diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index dda9235..964dda8 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -2,6 +2,7 @@
 
 namespace App\Providers;
 
+use App\Support\LegacyCrypto\CiSeedCrypto;
 use Illuminate\Cache\RateLimiting\Limit;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\RateLimiter;
@@ -17,11 +18,25 @@ class AppServiceProvider extends ServiceProvider
         }
 
         $this->app->singleton(CiSeedCrypto::class, function () {
-            $key = (string) config('legacy.seed_user_key_default', '');
-            $iv  = (string) config('legacy.iv', '');
+            $key = config('legacy.seed_user_key_default', '');
+            $iv  = config('legacy.iv', []);
 
-            if ($key === '' || $iv === '') {
-                throw new \RuntimeException('legacy crypto config missing (seed_user_key_default/iv)');
+            // key는 string
+            if (!is_string($key) || $key === '') {
+                throw new \RuntimeException('legacy crypto key missing (seed_user_key_default)');
+            }
+
+            // iv는 array (16 bytes)
+            if (!is_array($iv)) {
+                throw new \RuntimeException('legacy iv must be array');
+            }
+            if (count($iv) !== 16) {
+                throw new \RuntimeException('legacy iv array must be 16 bytes');
+            }
+            foreach ($iv as $b) {
+                if (!is_int($b) || $b < 0 || $b > 255) {
+                    throw new \RuntimeException('legacy iv array values must be ints 0~255');
+                }
             }
 
             return new CiSeedCrypto($key, $iv);