XOR Cipher

XOR text, hex, or bytes against a repeating key. Visual byte-by-byte breakdown. Output as hex, Base64, or binary. Educational purposes only.

6 bytes, repeating

Educational use only. XOR cipher with a repeating key (Vigenère variant) is trivially broken via frequency analysis or known-plaintext attacks. It provides no real security.

Understanding XOR cipher

XOR is the simplest symmetric cipher: apply a key to plaintext to get ciphertext, then apply the same key to ciphertext to recover plaintext. This property makes it foundational in cryptography education. Many CTF (Capture the Flag) challenges involve XOR encryption with weak repeating keys.

This tool lets you perform repeating-key XOR in your browser with a visual byte-by-byte breakdown of the first 16 bytes. Output is available in hex, Base64, or binary. Note that a repeating-key XOR provides no real security: see the FAQ below for when XOR is used safely in production cryptography.

Step-by-step guide

  1. 1
    Select an input format
    Choose 'text' to enter plain text, or 'hex' to enter space-separated hex bytes such as '48 65 6C 6C 6F'.
  2. 2
    Enter your input
    Type or paste the data you want to XOR into the input field.
  3. 3
    Enter the key
    Enter a text key. The key repeats cyclically to match the length of your input. Shorter keys are weaker.
  4. 4
    Click XOR
    The XOR operation is applied byte-by-byte. The result appears in the Output section.
  5. 5
    Choose an output format and copy
    Switch between hex, Base64, and binary output. Copy the result with the Copy button. Apply XOR again with the same key to decrypt.

Related Tools

Frequently Asked Questions

How does XOR cipher work?
XOR (exclusive OR) is a bitwise operation that outputs 1 when bits differ and 0 when they are the same. Each byte of the input is XOR-ed with the corresponding byte of the key (repeating the key if it is shorter than the input). Applying XOR twice with the same key recovers the original data.
Is XOR cipher secure?
No. A repeating-key XOR cipher (also called a Vigenere cipher applied to bytes) is easily broken by frequency analysis or known-plaintext attacks. If any part of the plaintext is known, the key can be recovered. It provides no real-world security and should only be used for educational purposes.
When is XOR used legitimately in cryptography?
XOR is a building block in many secure cryptographic constructions. Stream ciphers like ChaCha20 XOR the plaintext with a cryptographically random keystream. Block cipher modes like CTR and OFB also use XOR. The critical difference is using a cryptographically secure, non-repeating keystream.
How do I decrypt XOR output?
XOR is its own inverse. To decrypt, paste the XOR output (in hex or text format) as the input, use the same key, and click XOR again. The original plaintext is recovered.
What is a one-time pad and how does it relate to XOR?
A one-time pad uses XOR with a truly random key that is exactly as long as the message and used only once. This is theoretically unbreakable. The repeating key XOR shown in this tool is the insecure version: the key reuse is what makes it attackable.
What does the byte-by-byte breakdown show?
The table shows the first 16 bytes of the operation: each data byte in hex, the corresponding key byte in hex, and the XOR result with its ASCII character if printable.
Can I XOR binary files with this tool?
This tool works on text input (UTF-8 encoded) or manually entered hex bytes. For binary file XOR operations, command-line tools like xxd or a scripting language are more suitable.
Why does the output differ between hex and Base64 modes?
The underlying XOR result is the same set of bytes in all cases. Hex, Base64, and binary are simply different text representations of those bytes: they encode the same data in different formats.

AlteredIdea vs alternatives

vs server-side tools: Everything runs in your browser: your data never leaves your device.

vs command-line tools: No setup needed. Works instantly in any browser.

vs paid tools: Completely free, no account required.