Performance and Resource Trade-offs in Rivest–Shamir–Adleman Public-Key Cryptography: An Experimental Study on the Impact of Key Length

Rivest–Shamir–Adleman (RSA) public-key cryptography remains a foundational mechanism in modern secure communication systems, supporting technologies such as Transport Layer Security (TLS), digital signatures, and Public Key Infrastructure (PKI). Although increasing RSA key length strengthens resistance against classical factorization-based attacks, it also increases computational cost and resource consumption, especially in systems with limited processing capacity or high transaction volumes. This study presents a controlled empirical evaluation of RSA performance across four key sizes: 1024, 2048, 3072, and 4096 bits. A Java-based benchmarking framework was used to measure key generation latency, encryption and decryption time, digital signature generation and verification cost, and ciphertext/signature size overhead. The novelty of this article lies in providing a focused, reproducible, and quantitative comparison of RSA key-length trade-offs using commonly recommended modern constructions: RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) with Secure Hash Algorithm 256-bit (SHA-256) and RSA Probabilistic Signature Scheme (RSA-PSS) with SHA-256. The results show that private-key operations, including decryption and digital signing, grow superlinearly as key size increases. In particular, 4096-bit RSA decryption and signing were approximately 29 times slower than their 1024-bit counterparts, while key generation increased by nearly 120 times. In contrast, public-key operations such as encryption and signature verification showed more moderate growth because of the use of smaller public exponents. Output sizes also increased linearly with modulus length, from 128 bytes for 1024-bit keys to 512 bytes for 4096-bit keys. These findings demonstrate the security–performance trade-off inherent in RSA and show that larger keys may impose practical limitations in performance-sensitive or resource-constrained environments. The study is limited to one hardware platform and Java cryptographic provider, so results may vary across other systems and implementations. Overall, the results suggest that RSA-2048 remains a practical baseline for many applications, while RSA-3072 or RSA-4096 should be selected only when higher security margins justify the additional computational overhead. This revision fixes the abstract comments by making the methodology shorter and clearer, adding the novelty explicitly, defining abbreviations on first use, and mentioning the limitation briefly. It also improves alignment and academic flow compared with the original abstract.