Question

I was thinking of just using SHA256 and then using only the first two bytes of the result. Is there anything wrong with this approach?

NOTE: The concern here is not malicious attacks, but to ensure the best possible protection against random bit flips.

Solution

Any hash that satisfies the strict avalanche criterion (that is, if any bit is flipped in the input, every bit in the output will be flipped with a probability of 50%) may be used in this way, and that includes every cryptographic hash in common use, including SHA512. There are security implications to using very short hashes, but if they really aren't relevant, as you claim, you're free to select the fastest hash available (probably MD5).

Since short hashes will be particularly vulnerable to the birthday paradox, though, consider using longer hashes anyway. If you're generating so many hashes that 16 bits versus 256 bits is significant, you will run into duplicates even without malicious attackers.
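The following is an added example, not part of the original answer. It measures the two properties discussed above for the 2-byte SHA-256 prefix: how the tag reacts to every single-bit flip of a message, and the birthday-bound collision probability for a given number of tags. The function names and the sample message are constructed for illustration.

```python
import hashlib
import math

def tag16(data: bytes) -> bytes:
    """Checksum from the question: the first two bytes of SHA-256."""
    return hashlib.sha256(data).digest()[:2]

def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with one bit inverted (simulated bit flip)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def single_flip_stats(message: bytes) -> tuple[int, float]:
    """Flip every input bit in turn.

    Returns (flips that left the tag unchanged, mean number of the 16 tag
    bits that changed). Avalanche behaviour predicts a mean near 8, and each
    flip should be missed with probability about 2**-16.
    """
    ref = int.from_bytes(tag16(message), "big")
    missed, changed = 0, 0
    total = len(message) * 8
    for bit in range(total):
        diff = ref ^ int.from_bytes(tag16(flip_bit(message, bit)), "big")
        missed += diff == 0
        changed += bin(diff).count("1")
    return missed, changed / total

def collision_probability(n_items: int, bits: int) -> float:
    """Birthday approximation: chance that any two of n_items tags match."""
    x = n_items * (n_items - 1) / (2 * 2 ** bits)
    return -math.expm1(-x)  # expm1 keeps precision when x is tiny

if __name__ == "__main__":
    msg = bytes(range(64))  # constructed sample message
    missed, mean_changed = single_flip_stats(msg)
    print(f"undetected single-bit flips: {missed} of {len(msg) * 8}")
    print(f"mean tag bits changed per flip: {mean_changed:.2f} of 16")
    for n in (100, 300, 1000, 10_000):
        p = collision_probability(n, 16)
        print(f"{n:>6} items: P(16-bit collision) = {p:.3f}")
    print(f"10**9 items, 256 bits: {collision_probability(10**9, 256):.1e}")
```

With a 16-bit tag the collision probability reaches about one half at roughly 300 items, while a full 256-bit digest stays negligible even at a billion items.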

License: CC-BY-SA with attribution
Not affiliated with StackOverflow