The xDbladd(P,Q,QmP) function has an exceptional case when QmP is
a point of order two: either T=(0,1) or O=(1,0). When this happens,
the isogeny calculation continues with registers filled with all-zeros.
The fix proposed detects when QmP is exceptional, and replaces its value
with a random one. Both detection and replacement are performed in
constant-time.
Bug reported by Hovav & Wang.
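
The detect-and-replace step described in the message above, as an added example in C that is not the project's own code. It assumes x-only projective points (X:Z) whose coordinates are stored in canonical form (zero is all-zero limbs), so QmP is exceptional exactly when X or Z is zero; `LIMBS`, `xpoint`, `ct_is_zero`, `ct_cmov`, `xpoint_is_exceptional` and `sanitize_qmp` are hypothetical names, and the replacement point is assumed to be drawn by the caller from a CSPRNG on every call.

```c
#include <stddef.h>
#include <stdint.h>

#define LIMBS 4 /* assumed limb count for this example */

/* Hypothetical x-only projective point (X:Z), canonical limbs assumed. */
typedef struct { uint64_t x[LIMBS], z[LIMBS]; } xpoint;

/* All-ones if every limb is zero, else 0. No data-dependent branch. */
static uint64_t ct_is_zero(const uint64_t a[LIMBS]) {
    uint64_t acc = 0;
    for (size_t i = 0; i < LIMBS; i++) acc |= a[i];
    /* (acc | -acc) has its top bit set iff acc != 0 */
    return ((acc | ((uint64_t)0 - acc)) >> 63) - 1;
}

/* dst = src where mask is all-ones, unchanged where mask is 0. */
static void ct_cmov(uint64_t dst[LIMBS], const uint64_t src[LIMBS], uint64_t mask) {
    for (size_t i = 0; i < LIMBS; i++) dst[i] ^= mask & (dst[i] ^ src[i]);
}

/* All-ones mask if p is T=(0:Z) or O=(X:0), else 0. */
uint64_t xpoint_is_exceptional(const xpoint *p) {
    return ct_is_zero(p->x) | ct_is_zero(p->z);
}

/* Overwrite qmp with fresh only when qmp is exceptional. The same
 * instructions run in both cases, and fresh is always supplied, so the
 * call pattern does not reveal whether a replacement happened.
 * fresh must itself be non-exceptional (caller's responsibility here). */
uint64_t sanitize_qmp(xpoint *qmp, const xpoint *fresh) {
    uint64_t m = xpoint_is_exceptional(qmp);
    ct_cmov(qmp->x, fresh->x, m);
    ct_cmov(qmp->z, fresh->z, m);
    return m;
}

int main(void) {
    /* Constructed sample values, not real curve points. */
    xpoint qmp = {{0, 0, 0, 0}, {1, 0, 0, 0}};   /* T = (0,1) */
    xpoint fresh = {{9, 9, 9, 9}, {2, 0, 0, 0}}; /* stand-in for a random point */
    uint64_t replaced = sanitize_qmp(&qmp, &fresh);
    return (replaced == UINT64_MAX && qmp.x[0] == 9) ? 0 : 1;
}
```
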