On Mon, May 1, 2017 at 7:54 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> I was looking at Samuel's (CC'd) AVX2 optimized implementations of
> Blake2 [1] and noticed there wasn't any implementation for Blake2s.
> Samuel explained to me that blake2s and blake2b don't naturally
> parallelize, which is why the blake2sp and blake2bp variants exist;
> these nicely parallelize, so fast implementations are possible. Given
> that Noise is pretty hash-heavy, we have good reason to be interested
> in fast hash functions.

Is it, really? ("hash-heavy").  The hash is just used during the
handshake, where there's all the public-key ops.

Noise does lots of small-message hashing (including HMAC and HKDF),
plus hashing the "e" and "s" tokens, where I imagine this wouldn't
help much or at all.  And I assume it's more complex and less widely

It's easy to just do it if you use the "BLAKE2sp" name, but at first
glance I'm skeptical this would be a good recommendation for the core


