Batch Threshold Encryption (BTE) Builds on foundational concepts such as Threshold cryptographywhich enables secure collaboration among multiple parties without exposing sensitive data to any single participant. BTE is an evolution of the earliest TE-encrypt mempool schemes, such as shutter, which we have covered before. For now, all existing work on BTE remains in the prototype or research stage, but it could shape the future of decentralized ledgers if successful. This creates a clear opportunity for further research and potential adoption, which we will explore in this article.
In most modern blockchains, transaction data is publicly visible on Mempool Before it is sequential, executed and confirmed in a block. This transparency creates avenues for sophisticated parties to engage in procurement practices known as maximum value acquisition (Mev). MeV takes advantage of the block proposer’s ability to rearrange, include or omit transactions for financial gain.
Common forms of MeV exploitation, such as frontrunning and sandwich attacks, remain widespread, especially on Ethereum, where, during the October 10 flash crash, an estimated $ 2.9 million was obtained. Accurate measurement of the total extractive MeV remains difficult because almost 32% These attacks were privately passed on to miners, with some involving more than 200 subtransactions in a single exploit.
Some researchers have sought to avoid MeV in mempool designs, where pending transactions are held encrypted until block termination. This prevents other blockchain participants from seeing what trades or actions transacting users will make. Many encrypted mempool proposals use some form of Threshold Encryption (TE) for this TE shares a secret key that can unlock transaction data on several servers. Mine in a multisig, a minimum number of signers must work together to combine their key shares and unlock the data.
Why is BTE important?
Standard TE struggles to scale efficiently because each server must decrypt each transaction separately and broadcast a partial decryption share for it. Individual shares are recorded onchain for aggregation and verification. This creates a server communication load that slows down the network and increases chain congestion. BTE solves this limitation by allowing each server to issue a single constant-size decryption that unlocks an entire batch, regardless of size.
The first functional version of BTE, developed by Arka Rai Choudhuri, Sanjam Garg, Julien Piet and Guru-Vamsi Policharla (2024), used the so-called KZG Commitment Scheme. This allows a committee of servers to lock a polynomial function to a public key while keeping that function initially hidden from both users and committee members.
Decrypting transactions encrypted with the public key requires proving that they fit the polynomial. Since a polynomial of fixed degree can be fully determined from a set number of points, the servers only need to collectively exchange a small amount of data to provide this proof. Once the shared curve is established, they can send a single compact piece of information derived from it to unlock all batch transactions at once.
Importantly, transactions that do not fit within the polynomial remain locked, so the committee can select a subset of encrypted transactions while keeping others hidden. This guarantees that all encrypted transactions outside of the batch selected for execution will remain encrypted.
Current TE implementations, such as Ferveo and Mevademay therefore include BTE to preserve privacy for non-batch-included transactions. BTE also fits naturally with layer-2 rollup like mestizo, Espresso and radius. By using BTE, these rollups can achieve a trustless ordering process that prevents anyone from exploiting transaction visibility for arbitrage or liquidation gains.
However, the first version of BTE has two main drawbacks: it requires a full system reconfiguration, including a new round of key generation and parameter setup each time a new batch of transactions is encrypted. Decryption consumed significant memory and processing power as the nodes worked to combine all the partial shares.
Both of these factors limit the practicality of BTE; For example, the frequent DKG implementation required for committee refresh and block processing made the method effectively prohibitive for medium-sized permission committees, let alone any attempt to scale on a permissionless network.
For cases of selective decryption, where validators only decrypt profitable transactions, BTE does all decryption sharing publicly. This allows anyone to detect dishonest behavior and punish offenders by taking down. This keeps the process reliable as long as a threshold of honest servers remains active.
Upgrading to BTE
Choudhuri, Garg, Policharla and Wang (2025) made the first upgrade to BTE to improve server communication through a scheme called One time BTE setup. This method requires only a single initial Distributed Key Generation (DKG) The ceremony that runs once on all decryption servers. However, a multiparty calculation protocol is still required to set up the commitment for each batch.
The first truly no BTE scheme came in August 2025 when Bormet, Faust, Othman and Qu were introduced Beat-meV As a single, one-time startup that can support all future batches. This is achieved using two advanced tools, porous pseudorandom functions and threshold homomorphic encryption, which allow servers to reuse the same setup parameters indefinitely. Each server only needs to send a small piece of data when decrypting, thus keeping server communication costs down.
Overview of expected performance
Down the line, another paper called Beast-mev introduced the concept of silent batched threshold encryption (SBTE) which removes the need for any interactive setup between servers. This replaces repetitive coordination with a non-interactive, universal one-time setup that allows nodes to operate independently.
However, combining all the partial decryptions afterwards still requires heavy interactive calculations. To fix this, Beast-Mev borrowed the sub-batching technique and used parallel processing to let the system decrypt large batches (up to 512 transactions) in under a second. The following table summarizes how each successive BTE design improves upon the original BTE design.
The BTE potential also holds for protocols such as Cow exchange That mitigates MeV through batch auctions and intent-based matching, yet still exposes parts of the order flow to public mempools. Integrating the BTE before the resolver submission will seal the gap and provide end-to-end transaction privacy. For now, Shutter Network remains the most promising candidate for early adoption, with other protocols likely to follow once implementation frameworks become more mature.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should do their own research when making decisions.
This article is for general informational purposes and is not intended to be and should not be construed as legal or investment advice. The views, thoughts, and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Cointelegraph does not endorse the content of this article or any product mentioned herein. Readers should do their own research before taking any action related to any product or company mentioned and take full responsibility for their decisions.
