EIP-191 — Signed Data Prefix

Back to Account & Authentication

EIP-191: Signed Data Standard

EIP-191 introduces the \x19 prefix that disambiguates signed messages from transactions: a wallet signing personal_sign of an arbitrary string actually signs keccak256("\x19Ethereum Signed Message:\n" + len + message). This prevents a malicious dApp from tricking a user into signing a transaction by presenting it as a "message".

Versions

• 0x00 — data with intended validator (a specific contract address).
• 0x01 — structured data (extended by EIP-712).
• 0x45 (E) — personal_sign (the canonical "Sign in with Ethereum" prefix).

Neo Equivalent

Neo wallets distinguish between signing transactions and signing arbitrary messages at the wallet level — there's no need for an in-band byte prefix because the signing API exposes them as separate calls (signTransaction vs signMessage). The Neo C# tab shows the native signature-verification helper used for a signMessage-produced signature; the deployed parity test covers the shared EIP-191 prefix surface.

Live on Neo TestNet

Both implementations are deployed on Neo N3 TestNet (network magic 894710606).

Implementation	Contract Hash	Deploy Tx
Solidity (neo-solc)	0x64d3b4d2e0ce6b26cf0dedad9a5c2d0bf96ddeb1	(reused — see 0x64d3b4d2e0ce6b26cf0dedad9a5c2d0bf96ddeb1)
Neo C# (nccs)	0xd06071f84b917cde1d16c23110f501b9dc3e914e	(reused — see 0xd06071f84b917cde1d16c23110f501b9dc3e914e)

Checked-in snapshot records the deployed admin identity; the manifest now also asserts the shared EIP-191 prefix length. Source pairs under docs/standards-mirror/deployments/eip-191/.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

library SignatureChecker {
    /// EIP-191 v0x45 — personal_sign style.
    function recover(bytes32 messageHash, bytes memory sig)
        internal pure returns (address)
    {
        bytes32 ethHash = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32", messageHash
        ));
        if (sig.length != 65) return address(0);
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        return ecrecover(ethHash, v, r, s);
    }
}

contract LoginVerifier {
    using SignatureChecker for bytes32;

    function login(string calldata message, bytes calldata signature)
        external view returns (address)
    {
        bytes32 hash = keccak256(bytes(message));
        return hash.recover(signature);
    }
}

using System;
using System.ComponentModel;
using Neo;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Attributes;
using Neo.SmartContract.Framework.Native;
using Neo.SmartContract.Framework.Services;

namespace R3E.Examples;

[DisplayName("LoginVerifier")]
[ContractPermission("*", "*")]
public class LoginVerifier : SmartContract
{
    /// <summary>
    /// Verify a wallet-signed message. The wallet's signMessage API hashes the
    /// message internally before signing, exactly like personal_sign on Ethereum,
    /// but without the in-band prefix because the Wallet API distinguishes
    /// "sign transaction" and "sign message" as separate methods.
    /// </summary>
    public static UInt160 Login(string message, ECPoint pubKey, ByteString signature)
    {
        var messageBytes = (ByteString)System.Text.Encoding.UTF8.GetBytes(message);
        var digest = CryptoLib.Sha256(messageBytes);

        if (!CryptoLib.VerifyWithECDsa(digest, pubKey, signature, NamedCurveHash.secp256r1SHA256))
            throw new Exception("invalid signature");

        // Derive the Neo address (script hash) from the public key.
        return Contract.CreateStandardAccount(pubKey);
    }
}

Why the Prefix Doesn't Apply

On Ethereum, signing requests reach the wallet as a single eth_sign / personal_sign RPC call with no type information; the prefix prevents an attacker from constructing a message whose bytes match a valid transaction format.

On Neo, the wallet API (NeoLine, O3, OneGate, NeonWallet) has typed methods — signTransaction(tx) and signMessage(message) are different RPC calls that wallets display differently. The prefix becomes redundant.