Messages

I think S_exp needs to be taken mod N, yes?

I thought taking (Sbase ^ Sexp) % n was sufficient?  I cross referenced this with the bncsutils code and that is what they have also as far as I can tell.

Yes you are right, and with that it looks to me like your operations are in order for S.

My notes have:
Sc = (((n+B-v) % n) ^ (xu+a)) % n

And you have:
tmp = B
Sbase = n
Sbase += tmp
Sbase -= v
Sbase %= n
Sexp = x
Sexp *= u
Sexp += a
Sc = (Sbase ^ Sexp) % n

These seem like equal operations so I am going to have to assume your S function is correct barring library issues.

As a side note, in your K function it seems to me like odd and even are oppositely named, this shouldn't effect your result though.

Not totally sure about this, but your derivation of 'u' seems off.  Should you not treat it similarly to x and run storm.SBigFromBinary(u, hash, 20); on it?  Instead you are doing something different which could be causing the problem