Stream ciphers use a deceptively simple mechanism: you combine the plaintext data, bit by bit, with “key” bits, using the exclusive or operation.
Why can't I use other opeartions such as NAND, AND, OR . Can you guys give me one real time example which brings advantage of using XOR over other operations.
Why can't I use other opeartions such as NAND, AND, OR
Because it needs to be invertible.
For example, if you use NAND, then if the bit from the key generator is a 0, then the output of the NAND will be 1, no matter what the data bit was. Hence, when the decryptor tries to recover that data bit, it can't.
If you assume that the operation works on individual bits, is invertable, is stateless and adds security (hence having the output which is just the plaintext bit is not acceptable), then the only two possibilities that work are XOR and XNOR (which is just XOR with the output inverted).
Edit: For any additive group operation, including addition modulo $k$ if the added keystream symbols $z_t$ are uniformly distributed, which means $$ Pr(z_t=a)=1/k, \quad \forall a \in \{0,\ldots, k-1\} $$ then the ciphertext symbols $c_t=x_t+z_t \pmod k$ are themselves uniformly distributed, $x_k$ being the plaintext symbol. You can show this in exactly the same manner as in the new answer by @user93353. Essentially addition of symbols corresponds to convolution of the probability distributions of $z_t$ and $x_t$ to get the probability distribution of $c_t$.
The idea of using addition is older than modern ciphers. In classical alphabetic ciphers, addition modulo $k$ over a finite alphabet of size $k$ will work. Note that XOR is a special case of this where addition is modulo 2.
Addition modulo $k$ just means that you add $a,b \in \{0,1,\ldots,k-1\}$ by taking the remainder after division by $k,$ if necessary; this is sometimes informally referred to as clock addition: If the time is 10 am, 4 hours later the time is $10+4 = 14 \pmod{12} \equiv 2$ hence you obtain 2 pm.
Consider the alphabet $\{A,B,\ldots,Z\}$ modelled by $\mathbb{Z}_{26}$ the integers modulo 26 under addition where
we have the encoding
$$
A\leftrightarrow 0, B\leftrightarrow 1,\ldots,Z\leftrightarrow 25.
$$
or pictorially
If you have the plaintext ATTACK it is represented by the sequence $$0,19,19,0,2,10$$ and if you additively apply the key SECRET represented by the sequence $$18,4,2,17,4,19$$ you obtain the ciphertext $$ 0+18,19+4,19+2,0+17,2+4,10+19=18,23,21,17,6,29 $$ which after applying the modulo 26 reduction becomes $$ 18,23,21,17,6,3 $$ giving the ciphertext SXVRGC.
The first reason obviously is that XOR is reversible. AND and NAND are not reversible.
But the important reason is found by looking at the truth table for XOR
Let $x$ be the plain text bit & let $s$ be the bit from the keystream generator.
| x | s | output |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
If the keystream bit $s$ is perfectly random, then it has 50% chance of being $0$ or $1$. In this case, the output also is perfectly random - i.e. has a 50% chance of being $0$ or $1$
XOR function is perfectly balanced, i.e., by observing an output value, there is exactly a 50% chance for any value of the input bits. This distinguishes the XOR gate from other Boolean functions such as the OR, AND or NAND gate.
This can also be proved more formally.
Let the probability of the clear text bit $x$ being $0$ is $p$. $p$ can be any value.
$P(x = 0) = p$
$P(x = 1) = 1 - p$
$P(s = 0) = 0.5$
$P(s = 1) = 0.5$
$P(x\text{ XOR } s == 0) $ (Probability of output of $XOR$ being $0$)
$= P(s = 0) \star P(s = 0) + P(x = 1) \star P(s = 1) =$
$= p \star 0.5 + (1 - p) \star 0.5$
$= 0.5x + 0.5 - 0.5p$
$= 0.5$
$P(x \text { XOR } s == 1)$ (Probability of output of $XOR$ being $1$)
$= P(x = 1) \star P(s = 0) + P(x = 0) \star P(s = 1) $
$= (1 - p) \star 0.5 + p \star 0.5$
$= 0.5 - 0.5p + 0.5p $
$ = 0.5$
So we see that irrespective of what is the probability of the cleartext bit $x$ being $0$ or $1$, the output has exactly 50% probability of being $0$ or $1$.
As the other answers say, the reason is that XOR is invertible. Your diagram shows exactly that: $$f(P, K) = C$$ $$f(C, K) = P$$
Actually, there are many functions that are invertible.
If we operate on separate bits (argument length is 1 bit, or arity = 1), then besides XOR we can construct other invertible functions, for instance: $$f(P, K) = \lnot (P \oplus K)$$ Its inversion function is: $$f^{-1}(C, K) = (\lnot C) \oplus K$$
We can also define many other functions that operate not on a single bit, but on groups of 2 bits or even on 8 bits. For instance, the definition may look as follows:
| a | b | f(a,b) |
|----------|----------|----------|
| 00000000 | 00000000 | 11010011 |
| 11010011 | 00000000 | 00000000 |
| ... | ... | ... |
| 00110010 | 01001101 | 10010110 |
| 01001101 | 10010110 | 00110010 |
| ... | ... | ... |
But implementation of such function can take much resources. E.g. for $arity = 8$ the definition would contain $2^8 * 2^8 = 2^{16}$ elements in generic case. But since it needs to be invertible, it will contain 2 times less elements, $2^{15} = 32K$. Means, just the function definition would need 32K memory. Hardware operations with such function can be relatively slow.
Whereas hardware implementation of XOR is very simple and very efficient.
This says what the other answers say (necessarily) but in a way which is simpler and which may be more intuitive. It may be useful to see things put this way.
XOR inverts a data bit if the key is 1 and does not invert it if the key is 0.
(A random key data stream randomly does or doesn't invert data bits.)
When the same key stream is applied to the encrypted data stream it reinverts the bits which were inverted during encoding, thus restoring the original data bit AND does not invert bits that were not inverted during encoding, so you obtain a data stream identical to the original.
No function other than XOR has these properties*.
*XNOR is simply XOR inverted - XNOR inverts on key = 0 and dooes not invet on key = 1 - the end to end result is the same.
Because those papers were written after The Great God Gates invented the computer. Computers find XOR easy/fast/boring.
Invertability is crucial in encrypting and then decrypting a message. But it doesn't have to be XOR. It only has to be a varied bijective function, i.e. a one-to-one correspondence subject to an external variable. So for example "A" maps to "giraffe" given 200, "B" maps to "5" given 1 and "C" maps to $\Psi$ given 65 but maps to $\mu$ given 64, e.t.c. And in reverse. Uniquely. It's just luck that XOR happens to be bijective.
Since cryptography is more of an art than science, it's up to you to develop your own fun mapping. As long as its 1:1. Perhaps it'll look like:-
