Batched Threshold Encryption (BTE) builds on foundational concepts such as threshold cryptography, which enable secure collaboration among multiple parties without exposing sensitive data to any single participant. BTE is an evolution of the earliest encrypted mempool schemes based on threshold encryption (TE), such as Shutter, which we have covered previously. For now, all existing work on BTE remains at the prototype or research stage, but it could shape the future of decentralized ledgers if successful. This creates a clear opportunity for more research and potential adoption, which we will explore in this article.
On most modern blockchains, transaction data is publicly viewable in the mempool before it is sequenced, executed and confirmed in a block. This transparency creates avenues for sophisticated parties to engage in extractive practices known as Maximal Extractable Value (MEV). MEV exploits the block proposer’s ability to reorder, include or omit transactions for financial gain.
Typical forms of MEV exploitation, such as frontrunning and sandwich attacks, remain pervasive, particularly on Ethereum, where, during the flash crash on Oct. 10, an estimated $2.9 million was extracted. Accurately measuring total extractive MEV remains difficult because roughly 32% of these attacks were privately relayed to miners, with some involving over 200 chained subtransactions in a single exploit.
Some researchers have sought to prevent MEV with encrypted mempool designs, in which pending transactions are held encrypted until block finalization. This prevents other blockchain participants from seeing what trades or actions the transacting users are about to take. Many encrypted mempool proposals use some form of threshold encryption (TE) for this. TE splits a secret key that can unveil the transaction data among several servers. As in a multisig, where a minimum number of signers must cooperate, a minimum number of servers must work together to combine their key shares and unlock the data.
Why BTE matters
Standard TE struggles to scale efficiently because every server must decrypt each transaction separately and broadcast a partial decryption share for it. These individual shares are recorded onchain for aggregation and verification. This creates a server communication load that slows the network and increases chain congestion. BTE solves this limitation by allowing each server to release a single constant-sized decryption share that unlocks an entire batch, regardless of size.
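The standard TE baseline described above can be made concrete with a short sketch. This is an added example, not code from the article or from any project it names: it uses threshold ElGamal with Shamir key shares, a trusted dealer in place of distributed key generation, and a constructed toy group (`P`, `Q`, `G`) that is far too small for real use. It counts the decryption shares the servers must broadcast for one batch; BTE itself, which needs pairings and KZG commitments, is not implemented here.

```python
import secrets

# Toy Schnorr group, constructed for illustration only (insecure size):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def deal_key(n, t):
    """Trusted-dealer stand-in for DKG: Shamir-share a secret key, threshold t of n."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]      # coeffs[0] is the secret key
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares                    # (public key, key shares)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P             # ElGamal ciphertext (c1, c2)

def partial_decrypt(share, ct):
    """One server's decryption share for ONE ciphertext: c1 ** x_i."""
    return pow(ct[0], share, P)

def combine(ct, partials):
    """Lagrange-interpolate the shares in the exponent to get c1 ** x, then unmask c2."""
    mask = 1
    for i, d in partials.items():
        lam = 1
        for j in partials:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        mask = mask * pow(d, lam, P) % P
    return ct[1] * pow(mask, -1, P) % P

def decrypt_batch(shares, cts, signers):
    """Standard TE: every participating server emits one share per transaction."""
    broadcast = {i: [partial_decrypt(shares[i], ct) for ct in cts] for i in signers}
    plain = [combine(ct, {i: broadcast[i][k] for i in signers})
             for k, ct in enumerate(cts)]
    return plain, sum(len(v) for v in broadcast.values())  # total shares broadcast

if __name__ == "__main__":
    pk, shares = deal_key(n=5, t=3)
    msgs = [11, 222, 1333, 2000]                           # constructed sample "transactions"
    cts = [encrypt(pk, m) for m in msgs]
    plain, sent = decrypt_batch(shares, cts, signers=[1, 3, 5])
    print(plain == msgs, "shares broadcast:", sent)
```

With 3 signers and 4 transactions the servers broadcast 12 shares, and the count grows with the batch; under BTE as described in the article, each server would release one constant-sized share per batch instead.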
The first functional version of BTE, developed by Arka Rai Choudhuri, Sanjam Garg, Julien Piet and Guru-Vamsi Policharla (2024), used the so-called KZG commitment scheme. It lets the committee of servers lock a polynomial function to a public key while keeping that function initially hidden from both users and committee members.
Decrypting transactions that are encrypted to the public key requires proving that they fit into the polynomial. Because a polynomial of fixed degree can be fully determined from a set number of points, the servers only need to collectively exchange a small amount of data to provide this proof. Once the shared curve is established, they can send out a single compact piece of information derived from it to unlock all transactions in the batch at once.
Importantly, transactions that do not fit within the polynomial remain locked, so the committee can selectively reveal a subset of the encrypted transactions while keeping others hidden. This guarantees that every encrypted transaction outside the batch selected for execution remains encrypted.
Current TE implementations, such as Ferveo and MEVade, could therefore integrate BTE to preserve privacy for non-batch-included transactions. BTE also fits naturally with layer-2 rollups such as Metis, Espresso and Radius, which already pursue fairness and privacy through time-delay encryption or trusted sequencers. By using BTE, these rollups could achieve a trustless ordering process that prevents anyone from exploiting transaction visibility for arbitrage or liquidation gains.
However, this first version of BTE had two major drawbacks. First, it required a full reinitialization of the system, including a new round of key generation and parameter setup, each time a new batch of transactions was encrypted. Second, decryption consumed significant memory and processing power as nodes worked to combine all partial shares.
Both of these factors limited BTE’s practicality. For instance, the frequent distributed key generation (DKG) runs required for committee refresh and block processing made the scheme effectively prohibitive for moderately sized permissioned committees, let alone any attempt to scale to a permissionless network.
For cases of selective decryption, where validators only decrypt profitable transactions, BTE makes all decryption shares publicly verifiable. This allows anyone to detect dishonest behavior and penalize offenders via slashing. It keeps the process reliable as long as a threshold of honest servers remains active.
Upgrades to BTE
Choudhuri, Garg, Policharla and Wang (2025) made the…
cointelegraph.com
