In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.
Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (a number used only once), and the primitives (e.g. CBC) are considered ''stateful'' rather than ''randomized''. This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with the message to account for message loss.) An example of a stateful encryption scheme is the counter mode of operation, which uses a sequence number as its nonce.
The IV size depends on the cryptographic primitive used; for block ciphers it is generally the cipher's block-size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks.
When the IV is chosen at random, the probability of collisions due to the birthday problem must be taken into account. Traditional stream ciphers such as RC4 do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the WEP protocol is a notable example, and is prone to related-IV attacks.
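As an added worked example (not from the original article), the following Python carries out the birthday-bound calculation behind the collision warning above. The function names are chosen here; the 24-bit case corresponds to the WEP IV length discussed below, the 128-bit case to the AES block size.

```python
import math


def iv_collision_probability(iv_bits: int, messages: int) -> float:
    """Probability that at least two of `messages` uniformly random IVs of
    `iv_bits` bits coincide (birthday bound).

    The exact value is 1 - prod_{i<n} (1 - i/2^b); the standard approximation
    1 - exp(-n(n-1) / 2^(b+1)) is used here, computed with expm1 so that the
    tiny probabilities of large IV spaces do not round to zero.
    """
    exponent = messages * (messages - 1) / 2 ** (iv_bits + 1)
    return -math.expm1(-exponent)


def messages_until_probability(iv_bits: int, target: float) -> int:
    """Smallest number of random IVs at which the approximation above reaches
    collision probability `target`: solve n^2 - n >= -ln(1 - target) * 2^(b+1)."""
    need = -math.log(1.0 - target) * 2 ** (iv_bits + 1)
    return math.ceil((1 + math.sqrt(1 + 4 * need)) / 2)


if __name__ == "__main__":
    for bits in (24, 64, 128):
        print(f"{bits:3d}-bit IV: 50% chance of a repeat after "
              f"{messages_until_probability(bits, 0.5):,} messages")
    # A 24-bit IV (WEP) repeats with better than even odds after ~4,800 packets.
    print("24-bit IV after 5000 messages:",
          round(iv_collision_probability(24, 5000), 3))
```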
Motivation

A block cipher is one of the most basic primitives in cryptography, and frequently used for data encryption. However, by itself, it can only be used to encode a data block of a predefined size, called the block size. For example, a single invocation of the AES algorithm transforms a 128-bit plaintext block into a ciphertext block of 128 bits in size. The key, which is given as one input to the cipher, defines the mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure as equal plaintext blocks get transformed into equal ciphertexts, and a third party observing the encrypted data may easily determine its content even when not knowing the encryption key.
To hide patterns in encrypted data while avoiding the re-issuing of a new key after each block cipher invocation, a method is needed to randomize the input data. In 1980, the NIST published a national standard document designated Federal Information Processing Standard (FIPS) PUB 81, which specified four so-called block cipher modes of operation, each describing a different solution for encrypting a set of input blocks. The first mode implements the simple strategy described above, and was specified as the electronic codebook (ECB) mode. In contrast, each of the other modes describes a process where ciphertext from one block encryption step gets intermixed with the data from the next encryption step. To initiate this process, an additional input value is required to be mixed with the first block, which is referred to as an ''initialization vector''. For example, the cipher-block chaining (CBC) mode requires an unpredictable value, of size equal to the cipher's block size, as additional input. This unpredictable value is added to the first plaintext block before subsequent encryption. In turn, the ciphertext produced in the first encryption step is added to the second plaintext block, and so on. The ultimate goal for encryption schemes is to provide semantic security: by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext. It can be shown that each of the three additional modes specified by the NIST is semantically secure under so-called chosen-plaintext attacks.
Properties
Properties of an IV depend on the cryptographic scheme used. A basic requirement is ''uniqueness'', which means that no IV may be reused under the same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. In stream cipher encryption uniqueness is crucially important as plaintext may be trivially recovered otherwise.
:''Example:'' Stream ciphers encrypt plaintext ''P'' to ciphertext ''C'' by deriving a key stream ''K'' from a given key and IV and computing ''C'' as ''C'' = ''P'' xor ''K''. Assume that an attacker has observed two messages ''C''<sub>1</sub> and ''C''<sub>2</sub> both encrypted with the same key and IV. Then knowledge of either ''P''<sub>1</sub> or ''P''<sub>2</sub> reveals the other plaintext since
::<math>C_1 \oplus C_2 = (P_1 \oplus K) \oplus (P_2 \oplus K) = P_1 \oplus P_2.</math>
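As an added illustration that is not part of the original article, the two-message computation above in Python. The keystream generator is a constructed stand-in (a counter-mode hash of key and IV), not RC4 or any real stream cipher; all that matters is that the same key and IV yield the same keystream.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, IV) by hashing a counter.
    Constructed stand-in for a stream cipher: same key and IV -> same bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C = P xor K, exactly as in the example above.
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Two ciphertexts made with the same key and IV, plus the first plaintext,
    give the second without the key: C1 xor C2 = P1 xor P2, so
    P2 = C1 xor C2 xor P1 over the overlapping length."""
    n = min(len(c1), len(c2), len(p1))
    return xor(xor(c1[:n], c2[:n]), p1[:n])


if __name__ == "__main__":
    key, iv = b"constructed-sample-key", b"\x00" * 8
    p1, p2 = b"Transfer 100 EUR to Bob", b"Transfer 900 EUR to Eve"
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)  # IV reused: the flaw
    print(recover_second_plaintext(c1, c2, p1))          # b'Transfer 900 EUR to Eve'
    # With a unique IV per message the keystreams differ and the relation is gone.
    c2_fresh = encrypt(key, b"\x00" * 7 + b"\x01", p2)
    print(recover_second_plaintext(c1, c2_fresh, p1) == p2)  # False
```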
Many schemes require the IV to be ''unpredictable'' by an adversary. This is effected by selecting the IV at random or pseudo-randomly. In such schemes, the chance of a duplicate IV is negligible, but the effect of the birthday problem must be considered. As for the uniqueness requirement, a predictable IV may allow recovery of (partial) plaintext.
:''Example:'' Consider a scenario where a legitimate party called Alice encrypts messages using the cipher-block chaining mode. Consider further that there is an adversary called Eve that can observe these encryptions and is able to forward plaintext messages to Alice for encryption (in other words, Eve is capable of a chosen-plaintext attack). Now assume that Alice has sent a message consisting of an initialization vector ''IV''<sub>1</sub> and starting with a ciphertext block ''C''<sub>Alice</sub>. Let further ''P''<sub>Alice</sub> denote the first plaintext block of Alice's message, let ''E'' denote encryption, and let ''P''<sub>Eve</sub> be Eve's guess for the first plaintext block. Now, if Eve can determine the initialization vector ''IV''<sub>2</sub> of the next message she will be able to test her guess by forwarding a plaintext message to Alice starting with (''IV''<sub>2</sub> xor ''IV''<sub>1</sub> xor ''P''<sub>Eve</sub>); if her guess was correct this plaintext block will get encrypted to ''C''<sub>Alice</sub> by Alice. This is because of the following simple observation:
::<math>C_{\text{Alice}} = E(IV_1 \oplus P_{\text{Alice}}) = E(IV_2 \oplus (IV_2 \oplus IV_1 \oplus P_{\text{Alice}})).</math>
Depending on whether the IV for a cryptographic scheme must be random or only unique the scheme is either called ''randomized'' or ''stateful''. While randomized schemes always require the IV chosen by a sender to be forwarded to receivers, stateful schemes allow sender and receiver to share a common IV state, which is updated in a predefined way at both sides.
Block ciphers
Block cipher processing of data is usually described as a mode of operation. Modes are primarily defined for encryption as well as authentication, though newer designs exist that combine both security solutions in so-called authenticated encryption modes. While encryption and authenticated encryption modes usually take an IV matching the cipher's block size, authentication modes are commonly realized as deterministic algorithms, and the IV is set to zero or some other fixed value.
Stream ciphers
In stream ciphers, IVs are loaded into the keyed internal secret state of the cipher, after which a number of cipher rounds are executed prior to releasing the first bit of output. For performance reasons, designers of stream ciphers try to keep that number of rounds as small as possible, but because determining the minimal secure number of rounds for stream ciphers is not a trivial task, and considering other issues such as entropy loss, unique to each cipher construction, related-IV attacks and other IV-related attacks are a known security issue for stream ciphers, which makes IV loading in stream ciphers a serious concern and a subject of ongoing research.
WEP IV
The 802.11 encryption algorithm called WEP (short for Wired Equivalent Privacy) used a short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked. Packet injection allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP.
SSL 2.0 IV
In cipher-block chaining mode (CBC mode), the IV need not be secret, but must be unpredictable at encryption time (in particular, for any given plaintext, it must not be possible to predict the IV that will be associated with the plaintext in advance of the generation of the IV). Additionally, for the output feedback mode (OFB mode), the IV must be unique. In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about the plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the BEAST attack.
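The following Python is an added example, not part of the article or of any SSL implementation. It models Eve's test from the Properties section above and the SSL 2.0 practice just described of chaining the last ciphertext block into the next IV, and contrasts both with a fresh unpredictable IV. A small Feistel network stands in for AES (an assumption made so the code runs offline); `eve_guess_is_right`, `chained_iv_confirms` and `fresh_random_iv_confirms` are names chosen here.

```python
import hashlib
import secrets

BLOCK = 16  # 128-bit block, as for AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed hash truncated to half a block (constructed stand-in).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network: an invertible keyed permutation of one block that
    # stands in for AES so the example runs offline. It makes no security claim.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block (the IV for
    # the first block), then apply the block cipher. Input must be block-aligned.
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def eve_guess_is_right(key: bytes, iv1: bytes, p_alice: bytes,
                       iv2: bytes, p_guess: bytes) -> bool:
    """Eve's test from the Properties section. She has seen C_Alice = E(IV1 xor
    P_Alice) and knows the next IV, IV2. She asks Alice to encrypt
    (IV2 xor IV1 xor P_guess) under IV2; the result equals C_Alice exactly when
    P_guess == P_Alice, because IV2 xor (IV2 xor IV1 xor P_guess) = IV1 xor P_guess."""
    c_alice = cbc_encrypt(key, iv1, p_alice)[:BLOCK]
    probe = xor(xor(iv2, iv1), p_guess)
    return cbc_encrypt(key, iv2, probe)[:BLOCK] == c_alice

def chained_iv_confirms(key: bytes, p_alice: bytes, p_guess: bytes) -> bool:
    # SSL 2.0 practice: the next message's IV is the last ciphertext block of the
    # previous one, so Eve knows IV2 in advance and can run the test above.
    iv1 = secrets.token_bytes(BLOCK)
    iv2 = cbc_encrypt(key, iv1, p_alice)[-BLOCK:]
    return eve_guess_is_right(key, iv1, p_alice, iv2, p_guess)

def fresh_random_iv_confirms(key: bytes, p_alice: bytes, p_guess: bytes) -> bool:
    # Remedy: Alice draws an unpredictable IV only after Eve has committed to her
    # probe, so the probe is mixed with an IV Eve could not know and the test fails
    # (except with probability 2^-128), even when the guess is correct.
    iv1 = secrets.token_bytes(BLOCK)
    c_alice = cbc_encrypt(key, iv1, p_alice)[:BLOCK]
    probe = xor(xor(secrets.token_bytes(BLOCK), iv1), p_guess)  # Eve's assumed IV2
    return cbc_encrypt(key, secrets.token_bytes(BLOCK), probe)[:BLOCK] == c_alice
```

The same functions show the uniqueness requirement from the Properties section: encrypting two messages with a common first block under one key and a repeated IV yields identical first ciphertext blocks.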
See also
* Cryptographic nonce
* Padding (cryptography)
* Random seed
* Salt (cryptography)
* Block cipher modes of operation
* CipherSaber (RC4 with IV)