Carry Depth: A Circuit-Independent Coordinate of ARX, and the One-Round Advantage Cliff

Abstract

The hardness of SHA-256d mining reduces, by the accounting of the first paper in this series, to a single question: whether the round function admits a local shortcut that resolves the output without resolving the carries on the path. We give that question a coordinate. The carry chain of modular addition is the only operation in SHA-256 whose nonlinearity couples bit positions, so we define carry depth, the number of modular-addition layers on the dependency path between a controllable input and a target output, and compute it exactly for SHA-256d by static dataflow analysis: $386$ layers. We then measure how far local structure actually reaches. A hand-built carry-aware score predicts a downstream output byte with selection advantage $0.886$ one adder layer away, and that advantage falls below detection ($\le 0.0011$, consistent with zero) one round deeper: a cliff, with no geometric tail. We account for the cliff through the carry chain’s spectral structure (Holte’s matrix, contraction rate $\tfrac{1}{2}$ fixed by the base), separating the geometric per-bit decay from the per-round mixing that produces the reset, and we corroborate the cost reading with an exact-solver boundary, where Z3 nonce recovery cliffs by more than three orders of magnitude at round $11$. The $386$-layer separation is therefore wide: the strongest local attack we tested expires about $100$ rounds before the output.