Balloon has a limited output length, with the paper only discussing it in terms of being a password hashing algorithm, not a password-based key derivation function. By contrast, Wikipedia and NIST call it a PBKDF.
It would be nice to have longer outputs, like with scrypt and Argon2, without bringing in another primitive. For example, by doing something akin to NIST's One-Step KDF or NIST's KDF in Feedback Mode. However, XOF functionality should be used when available, like NIST's KDF using KMAC, but for algorithms such as SHAKE and BLAKE3.
Like #1, this would be a breaking change for existing implementations.
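The two expansion approaches named in the issue above, sketched as an added example that is not part of the original issue or any Balloon implementation. The function names, the `fixed_info` label and `STAND_IN_BALLOON_OUTPUT` (a constructed value standing in for a real Balloon result) are assumptions; SHA-256 and SHAKE256 are chosen only for illustration.

```python
import hashlib
import struct

# Constructed stand-in for a fixed-length Balloon output (NOT a real Balloon hash).
STAND_IN_BALLOON_OUTPUT = hashlib.sha256(b"constructed stand-in").digest()


def one_step_expand(balloon_out: bytes, length: int, fixed_info: bytes = b"") -> bytes:
    """Counter-mode expansion in the shape of NIST SP 800-56C One-Step KDF:
    K(i) = H(counter_i || Z || FixedInfo), counter is 32-bit big-endian from 1."""
    hash_len = hashlib.sha256().digest_size
    if length <= 0:
        raise ValueError("length must be positive")
    reps = -(-length // hash_len)  # ceiling division
    if reps > 0xFFFFFFFF:
        raise ValueError("length too large for a 32-bit counter")
    blocks = [
        hashlib.sha256(struct.pack(">I", i) + balloon_out + fixed_info).digest()
        for i in range(1, reps + 1)
    ]
    return b"".join(blocks)[:length]


def xof_expand(balloon_out: bytes, length: int, fixed_info: bytes = b"") -> bytes:
    """Expansion when the hash is an XOF: ask SHAKE256 for the length directly.
    balloon_out is fixed-length, so plain concatenation with fixed_info is unambiguous."""
    if length <= 0:
        raise ValueError("length must be positive")
    return hashlib.shake_256(balloon_out + fixed_info).digest(length)


if __name__ == "__main__":
    label = b"example-context"  # hypothetical context label
    print(one_step_expand(STAND_IN_BALLOON_OUTPUT, 80, label).hex())
    print(xof_expand(STAND_IN_BALLOON_OUTPUT, 80, label).hex())
```

In both constructions a shorter output is a prefix of a longer one for the same inputs, so bind the requested length into `fixed_info` when differently sized keys must be independent.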