by drzaiusapelord 3392 days ago
>And AMD should dump SHA1 acceleration in the next generation.

The cost to have that on silicon is probably close to zero. If you think SHA1 is just going to magically disappear because you want it to, well, you'll be in for a SHA1 sized surprise. Our grandkids will still have SHA1 acceleration.

>ARMv8 has had it for like 2-3 years now...

Because ARM cores don't remotely have the CPU heft an Intel x86/64 chip has, so ARM needs all this acceleration because it's typically used in very low power mobile scenarios. On top of that, Intel claims AES-NI can be used to accelerate SHA1.

https://software.intel.com/en-us/articles/improving-the-perf...


Why should it be dropped? Isn't it just a hash function?

If you remove things from the instruction set, any code that uses them will either crash or run very slowly in emulation.

Most uses of special instructions will check feature bits or CPU version, but not all will do so correctly.

(I'd say that the additional area cost of something like this is small, and the big cost of special instructions is reserving opcodes and feature bits)
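The comment above turns on code checking feature bits "correctly" before using SHA or AES instructions. The following is an added example written for this page, not code from the thread or from Intel; it queries CPUID the way a library's init-time dispatcher would, with the one check that is commonly skipped (confirming leaf 7 exists before reading the SHA bit from it). The bit positions (CPUID.01H:ECX bits 9 and 25, CPUID.(07H,0):EBX bit 29) are Intel's documented ones; the struct and function names are this example's own.

```c
/*
 * Added example (not from the HN thread): dispatch on CPUID feature bits
 * before selecting a SHA1 implementation. Bit positions are from Intel's
 * CPUID documentation; all names here are the example's own inventions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helpers: __get_cpuid_max, __get_cpuid, __cpuid_count */
#endif

/* Feature flags this example cares about. */
struct cpu_features {
    int has_ssse3;   /* CPUID.01H:ECX bit 9  */
    int has_aesni;   /* CPUID.01H:ECX bit 25 */
    int has_sha;     /* CPUID.(07H,0):EBX bit 29 */
};

/* Pure decoder over raw register values, so it can be tested without real hardware. */
void decode_cpu_features(uint32_t leaf1_ecx, uint32_t leaf7_ebx, struct cpu_features *f)
{
    memset(f, 0, sizeof *f);
    f->has_ssse3 = (leaf1_ecx >> 9) & 1;
    f->has_aesni = (leaf1_ecx >> 25) & 1;
    f->has_sha   = (leaf7_ebx >> 29) & 1;
}

/* Query the running CPU. Returns 1 if CPUID was consulted, 0 (flags zeroed) otherwise. */
int query_cpu_features(struct cpu_features *f)
{
    memset(f, 0, sizeof *f);
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    uint32_t leaf1_ecx = 0, leaf7_ebx = 0;
    unsigned int max_leaf = __get_cpuid_max(0, NULL);   /* highest basic leaf supported */
    if (max_leaf < 1)
        return 0;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        leaf1_ecx = ecx;
    /* Leaf 7 only exists on newer CPUs. Reading it without checking max_leaf is
       the classic "checks feature bits, but not correctly" bug: an old CPU returns
       data for its highest leaf instead, and a stray bit 29 would enable SHA code
       that then faults with an illegal instruction. */
    if (max_leaf >= 7) {
        __cpuid_count(7, 0, eax, ebx, ecx, edx);
        leaf7_ebx = ebx;
    }
    decode_cpu_features(leaf1_ecx, leaf7_ebx, f);
    return 1;
#else
    return 0;   /* non-x86 build: caller falls back to the generic implementation */
#endif
}

/* The dispatch a library does once at init: pick the fastest implementation the
   CPU can actually execute. The SHA-extension path is gated on SSSE3 too, since
   real implementations lean on SSSE3 byte shuffles around the SHA instructions. */
const char *select_sha1_impl(const struct cpu_features *f)
{
    if (f->has_sha && f->has_ssse3) return "sha-ext";    /* SHA1RNDS4 / SHA1MSG1 / SHA1MSG2 */
    if (f->has_ssse3)               return "ssse3";      /* vectorised message schedule */
    return "generic-c";                                  /* always-safe fallback */
}

int main(void)
{
    struct cpu_features f;
    int ok = query_cpu_features(&f);
    printf("cpuid consulted: %d, ssse3=%d aesni=%d sha=%d -> %s\n",
           ok, f.has_ssse3, f.has_aesni, f.has_sha, select_sha1_impl(&f));
    return 0;
}
```

The decoder is kept separate from the CPUID query so the selection logic can be exercised with constructed register values; on a machine with the SHA extensions the program prints `sha-ext`, on older x86 hardware `ssse3` or `generic-c`, and on a non-x86 build it reports that CPUID was not consulted and falls back.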

Short story: because its role as a crypto hash function is sort of obsolete given that it's been proven to be broken, and faster, more secure alternatives exist.

But for all practical purposes, SHA1 isn't about to disappear. MD5 has been shown to be broken since forever and people still write new code using it today.

The thing with SHA-1 is that we know (and have known for a decade) that it is not a good cryptographic hash function. It is still, along with MD5, a good hash function if you control the input, i.e. in a hash table.

There are better functions than SHA1 to use for hash tables. Candid question: really, what is the use for MD5/SHA1 these days?

Yes, but those are widely implemented and thus available more or less everywhere. I'd rather use a slightly less ideal hash function than use an untested one.