Batched Threshold Encryption (BTE) is based on essential principles like threshold cryptography, which facilitates secure cooperation among multiple parties while safeguarding sensitive information from individual access. BTE is an advancement of early TE-encrypted mempool frameworks, such as Shutter, previously discussed. Currently, all efforts surrounding BTE are limited to prototype or research phases, yet its successful development may influence the future of decentralized ledgers. This opens up significant opportunities for further analysis and potential implementation, which we will examine in this article.
On many contemporary blockchains, transaction details are publicly accessible within the mempool before being sequenced, executed, and confirmed in a block. This openness allows skilled entities to exploit practices known as Maximal Extractable Value (MEV). MEV takes advantage of the block proposer’s capacity to reorder, include, or exclude transactions for financial advantage. Common MEV exploitations, such as frontrunning and sandwich attacks, are particularly common on Ethereum, illustrated by the estimated $2.9 million extracted during the flash crash on Oct. 10. Accurately gauging total extractive MEV remains challenging, as approximately 32% of these attacks were privately communicated to miners, with some incidents involving over 200 linked subtransactions in a single exploit.
Some researchers aim to counter MEV through mempool designs that keep pending transactions encrypted until block finalization. This approach obstructs other blockchain participants from observing the trades or actions that users plan to undertake. Various encrypted mempool proposals utilize forms of threshold encryption (TE) for this purpose. TE divides a secret key capable of revealing transaction details among multiple servers. Similar to a multisig, a minimum number of signers are required to collaborate and combine their key shares to unlock the data.
Why BTE is important
Standard TE faces scalability challenges because each server must independently decrypt each transaction and broadcast a partial share for it. These individual shares are recorded on-chain for aggregation and verification, resulting in server communication loads that can slow down the network and contribute to congestion. BTE addresses this issue by allowing each server to generate a single constant-sized decryption share that can unlock an entire batch, irrespective of its size.
The initial functional version of BTE, created by Arka Rai Choudhuri, Sanjam Garg, Julien Piet, and Guru-Vamsi Policharla (2024), utilized the KZG commitment scheme. This permits the committee of servers to lock a polynomial function to a public key while initially concealing it from both users and committee members. To decrypt transactions encrypted to this public key, it is necessary to demonstrate that they conform to the polynomial. Since a polynomial of fixed degree can be entirely determined from a specific number of points, the servers only need to share a small amount of data to provide this proof. Once the shared curve is established, they can distribute a single compact piece of information derived from it to simultaneously unlock all transactions in the batch.
Critically, transactions that do not conform to the polynomial remain locked, permitting the committee to selectively disclose a subset of the encrypted transactions while keeping others concealed. This ensures that all encrypted transactions not included in the selected batch for execution stay encrypted. Present TE implementations, like Ferveo and MEVade, could potentially integrate BTE to maintain privacy for transactions not included in batches. BTE also aligns seamlessly with layer-2 rollups such as Metis, Espresso, and Radius, which already strive for fairness and privacy through time-delay encryption or trusted sequencers. By adopting BTE, these rollups could facilitate a trustless ordering process that prevents any exploitation of transaction visibility for arbitrage or liquidation benefits.
Nonetheless, this initial version of BTE had two significant limitations: it necessitated a complete reinitialization of the system, including a new round of key generation and parameter setup whenever a new batch of transactions was encrypted. Decryption required considerable memory and processing power as nodes combined all partial shares. These factors significantly hindered the practicality of BTE; for example, the mandatory frequent Distributed Key Generation (DKG) execution for committee refresh and block processing rendered the scheme effectively unsuitable for moderately sized permissioned committees, let alone an effort to scale to a permissionless network.
In cases of selective decryption, where validators decrypt only profitable transactions, BTE ensures that all decryption shares are publicly verifiable. This allows anyone to identify dishonest actions and impose penalties through slashing, maintaining reliability as long as a threshold of honest servers remains operational.
Improvements to BTE
Choudhuri, Garg, Policharla, and Wang (2025) proposed the first enhancement to BTE to optimize server communication using a scheme termed the one-time setup BTE. This method required only a single initial Distributed Key Generation (DKG) ceremony running once across all decryption servers. However, a multiparty computation protocol was still needed to configure the commitment for each batch.
The first truly epochless BTE framework emerged in August 2025, when Bormet, Faust, Othman, and Qu introduced BEAT-MEV, featuring a single, one-time initialization capable of supporting all subsequent batches. This was achieved using two advanced tools, puncturable pseudorandom functions, and threshold homomorphic encryption, which allowed servers to indefinitely reuse the same setup parameters. Each server was required to send only a small piece of data during decryption, thereby minimizing server communication costs.
Projected performance overview
Subsequently, another paper titled BEAST-MEV presented the concept of Silent Batched Threshold Encryption (SBTE), which eliminated the need for any interactive setup among servers. It substituted repeated coordination with a non-interactive, universal one-time setup enabling nodes to function independently. However, amalgamating all partial decryptions afterward still required intensive interactive computation. To resolve this, BEAST-MEV adopted BEAT-MEV’s sub-batching technique and employed parallel processing to allow the system to decrypt large batches (up to 512 transactions) in under one second. The following table summarizes how each successive BTE design enhances the original BTE framework.
BTE’s potential also exists for protocols like CoW Swap, which already mitigate MEV through batch auctions and intent-based matching, yet still reveal parts of the order flow in public mempools. Integrating BTE before solver submission could seal that gap and ensure comprehensive transaction privacy. Currently, Shutter Network appears as the most promising candidate for early implementation, with other protocols likely to follow as implementation frameworks mature.
This article does not constitute investment advice or recommendations. All investment and trading activities carry risk, and readers should conduct their own research before making any decisions. This article serves general informational purposes and should not be interpreted as legal or investment advice. The views, thoughts, and opinions presented here are solely those of the author and do not necessarily reflect the views of Cointelegraph. Cointelegraph does not endorse the content of this article or any products mentioned herein. Readers should conduct their own research before taking any actions regarding any products or companies mentioned and assume full responsibility for their decisions.
