diff --git a/src/crypto/crypto-sugar.h b/src/crypto/crypto-sugar.h
index 0c8f9dd9..fd72537f 100644
--- a/src/crypto/crypto-sugar.h
+++ b/src/crypto/crypto-sugar.h
@@ -327,7 +327,7 @@ namespace crypto
     /*
     I think it has bad symantic (operator-like), consider rename/reimplement -- sowle
     */
-    // returns this * b + c
+    // returns c + this * b
     scalar_t muladd(const scalar_t& b, const scalar_t& c) const
     {
       scalar_t result;
@@ -335,13 +335,20 @@ namespace crypto
       return result;
     }
 
-    // returns this = a * b + c
+    // returns this = c + a * b
     scalar_t& assign_muladd(const scalar_t& a, const scalar_t& b, const scalar_t& c)
     {
       sc_muladd(m_s, a.m_s, b.m_s, c.m_s);
       return *this;
     }
 
+    // returns this = c - a * b
+    scalar_t& assign_mulsub(const scalar_t& a, const scalar_t& b, const scalar_t& c)
+    {
+      sc_mulsub(m_s, a.m_s, b.m_s, c.m_s);
+      return *this;
+    }
+
     scalar_t reciprocal() const
     {
       scalar_t result;
diff --git a/tests/functional_tests/crypto_tests.cpp b/tests/functional_tests/crypto_tests.cpp
index 91f93298..d7b800f0 100644
--- a/tests/functional_tests/crypto_tests.cpp
+++ b/tests/functional_tests/crypto_tests.cpp
@@ -892,6 +892,13 @@ TEST(crypto, scalar_basics)
   ASSERT_EQ(c_scalar_2p64 - c_scalar_1, scalar_t(UINT64_MAX));
   ASSERT_EQ(c_scalar_2p64, scalar_t(UINT64_MAX) + c_scalar_1);
 
+  p.make_random();
+  z.make_random();
+  ASSERT_EQ(scalar_t().assign_muladd(z, z, p), p + z * z);
+  ASSERT_EQ(scalar_t().assign_muladd(z, p, z), z + z * p);
+  ASSERT_EQ(scalar_t().assign_mulsub(z, z, p), p - z * z);
+  ASSERT_EQ(scalar_t().assign_mulsub(z, p, z), z - z * p);
+
   return true;
 }