QCAP: A Bitcoin-Native Quantum Canary Alert

Looks like a pretty solid idea to me, at least in theory! [1]

On the 2022 DLEQAG paper: I noticed, when I was researching something similar recently, an MRL note with an algo attributed to Poelstra.

The Chase et al. paper focuses on the case of a secret with bit length significantly smaller than the smaller of the two groups, and then offers ways to extend it.

Poelstra’s sort-of-vanilla sigma-protocol approach won’t be super efficient, but that is not needed here afaict, while it should work for any value in the order of the smaller group.

(Correct me if some part of that is wrong!)

Another part: you didn’t mention how the multiparty secret generation algorithm will work. I guess there’s a range of slightly different approaches, but the template of DKG as in FROST seems to fit well, albeit there is no thresholding here; the point is to have a PoK of the contribution [2], mainly. Maybe if you wanted to get serious, look into powers-of-tau setup ceremony engineering-style considerations so that you could get like 100s to 1000s of free participants.

[1] In practice, I don’t find that canary ideas when it comes to real (and huge) financial risk are very convincing. But one thing’s for sure, they don’t hurt!

[2] To state the obvious, if you just add participants’ keys together you’re open to key subtraction attacks.
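The point made in [2] about key subtraction, and the remedy of requiring a proof of knowledge (PoK) of each contribution, can be seen concretely in a few lines. The code below is an added illustration, not part of the post above and not code from QCAP, FROST or any DKG implementation: each participant publishes `g^x` together with a Schnorr-style proof of knowledge of `x` bound to their participant id, and the aggregator multiplies in a contribution only after the proof verifies. A contribution chosen as `target / (product of everyone else's keys)` has no discrete log known to its author, so it cannot come with a valid proof and is rejected. The group is a constructed toy prime-order subgroup of Z_p^* (p = 1019, q = 509, g = 4), far too small for real use; the participant ids and the helper names are likewise assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1.
# 4 = 2^2 is a quadratic residue, so it has order Q (Q prime). Not production-size.
P = 1019
Q = 509
G = 4


def hash_to_challenge(*parts):
    """Fiat-Shamir challenge in [1, Q-1]; the participant id is hashed in so a
    proof cannot be replayed under another identity."""
    h = hashlib.sha256()
    for x in parts:
        h.update(str(x).encode() + b"|")
    return 1 + int.from_bytes(h.digest(), "big") % (Q - 1)


def keygen():
    """Honest participant: random secret x and public contribution g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove_knowledge(x, pub, participant_id):
    """Schnorr proof of knowledge of x with pub = g^x, bound to participant_id."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    c = hash_to_challenge(participant_id, pub, r)
    s = (k + c * x) % Q
    return (r, s)


def verify_knowledge(pub, proof, participant_id):
    """Check subgroup membership, then g^s == r * pub^c."""
    r, s = proof
    if not (1 < pub < P and pow(pub, Q, P) == 1):
        return False
    c = hash_to_challenge(participant_id, pub, r)
    return pow(G, s, P) == (r * pow(pub, c, P)) % P


def aggregate(contributions):
    """Multiply contributions (= adding exponents) only after each PoK verifies.
    contributions: list of (participant_id, pub, proof)."""
    agg = 1
    for pid, pub, proof in contributions:
        if not verify_knowledge(pub, proof, pid):
            raise ValueError(f"contribution from {pid} rejected: invalid proof of knowledge")
        agg = agg * pub % P
    return agg


def rogue_contribution(honest_pubs, target_pub):
    """The key-subtraction key: target / product(honest keys). Its discrete log is
    unknown to whoever builds it, which is exactly why a PoK is demanded."""
    prod = 1
    for pub in honest_pubs:
        prod = prod * pub % P
    return target_pub * pow(prod, -1, P) % P


def demo():
    """Honest ceremony aggregates to g^(sum x); a rogue key without a valid PoK is rejected."""
    parties = [("alice", *keygen()), ("bob", *keygen()), ("carol", *keygen())]
    honest = [(pid, pub, prove_knowledge(x, pub, pid)) for pid, x, pub in parties]
    agg = aggregate(honest)
    expected = pow(G, sum(x for _, x, _ in parties), P)

    # Mallory wants the aggregate to land on a key she controls (target = g^t).
    t, target = keygen()
    rogue = rogue_contribution([pub for _, _, pub in parties], target)
    # She knows t but not log_g(rogue), so her best attempt is a proof under t.
    bogus = prove_knowledge(t, rogue, "mallory")
    rejected = not verify_knowledge(rogue, bogus, "mallory")
    return {"aggregate_ok": agg == expected, "rogue_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real ceremony regardless of group size: the challenge must bind the participant identity (and in practice a session id) so proofs cannot be replayed from a different party or round, and the aggregator must check subgroup membership before the PoK, since the PoK equation alone says nothing about a value outside the intended group.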