Key Takeaways
- Batched Threshold Encryption (BTE) is an evolution of threshold encryption, aimed at enhancing the security and efficiency of decentralized ledger technology by protecting against MEV.
- Standard threshold encryption faces scalability issues due to individual decryption shares per transaction, which BTE addresses by enabling a single, constant-sized share to decrypt an entire batch.
- Early BTE implementations, while promising, had drawbacks like requiring frequent system reinitialization and consuming significant resources.
- Subsequent upgrades, such as one-time setup BTE and epochless schemes like BEAT-MEV, have significantly improved efficiency and reduced computational overhead.
- BTE offers potential integration with various blockchain protocols, including layer-2 rollups and DEXs, to enhance privacy and prevent extractable value.
The Challenge of Maximal Extractable Value (MEV)
On most modern blockchains, transaction data is publicly visible in the mempool before it’s confirmed in a block. This transparency creates opportunities for sophisticated actors to engage in extractive practices known as Maximal Extractable Value (MEV). MEV exploits the power of block proposers to reorder, include, or omit transactions for financial gain.
Common MEV exploits, such as frontrunning and sandwich attacks, are particularly prevalent on networks like Ethereum. During a significant market event on October 10th, an estimated $2.9 million was extracted through such means. Accurately quantifying total extractive MEV is challenging, as approximately 32% of these attacks are privately relayed to miners, with some complex exploits involving over 200 chained subtransactions.
In response to these challenges, researchers have explored mempool designs that keep pending transactions encrypted until block finalization. This prevents other network participants from observing intended trades or actions. Many encrypted mempool proposals leverage some form of threshold encryption (TE) for this purpose. TE works by splitting a secret key, which is necessary to reveal transaction data, among several servers. Similar to a multisig mechanism, a minimum number of these servers must collaborate to combine their key shares and unlock the data.
Advancements in Batched Threshold Encryption (BTE)
Standard TE encounters scalability limitations because each server must decrypt every transaction individually and then broadcast a partial decryption share. These individual shares are recorded on-chain for aggregation and verification, leading to significant server communication overhead, network slowdowns, and increased chain congestion. Batched Threshold Encryption (BTE) overcomes this by allowing each server to issue a single, constant-sized decryption share that can unlock an entire batch of transactions, regardless of the batch’s size.
The initial functional version of BTE was developed by Arka Rai Choudhuri, Sanjam Garg, Julien Piet, and Guru-Vamsi Policharla in 2024. This iteration utilized the KZG commitment scheme. This scheme allows a committee of servers to lock a polynomial function to a public key, while keeping the function itself hidden from both users and the committee members initially. Decrypting transactions encrypted with this public key requires proving that they align with the polynomial. Since a polynomial of a fixed degree can be fully defined by a specific number of points, the servers need only exchange a small amount of data to establish this proof. Once the shared curve is established, they can emit a single, compact piece of information derived from it to collectively unlock all transactions within that batch simultaneously.
Crucially, transactions not conforming to the polynomial remain encrypted. This enables the committee to selectively reveal specific subsets of encrypted transactions while keeping others concealed. This mechanism ensures that all transactions outside the chosen batch for execution remain private.
Existing TE implementations, such as Ferveo and MEVade, could potentially integrate BTE to maintain privacy for transactions not included in a batch. BTE also aligns well with layer-2 rollups like Metis, Espresso, and Radius, which are already focused on fairness and privacy through methods such as time-delay encryption or trusted sequencers. By adopting BTE, these rollups could achieve a trustless transaction ordering process, preventing exploitation of transaction visibility for arbitrage or liquidation gains.
However, this early version of BTE had significant drawbacks. It necessitated a complete system reinitialization, including a new round of key generation and parameter setup, every time a new batch of transactions was encrypted. Furthermore, the decryption process was resource-intensive, demanding considerable memory and processing power as nodes worked to combine all partial shares.
These factors limited BTE’s practicality. For example, the requirement for frequent Distributed Key Generation (DKG) executions for committee refreshes and block processing made the scheme effectively unfeasible for moderately sized permissioned committees, let alone any attempt to scale to a permissionless network.
For scenarios involving selective decryption, where validators might only decrypt profitable transactions, traditional BTE makes all decryption shares publicly verifiable. This allows anyone to detect dishonest actions and penalize offenders through slashing mechanisms, maintaining process reliability as long as a threshold of honest servers remains operational.
Evolving BTE: Enhancements in Efficiency and Simplicity
Choudhuri, Garg, Policharla, and Wang addressed some of these limitations in 2025 with the development of a one-time setup BTE scheme. This upgrade substantially improved server communication by requiring only a single initial Distributed Key Generation (DKG) ceremony that would run once across all decryption servers. However, a multiparty computation protocol was still necessary to establish the commitment for each transaction batch.
The first truly epochless BTE scheme was introduced in August 2025 by Bormet, Faust, Othman, and Qu with their BEAT-MEV protocol. This design offered a single, one-time initialization capable of supporting all future transaction batches indefinitely. It achieved this by employing puncturable pseudorandom functions and threshold homomorphic encryption, enabling servers to reuse the same setup parameters without needing repeated ceremonies. Each server’s communication burden during decryption was also minimized, as they only needed to send a small piece of data, thereby keeping server communication costs low.
Projected Performance Improvements in BTE Designs
Following this, another research paper introduced BEAST-MEV, which advanced the concept further with Silent Batched Threshold Encryption (SBTE). This innovation eliminated the need for any interactive setup between servers, replacing repeated coordination with a non-interactive, universal one-time setup that allows nodes to function independently.
Despite this, combining all the partial decryptions still involved computationally intensive interactive processes. To resolve this, BEAST-MEV incorporated BEAT-MEV’s sub-batching technique and leveraged parallel processing. This allowed the system to decrypt large batches, accommodating up to 512 transactions, in under one second. The following table illustrates the performance advancements each successive BTE design brought compared to the original implementation.
BTE’s potential extends to protocols like CoW Swap, which already employ strategies such as batch auctions and intent-based matching to mitigate MEV. However, parts of their order flow remain exposed in public mempools. Integrating BTE prior to solver submission could close this privacy gap, offering end-to-end transaction privacy. While the Shutter Network currently appears to be the most promising candidate for early adoption, other protocols are expected to follow as implementation frameworks mature.
Expert Summary
Batched Threshold Encryption (BTE) represents a significant advancement in cryptographic techniques designed to combat MEV and enhance privacy on blockchains. Evolving from earlier threshold encryption methods, BTE offers improved scalability by allowing a single decryption share to unlock entire batches of transactions, reducing network congestion. While initial implementations faced challenges, subsequent research has yielded more efficient and easier-to-implement solutions, paving the way for potential broader adoption across decentralized protocols.