diff --git a/internal/scalar/scalar.go b/internal/scalar/scalar.go
index d705388..73254f4 100644
--- a/internal/scalar/scalar.go
+++ b/internal/scalar/scalar.go
@@ -898,6 +898,9 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
 // This implementation is adapted from the one
 // in curve25519-dalek and is documented there:
 // https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871
+ if s[31] >= 127 {
+ panic("scalar has high bit set illegally")
+ }
 if w < 2 {
 panic("w must be at least 2 by the definition of NAF")
 } else if w > 8 {
@@ -956,6 +959,10 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
 }
 
 func (s *Scalar) SignedRadix16() [64]int8 {
+ if s[31] >= 127 {
+ panic("scalar has high bit set illegally")
+ }
+
 var digits [64]int8
 
 // Compute unsigned radix-16 digits:
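Review bot: The new guard `if s[31] >= 127` also rejects a top byte of exactly 127 (0x7f), whose high bit (0x80) is clear, so it panics on one value more than the message "scalar has high bit set illegally" describes; `if s[31] > 127 {` is the comparison that matches the message and, if memory serves, the `<= 127` debug assertion in the curve25519-dalek code this function cites. The same off-by-one is repeated in the SignedRadix16 hunk. For a scalar already reduced mod l the top byte stays far below 127, so this would presumably only bite an unreduced input with top byte 0x7f, but then it fails a value the radix-16 digit bound still admits. Both NonAdjacentForm and SignedRadix16 continue past their hunks, so the rest of each body is not visible here.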