Thanks for the reply. Too bad you can't wait for SHA3. Now you'll have to think about whether new cryptanalytic results against SHA-256 mean that SHA-256-trunc-160 is vulnerable and if so what effect that has on the safety of your scheme.
But, I don't have a better solution for you, other than Nico Williams's proposal to put a MAC on only the root, which you've already rejected as being too disruptive of a change at this point.

Regards,
Zooko
---
Your cloud storage provider does not need access to your data.
Tahoe-LAFS -- http://allmydata.org