预编译程序

概要

预编译程序（Ed25519、Secp256k1、Secp256r1）以原生代码方式验证签名，绕过 sBPF 虚拟机。它们用于处理 sBPF 执行速度过慢的加密操作。预编译程序无法通过 CPI 调用。

预编译程序

预编译程序绕过 sBPF 虚拟机，在 validator 内以原生代码运行。它们用于处理 sBPF 执行速度过慢的加密操作。

验证 ed25519 签名

ed25519 程序可在单条指令内验证一个或多个 ed25519 签名。

Program	Program ID	Description	Instructions	Source
Ed25519 Program	`Ed25519SigVerify111111111111111111111111111`	验证 ed25519 签名。如果有任意签名验证失败，则返回错误。	Instructions	Source

该指令的第一个 u8 字节包含要验证的签名数量，后跟一个字节的填充。之后，每个签名会序列化以下结构体一次：

Ed25519SignatureOffsets

struct Ed25519SignatureOffsets {
    signature_offset: u16,             // offset to ed25519 signature of 64 bytes
    signature_instruction_index: u16,  // instruction index to find signature
    public_key_offset: u16,            // offset to public key of 32 bytes
    public_key_instruction_index: u16, // instruction index to find public key
    message_data_offset: u16,          // offset to start of message data
    message_data_size: u16,            // size of message data
    message_instruction_index: u16,    // index of instruction data to get message data
}

Signature verification pseudocode

process_instruction() {
    for i in 0..count {
        // i'th index values referenced:
        instructions = &transaction.message().instructions
        instruction_index = ed25519_signature_instruction_index != u16::MAX ? ed25519_signature_instruction_index : current_instruction;
        signature = instructions[instruction_index].data[ed25519_signature_offset..ed25519_signature_offset + 64]
        instruction_index = ed25519_pubkey_instruction_index != u16::MAX ? ed25519_pubkey_instruction_index : current_instruction;
        pubkey = instructions[instruction_index].data[ed25519_pubkey_offset..ed25519_pubkey_offset + 32]
        instruction_index = ed25519_message_instruction_index != u16::MAX ? ed25519_message_instruction_index : current_instruction;
        message = instructions[instruction_index].data[ed25519_message_data_offset..ed25519_message_data_offset + ed25519_message_data_size]
        if pubkey.verify(signature, message) != Success {
            return Error
        }
    }
    return Success
}

验证 secp256k1 恢复

secp256k1 程序用于验证 secp256k1 公钥恢复操作（ecrecover）。

Program	Program ID	Description	Instructions	Source
Secp256k1 Program	`KeccakSecp256k11111111111111111111111111111`	验证 secp256k1 公钥恢复操作（ecrecover）。	Instructions	Source

该指令的第一个字节包含要验证的公钥数量。之后，每个公钥会序列化以下结构体一次：

SecpSignatureOffsets

struct SecpSignatureOffsets {
    signature_offset: u16,                // offset to [signature,recovery_id] of 64+1 bytes
    signature_instruction_index: u8,      // instruction index to find signature
    eth_address_offset: u16,              // offset to ethereum_address of 20 bytes
    eth_address_instruction_index: u8,    // instruction index to find ethereum address
    message_data_offset: u16,             // offset to start of message data
    message_data_size: u16,               // size of message data
    message_instruction_index: u8,        // instruction index to find message data
}

Recovery verification pseudocode

process_instruction() {
  for i in 0..count {
      // i'th index values referenced:
      instructions = &transaction.message().instructions
      signature = instructions[signature_instruction_index].data[signature_offset..signature_offset + 64]
      recovery_id = instructions[signature_instruction_index].data[signature_offset + 64]
      ref_eth_pubkey = instructions[eth_address_instruction_index].data[eth_address_offset..eth_address_offset + 20]
      message_hash = keccak256(instructions[message_instruction_index].data[message_data_offset..message_data_offset + message_data_size])
      pubkey = ecrecover(signature, recovery_id, message_hash)
      eth_pubkey = keccak256(pubkey[1..])[12..]
      if eth_pubkey != ref_eth_pubkey {
          return Error
      }
  }
  return Success
}

签名和消息数据可以引用交易中的任何 instruction data。通过指定特殊的 instructions sysvar，程序还可以从交易本身读取数据。

交易成本等于需要验证的签名数量乘以每个签名验证的成本。

验证 secp256r1 签名

secp256r1 程序每条指令最多可验证 8 个 secp256r1 签名。

Program	Program ID	Description	Instructions	Source
Secp256r1 Program	`Secp256r1SigVerify1111111111111111111111111`	最多可验证 8 个 secp256r1 签名。需要提供签名、公钥和消息。如果有任何验证失败，则返回错误。	Instructions	Source

该指令的第一个 u8 表示要检查的签名数量，后面跟着一个字节的填充。之后，每个签名会序列化以下结构体一次：

Secp256r1SignatureOffsets

struct Secp256r1SignatureOffsets {
    signature_offset: u16,             // offset to compact secp256r1 signature of 64 bytes
    signature_instruction_index: u16,  // instruction index to find signature
    public_key_offset: u16,            // offset to compressed public key of 33 bytes
    public_key_instruction_index: u16, // instruction index to find public key
    message_data_offset: u16,          // offset to start of message data
    message_data_size: u16,            // size of message data
    message_instruction_index: u16,    // index of instruction data to get message data
}

所有签名都强制使用低 S 值，以避免意外的签名可变性。

Signature verification pseudocode

process_instruction() {
    if data.len() < SIGNATURE_OFFSETS_START {
        return Error
    }

    num_signatures = data[0] as usize
    if num_signatures == 0 || num_signatures > 8 {
        return Error
    }

    expected_data_size = num_signatures * SIGNATURE_OFFSETS_SERIALIZED_SIZE + SIGNATURE_OFFSETS_START
    if data.len() < expected_data_size {
        return Error
    }

    for i in 0..num_signatures {
        offsets = parse_signature_offsets(data, i)

        signature = get_data_slice(data, instruction_datas, offsets.signature_instruction_index, offsets.signature_offset, SIGNATURE_SERIALIZED_SIZE)

        if s > half_curve_order {
            return Error
        }

        pubkey = get_data_slice(data, instruction_datas, offsets.public_key_instruction_index, offsets.public_key_offset, COMPRESSED_PUBKEY_SERIALIZED_SIZE)

        message = get_data_slice(data, instruction_datas, offsets.message_instruction_index, offsets.message_data_offset, offsets.message_data_size)

        if !verify_signature(signature, pubkey, message) {
            return Error
        }
    }

    return Success
}

预编译程序