What makes this inherently test-only?

It's not constant time.

IMO should be mentioned in the comment.

That's indeed a good warning to add in a followup.

It's not constant time.

Given that its only use in Bitcoin is ripemd160(sha256(data)), does this not make a timing attack effectively useless?

@mmgen Yes, but it's open-source code, and open-source code gets copied and can end up being adopted for other purposes.

nit: using the & operator is a slightly odd way to change the sign of an integer, no?

Might be better written as (119 - len&63) & 63 ?

See also https://docs.python.org/3/library/stdtypes.html#bitwise-operations-on-integer-types

Performing these calculations with at least one extra sign extension bit in a finite two’s complement representation (a working bit-width of 1 + max(x.bit_length(), y.bit_length()) or more) is sufficient to get the same result as if there were an infinite number of sign bits.

I'm happy to change it, but "& 63" is exactly the same as "% 64" but faster, and that should be sufficient here.

Oh it is fine. I was just commenting that &63 also changes the sign from negative to positive.

For example if the size is 172, then 119-172 will be negative and &63 will make it positive.

Edit: I checked that the two do the same:

>>> all([  (119-i)&63==(119-i&63)&63  for i in range(1000000) ])
True

Yes, the result of & is only negative if both inputs are negative.