Matthew Green has a related post about this speaking to “multiple encryption” where people do the same thing with ciphers. [1]
A very generic take would be that depending on the system, it may be able to be done securely, but with all crypto there be dragons.
For example, let’s say you have two hashes H1 and H2 and want to use the double hash to prove existence of a file in history. Publish the hash to a blockchain or something.
So the file is hashed H1(H2(file)). In what ways could you break this if one of the hash functions is broken?
The first way is if you want to dispute the validity of what file was hashed. If we assume they later publish the file and you have a second-preimage attack on the hash, you can create a different file where H2(file) = H2(newFile), and because H1 is deterministic, this second file verifies. It’s now no longer clear which is the true file. While a single hash function also fails under this attack, you increase your exposure to possible attacks by introducing a second one.
If you have control over the verification procedure you can imagine a similar attack with only a break in H2 by not even using H1 to generate the output.
The way to combine hash functions for collision resistance is not composition (as with encryption) but concatenation: H'(file) = (H1(file), H2(file)). Now to have a collision on H' you need to collide both H1 and H2. But now pre-image resistance suffers.
Checking two full hashes and requiring both to match only improves pre-image resistance. However, you now need twice the space to store the hash and efficiency suffers, likely worse than the sum of the speeds due to cache effects of running two different algorithms on the data. If you use shorter or weaker hashes you might end up with two breakable hashes (either now or by some potential quantum computer) rather than one unbreakable hash.
Some package systems store multiple secure hashes and pick one at random to verify.
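The two constructions discussed above, composition H1(H2(file)) versus concatenation (H1(file), H2(file)), side by side in an added Python example that is not part of the original thread. It stands in for a "broken" H2 with SHA-256 truncated to 16 bits, so that a second preimage can be found by a brute-force search of about 65k candidates (a constructed toy, not a real attack on any deployed hash), and uses full SHA-256 as the unbroken H1. The function names and the sample "file" contents are assumptions made for this example.

```python
import hashlib
import itertools

def weak_hash(data: bytes) -> bytes:
    """Toy stand-in for a hash with a practical second-preimage attack:
    SHA-256 truncated to 2 bytes (16-bit output). Constructed for this example."""
    return hashlib.sha256(data).digest()[:2]

def strong_hash(data: bytes) -> bytes:
    """Stand-in for an unbroken hash (full SHA-256)."""
    return hashlib.sha256(data).digest()

def composed(data: bytes) -> bytes:
    """H1(H2(file)): the outer (strong) hash only ever sees the weak hash's output,
    so any second preimage of H2 verifies against the published value."""
    return strong_hash(weak_hash(data))

def concatenated(data: bytes) -> bytes:
    """(H1(file), H2(file)): both hashes see the whole file, so a forgery has to
    collide under both functions at once."""
    return strong_hash(data) + weak_hash(data)

def second_preimage_weak(target: bytes, max_tries: int = 1 << 20):
    """Brute-force a second preimage for the toy 16-bit hash: a different input
    with the same weak_hash output. Returns None if none is found in max_tries."""
    want = weak_hash(target)
    for i in range(max_tries):
        cand = b"forged-%d" % i          # constructed candidate file contents
        if cand != target and weak_hash(cand) == want:
            return cand
    return None

def verify(digest_fn, published: bytes, data: bytes) -> bool:
    """Verifier recomputes the construction over the presented file and compares
    it with the value that was published earlier (e.g. to a ledger)."""
    return digest_fn(data) == published

def demo() -> dict:
    original = b"contract: Alice pays Bob 100"     # constructed sample file
    published_composed = composed(original)       # what was "published" for H1(H2(file))
    published_concat = concatenated(original)     # what was "published" for (H1, H2)

    forged = second_preimage_weak(original)
    return {
        "forgery_found": forged is not None,
        # Composition: the forged file passes, so the record no longer pins down one file.
        "composed_accepts_forgery": forged is not None and verify(composed, published_composed, forged),
        # Concatenation: the weak half matches but the strong half does not, so it is rejected.
        "concatenated_accepts_forgery": forged is not None and verify(concatenated, published_concat, forged),
        # The genuine file still verifies under both constructions.
        "both_accept_original": verify(composed, published_composed, original)
                                and verify(concatenated, published_concat, original),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the asymmetry the thread describes: with composition a single broken inner hash is enough for a forged file to verify, while concatenation still rejects it because the unbroken half disagrees. The cost side of the concatenation argument is also visible in the code: the published value is the sum of both digest lengths, and both functions run over the full input.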
[1]: https://blog.cryptographyengineering.com/2012/02/02/multiple...