prop224 should say we use SHA3-256 for rend circuit digests
In prop224, the rend section says:
A successfully completed handshake, as embedded in the
INTRODUCE/RENDEZVOUS cells, gives the client and hidden service host
a shared set of keys Kf, Kb, Df, Db, which they use for sending
end-to-end traffic encryption and authentication as in the regular
Tor relay encryption protocol, applying encryption with these keys
before other encryption, and decrypting with these keys before other
decryption. The client encrypts with Kf and decrypts with Kb; the
service host does the opposite.
https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n1890
But that's not what the code does: circuit_init_cpath_crypto() uses SHA3-256 rather than SHA1 when is_hs_v3
is true.