# [Crypto] Hash of a ciphertext

## Solution 1:

No.

Any adversary could simply perform the hash themselves and so you are providing them with no additional resources.

## Solution 2:

Would hashing a ciphertext (so $$H(Enc(pk,m))$$) compromise it in any way if both schemes are secure by themselves? This doesn't seem to be the case but I couldn't find a definitive answer.

I can read this two ways:

1. You only reveal the $$H(Enc(pk,m))$$ to the attackers;

• then the attackers need to execute a pre-image attack on the secure hash function to find $$Enc(pk,m)$$. This can be executed with some pre-known plaintext since the key is public, or can be executed with the generic pre-image attack.

• If the public key is Ind-CPA secure, then the search will fail.

2. You will send your message as encrypt then hash $$C = (Enc(pk,m) \mathbin\|H(Enc(pk,m)))$$

• In this case, the hash doesn't provide any authentication, since the attacker can calculate an encryption $$Enc(pk,m')$$ of a message $$m'$$ of their choice and hash it, to send to their advantage $$C' = (Enc(pk,m') \mathbin\|H(Enc(pk,m')))$$. This is very dangerous and can have catastrophic results.

• This will not reveal the original message; however, in public-key cryptography, encryption is free, therefore to mitigate this either a digital signature or a mutual authentication like HMAC is required.
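
The receiver-side check for the encrypt-then-hash format in point 2, next to a keyed HMAC tag, as an added example that is not part of the original answers. Ciphertexts are modeled as opaque constructed byte strings standing in for $$Enc(pk,m)$$, since the tag check does not depend on how they were produced; all function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_hash(ct: bytes) -> bytes:
    """Scheme 2 on the page: C = Enc(pk, m) || H(Enc(pk, m))."""
    return ct + hashlib.sha256(ct).digest()


def open_hash(packet: bytes) -> Optional[bytes]:
    """Return the ciphertext if the unkeyed hash matches, else None."""
    if len(packet) < TAG_LEN:
        return None
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return ct if hmac.compare_digest(hashlib.sha256(ct).digest(), tag) else None


def seal_hmac(key: bytes, ct: bytes) -> bytes:
    """Keyed alternative: C = Enc(pk, m) || HMAC(k, Enc(pk, m))."""
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_hmac(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the ciphertext only if the tag verifies under the shared key."""
    if len(packet) < TAG_LEN:
        return None
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    return ct if hmac.compare_digest(expected, tag) else None


def compare_schemes() -> dict:
    key = os.urandom(32)          # shared by sender and receiver only
    substituted = os.urandom(48)  # constructed stand-in for Enc(pk, m')
    # Without the key, the only tag a third party can compute is the public hash.
    keyless_packet = seal_hash(substituted)
    return {
        "hash_accepts_substituted": open_hash(keyless_packet) == substituted,
        "hmac_accepts_substituted": open_hmac(key, keyless_packet) is not None,
        "hmac_accepts_sender": open_hmac(key, seal_hmac(key, substituted)) == substituted,
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The unkeyed check accepts any packet whose hash is self-consistent, so it detects accidental corruption only; the HMAC check ties acceptance to possession of the shared key.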