Zen has SHA1/2 extensions compatible to the Intel SHA extensions, yes. These are kinda new on desktops, but since they existed for some years some software already supports them out of the box (like OpenSSL and cryptopp); so applications will automatically profit.
With this extension Zen does SHA1 @ 2 cpb, SHA-256 @ 3 cpb and SHA-512 @ 2 cpb (off the top of my head). (All of which are faster than the fastest BLAKE2 implementation I know on Haswell).
Do you by chance have hard numbers about SHA2 with/without hardware instructions and BLAKE2 on a specific Intel CPU?
I've wondered about trade off between SHA256 vs BLAKE2. In the future there'll be no debate since more and more computers will have SHA instructions. But right now I'm wondering about the speedup of BLAKE2 vs SHA256 with hardware. On the other hand, many computers, especially servers don't have SHA2 instructions for the foreseeable future which will make BLAKE2 a very good option.
However, none with SHAEXT; they just weren't there yet. But the Zen numbers should give you a good idea.
Note that these benchmarks are made using a plain C implementation of BLAKE2 (the reference one), which is not vectorized by any compiler. The fastest (AVX2) BLAKE2 implementation is about 40 % faster than the scalar C implementation (on Haswell).
As far as I'm aware no mainstream crypto library ships optimized BLAKE2 versions. I believe some Go packages do/did make up their own version (not the one from Samuel Neves), but at least one of them mixed SSE and VEX/AVX insns with the predictably bad results (60 MB/s or so) - perhaps this is fixed by now.
So in summary, BLAKE2b is imho the best candidate on perf, and if you use a good implementation it should be within ~30% of SHA2 (512) with SHAEXT — with the numbers we have so far. I understand that Zen's aggressive (=good) power mgt makes it somewhat difficult to benchmark hot loops consistently, so we'll have to wait and see for practical results, I guess.
