What is/was reason behind the 'double hash'?

[a298b112]

Turns out a Bitcoin address is Base58Check encoded double hash (SHA256 and RIPEMD160) of public key. What is the reason to hash it twice? First with SHA256 and then RIPEMD160? Thanks.

[pooya87]

I don't think Satoshi (who made this decision) has ever answered this question, so we have to guess.

What HASH160 seems to prevent is second pre-image attacks. It also is both shorter (compared to SHA256) and provides the at least 128-bits of security that exists everywhere else in Bitcoin.

[Cookdata]

Turns out a Bitcoin address is Base58Check encoded double hash (SHA256 and RIPEMD160) of public key. What is the reason to hash it twice? First with SHA256 and then RIPEMD160? Thanks.

In addition to the response above, basically, SHA256 gives you 32 bytes (256 bits) and the RIPEMD160 function gives you 20 bytes (160 bits) of data, when you compared the two functions, RIPEMD160 provides a shorter version of data and this gives allows us to save a lot of space on blocks of transactions and easily encode it to base58 bitcoin address format.
I think the main reason why they adopt two hash functions is just to add extra security so that we don't rely on a single function as we don't know what the future may tell if SHA256 becomes vulnerable.

[Charles-Tim]

According to what I saw on Wikipedia:

The 256- and 320-bit versions of RIPEMD provide the same level of security as RIPEMD-128 and RIPEMD-160, respectively; they are designed for applications where the security level is sufficient but longer hash result is necessary.

RIPEMD160 produces hash that is shorter though in the process of bitcoin address generation but has 128 bit of security which is secure enough.

[pooya87]

According to what I saw on Wikipedia:

The 256- and 320-bit versions of RIPEMD provide the same level of security as RIPEMD-128 and RIPEMD-160, respectively; they are designed for applications where the security level is sufficient but longer hash result is necessary.

RIPEMD160 produces hash that is shorter though in the process of bitcoin address generation but has 128 bit of security which is secure enough.

RIPEMD160 still provides the same 160-bit security due to its size and the algorithm.
The reason why the bigger versions (256 and 320 bit alternatives) produce smaller security is because they are not different algorithms, instead they just extend the hash of the 128-bit and 160-bit algorithms.

[nc50lc]

Here are some quotes of satoshi's posts that support the previously given answers...
From this topic: /index.php?topic=571.msg5712#msg5712

For "shorter addresses"

-snip- To make Bitcoin Addresses short, they are a hash of the public key, not the public key itself.

Security of HASH160

-snip-
Bitcoin Addresses are the only place where 160-bit hash is used.  Everything else is SHA-256.  They're calculated as:

bitcoinaddress = RIPEMD-160(SHA-256(publickey))

Correct me if I'm wrong (please, and I'll gladly eat crow) but I think it would be hard to use an analytical attack on RIPEMD-160 in this case.  An analytical attack prescribes a certain range or pattern of inputs to try that will greatly increase your chance of finding a collision.  Here, you don't have that kind of control over RIPEMD-160's input, because the input is the output of SHA-256.  If an analytical attack helps you find an input to RIPEMD-160 that produces a collision, what are you going to do with it?  You still have to get SHA-256 to output that value, so you would still have to break SHA-256 too.

For brute force, RIPEMD-160(SHA-256(x)) is no stronger than RIPEMD-160 alone.  But for analytical attack, it seems like you must analytical attack both RIPEMD-160 and SHA-256.  If I'm wrong, then the strength is the same as RIPEMD-160 and the SHA-256 only serves as one round of key strengthening.