Shamir's Secret Sharing in Plain English — and When It's a Bad Fit for Your Backup Plan
A plain-English walkthrough of Shamir's Secret Sharing — the polynomial trick, where it works in production, and the brutal failure modes that make it the wrong tool for most family inheritance plans.
Splitting a Secret So That No One Person Holds It
There's a problem cryptographers have been chewing on since the 1970s. You have a secret — say, the key to a treasury, the master password to a vault, the recovery seed for a billion-dollar wallet. You don't want any one person to hold it, because any single person can be coerced, bribed, lose it, or die without telling anyone. But you also don't want to require everyone to be present every time you need it.
What you want is something like: split the secret among five people, and let any three of them, together, reconstruct it. Two can't. One definitely can't. And — this is the hard part — the math should make it provably impossible to learn anything about the secret from fewer than three shares.
This is a real problem, and Adi Shamir solved it in 1979. The trick is so elegant it's worth knowing even if you never implement it, and the failure modes are so subtle it's worth knowing especially if you do.
The Trick: A Polynomial Through a Point
Here's the whole idea in two sentences.
If I pick a polynomial of degree 2, something like f(x) = ax² + bx + c, and I tell you that c is the secret, then I can hand out points on that polynomial as "shares." Any three of those points uniquely determine the polynomial, so any three people, together, can solve for c. Two points aren't enough: for every possible value of c there is exactly one degree-2 polynomial through those two points with that constant term, so two people, working together, learn nothing about which c it is.
That's it. Degree k-1 polynomial with uniformly random coefficients, secret hidden in the constant term, shares are evaluations of the polynomial at distinct nonzero x values, and all arithmetic is done in a finite field (modulo a prime, or in GF(2^8) as SLIP-39 does). Reconstruction is high-school algebra (Lagrange interpolation at x = 0). Security is information-theoretic: not "hard to break" but mathematically impossible to break, even with infinite compute, from fewer than k shares. The one caveat practitioners trip over: that guarantee depends on the finite field and on genuinely random coefficients. Do the same construction over the plain integers and the shares leak information about the secret, which is why real implementations never do that.
The scheme generalizes to any threshold k of any total n. Want 3-of-5? Degree 2 polynomial, 5 shares. Want 2-of-3? Degree 1 line, 3 shares. The math doesn't care.
Why It's Beautiful
It's perfectly secure. Most encryption is computationally secure, meaning hard to break given current hardware, until someone builds a quantum computer or finds a flaw. Shamir's scheme is information-theoretically secure. Below the threshold, the shares contain literally zero information about the secret. There's nothing to break.
It's flexible. The dealer can issue a fresh set of shares with a different threshold without changing the secret (the old shares stay valid for the old threshold unless they are destroyed). With extensions like Feldman's VSS, shareholders can verify that a share is valid without revealing the secret. Plain Shamir has no such check: it hides the secret but gives no integrity, so a corrupted or maliciously altered share reconstructs to a wrong value with no error.
It composes. You can split shares of shares. You can build hierarchical schemes where some shareholders count more than others.
For a 1979 paper, it's aged remarkably well.
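The polynomial trick from "The Trick" section and the zero-information and no-integrity points above, as an added worked example. This is not code from the original post and not how any of the products mentioned below implement the scheme. It works over a prime field GF(p) with a 127-bit default prime chosen here for illustration; `implied_share` is a helper introduced in this example to make the below-threshold argument concrete, and every secret and share value is constructed demo data, not real key material.

```python
"""Shamir's Secret Sharing over the prime field GF(p).

Added worked example, not the original post's code. Secrets are integers
in [0, p); a real deployment encodes a key as such an integer, or runs the
scheme per byte over GF(2^8) the way SLIP-39 does.
"""
import secrets

# 2**127 - 1 is a Mersenne prime; it comfortably holds a 126-bit secret.
# (Chosen for this example; any prime larger than the secret and n works.)
DEFAULT_PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate c0 + c1*x + c2*x^2 + ... at x, modulo p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=DEFAULT_PRIME):
    """Split `secret` into n shares (x, f(x)); any k of them reconstruct it.

    The secret is the constant term of a random degree k-1 polynomial. The
    other k-1 coefficients MUST be uniformly random, or the zero-information
    guarantee below threshold no longer holds.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    # x = 0 is never used as a share index: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def _interpolate(points, x, p):
    """Lagrange interpolation: the value at x of the unique polynomial of
    degree < len(points) passing through `points`, all arithmetic mod p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares, k, p=DEFAULT_PRIME):
    """Recover the secret from at least k shares with distinct x values."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x values")
    if len(shares) < k:
        raise ValueError(f"need {k} shares, have {len(shares)}")
    # Only k shares are consumed. Extra shares are ignored, not cross-checked:
    # plain Shamir cannot tell a corrupted share from a genuine one.
    return _interpolate(shares[:k], 0, p)


def implied_share(partial_shares, candidate_secret, x, p=DEFAULT_PRIME):
    """Given k-1 shares and a guess at the secret, return the value a share
    at index x would have to take for that guess to be the truth.

    k-1 shares plus the point (0, guess) pin down exactly one degree k-1
    polynomial, so EVERY guess is consistent with the k-1 shares and each
    guess corresponds to a different value of the missing share. That is
    the information-theoretic argument made concrete.
    """
    return _interpolate([(0, candidate_secret)] + list(partial_shares), x, p)


if __name__ == "__main__":
    secret = 0xDEADBEEF  # constructed demo value
    shares = split_secret(secret, k=3, n=5)
    assert reconstruct([shares[0], shares[2], shares[4]], k=3) == secret

    # Zero information below threshold, shown in the toy field GF(17): two
    # shares of a 3-of-5 split are consistent with all 17 possible secrets.
    p = 17
    toy = split_secret(5, k=3, n=5, p=p)
    implied = {implied_share(toy[:2], guess, x=3, p=p) for guess in range(p)}
    assert len(implied) == p
    print("two shares are consistent with every one of the", p, "secrets")

    # No integrity: one altered share reconstructs to a wrong secret silently.
    x0, y0 = shares[0]
    bad = [(x0, (y0 + 1) % DEFAULT_PRIME), shares[1], shares[2]]
    assert reconstruct(bad, k=3) != secret
    print("a corrupted share produced a wrong secret with no error")
```

Two things the code makes visible that the prose only asserts. First, `implied_share` over GF(17) returns 17 distinct values for 17 candidate secrets, so two shares rule out nothing: the missing third share could take any value, and each one would "prove" a different secret. Second, `reconstruct` has no way to notice a flipped bit in a share; it returns a plausible-looking wrong value, which is the gap that Feldman's VSS (or a MAC over the secret) exists to close. Hierarchical schemes fall out directly: feed a share's y value back into `split_secret` to split that share among a sub-group.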
When It's a Good Fit
- Bitcoin custodians use it to split signing keys across multiple secure modules.
- HashiCorp Vault uses it for unsealing: the key that decrypts Vault's root key is split among operators (5 shares with a threshold of 3 by default), and that many of them must be entered to bring Vault online after a restart.
- Some hardware wallets (Trezor, with SLIP-39) offer Shamir-style seed splitting as an alternative to a single recovery phrase.
In every case, the same conditions hold: the shareholders are sophisticated, the ceremony is rehearsed, the substrate is reliable, and the event of reconstruction is rare and momentous.
When It's a Terrible Fit
Now the part the cryptography textbook doesn't always say out loud. Shamir's scheme is great math and a hard fit for the most common use case people reach for it: passing a secret to your family if you die.
Share rot. A share you give your brother today has to survive 30 or 40 years. He'll move houses. Lose drawers. Reformat hard drives. Get divorced and forget where he stashed the envelope. Once enough shares are lost that the survivors fall below the threshold, the secret is gone forever, and nothing warns you as the shares quietly disappear one by one.
Coordination problem at the worst possible time. The moment your family needs to reconstruct the secret is the moment they're grieving, scattered, and may not even know about each other. "Mom, also you need to call Uncle Dave and Aunt Sarah and get them all on a Zoom and read the QR codes off each other's pieces of paper" is not a workflow that survives contact with reality.
No ceremony. Real cryptographic deployments rehearse reconstruction. They do it quarterly, document it, train new operators. Family deployments are rehearsed exactly zero times before the one time they matter.
Collusion at the wrong threshold. Pick a low threshold and a small coalition, or one compromised household, can reconstruct the secret without you. Pick a high threshold and a single lost share can lock everyone out. There's no sweet spot for most families.
Computer literacy floor. Reconstructing Shamir shares means handling QR codes, mnemonic phrases, or hex strings. Your 78-year-old mother doesn't want to type a 32-character hex string into anything.
What We Picked Instead
Killswitch doesn't use Shamir's Secret Sharing. We thought about it, and what we built is closer to a delegated trust model: a single encrypted blob, a single trigger condition (you stop checking in), and a clear chain of custody from you to a named beneficiary.
The math is less impressive. The user experience is better, and the failure modes are easier to recover from. When a beneficiary loses access to their email, we can detect it and notify you. When a beneficiary changes their address, you can update them in two clicks. There's no irrecoverable threshold to fall below.
Shamir's scheme is a hammer. It's an excellent hammer. Just be careful what you decide is a nail.
Killswitch skips the share-rot, ceremony, and collusion problems that Shamir's scheme inherits. Zero-knowledge delegated trust, with named beneficiaries, missed-check-in delivery, and the ability to update everything as life changes. Get started today