LmCast :: Stay tuned in

How Shamir's Secret Sharing Works

Recorded: May 26, 2026, 1:15 p.m.


May 25, 2026

Some secrets are too important to trust to one person, and too important to lose if that person disappears.

A company wants three officers present before the master key is used. A family wants account recovery to need more than one envelope. A team wants a backup that survives a missing member without handing anyone the whole thing.

Adi Shamir (the S in RSA) published a way to do this in 1979. Split a secret into pieces so that some number of them can recover it, and any smaller number reveals nothing at all. Not "is hard to crack." Reveals nothing.

The core idea fits on a page.

Two points make a line

Start with something you already know: two distinct points determine exactly one straight line.

A single point does not. Infinitely many lines pass through one point, and each line crosses the vertical axis somewhere different.

Now hide a secret where a line crosses the vertical axis. Say the secret is the number 7. Draw a random line through that height. The slope is not important. It is just randomness that hides the secret.

Give each person one point from the line. Nobody gets the line itself.

A person with one point can draw many possible lines through it. Each line implies a different secret. Their share is compatible with every possible answer, so it tells them nothing useful by itself.

Put two points together and the line is fixed. Once you know the line, you can read the secret from where it crosses zero.

That is a 2-of-n secret sharing scheme. You can create as many points as you want, but any two are enough to recover the line.

More people means more bend

For a higher threshold, use a curve with more bend.

A parabola needs three points to determine it. So if the secret is hidden where the parabola crosses the vertical axis, any three shares can recover the secret and any two cannot.

In general, a threshold of k uses a polynomial of degree k - 1.

- 2 shares: a line
- 3 shares: a parabola
- 4 shares: a cubic

Real implementations use finite-field arithmetic rather than graph paper, but the shape of the idea is the same. The secret is the value at zero. The random coefficients hide it. Each share is one point on the polynomial.

The useful part is not that the secret is hard to compute from too few shares. It is that too few shares contain no information about the secret. With one share missing, every possible secret is still possible.

Why we care

We use this idea in Ente's Legacy Kit.

Our problem, though, was not just "how do we split a secret?" but also "how do we make recovery possible without turning the split secrets into a permanent recovery key?"

Legacy Kit uses Shamir's scheme as one layer inside a larger flow. The cards don't carry the recovery key. They reconstruct a separate secret locally, which then participates in a server-mediated recovery — so issued cards can be revoked, and a lost card is not a permanent liability.

This post is only the math behind the "any two, never one" part.

Further reading

- Adi Shamir's "How to Share a Secret"
- Bruce Schneier's "Sharing Secrets Among Friends"
- Max Levchin's PayPal story
- Ente's source code

Adi Shamir introduced a method for secret sharing in 1979. It divides a secret into pieces such that a chosen number of the pieces can reconstruct the original secret, while any smaller number reveals no useful information. The fundamental concept leverages the geometric property that two distinct points uniquely determine a straight line, which serves as the basis for the initial scheme. To hide a secret, the secret value is conceptually placed at the point where a line crosses the vertical axis. Each point handed out from this line is a share; a single share is entirely compatible with any possible secret, meaning it provides no meaningful information on its own. However, when two points are combined, they define the unique line, allowing the secret, which is the line's value at zero, to be determined. This forms the basis of a two-of-n secret sharing scheme.

The scheme can be generalized to higher thresholds by employing curves with greater curvature. For instance, a parabola requires three points to uniquely define it, and consequently, three shares are necessary and sufficient to recover the secret, whereas any two shares remain insufficient. Generally, a threshold of k necessitates the use of a polynomial of degree k minus one. This means a line corresponds to a polynomial of degree one (two-of-n), a parabola corresponds to a polynomial of degree two (three-of-n), and a cubic curve corresponds to a polynomial of degree three (four-of-n). In practical implementations, these polynomial concepts are realized through finite-field arithmetic rather than graphical representations. The secret itself is encoded as the value of the polynomial at zero, and the random coefficients of the polynomial serve to obscure this value, with each share being a single point on that polynomial curve.
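The finite-field form of the scheme summarized above, as an added Python example (not code from the original post or from Ente): the secret is f(0) of a random degree k - 1 polynomial modulo a prime, each share is a point on it, and recovery is Lagrange interpolation at zero. The modulus 2**127 - 1 and all function names are assumptions made here; the last function checks, on a small field, that a lone share of a 2-of-n split is consistent with every possible secret.

```python
import secrets

# Assumption: the page names no field; a 127-bit Mersenne prime is used here.
PRIME = 2**127 - 1

def split(secret, k, n, prime=PRIME):
    """Return n points on a random degree-(k-1) polynomial f with f(0) = secret."""
    if not (1 < k <= n < prime and 0 <= secret < prime):
        raise ValueError("need 1 < k <= n < prime and 0 <= secret < prime")
    # Coefficients a_1..a_{k-1} come from a CSPRNG; they are what hides the secret.
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod prime
            acc = (acc * x + c) % prime
        return acc
    # x = 0 is never issued: that point is the secret itself.
    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares, prime=PRIME):
    """Lagrange-interpolate f(0) from k shares with distinct x values."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total

def secret_implied_by(share, slope, prime):
    """2-of-n: the secret a lone share would imply if the slope were `slope`."""
    x, y = share
    return (y - slope * x) % prime

def one_share_leaks_nothing(share, prime):
    """True when every field element is a possible secret given just this share."""
    implied = {secret_implied_by(share, a, prime) for a in range(prime)}
    return implied == set(range(prime))
```

`recover` returns a value for any set of distinct shares; with fewer than k of them it is simply a wrong value, so a caller that needs to detect this has to carry an integrity check alongside the secret.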

The security of the system resides not in making the secret computationally difficult to crack from a subset of shares, but rather in ensuring that an insufficient number of shares contains absolutely no information about the secret. If the shares in hand fall even one short of the threshold, all possible secrets remain equally feasible. This principle allows the scheme to provide provable information-theoretic security regarding the distribution of knowledge among the participants. Beyond the core mathematics of the splitting mechanism, the application of Shamir's scheme extends to ensuring secure recovery processes. For example, in systems like Ente's Legacy Kit, the scheme is integrated into a larger flow where the goal is to enable recovery without establishing a permanent recovery key. This approach allows for flexible control over access and revocation, as the distributed shares do not carry the master recovery key, facilitating server-mediated recovery processes.