[Crypto] Hash of a ciphertext

Solution 1:


Any adversary could simply perform the hash themselves and so you are providing them with no additional resources.

Solution 2:

Would hashing a ciphertext (so $H(Enc(pk,m))$) compromise it in any way if both schemes are secure by themselves? This doesn't seem to be the case but I couldn't find a definitive answer.

I can read this two ways

  1. You only reveal the $H(Enc(pk,m))$ to the attackers;

    • then the attackers need to execute a pre-image attack on the secure hash function to find $Enc(pk,m)$. This can be executed with some pre-known plaintext since the key is public or can be executed with the generic pre-image attack.

    • If the public key is IND-CPA secure, then the search will fail.

  2. You will send your message as encrypt-then-hash $C = (Enc(pk,m) \mathbin\|H(Enc(pk,m)))$

    • In this case, the hash doesn't provide any authentication, since the attacker can calculate an encryption $Enc(pk,m')$ of the message $m'$ of their choice and hash it to send, to their advantage, $$C' = (Enc(pk,m') \mathbin\|H(Enc(pk,m')))$$ This is very dangerous and can have catastrophic results.

    • This will not reveal the original message; however, in public-key cryptography, the encryption is free, therefore to mitigate this either a digital signature is required or a mutual authentication like HMAC.
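
Case 2 as an added example, not part of either answer: a receiver that checks $H(Enc(pk,m'))$ accepts a ciphertext built by anyone holding $pk$, while a receiver that checks an HMAC under a pre-shared key rejects it. The toy ElGamal parameters, the function names and the pre-shared `mac_key` are assumptions made for this sketch; the parameters are constructed and not secure.

```python
import hashlib, hmac, secrets

# Toy ElGamal in Z_P* (constructed parameters, illustration only, NOT secure).
P, G = 2**127 - 1, 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def enc(pk, m):
    r = secrets.randbelow(P - 2) + 1
    c1, c2 = pow(G, r, P), m * pow(pk, r, P) % P
    return c1.to_bytes(16, "big") + c2.to_bytes(16, "big")

def dec(sk, ct):
    c1, c2 = int.from_bytes(ct[:16], "big"), int.from_bytes(ct[16:], "big")
    return c2 * pow(c1, P - 1 - sk, P) % P  # c1^(-sk) via Fermat's little theorem

def h_tag(ct):
    # Unkeyed tag H(ct): computable by anyone who sees or creates ct.
    return hashlib.sha256(ct).digest()

def mac_tag(key):
    # Keyed tag HMAC(key, ct): needs the secret shared by sender and receiver.
    return lambda ct: hmac.new(key, ct, hashlib.sha256).digest()

def seal(pk, m, tag):
    ct = enc(pk, m)
    return ct + tag(ct)  # C = Enc(pk, m) || tag(Enc(pk, m))

def unseal(sk, blob, tag):
    ct, t = blob[:32], blob[32:]
    return dec(sk, ct) if hmac.compare_digest(tag(ct), t) else None

def demo():
    sk, pk = keygen()
    mac_key = secrets.token_bytes(32)  # assumption: pre-shared out of band
    m_sub = int.from_bytes(b"substituted m'", "big")  # constructed message m'
    # A third party knows only pk, so it can build C' = Enc(pk,m') || H(Enc(pk,m')).
    forged_hash = seal(pk, m_sub, h_tag)
    # Without mac_key it can only tag with a key of its own choosing.
    forged_mac = seal(pk, m_sub, mac_tag(secrets.token_bytes(32)))
    honest_mac = seal(pk, m_sub, mac_tag(mac_key))
    return (unseal(sk, forged_hash, h_tag) == m_sub,        # hash check passes
            unseal(sk, forged_mac, mac_tag(mac_key)),       # MAC check rejects
            unseal(sk, honest_mac, mac_tag(mac_key)) == m_sub)

if __name__ == "__main__":
    print(demo())
```
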