Suppose that you want to encrypt a single message M ∈ {0, 1, 2} using a random shared key K ∈ {0, 1, 2}. Suppose you do this by representing K and M using two bits (00, 01, or 10), and then XORing the two representations. Does this seem like a good protocol to you?

Encrypt a single message M ∈ {0, 1, 2} using a random shared key K ∈ {0, 1, 2}. No, this protocol does not seem good.

Explanation:

No, this scheme does not have the security guarantees of a one-time pad. The table below lists the resulting encrypted messages using this scheme. We can see that some outcomes exclude certain inputs.

For example, given E (K, M) = 11 an attacker knows that the sent message M is not 0.

K M E (K, M)

00 00 00

01 00 01

10 00 10

00 01 01

01 01 00

10 01 11

00 10 10

01 10 11

10 10 00