
Andrey Semashev wrote:
> I think HashAlgorithm should allow implementations to use the seed arguments to the hash algorithm constructors as salt, i.e. the constructor would implicitly call update().

No, this is a bad practice and should never be used. As I already said, the algorithm should at minimum include the size of the seed, and then pad to a multiple of the block size. This is not just something I made up; it's existing practice. See for instance how KMAC is defined in https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf

If not that, you should at minimum include the hash of the seed in the initial prefix, instead of (or in addition to) the seed, like HMAC does. Don't forget to pad to a multiple of the block size.
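
The difference between the two positions above, as an added example that is not part of the original thread or of any library's code: a seed fed through a plain `update()` cannot be told apart from message bytes, while a length-framed or hashed seed prefix padded to the block size can. SHA-256, the 8-byte little-endian length encoding, zero padding and all function names are assumptions chosen for the illustration.

```python
import hashlib


def naive_seeded(seed: bytes, message: bytes) -> bytes:
    """Seed used as a plain salt: the constructor just calls update(seed)."""
    h = hashlib.sha256()
    h.update(seed)
    h.update(message)
    return h.digest()


def pad_to_block(prefix: bytes, block_size: int) -> bytes:
    """Zero-pad the prefix up to the next multiple of the block size."""
    return prefix + b"\x00" * (-len(prefix) % block_size)


def length_framed_seeded(seed: bytes, message: bytes) -> bytes:
    """Prefix is seed length plus seed, padded to whole blocks."""
    h = hashlib.sha256()
    # Assumed encoding for this example: 8-byte little-endian seed length.
    prefix = len(seed).to_bytes(8, "little") + seed
    h.update(pad_to_block(prefix, h.block_size))
    h.update(message)
    return h.digest()


def hashed_seed_seeded(seed: bytes, message: bytes) -> bytes:
    """Prefix is the hash of the seed, padded to whole blocks."""
    h = hashlib.sha256()
    prefix = hashlib.sha256(seed).digest()
    h.update(pad_to_block(prefix, h.block_size))
    h.update(message)
    return h.digest()


def boundary_collides(seeded_hash) -> bool:
    """True if moving a byte from the seed into the message keeps the digest."""
    # Constructed inputs: same concatenation, different seed/message split.
    return seeded_hash(b"ab", b"c") == seeded_hash(b"a", b"bc")


if __name__ == "__main__":
    for fn in (naive_seeded, length_framed_seeded, hashed_seed_seeded):
        print(f"{fn.__name__}: boundary collision = {boundary_collides(fn)}")
```

Because the padded prefix always ends on a block boundary, the state after absorbing it can be computed once per seed and reused for every message.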