*nods* In case cryptographic strength is not needed, one might just use an SHA-1 mac and cut it in half, so to speak; I have no idea what conditions would still hold with regard to the absence of collisions if one did that, but depending on the problem at hand, it might be worth looking into.

--
mowgli