How Batched Threshold Encryption could end extractive MEV and make DeFi fair again

Batched Threshold Encryption (BTE) builds on foundational concepts such as threshold cryptography, which enable secure collaboration among multiple parties without exposing sensitive data to any single participant. BTE is an evolution of the earliest TE-encrypted mempool schemes, such as Shutter, which we have covered previously. For now, all existing work on BTE remains at the prototype or research stage, but it could shape the future of decentralized ledgers if successful. This creates a clear opportunity for more research and potential adoption, which we will explore in this article. 

On most modern blockchains, transaction data is publicly viewable in the mempool before it is sequenced, executed and confirmed in a block. This transparency creates avenues for sophisticated parties to engage in extractive practices known as Maximal Extractable Value (MEV). MEV exploits the block proposer’s ability to reorder, include or omit transactions for financial gain. 

Typical forms of MEV exploitation, such as frontrunning and sandwich attacks, remain pervasive, particularly on Ethereum, where, during the flash crash on Oct. 10, an estimated $2.9 million was extracted. Accurately measuring total extractive MEV remains difficult because roughly 32% of these attacks were privately relayed to miners, with some involving over 200 chained subtransactions in a single exploit.

Some researchers have sought to prevent MEV with mempool designs, where pending transactions are held encrypted until block finalization. This prevents other blockchain participants from seeing what trades or actions the transacting users are about to take. Many encrypted mempool proposals use some form of threshold encryption (TE) for this. TE splits a secret key that can unveil the transaction data among several servers. Akin to a multisig, a minimum number of signers must work together to combine their key shares and unlock the data.

Why BTE matters

Standard TE struggles to scale efficiently because every server must decrypt each transaction separately and broadcast a partial decryption share for it. These individual shares are recorded onchain for aggregation and verification. This creates a server communication load that slows the network and increases chain congestion. BTE solves this limitation by allowing each server to release a single constant-sized decryption share that unlocks an entire batch, regardless of size. 

The first functional version of BTE, developed by Arka Rai Choudhuri, Sanjam Garg, Julien Piet and Guru-Vamsi Policharla (2024), used the so-called KZG commitment scheme. It lets the committee of servers lock a polynomial function to a public key while keeping that function initially hidden from both users and committee members.

Decrypting transactions that are encrypted to the public key requires proving that they fit into the polynomial. Because a polynomial of fixed degree can be fully determined from a set number of points, the servers only need to collectively exchange a small amount of data to provide this proof. Once the shared curve is established, they can send out a single compact piece of information derived from it to unlock all transactions in the batch at once.  

Importantly, transactions that do not fit within the polynomial remain locked, so the committee can selectively reveal a subset of the encrypted transactions while keeping others hidden. This guarantees that all encrypted transactions outside the selected batch for execution remain encrypted.

Current TE implementations, such as Ferveo and MEVade, could therefore integrate BTE to preserve privacy for non-batch-included transactions. BTE also fits naturally with layer-2 rollups such as Metis, Espresso and Radius, which already pursue fairness and privacy through time-delay encryption or trusted sequencers. By using BTE, these rollups could achieve a trustless ordering process that prevents anyone from exploiting transaction visibility for arbitrage or liquidation gains.

However, this first version of BTE had two major drawbacks: It required a full reinitialization of the system, including a new round of key generation and parameter setup each time a new batch of transactions was encrypted. Decryption consumed significant memory and processing power as nodes worked to combine all partial shares.

Both of these factors limited BTE’s practicality; for instance, the required frequent DKG execution for committee refresh and block processing made the scheme effectively prohibitive for moderately sized permissioned committees, let alone any attempt to scale to a permissionless network.

For cases of selective decryption, where validators only decrypt profitable transactions, BTE makes all decryption shares publicly verifiable. This allows anyone to detect dishonest behavior and penalize offenders via slashing. It keeps the process reliable as long as a threshold of honest servers remains active.

Upgrades to BTE

Choudhuri, Garg, Policharla and Wang (2025) made the first upgrade to BTE to improve server communication through a scheme called the one-time setup BTE. This scheme only required a single initial Distributed Key Generation (DKG) ceremony that runs once across all decryption servers. However, a multiparty computation protocol was still required to set up the commitment for each batch.

The first truly epochless BTE scheme came in August 2025 when Bormet, Faust, Othman and Qu introduced BEAT-MEV as a single, one-time initialization that could support all future batches. It achieved this using two advanced tools, puncturable pseudorandom functions and threshold homomorphic encryption, allowing servers to reuse the same setup parameters indefinitely. Each server only needed to send a small piece of data when decrypting, thus keeping server communication costs low.

Overview of projected performance

Down the line, another paper called BEAST-MEV introduced the concept of Silent Batched Threshold Encryption (SBTE) that removed the need for any interactive setup between servers. It replaced repeated coordination with a non-interactive, universal one-time setup that allows nodes to operate independently.

However, combining all the partial decryptions afterward still required heavy interactive computation. To fix this, BEAST-MEV borrowed BEAT-MEV’s sub-batching technique and used parallel processing to let the system decrypt large batches (up to 512 transactions) in under one second. The following table summarizes how each successive BTE design improves on the original BTE design.

BTE’s potential also holds for protocols such as CoW Swap that already mitigate MEV through batch auctions and intent-based matching, yet still expose parts of the order flow in public mempools. Integrating BTE before solver submission would seal that gap and provide end-to-end transaction privacy. For now, Shutter Network remains the most promising candidate for early adoption, with other protocols likely to follow once implementation frameworks become more mature.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Cointelegraph does not endorse the content of this article nor any product mentioned herein. Readers should do their own research before taking any action related to any product or company mentioned and carry full responsibility for their decisions.