The answer is the third choice.
We're only looking for signatures here, so we don't need to encrypt the document.
We don't care about confidentiality.
We can send the document in clear, but what we want to send along with it
is something that proves that it's the document that Alice intended.
To do that we need to do something that uses Alice's private key.
That's these two options.
If we use the public key--well, anyone can do that.
The public key could be known to anyone else.
We're assuming that the private key is only known to Alice.
The only one who could compute these two things would be Alice.
Then we have a choice of which one of these two things is better.
If we believe we can have one-way hash functions that have the collision resistance
properties that we talked about,
then this is much better, because the output of the hash function is
a small fixed-size value.
It's only for a given security level. It might be 256 bits.
We can encrypt that much more cheaply than if we had to encrypt the whole document
using RSA.
That's why this is the best choice, and lots of protocols are based on this kind of solution
where we use RSA to encrypt something small, which could be a hash value
or it could be an encryption key.
Then we use that with symmetric crypto for the rest of the message.
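
The hash-then-sign choice described above, as an added example that is not part of the lecture: textbook RSA applied to a SHA-256 digest with Alice's private exponent, then checked with her public key. The key (built from two Mersenne primes), the function names and the sample document are constructed for illustration.

```python
import hashlib

# Constructed demo key: Mersenne primes keep the arithmetic reproducible.
# Primes of this special form must never be used for a real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                               # public modulus (1128 bits)
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # Alice's private exponent

def digest_int(document: bytes) -> int:
    """SHA-256 of the document as an integer: 256 bits, far below N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes) -> int:
    """One private-key operation on the hash, whatever the document size.
    Textbook RSA only: deployed schemes pad the digest first (e.g. RSA-PSS)."""
    return pow(digest_int(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Anyone with the public key (E, N) recomputes the hash and compares."""
    return pow(signature, E, N) == digest_int(document)

def rsa_ops_without_hash(document: bytes) -> int:
    """RSA operations needed if the whole document went through RSA in blocks."""
    block = (N.bit_length() - 1) // 8   # largest byte count guaranteed below N
    return max(1, -(-len(document) // block))

if __name__ == "__main__":
    doc = b"Pay Bob 10 dollars. " * 5000        # constructed 100 kB document
    sig = sign(doc)                             # sent in clear alongside doc
    print("genuine document verifies:", verify(doc, sig))
    print("tampered document verifies:", verify(doc.replace(b"10", b"99", 1), sig))
    print("RSA operations: 1 with hashing,",
          rsa_ops_without_hash(doc), "without")
```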
