I understand that it is important to use well known and well tested hashing algo
ID: 660023 • Letter: I
Question
I understand that it is important to use well known and well tested hashing algorithms instead of designing my own. For such there often are reference implementations available, which initialize the needed constants with manually picked random numbers.
When I use such implementations, does it improve security to pick custom constants? I would expect an attacker to use the most likely values when bruteforcing my hashes, which are those from the reference.
A strong cryptographic hashing algorithm shouldn't be breakable, not even with rainbow tables when using salting. So from a theoretic point, there shouldn't be much of a difference. However, I'm not an expert so I'd like to hear what you say.
Explanation / Answer
No, due to reasons you have already stated: Don't design your own algorithms. You can achieve resistance from rainbow tables by using unique salts, no need to mess with the constants of your hashing algorithm. The algorithms have been subject to thorough cryptoanalysis by international experts, like for NIST SP800-90 Dual Ec Prng, its likely you won't have the resources to do the same for your constants. However, in most cases the numbers are chosen very randomly. You might even have advantages from chosing your own constants, in some cases, but I still don't recommend it.