diff --git a/src/secp256k1/.travis.yml b/src/secp256k1/.travis.yml
--- a/src/secp256k1/.travis.yml
+++ b/src/secp256k1/.travis.yml
@@ -1,6 +1,11 @@
 language: c
-os: linux
-dist: xenial
+os:
+  - linux
+  - osx
+
+dist: bionic
+# Valgrind currently supports upto macOS 10.13, the latest xcode of that version is 10.1
+osx_image: xcode10.1
 addons:
   apt:
     packages:
@@ -11,8 +16,16 @@
       - libtool-bin
       - ninja-build
       - valgrind
+  homebrew:
+    packages:
+      - cmake
+      - gcc@9
+      - gmp
+      - ninja
+      - valgrind
+    update: true
 install:
-  - ./travis/install_cmake.sh
+  - if [ "${TRAVIS_OS_NAME}" = "linux" ]; then ./travis/install_cmake.sh; fi
 cache:
   directories:
     - /opt/cmake
@@ -42,7 +55,7 @@
     - MULTISET=no
     - CTIMETEST=yes
     - BENCH=yes
-    - SECP256K1_BENCH_ITERS=2
+    - ITERS=2
   jobs:
     - SCALAR=32bit    RECOVERY=yes
     - SCALAR=32bit    FIELD=32bit       ECDH=yes  EXPERIMENTAL=yes  MULTISET=yes
@@ -58,45 +71,49 @@
     - BIGNUM=no       STATICPRECOMPUTATION=no
     - AUTOTOOLS_TARGET=distcheck       CMAKE_TARGET=install    CTIMETEST= BENCH=
     - AUTOTOOLS_EXTRA_FLAGS=CPPFLAGS=-DDETERMINISTIC CMAKE_EXTRA_FLAGS=-DCMAKE_C_FLAGS=-DDETERMINISTIC
-    - AUTOTOOLS_EXTRA_FLAGS=CFLAGS=-O0               CMAKE_EXTRA_FLAGS=-DCMAKE_BUILD_TYPE=Debug
+    - AUTOTOOLS_EXTRA_FLAGS=CFLAGS=-O0               CMAKE_EXTRA_FLAGS=-DCMAKE_BUILD_TYPE=Debug CTIMETEST=
     - AUTOTOOLS_TARGET=check-java      CMAKE_TARGET=check-secp256k1-java JNI=yes ECDH=yes EXPERIMENTAL=yes CTIMETEST= BENCH=
     - ECMULTGENPRECISION=2
     - ECMULTGENPRECISION=8
+    - VALGRIND=yes
+      BIGNUM=no ENDOMORPHISM=yes ASM=x86_64 EXPERIMENTAL=yes ECDH=yes RECOVERY=yes OPENSSL_TESTS=no MULTISET=yes
+      AUTOTOOLS_EXTRA_FLAGS=CPPFLAGS=-DVALGRIND AUTOTOOLS_TARGET=
+      CMAKE_EXTRA_FLAGS=-DCMAKE_C_FLAGS=-DVALGRIND CMAKE_TARGET="secp256k1-tests secp256k1-exhaustive_tests"
+    # The same as above but without endomorphism.
+    - VALGRIND=yes
+      BIGNUM=no                  ASM=x86_64 EXPERIMENTAL=yes ECDH=yes RECOVERY=yes OPENSSL_TESTS=no MULTISET=yes
+      AUTOTOOLS_EXTRA_FLAGS=CPPFLAGS=-DVALGRIND  AUTOTOOLS_TARGET=
+      CMAKE_EXTRA_FLAGS=-DCMAKE_C_FLAGS=-DVALGRIND CMAKE_TARGET="secp256k1-tests secp256k1-exhaustive_tests"
     - SCHNORR=no
 jobs:
   fast_finish: true
   include:
     - compiler: clang
+      os: linux
       env: HOST=i686-linux-gnu ENDOMORPHISM=yes OPENSSL_TESTS=no
     - compiler: clang
+      os: linux
       env: HOST=i686-linux-gnu BIGNUM=no OPENSSL_TESTS=no
     - compiler: gcc
+      os: linux
       env: HOST=i686-linux-gnu ENDOMORPHISM=yes BIGNUM=no OPENSSL_TESTS=no
     - compiler: gcc
+      os: linux
       env: HOST=i686-linux-gnu OPENSSL_TESTS=no
-    - compiler: gcc
-      env:
-        - VALGRIND=yes
-        - BIGNUM=no  ENDOMORPHISM=yes  ASM=x86_64  EXPERIMENTAL=yes  ECDH=yes  RECOVERY=yes  OPENSSL_TESTS=no  MULTISET=yes
-        - AUTOTOOLS_EXTRA_FLAGS=CPPFLAGS=-DVALGRIND  AUTOTOOLS_TARGET=
-        - CMAKE_EXTRA_FLAGS=-DCMAKE_C_FLAGS=-DVALGRIND  CMAKE_TARGET="secp256k1-tests secp256k1-exhaustive_tests"
-    - compiler: gcc
-      env: # The same as above but without endomorphism.
-        - VALGRIND=yes
-        - BIGNUM=no  ENDOMORPHISM=no  ASM=x86_64  EXPERIMENTAL=yes  ECDH=yes  RECOVERY=yes  OPENSSL_TESTS=no  MULTISET=yes
-        - AUTOTOOLS_EXTRA_FLAGS=CPPFLAGS=-DVALGRIND  AUTOTOOLS_TARGET=
-        - CMAKE_EXTRA_FLAGS=-DCMAKE_C_FLAGS=-DVALGRIND  CMAKE_TARGET="secp256k1-tests secp256k1-exhaustive_tests"
 
+before_script:
+  # This limits the iterations in the benchmarks below to ITER iterations.
+  - export SECP256K1_BENCH_ITERS="$ITERS"
+
+# travis auto terminates jobs that go for 10 minutes without printing to stdout,
+# but travis_wait doesn't work well with forking programs like valgrind
+# (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received https://github.com/bitcoin-core/secp256k1/pull/750#issuecomment-623476860)
 script:
+  - function keep_alive() { while true; do echo -en "\a"; sleep 60; done }
+  - keep_alive &
   - ./travis/build_autotools.sh
   - ./travis/build_cmake.sh
-  - # travis_wait extends the 10 minutes without output allowed (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received)
-  - # the `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (http://valgrind.org/docs/manual/manual-core.html)
-  - if [ -n "$VALGRIND" ]; then
-    travis_wait 30 valgrind --error-exitcode=42 ./buildautotools/tests 16 &&
-    travis_wait 30 valgrind --error-exitcode=42 ./buildautotools/exhaustive_tests;
-    fi
-  - if [ -n "$VALGRIND" ]; then
-    travis_wait 30 valgrind --error-exitcode=42 ./buildcmake/secp256k1-tests 16 &&
-    travis_wait 30 valgrind --error-exitcode=42 ./buildcmake/secp256k1-exhaustive_tests;
-    fi
+  - kill %keep_alive
+
+after_script:
+  - valgrind --version
diff --git a/src/secp256k1/src/modules/schnorr/schnorr_impl.h b/src/secp256k1/src/modules/schnorr/schnorr_impl.h
--- a/src/secp256k1/src/modules/schnorr/schnorr_impl.h
+++ b/src/secp256k1/src/modules/schnorr/schnorr_impl.h
@@ -152,6 +152,11 @@
     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Rj, &k);
     secp256k1_ge_set_gej(&R, &Rj);
 
+    /*
+     * We declassify R to allow using it as a branch point.
+     * This is fine because R is not a secret.
+     */
+    secp256k1_declassify(ctx, &R, sizeof(R));
     /** Negate the nonce if R.y is not a quadratic residue. */
     secp256k1_scalar_cond_negate(&k, !secp256k1_fe_is_quad_var(&R.y));
 
diff --git a/src/secp256k1/travis/build_autotools.sh b/src/secp256k1/travis/build_autotools.sh
--- a/src/secp256k1/travis/build_autotools.sh
+++ b/src/secp256k1/travis/build_autotools.sh
@@ -4,6 +4,16 @@
 
 set -ex
 
+# FIXME The java tests will fail on macOS with autotools due to the
+# libsepc256k1_jni library referencing the libsecp256k1 library with an absolute
+# path. This needs to be rewritten with install_name_tool to use relative paths
+# via the @variables supported by the macOS loader.
+if [ "$TRAVIS_OS_NAME" = "osx" ] && [ "$JNI" = "yes" ]
+then
+  echo "Skipping the java tests built with autotools on OSX"
+  exit 0
+fi
+
 if [ -n "$HOST" ]; then
   USE_HOST="--host=$HOST"
 fi
@@ -12,6 +22,13 @@
   CC="$CC -m32"
 fi
 
+if [ "$TRAVIS_OS_NAME" = "osx" ] && [ "$TRAVIS_COMPILER" = "gcc" ]
+then
+  CC="gcc-9"
+fi
+
+$CC --version
+
 ./autogen.sh
 
 mkdir buildautotools
@@ -45,28 +62,38 @@
 
 make -j2 $AUTOTOOLS_TARGET
 
+if [ -n "$VALGRIND" ]; then
+  # the `--error-exitcode` is required to make the test fail if valgrind found
+  # errors, otherwise it'll return 0
+  # (http://valgrind.org/docs/manual/manual-core.html)
+  valgrind --error-exitcode=42 ./tests 16
+  valgrind --error-exitcode=42 ./exhaustive_tests
+fi
+
 if [ -n "$BENCH" ]; then
   if [ -n "$VALGRIND" ]; then
-    EXEC='libtool --mode=execute valgrind --error-exitcode=42';
+    # Using the local `libtool` because on macOS the system's libtool has
+    # nothing to do with GNU libtool
+    EXEC='./libtool --mode=execute valgrind --error-exitcode=42';
   else
     EXEC= ;
   fi
-  $EXEC ./bench_ecmult &>> bench.log
-  $EXEC ./bench_internal &>> bench.log
-  $EXEC ./bench_sign &>> bench.log
-  $EXEC ./bench_verify &>> bench.log
+  $EXEC ./bench_ecmult >> bench.log 2>&1
+  $EXEC ./bench_internal >> bench.log 2>&1
+  $EXEC ./bench_sign >> bench.log 2>&1
+  $EXEC ./bench_verify >> bench.log 2>&1
   if [ "$RECOVERY" == "yes" ]; then
-    $EXEC ./bench_recover &>> bench.log
+    $EXEC ./bench_recover >> bench.log 2>&1
   fi
   if [ "$ECDH" == "yes" ]; then
-    $EXEC ./bench_ecdh &>> bench.log
+    $EXEC ./bench_ecdh >> bench.log 2>&1
   fi
   if [ "$MULTISET" == "yes" ]; then
-    $EXEC ./bench_multiset &>> bench.log
+    $EXEC ./bench_multiset >> bench.log 2>&1
   fi
 fi
 if [ -n "$CTIMETEST" ]; then
-  libtool --mode=execute valgrind  ./valgrind_ctime_test &> valgrind_ctime_test.log
+  ./libtool --mode=execute valgrind --error-exitcode=42 ./valgrind_ctime_test > valgrind_ctime_test.log 2>&1
 fi
 
 popd
diff --git a/src/secp256k1/travis/build_cmake.sh b/src/secp256k1/travis/build_cmake.sh
--- a/src/secp256k1/travis/build_cmake.sh
+++ b/src/secp256k1/travis/build_cmake.sh
@@ -7,6 +7,10 @@
 if [ "x$HOST" = "xi686-linux-gnu" ]; then
   CMAKE_EXTRA_FLAGS="$CMAKE_EXTRA_FLAGS -DCMAKE_C_FLAGS=-m32"
 fi
+if [ "$TRAVIS_OS_NAME" = "osx" ] && [ "$TRAVIS_COMPILER" = "gcc" ]
+then
+  CMAKE_EXTRA_FLAGS="$CMAKE_EXTRA_FLAGS -DCMAKE_C_COMPILER=gcc-9"
+fi
 
 # "auto" is not a valid value for SECP256K1_ECMULT_GEN_PRECISION with cmake.
 # In this case we use the default value instead by not setting the cache
@@ -18,8 +22,13 @@
 mkdir -p buildcmake/install
 pushd buildcmake
 
-# Use the cmake version installed via the install_cmake.sh script.
-CMAKE_COMMAND=/opt/cmake/bin/cmake
+# Use the cmake version installed via the install_cmake.sh script on linux
+if [ "$TRAVIS_OS_NAME" = "linux" ]
+then
+  CMAKE_COMMAND=/opt/cmake/bin/cmake
+else
+  CMAKE_COMMAND=cmake
+fi
 ${CMAKE_COMMAND} --version
 
 ${CMAKE_COMMAND} -GNinja .. \
@@ -41,4 +50,12 @@
 
 ninja $CMAKE_TARGET
 
+if [ -n "$VALGRIND" ]; then
+  # the `--error-exitcode` is required to make the test fail if valgrind found
+  # errors, otherwise it'll return 0
+  # (http://valgrind.org/docs/manual/manual-core.html)
+  valgrind --error-exitcode=42 ./secp256k1-tests 16
+  valgrind --error-exitcode=42 ./secp256k1-exhaustive_tests
+fi
+
 popd