Sorry, something being "pareto complete for a particular purpose" is an
abuse of Ian's definition. SHA1 is not pareto-complete, but still
pareto-secure if collision-resistance is not an issue.
There is a number of good papers on truncating hash functions for message
authentication and there's a general consensus that at least 80 bits or
half of the bits (whichever is more) of a full-stregth hash function are
sufficient for medium-term security.
For long term, I would upgrade that to 128 bits, and taking into account
known and unforseen weeknesses of hash functions, using 160 bits should
satisfy even the most paranoid.
--
Daniel