Cryptography is a vast subject, from symmetric cryptography which includes stream and block ciphers, to asymmetric cryptography and finally a large number of protocols. There is a lot to learn in this branch of science. But one thing is certain, no matter which topic you are studying in this vast field, you will always find some use of the logical operation known as Exclusive OR, or XOR.

There are a number of other logical operations out there, but none of them plays such a big role in almost all cryptographic algorithms. It's almost as if XOR holds some magical properties that make it so special for this domain. Well, they are not magical, but XOR does hold a number of special properties which make it stand out among other logical operations. Let's discuss these properties one by one in detail, and try to find out whether any other logical operation has these properties.

XOR is an involutory function, meaning the information is preserved

XOR is one of the logical operations which preserve information, meaning you can always get back one of your inputs if you have the output and the other input. Let's understand this with an example.

Let's say you have two input strings, 'a' (0011) and 'k' (0101), and you XOR them together. The result will be 'c' (0110). In a cryptographic setting, usually the string 'a' will be the input string, and 'k' will be the key. The encrypted string will be 'c'. Now, for the decryption process, one can simply XOR the encrypted string 'c' with the key 'k' and get back the input string 'a' (and this works the other way too, for example one can XOR 'c' with 'a' and get 'k' back).

Testing this property on other logical operations, one will realize that it does not work. For instance, using the same input text 'a' and the key 'k' as above with the AND operation, we get 'c' as (0001). We will not get back 'a' if we AND 'c' with the key 'k' (what we get is 0001). The same goes for other operations like OR. Out of all the logical operations, there is one, though, which does have this property. It's XOR's evil twin brother XNOR (you can check that XNOR does hold this property by using the same example as above). So why isn't XNOR popular in the cryptographic world? We shall see.

XOR does not leak information about the inputs

This property is very important for cryptography. Because of this property, when we get a result bit, we cannot predict anything about the input bit or the key bit. The probability of the input bit being 0 is the same as the probability of it being 1 (and this stands for the key bit as well).

Let's take our previous input 'a' (0011) and our key 'k' (0101). The result would be 'c' (0110). Taking a closer look at the resulting bits, we can see this property in play. When the resulting bits are 0 (the first and the last one), the input bit and the key bit can either be 0 or 1. Sure, they have to be the same for the result to be 0, but we cannot predict what they will be. There is a 50-50 chance. In cases when the resulting bit is 1 (the second and the third bit), again the input bit and the key bit can either be 0 or 1. They have to be different for the result to be 1, but we cannot predict what they are.

Testing this property on other logical operations, one can easily see that it does not hold. In the case of an AND operation, when the resulting bit is 1, it is known that both the input bit and the key bit for that particular instance are 1. Similarly, for an OR operation, when the resulting bit is 0, it is known that both the input bit and the key bit are 0. For a random string of input and key bits, this will leak about 25% of the information. Surprisingly, there is one logical operation which holds this property, and it's none other than (you guessed it) XNOR. There has to be some advantage of XOR which makes it more popular in the crypto world. We shall find out in the discussion below.
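Both properties discussed so far (recovering an input, and leaking nothing about the inputs) can be checked against every one of the 16 possible two-input logical operations. The following is an added example, not part of the original article; the truth-table numbering and the function names are assumptions made for the illustration, and "leak" is measured the way the paragraph above does it, as the share of equally likely input pairs whose output bit gives away an input outright.

```python
from itertools import product

# Truth table number t encodes f(a, k) as bit (2*a + k) of t (assumed encoding).
NAMES = {0: "FALSE", 1: "NOR", 6: "XOR", 7: "NAND", 8: "AND",
         9: "XNOR", 14: "OR", 15: "TRUE"}
PAIRS = list(product((0, 1), repeat=2))

def gate(t):
    """2-input boolean function with truth table t (0..15)."""
    return lambda a, k: (t >> (2 * a + k)) & 1

def recoverable(f):
    """Either input can be recovered from the output plus the other input."""
    return (all(f(0, k) != f(1, k) for k in (0, 1)) and
            all(f(a, 0) != f(a, 1) for a in (0, 1)))

def leaked_fraction(f):
    """Share of equally likely (a, k) pairs whose output fixes a or k outright."""
    leaked = 0
    for a, k in PAIRS:
        same = [p for p in PAIRS if f(*p) == f(a, k)]
        if len({x for x, _ in same}) == 1 or len({y for _, y in same}) == 1:
            leaked += 1
    return leaked / len(PAIRS)

def survivors():
    """Truth tables that are recoverable and leak nothing."""
    return [t for t in range(16)
            if recoverable(gate(t)) and leaked_fraction(gate(t)) == 0]

def bitwise(t, a, k):
    """Apply gate t position by position to two equal-length bit strings."""
    f = gate(t)
    return "".join(str(f(int(x), int(y))) for x, y in zip(a, k))

if __name__ == "__main__":
    a, k = "0011", "0101"                      # the article's example values
    for t in (6, 9, 8, 14):
        c = bitwise(t, a, k)
        print(f"{NAMES[t]:5} c={c} back={bitwise(t, c, k)} "
              f"recoverable={recoverable(gate(t))} leak={leaked_fraction(gate(t)):.2f}")
    print("both properties:", [NAMES.get(t, t) for t in survivors()])
```

The constant operations FALSE and TRUE also leak nothing, but only because they discard both inputs, so they fail the recoverability check.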

XOR corresponds to addition in Galois Field, GF(2)

When you start learning cryptography, you will come across stream ciphers. The main operation on the bits in stream ciphers is addition modulo 2 ('a + b mod 2').

AES is one of the most widely used block ciphers and one of its main operations is byte substitution, which surprisingly is done using a fixed table. This fixed table (or S-box) is constructed using something called Galois fields, since Galois fields have incredible properties which can be used to scramble and unscramble data. A Galois field (finite field) is a field with a finite number of elements, on which addition, subtraction, multiplication and division (inverse) can be performed while satisfying basic rules. If we take the example of a simple Galois field, GF(2), then these operations become trivial. Addition and subtraction both become the same, 'a + b mod 2' (we are not bothering with multiplication and division at this time since they are a little complicated, and not relevant to this discussion).

If you've not noticed it already then let me tell you that the above mentioned operation, 'a + b mod 2', is nothing but XOR. Because of these fundamental reasons, XOR got picked up for cryptographic algorithms instead of XNOR. XOR seems to be the more natural choice as compared to XNOR.

XOR is less complex and is efficient as compared to XNOR

Most programming languages and assembly language instruction sets offer an XOR operation, but no XNOR operation. To get an XNOR, one has to perform an XOR and a NOT. But wait! This sounds more like the result and not the reason. Could it be that most programming languages and assembly language instruction sets offer an XOR operation because it is popular in cryptography? Then it would mean that there was some other reason for XOR being chosen over XNOR.

It turns out the reason was efficiency itself, but at the more basic, building-block level of digital circuit construction. Firstly, we have to understand that there exist universal gates, which can be used to construct all other logical gates. NAND and NOR are the universal gates. Also, NAND is preferred over NOR for a number of reasons, such as less delay and the size of the transistors needed (we will not go into the details here).

Now, getting back to the topic at hand: to construct an XOR gate, we need 4 (2-input) NAND gates, but we need 5 (2-input) NAND gates to construct an XNOR gate. To construct an XOR gate, we need 5 (2-input) NOR gates, but we need 4 (2-input) NOR gates to construct an XNOR gate. But we have already established that NAND gates are better than NOR gates. So, during the earlier days, XOR got a preference over XNOR, because it would need fewer of the preferred NAND gates. This in turn resulted in most of the programming languages and assembly languages adopting XOR.
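The gate counts above can be confirmed by exhaustive search over every way of wiring 2-input NAND (or NOR) gates together. This is an added example, not part of the original article; it assumes only the two inputs a and b are available (no constant 0 or 1 wires) and that a gate may take the same signal on both inputs, which makes it an inverter.

```python
from itertools import combinations_with_replacement

# Each signal is a 4-bit truth table over the input rows (a, b) = 00, 01, 10, 11.
A, B = 0b0011, 0b0101
XOR, XNOR = A ^ B, ~(A ^ B) & 0xF

def nand(x, y):
    return ~(x & y) & 0xF

def nor(x, y):
    return ~(x | y) & 0xF

def reachable(signals, gate, target, budget):
    """True if `target` can be produced with at most `budget` more gates."""
    if target in signals:
        return True
    if budget == 0:
        return False
    for x, y in combinations_with_replacement(signals, 2):
        out = gate(x, y)
        # A gate that reproduces an existing signal never helps, so skip it.
        if out not in signals and reachable(signals + [out], gate, target, budget - 1):
            return True
    return False

def min_gates(gate, target, limit=6):
    """Smallest number of 2-input `gate`s that computes `target` from a and b."""
    for n in range(limit + 1):
        if reachable([A, B], gate, target, n):
            return n
    return None

if __name__ == "__main__":
    for gname, g in (("NAND", nand), ("NOR", nor)):
        for tname, t in (("XOR", XOR), ("XNOR", XNOR)):
            print(f"{tname} from {gname} gates: {min_gates(g, t)}")
```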