XOR Cipher Calculator

Reviewed by the CalculatorHub team, edited by James Graham. Repeating-key XOR, teaching use only. Last verified 17 June 2026.

The XOR cipher combines each byte of your message with a byte of a repeating key using the bitwise exclusive-or operation. Because XOR is its own inverse, the same key both encrypts and decrypts. It is the engine behind stream ciphers and the theoretically perfect one-time pad, but with a short repeating key it is easily broken. This calculator XORs UTF-8 text with a key and shows the result as hexadecimal, and reports the byte counts. A short reused key is never real security.

Plaintext (UTF-8)

Key (UTF-8)

XOR result (hex)

Message bytes

Key bytes

XOR cipher formula

convert message and key to UTF-8 byte arrays
for byte i: cipher[i] = message[i] XOR key[i mod keylen]
output = hex of each cipher byte
decode: same operation, since (m XOR k) XOR k = m

XOR (exclusive-or) returns 1 only when the two bits differ. The key repeats cyclically. Hex output is two characters per byte. The same key reverses the operation, so encode and decode are identical.

XOR cipher context

XOR is the core of stream ciphers and the one-time pad.
A truly random, never-reused, message-length key (one-time pad) is unbreakable; a short repeating key is not.
Reusing a key across messages enables a crib-dragging attack.
Hex output safely represents non-printable cipher bytes.
For real security use a vetted stream or block cipher such as AES, not a hand-rolled XOR.

XOR cipher: frequently asked questions

What is a repeating-key XOR cipher?

Each byte of the plaintext is combined with a byte of the key using the bitwise exclusive-or (XOR) operation, with the key repeating over the message. XOR is its own inverse, so applying the same key again recovers the original. It is the building block of stream ciphers and the one-time pad.

Why is the output shown in hexadecimal?

XOR of text and a key produces arbitrary bytes, many of which are non-printable control characters. Hexadecimal (two hex digits per byte) is a safe, lossless way to display and copy the result. To decode, this calculator also accepts hex input when you switch the input format.

Is XOR encryption secure?

A repeating short key is not secure: it is vulnerable to known-plaintext attacks and to frequency analysis once the key length is found. XOR is only unconditionally secure as a one-time pad, where the key is truly random and as long as the message and never reused.

How does XOR decode work?

Because (A XOR K) XOR K equals A, decoding is identical to encoding with the same key. Feed the hex ciphertext and the same key back in, and you get the original text. This symmetry is what makes XOR central to stream ciphers.

Does it support multi-byte (UTF-8) characters?

Yes. Text is encoded to UTF-8 bytes before XOR, so accented and non-Latin characters work. The key is also taken as UTF-8 bytes. The byte count shown reflects UTF-8 length, which can exceed the visible character count.

Official sources

NIST: stream ciphers and block cipher modes (SP 800-38 series).
NIST glossary: exclusive-or and stream cipher definitions.

Reviewed by the CalculatorHub team, edited by James Graham, 17 June 2026. See our methodology.