It's multiplicative, not additive. 3DES is about 2^56 times as difficult to crack as DES. (Not 2^112 times because there is an attack that effectively limits it to twice the effective bits of DES, rather than the three times you might expect at first).
* Meet-in-the-Middle attack.
This attack is surprisingly simple, if you encrypt the message twice by
ciphertext = encrypt(encrypt(message, key1), key2)
decrypt(ciphertext, key2) == encrypt(message, key1)
But in this case, the attacker can obtain all the 2^56 possible encryption of message by enumerating key1, put it in a lookup table (assume the table-lookup time is O(1)) , then we can try all possible decryption of ciphertext by enumerating key2. Then compare it with the lookup-table for a match, bingo!
If key is 56-bit, the attacker gets 2^56 outputs for the left side, 2^56 outputs for the right side, total number of operations is 2 x 2^56 == 2^57, not 2^112.
To increase the security claim to 2^112, we need triple encryption, not double encryption, thus 2DES is never used.
The idea that simple double-encryption doesn't work because of such a simple attack shocked a lot of newcomers.
If you’re using 3 different keys, yes, that makes sense. But if you’re just keystretching one key, wouldn’t it just take 3 times as long because you encrypt, decrypt, encrypt (3 processes)?