Question

I need a cryptographically secure hash function which would have similar properties that MD5 had, namely: 128-bit size and being fast. Since MD5 itself is quite broken nowadays, I'd like to use another hash. SHA1 is actually faster than MD5 these days, at least on my computer (try openssl speed md5 sha1 on yours), so I thought I could just take the first 128 bits from the SHA1 output and be done. However, I'm not sure about security and collision implications.

  1. Is such a hash function less secure than a real 128-bit hash function?
  2. Is such a hash function more prone to collisions than a real 128-bit hash function?

P.S. Alternative suggestions for a good, fast 128-bit hash are also welcome, even if they are a little bit outside the scope of the original question.


Solution

Yes, you can just take the first 128 bits from the SHA1 output and be done.

If you're really concerned about distributing bits through the hash for short inputs, put some padding data or salt after the input. This will help ensure an even distribution of the input bits throughout the hash result.
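As an added example (not code from the question or the answer), here is the truncation described above done with Python's hashlib, with the optional trailing salt the answer suggests, a constant-time comparison for the resulting digests, and a helper giving the generic attack costs for an n-bit output; the names `truncated_sha1_hex`, `security_levels` and `digests_equal` are chosen here.

```python
import hashlib
import hmac


def truncated_sha1_hex(data: bytes, bits: int = 128, salt: bytes = b"") -> str:
    """Return the first `bits` bits of SHA-1(data || salt) as lowercase hex.

    `bits` must be a multiple of 8 and at most 160 (SHA-1's output size).
    `salt` is appended after the input, as the answer suggests for short inputs.
    """
    if bits % 8 or not 0 < bits <= 160:
        raise ValueError("bits must be a multiple of 8 in the range 8..160")
    digest = hashlib.sha1(data + salt).digest()
    return digest[: bits // 8].hex()


def security_levels(bits: int) -> dict:
    """Generic attack costs, as log2(operations), for an ideal n-bit hash output.

    Truncating gives at most these bounds: any structural weakness of SHA-1
    itself (the published collision attacks on the full 160-bit output) carries
    over to the truncated output, so real collision resistance is
    min(2^(n/2), cost of attacking SHA-1 itself), not simply 2^(n/2).
    """
    return {"collision": bits / 2, "preimage": bits, "second_preimage": bits}


def digests_equal(a: str, b: str) -> bool:
    """Constant-time comparison so truncated digests are not compared with ==."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample input; "abc" is the classic SHA-1 test vector.
    h = truncated_sha1_hex(b"abc")
    print(h, len(h) * 4, "bits")
    print(security_levels(128))
```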

Licensed under: CC-BY-SA with attribution