Hi, we’ve been recently doing some research on distributed randomness, want to share a RandHoundinfluenced protocol that has the properties from the title, would appreciate feedback.
(EDIT: the description below is fully rewritten based on some offline feedback)
(EDIT2: more formal latexified version can be found here: https://www.overleaf.com/read/pcrtmwpxvnkb)
n
participants to do the following:

Each participant
j
generates vectorr[j]
of sizek = n*2/3
where each element is a 256 bit random numbers, erasure codes them to have a vectors[j]
of sizen
withn
shares such that anyk
shares can reconstruct the chosenk
numbers, and encodes each of then
shares with the public key of one of the partipants to get a vectores[j]
of sizen
.
They then publishes[j]
. Here it’s important that nobody can recoverr[j]
by just observinges[j]

Participants reach a consensus on a set
S
of at leastk
publishedes
's. 
Each participant
i
publishes decoded row ofes[{S}][i]
. Oncek
participants published the rows, everybody can reconstruct ther[{S}]
.
I now want participants for eachj
for whichr[j]
was sucessfully reconstructed to be able to reproduce thees[j]
and confirm that it matches the publishedes[j]
. If it matches, then all the participants were able to reconstructr[j]
, no matter what shares they observed. If a participant failed to reconstruct the erasure code or it didn’t match thees[j]
, then all the paritcipants either failed to reconstruct it or reconstructed something that doesn’t matches[j]
. 
Let
S
’ be the subset ofS
for which ther
was reconstructed. The output of the randomness beacon is the some function of ther[{S'}]
Here there are some requirements to the public key ecnryption:
 Encryption needs to be determenistic, so that reconstructed
es
in step 3 matches the publishedes
in step 1.  If some
es[j][i]
is gibberish (i.e. doesn’t decrypt or decrypts into something that is not equal toes[j][i]
after reencrypting), it should be possible to prove it.
Seems like ElGamal in which the step y=random()
is replaced with y=hash(input)
works for (1) above, and ChaumPedersen proof works for (2) if a malicious actor still used some y
that was not equal to y=hash(input)
.
Comparison to other schemes:
 This approach is naturally inferior to RANDAO+VDFs in that it has worse liveness and safety requirements, but VDFs have the known issues with the necessity to build ASICs (or fear that someone else will).
 It appears to be as good as threshold signatures (except that it requires
n^2
network instead ofn
for threshold signatures IIRC) without requiring the expensive DKG step.  Compared to RANDAO it is unbiasable
 Compared to RandShare it has lower complexity, compared to RandHound it is significantly simpler.
Feedback is appreciated.