This is just a heads-up message that the discussion and progress on this topic are great, but should not be viewed as the whole picture for a circuit protocol.
I was just talking to Ian and noting that, despite calling it "culminating" in their paper, the fourth protocol that Lasse and I did was not intended to be culminating but only, well, fourth. The question of how to build the circuit is not just about the crypto of the handshake, but also about which messages get passed when and what sorts of forward anonymity guarantees are provided and/or needed. This was at least as much a focus of my paper with Lasse as the suggested way of trying to be efficient in the exponentiation in the fourth protocol. Ian tells me that he has another paper dealing with these further issues as well, which he will check into being able to make available in a tech report. So maybe there will be a further discussion and proposal on those issues.
Anyway, keep up the good work, all. Just keep in mind that there may be other issues. Hopefully they can be addressed modularly, so they won't imply pulling apart what is provable in what is currently progressing (or giving up on them because at that point it would be too hard to go back).
aloha, Paul