{
    "slug": "secret_sharing",
    "term": "Secret Sharing — Shamir's Scheme",
    "category": "cryptography",
    "difficulty": "advanced",
    "short": "Splitting a secret into N shares where any K can reconstruct it — preventing single points of failure for root encryption keys and disaster recovery credentials.",
    "long": "Shamir's Secret Sharing (1979) splits a secret S into N shares using polynomial interpolation — any K shares reconstruct S; K-1 shares reveal nothing (information-theoretic security). Use cases: root CA private keys (3-of-5 ceremony), disaster recovery keys (2-of-3: company safe + lawyer + escrow), cryptocurrency wallet seeds, HSM master keys. AWS CloudHSM and HashiCorp Vault implement secret sharing for key material ceremonies.",
    "aliases": [
        "Shamir secret sharing",
        "K-of-N",
        "threshold cryptography",
        "secret splitting"
    ],
    "tags": [
        "cryptography",
        "security",
        "reliability"
    ],
    "misconception": "Encrypting the secret with multiple keys is equivalent to secret sharing — multiple encryption requires each key individually; Shamir's is information-theoretically secure: K-1 shares reveal mathematically zero information about the secret.",
    "why_it_matters": "A root encryption key stored in one location is a single point of failure — Shamir's distributes it so no single person or location holds enough information to reconstruct it alone.",
    "common_mistakes": [
        "Threshold K too low (1-of-N) — defeats the purpose",
        "All shares stored in the same location or with the same person",
        "Not testing reconstruction before destroying the original",
        "Using secret sharing for routine operations — it is for disaster recovery, not daily use"
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "encryption_at_rest",
        "post_quantum_cryptography",
        "key_management"
    ],
    "prerequisites": [
        "symmetric_encryption",
        "key_management",
        "secrets_management"
    ],
    "refs": [
        "https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing"
    ],
    "bad_code": "// Single root key — single point of failure:\n$rootKey = file_get_contents('/etc/app/root.key');\n// Compromised: all encrypted data exposed\n// Lost: all encrypted data permanently unrecoverable",
    "good_code": "// Shamir's 3-of-5 distribution:\n// SecretSharing stands in for whichever Shamir library you use; it is not a PHP built-in.\n$shares = SecretSharing::split($rootKey, shares: 5, threshold: 3);\n// Share 1: CTO (sealed envelope in office safe)\n// Share 2: Company lawyer (offsite)\n// Share 3: Company safe (separate location)\n// Share 4: Escrow service\n// Share 5: Backup HSM\n// Any 3 parties must cooperate to reconstruct — no single point of failure",
    "quick_fix": "Use Shamir's Secret Sharing when a secret (master key, recovery code) must be held by multiple parties: split it into N shares so that any K shares reconstruct the secret and no single holder's share is enough to recover it.",
    "severity": "info",
    "effort": "high",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/secret_sharing",
        "html_url": "https://codeclaritylab.com/glossary/secret_sharing",
        "json_url": "https://codeclaritylab.com/glossary/secret_sharing.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Secret Sharing — Shamir's Scheme](https://codeclaritylab.com/glossary/secret_sharing) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/secret_sharing"
            }
        }
    }
}