Quiz Entry - updated: 2026.07.14
How does the CBC-MAC work, and what is the role of the initialization vector (IV)?
CBC-MAC chains block cipher encryptions: each plaintext block is XORed with the previous ciphertext block before encryption, and the final block's output is the MAC.
* The chaining makes every block feed forward, so any change cascades into the final block — the MAC. *
Structure:
- Split the message into blocks ($Block_1, Block_2, ..., Block_n$)
- XOR $Block_1$ with the IV, then encrypt with key K → output $C_1$
- XOR $Block_2$ with $C_1$, encrypt with K → output $C_2$
- Continue chaining... final output $C_n$ = MAC
The IV problem:
- Theoretically, the IV has the same role as in CBC encryption mode
- But transmitting the IV in cleartext creates a vulnerability:
- Eve can create a new Block 1, adjust the IV so that $IV_{new} \oplus Block1_{new} = IV \oplus Block1$, producing the same MAC
- Solution: Set IV to all zeros (00...00) and don't transmit it
Historical note: CBC-MAC (ANSI X9.9) is the "mother" of all block-cipher-based integrity mechanisms. It has known theoretical weaknesses and was officially withdrawn as a standard, but the basic design lives on in industry variants because of the "never change a winning team" mentality.
Go deeper:
CBC-MAC (Wikipedia) — the construction, the fixed-IV requirement and why length must be fixed to stay secure.