Initialization vector
==Properties==
Properties of an IV depend on the cryptographic scheme used. A basic requirement is ''uniqueness'', which means that no IV may be reused under the same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. In [[stream cipher]] encryption uniqueness is crucially important, as plaintext may be trivially recovered otherwise.

:'''''Example:''''' Stream ciphers encrypt plaintext ''P'' to ciphertext ''C'' by deriving a key stream ''K'' from a given key and IV and computing ''C'' as ''C'' = ''P'' xor ''K''. Assume that an attacker has observed two messages ''C''<sub>1</sub> and ''C''<sub>2</sub> both encrypted with the same key and IV. Then knowledge of either ''P''<sub>1</sub> or ''P''<sub>2</sub> reveals the other plaintext, since
::''C''<sub>1</sub> xor ''C''<sub>2</sub> = (''P''<sub>1</sub> xor ''K'') xor (''P''<sub>2</sub> xor ''K'') = ''P''<sub>1</sub> xor ''P''<sub>2</sub>.

Many schemes require the IV to be ''unpredictable'' by an [[adversary (cryptography)|adversary]]. This is achieved by selecting the IV at [[random]] or [[pseudo-random]]ly. In such schemes the chance of a duplicate IV is [[negligible function|negligible]], but the effect of the [[birthday problem]] must be considered. As with the uniqueness requirement, a predictable IV may allow recovery of (partial) plaintext.

:'''''Example:''''' Consider a scenario where a legitimate party called Alice encrypts messages using the cipher-block chaining mode. Consider further that there is an adversary called Eve who can observe these encryptions and is able to forward plaintext messages to Alice for encryption (in other words, Eve is capable of a [[chosen-plaintext attack]]). Now assume that Alice has sent a message consisting of an initialization vector ''IV''<sub>1</sub> and starting with a ciphertext block ''C<sub>Alice</sub>''. Let further ''P<sub>Alice</sub>'' denote the first plaintext block of Alice's message, let ''E'' denote encryption, and let ''P<sub>Eve</sub>'' be Eve's guess for the first plaintext block. Now, if Eve can determine the initialization vector ''IV''<sub>2</sub> of the next message, she will be able to test her guess by forwarding a plaintext message to Alice starting with (''IV''<sub>2</sub> xor ''IV''<sub>1</sub> xor ''P<sub>Eve</sub>''); if her guess was correct, this plaintext block will get encrypted to ''C<sub>Alice</sub>'' by Alice. This is because of the following simple observation:
::''C<sub>Alice</sub>'' = ''E''(''IV''<sub>1</sub> xor ''P<sub>Alice</sub>'') = ''E''(''IV''<sub>2</sub> xor (''IV''<sub>2</sub> xor ''IV''<sub>1</sub> xor ''P<sub>Alice</sub>'')).<ref>[http://cwe.mitre.org/data/definitions/329.html CWE-329: Not Using a Random IV with CBC Mode]</ref>

Depending on whether the IV for a cryptographic scheme must be random or only unique, the scheme is called either ''randomized'' or ''stateful''. While randomized schemes always require the IV chosen by a sender to be forwarded to receivers, stateful schemes allow sender and receiver to share a common IV state, which is updated in a predefined way at both sides.
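The two examples above can be checked numerically. The following Python script is an added illustration, not part of the article; it uses HMAC-SHA256 as a constructed stand-in for both the stream cipher's key stream generator and the block cipher ''E'' (only the encryption direction is needed, so no real cipher is required). It verifies that (1) under a reused key and IV, ''C''<sub>1</sub> xor ''C''<sub>2</sub> = ''P''<sub>1</sub> xor ''P''<sub>2</sub>, so one known plaintext reveals the other, and (2) in CBC mode the crafted block ''IV''<sub>2</sub> xor ''IV''<sub>1</sub> xor ''P<sub>Eve</sub>'' encrypts to ''C<sub>Alice</sub>'' exactly when the guess is right and ''IV''<sub>2</sub> was predictable, while a randomly chosen ''IV''<sub>2</sub> makes the same test uninformative. All keys, IVs and messages are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes for the CBC part


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Stream-cipher part: IV reuse leaks P1 xor P2 ----

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher's key stream generator
    (HMAC-SHA256 in counter mode). Not a real cipher, but like one it is a
    deterministic function of (key, IV), which is all the example relies on."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C = P xor K, with K derived from the key and IV."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Under IV reuse, C1 xor C2 = P1 xor P2, so knowing P1 yields P2."""
    return xor(xor(c1, c2), known_p1)


def demo_stream_reuse() -> bool:
    key, iv = os.urandom(32), os.urandom(12)
    p1 = b"balance: 100 EUR"  # constructed sample messages of equal length
    p2 = b"balance: 250 EUR"
    c1 = stream_encrypt(key, iv, p1)
    c2 = stream_encrypt(key, iv, p2)  # same key AND same IV: the flaw
    return recover_other_plaintext(c1, c2, p1) == p2


# ---- CBC part: predictable IV versus random IV ----

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E_key on one block (keyed PRF truncated to
    BLOCK bytes). Only encryption is needed to show C = E(IV xor P)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_first_block(key: bytes, iv: bytes, p_first: bytes) -> bytes:
    """First ciphertext block of CBC mode: E(IV xor P_1)."""
    return block_encrypt(key, xor(iv, p_first))


def matches_guess(key, iv1, c_alice, iv2_used, iv2_expected, p_eve) -> bool:
    """Eve's test from the article: submit (IV2 xor IV1 xor P_Eve) for
    encryption. Alice encrypts it under the IV she actually uses (iv2_used);
    Eve built the block from the IV she expected (iv2_expected). The result
    is informative only when the two agree, i.e. when IV2 was predictable."""
    crafted = xor(xor(iv2_expected, iv1), p_eve)
    return cbc_first_block(key, iv2_used, crafted) == c_alice


def demo_cbc_predictable_iv():
    """Counter-style IVs: Eve knows IV2 in advance, so the test confirms a
    correct guess of Alice's first block and refutes a wrong one."""
    key = os.urandom(16)
    iv1 = (7).to_bytes(BLOCK, "big")
    iv2 = (8).to_bytes(BLOCK, "big")  # predictable successor of iv1
    p_alice = b"approve: YES    "  # constructed 16-byte block
    c_alice = cbc_first_block(key, iv1, p_alice)
    right = matches_guess(key, iv1, c_alice, iv2, iv2, b"approve: YES    ")
    wrong = matches_guess(key, iv1, c_alice, iv2, iv2, b"approve: NO     ")
    return right, wrong


def demo_cbc_random_iv() -> bool:
    """Random IVs (the mitigation): Alice's next IV differs from whatever Eve
    expected, so even the correct guess no longer yields C_Alice, except
    with probability about 2^-128."""
    key = os.urandom(16)
    iv1 = os.urandom(BLOCK)
    p_alice = b"approve: YES    "
    c_alice = cbc_first_block(key, iv1, p_alice)
    iv2_expected = os.urandom(BLOCK)  # Eve's guess of the next IV
    iv2_used = os.urandom(BLOCK)      # Alice's actual, unpredictable IV
    return matches_guess(key, iv1, c_alice, iv2_used, iv2_expected, p_alice)


if __name__ == "__main__":
    print("stream cipher, IV reused -> P2 recovered:", demo_stream_reuse())
    print("CBC, predictable IV -> (right guess, wrong guess):", demo_cbc_predictable_iv())
    print("CBC, random IV -> right guess still detected:", demo_cbc_random_iv())
```

The stream-cipher half needs no knowledge of the key stream at all: ''C''<sub>1</sub> xor ''C''<sub>2</sub> cancels it, which is why the uniqueness requirement is absolute rather than a matter of key strength. The CBC half shows the property the random-IV mitigation actually provides: the crafted block only reproduces ''C<sub>Alice</sub>'' when the IV Eve planned for equals the IV Alice used, so an IV chosen at random after Eve commits to her block takes that leverage away.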