Designing an Efficicient Public-Key Cryptosystem: Rabin-p vs. RSA

December 23, 2025

ResumeCodeforcesEmailGitHub

After completing this semester of studies at my university, I found myself continuing to ponder the material discussed in my Number Theory course, particularly regarding the unit of cryptography, which dove into various public-key cryptosystems, like Diffie-Hellman, ElGamal, and RSA. I remember one lecture in particular where we briefly discussed the Discrete Logarithm Problem and how it single-handedly forms the backbone of several cryptosystems. At a high level, most of the widely-used encryption schemes today rely on the computational difficulty of solving certain mathematical problems, like factoring large integers or computing discrete logarithms, as the problem name suggests. This piqued my interest, and I decided to explore further the computational efficiency of these systems and how they compare to one another. This post may be a bit more math-heavy than my usual fare, but my goal is to make the ideas concrete and intuitive, especially where performance and design tradeoffs matter.

RSA Overview

We begin with a brief overview of the RSA cryptosystem. Suppose you want to send me a message, encoded as an integer, over a public channel, securely. How can we go about this? We could, in theory, send the message directly or use a simple cipher, but an eavesdropper could easily intercept and decode it. So, the problem becomes: how can we ensure that only you can read the message, even if someone intercepts it? This is the essence of the study of public-key cryptography, and where RSA comes into play. In short, we need to provide just enough information to allow you to encrypt/decrypt messages, but not enough for an eavesdropper to do the same. To do so, we perform the following procedure. Suppose you wish to send me a message over a public channel:

  1. I choose two large primes pp and qq, and compute n=pqn = pq.

  2. I compute φ(n)=(p1)(q1)\varphi(n) = (p-1)(q-1). This value helps us generate an exponent ee, chosen such that gcd(e,φ(n))=1\gcd(e, \varphi(n)) = 1.

  3. I compute d=e1(modφ(n))d = e^{-1} \pmod{\varphi(n)} using the Extended Euclidean Algorithm. This value acts as my private key.

  4. I publish the public key (n,e)(n, e).

  5. You encode your message mm as M=me(modn)M = m^e \pmod n and send me the ciphertext MM.

  6. I decrypt the message by computing

    Mdmedm1+kφ(n)mmkφ(n)m(modn). M^d \equiv m^{ed} \equiv m^{1 + k\varphi(n)} \equiv m \cdot m^{k\varphi(n)} \equiv m \pmod n.

This procedure and variants of it are widely used in modern encryption systems. But, can we improve upon this at all? While RSA is elegant and robust, modular exponentiation on a large scale can be computationally expensive. Although encryption is typically fast since the exponent ee is usually chosen to be small, commonly being 216+12^{16} + 1, decryption requires computing Md(modn)M^d \pmod n where dd is a large integer of size comparable to nn. Even though some strategies like binary exponentiation reduce the number of operations, the cost of decryption grows with the number of bits in dd, resulting in many large-integer multiplications and modular reductions.

This raises a natural question: can we design a public-key cryptosystem with similar security guarantees, but with a cheaper decryption step? One promising direction comes from Rabin-style cryptosystems, which replace exponentiation with squaring: an operation that is significantly faster in practice. The tradeoff, however, is that decryption in the textbook Rabin cryptosystem leads to four possible plaintext results since, for n=pqn = pq, calculating M(modp)\sqrt{M} \pmod p and M(modq)\sqrt{M} \pmod q yields two solutions each, much like how a positive number has two square roots over the integers. These results then combine to create four distinct square roots modulo nn (Chinese Remainder Theorem).

The Rabin-p Cryptosystem

This limitation is one of the primary reasons Rabin-style systems are rarely used. However, while exploring this design space, I came across a refinement known as the Rabin-p cryptosystem that resolves this ambiguity while preserving the efficiency benefits of squaring-based decryption. I will again step through the associated algorithms for encoding and decoding messages, following the Rabin-p cryptosystem as presented in Asbullah and Ariffin (2016). Suppose you wish to send me a message over a public channel:

  1. I choose two large primes, pp and qq, satisfying p3(mod4)p \equiv 3 \pmod 4, q3(mod4)q \equiv 3 \pmod 4, as well as 2k<p,q<2k+12^k < p,q < 2^{k+1} for some integer kk. I then compute n=p2qn = p^2q. This is the public key that I publish.

  2. You encode your message mm as M=m2(modn)M = m^2 \pmod n, ensuring gcd(m,n)=1\gcd(m, n) = 1 before doing so. You send me the ciphertext MM.

  3. To decrypt the ciphertext, I first reduce it modulo pp by computing wM(modp)w \equiv M \pmod p.

  4. Since p3(mod4)p \equiv 3 \pmod 4, I can efficiently compute a square root of ww modulo pp via mpwp+14(modp)m_p \equiv w^{\frac{p+1}{4}} \pmod p. This is a result of Euler's Criterion that gives a value satisfying mp2M(modp)m_p^2 \equiv M \pmod p.

  5. At this point, mpm_p is a square root modulo pp, but not necessarily modulo p2p^2. To quantify exactly how far mp2m_p^2 is from MM when the modulus is raised from pp to p2p^2, I compute

    i=Mmp2p. i = \frac{M - m_p^2}{p}.
  6. To lift the square root from modulo pp to modulo p2p^2, I consider a small correction of the form m1=mp+jpm_1 = m_p + jp and expand (mp+jp)2(m_p + jp)^2. Matching the resulting expression to MM modulo p2p^2 forces the congruence 2mpji(modp)2m_p j \equiv i \pmod p, which I solve by computing ji(2mp)1(modp)j \equiv i \cdot (2m_p)^{-1} \pmod p.

  7. Using the correction term, I construct a square root modulo p2p^2 via m1=mp+jpm_1 = m_p + jp. This value is the unique lift of mpm_p modulo p2p^2 that satisfies m12M(modp2)m_1^2 \equiv M \pmod{p^2}.

  8. As with any square root modulo an odd modulus, exactly two roots modulo p2p^2 exist, differing by a sign. This ambiguity is combated by enforcing a message size constraint at encryption time. Exactly one of m1m_1 or p2m1p^2 - m_1 lies in the valid range [0,22k1)[0, 2^{2k-1}) for kk as defined above. The decrypted message is m=m1m = m_1 if m1<22k1m_1 < 2^{2k-1}, and m=p2m1m = p^2 - m_1 otherwise.

A full proof of correctness of the decryption algorithm can be found in the paper cited above.

Complexity Comparison

In terms of complexity, however, how does Rabin-p compare to RSA? At a high level, both schemes spend most of their time doing arithmetic on large integers. But how many multiplications and modular reductions do we need to perform encryption and decryption in both schemes? First, we notice that encryption is the simplest operation in both schemes, being O(lg  e)O(lg \; e) modular multiplications for RSA but only a single modular squaring in Rabin-p.

For decryption, the naive view is that RSA performs a single modular exponentiation Md(modn)M^d \pmod{n}, with the exponent dd comparable in bit length to nn. On the other hand, Rabin-p performs a single exponentiation modulo pp, followed by a constant number of operations to perform the lift and extract the correct plaintext. Instead of doing work modulo nn, Rabin-p does work modulo pp.

However, this comparison is somewhat misleading. In practice, RSA decryption does not need to compute Md(modn)M^d \pmod{n} directly. Instead, using the Chinese Remainder Theorem, one computes d1=e1(modp1)d_1 = e^{-1} \pmod{p-1} and d2=e1(modq1)d_2 = e^{-1} \pmod{q-1}, then evaluates Md1(modp)M^{d_1} \pmod{p} and Md2(modq)M^{d_2} \pmod{q} separately, and combines the results via CRT to recover Md(modn)M^d \pmod{n}. Since each exponentiation now operates on numbers with roughly half the bit length of nn, each one is significantly cheaper. The tradeoff is that two exponentiations are required instead of one, but the reduction in operand size more than compensates in practice.

With this optimization in mind, the gap between RSA and Rabin-p narrows considerably. Both schemes ultimately perform their heavy arithmetic modulo factors of nn rather than modulo nn itself. Rabin-p still avoids full modular exponentiation in favor of a single exponentiation modulo pp plus a constant-cost Hensel lift, but RSA with CRT-based decryption is far more competitive than the naive comparison suggests. Each system makes a distinct tradeoff between efficiency, generality, and implementation complexity, and understanding these nuances is what makes the comparison worthwhile.

Edited April 9, 2026