How Shamir's Secret Sharing Works
subract
141 points
16 comments
May 25, 2026
Discussion Highlights (10 comments)
compsciphd
Before I learned of Shamir secret sharing, I wondered why one couldn't do the same exact thing with a par2-like system (albeit with smaller pieces than a par2 system would traditionally have). I.e. you have X bits of data, you create Y*X/N sized recovery blocks (where Y > N). You hand each recovery block to individual users, and any N users can get together to recover the key and decrypt the contents.
teravor
If the secret is large, usually it's encrypted and the payload is distributed along with the shares of the key. But you can also just use Reed-Solomon and split the payload; the difference with Shamir is that you lose information-theoretic security (you lose it the moment you use encryption anyway) and the payload also needs to undergo an all-or-nothing transform (AONT). AONT transforms the entire payload into an encrypted blob which also serves as its own key; a withheld piece is a de facto encryption key. This is required because Reed-Solomon can have pathological cases where pieces leak information.
Cider9986
Here is Ente's implementation: ( https://2of3.ente.com/ )
_jackdk_
This is such a cool technique, and you could even teach it in secondary schools as a neat thing computer scientists can do with polynomials.
calvinmorrison
Something I am tangentially interested in is computing following the 'two-person rule' for things like sudo. Yes, I am logged into server X at terminal Y, and so is my co-worker, and we both sign off on running command X.
3eb7988a1663
Do the people who hold the root DNS keys do anything like this? Or is that too much complexity when a safe in a secure room works as an effective backup?
cryptoz
See also a story about an implementation from Max Levchin: https://max.levch.in/post/724289457144070144/shamir-secret-s...
sreekanth850
"ente" means "mine" in the Malayalam language. It's said to be one of the toughest Indian languages to learn. FYI.
ghostfoxgod
It's an incredible technique; when I came across it, it just changed the way I thought of solving giving out keys without "truly" giving them out. This gave me confidence for eternalvault.app, a project of mine.
ndr_
Bruce Schneier described this in his seminal book Applied Cryptography, and HashiCorp Vault used to have an implementation in Go. On the practical side, I always wondered how large - in bits - the shares should be. One answer I got on a newsgroup was "1 bit more than the actual key length". Nowadays, I wonder how the quantum computing threat would inform 1) share size choice and 2) pro/con Secret Sharing in general. Does anyone know?
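The share-size question above has a concrete answer for the byte-wise construction: run Shamir independently on each byte of the key in GF(2^8), and a share is exactly the key length plus one byte carrying the x-coordinate. The split/combine below is an added illustration written for this page, not code from any commenter or from Vault; it assumes the AES reduction polynomial (0x11b) for the field and a share layout of y-bytes followed by the x-byte.

```python
import os

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b); + and - are XOR.
def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = a
    for _ in range(253):  # group order 255, so a^254 == a^-1
        r = gf_mul(r, a)
    return r

def split(secret: bytes, n: int, t: int) -> list[bytes]:
    # Returns n shares, each laid out as y-bytes followed by one x-coordinate byte.
    if not 2 <= t <= n <= 255:
        raise ValueError("need 2 <= t <= n <= 255")
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + list(os.urandom(t - 1))  # fresh random degree-(t-1) poly per byte
        for x in range(1, n + 1):  # evaluate at x = 1..n, never at x = 0
            y = 0
            for c in reversed(coeffs):  # Horner's rule; coeffs[0] is f(0), the secret byte
                y = gf_mul(y, x) ^ c
            shares[x - 1].append(y)
    return [bytes(sh) + bytes([x]) for x, sh in enumerate(shares, start=1)]

def combine(shares: list[bytes]) -> bytes:
    # Lagrange interpolation of f(0), byte by byte, from t shares with distinct x.
    xs = [sh[-1] for sh in shares]
    out = bytearray()
    for k in range(len(shares[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            num, den = 1, 1
            for j, xj in enumerate(xs):
                if j != i:  # (0 - x_j) == x_j and (x_i - x_j) == x_i ^ x_j in char 2
                    num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)
            acc ^= gf_mul(shares[i][k], gf_mul(num, gf_inv(den)))  # duplicate x -> den == 0
        out.append(acc)
    return bytes(out)
```

Combining fewer than t shares returns a uniformly random value rather than an error, which is the point of the scheme: nothing about the key is learned below the threshold.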