It scares me to use something other than something random here because any scheme to remember which nonces you've used before seems bug-prone and vulnerable. As for whether it's called a nonce or IV, I've seen it written as both and IV is 3 characters shorter :)
Hi Max! Have you looked into taking the style of cipher-stacking you use for symmetric encryption, and applying it to key-stretching? For example, you might replace PBKDF2 with PBKDF2^bcrypt^scrypt. Similarly for public-key encryption: is there a good reason not to stack RSA and multiple elliptic curves?
I personally think it's very unlikely that any of these algorithms have been broken, but it'd be a good way to restore some faith in cryptography, and introduce a safety factor.
For PBKDF2, we use SHA-512 XOR SHA3 as the inner PRF. But you're right, it would be interesting to stack bcrypt and scrypt too. That's a good idea in the name of maximum paranoia. My slight reservation here is that I haven't seen any published results on combinations of key stretchers (there are several for the other primitives).
As for public key stacking, it depends on the application. The fear with putting encrypted data on a server is that it might sit there for all time and therefore needs to be present- and future-proof. If using public key for signatures, you can plan ahead for your key's expiration. For public key encryption, maybe stacking is the right idea.
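The PBKDF2 arrangement described in the reply above, with the XOR of two HMACs as the inner PRF, sketched as an added example (not code from the thread or from the TripleSec repository). The function names and sample inputs are constructed, and `hashlib.sha3_512` is the standardized SHA-3, so the output is illustrative and is not claimed to match the project's test vectors.

```python
import hashlib
import hmac
import struct

def hmac_sha512(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha512).digest()

def hmac_sha3_512(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha3_512).digest()

def xor_prf(key: bytes, msg: bytes) -> bytes:
    # Combined PRF: both HMACs see the same key and message, outputs are XORed.
    # Both digests are 64 bytes, so no truncation or padding is needed.
    a = hmac_sha512(key, msg)
    b = hmac_sha3_512(key, msg)
    return bytes(x ^ y for x, y in zip(a, b))

def pbkdf2(prf, password: bytes, salt: bytes, iterations: int,
           dklen: int, hlen: int = 64) -> bytes:
    # Generic PBKDF2 (RFC 8018) parameterized over the PRF.
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    out = bytearray()
    blocks = -(-dklen // hlen)  # ceiling division
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = XOR of all U_j
        u = prf(password, salt + struct.pack(">I", i))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(password, u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return bytes(out[:dklen])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample inputs; a real salt is random and the count far higher.
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))

if __name__ == "__main__":
    print(pbkdf2(xor_prf, PASSWORD, SALT, 1000, 96).hex())
```

Because the XOR happens inside the PRF, every iteration's chaining value depends on both hashes, which is different from running two separate PBKDF2 instances and XORing their final outputs.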
Version 3, compatible with the latest test vectors published here: http://keccak.noekeon.org/KeccakKAT-3.zip . Our hope is that the algorithm won't change, but if it does, we'll bump version numbers and support decryptions with the old.
It's all on GitHub. Please let me know of any bugs you find, and thanks. I did test the implementation against whatever test vectors I could find, but obviously carry code is tricky and error-prone. Link here: https://github.com/keybase/triplesec/blob/master/src/ctr.ice...