Some secrets are too important to trust to one person, and too important to lose if that person disappears.
A company wants three officers present before the master key is used. A family wants account recovery to need more than one envelope. A team wants a backup that survives a missing member without handing anyone the whole thing.
Adi Shamir (the S in RSA) published a way to do this in 1979. Split a secret into pieces so that some number of them can recover it, and any smaller number reveals nothing at all. Not "is hard to crack." Reveals nothing.
The core idea fits on a page.
Two points make a line
Start with something you already know: two distinct points determine exactly one straight line.
A single point does not. Infinitely many lines pass through one point, and each line crosses the vertical axis somewhere different.
Now hide a secret where a line crosses the vertical axis. Say the secret is the number 7. Draw a random line through that height. The slope is not important. It is just randomness that hides the secret.
Give each person one point from the line. Nobody gets the line itself.
A person with one point can draw many possible lines through it. Each line implies a different secret. Their share is compatible with every possible answer, so it tells them nothing useful by itself.
Put two points together and the line is fixed. Once you know the line, you can read the secret from where it crosses zero.
That is a 2-of-n secret sharing scheme. You can create as many points as you want, but any two are enough to recover the line.
More people means more bend
For a higher threshold, use a curve with more bend.
A parabola needs three points to determine it. So if the secret is hidden where the parabola crosses the vertical axis, any three shares can recover the secret and any two cannot.
In general, a threshold of k uses a polynomial of degree k - 1.
- 2 shares: a line
- 3 shares: a parabola
- 4 shares: a cubic
Real implementations use finite-field arithmetic rather than graph paper, but the shape of the idea is the same. The secret is the value at zero. The random coefficients hide it. Each share is one point on the polynomial.
The useful part is not that the secret is hard to compute from too few shares. It is that too few shares contain no information about the secret. With one share missing, every possible secret is still possible.
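The scheme above carried out over a prime field, as an added example (not code from the original post or from Ente): split() hides the secret as the constant term of a random degree k-1 polynomial, combine() interpolates at zero, and implied_share() shows why k-1 shares reveal nothing, since for any candidate secret there is a polynomial consistent with them. The prime and the sample secrets are assumptions chosen for illustration.

```python
import secrets  # CSPRNG for the random coefficients that hide the secret

# Assumed field: a Mersenne prime, large enough for a 60-bit secret.
PRIME = 2**61 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate the polynomial with coefficients [a0, a1, ...] at x, mod p."""
    result = 0
    for c in reversed(coeffs):  # Horner's rule
        result = (result * x + c) % p
    return result


def _interpolate_at(points, x, p=PRIME):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through every (x_i, y_i), all arithmetic mod p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        # pow(den, p-2, p) is the modular inverse (Fermat; p is prime, den != 0)
        total = (total + yi * num * pow(den, p - 2, p)) % p
    return total


def split(secret, k, n, p=PRIME):
    """Make n shares (x, y) of `secret`; any k recover it, k-1 reveal nothing.
    The secret is the value at x=0 of a random degree-(k-1) polynomial."""
    if not (0 < k <= n < p and 0 <= secret < p):
        raise ValueError("need 0 < k <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def combine(shares, p=PRIME):
    """Recover the secret from at least k distinct shares: interpolate at 0."""
    return _interpolate_at(shares, 0, p)


def implied_share(partial_shares, candidate_secret, x, p=PRIME):
    """Given only k-1 shares, every candidate secret is consistent: the
    polynomial through those shares and (0, candidate) yields a perfectly
    valid-looking share at x. This is the 'reveals nothing' property."""
    points = list(partial_shares) + [(0, candidate_secret)]
    return (x, _interpolate_at(points, x, p))
```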
Why we care
We use this idea in Ente's Legacy Kit.
Our problem, though, was not just "how do we split a secret?" but also "how do we make recovery possible without turning the split secrets into a permanent recovery key?"
Legacy Kit uses Shamir's scheme as one layer inside a larger flow. The cards don't carry the recovery key. They reconstruct a separate secret locally, which then participates in a server-mediated recovery — so issued cards can be revoked, and a lost card is not a permanent liability.
This post is only the math behind the "any two, never one" part.