From 614e4cfc14faf36f6c45d1fead4c9455ffbfd4ce Mon Sep 17 00:00:00 2001
From: Conrado Gouvea
Date: Thu, 13 Jul 2023 14:30:35 -0300
Subject: [PATCH] remove asserts that could leak timing information
---
src/field/scalar.rs | 1 -
src/field/u32/prime_field.rs | 4 +---
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/field/scalar.rs b/src/field/scalar.rs
index 895de91..a7a84e8 100644
--- a/src/field/scalar.rs
+++ b/src/field/scalar.rs
@@ -384,7 +384,6 @@ fn sub_extra(a: &Scalar, b: &Scalar, carry: u32) -> Scalar {
 // Since the borrow should never be more than 0, the carry should never be more than 1;
 // XXX: Explain why the case of borrow == 1 should never happen
 let borrow = chain + (carry as i64);
- assert!(borrow == -1 || borrow == 0);
 chain = 0i64;
 for i in 0..14 {
diff --git a/src/field/u32/prime_field.rs b/src/field/u32/prime_field.rs
index 96ea062..c72ab46 100644
--- a/src/field/u32/prime_field.rs
+++ b/src/field/u32/prime_field.rs
@@ -326,9 +326,7 @@ impl FieldElement28 {
 // If the value was more than p, then the final borrow will be zero. This is scarry.
 // Case 2:
 // If the value was less than p, the final borrow will be -1.
-
- // The only two possibilities for the borrow bit is -1 or 0.
- assert!(scarry == 0 || scarry + 1 == 0);
+ // Thus the only two possibilities for the borrow bit is -1 or 0.
 let scarry_mask = (scarry as u32) & MASK;
 let mut carry = 0u64;
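Review bot: With the `assert!` on `borrow` removed, `sub_extra` no longer verifies the invariant that `borrow` is -1 or 0 before the loop that follows, so a violated invariant would now silently produce a wrong `Scalar` instead of panicking; `debug_assert!(borrow == -1 || borrow == 0);` in the same place keeps that check in debug and test builds while release builds (unless the profile turns on debug-assertions) contain no branch on the secret-derived value. The same applies to the `scarry` assert removed in the `src/field/u32/prime_field.rs` hunk. The `// XXX: Explain why the case of borrow == 1 should never happen` comment is still unresolved, and with the assert gone it is the only remaining record of the invariant, so a one-line justification there (or a pointer to the prime-field hunk's Case 1/Case 2 reasoning, if it is the same argument) would be worth adding. The body of `sub_extra` continues outside the hunk.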
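Review bot: The replacement comment `// Thus the only two possibilities for the borrow bit is -1 or 0.` has a number-agreement slip and, now that the assert is gone, is the only statement of the invariant the next line depends on: assuming `scarry` is a signed integer (the removed `scarry + 1 == 0` comparison suggests so), `(scarry as u32) & MASK` yields `MASK` or zero only when `scarry` is exactly -1 or 0. Suggested wording: `// Thus the only two possibilities for the borrow bit are -1 or 0; the cast below relies on this to produce MASK or zero.` The enclosing method of `impl FieldElement28` starts and ends outside the hunk.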