As noted by Martin here, we currently do unnecessary work when deriving key material, because our crypto backend only exposes a single hkdf_sha256 operation. If it instead exposed separate hkdf_sha256_extract and hkdf_sha256_expand operations, we could save a few iterations of the hash function by doing a single extract and then multiple expands.
As noted by Martin here, we currently do unnecessary work when deriving key material, because our crypto backend only exposes a single
hkdf_sha256operation. If it instead exposed separatehkdf_sha256_extractandhkdf_sha256_expandoperations, we could save a few iterations of the hash function by doing a singleextractand then multipleexpands.