OP_CAT was Re: Continuing the discussion about noinput / anyprevout

Posted by Jeremy

Oct 4, 2019/18:40 UTC

A proposal was made to replace OP_CAT with an OP_SHA256STREAM that uses the streaming properties of the SHA256 hash function to allow concatenation of an unlimited amount of data, provided the only use of the concatenation is to hash it. The proposed opcode would offer three operations: start a new hash from an item, add an item to a hash state already on the stack, and finalize that state into a digest. One issue with this is that the simplest implementation, where the state is just raw bytes, would expose raw SHA256 midstates, allowing people to use them directly. This could be prevented by adding types to the stack. It was noted that SHA256 isn't designed to be used in situations where adversaries control the initialization vector, and that midstate support was not added to OpenTimestamps for this reason. A link was provided to an example of an experienced cryptographer on the bitcoin-dev mailing list proposing a design that falls victim to this attack, and it was suggested that this issue should not be encouraged.
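The midstate problem the summary raises, as an added example that is not code from the post or from any Bitcoin implementation: a minimal SHA-256 whose streaming state is plain bytes, with the names `stream_add` and `stream_finalize` and the whole-block simplification being this example's own. Because the state is untyped, a script cannot tell a midstate produced by a legitimate start from bytes a spender pushed, and whoever holds the midstate can extend the stream knowing only how many bytes were absorbed and finalize a genuine SHA-256; a typed stack item, as the summary suggests, is what removes that ability.

```python
import hashlib, math, struct
# Constructed example (not code from the post): a tiny SHA-256 whose midstate is raw bytes.
MASK = 0xFFFFFFFF

def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps): ps.append(c)
        c += 1
    return ps

def _icbrt(n):  # exact integer cube root (Newton), so the constants need no float rounding
    x = 1 << -(-n.bit_length() // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

IV = [math.isqrt(p << 64) & MASK for p in _primes(8)]   # frac(sqrt(prime)) * 2^32
K = [_icbrt(p << 96) & MASK for p in _primes(64)]        # frac(cbrt(prime)) * 2^32

def _rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK

def compress(state, block):
    """One SHA-256 compression: 32-byte midstate + 64-byte block -> 32-byte midstate."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = h0 = struct.unpack(">8I", state)
    for i in range(64):
        t1 = h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
        t2 = (_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return struct.pack(">8I", *[(x + y) & MASK for x, y in zip(h0, (a, b, c, d, e, f, g, h))])

def stream_add(state, data):  # the "add" step: absorb whole 64-byte blocks into the midstate
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return state

def stream_finalize(state, absorbed_len, tail=b""):  # the "finalize" step: pad and digest
    zeros = b"\x00" * ((55 - len(tail)) % 64)
    return stream_add(state, tail + b"\x80" + zeros + struct.pack(">Q", (absorbed_len + len(tail)) * 8))

def demo():
    prefix = b"A" * 64  # constructed: data the script author absorbed
    mid = stream_add(struct.pack(">8I", *IV), prefix)  # 32 raw bytes: the exposed midstate
    # `mid` plus its byte count (not `prefix`) suffices to extend and finalize a genuine SHA-256
    digest = stream_finalize(mid, 64, b"suffix chosen later")
    return digest == hashlib.sha256(prefix + b"suffix chosen later").digest()
```

`demo()` returns True: the digest finalized from the exposed midstate equals the library's SHA-256 of the full message, so a verifier checking only the finalized hash cannot tell the two histories apart.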
