> P.S. Maybe this attack can be optimized further by mixing 2-claws and 3-claws.
It can. The following is a 2^209.91 attack against 2^10*3^23 =
2^46.454... targets:
In this attack keys are initial hash values instead of message prefixes,
without loss of generality.
Let C: {0,1}^256 x {0,1}^512 -> {0,1}^256 be SHA-256's compression
function.
1. Repeat 10 times:
1.1. For each pair of keys (k, l):
1.1.1. Find an (x_k, x_l) such that y = C(k, x_k) = C(l, x_l).
This can be done using around 2*2^(256/2) compression function calls.
1.1.2. Replace the pair with the single key y.
2. Repeat 23 times:
2.1. For each trio of keys (k, l, m):
2.1.1. Find an (x_k, x_l, x_m) such that y = C(k, x_k) = C(l, x_l) = C(m, x_m).
This can be done using around (3/2)2^((2/3)256) compression function calls.
2.1.2. Replace the trio with the single key y.
3. Find a SHA-256 preimage of one of the targets using the final key
as an IV. This can be done using around 2^256/2^10/3^23 compression
function calls.
4. Concatenate the sequence of compression function blocks used in steps
1 and 2 to derive the final key from the key corresponding to the target
for which a preimage was found by step 3.
5. Concatenate the results of step 4 and step 3.
The result of step 5 is a preimage for one of the targets and an attacker
can ensure it's almost certainly not the original one by randomizing
step 3.
In total this attack makes around 2^10*3^23*2*2^(256/2) +
3^23*(3/2)*2^((2/3)256) + 2^256/2^10/3^23 or 2^209.91 compression
function calls.
Sydney