Shamir Secret Sharing splits a secret into n shares where any k shares can rebuild the secret (formally, and hopefully obviously, k ≤ n). Importantly, any k−1 shares should tell you nothing about the secret.
Why do we care? The obvious use is key management. Split a private key into shares held by different people or machines and no single one of them is worth stealing: you can lose a few shares and still recover the key, and an attacker has to gather k of them at once to learn anything.
On the surface this sounds like it should be some complex protocol with all sorts of deep cryptography (FHE/MPC/ZK), but in reality it's very simple and requires only some basic geometry and an understanding of polynomials. But how does it work?
I'm a visual learner, so if you prefer visuals just watch the attached video (this post was mostly an excuse to play with manim, a library for mathematical animations).
Otherwise:
Start with a straight line. You need a minimum of 2 points to fix exactly one line. A single point does not: infinitely many lines pass through it. Similarly, you need three points to fix a parabola, four to fix a cubic, and so on. A polynomial of degree k−1 is fixed by exactly k points. Give it k and only one such polynomial fits; give it k−1 (or less) and infinitely many do.
So here are the steps to share a secret. Take a polynomial of degree k−1 and make the secret its value at x equals zero (or f(0)). Fill the other k−1 coefficients with random numbers. Then hand out points on it: person i gets f(i), for i from 1 to n. Nobody gets f(0) itself.
To get the secret back, any k people pool their points/shares. k points fix the polynomial, so they rebuild it and read off its value at zero. That value is the secret.
What about k−1 people? Their points do not fix the polynomial. Plenty of curves pass through them, and they give different values at zero. So k−1 shares leave the secret open.
But does that actually keep it hidden? Over the real numbers, not quite. The polynomials through k−1 points do cover every possible secret, but not evenly, so your shares still make some secrets likelier than others, i.e, a little information leaks.
To fix this we stop using the real numbers and work in a finite field: the integers modulo a prime p, where arithmetic wraps around at p and the random coefficients are drawn uniformly from the field.
Now there is no leak. With k−1 shares, every value in the field is an equally likely secret, so the best anyone can do is guess. The shares give away nothing.
This is perfect secrecy: the secret cannot be recovered from those shares by any means, with any amount of computing power, ever (even a quantum computer does not change that!).
In practice that is exactly what you want for a secret that has to survive for years: a root key, a wallet seed, a recovery key. Split it this way and it does not get weaker as hardware improves or as quantum machines arrive, because its safety never rested on a computation being hard. The shares only have to stay apart!