Instructions for the secp256r1 native program
Note on Signature Malleability: This precompile requires low-S values in signatures (s <= half_curve_order) to prevent signature malleability. Signature malleability means that for a valid signature (r,s), (r, order-s) is also valid for the same message and public key.
This property can be problematic for developers who assume each signature is unique. Without enforcing low-S values, the same message and key can produce two different valid signatures, potentially breaking replay protection schemes that rely on signature uniqueness.