rbsecp256k1 5.1.0 → 6.0.0

data/ext/rbsecp256k1/rbsecp256k1.c

@@ -7,19 +7,39 @@
 //
 // Dependencies:
 //   * libsecp256k1
+
+// Sanity check that we have the basic header file.
+#ifndef HAVE_SECP256K1_H
+  #error missing secp256k1.h during build
+#endif // HAVE_SECP256K1_H
+
+// Sanity check we have extrakeys module as we need it for keypair which is
+// used by schnorrsig.
+#ifndef HAVE_SECP256K1_EXTRAKEYS_H
+  #error missing secp256k1_extrakeys.h during build
+#endif // HAVE_SECP256K1_EXTRAKEYS_H
+
 #include <ruby.h>
 #include <secp256k1.h>
 
-// Include recoverable signatures functionality if available
+// Check for optional sub-modules. As a rule any secp256k1 submodule is
+// optional and so should be blocked off using these ifdefs.
 #ifdef HAVE_SECP256K1_RECOVERY_H
 #include <secp256k1_recovery.h>
 #endif // HAVE_SECP256K1_RECOVERY_H
 
-// Include EC Diffie-Hellman functionality
 #ifdef HAVE_SECP256K1_ECDH_H
 #include <secp256k1_ecdh.h>
 #endif // HAVE_SECP256K1_ECDH_H
 
+#ifdef HAVE_SECP256K1_EXTRAKEYS_H
+#include <secp256k1_extrakeys.h>
+#endif // HAVE_SECP256K1_EXTRAKEYS_H
+
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+#include <secp256k1_schnorrsig.h>
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
+
 // High-level design:
 //
 // The Ruby wrapper is divided into the following hierarchical organization:
@@ -28,13 +48,15 @@
 // |--  Context
 // |--  KeyPair
 // |--  PublicKey
+// |--  XOnlyPublicKey
 // |--  PrivateKey
-// |--  RecoverableSignature
-// |--  SharedSecret
+// |--  RecoverableSignature (recovery module)
+// |--  SharedSecret (ecdh module)
 // |--  Signature
+// |--  SchnorrSignature
 //
 // The Context class contains most of the methods that invoke libsecp256k1.
-// The KayPair, PublicKey, PrivateKey, RecoverableSignature, SharedSecret, and
+// The KeyPair, PublicKey, PrivateKey, RecoverableSignature, SharedSecret, and
 // Signature objects act as data objects and are passed to various
 // methods. Contexts are thread safe and can be used across
 // applications. Context initialization is expensive so it is recommended that
@@ -58,8 +80,12 @@
 const size_t UNCOMPRESSED_PUBKEY_SIZE_BYTES = 65;
 // Size of a compressed public key
 const size_t COMPRESSED_PUBKEY_SIZE_BYTES = 33;
+// Size of a serialized x-only public key
+const size_t SERIALIZED_XONLY_PUBKEY_SIZE_BYTES = 32;
 // Size of a compact signature in bytes
 const size_t COMPACT_SIG_SIZE_BYTES = 64;
+// Size of a schnorr signature in bytes
+const size_t SCHNORR_SIG_SIZE_BYTES = 64;
 
 // Globally define our module and its associated classes so we can instantiate
 // objects from anywhere. The use of global variables seems to be inline with
@@ -73,6 +99,7 @@ static VALUE Secp256k1_KeyPair_class;
 static VALUE Secp256k1_PublicKey_class;
 static VALUE Secp256k1_PrivateKey_class;
 static VALUE Secp256k1_Signature_class;
+static VALUE Secp256k1_XOnlyPublicKey_class;
 
 #ifdef HAVE_SECP256K1_RECOVERY_H
 static VALUE Secp256k1_RecoverableSignature_class;
@@ -82,14 +109,17 @@ static VALUE Secp256k1_RecoverableSignature_class;
 static VALUE Secp256k1_SharedSecret_class;
 #endif // HAVE_SECP256K1_ECDH_H
 
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+static VALUE Secp256k1_SchnorrSignature_class;
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
+
 // Forward definitions for all structures
 typedef struct Context_dummy {
   secp256k1_context *ctx; // Context used by libsecp256k1 library
 } Context;
 
 typedef struct KeyPair_dummy {
-  VALUE public_key;
-  VALUE private_key;
+  secp256k1_keypair keypair;
 } KeyPair;
 
 typedef struct PublicKey_dummy {
@@ -100,6 +130,10 @@ typedef struct PrivateKey_dummy {
   unsigned char data[32]; // Bytes comprising the private key data
 } PrivateKey;
 
+typedef struct XOnlyPublicKey_dummy {
+  secp256k1_xonly_pubkey pubkey; // Opaque object representing an x-only pubkey.
+} XOnlyPublicKey;
+
 typedef struct Signature_dummy {
   secp256k1_ecdsa_signature sig; // Signature object, contains 64-byte signature
 } Signature;
@@ -117,6 +151,11 @@ typedef struct SharedSecret_dummy {
 } SharedSecret;
 #endif // HAVE_SECP256K1_ECDH_H
 
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+typedef struct SchnorrSignature_dummy {
+  unsigned char sig[64]; // Serialized schnorr signature data
+} SchnorrSignature;
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
 //
 // Typed data definitions
 //
@@ -154,12 +193,38 @@ static const rb_data_type_t PublicKey_DataType = {
   RUBY_TYPED_FREE_IMMEDIATELY
 };
 
+// XOnlyPublicKey
+static void
+XOnlyPublicKey_free(void* in_xonly_pubkey)
+{
+  XOnlyPublicKey *xonly_pubkey;
+  xonly_pubkey = (XOnlyPublicKey*)in_xonly_pubkey;
+  xfree(xonly_pubkey);
+}
+
+static const rb_data_type_t XOnlyPublicKey_DataType = {
+  "XOnlyPublicKey",
+  { 0, XOnlyPublicKey_free, 0 },
+  0, 0,
+  RUBY_TYPED_FREE_IMMEDIATELY
+};
+
 // PrivateKey
 static void
 PrivateKey_free(void *in_private_key)
 {
   PrivateKey *private_key;
   private_key = (PrivateKey*)in_private_key;
+
+  /* Take the best practice recommendation from the libsecp256k1 example and
+   * clear the secret from memory in case there are bugs that might allow an
+   * attacker to leak memory.
+   *
+   * That being said its not clear how much control we actually have over Ruby
+   * potentially copying the string version of this private key data.
+   */
+  memset(private_key->data, 0, 32);
+
   xfree(private_key);
 }
 
@@ -172,24 +237,16 @@ static const rb_data_type_t PrivateKey_DataType = {
 
 // KeyPair
 static void
-KeyPair_mark(void *in_key_pair)
-{
-  KeyPair *key_pair = (KeyPair*)in_key_pair;
-
-  // Mark both contained objects to ensure they are properly garbage collected
-  rb_gc_mark(key_pair->public_key);
-  rb_gc_mark(key_pair->private_key);
-}
-
-static void
-KeyPair_free(void *self)
+KeyPair_free(void *in_keypair)
 {
-  xfree(self);
+  KeyPair *keypair;
+  keypair = (KeyPair*)in_keypair;
+  xfree(keypair);
 }
 
 static const rb_data_type_t KeyPair_DataType = {
   "KeyPair",
-  { KeyPair_mark, KeyPair_free, 0 },
+  { 0, KeyPair_free, 0 },
   0, 0,
   RUBY_TYPED_FREE_IMMEDIATELY
 };
@@ -249,6 +306,25 @@ static const rb_data_type_t SharedSecret_DataType = {
 };
 #endif // HAVE_SECP256K1_ECDH_H
 
+// SchnorrSignature
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+static void
+SchnorrSignature_free(void *in_schnorr_sig)
+{
+  SchnorrSignature *schnorr_sig;
+
+  schnorr_sig = (SchnorrSignature*)in_schnorr_sig;
+  xfree(schnorr_sig);
+}
+
+static const rb_data_type_t SchnorrSignature_DataType = {
+  "SchnorrSignature",
+  { 0, SchnorrSignature_free, 0 },
+  0, 0,
+  RUBY_TYPED_FREE_IMMEDIATELY
+};
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
+
 /**
  * Macro: SUCCESS
  * 
@@ -337,72 +413,103 @@ RecoverableSignData(secp256k1_context *in_context,
 #endif // HAVE_SECP256K1_RECOVERY_H
 
 //
-// Secp256k1::KeyPair class interface
+// Secp256k1::XOnlyPublicKey class interface
 //
 
 static VALUE
-KeyPair_alloc(VALUE klass)
+XOnlyPublicKey_alloc(VALUE klass)
 {
-  KeyPair *key_pair;
+  VALUE result;
+  XOnlyPublicKey* xonly_pubkey;
 
-  key_pair = ALLOC(KeyPair);
+  xonly_pubkey = ALLOC(XOnlyPublicKey);
+  MEMZERO(xonly_pubkey, XOnlyPublicKey, 1);
+  result = TypedData_Wrap_Struct(klass, &XOnlyPublicKey_DataType, xonly_pubkey);
 
-  return TypedData_Wrap_Struct(klass, &KeyPair_DataType, key_pair);
+  return result;
+}
+
+static VALUE
+XOnlyPublicKey_create_from_data(unsigned char *in_xonly_pubkey32)
+{
+  XOnlyPublicKey *xonly_pubkey;
+  VALUE result;
+
+  result = XOnlyPublicKey_alloc(Secp256k1_XOnlyPublicKey_class);
+  TypedData_Get_Struct(result, XOnlyPublicKey, &XOnlyPublicKey_DataType, xonly_pubkey);
+
+  if (secp256k1_xonly_pubkey_parse(secp256k1_context_static, &xonly_pubkey->pubkey, in_xonly_pubkey32) != 1)
+  {
+    rb_raise(Secp256k1_DeserializationError_class, "invalid x-only public key data");
+    return Qnil;
+  }
+
+  return result;
 }
 
 /**
- * Default constructor.
+ * Loads an x-only public key from serialized data.
  *
- * @param in_public_key [Secp256k1::PublicKey] public key
- * @param in_private_key [Secp256k1::PrivateKey] private key
- * @return [Secp256k1::KeyPair] newly initialized key pair.
+ * @param in_xonly_public_key_serialized [String] binary string with serialized
+ * data.
+ * @return [Secp256k1::XOnlyPublicKey] x-only public key derived from data.
+ * @raise [Secp256k1::DeserializationError] if x-only public key data is invalid
  */
 static VALUE
-KeyPair_initialize(VALUE self, VALUE in_public_key, VALUE in_private_key)
+XOnlyPublicKey_from_data(VALUE klass, VALUE in_xonly_public_key_serialized)
 {
-  KeyPair *key_pair;
+  unsigned char *xonly_pubkey_data;
 
-  TypedData_Get_Struct(self, KeyPair, &KeyPair_DataType, key_pair);
-  Check_TypedStruct(in_public_key, &PublicKey_DataType);
-  Check_TypedStruct(in_private_key, &PrivateKey_DataType);
+  Check_Type(in_xonly_public_key_serialized, T_STRING);
+  if (RSTRING_LEN(in_xonly_public_key_serialized) != 32)
+  {
+    rb_raise(Secp256k1_DeserializationError_class, "x-only public key data must be 32 bytes in length");
+    return Qnil;
+  }
+
+  xonly_pubkey_data = (unsigned char*)StringValuePtr(in_xonly_public_key_serialized);
+  return XOnlyPublicKey_create_from_data(xonly_pubkey_data);
+}
 
-  key_pair->public_key = in_public_key;
-  key_pair->private_key = in_private_key;
+/**
+ * Returns the 32-byte serialized version of this x-only public key.
+ *
+ * @return [String] 32-byte binary string containing serialized x-only public
+ * key.
+ */
+static VALUE
+XOnlyPublicKey_serialized(VALUE self)
+{
+  XOnlyPublicKey* xonly_pubkey;
+  unsigned char out[SERIALIZED_XONLY_PUBKEY_SIZE_BYTES];
 
-  rb_iv_set(self, "@public_key", in_public_key);
-  rb_iv_set(self, "@private_key", in_private_key);
+  TypedData_Get_Struct(self, XOnlyPublicKey, &XOnlyPublicKey_DataType, xonly_pubkey);
 
-  return self;
+  if (secp256k1_xonly_pubkey_serialize(secp256k1_context_static, out, &xonly_pubkey->pubkey) != 1)
+  {
+    rb_raise(Secp256k1_SerializationError_class, "failed to serialize x-only public key");
+    return Qnil;
+  }
+
+  return rb_str_new((char*)out, SERIALIZED_XONLY_PUBKEY_SIZE_BYTES);
 }
 
 /**
- * Compare two key pairs.
+ * Compare two x-only public keys.
  *
- * Two key pairs are equal if they have the same public and private key. The
- * keys are compared using their own comparison operators.
- *
- * @param other [Secp256k1::KeyPair] key pair to compare to.
- * @return [Boolean] true if the keys match, false otherwise.
+ * @param other [Secp256k1::XOnlyPublicKey] x-only public key to compare.
+ * @return [Boolean] true if they are equal, false otherwise.
  */
 static VALUE
-KeyPair_equals(VALUE self, VALUE other)
+XOnlyPublicKey_equals(VALUE self, VALUE other)
 {
-  KeyPair *lhs;
-  KeyPair *rhs;
-  VALUE public_keys_equal;
-  VALUE private_keys_equal;
+  XOnlyPublicKey *lhs;
+  XOnlyPublicKey *rhs;
 
-  TypedData_Get_Struct(self, KeyPair, &KeyPair_DataType, lhs);
-  TypedData_Get_Struct(other, KeyPair, &KeyPair_DataType, rhs);
+  TypedData_Get_Struct(self, XOnlyPublicKey, &XOnlyPublicKey_DataType, lhs);
+  TypedData_Get_Struct(other, XOnlyPublicKey, &XOnlyPublicKey_DataType, rhs);
 
-  public_keys_equal = rb_funcall(
-    lhs->public_key, rb_intern("=="), 1, rhs->public_key
-  );
-  private_keys_equal = rb_funcall(
-    lhs->private_key, rb_intern("=="), 1, rhs->private_key
-  );
-
-  if (public_keys_equal == Qtrue && private_keys_equal == Qtrue)
+  if (secp256k1_xonly_pubkey_cmp(secp256k1_context_static, &lhs->pubkey, &rhs->pubkey) == 0)
   {
     return Qtrue;
   }
@@ -427,27 +534,6 @@ PublicKey_alloc(VALUE klass)
   return result;
 }
 
-static VALUE
-PublicKey_create_from_private_key(Context *in_context,
-                                  unsigned char *private_key_data)
-{
-  PublicKey *public_key;
-  VALUE result;
-
-  result = PublicKey_alloc(Secp256k1_PublicKey_class);
-  TypedData_Get_Struct(result, PublicKey, &PublicKey_DataType, public_key);
-
-  if (secp256k1_ec_pubkey_create(
-        in_context->ctx,
-        (&public_key->pubkey),
-        private_key_data) != 1)
-  {
-    rb_raise(Secp256k1_DeserializationError_class, "invalid private key data");
-  }
-
-  return result;
-}
-
 static VALUE
 PublicKey_create_from_data(unsigned char *in_public_key_data,
                            unsigned int in_public_key_data_len)
@@ -458,12 +544,13 @@ PublicKey_create_from_data(unsigned char *in_public_key_data,
   result = PublicKey_alloc(Secp256k1_PublicKey_class);
   TypedData_Get_Struct(result, PublicKey, &PublicKey_DataType, public_key);
 
-  if (secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp,
+  if (secp256k1_ec_pubkey_parse(secp256k1_context_static,
                                 &(public_key->pubkey),
                                 in_public_key_data,
                                 in_public_key_data_len) != 1)
   {
     rb_raise(Secp256k1_DeserializationError_class, "invalid public key data");
+    return Qnil;
   }
 
   return result;
@@ -505,7 +592,7 @@ PublicKey_uncompressed(VALUE self)
 
   TypedData_Get_Struct(self, PublicKey, &PublicKey_DataType, public_key);
 
-  secp256k1_ec_pubkey_serialize(secp256k1_context_no_precomp,
+  secp256k1_ec_pubkey_serialize(secp256k1_context_static,
                                 serialized_pubkey,
                                 &serialized_pubkey_len,
                                 &(public_key->pubkey),
@@ -528,7 +615,7 @@ PublicKey_compressed(VALUE self)
 
   TypedData_Get_Struct(self, PublicKey, &PublicKey_DataType, public_key);
 
-  secp256k1_ec_pubkey_serialize(secp256k1_context_no_precomp,
+  secp256k1_ec_pubkey_serialize(secp256k1_context_static,
                                 serialized_pubkey,
                                 &serialized_pubkey_len,
                                 &(public_key->pubkey),
@@ -537,6 +624,35 @@ PublicKey_compressed(VALUE self)
   return rb_str_new((char*)serialized_pubkey, serialized_pubkey_len);
 }
 
+/**
+ * Returns the x-only public key equivalent of this public key.
+ *
+ * @return [Secp256k1::XOnlyPublicKey] x-only public key
+ */
+static VALUE
+PublicKey_to_xonly(VALUE self)
+{
+  PublicKey *public_key;
+  XOnlyPublicKey *xonly_pubkey;
+  VALUE result;
+
+  TypedData_Get_Struct(self, PublicKey, &PublicKey_DataType, public_key);
+
+  result = XOnlyPublicKey_alloc(Secp256k1_XOnlyPublicKey_class);
+  TypedData_Get_Struct(result, XOnlyPublicKey, &XOnlyPublicKey_DataType, xonly_pubkey);
+
+  if (secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static,
+                                         &xonly_pubkey->pubkey,
+                                         NULL,
+                                         &public_key->pubkey) != 1)
+  {
+    rb_raise(Secp256k1_Error_class, "failed to convert pubkey to x-only pubkey");
+    return Qnil;
+  }
+
+  return result;
+}
+
 /**
  * Compares two public keys.
  *
@@ -562,14 +678,14 @@ PublicKey_equals(VALUE self, VALUE other)
   TypedData_Get_Struct(other, PublicKey, &PublicKey_DataType, rhs);
 
   secp256k1_ec_pubkey_serialize(
-    secp256k1_context_no_precomp,
+    secp256k1_context_static,
     lhs_compressed,
     &lhs_len,
     &(lhs->pubkey),
     SECP256K1_EC_COMPRESSED
   );
   secp256k1_ec_pubkey_serialize(
-    secp256k1_context_no_precomp,
+    secp256k1_context_static,
     rhs_compressed,
     &rhs_len,
     &(rhs->pubkey),
@@ -602,27 +718,42 @@ PrivateKey_alloc(VALUE klass)
   return new_instance;
 }
 
+/* Internal-only method for creating a private key from secret data */
 static VALUE
 PrivateKey_create(unsigned char *in_private_key_data)
 {
   PrivateKey *private_key;
   VALUE result;
 
-  if (secp256k1_ec_seckey_verify(secp256k1_context_no_precomp,
+  if (secp256k1_ec_seckey_verify(secp256k1_context_static,
                                  in_private_key_data) != 1)
   {
     rb_raise(Secp256k1_Error_class, "invalid private key data");
+    return Qnil;
   }
 
   result = PrivateKey_alloc(Secp256k1_PrivateKey_class);
   TypedData_Get_Struct(result, PrivateKey, &PrivateKey_DataType, private_key);
   MEMCPY(private_key->data, in_private_key_data, char, 32);
 
-  rb_iv_set(result, "@data", rb_str_new((char*)in_private_key_data, 32));
-
   return result;
 }
 
+/**
+ * Returns binary string of private key data.
+ *
+ * @return [String] 32 byte binary string of private key data.
+ */
+static VALUE
+PrivateKey_data(VALUE self)
+{
+  PrivateKey *private_key;
+
+  TypedData_Get_Struct(self, PrivateKey, &PrivateKey_DataType, private_key);
+
+  return(rb_str_new((char*)private_key->data, 32));
+}
+
 /**
  * Load a private key from binary data.
  *
@@ -643,6 +774,7 @@ PrivateKey_from_data(VALUE klass, VALUE in_private_key_data)
       Secp256k1_Error_class,
       "private key data must be 32 bytes in length"
     );
+    return Qnil;
   }
 
   private_key_data = (unsigned char*)StringValuePtr(in_private_key_data);
@@ -674,6 +806,121 @@ PrivateKey_equals(VALUE self, VALUE other)
   return Qfalse;
 }
 
+//
+// Secp256k1::KeyPair class interface
+//
+
+static VALUE
+KeyPair_alloc(VALUE klass)
+{
+  KeyPair *key_pair;
+
+  key_pair = ALLOC(KeyPair);
+
+  return TypedData_Wrap_Struct(klass, &KeyPair_DataType, key_pair);
+}
+
+/**
+ * Retrieve the public key for the given key pair.
+ *
+ * @return [Secp256k1::PublicKey] public key corresponding to private key.
+ */
+static VALUE
+KeyPair_public_key(VALUE self)
+{
+  KeyPair *key_pair;
+  VALUE result;
+  PublicKey *public_key;
+
+  TypedData_Get_Struct(self, KeyPair, &KeyPair_DataType, key_pair);
+
+  result = PublicKey_alloc(Secp256k1_PublicKey_class);
+  TypedData_Get_Struct(result, PublicKey, &PublicKey_DataType, public_key);
+
+  if (secp256k1_keypair_pub(secp256k1_context_static, &public_key->pubkey, &key_pair->keypair) == 0)
+  {
+    rb_raise(Secp256k1_Error_class, "failed to derive public key from keypair");
+    return Qnil;
+  }
+
+  return result;
+}
+
+/**
+ * Retrieve the x-only public key for the given key pair.
+ *
+ * @return [Secp256k1::XOnlyPublicKey] x-only public key corresponding to
+ * private key.
+ */
+static VALUE
+KeyPair_xonly_public_key(VALUE self)
+{
+  KeyPair *key_pair;
+  VALUE result;
+  XOnlyPublicKey *xonly_pubkey;
+
+  TypedData_Get_Struct(self, KeyPair, &KeyPair_DataType, key_pair);
+
+  result = XOnlyPublicKey_alloc(Secp256k1_XOnlyPublicKey_class);
+  TypedData_Get_Struct(result, XOnlyPublicKey, &XOnlyPublicKey_DataType, xonly_pubkey);
+
+  if (secp256k1_keypair_xonly_pub(secp256k1_context_static, &xonly_pubkey->pubkey, NULL, &key_pair->keypair) == 0)
+  {
+    rb_raise(Secp256k1_Error_class, "failed to derive x-only public key from keypair");
+    return Qnil;
+  }
+
+  return result;
+}
+
+/**
+ * Retrieve the private key for the given key pair.
+ *
+ * @return [Secp256k1::PrivateKey] public key corresponding to private key.
+ */
+static VALUE
+KeyPair_private_key(VALUE self)
+{
+  KeyPair *key_pair;
+  unsigned char private_key_data[32];
+
+  TypedData_Get_Struct(self, KeyPair, &KeyPair_DataType, key_pair);
+
+  if (secp256k1_keypair_sec(secp256k1_context_static, private_key_data, &key_pair->keypair) == 0)
+  {
+    rb_raise(Secp256k1_Error_class, "failed to derive private key from keypair");
+    return Qnil;
+  }
+
+  return PrivateKey_create(private_key_data);
+}
+
+/**
+ * Compare two key pairs.
+ *
+ * Two key pairs are equal if they have the same public and private key. The
+ * keys are compared using their own comparison operators.
+ *
+ * @param other [Secp256k1::KeyPair] key pair to compare to.
+ * @return [Boolean] true if the keys match, false otherwise.
+ */
+static VALUE
+KeyPair_equals(VALUE self, VALUE other)
+{
+  KeyPair *lhs;
+  KeyPair *rhs;
+
+  TypedData_Get_Struct(self, KeyPair, &KeyPair_DataType, lhs);
+  TypedData_Get_Struct(other, KeyPair, &KeyPair_DataType, rhs);
+
+  if (memcmp(&lhs->keypair, &rhs->keypair, sizeof(secp256k1_keypair)) == 0)
+  {
+    return Qtrue;
+  }
+
+  return Qfalse;
+}
+
 //
 // Secp256k1::Signature class interface
 //
@@ -718,11 +965,12 @@ Signature_from_compact(VALUE klass, VALUE in_compact_signature)
   signature_result = Signature_alloc(Secp256k1_Signature_class);
   TypedData_Get_Struct(signature_result, Signature, &Signature_DataType, signature);
 
-  if (secp256k1_ecdsa_signature_parse_compact(secp256k1_context_no_precomp,
+  if (secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static,
                                               &(signature->sig),
                                               signature_data) != 1)
   {
     rb_raise(Secp256k1_DeserializationError_class, "invalid compact signature");
+    return Qnil;
   }
 
   return signature_result;
@@ -751,12 +999,13 @@ Signature_from_der_encoded(VALUE klass, VALUE in_der_encoded_signature)
   signature_result = Signature_alloc(Secp256k1_Signature_class);
   TypedData_Get_Struct(signature_result, Signature, &Signature_DataType, signature);
 
-  if (secp256k1_ecdsa_signature_parse_der(secp256k1_context_no_precomp,
+  if (secp256k1_ecdsa_signature_parse_der(secp256k1_context_static,
                                           &(signature->sig),
                                           signature_data,
                                           RSTRING_LEN(in_der_encoded_signature)) != 1)
   {
     rb_raise(Secp256k1_DeserializationError_class, "invalid DER encoded signature");
+    return Qnil;
   }
 
   return signature_result;
@@ -778,7 +1027,7 @@ Signature_der_encoded(VALUE self)
   TypedData_Get_Struct(self, Signature, &Signature_DataType, signature);
 
   der_signature_len = 72;
-  if (secp256k1_ecdsa_signature_serialize_der(secp256k1_context_no_precomp,
+  if (secp256k1_ecdsa_signature_serialize_der(secp256k1_context_static,
                                               der_signature,
                                               &der_signature_len,
                                               &(signature->sig)) != 1)
@@ -787,6 +1036,7 @@ Signature_der_encoded(VALUE self)
       Secp256k1_SerializationError_class,
       "could not compute DER encoded signature"
     );
+    return Qnil;
   }
 
   return rb_str_new((char*)der_signature, der_signature_len);
@@ -806,7 +1056,7 @@ Signature_compact(VALUE self)
 
   TypedData_Get_Struct(self, Signature, &Signature_DataType, signature);
 
-  if (secp256k1_ecdsa_signature_serialize_compact(secp256k1_context_no_precomp,
+  if (secp256k1_ecdsa_signature_serialize_compact(secp256k1_context_static,
                                                   compact_signature,
                                                   &(signature->sig)) != 1)
   {
@@ -814,6 +1064,7 @@ Signature_compact(VALUE self)
       Secp256k1_SerializationError_class,
       "unable to compute compact signature"
     );
+    return Qnil;
   }
 
   return rb_str_new((char*)compact_signature, COMPACT_SIG_SIZE_BYTES);
@@ -847,7 +1098,7 @@ Signature_normalized(VALUE self)
 
   was_normalized = Qfalse;
   if (secp256k1_ecdsa_signature_normalize(
-        secp256k1_context_no_precomp,
+        secp256k1_context_static,
         &(normalized_signature->sig),
         &(signature->sig)) == 1)
   {
@@ -881,10 +1132,10 @@ Signature_equals(VALUE self, VALUE other)
   TypedData_Get_Struct(other, Signature, &Signature_DataType, rhs);
 
   secp256k1_ecdsa_signature_serialize_compact(
-    secp256k1_context_no_precomp, lhs_compact, &(lhs->sig)
+    secp256k1_context_static, lhs_compact, &(lhs->sig)
   );
   secp256k1_ecdsa_signature_serialize_compact(
-    secp256k1_context_no_precomp, rhs_compact, &(rhs->sig)
+    secp256k1_context_static, rhs_compact, &(rhs->sig)
   );
 
   if (memcmp(lhs_compact, rhs_compact, 64) == 0)
@@ -939,7 +1190,7 @@ RecoverableSignature_compact(VALUE self)
   );
 
   if (secp256k1_ecdsa_recoverable_signature_serialize_compact(
-        secp256k1_context_no_precomp,
+        recoverable_signature->ctx,
         compact_sig,
         &recovery_id,
         &(recoverable_signature->sig)) != 1)
@@ -948,6 +1199,7 @@ RecoverableSignature_compact(VALUE self)
       Secp256k1_SerializationError_class,
       "unable to serialize recoverable signature"
     );
+    return Qnil;
   }
 
   // Create a new array with room for 2 elements and push data onto it
@@ -988,7 +1240,7 @@ RecoverableSignature_to_signature(VALUE self)
 
   // NOTE: This method cannot fail
   secp256k1_ecdsa_recoverable_signature_convert(
-    secp256k1_context_no_precomp,
+    recoverable_signature->ctx,
     &(signature->sig),
     &(recoverable_signature->sig));
 
@@ -1016,6 +1268,7 @@ RecoverableSignature_recover_public_key(VALUE self, VALUE in_hash32)
   if (RSTRING_LEN(in_hash32) != 32)
   {
     rb_raise(Secp256k1_Error_class, "in_hash32 is not 32 bytes in length");
+    return Qnil;
   }
 
   TypedData_Get_Struct(
@@ -1101,6 +1354,98 @@ SharedSecret_alloc(VALUE klass)
 
 #endif // HAVE_SECP256K1_ECDH_H
 
+//
+// Secp256k1::SchnorrSignature class interface
+//
+
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+
+static VALUE
+SchnorrSignature_alloc(VALUE klass)
+{
+  VALUE new_instance;
+  SchnorrSignature *schnorr_sig;
+
+  schnorr_sig = ALLOC(SchnorrSignature);
+  MEMZERO(schnorr_sig, SchnorrSignature, 1);
+  new_instance = TypedData_Wrap_Struct(klass, &SchnorrSignature_DataType, schnorr_sig);
+
+  return new_instance;
+}
+
+static VALUE
+SchnorrSignature_from_data(VALUE klass, VALUE in_data)
+{
+  SchnorrSignature* sig;
+  VALUE result;
+  unsigned char* schnorr_data;
+
+  Check_Type(in_data, T_STRING);
+  if (RSTRING_LEN(in_data) != SCHNORR_SIG_SIZE_BYTES)
+  {
+    rb_raise(Secp256k1_DeserializationError_class, "schnorr signature data must be 64 bytes in length");
+    return Qnil;
+  }
+
+  schnorr_data = (unsigned char*)StringValuePtr(in_data);
+
+  result = SchnorrSignature_alloc(Secp256k1_SchnorrSignature_class);
+  TypedData_Get_Struct(result, SchnorrSignature, &SchnorrSignature_DataType, sig);
+
+  memcpy(sig->sig, schnorr_data, SCHNORR_SIG_SIZE_BYTES);
+
+  return result;
+}
+
+static VALUE
+SchnorrSignature_serialized(VALUE self)
+{
+  SchnorrSignature *schnorr_sig;
+
+  TypedData_Get_Struct(self, SchnorrSignature, &SchnorrSignature_DataType, schnorr_sig);
+
+  return rb_str_new((char*)schnorr_sig->sig, SCHNORR_SIG_SIZE_BYTES);
+}
+
+static VALUE
+SchnorrSignature_verify(VALUE self, VALUE in_message, VALUE in_xonly_pubkey)
+{
+  XOnlyPublicKey *xonly_pubkey;
+  SchnorrSignature *schnorr_sig;
+  unsigned char* msg;
+
+  TypedData_Get_Struct(self, SchnorrSignature, &SchnorrSignature_DataType, schnorr_sig);
+  TypedData_Get_Struct(in_xonly_pubkey, XOnlyPublicKey, &XOnlyPublicKey_DataType, xonly_pubkey);
+  Check_Type(in_message, T_STRING);
+
+  msg = (unsigned char*)StringValuePtr(in_message);
+  if (secp256k1_schnorrsig_verify(secp256k1_context_static, schnorr_sig->sig, msg, RSTRING_LEN(in_message), &xonly_pubkey->pubkey) != 1)
+  {
+    return Qfalse;
+  }
+
+  return Qtrue;
+}
+
+static VALUE
+SchnorrSignature_equals(VALUE self, VALUE other)
+{
+  SchnorrSignature *lhs;
+  SchnorrSignature *rhs;
+
+  TypedData_Get_Struct(self, SchnorrSignature, &SchnorrSignature_DataType, lhs);
+  TypedData_Get_Struct(other, SchnorrSignature, &SchnorrSignature_DataType, rhs);
+
+  if (memcmp(lhs->sig, rhs->sig, SCHNORR_SIG_SIZE_BYTES) == 0)
+  {
+    return Qtrue;
+  }
+
+  return Qfalse;
+}
+
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
+
 //
 // Secp256k1::Context class interface
 //
@@ -1207,8 +1552,8 @@ static VALUE
 Context_key_pair_from_private_key(VALUE self, VALUE in_private_key_data)
 {
   Context *context;
-  VALUE public_key;
-  VALUE private_key;
+  VALUE result;
+  KeyPair *keypair;
   unsigned char *private_key_data;
 
   Check_Type(in_private_key_data, T_STRING);
@@ -1217,20 +1562,20 @@ Context_key_pair_from_private_key(VALUE self, VALUE in_private_key_data)
   if (RSTRING_LEN(in_private_key_data) != 32)
   {
     rb_raise(Secp256k1_Error_class, "private key data must be 32 bytes in length");
+    return Qnil;
   }
 
+  result = KeyPair_alloc(Secp256k1_KeyPair_class);
+  TypedData_Get_Struct(result, KeyPair, &KeyPair_DataType, keypair);
+
   private_key_data = (unsigned char*)StringValuePtr(in_private_key_data);
 
-  private_key = PrivateKey_create(private_key_data);
-  public_key = PublicKey_create_from_private_key(context, private_key_data);
+  if (secp256k1_keypair_create(context->ctx, &keypair->keypair, private_key_data) == 0)
+  {
+    rb_raise(Secp256k1_Error_class, "invalid secret when attempting to create keypair");
+  }
 
-  return rb_funcall(
-    Secp256k1_KeyPair_class,
-    rb_intern("new"),
-    2,
-    public_key,
-    private_key
-  );
+  return result;
 }
 
 /**
@@ -1257,6 +1602,7 @@ Context_sign(VALUE self, VALUE in_private_key, VALUE in_hash32)
   if (RSTRING_LEN(in_hash32) != 32)
   {
     rb_raise(Secp256k1_Error_class, "in_hash32 is not 32 bytes in length");
+    return Qnil;
   }
 
   TypedData_Get_Struct(self, Context, &Context_DataType, context);
@@ -1276,6 +1622,39 @@ Context_sign(VALUE self, VALUE in_private_key, VALUE in_hash32)
   }
 
   rb_raise(Secp256k1_Error_class, "unable to compute signature");
+  return Qnil;
+}
+
+/**
+ * Computes the tagged hash as defined in BIP-340.
+ *
+ * @param in_tag [String] tag value included in the hash.
+ * @param in_message [String] message to be hashed.
+ * @return [String] 32-byte binary hash.
+ */
+static VALUE
+Context_tagged_sha256(VALUE self, VALUE in_tag, VALUE in_message)
+{
+  Context *context;
+  unsigned char* tag;
+  unsigned char* msg;
+  unsigned char hash32[32];
+
+  Check_Type(in_tag, T_STRING);
+  Check_Type(in_message, T_STRING);
+
+  TypedData_Get_Struct(self, Context, &Context_DataType, context);
+
+  tag = (unsigned char*)StringValuePtr(in_tag);
+  msg = (unsigned char*)StringValuePtr(in_message);
+
+  if (secp256k1_tagged_sha256(context->ctx, hash32, tag, RSTRING_LEN(in_tag), msg, RSTRING_LEN(in_message)) != 1)
+  {
+    rb_raise(Secp256k1_Error_class, "failed to compute tagged SHA256");
+    return Qnil;
+  }
+
+  return rb_str_new((char*)hash32, 32);
 }
 
 /**
@@ -1347,6 +1726,7 @@ Context_sign_recoverable(VALUE self, VALUE in_private_key, VALUE in_hash32)
   if (RSTRING_LEN(in_hash32) != 32)
   {
     rb_raise(Secp256k1_Error_class, "in_hash32 is not 32 bytes in length");
+    return Qnil;
   }
 
   TypedData_Get_Struct(self, Context, &Context_DataType, context);
@@ -1373,6 +1753,7 @@ Context_sign_recoverable(VALUE self, VALUE in_private_key, VALUE in_hash32)
   }
 
   rb_raise(Secp256k1_Error_class, "unable to compute recoverable signature");
+  return Qnil;
 }
 
 /**
@@ -1407,11 +1788,13 @@ Context_recoverable_signature_from_compact(
   if (RSTRING_LEN(in_compact_sig) != 64)
   {
     rb_raise(Secp256k1_Error_class, "compact signature is not 64 bytes");
+    return Qnil;
   }
 
   if (recovery_id < 0 || recovery_id > 3)
   {
     rb_raise(Secp256k1_Error_class, "invalid recovery ID, must be in range [0, 3]");
+    return Qnil;
   }
 
   result = RecoverableSignature_alloc(Secp256k1_RecoverableSignature_class);
@@ -1423,7 +1806,7 @@ Context_recoverable_signature_from_compact(
   );
 
   if (secp256k1_ecdsa_recoverable_signature_parse_compact(
-        secp256k1_context_no_precomp,
+        context->ctx,
         &(recoverable_signature->sig),
         compact_sig,
         recovery_id) == 1)
@@ -1433,6 +1816,7 @@ Context_recoverable_signature_from_compact(
   }
   
   rb_raise(Secp256k1_DeserializationError_class, "unable to parse recoverable signature");
+  return Qnil;
 }
 
 #endif // HAVE_SECP256K1_RECOVERY_H
@@ -1476,6 +1860,7 @@ Context_ecdh(VALUE self, VALUE point, VALUE scalar)
                      NULL) != 1)
   {
     rb_raise(Secp256k1_Error_class, "invalid scalar provided to ecdh");
+    return Qnil;
   }
 
   rb_iv_set(result, "@data", rb_str_new((char*)shared_secret->data, 32));
@@ -1485,6 +1870,57 @@ Context_ecdh(VALUE self, VALUE point, VALUE scalar)
 
 #endif // HAVE_SECP256K1_ECDH_H
 
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+
+static VALUE
+Context_sign_schnorr_custom(VALUE self, VALUE in_keypair, VALUE in_message, VALUE in_auxrand)
+{
+  Context* context;
+  KeyPair* keypair;
+  SchnorrSignature* schnorr_sig;
+  unsigned char* msg;
+  unsigned char* auxrand;
+  unsigned char sig[64];
+  VALUE result;
+
+  TypedData_Get_Struct(self, Context, &Context_DataType, context);
+  TypedData_Get_Struct(in_keypair, KeyPair, &KeyPair_DataType, keypair);
+
+  Check_Type(in_message, T_STRING);
+  if (RSTRING_LEN(in_message) != 32)
+  {
+    rb_raise(Secp256k1_Error_class, "schnorr signing message must be 32-bytes in length");
+    return Qnil;
+  }
+
+  if (!NIL_P(in_auxrand))
+  {
+    Check_Type(in_auxrand, T_STRING);
+    if (RSTRING_LEN(in_auxrand) != 32)
+    {
+      rb_raise(Secp256k1_Error_class, "schnorr signing auxrand must be 32-bytes in length");
+      return Qnil;
+    }
+  }
+
+  msg = (unsigned char*)StringValuePtr(in_message);
+  auxrand = (unsigned char*)StringValuePtr(in_auxrand);
+
+  if (secp256k1_schnorrsig_sign32(context->ctx, sig, msg, &keypair->keypair, auxrand) != 1)
+  {
+    rb_raise(Secp256k1_Error_class, "schnorr signing failed");
+    return Qnil;
+  }
+
+  result = SchnorrSignature_alloc(Secp256k1_SchnorrSignature_class);
+  TypedData_Get_Struct(result, SchnorrSignature, &SchnorrSignature_DataType, schnorr_sig);
+  memcpy(schnorr_sig->sig, sig, SCHNORR_SIG_SIZE_BYTES);
+
+  return result;
+}
+
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
+
 //
 // Secp256k1 module methods
 //
@@ -1521,12 +1957,31 @@ Secp256k1_have_ecdh(VALUE module)
 #endif // HAVE_SECP256K1_ECDH_H
 }
 
+/**
+ * Indicates whether or not libsecp256k1 Schnorr signature module is installed.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+Secp256k1_have_schnorr(VALUE module)
+{
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+  return Qtrue;
+#else
+  return Qfalse;
+#endif
+}
+
 //
 // Library initialization
 //
 
-void Init_rbsecp256k1()
+void Init_rbsecp256k1(void)
 {
+  // Perform selftest to ensure secp256k1_context_static is valid. This will
+  // cause the program to abort if the selftest fails.
+  secp256k1_selftest();
+
   // Secp256k1
   Secp256k1_module = rb_define_module("Secp256k1");
   rb_define_singleton_method(
@@ -1541,6 +1996,12 @@ void Init_rbsecp256k1()
     Secp256k1_have_ecdh,
     0
   );
+  rb_define_singleton_method(
+    Secp256k1_module,
+    "have_schnorr?",
+    Secp256k1_have_schnorr,
+    0
+  );
 
   // Secp256k1 exception hierarchy
   Secp256k1_Error_class = rb_define_class_under(
@@ -1571,6 +2032,10 @@ void Init_rbsecp256k1()
                    "sign",
                    Context_sign,
                    2);
+  rb_define_method(Secp256k1_Context_class,
+                   "tagged_sha256",
+                   Context_tagged_sha256,
+                   2);
   rb_define_method(Secp256k1_Context_class,
                    "verify",
                    Context_verify,
@@ -1582,12 +2047,9 @@ void Init_rbsecp256k1()
                                                   rb_cObject);
   rb_undef_alloc_func(Secp256k1_KeyPair_class);
   rb_define_alloc_func(Secp256k1_KeyPair_class, KeyPair_alloc);
-  rb_define_attr(Secp256k1_KeyPair_class, "public_key", 1, 0);
-  rb_define_attr(Secp256k1_KeyPair_class, "private_key", 1, 0);
-  rb_define_method(Secp256k1_KeyPair_class,
-                   "initialize",
-                   KeyPair_initialize,
-                   2);
+  rb_define_method(Secp256k1_KeyPair_class, "public_key", KeyPair_public_key, 0);
+  rb_define_method(Secp256k1_KeyPair_class, "private_key", KeyPair_private_key, 0);
+  rb_define_method(Secp256k1_KeyPair_class, "xonly_public_key", KeyPair_xonly_public_key, 0);
   rb_define_method(Secp256k1_KeyPair_class, "==", KeyPair_equals, 1);
 
   // Secp256k1::PublicKey
@@ -1604,6 +2066,10 @@ void Init_rbsecp256k1()
                    "uncompressed",
                    PublicKey_uncompressed,
                    0);
+  rb_define_method(Secp256k1_PublicKey_class,
+                   "to_xonly",
+                   PublicKey_to_xonly,
+                   0);
   rb_define_singleton_method(
     Secp256k1_PublicKey_class,
     "from_data",
@@ -1612,13 +2078,31 @@ void Init_rbsecp256k1()
   );
   rb_define_method(Secp256k1_PublicKey_class, "==", PublicKey_equals, 1);
 
+  // Secp256k1::XOnlyPublicKey
+  Secp256k1_XOnlyPublicKey_class = rb_define_class_under(Secp256k1_module,
+                                                         "XOnlyPublicKey",
+                                                         rb_cObject);
+
+  rb_undef_alloc_func(Secp256k1_XOnlyPublicKey_class);
+  rb_define_alloc_func(Secp256k1_XOnlyPublicKey_class, XOnlyPublicKey_alloc);
+  rb_define_method(Secp256k1_XOnlyPublicKey_class,
+                   "serialized",
+                   XOnlyPublicKey_serialized,
+                   0);
+  rb_define_singleton_method(
+    Secp256k1_XOnlyPublicKey_class,
+    "from_data",
+    XOnlyPublicKey_from_data,
+    1);
+  rb_define_method(Secp256k1_XOnlyPublicKey_class, "==", XOnlyPublicKey_equals, 1);
+
   // Secp256k1::PrivateKey
   Secp256k1_PrivateKey_class = rb_define_class_under(
     Secp256k1_module, "PrivateKey", rb_cObject
   );
   rb_undef_alloc_func(Secp256k1_PrivateKey_class);
   rb_define_alloc_func(Secp256k1_PrivateKey_class, PrivateKey_alloc);
-  rb_define_attr(Secp256k1_PrivateKey_class, "data", 1, 0);
+  rb_define_method(Secp256k1_PrivateKey_class, "data", PrivateKey_data, 0);
   rb_define_method(Secp256k1_PrivateKey_class, "==", PrivateKey_equals, 1);
   rb_define_singleton_method(
     Secp256k1_PrivateKey_class,
@@ -1732,4 +2216,29 @@ void Init_rbsecp256k1()
     2
   );
 #endif // HAVE_SECP256K1_ECDH_H
+
+#ifdef HAVE_SECP256K1_SCHNORRSIG_H
+  Secp256k1_SchnorrSignature_class = rb_define_class_under(
+    Secp256k1_module,
+    "SchnorrSignature",
+    rb_cObject);
+  rb_undef_alloc_func(Secp256k1_SchnorrSignature_class);
+  rb_define_alloc_func(Secp256k1_SchnorrSignature_class, SchnorrSignature_alloc);
+  rb_define_method(Secp256k1_SchnorrSignature_class, "serialized", SchnorrSignature_serialized, 0);
+  rb_define_method(Secp256k1_SchnorrSignature_class, "verify", SchnorrSignature_verify, 2);
+  rb_define_method(Secp256k1_SchnorrSignature_class, "==", SchnorrSignature_equals, 1);
+
+  rb_define_singleton_method(
+    Secp256k1_SchnorrSignature_class,
+    "from_data",
+    SchnorrSignature_from_data,
+    1
+  );
+
+  rb_define_method(
+    Secp256k1_Context_class,
+    "sign_schnorr_custom",
+    Context_sign_schnorr_custom,
+    3);
+#endif // HAVE_SECP256K1_SCHNORRSIG_H
 }