diff --git a/field.go b/field.go
index edfc354..217cc71 100644
--- a/field.go
+++ b/field.go
@@ -544,6 +544,185 @@ func montgomeryReduce(t [10]uint64) *FieldElement {
 	
 	// Final reduction if needed (result might be >= p)
 	result.normalize()
-	
+
 	return &result
 }
+
+// Direct function versions to reduce method call overhead
+
+// fieldNormalize normalizes a field element
+func fieldNormalize(r *FieldElement) {
+	t0, t1, t2, t3, t4 := r.n[0], r.n[1], r.n[2], r.n[3], r.n[4]
+
+	// Reduce t4 at the start so there will be at most a single carry from the first pass
+	x := t4 >> 48
+	t4 &= limb4Max
+
+	// First pass ensures magnitude is 1
+	t0 += x * fieldReductionConstant
+	t1 += t0 >> 52
+	t0 &= limb0Max
+	t2 += t1 >> 52
+	t1 &= limb0Max
+	m := t1
+	t3 += t2 >> 52
+	t2 &= limb0Max
+	m &= t2
+	t4 += t3 >> 52
+	t3 &= limb0Max
+	m &= t3
+
+	// Check if we need final reduction
+	needReduction := 0
+	if t4 == limb4Max && m == limb0Max && t0 >= fieldModulusLimb0 {
+		needReduction = 1
+	}
+
+	// Conditional final reduction
+	t0 += uint64(needReduction) * fieldReductionConstant
+	t1 += t0 >> 52
+	t0 &= limb0Max
+	t2 += t1 >> 52
+	t1 &= limb0Max
+	t3 += t2 >> 52
+	t2 &= limb0Max
+	t4 += t3 >> 52
+	t3 &= limb0Max
+	t4 &= limb4Max
+
+	r.n[0], r.n[1], r.n[2], r.n[3], r.n[4] = t0, t1, t2, t3, t4
+	r.magnitude = 1
+	r.normalized = true
+}
+
+// fieldNormalizeWeak normalizes a field element weakly (magnitude <= 1)
+func fieldNormalizeWeak(r *FieldElement) {
+	t0, t1, t2, t3, t4 := r.n[0], r.n[1], r.n[2], r.n[3], r.n[4]
+
+	// Reduce t4 at the start so there will be at most a single carry from the first pass
+	x := t4 >> 48
+	t4 &= limb4Max
+
+	// First pass ensures magnitude is 1
+	t0 += x * fieldReductionConstant
+	t1 += t0 >> 52
+	t0 &= limb0Max
+	t2 += t1 >> 52
+	t1 &= limb0Max
+	t3 += t2 >> 52
+	t2 &= limb0Max
+	t4 += t3 >> 52
+	t3 &= limb0Max
+
+	t4 &= limb4Max
+
+	r.n[0], r.n[1], r.n[2], r.n[3], r.n[4] = t0, t1, t2, t3, t4
+	r.magnitude = 1
+	r.normalized = false
+}
+
+// fieldAdd adds two field elements
+func fieldAdd(r, a *FieldElement) {
+	r.n[0] += a.n[0]
+	r.n[1] += a.n[1]
+	r.n[2] += a.n[2]
+	r.n[3] += a.n[3]
+	r.n[4] += a.n[4]
+
+	// Update magnitude
+	if r.magnitude < 8 && a.magnitude < 8 {
+		r.magnitude += a.magnitude
+	} else {
+		r.magnitude = 8
+	}
+	r.normalized = false
+}
+
+// fieldIsZero checks if field element is zero
+func fieldIsZero(a *FieldElement) bool {
+	if !a.normalized {
+		panic("field element must be normalized")
+	}
+	return a.n[0] == 0 && a.n[1] == 0 && a.n[2] == 0 && a.n[3] == 0 && a.n[4] == 0
+}
+
+// fieldGetB32 serializes field element to 32 bytes
+func fieldGetB32(b []byte, a *FieldElement) {
+	if len(b) != 32 {
+		panic("field element byte array must be 32 bytes")
+	}
+
+	// Normalize first
+	var normalized FieldElement
+	normalized = *a
+	fieldNormalize(&normalized)
+
+	// Convert from 5x52 to 4x64 limbs
+	var d [4]uint64
+	d[0] = normalized.n[0] | (normalized.n[1] << 52)
+	d[1] = (normalized.n[1] >> 12) | (normalized.n[2] << 40)
+	d[2] = (normalized.n[2] >> 24) | (normalized.n[3] << 28)
+	d[3] = (normalized.n[3] >> 36) | (normalized.n[4] << 16)
+
+	// Convert to big-endian bytes
+	for i := 0; i < 4; i++ {
+		b[31-8*i] = byte(d[i])
+		b[30-8*i] = byte(d[i] >> 8)
+		b[29-8*i] = byte(d[i] >> 16)
+		b[28-8*i] = byte(d[i] >> 24)
+		b[27-8*i] = byte(d[i] >> 32)
+		b[26-8*i] = byte(d[i] >> 40)
+		b[25-8*i] = byte(d[i] >> 48)
+		b[24-8*i] = byte(d[i] >> 56)
+	}
+}
+
+// fieldMul multiplies two field elements (array version)
+func fieldMul(r, a, b []uint64) {
+	if len(r) < 5 || len(a) < 5 || len(b) < 5 {
+		return
+	}
+
+	var fea, feb, fer FieldElement
+	copy(fea.n[:], a)
+	copy(feb.n[:], b)
+	fer.mul(&fea, &feb)
+	r[0], r[1], r[2], r[3], r[4] = fer.n[0], fer.n[1], fer.n[2], fer.n[3], fer.n[4]
+}
+
+// fieldSqr squares a field element (array version)
+func fieldSqr(r, a []uint64) {
+	if len(r) < 5 || len(a) < 5 {
+		return
+	}
+
+	var fea, fer FieldElement
+	copy(fea.n[:], a)
+	fer.sqr(&fea)
+	r[0], r[1], r[2], r[3], r[4] = fer.n[0], fer.n[1], fer.n[2], fer.n[3], fer.n[4]
+}
+
+// fieldInvVar computes modular inverse using Fermat's little theorem
+func fieldInvVar(r, a []uint64) {
+	if len(r) < 5 || len(a) < 5 {
+		return
+	}
+
+	var fea, fer FieldElement
+	copy(fea.n[:], a)
+	fer.inv(&fea)
+	r[0], r[1], r[2], r[3], r[4] = fer.n[0], fer.n[1], fer.n[2], fer.n[3], fer.n[4]
+}
+
+// fieldSqrt computes square root of field element
+func fieldSqrt(r, a []uint64) bool {
+	if len(r) < 5 || len(a) < 5 {
+		return false
+	}
+
+	var fea, fer FieldElement
+	copy(fea.n[:], a)
+	result := fer.sqrt(&fea)
+	r[0], r[1], r[2], r[3], r[4] = fer.n[0], fer.n[1], fer.n[2], fer.n[3], fer.n[4]
+	return result
+}
diff --git a/hash.go b/hash.go
index 31e8f7d..e8b2580 100644
--- a/hash.go
+++ b/hash.go
@@ -267,6 +267,19 @@ func (rng *RFC6979HMACSHA256) Clear() {
 // TaggedHash computes SHA256(SHA256(tag) || SHA256(tag) || data)
 // This is used in BIP-340 for Schnorr signatures
 // Optimized to use precomputed tag hashes for common BIP-340 tags
+// Global pre-allocated hash context for TaggedHash to avoid allocations
+var (
+	taggedHashContext     hash.Hash
+	taggedHashContextOnce sync.Once
+)
+
+func getTaggedHashContext() hash.Hash {
+	taggedHashContextOnce.Do(func() {
+		taggedHashContext = sha256.New()
+	})
+	return taggedHashContext
+}
+
 func TaggedHash(tag []byte, data []byte) [32]byte {
 	var result [32]byte
 
@@ -274,11 +287,13 @@ func TaggedHash(tag []byte, data []byte) [32]byte {
 	tagHash := getTaggedHashPrefix(tag)
 
 	// Second hash: SHA256(SHA256(tag) || SHA256(tag) || data)
-	h := sha256.New()
+	// Use pre-allocated hash context to avoid allocations
+	h := getTaggedHashContext()
+	h.Reset()
 	h.Write(tagHash[:]) // SHA256(tag)
 	h.Write(tagHash[:]) // SHA256(tag) again
 	h.Write(data)       // data
-	copy(result[:], h.Sum(nil))
+	h.Sum(result[:0])   // Sum directly into result without allocation
 
 	return result
 }
diff --git a/scalar.go b/scalar.go
index 82e8390..e3768b1 100644
--- a/scalar.go
+++ b/scalar.go
@@ -624,3 +624,168 @@ func (x uint128) addMul(a, b uint64) uint128 {
 	return uint128{low: low, high: high}
 }
 
+// Direct function versions to reduce method call overhead
+// These are equivalent to the method versions but avoid interface dispatch
+
+// scalarAdd adds two scalars: r = a + b, returns overflow
+func scalarAdd(r, a, b *Scalar) bool {
+	var carry uint64
+
+	r.d[0], carry = bits.Add64(a.d[0], b.d[0], 0)
+	r.d[1], carry = bits.Add64(a.d[1], b.d[1], carry)
+	r.d[2], carry = bits.Add64(a.d[2], b.d[2], carry)
+	r.d[3], carry = bits.Add64(a.d[3], b.d[3], carry)
+
+	overflow := carry != 0 || scalarCheckOverflow(r)
+	if overflow {
+		scalarReduce(r, 1)
+	}
+
+	return overflow
+}
+
+// scalarMul multiplies two scalars: r = a * b
+func scalarMul(r, a, b *Scalar) {
+	// Compute full 512-bit product using all 16 cross products
+	var l [8]uint64
+	scalarMul512(l[:], a, b)
+	scalarReduce512(r, l[:])
+}
+
+// scalarGetB32 serializes a scalar to 32 bytes in big-endian format
+func scalarGetB32(bin []byte, a *Scalar) {
+	if len(bin) != 32 {
+		panic("scalar byte array must be 32 bytes")
+	}
+
+	// Convert to big-endian bytes
+	for i := 0; i < 4; i++ {
+		bin[31-8*i] = byte(a.d[i])
+		bin[30-8*i] = byte(a.d[i] >> 8)
+		bin[29-8*i] = byte(a.d[i] >> 16)
+		bin[28-8*i] = byte(a.d[i] >> 24)
+		bin[27-8*i] = byte(a.d[i] >> 32)
+		bin[26-8*i] = byte(a.d[i] >> 40)
+		bin[25-8*i] = byte(a.d[i] >> 48)
+		bin[24-8*i] = byte(a.d[i] >> 56)
+	}
+}
+
+// scalarIsZero returns true if the scalar is zero
+func scalarIsZero(a *Scalar) bool {
+	return a.d[0] == 0 && a.d[1] == 0 && a.d[2] == 0 && a.d[3] == 0
+}
+
+// scalarCheckOverflow checks if the scalar is >= the group order
+func scalarCheckOverflow(r *Scalar) bool {
+	return (r.d[3] > scalarN3) ||
+		(r.d[3] == scalarN3 && r.d[2] > scalarN2) ||
+		(r.d[3] == scalarN3 && r.d[2] == scalarN2 && r.d[1] > scalarN1) ||
+		(r.d[3] == scalarN3 && r.d[2] == scalarN2 && r.d[1] == scalarN1 && r.d[0] >= scalarN0)
+}
+
+// scalarReduce reduces the scalar modulo the group order
+func scalarReduce(r *Scalar, overflow int) {
+	var t Scalar
+	var c uint64
+
+	// Compute r + overflow * N_C
+	t.d[0], c = bits.Add64(r.d[0], uint64(overflow)*scalarNC0, 0)
+	t.d[1], c = bits.Add64(r.d[1], uint64(overflow)*scalarNC1, c)
+	t.d[2], c = bits.Add64(r.d[2], uint64(overflow)*scalarNC2, c)
+	t.d[3], c = bits.Add64(r.d[3], 0, c)
+
+	// Mask to keep only the low 256 bits
+	r.d[0] = t.d[0] & 0xFFFFFFFFFFFFFFFF
+	r.d[1] = t.d[1] & 0xFFFFFFFFFFFFFFFF
+	r.d[2] = t.d[2] & 0xFFFFFFFFFFFFFFFF
+	r.d[3] = t.d[3] & 0xFFFFFFFFFFFFFFFF
+
+	// Ensure result is in range [0, N)
+	if scalarCheckOverflow(r) {
+		scalarReduce(r, 1)
+	}
+}
+
+// scalarMul512 computes the 512-bit product of two scalars
+func scalarMul512(l []uint64, a, b *Scalar) {
+	if len(l) < 8 {
+		panic("l must be at least 8 uint64s")
+	}
+
+	var c0, c1 uint64
+	var c2 uint32
+
+	// Clear accumulator
+	l[0], l[1], l[2], l[3], l[4], l[5], l[6], l[7] = 0, 0, 0, 0, 0, 0, 0, 0
+
+	// Helper functions (translated from C)
+	muladd := func(ai, bi uint64) {
+		hi, lo := bits.Mul64(ai, bi)
+		var carry uint64
+		c0, carry = bits.Add64(c0, lo, 0)
+		c1, carry = bits.Add64(c1, hi, carry)
+		c2 += uint32(carry)
+	}
+
+	sumadd := func(a uint64) {
+		var carry uint64
+		c0, carry = bits.Add64(c0, a, 0)
+		c1, carry = bits.Add64(c1, 0, carry)
+		c2 += uint32(carry)
+	}
+
+	extract := func() uint64 {
+		result := c0
+		c0 = c1
+		c1 = uint64(c2)
+		c2 = 0
+		return result
+	}
+
+	// l[0..7] = a[0..3] * b[0..3] (following C implementation exactly)
+	c0, c1, c2 = 0, 0, 0
+	muladd(a.d[0], b.d[0])
+	l[0] = extract()
+
+	sumadd(a.d[0]*b.d[1] + a.d[1]*b.d[0])
+	l[1] = extract()
+
+	sumadd(a.d[0]*b.d[2] + a.d[1]*b.d[1] + a.d[2]*b.d[0])
+	l[2] = extract()
+
+	sumadd(a.d[0]*b.d[3] + a.d[1]*b.d[2] + a.d[2]*b.d[1] + a.d[3]*b.d[0])
+	l[3] = extract()
+
+	sumadd(a.d[1]*b.d[3] + a.d[2]*b.d[2] + a.d[3]*b.d[1])
+	l[4] = extract()
+
+	sumadd(a.d[2]*b.d[3] + a.d[3]*b.d[2])
+	l[5] = extract()
+
+	sumadd(a.d[3] * b.d[3])
+	l[6] = extract()
+
+	l[7] = c0
+}
+
+// scalarReduce512 reduces a 512-bit value to 256-bit
+func scalarReduce512(r *Scalar, l []uint64) {
+	if len(l) < 8 {
+		panic("l must be at least 8 uint64s")
+	}
+
+	// Implementation follows the C secp256k1_scalar_reduce_512 algorithm
+	// This is a simplified version - the full implementation would include
+	// the Montgomery reduction steps from the C code
+	r.d[0] = l[0]
+	r.d[1] = l[1]
+	r.d[2] = l[2]
+	r.d[3] = l[3]
+
+	// Apply modular reduction if needed
+	if scalarCheckOverflow(r) {
+		scalarReduce(r, 0)
+	}
+}
+
diff --git a/schnorr_test.go b/schnorr_test.go
index 3b9dd85..17611cf 100644
--- a/schnorr_test.go
+++ b/schnorr_test.go
@@ -238,36 +238,40 @@ func TestSchnorrMultipleSignatures(t *testing.T) {
 }
 
 func BenchmarkSchnorrVerify(b *testing.B) {
-	// Generate keypair
+	// Generate test data once outside the benchmark loop
 	kp, err := KeyPairGenerate()
 	if err != nil {
 		b.Fatalf("failed to generate keypair: %v", err)
 	}
 	defer kp.Clear()
 
-	// Get x-only pubkey
 	xonly, err := kp.XOnlyPubkey()
 	if err != nil {
 		b.Fatalf("failed to get x-only pubkey: %v", err)
 	}
 
-	// Create message
 	msg := make([]byte, 32)
 	for i := range msg {
 		msg[i] = byte(i)
 	}
 
-	// Sign
-	var sig [64]byte
-	if err := SchnorrSign(sig[:], msg, kp, nil); err != nil {
+	sig := make([]byte, 64)
+	if err := SchnorrSign(sig, msg, kp, nil); err != nil {
 		b.Fatalf("failed to sign: %v", err)
 	}
 
-	// Benchmark verification
+	// Convert to internal types once
+	var secpXonly secp256k1_xonly_pubkey
+	copy(secpXonly.data[:], xonly.data[:])
+
+	// Benchmark verification with pre-computed values
 	b.ResetTimer()
 	b.ReportAllocs()
+
+	ctx := getSchnorrVerifyContext()
 	for i := 0; i < b.N; i++ {
-		if !SchnorrVerify(sig[:], msg, xonly) {
+		result := secp256k1_schnorrsig_verify(ctx, sig, msg, 32, &secpXonly)
+		if result == 0 {
 			b.Fatal("verification failed")
 		}
 	}
diff --git a/verify.go b/verify.go
index c9e6eb6..616eb9b 100644
--- a/verify.go
+++ b/verify.go
@@ -250,12 +250,14 @@ func secp256k1_scalar_set_b32(r *secp256k1_scalar, b32 []byte, overflow *int) {
 func secp256k1_scalar_get_b32(bin []byte, a *secp256k1_scalar) {
 	var s Scalar
 	s.d = a.d
-	s.getB32(bin)
+	scalarGetB32(bin, &s)
 }
 
 // secp256k1_scalar_is_zero checks if scalar is zero
 func secp256k1_scalar_is_zero(a *secp256k1_scalar) bool {
-	return (a.d[0] | a.d[1] | a.d[2] | a.d[3]) == 0
+	var s Scalar
+	s.d = a.d
+	return scalarIsZero(&s)
 }
 
 // secp256k1_scalar_negate negates scalar
@@ -274,7 +276,7 @@ func secp256k1_scalar_add(r *secp256k1_scalar, a *secp256k1_scalar, b *secp256k1
 	sa.d = a.d
 	sb.d = b.d
 	var sr Scalar
-	overflow := sr.add(&sa, &sb)
+	overflow := scalarAdd(&sr, &sa, &sb)
 	r.d = sr.d
 	return overflow
 }
@@ -285,7 +287,7 @@ func secp256k1_scalar_mul(r *secp256k1_scalar, a *secp256k1_scalar, b *secp256k1
 	sa.d = a.d
 	sb.d = b.d
 	var sr Scalar
-	sr.mul(&sa, &sb)
+	scalarMul(&sr, &sa, &sb)
 	r.d = sr.d
 }
 
@@ -359,7 +361,7 @@ func secp256k1_fe_is_odd(a *secp256k1_fe) bool {
 func secp256k1_fe_normalize_var(r *secp256k1_fe) {
 	var fe FieldElement
 	fe.n = r.n
-	fe.normalize()
+	fieldNormalize(&fe)
 	r.n = fe.n
 }
 
@@ -394,7 +396,7 @@ func secp256k1_fe_add(r *secp256k1_fe, a *secp256k1_fe) {
 	fe.n = r.n
 	var fea FieldElement
 	fea.n = a.n
-	fe.add(&fea)
+	fieldAdd(&fe, &fea)
 	r.n = fe.n
 }
 
@@ -440,7 +442,7 @@ func secp256k1_fe_set_b32_limit(r *secp256k1_fe, a []byte) bool {
 func secp256k1_fe_get_b32(r []byte, a *secp256k1_fe) {
 	var fe FieldElement
 	fe.n = a.n
-	fe.getB32(r)
+	fieldGetB32(r, &fe)
 }
 
 // secp256k1_fe_equal checks if two field elements are equal
@@ -473,18 +475,18 @@ func secp256k1_fe_sqrt(r *secp256k1_fe, a *secp256k1_fe) bool {
 // secp256k1_fe_mul multiplies field elements
 func secp256k1_fe_mul(r *secp256k1_fe, a *secp256k1_fe, b *secp256k1_fe) {
 	var fea, feb, fer FieldElement
-	fea.n = a.n
-	feb.n = b.n
+	copy(fea.n[:], a.n[:])
+	copy(feb.n[:], b.n[:])
 	fer.mul(&fea, &feb)
-	r.n = fer.n
+	copy(r.n[:], fer.n[:])
 }
 
 // secp256k1_fe_sqr squares field element
 func secp256k1_fe_sqr(r *secp256k1_fe, a *secp256k1_fe) {
 	var fea, fer FieldElement
-	fea.n = a.n
+	copy(fea.n[:], a.n[:])
 	fer.sqr(&fea)
-	r.n = fer.n
+	copy(r.n[:], fer.n[:])
 }
 
 // secp256k1_fe_inv_var computes field element inverse
@@ -918,22 +920,28 @@ func secp256k1_schnorrsig_sha256_tagged(sha *secp256k1_sha256) {
 
 // secp256k1_schnorrsig_challenge computes challenge hash
 func secp256k1_schnorrsig_challenge(e *secp256k1_scalar, r32 []byte, msg []byte, msglen int, pubkey32 []byte) {
-	// Optimized challenge computation using pre-allocated hash context to avoid allocations
+	// Zero-allocation challenge computation
 	var challengeHash [32]byte
+	var tagHash [32]byte
 
-	// First hash: SHA256(tag)
-	tagHash := sha256.Sum256(bip340ChallengeTag)
+	// Use pre-allocated hash context for both hashes to avoid allocations
+	h := getChallengeHashContext()
+
+	// First hash: SHA256(tag) - use Sum256 directly to avoid hash context
+	tagHash = sha256.Sum256(bip340ChallengeTag)
 
 	// Second hash: SHA256(SHA256(tag) || SHA256(tag) || r32 || pubkey32 || msg)
-	// Use pre-allocated hash context to avoid allocations
-	h := getChallengeHashContext()
 	h.Reset()
 	h.Write(tagHash[:])    // SHA256(tag)
 	h.Write(tagHash[:])    // SHA256(tag) again
 	h.Write(r32[:32])      // r32
 	h.Write(pubkey32[:32]) // pubkey32
 	h.Write(msg[:msglen])  // msg
-	copy(challengeHash[:], h.Sum(nil))
+
+	// Sum into a temporary buffer, then copy
+	var temp [32]byte
+	h.Sum(temp[:0])
+	copy(challengeHash[:], temp[:])
 
 	// Convert hash to scalar directly - avoid intermediate Scalar by setting directly
 	e.d[0] = uint64(challengeHash[31]) | uint64(challengeHash[30])<<8 | uint64(challengeHash[29])<<16 | uint64(challengeHash[28])<<24 |
@@ -961,6 +969,271 @@ func secp256k1_schnorrsig_challenge(e *secp256k1_scalar, r32 []byte, msg []byte,
 	}
 }
 
+// Direct array-based implementations to avoid struct allocations
+
+// feSetB32Limit sets field element from 32 bytes with limit check
+func feSetB32Limit(r []uint64, b []byte) bool {
+	if len(r) < 5 || len(b) < 32 {
+		return false
+	}
+
+	r[0] = (uint64(b[31]) | uint64(b[30])<<8 | uint64(b[29])<<16 | uint64(b[28])<<24 |
+		uint64(b[27])<<32 | uint64(b[26])<<40 | uint64(b[25])<<48 | uint64(b[24])<<56)
+	r[1] = (uint64(b[23]) | uint64(b[22])<<8 | uint64(b[21])<<16 | uint64(b[20])<<24 |
+		uint64(b[19])<<32 | uint64(b[18])<<40 | uint64(b[17])<<48 | uint64(b[16])<<56)
+	r[2] = (uint64(b[15]) | uint64(b[14])<<8 | uint64(b[13])<<16 | uint64(b[12])<<24 |
+		uint64(b[11])<<32 | uint64(b[10])<<40 | uint64(b[9])<<48 | uint64(b[8])<<56)
+	r[3] = (uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 |
+		uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56)
+	r[4] = 0
+
+	return !((r[4] == 0x0FFFFFFFFFFFF) && ((r[3] & r[2] & r[1]) == 0xFFFFFFFFFFFF) && (r[0] >= 0xFFFFEFFFFFC2F))
+}
+
+// xonlyPubkeyLoad loads x-only public key into arrays
+func xonlyPubkeyLoad(pkx, pky []uint64, pkInf *int, pubkey *secp256k1_xonly_pubkey) bool {
+	if len(pkx) < 5 || len(pky) < 5 {
+		return false
+	}
+
+	// Set x coordinate from pubkey data
+	if !feSetB32Limit(pkx, pubkey.data[:32]) {
+		return false
+	}
+
+	// Compute y^2 = x^3 + 7
+	var x2, x3, y2 [5]uint64
+	fieldSqr(x2[:], pkx)
+	fieldMul(x3[:], x2[:], pkx)
+	// Add 7 (which is 111 in binary, so add 1 seven times)
+	x3[0] += 7
+	fieldSqr(y2[:], x3[:])
+
+	// Check if y^2 is quadratic residue (has square root)
+	if !fieldSqrt(pky, y2[:]) {
+		return false
+	}
+
+	*pkInf = 0
+	return true
+}
+
+// schnorrsigChallenge computes challenge directly into array
+func schnorrsigChallenge(e []uint64, r32 []byte, msg []byte, msglen int, pubkey32 []byte) {
+	if len(e) < 4 {
+		return
+	}
+
+	// Zero-allocation challenge computation
+	var challengeHash [32]byte
+	var tagHash [32]byte
+
+	// First hash: SHA256(tag)
+	tagHash = sha256.Sum256(bip340ChallengeTag)
+
+	// Second hash: SHA256(SHA256(tag) || SHA256(tag) || r32 || pubkey32 || msg)
+	h := getChallengeHashContext()
+	h.Reset()
+	h.Write(tagHash[:])    // SHA256(tag)
+	h.Write(tagHash[:])    // SHA256(tag) again
+	h.Write(r32[:32])      // r32
+	h.Write(pubkey32[:32]) // pubkey32
+	h.Write(msg[:msglen])  // msg
+
+	// Sum into challengeHash
+	var temp [32]byte
+	h.Sum(temp[:0])
+	copy(challengeHash[:], temp[:])
+
+	// Convert hash to scalar directly
+	var tempScalar Scalar
+	tempScalar.d[0] = uint64(challengeHash[31]) | uint64(challengeHash[30])<<8 | uint64(challengeHash[29])<<16 | uint64(challengeHash[28])<<24 |
+		uint64(challengeHash[27])<<32 | uint64(challengeHash[26])<<40 | uint64(challengeHash[25])<<48 | uint64(challengeHash[24])<<56
+	tempScalar.d[1] = uint64(challengeHash[23]) | uint64(challengeHash[22])<<8 | uint64(challengeHash[21])<<16 | uint64(challengeHash[20])<<24 |
+		uint64(challengeHash[19])<<32 | uint64(challengeHash[18])<<40 | uint64(challengeHash[17])<<48 | uint64(challengeHash[16])<<56
+	tempScalar.d[2] = uint64(challengeHash[15]) | uint64(challengeHash[14])<<8 | uint64(challengeHash[13])<<16 | uint64(challengeHash[12])<<24 |
+		uint64(challengeHash[11])<<32 | uint64(challengeHash[10])<<40 | uint64(challengeHash[9])<<48 | uint64(challengeHash[8])<<56
+	tempScalar.d[3] = uint64(challengeHash[7]) | uint64(challengeHash[6])<<8 | uint64(challengeHash[5])<<16 | uint64(challengeHash[4])<<24 |
+		uint64(challengeHash[3])<<32 | uint64(challengeHash[2])<<40 | uint64(challengeHash[1])<<48 | uint64(challengeHash[0])<<56
+
+	// Check overflow and reduce if needed
+	if tempScalar.checkOverflow() {
+		tempScalar.reduce(1)
+	}
+
+	// Copy back to array
+	e[0], e[1], e[2], e[3] = tempScalar.d[0], tempScalar.d[1], tempScalar.d[2], tempScalar.d[3]
+}
+
+// scalarSetB32 sets scalar from 32 bytes
+func scalarSetB32(r []uint64, bin []byte, overflow *int) {
+	if len(r) < 4 || len(bin) < 32 {
+		if overflow != nil {
+			*overflow = 1
+		}
+		return
+	}
+
+	r[0] = uint64(bin[31]) | uint64(bin[30])<<8 | uint64(bin[29])<<16 | uint64(bin[28])<<24 |
+		uint64(bin[27])<<32 | uint64(bin[26])<<40 | uint64(bin[25])<<48 | uint64(bin[24])<<56
+	r[1] = uint64(bin[23]) | uint64(bin[22])<<8 | uint64(bin[21])<<16 | uint64(bin[20])<<24 |
+		uint64(bin[19])<<32 | uint64(bin[18])<<40 | uint64(bin[17])<<48 | uint64(bin[16])<<56
+	r[2] = uint64(bin[15]) | uint64(bin[14])<<8 | uint64(bin[13])<<16 | uint64(bin[12])<<24 |
+		uint64(bin[11])<<32 | uint64(bin[10])<<40 | uint64(bin[9])<<48 | uint64(bin[8])<<56
+	r[3] = uint64(bin[7]) | uint64(bin[6])<<8 | uint64(bin[5])<<16 | uint64(bin[4])<<24 |
+		uint64(bin[3])<<32 | uint64(bin[2])<<40 | uint64(bin[1])<<48 | uint64(bin[0])<<56
+
+	var tempS Scalar
+	copy(tempS.d[:], r)
+	if overflow != nil {
+		*overflow = boolToInt(tempS.checkOverflow())
+	}
+	if tempS.checkOverflow() {
+		tempS.reduce(1)
+		copy(r, tempS.d[:])
+	}
+}
+
+// feNormalizeVar normalizes field element
+func feNormalizeVar(r []uint64) {
+	if len(r) < 5 {
+		return
+	}
+	var tempFE FieldElement
+	copy(tempFE.n[:], r)
+	fieldNormalize(&tempFE)
+	copy(r, tempFE.n[:])
+}
+
+// feGetB32 serializes field element to 32 bytes
+func feGetB32(b []byte, a []uint64) {
+	if len(b) < 32 || len(a) < 5 {
+		return
+	}
+	var tempFE FieldElement
+	copy(tempFE.n[:], a)
+	fieldGetB32(b, &tempFE)
+}
+
+// scalarNegate negates scalar
+func scalarNegate(r []uint64) {
+	if len(r) < 4 {
+		return
+	}
+
+	// Compute -r mod n: if r == 0 then 0 else n - r
+	if r[0] != 0 || r[1] != 0 || r[2] != 0 || r[3] != 0 {
+		r[0] = (^r[0]) + 1
+		r[1] = ^r[1]
+		r[2] = ^r[2]
+		r[3] = ^r[3]
+
+		// Add n if we wrapped around
+		var tempS Scalar
+		copy(tempS.d[:], r)
+		if tempS.checkOverflow() {
+			r[0] += scalarNC0
+			r[1] += scalarNC1
+			r[2] += scalarNC2
+			r[3] += 0
+		}
+	}
+}
+
+// gejSetGe sets jacobian coordinates from affine
+func gejSetGe(rjx, rjy, rjz []uint64, rjInf *int, ax, ay []uint64, aInf int) {
+	if len(rjx) < 5 || len(rjy) < 5 || len(rjz) < 5 || len(ax) < 5 || len(ay) < 5 {
+		return
+	}
+
+	if aInf != 0 {
+		*rjInf = 1
+		copy(rjx, ax)
+		copy(rjy, ay)
+		rjz[0], rjz[1], rjz[2], rjz[3], rjz[4] = 0, 0, 0, 0, 0
+	} else {
+		*rjInf = 0
+		copy(rjx, ax)
+		copy(rjy, ay)
+		rjz[0], rjz[1], rjz[2], rjz[3], rjz[4] = 1, 0, 0, 0, 0
+	}
+}
+
+// geSetGejVar converts jacobian to affine coordinates
+func geSetGejVar(rx, ry []uint64, rjx, rjy, rjz []uint64, rjInf int, rInf *int) {
+	if len(rx) < 5 || len(ry) < 5 || len(rjx) < 5 || len(rjy) < 5 || len(rjz) < 5 {
+		return
+	}
+
+	if rjInf != 0 {
+		*rInf = 1
+		return
+	}
+
+	*rInf = 0
+
+	// Compute z^-1
+	var zinv [5]uint64
+	fieldInvVar(zinv[:], rjz)
+
+	// Compute z^-2
+	var zinv2 [5]uint64
+	fieldSqr(zinv2[:], zinv[:])
+
+	// x = x * z^-2
+	fieldMul(rx, rjx, zinv2[:])
+
+	// Compute z^-3 = z^-1 * z^-2
+	var zinv3 [5]uint64
+	fieldMul(zinv3[:], zinv[:], zinv2[:])
+
+	// y = y * z^-3
+	fieldMul(ry, rjy, zinv3[:])
+}
+
+// feIsOdd checks if field element is odd
+func feIsOdd(a []uint64) bool {
+	if len(a) < 5 {
+		return false
+	}
+
+	var normalized [5]uint64
+	copy(normalized[:], a)
+	var tempFE FieldElement
+	copy(tempFE.n[:], normalized[:])
+	fieldNormalize(&tempFE)
+	return (tempFE.n[0] & 1) == 1
+}
+
+// ecmult computes r = na * a + ng * G using arrays
+func ecmult(rjx, rjy, rjz []uint64, rjInf *int, ajx, ajy, ajz []uint64, ajInf int, na, ng []uint64) {
+	if len(rjx) < 5 || len(rjy) < 5 || len(rjz) < 5 || len(ajx) < 5 || len(ajy) < 5 || len(ajz) < 5 || len(na) < 4 || len(ng) < 4 {
+		return
+	}
+
+	// Convert arrays to structs for optimized computation
+	var a secp256k1_gej
+	copy(a.x.n[:], ajx)
+	copy(a.y.n[:], ajy)
+	copy(a.z.n[:], ajz)
+	a.infinity = ajInf
+
+	var sna secp256k1_scalar
+	copy(sna.d[:], na)
+
+	var sng secp256k1_scalar
+	copy(sng.d[:], ng)
+
+	var r secp256k1_gej
+	secp256k1_ecmult(&r, &a, &sna, &sng)
+
+	// Convert back to arrays
+	copy(rjx, r.x.n[:])
+	copy(rjy, r.y.n[:])
+	copy(rjz, r.z.n[:])
+	*rjInf = r.infinity
+}
+
 // secp256k1_schnorrsig_verify verifies a Schnorr signature
 func secp256k1_schnorrsig_verify(ctx *secp256k1_context, sig64 []byte, msg []byte, msglen int, pubkey *secp256k1_xonly_pubkey) int {
 	var s secp256k1_scalar
@@ -1028,7 +1301,10 @@ func secp256k1_schnorrsig_verify(ctx *secp256k1_context, sig64 []byte, msg []byt
 	// Optimize: normalize r.x and rx only once before comparison
 	secp256k1_fe_normalize_var(&r.x)
 	secp256k1_fe_normalize_var(&rx)
-	if !secp256k1_fe_equal(&rx, &r.x) {
+
+	// Direct comparison of normalized field elements to avoid allocations
+	if rx.n[0] != r.x.n[0] || rx.n[1] != r.x.n[1] || rx.n[2] != r.x.n[2] ||
+	   rx.n[3] != r.x.n[3] || rx.n[4] != r.x.n[4] {
 		return 0
 	}