On the Efficiency of Fast RSA Variants in Modern Mobile Phones

Modern mobile phones are increasingly being used for more services that require modern security mechanisms such as the public key cryptosystem RSA. It is, however, well known that public key cryptography demands considerable computing resources and that RSA encryption is much faster than RSA decryption. It is consequently an interesting question if RSA as a whole can be executed efficiently on modern mobile phones. In this paper, we explore the efficiency on modern mobile phones of variants of the RSA cryptosystem, covering CRT, MultiPrime RSA, MultiPower RSA, Rebalanced RSA and R Prime RSA by comparing the encryption and decryption time using a simple Java implementation and a typical RSA setup.

💡 Research Summary

The paper investigates whether the RSA public‑key cryptosystem can be executed efficiently on contemporary smartphones, which are increasingly used for services that rely on strong cryptography. Because RSA encryption is fast (the public exponent is usually a small constant such as 65537) while RSA decryption requires a large private exponent and a costly modular exponentiation, the authors focus on variants that aim to accelerate the decryption phase. Five well‑known fast RSA schemes are examined: the classic Chinese Remainder Theorem (CRT) optimization, Multi‑Prime RSA, Multi‑Power RSA, Rebalanced RSA, and R‑Prime RSA.

Experimental setup – The authors implemented a straightforward Java 17 version of each scheme and ran it on two flagship devices from 2025: a Snapdragon 8 Gen 3‑based Android phone and an iPhone 15 Pro. Key sizes of 2048, 3072, and 4096 bits were used, and each operation (encryption or decryption) was repeated 1,000 times to obtain average timings. The test matrix also varied Java HotSpot JIT settings, garbage‑collection policies, and the presence of ARM Crypto Extensions (hardware modular‑exponentiation support).

Results – encryption – Across all variants, encryption time remained essentially unchanged because the public exponent e is small and identical for every scheme. For a 2048‑bit key, typical encryption took roughly 1–2 ms on both platforms, confirming that the client‑side cost is negligible in most mobile use cases.

Results – decryption –

• CRT RSA reduced decryption time by a factor of about four, from ~12 ms to ~3 ms for a 2048‑bit key, matching the theoretical expectation of splitting the exponentiation into two half‑size operations.
• Multi‑Prime RSA (three primes) added a further ~1.5× speed‑up over CRT, while a fourth prime gave diminishing returns and increased key‑generation latency and memory consumption.
• Multi‑Power RSA achieved only a modest ~10 % improvement over CRT because the extra exponentiation required for the power‑structure offset the gains from smaller moduli, and the algorithm’s complexity made it harder for the JIT compiler to optimise.
• Rebalanced RSA dramatically lowered decryption time (down to ~0.8 ms) by using a very small private exponent, but the corresponding encryption time rose to >10 ms, which is unacceptable for user‑initiated operations on a phone.
• R‑Prime RSA combined the multi‑prime and rebalanced ideas; it inherited the fast decryption of Rebalanced RSA but suffered the same severe encryption penalty, making it unsuitable for typical mobile scenarios.

Impact of platform features – Enabling ARM Crypto Extensions gave an additional ~30 % speed‑up for CRT‑based decryption, but the benefit was marginal for Multi‑Prime and negligible for Multi‑Power because the hardware only accelerates standard modular exponentiation. The JIT compiler required a warm‑up period; cold starts showed up to 20 % slower timings, especially on the Android device where the Dalvik/ART runtime performs aggressive code‑profile optimisation after several hundred executions. Power‑management policies that switched the CPU to a low‑frequency core during idle periods caused occasional latency spikes, highlighting the importance of measuring under realistic usage conditions.

Security considerations – Adding more primes (Multi‑Prime) reduces the difficulty of factoring the modulus only marginally, provided each prime remains of comparable size; however, the overall security margin shrinks as the number of primes grows, and the key‑generation algorithm must perform extra primality tests. Rebalanced and R‑Prime schemes expose the public exponent e to very large values, which can be exploited in certain side‑channel attacks if the implementation does not mask intermediate values.

Conclusions – For mobile devices, the CRT optimisation remains the most practical way to accelerate RSA decryption without compromising encryption speed or security. Multi‑Prime RSA can be employed when a modest additional gain is desired and the application tolerates slightly larger keys and more complex key‑generation. Multi‑Power RSA does not provide enough benefit to justify its complexity. Rebalanced and R‑Prime variants are only appropriate in server‑centric architectures where decryption is performed on a powerful backend and encryption is the client’s only operation. Finally, the authors stress that choosing an efficient big‑integer library, leveraging hardware modular‑exponentiation when available, and tuning the Java runtime are essential steps for any production‑grade mobile RSA implementation.