 So we could use RSA to verify someone's identity. Could we use RSA as a way of digitally signing documents? The answer is no. So remember RSA can be used as an identification verification scheme. If Alice sets up RSA with public exponent E and public modulus N, keeping private exponent D secret, Bob sends Alice a message M, Alice computes C congruent to M to power D mod N and sends it to Bob, and then Bob verifies M is congruent to C to power E mod N, and this works to verify Alice's identity. Could we use this to sign documents? Well, let's try out the obvious thing. So Alice sets up RSA system with N equal 21829 and public encryption key E equal 37. Her private decryption key is D equals 11613, and Bob wants Alice to sign M equals 153. So to sign M equals 153, Alice computes 153 to her private decryption exponent and gets 5306 and sends this message on to Bob. Bob now has the pair 153, 5306 as the signed document. We can verify the signature as before, because if we take this encrypted value 5306 and use the public encryption key, we get back the original document. And again, since Alice is the only one who knows the decryption exponent, only Alice could have found 5306. Remember, technology allows us to do things we've never done before, and here's something new. If Alice signed a real-world document, Bob could change the 153 to another number and still have a document with Alice's signature. But what if Bob changed 153 to 758? Alice's signature is still 5306, but when we try to verify the signature, 5306 to power 37 is not congruent to 758. And so whatever document Alice signed with 5306 was not 758, 758 is a forgery. Unfortunately, it's easy to break the RSA signature scheme. To do this, suppose Bob wants Alice to sign a number m. So Bob picks a random k, then Bob asks Alice to sign km mod n, and Bob also asks Alice to sign k inverse mod n. When Alice does this, Bob now has km to power e, that's k to the e, m to the e, and also k inverse to power e. But if you multiply these two things together, you get m to the e, which is something that only Alice could have produced. So Bob has Alice's signature on document m. So let's say that we have the same RSA setup as before, but this time Bob wants to forge Alice's signature on the document m equals 758. So to carry out his nefarious scheme, Bob picks k equals 11 and asks Alice to sign km 758 times 11, which is 8338, and Alice computes 8338 to power 11613 to get. A little while later, Bob says, oops, I meant you to have to sign this document instead, k inverse, that's 11 inverse, which works out to be 3969. Alice sighs and says, Bob, get your numbers right, and she computes 3969 to power 11613, getting 20980. And so now Alice has sent to Bob km to power e, 11102, and k inverse to power e, 20980. And now Bob finds 11102 times 20980, and that's congruent to 4530. And since 4530 to the 37th power is congruent to 758, then 7584530 is a forged document that Alice has signed. Now, if you look at why this works, why Bob is able to do this, you realize that the problem with RSA digital signatures is that the same key, d, is used for all messages. And that's why this can work for authentication, because in authentication, you're trying to send the same message, I am this person. However, if we want to be able to sign different documents, what we need is a different key for each message. And we'll see how to do that next.