BitVM3 was released last month (#1006977), but then a fellow named Liam Eagen broke the cryptography on it:
The garbling scheme proposed in BitVM3 is likely broken in general for circuits with gates of fanout greater than. This renders the scheme impractical for SNARK verification on bitcoin. Before continuing work on the BitVM3 garbling scheme, we believe these issues should be addressed. We understand that several other teams have discovered attacks on the BitVM3 garbling scheme as well. [source[(https://hackmd.io/@liameagen/bitvm3-garbling-note)
So Robin Linus released a new version of BitVM3: BitVM3s. (The new version is hosted at the exact same url as the old version, so, when you go to download the BitVM3 pdf, you will now get version 3s, even though the file is simply called BitVM3.pdf)
BitVM 3s is the secure, simple, and Script-based successor to the earlier RSA-based prototype, now referred to as BitVM3-RSA.
What is kinda cool is that BitVM3s introduces a new has function called BitHash which is "optimized for the intricacies of Bitcoin Script."
This new hash function is apparently pretty efficient (even this statement is a little beyond my own understanding, so I'm taking other people's word for it).
Here's what it looks like, if you're interested (from page 4 of the 3s paper):
BitHash processes a 160-bit preimage bit-by-bit, using each bit to select between RIPEMD160 and SHA256:
// Unlocking Script: 160 bits of preimage
// <bit159><bit158>...<bit1><bit0>
//
// Locking Script
// <staticinitialvalue>// e.g., 0 x00000000
repeat 160 times:
OP SWAP
OP IF
OP RIPEMD160
OP ELSE
OP SHA256
OP ENDIF
OP RIPEMD160
<expected hash>
OP EQUALVERIFY