Provable security [6] is at the heart of modern cryptography. It advocates a mathematical approach in which the security of new cryptographic constructions is defined rigorously, and provably reduced to one or several assumptions, such as the hardness of a computational problem, or the existence of an ideal functionality. A typical provable security statement is of the form: for all adversary against the cryptographic construction TeX , there exists an adversary TeX against a security assumption TeX , such that if TeX has a high probability of breaking the scheme TeX in time t, then TeX has a high probability of breaking the assumption TeX in time t′ (defined as a function of t).