The LaGrange Interpolation Polynomial Scheme is an easy-to-understand (m,n)-threshold scheme for secret sharing. The "Resources" section includes others.

Suppose you want to share a secret, M, among n people, such that any m of them will be able to reveal the secret by cooperating.

1. Generate a random prime, p, larger than M.
2. Generate n-1 random integers, R{1}, R{2}, ..., R{n-1}, each less than p.
3. Let F(x) be a polynomial in a finite field, defined by:
   F(x) = (R{1}*x^n + R{2}*x^(n-1) + ... + R{n-1}*x + M) mod p
4. Generate m "shadows" of F, defined by:
   k{i} = F(x{i})
   where each x{i} is distinct (using successive integer values [1,2,3,...] is a fine choice for x's).
5. Give [p, x{i}, k{i}] to each of the m secret sharers, for i corresponding to the number of each sharer (the enumeration is arbitrary).
6. Destroy R{1}, R{2}, ..., R{n-1}.
7. Destroy or hide M.

Given the information provided, each secret sharer is able to write out a linear equation. For example, Linda, who was enumerated as sharer #l, can construct the equation:

	    k{l} = (C{1}*x{l}^n + C{2}*x{l}^(n-1) + ... + C{n-1}*x{l} + M) mod p
	    

Because these linear equations have n unknowns -- C{1}...C{n-1} and M -- it requires the n equations with these same unknowns to solve the system of equations, and thereby reveal M (and also the C{i}'s, but these are not interesting once we have M).

Because the coefficients of F were chosen randomly, the cooperation of less than n secret sharers -- even combined with infinite computing power -- does not allow revelation of M. Without the nth sharer participating, any possible M (of a length less than p) is just as consistent with the (less than n) equations as any other!