Let’s review the RSA encryption algorithm. We start from the definition of public key encryption algorithm and signature algorithm, and use a more standardized language to describe this algorithm. The RSA public key encryption system includes the following three algorithms: KeyGen (key generation algorithm), Encrypt (encryption algorithm) and Decrypt (decryption algorithm). ?(PK,SK)\leftarrowKeyGen(\lambda). The key generation algorithm takes the security constant \lambda as input and outputs a public key PK and a private key SK. The security constant is used to determine how secure the encryption algorithm is. It is generally related to the size of the prime number p used by the encryption algorithm. The larger \lambda is, the larger the prime number p is generally, ensuring that the system has higher security. In RSA, the key generation algorithm is as follows: the algorithm first randomly generates two different large prime numbers p and q, and calculates N=pq. Subsequently, the algorithm calculates the Euler function \varphi(N)=(p-1)(q-1). Next, the algorithm randomly selects an integer e that is less than \varphi(N), and calculates the modular inverse element d of e with respect to \varphi(N). Finally, the public key is PK=(N,e) and the private key is SK=(N,d). CT\leftarrowEncrypt(PK,M). The encryption algorithm takes the public key PK and the message M to be encrypted as input, and outputs the ciphertext CT. In RSA, the encryption algorithm is as follows: the algorithm directly outputs the ciphertext as CT=M^e\mod\varphi(N)　M\leftarrowDecrypt(SK,CT). The decryption algorithm takes the private key SK and the ciphertext CT as input and outputs the message M. In RSA, the decryption algorithm is as follows: the algorithm directly outputs plaintext as M=CT^d\mod\varphi(N). Since e and d are inverse to each other under \varphi(N), we have: CT^d=M^{ed}=M\mod\varphi(N) Therefore, we can also see from the algorithm description: Public key It is used to encrypt the data and the private key is used to decrypt the data. Of course, this can also be understood intuitively: the public key is a public key. Only when it is made public can everyone use it to encrypt data. The private key is a private key. Only whoever has this key can decrypt the ciphertext. Otherwise, if everyone can see the private key and decrypt it, it will be a mess. =================Separating line================== Let's review the RSA signature system again. The signature system also includes 3 algorithms: KeyGen (key generation algorithm), Sign (signature algorithm), and Verify (verification algorithm). ?(PK,SK)\leftarrowKeyGen(\lambda). The key generation algorithm also takes the security constant \lambda as input and outputs a public key PK and a private key SK. In RSA signatures, the key generation algorithm is exactly the same as the encryption algorithm. ?\sigma\leftarrowSign(SK,M). The signature algorithm takes the private key SK and the message M to be signed as input and outputs the signature \sigma. In RSA signature, the signature algorithm directly outputs the signature as \sigma=M^d\mod\varphi(N). Note that the signature algorithm is very similar to the decryption algorithm in the RSA encryption system. b\leftarrowVerify(PK,\sigma,M). The verification algorithm takes the public key PK, the signature \sigma and the message M as input and outputs a bit value b. b=1 means verification passed. b=0 means verification failed. In the RSA signature, the verification algorithm first calculates M'=\sigma^e\mod\varphi(N), and then compares M' with M. If they are equal, b=1 is output, otherwise b=0 is output. Note: The authentication algorithm is very similar to the encryption algorithm in the RSA encryption system. Therefore, in the signature algorithm, the private key is used to sign the data, and the public key is used to verify the signature. This can also be understood intuitively: to sign a file, of course you must use the private key, because we hope that only we can complete the signature. Of course, I hope that everyone can perform the verification process. Everyone who sees the signature can pass the verification and prove that it was indeed signed by me. =================Separating line=================So, why does the questioner ask such a question? We can see that the encryption/verification and decryption/signing processes of RSA are very similar. At the same time, the RSA system itself is symmetrical: if we think of e as the private key and d as the public key, this system can also be implemented well. I think it is for this reason that the subject encountered such confusion when learning the RSA system. So what is the solution? It is recommended that the subject can learn other public key encryption systems and signature systems. Other systems do not have this symmetry. For example, for public key encryption systems, you can look at ElGamal encryption and the more secure Cramer-Shoup encryption.

As for signature systems, you can take a closer look at ElGamal signatures or even BLS signatures. These systems may be able to help the subject better understand the differences and potential connections between encryption and signatures. As for the question of how encryption and signature are combined. This system is called a signcryption scheme (SignCrypt). In RSA, this signcryption scheme looks very similar and can easily cause confusion. I don't want to introduce the scheme of combining encryption and signature in RSA in detail here. What I want to remind the questioner is that when encryption and signature are combined, the two sets of public and private keys are different.