So how can we sign documents in the information age? A very wise and brilliant and extremely modest and strikingly handsome person once said, technology allows us to do things we've never done before at the cost of requiring us to do things we've never done before. The digital era allows us to do many things remotely, but how do you know who is doing these things? And this is the basis for what we might call the authentication problem. How do you verify a person's identity?

And we do this as follows. To verify someone's identity, you give them a problem that only they can solve. We can do this in two ways. We can give them a test based on biomechanics. And these are things like you can look like the person in the picture. You can sign like the person who signed the document. You can have the same DNA as the DNA in the sample. Or you can walk like the person who walked this way. The other way we can verify someone's identity is to give them a test based on knowledge. So you might have to give the social security number recorded for the person. Or give the correct password. Or give the name of your favorite cat your mother's third cousin had in elementary school.

And this leads to the following problem. When authentication is based on knowing something no one else should, you have to keep everyone else from knowing about it. But if you present the information, then the recipient could impersonate you at a later point. And so the problem is we want a zero-knowledge proof: evidence that you know a piece of information that does not reveal the information. How can we do this?

Asymmetric encryption offers the solution. Suppose Bob sends a message to Alice using an asymmetric cipher. Only Alice can decrypt the message, so Alice can verify her identity by decrypting a message. The RSA signature scheme was actually included as part of the original RSA patent. Suppose Alice sets up an RSA system with public modulus n, public exponent e, and private exponent d.
Remember, to send a message, Bob computes c ≡ m^e mod n, and sends c to Alice. And Alice decrypts this by computing m ≡ c^d mod n. And this works because (m^e)^d mod n is congruent to m. Now Alice could prove her identity by giving out her decryption exponent d, and then Bob can verify that (m^e)^d is congruent to m mod n. But if Alice does this, she has to scrap her entire cryptosystem. She can't use e and d anymore, and in fact, she can't even use n. She has to find a new modulus. Reason left as exercise for viewer.

So what could she do? Instead of giving out her key, Alice can prove her identity as follows. Bob sends Alice a plaintext message, m. Alice then computes c ≡ m^d mod n, using her private decryption exponent, and sends c back to Bob. Bob then computes m' ≡ c^e mod n, using Alice's public encryption exponent. If m' is equal to m, then Alice has confirmed her identity, because she's demonstrated she's in possession of the decryption exponent. At the same time, she hasn't told anybody what that decryption exponent is.

So for example, Alice sets up an RSA system with public modulus n = 21829 and public encryption key e = 37. Her private decryption key is d = 11613. Bob wants Alice to confirm her identity. So to do this, Bob picks a random number, say m = 153, and sends this to Alice. Alice then computes 153 to her private decryption exponent, and gets 5306, and she sends this message on to Bob. Bob confirms it's Alice by verifying that 5306 to the public exponent 37 gives back the original message 153. And again, since Alice is the only one who knows the private decryption exponent, Alice is the only one who could have computed this value 5306. And so Bob knows that it's Alice at the other end of the line.
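
The exchange above as an added Python example (not part of the lecture), using the lecture's toy numbers. The function names, the restriction of challenges to [2, n-2], and the replay and wrong-exponent responders are assumptions made here for illustration. This is unpadded textbook RSA on a modulus far too small for real use.

```python
import secrets

# Toy parameters from the lecture's worked example.
N, E, D = 21829, 37, 11613

def fresh_challenge(n: int = N) -> int:
    """Bob: pick an unpredictable challenge m.
    0, 1 and n-1 are skipped (an assumption of this example): they map to
    themselves under any odd exponent, so anyone could answer them."""
    return 2 + secrets.randbelow(n - 3)      # uniform in [2, n-2]

def respond(challenge: int, d: int = D, n: int = N) -> int:
    """Alice: c = m^d mod n, computed with her private exponent."""
    if not 2 <= challenge <= n - 2:
        raise ValueError("challenge out of range")
    return pow(challenge, d, n)

def verify(challenge: int, response: int, e: int = E, n: int = N) -> bool:
    """Bob: accept only if m' = c^e mod n equals the challenge he issued."""
    return 0 <= response < n and pow(response, e, n) == challenge

def rounds_passed(responder, challenges) -> int:
    """Count how many of Bob's challenges a responder answers correctly."""
    return sum(verify(m, responder(m)) for m in challenges)

if __name__ == "__main__":
    # The lecture's exchange: m = 153 gives c = 5306, and 5306^37 mod n = 153.
    c = respond(153)
    print("response:", c, "accepted:", verify(153, c))

    challenges = [fresh_challenge() for _ in range(1000)]

    def replay(m):        # hypothetical: resends a recorded answer to m = 153
        return 5306

    def wrong_key(m):     # hypothetical: responder without the real exponent
        return pow(m, D + 1, N)

    print("Alice:    ", rounds_passed(respond, challenges), "/ 1000")
    print("replay:   ", rounds_passed(replay, challenges), "/ 1000")
    print("wrong key:", rounds_passed(wrong_key, challenges), "/ 1000")
```

Because Bob draws a new challenge each time, a recorded response such as 5306 is only accepted if the challenge happens to be 153 again, which is what keeps an observer from impersonating Alice later.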