$S^e = \operatorname^d \pmod n$ and E captures them. If you're using RSA, the signature verification process is (effectively) checking whether: What made you think that the public key is enough to recreate the signature? It is sufficient to verify a signature that you're given, but it is not sufficient to generate new ones (or so we hope if that's not true, the signature scheme is broken). The important part and this is where I really started scratching my head: How can the recipient verify that I own the private key if the public key seems to be enough to recreate the signature? Hence, signing the hash is just as good as signing the original message without the length restrictions we would have if we didn't use a hash. In contrast, a cryptographical hash can take an arbitrarily long message, and 'compress' it into a short string, in such a way that we cannot find two messages that hash to the same value. That means that if you have a 2048 bit RSA key, you would be unable to directly sign any messages longer than 256 bytes long (and even that would have problems, because of lack of padding).
Well, the RSA operation can't handle messages longer than the modulus size. Why is it common practice to create a hash of the message and sign that instead of signing the message directly?
