We are pleased to announce that BOB’s engineering team has implemented cut-and-choose (a cryptographic technique to verify the honesty of garbled circuits) for BitVM3 using Verifiable Secret Sharing Schemes (VSSS) and adaptor signatures - submitting Bitcoin mainnet transactions for the first time.

Parent tx: 8be08e55c7d414d2c8e7c0d40fccd4ea491cde58642148fab15514e045c6d4ec

Child tx: 576b749303e97efba6ca16ed65b4df325e2f61cff095d63583fbf3483c8cc8a4

Thanks to this implementation, the assert transaction cost is now ~87% cheaper compared to previous approaches using SP1 soldering - with potential for further improvements at the cost of increased precalculation time and storage cost.

The approach was originally proposed by Alpen Labs. BOB led the majority of the implementation, with some VSSS performance optimizations contributed by other BitVM Alliance members. The PR (pull request) is currently being finalized in conjunction with Babylon.

How VSSS and Adaptor Signatures Reduce Costs

VSSS is a method for representing secrets as polynomials. The key property: by revealing just one missing value on the polynomial, you implicitly reveal all the others. So instead of posting multiple secret values on-chain, you post one and the rest follow.
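
The property described above, as an added example that is not BOB's or the BitVM Alliance's code: a toy Feldman-style VSS (an assumption; the post does not say which VSSS construction is used) in which three values of a degree-3 polynomial are already known and revealing a fourth, checked against the dealer's commitments, yields every remaining value. The modulus, generator, coefficients and function names are constructed for illustration.

```python
# Added illustration: toy Feldman-style VSS. All parameters are constructed and
# far too small for real use; they only make the arithmetic easy to follow.
P, Q, G = 2039, 1019, 4  # safe prime P = 2Q + 1; G generates the order-Q subgroup

def evaluate(coeffs, x):
    """Evaluate f(x) = sum(coeffs[j] * x^j) mod Q using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def commit(coeffs):
    """Commitments C_j = G^coeffs[j] mod P, published by the dealer."""
    return [pow(G, c, P) for c in coeffs]

def verify_share(commitments, x, y):
    """Check G^y == prod(C_j^(x^j)) mod P, i.e. that y really is f(x)."""
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(x, j, Q), P) % P
    return pow(G, y, P) == rhs

def interpolate(points, x):
    """Lagrange interpolation mod Q: value at x of the polynomial through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def recover_hidden(known, revealed, commitments, hidden_xs):
    """Given deg(f) known points plus one verified reveal, derive every hidden f(x)."""
    if not verify_share(commitments, *revealed):
        raise ValueError("revealed value does not match the commitments")
    return {x: interpolate(known + [revealed], x) for x in hidden_xs}

def demo():
    coeffs = [321, 77, 905, 14]                            # constructed degree-3 polynomial
    commitments = commit(coeffs)
    known = [(x, evaluate(coeffs, x)) for x in (1, 2, 3)]  # values already disclosed
    revealed = (4, evaluate(coeffs, 4))                    # the single value posted later
    hidden = recover_hidden(known, revealed, commitments, range(5, 10))
    return coeffs, commitments, hidden
```

With only the three known points the interpolation gives wrong values for the hidden positions; the fourth point is what pins the polynomial down.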

Adaptor signatures allow a committed secret value to be revealed in the form of a signature - the secret can then be extracted directly from the signature itself, removing the need for separate on-chain disclosure. The real efficiency gain here comes from using wide labels: the transaction is set up so that a signature check can be satisfied by any one of 256 possible values. This allows 8 input bits to be revealed using a single signature check, a significant on-chain cost saving compared to checking each bit individually.

Together, these techniques compress assert transactions into something cheaper and more practical.

A few firsts along the way

Getting these transactions on-chain wasn't straightforward. The implementation worked in simulation but was rejected by Bitcoin due to invalid signature errors. Debugging revealed issues in two separate tools, prompting a fix for one and an issue report for the other. This effort also surfaced some notable firsts.

After three months of scanning Bitcoin blocks, the team suspects these transactions may be one of the first - if not the first - uses of a p2tr OP_CODESEPARATOR on mainnet. They also use several newer Bitcoin features: V3 transactions, p2a output types (only ~100 existing uses on mainnet), and ephemeral anchors - all of which are key to a practical BitVM implementation.

BOB is excited to be pushing the boundaries of Bitcoin functionality to enable native BTC DeFi, and we expect more discoveries and improvements to Bitcoin tooling along the way.

Why This Matters for Native BTC on BOB

BitVM3 is the next evolution of BitVM - the technology that will power BOB's native BTC bridge, enabling trust-minimized Bitcoin transfers without custodians or wrappers. Compared to BitVM2, BitVM3 uses garbled circuits to dramatically reduce on-chain costs, making disputes roughly 1,000x cheaper to resolve.

Reducing assert transaction size is one of the most important practical improvements. Smaller transactions mean lower fees, which makes the BitVM bridge viable for a broader range of use cases, not just large institutional transfers.

This implementation also lays the groundwork for dynamic public inputs, a capability BOB will need to enable the reuse of garbled circuits - significantly cutting down on storage cost overhead. 

Sander Bosma, Staff Engineer at BOB, had this to say on the recent implementation:

"Sometimes it feels like Bitcoin is slow moving. But then there are times like these, where new technologies like BitVM3, VSSS and ephemeral anchors are being used in conjunction for the first time on mainnet. It's really exciting to see everything come together and be a part of this journey."

What's Next

Beyond the immediate cost savings, the recent implementation and the work that went into it have deepened BOB's understanding of BitVM3 internals, which will be invaluable for integrating the technology into BOB's client infrastructure.

The next step is implementing dynamic public inputs, building on the techniques developed here. In the meantime, the team will continue to work diligently on ensuring the BitVM bridge is ready for mainnet, targeted for early 2026.