What Is Shamir Secret Sharing?

Shamir secret sharing

Share this article

In researching Bitcoin, you’ve likely come across terms like decentralised, stateless, non-custodial, and elimination of third-party risk, all routed as benefits of using the network; well, that and “number go up“, right? 

While these features are unique to Bitcoin and contribute to the value proposition, many of us distil all that value into the fiat price when we first arrive at Bitcoin.

If you progress past the stage of Bitcoin being a method of trading in and out to attain more fiat currency, you’ll want to use the network’s self-custody feature. Self-custody is the act of creating a unique set of keys that represent a place on the blockchain that you have access to and can secure funds. 

When you take self-custody, you take personal responsibility for your funds. Since Bitcoin is a decentralised network, it means that it is not controlled by any central authority. And when we say no authority, it means that if you lose access to your funds, no one will be there to save you. 

There is no call centre to call, no chatbot, no support ticket to issue, no queue to stand in, no account reset, no transfer to a new account; in Bitcoin, you’re on your own.  

Having a decentralised communication network that can transfer value worldwide comes with its trade-offs. On one end, you have complete control over your money, making Bitcoin attractive to people as it offers a way to store and transfer value without relying on banks or other financial institutions.

Conversely, you are now at the mercy of your mistakes, negligence and ability to safeguard your funds. 

The single sig saga

When you self-custody your Bitcoin in a wallet you control, such as a hardware or software wallet, you are the only one with access to your private keys, which are the cryptographic keys that allow you to send and receive Bitcoin.

The vast majority of Bitcoin holders who self-custody are likely to begin with a single signature wallet; this results in a possible single point of failure. 

If you:

  • Lose your keys
  • Lose a partial set of your keys
  • Expose your keys to another person online or offline.

Those funds can be lost forever, and if you’re storing a considerable amount of wealth in Bitcoin, this could be devastating, so you need to plan for every possible attack vector or mistake. 

To add additional steps against potential losses with a single-sig setup, you can opt for the following:

  • Multiple copies of your keys – In case you lose one copy
  • Split the copies of your keys – In case your keys are exposed or stolen, they do not have the complete set
  • Encode your keys like using BIP39Colours – Making it harder to source your seed. 
  • Have a steel seed for robust key storage – Protect your seed against physical damage like fire or floods.
  • Limiting the amount of Bitcoin, you keep on a single seed phrase – distribute risk across multiple keys.
  • Splitting your key creation with Shamir backups.

What is Shamir’s secret sharing (SSS)?

Shamir’s secret sharing (SSS) is a cryptographic algorithm for distributing a secret, typically among a group of people, so the secret cannot be reconstructed unless a certain threshold of people collaborate. An individual can also use it to split information into several secret key combinations to limit access to files.

The secret can be anything, such as a password, a private key, or a piece of intellectual property.

The SSS algorithm works by dividing the secret into several shares, each of which is useless on its own. In order to reconstruct and extract the secret, a certain number of shares (the threshold) must be combined. 

The threshold can be any number greater than or equal to 2.

  • For example, a secret can be divided into ten shares with a threshold of 3. 
  • Any 3 of the ten shares can be combined to reconstruct the secret. 
  • If only 2 shares are available, the secret cannot be reconstructed.

The SSS algorithm is a secure way to distribute secrets because stealing or guessing a share is very difficult. Even if an attacker steals one or more shares, they still cannot reconstruct the secret without the collaboration of other people who have the other shares or if they do not have a majority of shares.

SSS is used in a variety of applications, such as:

  • Data backup: SSS can be used to backup sensitive data so that it can be reconstructed if the original data is lost or corrupted.
  • Key management: SSS can be used to distribute cryptographic keys so that they can be used to encrypt and decrypt data.
  • Digital voting: SSS can be used to create a secure voting system where voters can cast their votes without revealing their identities.
  • Software distribution: SSS can be used to distribute software updates so that they can be verified by a quorum of users before being installed.

Why Shamir secret sharing is so powerful?

Shamir’s secret sharing is a powerful cryptographic tool that can be used to protect sensitive information. It is a versatile algorithm that can be used in a variety of applications.

  • The number of shares required to reconstruct the secret is called the threshold. The threshold can be any number greater than or equal to 2.
  • The shares can be distributed to any number of people. The shares do not need to be evenly distributed.
  • The shares can be stored in any way. The shares can be stored on paper, on a computer, or in any other form.
  • The shares can be destroyed at any time. The shares are useless on their own, so destroying them does not compromise the secret.

Shamir’s secret sharing is a secure and versatile cryptographic algorithm that can be used to protect sensitive information. It is a valuable tool for a variety of applications.

What is a Shamir Bitcoin backup?

A Shamir backup takes the concept of file splitting and applies it to Bitcoin seed phrase storage. The Shamir backup is a method for securely splitting a recovery seed while adding an element of redundancy. 

For example, with Shamir backup, it is possible to have a 3-of-5 recovery seed, where the user writes down five lists of recovery words and later needs only 3 to recover the wallet. Compared to a setup based on a single list, this adds more complexity for you to recompile and restore a wallet and, in turn, makes it harder for others to recover your wallet.

Shamir backups also allow room for mistakes; if, for example, you’re using a 3-of-5, you could lose up to two sets of keys and still restore your wallet. Shamir backups bring a multi-sig-like experience to single-key storage, but it does have certain limitations. 

Trezor – Shamir Backups Explained

I want to try our SSS backup today.

If you want to try out constructing a Shamir backup, the easiest way is to use a Trezor device which implements a version of Shamir secret sharing standardised by Trezor. 

Trezor SSS backups can be constructed as follows:

  • Shamir Backup lets you generate up to 16 recovery shares – sequences of 20 or 33 words. 
  • Single backup recovery seeds consist of 12, 18, or 24 words.
  • Shamir Backup uses a different word list to the BIP-39 recovery seeds, i.e., some of the words used in Shamir backup recovery shares are never used in single seed backups and vice-versa.

If you don’t have a Trezor, you can try using a Keystone or Cypher Rock hardware wallet, which also provides SSS support, along with a few software wallets and services like Vault12. 

FeatureSingle Seed (BIP39)Shamir Backup Seed
Word Length12, 18, or 24 words20 or 33 words
Number of Shares1 (Single Seed)1 to 16 (Multiple Shares)
Word ListBIP-39 Word ListSpecific Shamir Word List
Threshold for RecoveryAll words required (1/1)User-specified (e.g., 2/3, 3/5)
Distribution FlexibilityNone (Single copy)Loss tolerable up to the threshold
RedundancyNoneConfigurable (e.g., 2/3 allows 1 backup)
Susceptibility to Loss/TheftComplete loss if seed is lost/stolenConfigurable (e.g., 2/3 allows one backup)
Comparison between a single sig backup and a Shamir backup

I want to migrate to an SSS wallet.

There is no way to transfer your original recovery seed to a wallet using Shamir Backup, so you must find a compatible wallet, create a brand new seed phrase that uses Shamir and then move your funds on-chain to the new wallet. 

Ultimately, this is a lengthy and costly process and depends on how much you value the features SSS can bring. 

Drawbacks of a Shamir Backup

In Bitcoin, there are no perfect solutions; risk is only migrated, and trade-offs need to be considered. Shamir Secret Sharing might give you the look and feel of a multi-sig, but it gives you different security assumptions. 

Most threat models are better defended by multi-sig, mainly because multi-sig, you’re requesting different keys to sign from different devices.

SSS requires recombining private key shares on a specific device. This leaves the key exposed to malware or a malicious device user, which are usually the most critical threats to protect against. 

If you have a device guaranteed to be free of malware operated by a user guaranteed to be incorrupt, you could leave the private key there, and SSS would be redundant. If you’re using SSS and you’re only tied to one wallet or software provider, and you cannot migrate, you’re leaving yourself open to failed or malicious firmware updates. 

A possible solution to this is to combine SSS with an open source project called FROST

What are my alternatives?

If this all sounds too complicated to you and you still have a fear of self-custody, you can store your Bitcoin on an exchange or other third-party platform but remember you are trusting that these entities will keep your funds safe. While it is convenient, its not without risk and there have been many cases of exchanges being hacked or going insolvent and users losing their funds. 

The path to returning funds is long and litigious, and you might only get a portion back if you’re lucky. If this is a risk you’re willing to take, then by all means, but if you have a large sum of Bitcoin you can’t afford to lose access to at any moment, self-custody is your only option. 

This is why Bitcoiners need to practice self-custody, become familiar with the ins and outs, how to recover funds, how best to store your wallets and do routine security checks to ensure your setup is as robust as it can be.

Alternatively, if you want to self custody but feel single signature wallets are not enough for you, you can move to a multi-sig quorum; this can be a set of keys you manage yourself using different devices, or you could bring in a 3rd party into your federation of key holders. 


Do your own research.

If you want to learn more about Shamir keys, use this article as a jumping-off point and don’t trust what we say as the final say. Take the time to research, check out their official resources below or review other articles and videos tackling the topic.

Disclaimer: This article should not be taken as, and is not intended to provide any investment advice. It is for educational and entertainment purposes only. As of the time posting, the writers may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency, as all investments contain risk. All opinions expressed in these articles are my own and are in no way a reflection of the opinions of The Bitcoin Manual

Leave a Reply

Related articles

You may also be interested in

Strata explained

What Is Strata?

It’s about that time of the cycle when everyone and their Uber driver begins to pay attention to Bitcoin, and with more eyes on the

Cookie policy
We use our own and third party cookies to allow us to understand how the site is used and to support our marketing campaigns.