S2K, specified in RFC 4880 § 3.7.1.3, is a KDF designed for the OpenPGP standard which concatenates a password and salt and feeds this, repeating, into a hash function for a configurable number of bytes. PBKDF2, specified in RFC 2898 § 5.2, is a KDF which uses a hash function in HMAC mode and iterates it a configurable number of times over previous output.
Assuming standard optimizations for PBKDF2 are used (precomputing the hash state for the inner and outer key), is there any difference in security between S2K and PBKDF2 if they both run the same number of hash compressions? For example, does one of the schemes rely on stronger assumptions about the underlying hash?
