A message authentication code (MAC) is a cryptographic checksum generated from a message and a secret symmetric key shared between the sender and receiver, used to verify the message's integrity and authenticity by detecting both accidental and intentional modifications. The MAC algorithm processes an arbitrary-length message along with the key to produce a fixed-length tag, which is appended to the message and recomputed by the recipient using the same key and message; a match confirms that the message originated from the key holder and remains unaltered.^[1] Unlike digital signatures, which rely on asymmetric cryptography for non-repudiation, MACs use symmetric keys, making them efficient for high-speed applications but requiring secure key distribution between parties.^[2] MACs provide essential security properties, including resistance to existential forgery under chosen-message attacks, ensuring that an adversary without the key cannot produce a valid tag for a new message with non-negligible probability.^[2] Common constructions include hash-based MACs like the keyed-hash message authentication code (HMAC), which combines a cryptographic hash function (e.g., SHA-256) with the secret key in a specific manner to enhance security against length-extension attacks on plain hashes; other hash-based MACs include KMAC, based on the KECCAK family (SHA-3).^[3][4] HMAC is specified in Federal Information Processing Standard (FIPS) 198-1 (with content proposed for incorporation into NIST SP 800-224 as of 2025) and widely used in protocols such as TLS and IPsec for authenticating data in transit.^[3][5] Block cipher-based MACs, such as the cipher-based MAC (CMAC), employ modes like cipher block chaining (CBC) with algorithms like AES to generate tags, offering strong security guarantees for binary data integrity and authenticity.^[6] CMAC is specified in NIST Special Publication (SP) 800-38B and is particularly suitable for environments where block ciphers are already in use, such as in embedded systems.^[6] In practice, MACs are integral to securing communications, file integrity checks, and API authentication, with implementations required to use approved algorithms and keys of sufficient length (e.g., at least 128 bits for modern security) to withstand brute-force and collision attacks.^[4] While early MAC concepts emerged alongside symmetric ciphers like DES in the 1970s, contemporary standards from NIST ensure their robustness against classical threats, with ongoing research addressing potential vulnerabilities in specific constructions, including quantum threats.^[7]

Fundamentals

Definition

A message authentication code (MAC) is a cryptographic primitive that provides assurance of the integrity and authenticity of a message by generating a short, fixed-length value known as a tag, computed from the message and a shared secret key. This tag allows a recipient who possesses the same key to verify whether the message has been altered or originated from an unauthorized party. Formally, a MAC is defined as a family of functions parameterized by a symmetric key, where each function processes an input message of arbitrary length to produce an authenticator (the MAC tag) that is computationally infeasible to forge without knowledge of the key.^[1] A MAC scheme is typically specified as a tuple of three probabilistic polynomial-time algorithms: $(\mathsf{Gen}, \mathsf{Tag}, \mathsf{Vrfy})$. The key generation algorithm $\mathsf{Gen}(1^n)$ takes a security parameter $n$ and outputs a secret key $k$ from a key space $\mathcal{K}$. The tagging algorithm $\mathsf{Tag}_k(m)$ takes the key $k$ and a message $m$ from the message space $\mathcal{M}$ (usually $\{0,1\}^*$) and outputs a tag $t$ from a tag space $\mathcal{T}$. The verification algorithm $\mathsf{Vrfy}_k(m, t)$ takes the key $k$, message $m$, and tag $t$, and outputs 1 if the tag is valid for the message under the key (accepting it as authentic), or 0 otherwise (rejecting it). For security, the scheme requires that $\mathsf{Vrfy}_k(m, \mathsf{Tag}_k(m)) = 1$ with overwhelming probability for honestly generated keys and messages.^[8] Unlike digital signatures, which rely on asymmetric key pairs to enable public verification and provide non-repudiation, MACs utilize symmetric keys shared exclusively between the communicating parties, making them suitable for scenarios where key distribution is secure but public key infrastructure is unnecessary.^[9]

Terminology

In cryptographic literature, the output of a message authentication code (MAC) algorithm is commonly referred to as a "tag," a short fixed-length string appended to the message to enable verification, though it is sometimes interchangeably called a "code" or "MAC value" in older texts.^[10][11] The term "tag" has become prevalent in modern standards and papers to emphasize its role as an authenticating appendage, distinct from the MAC scheme itself. Certain MAC constructions, especially those built on hash functions, are described as "keyed hashes," where a secret key is integrated into the hashing process to produce the tag, ensuring the output depends on both the message and the key. In MAC designs relying on universal hashing, the term "universal hash" denotes a family of hash functions with provable collision resistance properties under random key selection, foundational to unconditionally secure authentication schemes.^[12][13] The nomenclature has evolved historically from "authentication code," as used in seminal works on universal hashing in the late 1970s and early 1980s, to the more precise "message authentication code" adopted in international standards beginning with the first edition of ISO/IEC 9797 in 1989, which formalized MAC algorithms for data integrity.^[13] This shift reflects a focus on message-specific authentication in symmetric cryptography.^[14] The primary acronym MAC expands to "message authentication code," denoting a symmetric-key primitive that generates a verifiable tag for a given message. HMAC, standing for "hash-based message authentication code," is a widely adopted variant that applies a cryptographic hash function (such as SHA-256) in a key-dependent manner to produce the tag. In MAC definitions, the term "message" encompasses any arbitrary binary string or data block, including non-textual content like files or network packets, rather than being restricted to human-readable text.^[1] This broad scope allows MACs to protect diverse data formats in practical applications.^[4]

Security Properties

Integrity and Authenticity

A message authentication code (MAC) ensures integrity by generating a tag that depends on the entire message content and a secret key, such that any modification to the message will result in a mismatch during verification, thereby detecting alterations.^[4] This protection arises because the MAC algorithm is designed to produce a unique output for each distinct input-message pair under the same key, making unauthorized changes computationally infeasible to conceal without knowledge of the key.^[4] MACs also provide authenticity by confirming that the message originates from a party possessing the shared secret key, as only the legitimate sender can generate a valid tag that the receiver will accept upon verification.^[4] This prevents impersonation attacks, where an adversary attempts to forge a message-tag pair, since producing a correct tag without the key violates the underlying cryptographic assumptions of the MAC construction.^[15] The primary formal security property for MACs is existential unforgeability under chosen-message attack (EUF-CMA), which captures both integrity and authenticity in an adversarial setting.^[15] In this model, an adversary is given oracle access to a MAC generation function for adaptively chosen messages and succeeds by producing a valid (message, tag) pair for a new message not previously queried; a secure MAC ensures no efficient adversary achieves this with more than negligible probability.^[15] The adversary's resources, including running time, query count, and total message length, bound the insecurity probability, emphasizing resistance even against powerful attackers with partial information.^[15] In probabilistic MACs, randomness plays a crucial role through the use of a nonce or initialization vector (IV), which is included in the input to ensure tag uniqueness and prevent replay attacks where an intercepted valid message-tag pair is reused. By requiring unique nonces for each message, these MACs render replays invalid, as verification fails if the nonce does not match the expected fresh value, while maintaining EUF-CMA security under the condition that nonces remain distinct.

Key Security Goals

Message authentication codes (MACs) are designed to ensure the integrity and authenticity of messages but do not provide confidentiality, as the underlying message remains unencrypted and visible to any observer, with the MAC tag serving only as a verification mechanism rather than an obfuscation tool.^[2] This limitation means that MACs must be combined with separate encryption schemes, such as in authenticated encryption modes, to protect message secrecy. A critical security goal for MACs is resistance to key recovery attacks, where an adversary observing multiple valid message-tag pairs cannot computationally feasibly extract the secret key used to generate the tags.^[16] This property is foundational to MAC security models, ensuring that even under adaptive chosen-message attacks, the key remains indistinguishable from random, preventing the generation of arbitrary forgeries beyond the unforgeability bound.^[17] To address replay attacks, where an adversary resubmits a previously valid message-tag pair to deceive the verifier, MAC constructions often incorporate nonces or timestamps into the authenticated data, ensuring that each tag is unique to a specific context and cannot be reused effectively.^[18] Without such mechanisms, a deterministic MAC would accept replayed tags as valid, compromising the protocol's freshness guarantees.^[18] In the context of quantum threats, MACs based on symmetric primitives like hash functions maintain security against Grover's algorithm by doubling the effective key and tag lengths to preserve pre-quantum security levels, as quantum search reduces brute-force complexity quadratically but does not break the core pseudorandomness assumptions. As of 2025, standards such as NIST's guidelines for post-quantum cryptography recommend these adjustments for hash-based MACs like HMAC, without requiring entirely new constructions for most symmetric authentication needs.^[19][20] MAC designers face trade-offs in tag length, where shorter tags—while improving efficiency—reduce the security margin against brute-force forgery attempts, potentially allowing an adversary to guess a valid tag with non-negligible probability after sufficiently many trials.^[21] For instance, tags below 128 bits may expose systems to practical attacks in high-volume scenarios, necessitating longer outputs to align with desired security levels like 128-bit resistance.^[22]

Constructions

Hash-Based MACs

Hash-based message authentication codes (MACs) construct authentication tags by leveraging cryptographic hash functions as the primary primitive, typically involving a secret key to ensure security. A simple approach nests the key and message within the hash, such as $ \text{MAC}_k(m) = H(k | m) $, where $ H $ denotes the hash function, $ k $ is the secret key, $ m $ is the message, and $ | $ represents concatenation.^[16] However, this naive construction is vulnerable to length-extension attacks, where an adversary, given a valid tag for message $ m $, can compute a tag for an extended message $ m' = m | \text{pad} | \text{extension} $ without knowledge of $ k $, exploiting the iterative structure of Merkle-Damgård hash functions like MD5 or SHA-1.^[16] To address these vulnerabilities, the HMAC construction was developed, providing a robust method for keying hash functions. HMAC is defined as

$$\text{HMAC}_k(m) = H\left( (\overline{k} \oplus \text{opad}) \| H\left( (\overline{k} \oplus \text{ipad}) \| m \right) \right),$$

where $ \overline{k} $ is the key $ k $ padded to the block size of $ H $, $ \text{ipad} = 0x36 $ repeated across the block, and $ \text{opad} = 0x5c $ repeated across the block.^[23] The inner hash computes $ H((\overline{k} \oplus \text{ipad}) | m) $, which processes the message after key-dependent padding, while the outer hash applies the outer padding to produce the final tag. This double-nesting with XOR-based padding prevents length-extension attacks by ensuring that the intermediate value is not directly reusable for extensions, as the outer key modification disrupts the hash's internal state.^[16] The security of HMAC reduces to the collision resistance of the underlying hash function $ H $. Specifically, if $ H $ is weakly collision-resistant, then HMAC is a secure MAC, with the proof establishing that any forgery against HMAC implies a collision in $ H $, under the assumption that the hash behaves as a pseudorandom function when keyed appropriately.^[16] This reduction holds for iterative hash functions, making HMAC provably secure as long as $ H $ resists collisions, even if it is not a full ideal hash.^[16] Hash-based MACs like HMAC offer significant advantages in efficiency, particularly for messages of arbitrary length, as they avoid the block size limitations inherent in cipher-based alternatives and require only a single pass over the data after the inner hash.^[23] Their simplicity and compatibility with widely available hash functions further enhance their practicality for software implementations.^[16]

Block Cipher-Based MACs

Block cipher-based message authentication codes (MACs) adapt standard encryption modes to produce authentication tags from a secret key and a message, leveraging the underlying block cipher's pseudorandom properties. The most straightforward construction is the cipher block chaining (CBC) MAC, designed for fixed-length messages that are exact multiples of the block size. In CBC-MAC, the message $ m = m_1 \parallel m_2 \parallel \cdots \parallel m_t $, where each $ m_i $ is a block, is processed sequentially: the first block is encrypted directly with the key $ k $, and each subsequent block is XORed with the previous ciphertext before encryption. The final ciphertext block serves as the MAC tag: $ \text{MAC}k(m) = C_t $, where $ C_1 = E_k(m_1) $, $ C_i = E_k(m_i \oplus C{i-1}) $ for $ i = 2, \dots, t $, and $ E $ is the block cipher.^[24] This mode initializes with a zero IV and requires no padding, ensuring efficiency for predefined message lengths.^[24] However, CBC-MAC is insecure for variable-length messages due to length-extension attacks, where an adversary can forge tags by appending blocks without knowing the key. To address this, extensions like CMAC (also known as OMAC1) introduce subkey generation and conditional padding to handle arbitrary lengths securely. In CMAC, two subkeys $ K_1 $ and $ K_2 $ are derived from the master key $ k $ by encrypting a zero block and applying left shifts with XORed constants based on carry bits, typically using a 128-bit block cipher like AES for derivation. The message is padded to the block length: if the last block is full, it is XORed with $ K_1 $; if partial, it is right-padded with a '1' bit and zeros, then XORed with $ K_2 $. The CBC chaining then proceeds as in basic CBC-MAC, with the final block as the tag, truncated if needed. This construction provably achieves security for messages of any length, with a birthday bound on forgery probability when the tag is shorter than the block size.^[25][26] For scenarios demanding higher throughput, such as hardware implementations with multiple processing units, parallelizable variants like PMAC offer an alternative to sequential chaining modes. PMAC partitions the message into blocks and applies the block cipher in parallel to each, using a key-derived tweak sequence (often based on a Gray code progression) to XOR with blocks before encryption; the results are then summed modulo 2 in the finite field of the block size to produce the tag. This allows all but the final (padded) block to be computed concurrently, reducing latency in parallel environments while maintaining provable security. PMAC requires approximately one block-cipher invocation per message block, similar to CBC-MAC, but its parallelism suits high-speed applications.^[27] The security of these block cipher-based MACs reduces to the pseudorandom function (PRF) security of the underlying block cipher, ensuring that distinguishing the MAC from a random function requires roughly $ 2^{b/2} $ queries, where $ b $ is the block size (typically 128 bits for modern ciphers like AES). Forgery attacks are thus infeasible under standard models, with the authentication tag length usually matching the block size at 128 bits to achieve full security strength, though truncation to 64 or 96 bits is sometimes used with adjusted bounds.^[24][25][27]

Specialized Variants

One-Time MACs

One-time message authentication codes (MACs) are cryptographic primitives designed to ensure message integrity and authenticity under the restriction that each key is used to authenticate at most one message, providing security guarantees that hold only for this single-use scenario.^[28] This approach contrasts with multi-use MACs by relying on information-theoretic principles rather than computational hardness assumptions, making it suitable for settings where unconditional security is desired.^[13] The foundational construction, introduced by Wegman and Carter, employs a strongly universal hash family $ H $ to compute a tag for a message $ m $.^[28] Specifically, given a key $ k $ that selects a hash function $ h_k \in H $, and a random one-time pad $ s $ from the tag space $ T $, the tag is generated as

$$t = h_k(m) \oplus s,$$

where $ \oplus $ denotes bitwise XOR, and $ h_k(m) $ maps the message to an element in $ T $.^[28] Verification by the receiver, who shares $ k $ and $ s $, recomputes $ h_k(m) \oplus s $ and checks equality with the received tag.^[28] The strongly universal property ensures that for any two distinct messages, the hash values are nearly uniformly random and independent, bounding the adversary's forgery probability.^[28] In theoretical applications, one-time MACs achieve information-theoretic security, where the probability of an adversary forging a valid tag for a new message is at most $ \epsilon + \frac{1}{|T|} $, with $ \epsilon $ determined by the hash family's universality parameter and $ |T| $ the tag space size, without relying on unproven computational assumptions.^[28] This makes them ideal for analyzing secure communication in models with unlimited computational power, such as in quantum-resistant cryptography or protocol proofs requiring perfect security.^[13] However, their single-use requirement leads to key exhaustion after one authentication per key pair, rendering them impractical for scenarios involving multiple messages without key generation overhead.^[28] Additionally, the tag length must match the hash output size, often necessitating large keys and pads that increase communication costs.^[28]

Deterministic vs. Probabilistic MACs

Message authentication codes (MACs) are classified as deterministic or probabilistic based on whether their tag generation process incorporates randomness. In deterministic MACs, the tag generation algorithm takes a secret key $k$ and message $m$ as inputs and produces a fixed tag $t$ such that the same inputs always yield the same output; this is the standard construction for most practical MACs, including those based on pseudorandom functions (PRFs), ensuring a unique valid tag per message under the unforgeability under chosen-message attack (UF-CMA) security definition.^[29] Such MACs are vulnerable to replay attacks, where an adversary can resend a previously authenticated (message, tag) pair, as the verification will succeed without additional context like timestamps or counters.^[30] Probabilistic MACs, in contrast, include a source of randomness—such as a random salt or nonce—during tag generation, resulting in potentially multiple valid tags for the same (key, message) pair; this requires security against unforgeability under chosen-message and verification attacks (UF-CMVA) to prevent forgeries via verification oracle queries.^[29] The randomness enhances resistance to replay attacks by ensuring each tag is unique and non-reusable, as the probability of collision is negligible. Key trade-offs between the two arise in efficiency, security, and applicability. Deterministic MACs offer simplicity in implementation and storage, producing compact tags without overhead for randomness management, making them suitable for scenarios where replay protection is handled externally. Probabilistic MACs, while providing built-in replay resistance, typically require larger tag sizes to accommodate the random component and may demand stronger computational assumptions (e.g., decisional Diffie-Hellman) for efficiency, though they excel in real-time protocols like two-round authentication where uniqueness is critical.^[29] In practice, probabilistic approaches are less common due to these size and complexity costs but enable constructions from weaker assumptions compared to PRF-based deterministic MACs.^[31] A hybrid approach mitigates replay vulnerabilities in deterministic MACs by incorporating an external nonce or sequence number into the message before tagging, effectively rendering the scheme probabilistic per invocation without modifying the underlying MAC algorithm; for instance, in TLS 1.2, the HMAC computation includes an implicit 64-bit sequence number to detect replays or reorders.^[30] This method balances the efficiency of deterministic MACs with the security benefits of uniqueness, commonly used in network protocols to ensure forward progress without full randomization.^[30]

Standards and Implementations

Key Standards

The National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 198-1 defines the Keyed-Hash Message Authentication Code (HMAC) as a mechanism for message authentication using cryptographic hash functions, serving as an approved standard for ensuring data integrity and authenticity in U.S. federal systems.^[3] Published in July 2008 (superseding the original 2002 version), it remains current as of November 2025, though NIST proposed its withdrawal in June 2025 to relocate the content to a Special Publication (SP 800-224) without impacting validation processes.^[3][32] As a FIPS publication, HMAC under FIPS 198-1 is mandatory for federal agencies handling sensitive unclassified information where cryptographic authentication is required.^[3] The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) jointly publish ISO/IEC 9797, a multi-part standard specifying mechanisms for generating message authentication codes (MACs) to verify data integrity. Part 1 (ISO/IEC 9797-1:2011) details six MAC algorithms that employ a secret key and an n-bit block cipher to produce an m-bit MAC, applicable to various security architectures and processes.^[33] This part covers block cipher-based modes and was confirmed current in 2022, with an amendment in 2023.^[33] Part 2 (ISO/IEC 9797-2:2021) addresses MAC algorithms using a dedicated hash function (or its components) with a secret key to generate an m-bit MAC, building on frameworks like ISO/IEC 10181-6 for integrity services.^[34] Together, these parts provide international guidelines for both block cipher and hash-based MAC constructions, excluding key management details.^[33][34] The Internet Engineering Task Force (IETF) has standardized key MAC algorithms through its Request for Comments (RFC) series, promoting interoperability in network protocols. RFC 2104 (February 1997) specifies HMAC, enabling message authentication via keyed hashing with functions like MD5 or SHA-1, and supports key lengths up to the hash block size while allowing truncation for efficiency.^[35] RFC 4493 (June 2006) defines AES-CMAC, an authentication mode based on the Advanced Encryption Standard (AES-128) using the Cipher-based MAC (CMAC) construction, which generates a 128-bit tag (optionally truncated to at least 64 bits) for data origin authentication and integrity in IPsec and similar protocols.^[36] These RFCs underpin widespread adoption of HMAC and AES-CMAC in internet standards.^[35][36] MAC standards have evolved significantly with advances in cryptographic primitives, notably the deprecation of the Data Encryption Standard (DES) by NIST in 2005 due to its vulnerability to brute-force attacks, which rendered single-DES insufficient for protecting federal information.^[37] This withdrawal prompted a shift toward AES-based MACs, as AES (standardized in FIPS 197 in 2001) offered superior security and performance, influencing updates in standards like ISO/IEC 9797 and IETF RFC 4493 to prioritize AES-CMAC over DES-derived modes.^[37][36]

Practical Algorithms

HMAC-SHA-256 is a widely adopted hash-based message authentication code constructed using the SHA-256 hash function, producing a 256-bit output tag.^[38] The key can be of any length, but keys longer than the 64-byte block size of SHA-256 are first hashed to fit within that size, allowing effective key sizes up to 64 bytes.^[39] It is commonly used in protocols such as IPsec for integrity protection in VPNs, where it pairs with AES-CBC mode.^[40] HMAC-SHA-256 also serves as the authentication mechanism in TLS 1.3 cipher suites, ensuring message integrity during secure connections.^[41] In terms of performance, HMAC-SHA-256 achieves approximately 8 cycles per byte on modern Intel Skylake processors for typical workloads.^[42] AES-CMAC, or CMAC based on the AES block cipher, operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits, matching AES variants.^[6] It generates a 128-bit authentication tag, though truncation to at least 64 bits is permitted for some applications while maintaining security.^[43] Specified in NIST Special Publication 800-38B, published in May 2005, AES-CMAC provides authenticity for binary data and is suitable for environments requiring block cipher integration.^[26] On hardware with AES-NI instructions, such as Intel processors, AES-CMAC benefits from acceleration, achieving speeds around 3.3 cycles per byte in software implementations, with parallel variants reaching 1.65 cycles per byte.^[44] Poly1305 is a high-speed, one-time message authentication code often paired with the ChaCha stream cipher for key derivation, producing 128-bit tags from a 256-bit one-time key.^[45] Defined in RFC 8439 from June 2018, it uses a polynomial evaluation over a prime field for efficiency, making it particularly effective in software without specialized hardware.^[45] Poly1305 excels in scenarios demanding fast authentication, such as in the ChaCha20-Poly1305 AEAD construction, where it contributes to overall throughputs of about 1.33 cycles per byte on modern CPUs.^[46] Its design prioritizes low overhead for variable-length messages, outperforming traditional MACs like HMAC-SHA-1 in short-packet authentication on resource-constrained platforms.^[47]

Applications and Examples

Common Use Cases

Message authentication codes (MACs) are integral to securing network protocols, where they ensure the integrity and authenticity of transmitted data. In TLS versions such as 1.2, the record layer employs MACs during the handshake to protect message integrity, incorporating a sequence number to prevent replay attacks.^[30] Similarly, the Internet Protocol Security (IPsec) Authentication Header (AH) mode utilizes MACs to provide connectionless integrity and data origin authentication for IP datagrams, authenticating the entire packet excluding mutable fields. In software integrity applications, MACs facilitate secure API authentication in RESTful services by generating a keyed hash of the request payload and parameters, allowing servers to verify the sender and detect tampering without relying on public-key infrastructure.^[48] Hardware systems leverage MACs in secure boot processes to validate firmware images before execution, where a device computes a MAC over the firmware using a stored key and compares it to an embedded tag, halting boot if discrepancies indicate compromise.^[49] As of 2025, emerging applications include IoT device authentication, where lightweight MACs enable efficient mutual verification in resource-constrained networks, supporting broadcast schemes for group communications.^[50] In some research proposals for blockchain systems, such as those integrating IoT, MACs are used to authenticate message integrity in distributed ledgers, enhancing security in peer-to-peer validations.^[51]

Illustrative Example

To illustrate the use of a message authentication code (MAC), consider a scenario where Alice sends a bank transfer instruction to Bob over an insecure channel: the message $ m = $ "Pay 100 to Alice". Alice and Bob share a secret symmetric key, and they employ HMAC-MD5 to authenticate the message, ensuring its integrity and origin. Although HMAC-MD5 was once common, MD5 is now considered insecure for cryptographic purposes due to vulnerabilities like collision attacks, and stronger alternatives like HMAC-SHA-256 are recommended today.^[35] The process begins with key generation. The shared key $ k $ is a random 128-bit (16-byte) value, such as $ k = 0x0123456789abcdef0123456789abcdef $ (generated securely using a cryptographically strong random number generator). To create the MAC tag, Alice computes the HMAC as follows: first, pad the key to the MD5 block size of 64 bytes with zeros if necessary; XOR the padded key with the inner padding constant (a block of 0x36 bytes) and append the message $ m $; compute the MD5 hash of this inner input to get an intermediate hash value; then, XOR the padded key with the outer padding constant (a block of 0x5c bytes) and append the intermediate hash; finally, compute the MD5 hash of this outer input to produce the 128-bit (32-hex-digit) tag. This tag, say a value like 0x9294727a3638bb1c13f48ef8158bfc9d (from a standard test case illustrating the output format), is appended to the message and transmitted.^[35][52] Upon receipt, Bob performs verification by recomputing the HMAC using the same key $ k $ and the received message $ m $, then comparing the resulting tag to the received one. If they match exactly, Bob accepts the message as authentic and unaltered. The HMAC construction relies on nested hashing with key-derived padding to bind the key inseparably to the message.^[35] If an attacker modifies the message during transmission—for instance, changing it to "Pay 200 to Alice"—Bob's recomputation will produce a different tag that does not match the received one, causing verification to fail and alerting Bob to potential tampering. This property ensures that even a single-bit alteration in the message results in a completely different tag with overwhelming probability.^[35]