BitVM3 promises cheaper Bitcoin bridges — but not yet
BitVM3’s “garbled circuit” approach faces critical security and scaling research before it will be practical

This is a segment from the 0xResearch newsletter.
The race to make Bitcoin programmable without a soft fork has turned into one of the most creative arms races in crypto.
At the center is BitVM, a framework for proving off-chain computation on Bitcoin via fraud proofs. Its first iteration, now known as BitVM1, used a multi-round interactive protocol. BitVM2 simplified this to a single-round fault proof using a split SNARK verifier, and is already proving practical for early adopters like Build on Bitcoin (BOB), Citrea and Bitlayer.
Now, BitVM3 proposes to go even further by cutting onchain fraud proof costs by ~1000x. But there’s a catch: It’s still in the research phase, with critical security, complexity and data availability challenges to solve before becoming production-ready.
“The overall design of the BitVM bridge between BitVM2 and BitVM3 remains the same,” BOB co-founder Alexei Zamyatin told Blockworks. “The key difference is swapping the SNARK verifier (BitVM2) with a garbled circuit (BitVM3),” he said, adding, “we are exploring incorporating elements of the latest BitVM design in our customised hybrid BitVM bridge.”
Garbled circuits are cryptographic gadgets that allow one party to pre-commit to a computation that another can verify without learning the private inputs. In theory, this reduces Bitcoin’s onchain burden to tiny commitments per logic gate. While the approach holds great promise, it’s far from proven at scale, and research is ongoing to address shortcomings before deployment.
Meanwhile, existing bridges are moving ahead on BitVM2. BOB recently launched its latest BitVM2-based bridge testnet with major DeFi partners to enable Bitcoin-backed assets on other chains. BitVM2 is being audited and is expected to be ready for mainnet soon.
“Garbled circuits are an exciting development but they still need quite a bit more research before they could be considered practical to implement,” Zamyatin explained. “It is important to note that the majority of the work to build a bridge using BitVM stays the same [when] using BitVM2 or BitVM3.”
BitVM2’s current costs aren’t trivial: Zamyatin estimates a worst-case onchain fraud proof at around $16,000 in transaction fees. But even that is cheaper than Ethereum’s OP Stack fault proofs, which require 14 ETH or more (over $40,000 today) for bonds, and can run into hundreds of ETH to actually prove fraud onchain.
Meanwhile, other teams are experimenting with different flavors of garbled circuits, as Robin Linus said in the BitVM Builders Telegram group this week:
“Citrea is exploring a classic approach of Yao-style garbling combined with a cut-and-choose method for verifying the circuits’ correctness. That comes at the expense of higher communication and storage cost, but it is nicely simple and relies on very conservative assumptions. In contrast, Alpen [Labs] is exploring a designated-verifier SNARK, which reduces the communication overhead, but comes at the expense of more exotic cryptography, which isn’t battle-hardened yet and doesn’t work as well with off-the-shelf tooling.”
In simpler terms, Citrea’s method is like making lots of sealed envelopes (“garbled circuits”) that hide each step, then letting the checker randomly open some of them (“cut and choose”) to confirm you didn’t cheat. It’s straightforward and built on time-tested ideas, but you need to send and store piles of envelopes, which is bulky and slow.
Alpen’s method shrinks everything into a single, tiny postcard (“designated-verifier SNARK”) that the checker can read quickly, saving bandwidth and space. The catch is that this postcard relies on newer, more experimental “cryptographic ink” that hasn’t faced as many real-world stress tests and isn’t yet compatible with the standard stationery most developers keep on their desks.
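The "sealed envelopes, open some at random" check described above, as an added toy example (not code from BitVM3, Citrea or Alpen): one AND gate is garbled Yao-style from a seed, the garbler commits to several copies, and the verifier re-derives the opened copies to catch a garbler who swapped in a different gate. All function names, the seed-derived labels and the sample seeds are assumptions made for illustration, and `random` stands in for a cryptographic shuffle.

```python
import hashlib, hmac, itertools, random

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def garble(seed: bytes, gate=lambda a, b: a & b):
    """Derive wire labels and a 4-row garbled table for one gate from a seed."""
    labels = {(w, bit): prf(seed, f"{w}{bit}".encode())[:16]
              for w in "abc" for bit in (0, 1)}
    rows = []
    for a, b in itertools.product((0, 1), repeat=2):
        pad = prf(labels["a", a] + labels["b", b], b"row")
        # Output label plus 16 zero bytes so the evaluator can spot the right row.
        rows.append(xor(pad, labels["c", gate(a, b)] + bytes(16)))
    random.Random(seed).shuffle(rows)  # toy shuffle: row order must not leak inputs
    return labels, rows

def evaluate(rows, label_a: bytes, label_b: bytes) -> bytes:
    """Evaluator holds one label per input wire and learns only one output label."""
    pad = prf(label_a + label_b, b"row")
    for row in rows:
        plain = xor(pad, row)
        if plain[16:] == bytes(16):
            return plain[:16]
    raise ValueError("no row decrypted")

def commit(rows) -> str:
    return hashlib.sha256(b"".join(rows)).hexdigest()

def prover_commitments(seeds, bad=()):
    """Garbler commits to one copy per seed; copies in `bad` garble OR, not AND."""
    cheat = lambda a, b: a | b
    return [commit(garble(s, cheat)[1]) if i in bad else commit(garble(s)[1])
            for i, s in enumerate(seeds)]

def cut_and_choose(seeds, commitments, opened) -> bool:
    """Verifier re-derives each opened copy as an honest AND gate from its seed."""
    return all(commit(garble(seeds[i])[1]) == commitments[i] for i in opened)

def catch_rate(n: int, bad, k: int) -> float:
    """Fraction of k-of-n opening choices that expose at least one bad copy."""
    seeds = [bytes([i]) * 16 for i in range(n)]  # constructed sample seeds
    comms = prover_commitments(seeds, bad)
    subsets = list(itertools.combinations(range(n), k))
    return sum(not cut_and_choose(seeds, comms, s) for s in subsets) / len(subsets)
```

With 8 copies, one corrupted copy and 4 opened, `catch_rate(8, {3}, 4)` is 0.5: a single check is weak, so confidence comes from garbling and storing many copies, which is the communication and storage cost the quote refers to.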
Ultimately, the entire effort gets dramatically easier if Bitcoin Core can agree on new opcodes in a soft fork — like CTV or TXHASH — that would let these protocols enforce covenant-like spending conditions without relying on elaborate multisig setups. But a periodic glance at the Wiki-style page that tracks stakeholder views on new opcodes shows that consensus building is a painfully slow process.
“One thing that’s looking more and more likely is CTV — but it also depends on the flavor,” Zamyatin told me. For instance, a new proposal just two days ago is not as favorable for BitVM, he said, and therefore unlikely to win support from most L2 builders.
So, BitVM3 remains a highly promising but deeply experimental approach. Meanwhile, BitVM2 bridges and other approaches look set to be Bitcoin’s next major step toward trust-minimized layer-2 scaling.