Question
How do you sign and verify a message with RSA, and why are signing and verifying mirror images of each other?
Answer
The signer raises the message to the secret exponent, $s = m^d \bmod N$; anyone verifies by raising the signature to the public exponent and checking $s^e \bmod N = m$. It is the same modular exponentiation run with opposite keys.
* Signing and verifying are the same exponentiation with opposite keys — they cancel because e·d ≡ 1 mod φ(N). *
The signer holds the RSA secret key $(p, q, d)$ and publishes $(N, e)$ with $N = p\cdot q$. Signing is just the private RSA operation:
$$s = m^d \bmod N$$
and verification is the public operation applied back:
$$s^e \equiv (m^d)^e \equiv m^{ed} \equiv m \bmod N.$$
The two undo each other because the key is built so that $e\cdot d \equiv 1 \pmod{\varphi(N)}$ — exactly the same relation that makes RSA decryption undo RSA encryption. So verifying a signature literally recomputes the message out of $s$; if the recomputed value equals the message the verifier holds, the signature is genuine.
Two practical points the raw formula hides:
- You sign a hash, not the raw document. In practice $m$ is $h(\text{message})$ — a fixed-size digest — so any length of contract fits inside $\mathbb{Z}_N$ and one exponentiation binds the whole document.
- Signing is the "reverse" of encrypting only for RSA. Encryption is $c = m^e$ (public exponent), signing is $s = m^d$ (secret exponent) — the operations look symmetric here, which is convenient but is precisely what the existential-forgery attack exploits (see the next card). Most other signature schemes (DSA, Schnorr) deliberately make signing and verifying different operations to avoid that.
Go deeper:
RSA (cryptosystem) — signing and verification — the same modulus-and-exponent machinery, formalised, with the padding caveats.
Note saved — thanks!