Shamir's Secret Sharing (SSS) is a cryptographic scheme that lets you split a secret like a wallet's master seed into multiple "shares," where any threshold number of shares can reconstruct the secret but any number below the threshold reveals nothing about it. SLIP-39, Trezor's implementation, brings SSS to hardware wallets as a practical alternative to single-paper seed phrase backup.
What is Shamir's Secret Sharing and SLIP-39?
Shamir's Secret Sharing is a cryptographic method, introduced by Adi Shamir in his 1979 paper "How to Share a Secret" published in Communications of the ACM (source: Shamir 1979 — How to Share a Secret), that splits a single secret value into multiple shares such that any specified threshold of those shares can reconstruct the original, but any fewer than the threshold reveals nothing whatsoever about the secret. SLIP-39 is the SatoshiLabs Improvement Proposal that adapts SSS for HD wallet seeds, defined in 2017 and implemented in Trezor hardware wallets (source: SLIP-39 Specification).
The intuition: if you split your house key into pieces, any one piece is useless on its own, but having "enough" pieces unlocks the door. Shamir formalizes this mathematically so that "enough" is a precise threshold (say, 3 out of 5), and any fewer than that threshold provides zero information about the secret. An attacker who steals 2 shares from a 3-of-5 setup learns no more about your seed than someone with no shares at all.
For crypto wallets specifically, the secret being split is the master seed entropy that an HD wallet derives all its keys from. Splitting that seed across multiple physical locations removes the single-point-of-failure problem that a BIP-39 seed phrase creates when written on one piece of paper or metal. SatoshiLabs published an open reference implementation alongside the spec so other wallet vendors could verify and adopt the standard (source: SatoshiLabs SLIP-39 Reference Implementation).
How does threshold splitting work (m-of-n math)?
Shamir's scheme works by placing the secret on a polynomial curve and giving each share a point on that curve. With enough points (the threshold m), the curve can be reconstructed by interpolation, revealing the secret. With fewer than m points, an infinite number of curves pass through them, so no specific secret can be determined.
A concrete walkthrough for a 2-of-3 scheme: imagine a line in two dimensions (a polynomial of degree 1). Two points define a unique line. The secret is encoded as the y-intercept of that line, where the line crosses the y-axis. Each share is a different point on the line. Any 2 shares give you 2 points, which determine the line and therefore the y-intercept (the secret). One share gives you 1 point, through which infinitely many lines pass; the y-intercept is mathematically undetermined.
For a 3-of-5 scheme, the curve is a parabola (polynomial of degree 2), and you need 3 points to uniquely determine it. Five points are generated as shares, any 3 can reconstruct the curve, and 2 alone reveal nothing. The scheme generalizes to any m-of-n where m ≤ n.
The cryptographic strength comes from working in a finite field (modular arithmetic over a prime), which prevents an attacker from narrowing down the secret by guessing at "plausible" continuous values. Each unknown coordinate in the field is equally likely, so a partial set of shares is genuinely no better than no shares at all. The information-theoretic security of this scheme is what distinguishes it from password-based splits or simple seed-fragment approaches (source: Wikipedia — Shamir's Secret Sharing).
SLIP-39 vs BIP-39: how does Trezor implement Shamir backup?
SLIP-39 is a different format from BIP-39 with a different wordlist and a different reconstruction process, and the two are not interchangeable. A BIP-39 seed phrase cannot be used directly as a SLIP-39 share, and vice versa, even though both encode wallet secrets as word lists.
The key differences:
Feature | BIP-39 | SLIP-39 |
|---|---|---|
Wordlist size | 2,048 words | 1,024 words (different list) |
Standard share/phrase length | 12 or 24 words | 20 words (Standard) or 33 words (with Extended security) |
Splitting model | Single phrase, no splitting | Threshold m-of-n shares, or grouped (multi-level threshold) |
Implementation | Universal across wallets | Trezor-specific (currently) |
Reconstruction | Type all 12/24 words back into any BIP-39 wallet | Combine threshold number of shares in a SLIP-39-aware wallet |
SLIP-39 offers two operational modes:
Standard (Single Group) mode. One m-of-n threshold across all shares. Simplest setup: 3-of-5 means any 3 of the 5 shares reconstruct the wallet.
Advanced (Group Threshold) mode. A two-level threshold. Shares are organized into multiple groups, and reconstruction requires a threshold number of groups, where each group itself has its own internal threshold. Example: 2-of-3 group threshold, where Group 1 needs 2-of-3 family shares and Group 2 needs 3-of-5 institution shares, etc. This supports complex inheritance and corporate-custody scenarios where different parties hold different roles.
Trezor's documentation covers the rationale for these modes in detail (source: Trezor SLIP-39 FAQs). The conversion path between BIP-39 and SLIP-39 is one-way through Trezor's recovery flow: a Trezor that was initialized with BIP-39 can be "re-secured" with SLIP-39, which generates a new wallet (different addresses) and the old BIP-39 seed becomes a legacy backup.
When should you use Shamir backup vs a traditional seed phrase?
Shamir backup is most useful when a single seed-phrase paper backup creates an unacceptable single-point-of-failure, and acceptable when the operational complexity is justified by the risk reduction. Four scenarios commonly justify it: inheritance planning, geographic distribution against natural disasters, family or partnership wallets, and corporate or institutional custody.
Inheritance planning. Distribute shares to family members or attorneys such that, on your death, heirs combining the threshold gain access. A 2-of-3 setup (spouse, child, attorney) means any two can recover the wallet but no single party can. This avoids the inheritance problem of either no-one-can-recover (sole-custodian seed lost) or anyone-can-recover (seed available to a single heir who could act unilaterally).
Geographic distribution against disasters. Shares stored in different homes, safe-deposit boxes, or jurisdictions survive any single-location disaster (fire, flood, earthquake). A traditional seed-phrase backup at a single location is lost when that location is destroyed; Shamir shares at five separate addresses can survive multiple simultaneous losses.
Family or partnership wallets. Where no single individual should have unilateral wallet access. The threshold acts as a "joint signature" requirement, although Shamir is technically about reconstruction rather than signing (multisig is the more direct tool when the goal is joint signing on each transaction).
Corporate or institutional custody. Combined with physical-security practices and a BIP-39 passphrase, Shamir shares can support compliance scenarios where access requires multiple authorized parties.
The tradeoff: Shamir adds complexity. Five shares means five places to secure, five backup-of-backups to consider, and five labels to keep coherent. For users with modest balances and a single trusted backup location, a traditional BIP-39 seed phrase on a metal plate may be operationally simpler without creating a meaningful additional risk.
Common SLIP-39 pitfalls
Shamir backup adds power but also introduces failure modes that don't exist with single-seed BIP-39. Five pitfalls recur in user-reported losses: forgetting the threshold number, mixing up shares from different splits, attempting to combine SLIP-39 shares with BIP-39 wallets, losing one share in a 5-of-5 setup, and treating Advanced (Group Threshold) mode as if it were Standard mode.
Forgetting the threshold. The shares themselves don't encode the threshold; you must remember it separately. Five shares without knowing whether they form a 2-of-5, 3-of-5, or 5-of-5 setup may take many attempts to combine. Users who write the threshold value alongside each share (or in a separate record) avoid this.
Mixing shares from different splits. Generating a new Shamir backup creates new shares incompatible with previous shares. If you regenerate a backup but mix old and new shares, none of them reconstruct anything. Label every share with its generation date and group identifier.
SLIP-39 / BIP-39 confusion. A SLIP-39 share is a 20-word phrase from a 1,024-word list. A BIP-39 seed phrase is a 12 or 24-word phrase from a 2,048-word list. They look superficially similar and use English words, but a BIP-39 wallet cannot accept a SLIP-39 share or combination of shares. The two formats are not interchangeable.
5-of-5 catastrophe. A 5-of-5 setup means every share is required. Lose any one share and the wallet is permanently inaccessible. Most users intend 3-of-5 (resilient against 2 lost shares) but accidentally configure 5-of-5; this is a setup-time check, not a recoverable error.
Group mode complexity. Advanced (Group Threshold) mode is powerful but error-prone. Users sometimes forget which shares belong to which group, or set up groups whose internal thresholds make reconstruction impossible in their intended scenario. Recommend Standard mode for most users.
From Blofin's customer-support inbox, Shamir-related tickets cluster around a specific pattern: a user has 4 shares but can't remember whether they configured a 3-of-5 or 4-of-5 setup, and trying various combinations either fails or eventually succeeds after substantial trial and error. Recording the threshold value alongside the shares resolves the issue before it occurs.
Which wallets support Shamir backup today?
Shamir backup support is concentrated almost entirely in Trezor's hardware-wallet lineup. SLIP-39 was developed by SatoshiLabs (Trezor's parent) and remains a Trezor-exclusive feature in mainstream hardware wallets as of 2026. Software-wallet support is rare; Ledger, Coldcard, and most software wallets do not implement SLIP-39 natively.
Trezor Model T. First device to ship with SLIP-39 support (2019); supports both Standard and Advanced modes (source: Trezor Blog — Shamir Backup Announcement).
Trezor Safe 3. Released 2023; supports SLIP-39.
Trezor Safe 5. Released June 2024; supports SLIP-39 (source: Trezor Safe 5 Product Page).
Software tools. Standalone command-line and reference implementations of SLIP-39 exist (linked from the SLIP-39 spec) for advanced users who want to verify shares or perform reconstruction outside the Trezor flow, but these are not full wallets.
Conversion. A user with a non-Trezor hardware wallet who wants Shamir backup must move funds to a Trezor that supports SLIP-39. The seed cannot be "Shamir-split in place" on a Ledger or Coldcard.
The Trezor-exclusive nature of SLIP-39 is a real consideration. Users who value Shamir backup but prefer a different vendor's UX have limited options today. For users committed to non-Trezor hardware, multisig is often the better practical answer for distributing trust across multiple parties.
Backup storage best practices for Shamir shares
The core principle: each share should be stored in a location that an attacker could compromise without also compromising threshold-many other shares. Geographic separation, custodian separation, and material protection each contribute to this goal.
Geographic separation. Spread shares across different addresses, different cities, or different jurisdictions. The point is that a fire at one location, a burglary at one residence, or a regulatory action in one country should not affect threshold-many shares simultaneously. Our physical security for crypto reference covers location selection.
Custodian separation. Different trusted parties hold different shares. No single custodian should hold threshold-many shares, because that custodian alone could then recover the wallet. The threshold's protective value only holds when at least one share is genuinely outside any single party's reach.
Material protection. Each share, like any seed-phrase material, should be on durable media. Metal seed plates work for SLIP-39 shares the same way they work for BIP-39 seeds; paper is acceptable for short-term storage but loses to fire, water, and age over decades.
Threshold and total recording. Write the threshold value and the total number of shares alongside the shares themselves, or in a separate "recipe card" kept somewhere accessible. Without this, future recovery requires guessing at the configuration.
Test reconstruction. Before relying on the Shamir backup for production funds, do a test reconstruction with a small amount. Generate the shares, distribute them, then later combine the threshold number to verify the wallet restores correctly. This catches setup errors while the cost of recovery from those errors is still low. For recovery procedures more broadly, see our recovery scenarios reference.
Frequently asked questions
What's the difference between Shamir backup and multisig?
Shamir backup splits a single secret across multiple shares, where the threshold number reconstructs the secret and the wallet operates as a single-signature wallet using that reconstructed secret. Multisig (multi-signature) uses multiple separate keys that each sign transactions; transactions require a threshold number of signatures to be valid. Shamir is about backup and recovery: reconstruction happens once, then the wallet behaves normally. Multisig is about ongoing operation: every transaction requires the threshold number of signatures. For coordinated custody where each transaction needs multiple parties' agreement, multisig is the right tool. For backup resilience where the wallet operates normally day to day, Shamir is simpler.
Can I convert my existing BIP-39 seed to SLIP-39?
Not directly. SLIP-39 and BIP-39 are different formats with different word lists and reconstruction processes. On a Trezor that was initialized with BIP-39, you can perform a "re-secure" operation that generates new SLIP-39 shares, but this creates a new wallet with different addresses, not a Shamir-split version of the existing BIP-39 seed. You would then need to move funds from the old BIP-39 wallet to the new SLIP-39 wallet. The conversion is operational (transfer funds), not cryptographic (reformat).
How many shares should I create?
For most users, 3-of-5 is a good default: resilient against losing up to 2 shares, requires gathering 3 shares for recovery, and total of 5 distributable copies. 2-of-3 is simpler but less resilient. 4-of-7 supports more elaborate distribution but is operationally heavier. The right answer depends on the number of trusted custodians you have access to and how many simultaneous share losses you want to survive. Avoid m-of-n configurations where m = n (e.g., 5-of-5), because losing any single share then loses the wallet entirely.
What happens if I lose one share?
In an m-of-n setup, you can lose up to (n - m) shares and still recover the wallet by combining the remaining m shares. Recommend generating a new Shamir backup when you have lost any share, even if you still have enough to recover. The new backup uses different shares than the original, so any compromised or unaccounted-for old share is no longer relevant to the wallet's security going forward.
Can I use Shamir backup with Ledger?
Not natively in 2026. Ledger does not implement SLIP-39, and Ledger seeds use BIP-39 format. Users who want Shamir backup with a non-Trezor hardware wallet have two options: migrate to Trezor for SLIP-39 support, or use multisig as a different approach to distributing trust. Multisig achieves a related goal (no single party can authorize a transaction) without splitting a single seed.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include Adi Shamir's 1979 paper "How to Share a Secret," the SLIP-39 specification (SatoshiLabs), Trezor Shamir backup documentation, and SatoshiLabs published rationale for the SLIP-39 design. All facts independently verified against cited documentation current as of May 2026.
This article is for informational purposes only and does not constitute financial advice, investment guidance, or a recommendation to buy, sell, or hold any digital asset. Cryptocurrency markets involve significant risk and you should conduct your own research and consult qualified professionals before making investment decisions. Blofin Academy content reflects the state of public information at time of publication; protocol parameters, fees, and ecosystem data change frequently.