Batched Threshold Encryption (BTE) builds on fundamental concepts like threshold cryptography, which allows secure collaboration among various parties without revealing sensitive data to any single member. BTE is an advancement over early TE-encrypted mempool schemes, such as Shutter, previously discussed. At present, all existing BTE research remains in the prototype or experimental phase, but its success could influence the future of decentralized ledgers. This offers a significant opportunity for continued research and potential uptake, which will be examined in this article.
On contemporary blockchains, transaction data can be publicly observed in the mempool prior to being sequenced, executed, and confirmed in a block. This transparency provides avenues for sophisticated actors to perform exploitative practices known as Maximal Extractable Value (MEV). MEV takes advantage of the block proposer’s capacity to reorder, include, or exclude transactions for financial advantage.
Common forms of MEV exploitation, such as frontrunning and sandwich attacks, are still widespread, especially on Ethereum; during the flash crash on Oct. 10, an estimated $2.9 million was extracted. Accurately quantifying total MEV extraction is challenging because around 32% of these attacks were privately communicated to miners, with some involving over 200 linked subtransactions in a single exploit.
Several researchers have attempted to mitigate MEV through mempool designs, wherein pending transactions are kept encrypted until block finalization. This prevents other blockchain participants from knowing what trades or actions the users intend to execute. Many encrypted mempool proposals utilize some variant of threshold encryption (TE) for this purpose. TE divides a secret key that can reveal the transaction data across multiple servers. Similar to a multisig, a requisite minimum number of signers must cooperate to combine their key shares to access the data.
Why BTE matters
Standard TE faces challenges in scalability because every server must decrypt each transaction separately and share a partial decryption share for it. These individual shares are recorded on-chain for aggregation and verification, creating server communication overhead that hampers network performance and adds to chain congestion. BTE addresses this restriction by enabling each server to release a single constant-sized decryption share that unlocks an entire batch, regardless of its size.
The initial functional iteration of BTE, created by Arka Rai Choudhuri, Sanjam Garg, Julien Piet, and Guru-Vamsi Policharla (2024), employed the so-called KZG commitment scheme. This allows the committee of servers to lock a polynomial function to a public key while keeping that function initially concealed from both users and committee members.
To decrypt transactions encrypted to the public key, one must prove that they fit within the polynomial. Since a polynomial of fixed degree can be fully defined from a set number of points, the servers only need to exchange minimal data to provide this proof. Once the shared curve is established, they can send out a single compact piece of data derived from it to unlock all transactions in the batch simultaneously.
Critically, transactions that do not conform to the polynomial remain locked, allowing the committee to selectively disclose a subset of the encrypted transactions while keeping others hidden. This ensures all encrypted transactions outside the chosen batch for processing stay encrypted.
Current TE implementations, such as Ferveo and MEVade, could potentially incorporate BTE to maintain privacy for transactions not included in the batch. BTE also aligns well with layer-2 rollups like Metis, Espresso, and Radius, which already strive for fairness and privacy through time-delay encryption or trusted sequencers. By employing BTE, these rollups could achieve a trustless ordering process, preventing anyone from taking advantage of transaction visibility for arbitrage or liquidation gains.
However, the initial version of BTE had two significant drawbacks: it necessitated a complete reinitialization of the system, including a new key generation and parameter setup each time a new transaction batch was encrypted. Decryption demanded considerable memory and processing resources as nodes worked to amalgamate all partial shares.
Both of these issues limited BTE’s practicality; for example, the frequent DKG execution required for committee refresh and block processing made the scheme effectively unattainable for moderately sized permissioned committees, let alone any effort to scale to a permissionless network.
In cases of selective decryption, where validators only decrypt profitable transactions, BTE renders all decryption shares publicly verifiable, enabling anyone to identify dishonest conduct and sanction offenders through slashing. It keeps the process reliable as long as a threshold of honest servers remains operational.
Upgrades to BTE
Choudhuri, Garg, Policharla, and Wang (2025) introduced the first upgrade to BTE to enhance server communication with a method called the one-time setup BTE. This approach only required a single initial Distributed Key Generation (DKG) ceremony to be conducted once across all decryption servers. Nonetheless, a multiparty computation protocol was still necessary to establish the commitment for each batch.
The first truly epochless BTE scheme emerged in August 2025 when Bormet, Faust, Othman, and Qu introduced BEAT-MEV as a single, one-time initialization capable of supporting all future batches. This was achieved using two advanced tools, puncturable pseudorandom functions and threshold homomorphic encryption, enabling servers to reuse the same setup parameters indefinitely. Each server only had to send a small piece of information during decryption, thereby keeping server communication costs at a minimum.
Overview of projected performance
Looking ahead, another paper titled BEAST-MEV presented the idea of Silent Batched Threshold Encryption (SBTE), which eliminated the requirement for any interactive setup among servers. It substituted repeated coordination with a non-interactive, universal one-time setup, allowing nodes to function autonomously.
Nevertheless, combining all the partial decryptions after the fact still necessitated intensive interactive computation. To resolve this, BEAST-MEV adopted BEAT-MEV’s sub-batching technique and employed parallel processing, enabling the system to decrypt large batches (up to 512 transactions) in under one second. The table below summarizes how each successive BTE design enhances the original BTE design.
BTE’s potential also extends to protocols like CoW Swap, which already mitigate MEV through batch auctions and intent-based matching, yet still expose portions of the order flow in public mempools. Integrating BTE before solver submission would close that gap and ensure end-to-end transaction privacy. Currently, Shutter Network stands out as the most promising candidate for early adoption, with other protocols likely to follow as implementation frameworks mature.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.
This article is for general informational purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Cointelegraph does not endorse the content of this article nor any product mentioned herein. Readers should do their own research before taking any action related to any product or company mentioned and carry full responsibility for their decisions.
