The initial hash values (IV) of SHA256 are fixed. However, let's say I modify the SHA256 hash function to allow the attacker to use arbitrary IVs rather than fixed IVs. What kind of weaknesses would this cause? Would it be easier to find collisions, preimages, etc? Would it be possible to insert backdoors?
So far, I've only found one example, as specified here (Using SHA-256 with different initial hash value):
However, allowing an arbitrary IV renders ineffective one of the two redundant safeguards built into SHA-2's padding scheme. If the message length was removed from the above padding scheme, then an adversary having the ability to decide the different IV could do so nefariously; in particular, such that he knows a secret backdoor block $B$ that can be inserted at the beginning of any message, leaving the hash invariant. Proof: one round of SHA-2 transforms the state $S$ according to $S_{j+1}=F(M_j,S_j)\hat+S_j$, where $F$ is a cipher with the (padded) message block $M_j$ used as key, $\hat+$ is addition with some carries suppressed, and $S_0$ is the IV we are discussing. One able to choose the IV could choose it as $F^{-1}(B,0)$, thus such that $F(B,\mathtt{IV})=0$, thus such that $M_0=B\implies S_1=S_0$.
Are there any other examples of potential weaknesses/attacks that would ensue if I allow the attacker to choose arbitrary IVs for the SHA256 hash function?
