“…For a user with secret key x, a group membership certificate for an appointed verifier V , will be a quin-tuple (s, Z, c, u, e) such that each of these values lies in the correct integer interval, u 2e = (a 0 a s 1 a x 2 Za c 4 ) 2 holds, and c is the encryption of the value log a3 Z mod n under V 's public key. We show that such a certificate is hard to forge under the strong RSA assumption [3,11,23,27,28] and the assumption that computing discrete logarithms modulo a modulus of this form is hard. On the other hand, if c is not an encryption of log a3 Z mod n, then this certificate is easy to forge (Lemma 3).…”