We use

to represent the adversary’s advantage in attacking the scheme S, for an adversary that makes at most Qsig signature queries, at most QH0 queries to H0, and at most QH1 queries to H1. We say that the scheme S is secure if for all efficient adversaries the advantage is negligible.

The co-CDH assumption is that the security of the scheme S relies on the standard co-CDH assumption in the bilinear group (G_0, G_1). The assumption states that for all efficient algorithms A,

where ǫ is a neglible quantity and where α, β ← Z_q.