Re: Which hash function to use, was Re: RFC: Another proposed hash function transition plan

(I was asked to comment on a few points in public by Jonathan.)

I think this group can safely assume that SHA-256, SHA-512, BLAKE2,
K12, etc. are all secure to the extent that I don't believe that making
comparisons between them on that axis is meaningful. Thus I think the
question is primarily concerned with performance and implementation
availability.

I think any of the above would be reasonable choices. I don't believe
that length-extension is a concern here.

SHA-512/256 will be faster than SHA-256 on 64-bit systems in software.
The graph at https://blake2.net/ suggests a 50% speedup on Skylake. On
my Ivy Bridge system, it's about 20%.

(SHA-512/256 does not enjoy the same availability in common libraries however.)

Both Intel and ARM have SHA-256 instructions defined. I've not seen
good benchmarks of them yet, but they will make SHA-256 faster than
SHA-512 when available. However, it's very possible that something
like BLAKE2bp will still be faster. Of course, BLAKE2bp does not enjoy
the ubiquity of SHA-256, but nor do you have to wait years for the CPU
population to advance for high performance.

So, overall, none of these choices should obviously be excluded. The
considerations at this point are not cryptographic and the tradeoff
between implementation ease and performance is one that the git
community would have to make.


Cheers

AGL
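
An added example, not part of the original message: a small Python harness for measuring the software-throughput and library-availability tradeoff described above on your own machine. It assumes Python's `hashlib`; sequential BLAKE2b stands in for BLAKE2bp and K12 is omitted because `hashlib` provides neither, and the 8 MiB zero buffer is constructed input.

```python
import hashlib
import time

# Candidates named in the message. "sha512_256" is OpenSSL's name for
# SHA-512/256; hashlib only offers it when the linked OpenSSL build does.
CANDIDATES = {
    "SHA-256": lambda: hashlib.sha256(),
    "SHA-512": lambda: hashlib.sha512(),
    "SHA-512/256": lambda: hashlib.new("sha512_256"),
    "BLAKE2b-256": lambda: hashlib.blake2b(digest_size=32),
}


def is_available(factory):
    """True if this Python/OpenSSL build can construct the hash."""
    try:
        factory()
        return True
    except ValueError:  # hashlib raises ValueError for unsupported names
        return False


def throughput_mb_s(factory, buf, rounds=5):
    """Best-of-N throughput in MB/s for hashing buf in one update call."""
    best = float("inf")
    for _ in range(rounds):
        h = factory()
        start = time.perf_counter()
        h.update(buf)
        h.digest()
        best = min(best, time.perf_counter() - start)
    return len(buf) / best / 1e6


def compare(size=8 * 1024 * 1024):
    """Map each candidate to its MB/s, or None when it is unavailable."""
    buf = bytes(size)  # constructed input: `size` zero bytes
    return {
        name: throughput_mb_s(factory, buf) if is_available(factory) else None
        for name, factory in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name:12s}", "unavailable" if rate is None else f"{rate:8.1f} MB/s")
```

The numbers depend on whether the CPU and the OpenSSL build use SHA-256 instructions, so run it on the hardware you care about rather than comparing against published graphs.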


