@filippo @juliank
Or maybe even have each higher one be a function of the previous one, getting rid of any necessity of precomputation. (If we had an ideal PRF this would obviously work, but I'm not sure what function would work as the "step" function here in practice though.)
@robryk @filippo @juliank it's not a terrible idea assuming old backups aren't disclosed and assuming no threat actor can maintain silent access. But otherwise that fails to increase the work required for an attack.
The best solution is to signal to the client that rekeying is necessary.