Typically, CBC-MAC is a secure MAC for fixed-length messages if the construction uses a pseudorandom function. However, for a secure MAC, we can use a keyed function that is not necessarily pseudorandom. For example, the tag generated by this secure MAC can be the output of a pseudorandom function (F) followed by a string of 0s, i.e., $F_k(message)||0^n$.

My question: how do we construct a secure MAC and use it to replace the pseudorandom function in CBC-MAC, such that CBC-MAC is NOT secure anymore for fixed-length messages? Any hints or clues?

This question is found in "Introduction to Modern Cryptography" by Katz and Lindell.

Zhiyong

0 Answers