmessage(proof.data, ephemeral_input_tags, 1, &ephemeral_output_tag);
    secp256k1_sha256_initialize(&sha256_e0);
    secp256k1_sha256_write(&sha256_e0, proof.data, 32);
    secp256k1_sha256_finalize(&sha256_e0, proof.data);
@@ -512,21 +520,164 @@ void test_bad_parse(void) {
    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0);
 }

+void test_fixed_vectors(void) {
+    const unsigned char tag0_ser[] = {
+        0x0a,
+        0x1c, 0xa3, 0xdd, 0x12, 0x48, 0xdd, 0x4d, 0xd0, 0x04, 0x30, 0x47, 0x48, 0x75, 0xf5, 0xf5, 0xff,
+        0x2a, 0xd5, 0x0d, 0x1d, 0x86, 0x2b, 0xa4, 0xa4, 0x2f, 0x46, 0xe9, 0xb4, 0x54, 0x21, 0xf0, 0x85
+    };
+    const unsigned char tag1_ser[] = {
+        0x0a,
+        0x09, 0x0d, 0x5a, 0xd4, 0xed, 0xae, 0x9c, 0x0c, 0x69, 0x79, 0xf3, 0x8d, 0x22, 0x03, 0x0a, 0x3d,
+        0x38, 0xd4, 0x78, 0xe1, 0x03, 0x0d, 0x70, 0x57, 0xd9, 0x9a, 0x23, 0x03, 0xf0, 0x7f, 0xfb, 0xef
+    };
+    const unsigned char tag2_ser[] = {
+        0x0a,
+        0xfd, 0xed, 0xba, 0x15, 0x20, 0x8a, 0xb2, 0xaf, 0x0b, 0x76, 0x6d, 0xd2, 0x5f, 0xd4, 0x15, 0x11,
+        0x90, 0xec, 0xcb, 0x3f, 0xcd, 0x08, 0xb5, 0x35, 0xd9, 0x24, 0x18, 0xb1, 0xd3, 0x47, 0x83, 0x54
+    };
+    const unsigned char tag3_ser[] = {
+        0x0b,
+        0x8b, 0x47, 0xca, 0xee, 0x20, 0x52, 0x17, 0xbf, 0xee, 0xcc, 0x84, 0xcd, 0x34, 0x32, 0x6c, 0x36,
+        0xf1, 0xd9, 0x3f, 0xe1, 0x6f, 0x77, 0xfe, 0x89, 0x3e, 0x4a, 0xc8, 0x2a, 0x75, 0xfa, 0x2d, 0x36
+    };
+    const unsigned char tag4_ser[] = {
+        0x0b,
+        0x3c, 0x5c, 0xf4, 0x61, 0x45, 0xa8, 0x53, 0xc1, 0x64, 0x32, 0x0e, 0x92, 0x68, 0x52, 0xbd, 0x12,
+        0xe9, 0x45, 0x31, 0xeb, 0x04, 0x4c, 0xf4, 0xe2, 0x9e, 0x9f, 0x60, 0x26, 0x50, 0xbf, 0xd6, 0x9f
+    };
+    const unsigned char output_tag_ser[] = {
+        0x0b,
+        0xf7, 0x3c, 0x03, 0xed, 0xae, 0x83, 0xa1, 0xa6, 0x94, 0x8c, 0xe3, 0xb8, 0x54, 0x02, 0xa8, 0xbd,
+        0x66, 0xca, 0x28, 0xef, 0x44, 0xf5, 0x3a, 0xcb, 0xc7, 0x5b, 0x16, 0xac, 0xce, 0x29, 0x4b, 0xc6
+    };
+
+    const unsigned char total1_used1[] = {
+        0x01, 0x00, 0x01, 0x8e, 0x6b, 0x8d, 0x8b, 0x96, 0x29, 0x10, 0x29, 0xcb, 0xf8, 0x48, 0xd9, 0xc8,
+        0x5b, 0x77, 0xdc, 0xdf, 0x16, 0x67, 0x19, 0xfe, 0x8d, 0xee, 0x8f, 0x56, 0x6f, 0x9c, 0xe9, 0xae,
+        0xb9, 0xd9, 0x12, 0xb8, 0x95, 0x6c, 0xf1, 0x48, 0x07, 0x7d, 0x49, 0xe4, 0x3e, 0x7f, 0xc1, 0x2c,
+        0xe2, 0xe1, 0x94, 0x10, 0xb1, 0xda, 0x86, 0x5f, 0xbc, 0x03, 0x59, 0xe1, 0x09, 0xd2, 0x1b, 0x18,
+        0xce, 0x58, 0x15
+    };
+    const size_t total1_used1_len = sizeof(total1_used1);
+
+    const unsigned char total2_used1[] = {
+        0x02, 0x00, 0x01, 0x35, 0x3a, 0x29, 0x4b, 0xe4, 0x99, 0xc6, 0xbf, 0x99, 0x4d, 0x6c, 0xc8, 0x18,
+        0x14, 0xad, 0x10, 0x22, 0x3a, 0xb8, 0x1c, 0xb9, 0xc5, 0x77, 0xda, 0xe0, 0x8a, 0x71, 0x2d, 0x0d,
+        0x8e, 0x80, 0xf5, 0x8d, 0x74, 0xf9, 0x01, 0x6b, 0x35, 0x88, 0xf4, 0x8e, 0x43, 0xa5, 0x9c, 0x0f,
+        0x7e, 0x37, 0x86, 0x77, 0x44, 0x72, 0x7c, 0xaa, 0xff, 0x14, 0x5b, 0x7a, 0x42, 0x41, 0x75, 0xb2,
+        0x5e, 0x3d, 0x6c
+    };
+    const size_t total2_used1_len = sizeof(total2_used1);
+
+    const unsigned char total3_used2[] = {
+        0x03, 0x00, 0x03, 0xf2, 0x3f, 0xca, 0x49, 0x52, 0x05, 0xaf, 0x81, 0x83, 0x01, 0xd7, 0xf4, 0x92,
+        0xc0, 0x50, 0xe3, 0x15, 0xfc, 0x94, 0xc1, 0x27, 0x10, 0xd7, 0x8f, 0x57, 0xb1, 0x23, 0xcf, 0x68,
+        0x31, 0xf8, 0xcb, 0x58, 0x3d, 0xca, 0x2f, 0x7a, 0x3b, 0x0b, 0xb6, 0x10, 0x52, 0x94, 0xc8, 0x5f,
+        0x0a, 0xf8, 0xca, 0x5d, 0x4c, 0x38, 0x44, 0x92, 0xb3, 0xc7, 0xe4, 0x46, 0x9f, 0x96, 0x64, 0xbd,
+        0xd2, 0xda, 0x40, 0xdb, 0x63, 0x76, 0x87, 0x48, 0xdc, 0x55, 0x0b, 0x82, 0x9c, 0xa5, 0x96, 0xbe,
+        0xe9, 0x0d, 0xe4, 0x98, 0x80, 0x8e, 0x58, 0x38, 0xdc, 0x13, 0x59, 0x1d, 0x5c, 0x8e, 0xda, 0x90,
+        0x4c, 0xa4, 0x91
+    };
+    const size_t total3_used2_len = sizeof(total3_used2);
+
+    const unsigned char total5_used3[] = {
+        0x05, 0x00, 0x15, 0x36, 0x3b, 0x92, 0x97, 0x84, 0x25, 0x75, 0xd6, 0xa6, 0xaf, 0xb7, 0x32, 0x5b,
+        0x2c, 0xf8, 0x31, 0xe2, 0x15, 0x3a, 0x9b, 0xb7, 0x20, 0x14, 0xc0, 0x67, 0x96, 0x7d, 0xa9, 0xc4,
+        0xa2, 0xb4, 0x22, 0x57, 0x5f, 0xb8, 0x20, 0xf1, 0xe8, 0x82, 0xaf, 0xbc, 0x8a, 0xbc, 0x01, 0xc9,
+        0x35, 0xf2, 0x7f, 0x6f, 0x0c, 0x0d, 0xba, 0x87, 0xa4, 0xc3, 0xec, 0x60, 0x54, 0x49, 0x35, 0xeb,
+        0x1e, 0x48, 0x2c, 0xdb, 0x63, 0x76, 0x87, 0x48, 0xdc, 0x55, 0x0b, 0x82, 0x9c, 0xa5, 0x96, 0xbe,
+        0xe9, 0x0d, 0xe4, 0x98, 0x80, 0x8e, 0x58, 0x38, 0xdc, 0x13, 0x59, 0x1d, 0x5c, 0x8e, 0xda, 0x90,
+        0x4c, 0xa4, 0x91, 0x5e, 0x8f, 0xcf, 0x2e, 0xc7, 0x5f, 0xfc, 0xca, 0x42, 0xd8, 0x80, 0xe4, 0x3b,
+        0x90, 0xa5, 0xd2, 0x07, 0x7d, 0xd1, 0xc9, 0x5c, 0x69, 0xc2, 0xd7, 0xef, 0x8a, 0xae, 0x0a, 0xee,
+        0x9c, 0xf5, 0xb9
+    };
+    const size_t total5_used3_len = sizeof(total5_used3);
+
+    const unsigned char total5_used5[] = {
+        0x05, 0x00, 0x1f, 0xfd, 0xbb, 0xb6, 0xc2, 0x78, 0x82, 0xad, 0xe1, 0x66, 0x6d, 0x20, 0x4d, 0xfe,
+        0x6b, 0xd2, 0x0b, 0x21, 0x6e, 0xa8, 0x5b, 0xc8, 0xe4, 0x88, 0x42, 0x11, 0x30, 0x3b, 0x6b, 0x02,
+        0xc9, 0x7f, 0x44, 0x1c, 0xee, 0xd8, 0x37, 0x6a, 0xf8, 0xfd, 0xc8, 0x4b, 0x0b, 0xa1, 0x43, 0x1f,
+        0x68, 0x77, 0x8d, 0x1b, 0xac, 0x9e, 0xc1, 0xc1, 0xda, 0x60, 0xa8, 0xcf, 0x10, 0x9d, 0x80, 0x07,
+        0x90, 0x57, 0xb6, 0xdb, 0x63, 0x76, 0x87, 0x48, 0xdc, 0x55, 0x0b, 0x82, 0x9c, 0xa5, 0x96, 0xbe,
+        0xe9, 0x0d, 0xe4, 0x98, 0x80, 0x8e, 0x58, 0x38, 0xdc, 0x13, 0x59, 0x1d, 0x5c, 0x8e, 0xda, 0x90,
+        0x4c, 0xa4, 0x91, 0x5e, 0x8f, 0xcf, 0x2e, 0xc7, 0x5f, 0xfc, 0xca, 0x42, 0xd8, 0x80, 0xe4, 0x3b,
+        0x90, 0xa5, 0xd2, 0x07, 0x7d, 0xd1, 0xc9, 0x5c, 0x69, 0xc2, 0xd7, 0xef, 0x8a, 0xae, 0x0a, 0xee,
+        0x9c, 0xf5, 0xb9, 0x5a, 0xc8, 0x03, 0x8d, 0x4f, 0xe3, 0x1d, 0x79, 0x38, 0x5a, 0xfa, 0xe5, 0xa8,
+        0x9d, 0x56, 0x77, 0xb3, 0xf9, 0xa8, 0x70, 0x46, 0x27, 0x26, 0x6c, 0x6e, 0x54, 0xaf, 0xf9, 0xd0,
+        0x37, 0xa4, 0x86, 0x68, 0x8f, 0xac, 0x3e, 0x78, 0xaa, 0x3d, 0x83, 0x1a, 0xca, 0x05, 0xfe, 0x10,
+        0x95, 0xa4, 0x6a, 0x10, 0xc6, 0x62, 0xf3, 0xf7, 0xf3, 0x4d, 0x0b, 0xd4, 0x94, 0xe5, 0x51, 0x6c,
+        0x85, 0xd7, 0xc7
+    };
+    const size_t total5_used5_len = sizeof(total5_used5);
+
+    unsigned char bad[sizeof(total5_used5) + 32] = { 0 };
+
+    secp256k1_generator input_tags[5];
+    secp256k1_generator output_tag;
+    secp256k1_surjectionproof proof;
+
+    CHECK(secp256k1_generator_parse(ctx, &input_tags[0], tag0_ser));
+    CHECK(secp256k1_generator_parse(ctx, &input_tags[1], tag1_ser));
+    CHECK(secp256k1_generator_parse(ctx, &input_tags[2], tag2_ser));
+    CHECK(secp256k1_generator_parse(ctx, &input_tags[3], tag3_ser));
+    CHECK(secp256k1_generator_parse(ctx, &input_tags[4], tag4_ser));
+    CHECK(secp256k1_generator_parse(ctx, &output_tag, output_tag_ser));
+
+    /* check 1-of-1 */
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len));
+    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &output_tag));
+    /* check 1-of-2 */
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total2_used1, total2_used1_len));
+    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 2, &output_tag));
+    /* check 2-of-3 */
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total3_used2, total3_used2_len));
+    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 3, &output_tag));
+    /* check 3-of-5 */
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total5_used3, total5_used3_len));
+    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag));
+    /* check 5-of-5 */
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total5_used5, total5_used5_len));
+    CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag));
+
+    /* check invalid length fails */
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, total5_used5, total5_used3_len));
+    /* check invalid keys fail */
+    CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len));
+    CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, &input_tags[1], 1, &output_tag));
+    CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &input_tags[0]));
+
+    /* Try setting 6 bits on the total5-used-5; check that parsing fails */
+    memcpy(bad, total5_used5, total5_used5_len);
+    bad[2] = 0x3f;  /* 0x1f -> 0x3f */
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
+    /* Correct for the length */
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32));
+    /* Alternately just turn off one of the "legit" bits */
+    bad[2] = 0x37;  /* 0x1f -> 0x37 */
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
+
+    /* Similarly try setting 4 bits on the total5-used-3, with one bit out of range */
+    memcpy(bad, total5_used3, total5_used3_len);
+    bad[2] = 0x35;  /* 0x15 -> 0x35 */
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32));
+    bad[2] = 0x34;  /* 0x15 -> 0x34 */
+    CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
+}
+
 void run_surjection_tests(void) {
-    int i;
-    for (i = 0; i < count; i++) {
-        test_surjectionproof_api();
-    }
+    test_surjectionproof_api();
+    test_fixed_vectors();

    test_input_selection(0);
    test_input_selection(1);
    test_input_selection(5);
-    test_input_selection(100);
-    test_input_selection(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS);
+    test_input_selection(SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS);

    test_input_selection_distribution();
    test_gen_verify(10, 3);
-    test_gen_verify(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS);
+    test_gen_verify(SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS, SECP256K1_SURJECTIONPROOF_MAX_USED_INPUTS);
    test_no_used_inputs_verify();
    test_bad_serialize();
    test_bad_parse();
--- a/src/scalar.h
+++ b/src/scalar.h
@@ -8,6 +8,7 @@
 #define SECP256K1_SCALAR_H

 #include "num.h"
+#include "util.h"

 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
@@ -15,12 +16,12 @@

 #if defined(EXHAUSTIVE_TEST_ORDER)
 #include "scalar_low.h"
-#elif defined(USE_SCALAR_4X64)
+#elif defined(SECP256K1_WIDEMUL_INT128)
 #include "scalar_4x64.h"
-#elif defined(USE_SCALAR_8X32)
+#elif defined(SECP256K1_WIDEMUL_INT64)
 #include "scalar_8x32.h"
 #else
-#error "Please select scalar implementation"
+#error "Please select wide multiplication implementation"
 #endif

 /** Clear a scalar to prevent the leak of sensitive data. */
@@ -32,9 +33,17 @@ static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigne
 /** Access bits from a scalar. Not constant time. */
 static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count);

-/** Set a scalar from a big endian byte array. */
+/** Set a scalar from a big endian byte array. The scalar will be reduced modulo group order `n`.
+ * In:      bin:        pointer to a 32-byte array.
+ * Out:     r:          scalar to be set.
+ *          overflow:   non-zero if the scalar was bigger or equal to `n` before reduction, zero otherwise (can be NULL).
+ */
 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow);

+/** Set a scalar from a big endian byte array and returns 1 if it is a valid
+ *  seckey and 0 otherwise. */
+static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin);
+
 /** Set a scalar to an unsigned integer. */
 static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v);

@@ -96,16 +105,18 @@ static void secp256k1_scalar_order_get_num(secp256k1_num *r);
 /** Compare two scalars. */
 static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b);

-#ifdef USE_ENDOMORPHISM
-/** Find r1 and r2 such that r1+r2*2^128 = a. */
-static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a);
-/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see secp256k1_gej_mul_lambda). */
-static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a);
-#endif
+/** Find r1 and r2 such that r1+r2*2^128 = k. */
+static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);
+/** Find r1 and r2 such that r1+r2*lambda = k,
+ * where r1 and r2 or their negations are maximum 128 bits long (see secp256k1_ge_mul_lambda). */
+static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k);

 /** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */
 static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift);

+/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
+static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag);
+
 /** Generate two scalars from a 32-byte seed and an integer using the chacha20 stream cipher */
 static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t idx);

--- a/src/scalar_4x64_impl.h
+++ b/src/scalar_4x64_impl.h
@@ -202,9 +202,9 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
        tl = t; \
    } \
    c0 += tl;                 /* overflow is handled on the next line */ \
-    th += (c0 < tl) ? 1 : 0;  /* at most 0xFFFFFFFFFFFFFFFF */ \
+    th += (c0 < tl);          /* at most 0xFFFFFFFFFFFFFFFF */ \
    c1 += th;                 /* overflow is handled on the next line */ \
-    c2 += (c1 < th) ? 1 : 0;  /* never overflows by contract (verified in the next line) */ \
+    c2 += (c1 < th);          /* never overflows by contract (verified in the next line) */ \
    VERIFY_CHECK((c1 >= th) || (c2 != 0)); \
 }

@@ -217,7 +217,7 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
        tl = t; \
    } \
    c0 += tl;                 /* overflow is handled on the next line */ \
-    th += (c0 < tl) ? 1 : 0;  /* at most 0xFFFFFFFFFFFFFFFF */ \
+    th += (c0 < tl);          /* at most 0xFFFFFFFFFFFFFFFF */ \
    c1 += th;                 /* never overflows by contract (verified in the next line) */ \
    VERIFY_CHECK(c1 >= th); \
 }
@@ -231,16 +231,16 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
        tl = t; \
    } \
    th2 = th + th;                  /* at most 0xFFFFFFFFFFFFFFFE (in case th was 0x7FFFFFFFFFFFFFFF) */ \
-    c2 += (th2 < th) ? 1 : 0;       /* never overflows by contract (verified the next line) */ \
+    c2 += (th2 < th);               /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((th2 >= th) || (c2 != 0)); \
    tl2 = tl + tl;                  /* at most 0xFFFFFFFFFFFFFFFE (in case the lowest 63 bits of tl were 0x7FFFFFFFFFFFFFFF) */ \
-    th2 += (tl2 < tl) ? 1 : 0;      /* at most 0xFFFFFFFFFFFFFFFF */ \
+    th2 += (tl2 < tl);              /* at most 0xFFFFFFFFFFFFFFFF */ \
    c0 += tl2;                      /* overflow is handled on the next line */ \
-    th2 += (c0 < tl2) ? 1 : 0;      /* second overflow is handled on the next line */ \
+    th2 += (c0 < tl2);              /* second overflow is handled on the next line */ \
    c2 += (c0 < tl2) & (th2 == 0);  /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((c0 >= tl2) || (th2 != 0) || (c2 != 0)); \
    c1 += th2;                      /* overflow is handled on the next line */ \
-    c2 += (c1 < th2) ? 1 : 0;       /* never overflows by contract (verified the next line) */ \
+    c2 += (c1 < th2);               /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((c1 >= th2) || (c2 != 0)); \
 }

@@ -248,15 +248,15 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
 #define sumadd(a) { \
    unsigned int over; \
    c0 += (a);                  /* overflow is handled on the next line */ \
-    over = (c0 < (a)) ? 1 : 0; \
+    over = (c0 < (a));         \
    c1 += over;                 /* overflow is handled on the next line */ \
-    c2 += (c1 < over) ? 1 : 0;  /* never overflows by contract */ \
+    c2 += (c1 < over);          /* never overflows by contract */ \
 }

 /** Add a to the number defined by (c0,c1). c1 must never overflow, c2 must be zero. */
 #define sumadd_fast(a) { \
    c0 += (a);                 /* overflow is handled on the next line */ \
-    c1 += (c0 < (a)) ? 1 : 0;  /* never overflows by contract (verified the next line) */ \
+    c1 += (c0 < (a));          /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((c1 != 0) | (c0 >= (a))); \
    VERIFY_CHECK(c2 == 0); \
 }
@@ -922,18 +922,16 @@ static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a)
    secp256k1_scalar_reduce_512(r, l);
 }

-#ifdef USE_ENDOMORPHISM
-static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
-    r1->d[0] = a->d[0];
-    r1->d[1] = a->d[1];
+static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    r1->d[0] = k->d[0];
+    r1->d[1] = k->d[1];
    r1->d[2] = 0;
    r1->d[3] = 0;
-    r2->d[0] = a->d[2];
-    r2->d[1] = a->d[3];
+    r2->d[0] = k->d[2];
+    r2->d[1] = k->d[3];
    r2->d[2] = 0;
    r2->d[3] = 0;
 }
-#endif

 SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b) {
    return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3])) == 0;
@@ -956,6 +954,17 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
    secp256k1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1);
 }

+static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
+    uint64_t mask0, mask1;
+    VG_CHECK_VERIFY(r->d, sizeof(r->d));
+    mask0 = flag + ~((uint64_t)0);
+    mask1 = ~mask0;
+    r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1);
+    r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1);
+    r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1);
+    r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1);
+}
+
 #define ROTL32(x,n) ((x) << (n) | (x) >> (32-(n)))
 #define QUARTERROUND(a,b,c,d) \
  a += b; d = ROTL32(d ^ a, 16); \
@@ -963,11 +972,9 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
  a += b; d = ROTL32(d ^ a, 8); \
  c += d; b = ROTL32(b ^ c, 7);

-#ifdef WORDS_BIGENDIAN
+#if defined(SECP256K1_BIG_ENDIAN)
 #define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
-#define BE32(p) (p)
-#else
-#define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
+#elif defined(SECP256K1_LITTLE_ENDIAN)
 #define LE32(p) (p)
 #endif

@@ -1026,14 +1033,14 @@ static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2
        x14 += 0;
        x15 += over_count;

-        r1->d[3] = LE32((uint64_t) x0) << 32 | LE32(x1);
-        r1->d[2] = LE32((uint64_t) x2) << 32 | LE32(x3);
-        r1->d[1] = LE32((uint64_t) x4) << 32 | LE32(x5);
-        r1->d[0] = LE32((uint64_t) x6) << 32 | LE32(x7);
-        r2->d[3] = LE32((uint64_t) x8) << 32 | LE32(x9);
-        r2->d[2] = LE32((uint64_t) x10) << 32 | LE32(x11);
-        r2->d[1] = LE32((uint64_t) x12) << 32 | LE32(x13);
-        r2->d[0] = LE32((uint64_t) x14) << 32 | LE32(x15);
+        r1->d[3] = (((uint64_t)  x0) << 32) | x1;
+        r1->d[2] = (((uint64_t)  x2) << 32) | x3;
+        r1->d[1] = (((uint64_t)  x4) << 32) | x5;
+        r1->d[0] = (((uint64_t)  x6) << 32) | x7;
+        r2->d[3] = (((uint64_t)  x8) << 32) | x9;
+        r2->d[2] = (((uint64_t) x10) << 32) | x11;
+        r2->d[1] = (((uint64_t) x12) << 32) | x13;
+        r2->d[0] = (((uint64_t) x14) << 32) | x15;

        over1 = secp256k1_scalar_check_overflow(r1);
        over2 = secp256k1_scalar_check_overflow(r2);
@@ -1043,7 +1050,6 @@ static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2

 #undef ROTL32
 #undef QUARTERROUND
-#undef BE32
 #undef LE32

 #endif /* SECP256K1_SCALAR_REPR_IMPL_H */
--- a/src/scalar_8x32_impl.h
+++ b/src/scalar_8x32_impl.h
@@ -284,9 +284,9 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
        tl = t; \
    } \
    c0 += tl;                 /* overflow is handled on the next line */ \
-    th += (c0 < tl) ? 1 : 0;  /* at most 0xFFFFFFFF */ \
+    th += (c0 < tl);          /* at most 0xFFFFFFFF */ \
    c1 += th;                 /* overflow is handled on the next line */ \
-    c2 += (c1 < th) ? 1 : 0;  /* never overflows by contract (verified in the next line) */ \
+    c2 += (c1 < th);          /* never overflows by contract (verified in the next line) */ \
    VERIFY_CHECK((c1 >= th) || (c2 != 0)); \
 }

@@ -299,7 +299,7 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
        tl = t; \
    } \
    c0 += tl;                 /* overflow is handled on the next line */ \
-    th += (c0 < tl) ? 1 : 0;  /* at most 0xFFFFFFFF */ \
+    th += (c0 < tl);          /* at most 0xFFFFFFFF */ \
    c1 += th;                 /* never overflows by contract (verified in the next line) */ \
    VERIFY_CHECK(c1 >= th); \
 }
@@ -313,16 +313,16 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
        tl = t; \
    } \
    th2 = th + th;                  /* at most 0xFFFFFFFE (in case th was 0x7FFFFFFF) */ \
-    c2 += (th2 < th) ? 1 : 0;       /* never overflows by contract (verified the next line) */ \
+    c2 += (th2 < th);               /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((th2 >= th) || (c2 != 0)); \
    tl2 = tl + tl;                  /* at most 0xFFFFFFFE (in case the lowest 63 bits of tl were 0x7FFFFFFF) */ \
-    th2 += (tl2 < tl) ? 1 : 0;      /* at most 0xFFFFFFFF */ \
+    th2 += (tl2 < tl);              /* at most 0xFFFFFFFF */ \
    c0 += tl2;                      /* overflow is handled on the next line */ \
-    th2 += (c0 < tl2) ? 1 : 0;      /* second overflow is handled on the next line */ \
+    th2 += (c0 < tl2);              /* second overflow is handled on the next line */ \
    c2 += (c0 < tl2) & (th2 == 0);  /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((c0 >= tl2) || (th2 != 0) || (c2 != 0)); \
    c1 += th2;                      /* overflow is handled on the next line */ \
-    c2 += (c1 < th2) ? 1 : 0;       /* never overflows by contract (verified the next line) */ \
+    c2 += (c1 < th2);               /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((c1 >= th2) || (c2 != 0)); \
 }

@@ -330,15 +330,15 @@ static int secp256k1_scalar_cond_negate(secp256k1_scalar *r, int flag) {
 #define sumadd(a) { \
    unsigned int over; \
    c0 += (a);                  /* overflow is handled on the next line */ \
-    over = (c0 < (a)) ? 1 : 0; \
+    over = (c0 < (a)); \
    c1 += over;                 /* overflow is handled on the next line */ \
-    c2 += (c1 < over) ? 1 : 0;  /* never overflows by contract */ \
+    c2 += (c1 < over);          /* never overflows by contract */ \
 }

 /** Add a to the number defined by (c0,c1). c1 must never overflow, c2 must be zero. */
 #define sumadd_fast(a) { \
    c0 += (a);                 /* overflow is handled on the next line */ \
-    c1 += (c0 < (a)) ? 1 : 0;  /* never overflows by contract (verified the next line) */ \
+    c1 += (c0 < (a));          /* never overflows by contract (verified the next line) */ \
    VERIFY_CHECK((c1 != 0) | (c0 >= (a))); \
    VERIFY_CHECK(c2 == 0); \
 }
@@ -685,26 +685,24 @@ static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a)
    secp256k1_scalar_reduce_512(r, l);
 }

-#ifdef USE_ENDOMORPHISM
-static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
-    r1->d[0] = a->d[0];
-    r1->d[1] = a->d[1];
-    r1->d[2] = a->d[2];
-    r1->d[3] = a->d[3];
+static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    r1->d[0] = k->d[0];
+    r1->d[1] = k->d[1];
+    r1->d[2] = k->d[2];
+    r1->d[3] = k->d[3];
    r1->d[4] = 0;
    r1->d[5] = 0;
    r1->d[6] = 0;
    r1->d[7] = 0;
-    r2->d[0] = a->d[4];
-    r2->d[1] = a->d[5];
-    r2->d[2] = a->d[6];
-    r2->d[3] = a->d[7];
+    r2->d[0] = k->d[4];
+    r2->d[1] = k->d[5];
+    r2->d[2] = k->d[6];
+    r2->d[3] = k->d[7];
    r2->d[4] = 0;
    r2->d[5] = 0;
    r2->d[6] = 0;
    r2->d[7] = 0;
 }
-#endif

 SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b) {
    return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0;
@@ -731,6 +729,21 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
    secp256k1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1);
 }

+static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
+    uint32_t mask0, mask1;
+    VG_CHECK_VERIFY(r->d, sizeof(r->d));
+    mask0 = flag + ~((uint32_t)0);
+    mask1 = ~mask0;
+    r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1);
+    r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1);
+    r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1);
+    r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1);
+    r->d[4] = (r->d[4] & mask0) | (a->d[4] & mask1);
+    r->d[5] = (r->d[5] & mask0) | (a->d[5] & mask1);
+    r->d[6] = (r->d[6] & mask0) | (a->d[6] & mask1);
+    r->d[7] = (r->d[7] & mask0) | (a->d[7] & mask1);
+}
+
 #define ROTL32(x,n) ((x) << (n) | (x) >> (32-(n)))
 #define QUARTERROUND(a,b,c,d) \
  a += b; d = ROTL32(d ^ a, 16); \
@@ -738,11 +751,9 @@ SECP256K1_INLINE static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r,
  a += b; d = ROTL32(d ^ a, 8); \
  c += d; b = ROTL32(b ^ c, 7);

-#ifdef WORDS_BIGENDIAN
+#if defined(SECP256K1_BIG_ENDIAN)
 #define LE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
-#define BE32(p) (p)
-#else
-#define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
+#elif defined(SECP256K1_LITTLE_ENDIAN)
 #define LE32(p) (p)
 #endif

@@ -801,22 +812,22 @@ static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2
        x14 += 0;
        x15 += over_count;

-        r1->d[7] = LE32(x0);
-        r1->d[6] = LE32(x1);
-        r1->d[5] = LE32(x2);
-        r1->d[4] = LE32(x3);
-        r1->d[3] = LE32(x4);
-        r1->d[2] = LE32(x5);
-        r1->d[1] = LE32(x6);
-        r1->d[0] = LE32(x7);
-        r2->d[7] = LE32(x8);
-        r2->d[6] = LE32(x9);
-        r2->d[5] = LE32(x10);
-        r2->d[4] = LE32(x11);
-        r2->d[3] = LE32(x12);
-        r2->d[2] = LE32(x13);
-        r2->d[1] = LE32(x14);
-        r2->d[0] = LE32(x15);
+        r1->d[7] = x0;
+        r1->d[6] = x1;
+        r1->d[5] = x2;
+        r1->d[4] = x3;
+        r1->d[3] = x4;
+        r1->d[2] = x5;
+        r1->d[1] = x6;
+        r1->d[0] = x7;
+        r2->d[7] = x8;
+        r2->d[6] = x9;
+        r2->d[5] = x10;
+        r2->d[4] = x11;
+        r2->d[3] = x12;
+        r2->d[2] = x13;
+        r2->d[1] = x14;
+        r2->d[0] = x15;

        over1 = secp256k1_scalar_check_overflow(r1);
        over2 = secp256k1_scalar_check_overflow(r2);
@@ -826,7 +837,6 @@ static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2

 #undef ROTL32
 #undef QUARTERROUND
-#undef BE32
 #undef LE32

 #endif /* SECP256K1_SCALAR_REPR_IMPL_H */
--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -7,8 +7,12 @@
 #ifndef SECP256K1_SCALAR_IMPL_H
 #define SECP256K1_SCALAR_IMPL_H

-#include "group.h"
+#ifdef VERIFY
+#include <string.h>
+#endif
+
 #include "scalar.h"
+#include "util.h"

 #if defined HAVE_CONFIG_H
 #include "libsecp256k1-config.h"
@@ -16,14 +20,17 @@

 #if defined(EXHAUSTIVE_TEST_ORDER)
 #include "scalar_low_impl.h"
-#elif defined(USE_SCALAR_4X64)
+#elif defined(SECP256K1_WIDEMUL_INT128)
 #include "scalar_4x64_impl.h"
-#elif defined(USE_SCALAR_8X32)
+#elif defined(SECP256K1_WIDEMUL_INT64)
 #include "scalar_8x32_impl.h"
 #else
-#error "Please select scalar implementation"
+#error "Please select wide multiplication implementation"
 #endif

+static const secp256k1_scalar secp256k1_scalar_one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
+static const secp256k1_scalar secp256k1_scalar_zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
+
 #ifndef USE_NUM_NONE
 static void secp256k1_scalar_get_num(secp256k1_num *r, const secp256k1_scalar *a) {
    unsigned char c[32];
@@ -52,6 +59,12 @@ static void secp256k1_scalar_order_get_num(secp256k1_num *r) {
 }
 #endif

+static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin) {
+    int overflow;
+    secp256k1_scalar_set_b32(r, bin, &overflow);
+    return (!overflow) & (!secp256k1_scalar_is_zero(r));
+}
+
 static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *x) {
 #if defined(EXHAUSTIVE_TEST_ORDER)
    int i;
@@ -243,37 +256,65 @@ static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_sc
 #endif
 }

-#ifdef USE_ENDOMORPHISM
+/* These parameters are generated using sage/gen_exhaustive_groups.sage. */
 #if defined(EXHAUSTIVE_TEST_ORDER)
+#  if EXHAUSTIVE_TEST_ORDER == 13
+#    define EXHAUSTIVE_TEST_LAMBDA 9
+#  elif EXHAUSTIVE_TEST_ORDER == 199
+#    define EXHAUSTIVE_TEST_LAMBDA 92
+#  else
+#    error No known lambda for the specified exhaustive test group order.
+#  endif
+
 /**
- * Find k1 and k2 given k, such that k1 + k2 * lambda == k mod n; unlike in the
- * full case we don't bother making k1 and k2 be small, we just want them to be
+ * Find r1 and r2 given k, such that r1 + r2 * lambda == k mod n; unlike in the
+ * full case we don't bother making r1 and r2 be small, we just want them to be
 * nontrivial to get full test coverage for the exhaustive tests. We therefore
- * (arbitrarily) set k2 = k + 5 and k1 = k - k2 * lambda.
+ * (arbitrarily) set r2 = k + 5 (mod n) and r1 = k - r2 * lambda (mod n).
 */
-static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
-    *r2 = (*a + 5) % EXHAUSTIVE_TEST_ORDER;
-    *r1 = (*a + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
+static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    *r2 = (*k + 5) % EXHAUSTIVE_TEST_ORDER;
+    *r1 = (*k + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER;
 }
 #else
 /**
 * The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where
- * lambda is {0x53,0x63,0xad,0x4c,0xc0,0x5c,0x30,0xe0,0xa5,0x26,0x1c,0x02,0x88,0x12,0x64,0x5a,
- *            0x12,0x2e,0x22,0xea,0x20,0x81,0x66,0x78,0xdf,0x02,0x96,0x7c,0x1b,0x23,0xbd,0x72}
+ * lambda is: */
+static const secp256k1_scalar secp256k1_const_lambda = SECP256K1_SCALAR_CONST(
+    0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL,
+    0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL
+);
+
+#ifdef VERIFY
+static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *k);
+#endif
+
+/*
+ * Both lambda and beta are primitive cube roots of unity.  That is lamba^3 == 1 mod n and
+ * beta^3 == 1 mod p, where n is the curve order and p is the field order.
 *
- * "Guide to Elliptic Curve Cryptography" (Hankerson, Menezes, Vanstone) gives an algorithm
- * (algorithm 3.74) to find k1 and k2 given k, such that k1 + k2 * lambda == k mod n, and k1
- * and k2 have a small size.
- * It relies on constants a1, b1, a2, b2. These constants for the value of lambda above are:
+ * Futhermore, because (X^3 - 1) = (X - 1)(X^2 + X + 1), the primitive cube roots of unity are
+ * roots of X^2 + X + 1.  Therefore lambda^2 + lamba == -1 mod n and beta^2 + beta == -1 mod p.
+ * (The other primitive cube roots of unity are lambda^2 and beta^2 respectively.)
+ *
+ * Let l = -1/2 + i*sqrt(3)/2, the complex root of X^2 + X + 1. We can define a ring
+ * homomorphism phi : Z[l] -> Z_n where phi(a + b*l) == a + b*lambda mod n. The kernel of phi
+ * is a lattice over Z[l] (considering Z[l] as a Z-module). This lattice is generated by a
+ * reduced basis {a1 + b1*l, a2 + b2*l} where
 *
 * - a1 =      {0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd,0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15}
 * - b1 =     -{0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28,0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3}
 * - a2 = {0x01,0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3,0xf6,0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf,0xd8}
 * - b2 =      {0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd,0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15}
 *
- * The algorithm then computes c1 = round(b1 * k / n) and c2 = round(b2 * k / n), and gives
+ * "Guide to Elliptic Curve Cryptography" (Hankerson, Menezes, Vanstone) gives an algorithm
+ * (algorithm 3.74) to find k1 and k2 given k, such that k1 + k2 * lambda == k mod n, and k1
+ * and k2 are small in absolute value.
+ *
+ * The algorithm computes c1 = round(b2 * k / n) and c2 = round((-b1) * k / n), and gives
 * k1 = k - (c1*a1 + c2*a2) and k2 = -(c1*b1 + c2*b2). Instead, we use modular arithmetic, and
- * compute k1 as k - k2 * lambda, avoiding the need for constants a1 and a2.
+ * compute r2 = k2 mod n, and r1 = k1 mod n = (k - r2 * lambda) mod n, avoiding the need for
+ * the constants a1 and a2.
 *
 * g1, g2 are precomputed constants used to replace division with a rounded multiplication
 * when decomposing the scalar for an endomorphism-based point multiplication.
@@ -285,21 +326,21 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
 * Cryptography on Sensor Networks Using the MSP430X Microcontroller" (Gouvea, Oliveira, Lopez),
 * Section 4.3 (here we use a somewhat higher-precision estimate):
 * d = a1*b2 - b1*a2
- * g1 = round((2^272)*b2/d)
- * g2 = round((2^272)*b1/d)
+ * g1 = round(2^384 * b2/d)
+ * g2 = round(2^384 * (-b1)/d)
 *
- * (Note that 'd' is also equal to the curve order here because [a1,b1] and [a2,b2] are found
- * as outputs of the Extended Euclidean Algorithm on inputs 'order' and 'lambda').
+ * (Note that d is also equal to the curve order, n, here because [a1,b1] and [a2,b2]
+ * can be found as outputs of the Extended Euclidean Algorithm on inputs n and lambda).
 *
- * The function below splits a in r1 and r2, such that r1 + lambda * r2 == a (mod order).
+ * The function below splits k into r1 and r2, such that
+ * - r1 + lambda * r2 == k (mod n)
+ * - either r1 < 2^128 or -r1 mod n < 2^128
+ * - either r2 < 2^128 or -r2 mod n < 2^128
+ *
+ * See proof below.
 */
-
-static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *a) {
+static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k) {
    secp256k1_scalar c1, c2;
-    static const secp256k1_scalar minus_lambda = SECP256K1_SCALAR_CONST(
-        0xAC9C52B3UL, 0x3FA3CF1FUL, 0x5AD9E3FDUL, 0x77ED9BA4UL,
-        0xA880B9FCUL, 0x8EC739C2UL, 0xE0CFC810UL, 0xB51283CFUL
-    );
    static const secp256k1_scalar minus_b1 = SECP256K1_SCALAR_CONST(
        0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL,
        0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL
@@ -309,25 +350,167 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
        0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL
    );
    static const secp256k1_scalar g1 = SECP256K1_SCALAR_CONST(
-        0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00003086UL,
-        0xD221A7D4UL, 0x6BCDE86CUL, 0x90E49284UL, 0xEB153DABUL
+        0x3086D221UL, 0xA7D46BCDUL, 0xE86C90E4UL, 0x9284EB15UL,
+        0x3DAA8A14UL, 0x71E8CA7FUL, 0xE893209AUL, 0x45DBB031UL
    );
    static const secp256k1_scalar g2 = SECP256K1_SCALAR_CONST(
-        0x00000000UL, 0x00000000UL, 0x00000000UL, 0x0000E443UL,
-        0x7ED6010EUL, 0x88286F54UL, 0x7FA90ABFUL, 0xE4C42212UL
+        0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C4UL,
+        0x221208ACUL, 0x9DF506C6UL, 0x1571B4AEUL, 0x8AC47F71UL
    );
-    VERIFY_CHECK(r1 != a);
-    VERIFY_CHECK(r2 != a);
+    VERIFY_CHECK(r1 != k);
+    VERIFY_CHECK(r2 != k);
    /* these _var calls are constant time since the shift amount is constant */
-    secp256k1_scalar_mul_shift_var(&c1, a, &g1, 272);
-    secp256k1_scalar_mul_shift_var(&c2, a, &g2, 272);
+    secp256k1_scalar_mul_shift_var(&c1, k, &g1, 384);
+    secp256k1_scalar_mul_shift_var(&c2, k, &g2, 384);
    secp256k1_scalar_mul(&c1, &c1, &minus_b1);
    secp256k1_scalar_mul(&c2, &c2, &minus_b2);
    secp256k1_scalar_add(r2, &c1, &c2);
-    secp256k1_scalar_mul(r1, r2, &minus_lambda);
-    secp256k1_scalar_add(r1, r1, a);
+    secp256k1_scalar_mul(r1, r2, &secp256k1_const_lambda);
+    secp256k1_scalar_negate(r1, r1);
+    secp256k1_scalar_add(r1, r1, k);
+
+#ifdef VERIFY
+    secp256k1_scalar_split_lambda_verify(r1, r2, k);
+#endif
 }
-#endif
-#endif
+
+#ifdef VERIFY
+/*
+ * Proof for secp256k1_scalar_split_lambda's bounds.
+ *
+ * Let
+ *  - epsilon1 = 2^256 * |g1/2^384 - b2/d|
+ *  - epsilon2 = 2^256 * |g2/2^384 - (-b1)/d|
+ *  - c1 = round(k*g1/2^384)
+ *  - c2 = round(k*g2/2^384)
+ *
+ * Lemma 1: |c1 - k*b2/d| < 2^-1 + epsilon1
+ *
+ *    |c1 - k*b2/d|
+ *  =
+ *    |c1 - k*g1/2^384 + k*g1/2^384 - k*b2/d|
+ * <=   {triangle inequality}
+ *    |c1 - k*g1/2^384| + |k*g1/2^384 - k*b2/d|
+ *  =
+ *    |c1 - k*g1/2^384| + k*|g1/2^384 - b2/d|
+ * <    {rounding in c1 and 0 <= k < 2^256}
+ *    2^-1 + 2^256 * |g1/2^384 - b2/d|
+ *  =   {definition of epsilon1}
+ *    2^-1 + epsilon1
+ *
+ * Lemma 2: |c2 - k*(-b1)/d| < 2^-1 + epsilon2
+ *
+ *    |c2 - k*(-b1)/d|
+ *  =
+ *    |c2 - k*g2/2^384 + k*g2/2^384 - k*(-b1)/d|
+ * <=   {triangle inequality}
+ *    |c2 - k*g2/2^384| + |k*g2/2^384 - k*(-b1)/d|
+ *  =
+ *    |c2 - k*g2/2^384| + k*|g2/2^384 - (-b1)/d|
+ * <    {rounding in c2 and 0 <= k < 2^256}
+ *    2^-1 + 2^256 * |g2/2^384 - (-b1)/d|
+ *  =   {definition of epsilon2}
+ *    2^-1 + epsilon2
+ *
+ * Let
+ *  - k1 = k - c1*a1 - c2*a2
+ *  - k2 = - c1*b1 - c2*b2
+ *
+ * Lemma 3: |k1| < (a1 + a2 + 1)/2 < 2^128
+ *
+ *    |k1|
+ *  =   {definition of k1}
+ *    |k - c1*a1 - c2*a2|
+ *  =   {(a1*b2 - b1*a2)/n = 1}
+ *    |k*(a1*b2 - b1*a2)/n - c1*a1 - c2*a2|
+ *  =
+ *    |a1*(k*b2/n - c1) + a2*(k*(-b1)/n - c2)|
+ * <=   {triangle inequality}
+ *    a1*|k*b2/n - c1| + a2*|k*(-b1)/n - c2|
+ * <    {Lemma 1 and Lemma 2}
+ *    a1*(2^-1 + epslion1) + a2*(2^-1 + epsilon2)
+ * <    {rounding up to an integer}
+ *    (a1 + a2 + 1)/2
+ * <    {rounding up to a power of 2}
+ *    2^128
+ *
+ * Lemma 4: |k2| < (-b1 + b2)/2 + 1 < 2^128
+ *
+ *    |k2|
+ *  =   {definition of k2}
+ *    |- c1*a1 - c2*a2|
+ *  =   {(b1*b2 - b1*b2)/n = 0}
+ *    |k*(b1*b2 - b1*b2)/n - c1*b1 - c2*b2|
+ *  =
+ *    |b1*(k*b2/n - c1) + b2*(k*(-b1)/n - c2)|
+ * <=   {triangle inequality}
+ *    (-b1)*|k*b2/n - c1| + b2*|k*(-b1)/n - c2|
+ * <    {Lemma 1 and Lemma 2}
+ *    (-b1)*(2^-1 + epslion1) + b2*(2^-1 + epsilon2)
+ * <    {rounding up to an integer}
+ *    (-b1 + b2)/2 + 1
+ * <    {rounding up to a power of 2}
+ *    2^128
+ *
+ * Let
+ *  - r2 = k2 mod n
+ *  - r1 = k - r2*lambda mod n.
+ *
+ * Notice that r1 is defined such that r1 + r2 * lambda == k (mod n).
+ *
+ * Lemma 5: r1 == k1 mod n.
+ *
+ *    r1
+ * ==   {definition of r1 and r2}
+ *    k - k2*lambda
+ * ==   {definition of k2}
+ *    k - (- c1*b1 - c2*b2)*lambda
+ * ==
+ *    k + c1*b1*lambda + c2*b2*lambda
+ * ==  {a1 + b1*lambda == 0 mod n and a2 + b2*lambda == 0 mod n}
+ *    k - c1*a1 - c2*a2
+ * ==  {definition of k1}
+ *    k1
+ *
+ * From Lemma 3, Lemma 4, Lemma 5 and the definition of r2, we can conclude that
+ *
+ *  - either r1 < 2^128 or -r1 mod n < 2^128
+ *  - either r2 < 2^128 or -r2 mod n < 2^128.
+ *
+ * Q.E.D.
+ */
+static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *k) {
+    secp256k1_scalar s;
+    unsigned char buf1[32];
+    unsigned char buf2[32];
+
+    /* (a1 + a2 + 1)/2 is 0xa2a8918ca85bafe22016d0b917e4dd77 */
+    static const unsigned char k1_bound[32] = {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0xa2, 0xa8, 0x91, 0x8c, 0xa8, 0x5b, 0xaf, 0xe2, 0x20, 0x16, 0xd0, 0xb9, 0x17, 0xe4, 0xdd, 0x77
+    };
+
+    /* (-b1 + b2)/2 + 1 is 0x8a65287bd47179fb2be08846cea267ed */
+    static const unsigned char k2_bound[32] = {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x8a, 0x65, 0x28, 0x7b, 0xd4, 0x71, 0x79, 0xfb, 0x2b, 0xe0, 0x88, 0x46, 0xce, 0xa2, 0x67, 0xed
+    };
+
+    secp256k1_scalar_mul(&s, &secp256k1_const_lambda, r2);
+    secp256k1_scalar_add(&s, &s, r1);
+    VERIFY_CHECK(secp256k1_scalar_eq(&s, k));
+
+    secp256k1_scalar_negate(&s, r1);
+    secp256k1_scalar_get_b32(buf1, r1);
+    secp256k1_scalar_get_b32(buf2, &s);
+    VERIFY_CHECK(secp256k1_memcmp_var(buf1, k1_bound, 32) < 0 || secp256k1_memcmp_var(buf2, k1_bound, 32) < 0);
+
+    secp256k1_scalar_negate(&s, r2);
+    secp256k1_scalar_get_b32(buf1, r2);
+    secp256k1_scalar_get_b32(buf2, &s);
+    VERIFY_CHECK(secp256k1_memcmp_var(buf1, k2_bound, 32) < 0 || secp256k1_memcmp_var(buf2, k2_bound, 32) < 0);
+}
+#endif /* VERIFY */
+#endif /* !defined(EXHAUSTIVE_TEST_ORDER) */

 #endif /* SECP256K1_SCALAR_IMPL_H */
--- a/src/scalar_low.h
+++ b/src/scalar_low.h
@@ -12,4 +12,6 @@
 /** A scalar modulo the group order of the secp256k1 curve. */
 typedef uint32_t secp256k1_scalar;

+#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) (d0)
+
 #endif /* SECP256K1_SCALAR_REPR_H */
--- a/src/scalar_low_impl.h
+++ b/src/scalar_low_impl.h
@@ -39,21 +39,27 @@ static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a,

 static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag) {
    if (flag && bit < 32)
-        *r += (1 << bit);
+        *r += ((uint32_t)1 << bit);
 #ifdef VERIFY
+    VERIFY_CHECK(bit < 32);
+    /* Verify that adding (1 << bit) will not overflow any in-range scalar *r by overflowing the underlying uint32_t. */
+    VERIFY_CHECK(((uint32_t)1 << bit) - 1 <= UINT32_MAX - EXHAUSTIVE_TEST_ORDER);
    VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0);
 #endif
 }

 static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *b32, int *overflow) {
-    const int base = 0x100 % EXHAUSTIVE_TEST_ORDER;
    int i;
+    int over = 0;
    *r = 0;
    for (i = 0; i < 32; i++) {
-       *r = ((*r * base) + b32[i]) % EXHAUSTIVE_TEST_ORDER;
+        *r = (*r * 0x100) + b32[i];
+        if (*r >= EXHAUSTIVE_TEST_ORDER) {
+            over = 1;
+            *r %= EXHAUSTIVE_TEST_ORDER;
+        }
    }
-    /* just deny overflow, it basically always happens */
-    if (overflow) *overflow = 0;
+    if (overflow) *overflow = over;
 }

 static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar* a) {
@@ -112,6 +118,14 @@ SECP256K1_INLINE static int secp256k1_scalar_eq(const secp256k1_scalar *a, const
    return *a == *b;
 }

+static SECP256K1_INLINE void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag) {
+    uint32_t mask0, mask1;
+    VG_CHECK_VERIFY(r, sizeof(*r));
+    mask0 = flag + ~((uint32_t)0);
+    mask1 = ~mask0;
+    *r = (*r & mask0) | (*a & mask1);
+}
+
 SECP256K1_INLINE static void secp256k1_scalar_chacha20(secp256k1_scalar *r1, secp256k1_scalar *r2, const unsigned char *seed, uint64_t n) {
    *r1 = (seed[0] + n) % EXHAUSTIVE_TEST_ORDER;
    *r2 = (seed[1] + n) % EXHAUSTIVE_TEST_ORDER;
--- a/src/scratch_impl.h
+++ b/src/scratch_impl.h
@@ -11,7 +11,7 @@
 #include "scratch.h"

 static secp256k1_scratch* secp256k1_scratch_create(const secp256k1_callback* error_callback, size_t size) {
-    const size_t base_alloc = ((sizeof(secp256k1_scratch) + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
+    const size_t base_alloc = ROUND_TO_ALIGN(sizeof(secp256k1_scratch));
    void *alloc = checked_malloc(error_callback, base_alloc + size);
    secp256k1_scratch* ret = (secp256k1_scratch *)alloc;
    if (ret != NULL) {
@@ -26,7 +26,7 @@ static secp256k1_scratch* secp256k1_scratch_create(const secp256k1_callback* err
 static void secp256k1_scratch_destroy(const secp256k1_callback* error_callback, secp256k1_scratch* scratch) {
    if (scratch != NULL) {
        VERIFY_CHECK(scratch->alloc_size == 0); /* all checkpoints should be applied */
-        if (memcmp(scratch->magic, "scratch", 8) != 0) {
+        if (secp256k1_memcmp_var(scratch->magic, "scratch", 8) != 0) {
            secp256k1_callback_call(error_callback, "invalid scratch space");
            return;
        }
@@ -36,7 +36,7 @@ static void secp256k1_scratch_destroy(const secp256k1_callback* error_callback,
 }

 static size_t secp256k1_scratch_checkpoint(const secp256k1_callback* error_callback, const secp256k1_scratch* scratch) {
-    if (memcmp(scratch->magic, "scratch", 8) != 0) {
+    if (secp256k1_memcmp_var(scratch->magic, "scratch", 8) != 0) {
        secp256k1_callback_call(error_callback, "invalid scratch space");
        return 0;
    }
@@ -44,7 +44,7 @@ static size_t secp256k1_scratch_checkpoint(const secp256k1_callback* error_callb
 }

 static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback* error_callback, secp256k1_scratch* scratch, size_t checkpoint) {
-    if (memcmp(scratch->magic, "scratch", 8) != 0) {
+    if (secp256k1_memcmp_var(scratch->magic, "scratch", 8) != 0) {
        secp256k1_callback_call(error_callback, "invalid scratch space");
        return;
    }
@@ -56,10 +56,14 @@ static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback* error_c
 }

 static size_t secp256k1_scratch_max_allocation(const secp256k1_callback* error_callback, const secp256k1_scratch* scratch, size_t objects) {
-    if (memcmp(scratch->magic, "scratch", 8) != 0) {
+    if (secp256k1_memcmp_var(scratch->magic, "scratch", 8) != 0) {
        secp256k1_callback_call(error_callback, "invalid scratch space");
        return 0;
    }
+    /* Ensure that multiplication will not wrap around */
+    if (ALIGNMENT > 1 && objects > SIZE_MAX/(ALIGNMENT - 1)) {
+        return 0;
+    }
    if (scratch->max_size - scratch->alloc_size <= objects * (ALIGNMENT - 1)) {
        return 0;
    }
@@ -68,9 +72,16 @@ static size_t secp256k1_scratch_max_allocation(const secp256k1_callback* error_c

 static void *secp256k1_scratch_alloc(const secp256k1_callback* error_callback, secp256k1_scratch* scratch, size_t size) {
    void *ret;
-    size = ROUND_TO_ALIGN(size);
+    size_t rounded_size;

-    if (memcmp(scratch->magic, "scratch", 8) != 0) {
+    rounded_size = ROUND_TO_ALIGN(size);
+    /* Check that rounding did not wrap around */
+    if (rounded_size < size) {
+        return NULL;
+    }
+    size = rounded_size;
+
+    if (secp256k1_memcmp_var(scratch->magic, "scratch", 8) != 0) {
        secp256k1_callback_call(error_callback, "invalid scratch space");
        return NULL;
    }
--- a/src/secp256k1.c
+++ b/src/secp256k1.c
@@ -7,11 +7,13 @@
 #include "include/secp256k1.h"
 #include "include/secp256k1_preallocated.h"

+#include "assumptions.h"
 #include "util.h"
 #include "num_impl.h"
 #include "field_impl.h"
 #include "scalar_impl.h"
 #include "group_impl.h"
+#include "eccommit_impl.h"
 #include "ecmult_impl.h"
 #include "ecmult_const_impl.h"
 #include "ecmult_gen_impl.h"
@@ -19,6 +21,11 @@
 #include "eckey_impl.h"
 #include "hash_impl.h"
 #include "scratch_impl.h"
+#include "selftest.h"
+
+#if defined(VALGRIND)
+# include <valgrind/memcheck.h>
+#endif

 #ifdef ENABLE_MODULE_GENERATOR
 # include "include/secp256k1_generator.h"
@@ -30,6 +37,18 @@
 # include "modules/rangeproof/rangeproof.h"
 #endif

+#ifdef ENABLE_MODULE_ECDSA_S2C
+# include "include/secp256k1_ecdsa_s2c.h"
+static void secp256k1_ecdsa_s2c_opening_save(secp256k1_ecdsa_s2c_opening* opening, secp256k1_ge* ge);
+#else
+typedef void secp256k1_ecdsa_s2c_opening;
+static void secp256k1_ecdsa_s2c_opening_save(secp256k1_ecdsa_s2c_opening* opening, secp256k1_ge* ge) {
+    (void) opening;
+    (void) ge;
+    VERIFY_CHECK(0);
+}
+#endif
+
 #define ARG_CHECK(cond) do { \
    if (EXPECT(!(cond), 0)) { \
        secp256k1_callback_call(&ctx->illegal_callback, #cond); \
@@ -76,18 +95,22 @@ struct secp256k1_context_struct {
    secp256k1_ecmult_gen_context ecmult_gen_ctx;
    secp256k1_callback illegal_callback;
    secp256k1_callback error_callback;
+    int declassify;
 };

 static const secp256k1_context secp256k1_context_no_precomp_ = {
    { 0 },
    { 0 },
    { secp256k1_default_illegal_callback_fn, 0 },
-    { secp256k1_default_error_callback_fn, 0 }
+    { secp256k1_default_error_callback_fn, 0 },
+    0
 };
 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;

 size_t secp256k1_context_preallocated_size(unsigned int flags) {
    size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
+    /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
+    VERIFY_CHECK(ret != 0);

    if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
            secp256k1_callback_call(&default_illegal_callback,
@@ -121,27 +144,31 @@ secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigne
    size_t prealloc_size;
    secp256k1_context* ret;

-    VERIFY_CHECK(prealloc != NULL);
+    if (!secp256k1_selftest()) {
+        secp256k1_callback_call(&default_error_callback, "self test failed");
+    }
+
    prealloc_size = secp256k1_context_preallocated_size(flags);
+    if (prealloc_size == 0) {
+        return NULL;
+    }
+    VERIFY_CHECK(prealloc != NULL);
    ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
    ret->illegal_callback = default_illegal_callback;
    ret->error_callback = default_error_callback;

-    if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
-            secp256k1_callback_call(&ret->illegal_callback,
-                                    "Invalid flags");
-            return NULL;
-    }
-
    secp256k1_ecmult_context_init(&ret->ecmult_ctx);
    secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);

+    /* Flags have been checked by secp256k1_context_preallocated_size. */
+    VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
    if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
        secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc);
    }
    if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
        secp256k1_ecmult_context_build(&ret->ecmult_ctx, &prealloc);
    }
+    ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);

    return (secp256k1_context*) ret;
 }
@@ -225,6 +252,20 @@ void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scr
    secp256k1_scratch_destroy(&ctx->error_callback, scratch);
 }

+/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
+ *  of the software. This is setup for use with valgrind but could be substituted with
+ *  the appropriate instrumentation for other analysis tools.
+ */
+static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
+#if defined(VALGRIND)
+    if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
+#else
+    (void)ctx;
+    (void)p;
+    (void)len;
+#endif
+}
+
 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
    if (sizeof(secp256k1_ge_storage) == 64) {
        /* When the secp256k1_ge_storage type is exactly 64 byte, use its
@@ -268,6 +309,9 @@ int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pu
    if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
        return 0;
    }
+    if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
+        return 0;
+    }
    secp256k1_pubkey_save(pubkey, &Q);
    secp256k1_ge_clear(&Q);
    return 1;
@@ -280,7 +324,7 @@ int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *o

    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(outputlen != NULL);
-    ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
+    ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
    len = *outputlen;
    *outputlen = 0;
    ARG_CHECK(output != NULL);
@@ -423,27 +467,6 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off
    *offset += len;
 }

-/* This nonce function is described in BIP-schnorr
- * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) */
-static int secp256k1_nonce_function_bipschnorr(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
-    secp256k1_sha256 sha;
-    (void) data;
-    (void) counter;
-    VERIFY_CHECK(counter == 0);
-
-    /* Hash x||msg as per the spec */
-    secp256k1_sha256_initialize(&sha);
-    secp256k1_sha256_write(&sha, key32, 32);
-    secp256k1_sha256_write(&sha, msg32, 32);
-    /* Hash in algorithm, which is not in the spec, but may be critical to
-     * users depending on it to avoid nonce reuse across algorithms. */
-    if (algo16 != NULL) {
-        secp256k1_sha256_write(&sha, algo16, 16);
-    }
-    secp256k1_sha256_finalize(&sha, nonce32);
-    return 1;
-}
-
 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
   unsigned char keydata[112];
   unsigned int offset = 0;
@@ -477,70 +500,131 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;

-int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
-    secp256k1_scalar r, s;
+static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, secp256k1_sha256* s2c_sha, secp256k1_ecdsa_s2c_opening *s2c_opening, const unsigned char* s2c_data32, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
    secp256k1_scalar sec, non, msg;
    int ret = 0;
-    int overflow = 0;
+    int is_sec_valid;
+    unsigned char nonce32[32];
+    unsigned int count = 0;
+    /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
+    *r = secp256k1_scalar_zero;
+    *s = secp256k1_scalar_zero;
+    if (recid) {
+        *recid = 0;
+    }
+    if (noncefp == NULL) {
+        noncefp = secp256k1_nonce_function_default;
+    }
+    /* sign-to-contract commitments only work with the default nonce function,
+     * because we need to ensure that s2c_data is actually hashed into the nonce and
+     * not just ignored. Otherwise an attacker can exfiltrate the secret key by
+     * signing the same message thrice with different commitments. */
+    VERIFY_CHECK(s2c_data32 == NULL || noncefp == secp256k1_nonce_function_default);
+
+    /* Fail if the secret key is invalid. */
+    is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
+    secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
+    secp256k1_scalar_set_b32(&msg, msg32, NULL);
+    while (1) {
+        int is_nonce_valid;
+        ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
+        if (!ret) {
+            break;
+        }
+        is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
+        /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
+        secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
+        if (is_nonce_valid) {
+            if (s2c_data32 != NULL) {
+                secp256k1_gej nonce_pj;
+                secp256k1_ge nonce_p;
+
+                /* Compute original nonce commitment/pubkey */
+                secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &nonce_pj, &non);
+                secp256k1_ge_set_gej(&nonce_p, &nonce_pj);
+                if (s2c_opening != NULL) {
+                    secp256k1_ecdsa_s2c_opening_save(s2c_opening, &nonce_p);
+                }
+
+                /* Because the nonce is valid, the nonce point isn't the point
+                 * at infinity and we can declassify that information to be able to
+                 * serialize the point. */
+                secp256k1_declassify(ctx, &nonce_p.infinity, sizeof(nonce_p.infinity));
+
+                /* Tweak nonce with s2c commitment. */
+                ret = secp256k1_ec_commit_seckey(&non, &nonce_p, s2c_sha, s2c_data32, 32);
+                secp256k1_declassify(ctx, &ret, sizeof(ret)); /* may be secret that the tweak falied, but happens with negligible probability */
+                if (!ret) {
+                    break;
+                }
+            }
+
+            ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
+            /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
+            secp256k1_declassify(ctx, &ret, sizeof(ret));
+            if (ret) {
+                break;
+            }
+        }
+        count++;
+    }
+    /* We don't want to declassify is_sec_valid and therefore the range of
+     * seckey. As a result is_sec_valid is included in ret only after ret was
+     * used as a branching variable. */
+    ret &= is_sec_valid;
+    memset(nonce32, 0, 32);
+    secp256k1_scalar_clear(&msg);
+    secp256k1_scalar_clear(&non);
+    secp256k1_scalar_clear(&sec);
+    secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
+    secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
+    if (recid) {
+        const int zero = 0;
+        secp256k1_int_cmov(recid, &zero, !ret);
+    }
+    return ret;
+}
+
+int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
+    secp256k1_scalar r, s;
+    int ret;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(signature != NULL);
    ARG_CHECK(seckey != NULL);
-    if (noncefp == NULL) {
-        noncefp = secp256k1_nonce_function_default;
-    }

-    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
-    /* Fail if the secret key is invalid. */
-    if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
-        unsigned char nonce32[32];
-        unsigned int count = 0;
-        secp256k1_scalar_set_b32(&msg, msg32, NULL);
-        while (1) {
-            ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
-            if (!ret) {
-                break;
-            }
-            secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-            if (!overflow && !secp256k1_scalar_is_zero(&non)) {
-                if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
-                    break;
-                }
-            }
-            count++;
-        }
-        memset(nonce32, 0, 32);
-        secp256k1_scalar_clear(&msg);
-        secp256k1_scalar_clear(&non);
-        secp256k1_scalar_clear(&sec);
-    }
-    if (ret) {
-        secp256k1_ecdsa_signature_save(signature, &r, &s);
-    } else {
-        memset(signature, 0, sizeof(*signature));
-    }
+    ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, NULL, NULL, NULL, msg32, seckey, noncefp, noncedata);
+    secp256k1_ecdsa_signature_save(signature, &r, &s);
    return ret;
 }

 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
    secp256k1_scalar sec;
    int ret;
-    int overflow;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(seckey != NULL);

-    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
-    ret = !overflow && !secp256k1_scalar_is_zero(&sec);
+    ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
    secp256k1_scalar_clear(&sec);
    return ret;
 }

-int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
+static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
    secp256k1_gej pj;
+    int ret;
+
+    ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
+    secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
+
+    secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
+    secp256k1_ge_set_gej(p, &pj);
+    return ret;
+}
+
+int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
    secp256k1_ge p;
-    secp256k1_scalar sec;
-    int overflow;
+    secp256k1_scalar seckey_scalar;
    int ret = 0;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(pubkey != NULL);
@@ -548,28 +632,31 @@ int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *p
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    ARG_CHECK(seckey != NULL);

-    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
-    ret = !overflow && !secp256k1_scalar_is_zero(&sec);
-    if (ret) {
-        secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
-        secp256k1_ge_set_gej(&p, &pj);
-        secp256k1_pubkey_save(pubkey, &p);
-    }
+    ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
+    secp256k1_pubkey_save(pubkey, &p);
+    secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
+
+    secp256k1_scalar_clear(&seckey_scalar);
+    return ret;
+}
+
+int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
+    secp256k1_scalar sec;
+    int ret = 0;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(seckey != NULL);
+
+    ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
+    secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
+    secp256k1_scalar_negate(&sec, &sec);
+    secp256k1_scalar_get_b32(seckey, &sec);
+
    secp256k1_scalar_clear(&sec);
    return ret;
 }

 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
-    secp256k1_scalar sec;
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(seckey != NULL);
-
-    secp256k1_scalar_set_b32(&sec, seckey, NULL);
-    secp256k1_scalar_negate(&sec, &sec);
-    secp256k1_scalar_get_b32(seckey, &sec);
-
-    secp256k1_scalar_clear(&sec);
-    return 1;
+    return secp256k1_ec_seckey_negate(ctx, seckey);
 }

 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
@@ -587,54 +674,64 @@ int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *p
    return ret;
 }

-int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
+
+static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak) {
    secp256k1_scalar term;
-    secp256k1_scalar sec;
-    int ret = 0;
    int overflow = 0;
-    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(seckey != NULL);
-    ARG_CHECK(tweak != NULL);
+    int ret = 0;

    secp256k1_scalar_set_b32(&term, tweak, &overflow);
-    secp256k1_scalar_set_b32(&sec, seckey, NULL);
-
-    ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term);
-    memset(seckey, 0, 32);
-    if (ret) {
-        secp256k1_scalar_get_b32(seckey, &sec);
-    }
-
-    secp256k1_scalar_clear(&sec);
+    ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
    secp256k1_scalar_clear(&term);
    return ret;
 }

+int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
+    secp256k1_scalar sec;
+    int ret = 0;
+    VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(seckey != NULL);
+    ARG_CHECK(tweak != NULL);
+
+    ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
+    ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak);
+    secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
+    secp256k1_scalar_get_b32(seckey, &sec);
+
+    secp256k1_scalar_clear(&sec);
+    return ret;
+}
+
+int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
+    return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak);
+}
+
+static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak) {
+    secp256k1_scalar term;
+    int overflow = 0;
+    secp256k1_scalar_set_b32(&term, tweak, &overflow);
+    return !overflow && secp256k1_eckey_pubkey_tweak_add(ecmult_ctx, p, &term);
+}
+
 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
    secp256k1_ge p;
-    secp256k1_scalar term;
    int ret = 0;
-    int overflow = 0;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
    ARG_CHECK(pubkey != NULL);
    ARG_CHECK(tweak != NULL);

-    secp256k1_scalar_set_b32(&term, tweak, &overflow);
-    ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
+    ret = secp256k1_pubkey_load(ctx, &p, pubkey);
    memset(pubkey, 0, sizeof(*pubkey));
+    ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak);
    if (ret) {
-        if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
-            secp256k1_pubkey_save(pubkey, &p);
-        } else {
-            ret = 0;
-        }
+        secp256k1_pubkey_save(pubkey, &p);
    }

    return ret;
 }

-int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
+int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
    secp256k1_scalar factor;
    secp256k1_scalar sec;
    int ret = 0;
@@ -644,18 +741,20 @@ int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *
    ARG_CHECK(tweak != NULL);

    secp256k1_scalar_set_b32(&factor, tweak, &overflow);
-    secp256k1_scalar_set_b32(&sec, seckey, NULL);
-    ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
-    memset(seckey, 0, 32);
-    if (ret) {
-        secp256k1_scalar_get_b32(seckey, &sec);
-    }
+    ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
+    ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
+    secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
+    secp256k1_scalar_get_b32(seckey, &sec);

    secp256k1_scalar_clear(&sec);
    secp256k1_scalar_clear(&factor);
    return ret;
 }

+int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
+    return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak);
+}
+
 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
    secp256k1_ge p;
    secp256k1_scalar factor;
@@ -716,16 +815,24 @@ int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *
 # include "modules/ecdh/main_impl.h"
 #endif

+#ifdef ENABLE_MODULE_RECOVERY
+# include "modules/recovery/main_impl.h"
+#endif
+
+#ifdef ENABLE_MODULE_EXTRAKEYS
+# include "modules/extrakeys/main_impl.h"
+#endif
+
 #ifdef ENABLE_MODULE_SCHNORRSIG
 # include "modules/schnorrsig/main_impl.h"
 #endif

-#ifdef ENABLE_MODULE_MUSIG
-# include "modules/musig/main_impl.h"
+#ifdef ENABLE_MODULE_ECDSA_S2C
+# include "modules/ecdsa_s2c/main_impl.h"
 #endif

-#ifdef ENABLE_MODULE_RECOVERY
-# include "modules/recovery/main_impl.h"
+#ifdef ENABLE_MODULE_MUSIG
+# include "modules/musig/main_impl.h"
 #endif

 #ifdef ENABLE_MODULE_GENERATOR
@@ -743,3 +850,4 @@ int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *
 #ifdef ENABLE_MODULE_SURJECTIONPROOF
 # include "modules/surjection/main_impl.h"
 #endif
+
--- a/Show More
+++ b/Show More