One can efficiently obtain a $\:GF\left(2^n\hspace{-0.02 in}\right)\:$ either by
$\;$ looking up the simplest binary irreducible polynomial of
$\;$ degree $n$ here and verifying that it is in fact irreducible
$\;\;\;$ or
$\;$ using this unconditional and deterministic algorithm to compute such a polynomial
.
For any such $\:GF\left(2^n\hspace{-0.02 in}\right)\:$, $\:$ $\:\left(GF\left(2^n\hspace{-0.02 in}\right)\right)^{\hspace{-0.02 in}*}\:$ is the set of finite tuples of elements of $\:GF\left(2^n\hspace{-0.02 in}\right)\:$, $\:$ and I define
$\operatorname{f}\hspace{-0.03 in}\operatorname{hash} \: : \: GF\left(2^n\hspace{-0.02 in}\right) \times \left(GF\left(2^n\hspace{-0.02 in}\right)\right)^{\hspace{-0.02 in}*} \: \to \: GF\left(2^n\hspace{-0.02 in}\right) \;\;\;$ by $\;\;\; \operatorname{f}\hspace{-0.03 in}\operatorname{hash}(x,\langle c_{\hspace{.02 in}0},...,c_L\rangle) \: = \: \displaystyle\sum_{i=0}^L \left(c_i \cdot x^i\right) \:\:\:$.
(Note that one can store $x^i$ from each term to easily compute $x^{i+1}$ for the next term.)
Since non-constant polynomials of degree $L$ have at most $L$ roots, $\:\operatorname{f}\hspace{-0.03 in}\operatorname{hash}\:$ is
"somewhat universal", that is, for all $(L\hspace{-0.04 in}+\hspace{-0.06 in}1)$-tuples $a$ and $b$ of elements of $\:GF\left(2^n\hspace{-0.02 in}\right)\:$,
the probability for a random choice of $x$ that $\: \operatorname{f}\hspace{-0.03 in}\operatorname{hash}(x,a) = \operatorname{f}\hspace{-0.03 in}\operatorname{hash}(x,b) \:$ is at most $\:\frac{L}{2^n}\;$.
$\{0,\hspace{-0.04 in}1\hspace{-0.03 in}\}^*$ is the set of finite binary strings. $\;\;\;$ Define $\: \operatorname{str2f} : \{0,\hspace{-0.04 in}1\hspace{-0.03 in}\}^* \to GF\left(2^n\hspace{-0.02 in}\right)$
by letting $\operatorname{str2ft}(s)$ be the result of padding $s$ with a single $1$ bit followed by however
many $0$ bits are needed to make the padded string's length a multiple of $n$ and then
splitting the padded string into $n$-bit blocks and interpreting those as field elements.
Define $\: \operatorname{shash} : GF\left(2^n\hspace{-0.02 in}\right) \to \{0,\hspace{-0.04 in}1\hspace{-0.03 in}\}^* \:$ by $\: \operatorname{shash}(x,s) = \operatorname{f}\hspace{-0.03 in}\operatorname{hash}(x,\hspace{-0.02 in}\operatorname{str2ft}(s)) \:$.
Since $\:\operatorname{str2ft}\:$ is injective, $\:\operatorname{shash}\:$ is such that for all binary strings $a$ and $b$
whose lengths are (strictly) less than $\:(L\hspace{-0.04 in}+\hspace{-0.06 in}1) \cdot n\:$, $\:$ the probability for a
random choice of $x$ that $\: \operatorname{shash}(x,a) = \operatorname{fshash}(x,b) \:$ is at most $\:\frac{L}{2^n}\;$.
However, the universality property does not imply security as a MAC.
A simple way to deal with that issue is to let $\:||\:$ denote string concatenation and
and then define $\;\; \operatorname{weakmac} : GF\left(2^n\hspace{-0.02 in}\right) \times \{0,\hspace{-0.04 in}1\hspace{-0.03 in}\}^n \times \left(GF\left(2^n\hspace{-0.02 in}\right)\right)^{\hspace{-0.02 in}*} \: \to \: GF\left(2^n\hspace{-0.02 in}\right) \;\;$ by $\operatorname{weakmac}(\langle x,y\rangle,s) = \operatorname{shash}(x,\operatorname{str2ft}(\hspace{.03 in}y\hspace{.02 in}||\hspace{.03 in}s))\;$. $\;\;\;$ Let $\mathbf{0}$ be the string of $n$ zeros.
Since expanding $\:\operatorname{weakmac}$'s$\:$ definition shows that $\;\; \operatorname{weakmac}(\langle x,y\rangle,s) \: = \: \operatorname{shash}(x,\mathbf{0}\hspace{.01 in}||\hspace{.02 in}s) \:\text{xor}\: y \;\;$,
it follows that for a randomly chosen $y$, the probability of successfully predicting $\operatorname{weakmac}(\langle x,y\rangle,s)$ without previously seeing any of its values is exactly $\frac1{2^n}$, and that seeing only one of its values perfectly hides $x$. $\;\;\;\;$ Thus, in the case of a single-chosen-plaintext forgery attack, we may assume without
loss of generality that the two messages are both chosen independently of $x$. $\;\;\;$ That means the
inputs to $\:\operatorname{shash}\:$ will be independent of $x$ and exactly $n$ bits longer than the inputs to $\:\operatorname{weakmac}\;$.
Therefore the success probability of an exactly-one-chosen-message forgery of $\:\operatorname{weakmac}\:$ in which
both the original and the substituted messages are (strictly) less than $\:L\hspace{-0.03 in}\cdot\hspace{-0.04 in}n\:$ bits long is at most $\:\frac{L}{2^n}\;$.
If one will be authenticating lots of messages, then that will use more key material than necessary.
If either the sender might authenticate a very long message or the verifier might
be willing to accept a very long message, then that probability might be too high.
One could get a much-closer-to-universal hash family by replacing $n$ with $m$ in $\:\operatorname{f}\hspace{-0.03 in}\operatorname{hash}$
for some $m$ such that $\:m< n\:$, $\:$ running the output of the modified $\:\operatorname{shash}\:$ through an
actual universal hash family, and then applying a random degree $d$ polynomial to that output.
That will give a mac such that, for $\:q\leq d\:$, $\:$ the success probability of a
$q$-chosen-message forgery on it in which all chosen messages and the
attempted forged message have length (strictly) less than $\:L\hspace{-0.03 in}\cdot\hspace{-0.04 in}m\:$ bits, is at most
$(1/(2^n))+((L\cdot \hspace{.03 in}$choose$(q\hspace{-0.04 in}+\hspace{-0.05 in}1,2))/(2^m)\:\:$, $\:\:$ and equality holds if and only if $\hspace{.045 in}q=0\hspace{.06 in}$.
The restriction of $\:\operatorname{f}\hspace{-0.03 in}\operatorname{hash}\:$ to $\; GF\left(2^n\hspace{-0.02 in}\right) \times \left(GF\left(2^n\hspace{-0.02 in}\right)\right)^2 \;$ is an actual universal hash from $\:(2\hspace{-0.04 in}\cdot\hspace{-0.03 in}n)$-bit$\:$ strings to $n$-bit strings. $\;\;\;$ If the construction outlined in the previous paragraph is used with that universal
hash family, then it would use $\;(d\hspace{-0.04 in}+\hspace{-0.04 in}4)\cdot n\;$ bits of key material to authenticate up to $d$ messages.
On the other hand, the "simple way" uses $\:2\hspace{-0.04 in}\cdot\hspace{-0.04 in}n\:$ bits of key material to authenticate each message.
