The answer is the second choice--that you can recover almost the full message--
everything except for the very first block--
that the point of the initialization vector is just to hide
repetition among encryptions that would appear just looking at the first block.
And the reason for this--we can look at how the encryption mode behaves--
We saw that for all of the blocks except for the first one, the value of Ci
is the encryption of the value mi--include my key there--and we saw for
the way the encryption mode works, Ci is equal to the encryption
using the key K of mi EXOR C(i-1). The exception to that is block C0,
where that's the value of encrypting m0 EXOR'd with IV.
So we didn't explain how to do decryption.
But from the way the encryption was, you should be able to figure that out.
We can look at this backwards--so in order to get the last message block--
well, what we need to do is decrypt using key K, and input to decrypt
is this last ciphertext block. So we're going backwards--
we're decrypting. We don't have the message block yet. To get the message block,
we need to do the EXOR to get the message block N - 1
and so that means we're EXORing that with the ciphertext value
of the previous block, which we already have.
Remember we have--to decrypt, we start with all the ciphertext blocks.
So this is how we decrypted the last block, but each
block is the same. To get message block i, we need to decrypt ciphertext block i,
and EXOR that with the previous ciphertext block.
So we can do that for all the blocks, except for--we have this exception
for the last one. The encryption for the last one used this IV--
to get the last message block, what we need to do is decrypt
the last ciphertext block--or the first ciphertext block--we're going backwards now.
And then EXOR that result with the IV.
So if we lose the IV but don't lose the key,
and don't lose the ciphertext, we've lost just the first block.
And if the IV was selected perfectly at random, well,
we have no information at all about the first block.
Because whatever we get out of this decryption is EXOR'd with that IV
to get the message. So if we have no information about the IV,
we have no information about the first message block.
But we can decrypt all the other blocks.
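
The decryption described above, as an added example that is not part of the original lecture: the chaining mode is implemented as stated (C0 = E_K(m0 EXOR IV), Ci = E_K(mi EXOR C(i-1))) and the ciphertext is decrypted once with the real IV and once with the IV lost. The block cipher E/D here is a small Feistel construction chosen as a stand-in so the code runs with only the standard library; it is an assumption of this example, not a real cipher such as AES, and the sample message is constructed.

```python
import hashlib
import os

BLOCK = 16  # bytes per block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the stand-in cipher: keyed hash cut to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key, block):
    # Stand-in block cipher (4-round Feistel), assumed for this demo only.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def D(key, block):
    # Inverse of E: undo the rounds in reverse order.
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, msg_blocks):
    prev, out = iv, []
    for m in msg_blocks:
        prev = E(key, xor(m, prev))  # first block chains from the IV
        out.append(prev)
    return out

def cbc_decrypt(key, iv, ct_blocks):
    # mi = D_K(Ci) EXOR C(i-1); only block 0 ever touches the IV.
    prevs = [iv] + ct_blocks[:-1]
    return [xor(D(key, c), p) for c, p in zip(ct_blocks, prevs)]

def demo():
    key, iv = os.urandom(16), os.urandom(16)
    msg = [b"block zero .....", b"block one ......", b"block two ......"]  # constructed
    ct = cbc_encrypt(key, iv, msg)
    lost_iv = bytes(BLOCK)  # IV lost: decrypt with an arbitrary all-zero value
    return msg, cbc_decrypt(key, iv, ct), cbc_decrypt(key, lost_iv, ct), iv

if __name__ == "__main__":
    msg, with_iv, without_iv, _ = demo()
    for m, a, b in zip(msg, with_iv, without_iv):
        print(m, a == m, b == m)
```

With the all-zero substitute, the first recovered block equals m0 EXOR IV, so it reveals nothing about m0 when the IV was chosen at random.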
