Shamir's Secret Sharing

Polynomials Are the Right Tool

Why polynomials? Because a polynomial of degree t1t-1 is uniquely determined by its values at any tt distinct points and is completely unconstrained by its values at any t1t - 1 points. This single algebraic fact delivers both correctness (any tt evaluations interpolate back to p(0)=sp(0) = s) and perfect secrecy (any t1t-1 evaluations are statistically indistinguishable from random, for any fixed ss). Shamir's 1979 insight was that this two-for-one gift is exactly what secret sharing needs.

The construction takes two lines to state and four to implement. The result is the canonical information-theoretic threshold cryptography.

Shamir Share Generation

Complexity: O(nt)O(nt) finite-field multiplications
Input: Secret sFqs \in \mathbb{F}_q, threshold tt, number of
parties nq1n \leq q - 1, distinct nonzero evaluation points
α1,,αnFq\alpha_1, \ldots, \alpha_n \in \mathbb{F}_q^*.
Output: Shares s1,,sns_1, \ldots, s_n for the nn parties.
1. Draw r1,,rt1r_1, \ldots, r_{t-1} independently and uniformly from Fq\mathbb{F}_q.
2. Define the polynomial p(x)=s+r1x+r2x2++rt1xt1p(x) = s + r_1 x + r_2 x^2 + \cdots + r_{t-1} x^{t-1}.
3. for k=1,2,,nk = 1, 2, \ldots, n do
4. skp(αk)\quad s_k \leftarrow p(\alpha_k)
5. end for
6. return (s1,s2,,sn)(s_1, s_2, \ldots, s_n)

The polynomial pp is constructed with p(0)=sp(0) = s so that the secret is recoverable at x=0x = 0. Each party kk is assigned a fixed distinct evaluation point αk0\alpha_k \neq 0; the mapping kαkk \mapsto \alpha_k is public, while the coefficients r1,,rt1r_1, \ldots, r_{t-1} are freshly random per share.

Shamir Reconstruction via Lagrange Interpolation

Complexity: O(t2)O(t^2) finite-field operations, or O(tlog2t)O(t \log^2 t) with FFTs
Input: Any tt shares {(αk,sk):kT}\{(\alpha_k, s_k) : k \in \mathcal{T}\}
where T=t|\mathcal{T}| = t.
Output: The secret ss.
1. for each kTk \in \mathcal{T} do
2. k(0)jT,jk0αjαkαj=jkαjαkαj\quad \ell_k(0) \leftarrow \prod_{j \in \mathcal{T}, j \neq k} \dfrac{0 - \alpha_j}{\alpha_k - \alpha_j} = \prod_{j \neq k} \dfrac{-\alpha_j}{\alpha_k - \alpha_j}
3. end for
4. skTskk(0)s \leftarrow \displaystyle\sum_{k \in \mathcal{T}} s_k \cdot \ell_k(0)
5. return ss

The Lagrange basis polynomials k\ell_k evaluated at x=0x = 0 give the interpolation coefficients. Every coalition of size tt uses its own αk\alpha_k's to compute its own k(0)\ell_k(0)'s — the reconstruction formula works over all size-tt subsets.

Theorem: Shamir's (t,n)(t, n)-Threshold: Correctness and Perfect Secrecy

For every prime power q>nq > n and distinct nonzero α1,,αnFq\alpha_1, \ldots, \alpha_n \in \mathbb{F}_q^*, Shamir's scheme (Algorithms 3.1, 3.2) is a perfect (t,n)(t, n)-threshold secret-sharing scheme over Fq\mathbb{F}_q:

  1. Correctness. For every secret sFqs \in \mathbb{F}_q and every T{1,,n}\mathcal{T} \subseteq \{1, \ldots, n\} with T=t|\mathcal{T}| = t, Lagrange interpolation on {(αk,sk):kT}\{(\alpha_k, s_k) : k \in \mathcal{T}\} recovers p(0)=sp(0) = s exactly.
  2. Perfect secrecy. For every forbidden coalition U\mathcal{U} with Ut1|\mathcal{U}| \leq t - 1 and every secret value s~Fq\tilde s \in \mathbb{F}_q, Pr[shares of Us=s~]\Pr[\text{shares of } \mathcal{U} \mid s = \tilde s] is uniform over FqU\mathbb{F}_q^{|\mathcal{U}|}; equivalently, I(s;{sk:kU})=0I(s; \{s_k : k \in \mathcal{U}\}) = 0.

A polynomial of degree t1t-1 has tt free parameters (the coefficients s,r1,,rt1s, r_1, \ldots, r_{t-1}). Specifying tt evaluations completely determines the polynomial; specifying fewer than tt leaves at least one free parameter, and the randomness of the rir_i's ensures that free parameter is uniform. This is the information-theoretic heart of the scheme.

Proof
Correctness: $p$ has degree $\leq t-1$

A degree-(t1)(t-1) polynomial is uniquely determined by its values at any tt distinct points. The Lagrange interpolation formula evaluated at 00 gives p(0)=sp(0) = s exactly. Hence any authorized T\mathcal{T} reconstructs correctly.

Perfect secrecy: set up

Fix a forbidden coalition U={k1,,km}\mathcal{U} = \{k_1, \ldots, k_m\} with mt1m \leq t - 1. We show that for any candidate secret value s~Fq\tilde s \in \mathbb{F}_q, the coalition's view (sk1,,skm)(s_{k_1}, \ldots, s_{k_m}) is uniform over Fqm\mathbb{F}_q^m, hence independent of ss.

Perfect secrecy: uniform shares

The coalition's shares are ski=p(αki)=s~+j=1t1rjαkijs_{k_i} = p(\alpha_{k_i}) = \tilde s + \sum_{j=1}^{t-1} r_j \alpha_{k_i}^j. This is a linear transformation of the uniformly random vector (r1,,rt1)Fqt1(r_1, \ldots, r_{t-1}) \in \mathbb{F}_q^{t-1} plus the constant s~\tilde s. The matrix of this transformation has rows (αki,αki2,,αkit1)(\alpha_{k_i}, \alpha_{k_i}^2, \ldots, \alpha_{k_i}^{t-1}); since mt1m \leq t-1 and the αki\alpha_{k_i} are distinct nonzero elements of Fq\mathbb{F}_q, this is a Vandermonde-like matrix of full row rank mm.

Perfect secrecy: finish

A full-row-rank linear transformation of a uniform random vector is itself uniform over the image. Hence the coalition's view is uniform over Fqm\mathbb{F}_q^m, independent of the secret s~\tilde s. This holds for every s~\tilde s; therefore I(s;{sk:kU})=0I(s; \{s_k : k \in \mathcal{U}\}) = 0. \blacksquare

Example: Shamir Over F7\mathbb{F}_7: (2,3)(2, 3)-Threshold

Share secret s=5s = 5 among 3 parties (evaluation points α1=1,α2=2,α3=3\alpha_1 = 1, \alpha_2 = 2, \alpha_3 = 3) with threshold t=2t = 2 over F7\mathbb{F}_7, using random coefficient r1=4r_1 = 4. Verify that any two shares reconstruct the secret, and that one share reveals nothing.

Solution
Build the polynomial

p(x)=5+4xp(x) = 5 + 4x over F7\mathbb{F}_7.

Compute shares

s1=p(1)=5+4=92(mod7).s_1 = p(1) = 5 + 4 = 9 \equiv 2 \pmod 7. s2=p(2)=5+8=136(mod7).s_2 = p(2) = 5 + 8 = 13 \equiv 6 \pmod 7. s3=p(3)=5+12=173(mod7).s_3 = p(3) = 5 + 12 = 17 \equiv 3 \pmod 7.

Reconstruct from shares 1 and 2

Lagrange basis at x=0x = 0: 1(0)=(02)/(12)=2/1=2\ell_1(0) = (0-2)/(1-2) = -2/-1 = 2. 2(0)=(01)/(21)=1/1=16(mod7)\ell_2(0) = (0-1)/(2-1) = -1/1 = -1 \equiv 6 \pmod 7. s=s11(0)+s22(0)=22+66=4+36=405(mod7).s = s_1 \ell_1(0) + s_2 \ell_2(0) = 2 \cdot 2 + 6 \cdot 6 = 4 + 36 = 40 \equiv 5 \pmod 7.

Reconstruct from shares 2 and 3

Lagrange basis at x=0x = 0: 2(0)=(03)/(23)=3/1=3\ell_2(0) = (0-3)/(2-3) = -3/-1 = 3. 3(0)=(02)/(32)=2/1=25(mod7)\ell_3(0) = (0-2)/(3-2) = -2/1 = -2 \equiv 5 \pmod 7. s=s22(0)+s33(0)=63+35=18+15=335(mod7).s = s_2 \ell_2(0) + s_3 \ell_3(0) = 6 \cdot 3 + 3 \cdot 5 = 18 + 15 = 33 \equiv 5 \pmod 7. ✓ Same secret, confirming that the answer does not depend on which two shares we use.

One share reveals nothing

A single share — say s1=2s_1 = 2 — is consistent with every possible secret s~F7\tilde s \in \mathbb{F}_7 under a suitable random r1r_1: for each s~\tilde s there is a unique r~1\tilde r_1 such that s~+r~11=2\tilde s + \tilde r_1 \cdot 1 = 2. Since r1r_1 was uniform, the seven candidate secrets are equally likely given s1s_1. Perfect secrecy confirmed.

Shamir Polynomial Evaluation

Plot a degree-(t1)(t-1) polynomial over the reals to visualize Shamir's scheme. The secret is p(0)p(0); the shares are p(α1),p(α2),,p(αn)p(\alpha_1), p(\alpha_2), \ldots, p(\alpha_n). Move the slider to see how any tt of the nn points uniquely determine the curve, but fewer than tt points leave infinitely many candidate curves — each passing through the known points but hitting a different value at x=0x = 0.

Parameters
3

Polynomial degree = $t - 1$

5

Number of parties

2

Polynomial value at $x = 0$

Shamir: From Shares to Polynomial to Secret

Animated sequence: (1) a random polynomial of degree t1t - 1 is drawn with the secret at x=0x = 0; (2) nn evaluation points are highlighted; (3) any tt of them determine the polynomial and hence the secret; (4) any t1t - 1 leave infinitely many curves consistent with those points, visualizing perfect secrecy.

Shamir Threshold Explorer

Adjust tt (threshold) and nn (number of shares) and see the security / robustness trade-off. The plot shows: (top) share values as a function of the polynomial; (bottom) the number of "consistent secrets" given a forbidden coalition of size t1t - 1 — which equals qq (the field size) because every secret is equally likely. Changing tt changes the polynomial's shape but not the information-theoretic security guarantee.

Parameters
3
6
31

Reconstruction Cost at Scale

Naive Lagrange interpolation runs in O(t2)O(t^2) field operations. For tt on the order of a few thousand — the regime of ByzSecAgg in Chapter 11 — this becomes noticeable. The standard optimization is to compute the k(0)\ell_k(0) coefficients via FFT over the evaluation points, bringing the cost to O(tlog2t)O(t \log^2 t). Practical implementations (PyTorch / C++ MPC libraries) achieve this with modest constant factors on modern hardware. For the purpose of this book, treat reconstruction as cheap relative to the per-round training compute.

Common Mistake: Evaluation Points Must Be Distinct and Nonzero

Mistake:

Assign party 11 evaluation point α1=0\alpha_1 = 0 (maybe "to save field elements").

Correction:

Party 11's share would then equal the secret: s1=p(0)=ss_1 = p(0) = s. One share would suffice to reconstruct, ruining the threshold structure. Always use distinct nonzero evaluation points — typically αk=k\alpha_k = k for k=1,,nk = 1, \ldots, n when n<qn < q.

Common Mistake: Field Size Must Exceed nn

Mistake:

Use qnq \leq n (e.g., q=2q = 2 when n=5n = 5).

Correction:

There are only q1q - 1 nonzero elements in Fq\mathbb{F}_q, so at most q1q - 1 distinct evaluation points. If nqn \geq q then two parties must share the same α\alpha, breaking the construction. Practical Shamir implementations use F2k\mathbb{F}_{2^k} for large kk — e.g., F2256\mathbb{F}_{2^{256}} in modern MPC wallets — giving ample room.

⚠️Engineering Note

Shamir in MPC Wallet Systems

Production MPC (multi-party computation) wallet systems such as Fireblocks, ZenGo, and Unbound Tech all use Shamir's scheme as a building block. The typical deployment uses (t,n)=(3,5)(t, n) = (3, 5) over F2256\mathbb{F}_{2^{256}}, with shares stored in geographically distributed HSMs owned by independent trust zones. The pattern is: never store a private key as a single blob; reconstruct on demand from tt shares and discard. Modern threshold-signature protocols (GG18, CMP21) build on this foundation to sign ECDSA transactions without ever reconstructing the private key at all — a stronger guarantee that blends Shamir with coded computing (Chapter 5).

Practical Constraints

  • Fireblocks MPC: (t,n)=(3,5)(t, n) = (3, 5), field F2256\mathbb{F}_{2^{256}}, per-signature cost \sim 50 ms

  • Lightweight implementations use F264\mathbb{F}_{2^{64}} for IoT

  • Practical tt values rarely exceed 10 due to latency budgets in consumer products

📋 Ref: NIST SP 800-186 (threshold crypto); MPC Wallet Alliance specs

Why This Matters: The Same Polynomial Trick Appears Again in Chapter 5

Chapter 5 develops polynomial codes for distributed matrix multiplication. The construction is virtually identical to Shamir's: each worker is assigned an evaluation point, the master encodes data-dependent polynomials, and recovery from any KK responses uses the same Lagrange interpolation. The difference is that Shamir's polynomial has random coefficients (for privacy), while the polynomial-code polynomial has data-dependent coefficients (for correctness). Recognizing this structural kinship is the key to seeing why Chapter 5 calls coded computing "Shamir's polynomial plus linear structure".

🎓CommIT Contribution(2021)

Group Contributions Building on Shamir Secret Sharing

K. Wan, D. Tuninetti, G. CaireIEEE International Symposium on Information Theory (ISIT)

Several CommIT group results build directly on Shamir's secret- sharing primitive introduced in this section. The Wan–Tuninetti–Caire coded-shuffling framework (Chapter 7) uses a Shamir-style polynomial evaluation for the coded message construction. The Jahani-Nezhad / Maddah-Ali / Caire ByzSecAgg result (Chapter 11) relies on ramp secret sharing — the generalization introduced in Section 3.4. Both families of results illustrate that secret sharing is not a historical curiosity but an active tool in modern distributed-computing research.

secret-sharingcoded-shufflingcommit-foundation

Quick Check

In a Shamir (5,8)(5, 8)-scheme, what is the degree of the underlying polynomial p(x)p(x)?

44

55

77

88

Correction:
44

The polynomial has degree t1=4t - 1 = 4 — exactly enough so that t=5t = 5 evaluations determine it, but t1=4t - 1 = 4 evaluations do not.

The (t,n)(t, n)-Threshold ProblemBlakley's Scheme and Alternative Constructions