The spec has been updated a bit.

Even if the bulk of the key-stretching work has been outsourced to another device, and that device is compromised, the passphrase is now protected by minimum 8192 rounds of salted PBKDF2-HMAC-SHA512.

The idea is that more powerful devices (mobile phones, laptops, etc.) can do all the key-stretching on their own, whereas weaker devices with access to another device with more computing power (like Trezors) do a fair amount of key-stretching on their own, but can safely export the rest of the key-stretching to the other device.

Will

On Tue, Mar 11, 2014 at 10:17 PM, Jean-Paul Kogelman <jeanpaulkogelman@me.com> wrote:

Hi everyone,

We've been hard at work updating the spec to include features that were requested. We've removed the Scrypt dependency that was present in the initial drafts, added new KDFs, added plausible deniability and have a reference implementation.

Kind regards,

Jean-Paul Kogelman