up:: Foundations MOC
XOR
XOR, short for exclusive-or, is a bitwise operation that takes two bits and outputs 1 when they differ and 0 when they match. Its defining feature for cryptography is that it undoes itself: applying the same value twice returns the original, so a XOR b XOR b = a. That self-inverse property is why XOR is the fundamental mixing step in symmetric encryption. Combining plaintext with a stream of key bits scrambles the data, and running the exact same combination again with the same key bits unscrambles it, so one operation both encrypts and decrypts.
XOR is the mathematical core of the one-time pad, the provably unbreakable cipher, and of the stream ciphers and block-cipher modes that protect most traffic today. It’s a primitive rather than a keyed hard problem, so a quantum computer has nothing in XOR itself to attack, and the symmetric constructions built on XOR inherit the symmetric world’s quantum resilience.
Source: A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996, Chapter 1 and Chapter 6, cacr.uwaterloo.ca/hac.
The short version:
- XOR outputs 1 when its two input bits differ and 0 when they are the same, so it acts as a bit-level difference detector.
- XOR is its own inverse. Since
b XOR b = 0anda XOR 0 = a, XORing a value in twice with the same key cancels out and hands back the original. - That reversibility is why symmetric encryption uses it: ciphertext is
plaintext XOR keystream, and the receiver recovers plaintext by XORing the same keystream back in. - The one-time pad is XOR with a truly random key that is at least as long as the message and never reused, and Claude Shannon proved it is information-theoretically secure, meaning no amount of computing power breaks it.
- Stream ciphers and block-cipher modes like CTR and CBC are the practical versions, XORing data with a pseudorandom keystream that a cipher generates from a short key.
- XOR is a logic primitive, so the quantum threat runs through the algorithms around it, not through XOR. XOR-based symmetric constructions keep the symmetric world’s quantum resilience, where Grover’s algorithm only halves key strength.
What is XOR?
XOR is one of the basic Boolean logic operations, alongside AND and OR, and it answers a single question about two input bits: are they different? If the two bits differ, XOR returns 1. If they are the same, it returns 0. The name “exclusive-or” captures the idea precisely, because it means “one or the other, but not both,” which is what separates it from the ordinary “inclusive” OR that also returns 1 when both inputs are 1.
In writing, XOR is often shown with the symbol ⊕, and in code it is usually the caret ^. Applied to full-length values rather than single bits, “bitwise XOR” just runs the operation independently on each pair of bits in the same position. So 1100 XOR 1010 compares column by column and gives 0110. That per-bit independence is part of what makes XOR cheap and fast in hardware and software, since every bit position is handled in parallel with no carries to propagate the way addition has.
The complete behavior fits in a four-row truth table, which is worth memorizing because everything else about XOR follows from it:
| Input a | Input b | a XOR b |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
Two facts drop straight out of that table. XORing any bit with 0 leaves it unchanged, and XORing any bit with 1 flips it. Those two behaviors are the whole basis for using XOR to encrypt: the key bits decide, position by position, which plaintext bits get flipped and which stay put.
Source: A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996, Chapter 1, cacr.uwaterloo.ca/hac.
Why does XOR undo itself?
XOR is its own inverse, which means applying it a second time with the same value reverses the first application exactly. This is the single property that makes XOR so useful in cryptography, and it comes from two simple facts already visible in the truth table:
- Anything XORed with itself is 0.
b XOR b = 0, because every bit matches itself, and matching bits produce 0. - Anything XORed with 0 is unchanged.
a XOR 0 = a, because a bit XORed with 0 keeps its value.
Chain those together and the self-inverse behavior falls out: a XOR b XOR b = a XOR (b XOR b) = a XOR 0 = a. XOR is also associative and commutative, so the grouping and order do not change the result, which lets the receiver apply the key at their leisure and still land back on the original.
Translate that into encryption and the machinery becomes obvious. Let P be the plaintext bit, K be the key bit, and C be the ciphertext bit. Encryption is C = P XOR K. Decryption is C XOR K, and substituting gives (P XOR K) XOR K = P XOR (K XOR K) = P XOR 0 = P. The plaintext comes right back. The sender and receiver run the identical operation with the identical key, and the key cancels itself on the second pass. There is no separate decryption routine to build, which is elegant and also a warning: the security lives entirely in the key, since the operation itself is public and trivially reversible by anyone who holds the same key bits.
Source: A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996, Chapter 1 and Chapter 6, cacr.uwaterloo.ca/hac.
Why is XOR everywhere in cryptography?
XOR is everywhere in symmetric cryptography because it is the ideal way to blend a secret key into data, for four reasons that reinforce each other:
- It is perfectly reversible with the same key. As shown above, one operation encrypts and decrypts, so a design needs only to generate good key bits and XOR them in.
- It is balanced. For a uniformly random key bit, the output is 1 exactly half the time and 0 exactly half the time, regardless of the plaintext bit. That balance is what lets a random key hide the plaintext completely, since the ciphertext bit leaks nothing on its own about whether the plaintext bit was 0 or 1.
- It is fast and cheap. XOR is a single instruction on every processor and a handful of gates in hardware, with no carry propagation, so it costs almost nothing even at high throughput.
- It composes cleanly. Because it is associative and commutative, XOR can layer key material, chain blocks together, and mix in nonces without the order-of-operations headaches other combiners bring.
The pattern that results is the same across the whole symmetric world: a cipher’s real work is generating a stream of unpredictable key bits, and XOR is the join that fuses those bits onto the data. This shows up in three canonical places, from the theoretical ideal down to the workhorses running in production:
| Construction | How XOR is used | What the security rests on | Quantum status |
|---|---|---|---|
| One-time pad | plaintext XOR a truly random key at least as long as the message, used once | information theory, proven by Shannon | Unbreakable by any computer, quantum included |
| Stream cipher (for example ChaCha20, or AES in counter mode) | plaintext XOR a pseudorandom keystream the cipher generates | the keystream generator and its key | Survives, Grover only halves key strength |
| Block-cipher modes (CBC, CFB, OFB, CTR) | XOR chains ciphertext blocks together, or XORs plaintext with cipher output | the underlying block cipher, usually AES | Survives, Grover only halves key strength |
In every row, XOR is the constant and the key material is the variable. Change how you produce the key bits and you move from an unbreakable pad to a fast practical cipher, but the combining step stays the same simple operation. NIST specifies exactly these XOR-based modes for turning a block cipher like AES-256 into something that can encrypt data of any length.
Sources: A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996, Chapter 6, cacr.uwaterloo.ca/hac.
NIST, “Recommendation for Block Cipher Modes of Operation, Methods and Techniques,” SP 800-38A, December 2001, csrc.nist.gov.
What is the one-time pad?
The one-time pad is the cipher that XORs a message with a key that is truly random, at least as long as the message, and used exactly once, and it is the only encryption method proven to be perfectly secure. Encrypting is ciphertext = plaintext XOR key, and decrypting is the same XOR with the same key. What sets it apart from every other cipher is not the operation, which is ordinary XOR, but the key: when the key is genuinely random and never repeats, the ciphertext becomes indistinguishable from random noise.
Claude Shannon proved this rigorously in 1949. He showed that any cipher achieving what he called perfect secrecy must use a key that is at least as long as the message, truly random, and never reused, and that the one-time pad meets all three conditions. Perfect secrecy is a strong claim: given only the ciphertext, every possible plaintext of that length is equally likely, so an attacker with unlimited computing power learns nothing beyond the length of the message. A 20-bit ciphertext could have come from any of the roughly one million distinct 20-bit plaintexts with equal probability, and nothing in the ciphertext favors one over another.
This is a different kind of security from every other cipher in this Guide. AES-256, RSA, and the post-quantum standards like ML-KEM are computationally secure, meaning they rest on problems believed too expensive to solve. The one-time pad is information-theoretically secure, meaning no computer breaks it regardless of speed, quantum or otherwise. The catch is practicality. The key is as long as all the traffic combined and can be used only once, so two parties who could reliably exchange that much secret key material could just as easily exchange the message. That key-distribution cost is why the one-time pad is reserved for the highest-stakes channels, such as diplomatic hotlines and elite espionage links, rather than everyday use.
Source: A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996, Chapter 1 (perfect secrecy and the Vernam cipher), cacr.uwaterloo.ca/hac.
Is XOR encryption secure on its own?
Plain XOR encryption is only as secure as the key stream it uses, and with anything short of a one-time pad’s key it is weak. XOR contributes reversibility and balance, and nothing more. All of the security has to come from the key bits being unpredictable and never reused, so the ways XOR encryption fails are really ways the key fails:
- A short, repeating key is easy to break. If a short key is repeated to cover a long message, the ciphertext inherits the plaintext’s statistical structure at the key’s period. Classic frequency analysis and index-of-coincidence techniques recover the key length and then the key, which is how repeating-key ciphers have been broken for over a century.
- Reusing a one-time pad destroys it. If the same key stream encrypts two different messages, an attacker XORs the two ciphertexts together and the key cancels, leaving
plaintext1 XOR plaintext2. That combined stream leaks enough structure to peel both messages apart, which is why the “one-time” rule is absolute. - A non-random key stream is predictable. If the key bits come from a weak generator, an attacker who predicts the stream decrypts everything. This is why real stream ciphers invest almost all their design effort in producing a keystream that is computationally indistinguishable from random.
- XOR alone gives no integrity. XOR provides confidentiality only. An attacker who flips a bit in the ciphertext flips the exact same bit in the recovered plaintext without needing the key, so XOR-based encryption is paired with a MAC or authenticated mode to detect tampering.
The takeaway is that “XOR encryption” as a standalone scheme is a teaching example, not a real cipher. The moment the key is random, full-length, and single-use, it becomes the unbreakable one-time pad. The moment the key comes from a strong cipher’s keystream, it becomes a modern stream cipher. XOR is the reliable, public constant in both, and the secret lives entirely in the key.
Source: A. Menezes, P. van Oorschot, S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996, Chapter 6, cacr.uwaterloo.ca/hac.
Does a quantum computer break XOR?
No, because XOR is a logic primitive with no hidden mathematical structure for a quantum algorithm to exploit. The quantum attacks that matter target specific hard problems. Shor’s algorithm solves factoring and the discrete logarithm, which is what breaks public-key algorithms like RSA and ECDH outright. XOR rests on neither, so Shor’s algorithm has no purchase on it at all.
The only relevant quantum pressure lands on the key search around XOR, not on XOR itself, and it comes from Grover’s algorithm. Grover speeds up brute-force search of an unstructured key space quadratically, which halves the effective strength of a symmetric key. A stream cipher or a block-cipher mode keyed at 256 bits keeps about 128 bits of security against a quantum attacker, which stays far out of reach, so the response is a larger key rather than a new design. The one-time pad sits even further outside the quantum story, since its security rests on information theory rather than on any problem being hard to compute, so no computer of any kind touches it.
The practical read is that XOR-based symmetric constructions carry forward through the quantum transition with, at most, a key-size adjustment. The real quantum exposure sits in the public-key algorithms that distribute the symmetric keys in the first place. If an adversary records a session today and later breaks the recorded public-key key exchange, they recover the symmetric key and can XOR their way through the traffic without ever attacking XOR or the cipher. That recorded-now, decrypted-later problem is Harvest Now, Decrypt Later, and it is a public-key story, which is why the transition focuses there.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.
Where did encrypting with XOR come from?
The idea of mechanizing encryption as a bit-by-bit XOR against a key tape goes back to 1917, and its story is a clean illustration of everything above. Gilbert Vernam, an engineer at AT&T, built a teleprinter cipher that combined each character of the message with a character from a prepared key tape, and the combining function he wired into relay logic was XOR applied to the bits of the Baudot teleprinter code. His design was patented in 1919. Vernam did not use the word “XOR,” but the operation he implemented is exactly it, which makes the modern stream cipher a direct descendant of that machine.
The leap to unbreakability came from Joseph Mauborgne, a US Army Signal Corps officer, who added the requirement that the key tape be truly random and used only once. That Vernam-Mauborgne construction is the one-time pad, and it was in use for decades before anyone proved why it worked. The proof arrived in 1949, when Claude Shannon published “Communication Theory of Secrecy Systems” and showed formally that a one-time pad delivers perfect secrecy. So the practical machine came first, and the mathematics that explained its unbreakability followed 30 years later, a reminder that XOR has been the join between plaintext and key from the very start of automated cryptography.
Source: Simon Singh, “The Code Book,” Doubleday, 1999 (Vernam’s 1919 teleprinter patent, Mauborgne’s random-single-use key, and Shannon’s 1949 proof of the one-time pad’s perfect secrecy).
Common misconceptions
- “XOR is an encryption algorithm.” XOR is a combining operation, not a cipher. It supplies reversibility, while all of the security comes from the key stream it is fed. Change the key from a short repeating string to a truly random pad and the same XOR goes from trivially breakable to unbreakable.
- “XOR encryption is unbreakable.” Only the one-time pad is, and only when its key is truly random, at least as long as the message, and never reused. XOR with a short or repeated key is broken with classical frequency analysis.
- “Encrypting twice with XOR doubles the security.” XORing with the same key a second time cancels the first pass and returns the plaintext, because XOR is self-inverse. Layering it that way removes protection instead of adding it.
- “XOR and OR are the same operation.” OR returns 1 whenever either input is 1, including when both are. XOR returns 1 only when the inputs differ, so it returns 0 when both are 1. That single-row difference is what makes XOR reversible and OR not.
- “A quantum computer will break XOR-based ciphers.” XOR has no number-theoretic structure for Shor’s algorithm to solve. XOR-based symmetric ciphers face only Grover’s square-root speedup on key search, which a 256-bit key absorbs comfortably.
- “XOR keeps a message both secret and tamper-proof.” XOR delivers confidentiality only. Flipping a ciphertext bit flips the same plaintext bit with no key needed, so integrity requires a separate MAC or an authenticated encryption mode.
Questions people ask
Is XOR encryption secure? Only when it is a genuine one-time pad, with a truly random key that is at least as long as the message and used exactly once. In that form Shannon proved it perfectly secure. With a short or reused key, XOR encryption is weak and falls to classical analysis, so it is a teaching example rather than a standalone cipher.
Why does the same XOR operation both encrypt and decrypt? Because XOR is its own inverse. Encryption computes ciphertext = plaintext XOR key, and decryption computes ciphertext XOR key, which expands to plaintext XOR key XOR key. The key XORed with itself is 0, and XORing with 0 leaves the plaintext untouched, so the second pass cancels the first.
What is the difference between XOR and the one-time pad? XOR is the operation, and the one-time pad is a complete cipher that uses XOR with a specific kind of key. The pad’s guarantee comes entirely from the key being truly random, message-length, and single-use. Feed XOR a weaker key and it stops being a one-time pad and stops being secure.
Why can’t you reuse a one-time pad key? Because reusing the key lets an attacker XOR two ciphertexts together, which cancels the shared key and leaves the two plaintexts XORed with each other. That combined stream carries enough structure to separate both messages, so a reused pad loses the perfect secrecy that made it worth using.
Is the one-time pad quantum-safe? Yes, and more than that, it is safe against any computer at all. Its security rests on information theory rather than on a problem being expensive to compute, so neither a classical nor a quantum machine gains any advantage against it. Its limitation is key distribution rather than raw computation.
Does XOR provide integrity, or just confidentiality? Confidentiality only. An attacker who flips a bit in the ciphertext flips the matching plaintext bit on decryption without knowing the key, so XOR-based encryption is combined with a message authentication code or an authenticated mode to detect tampering.
What is the difference between XOR, AND, and OR? AND returns 1 only when both inputs are 1, OR returns 1 when at least one input is 1, and XOR returns 1 only when the inputs differ. XOR is the one that is reversible with a repeated operand, which is why cryptography reaches for it rather than the other two.
Do modern ciphers really just use XOR? They use XOR as the final combining step, and put enormous effort into everything that produces the key bits it is fed. A cipher like ChaCha20 or AES-256 in counter mode spends its complexity generating a keystream that looks random, then XORs that keystream onto the data. The strength is in the keystream, and XOR is the simple, reliable join.
Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.