Consider the following suggestion for an asymmetric RSA-based encryption scheme:

Key generation: exactly as in RSA-OAEP

Encryption: to encrypt a plaintext m under a public key (n,e), we first compute an encryption c of m under RSA-OAEP and then output the pair (c, H(m || c || n)) as ciphertext. Here || denotes concatenation and H is a cryptographic hash function, which we model as random oracle.

Decryption: to decrypt a ciphertext (c, h) with secret key d, decrypt c as in RSA-OAEP to obtain a candidate plaintext m. If decryption with RSA-OAEP fails, abort with an error message. If the equality H(m || c || n) = h holds, then output m, otherwise abort with an error message.

User A intends to use this encryption scheme to transmit 4-digit PINs confidentially, using a sufficiently large RSA modulus and a secure cryptographic hash function H.

Show that the above scheme is not suitable for this.