Gmaxwell pointed out that we could safely front-load all the key pre-stretching. The spec has been updated to take advantage of this. The user's password is now protected by 10,000 rounds of salted PBKDF2-HMAC-SHA512, as well as the main KDF (which ranges from scrypt 2^14/8/8 to scrypt 2^18/16/16 and PBKDF2-HMAC-SHA512 2^16 to 2^21).

Will

On Mon, Apr 21, 2014 at 7:05 PM, William Yager wrote:

> The idea is that more powerful devices (mobile phones, laptops, etc.) can
> do all the key-stretching on their own, whereas weaker devices with access
> to another device with more computing power (like Trezors) do a fair amount
> of key-stretching on their own, but can safely export the rest of the
> key-stretching to the other device.
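The split described in this thread, as an added example that is not part of the original message or of the spec: a weak device runs the 10,000-round PBKDF2-HMAC-SHA512 pre-stretch itself and hands only the result to a helper that runs the main KDF. Assumptions: the pre-stretched key is fed to scrypt as its password input with the same salt, the output is 64 bytes, and the `Helper` class and all function names are hypothetical.

```python
import hashlib

# Parameters quoted in the message; everything else here is an assumption.
PRE_ROUNDS = 10_000                  # salted PBKDF2-HMAC-SHA512 pre-stretch
N, R, P = 2**14, 8, 8                # lightest main-KDF setting named (scrypt 2^14/8/8)
DKLEN = 64                           # assumed output length


def pre_stretch(password: bytes, salt: bytes) -> bytes:
    """Runs on the weak device, the only place the password is handled."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, PRE_ROUNDS)


def main_kdf(pre_key: bytes, salt: bytes) -> bytes:
    """Memory-hard stage. Assumed chaining: pre_key is scrypt's password input."""
    return hashlib.scrypt(pre_key, salt=salt, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=DKLEN)


class Helper:
    """Stands in for the more powerful device and records what it was sent."""

    def __init__(self):
        self.received = []

    def stretch(self, pre_key: bytes, salt: bytes) -> bytes:
        self.received.append(pre_key)
        return main_kdf(pre_key, salt)


def derive_locally(password: bytes, salt: bytes) -> bytes:
    """Phone or laptop: both stages on one device."""
    return main_kdf(pre_stretch(password, salt), salt)


def derive_with_helper(password: bytes, salt: bytes, helper: Helper) -> bytes:
    """Weak device: pre-stretch locally, export only the result.
    A helper that keeps pre_key must still pay PRE_ROUNDS per password guess."""
    return helper.stretch(pre_stretch(password, salt), salt)


if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", b"constructed-salt"  # constructed
    h = Helper()
    assert derive_with_helper(pw, salt, h) == derive_locally(pw, salt)
    print("helper saw:", h.received[0].hex()[:16], "...")
```

Both paths yield the same key, so a device can choose either one without changing what is stored.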