@pervognsen Streaming serialization is pretty close to how I think about it too. Although if I were asked to describe it, I'd probably first say something unclear about automata and the theory of computation.

I spent a good part of the aughts thinking about the connections between streaming and continuations, which I also find extremely helpful for thinking about this.

I agree that prefixed domain separation is almost indisputably better when it comes to distinguishing root nodes from branches, but there's a subtle advantage to suffixed domain separation: prefixed domain separation can potentially be partially evaluated away, whereas I'm reasonably confident in my conjecture that suffixed domain separation constants cannot be efficiently removed from the computation except by homomorphic encryption.

Thus, you can use suffixed domain separation parameters as a means of communication. Salt that parameter with say, a URI link to your website's security.txt means that your hashing protocol becomes self-documenting, and anybody wishing to execute it must be "honest" about what is actually going on unless they are okay with paying the substantial overhead of homomorphic encryption.

I've written about this, but it's taken lot of effort to make it relatively comprehensible. There's a couple of minor problems with this section, but I still agree with the overall argument:

https://github.com/auth-global/self-documenting-cryptography/blob/prerelease/design-documents/g3pb2.md#combinatorics-of-cryptographic-continuations

Basically, what this section is attempting to do is argue there's enough "bandwidth" in this virtual transmission "medium" that it can plausibly support relatively "direct" communication of arbitrary plaintext messages. Prefixed salts clearly do not have enough "bandwidth" in this sense. Suffixed salts almost certainly have effectively unlimited "bandwidth".