
We prove that this SKE scheme is secure against chosen plaintext attacks by a hybrid argument. Let $A$ be any p.p.t. adversary in the CPA game for the SKE scheme.

\paragraph{Hybrid 0.} Game $\mathsf{G}_0$ is the real CPA game for the SKE scheme. We aim to prove that
$$
\left|\Pr[A\text{ wins }\mathsf{G}_0] - \frac{1}{2}\right| \le \text{negl}(n).
$$

\paragraph{Hybrid 1.} Game $\mathsf{G}_1$ is identical to $\mathsf{G}_0$ except that, when the challenger computes the ciphertext, it replaces $h_k^n(r) = f_k^{2n}(G(r))$ by $R(G(r))$, where $R: \{0, 1\}^{2n}\to \{0, 1\}^{2n}$ is a truly random function.

We prove that
$$
    \left|\Pr[A\text{ wins }\mathsf{G}_0] - \Pr[A\text{ wins }\mathsf{G}_1]\right| \le \text{negl}(n).
$$
We construct a distinguisher $B$ for the PRF family $F$ whose advantage equals the difference in $A$'s winning probability between the two games. Given oracle access to either $f_k^{2n}$ or a truly random function $R$,
\begin{enumerate}
    \item $B$ simulates the CPA game. Whenever $A$ submits its query $(m_0, m_1)$,
    \begin{enumerate}
        \item $B$ chooses random $r \in \{0,1\}^n$ and computes $G(r)$;
        \item $B$ queries the oracle to obtain either $y = f_k^{2n}(G(r))$ or $y = R(G(r))$;
        \item $B$ sends back to $A$ the ciphertext $(r, y\oplus m_b)$.
    \end{enumerate}
    \item $B$ outputs 1 if and only if $A$ outputs the correct $b' = b$.
\end{enumerate}
Then
$$
\left|\Pr[A\text{ wins }\mathsf{G}_0] - \Pr[A\text{ wins }\mathsf{G}_1]\right| = \left|\Pr[B^{f_{k}^{2n}}(\cdot) = 1] - \Pr[B^{R}(\cdot) = 1]\right| \le \text{negl}(n).
$$

\paragraph{Hybrid 2.} Game $\mathsf{G}_2$ is identical to $\mathsf{G}_1$ except that, when the challenger computes the ciphertext, it replaces $R(G(r))$ by $u$, where $u\in \{0, 1\}^{2n}$ is truly random.
We prove that
$$
    \left|\Pr[A\text{ wins }\mathsf{G}_1] - \Pr[A\text{ wins }\mathsf{G}_2]\right| \le \text{negl}(n).
$$

Assume that $A$ makes $q = \text{poly}(n)$ queries to the challenger. Let $r_1, r_2, \ldots, r_q$ be the random values chosen by the challenger. Since $R$ is a truly random function, the pads $\{R(G(r_i))\}_{i\in [q]}$ are $q$ independent uniformly random strings if and only if the values $\{G(r_i)\}_{i\in [q]}$ exhibit no collisions.

We then bound the probability that there exists a collision in $\{G(r_i)\}_{i\in [q]}$. Firstly, the probability that there is a collision in $\{r_i\}_{i\in [q]}$ is at most $\binom{q}{2}2^{-n}$, which is negligible. Secondly, given that all $r_i$'s are distinct, the probability that there exists a collision in $\{G(r_i)\}_{i\in [q]}$ must also be negligible; otherwise a distinguisher for the PRG family $G$ could simply sample $q$ inputs and check for collisions.

Therefore,
$$
\left|\Pr[A\text{ wins }\mathsf{G}_1] - \Pr[A\text{ wins }\mathsf{G}_2]\right| \le \Pr[\text{collision exists in }\{G(r_i)\}_{i\in [q]}] \le \text{negl}(n).
$$

Since in game $\mathsf{G}_2$ the adversary $A$ always receives ciphertexts that consist of two truly random strings, we get that
$$
\Pr[A\text{ wins }\mathsf{G}_2] = \frac{1}{2}.
$$
Therefore, combining the three bounds by the triangle inequality, the claim
$$
    \left|\Pr[A\text{ wins }\mathsf{G}_0] - \frac{1}{2}\right| \le \text{negl}(n)
$$
from Hybrid 0 holds.

\paragraph{Remark.} The attack from Problem 3 fails here because the adversary cannot control the input to $h_k^n$: the random value $r$ is chosen by the encryption algorithm, not the adversary.
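
The reduction $B$ from Hybrid 1 and the collision event bounded in Hybrid 2, as an added Python simulation that is not part of the original proof. Assumptions: SHAKE-256 stands in for $G$, truncated HMAC-SHA256 for $f_k^{2n}$, $n$ is given in bytes, and \texttt{collision\_adversary} is a hypothetical $A$ that learns $b$ only when some $r_i$ repeats.

```python
import hashlib, hmac, random

def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def G(r):  # stand-in PRG {0,1}^n -> {0,1}^{2n} (assumption: SHAKE-256)
    return hashlib.shake_256(r).digest(2 * len(r))

def prf_world(rng):  # oracle f_k^{2n} (assumption: truncated HMAC-SHA256), game G_0
    k = rand_bytes(rng, 16)
    return lambda x: hmac.new(k, x, hashlib.sha256).digest()[:len(x)]

def rf_world(rng):  # oracle R, a lazily sampled truly random function, game G_1
    table = {}
    def R(x):
        if x not in table:
            table[x] = rand_bytes(rng, len(x))
        return table[x]
    return R

def fresh_world(rng):  # game G_2: an independent uniform pad u on every call
    return lambda x: rand_bytes(rng, len(x))

def B(oracle, adversary, n_bytes, rng):
    b = rng.getrandbits(1)
    def lr(m0, m1):                       # A submits a query (m0, m1)
        r = rand_bytes(rng, n_bytes)      # B chooses random r
        y = oracle(G(r))                  # B queries its oracle on G(r)
        return r, xor(y, (m0, m1)[b])     # B returns (r, y XOR m_b)
    return int(adversary(lr, n_bytes, rng) == b)  # 1 iff A outputs b' = b

def collision_adversary(q):  # hypothetical A, constructed for this example
    def A(lr, n_bytes, rng):
        seen = {}
        for i in range(1, q + 1):
            r, c = lr(bytes(2 * n_bytes), i.to_bytes(2 * n_bytes, "big"))
            if r in seen:                 # repeated r: same pad in G_0 and G_1
                return int(seen[r] != c)  # equal ciphertexts mean b = 0
            seen[r] = c
        return rng.getrandbits(1)         # no repeat seen: guess
    return A

def win_rate(world, q, n_bytes, trials=1000, seed=1):
    rng = random.Random(seed)
    wins = sum(B(world(rng), collision_adversary(q), n_bytes, rng) for _ in range(trials))
    return wins / trials
```

With $n = 8$ bits and $q = 40$ a repeated $r$ occurs with probability above $0.95$, so this $A$ wins almost always against $f_k^{2n}$ and $R$ but only half the time against fresh pads; at $n = 128$ bits all three worlds sit at $1/2$.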
