[sha2throwaway]

Actually you do get some added security, because it prevents the length extension attacks sha-2 and related hash functions have thanks to the Merkle-Damgard construction [0]. Specifically, by truncating the hash, the output no longer contains enough state to perform the attack.

[0] https://en.wikipedia.org/wiki/Length_extension_attack

[loup-vaillant]

There are better ways to prevent length extension attacks, such as choosing Blake2b. With the current scheme, only 12 bytes are missing, so Length extension attacks only get 96 bits of security…

Replacing SHA-1 with SHA-2, what are they thinking? Blake2 is faster and more secure than either.

[simias]

Nobody gets fired for choosing SHA-256. It's the de-facto standard these days, it's the most likely to have hardware acceleration etc... I think it's a pretty conservative choice.

Furthermore I don't think hash performance is very critical for bittorrent, after all it's generally I/O bound.

Could you even exploit length extension with bittorrent? Given that it cuts files in chunks of the same size it sounds pretty hard to sneak extra bytes in there.

[loup-vaillant]

> hardware acceleration

Ah, that would explain a lot. (Not in this particular case, but why it seems to be the default choice in many settings).

> Could you even exploit length extension with bittorrent?

No Idea. I was just responding to a general point.

[derefr]

They're probably thinking something about which hashes will get hardware-accelerated instructions provided on x86 and ARM.

[loup-vaillant]

Yeah, I keep forgetting about Hardware acceleration…

[snakeanus]

Length extension attacks are a non-issue for torrents.