Something that never stops bothering me is this bizarre construction in HOTP (RFC 4226):
/* Dynamic truncation, RFC 4226 section 5.3: hmac_result is the 20-byte HMAC-SHA-1 output */
int offset = hmac_result[19] & 0xf;
int bin_code = (hmac_result[offset] & 0x7f) << 24
             | (hmac_result[offset+1] & 0xff) << 16
             | (hmac_result[offset+2] & 0xff) << 8
             | (hmac_result[offset+3] & 0xff);
What's the point of the dynamic array indexing? Why risk modulo bias with a 32-bit integer modulo 10^6 instead of just, y'know, taking the whole hash and reducing that?
I don't think anybody's been able to really explain it so far, either, and it seems to have been born out of weird superstitions people had in the dark ages of cryptography.
@rq Also the whole offset business is weird.
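As an added example (not part of the thread above), here is RFC 4226's dynamic truncation next to the whole-hash reduction the first post asks about, checked against the RFC's Appendix D test vectors, plus a helper that quantifies the modulo bias of reducing a 31-bit value mod 10^6; `whole_hash_reduce` and `modulo_bias_ratio` are my own names, not RFC terms.

```python
import hashlib
import hmac
import struct


def hotp_hmac(secret: bytes, counter: int) -> bytes:
    """HMAC-SHA-1 over the 8-byte big-endian counter, as in RFC 4226 section 5.3."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()


def dynamic_truncate(hmac_result: bytes) -> int:
    """RFC 4226 dynamic truncation: the low nibble of the last byte picks a 4-byte
    window (offset 0..15 always fits in 20 bytes) and the top bit of that window is
    masked off, so the result is a non-negative 31-bit integer."""
    offset = hmac_result[19] & 0x0F
    return ((hmac_result[offset] & 0x7F) << 24
            | (hmac_result[offset + 1] & 0xFF) << 16
            | (hmac_result[offset + 2] & 0xFF) << 8
            | (hmac_result[offset + 3] & 0xFF))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Full HOTP value: truncate, reduce mod 10^digits, zero-pad."""
    return str(dynamic_truncate(hotp_hmac(secret, counter)) % 10 ** digits).zfill(digits)


def whole_hash_reduce(hmac_result: bytes, digits: int = 6) -> str:
    """The alternative from the post: treat all 160 bits as one integer and reduce it."""
    return str(int.from_bytes(hmac_result, "big") % 10 ** digits).zfill(digits)


def modulo_bias_ratio(bits: int, modulus: int) -> float:
    """Ratio between the most and least likely residues when a uniform `bits`-bit
    integer is reduced mod `modulus` (1.0 means no bias)."""
    q, r = divmod(1 << bits, modulus)
    return (q + 1) / q if r else 1.0


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    for counter in range(3):
        digest = hotp_hmac(secret, counter)
        print(counter, digest.hex(), hotp(secret, counter), whole_hash_reduce(digest))
    print("31-bit bias:", modulo_bias_ratio(31, 10 ** 6), "160-bit bias:", modulo_bias_ratio(160, 10 ** 6))
```

The 31-bit window makes the most likely residue about 0.05% more likely than the least likely one (2148/2147), which is negligible for a 6-digit code but non-zero, whereas the whole-hash reduction removes the bias in practice.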