ToolBelt

Shamir Secret Sharing

Split a secret into N shares with a K-of-N threshold.

Open tool

Overview

The Shamir Secret Sharing tool splits a secret — a passphrase, a key, a recovery phrase — into N independent shares, of which any K are enough to reconstruct the original. Lose a share or two and the secret is still recoverable; gather fewer than K and the secret is mathematically unrecoverable.

It is built for teams that need shared custody of a master key (cloud root accounts, treasury wallets, code-signing keys), for individuals splitting a backup across trusted custodians, and for security trainers teaching threshold cryptography. A Shamir secret sharing tool turns "one point of failure" into "K of N points of failure", a much harder situation for an attacker.

How it works

Adi Shamir's 1979 scheme is built on polynomial interpolation over a finite field. To split a secret s into N shares with threshold K:

  1. Encode s as a number (or bytewise as field elements over GF(2^8)).
  2. Pick K-1 random coefficients a_1 ... a_{K-1} from the same field.
  3. Form the polynomial f(x) = s + a_1·x + a_2·x^2 + ... + a_{K-1}·x^(K-1).
  4. Each share is (i, f(i)) for i = 1..N.

Reconstruction takes any K shares and uses Lagrange interpolation to recover f(0) = s. With fewer than K shares, the polynomial is underdetermined — every possible secret is equally likely, so the scheme provides information-theoretic security.

The tool typically encodes shares as M-<index>-<hex> strings and runs the math over GF(2^8) byte-by-byte for arbitrary-length secrets.

Examples

Secret:    "my-master-passphrase"
N=5, K=3
Output:    5 share strings, e.g.:
  share-1: 01-a7f3c2...
  share-2: 02-b914e1...
  share-3: 03-7c8d22...
  share-4: 04-3f0e51...
  share-5: 05-d61aff...

Reconstruct: shares 1, 3, and 5
Output:      "my-master-passphrase"

Reconstruct: shares 1 and 3 (below threshold)
Output:      Cannot reconstruct — at least 3 shares required

FAQ

What threshold should I pick?

Depends on your trust model and disaster tolerance. (3, 5) is a common choice: any three of five trusted custodians can recover, surviving the loss of two. (2, 3) is convenient but means any two custodians can collude.

Are shares safe to send over email?

A single share leaks zero information about the secret, so technically yes — but transit metadata (who sent what to whom) is itself sensitive. Treat shares like any other credential and prefer signal-or-encrypted channels.

Is SLIP-39 the same?

SLIP-39 is a SatoshiLabs spec that wraps Shamir Secret Sharing with a wordlist (like BIP-39) and grouped thresholds. Conceptually identical math; different framing for cryptocurrency wallet seeds.

What happens if a share is corrupted?

The reconstruction will produce garbage with no warning unless the scheme adds a checksum. Modern implementations (and SLIP-39) wrap each share in a CRC; this tool surfaces a verification step when shares are imported.

Try Shamir Secret Sharing

An unhandled error has occurred. Reload ×