Shamir Secret Sharing (SSS) is a cryptographic algorithm that protects a secret by dividing it into fragments called shares, distributed among several participants. The original secret can be reconstructed only when a sufficient number of shares are combined, defined in advance by a threshold.
The algorithm was devised by Adi Shamir, an Israeli cryptographer and co-inventor of the RSA encryption scheme, and published in a 1979 paper titled "How to Share a Secret" in Communications of the ACM. The paper addressed a limitation of classical secret sharing: the requirement that every participant be present and cooperative to recover the secret. Shamir's solution introduced a mathematically elegant alternative that removed this dependency and has become a foundational concept in applied cryptography.
Before SSS, the usual way to distribute a secret among multiple parties was to cut it into pieces, or mask it with random pads so that it was recovered by XORing every pad together, so that every custodian had to present their portion before reconstruction. This created a single point of failure: the absence, incapacitation, or refusal of any one participant made the secret permanently inaccessible. Shamir's algorithm replaced this all-or-nothing model with a threshold model, where recovery is possible as long as a minimum number of shares are available, regardless of which ones are missing.
SSS relies on a property of polynomial functions: a polynomial of degree k-1 is uniquely determined by any k distinct points on it, and fewer than k points leave it undetermined. The secret is encoded as the constant term of a polynomial whose other k-1 coefficients are chosen uniformly at random, and all arithmetic is done in a finite field (integers modulo a prime, or a binary field such as GF(256)). Each participant receives a distinct point on that polynomial as their share. To reconstruct the secret, participants pool at least k points, interpolate the polynomial, and read off its value at zero. Anyone holding fewer than k shares learns nothing at all about the secret, in the information-theoretic sense: for every possible value of the secret there is exactly one polynomial consistent with the shares they hold, so no candidate is more likely than any other. This guarantee depends on the random coefficients coming from a cryptographic random number generator and on the arithmetic being done in a field; Shamir's scheme over the plain integers leaks information.
The threshold, expressed in a k-of-n format, defines how many of the n shares are required to reconstruct the secret. For example, in a 3-of-5 scheme, any three of five holders can recover the secret, while two cannot. This structure offers two advantages. First, the secret remains recoverable even if some shares are lost or holders become unavailable. Second, the dealer can issue additional shares at any time by evaluating the same polynomial at new points, without altering the secret or touching the shares already distributed. Revoking a share is not free, however: the old share remains a valid point on the polynomial, so the dealer must generate a fresh polynomial with the same constant term and reissue shares to the remaining holders, which invalidates every share from the previous generation.
A central property of SSS is that individual shares reveal nothing about the original secret. No encryption is involved; the guarantee comes from the algebra of interpolation. Because a degree k-1 polynomial can be fitted through any k-1 shares together with any chosen value at zero, a participant holding fewer shares than the threshold is no closer to learning the secret than someone with no shares, regardless of their computing power. This makes the scheme resilient against accidental disclosure and deliberate collusion, provided the colluding parties do not meet the threshold.
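The following is an added example, not code from the original page: a minimal Shamir implementation over the prime field modulo 2**521 - 1 (a constructed choice, large enough to hold a 64-byte secret as one field element). It shows splitting and Lagrange recovery, the sub-threshold property above (for any candidate secret, two shares of a 3-of-5 scheme can be completed with a valid-looking third share), and the integrity caveat that a corrupted share silently produces a wrong secret. The function names, the 32-byte sample entropy, and the candidate values are all assumptions of this example.

```python
"""Shamir secret sharing over a prime field: split, recover, and two checks."""
import secrets

# Field modulus (constructed choice): 2**521 - 1 is a Mersenne prime, large enough
# to hold a 64-byte secret as a single field element. Every secret must be < P.
P = 2**521 - 1


def _eval(coeffs, x):
    """Horner evaluation of sum(coeffs[j] * x**j) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, k, n):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an element of the field")
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    # f(0) is the secret; the other k-1 coefficients come from a CSPRNG, which is
    # what makes any sub-threshold set of shares independent of the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`
    (Lagrange form). pow(den, P - 2, P) is the modular inverse by Fermat."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P
    return result


def recover(shares):
    """Reconstruct f(0) from at least k shares. There is no integrity check: a
    corrupted y value simply yields a different, wrong secret with no error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and nonzero")
    return interpolate_at(shares, 0)


def share_consistent_with(partial_shares, candidate_secret, x):
    """Given fewer than k shares, return the share at index x that would make
    `candidate_secret` the secret. One exists for every candidate, which is why
    a sub-threshold group learns nothing."""
    return (x, interpolate_at([(0, candidate_secret % P)] + partial_shares, x))


def split_bytes(data, k, n):
    """Share raw bytes, e.g. the entropy behind a recovery phrase (at most 65 bytes here)."""
    return split(int.from_bytes(data, "big"), k, n)


def recover_bytes(shares, length):
    """Inverse of split_bytes for a secret of `length` bytes."""
    return recover(shares).to_bytes(length, "big")


if __name__ == "__main__":
    entropy = bytes(range(32))  # constructed stand-in for real 256-bit SRP entropy
    shares = split_bytes(entropy, 3, 5)
    print(recover_bytes([shares[0], shares[2], shares[4]], 32) == entropy)
    two = shares[:2]  # below threshold: candidate 42 is as plausible as the truth
    print(recover(two + [share_consistent_with(two, 42, 5)]))
```

Note that `recover` deliberately accepts any number of shares: with fewer than k it returns a meaningless field element rather than an error, because nothing in the shares themselves says what k is. Real tooling stores the threshold (or a checksum) alongside each share.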
In blockchain and cryptocurrency, SSS is commonly used to protect private keys and secret recovery phrases (SRPs). What is split is normally the entropy the phrase encodes, not the words themselves, and the result is a set of shares, not encrypted copies: each share is a point on the polynomial and on its own reveals nothing. The user distributes the shares across trusted individuals or storage locations. If the original phrase is lost, the user can reconstruct it by gathering enough shares to meet the threshold without depending on any single party.
Beyond key backup, SSS underpins threshold cryptography and secure multi-party computation (MPC). These methods allow a group to jointly perform a cryptographic operation, such as signing a transaction, with the key existing only as shares: the signature is computed on the shares directly and the full key is never reassembled in any one place. Financial institutions, decentralized autonomous organizations (DAOs), and enterprise key management systems use these schemes to distribute custody and risk.
SSS has applications beyond cryptocurrency. It is used in secure data centers for split-knowledge procedures, where no single administrator has access to a master password or root key. Government agencies and large organizations use similar schemes to protect access to high-value systems, requiring multiple authorized personnel to cooperate before sensitive operations proceed.
Despite its strengths, SSS has practical limitations. The scheme assumes that shares remain confidential: if an adversary obtains enough of them to meet the threshold, whether through coercion, theft, or compromised storage, unauthorized reconstruction becomes possible. The secret also exists in full at two moments, when the dealer generates the shares and when a quorum reconstructs it, so the machine used for either step is a single point of compromise. The algorithm's security therefore depends on the operational security of share generation, distribution, and reconstruction, not on the mathematics alone.
Basic SSS does not verify the integrity of shares during reconstruction. A corrupted or altered share causes the reconstructed secret to be wrong without any indication that something went awry. Worse, the error a given share contributes is a predictable function of which indices are combined, so a malicious holder can shift the reconstructed value by an amount of their choosing while the honest parties remain unaware. This limitation led to improved variants designed to address it.
Verifiable Secret Sharing (VSS) schemes extend SSS by having the dealer publish auxiliary values that let each holder check, at distribution time, that their share lies on the same polynomial as everyone else's, and let the group reject inconsistent shares at reconstruction time. These checks detect a share that has been tampered with or incorrectly generated, including by a dishonest dealer, without revealing the secret itself.
Pedersen Verifiable Secret Sharing (PVSS), introduced by Torben Pedersen in 1991, performs these checks with Pedersen commitments to each coefficient of the sharing polynomial. Each holder can verify their share against the published commitments, yet the commitments are perfectly hiding: even an unbounded adversary learns nothing about the secret from them, which is the improvement over earlier VSS constructions whose commitments hid the coefficients only computationally. This variant is used, for example, in Ledger's optional backup service Ledger Recover, where a user's SRP entropy is split and distributed among three custodians, with a reconstruction threshold of two.
Proactive variants periodically refresh the shares without changing the secret: the holders jointly add to their shares the shares of a random polynomial whose constant term is zero, so the new shares encode the same secret while the old ones become worthless and cannot be combined with new ones. This limits the window for an attacker slowly compromising custodians over time, since shares change before enough of one generation can be gathered.
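The following is an added example, not Ledger's or Pedersen's code, covering both the verifiable sharing of the previous two paragraphs and the proactive refresh described here. It is a toy Pedersen VSS over the quadratic-residue subgroup of a small safe prime (the group parameters, the holder count, and all function names are constructed for illustration; a real deployment uses a group of roughly 256-bit order and a second generator whose discrete log nobody knows, neither of which holds for an 11-bit modulus). Share arithmetic is modulo the group order Q; commitment arithmetic is modulo P.

```python
"""Toy Pedersen VSS with a proactive refresh round (constructed parameters)."""
import secrets

# Constructed toy group: P = 2*Q + 1 is a safe prime, so the quadratic residues mod P
# form a subgroup of prime order Q. G and H are both squares, hence generators of it.
# With P this small log_G(H) is trivially computable, so this is for illustration only.
P, Q = 2027, 1013
G, H = 4, 9


def evaluate(coeffs, x):
    """Horner evaluation mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def random_poly(constant, degree):
    return [constant % Q] + [secrets.randbelow(Q) for _ in range(degree)]


def commit(f, b):
    """Pedersen commitment G^f_j * H^b_j to each coefficient pair; published by the dealer."""
    return [pow(G, a, P) * pow(H, bb, P) % P for a, bb in zip(f, b)]


def deal(secret, k, n):
    """Dealer: share `secret` k-of-n. Each share carries a blinding value b(i)."""
    f = random_poly(secret, k - 1)
    b = random_poly(secrets.randbelow(Q), k - 1)
    shares = {i: (evaluate(f, i), evaluate(b, i)) for i in range(1, n + 1)}
    return shares, commit(f, b)


def verify_share(i, share, commitments):
    """Holder i checks G^s * H^t == prod_j C_j^(i^j) without learning the polynomial."""
    s, t = share
    lhs = pow(G, s, P) * pow(H, t, P) % P
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return lhs == rhs


def make_update(k, n):
    """One holder's refresh contribution: random polynomials with zero constant term."""
    u = random_poly(0, k - 1)
    v = random_poly(0, k - 1)
    deltas = {i: (evaluate(u, i), evaluate(v, i)) for i in range(1, n + 1)}
    return deltas, commit(u, v)


def refresh(shares, commitments, updates):
    """Apply a refresh round. Before accepting an update, every holder checks that its
    constant-term commitment is the identity (so the secret cannot have moved) and
    that the delta they received is consistent with the update's commitments."""
    new_shares = dict(shares)
    new_commitments = list(commitments)
    for deltas, upd_comm in updates:
        if upd_comm[0] != 1:
            raise ValueError("update would change the secret")
        for i, d in deltas.items():
            if not verify_share(i, d, upd_comm):
                raise ValueError(f"inconsistent update for holder {i}")
        for i, (ds, dt) in deltas.items():
            s, t = new_shares[i]
            new_shares[i] = ((s + ds) % Q, (t + dt) % Q)
        new_commitments = [c * u % P for c, u in zip(new_commitments, upd_comm)]
    return new_shares, new_commitments


if __name__ == "__main__":
    shares, comm = deal(777, 2, 3)
    print(all(verify_share(i, sh, comm) for i, sh in shares.items()))
    updates = [make_update(2, 3) for _ in range(3)]  # every holder contributes
    new_shares, new_comm = refresh(shares, comm, updates)
    print(all(verify_share(i, sh, new_comm) for i, sh in new_shares.items()))
```

Recovering the secret from k verified shares is the same Lagrange interpolation (of the first share component, modulo Q) that plain Shamir uses; the commitments only decide which shares are allowed into that computation. The refresh preserves the secret because each update's constant term is zero, and a holder who tried to smuggle in a nonzero constant would have to publish a commitment to it, which the `upd_comm[0] != 1` check rejects.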