Shamir’s Secret Sharing (SLIP-39)

Shamir's Secret Sharing (SSS) is a cryptographic technique that splits a secret into a number of shares such that any threshold of them can rebuild it, while fewer than the threshold reveal nothing at all. A 2-of-3 split, for example, produces three shares; any two reconstruct the seed, but a single captured share is mathematically useless. SLIP-39 is the wallet-focused standard that adapts SSS to hierarchical deterministic seeds.

The math, briefly

SSS works by polynomial interpolation. The secret is encoded as a point on a randomly chosen polynomial of degree K-1; each share is another point on that curve. K points uniquely determine the polynomial and therefore the secret, while K-1 points leave infinitely many possibilities. This gives information-theoretic security below the threshold, not merely computational difficulty.

SLIP-39 specifics

SLIP-39 standardizes how this applies to BIP-32 seeds. It uses a dedicated 1024-word list, deliberately different from the BIP-39 list, so a Shamir share can never be confused with an ordinary seed phrase. It also supports two-level grouping, for example requiring two of three family shares plus three of five institutional shares, which enables sophisticated inheritance and organizational policies.

The key trade-off

SSS has a limitation that on-chain multisig does not: to spend, the threshold of shares must be brought together and the full seed reconstructed on one device, briefly recreating a single point of failure. For threshold security that never reassembles a whole key, see threshold ECDSA. For an all-or-nothing offline alternative, compare Seed XOR.