keybase / triplesec

Triple Security for the browser and Node.js

Home Page: https://keybase.io/triplesec


After Scrypt, run PBKDF2-HMAC-SHA512-SHA3 for a few iterations

maxtaco opened this issue · comments

Right now, we're relying on PBKDF2-HMAC-SHA512-SHA3 as the final stage of key stretching, but that means we're vulnerable to a bug in SHA-512 leaving correlations among adjacent blocks (and thereby weakening the cipher cascade). I think the simple thing to do is a quick PBKDF2 with HMAC-SHA512 XOR HMAC-SHA3 as a finishing pass on the output of Scrypt.

Some progress, I implemented the KDF in keybase/python-triplesec@d8a1529

Is this still an issue with the switch to Argon2 in #51?
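
The finishing pass proposed in the opening post, as an added example that is not TripleSec's or python-triplesec's code: a generic PBKDF2 whose PRF is HMAC-SHA512 XOR HMAC-SHA3-512, keyed with the scrypt output. The function names, the scrypt cost parameters, the salt reuse, the iteration count of 4 and the use of standardized SHA3-512 are assumptions, so the output is not meant to match any TripleSec version.

```python
import hashlib
import hmac
import struct


def xor_prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA512(key, msg) XOR HMAC-SHA3-512(key, msg), 64 bytes.

    A structural weakness in one hash alone is masked by the other,
    as long as the two outputs are not related to each other.
    """
    a = hmac.new(key, msg, hashlib.sha512).digest()
    b = hmac.new(key, msg, hashlib.sha3_512).digest()
    return bytes(x ^ y for x, y in zip(a, b))


def pbkdf2(prf, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) with a pluggable PRF instead of a fixed HMAC."""
    out = b""
    block = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = XOR of all U_j
        u = prf(password, salt + struct.pack(">I", block))
        t = u
        for _ in range(iterations - 1):
            u = prf(password, u)
            t = bytes(x ^ y for x, y in zip(t, u))
        out += t
        block += 1
    return out[:dklen]


def stretch(passphrase: bytes, salt: bytes, dklen: int, finish_iters: int = 4) -> bytes:
    """scrypt does the expensive work; a short XOR-PRF PBKDF2 expands the result."""
    # Assumption: small demo cost parameters, not a production recommendation.
    mid = hashlib.scrypt(passphrase, salt=salt, n=2**10, r=8, p=1, dklen=64)
    # Assumption: the scrypt output is the PBKDF2 password and the salt is reused.
    # Every output block now depends on both SHA-512 and SHA3-512.
    return pbkdf2(xor_prf, mid, salt, finish_iters, dklen)


if __name__ == "__main__":
    # Constructed sample inputs.
    keys = stretch(b"correct horse battery staple", b"constructed-salt", 160)
    print(len(keys), keys[:16].hex())
```

Because `pbkdf2` takes the PRF as a parameter, it can be checked against `hashlib.pbkdf2_hmac` with a plain HMAC-SHA512 PRF before trusting it with the combined one.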