A secret split into n pieces, such that any k of them can rebuild it — and any k−1 reveal nothing at all. Adi Shamir's 1979 trick exploits a small algebraic fact: a polynomial of degree k−1 is pinned down by exactly k points. Fewer points, and the polynomial could be anything — including the one that hides any secret you can imagine.
For each byte s of the secret, we build a polynomial
f(x) = s + a₁x + a₂x² + … + a_{k−1}x^{k−1} with random
coefficients drawn from crypto.getRandomValues, all over GF(2⁸) with
the AES irreducible polynomial 0x11b. Share i is the pair
(i, f(i)). Reconstruction is Lagrange interpolation evaluated
at x = 0.
Shamir's scheme has no built-in integrity check. Any k pairs (x, y)
will produce some reconstructed bytes — they just won't be your secret
if the points came from different polynomials. In production you'd pair each
share with an HMAC or use a scheme like SLIP-0039 that bakes in checksums.
This is the unforgeable property of Shamir's scheme. With fewer than k shares,
the attacker can construct a perfectly valid polynomial through their points for every
possible secret. There's no signal to lock onto. The table below proves it: pick
k−1 share points, then for a range of guessed secrets, we build the polynomial that
forces f(0) = guess and fits the given points. Every row is a real,
consistent polynomial.
This is the information-theoretic core: given fewer than k points, the remaining degrees of freedom in the polynomial are exactly enough to make any secret consistent. So the attacker's posterior over the secret equals their prior — zero information leaked. Note this is over GF(p); the byte-wise implementation in the Split tab gives the same guarantee per byte over GF(2⁸).