Use scrypt as the key derivation function

[LeftyBC]

Currently we use PBKDF2 to derive the AES key for encryption/decryption.

A better alternative would be scrypt, or the HKDF from whatever HMAC function we end up choosing.

[kisom]

It might be useful to have scrypt give you the the 48 bytes you need for AES-256-CTR with HMAC-SHA-256, or just 32 bytes for AES-256-GCM.

[LeftyBC]

Will CTR mode work for multiparty systems? Would all parties need to agree on the counter, or is it stored within the message somehow?

[kisom]

With CTR you generally generate a random counter that you can prepend to the message (inside the MAC). This does add 16 bytes of overhead, but it's the most robust way.