During RWC we discussed some of the leftover items of this proposal with Nick. Here is a short summary of what we discussed:
On #8106: Nick Hopper's proof should give us sufficient confidence to start implementing this. We should make the proof more visible so that more cryptographers look at it.
On #8244: We have received lots of good comments and proposals by Nick Hopper and Kang here. We should look more into those, evaluate how implementable they are and turn them into proper specs. In the meanwhile, since we are building the #8244 subsystem to be modular, if there is a need to implement something we can start with the commit-and-reveal approach, and eventually migrate to a more robust solution.
If we have to implement the commit-and-reveal approach we should make it harder for authorities to misbehave by publishing protocol errors to consensus-health or something.
On HS scaling: We still haven't decided what's best here. We are not even sure if the whole project is worth doing, or whether we should even try to hide the number of peers and their status.
We decided that if we still haven't decided what to do when we start implementing stuff, we should first build the Introduction Point side so that the network is ready, and then eventually do the Hidden Service side if we ever decide what's best.
On the Introduction Point side we should allow Introduction Points to keep multiple introduction circuits open and implement some logic of deciding which one to use for passing introduction cells (probably pick one randomly). This should support future designs that allow "multiple HS peers behind each IP" and implementing the IP logic should be quite easy.
On the crypto: Nick showed NTOR-WITH-EXTRA-DATA to Ian and Doublas Stabila. Hopefully we will get some feedback on its correctness soon.
Cheers!