Hi Andrew
Please allow me to comment on your work, as I happened to publish an article 5 months ago proposing SSS to split bitcoins private keys into shares that could be encoded directly using BIP-0039 mnemonic words. While cryptographically much simpler than your proposal, the proposal had the characteristic that it could be applied directly to existing private keys backups, by splitting the keys into SSS shares that could benefit from the existing BIP-0039 mnemonic to encode directly the shares. I thought it would be a simple path for hardware wallets providers such as Trezor into providing a better/more secure alternative the existing BIP-0039 privatekey backups of 24 words.
The article can be found here, and I've enclosed a simplified version
Mind two questions? Your proposed work provides a way to split the pre-secret into SSS shares, a format of encoding the shares, and finally several methods to derive the master secret from the pre-secret. Would you envision standarizing these different topics under the same proposal? Also, have you thought of a way to deal with the existing legacy privatekeys already encoded into BIP-0039, or stored in other formats, and how to migrate them securely into a schema of encoded SSS shares?
Best regards
Ignacio Berrozpe