Squashed 'src/secp256k1/' changes from b19c000..763484a1e5

763484a1e5 f fix undefined behavior when shifting an int 31 places
5af66e7f79 f expose nonce_function_bipschnorr
594e3abb69 f hash noncedata into nonce in nonce_function_bipschnorr
318d55155c f make helper functions static
d65adc82f8 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
f4153a29ab add chacha20 function
REVERT: b19c000 Merge bitcoin#607: Use size_t shifts when computing a size_t
REVERT: 4d01bc2 Merge bitcoin#606: travis: Remove unused sudo:false
REVERT: e6d01e9 Use size_t shifts when computing a size_t
REVERT: 7667532 travis: Remove unused sudo:false
REVERT: ee99f12 Merge bitcoin#599: Switch x86_64 asm to use "i" instead of "n" for immediate values.
REVERT: d58bc93 Switch x86_64 asm to use "i" instead of "n" for immediate values.
REVERT: 05362ee Merge bitcoin#597: Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
REVERT: 8348386 Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
REVERT: aa15154 Merge bitcoin#568: Fix integer overflow in ecmult_multi_var when n is large
REVERT: 2277af5 Fix integer overflow in ecmult_multi_var when n is large
REVERT: 85d0e1b Merge bitcoin#591: Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
REVERT: 1419637 Merge bitcoin#580: Add trivial ecmult_multi algorithm which does not require a scratch space
REVERT: a697d82 Add trivial ecmult_multi to the benchmark tool
REVERT: bade617 Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points.
REVERT: 5545e13 Merge bitcoin#584: configure: Use CFLAGS_FOR_BUILD when checking native compiler
REVERT: 20c5869 Merge bitcoin#516: improvements to random seed in src/tests.c
REVERT: b76e45d Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
REVERT: 870a977 Merge bitcoin#562: Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
REVERT: be40c4d Fixup for C90 mixed declarations.
REVERT: c71dd2c Merge bitcoin#509: Fix algorithm selection in bench_ecmult
REVERT: 6492bf8 Merge bitcoin#518: Summarize build options after running configure
REVERT: 0e9ada1 Merge bitcoin#567: Correct order of libs returned on pkg-config --libs --static libsecp2…
REVERT: e96901a Merge bitcoin#587: Make randomization of a non-signing context a noop
REVERT: 58df8d0 Merge bitcoin#511: Portability fix for the configure scripts generated
REVERT: 2ebdad7 Merge bitcoin#552: Make constants static:
REVERT: 1c131af Merge bitcoin#551: secp256k1_fe_sqrt: Verify that the arguments don't alias.
REVERT: ba698f8 Merge bitcoin#539: Assorted minor corrections
REVERT: 949e85b Merge bitcoin#550: Optimize secp256k1_fe_normalize_weak calls.
REVERT: a34bcaa Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker
REVERT: 2d5f4ce configure: Use CFLAGS_FOR_BUILD when checking native compiler
REVERT: b408c6a Merge bitcoin#579: Use __GNUC_PREREQ for detecting __builtin_expect
REVERT: 6198375 Make randomization of a non-signing context a noop
REVERT: c663397 Use __GNUC_PREREQ for detecting __builtin_expect
REVERT: e34ceb3 Merge bitcoin#557: Eliminate scratch memory used when generating contexts
REVERT: b3bf5f9 ecmult_impl: expand comment to explain how effective affine interacts with everything
REVERT: efa783f Store z-ratios in the 'x' coord they'll recover
REVERT: ffd3b34 add `secp256k1_ge_set_all_gej_var` test which deals with many infinite points
REVERT: 84740ac ecmult_impl: save one fe_inv_var
REVERT: 4704527 ecmult_impl: eliminate scratch memory used when generating context
REVERT: 7f7a2ed ecmult_gen_impl: eliminate scratch memory used when generating context
REVERT: 314a61d Merge bitcoin#553: add static context object which has no capabilities
REVERT: 89a20a8 Correct order of libs returned on pkg-config --libs --static libsecp256k1 call.
REVERT: d3cb1f9 Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
REVERT: 40fde61 prevent attempts to modify `secp256k1_context_no_precomp`
REVERT: ed7c084 add static context object which has no capabilities
REVERT: 496c5b4 Make constants static: static const secp256k1_ge secp256k1_ge_const_g; static const int CURVE_B;
REVERT: bf8b86c secp256k1_fe_sqrt: Verify that the arguments don't alias.
REVERT: 9bd89c8 Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead.
REVERT: 52ab96f clean dependendies in field_*_impl.h
REVERT: deff5ed Correct math typos in field_*.h
REVERT: 4efb3f8 Add check that restrict pointers don't alias with all parameters.
REVERT: 3965027 Summarize build options in configure script
REVERT: 0f05173 Fix algorithm selection in bench_ecmult
REVERT: 8b3841c fix bug in fread() failure check
REVERT: cddef0c tests: add warning message when /dev/urandom fails
REVERT: 270f6c8 Portability fix for the configure scripts generated

git-subtree-dir: src/secp256k1
git-subtree-split: 763484a1e5bed2b8b990e71c2f66129ae1038d59

Author: sipa

.gitignore

@@ -1,9 +1,9 @@
 bench_inv
 bench_ecdh
 bench_ecmult
+bench_schnorrsig
 bench_sign
 bench_verify
-bench_schnorr_verify
 bench_recover
 bench_internal
 tests

.travis.yml

@@ -1,5 +1,5 @@
 language: c
-os: linux
+sudo: false
 addons:
   apt:
     packages: libgmp-dev
@@ -66,3 +66,4 @@ script:
  - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
  - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
  - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
+os: linux

Makefile.am

@@ -114,7 +114,7 @@ exhaustive_tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src $(SECP_INCLUDE
 if !ENABLE_COVERAGE
 exhaustive_tests_CPPFLAGS += -DVERIFY
 endif
-exhaustive_tests_LDADD = $(SECP_LIBS) $(COMMON_LIB)
+exhaustive_tests_LDADD = $(SECP_LIBS)
 exhaustive_tests_LDFLAGS = -static
 TESTS += exhaustive_tests
 endif
@@ -151,14 +151,15 @@ endif
 
 if USE_ECMULT_STATIC_PRECOMPUTATION
 CPPFLAGS_FOR_BUILD +=-I$(top_srcdir)
+CFLAGS_FOR_BUILD += -Wall -Wextra -Wno-unused-function
 
 gen_context_OBJECTS = gen_context.o
 gen_context_BIN = gen_context$(BUILD_EXEEXT)
 gen_%.o: src/gen_%.c
 	$(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@
 
 $(gen_context_BIN): $(gen_context_OBJECTS)
-	$(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@
+	$(CC_FOR_BUILD) $^ -o $@
 
 $(libsecp256k1_la_OBJECTS): src/ecmult_static_context.h
 $(tests_OBJECTS): src/ecmult_static_context.h
@@ -177,6 +178,10 @@ if ENABLE_MODULE_ECDH
 include src/modules/ecdh/Makefile.am.include
 endif
 
+if ENABLE_MODULE_SCHNORRSIG
+include src/modules/schnorrsig/Makefile.am.include
+endif
+
 if ENABLE_MODULE_RECOVERY
 include src/modules/recovery/Makefile.am.include
 endif

configure.ac

@@ -129,6 +129,11 @@ AC_ARG_ENABLE(module_ecdh,
     [enable_module_ecdh=$enableval],
     [enable_module_ecdh=no])
 
+AC_ARG_ENABLE(module_schnorrsig,
+    AS_HELP_STRING([--enable-module-schnorrsig],[enable schnorrsig module (experimental)]),
+    [enable_module_schnorrsig=$enableval],
+    [enable_module_schnorrsig=no])
+
 AC_ARG_ENABLE(module_recovery,
     AS_HELP_STRING([--enable-module-recovery],[enable ECDSA pubkey recovery module (default is no)]),
     [enable_module_recovery=$enableval],
@@ -153,6 +158,12 @@ AC_ARG_WITH([asm], [AS_HELP_STRING([--with-asm=x86_64|arm|no|auto]
 
 AC_CHECK_TYPES([__int128])
 
+AC_MSG_CHECKING([for __builtin_expect])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_expect(0,0);}]])],
+    [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_EXPECT,1,[Define this symbol if __builtin_expect is available]) ],
+    [ AC_MSG_RESULT([no])
+    ])
+
 if test x"$enable_coverage" = x"yes"; then
     AC_DEFINE(COVERAGE, 1, [Define this symbol to compile out all VERIFY code])
     CFLAGS="$CFLAGS -O0 --coverage"
@@ -162,54 +173,27 @@ else
 fi
 
 if test x"$use_ecmult_static_precomputation" != x"no"; then
-  # Temporarily switch to an environment for the native compiler
   save_cross_compiling=$cross_compiling
   cross_compiling=no
-  SAVE_CC="$CC"
+  TEMP_CC="$CC"
   CC="$CC_FOR_BUILD"
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS_FOR_BUILD"
-  SAVE_CPPFLAGS="$CPPFLAGS"
-  CPPFLAGS="$CPPFLAGS_FOR_BUILD"
-  SAVE_LDFLAGS="$LDFLAGS"
-  LDFLAGS="$LDFLAGS_FOR_BUILD"
-
-  warn_CFLAGS_FOR_BUILD="-Wall -Wextra -Wno-unused-function"
-  saved_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS $warn_CFLAGS_FOR_BUILD"
-  AC_MSG_CHECKING([if native ${CC_FOR_BUILD} supports ${warn_CFLAGS_FOR_BUILD}])
-  AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])],
-      [ AC_MSG_RESULT([yes]) ],
-      [ AC_MSG_RESULT([no])
-        CFLAGS="$saved_CFLAGS"
-      ])
-
-  AC_MSG_CHECKING([for working native compiler: ${CC_FOR_BUILD}])
+  AC_MSG_CHECKING([native compiler: ${CC_FOR_BUILD}])
   AC_RUN_IFELSE(
-    [AC_LANG_PROGRAM([], [])],
+    [AC_LANG_PROGRAM([], [return 0])],
     [working_native_cc=yes],
     [working_native_cc=no],[dnl])
-
-  CFLAGS_FOR_BUILD="$CFLAGS"
-
-  # Restore the environment
+  CC="$TEMP_CC"
   cross_compiling=$save_cross_compiling
-  CC="$SAVE_CC"
-  CFLAGS="$SAVE_CFLAGS"
-  CPPFLAGS="$SAVE_CPPFLAGS"
-  LDFLAGS="$SAVE_LDFLAGS"
 
   if test x"$working_native_cc" = x"no"; then
-    AC_MSG_RESULT([no])
     set_precomp=no
-    m4_define([please_set_for_build], [Please set CC_FOR_BUILD, CFLAGS_FOR_BUILD, CPPFLAGS_FOR_BUILD, and/or LDFLAGS_FOR_BUILD.])
     if test x"$use_ecmult_static_precomputation" = x"yes";  then
-      AC_MSG_ERROR([native compiler ${CC_FOR_BUILD} does not produce working binaries. please_set_for_build])
+      AC_MSG_ERROR([${CC_FOR_BUILD} does not produce working binaries. Please set CC_FOR_BUILD])
     else
-      AC_MSG_WARN([Disabling statically generated ecmult table because the native compiler ${CC_FOR_BUILD} does not produce working binaries. please_set_for_build])
+      AC_MSG_RESULT([${CC_FOR_BUILD} does not produce working binaries. Please set CC_FOR_BUILD])
     fi
   else
-    AC_MSG_RESULT([yes])
+    AC_MSG_RESULT([ok])
     set_precomp=yes
   fi
 else
@@ -452,6 +436,10 @@ if test x"$enable_module_ecdh" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module])
 fi
 
+if test x"$enable_module_schnorrsig" = x"yes"; then
+  AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module])
+fi
+
 if test x"$enable_module_recovery" = x"yes"; then
   AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module])
 fi
@@ -462,16 +450,32 @@ if test x"$use_external_asm" = x"yes"; then
   AC_DEFINE(USE_EXTERNAL_ASM, 1, [Define this symbol if an external (non-inline) assembly implementation is used])
 fi
 
+AC_MSG_NOTICE([Using static precomputation: $set_precomp])
+AC_MSG_NOTICE([Using assembly optimizations: $set_asm])
+AC_MSG_NOTICE([Using field implementation: $set_field])
+AC_MSG_NOTICE([Using bignum implementation: $set_bignum])
+AC_MSG_NOTICE([Using scalar implementation: $set_scalar])
+AC_MSG_NOTICE([Using endomorphism optimizations: $use_endomorphism])
+AC_MSG_NOTICE([Building benchmarks: $use_benchmark])
+AC_MSG_NOTICE([Building for coverage analysis: $enable_coverage])
+AC_MSG_NOTICE([Building ECDH module: $enable_module_ecdh])
+AC_MSG_NOTICE([Building ECDSA pubkey recovery module: $enable_module_recovery])
+AC_MSG_NOTICE([Using jni: $use_jni])
+
 if test x"$enable_experimental" = x"yes"; then
   AC_MSG_NOTICE([******])
   AC_MSG_NOTICE([WARNING: experimental build])
   AC_MSG_NOTICE([Experimental features do not have stable APIs or properties, and may not be safe for production use.])
   AC_MSG_NOTICE([Building ECDH module: $enable_module_ecdh])
+  AC_MSG_NOTICE([Building schnorrsig module: $enable_module_schnorrsig])
   AC_MSG_NOTICE([******])
 else
   if test x"$enable_module_ecdh" = x"yes"; then
     AC_MSG_ERROR([ECDH module is experimental. Use --enable-experimental to allow.])
   fi
+  if test x"$enable_module_schnorrsig" = x"yes"; then
+    AC_MSG_ERROR([schnorrsig module is experimental. Use --enable-experimental to allow.])
+  fi
   if test x"$set_asm" = x"arm"; then
     AC_MSG_ERROR([ARM assembly optimization is experimental. Use --enable-experimental to allow.])
   fi
@@ -490,8 +494,9 @@ AM_CONDITIONAL([USE_EXHAUSTIVE_TESTS], [test x"$use_exhaustive_tests" != x"no"])
 AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"])
 AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"])
+AM_CONDITIONAL([ENABLE_MODULE_SCHNORRSIG], [test x"$enable_module_schnorrsig" = x"yes"])
 AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"])
-AM_CONDITIONAL([USE_JNI], [test x"$use_jni" = x"yes"])
+AM_CONDITIONAL([USE_JNI], [test x"$use_jni" == x"yes"])
 AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"])
 AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"])
 
@@ -501,24 +506,3 @@ unset PKG_CONFIG_PATH
 PKG_CONFIG_PATH="$PKGCONFIG_PATH_TEMP"
 
 AC_OUTPUT
-
-echo
-echo "Build Options:"
-echo "  with endomorphism   = $use_endomorphism"
-echo "  with ecmult precomp = $set_precomp"
-echo "  with jni            = $use_jni"
-echo "  with benchmarks     = $use_benchmark"
-echo "  with coverage       = $enable_coverage"
-echo "  module ecdh         = $enable_module_ecdh"
-echo "  module recovery     = $enable_module_recovery"
-echo
-echo "  asm                 = $set_asm"
-echo "  bignum              = $set_bignum"
-echo "  field               = $set_field"
-echo "  scalar              = $set_scalar"
-echo
-echo "  CC                  = $CC"
-echo "  CFLAGS              = $CFLAGS"
-echo "  CPPFLAGS            = $CPPFLAGS"
-echo "  LDFLAGS             = $LDFLAGS"
-echo

include/secp256k1.h

@@ -179,13 +179,6 @@ typedef int (*secp256k1_nonce_function)(
 #define SECP256K1_TAG_PUBKEY_HYBRID_EVEN 0x06
 #define SECP256K1_TAG_PUBKEY_HYBRID_ODD 0x07
 
-/** A simple secp256k1 context object with no precomputed tables. These are useful for
- *  type serialization/parsing functions which require a context object to maintain
- *  API consistency, but currently do not require expensive precomputations or dynamic
- *  allocations.
- */
-SECP256K1_API extern const secp256k1_context *secp256k1_context_no_precomp;
-
 /** Create a secp256k1 context object.
  *
  *  Returns: a newly created context object.
@@ -482,6 +475,12 @@ SECP256K1_API int secp256k1_ecdsa_signature_normalize(
  */
 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc6979;
 
+/** An implementation of the nonce generation function as defined in BIP-schnorr.
+ * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
+ * extra entropy.
+ */
+SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_bipschnorr;
+
 /** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */
 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_default;
 
@@ -615,7 +614,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Updates the context randomization to protect against side-channel leakage.
- *  Returns: 1: randomization successfully updated or nothing to randomize
+ *  Returns: 1: randomization successfully updated
  *           0: error
  *  Args:    ctx:       pointer to a context object (cannot be NULL)
  *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
@@ -630,11 +629,6 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
  * that it does not affect function results, but shields against attacks which
  * rely on any input-dependent behaviour.
  *
- * This function has currently an effect only on contexts initialized for signing
- * because randomization is currently used only for signing. However, this is not
- * guaranteed and may change in the future. It is safe to call this function on
- * contexts not initialized for signing; then it will have no effect and return 1.
- *
  * You should call this after secp256k1_context_create or
  * secp256k1_context_clone, and may call this repeatedly afterwards.
  */

include/secp256k1_schnorrsig.h

@@ -0,0 +1,118 @@
+#ifndef SECP256K1_SCHNORRSIG_H
+#define SECP256K1_SCHNORRSIG_H
+
+/** This module implements a variant of Schnorr signatures compliant with
+ * BIP-schnorr
+ * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki).
+ */
+
+/** Opaque data structure that holds a parsed Schnorr signature.
+ *
+ *  The exact representation of data inside is implementation defined and not
+ *  guaranteed to be portable between different platforms or versions. It is
+ *  however guaranteed to be 64 bytes in size, and can be safely copied/moved.
+ *  If you need to convert to a format suitable for storage, transmission, or
+ *  comparison, use the `secp256k1_schnorrsig_serialize` and
+ *  `secp256k1_schnorrsig_parse` functions.
+ */
+typedef struct {
+    unsigned char data[64];
+} secp256k1_schnorrsig;
+
+/** Serialize a Schnorr signature.
+ *
+ *  Returns: 1
+ *  Args:    ctx: a secp256k1 context object
+ *  Out:   out64: pointer to a 64-byte array to store the serialized signature
+ *  In:      sig: pointer to the signature
+ *
+ *  See secp256k1_schnorrsig_parse for details about the encoding.
+ */
+SECP256K1_API int secp256k1_schnorrsig_serialize(
+    const secp256k1_context* ctx,
+    unsigned char *out64,
+    const secp256k1_schnorrsig* sig
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Parse a Schnorr signature.
+ *
+ *  Returns: 1 when the signature could be parsed, 0 otherwise.
+ *  Args:    ctx: a secp256k1 context object
+ *  Out:     sig: pointer to a signature object
+ *  In:     in64: pointer to the 64-byte signature to be parsed
+ *
+ * The signature is serialized in the form R||s, where R is a 32-byte public
+ * key (x-coordinate only; the y-coordinate is considered to be the unique
+ * y-coordinate satisfying the curve equation that is a quadratic residue)
+ * and s is a 32-byte big-endian scalar.
+ *
+ * After the call, sig will always be initialized. If parsing failed or the
+ * encoded numbers are out of range, signature validation with it is
+ * guaranteed to fail for every message and public key.
+ */
+SECP256K1_API int secp256k1_schnorrsig_parse(
+    const secp256k1_context* ctx,
+    secp256k1_schnorrsig* sig,
+    const unsigned char *in64
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
+
+/** Create a Schnorr signature.
+ *
+ * Returns 1 on success, 0 on failure.
+ *  Args:    ctx: pointer to a context object, initialized for signing (cannot be NULL)
+ *  Out:     sig: pointer to the returned signature (cannot be NULL)
+ *       nonce_is_negated: a pointer to an integer indicates if signing algorithm negated the
+ *                nonce (can be NULL)
+ *  In:    msg32: the 32-byte message hash being signed (cannot be NULL)
+ *        seckey: pointer to a 32-byte secret key (cannot be NULL)
+ *       noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_bipschnorr is used
+ *         ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+ */
+SECP256K1_API int secp256k1_schnorrsig_sign(
+    const secp256k1_context* ctx,
+    secp256k1_schnorrsig *sig,
+    int *nonce_is_negated,
+    const unsigned char *msg32,
+    const unsigned char *seckey,
+    secp256k1_nonce_function noncefp,
+    void *ndata
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(4) SECP256K1_ARG_NONNULL(5);
+
+/** Verify a Schnorr signature.
+ *
+ *  Returns: 1: correct signature
+ *           0: incorrect or unparseable signature
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *  In:      sig: the signature being verified (cannot be NULL)
+ *         msg32: the 32-byte message hash being verified (cannot be NULL)
+ *        pubkey: pointer to a public key to verify with (cannot be NULL)
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify(
+    const secp256k1_context* ctx,
+    const secp256k1_schnorrsig *sig,
+    const unsigned char *msg32,
+    const secp256k1_pubkey *pubkey
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
+
+/** Verifies a set of Schnorr signatures.
+ *
+ * Returns 1 if all succeeded, 0 otherwise. In particular, returns 1 if n_sigs is 0.
+ *
+ *  Args:    ctx: a secp256k1 context object, initialized for verification.
+ *       scratch: scratch space used for the multiexponentiation
+ *  In:      sig: array of signatures, or NULL if there are no signatures
+ *         msg32: array of messages, or NULL if there are no signatures
+ *            pk: array of public keys, or NULL if there are no signatures
+ *        n_sigs: number of signatures in above arrays. Must be smaller than
+ *                2^31 and smaller than half the maximum size_t value. Must be 0
+ *                if above arrays are NULL.
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_schnorrsig_verify_batch(
+    const secp256k1_context* ctx,
+    secp256k1_scratch_space *scratch,
+    const secp256k1_schnorrsig *const *sig,
+    const unsigned char *const *msg32,
+    const secp256k1_pubkey *const *pk,
+    size_t n_sigs
+) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2);
+#endif