Initialization vector: Difference between revisions

fixed some grammatical errors
In [[cryptography]], an '''initialization vector''' ('''IV''') or '''starting variable''' ('''SV''')<ref>ISO/IEC 10116:2006 ''Information technology — Security techniques — Modes of operation for an ''n''-bit block cipher''</ref> is an input to a [[cryptographic primitive]] being used to provide the initial state. The IV is typically required to be [[random]] or [[pseudorandom]], but sometimes an IV only needs to be unpredictable or unique. [[Randomization]] is crucial for some [[encryption]] schemes to achieve [[semantic security]], a property whereby repeated usage of the scheme under the same [[cryptographic key|key]] does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For [[block cipher]]s, the use of an IV is described by the [[Block cipher mode of operation|modes of operation]].
 
Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a [[cryptographic nonce|nonce]] (''number used once''), and the primitives (e.g. [[Block_cipher_mode_of_operation#CBC|CBC]]) are considered ''stateful'' rather than ''randomized''. This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both the sender and the receiver side. (In practice, a short nonce is still transmitted along with the message to account for message loss.) An example of a stateful encryption scheme is the [[counter mode]] of operation, which has a [[sequence number]] for a nonce.
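
The stateful scheme described above, as an added example that is not part of the original article: the sender uses a sequence number as the nonce and transmits only a short part of it, and the receiver rebuilds the full nonce from its own state even after messages are lost. The names <code>Sender</code>, <code>Receiver</code> and <code>keystream</code>, the 16-bit short nonce and the HMAC-SHA256 keystream (a stand-in, not a vetted cipher) are assumptions made for the example; it provides no message authentication.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Stand-in keystream generator (assumption for this example, not a vetted
    # cipher): HMAC-SHA256 over the 64-bit nonce and a block counter.
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

class Sender:
    """Stateful encryptor: the nonce is a sequence number, used once per key."""
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, plaintext: bytes) -> bytes:
        nonce, self.seq = self.seq, self.seq + 1
        body = xor(plaintext, keystream(self.key, nonce, len(plaintext)))
        # Only the low 16 bits of the nonce travel with the message.
        return (nonce & 0xFFFF).to_bytes(2, "big") + body

class Receiver:
    """Rebuilds the full nonce from its own state plus the short nonce."""
    def __init__(self, key: bytes):
        self.key, self.expected = key, 0

    def receive(self, packet: bytes) -> bytes:
        short = int.from_bytes(packet[:2], "big")
        # Smallest sequence number >= expected whose low 16 bits match, so up
        # to 65535 consecutive lost messages are tolerated.
        nonce = self.expected + ((short - self.expected) & 0xFFFF)
        self.expected = nonce + 1
        return xor(packet[2:], keystream(self.key, nonce, len(packet) - 2))

def demo():
    key = bytes(range(32))                      # constructed sample key
    sender, receiver = Sender(key), Receiver(key)
    packets = [sender.send(b"balance=100") for _ in range(4)]
    # Messages 1 and 2 are "lost"; the receiver still resynchronizes on 3.
    received = [receiver.receive(packets[0]), receiver.receive(packets[3])]
    distinct = len({p[2:] for p in packets}) == len(packets)
    return received, distinct
```

Because every message gets a fresh nonce, the four encryptions of the same plaintext differ, whereas calling <code>keystream</code> twice with the same key and nonce would produce identical ciphertexts for identical plaintexts.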
 
The IV size depends on the cryptographic primitive used; for block ciphers it is generally the cipher's block size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for [[time/memory/data tradeoff attack]]s.<ref>{{cite journal |author = Alex Biryukov |title = Some Thoughts on Time-Memory-Data Tradeoffs |journal = IACR ePrint Archive |year = 2005 |url = http://eprint.iacr.org/2005/207 }}</ref><ref>{{cite journal |author1 = Jin Hong |author2 = Palash Sarkar |title = Rediscovery of Time Memory Tradeoffs |journal = IACR ePrint Archive |year = 2005 |url = http://eprint.iacr.org/2005/090 }}</ref><ref>{{cite journal |author1 = Alex Biryukov |author2 = Sourav Mukhopadhyay |author3 = Palash Sarkar |title = Improved Time-Memory Trade-Offs with Multiple Data |journal = LNCS |issue = 3897 |pages = 110–127 |publisher = Springer |year = 2007 }}</ref><ref name="ECRYPT">{{cite techreport |author1 = Christophe De Cannière |author2 = Joseph Lano |author3 = Bart Preneel |title = Comments on the Rediscovery of Time/Memory/Data Trade-off Algorithm |institution = ECRYPT Stream Cipher Project |number = 40 |year = 2005 |url = http://www.ecrypt.eu.org/stream/papersdir/040.pdf }}</ref> When the IV is chosen at random, the probability of collisions due to the [[birthday problem]] must be taken into account. Traditional stream ciphers such as [[RC4]] do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the [[Wired Equivalent Privacy|WEP]] protocol is a notable example, and is prone to related-IV attacks.
 
==Motivation==