$6\mathrm{.}4.$ Let $F$ be a secure PRF with in $=2,$ and let $G$ be a length$-$doubling PRG$.$ Define

$F^{\text{'}}(k,x)=F(k,G(x)).$

We will see that $F^{\text{'}}$ is not necessarily a PRF$.$

$($a$)$ Prove that if $G$ is injective then $F^{\text{'}}$ is a secure PRF$.$

$***($b$)$ Exercise $5\mathrm{.}9($b$)$ constructs a secure length$-$doubling PRG that ignores half of its input.

Show that $F^{\text{'}}$ is insecure when instantiated with such a PRG$.$ Give a distinguisher and

compute its advantage.

Note: You are not attacking the PRF security of $F,$ nor the PRG security of $G.$ You are

attacking the invalid way in which they have been combined.