diff --git a/library/bignum.c b/library/bignum.c
index c513525e7..d1676515a 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1956,12 +1956,15 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
     memcpy( A->p, d, ( n + 1 ) * ciL );
 
     /* If A >= N then A -= N. Do the subtraction unconditionally to prevent
-     * timing attacks. Modify T as a side effect. */
-    if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
-        mpi_sub_hlp( n, N->p, A->p );
-    else
-        /* prevent timing attacks */
-        mpi_sub_hlp( n, A->p, T->p );
+     * timing attacks. */
+    /* Set d to A + (2^biL)^n - N. */
+    d[n] += 1;
+    mpi_sub_hlp( n, N->p, d );
+    /* Now d - (2^biL)^n = A - N so d >= (2^biL)^n iff A >= N.
+     * So we want to copy the result of the subtraction iff d->p[n] != 0.
+     * Note that d->p[n] is either 0 or 1 since A - N <= N <= (2^biL)^n. */
+    mpi_safe_cond_assign( n + 1, A->p, d, d[n] );
+    A->p[n] = 0;
 }
 
 /*