Skip to main content

Generation of Deterministic Initialization Vectors (IVs) and Nonces

Document Type Expired Internet-Draft (individual)
Author David McGrew
Last updated 2014-04-18 (Latest revision 2013-10-15)
Stream (None)
Intended RFC status (None)
Expired & archived
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


Many cryptographic algorithms use deterministic IVs, including CTR, GCM, CCM, GMAC. This type of IV is also called a (deterministic) nonce. Deterministic IVs must be distinct, for each fixed key, to guarantee the security of the algorithm. This note describes best practices for the generation of such IVs, and summarizes how they are generated and used in different protocols. Some problem areas are highlighted, and test considerations are outlined. This note will be useful to implementers of algorithms using deterministic IVs, and to protocol or system designers using them.


David McGrew

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)