SIMD-0075: Precompile for Secp256r1

Cargo.toml

@@ -460,6 +460,7 @@ solana-rayon-threadlimit = { path = "rayon-threadlimit", version = "=2.1.0" }
 solana-remote-wallet = { path = "remote-wallet", version = "=2.1.0", default-features = false }
 solana-rent = { path = "sdk/rent", version = "=2.1.0", default-features = false }
 solana-sanitize = { path = "sdk/sanitize", version = "=2.1.0" }
+solana-secp256r1 = { path = "sdk/secp256r1", version = "=2.1.0" }
 solana-serde-varint = { path = "sdk/serde-varint", version = "=2.1.0" }
 solana-serialize-utils = { path = "sdk/serialize-utils", version = "=2.1.0" }
 solana-sha256-hasher = { path = "sdk/sha256-hasher", version = "=2.1.0" }

docs/src/runtime/programs.md

@@ -168,6 +168,71 @@ also receive data from the transaction itself.
 Cost of the transaction will count the number of signatures to verify multiplied
 by the signature cost verify multiplier.
 
+## Secp256r1 Program
+
+The program for verifying secp256r1 signatures. It takes a secp256r1 signature,
+a public key, and a message. Up to 8 signatures can be verified. If any of the
+signatures fail to verify, an error is returned.
+
+- Program id: `Secp256r1SigVerify1111111111111111111111111`
+- Instructions: [secp256r1_instruction](https://docs.rs/solana-secp256r1)
+
+The secp256r1 program processes an instruction. The first `u8` is a count of the number of signatures to check, followed by a single byte padding. After that, the following struct is serialized, one for each signature to check:
+
+```rust
+struct Secp256r1SignatureOffsets {
+    signature_offset: u16,             // offset to compact secp256r1 signature of 64 bytes
+    signature_instruction_index: u16,  // instruction index to find signature
+    public_key_offset: u16,            // offset to compressed public key of 33 bytes
+    public_key_instruction_index: u16, // instruction index to find public key
+    message_data_offset: u16,          // offset to start of message data
+    message_data_size: u16,            // size of message data
+    message_instruction_index: u16,    // index of instruction data to get message data
+}
+
+```
+
+The pseudo code of the signature verification:
+
+process_instruction() {
+    if data.len() < SIGNATURE_OFFSETS_START {
+        return Error
+    }
+
+    num_signatures = data[0] as usize
+    if num_signatures == 0 || num_signatures > 8 {
+        return Error
+    }
+
+    expected_data_size = num_signatures * SIGNATURE_OFFSETS_SERIALIZED_SIZE + SIGNATURE_OFFSETS_START
+    if data.len() < expected_data_size {
+        return Error
+    }
+
+    for i in 0..num_signatures {
+        offsets = parse_signature_offsets(data, i)
+
+        signature = get_data_slice(data, instruction_datas, offsets.signature_instruction_index, offsets.signature_offset, SIGNATURE_SERIALIZED_SIZE)
+
+        if s > half_curve_order {
+            return Error
+        }
+
+        pubkey = get_data_slice(data, instruction_datas, offsets.public_key_instruction_index, offsets.public_key_offset, COMPRESSED_PUBKEY_SERIALIZED_SIZE)
+
+        message = get_data_slice(data, instruction_datas, offsets.message_instruction_index, offsets.message_data_offset, offsets.message_data_size)
+
+        if !verify_signature(signature, pubkey, message) {
+            return Error
+        }
+    }
+
+    return Success
+}
+
+Note: Low S values are enforced for all signatures to avoid accidental signature
+malleability.
+
 ### Optimization notes
 
 The operation will have to take place after (at least partial) deserialization,