Hash(message) can be replaced with PRF(key, message) to support the use of HMAC, which NIST would likely prefer. This then helps with only hashing the password once (discussed in #14) and adding a pepper (#7).
However, to support ordinary hash functions still, prefix MAC can be used, padding the key to the block size to induce a random IV. When the hash function supports a key parameter (e.g., keyed BLAKE2), that can be used instead, which basically does the same thing internally.
Generation of the pseudorandom bytes won't use the same key to stay password-independent.
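The three ways of obtaining PRF(key, message) described above, as an added sketch that is not code from this project. The helper name `prf`, its `mode` argument, padding the key with zero bytes, and rejecting over-long keys are all assumptions made for illustration.

```python
import hashlib
import hmac


def prf(key: bytes, message: bytes, hash_name: str = "sha256", mode: str = "hmac") -> bytes:
    """PRF(key, message) from a hash function (hypothetical helper, not the project's API)."""
    if mode == "hmac":
        return hmac.new(key, message, hash_name).digest()
    if mode == "keyed":
        # Native key parameter; in hashlib only BLAKE2 offers one.
        if hash_name not in ("blake2b", "blake2s"):
            raise ValueError("hash has no key parameter")
        ctor = getattr(hashlib, hash_name)
        if len(key) > ctor.MAX_KEY_SIZE:
            raise ValueError("key too long for keyed BLAKE2")
        return ctor(message, key=key).digest()
    if mode == "prefix":
        # Prefix MAC: Hash(pad(key) || message). The padded key fills exactly
        # one block, so the state after that block acts as a key-dependent IV.
        # Zero padding is an assumption. With Merkle-Damgard hashes such as
        # SHA-256 the raw output is length-extendable, so it must not be
        # exposed where an attacker can choose what gets appended.
        h = hashlib.new(hash_name)
        if len(key) > h.block_size:
            raise ValueError("key longer than one block")
        h.update(key.ljust(h.block_size, b"\x00"))
        h.update(message)
        return h.digest()
    raise ValueError("unknown mode")


if __name__ == "__main__":
    key = bytes(range(32))            # constructed sample key
    msg = b"constructed sample msg"   # constructed sample message
    for name, mode in [("sha256", "hmac"), ("sha256", "prefix"),
                       ("blake2b", "keyed"), ("blake2b", "prefix")]:
        print(f"{name:8} {mode:6} {prf(key, msg, name, mode).hex()}")
```

Keyed BLAKE2 and a prefix MAC over unkeyed BLAKE2 feed the same padded key block to the compression function, but their digests differ because BLAKE2 also encodes the key length in its parameter block.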