Threshold Encryption
The leader cannot decrypt before commitment.
Problem
How does the protocol prevent leaders from seeing transaction content before committing to ordering? The leader's information advantage is the structural cause of MEV.
Solution
t-of-n threshold encryption to the active validator set.
Transactions are encrypted to a t-of-n threshold of the active validator set on entry to the mempool. The leader proposes a block ordering over encrypted transactions. The block is finalized over the encrypted ordering. Decryption shares are then released by validators and combined to produce the cleartext for execution.
The encryption scheme is ECDH-based threshold in Phase 1, with migration to Kyber-based (FIPS 203) threshold in Phase 3. The t-of-n parameters are tuned to match the consensus committee structure and require active liveness from a supermajority of validators to decrypt — meaning validators cannot collude to selectively decrypt transactions before commitment without colluding to halt consensus.
Discussion
Threshold encryption is the operational difference between a chain that has MEV and a chain that does not. It is also the part of the design that ordinary validators are most concerned about, because it adds a per-block decryption round and complicates the validator runtime.
200ms per block in the testnet conditions — meaningful but well below what most users would notice for non-HFT use cases.
See Also
- § 3.4 · MEV-Resistant Ordering — the ordering rule applied over encrypted content
- § 2.3 · Fairness as Protocol-Level Ordering — the property this primitive enforces