Batch Threshold Encryption: Ending Extractive MEV, Reshaping Fairness in DeFi

CN
2 days ago

Batched Threshold Encryption (BTE) builds on the foundational concepts of threshold cryptography, which let multiple participants collaborate securely without exposing sensitive data to any single party. BTE is an upgrade of the earliest TE-based encrypted mempool schemes (such as Shutter), which we have previously reported on. BTE is still at the prototype or research stage, but if breakthroughs are achieved, it has the potential to reshape the future of decentralized ledgers. It therefore offers clear opportunities for further research and application, which this article explores.

On most modern blockchains, transaction data is publicly visible in the mempool before it is ordered, executed, and confirmed in a block. This transparency allows sophisticated participants to engage in predatory practices that capture Maximal Extractable Value (MEV): value that block proposers obtain by reordering, including, or omitting transactions for financial gain.

Common methods of exploiting MEV, such as front-running and sandwich attacks, remain prevalent on platforms like Ethereum. For example, during the flash crash on October 10, approximately $2.9 million was extracted. About 32% of the attacks were relayed to miners through private channels, with some single attacks involving over 200 chained sub-transactions. Therefore, accurately calculating the total MEV extraction remains quite challenging.

Some researchers have tried to prevent MEV with encrypted mempool designs, which keep pending transactions encrypted until the block is finally confirmed. This prevents other blockchain participants from learning in advance what a user's transaction will do. Many encrypted mempool schemes use Threshold Encryption (TE), which splits the key that can reveal transaction data among multiple servers. As with multi-signatures, a minimum number of servers must collaborate and combine their key shares to unlock the data.

Standard TE is limited in scalability because each server must decrypt each transaction separately and broadcast partial decryption shares. These shares are recorded on-chain for aggregation and verification, creating a communication burden on servers, slowing down the network, and exacerbating on-chain congestion. BTE addresses this bottleneck by allowing each server to release only a fixed-size decryption share to unlock the entire batch, regardless of the batch size.
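
To make the bottleneck concrete, the following added example (not code from the article or from any scheme it cites) implements standard t-of-n threshold decryption as hashed ElGamal with Shamir-shared keys and counts the shares a quorum must broadcast for a batch. The toy group, the trusted dealer in place of a DKG, and all function names are assumptions of this example; it does not implement BTE.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def deal(t, n):
    """Shamir-share a decryption key t-of-n (trusted dealer standing in for a DKG)."""
    coeffs = [secrets.randbelow(Q - 1) + 1] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}
    return pow(G, coeffs[0], P), shares  # (public key, {server id: key share})

def _xor_pad(point, data):
    pad = hashlib.shake_256(str(point).encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt(pk, tx):
    """Hashed ElGamal: anyone can encrypt a transaction to the committee key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), _xor_pad(pow(pk, r, P), tx)

def partial_decrypt(key_share, ct):
    """One server's share for ONE ciphertext; it cannot be reused for another."""
    return pow(ct[0], key_share, P)

def combine(partials, ct):
    """Lagrange-interpolate t partial shares in the exponent to recover pk^r."""
    point = 1
    for i in partials:
        lam = 1
        for j in partials:
            if j != i:
                lam = lam * j * pow(j - i, -1, Q) % Q
        point = point * pow(partials[i], lam, P) % P
    return _xor_pad(point, ct[1])

def decrypt_batch(shares, quorum, batch):
    """Standard TE: each quorum member broadcasts one share per transaction."""
    plaintexts, broadcast = [], 0
    for ct in batch:
        partials = {i: partial_decrypt(shares[i], ct) for i in quorum}
        broadcast += len(partials)
        plaintexts.append(combine(partials, ct))
    return plaintexts, broadcast

if __name__ == "__main__":
    pk, shares = deal(t=3, n=5)
    batch = [encrypt(pk, b"constructed tx %d" % i) for i in range(4)]
    print(decrypt_batch(shares, [1, 3, 5], batch))
```

With a quorum of 3 and a batch of 4 transactions the committee broadcasts 12 shares; the goal of BTE is for that count to depend only on the number of servers, not on the batch size.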

The first usable version of BTE, developed by Arka Rai Choudhuri, Sanjam Garg, Julien Piet, and Guru-Vamsi Policharla (2024), employs the KZG commitment scheme. This scheme allows the server committee to lock polynomial functions to a public key while keeping them hidden from both users and committee members.

When decrypting transactions encrypted to the public key, it is necessary to prove that they belong to the polynomial. Since fixed-degree polynomials can be completely determined by a fixed number of points, servers only need to exchange a minimal amount of data to complete the proof. Once the shared curve is established, a single compact piece of information based on that curve can be sent to unlock all transactions within the batch at once.

It should be noted that transactions not belonging to the polynomial will remain encrypted, and the committee can selectively reveal some encrypted transactions as needed, while others remain hidden. This ensures that all encrypted transactions not selected for execution remain in an encrypted state.

Current TE implementations such as Ferveo and MEVade can integrate BTE to protect the privacy of non-batch transactions. BTE is also highly compatible with Layer-2 rollups such as Metis, Espresso, and Radius, which have improved fairness and privacy through delayed encryption or trusted sequencers. With BTE, these rollups can achieve a trustless ordering process, preventing anyone from exploiting transaction visibility for arbitrage or liquidation.

However, the first version of BTE has two major drawbacks. First, the system must be completely reinitialized for each batch of transactions, including a new round of key generation and parameter setup. Second, decryption consumes a significant amount of memory and computing power as nodes merge all partial shares.

These factors limit the practical application of BTE. For instance, the frequent distributed key generation (DKG) runs required for committee refresh and block processing make the scheme nearly infeasible for medium-sized permissioned committees and even harder to scale to permissionless networks.

In selective decryption scenarios, where validators decrypt only profitable transactions, BTE allows all decryption shares to be publicly verified. Anyone can detect dishonest behavior, which can then be penalized through slashing. As long as a sufficient number of honest servers continue to operate, the process remains reliable.

Choudhuri, Garg, Policharla, and Wang (2025) first upgraded BTE by enhancing server communication efficiency through a one-time setup of the BTE scheme. This scheme requires only one initial distributed key generation (DKG) among all decryption servers, but each batch still requires multi-party computation protocol setup commitments.

The truly epoch-free BTE scheme was introduced in August 2025 by Bormet, Faust, Othman, and Qu, who implemented single initialization with BEAT-MEV to support all subsequent batches. This scheme employs puncturable pseudorandom functions and threshold homomorphic encryption, allowing servers to reuse the same parameter settings over the long term. Each server only needs to send a minimal data fragment during decryption, significantly reducing communication costs.

Subsequently, the paper BEAST-MEV proposed the concept of Silent Batched Threshold Encryption (SBTE), which eliminates the need for interactive setup among servers. It replaces repeated coordination with a non-interactive, universal one-time setup, allowing nodes to operate independently.

However, a significant amount of interactive computation is still required when merging all partial decryptions. To address this issue, BEAST-MEV borrowed the sub-batching technique from BEAT-MEV, employing parallel processing to enable the system to decrypt large batches of up to 512 transactions within one second. The table below summarizes the improvements of each generation of BTE designs over the original BTE scheme.

Beyond the application scenarios above, BTE can also be applied to protocols like CoW Swap, which have mitigated MEV through batch auctions and intent matching but still expose some order flow in public mempools. Integrating BTE before solver submission can close this privacy gap and achieve end-to-end transaction protection. Currently, Shutter Network remains the most promising candidate protocol for early applications, and other protocols are expected to follow as the related implementation frameworks mature.


Original: “Batched Threshold Encryption: Ending Extractive MEV and Reshaping DeFi Fairness”
