diff --git a/ecdsa.c b/ecdsa.c
index 3f2e4d429..f18a13397 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -177,13 +177,15 @@ void conditional_negate(uint32_t cond, bignum256 *a, const bignum256 *prime)
 {
 int j;
 uint32_t tmp = 1;
+ assert(a->val[8] < 0x20000);
 for (j = 0; j < 8; j++) {
- tmp += 0x3fffffff + prime->val[j] - a->val[j];
+ tmp += 0x3fffffff + 2*prime->val[j] - a->val[j];
 a->val[j] = ((tmp & 0x3fffffff) & cond) | (a->val[j] & ~cond);
 tmp >>= 30;
 }
- tmp += 0x3fffffff + prime->val[j] - a->val[j];
+ tmp += 0x3fffffff + 2*prime->val[j] - a->val[j];
 a->val[j] = ((tmp & 0x3fffffff) & cond) | (a->val[j] & ~cond);
+ assert(a->val[8] < 0x20000);
 }
 typedef struct jacobian_curve_point {
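Review bot: The range contract of conditional_negate is now carried only by the two `assert(a->val[8] < 0x20000);` lines, which compile away under NDEBUG, and nothing in the hunk records that the selected result is now `2*prime - a` rather than `prime - a`. I would add a comment above the function, e.g. `/* if cond is set (it is used as a mask): a = 2*prime - a, partly reduced; requires and ensures a->val[8] < 0x20000 */`, so callers know they must pass and will receive a partly reduced value. The same comment should state that the limb sum `0x3fffffff + 2*prime->val[j] - a->val[j]` plus carry fits the uint32_t `tmp` only while every limb is below 2^30. The signature sits in the hunk header, so an existing comment above the function, and whether ecdsa.c already includes <assert.h>, cannot be seen from here.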