On Mon, Dec 27, 2010 at 8:07 PM, Kjell Wooding <kj...@openbsd.org> wrote:
> My question: Why? What exactly are we protecting against, and is this really
> protection? (the comment indicates "some recognizable output pattern", but
> that means little to me as is) Can we really be sure it doesn't make things
> worse?
>
> Is this done elsewhere, or is it our particular brand of voodoo?

First thought would be, in the event that there's a bias in MD5 (bit
12 is set 75% of the time), it would "help"?  No, it doesn't.

Maybe if output bit 12 is always the same as input bit 12 and we want
to avoid revealing the input?  That would work, assuming the xor bit
is random.

Despite its flaws, MD5 doesn't have any biases I'm aware of and should
have an even distribution of bits, so the fold neither adds anything
nor takes any more away (other than the obvious cut half).
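
An added example, not part of the original message and not OpenBSD code: a small measurement of how often each bit is set in MD5 output, before and after folding. It assumes the fold under discussion XORs the first half of the digest into the second half; the input strings and the names fold, bit_frequencies and survey are constructed for this illustration.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """XOR the first half of a digest into the second half (assumed fold)."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def bit_frequencies(samples):
    """Return, for each bit position, the fraction of samples with it set."""
    samples = list(samples)
    nbits = len(samples[0]) * 8
    counts = [0] * nbits
    for sample in samples:
        value = int.from_bytes(sample, "big")
        for i in range(nbits):
            counts[i] += (value >> i) & 1
    return [c / len(samples) for c in counts]


def max_deviation(freqs):
    """Largest distance of any bit's frequency from the ideal 0.5."""
    return max(abs(f - 0.5) for f in freqs)


def survey(n=20000):
    """Hash n constructed inputs; compare bit balance of full and folded output."""
    digests = [hashlib.md5(b"constructed-input-%d" % i).digest() for i in range(n)]
    full = max_deviation(bit_frequencies(digests))
    folded = max_deviation(bit_frequencies(fold(d) for d in digests))
    return full, folded


if __name__ == "__main__":
    full, folded = survey()
    # Both figures should be sampling noise of the same order.
    print("max deviation from 0.5, full 128-bit digest:", round(full, 4))
    print("max deviation from 0.5, folded 64-bit value:", round(folded, 4))
```

A balanced per-bit frequency says nothing about MD5's collision resistance; it only checks the even-distribution property the message refers to.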
