Hello. So here are my thoughts.
As far as the threat model goes my personal opinion is that it's fairly safe to assume that the bad guys are static and don't change during the protocol. As far as delay goes I'm not sure.
For failure behaviour I think having a single possible fall back value that can't be influenced by any participants at all seems like the safest bet. For instance if there aren't enough valid shares then just set RAND = R. I'm not sure using the previous consensus's RAND value is a good idea or not, it depends on how readily available it is from non-directory sources; we probably don't want to trust the directories to tell us the backup RAND value if they weren't able to successfully calculate a primary RAND value.
Could you please confirm these for me?: 1. In your notation x.y = y^{x} mod p. 2. We know P_i and that dlog_B(P_i) == s_i from the DKG protocol. This simplifies verification a bit since we don't need to prove that dlog_B(P_i) is a valid (private) keyshare, we already know it is. 3. The threshold for RAND calculation is the same as the DKG's threshold, not a fraction of whoever's online when the RAND calculation starts.
Lastly what purpose does the Sign_i(...) part serve? If s_i is _only_ known by S_i, and the zero knowledge proof PROOF_i proves that dlog_R(Q_i) == s_i, then the signature seems a little redundant since only S_i could have created Q_i. Maybe I've missed something here.