From page 5 of Bernstein's paper, it says to do a simple summation equation of c_q * r ^(q-x+1) from 1 to q and mod the entire thing by 2^130-5, add it to an AES output and mod it by 2^128. However, I cannot seem to get his test vectors. one of them is:
c1 124bcb676f4f39395d883fb0f19ea3c66
c2 1366165d05266af8cdb6aa27e1079e6d7
# so, in this case, q = 2
r 48443d0bb0d21109c89a100b5ce2c208
m(r) mod (2^130 - 5) 1cfb6f98add6a0ea7c631de020225cc8b
k 6acb5f61a7176dd320c5c1eb2edcdc74
n ae212a55399729595dea458bc621ff0e
AES_k(n) 83149c69b561dd88298a1798b10716ef
Poly1305r(m, AES_k(n)) 0ee1c16bb73f0f4fd19881753c01cdbe
i got c1, c2, and AES_k(n), but i cannot get the m(r) mod (2^130 - 5) or the final mac output. What am i missing?
and does anyone even use this mac algorithm?
and yes, i know there is a code right under the description, but being as unable to read other people's codes as i am, please do not berate me for it
my python code for the section is:
(sum([c[x]*(r**(q-x)) for x in xrange(q)])%((1<<130)-5)+int(AES,16))%(1<<128)
i changed the indexes to start from 0 to make it simpler to program. c, r,q and AES are all correct