52 min read

Nobody Broke Shamir: A Field Guide to Secret Sharing and Threshold Cryptography

Shamir 1979 splits a secret so any t-of-n rebuild it and t-1 learn nothing. The perfect-secrecy core never broke; every failure was in the machinery around it.

Permalink

1. Split the Key So No One Holds It

You want any 3 of your 5 executives to open the company's root-key vault, and you want any 2 of them -- colluding, or a thief who has picked two pockets -- to learn nothing. Not "a little less." Not "a third of the key." Nothing at all, forever, against an adversary with a quantum computer and all the time until the heat death of the universe.

That sounds impossible, or at least like it should demand a very strong assumption. Adi Shamir solved it completely in 1979, on two-thirds of a page, with nothing but a random polynomial -- and no one has broken it since [1].

Here is the whole idea, and every later section is a variation on it. Pick a random curve -- a polynomial f of degree t-1 -- whose value at zero is the secret, so f(0) = s. Hand holder i the single point (i, f(i)). Shares use indices i = 1, 2, 3, ..., never i = 0. The point at x = 0 is f(0) = s, the secret itself, so handing out the zeroth point would hand over everything. Any t holders can pool their points and reconstruct the curve by Lagrange interpolation, then read off f(0) = s. Any t-1 holders have one point too few, and that gap is total.

Threshold secret sharing (t,n)

A method that splits a secret s into n shares so any t of them reconstruct s, while any t-1 reveal nothing about it. It is not encryption: there is no key to store and no computational assumption to break.

Why total? This is the part almost no one is shown. Fix any t-1 shares and guess a candidate secret s' -- any value you like. Exactly one degree-t-1 curve runs through your t-1 points and also through (0, s'), because t points pin a degree-t-1 polynomial uniquely. Every candidate secret is equally consistent with what you hold, so the secret's conditional distribution given t-1 shares stays perfectly uniform: you have learned zero bits, not "a few" [1].

This is a counting fact about polynomials over a finite field, not a hardness assumption a faster machine could someday overturn. Part 1 of this series drew the line between information-theoretic and computational security; plain Shamir sits firmly, and permanently, on the information-theoretic side.

Below the threshold, leakage is not small -- it is exactly zero. For every candidate secret there is precisely one degree-t-1 curve consistent with the t-1 shares an attacker holds, so the secret's conditional distribution stays uniform. No amount of computation, now or ever, narrows it down.

Ctrl + scroll to zoom
Shamir dealing and reconstruction: the dealer draws one random curve through the secret, hands out points, and any t of them pin the curve back to f(0).

The scheme is short enough to run in your head, and short enough to run in a browser. Here it is over a small prime field, drawing its coefficients from a cryptographically secure generator -- the one rule that, broken, has caused more real-world Shamir failures than everything else combined.

JavaScript Shamir split and reconstruct over a small prime field (pedagogical)
// Pedagogical Shamir over GF(p). NOT production: real code uses a large prime
// and constant-time field arithmetic. Here p is tiny so the numbers stay readable.
const p = 2087;
const mod = (a) => ((a % p) + p) % p;
const modpow = (b, e) => { let r = 1; b = mod(b); while (e > 0) { if (e & 1) r = mod(r * b); b = mod(b * b); e >>= 1; } return r; };
const inv = (a) => modpow(a, p - 2); // Fermat inverse, valid because p is prime
const rand = () => { const x = new Uint32Array(1); crypto.getRandomValues(x); return mod(x[0]); };

function split(secret, t, n) {
const coeffs = [mod(secret)];          // a_0 is the secret
for (let j = 1; j < t; j++) coeffs.push(rand()); // a_1 through a_(t-1) from a CSPRNG
const f = (x) => coeffs.reduce((acc, c, j) => mod(acc + c * modpow(x, j)), 0);
const shares = [];
for (let i = 1; i <= n; i++) shares.push([i, f(i)]); // hand out (i, f(i)), never (0, s)
return shares;
}

function reconstruct(shares) {           // Lagrange interpolation evaluated at x = 0
let s = 0;
for (let i = 0; i < shares.length; i++) {
  let num = 1, den = 1;
  for (let k = 0; k < shares.length; k++) {
    if (k === i) continue;
    num = mod(num * (0 - shares[k][0]));
    den = mod(den * (shares[i][0] - shares[k][0]));
  }
  s = mod(s + shares[i][1] * mod(num * inv(den)));
}
return s;
}

const shares = split(1234, 3, 5);        // 3-of-5 sharing of the secret 1234
console.log('any 3 shares  ->', reconstruct(shares.slice(0, 3)));
console.log('a different 3 ->', reconstruct([shares[1], shares[3], shares[4]]));
console.log('only 2 shares ->', reconstruct(shares.slice(0, 2)), '(a line through 2 points, not the curve)');

Press Run to execute.

That two-line scheme is not a museum piece. It is the seal on HashiCorp Vault, whose default configuration splits the unseal key into five shares and requires three to bring the server back [4, 5]. It is the SLIP-39 backup behind Trezor hardware wallets, engineered to survive a house fire, its recovery secret split into mnemonic word-lists kept in separate places [6]. And it underlies the key-generation step of RFC 9591, the June 2024 standard for FROST threshold signatures, in which an Ed25519 or Bitcoin signing key is Shamir-shared and no single machine ever holds it whole [3].

So as you read, keep three diagnostic questions in hand, because the whole field is the story of answering them: (1) Did the dealer who drew the curve cheat? (2) Is the secret ever reassembled in one place? (3) Will the shares outlive an adversary who keeps coming back? Hold one invariant alongside them, and let it be the promise this article keeps: the point never breaks -- watch the machinery. The title rhymes with Part 18, "Nobody Broke the Discrete Log," on purpose.

If the math is this final, why is this Part 22 of a field guide and not a footnote? Because the moment anyone wanted the primitive to do more -- catch a lying dealer, run with no dealer, stay alive for years, sign without ever reassembling the key -- they bolted machinery around the point. That machinery is where every real-world disaster you have heard of actually happened. To see how, we start where it started: two people, in the same year.

2. Two People, One Year, Two Ways to Hide a Point

In 1979 two researchers, working apart, answered the same question in the same year. Which one you have heard of tells you which idea won, and why.

Adi Shamir published "How to Share a Secret" in the November 1979 Communications of the ACM, on barely a page, motivated by exactly the executives-and-a-safe framing from the last section [1]. Two properties made his the construction people built on. It is ideal: each share is one field element, exactly the size of the secret and no larger. And it is extensible: because a share is just the curve at a new index, you can mint fresh shares for new holders at any time without disturbing anyone's existing share, and pick any threshold t up to n at deal time.

Those are not aesthetic niceties. They are why the scheme survived into production systems that add and retire shareholders for decades.

Ideal secret-sharing scheme

A scheme in which each share is exactly the size of the secret, meeting the information-theoretic lower bound on share size. Shamir's scheme is ideal; Blakley's geometric scheme is not, because its shares are larger than the secret.

The same year, George Blakley published "Safeguarding Cryptographic Keys" at the AFIPS National Computer Conference with a completely different mental picture [7]. Blakley's secret is a point in t-dimensional space, and each share is one hyperplane passing through it. Any t of the hyperplanes intersect in exactly that point, while t-1 of them intersect in a whole line of candidates that pins nothing down [8]. Blakley's shares are each an entire hyperplane -- larger than the secret, a storage rate of 1/t rather than Shamir's 1. That non-ideal size, not any weakness in security, is the main reason polynomial sharing rather than geometry became the default [8]. The geometry is correct and it is elegant, but in cryptography, size is destiny, and the ideal scheme is the one that spread.

Two years later, Robert McEliece and Dilip Sarwate added the observation that quietly armed the field for the next four decades: Shamir's shares are exactly the codewords of a Reed-Solomon code [9]. That single sentence connected secret sharing to coding theory. The coding-theory bridge is not a curiosity. A Reed-Solomon decoder corrects up to floor((n-t)/2) wrong shares, so reconstructing correctly against t active cheaters needs n >= 3t+1 -- a fact Section 9 leans on. The weaker n >= 2t+1 only buys an honest majority: enough to detect tampering, not to decode through it. With it came error-correcting decoders that can rebuild the right secret even when some of the shares handed in are corrupted -- exactly the machinery a later section needs when we meet cheaters at reconstruction time.

Ctrl + scroll to zoom
The field in one timeline: the primitive settles in 1979-1981, then two decades of layered defenses, then the deployed threshold-signature era and its breaks.

By the early 1980s the primitive was settled. Charles Asmuth and John Bloom added a third independent route in 1983, using the Chinese Remainder Theorem -- shares as residues modulo a chain of coprime numbers -- proving once more that thresholds were a natural idea with several natural constructions, not one lucky trick [10]. Together, Shamir, Blakley, and Asmuth-Bloom had defined the problem and answered it: distribute trust with a hard threshold, and prove that t-1 shares reveal nothing.

The primitive settled fast and settled hard. But a proof about polynomials quietly assumes the person drawing the polynomial is honest and competent, and that everyone who later shows up to reconstruct is honest too. Neither assumption survives contact with an adversary. The first cracks were never in the math. They were in what the math took for granted.

3. What Plain Sharing Could Not Yet Do

Plain Shamir silently trusts two parties it should not, and it pays a price the math forces on it. Three gaps, and none of them is a crack in the secrecy proof.

The dealer. The whole scheme rests on the dealer drawing one real polynomial and handing out consistent points on it. Nothing stops a malicious dealer from doing otherwise. A dealer who hands holders points that do not all lie on a single degree-t-1 curve can arrange for one quorum to reconstruct one secret and a different quorum to reconstruct a different secret -- and plain Shamir gives the holders no way to notice. Worse, a rushing dealer can wait to see challenges or other messages before committing to what it sends, tailoring its cheating to whatever it has already learned.

Rushing adversary

An adversary who waits to see the honest parties' messages in a communication round before choosing its own -- for example, to hand out shares inconsistent with what it already sent, or to skew a later protocol in its favor.

This exact gap is what Benny Chor, Shafi Goldwasser, Silvio Micali, and Baruch Awerbuch named in 1985 when they coined verifiable secret sharing -- machinery to catch a cheating dealer -- which the next section builds out in full [11].

The reconstructor. Suppose the dealer was honest. At reconstruction the holders pool their shares -- and a single dishonest holder can poison the well. Martin Tompa and Heather Woll showed in 1988 that a participant who submits one wrong share makes everyone else reconstruct a wrong secret, while the cheater, who alone knows the true share, privately computes the real one [12]. The honest majority walks away confidently holding garbage; the cheater walks away with the key.

This is where the coding-theory bridge earns its keep: treating shares as Reed-Solomon codewords lets an authenticated, error-correcting reconstruction detect and route around wrong shares instead of trusting them blindly [9].

The size wall. The third gap is not about honesty at all -- it is a law of information. In any perfect secret-sharing scheme, every share must be at least as large as the secret itself. Ehud Karnin, Jonathan Greene, and Martin Hellman proved this lower bound in 1983, and Shamir's scheme meets it exactly, which is what "ideal" means [13]. So you cannot perfectly share a one-gigabyte file into shares smaller than a gigabyte each. This is the first appearance of a trade the math forces everywhere in this field: you can have perfect secrecy or short shares, but not both. Section 9 states the lower bound precisely; the escape hatch below buys small shares only by trading unconditional secrecy for computational secrecy.

Hugo Krawczyk's 1993 "Secret Sharing Made Short" escapes the wall by giving up the unconditional guarantee: encrypt the secret under a fresh random key, Shamir-share only the short key, and disperse the ciphertext with Rabin's Information Dispersal Algorithm so each holder stores roughly a 1/t slice [14, 15]. The result is small shares -- at the price of dropping from information-theoretic to computational security, exactly the distinction Part 1 drew.

You can watch the perfect-secrecy claim hold in a few lines. Fix everything an attacker below threshold could have -- here, a single share of a 2-of-n scheme -- and count how many candidate secrets remain possible.

JavaScript Below threshold, every candidate secret is still possible (perfect secrecy)
const p = 13; // a tiny prime field, small enough to enumerate every candidate
const mod = (a) => ((a % p) + p) % p;
const inv = (a) => { for (let k = 1; k < p; k++) if (mod(a * k) === 1) return k; };

// A 2-of-n scheme: the curve is a line f(x) = s + a1 * x. We hold ONE share (x1, y1).
const x1 = 1, y1 = 7;

// For every candidate secret s, is there a degree-1 curve through (0, s) and (x1, y1)?
let consistent = 0;
for (let s = 0; s < p; s++) {
const a1 = mod((y1 - s) * inv(x1)); // the unique slope making f(0)=s and f(x1)=y1
const f = (x) => mod(s + a1 * x);
if (f(0) === s && f(x1) === y1) consistent++;
}
console.log('candidate secrets in the field:', p);
console.log('candidates still consistent with our 1 share:', consistent);
console.log('information gained about the secret:', consistent === p ? 'none -- every secret remains possible' : 'some');

Press Run to execute.

Three gaps, and each names a defense. The first two decades after 1979 are the story of building those defenses -- and of a hard truth waiting inside them: you cannot have perfect secrecy and short shares, and, as the next section shows, you cannot have perfect hiding and perfect binding either. The point never moves. The machinery around it is a sequence of honest trade-offs.

4. Layering Verifiability, Longevity, and Dealerlessness onto a Curve That Never Moves

For the next twenty years the picture never changes -- it only gains armor. This is the place to state the rule that governs the whole field, because it is the one experts see violated most often. Progress here runs along two different axes, and conflating them is the classic mistake. On the property axis, nothing ever supersedes Shamir: each generation bolts a new capability onto the same unmoved point, and plain (t,n) sharing stays the ideal, unbroken base underneath every one of them.

Genuine "X replaced Y" supersession happens only one layer up, among the protocols that deliver those capabilities -- and each time it does, this article says so out loud. Keep the two axes apart and the history reads cleanly. Blur them and you will say something false, like "Shamir was replaced," which never happened.

Ctrl + scroll to zoom
One unmoved point, four stacked defenses. Read bottom to top: each layer adds a capability, and plain Shamir stays the foundation of all of them.

Verifiability: did the dealer cheat?

Verifiable secret sharing (VSS)

Machinery that lets shareholders confirm their shares all lie on one degree-t-1 polynomial the dealer publicly committed to -- catching a cheating dealer -- without anyone learning the secret.

Chor, Goldwasser, Micali, and Awerbuch defined VSS in 1985, realized with an interactive protocol among dealer and holders [11]. Two years later Paul Feldman made it non-interactive and, therefore, deployable [16]. The idea is clean. The dealer publishes a commitment to each coefficient of the secret polynomial, Cj=gajC_j = g^{a_j}, in a group where discrete logs are hard. Any holder checks its share against the commitments with one equation:

gf(i)=j=0t1Cj(ij).g^{f(i)} = \prod_{j=0}^{t-1} C_j^{(i^j)}.

If the check passes, share i provably lies on the one polynomial the dealer committed to; a dealer who hands out inconsistent shares is caught in public, by anyone, in one round. Part 21 of this series develops this as commitments and sigma protocols; we reuse it here rather than rebuild it, and its security rests on the discrete-log hardness of Part 18.

There is a tax, and it is the single most important caveat in this article. The zeroth commitment is C0=ga0=gsC_0 = g^{a_0} = g^s. That value leaks. To a normal, computationally bounded observer, g^s hides s behind a discrete log. But to an unbounded adversary -- the one that "information-theoretic" secrecy is defined against -- g^s reveals s outright, because that adversary can simply take the logarithm. So Feldman VSS's hiding is only computational. The moment you commit with g^s, you have left the information-theoretic world.

Torben Pedersen fixed the hiding in 1991 by committing with two independent generators, Cj=gajhbjC_j = g^{a_j} h^{b_j}, blinding each coefficient with a second random polynomial [17]. Now the commitment is perfectly hiding: the blinding term makes every candidate value equally consistent, so even an unbounded adversary learns nothing. The price is that binding drops to computational -- someone who knew the discrete log of h to the base g could open a commitment two ways. That is the seesaw, and it is not an accident of engineering.

The choice between them is a genuine trade, not a ranking:

PropertyFeldman VSS (1987)Pedersen VSS (1991)
Commitmentg^{a_j}g^{a_j} h^{b_j}
HidingComputational (leaks g^s)Perfect / information-theoretic
BindingPerfectComputational (under discrete log)
Extra costone generatorsecond generator, second polynomial
Use wheng^s becomes a public key anywaythe committed value must stay hidden

Longevity: will the shares outlive a mobile adversary?

Proactive secret sharing

Refreshing every share each epoch -- by re-sharing zero and adding it in -- so the secret is unchanged but every old share becomes useless, defeating an adversary that collects shares slowly over time.

A static (t,n) split has a slow-motion weakness. An attacker who steals share 1 in January, share 2 in March, and one more each month eventually holds t of them, and the split is broken -- not by any cryptographic advance, just by patience. This slow collector is called a mobile adversary: it compromises different machines at different times, never all at once, and accumulates shares across months or years. Proactive refresh is the answer designed specifically for it. Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung closed this in 1995 [18].

Each epoch, every party deals a fresh zero-sharing -- a random degree-t-1 polynomial whose constant term is 0 -- and everyone adds the new sub-shares into their existing shares. Because every added curve passes through (0, 0), the sum still interpolates to the same f(0) = s; but the new share values are statistically independent of the old ones, so a share stolen last epoch is now noise. The attacker must gather t shares within a single epoch, and perpetual slow leakage no longer adds up.

Ctrl + scroll to zoom
Proactive refresh at an epoch boundary: each party re-shares zero, everyone adds the sub-shares in, the secret is unchanged, and every share from the previous epoch becomes useless.

Dealerlessness: must there be a dealer at all?

Distributed key generation (DKG)

A protocol that produces a shared key with no trusted dealer: each party verifiably shares a random contribution, and the group key is the sum -- a value no single party ever learns.

VSS catches a lying dealer, but a dealer still exists and still knows the secret. Pedersen's second 1991 paper removed the dealer entirely: each party acts as a sub-dealer, VSS-sharing a random contribution z_i, and the group secret is the sum s = z_1 + ... + z_n, with the public key the product of the individual public values [19]. No one ever knows s; the key is born distributed.

The obvious version of this is subtly broken, and the break is instructive. In 1999 Gennaro, Jarecki, Krawczyk, and Rabin proved that the naive Pedersen-DKG is biasable [20]. A rushing adversary waits until it has seen the honest parties' committed contributions, then selectively completes or aborts its own contribution depending on which choice nudges the resulting public key the way it wants.

The output key is no longer uniformly random, which is exploitable anywhere the key's distribution matters. Their fix adds a commit-then-reveal phase that pins every party's contribution before any public-key information is revealed, restoring a provably unbiased, resilient key.

The "obvious" dealerless key generation is subtly broken: a rushing adversary, after watching the honest parties commit, can complete or abort its own contribution to bias the public key away from uniform. "Use GJKR, not naive Pedersen-DKG" has been a standing deployment rule ever since.

Notice what these three generations did and did not do. On the property axis, each added a layer -- verifiability, longevity, dealerlessness -- to the same point Shamir drew in 1979; none replaced it. On the protocol axis, there were two real supersessions, and they are worth naming precisely: interactive VSS gave way to Feldman's non-interactive VSS, and naive Pedersen-DKG gave way to GJKR [16, 20]. Blakley's geometry and Asmuth-Bloom's modular scheme are neither -- they are contemporaneous alternatives to Shamir, not ancestors or descendants of any of this [7, 10].

GenerationKey ideaProperty addedWhat it still leaves open
Plain Shamir (1979)random curve, f(0) = shard threshold, perfect secrecydishonest dealer, longevity, the dealer's existence, use-without-reassembly
VSS (1985-1991)commit to the curvecatch a cheating dealerdealer still exists and knows s; shares still static
Proactive SS (1995)re-share zero each epochsurvive a mobile adversarystill needs a dealer at setup
DKG (1991-1999)every party sub-deals; key is the sumno trusted dealerthe key is still only stored, never used
Threshold signaturesLagrange-to-additive at signinguse the key without assembling itthe deployment layer -- Section 5

We can now catch a lying dealer, run with no dealer at all, and keep a key alive for years. But everything so far is still storage. To actually use a shared key you have had to put it back together in one place -- and that reassembly is the single most dangerous moment in the whole system. The breakthrough is the trick that deletes that moment.

5. Threshold Signatures: Using the Point Without Ever Assembling It

The eureka here was not a moment; it was a mechanism, and it arrived late. For two decades secret sharing was a storage-and-recovery trick: split the key, keep it safe, put it back together when you need it. Then someone noticed you can use the key without ever reconstructing it.

The conceptual leap belongs to Yvo Desmedt, whose 1987 "society and group oriented cryptography" proposed distributing a cryptographic capability across a group rather than merely storing a shared secret, and to Desmedt and Frankel's 1989 "Threshold Cryptosystems," which split a private key so a quorum can sign or decrypt without ever assembling it [21, 22]. For years it stayed largely theoretical. What made it practical is a small, exact piece of algebra worth slowing down for.

Recall how reconstruction works: the secret is a Lagrange combination of the shares, s=iSλif(i)s = \sum_{i \in S} \lambda_i\, f(i), where the coefficient λi=jS,jijji\lambda_i = \prod_{j \in S,\, j \neq i} \frac{j}{j - i} depends only on which signers showed up, the active set S. The naive reader sums those products and gets s. The threshold-signature reader does not.

Instead, each active signer keeps its own term private -- wi=λif(i)w_i = \lambda_i\, f(i) -- and treats w_i as its personal, additive piece of the key inside the signing computation. The pieces still satisfy iSwi=s\sum_{i \in S} w_i = s, so the group signs as if it held the key, yet s is never formed anywhere. The reassembly step, the one dangerous moment, simply never happens.

At signing time each active signer multiplies its (t,n) Shamir share by a Lagrange coefficient to obtain an additive share of the key. The additive shares sum to the key -- so a quorum can sign as though it held the key, while the key is never assembled on any machine. There is no reconstruction moment to attack.

JavaScript Lagrange-to-additive: convert Shamir shares to additive shares that sum to the key -- without ever forming it
const p = 2087;
const mod = (a) => ((a % p) + p) % p;
const modpow = (b, e) => { let r = 1; b = mod(b); while (e > 0) { if (e & 1) r = mod(r * b); b = mod(b * b); e >>= 1; } return r; };
const inv = (a) => modpow(a, p - 2);
const rand = () => { const x = new Uint32Array(1); crypto.getRandomValues(x); return mod(x[0]); };

// Deal a 3-of-5 sharing of a signing key.
const secret = 1234, t = 3;
const coeffs = [secret]; for (let j = 1; j < t; j++) coeffs.push(rand());
const f = (x) => coeffs.reduce((acc, c, j) => mod(acc + c * modpow(x, j)), 0);
const shares = [1, 2, 3, 4, 5].map((i) => [i, f(i)]);

// A quorum of exactly 3 signers shows up; their indices form the active set S.
const S = [shares[0], shares[2], shares[4]].map((sh) => sh[0]); // indices 1, 3, 5
const held = Object.fromEntries(shares.map((sh) => [sh[0], sh[1]]));

function lambda(i, S) {            // Lagrange coefficient for index i over S, evaluated at 0
let num = 1, den = 1;
for (const j of S) if (j !== i) { num = mod(num * (0 - j)); den = mod(den * (i - j)); }
return mod(num * inv(den));
}

// Each signer privately turns its Shamir share into an additive share w_i = lambda_i * f(i).
const additive = S.map((i) => mod(lambda(i, S) * held[i]));
const sum = additive.reduce((a, b) => mod(a + b), 0);
console.log('active signer set S    =', S);
console.log('private additive shares =', additive);
console.log('their sum               =', sum, '(the key -- yet f was never reassembled)');

Press Run to execute.

Threshold signature

A signature produced by a quorum of t share-holders that verifies as an ordinary single-signer signature, while the signing key is never reconstructed.

The clean, standardized instance of this is FROST -- Flexible Round-Optimized Schnorr Threshold signatures -- introduced by Chelsea Komlo and Ian Goldberg in 2020 and standardized as RFC 9591 by the IRTF in June 2024 [23, 3]. FROST signs in two rounds: each signer first publishes a one-time nonce commitment, then, after seeing the commitments and the message, emits a signature share that a coordinator aggregates [3]. The first round is message-independent and can be precomputed, giving a one-round online phase.

The output is an ordinary Schnorr signature -- the same object Part 17 covered for a single signer, only now the signer is split -- verifiable by anyone with the standard verifier, on any of five standardized ciphersuites (Ed25519, ristretto255, Ed448, P-256, and secp256k1) [3]. Its per-signer cost is a handful of group exponentiations, with no heavy public-key machinery, and it leans on exactly the Schnorr and Fiat-Shamir constructions Part 21 develops.

Ctrl + scroll to zoom
FROST signing: after a DKG setup, signers publish nonce commitments (round 1), then signature shares (round 2), and a coordinator aggregates them into one ordinary Schnorr signature. The key is never assembled.

The most telling detail is where FROST gets its keys. Its own key generation is Shamir secret sharing plus verifiable secret sharing -- the primitive of Section 1 and the VSS of Section 4, sitting explicitly at the core of the first standardized threshold signature.

In RFC 9591's own construction, the group signing key s is Shamir secret-shared among the participants: each signer's key sk_i is f(i) on a secret polynomial of degree one below the threshold, with s = f(0). The first standardized threshold signature puts secret sharing explicitly at its foundation [3].

Schnorr is the easy case because it is linear. ECDSA is the hard cousin, and it matters because Bitcoin's legacy addresses, Ethereum, and most custody APIs demand an ECDSA signature. ECDSA computes s=k1(H(m)+rx)s = k^{-1}\left(H(m) + r\,x\right), which multiplies two secret-shared quantities -- the nonce inverse k^{-1} and the key x -- and then inverts one of them. Multiplication does not distribute over Shamir shares the way addition does, so threshold ECDSA must wrap the shares in heavier multiparty computation, using either Paillier homomorphic encryption or oblivious transfer. Paillier is an additively homomorphic encryption scheme: you can add two encrypted numbers without decrypting either, which is how GG18 and GG20 multiply secret-shared values.

Its deployed lineage is the clearest example of genuine protocol supersession in this whole story: Lindell's 2017 two-party scheme, then GG18 for full multiparty signing with a trustless setup -- alongside Lindell and Nof's contemporaneous multiparty ECDSA with a practical distributed key generation aimed squarely at cryptocurrency custody -- then GG20 adding identifiable abort and a one-round online phase, then DKLs23 replacing Paillier with oblivious transfer entirely [24, 25, 26, 27, 28]. This lineage is what makes MPC-wallet custody work on legacy chains -- and, as the next section shows, it is where the money actually leaked.

Two more instances round out the family and get only a pointer here, by design: Victor Shoup's practical threshold RSA in 2000 -- the RSA trapdoor of Part 14, split -- and Alexandra Boldyreva's threshold BLS in 2003, whose signatures aggregate trivially [29, 30]. The common shape across all of them is the spine made operational: a DKG draws the key with no dealer, the shares are never assembled, and Lagrange-at-signing turns them into a usable capability. It is the same "useful service, held by no one" idea behind the distributed oblivious PRFs of Part 20.

So the key never exists in one place; there is no reconstruction moment to steal. And yet MPC wallets and threshold-signing libraries have leaked millions of dollars of private keys. If the point never breaks and the key is never assembled, what exactly failed? The answer is the whole point of this article, and it has a name.

6. Every Break, Named -- and Not One of Them Was Shamir

Here is the promise this section keeps. The information-theoretic core has never broken and provably cannot, so every entry below is a break in the machinery around the point. Read it that way and a pattern jumps out: the attack surface is always the plumbing, never the split.

Construction and implementation. The most common real-world break has nothing to do with dealers or protocols; it is a bad random number generator. If the coefficients of the secret polynomial come from a predictable source -- rand(), the clock, a process ID -- then the "random curve" is guessable, and an attacker who can reproduce the pen can reconstruct the secret from too few shares. This is the same failure class Part 2 of this series is entirely about, and it is the single most frequent way real Shamir code leaks.

Right behind it are two side channels: a non-constant-time Lagrange interpolation whose branch and timing behavior leaks share bytes, exactly the discipline Part 15 insists on for curve code; and missing share authentication, which lets a Tompa-Woll cheater submit one wrong share, corrupt everyone else's output, and privately keep the true secret [12]. Two more belong here: a secret larger than the field, and a polynomial reused across two secrets -- either one breaks secrecy outright, and neither is a flaw in the scheme, only in its operation.

Dealer and verifiability. A dealer with no VSS is invisible when it cheats: a rushing or equivocating dealer hands out shares that do not lie on one curve, reconstructing different secrets for different quorums, and plain Shamir offers no way to notice -- which is the entire reason VSS exists. And a subtler failure is a labeling one: shipping a Feldman-VSS'd or DKG'd system while calling it "information-theoretic." The commitment g^s leaks the secret to an unbounded adversary, so the guarantee is computational; selling it as unconditional misstates the very adversary the system can survive.

Protocol integration -- the flagship. In 2023, Verichains (as TSSHOCK) and Fireblocks (as BitForge) disclosed CVE-2023-33241: widely used GG18 and GG20 threshold-ECDSA implementations, in the tss-lib family, had omitted the zero-knowledge proofs that a co-signer's Paillier modulus is well-formed, along with the associated range proofs [2, 31, 32]. A malicious co-signer who supplied a malformed Paillier modulus could then extract the victim's key share over the course of the signing protocol; Fireblocks demonstrated recovery of a full private key from an affected wallet over as few as sixteen signatures [32].

Sit with what this was and was not. It was a missing check in the Paillier multiplication machinery that threshold ECDSA bolts around the shares. It was not, in any sense, a break of Shamir -- the secret sharing underneath was never the thing attacked.

The real-world tail arrived in 2026. THORChain reported that a malicious newly-churned node exploited an unpatched GG20 fork to drain roughly $10.7 million from one of its five vaults [33]. Here the sourcing discipline matters as much as the fact. THORChain's own Exploit Report #1 confirms the incident facts -- the date, the roughly $10.7 million, the GG20 fork, the churned node -- but explicitly calls the root-cause analysis "still ongoing," and does not itself name TSSHOCK [33]. The attribution to an unpatched, TSSHOCK-class missing-Paillier-proof fork is secondary, from QuillAudits and Cointelegraph [34, 35]. Treat it as the likely cause, not a settled one. The incident facts are first-party and clear; the specific root cause is secondary-attributed and, by THORChain's own account, not yet final [33, 34, 35]. Both readings obey the invariant either way: whatever the exact bug, Shamir's secrecy was never the thing that failed.

Ctrl + scroll to zoom
Where the breaks live. The Shamir point at the center is untouched by every named failure; each break sits in a machinery layer bolted around it.

The whole catalog fits in one table, and the pattern is the point of it:

BreakClassRoot causeLesson
Weak-RNG coefficientsImplementationpolynomial drawn from rand(), clock, or PIDdraw coefficients from a CSPRNG
Non-constant-time LagrangeImplementationtiming and branch leaks during interpolationinterpolate in constant time
Unauthenticated sharesImplementationa wrong share corrupts output; cheater keeps the secretauthenticate every share
Oversized or reused secretImplementationsecret exceeds the field, or a polynomial is reusedone fresh polynomial per secret; keep it in-field
No-VSS rushing dealerDealerinconsistent shares, undetectable without commitmentsadd VSS when the dealer is not fully trusted
"Information-theoretic" mislabelLabelingFeldman or DKG deployment sold as unconditionalreserve the term for plain Shamir
TSSHOCK / BitForge (CVE-2023-33241)Protocol integrationGG18/GG20 omitted Paillier and range proofsship the post-TSSHOCK checks or do not ship
THORChain 2026Deploymentunpatched GG20 fork exploited by a churned nodepatch, and prefer Paillier-free protocols

Nobody broke Shamir. The perfect-secrecy math has held since 1979 and cannot be broken by any computer that will ever exist. Every deployment that fell, fell in the layers it added -- to make the point verifiable, dealerless, long-lived, and signable.

Read the list once more with an eye on the invariant: a predictable pen, a leaky reconstruction, an unproven curve, a swapped share, a missing Paillier proof. Not one of them touched the secrecy of the split. This is the same lesson as Part 18, one layer deeper: nobody broke the primitive; deployments fell in the layers they added. So where does that machinery actually run today, and how do the pieces fit together in production?

7. Where the Substrate Actually Runs (2024-2026)

A forty-seven-year-old scheme is quietly load-bearing under a growing stack of custody, escrow, and signing systems -- and, exactly as the invariant predicts, all the recent action is in the layers on top.

The canonical break-glass deployment is HashiCorp Vault, which splits its master unseal key with Shamir and, by default, hands out five shares and requires three to unseal, configured through vault operator init with -key-shares and -key-threshold [4, 5]. Vault's default of five shares with a threshold of three is worth memorizing as the canonical break-glass numbers: no single operator can unseal the server, but any three of five can [4].

On the consumer side, SLIP-39 -- SatoshiLabs' "Shamir's Secret-Sharing for Mnemonic Codes," used by Trezor -- splits a wallet master secret into human-transcribable mnemonic word-lists, using a two-level group scheme over the byte field GF(256) GF(256) is the 256-element byte field, so every share value lands on a byte and maps cleanly onto human-transcribable mnemonic words. with authenticated share words so a mistyped share is caught rather than silently reconstructing garbage [6]. Both are reconstruct-once systems: the key is reassembled at exactly one recovery moment.

The opposite philosophy runs at scale in production MPC custody. Exchanges and custodians sign with GG20-, DKLs-, and FROST-based threshold protocols in which the private key is never reconstructed -- the disclosures around the BitForge class came out of exactly this world, and the DKLs family is maintained specifically for it [32, 36]. Alongside them, FROST is moving from standard to shipping code: RFC 9591 landed in June 2024, reference implementations such as the Zcash Foundation's frost and frost-ed25519 crates track it [37], and it is the natural fit for Bitcoin Taproot's secp256k1 Schnorr signatures [3].

Standardization is itself a state-of-the-art signal. NIST's Multi-Party Threshold Cryptography project and its First Call for Multi-Party Threshold Schemes are the center of gravity for turning this stack into interoperable standards [38, 39].

Where does the "leader" sit in all this? At the primitive level, nowhere is contested: plain Shamir is the settled, ideal, information-theoretic substrate, and there is no race to run there. Leadership is contested only one layer up, along the protocol-supersession axis -- FROST for Schnorr, the DKLs line for Paillier-free ECDSA -- exactly where the two-axis rule of Section 4 said it would be.

Two of those deployment philosophies now sit side by side, and marketing constantly blurs them: the wallet that reassembles the key exactly once, and the wallet that never assembles it at all. They rest on the same primitive and have opposite threat models.

Reconstruct-once backupNever-reconstruct MPC
ExamplesSLIP-39, HashiCorp VaultFROST, GG20, DKLs23
Is the key ever assembled?Yes, at one recovery momentNo, never
Primary threat to defendthe reconstruction eventsigner devices and protocol integration
Does it sign transactions?No -- it restores a keyYes -- it signs directly on the shares
Danger if the two are conflateda reassembly path smuggled into a "never assemble" designrelying on a quorum gathering that, by design, never happens

Choosing between these two -- and, underneath them, between FROST and threshold ECDSA, and between Feldman and Pedersen -- is where a practitioner earns their keep. That is a decision problem, so let us make it one.

8. The Decision Matrix

There is no single winner here, and anyone selling you one is selling you a mismatch. The right scheme falls out of the three diagnostic questions plus one deployment question: do you ever reconstruct the key, or never? Answer those and the rest is lookup.

The load-bearing distinction is reconstruct-or-never, because it fixes your entire threat model.

Ctrl + scroll to zoom
Which scheme should I use? The three diagnostic questions plus the reconstruct-or-never question as a single decision tree.

Once you are in signing territory, the choice is dictated by the signature your chain or API demands. FROST when a Schnorr or EdDSA signature is acceptable -- it is lighter, round-optimal, and standardized. Threshold ECDSA (GG20 or DKLs23) only when you must emit an ECDSA signature for a legacy chain, accepting the extra weight and the Paillier-proof surface that produced the TSSHOCK class.

FROSTGG18GG20DKLs23
Signature typeSchnorrECDSAECDSAECDSA
Online rounds2 (1 after preprocessing)multiple1 online (after preprocessing)3
Share multiplicationlinear, none neededPaillier + range proofsPaillier + range proofsoblivious transfer
Notable bug classnonce reuse, as any SchnorrTSSHOCK Paillier checksTSSHOCK Paillier checksavoids Paillier entirely
Standardized?Yes (RFC 9591)NoNoNo

If you are not signing but storing, the choice is about the dealer. A fully trusted dealer with one-time recovery wants plain Shamir. A dealer you must keep honest wants VSS -- Feldman when the committed value becomes a public key anyway, Pedersen when it must stay hidden. No dealer at all means DKG, and a resilient, GJKR-style one, never the biasable naive construction. Layer proactive refresh on top whenever the key must live for years against an adversary that keeps coming back.

SchemeHidingBindingTrusted dealer?Quantum-safe?Best for
Plain Shamirperfect (IT)not applicableyesyes, unconditionalbackups, escrow, the base layer
Feldman VSScomputationalperfectyesno, discrete logverifiable shares where g^s is public anyway
Pedersen VSSperfect (IT)computationalyesno, discrete logverifiable shares that must stay hidden
Proactive SSperfect point, computational refreshvia its VSSyes, at setuppoint yes, refresh layer nolong-lived keys vs a mobile adversary
DKG (GJKR)computationalvia its VSSnono, discrete logkeys with no single point of trust

Two constructions sit outside this decision entirely, and it is worth saying why. Blakley's geometric scheme and the Asmuth-Bloom Chinese-Remainder scheme are alternatives to Shamir, not descendants -- different constructions of the same (t,n) primitive that lost on share size, not security. They are named here, not built, precisely because they are contemporaneous alternatives rather than layers in the evolution [7, 10]. Reaching for one over Shamir in 2026 needs a specific reason, and there usually isn't one.

And a more basic question deserves an answer: why share a key at all, rather than encrypt it and copy the ciphertext to five people? Because encryption moves the problem instead of splitting it. Whoever holds the decryption key holds everything, and every ciphertext copy is only as safe as that one key and its one computational assumption. Secret sharing has no key and no assumption: the secrecy is unconditional and the trust is genuinely spread across a quorum. That is the whole distance between "one holder, computational" and "no holder, unconditional."

Every one of these choices is a trade-off the math forces on you -- perfect hiding or perfect binding, unconditional secrecy or short shares, reconstruct-once or never. Which raises the deeper question the next section answers: what exactly does the math promise, and what does each promise cost?

9. What the Math Guarantees and What It Costs

The theory here is bounded, stated cleanly, and worth knowing exactly: it tells you which problems are solved forever and which are still open.

Start with the positive result, the one everything else rests on. In Shamir's (t,n) scheme, any t-1 shares leave the secret's conditional distribution uniform: leakage is exactly zero, and it is arithmetic -- a Lagrange counting fact -- not a hardness assumption [1]. This is the information-theoretic side of the line Part 1 drew, and it is permanent.

Perfect / information-theoretic secrecy

Secrecy that holds against an adversary with unbounded computation and unlimited time, a quantum computer included. Below the threshold, the secret's conditional distribution given the shares is unchanged: zero information leaks, by a counting argument rather than a hardness assumption.

Perfection has a price, and it is a theorem. In any perfect secret-sharing scheme, every share must carry at least as much entropy as the secret, H(sharei)H(secret)H(\text{share}_i) \ge H(\text{secret}) [13, 8]. Shamir meets it with equality, which is exactly what "ideal" means. Meeting the bound with equality is why Shamir, not Blakley, became the substrate: Shamir's shares are the size of the secret, Blakley's are larger [13].

The consequence is concrete: you cannot perfectly share a gigabyte into sub-gigabyte shares. Hugo Krawczyk's computational escape hatch buys small shares by dropping to computational security -- encrypt the bulk, Shamir-share only the short key, disperse the ciphertext -- the same instinct as Part 13's insistence that one secret is not one key [14].

Reconstruction in the presence of cheaters has its own bounds, inherited from the Reed-Solomon connection of Section 2. Treating shares as codewords, a decoder corrects up to (nt)/2\lfloor (n-t)/2 \rfloor wrong shares, so reconstructing correctly against up to t active cheaters needs n3t+1n \ge 3t+1 [9]. The weaker n2t+1n \ge 2t+1 only guarantees an honest majority -- enough to detect tampering, or to decode once shares are authenticated by VSS.

Move up to verifiable sharing and multiparty computation and Ben-Or, Goldwasser, and Wigderson pinned the same regime: information-theoretic security against a malicious adversary requires t<n/3t \lt n/3 -- the very n3t+1n \ge 3t+1 again -- while t<n/2t \lt n/2 suffices against a passive one [40]. These are tight, and they bound the whole VSS and DKG layer in the unconditional model.

Threshold t-of-n is the happy case. The general problem -- sharing for an arbitrary authorized family of subsets -- costs more.

Access structure

The family of share-holder subsets authorized to reconstruct the secret. For a (t,n) threshold scheme it is simply "any t or more"; general monotone access structures allow arbitrary authorized sets.

Mitsuru Ito, Akira Saito, and Takao Nishizeki showed in 1987 that any monotone access structure can be realized, and Josh Benaloh and Jerry Leichter gave a monotone-formula construction in 1988 [41, 42]. But for general access structures the best known schemes can have shares super-polynomially larger than the secret, and closing the gap between constructions and lower bounds is a central open problem of the field -- threshold is the special case where the bound is met exactly [8].

Publicly verifiable secret sharing (Stadler 1996; Schoenmakers 1999) goes one step beyond VSS: any observer, not just the shareholders, can check that the dealer shared correctly, at the cost of heavier public-key machinery [43, 44].

Step back and the shape is clean. The primitive is at its theoretical optimum -- perfect below threshold, ideal in share size, post-quantum by construction. Every remaining hard problem lives one layer up, in the machinery. That is not a disappointment. It is a precise map of where the field is still moving.

10. Where It Is Still Moving

Every live frontier in this subject is one layer up from the primitive. Plain Shamir is not on the list, and that absence is the whole story. The asymmetry is the point: plain Shamir is already post-quantum and ideal, so it appears in no open problem below. Everything unsettled is about the discrete-log defenses layered on top of it. Five honest, signpost-level problems, each stated once, none with a build-it walkthrough.

Post-quantum threshold cryptography. Plain Shamir is post-quantum, but every deployed verifiability, dealerless, and signing layer rests on discrete log and falls to Shor. The open problem is to thresholdize lattice signatures like ML-DSA and hash-based schemes without exploding rounds, bandwidth, or share size. No such scheme yet matches FROST's lightness, and it is the sharpest frontier of NIST's MPTC First Call, whose two-class structure explicitly invites post-quantum submissions [39, 38].

Churn-resilient proactive sharing. Classical proactive refresh assumes a fixed committee, but blockchains and validator sets have constant churn -- members join and leave. Keeping a long-lived secret refreshed across a changing committee, without reconstruction and without communication blowing up in committee size, is the goal; CHURP is the current best partial answer, using two-dimensional sharing and polynomial commitments to keep off-chain cost sublinear [45].

Constant-size verifiable sharing. Feldman and Pedersen broadcast one commitment per coefficient, O(t) elements, which dominates cost at large committees. KZG polynomial commitments give constant-size commitments and evaluation proofs, enabling constant-broadcast VSS -- at the price of a trusted setup and pairing assumptions, which also makes it non-post-quantum [46]. Reconciling constant size, transparency, and quantum resistance at once is open.

Asynchronous and high-threshold protocols. Most deployed DKGs assume synchrony, which is fragile on real adversarial networks, and the honest-majority bounds tighten further under asynchrony. Practical asynchronous and high-threshold VSS and DKG are an active area with no single deployed default the way GJKR became one for the synchronous case.

Formally verified, constant-time implementations. The entire Failure Catalog of Section 6 -- weak-RNG coefficients, non-constant-time interpolation, missing Paillier checks behind TSSHOCK -- is implementation failure [2]. The structural fix is a formally verified, constant-time threshold stack, end to end. Verified efforts exist for individual primitives, but a fully verified threshold-signature system is not yet standard practice. Whether NIST's MPTC yields plug-compatible, interoperable standards the way RFC 9591 did for threshold Schnorr is the related open question on the standards side [38].

None of these frontiers threatens the point -- which is exactly the note to end the theory on and turn to practice. How do you actually deploy this without becoming a Failure Catalog entry?

11. The Decision Rules, Made Operational

Everything so far collapses into a short operating manual. Each rule is one of the three diagnostic questions answered correctly, or one Failure-Catalog entry pre-empted. The decision tree of Section 8 is the map; here are the turns.

Every rule below is the same four moves in a different order: draw the point safely, prove it if the dealer is not trusted, redraw it if it must live long, and use it without assembling it if you can. Get those four right and you do not appear in anyone's incident report.

Pick the scheme by the questions. That answer is Section 8's decision matrix, now read as an operating rule: the dealer-trust and reconstruct-or-never questions select the scheme, and the lookup table at the end of this section pairs each situation with its exact parameters and its matching never-do.

Pick the field and parameters. The secret must fit the field: byte-wise over GF(256) the way SLIP-39 does it, or a prime field larger than the secret, or -- for VSS and threshold signing -- the scalar field of the group you are signing in. Draw coefficients and nonces from a CSPRNG, never a statistical PRNG. It is t, not n, that sets secrecy: an attacker needs t shares to learn anything, so raising t raises the bar. Raising n only buys availability and, if anything, gives an attacker more shares to chase. "More shares" is not "more secure."

Set t for secrecy and n for availability, and remember that the share count is not a security parameter. For a large secret -- a file rather than a key -- encrypt it, Shamir-share the short key, and disperse the ciphertext, rather than sharing the megabytes directly.

Always. Source every coefficient and nonce from a CSPRNG. Interpolate in constant time. Authenticate shares, and verify each one against the VSS commitments before accepting it. Pin and publish a single commitment or verification key so nobody can quietly swap the curve. For any GG18 or GG20 deployment, apply the post-TSSHOCK Paillier-modulus and range-proof checks. And treat a backup's reconstruction moment as the crown-jewel threat, while treating an MPC wallet's rule as an absolute: never reconstruct.

Never. Never seed the polynomial from rand(), the clock, or a PID. Never reuse a polynomial or a share across two secrets. Never accept an unauthenticated share, or trust an un-auditable dealer with no VSS. Never call a Feldman-VSS'd or DKG'd deployment "information-theoretic." Never ship an unpatched GG18 or GG20 library. Never conflate an MPC wallet with a Shamir backup. And never treat "more shares" as "more secure."

The same guidance as a lookup table:

SituationScheme and key parametersNever do
Trusted dealer, one-time recovery is finePlain Shamir backup (SLIP-39, or Vault 5/3); CSPRNG coefficients; secret fits the field; authenticate sharesseed from rand(), clock, or PID; reuse a polynomial
Dealer must be kept honestAdd VSS: Feldman if g^s is public anyway, Pedersen if it must stay hidden; verify shares firstaccept a share that fails its commitment check
No trusted dealer at allDKG, GJKR-style, resilient and unbiasedship the biasable naive Pedersen-DKG
Long-lived key vs a roaming adversaryAdd proactive refresh each epochassume last epoch's stolen share is harmless
Key must never exist in one placeThreshold signatures: FROST for Schnorr, GG20 or DKLs23 for ECDSA with post-TSSHOCK checksrun unpatched GG18/GG20; conflate with a backup
Large secret, a file not a keyEncrypt, Shamir-share the short key, disperse the ciphertextShamir-share the megabytes directly
Try it: the canonical break-glass setup

HashiCorp Vault's default Shamir unseal initializes with vault operator init -key-shares=5 -key-threshold=3. That prints five unseal keys; any three bring the server back, and no single operator should hold more than one of them [4]. It is the cleanest real-world instance of the entire primitive: a trusted-dealer, reconstruct-once, 5/3 threshold split.

Internalize the questions and the anti-patterns fall out for free. A handful of misconceptions are common enough to deserve a direct answer, which is where we close.

12. The Antipattern Catalog

These are the questions engineers actually ask, answered against the one invariant. Each is a misconception named and fixed.

Frequently asked questions

If I have t-1 shares, don't I almost have the secret?

No -- you have exactly zero information about it. For every candidate secret there is precisely one degree-t-1 curve consistent with the t-1 points you hold, so every secret remains equally possible. There is no "getting warmer" and nothing to brute-force. This is a counting fact about polynomials, not a difficulty that a faster computer chips away at.

Is Shamir secret sharing just encryption?

No. There is no key and no hardness assumption. Encryption moves secrecy into a key that some party holds and that some algorithm might someday break; Shamir splits the secret so that no party holds it and no algorithm is involved. Its secrecy survives any future computer, quantum included, because it rests on arithmetic rather than on a problem being hard.

Is secret sharing quantum-safe?

Plain Shamir, yes -- unconditionally, because its secrecy is a counting argument with nothing for Shor's or Grover's algorithm to attack. But the discrete-log-based defenses layered on top are not: Feldman and Pedersen commitments, distributed key generation, and every deployed threshold Schnorr, ECDSA, and BLS signature fall to Shor. The point survives a quantum computer; several of its defenses do not.

The dealer could hand out inconsistent shares -- how would I know?

With plain Shamir, you would not, and that is precisely its limitation. Verifiable secret sharing closes the gap: the dealer publishes commitments to the polynomial, and every holder checks that its share lies on the one committed curve. A dealer who tries to hand out inconsistent shares is caught in public, in one round, without anyone learning the secret.

Feldman or Pedersen VSS?

Feldman is computationally hiding and perfectly binding, and it is simpler -- a fine choice when the committed value g^s becomes a public key anyway. Pedersen is perfectly (information-theoretically) hiding and only computationally binding -- the choice when the committed value must stay hidden even from an unbounded adversary. You cannot have both perfect at once; that is a theorem about commitments, so pick the property you actually need.

Is an MPC wallet the same as a Shamir backup?

No -- they have opposite threat models. A Shamir backup, such as SLIP-39 or Vault, reassembles the key at exactly one recovery moment, which is the thing you defend. An MPC or threshold-signature wallet never reconstructs the key at all -- it signs directly on the shares. Same primitive underneath, opposite rules: defend the reconstruction, or guarantee it never happens.

Did TSSHOCK break Shamir?

No. TSSHOCK and BitForge were a missing Paillier-modulus and range-proof check in threshold-ECDSA code -- the multiplication machinery bolted around the shares, not the shares themselves. A malicious co-signer could extract a key by exploiting that gap, but Shamir's secrecy was never the thing attacked. It is the cleanest illustration of the invariant: the break lived in the plumbing, not the point.

So here is the whole field guide in one picture. A secret can be a single point on a curve that no one ever fully draws, used by a quorum that never actually gathers, and defended against a thief who never stops coming back. Forty-seven years after Shamir's two-thirds of a page, the point still holds -- unbroken, ideal, already post-quantum. Every disaster worth the name happened in the machinery around it: a predictable pen, a leaky reconstruction, an unproven curve, a missing Paillier proof.

So carry the three questions with you into any deployment. Did the dealer cheat? Is the secret ever reassembled? Will the shares outlive a mobile adversary? Answer them honestly and you will build the layers as carefully as Shamir built the point. In Part 23 the field guide moves on to its next primitive -- and it carries this invariant with it, because it is the lesson every part of this series keeps teaching: the math is rarely where you get hurt.

Study guide

Key terms

Threshold secret sharing (t,n)
Split a secret into n shares so any t reconstruct it and any t-1 learn nothing, with no key and no computational assumption.
Verifiable secret sharing (VSS)
Machinery that catches a cheating dealer by letting holders check their shares against public commitments to the polynomial.
Distributed key generation (DKG)
Producing a shared key with no trusted dealer: each party contributes verifiably and the key is the sum, known to no one.
Proactive secret sharing
Refreshing shares each epoch by re-sharing zero, so old shares become useless while the secret stays fixed.
Threshold signature
A signature from a quorum of t holders that verifies as an ordinary single-signer signature, with the key never reconstructed.

Comprehension questions

  1. Why do t-1 shares reveal exactly zero information about the secret?

    For every candidate secret there is exactly one degree-(t-1) curve through the held t-1 points, so all secrets stay equally possible -- the conditional distribution is uniform.

  2. Why is a Feldman-VSS'd deployment not information-theoretically secure?

    Its commitment g^s leaks the secret to an unbounded adversary who can take a discrete log, so hiding is only computational.

  3. How does a threshold signature use the key without reconstructing it?

    At signing time, Lagrange coefficients convert the active signers' Shamir shares into additive shares that sum to the key, which combine into one signature without the key ever being assembled.

References

  1. Adi Shamir (1979). How to Share a Secret. https://nakamotoinstitute.org/library/how-to-share-a-secret/ - Communications of the ACM 22(11):612-613 (DOI 10.1145/359168.359176)
  2. NVD / MITRE (2023). CVE-2023-33241 (GG18/GG20 TSS Paillier key extraction). https://nvd.nist.gov/vuln/detail/CVE-2023-33241 - NVD
  3. D. Connolly, C. Komlo, I. Goldberg, & C. A. Wood (2024). The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol. https://www.rfc-editor.org/rfc/rfc9591.html - RFC 9591 (IRTF/CFRG), June 2024
  4. HashiCorp (2024). Vault operator init (Shamir unseal, default 5/3). https://developer.hashicorp.com/vault/docs/commands/operator/init - HashiCorp Vault docs
  5. HashiCorp (2024). Vault seal/unseal concepts. https://developer.hashicorp.com/vault/docs/concepts/seal - HashiCorp Vault docs
  6. SatoshiLabs (Rusnak, Kozlik, Vejpustek, Susanka, Palatinus, Hoenicke) (2017). SLIP-39: Shamir's Secret-Sharing for Mnemonic Codes. https://github.com/satoshilabs/slips/blob/master/slip-0039.md - SLIP-0039 (Status: Final)
  7. George R. Blakley (1979). Safeguarding Cryptographic Keys. https://dblp.org/rec/conf/mark2/Blakley79.html - AFIPS NCC vol 48, pp.313-318, 1979 (DOI 10.1109/MARK.1979.8817296)
  8. Amos Beimel (2011). Secret-Sharing Schemes: A Survey. https://www.cs.bgu.ac.il/~beimel/Papers/Survey.pdf - survey (coding/crypto)
  9. R. J. McEliece & D. V. Sarwate (1981). On Sharing Secrets and Reed-Solomon Codes. https://dblp.org/rec/journals/cacm/McElieceS81.html - CACM 24(9):583-584, 1981 (DOI 10.1145/358746.358762)
  10. Charles Asmuth & John Bloom (1983). A Modular Approach to Key Safeguarding. https://dblp.org/rec/journals/tit/AsmuthB83.html - IEEE Trans. Inf. Theory 29(2):208-210, 1983 (DOI 10.1109/TIT.1983.1056651)
  11. B. Chor, S. Goldwasser, S. Micali, & B. Awerbuch (1985). Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults. https://dblp.org/rec/conf/focs/ChorGMA85.html - FOCS 1985, pp.383-395 (DOI 10.1109/SFCS.1985.64)
  12. Martin Tompa & Heather Woll (1988). How to Share a Secret with Cheaters. https://dblp.org/rec/journals/joc/TompaW88.html - J. Cryptol. 1(2):133-138, 1988 (DOI 10.1007/BF02252871); prelim CRYPTO 1986 pp.261-265
  13. Ehud D. Karnin, J. W. Greene, & Martin E. Hellman (1983). On Secret Sharing Systems. https://dblp.org/rec/journals/tit/KarninGH83.html - IEEE Trans. Inf. Theory 29(1):35-41, 1983 (DOI 10.1109/TIT.1983.1056621)
  14. Hugo Krawczyk (1993). Secret Sharing Made Short. http://web.archive.org/web/20230708095825/https://link.springer.com/chapter/10.1007/3-540-48329-2_21 - CRYPTO 1993, LNCS 773 (DOI 10.1007/3-540-48329-2_21)
  15. Michael O. Rabin (1989). Efficient Dispersal of Information for Security, Load Balancing, and Fault Tolerance. https://dl.acm.org/doi/10.1145/65943.65947 - JACM 36(2):335-348, 1989 (DOI 10.1145/65943.65947)
  16. Paul Feldman (1987). A Practical Scheme for Non-Interactive Verifiable Secret Sharing. https://ieeexplore.ieee.org/document/45548 - FOCS 1987, pp.427-437 (DOI 10.1109/SFCS.1987.4)
  17. Torben Pryds Pedersen (1991). Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. https://dblp.org/rec/conf/crypto/Pedersen91.html - CRYPTO 1991, pp.129-140 (DOI 10.1007/3-540-46766-1_9)
  18. Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, & Moti Yung (1995). Proactive Secret Sharing Or: How to Cope With Perpetual Leakage. https://dblp.org/rec/conf/crypto/HerzbergJKY95.html - CRYPTO 1995, pp.339-352 (DOI 10.1007/3-540-44750-4_27)
  19. Torben Pryds Pedersen (1991). A Threshold Cryptosystem without a Trusted Party. https://dblp.org/rec/conf/eurocrypt/Pedersen91a.html - EUROCRYPT 1991, pp.522-526 (DOI 10.1007/3-540-46416-6_47)
  20. Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, & Tal Rabin (1999). Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. http://web.archive.org/web/20240109031003/https://link.springer.com/chapter/10.1007/3-540-48910-X_21 - EUROCRYPT 1999, pp.295-310 (DOI 10.1007/3-540-48910-X_21); J. Cryptol. 20(1):51-83, 2007 (DOI 10.1007/s00145-006-0347-3)
  21. Yvo Desmedt (1987). Society and Group Oriented Cryptography: A New Concept. https://dblp.org/rec/conf/crypto/Desmedt87.html - CRYPTO 1987, pp.120-127 (DOI 10.1007/3-540-48184-2_8)
  22. Yvo Desmedt & Yair Frankel (1989). Threshold Cryptosystems. https://dblp.org/rec/conf/crypto/DesmedtF89.html - CRYPTO 1989, pp.307-315 (DOI 10.1007/0-387-34805-0_28)
  23. Chelsea Komlo & Ian Goldberg (2020). FROST: Flexible Round-Optimized Schnorr Threshold Signatures. http://web.archive.org/web/20200806113650/https://eprint.iacr.org/2020/852 - SAC 2020, LNCS 12804 / IACR ePrint 2020/852
  24. Yehuda Lindell (2017). Fast Secure Two-Party ECDSA Signing. http://web.archive.org/web/20260105174452/https://eprint.iacr.org/2017/552 - CRYPTO 2017 / IACR ePrint 2017/552; J.Cryptol 34:44, 2021
  25. Rosario Gennaro & Steven Goldfeder (2018). Fast Multiparty Threshold ECDSA with Fast Trustless Setup. http://web.archive.org/web/20210511143041/https://eprint.iacr.org/2019/114 - ACM CCS 2018 / IACR ePrint 2019/114
  26. Yehuda Lindell & Ariel Nof (2018). Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody. http://web.archive.org/web/20260421071218/https://eprint.iacr.org/2018/987 - ACM CCS 2018 / IACR ePrint 2018/987
  27. Rosario Gennaro & Steven Goldfeder (2020). One Round Threshold ECDSA with Identifiable Abort. http://web.archive.org/web/20260517041743/https://eprint.iacr.org/2020/540 - IACR ePrint 2020/540
  28. Jack Doerner, Yashvanth Kondi, Eysa Lee, & abhi shelat (2023). Threshold ECDSA in Three Rounds (DKLs23). https://dkls.info/ - IEEE S&P 2024 / IACR ePrint 2023/765
  29. Victor Shoup (2000). Practical Threshold Signatures. https://www.shoup.net/papers/thsig.pdf - EUROCRYPT 2000, LNCS 1807
  30. Alexandra Boldyreva (2003). Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. http://web.archive.org/web/20251230041129/https://eprint.iacr.org/2002/118.pdf - PKC 2003 (IACR ePrint 2002/118)
  31. Verichains (2023). TSSHOCK: New Key Extraction Attacks on Threshold Signature Schemes. https://verichains.io/tsshock/ - verichains.io
  32. Fireblocks (2023). GG18 and GG20 Paillier Key Vulnerability [CVE-2023-33241] Technical Report (BitForge). https://www.fireblocks.com/blog/gg18-and-gg20-paillier-key-vulnerability-technical-report - fireblocks.com
  33. THORChain (2026). THORChain Exploit Report #1. https://blog.thorchain.org/thorchain-exploit-report-1 - blog.thorchain.org
  34. QuillAudits (2026). THORChain 10.7M GG20 TSS Exploit - Hack Analysis. https://www.quillaudits.com/blog/hack-analysis/thorchain-gg20-hack - quillaudits.com
  35. Cointelegraph (2026). THORChain's 10M-dollar exploit tied to malicious node and GG20 flaw. https://cointelegraph.com/news/thorchains-10m-exploit-mpc-vulnerability-private-key-leak - cointelegraph.com
  36. Jack Doerner, Yashvanth Kondi, Eysa Lee, & abhi shelat (2023). DKLs threshold ECDSA (authors' site). https://dkls.info/ - dkls.info
  37. Zcash Foundation (2024). FROST in Rust: frost-core and ciphersuite crates. https://github.com/ZcashFoundation/frost - Reference FROST implementation (crates frost-core, frost-ed25519) tracking RFC 9591
  38. NIST (2023). Multi-Party Threshold Cryptography (MPTC) project. https://csrc.nist.gov/Projects/threshold-cryptography - csrc.nist.gov/Projects/threshold-cryptography
  39. NIST (2023). NIST IR 8214C: First Call for Multi-Party Threshold Schemes. https://csrc.nist.gov/pubs/ir/8214/c/final - NIST IR 8214C
  40. Ben-Or, Goldwasser, & Wigderson (1988). Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. https://dl.acm.org/doi/10.1145/62212.62213 - STOC 1988 (DOI 10.1145/62212.62213)
  41. M. Ito, A. Saito, & T. Nishizeki (1987). Secret Sharing Scheme Realizing General Access Structure. https://doi.org/10.1002/ecjc.4430720906 - GLOBECOM 1987, pp.99-102; journal version: Electronics and Communications in Japan (Part III) 72(9):56-64, 1989
  42. Josh Benaloh & Jerry Leichter (1988). Generalized Secret Sharing and Monotone Functions. https://dblp.org/rec/conf/crypto/Leichter88.html - CRYPTO 1988, pp.27-35 (DOI 10.1007/0-387-34799-2_3)
  43. Markus Stadler (1996). Publicly Verifiable Secret Sharing. https://dblp.org/rec/conf/eurocrypt/Stadler96.html - EUROCRYPT 1996, LNCS 1070, pp.190-199 (DOI 10.1007/3-540-68339-9_17)
  44. Berry Schoenmakers (1999). A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting. https://berry.win.tue.nl/papers/crypto99.pdf - CRYPTO 1999, LNCS 1666, pp.148-164 (DOI 10.1007/3-540-48405-1_10)
  45. Maram, Zhang, Wang, Low, Juels, & Song et al. (2019). CHURP: Dynamic-Committee Proactive Secret Sharing. https://dl.acm.org/doi/10.1145/3319535.3363203 - ACM CCS 2019 (DOI 10.1145/3319535.3363203)
  46. Aniket Kate, Gregory Zaverucha, & Ian Goldberg (2010). Constant-Size Commitments to Polynomials and Their Applications. https://www.iacr.org/archive/asiacrypt2010/6477178/6477178.pdf - ASIACRYPT 2010