The Carry-Adder Wall · Part I

The Amortization Envelope: Where a SHA-256d Mining Advantage Can and Cannot Live

Discussed on the blog: Tilting at Windmills V

Abstract

Bitcoin mining searches for a block header whose double-SHA-256 hash falls below a target, a weak-preimage problem solved in practice by brute force. We ask whether any classical algorithm beats brute force, and answer with a complete accounting of where an advantage could live. Decomposing SHA-256d into two layers with opposite properties (a shareable message schedule and a pseudorandom round function) splits the cost into a per-candidate factor and a candidate-count factor. We show the per-candidate factor is confined to three known, bounded regions (midstate caching, the ASICBoost message-expansion region, and a provably unshareable second hash), so it is near-fixed. We prove, in the random-oracle model, that the candidate count cannot fall below $2^{D}$, a bound that survives preprocessing (Bitcoin is salted) and quantum search (Grover gives only a quadratic speedup), and we reduce the standard-model claim to a SHA-256 distinguisher. We close the remaining economic loophole (selecting which header prefixes to mine) by showing stems are exchangeable under the natural generator, as the round function’s mixing predicts. The result localizes the entire residual risk to one object: a global algebraic shortcut through SHA-256, which is a distinguisher. Mining cannot beat brute force unless SHA-256 is broken. Whether that residual is empty is an empirical question about SHA-256’s round function, which this paper isolates but does not resolve; the public cryptanalytic record is the present evidence.
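To make the first of the three per-candidate regions concrete, the following added example (not code from the paper) compares a naive SHA-256d nonce search with one that caches the midstate of the first 64 header bytes, and counts compression calls per candidate. It assumes the standard 80-byte header layout with the nonce in the last 4 bytes; the header fields, the toy target and all function names are constructed for illustration.

```python
import hashlib
import struct

BLOCK = 64  # SHA-256 compression block size in bytes

def compressions(msg_len: int) -> int:
    """Compression calls SHA-256 makes for msg_len bytes (0x80 byte plus 8-byte length padding)."""
    return (msg_len + 9 + BLOCK - 1) // BLOCK

def below_target(digest: bytes, target: int) -> bool:
    # Bitcoin compares the hash as a little-endian 256-bit integer.
    return int.from_bytes(digest, "little") < target

def search_naive(prefix76: bytes, nonces, target: int) -> list:
    hits = []
    for n in nonces:
        header = prefix76 + struct.pack("<I", n)
        digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
        if below_target(digest, target):
            hits.append(n)
    return hits

def search_midstate(prefix76: bytes, nonces, target: int) -> list:
    # Absorb the first 64 header bytes once; they do not depend on the nonce.
    # hashlib hides the raw state words, so copy() stands in for a cached midstate.
    mid = hashlib.sha256(prefix76[:BLOCK])
    tail = prefix76[BLOCK:]  # 12 bytes: rest of merkle root, time, bits
    hits = []
    for n in nonces:
        first = mid.copy()
        first.update(tail + struct.pack("<I", n))
        # The second hash takes a per-nonce 32-byte input, so nothing is reused here.
        digest = hashlib.sha256(first.digest()).digest()
        if below_target(digest, target):
            hits.append(n)
    return hits

# Constructed sample prefix (not a real block): version, prev hash, merkle root, time, bits.
PREFIX76 = (struct.pack("<I", 2) + bytes(range(32)) + bytes(range(32, 64))
            + struct.pack("<II", 1700000000, 0x1D00FFFF))
TOY_TARGET = 1 << 248  # toy difficulty: about 1 candidate in 2^8 passes

NAIVE_COST = compressions(80) + compressions(32)  # first hash (2 blocks) + second hash (1 block)
MIDSTATE_COST = NAIVE_COST - 1                    # first block of the first hash is shared
```

Both searches test the same number of candidates and return the same nonces; caching only lowers the per-candidate cost from three compressions to two.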

@misc{hollows2026theamort,
  author = {Hollows, Peter},
  title  = {{The Amortization Envelope: Where a SHA-256d Mining Advantage Can and Cannot Live}},
  year   = {2026},
  month  = jun,
  note   = {The Carry-Adder Wall series, Part I},
  url    = {https://dojo7.com/papers/amortization-envelope/}
}