The XOR cipher

A while back, I had the idea to design reversible noise, where the function f used for both encrypting and decrypting is the same, so that f(text, password) = f(encrypted, password).


Read on if you're interested in how it works.

ROT-13 Encryption

Reciprocal ciphers have been around for ages. A classic example is the ROT-13 Cipher, which rotates a letter 13 positions in the alphabet. With an alphabet of 26 letters (excluding ñ), repeating this operation brings you back to the original letter: A -> N and N -> A.

ROT13 cipher dial

XOR Encryption

My aim was to create a somewhat more secure cipher that requires a password for encryption/decryption. This is where XOR Encryption comes into play, based on the XOR (⊕) logical operation, eXclusive OR:


This operation can be applied to a number at the bit level. For example, 220 ⊕ 153 = 69.

The beauty of XOR is its reciprocity: just as 220 ⊕ 153 = 69, 220 ⊕ 69 = 153. Given any number A, the operation A ⊕ P = B and B ⊕ P = A. Thus, we can define a password P, enabling us to reversibly encrypt any string by assigning a number to each letter.

For example, if our string is "HELLO WORLD", our password is "PASSWORD", and we assign each letter a position in the alphabet (0 for space), we get the encrypted string "IFMMP XPSME".

Reapplying the operation with "PASSWORD" and "IFMMP XPSME", we get back our original string. However, two issues remain:

Handling Different Length Strings

A simple solution is to pad the password with spaces until it matches the text length. However, this changes nothing, as A ⊕ 0 = A. For instance, with "HELLO WORLD THIS IS A TEST", we get "IFMMP XPSME THIS IS A TEST".

Another option is to pad the password with a non-space symbol. Or, for less predictability, loop the password. In this way, for "HELLO WORLD THIS IS A TEST", using "PASSWORDPASSWO" as the password, the encrypted result is "IFMMP XPSMETHIS IS A TEST".

Bar chart of the frequency (%) of the letters in Spanish

However, this solution is also insecure, as encrypting long texts would make it easy to spot frequently repeating letter combinations, allowing password guessing through frequency analysis. But there's still a trick up our sleeve.

Hash Functions

In cryptography, hash functions are techniques that encrypt a string at low cost but with a prohibitively high decryption cost, sometimes taking millennia.

This is the case with the SHA-256 function. Using this function, we can encrypt the password and safely apply XOR encryption. To create a longer password, we would use a list of salts. I won't go into detail on this to keep the post brief, but feel free to ask more in the comments.


After all this, we have achieved a moderately secure reciprocal cipher and, more importantly, learned a bit about cryptography.

If you're interested, you can try this cipher yourself on this page. It's a version to which I've added more characters.


Jatm4 Reply
Hola Juan me gusta mucho tu blog, me gustaría aprender sobre la función hash que usas y los salts para hacer la contraseña con la misma longitud, casi no entendí esa parte y quisiera que lo explicarás, espero que me respondas, un saludo!

Leave a comment

Get a mail