Sometimes I am blown away by how thorough Pieter Wuille is ...
https://github.com/bitcoin/bitcoin/pull/6954#issuecomment-167126321
For all of the above, we have: * High test coverage (the only missing parts are cryptographically improbable to reach ones). * Hand verifiable proof of correctness for the field multiplication algorithm (provably no overflow, and provably equivalent to the correct response assuming no overflow). * Computer verified proof of correctness for group addition formulae (computer algebra system can prove polynomial equivalence between implementation and mathematical expressions for the result). * Special compilable mode that changes a constant to end up with a very small group, and exhaustive tests that all assumptions remain true (in progress, by Andrew Poelstra). * Test cases for the scalar code that were extracted from a set of 1 trillion randomly generated tests which give very high coverage, and work in progress to algebraically derive cases that trigger the (nearly) unreachable remaining ones. Furthermore: * An old build mode which used OpenSSL's bignum code for integer operations helped discover a bug in OpenSSL square code (CVE-2014-3570). * During tested we discovered an platform inconsistency in OpenSSL's signature parsing code (fixed by BIP66). * Our ECDSA signature fuzzer pointed out several types of previously unknown invalid signature types that OpenSSL accepted (discovered after BIP66 took effect).