Initialization vector

In this case, the IV is commonly called a nonce (a number used only once), and the primitives (e.g. CBC) are considered stateful rather than randomized.

This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side.

An example of a stateful encryption scheme is the counter mode of operation, which uses a sequence number as its nonce.
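The stateful construction described above, as an added example in Go that is not part of the original article: both endpoints hold the same AES key and the same 64-bit sequence number, each message's CTR nonce is derived from that shared state, and nothing IV-like travels with the ciphertext. The `Endpoint` type, its field layout and the choice of placing the sequence number in the high half of the counter block are assumptions made for this example; the all-zero key is a constructed demo value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Endpoint is one side of a stateful CTR channel (hypothetical layout). Both
// sides hold the same key and the same 64-bit sequence number; the nonce for
// each message is derived from that state and is never transmitted.
type Endpoint struct {
	block cipher.Block
	seq   uint64 // sequence number of the next message, starts at 0
}

// NewEndpoint wraps a 16/24/32-byte AES key with a zeroed sequence counter.
func NewEndpoint(key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Endpoint{block: block}, nil
}

// nonceFor lays out the 16-byte initial counter block: the sequence number
// fills the high 8 bytes; the low 8 bytes are the per-block counter that CTR
// mode increments itself. Counter blocks therefore never repeat as long as
// seq never repeats and no message exceeds 2^64 blocks.
func nonceFor(seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], seq)
	return iv
}

// apply XORs the keystream for the current sequence number into in, then
// advances the state. It refuses to wrap the counter: a repeated nonce under
// the same key would leak the XOR of two plaintexts.
func (e *Endpoint) apply(in []byte) ([]byte, error) {
	if e.seq == math.MaxUint64 {
		return nil, errors.New("sequence space exhausted: rekey before continuing")
	}
	out := make([]byte, len(in))
	cipher.NewCTR(e.block, nonceFor(e.seq)).XORKeyStream(out, in)
	e.seq++
	return out, nil
}

// Seal encrypts one message; the ciphertext carries no IV.
func (e *Endpoint) Seal(plaintext []byte) ([]byte, error) { return e.apply(plaintext) }

// Open decrypts with the receiver's own copy of the state. If the two sides
// fall out of step the derived nonce differs and the output is not the
// plaintext; an authenticated mode would reject such a message outright.
func (e *Endpoint) Open(ciphertext []byte) ([]byte, error) { return e.apply(ciphertext) }

func main() {
	key := make([]byte, 16) // constructed all-zero demo key, never use in practice
	sender, _ := NewEndpoint(key)
	receiver, _ := NewEndpoint(key)
	// The same plaintext twice still yields two different ciphertexts,
	// because each message gets the next sequence number as its nonce.
	for _, msg := range []string{"seq payload", "seq payload"} {
		ct, _ := sender.Seal([]byte(msg))
		pt, _ := receiver.Open(ct)
		fmt.Printf("ct=%x pt=%q\n", ct, pt)
	}
}
```

The receiver must see messages in order; with a lossy transport the sequence number is usually sent in the clear as a header instead of being kept purely implicit, which is still a stateful nonce rather than a random IV.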

In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks.[2][3][4][5]

When the IV is chosen at random, the probability of collisions due to the birthday problem must be taken into account.
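The birthday consideration above, worked through in Go as an added example (not part of the original article): the bound 1 - exp(-n(n-1)/2^(b+1)) for n random b-bit IVs, its inverse (how many messages a key can carry before the collision probability reaches a budget), and a small Monte Carlo simulation over a deliberately tiny IV space so the effect is visible. Function names and the 16-bit toy parameters are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math"
)

// CollisionProbability is the birthday-bound estimate that at least two of n
// uniformly random IVs of the given bit length coincide:
// 1 - exp(-n(n-1) / 2^(bits+1)). Expm1 keeps tiny probabilities accurate.
func CollisionProbability(bits int, n float64) float64 {
	return -math.Expm1(-n * (n - 1) / (2 * math.Exp2(float64(bits))))
}

// MessagesForProbability inverts the bound: roughly how many random IVs can
// be drawn under one key before the collision probability reaches p.
func MessagesForProbability(bits int, p float64) float64 {
	return math.Sqrt(2 * math.Exp2(float64(bits)) * -math.Log1p(-p))
}

// SimulateCollisionRate draws n random IVs of `bits` bits (1..62) from the
// OS CSPRNG, repeats that `trials` times, and returns the fraction of trials
// in which some IV repeated.
func SimulateCollisionRate(bits, n, trials int) (float64, error) {
	if bits < 1 || bits > 62 {
		return 0, fmt.Errorf("bits must be in 1..62, got %d", bits)
	}
	mask := uint64(1)<<uint(bits) - 1
	buf := make([]byte, 8)
	hits := 0
	for t := 0; t < trials; t++ {
		seen := make(map[uint64]struct{}, n)
		for i := 0; i < n; i++ {
			if _, err := rand.Read(buf); err != nil {
				return 0, err
			}
			iv := binary.BigEndian.Uint64(buf) & mask
			if _, dup := seen[iv]; dup {
				hits++
				break
			}
			seen[iv] = struct{}{}
		}
	}
	return float64(hits) / float64(trials), nil
}

func main() {
	// A 64-bit random IV reaches a ~39% collision chance after 2^32 messages;
	// a 128-bit one is still far below any practical budget at that count.
	fmt.Printf("64-bit IV, 2^32 msgs: p=%.4f\n", CollisionProbability(64, math.Exp2(32)))
	fmt.Printf("128-bit IV, 2^32 msgs: p=%.3g\n", CollisionProbability(128, math.Exp2(32)))
	fmt.Printf("64-bit IV, messages until p=0.5: %.3g\n", MessagesForProbability(64, 0.5))
	// Toy space: 16-bit IVs, 300 draws per trial, predicted p ~ 0.50.
	rate, _ := SimulateCollisionRate(16, 300, 400)
	fmt.Printf("simulated 16-bit, n=300: %.2f (bound %.2f)\n", rate, CollisionProbability(16, 300))
}
```

The inverse function is the one that matters operationally: pick the collision budget first (protocol designs commonly use 2^-32) and rekey before the message count reaches the bound, rather than hoping the random IV "is negligible" for the key's whole lifetime.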

Some designs realized in practice are known to be insecure; the WEP protocol is a notable example, and is prone to related-IV attacks.

In 1980, the NIST published a national standard document designated Federal Information Processing Standard (FIPS) PUB 81, which specified four so-called block cipher modes of operation, each describing a different solution for encrypting a set of input blocks.

The ultimate goal for encryption schemes is to provide semantic security: by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext.

It can be shown that each of the three additional modes specified by the NIST is semantically secure under so-called chosen-plaintext attacks.

In stream cipher encryption, uniqueness is crucially important, as plaintext may be trivially recovered otherwise.
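Why uniqueness matters in a stream-cipher setting, shown as an added Go example that is not from the original article: under a repeated key and nonce the CTR keystream is identical for both messages, so XORing the two ciphertexts cancels it and leaves the XOR of the two plaintexts, which is exactly the leak the sentence above refers to. The same check with distinct nonces shows no such relation. The function names, the fixed demo key and nonce, and the sample messages are constructed for this example; `UniqueNonces` is the kind of assertion a code review or integration test can run over recorded nonces to catch reuse before it ships.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrEncrypt applies the AES-CTR keystream derived from key and nonce.
func ctrEncrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out, nil
}

// xorBytes XORs two byte slices up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamLeak reports whether c1 XOR c2 == p1 XOR p2 for two messages
// encrypted under nonce1 and nonce2. It is true exactly when the keystreams
// coincide, i.e. when the nonce was reused: the ciphertexts then reveal the
// plaintext relationship with no knowledge of the key.
func KeystreamLeak(key, nonce1, nonce2, p1, p2 []byte) (bool, error) {
	c1, err := ctrEncrypt(key, nonce1, p1)
	if err != nil {
		return false, err
	}
	c2, err := ctrEncrypt(key, nonce2, p2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2)), nil
}

// UniqueNonces is the defensive check: given the nonces a component has used
// under one key, it returns false as soon as any value appears twice.
func UniqueNonces(nonces [][]byte) bool {
	seen := make(map[string]struct{}, len(nonces))
	for _, n := range nonces {
		if _, dup := seen[string(n)]; dup {
			return false
		}
		seen[string(n)] = struct{}{}
	}
	return true
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key
	nonceA := make([]byte, aes.BlockSize)  // constructed nonces; B differs in one byte
	nonceB := make([]byte, aes.BlockSize)
	nonceB[7] = 1
	p1 := []byte("first confidential message")
	p2 := []byte("second confidential message")
	reused, _ := ctrLeakOrErr(KeystreamLeak(key, nonceA, nonceA, p1, p2))
	fresh, _ := ctrLeakOrErr(KeystreamLeak(key, nonceA, nonceB, p1, p2))
	fmt.Println("same nonce leaks p1^p2:", reused)  // true
	fmt.Println("fresh nonce leaks p1^p2:", fresh)   // false
	fmt.Println("nonce log unique:", UniqueNonces([][]byte{nonceA, nonceB, nonceA})) // false
}

// ctrLeakOrErr just threads the (bool, error) pair through for printing.
func ctrLeakOrErr(b bool, err error) (bool, error) { return b, err }
```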

In such schemes, the chance of a duplicate IV is negligible, but the effect of the birthday problem must be considered.

Figure caption: Insecure encryption of an image as a result of electronic codebook mode encoding.
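The image-encryption failure behind that figure, and the semantic-security contrast drawn above, reduced to a measurable check in Go as an added example that is not from the original article: a constructed two-colour "bitmap" of 64 blocks is encrypted with ECB (the raw block cipher per block, which Go's standard library deliberately does not package as a mode) and with CBC under a fresh random IV; counting distinct ciphertext blocks shows ECB preserving the plaintext's block structure while CBC hides it. The helper names and the striped test pattern are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt runs the block cipher over each block independently; that is
// all ECB mode is, which is why equal plaintext blocks give equal ciphertext.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains the blocks under a fresh unpredictable IV drawn from the
// OS CSPRNG and returns IV || ciphertext; the IV is public, not secret.
func cbcEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return append(iv, out...), nil
}

// DistinctBlocks counts how many different bs-byte blocks data contains: the
// picture test in miniature, since a pattern survives encryption only when
// repeated plaintext blocks map to repeated ciphertext blocks.
func DistinctBlocks(data []byte, bs int) int {
	seen := make(map[string]struct{})
	for i := 0; i+bs <= len(data); i += bs {
		seen[string(data[i:i+bs])] = struct{}{}
	}
	return len(seen)
}

// StripedImage is a constructed stand-in for a two-colour bitmap: 8 rows of
// 8 AES blocks, rows alternating between all-0x00 and all-0xFF pixels.
func StripedImage() []byte {
	var img []byte
	for row := 0; row < 8; row++ {
		fill := byte(0x00)
		if row%2 == 1 {
			fill = 0xFF
		}
		img = append(img, bytes.Repeat([]byte{fill}, 8*aes.BlockSize)...)
	}
	return img
}

// CompareModes returns the number of distinct ciphertext blocks the same
// plaintext produces under ECB and under CBC (IV excluded from the count).
func CompareModes(key, plaintext []byte) (int, int, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return 0, 0, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	cbc, err := cbcEncrypt(block, plaintext)
	if err != nil {
		return 0, 0, err
	}
	ecbDistinct := DistinctBlocks(ecbEncrypt(block, plaintext), aes.BlockSize)
	cbcDistinct := DistinctBlocks(cbc[aes.BlockSize:], aes.BlockSize)
	return ecbDistinct, cbcDistinct, nil
}

func main() {
	key := bytes.Repeat([]byte{0x07}, 16) // constructed demo key
	img := StripedImage()
	ecb, cbc, err := CompareModes(key, img)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext blocks: %d distinct of %d\n", DistinctBlocks(img, aes.BlockSize), len(img)/aes.BlockSize)
	fmt.Printf("ECB ciphertext:   %d distinct blocks (pattern preserved)\n", ecb) // 2
	fmt.Printf("CBC ciphertext:   %d distinct blocks (pattern hidden)\n", cbc)    // 64
}
```

The distinct-block count is a crude proxy for what semantic security formalises: under ECB an observer learns which blocks of the image are equal without any key material, so ECB fails even a chosen-plaintext distinguisher, whereas the CBC output with a random IV is indistinguishable from random blocks to that test.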