We have secp256k1_ge_verify, secp256k1_gej_verify, and secp256k1_fe_verify functions to the invariants of the respective type. We call them on every entry/exit of a function that operates on a respective element.

We should add a similar function for scalars. I think the only invariant is that scalars a are reduced mod the group order, i.e., secp256k1_scalar_check_overflow(a) == 0.

(see #1184 (comment))

@stratospher Are you interested in working on this?