What is Shamir's Secret Sharing, and why does Koaich use it for recovery?
Shamir's Secret Sharing splits a secret into pieces such that any k of n pieces can reconstruct it but fewer cannot. Here's the math in plain English, and why it's the right primitive for vendor-blind account recovery.
Shamir's Secret Sharing — SSS — is a cryptographic technique invented by Adi Shamir (the "S" in RSA) in 1979. It solves a specific problem: how do you split a secret so that recovering it requires several parties to cooperate, while any smaller subset learns nothing?
Koaich uses SSS as the foundation for account recovery on mobile. When you set up your first device, your master key is split into five shares. Three of any of those five are enough to reconstruct the key. Fewer than three reveal nothing — not even hints.
The intuition
Imagine your secret is a point on a line. One other point on that line tells you nothing about where the line goes, so it tells you nothing about the secret point; two points pin the line down, and with it every point on it. Two points define a line in the plane.
Now imagine your secret is a point on a parabola (a degree-2 polynomial). To uniquely identify the parabola, you need at least three points. Any three points with distinct x-coordinates define exactly one parabola. Two points define infinitely many possible parabolas, so two points reveal nothing about the secret point.
Shamir's Secret Sharing generalizes this. The secret is the constant term of a polynomial of degree k−1 whose remaining coefficients are chosen at random, and the n shares are the values of that polynomial at n distinct non-zero points. Any k of those n shares reconstruct the polynomial (Lagrange interpolation) and so recover the secret. Any k−1 shares leave the polynomial undetermined: every possible secret is consistent with them, and, because the arithmetic is done over a finite field, all are equally likely.
Crucially: this isn't "hard to guess." It's information-theoretically secure. Even infinite computing power can't recover the secret from fewer than k shares, because the shares contain no usable information about it.
Why this is the right primitive for vendor-blind recovery
The recovery problem most workspace tools solve is: the user forgot their password; restore access. The standard solution is that the vendor holds a copy of the user's data (or a key derived from the password); when the user resets the password, the vendor re-derives access.
Koaich made the opposite trade-off — see Why we don't have password recovery. We don't hold a copy. So how does recovery work?
When you set up your first Koaich device, your master key is split into n=5 SSS shares with threshold k=3. The shares get distributed across your trusted devices (your phone, your laptop, your tablet, optionally a hardware key). No share lives on a Koaich server.
If you lose one device, you still have the other four — more than enough to recover. If you lose two, you still have three. If you lose all five and never wrote down the backup codes... your data is gone. The threshold is set so that normal device-loss scenarios are recoverable, but no party (including Koaich) has enough shares to recover unilaterally.
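The construction described under "The intuition", run with the page's own parameters (n=5 shares, threshold k=3) through the device-loss scenario just described, as an added worked example in Python. This is not Koaich's code: the prime field, the sample master key and the device labels are constructed for the example, and nothing about Koaich's real share encoding or distribution is assumed.

```python
"""Shamir's Secret Sharing over a prime field: a worked example for this page,
not Koaich's implementation. Parameters follow the page (n=5 shares, k=3);
the prime, the sample key and the device labels are constructed here."""
import secrets
from itertools import combinations

# Constructed choice: the Mersenne prime 2^521 - 1, so any 256-bit key fits.
P = 2**521 - 1


def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x (Horner's rule), mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Split `secret` into n shares, any k of which reconstruct it.

    The secret is the constant term; the other k-1 coefficients are uniform
    random field elements. Share i is the point (i, f(i)) for i = 1..n;
    x = 0 is never handed out because f(0) is the secret itself.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]


def lagrange_at(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("x-coordinates must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


def recover_secret(shares):
    """Interpolate the shares' polynomial and read its value at x = 0."""
    return lagrange_at(shares, 0)


def completion_for(partial_shares, candidate_secret, x):
    """Value a share at x would have if the secret were `candidate_secret`.

    With k-1 shares in hand this works for every candidate: k points always
    define a degree-(k-1) polynomial, which is why k-1 shares carry no
    information about the real secret.
    """
    return lagrange_at([(0, candidate_secret)] + list(partial_shares), x)


if __name__ == "__main__":
    K, N = 3, 5
    master_key = secrets.randbits(256)          # constructed sample key
    devices = ["phone", "laptop", "tablet", "hardware key", "backup card"]
    shares = dict(zip(devices, split_secret(master_key, K, N)))

    # Lose two devices: the remaining three still recover the key.
    surviving = [shares[d] for d in ("phone", "tablet", "backup card")]
    assert recover_secret(surviving) == master_key
    # Every 3-of-5 subset works.
    assert all(recover_secret(c) == master_key
               for c in combinations(shares.values(), K))

    # Two shares are consistent with any secret at all.
    two = [shares["phone"], shares["laptop"]]
    for guess in (0, 1, master_key ^ 1):
        third = completion_for(two, guess, 3)
        assert recover_secret(two + [(3, third)]) == guess
    print("3 of 5 recover the key; 2 of 5 fit every possible key")
```

Feeding `recover_secret` only two shares does return a value (the line through them, evaluated at zero), but that value is unrelated to the real secret, and `completion_for` shows why: for any guessed secret there is a third share that makes the guess fit perfectly. A real implementation would also authenticate shares so a corrupted one cannot silently yield the wrong key; that check is outside what this page describes.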
Why we split across your own devices and not across trusted contacts
An earlier draft of Koaich's recovery model (and several other privacy products' models) used "social recovery" — split shares across the user's trusted contacts (family, friends, coworkers). The advantage: the user doesn't need multiple devices. The disadvantage: a sophisticated attacker can socially engineer the contacts.
Splitting across your own devices keeps the attack surface contained. Compromising one trusted contact's phone doesn't help; an attacker would have to compromise several of your devices simultaneously. That's a meaningfully harder attack than persuading three of your friends to send you their share over text.
The trade-off is that users who genuinely only own one device need a backup-code printout as their fallback. That's the path we recommend.
Where else SSS shows up
Shamir's Secret Sharing is well-deployed in security infrastructure:
· HSMs (Hardware Security Modules): most enterprise HSMs (Thales, Entrust, AWS CloudHSM) use SSS for key recovery. An HSM administrator can't recover a key alone; it requires k of n key custodians.
· Certificate authorities: the root CA private keys for some major public CAs are split across multiple physical locations using SSS-equivalent schemes.
· Cryptocurrency cold storage: many institutional Bitcoin custody setups use SSS so that no single employee can move funds.
· Vault by HashiCorp: the "unseal" process uses SSS by default.
When you use Shamir for account recovery, you're using the same primitive that protects the keys to enterprise PKIs and a sizable fraction of the world's institutional crypto custody.