herein is subject to change without notice. D(k, 0) ^ c[0] 50 D(k,⋅) D(k,⋅) D(k, c[0]) ^ k D(k, c[0]) ^ 0 ⊕ ⊕ D(k,⋅) ⊕ c[0] 0 c[0] IV=Key D(k,⋅) p[0] p[1] p[2] ⊕ D(k,⋅) ⊕ D(k,⋅) ⊕ IV = Key To recover the key, just XOR the first and third unencrypted bytes: p’[0] ^ p’[2] = D(k, c[0]) ^ k ^ D(k, c[0]) ^ 0 = k