
\section{Problem 4}
\paragraph{Proof}

Assume, for contradiction, that there exists a PPT distinguisher
$\mathcal{A}$ and a polynomial $p(\cdot)$ such that for infinitely many
$n$,
\begin{equation}
\bigl|\Pr[\mathcal{A}^{h^{n}_{S,J}}(1^{n})=1]
            -\Pr[\mathcal{A}^{\mathcal{R}}(1^{n})=1]\bigr|
        \;>\;1/p(n),
\end{equation}
where $S,J\gets\{0,1\}^{n}$ are uniform, the first probability is taken
over a real $h^{n}_{S,J}$ oracle, and the second over a uniform random
oracle $\mathcal{R}$.

Let $q(n)$ be an upper bound on $\mathcal{A}$'s number of oracle
queries; $q$ is polynomial.

\begin{itemize}
    \item \textbf{Hybrid $H_0$.} \quad Oracle answers with $h^{n}_{S,J}$ (the real world).
    \item \textbf{Hybrid $H_1$.} \quad Choose an \emph{independently random} function $R:\{0,1\}^{n}\to\{0,1\}^{n}$ and answer each query $x$ with
    \begin{equation*}
    h(x)=f^{n}_{\,R(x)}(S).
    \end{equation*}
\end{itemize}

\textbf{Claim 1} \quad
$\bigl|\Pr[\mathcal{A}^{H_0}=1]-\Pr[\mathcal{A}^{H_1}=1]\bigr|$
is negligible.  
\begin{itemize}
\item Construction of a reduction $\mathcal{B}_{G}$:  
  $\mathcal{B}_{G}$ receives an oracle $O$ that is either
  $g^{n}_{J}$ for uniform $J$ or a uniform random function.
  It sets $S\gets\{0,1\}^{n}$ and answers $\mathcal{A}$'s query $x$ by
  outputting $f^{n}_{\,O(x)}(S)$ (which it can compute because the code
  of $F$ is public).  
  If $O=g^{n}_{J}$ the simulation is $H_0$; if $O$ is random it is $H_1$.
  Thus any non-negligible difference breaks $G$'s PRF security,
  contradiction.  $\blacksquare$
\end{itemize}
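
Added example (not part of the original solution): the reduction $\mathcal{B}_{G}$ of Claim 1 written out in Python, showing that with $O=g^{n}_{J}$ its answers coincide with $h^{n}_{S,J}$ and with a lazily sampled random $O$ they have the form of $H_1$. HMAC-SHA256 as a stand-in for both $F$ and $G$, the choice $n=256$, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

N = 32  # byte length standing in for n (assumption: n = 256 bits)

def prf(key: bytes, x: bytes) -> bytes:
    """HMAC-SHA256, an assumed stand-in for both f_key(x) and g_key(x)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def h(S: bytes, J: bytes, x: bytes) -> bytes:
    """Real-world oracle of hybrid H_0: h_{S,J}(x) = f_{g_J(x)}(S)."""
    return prf(prf(J, x), S)

class LazyRandomFunction:
    """Uniform random function on n-bit strings, sampled on first use."""
    def __init__(self):
        self.table = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = os.urandom(N)
        return self.table[x]

class ReductionBG:
    """B_G: turns a challenge oracle O for G into the oracle shown to A."""
    def __init__(self, O):
        self.O = O
        self.S = os.urandom(N)  # B_G samples S itself; J stays unknown to it

    def answer(self, x: bytes) -> bytes:
        return prf(self.O(x), self.S)  # f_{O(x)}(S), computable since F is public

    def run(self, distinguisher) -> int:
        """B_G's guess in the PRF game for G is A's output bit."""
        return distinguisher(self.answer)

def keys_distinct(R: LazyRandomFunction) -> bool:
    """The event conditioned on after Claim 1: all sampled R-outputs differ."""
    return len(set(R.table.values())) == len(R.table)

if __name__ == "__main__":
    J = os.urandom(N)
    B = ReductionBG(lambda x: prf(J, x))  # O = g_J, so B simulates H_0
    print(B.answer(b"query") == h(B.S, J, b"query"))
```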

From now on we work inside $H_1$ and condition on the event that all
$R$-outputs seen are \textbf{distinct}; by the birthday bound this event
fails with probability at most $q^{2}/2^{n}$, negligible in $n$.

Let the distinct keys produced so far be $k_{1},\dots,k_{t}$ with
$t\le q$.

Define hybrids $H_{2,0},\dots,H_{2,t}$ as follows:
$H_{2,0}$ is $H_1$.
For $i=1$ to $t$ obtain $H_{2,i}$ from $H_{2,i-1}$ by choosing
$Y_{i}\gets\{0,1\}^{n}$ uniformly at random and answering every oracle
query whose current key equals $k_{i}$ with $Y_{i}$ (instead of
$f^{n}_{k_{i}}(S)$).

\textbf{Claim 2} \quad For every $1\le i\le t$,
\begin{equation*}
\bigl|\Pr[\mathcal{A}^{H_{2,i-1}}=1]-\Pr[\mathcal{A}^{H_{2,i}}=1]\bigr|
\end{equation*}
is negligible.

\begin{itemize}
\item Reduction $\mathcal{B}_{F,i}$ for the $i$-th step.  
  $\mathcal{B}_{F,i}$ participates in the standard PRF game for $F$ and
  receives a challenge oracle $O$ that is either $f^{n}_{K^{\star}}$ for
  uniform $K^{\star}$ or a uniform random function.  
  It picks fresh $S\gets\{0,1\}^{n}$ and constructs on the fly a random
  function $R$ as in $H_1$, but when the $i$-th new key appears (this
  happens at most once because of distinctness) $\mathcal{B}_{F,i}$
  implicitly sets $k_{i}=K^{\star}$ and outputs $O(S)$ as the oracle answer.

  All other keys are answered with the genuine value
  $f^{n}_{k}(S)$ computable by $\mathcal{B}_{F,i}$ itself.  

  \begin{itemize}
  \item If $O=f^{n}_{K^{\star}}$ the simulation is $H_{2,i-1}$.
  \item If $O$ is random it is $H_{2,i}$.
  \end{itemize}

  A non-negligible distinguishing gap therefore breaks $F$'s PRF
  security.  $\blacksquare$
\end{itemize}

By the triangle inequality and a telescoping sum
\begin{equation}
\bigl|\Pr[\mathcal{A}^{H_1}=1]-\Pr[\mathcal{A}^{H_{2,t}}=1]\bigr|
         \le t\cdot\mathsf{negl}(n)
         \le q(n)\cdot\mathsf{negl}(n)
         =\mathsf{negl}(n).
\end{equation}

In $H_{2,t}$ every distinct key receives an \emph{independent} uniform answer, so
the oracle itself is a uniformly random function on
$\{0,1\}^{n}$ (except with negligible collision probability already
accounted for).  Hence
\begin{equation}
\bigl|\Pr[\mathcal{A}^{H_{2,t}}=1]-\Pr[\mathcal{A}^{\mathcal{R}}=1]\bigr|
       \le\mathsf{negl}(n).
\end{equation}

Combining (2)--(4) with Claim 1 contradicts the assumed security of $F$ or
$G$.  Therefore no PPT distinguisher has non-negligible advantage against
$H$, i.e.
\begin{equation*}
H:=\{h^{n}_{s,j}\}_{n} \text{ is a pseudorandom-function family}. \quad \blacksquare
\end{equation*}