Avoid unnessarily duplicating HKDF work by using separate "expand" and "extract" steps. #61
Description
As noted by Martin here, we currently do unnecessary work when deriving key material, because our crypto backend only exposes a single hkdf_sha256 operation. If it instead exposed separate hkdf_sha256_extract and hkdf_sha256_expand operations, we could save a few iterations of the hash function by doing a single extract and then multiple expands.