At the risk of sending this into a rathole, a viable alternative would be to
use SHA512/t as a truncation function. It's got a well-defined way to deal with
the issues of naive truncations, and you don't have to worry about defining how
to truncate. If you want a 200-bit hash, you can just get one.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp