diff --git a/arm/curve25519/curve25519_x25519.S b/arm/curve25519/curve25519_x25519.S
index d66884d5..0b7ec7a1 100644
--- a/arm/curve25519/curve25519_x25519.S
+++ b/arm/curve25519/curve25519_x25519.S
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/arm/curve25519/curve25519_x25519_alt.S b/arm/curve25519/curve25519_x25519_alt.S
index 4e9b91b4..3a521a60 100644
--- a/arm/curve25519/curve25519_x25519_alt.S
+++ b/arm/curve25519/curve25519_x25519_alt.S
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/arm/curve25519/curve25519_x25519_byte.S b/arm/curve25519/curve25519_x25519_byte.S
index d64eb73e..6162a380 100644
--- a/arm/curve25519/curve25519_x25519_byte.S
+++ b/arm/curve25519/curve25519_x25519_byte.S
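Review bot: The added sentence tells the reader that the zero-check is missing but not what a caller has to do about it, and the same wording is repeated in the header comments of the other seven files in this diff. The header already states that the result is 0 when n * P is the point at infinity, so an all-zero output is returned like any other value and a caller that feeds it straight into key derivation never sees the condition. I would extend the comment along the lines of `// Callers that need the Section 6.1 check must compare the 32-byte result against zero themselves, in constant time, and abort on a match.` and write "Section 6.1 of that RFC" so the reference cannot be misread. The header comment block starts and ends outside the hunk, and whether existing callers already perform the check is not visible here.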
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/arm/curve25519/curve25519_x25519_byte_alt.S b/arm/curve25519/curve25519_x25519_byte_alt.S
index 7f79cfd8..f59e6114 100644
--- a/arm/curve25519/curve25519_x25519_byte_alt.S
+++ b/arm/curve25519/curve25519_x25519_byte_alt.S
@@ -13,7 +13,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard ARM ABI: X0 = res, X1 = scalar, X2 = point
 // ----------------------------------------------------------------------------
diff --git a/x86/curve25519/curve25519_x25519.S b/x86/curve25519/curve25519_x25519.S
index 06efe800..1937833f 100644
--- a/x86/curve25519/curve25519_x25519.S
+++ b/x86/curve25519/curve25519_x25519.S
@@ -20,7 +20,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard x86-64 ABI: RDI = res, RSI = scalar, RDX = point
 // Microsoft x64 ABI: RCX = res, RDX = scalar, R8 = point
diff --git a/x86/curve25519/curve25519_x25519_alt.S b/x86/curve25519/curve25519_x25519_alt.S
index ffa1f4a7..9f50fd74 100644
--- a/x86/curve25519/curve25519_x25519_alt.S
+++ b/x86/curve25519/curve25519_x25519_alt.S
@@ -20,7 +20,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard x86-64 ABI: RDI = res, RSI = scalar, RDX = point
 // Microsoft x64 ABI: RCX = res, RDX = scalar, R8 = point
diff --git a/x86_att/curve25519/curve25519_x25519.S b/x86_att/curve25519/curve25519_x25519.S
index 2a97ee94..9914fdd0 100644
--- a/x86_att/curve25519/curve25519_x25519.S
+++ b/x86_att/curve25519/curve25519_x25519.S
@@ -20,7 +20,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard x86-64 ABI: RDI = res, RSI = scalar, RDX = point
 // Microsoft x64 ABI: RCX = res, RDX = scalar, R8 = point
diff --git a/x86_att/curve25519/curve25519_x25519_alt.S b/x86_att/curve25519/curve25519_x25519_alt.S
index 241c4505..ca92a920 100644
--- a/x86_att/curve25519/curve25519_x25519_alt.S
+++ b/x86_att/curve25519/curve25519_x25519_alt.S
@@ -20,7 +20,8 @@
 // this returns the X coordinate of n * P = (X, Y), or 0 when n * P is the
 // point at infinity. Both n and X inputs are first slightly modified/mangled
 // as specified in the relevant RFC (https://www.rfc-editor.org/rfc/rfc7748);
-// in particular the lower three bits of n are set to zero.
+// in particular the lower three bits of n are set to zero. Does not implement
+// the zero-check specified in Section 6.1.
 //
 // Standard x86-64 ABI: RDI = res, RSI = scalar, RDX = point
 // Microsoft x64 ABI: RCX = res, RDX = scalar, R8 = point