A New Non-MDS Hash Function Resisting Birthday Attack and Meet-in-the-middle Attack
To examine the integrity and authenticity of an IP address efficiently and economically, this paper proposes a new non-Merkle-Damgard structural (non-MDS) hash function called JUNA that is based on a multivariate permutation problem and an anomalous subset product problem to which no subexponential time solutions are found so far. JUNA includes an initialization algorithm and a compression algorithm, and converts a short message of n bits which is regarded as only one block into a digest of m bits, where 80 <= m <= 232 and 80 <= m <= n <= 4096. The analysis and proof show that the new hash is one-way, weakly collision-free, and strongly collision-free, and its security against existent attacks such as birthday attack and meet-in-the-middle attack is O(2^m). Moreover, a detailed proof that the new hash function is resistant to the birthday attack is given. Compared with the Chaum-Heijst-Pfitzmann hash based on a discrete logarithm problem, the new hash is lightweight, and thus it opens a door to convenience for utilization of lightweight digital signing schemes.
💡 Research Summary
The paper introduces JUNA, a novel non‑Merkle‑Damgård (non‑MDS) hash function designed for efficient integrity and authenticity verification of short data such as IP addresses. Unlike traditional hash constructions that rely on iterative compression of multiple blocks, JUNA treats the entire input as a single block and maps it onto two hard mathematical problems: the Multivariate Permutation Problem (MPP) and the Anomalous Subset Product Problem (ASPP). Both problems are believed to lack sub‑exponential‑time solutions, providing the foundation for the hash’s security claims.
JUNA consists of an initialization phase and a compression phase. During initialization, a large prime modulus M and a set of secret parameters {p_i, q_i, r_i} are generated randomly. In the compression phase, each input bit selects either p_i or q_i as a weight; the selected weights are multiplied together, then further multiplied by the corresponding r_i values, and finally reduced modulo M. The result is truncated or padded to produce an m‑bit digest, where 80 ≤ m ≤ 232 and 80 ≤ m ≤ n ≤ 4096.
The security analysis is organized around the three standard hash properties. One-wayness is argued from the hardness of MPP: recovering a pre-image is claimed to require solving the multivariate permutation problem, for which the paper knows no polynomial-time or even subexponential-time algorithm. Weak collision-freeness (second-preimage resistance) is argued to reduce to finding a non-trivial solution of the ASPP instance fixed by a given message, and strong collision-freeness to finding any two distinct messages with equal ASPP products; the abstract puts the cost of both at O(2^m). For orientation, the generic bounds for an m-bit hash are 2^m for pre-image and second-pre-image search and about 2^{m/2} for a collision found by birthday sampling, so the O(2^m) collision figure is the strongest and most distinctive claim of the paper, and the one a reviewer should check first.
A central contribution of the paper is a detailed proof that JUNA resists the birthday attack. The argument runs as follows: in a Merkle-Damgård construction, the chaining values between blocks give an attacker intermediate m-bit states to match; JUNA's single-block, non-iterative design has no such intermediate state, so any two distinct inputs that collide must satisfy the ASPP equation exactly, and since solving ASPP is assumed to require exponential time, the paper concludes that an attacker gains nothing over the generic 2^m bound. A practitioner should weigh this against the textbook birthday argument, which uses no internal structure at all: for any function with m-bit output, hashing about 2^{m/2} uniformly random inputs produces a repeated digest with probability close to 0.5, whatever the compression function does. The O(2^m) figure is therefore a claim about the cost of a structured collision search, and the paper's proof, rather than the absence of chaining, is what has to carry it.
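As an added example, not code from the paper or from its authors, the Python below builds a toy single-block multiplicative hash that follows the summary's description of the compression step (each message bit selects p_i or q_i, the product is multiplied by r_i and reduced modulo a prime M; every parameter here is constructed for illustration, the modulus is deliberately tiny, and nothing in it is JUNA's actual parameter set). It then runs the generic birthday search against that toy hash and against SHA-256 truncated to the same width. The search treats the hash as a black box, so the number of trials it needs depends only on the digest width; this is the check a practitioner would run before accepting a collision-resistance figure above 2^{m/2} for an m-bit digest.

```python
"""Toy single-block multiplicative hash plus a generic birthday search.

Added example. The hash follows the summary's description of JUNA's compression
(per-bit choice of p_i or q_i, product with r_i, reduced mod a prime M); all its
parameters are constructed here and are NOT JUNA's. The birthday search treats
the hash as a black box, so its cost depends only on the digest width.
"""
import hashlib
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)  # as MR bases: deterministic below 3.47e12


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for every modulus size used here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime with exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


class ToyBlockHash:
    """One n-bit block -> digest in [1, M-1], two modular multiplies per bit."""

    def __init__(self, n_bits: int, m_bits: int, seed: int):
        rng = random.Random(seed)
        self.n_bits = n_bits
        self.M = random_prime(m_bits, rng)  # m-bit prime modulus (constructed)
        self.p = [rng.randrange(2, self.M) for _ in range(n_bits)]
        self.q = [rng.randrange(2, self.M) for _ in range(n_bits)]
        self.r = [rng.randrange(2, self.M) for _ in range(n_bits)]

    def digest(self, msg: int) -> int:
        if not 0 <= msg < (1 << self.n_bits):
            raise ValueError("message must fit in a single n-bit block")
        acc = 1
        for i in range(self.n_bits):
            weight = self.q[i] if (msg >> i) & 1 else self.p[i]  # bit i selects q_i or p_i
            acc = acc * weight % self.M * self.r[i] % self.M
        return acc


def truncated_sha256(out_bits: int):
    """SHA-256 of a 64-bit integer truncated to out_bits: same width, unrelated structure."""
    mask = (1 << out_bits) - 1

    def h(x: int) -> int:
        return int.from_bytes(hashlib.sha256(x.to_bytes(8, "big")).digest(), "big") & mask

    return h


def expected_trials(space: int) -> float:
    """Mean number of uniform draws until the first repeat: sqrt(pi * space / 2)."""
    return math.sqrt(math.pi * space / 2)


def birthday_search(h, in_bits: int, rng: random.Random, max_trials: int):
    """Generic birthday attack: hash random inputs until a digest repeats.
    Returns (x, y, trials) with x != y and h(x) == h(y), or None if capped."""
    seen = {}
    for trial in range(1, max_trials + 1):
        x = rng.getrandbits(in_bits)
        d = h(x)
        y = seen.get(d)
        if y is not None and y != x:
            return x, y, trial
        seen[d] = x
    return None


def demo(m_bits: int = 20, n_bits: int = 64, seed: int = 1) -> dict:
    """Same black-box search against the toy hash and truncated SHA-256; the
    trial counts are both on the order of sqrt(space), not space itself."""
    toy = ToyBlockHash(n_bits, m_bits, seed)
    targets = (("toy", toy.digest, toy.M - 1),  # digests lie in [1, M-1]
               ("sha256_trunc", truncated_sha256(m_bits), 1 << m_bits))
    results = {}
    for name, h, space in targets:
        cap = 64 * int(expected_trials(space))  # P(no collision by cap) ~ exp(-3200)
        found = birthday_search(h, n_bits, random.Random(seed), cap)
        if found is None:
            raise RuntimeError(f"no collision for {name} within {cap} trials")
        x, y, trials = found
        results[name] = {"collision": (x, y), "digest": h(x),
                         "trials": trials, "expected": expected_trials(space)}
    return results
```

Calling demo() returns, for each hash, a colliding pair, the shared digest, the number of trials used and the sqrt(πN/2) estimate; with a 20-bit modulus both searches finish after roughly a thousand trials, and raising m_bits makes the count grow as 2^{m/2}, not 2^m. The toy hash is only there to have a concrete single-block multiplicative function to search; the control run against truncated SHA-256 is what shows that the structure of the function plays no part in the generic bound.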
The paper also addresses the meet‑in‑the‑middle (MITM) attack. In an iterated hash, MITM exploits an invertible or partially invertible step: the attacker computes forward from the message start and backward from the target digest and looks for a match at an intermediate value. Because JUNA exposes no internal state between rounds, there is no middle value to meet at; an adversary would have to solve the underlying hard problems directly, so the paper again puts the cost at O(2^{m}).
Performance is compared with the Chaum‑Heijst‑Pfitzmann (CHP) hash, whose security rests on the discrete logarithm problem and whose compression step requires modular exponentiations with large exponents over a large prime field. JUNA's compression, by contrast, needs only a few modular multiplications per message bit plus simple bit‑selection logic, which is what the abstract means by calling the hash lightweight and better suited to constrained devices. The abstract reports no timing or power measurements, and since a JUNA block is at most n ≤ 4096 bits (512 bytes), the comparison should be read as an operation‑count argument about single‑block hashing rather than as a throughput figure for long messages.
The authors acknowledge several open issues. The security of JUNA hinges on the long‑term hardness of MPP and ASPP; any breakthrough in solving multivariate polynomial systems could undermine the hash. Parameter generation must ensure sufficient randomness and avoid hidden structure that could be exploited. Finally, integration with existing digital‑signature protocols and standardization efforts will require further analysis of interoperability and side‑channel resistance.
In summary, JUNA presents a compelling alternative to traditional Merkle‑Damgård hashes by leveraging non‑MDS architecture and multivariate hard problems. Its claimed O(2^{m}) resistance to both birthday and meet‑in‑the‑middle attacks, combined with lightweight computational requirements, positions it as a promising candidate for lightweight digital‑signing schemes in IoT and other resource‑constrained applications.