
Before stating my questions, let us recall the REACT transform [OP01], which enables one to construct a CCA-secure hybrid PKE scheme, $\varepsilon'_{pk}$, from an OW-CPA PKE scheme $\varepsilon_{pk}^{asym}$, an IND-secure symmetric encryption scheme $\varepsilon^{sym}$, and hash functions $H$ and $G$. The transform works as follows:

$c_1 = \varepsilon_{pk}^{asym}(R), c_2 = \varepsilon_{K}^{sym}(m)$, where $K = G(R)$ and $R$ is chosen at random.

Then $\varepsilon'_{pk}(m) = (c_1, c_2, H(R,m,c_1,c_2))$

My questions are: Why is it necessary to include $c_1$ in the hash $H$? What would be the consequences of dropping it from the hash (i.e., $\varepsilon''_{pk}(m) = (c_1,c_2, H(R,m,c_2))$)? I guess that the main reason is to achieve non-malleability, but is it possible that by dropping it we obtain a transform to Replayable CCA (RCCA) security [CKN03]? Informally, RCCA was like CCA security “except that they allow anyone to generate new ciphertexts that decrypt to the same value as a given ciphertext” [CKN03]. Since we are including $m$ in the hash, we can guarantee that the original message is preserved, but we allow modifications on $c_1$.

I am asking this because I'm interested in schemes where a certain degree of malleability is permitted. In particular, re-encryptions of the original ciphertext are permitted, as long as they decrypt to the original message.

References:

  • [OP01] Okamoto, T., & Pointcheval, D. (2001). REACT: Rapid enhanced-security asymmetric cryptosystem transform. In Topics in Cryptology – CT-RSA 2001 (pp. 159-174). Springer Berlin Heidelberg.

  • [CKN03] Canetti, R., Krawczyk, H., & Nielsen, J. B. (2003). Relaxing chosen-ciphertext security. In Advances in Cryptology – CRYPTO 2003 (pp. 565-582).

cygnusv

1 Answer

I believe it would match the relaxed RCCA security, but it looks like it wouldn't be of much use because reencryption would not be secure. You could generate reencryptions of any ciphertext, but they would not be indistinguishable from each other, i.e. given $c_1$ and $c_2$ you can determine easily whether $c_2$ is a reencryption of $c_1$.

Travis Mayberry
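A toy implementation of both variants, added here as an example and not taken from the question, the answer or the REACT paper: ElGamal over a tiny constructed (insecure) prime plays the OW-CPA scheme, a SHAKE keystream plays the symmetric scheme, and SHA-256 plays $G$ and $H$; the names `keygen`, `rerandomize`, `react_enc`, `react_dec` and `linkable` are mine. With `bind_c1=True` (REACT proper) a re-randomised $c_1$ fails the tag check; with `bind_c1=False` (the variant in the question) it still decrypts to the same message, and, as the answer observes, the re-encryption is trivially linked to the original because $c_2$ and the tag are unchanged.

```python
import hashlib
import secrets
# Toy ElGamal group (constructed for illustration only; far too small to be secure).
P, GEN = 2**127 - 1, 3
def rand(): return secrets.randbelow(P - 2) + 1
def i2b(n): return n.to_bytes(16, "big")        # every value here is below 2**127

def keygen():
    x = rand()                                  # secret exponent
    return x, pow(GEN, x, P)                    # (sk, pk)

def asym_enc(pk, R):                            # OW-CPA part: randomised ElGamal encryption of R
    r = rand()
    return pow(GEN, r, P), (R * pow(pk, r, P)) % P

def asym_dec(sk, c1):
    a, b = c1
    return (b * pow(a, P - 1 - sk, P)) % P

def rerandomize(pk, c1):                        # fresh encryption of the same R, computed without R
    s, (a, b) = rand(), c1
    return (a * pow(GEN, s, P)) % P, (b * pow(pk, s, P)) % P

def G(R):                                       # key derivation K = G(R)
    return hashlib.sha256(b"G" + i2b(R)).digest()

def sym(K, data):                               # toy symmetric cipher: XOR with a SHAKE keystream
    return bytes(x ^ y for x, y in zip(data, hashlib.shake_256(K).digest(len(data))))

def H(R, m, c1, c2, bind_c1):
    h = hashlib.sha256(b"H" + i2b(R) + len(m).to_bytes(4, "big") + m + c2)
    if bind_c1:                                 # REACT binds c1; the question's variant drops it
        h.update(i2b(c1[0]) + i2b(c1[1]))
    return h.digest()

def react_enc(pk, m, bind_c1=True):
    R = rand()
    c1 = asym_enc(pk, R)
    c2 = sym(G(R), m)
    return c1, c2, H(R, m, c1, c2, bind_c1)

def react_dec(sk, ct, bind_c1=True):            # returns m, or None when the tag check rejects
    c1, c2, tag = ct
    R = asym_dec(sk, c1)
    m = sym(G(R), c2)
    return m if secrets.compare_digest(tag, H(R, m, c1, c2, bind_c1)) else None

def linkable(ct_a, ct_b):                       # the answer's point: c2 and tag survive re-encryption
    return ct_a[1] == ct_b[1] and ct_a[2] == ct_b[2]
```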