@peg just use sha256 - since that is provided by the crypto library we use (libsodium) so it doesn't add any new code, and then just truncate the hash to say 16 bytes. That's plenty for this - libsodium's macs on secretbox are also only 16 bytes.