After reading this topic:

How do I construct a 256-bit hash function from 128-bit AES?

It looks like it can be done. If we have a 128-bit into 128-bit secure mapping, indistinguishable from random (but itself vulnerable to a birthday attack, because of its size), can we construct a secure 256-bit hash function (especially against a birthday attack) just by concatenating two 128-bit outputs?

It looks like as long as our 128-bit hash is not keyed, it may be problematic, because how do we feed our 128-bit hash functions when we have only one input and the functions are the same? But if they are keyed, we can just use two different keys. Am I right? Does this method have any drawbacks that I am not aware of?

PS: For me it looks like we can break half of the output with complexity $2^{64}$. Isn't that a problem? Do standard 256-bit hash functions have the same vulnerability?

Tom
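The construction from the question and the partial-collision concern from the PS, as a scaled-down added example (not the asker's code): a keyed BLAKE2s truncated to 16 bytes stands in for the 128-bit keyed mapping (an assumption), the two demo keys are constructed, and the birthday search runs on a 20-bit prefix instead of a 128-bit half so that it finishes instantly.

```python
import hashlib
from itertools import count
from typing import Callable

# Constructed demo keys for the two instances; any two distinct keys work.
K1 = bytes.fromhex("00" * 15 + "01")
K2 = bytes.fromhex("00" * 15 + "02")


def keyed_128(key: bytes, msg: bytes) -> bytes:
    # Stand-in for the question's keyed 128-bit mapping (assumption: keyed
    # BLAKE2s with a 16-byte digest, not an AES-based construction).
    return hashlib.blake2s(msg, digest_size=16, key=key).digest()


def concat_hash(msg: bytes, k1: bytes = K1, k2: bytes = K2) -> bytes:
    """256-bit output formed as F_k1(m) || F_k2(m), the construction asked about."""
    return keyed_128(k1, msg) + keyed_128(k2, msg)


def sha256(msg: bytes) -> bytes:
    """A standard 256-bit hash, for comparison with the concatenation."""
    return hashlib.sha256(msg).digest()


def find_prefix_collision(h: Callable[[bytes], bytes], prefix_bits: int):
    """Birthday search on only the first `prefix_bits` bits of h's output.

    Returns (evaluations, m1, m2) with m1 != m2 agreeing on that prefix.
    This is the asker's "break half of the output" scaled down: the expected
    cost is about sqrt(pi/2 * 2**prefix_bits) evaluations, i.e. 2^64 for a
    128-bit half, and the pigeonhole principle bounds it by 2**prefix_bits + 1.
    """
    seen = {}
    for i in count():
        msg = i.to_bytes(8, "big")
        digest = h(msg)
        prefix = int.from_bytes(digest, "big") >> (8 * len(digest) - prefix_bits)
        if prefix in seen:
            return i + 1, seen[prefix], msg
        seen[prefix] = msg


def compare_prefix_costs(prefix_bits: int = 20) -> dict:
    """Evaluations needed to collide a prefix for both hashes; shows that a
    standard 256-bit hash is no harder to partially collide than the concatenation."""
    return {name: find_prefix_collision(h, prefix_bits)[0]
            for name, h in (("concat", concat_hash), ("sha256", sha256))}
```

The prefix collision found this way is not a collision of the full 256-bit value, and SHA-256 shows exactly the same partial-collision cost, since the first t bits of any hash collide after roughly 2^(t/2) evaluations.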
