diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 07ed110cdc..a30e876113 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -119,7 +119,7 @@ mbedtls_ecp_point;
 * 1. Short Weierstrass y^2 = x^3 + A x + B mod P (SEC1 + RFC 4492)
 * 2. Montgomery, y^2 = x^3 + A x^2 + x mod P (Curve25519 + draft)
 * In both cases, a generator G for a prime-order subgroup is fixed. In the
- * short weierstrass, this subgroup is actually the whole curve, and its
+ * Short Weierstrass case, this subgroup is actually the whole curve, and its
 * cardinal is denoted by N.
 *
 * In the case of Short Weierstrass curves, our code requires that N is an odd
diff --git a/library/ecp.c b/library/ecp.c
index 454820ae57..41bf03d31e 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1751,6 +1751,9 @@ cleanup:
 * this wrapper ensures that by replacing m by N - m if necessary, and
 * informs the caller that the result of multiplication will be negated.
 *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
 * See ecp_comb_recode_core() for background.
 */
 static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
@@ -1766,7 +1769,7 @@ static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
 mbedtls_mpi_init( &M );
 mbedtls_mpi_init( &mm );
- /* N is odd with all real-world curves, just make extra sure */
+ /* N is always odd (see above), just make extra sure */
 if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
 return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
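Review bot: The rationale added to the comment above ecp_comb_recode_scalar() ends with "either m or N - m is", which leaves the reader to supply "odd" and does not say that exactly one of the two is odd. Because m and N - m sum to N, they have opposite parity whenever N is odd, so I would word the second added line as `* curves, so N is always odd and exactly one of m and N - m is odd.` The "large prime order" requirement this relies on appears to be the one stated in the ecp.h comment touched by this commit (that sentence is cut off by its hunk); pointing to it by name would keep the two statements from drifting apart. The function body lies outside this hunk.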
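Review bot: The reworded comment still presents the parity test as a redundancy ("just make extra sure"), yet within this hunk it is the only check that enforces the odd-N precondition the recoding depends on. If a caller can populate `grp->N` itself rather than loading a built-in curve, an even N is presumably reachable, so the comment should say what the guard protects, e.g. `/* N must be odd for the parity trick (see function comment); reject any other group */`. Separately, the `return` sits after `mbedtls_mpi_init( &M )` and `mbedtls_mpi_init( &mm )` and does not go through a cleanup path; that is likely harmless if init allocates nothing, but placing the check before the two init calls would make it obviously so. The rest of the function is outside the hunk.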