Adam Back’s RSA T-shirt turned a few lines of Perl into a philosophical test case: if code can be speech, can a government treat speech like a weapon?
Thesis
The RSA munitions T-shirt matters because it compressed an entire constitutional, technical, and cultural argument into wearable source code. In the 1990s, strong cryptography was not merely a mathematical tool or a software feature. Under United States export controls, it could be treated as a controlled munition when sent outside the country. Adam Back’s terse RSA implementation in Perl, printed on a shirt and circulated as an email signature, exposed the strangeness of that regime: a few lines of text, intelligible to programmers and executable by machines, could be simultaneously speech, software, mathematics, and regulated weaponry.
The shirt was a protest object, but it was also a technical demonstration. Its point was not only that encryption policy was absurdly restrictive, although it was. Its deeper point was that software had crossed a category boundary that law was not prepared to understand. Source code could describe an idea, implement that idea, teach that idea, and move that idea across borders at the speed of email. Treating such code as if it were a physical arms shipment revealed a mismatch between industrial-era control systems and networked information.
John D. Cook’s short post on the RSA munitions T-shirt emphasizes the density of Back’s code and the role of Unix tooling, especially dc, in making the miniature implementation work. The historical page on the Munitions T-shirt preserves the protest’s original texture. To understand why this mattered, one also has to see the broader history of U.S. cryptography controls, including the export rules summarized in accounts of cryptography export from the United States and modern specifications such as PKCS #1 / RFC 8017, which show how far real-world RSA practice has moved beyond textbook examples.
Key Arguments
The first argument carried by the shirt is that code is not easily separable from expression. A mathematical formula written in a textbook is plainly communicative. A program written in Perl is also communicative, but it has the additional property that a machine can execute it. That dual nature made regulators uncomfortable, because export control systems depended on classifying objects by function. A missile part had a military function. A cryptographic device had a security function. A printed shirt with source code, however, sat in an unstable middle zone. It was an object, a message, a joke, a lesson, and a working description of an encryption system.
This is why the shirt became symbolically powerful. Back did not need a server farm, a polished application, or a commercial product to make the argument. He needed a compact implementation of RSA, a medium that could travel socially, and a legal environment that made the act of wearing or exporting that code provocative. The protest worked because the object was ordinary while the classification was extraordinary. A T-shirt is one of the least threatening artifacts in everyday life, yet the code on it forced the state’s theory of control into public view.
The second argument is technical: RSA is conceptually simple enough to fit inside a small program, but that simplicity hides severe implementation hazards. Textbook RSA depends on modular exponentiation. In its bare mathematical form, encryption or verification reduces to computing something like m^e mod n, while decryption or signing computes c^d mod n, where n is the product of two large primes and e and d are paired exponents. The central operation is not mysterious. It is repeated multiplication under a modulus, made practical through fast exponentiation.
Back’s code delegates the heavy arithmetic to dc, the old Unix desk calculator. That choice is elegant because RSA needs arbitrary-precision integer arithmetic, and ordinary fixed-width machine integers are not enough. The Perl wrapper handles input and output, while the dense dc fragment performs the modular exponentiation. Cook points out that the early characters 16do tell dc to operate in hexadecimal by pushing 16, duplicating it, and setting the output radix. That tiny detail captures the whole character of the program: it is less a normal application than a compressed conversation among Unix tools.
The compression also matters culturally. Obfuscated code contests and cryptographic activism shared a certain aesthetic in the 1990s: prove the point by making the artifact small, portable, reproducible, and a little mischievous. The code’s terseness was not only cleverness for its own sake. It made a legal claim visible. If this much cryptographic capability could fit in an email signature, then the idea of containing it through border inspection was already obsolete.
The third argument is historical. The RSA shirt belonged to the period often called the Crypto Wars, when governments worried that widely available strong encryption would weaken intelligence and law-enforcement capabilities, while technologists and civil-liberties advocates argued that secure communication was becoming basic infrastructure for commerce, privacy, journalism, and political freedom. The same period saw conflicts over PGP, export-grade browser encryption, key escrow, and weakened international versions of software.
The browser example is especially revealing. Export controls helped create weaker cryptographic modes for users outside the United States, including 40-bit symmetric encryption and reduced RSA key sizes in some contexts. Tools such as Fortify for Netscape existed because people wanted full-strength security in browsers that had been artificially weakened for export. This was not an abstract policy dispute. It shaped the security properties of real software used by real people, and the aftershocks persisted for years, as later attacks against old export-grade cryptography showed.
The fourth argument is that textbook RSA is not modern RSA. Back’s shirt demonstrated the core mathematical mechanism, but production RSA requires padding, careful randomness, side-channel resistance, key validation, constant-time operations, and protocol context. Raw RSA is famously brittle. Encrypting the same message directly can produce predictable structure. Signing raw values can invite algebraic manipulation. Decryption operations can leak information through timing or error behavior. Modern RSA practice is therefore defined less by the bare exponentiation step than by the disciplined envelope around it.
That distinction does not weaken the shirt’s importance. It clarifies it. The shirt was not a secure product one should deploy. It was a proof that the essential idea could not be confined. Once the mathematical recipe was public, the rest of the struggle moved from secrecy to implementation quality, standards, usability, and governance. In that sense, the shirt marks a transition from cryptography as guarded machinery to cryptography as public infrastructure.
Supporting Evidence
The supporting evidence begins with the legal classification itself. During the relevant period, strong cryptographic software could fall under U.S. export controls associated with munitions. The state’s concern was strategic: encryption protects military communication, diplomatic communication, and intelligence targets. Yet the personal computer and the internet changed the distribution model. Cryptography was no longer only embedded in specialized equipment. It could be written as source code, posted to a mailing list, printed in a book, or placed on clothing.
The T-shirt crystallized this change because it made source code visibly physical without making it meaningfully controllable. A customs officer could in theory inspect the shirt. A foreign reader could in theory retype the code. A programmer could modify it. An email recipient could forward it. The regulatory model assumed that dangerous capability moved through controllable channels, while the software model increasingly moved through copying, interpretation, and recombination.
The technical evidence sits inside the code’s structure. Perl supplies text processing and glue. dc supplies the arithmetic engine. Hexadecimal representation supplies a compact way to move bytes into and out of big integer form. The program’s density makes it hard to read, but its core task is plain: convert input into numbers, perform modular exponentiation, and convert the result back into bytes. This is RSA reduced to its mathematical skeleton.
That skeleton is precisely what gave RSA its pedagogical power. Public-key cryptography is one of the rare ideas in computer science that feels almost paradoxical when first encountered. One key can be public, another private, and the public key can enable operations that only the private key can reverse or authenticate. The security rests not on hiding the algorithm, but on the difficulty of deriving the private key from the public modulus. In RSA, that difficulty is tied to factoring a large composite number whose prime factors are secret.
The shirt therefore taught two lessons at once. It showed that the core algorithm could be expressed compactly, and it showed that the security of the system did not depend on suppressing that expression. This is a profound inversion of older security instincts. A cipher machine might have been protected by secrecy of design, restricted hardware, and guarded distribution. Public-key cryptography, at least in its mature form, wants the algorithm to be public so that it can be studied, attacked, repaired, standardized, and trusted.
Implications
The first implication is that software regulation must contend with the expressive nature of code. A government can regulate products, services, commercial exports, classified information, procurement, and conduct. It can also impose obligations on companies operating within its jurisdiction. But when regulation treats published source code as though it were a crate of military equipment, it runs into the fact that code is also knowledge. Knowledge can be copied by reading. It can be transformed by explanation. It can be reconstructed from principles.
This does not mean software should never be regulated. Malware, surveillance tools, exploit brokers, and dual-use cyber capabilities raise real policy problems. The lesson is narrower and more difficult: when the regulated object is also a general-purpose expression of an idea, blunt containment strategies tend to produce symbolic conflict, technical workarounds, and constitutional pressure. The RSA shirt sits near the beginning of a long argument that now includes vulnerability disclosure, open-source security tools, AI model weights, synthetic biology protocols, and 3D-printable weapon files.
The second implication is that the politics of encryption became the politics of everyday life. In the early internet era, strong cryptography could still be framed as a specialist concern. Today it is embedded in HTTPS, messaging apps, software updates, password managers, cloud storage, package registries, and device authentication. The old dispute over exportable RSA code now looks like an early negotiation over whether ordinary users would be allowed to possess meaningful privacy and integrity tools.
The third implication is that implementation replaced access as the central difficulty. Once strong cryptographic algorithms became broadly available, the hard problems shifted toward using them correctly. Padding schemes, random number generators, protocol composition, certificate authorities, key rotation, hardware side channels, downgrade attacks, and dependency maintenance became the practical battleground. The public availability of cryptography did not end the need for expertise. It changed the locus of expertise from possession of secret algorithms to disciplined engineering.
This shift is visible in RSA itself. The shirt’s code performs the heart of RSA, but modern systems rely on standards such as RSAES-OAEP for encryption and RSASSA-PSS for signatures, both described in RFC 8017. These constructions exist because the beautiful algebra of RSA is not enough by itself. Mathematics gives the primitive. Engineering gives the conditions under which the primitive can be safely used by fallible software in hostile networks.
The fourth implication is philosophical. The RSA shirt asks whether a society can preserve political categories when computation makes symbols operational. Before software, a written description and a machine were easier to separate. After software, descriptions can become machines when interpreted by other machines. A line of code is an instruction, but also a sentence in a technical language. A repository is a publication, but also a supply chain component. A model file is data, but also behavior waiting to be invoked.
This is why the shirt still feels contemporary. The object belongs to the 1990s, but the category problem has only grown. The same ambiguity now appears whenever regulators confront open-source AI systems, cryptographic libraries, exploit proof-of-concepts, or privacy-preserving protocols. The deeper question is not whether technology escapes politics. It plainly does not. The question is whether political systems can reason carefully about artifacts that are simultaneously speech, tool, infrastructure, and power.
Counter-Perspectives
A serious counter-perspective begins with national security. Cryptography really does protect military and intelligence communication. It can also shield criminal activity, hostile operations, and sanctioned actors. From that view, export controls were not irrational in origin. States have always tried to prevent adversaries from gaining strategically useful technologies, and strong encryption belongs on any honest list of such technologies.
Another counter-perspective is that symbolic protests can oversimplify policy. The T-shirt made the export regime look absurd, but policy makers were dealing with an actual transition in communications power. Once strong encryption became universal, lawful access became harder in some investigations. The fact that a regulation is technically awkward does not automatically dissolve the state interests behind it.
A third counter-perspective concerns the romance of code as speech. Programmers often emphasize expression, elegance, and publication, while affected communities may experience software primarily through consequences: surveillance, fraud, ransomware, exclusion, opacity, or platform control. Saying that code is speech can protect crucial freedoms, but it can also become too broad if used to evade responsibility for deployed systems. The better position is not that code is only speech, nor that it is only conduct, but that its dual nature requires more careful legal distinctions than older categories provide.
The RSA munitions T-shirt endures because it did not merely argue that one export rule was bad. It revealed a structural tension that still defines technology governance. Computation turns ideas into operational artifacts, and networks make those artifacts difficult to contain by geography. Back’s few lines of Perl, routed through dc and printed on cotton, showed that the future of cryptography would not be decided by suppressing algorithms. It would be decided by how societies chose to live with powerful public knowledge.
Comments
Please log in or register to join the discussion