This is a segment from the 0xResearch newsletter.
The race to make Bitcoin programmable without a soft fork has turned into one of the most creative arms races in crypto.
At the center is BitVM, a framework for proving off-chain computation on Bitcoin via fraud proofs. Its first iteration, now known as BitVM1, used a multi-round interactive protocol. BitVM2 simplified this to a single-round fault proof using a split SNARK verifier, and is already proving practical for early adopters like Build on Bitcoin (BOB), Citrea, and Bitlayer.
Now, BitVM3 proposes to go even further by cutting on-chain fraud proof costs by ~1000x. But there’s a catch: It’s still in the research phase, with critical security, complexity, and data availability challenges to solve before becoming production-ready.
“The overall design of the BitVM bridge between BitVM2 and BitVM3 remains the same,” BOB co-founder Alexei Zamyatin told Blockworks. “The key difference is swapping the SNARK verifier (BitVM2) with a garbled circuit (BitVM3),” he said, adding “we are exploring incorporating elements of the latest BitVM design in our customized hybrid BitVM bridge.”
Garbled circuits are cryptographic gadgets that allow one party to pre-commit to a computation that another can verify without learning the private inputs. In theory, this reduces Bitcoin’s on-chain burden to tiny commitments per logic gate. The approach holds great promise, but it is far from proven at scale, and research is ongoing to address shortcomings before deployment.
Meanwhile, existing bridges are moving ahead on BitVM2. BOB recently launched its latest BitVM2-based bridge testnet with major DeFi partners to enable Bitcoin-backed assets on other chains. BitVM2 is being audited and is expected to be ready for mainnet soon.
“Garbled circuits are an exciting development but they still need quite a bit more research before they could be considered practical to implement,” Zamyatin explained. “It is important to note that the majority of the work to build a bridge using BitVM stays the same when using BitVM2 or BitVM3.”
BitVM2’s current costs aren’t trivial: Zamyatin estimates a worst-case on-chain fraud proof at around $16,000 in transaction fees. But even that is cheaper than Ethereum’s OP Stack fault proofs, which require 14 ETH or more (over $40,000 today) for bonds, and can run into hundreds of ETH to actually prove fraud on-chain.
Meanwhile, other teams are experimenting with different flavors of garbled circuits, as Robin Linus said in the BitVM Builders Telegram group this week:
“Citrea is exploring a classic approach of Yao-style garbling combined with a cut-and-choose method for verifying the circuits’ correctness. That comes at the expense of higher communication and storage cost, but it is nicely simple and relies on very conservative assumptions. In contrast, Alpen Labs is exploring a designated-verifier SNARK, which reduces the communication overhead, but comes at the expense of more exotic cryptography, which isn’t battle-hardened yet and doesn’t work as well with off-the-shelf tooling.”
In simpler terms, Citrea’s method is like making lots of sealed envelopes (“garbled circuits”) that hide each step, then letting the checker randomly open some of them (“cut and choose”) to confirm you didn’t cheat. It’s straightforward and built on time-tested ideas, but you need to send and store piles of envelopes, which is bulky and slow.
Alpen’s method shrinks everything into a single, tiny postcard (“designated-verifier SNARK”) that the checker can read quickly, saving bandwidth and space. The catch is that this postcard relies on newer, more experimental “cryptographic ink” that hasn’t faced as many real-world stress tests and isn’t yet compatible with the standard stationery most developers keep on their desks.
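An added illustration of the cut-and-choose idea described above, not code from Citrea, BitVM or this newsletter: one garbled AND gate is produced in eight copies, and the checker opens half of them by asking for the seeds they were built from. The seed-derived labels, the zero-tag row check and the names `garble`, `evaluate`, `verify_opened` and `run` are assumptions made for this example.

```python
import hashlib, random

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

AND = lambda x, y: x & y
OR = lambda x, y: x | y   # what a cheating garbler substitutes in this demo

def garble(seed, gate=AND):
    """Derive one garbled 2-input gate (the 'sealed envelope') from a seed."""
    # One 16-byte label per (wire, bit); wires: inputs a, b and output o.
    lab = {(w, v): H(seed, w.encode(), bytes([v]))[:16] for w in "abo" for v in (0, 1)}
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            plain = lab["o", gate(x, y)] + bytes(16)  # output label + zero tag
            rows.append(xor(H(lab["a", x], lab["b", y]), plain))
    rows.sort()  # ciphertexts look random, so sorting hides the row order
    return lab, rows

def evaluate(rows, la, lb):
    """With one label per input wire, exactly one row decrypts to a zero tag."""
    pad = H(la, lb)
    for row in rows:
        plain = xor(pad, row)
        if plain[16:] == bytes(16):
            return plain[:16]
    raise ValueError("no row decrypted")

def verify_opened(tables, opened, reveal):
    """Cut-and-choose: rebuild each opened copy from its revealed seed and compare."""
    return all(garble(reveal(i))[1] == tables[i] for i in opened)

def run(n=8, bad=None, rng_seed=0):
    """Garbler sends n copies, checker opens n//2. Returns (accepted, opened)."""
    rng = random.Random(rng_seed)  # reproducible demo only; real seeds need a CSPRNG
    seeds = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)]
    tables = [garble(s, OR if i == bad else AND)[1] for i, s in enumerate(seeds)]
    opened = sorted(rng.sample(range(n), n // 2))
    return verify_opened(tables, opened, lambda i: seeds[i]), opened

if __name__ == "__main__":
    print("honest garbler accepted:", run()[0])
    caught = sum(not run(bad=3, rng_seed=t)[0] for t in range(1000))
    print("one bad copy in 8, caught in", caught, "of 1000 runs")
```

A single bad copy is caught only when it lands in the opened half, so with 4 of 8 copies opened the detection probability is 1/2; raising confidence means sending and storing more copies.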