+ /*
+ * This is obviously not constant-time but it will almost-never happen
+ * for ECDH / ECDSA. The case where it can happen is during scalar-mult
+ * where the intermediate value gets very close to the group order.
+ * Since |ec_GFp_nistp_recode_scalar_bits| produces signed digits for
+ * the scalar, it's possible for the intermediate value to be a small
+ * negative multiple of the base point, and for the final signed digit
+ * to be the same value. We believe that this only occurs for the scalar
+ * 1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ * ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
+ * 71e913863f7, in that case the penultimate intermediate is -9G and
+ * the final digit is also -9G. Since this only happens for a single
+ * scalar, the timing leak is irrelevent. (Any attacker who wanted to
+ * check whether a secret scalar was that exact value, can already do
+ * so.)
+ */