Gmaxwell pointed out that we could safely front-load all the key pre-stretching. The spec has been updated to take advantage of this.

The user's password is now protected by 10,000 rounds of salted PBKDF2-HMAC-SHA512, as well as the main KDF (which ranges from scrypt 2^14/8/8 to scrypt 2^18/16/16 and PBKDF2-HMAC-SHA512 2^16 to 2^21).

Will

On Mon, Apr 21, 2014 at 7:05 PM, William Yager <will.yager@gmail.com> wrote:

The idea is that more powerful devices (mobile phones, laptops, etc.) can do all the key-stretching on their own, whereas weaker devices with access to another device with more computing power (like Trezors) do a fair amount of key-stretching on their own, but can safely export the rest of the key-stretching to the other device.