diff --git a/src/mod25638.c b/src/mod25638.c
index 7e83416..2a617a2 100644
--- a/src/mod25638.c
+++ b/src/mod25638.c
@@ -73,6 +73,15 @@ const bn256 n25638 = { {0xffffffda, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff } };
+/*
+ * Implementation Note.
+ *
+ * It's not always modulo n25638. The representation is redundant
+ * during computation. For example, when we add the number - 1 and 1,
+ * it won't overflow to 2^256, and the result is represented within
+ * 256-bit.
+ */
+
 /**
 * @brief X = (A + B) mod 2^256-38
 */
@@ -142,7 +151,7 @@ mod25638_mul (bn256 *X, const bn256 *A, const bn256 *B)
 void
 mod25638_sqr (bn256 *X, const bn256 *A)
 {
- /* This could be improved a bit, see mpi_montsqr. */
+ /* This could be improved a bit, see bn256_sqr. */
 mod25638_mul (X, A, A);
 }
diff --git a/src/modp256k1.c b/src/modp256k1.c
index 95fcb6f..e22f826 100644
--- a/src/modp256k1.c
+++ b/src/modp256k1.c
@@ -52,6 +52,17 @@ const bn256 p256k1 = { {0xfffffc2f, 0xfffffffe, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff } };
+/*
+ * Implementation Note.
+ *
+ * It's not always modulo p256k1. The representation is redundant
+ * during computation. For example, when we add the prime - 1 and 1,
+ * it won't overflow to 2^256, and the result is represented within
+ * 256-bit.
+ *
+ * It is guaranteed that modp256k1_reduce reduces to modulo p256k1.
+ */
+
 /**
 * @brief X = (A + B) mod p256k1
 */
diff --git a/src/modp256r1.c b/src/modp256r1.c
index 75b94c6..dc52a73 100644
--- a/src/modp256r1.c
+++ b/src/modp256r1.c
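Review bot: The note added after n25638 is the only one of the three in this commit that does not say which routine returns a fully reduced value, and that is the property a caller needs before comparing two elements, testing for zero, or encoding a result — the hunk's own example, (n25638 - 1) + 1, yields a 256-bit pattern that is zero modulo n25638 but is not all-zero bits. Also, n25638 = 2^256 - 38 (limbs 0xffffffda then all 0xffffffff) equals 2 * (2^255 - 19), so even a value reduced modulo n25638 is not canonical modulo 2^255 - 19, presumably the curve25519 prime this module serves, and any encoding step needs its own final reduction. I would add after "256-bit.": ` * Before comparing, zero-testing or serializing a value, fully reduce it` ` * (n25638 = 2*(2^255-19), so a canonical curve25519 encoding also needs` ` * a final reduction modulo 2^255-19).` and name the mod25638 reduce routine there if one exists, as the p256k1/p256r1 notes do. The enclosing constant definition begins before the hunk.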
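Review bot: The note states that modp256k1_reduce yields a canonical value but not what callers must do with that fact: in the redundant form one residue can have two 256-bit encodings (the hunk's own example, (p256k1 - 1) + 1, gives the bit pattern of p256k1 for residue zero), so a limb-wise comparison, a zero test or a serialization of an unreduced value is wrong — in ECDSA verification the r == x-coordinate check is exactly such a comparison. I would make the obligation explicit right after the guarantee sentence: ` * Callers must apply modp256k1_reduce before comparing two field` ` * elements, testing one for zero, or serializing one; limb-wise checks` ` * on unreduced values are not meaningful.` Whether the existing callers already do so cannot be seen from this hunk.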
@@ -46,6 +46,17 @@ const bn256 p256r1 = { {0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0xffffffff} };
+/*
+ * Implementation Note.
+ *
+ * It's not always modulo p256r1. The representation is redundant
+ * during computation. For example, when we add the prime - 1 and 1,
+ * it won't overflow to 2^256, and the result is represented within
+ * 256-bit.
+ *
+ * It is guaranteed that modp256r1_reduce reduces to modulo p256r1.
+ */
+
 /**
 * @brief X = (A + B) mod p256r1
 */
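Review bot: "it won't overflow to 2^256" is only shown for the single example (p256r1 - 1) + 1; two operands that are both in redundant form can each be close to 2^256 - 1 and their sum does not fit in 256 bits, so the note as written reads like a general guarantee that it does not establish, and the add routine whose doc comment follows starts after the hunk, so its carry handling cannot be checked here. The note should state the bound the arithmetic relies on — whether each routine accepts any 256-bit input or requires operands below p256r1, and what bound its output satisfies — since a reader deciding whether a chain of adds needs an interleaved reduce has nothing else to go on. I would replace the vague first sentence with: ` * Values are kept in redundant form: outputs are < 2^256 but may be` ` * >= p256r1 (not fully reduced); only modp256r1_reduce returns a value` ` * in [0, p256r1). Each routine documents the input range it accepts.` and then add that input range to the per-function comments.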