Why is XOR important in cryptography

Why is XOR used in cryptography?

Why is only XOR used in cryptographic algorithms and other logic gates such as OR, AND and NOR are not used?


It is not exactly correct to say that the XOR logical operation is the only one used in all of cryptography, but it is the only two-way encryption that uses it exclusively.

Here's how it is explained:

Imagine you have a sequence of binary digits and XOR the string that you get

Now your original string is encoded and the second string becomes your key. If you XOR your key with your encoded string, you will get your original string back.

With XOR you can easily encrypt and decrypt a string, with the other logic operations not.

If you have a longer string, you can repeat your key until it's long enough. For example, if your string is there, just rewrite your key twice and it will XOR with the new string

Here is a Wikipedia link on the XOR cipher.

I can see 2 reasons:

1) (main reason) XOR does not pass on any information about the original plaintext.

2) (Nice-to-have reason) XOR is an involving function, meaning if you apply XOR twice you get the original plaintext back (i.e. where is your plaintext and is your key). The inner XOR is encryption and the outer XOR is decryption, ie exactly the same XOR function can be used for both encryption and decryption.

To illustrate the first point, consider the truth tables of AND, OR, and XOR:


0 AND 0 = 0

0 AND 1 = 0

1 AND 0 = 0

1 AND 1 = 1 (leak!)


0 OR 0 = 0 (leak!)

0 OR 1 = 1

1 OR 0 = 1

1 OR 1 = 1


0 XOR 0 = 0

0 XOR 1 = 1

1 XOR 0 = 1

1 XOR 1 = 0

Everything in the first column is our input (i.e. the plain text) . The second column is our key and the last column is the result of your input "mixed" (encrypted) with the key using the specific operation (ie the ciphertext) .

Now imagine that an attacker has access to an encrypted byte, e.g. B. 10010111 , and want the original plaintext byte recall .

Suppose the AND operator was used to generate this encrypted byte from the original plaintext byte. If AND was used we know for sure that every time we see the bit '1' in the encrypted byte, the input (i.e. the first column, the plaintext) must also be '1' according to the truth table of '1'. If the encrypted bit is a '0' instead, we don't know whether the input (i.e. the plaintext) is a '0' or a '1'. Hence we can conclude that the original plaintext is as follows: 1 _ _ 1 _ 111. So 5 bits of the original plaintext were leaked (i.e. it could be accessed without the key).

If we apply the same idea to OR, we see that every time we find a '0' in the encrypted byte, we know that the input (i.e. the plaintext) must also be a '0'. If we find a '1', we don't know whether the input is a '0' or a '1'. Hence we can conclude that the plaintext entered is: _ 00 _ 0 _ _ _. This time we could lose 3 bits of the original plain text byte without knowing anything about the key.

After all, we can't get a piece of the original plaintext byte using XOR. Every time we see a '1' in the encrypted byte, this '1' could have been generated from a '0' or a '1'. The same applies to a '0' (it can come from either a '0' or a '1'). As a result, not a single bit is lost from the original plaintext byte.

The main reason is that if a random variable with unknown distribution R1 is XORed with a random variable R2 with uniform distribution, the result will be a random variable with uniform distribution. So you can just randomize a biased input, which you can't do with other binary operators.

The output of XOR always depends on both inputs. This is not the case with the other operations you mentioned.

I think because XOR is reversible. If you want to create hash, you should avoid XOR.

XOR is the only gate that is used directly, as the other input always has an influence on the output regardless of the input.

However, it is not the only gate used in cryptographic algorithms. That may be true of old school cryptography, which includes tons of bit shuffles and XORs and rotating buffers, but for prime-based crypto you need all kinds of math that is not implemented through XOR.

XOR acts like a toggle switch that you can use to toggle certain bits on and off. If you want to "encode" a number (a bit pattern), XOR it with a number. If you take that encrypted number and XOR it with the same number again, you will get Your original number back .

When you "encrypt" a number (or text or any bit pattern) with XOR, you have the basis for much of the cryptography.

XOR uses fewer transistors (4 NAND gates) than more complicated operations (e.g. ADD, MUL), which makes it easier to implement in hardware when the number of gates is important. In addition, an XOR is its own inversion, which is good for applying key material (the same code can be used for encryption and decryption). AES 'very simple AddRoundKey operation is an example of this.

In symmetric crypto, the only real selection operations that mix bits with the encryption and do not increase the length are operations that are added with carry, add without carry (XOR), and compare (XNOR). Any other operation will either lose bits, expand, or be unavailable on CPUs.

The XOR property (a xor b) xor b = a practical for stream ciphers: To encrypt encrypted data, a pseudo-random sequence of n bits is generated using the crypto key and the crypto-algorithm.

Sender: Data: 0100 1010 (0x4A) Pseudo-random sequence: 1011 1001 (0xB9) ------------------ ---------------- -. encrypted data 1111 0011 (0xF3) ------------------ ------------------. Recipient: encrypted data 1111 0011 (0xF3) Pseudo-random sequence: 1011 1001 (0xB9) (recipient has key and calculates the same sequence) ------------------ ------- -----------. 0100 1010 (0x4A) data after decryption ------------------ ------------------.

Let's look at the three common bitwise logical operators

Let's say we can choose a number (let's call it a mask) and combine it with an unknown value

  • AND is about setting some bits to zero (those that are set to zero in the mask).
  • OR is about forcing some bits to one (the ones that are set to one in the mask).

XOR is more subtle. You cannot exactly know the value of any part of the result, regardless of the mask you choose. If you have your mask however twice apply, you will get your original value back.

In other words, the purpose of AND and OR is to remove some information, and that's definitely not what you want in cryptographic algorithms (symmetric or asymmetric encryption or digital signature). If you lose information, you cannot get it back (decrypt), or the signature would tolerate some tiny changes in the message, ruining its purpose.

Everything that has been said applies to cryptographic algorithms, not to their implementations. Most cryptographic algorithm implementations also use many ANDs, usually to extract individual bytes from 32 or 64 internal registers.

Usually you will get such code (this is an almost random excerpt from aes_core.c).

8 XORs and 7 ANDs if I count correctly

I think it's just because a given random set of binary numbers would tend a large number of 'OR' operations to all 'ones, as would a large number of' AND 'operations tend to all zeros. With a large number of 'XORs producing a random selection of ones and zeros.

This doesn't mean AND and OR aren't useful - just that XOR is more useful.

The prevalence of OR / AND and XOR in cryptography has two reasons:

One of them is lightning-fast instructions.

Second, they are difficult to model using traditional math formulas

XOR is a mathematical calculation in cryptography. It is a logical operation. There are other logical operations: AND, OR, NOT, modulo function, etc. XOR is the most important and most used.

If it's the same, it's 0.

If it's different, it's 1.


Message: Hello

Binary version of Hello: 01001000 01100101 01101100 01101100 01101111

Keystone stream: 110001101010001101011010110011010010010111

Cipher text with XOR: 10001110 11000110 00110110 10100001 01001010

Applications: The one-time pad / Vern-am encryption uses the exclusive or function in which the recipient has the same keystream and receives the ciphertext via a hidden transport channel. The recipient then xor the ciphertext with the keystream to reveal the plaintext of hello. In One Time Pad, the key stream should be at least as long as the message.

Fact: The One Time Pad is the only truly unbreakable encryption.

Used exclusively or in the Feistel structure that is used in the DES algo block encryption.

Note: With an XOR operation, there is a 50% chance of outputting 0 or 1.

We use cookies and other tracking technologies to improve your browsing experience on our website, to show you personalized content and targeted ads, to analyze our website traffic, and to understand where our visitors are coming from.

By continuing, you consent to our use of cookies and other tracking technologies and affirm you're at least 16 years old or have consent from a parent or guardian.

You can read details in our Cookie policy and Privacy policy.