diff --git a/README.md b/README.md
index 6c86143..e8f6c76 100644
--- a/README.md
+++ b/README.md
@@ -261,8 +261,8 @@ verifyBatch x 888 ops/sec @ 1ms/op
 Point.fromHex decompression x 11,783 ops/sec @ 84μs/op
 ristretto255#fromHash x 5,482 ops/sec @ 182μs/op
 ristretto255 round x 5,621 ops/sec @ 177μs/op
-curve25519.scalarMultBase x 1,042 ops/sec @ 959μs/op
-ed25519.getSharedSecret x 801 ops/sec @ 1ms/op
+curve25519.scalarMultBase x 1,113 ops/sec @ 898μs/op
+ed25519.getSharedSecret x 844 ops/sec @ 1ms/op
 ```
 
 Compare to alternative implementations:
diff --git a/index.ts b/index.ts
index 98c710f..e5fec7a 100644
--- a/index.ts
+++ b/index.ts
@@ -913,17 +913,17 @@ function montgomeryLadder(pointU: bigint, scalar: bigint): bigint {
 z_3 = sw[1];
 swap = k_t;
 
- const A = mod(x_2 + z_2);
+ const A = x_2 + z_2;
 const AA = mod(A * A);
- const B = mod(x_2 - z_2);
+ const B = x_2 - z_2;
 const BB = mod(B * B);
- const E = mod(AA - BB);
- const C = mod(x_3 + z_3);
- const D = mod(x_3 - z_3);
+ const E = AA - BB;
+ const C = x_3 + z_3;
+ const D = x_3 - z_3;
 const DA = mod(D * A);
 const CB = mod(C * B);
- x_3 = mod(mod(DA + CB) ** _2n);
- z_3 = mod(x_1 * mod(DA - CB) ** _2n);
+ x_3 = mod((DA + CB) ** _2n);
+ z_3 = mod(x_1 * (DA - CB) ** _2n);
 x_2 = mod(AA * BB);
 z_2 = mod(E * (AA + mod(a24 * E)));
 }
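Review bot: In the `index.ts` hunk, `A`, `B`, `C`, `D` and `E` are now left unreduced, so `B`, `D` and `E` can be negative and `A`/`C` can exceed the field prime. The result stays correct only if `mod` maps negative inputs back into the canonical range, and `mod` is defined outside this hunk. That invariant is now implicit and should be written down above `const A`, for example `// A..E are intentionally unreduced (may be negative or >= p); everything stored back into x_2/z_2/x_3/z_3 must pass through mod()`. Because the ladder is driven by a secret scalar and BigInt operation time depends on operand magnitude, the wider and sign-varying intermediates (notably `x_1 * (DA - CB) ** _2n`) may add data-dependent timing variation, so the speedup should be weighed against that. It is also worth confirming that the RFC 7748 X25519 test vectors still pass. The loop and function body of `montgomeryLadder` start and end outside the hunk.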