Generation of Deterministic Initialization Vectors (IVs) and Nonces

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Author David McGrew 
Last updated 2013-02-10 (latest revision 2012-08-09)
Stream (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


Many cryptographic algorithms use deterministic IVs, including CTR, GCM, CCM, GMAC. This type of IV is also called a (deterministic) nonce. Deterministic IVs must be distinct, for each fixed key, to guarantee the security of the algorithm. This note describes best practices for the generation of such IVs, and summarizes how they are generated and used in different protocols. Some problem areas are highlighted, and test considerations are outlined. This note will be useful to implementers of algorithms using deterministic IVs, and to protocol or system designers using them.


David McGrew (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)