Is there any added benefit to using SHA256d over SHA256 in Bitcoin?
For the computing of transaction hashes, block hashes, and merkle trees Bitcoin uses SHA256d
SHA256d(x) = SHA256(SHA256(x))
Effectively all hashing operations are taking twice as long. This isn't as bad as it sounds because ECDSA verification takes up the majority of the CPU cycles when verifying a block, but is there any benefit to the work done in double hashing? Or should we just accept that this was a poor implementation decision by Satoshi? Simple is always better in cryptography, so Satoshi must have had a reason to go with a double hash, but I am wondering if that reason was based on a flawed understanding of the limited benefits of double hashing.
Over the years I have heard a couple of theories but I don't think they hold up to any scrutiny.
1) Double hashing prevents length extension attacks
This is true, but length extension attacks are not useful against Bitcoin. Length extension attacks involve signature spoofing in authentication when the sender and receiver are using a shared secret. There are no shared-secret communications in the Bitcoin protocol and thus there are no possible length extension attacks.
2) Double hashing provides a fallback if preimage resistance is weakened
This is also true, but only for first preimage resistance, which involves the input being unknown. As such there is some merit to this rationale in using HASH160 (or any double hash) to produce the PubKeyHash (or ScriptHash) from the PubKey (or Script). Any benefit to double hashing is lost if the address is reused, as the input becomes known. It would also only apply if, due to cryptanalysis, second preimage resistance was degraded but first preimage resistance was not.
This doesn't apply to any use of SHA256d because they are used in instances where the input is known. For those unclear on first and second preimage resistance:
First-preimage resistance: it is computationally infeasible to find any input which hashes to a pre-specified output
Given a y such that h(x) = y, it is difficult to find any preimage x.
Second-preimage resistance: it is computationally infeasible to find a second input which has the same output as a specified input.
Given x, it is difficult to find a second preimage x' ≠ x such that h(x) = h(x').
The key difference between the two scenarios is what is known to the attacker. In the first the attacker only has the hash. A good example would be cracking a password. In the second the attacker has the original input. A good example would be producing a "counterfeit" txn/block/merkletree/pubkey which results in the same hash as an existing one to spoof the network and steal funds.
In Bitcoin every use of SHA256 relies on second, not first, preimage resistance to provide security. The input is already known, so the interim hash can be computed. The second hashing step provides no security because if the attacker finds a second input which produces the same interim hash as the target, then both will obviously produce the same final hash. It is possible that double hashing may harden a hash against a first preimage attack, but that doesn't enhance the security of Bitcoin.
3) Double hashing may break a backdoor in SHA256
I believe a backdoor in a public open algorithm like SHA256 to be very unlikely. It would have to be hidden in plain sight. Still, even if one did exist, the use of a double hash could only provide protection in a first preimage scenario. Similar to the reasons above, in a second preimage scenario the input is known and thus the adversary can separate out the two steps.
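An added example (not part of the question) that makes the second-preimage argument concrete: it computes Bitcoin's SHA256d on the well-known genesis block header (a public value, assumed here, not taken from the question) and then models a weakened inner hash by truncating SHA256 to 16 bits, so a known-input attacker can find a second preimage for the inner step by brute force; the outer SHA256 then necessarily collides too. The names `weak_inner`, `weak_double` and `find_second_preimage` are this example's own.

```python
import hashlib
from itertools import count


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double hash: SHA256(SHA256(x))."""
    return sha256(sha256(data))


# The 80-byte genesis block header (public data, assumed correct; not from the question):
# version, zero prev-hash, merkle root, time, bits, nonce, all little-endian.
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)


def block_hash_hex(header: bytes) -> str:
    """Block hash as usually displayed: SHA256d of the header, byte-reversed."""
    return sha256d(header)[::-1].hex()


# A deliberately weakened inner hash to model "second preimage resistance degraded":
# only the first 16 bits of SHA256 survive, so a second preimage costs about 2^16 tries.
def weak_inner(data: bytes) -> bytes:
    return sha256(data)[:2]


def weak_double(data: bytes) -> bytes:
    """Double hash built on the weakened inner step; the outer step is full SHA256."""
    return sha256(weak_inner(data))


def find_second_preimage(target_input: bytes) -> bytes:
    """Known-input attacker: search for x' != x with weak_inner(x') == weak_inner(x)."""
    want = weak_inner(target_input)
    for i in count():
        cand = b"forged-" + str(i).encode()
        if cand != target_input and weak_inner(cand) == want:
            return cand


def outer_step_helps(target_input: bytes) -> bool:
    """True only if the outer SHA256 could tell the forged input from the original.

    It never can: both inputs reach the outer step as the identical interim value.
    """
    forged = find_second_preimage(target_input)
    return weak_double(forged) != weak_double(target_input)
```

`outer_step_helps` always returns False, which is the question's point: once the interim hash collides, the second hashing step has nothing left to separate.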