BlockstreamResearch · DarkWindman · Feb 16, 2026 · Dec 17, 2025 · Jan 23, 2026 · Jan 14, 2026
diff --git a/.github/actions/install-homebrew-valgrind/action.yml b/.github/actions/install-homebrew-valgrind/action.yml
@@ -16,7 +16,7 @@ runs:
         cat valgrind_fingerprint
       shell: bash
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@v5
       id: cache
       with:
         path: ${{ env.CI_HOMEBREW_CELLAR_VALGRIND }}

diff --git a/.github/actions/run-in-docker-action/action.yml b/.github/actions/run-in-docker-action/action.yml
@@ -13,9 +13,9 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: docker/setup-buildx-action@v3
+    - uses: docker/setup-buildx-action@v4
 
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@v7
       id: main_builder
       continue-on-error: true
       with:
@@ -24,7 +24,7 @@ runs:
         load: true
         cache-from: type=gha,scope=${{ inputs.scope }}
 
-    - uses: docker/build-push-action@v6
+    - uses: docker/build-push-action@v7
       id: retry_builder
       if: steps.main_builder.outcome == 'failure'
       with:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -81,14 +81,14 @@ jobs:
         run: echo "period=$((10#$(date +%V) / 4))" >> "$GITHUB_OUTPUT"
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
         with:
           # See: https://github.com/moby/buildkit/issues/3969.
           driver-opts: |
             network=host
 
       - name: Build container
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           file: ./ci/linux-debian.Dockerfile
           cache-from: type=gha,scope=${{ runner.arch }}-${{ steps.cache_timestamp.outputs.period }}

diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -6,6 +6,7 @@ extern "C" {
 #endif
 
 #include <stddef.h>
+#include <stdint.h>
 
 /** Unless explicitly stated all pointer arguments must not be NULL.
  *
@@ -404,6 +405,46 @@ SECP256K1_API void secp256k1_context_set_error_callback(
     const void *data
 ) SECP256K1_ARG_NONNULL(1);
 
+/** A pointer to a function implementing SHA256's internal compression function.
+ *
+ * This function processes one or more contiguous 64-byte message blocks and
+ * updates the internal SHA256 state accordingly. The function is not responsible
+ * for counting consumed blocks or bytes, nor for performing padding.
+ *
+ * In/Out:  state:     pointer to eight 32-bit words representing the current internal state;
+ *                     the state is updated in place.
+ * In:      blocks64:  pointer to concatenation of n_blocks blocks, of 64 bytes each.
+ *                     no alignment guarantees are made for this pointer.
+ *          n_blocks:  number of contiguous 64-byte blocks to process.
+ */
+typedef void (*secp256k1_sha256_compression_function)(
+    uint32_t *state,
+    const unsigned char *blocks64,
+    size_t n_blocks
+);
+
+/**
+ * Set a callback function to override the internal SHA256 compression function.
+ *
+ * This installs a function to replace the built-in block-compression
+ * step used by the library's internal SHA256 implementation.
+ * The provided callback must exactly implement the effect of n_blocks
+ * repeated applications of the SHA256 compression function.
+ *
+ * This API exists to support environments that wish to route the
+ * SHA256 compression step through a hardware-accelerated or otherwise
+ * specialized implementation. It is NOT meant for replacing SHA256
+ * with a different hash function.
+ *
+ * Args:    ctx:             pointer to a context object.
+ * In:      fn_compression:  pointer to a function implementing the compression function;
+ *                           passing NULL restores the default implementation.
+ */
+SECP256K1_API void secp256k1_context_set_sha256_compression(
+        secp256k1_context *ctx,
+        secp256k1_sha256_compression_function fn_compression
+) SECP256K1_ARG_NONNULL(1);
+
 /** Parse a variable-length public key into the pubkey object.
  *
  *  Returns: 1 if the public key was fully valid.

diff --git a/src/bench.c b/src/bench.c
@@ -183,8 +183,7 @@ int main(int argc, char** argv) {
                          "ecdsa_recover", "schnorrsig", "schnorrsig_verify", "schnorrsig_sign", "ec",
                          "keygen", "ec_keygen", "ellswift", "encode", "ellswift_encode", "decode",
                          "ellswift_decode", "ellswift_keygen", "ellswift_ecdh"};
-    size_t valid_args_size = sizeof(valid_args)/sizeof(valid_args[0]);
-    int invalid_args = have_invalid_args(argc, argv, valid_args, valid_args_size);
+    int invalid_args = have_invalid_args(argc, argv, valid_args, ARRAY_SIZE(valid_args));
 
     int default_iters = 20000;
     int iters = get_iters(default_iters);

diff --git a/src/bench_ecmult.c b/src/bench_ecmult.c
@@ -259,7 +259,7 @@ static void bench_ecmult_multi_teardown(void* arg, int iters) {
     }
 }
 
-static void generate_scalar(uint32_t num, secp256k1_scalar* scalar) {
+static void generate_scalar(const secp256k1_context *ctx, uint32_t num, secp256k1_scalar* scalar) {
     secp256k1_sha256 sha256;
     unsigned char c[10] = {'e', 'c', 'm', 'u', 'l', 't', 0, 0, 0, 0};
     unsigned char buf[32];
@@ -269,8 +269,8 @@ static void generate_scalar(uint32_t num, secp256k1_scalar* scalar) {
     c[8] = num >> 16;
     c[9] = num >> 24;
     secp256k1_sha256_initialize(&sha256);
-    secp256k1_sha256_write(&sha256, c, sizeof(c));
-    secp256k1_sha256_finalize(&sha256, buf);
+    secp256k1_sha256_write(secp256k1_get_hash_context(ctx), &sha256, c, sizeof(c));
+    secp256k1_sha256_finalize(secp256k1_get_hash_context(ctx), &sha256, buf);
     secp256k1_scalar_set_b32(scalar, buf, &overflow);
     CHECK(!overflow);
 }
@@ -362,7 +362,7 @@ int main(int argc, char **argv) {
     secp256k1_gej_set_ge(&data.pubkeys_gej[0], &secp256k1_ge_const_g);
     secp256k1_scalar_set_int(&data.seckeys[0], 1);
     for (i = 0; i < POINTS; ++i) {
-        generate_scalar(i, &data.scalars[i]);
+        generate_scalar(data.ctx, i, &data.scalars[i]);
         if (i) {
             secp256k1_gej_double_var(&data.pubkeys_gej[i], &data.pubkeys_gej[i - 1], NULL);
             secp256k1_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]);

diff --git a/src/bench_internal.c b/src/bench_internal.c
@@ -38,6 +38,7 @@ static void help(const char *executable_path, int default_iters) {
 }
 
 typedef struct {
+    const secp256k1_context* ctx;
     secp256k1_scalar scalar[2];
     secp256k1_fe fe[4];
     secp256k1_ge ge[2];
@@ -82,6 +83,9 @@ static void bench_setup(void* arg) {
         }
     };
 
+    /* Customize context if needed */
+    data->ctx = secp256k1_context_static;
+
     secp256k1_scalar_set_b32(&data->scalar[0], init[0], NULL);
     secp256k1_scalar_set_b32(&data->scalar[1], init[1], NULL);
     secp256k1_fe_set_b32_limit(&data->fe[0], init[0]);
@@ -371,34 +375,37 @@ static void bench_sha256(void* arg, int iters) {
     int i;
     bench_inv *data = (bench_inv*)arg;
     secp256k1_sha256 sha;
+    const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(data->ctx);
 
     for (i = 0; i < iters; i++) {
         secp256k1_sha256_initialize(&sha);
-        secp256k1_sha256_write(&sha, data->data, 32);
-        secp256k1_sha256_finalize(&sha, data->data);
+        secp256k1_sha256_write(hash_ctx, &sha, data->data, 32);
+        secp256k1_sha256_finalize(hash_ctx, &sha, data->data);
     }
 }
 
 static void bench_hmac_sha256(void* arg, int iters) {
     int i;
     bench_inv *data = (bench_inv*)arg;
     secp256k1_hmac_sha256 hmac;
+    const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(data->ctx);
 
     for (i = 0; i < iters; i++) {
-        secp256k1_hmac_sha256_initialize(&hmac, data->data, 32);
-        secp256k1_hmac_sha256_write(&hmac, data->data, 32);
-        secp256k1_hmac_sha256_finalize(&hmac, data->data);
+        secp256k1_hmac_sha256_initialize(hash_ctx, &hmac, data->data, 32);
+        secp256k1_hmac_sha256_write(hash_ctx, &hmac, data->data, 32);
+        secp256k1_hmac_sha256_finalize(hash_ctx, &hmac, data->data);
     }
 }
 
 static void bench_rfc6979_hmac_sha256(void* arg, int iters) {
     int i;
     bench_inv *data = (bench_inv*)arg;
     secp256k1_rfc6979_hmac_sha256 rng;
+    const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(data->ctx);
 
     for (i = 0; i < iters; i++) {
-        secp256k1_rfc6979_hmac_sha256_initialize(&rng, data->data, 64);
-        secp256k1_rfc6979_hmac_sha256_generate(&rng, data->data, 32);
+        secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, data->data, 64);
+        secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, data->data, 32);
     }
 }
 

diff --git a/src/bench_whitelist.c b/src/bench_whitelist.c
@@ -51,15 +51,17 @@ static void run_test(bench_data* data, int iters) {
 
 static void generate_scalar(secp256k1_scalar *scalar, unsigned char *seckey, uint32_t num) {
     secp256k1_sha256 sha256;
+    secp256k1_hash_ctx hash_ctx;
     unsigned char c[13] = {'w','h','i','t','e','l','i','s','t', 0, 0, 0, 0};
     int is_valid;
+    secp256k1_hash_ctx_init(&hash_ctx);
     c[9] = num;
     c[10] = num >> 8;
     c[11] = num >> 16;
     c[12] = num >> 24;
     secp256k1_sha256_initialize(&sha256);
-    secp256k1_sha256_write(&sha256, c, sizeof(c));
-    secp256k1_sha256_finalize(&sha256, seckey);
+    secp256k1_sha256_write(&hash_ctx, &sha256, c, sizeof(c));
+    secp256k1_sha256_finalize(&hash_ctx, &sha256, seckey);
     is_valid = secp256k1_scalar_set_b32_seckey(scalar, seckey);
     CHECK(is_valid);
 }

diff --git a/src/eccommit.h b/src/eccommit.h
@@ -17,7 +17,7 @@ static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context*
  *  pubp->infinity before calling this function. */
 static int secp256k1_ec_commit_pubkey_serialize_const(secp256k1_ge *pubp, unsigned char *buf33);
 /** Compute an ec commitment tweak as hash(pubkey, data). */
-static int secp256k1_ec_commit_tweak(unsigned char *tweak32, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
+static int secp256k1_ec_commit_tweak(const secp256k1_hash_ctx *hash_ctx, unsigned char *tweak32, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
 /** Compute an ec commitment as pubkey + hash(pubkey, data)*G. */
 static int secp256k1_ec_commit(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size);
 /** Compute a secret key commitment as seckey + hash(pubkey, data). */

diff --git a/src/eccommit_impl.h b/src/eccommit_impl.h
@@ -25,42 +25,42 @@ static int secp256k1_ec_commit_pubkey_serialize_const(secp256k1_ge *pubp, unsign
 }
 
 /* Compute an ec commitment tweak as hash(pubp, data). */
-static int secp256k1_ec_commit_tweak(unsigned char *tweak32, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size)
+static int secp256k1_ec_commit_tweak(const secp256k1_hash_ctx *hash_ctx, unsigned char *tweak32, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size)
 {
     unsigned char rbuf[33];
 
     if (!secp256k1_ec_commit_pubkey_serialize_const(pubp, rbuf)) {
         return 0;
     }
-    secp256k1_sha256_write(sha, rbuf, sizeof(rbuf));
-    secp256k1_sha256_write(sha, data, data_size);
-    secp256k1_sha256_finalize(sha, tweak32);
+    secp256k1_sha256_write(hash_ctx, sha, rbuf, sizeof(rbuf));
+    secp256k1_sha256_write(hash_ctx, sha, data, data_size);
+    secp256k1_sha256_finalize(hash_ctx, sha, tweak32);
     return 1;
 }
 
 /* Compute an ec commitment as pubp + hash(pubp, data)*G. */
-static int secp256k1_ec_commit(secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
+static int secp256k1_ec_commit(const secp256k1_hash_ctx *hash_ctx, secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
     unsigned char tweak[32];
 
     *commitp = *pubp;
-    return secp256k1_ec_commit_tweak(tweak, commitp, sha, data, data_size)
+    return secp256k1_ec_commit_tweak(hash_ctx, tweak, commitp, sha, data, data_size)
            && secp256k1_ec_pubkey_tweak_add_helper(commitp, tweak);
 }
 
 /* Compute the seckey of an ec commitment from the original secret key of the pubkey as seckey +
  * hash(pubp, data). */
-static int secp256k1_ec_commit_seckey(secp256k1_scalar* seckey, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
+static int secp256k1_ec_commit_seckey(const secp256k1_hash_ctx *hash_ctx, secp256k1_scalar* seckey, secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
     unsigned char tweak[32];
-    return secp256k1_ec_commit_tweak(tweak, pubp, sha, data, data_size)
+    return secp256k1_ec_commit_tweak(hash_ctx, tweak, pubp, sha, data, data_size)
            && secp256k1_ec_seckey_tweak_add_helper(seckey, tweak);
 }
 
 /* Verify an ec commitment as pubp + hash(pubp, data)*G ?= commitment. */
-static int secp256k1_ec_commit_verify(const secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
+static int secp256k1_ec_commit_verify(const secp256k1_hash_ctx *hash_ctx, const secp256k1_ge* commitp, const secp256k1_ge* pubp, secp256k1_sha256* sha, const unsigned char *data, size_t data_size) {
     secp256k1_gej pj;
     secp256k1_ge p;
 
-    if (!secp256k1_ec_commit(&p, pubp, sha, data, data_size)) {
+    if (!secp256k1_ec_commit(hash_ctx, &p, pubp, sha, data, data_size)) {
         return 0;
     }
 

diff --git a/src/ecdsa_impl.h b/src/ecdsa_impl.h
@@ -196,6 +196,7 @@ static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *sigr, const secp25
     unsigned char c[32];
     secp256k1_scalar sn, u1, u2;
 #if !defined(EXHAUSTIVE_TEST_ORDER)
+    int range;
     secp256k1_fe xr;
 #endif
     secp256k1_gej pubkeyj;
@@ -226,9 +227,16 @@ static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *sigr, const secp25
     return secp256k1_scalar_eq(sigr, &computed_r);
 }
 #else
+
+    /* Interpret sigr as a field element xr  */
     secp256k1_scalar_get_b32(c, sigr);
-    /* we can ignore the fe_set_b32_limit return value, because we know the input is in range */
-    (void)secp256k1_fe_set_b32_limit(&xr, c);
+    range = secp256k1_fe_set_b32_limit(&xr, c);
+#ifdef VERIFY
+    /* We know that c is in range; it comes from a scalar. */
+    VERIFY_CHECK(range);
+#else
+    (void)range;
+#endif
 
     /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
      *  in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p),

diff --git a/src/eckey_impl.h b/src/eckey_impl.h
@@ -86,7 +86,7 @@ static int secp256k1_eckey_pubkey_tweak_mul(secp256k1_ge *key, const secp256k1_s
     }
 
     secp256k1_gej_set_ge(&pt, key);
-    secp256k1_ecmult(&pt, &pt, tweak, &secp256k1_scalar_zero);
+    secp256k1_ecmult(&pt, &pt, tweak, NULL);
     secp256k1_ge_set_gej(key, &pt);
     return 1;
 }

diff --git a/src/ecmult.h b/src/ecmult.h
@@ -40,7 +40,10 @@
 /** The number of entries a table with precomputed multiples needs to have. */
 #define ECMULT_TABLE_SIZE(w) ((size_t)1 << ((w)-2))
 
-/** Double multiply: R = na*A + ng*G */
+/** Double multiply: R = na*A + ng*G
+ *
+ * Passing NULL as ng is equivalent to the zero scalar but a tiny bit faster.
+ */
 static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng);
 
 typedef int (secp256k1_ecmult_multi_callback)(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data);

diff --git a/src/ecmult_gen.h b/src/ecmult_gen.h
@@ -7,6 +7,7 @@
 #ifndef SECP256K1_ECMULT_GEN_H
 #define SECP256K1_ECMULT_GEN_H
 
+#include "hash.h"
 #include "scalar.h"
 #include "group.h"
 
@@ -132,12 +133,12 @@ typedef struct {
     secp256k1_fe proj_blind;
 } secp256k1_ecmult_gen_context;
 
-static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx);
+static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context* ctx, const secp256k1_hash_ctx *hash_ctx);
 static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context* ctx);
 
 /** Multiply with the generator: R = a*G */
 static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context* ctx, secp256k1_gej *r, const secp256k1_scalar *a);
 
-static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32);
+static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const secp256k1_hash_ctx *hash_ctx, const unsigned char *seed32);
 
 #endif /* SECP256K1_ECMULT_GEN_H */
diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
@@ -14,8 +14,8 @@
 #include "hash_impl.h"
 #include "precomputed_ecmult_gen.h"
 
-static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx) {
-    secp256k1_ecmult_gen_blind(ctx, NULL);
+static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, const secp256k1_hash_ctx *hash_ctx) {
+    secp256k1_ecmult_gen_blind(ctx, hash_ctx, NULL);
     ctx->built = 1;
 }
 
@@ -282,7 +282,7 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
 }
 
 /* Setup blinding values for secp256k1_ecmult_gen. */
-static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32) {
+static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const secp256k1_hash_ctx *hash_ctx, const unsigned char *seed32) {
     secp256k1_scalar b;
     secp256k1_scalar diff;
     secp256k1_gej gb;
@@ -309,17 +309,17 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
      */
     VERIFY_CHECK(seed32 != NULL);
     memcpy(keydata + 32, seed32, 32);
-    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
+    secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, keydata, 64);
     secp256k1_memclear_explicit(keydata, sizeof(keydata));
 
     /* Compute projective blinding factor (cannot be 0). */
-    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+    secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, nonce32, 32);
     secp256k1_fe_set_b32_mod(&f, nonce32);
     secp256k1_fe_cmov(&f, &secp256k1_fe_one, secp256k1_fe_normalizes_to_zero(&f));
     ctx->proj_blind = f;
 
     /* For a random blinding value b, set scalar_offset=diff-b, ge_offset=bG */
-    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
+    secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, nonce32, 32);
     secp256k1_scalar_set_b32(&b, nonce32, NULL);
     /* The blinding value cannot be zero, as that would mean ge_offset = infinity,
      * which secp256k1_gej_add_ge cannot handle. */