
password-hash: common functionality for parallelized password hashing

Open tarcieri opened this issue 4 years ago • 1 comments

There are at least three algorithms in RustCrypto/password-hashes which would benefit from parallelism: argon2, pbkdf2, and scrypt.

However, of those, only pbkdf2 presently has a parallel implementation (using rayon).

It might make sense to provide more general support for parallel password hashing in the password-hash crate, to wrap up the rayon dependency in a higher-level, more reusable way.

(or perhaps the usage is so trivial it won't help, but I thought it's worth discussing)

tarcieri, Jan 29 '21 15:01

Note that pbkdf2 parallelism works only for long output sizes, which DO NOT improve security, i.e. an attacker only needs to brute-force the first output block to trivially compute the remaining blocks. So for the "password hashing" use-case it's not recommended to use output sizes longer than one block, since they increase computational load without meaningfully improving security. This is why I wondered whether it could be worth removing the rayon backend completely from pbkdf2.

newpavlov, Jan 29 '21 15:01
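
The block independence described in the comment above, as an added example that is not part of the original thread or of the RustCrypto code: each PBKDF2 output block T_i (RFC 8018) depends only on the password, salt, iteration count and block index, so blocks can be computed in parallel, and a candidate password can be checked against a long hash by computing block 1 alone. It is written in Python because the standard library ships HMAC-SHA256 and a reference PBKDF2 to compare against; the function names, password, salt and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import struct
from concurrent.futures import ThreadPoolExecutor

HLEN = hashlib.sha256().digest_size  # 32 bytes per PBKDF2-HMAC-SHA256 block

# Constructed sample inputs (not from the thread).
PASSWORD, SALT, ROUNDS = b"correct horse", b"constructed-salt", 1000


def pbkdf2_block(password: bytes, salt: bytes, rounds: int, index: int) -> bytes:
    """Block T_index from RFC 8018: U_1 ^ U_2 ^ ... ^ U_rounds."""
    prf = hmac.new(password, digestmod=hashlib.sha256)  # keyed once, copied per call
    first = prf.copy()
    first.update(salt + struct.pack(">I", index))  # U_1 = PRF(P, S || INT(index))
    u = first.digest()
    acc = int.from_bytes(u, "big")
    for _ in range(rounds - 1):
        step = prf.copy()
        step.update(u)  # U_j = PRF(P, U_{j-1})
        u = step.digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(HLEN, "big")


def pbkdf2_parallel(password: bytes, salt: bytes, rounds: int, dklen: int) -> bytes:
    """Derive dklen bytes; no block needs any other block's result."""
    nblocks = -(-dklen // HLEN)  # ceiling division
    with ThreadPoolExecutor() as pool:  # threads only illustrate the independence
        blocks = pool.map(lambda i: pbkdf2_block(password, salt, rounds, i),
                          range(1, nblocks + 1))
        return b"".join(blocks)[:dklen]


def first_block_matches(guess: bytes, salt: bytes, rounds: int, stored: bytes) -> bool:
    """Check a candidate against a stored hash of any length using block 1 only."""
    return hmac.compare_digest(pbkdf2_block(guess, salt, rounds, 1), stored[:HLEN])


if __name__ == "__main__":
    stored = pbkdf2_parallel(PASSWORD, SALT, ROUNDS, 2 * HLEN)  # defender pays for 2 blocks
    print(stored == hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, ROUNDS, 2 * HLEN))
    print(first_block_matches(PASSWORD, SALT, ROUNDS, stored))  # checker pays for 1 block
```

With a 64-byte output the legitimate verifier does twice the HMAC work of a single-block hash, while the cost of testing one candidate stays at one block, which is why output sizes longer than one block add load without adding resistance to guessing.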