diff --git a/bip-0374/reference.py b/bip-0374/reference.py
index d19f41e4..51354bd2 100755
--- a/bip-0374/reference.py
+++ b/bip-0374/reference.py
@@ -87,11 +87,10 @@ def dleq_verify_proof(
     s = int.from_bytes(proof[32:], "big")
     if s >= GE.ORDER:
         return False
-    # TODO: implement subtraction operator (__sub__) for GE class to simplify these terms
-    R1 = s * G + (-e * A)
+    R1 = s * G - e * A
     if R1.infinity:
         return False
-    R2 = s * B + (-e * C)
+    R2 = s * B - e * C
     if R2.infinity:
         return False
     if e != dleq_challenge(A, B, C, R1, R2, m, G):
diff --git a/bip-0374/secp256k1.py b/bip-0374/secp256k1.py
index eda8049c..b83d028f 100755
--- a/bip-0374/secp256k1.py
+++ b/bip-0374/secp256k1.py
@@ -240,6 +240,10 @@ class GE:
             return self
         return GE(self.x, -self.y)
 
+    def __sub__(self, a):
+        """Subtract a group element from another."""
+        return self + (-a)
+
     def to_bytes_compressed(self):
         """Convert a non-infinite group element to 33-byte compressed encoding."""
         assert not self.infinity