From 9a1075e6a139b534db3e8b1a39ab094dcf4a999c Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Tue, 7 Nov 2023 14:03:48 -0500
Subject: [PATCH] Account for a possible cofactor when performing scalar blinding

This only matters in the case of performing a multiplication in a curve that has a cofactor and the point is not in the prime order subgroup.

See GH #3800
---
 src/lib/pubkey/ec_group/ec_group.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/lib/pubkey/ec_group/ec_group.cpp b/src/lib/pubkey/ec_group/ec_group.cpp
index eb4ed90e2bc..068d75bbd46 100644
--- a/src/lib/pubkey/ec_group/ec_group.cpp
+++ b/src/lib/pubkey/ec_group/ec_group.cpp
@@ -594,7 +594,11 @@ EC_Point EC_Group::blinded_var_point_multiply(const EC_Point& point,
 RandomNumberGenerator& rng,
 std::vector& ws) const {
 EC_Point_Var_Point_Precompute mul(point, rng, ws);
- return mul.mul(k, rng, get_order(), ws);
+ // We pass order*cofactor here to "correctly" handle the case where the
+ // point is on the curve but not in the prime order subgroup. This only
+ // matters for groups with cofactor > 1
+ // See https://github.com/randombit/botan/issues/3800
+ return mul.mul(k, rng, get_order() * get_cofactor(), ws);
 }
 
 EC_Point EC_Group::zero_point() const {
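Review bot: The new modulus on the `return mul.mul(...)` line makes the blinding mask a multiple of order*cofactor, which is what keeps k*P intact for a point outside the prime-order subgroup, but nothing in the hunk shows a regression test; a test that multiplies a point of non-prime order on a curve with cofactor > 1 through this function and compares against the unblinded scalar multiply would pin the behaviour the comment describes. If `mul` also uses its third argument to size the blinded scalar or to fix the ladder length (not visible here), the larger modulus changes that width for cofactor groups, so it is worth confirming this is intended and remains constant per group. `get_order() * get_cofactor()` is a BigInt multiplication on every call; if EC_Group already caches derived values, a cached product would avoid it. The comment could also say why the base-point variant keeps `get_order()`, presumably because the generator lies in the prime-order subgroup, e.g. `// (not needed for base point multiplication: the generator is in the prime order subgroup)`. The enclosing function's signature is only in the hunk header, so its start lies outside the hunk.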