Matthew Green has a related post about this speaking to “multiple encryption”, where people do the same thing with ciphers. [1] A very generic take would be that, depending on the system, it may be able to be done securely, but with all crypto there be dragons.

For example, let’s say you have two hashes H1 and H2 and want to use the double hash to prove existence of a file in history. Publish the hash to a blockchain or something. So the file is hashed H1(H2(file)). In what ways could you break this if one of the hash functions is broken?

The first way is if you want to dispute the validity of what file was hashed. If we assume they later publish the file and you have a second-preimage attack on the hash, you can create a different file where H2(file) = H2(newFile), and because H1 is deterministic, this second file verifies. It’s now no longer clear which is the true file. While a single hash function also fails under this attack, you increase your exposure to possible attacks by introducing a second one.

If you have control over the verification procedure, you can imagine a similar attack with only a break in H2 by not even using H1 to generate the output.

[1]: https://blog.cryptographyengineering.com/2012/02/02/multiple...
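A toy illustration of the second-preimage scenario described in the comment above, added here as an example and not part of the original post: the inner hash H2 is a constructed, deliberately weak 8-bit checksum standing in for a broken hash function, and SHA-256 plays the role of the (still sound) outer hash H1. It shows that the published commitment H1(H2(file)) accepts a different file as soon as H2 alone is broken, while a direct SHA-256 over the file would not.

```python
import hashlib

def weak_inner_hash(data: bytes) -> bytes:
    """Constructed stand-in for a broken H2: sum of bytes mod 256.
    Second preimages are trivial, which is the whole point of the demo."""
    return bytes([sum(data) % 256])

def outer_hash(digest: bytes) -> str:
    """H1: a sound hash (SHA-256) applied to the inner digest."""
    return hashlib.sha256(digest).hexdigest()

def commit(file_bytes: bytes) -> str:
    """What gets published: H1(H2(file))."""
    return outer_hash(weak_inner_hash(file_bytes))

def verify(published: str, candidate: bytes) -> bool:
    """Verifier recomputes H1(H2(candidate)) and compares to the record."""
    return commit(candidate) == published

def second_preimage_for_inner(original: bytes, chosen_content: bytes) -> bytes:
    """Build a file with attacker-chosen content whose weak H2 digest equals
    the original's, by appending one adjusting byte. Only possible because
    H2 is broken; H1 being deterministic then passes it through unchanged."""
    target = weak_inner_hash(original)[0]
    fixup = (target - sum(chosen_content)) % 256
    return chosen_content + bytes([fixup])

def direct_hash_accepts(original: bytes, candidate: bytes) -> bool:
    """Control case: a single strong hash over the whole file, no nesting."""
    return hashlib.sha256(original).digest() == hashlib.sha256(candidate).digest()

if __name__ == "__main__":
    # Constructed sample inputs.
    original = b"contract v1: pay 100 to alice"
    forged = second_preimage_for_inner(original, b"contract v1: pay 100 to mallory")
    record = commit(original)
    print("nested commitment accepts forged file:", verify(record, forged))   # True
    print("direct SHA-256 accepts forged file:   ", direct_hash_accepts(original, forged))  # False
```

The nested construction is only as strong as the weaker of H1 and H2 against this dispute, so adding H2 widens the attack surface rather than narrowing it.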