Just read the full protocol description - does anyone know why PBKDF-SHA256 is used in steps 3 and 7? As far as I can tell, the input key material in both cases is high-entropy; what does a PBKDF do that e.g. HKDF couldn't?
PBKDF2-SHA256 is used with an iteration count of 1, so it doesn't make the computation any more expensive.
I'm using PBKDF2-SHA256 to fulfill the role of "something which has the same cryptographic strength as SHA256, but produces an arbitrary length output".
Have you looked at the new SHA-3 for this? Seems like you're looking for something like a sponge function. (It's obviously fine as-is, I was just curious)
