Why are there no MACs inspired by block cipher modes other than CBC and CFB?

Question

I've been studying message authentication codes and I was wondering why a MAC can only be produced with AES in CBC and CFB mode and why not the other modes such as ECB, OFB and counter.

Why are CBC and CFB suitable modes to produce MACs? Is there a certain trait that makes them special when compared to the other modes?

Answer 1

It is certainly wrong to state that "MAC can only be produced with AES in CBC and CFB mode", but there seems to be a simple reason that people were inspired by these modes when thinking up possible MAC constructions: They carry along some state that incorporates information from the message while traversing the input blocks. In both modes, encrypting a block involves taking the current state along with a message block and transforming them in some way to obtain a ciphertext block and an updated state. This is not the case with the other common block cipher modes.

• ECB is completely stateless.
• Counter mode (CTR) has some state (namely, the counter), but it is independent of the message and therefore useless to assert message integrity.
• Output feedback mode (OFB) is also stateful, but the message is XORed into the to-be ciphertext block after the fed-back block has been tapped. Therefore, the state is independent of the message, just like for counter mode.