Batched Threshold Encryption (BTE) leverages fundamental concepts such as threshold cryptography, which enable secure collaboration between multiple parties without exposing sensitive data to a single participant. BTE is an evolution of early TE-encrypted memory pool schemes, such as Shutter, that we covered previously. For now, all existing work on BTE is still in the prototype or research stage, but it could shape the future of decentralized ledgers if successful. This creates a clear opportunity for further research and potential adoption, which we will explore in this article.
On most modern blockchains, transaction data is publicly visible in the memory pool before being sequenced, executed, and confirmed in a block. This transparency creates opportunities for sophisticated parties to engage in extractive practices known as maximum extractable value (MEV). MEV exploits the ability of the block proponent to rearrange, include, or omit transactions for financial gain.
Typical forms of MEV exploitation, such as frontrunning and sandwich attacks, remain pervasive, especially on Ethereum, where, during the October 10 flash crash, approximately $2.9 million was mined. It remains difficult to accurately measure total extractive MEV because approximately 32% of these attacks were delivered privately to miners, with some involving more than 200 subtransactions chained together in a single exploit.
Some researchers have sought to prevent MEV with mempool designs, in which pending transactions are kept encrypted until the block is finalized. This prevents other blockchain participants from seeing what transactions or actions the transacting users are about to take. Many encrypted memory pool proposals use some form of threshold encryption (TE) to do this. TE splits a secret key that can reveal transaction data between multiple servers. Similar to a multisig, a minimum number of signers must work together to combine their key shares and unlock the data.
Why BTE is important
The TE standard struggles to scale efficiently because each server must decrypt each transaction separately and broadcast a partial decryption share for it. These individual actions are recorded on-chain for aggregation and verification. This creates a communication load on the server which slows down the network and increases chain congestion. BTE addresses this limitation by allowing each server to release a single decryption share of constant size that unlocks an entire batch, regardless of its size.
The first functional version of BTE, developed by Arka Rai Choudhuri, Sanjam Garg, Julien Piet and Guru-Vamsi Policharla (2024), used the so-called KZG engagement system. It allows the server committee to lock a polynomial function to a public key while keeping that function initially hidden from users and committee members.
Decrypting transactions encrypted with the public key requires proving that they match the polynomial. Since a polynomial of fixed degree can be fully determined from a defined number of points, servers only need to collectively exchange a small amount of data to provide this proof. Once the shared curve is established, they can send a single compact piece of information derived from it to unlock all transactions in the batch at the same time.
Importantly, transactions that do not match the polynomial remain locked, so the committee can selectively reveal a subset of the crypto transactions while keeping others hidden. This ensures that all encrypted transactions outside of the batch selected for execution remain encrypted.
Current TE implementations, such as Ferveo and MEVade, could therefore integrate BTE to preserve the confidentiality of transactions not included in batches. BTE also naturally integrates with Layer 2 rollups such as Metis, Espresso and Radius, which already seek fairness and privacy through timed encryption or reliable sequencers. Using BTE, these rollups could enable a trustless ordering process that prevents anyone from exploiting trade visibility for arbitrage or liquidation purposes.
However, this first version of BTE had two major drawbacks: It required a complete system reset, including a new generation of keys and a new configuration each time a new batch of transactions was encrypted. Decryption consumed a lot of memory and processing power as the nodes worked to combine all the partial shares.
These two factors limited the practicality of BTE; for example, the required frequent running of the DKG for committee refreshes and block processing made the system effectively prohibitive for medium-sized permissioned committees, let alone any attempt to scale to a permissionless network.
For cases of selective decryption, where validators only decrypt profitable transactions, BTE makes all decryption actions publicly verifiable. This allows anyone to detect dishonest behavior and sanction offenders with cuts. This keeps the process reliable as long as a threshold of honest servers remains active.
Upgrades to BTE
Choudhuri, Garg, Policharla, and Wang (2025) made the first upgrade to BTE to improve server communication through a scheme called single-configuration BTE. This scheme required only a single initial distributed key generation (DKG) ceremony that ran once on all decryption servers. However, a multi-party calculation protocol was still necessary to implement the commitment of each batch.
The first truly epoch-free BTE system took place in August 2025, when Bormet, Faust, Othman, and Qu introduced BEAT-MEV as a single, single initialization that could support all future batches. It achieved this by using two advanced tools, perforable pseudo-random functions and homomorphic threshold encryption, allowing servers to reuse the same configuration settings indefinitely. Each server only needed to send a small piece of data during decryption, keeping server communication costs low.
Overview of projected performance
Ultimately, another paper called BEAST-MEV introduced the concept of batch silent threshold encryption (SBTE) which removed the need for any interactive configuration between servers. It replaced repeated coordination with a single, universal, non-interactive configuration that allows nodes to operate independently.
However, the subsequent combination of all partial decryptions still required heavy interactive calculations. To solve this problem, BEAST-MEV borrowed BEAT-MEV’s subprocessing technique and used parallel processing to allow the system to decrypt large batches (up to 512 transactions) in less than a second. The following table summarizes how each successive BTE design improves on the original BTE design.
The potential of BTE also applies to protocols such as CoW Swap, which already mitigate MEV through batch auctions and intent-based matching, while still exposing a portion of the order flow in public memory pools. Integrating BTE before solver submission would fill this gap and ensure end-to-end transaction privacy. For now, Shutter Network remains the most promising candidate for rapid adoption, and other protocols will likely follow once implementation frameworks are more mature.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research before making a decision.
This article is intended for general information purposes and is not intended to be and should not be considered legal or investment advice. The views, thoughts and opinions expressed herein are solely those of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Cointelegraph does not endorse the content of this article or any products mentioned here. Readers should do their own research before taking any action related to any product or company mentioned and take full responsibility for their decisions.
