(You do not need to limit yourself to inputs that are multiples of the AES block size).
There's another one like this, I forget the name.
SHA-2 is just fine, and is usually a saner choice than SHA-3 (if you want to be a crypto-hipster, use Blake2, not SHA-3; it's usually an easier dep to pull in, and more things use it).
https://www.cs.ucdavis.edu/~rogaway/papers/thorp.pdf
(You do not need to limit yourself to inputs that are multiples of the AES block size).
There's another one like this, I forget the name.
SHA-2 is just fine, and is usually a saner choice than SHA-3 (if you want to be a crypto-hipster, use Blake2, not SHA-3; it's usually an easier dep to pull in, and more things use it).