6

How much security does double hashing add regarding collisions and preimages? Is it helpful to iterate a hash function even more times than two?

For example, can MD5 be fixed (in practice) by applying the hash function twice (MD5(MD5(x)))? Also, Bitcoin uses SHA256(SHA256(x)). Does this add security in practice?

I understand that iterating a function many times can reduce the number of possible outputs. Also, the function might enter a cycle. Is that a problem with just a few iterations (such as two)?

(This question is not about storing passwords securely.)

boot4life


7

With respect to collisions, hashing twice cannot increase security, because if $x$ and $x'\ne x$ collide for $H$, that is $H(x)=H(x')$, then $H(H(x))=H(H(x'))$. Otherwise said, any collision for $H$ is a collision for the double hash $H\circ H$. It is therefore trivial to exhibit collisions for $\operatorname{MD5}\circ\operatorname{MD5}$. Hence the answer to the question as worded in its title is NO.

With respect to preimage, hashing twice demonstrably does not harm security (from a preimage for $H\circ H$ one can make a preimage for $H$, simply by applying $H$), and tends to improve it for practical functions. In particular, one hypothetically able to build preimages for $\operatorname{MD5}$ only for 512-bit messages would likely have a hard time extending that to $\operatorname{MD5}\circ\operatorname{MD5}$.
Handwaving argument: if for some 128-bit $v$ one could find a 512-bit $\operatorname{MD5}\circ\operatorname{MD5}$ preimage $m$, then the easily computed $m'=\operatorname{MD5}(m)$ would be a 128-bit $\operatorname{MD5}$ preimage of $v$, which arguably is harder to find than a 512-bit $\operatorname{MD5}$ preimage of $v$, since for a given $v$ it is expected that there is about $1$ preimage of the former kind, and about $2^{384}$ of the latter.

One area where double-hashing increases security is length extension attacks. $\operatorname{SHA-256}$ is trivially vulnerable to that, $\operatorname{SHA-256}\circ\operatorname{SHA-256}$ is not.

In some use cases, hashing twice can destroy security, including for common hashes; an example is given here; in summary: some proof-of-work protocol safe when using $H$ is entirely unsafe using $H\circ H$.
With usual hash functions (or ideal ones), hashing twice does not dramatically reduce the output space (it is reduced by a factor about $1-1/e\approx0.63212$); that makes accidental collision slightly less unlikely, and it is mostly immaterial in practice. It does not make collisions easier to exhibit, since the number of invocations of $H$ expected necessary to exhibit a collision by whatever brute force method cannot decrease (if it did, that would be trivially usable to exhibit collisions for $H$ at reduced cost).

fgrieu
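As an added illustration (not part of the answer above), the following Python script checks three of its claims on a toy hash small enough to enumerate: a 16-bit truncation of SHA-256, constructed here purely so the whole output space can be walked. It shows that a collision for $H$ is automatically a collision for $H\circ H$, that a preimage under $H\circ H$ yields one under $H$ by applying $H$ once, and that the second application reaches only about $1-1/e$ of the output space.

```python
import hashlib

# Toy hash: the first 16 bits of SHA-256, so its 2^16 possible outputs can be
# enumerated exhaustively. Constructed for illustration only; real MD5/SHA-256
# output spaces are far too large for this, but the structural facts are the same.
BITS = 16
SPACE = 1 << BITS

def h(x: bytes) -> int:
    """H: 16-bit truncation of SHA-256 (toy hash, not a real primitive)."""
    return int.from_bytes(hashlib.sha256(x).digest()[:2], "big")

def hh(x: bytes) -> int:
    """H∘H: the inner 16-bit output is re-encoded as 2 bytes and hashed again."""
    return h(h(x).to_bytes(2, "big"))

def find_collision(hashfn, max_inputs=SPACE):
    """Birthday search: feed distinct 4-byte inputs until two share an output."""
    seen = {}
    for i in range(max_inputs):
        x = i.to_bytes(4, "big")
        v = hashfn(x)
        if v in seen:
            return seen[v], x
        seen[v] = x
    return None

def collision_carries_over(pair) -> bool:
    """A collision (x, x') for H is also a collision for H∘H."""
    x, x2 = pair
    return x != x2 and h(x) == h(x2) and hh(x) == hh(x2)

def preimage_reduction(m: bytes) -> bool:
    """If m is a preimage of v under H∘H, then H(m) is a preimage of v under H."""
    v = hh(m)
    m_prime = h(m).to_bytes(2, "big")   # the "easily computed" shorter preimage
    return h(m_prime) == v

def output_space_ratio() -> float:
    """Fraction of the 2^BITS values still reachable after the second H.

    Applying H to every possible inner output and counting distinct results;
    for a random function the expectation is about 1 - 1/e ≈ 0.632.
    """
    reachable = {h(v.to_bytes(2, "big")) for v in range(SPACE)}
    return len(reachable) / SPACE
```

Running `collision_carries_over(find_collision(h))` returns `True`, and `output_space_ratio()` lands close to 0.632, matching the factor quoted in the answer.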