The new BLAKE3 hash function, which was just recently announced, warrants some attention. IoT devices often suffer from slowdowns, especially if they hash their entire firmware image as part of Secure Boot, which is a vital security feature. A hash function that's focused on performance, but still provides a full security guarantee, can help avoid that problem.
BLAKE3’s performance is amazing - over 12 times that of SHA-256 based on the authors' benchmarks. Those numbers are based on the Intel architecture, while on ARM the advantage is less pronounced with a speedup factor of around 6.
The BLAKE family of functions was originally based on ChaCha, which is a stream cipher designed by the renowned cryptographer D.J. Bernstein. ChaCha is somewhat notable because all its code fits in just a bit more than a single page. It's also very efficient on modern hardware. Today, ChaCha and several related functions are widely used on the Internet and deployed in embedded devices, browsers and servers by industry giants like Google and Apple.
BLAKE2 was a candidate for SHA-3 in the NIST hash function competition but lost to Keccak. In fact, no version of BLAKE has so far been recognized by NIST as part of their standards. Although no weaknesses have been discovered in the BLAKE family of functions, it's generally accepted that non-standard functions receive less public scrutiny and fewer research efforts compared to more widely used standard functions. As a result, most device manufacturers (especially those concerned with IoT security certifications) should continue to use SHA-256 for signature verification.
While on smaller messages and objects the performance benefits offered by BLAKE would be negligible, it is recommended for use in functions such as bulk hashing. For example, when computing hashes to verify the signature on a firmware image or an executable, performance might trump security, especially because these flows involve either device or process startup where time can be critical. An important caveat is to never use BLAKE for password hashing. Where password hashes are computed for storage or comparison, slower and heavier hashing functions are actually better, because they increase the effort required to crack passwords. Hashes that were specifically designed for this purpose remain the functions of choice, including PBKDF2 (which is NIST-approved), Argon2 (which consumes lots of memory in addition to CPU), and bcrypt (which is the Linux de-facto standard).
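The two use cases above side by side, as an added example that is not part of the original article: a fast hash streamed over a firmware image, and PBKDF2 with a per-password salt for stored passwords. Python's standard library has no BLAKE3, so `blake2b` stands in as the fast hash; the iteration count, chunk size, function names and sample inputs are assumptions.

```python
import hashlib, hmac, io, os, time

CHUNK = 64 * 1024            # read size for bulk hashing
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your latency budget

def firmware_digest(stream, algo="blake2b"):
    """Hash an image in fixed-size chunks so memory use stays constant."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.digest()

def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, derived_key) for storage."""
    salt = os.urandom(16)  # unique per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_password(password, salt, iterations, expected):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)  # constant-time comparison

def cost_ratio(iterations=PBKDF2_ITERATIONS, rounds=1000):
    """CPU time of one PBKDF2 guess divided by one fast-hash guess."""
    pw = b"constructed-sample-password"
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.blake2b(pw).digest()
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, b"\x00" * 16, iterations)
    slow = time.perf_counter() - start
    return slow / fast

if __name__ == "__main__":
    image = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for a firmware image
    for algo in ("sha256", "blake2b"):
        print(algo, firmware_digest(io.BytesIO(image), algo).hex()[:16])
    salt, n, key = hash_password("constructed-sample-password")
    print("verify ok:", verify_password("constructed-sample-password", salt, n, key))
    print("PBKDF2 costs an attacker ~%.0fx more per guess" % cost_ratio())
```

The digest from `firmware_digest` is what a signature check would then be run over; the ratio printed last is the per-guess cost a stolen password database imposes compared with a single fast hash.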