non-reversible additive cryptographic hash algorithm

I need a lightweight cryptographic hash function which is additive but not reversible, however I'm not sure such a function exists! (it would be better if it works in multisets as well)

By additive I mean: given such function f, another function g must exist, having the property g(f(X),f(Y))=f(X||Y), where || denotes concatenation of strings X and Y.

I have found a homomorphic hash function from facebook which is additive but it is reversible too.

EDIT:

By non-reversible, I'm not referring to pre-image resistance even tho I want to have that property in the overall function.

non-reversiblility: If we know f(X||Y) and that Y is an element used as the input, it would impossible to compute g^-1(f(X||Y),f(Y)) to get the f(X)

PS. I'm trying to find a solution which is quantum resistant and lightweight enough to work in IoT devices

I'm in hurry now, but I want to share with you some ideas (which if needed I'll detail next days):

• concatenation can be seen as $x||y = xk+y$ where $k=2^{|y|}$
• so $f(x||y) = f(xk+y)$
• if we assume $f$ being the multiplication for an EC generator $G$ (the common EC privkey/pubkey setting) we obtain:

$f(x) = Gx$

$f(y) = Gy$

$f(x||y) = G(xk+y) = G(xk) + Gy = G(x+x+...+x) + Gy = (Gx + Gx + ... + Gx) + Gy = kGx + Gy$

• the last passage gives you $g$ (a relation symbolically equal to concatenation but now acting on EC points)

$f(x) = Gx$ of course isn't an hash, but it's not invertible (it's the common discrete logarithm problem), and with foregoing definitions it seems (if I'm not wrong) additive as you requested

EDIT: GENERALIZATION

As carefully pointed out by @poncho, the previous ideas work only when all $y$ have a fixed pre-known size, 'cause this guarantees that $k$ is constant and can be used in $g$ (which doesn't have "directly visibility" of $y$ to calculate its size). The clever workaround suggested by @poncho is to let $f$ pass its input size to "the next stage". So previous definitions are generalized in this way:

• $x||y = xk+y$ where $k=2^{|y|}$ whichever the size of $y$ is
• $f(x) = (Gx, |x|) = (X, |x|)$
• $f(x||y) = f(xk+y) = (kX+Y,|x|+|y|) = (2^{|y|}X+Y,|x|+|y|)$
• $g((X,s_x),(Y,s_y)) = (2^{s_y}X+Y, s_x+s_y)$

Still $f$ is not an hash but as previously said it's additive in your flavour and not invertible (first preimage resistant in hashes terminology).