Shamir's Secret Sharing
Shamir's Secret Sharing (SSS) is a cryptographic scheme that splits a secret into multiple shares, where a defined threshold of shares is required to reconstruct the original. It is sometimes used to distribute seed phrase backups but has significant practical drawbacks.
How It Works
Shamir's Secret Sharing uses polynomial interpolation to split a secret into N shares, where any K shares (the threshold) can reconstruct the original. For example, a 2-of-3 Shamir split creates 3 shares, and any 2 are sufficient to recover the seed. Each individual share reveals nothing about the original secret — you need at least the threshold number to recover anything.
The SLIP39 standard (used by Trezor) implements Shamir's Secret Sharing specifically for Bitcoin seed phrases, encoding shares as sequences of 20 or 33 words from a different wordlist than BIP39. This provides a standardized way to split and reconstruct seeds across compatible devices.
However, SSS has a fundamental limitation that multisig does not: when you need to spend bitcoin, you must bring the threshold shares together and reconstruct the complete seed on a single device. That moment of reconstruction is a point of vulnerability — the full secret exists in one place. Multisig avoids this entirely because each key signs independently, and the complete set of keys never exists in one location. For this reason, many Bitcoin security experts recommend multisig over Shamir's for securing significant holdings.
Key Points
- Splits a secret into N shares where K shares reconstruct the original
- Individual shares reveal zero information about the secret
- SLIP39 standardizes Shamir's for Bitcoin seed phrases (incompatible with BIP39)
- Requires reconstructing the full secret on one device — a moment of vulnerability
- Multisig is generally preferred because keys never need to be combined