[Ethereum] Should signed text messages use the “\x19Ethereum Signed Message” prefix

signature

Background: I want to implement sign message feature in Trezor.

Is there a standard for signing text messages?

So far I found out that etherscan.io signs messages without the prefix, i.e. it signs keccak(msg), but also accepts signatures "with Geth prefix" of keccak("\x19Ethereum Signed Message\n32"+keccak(msg)). Signed messages of the form keccak("\x19Ethereum Signed Message\n"+strlen(msg)+msg) are not accepted.

MyEtherWallet only accepts messages signed without any prefix.

Without the prefix one can misuse the sign message feature to sign a transaction, though. Is this intentional?

Best Answer

There's no official standard (at the time of this writing) and has been debated for a while in this EIP thread EIP #683

According to issue #3731:

Geth prepends the string \x19Ethereum Signed Message:\n<length of message> to all data before signing it (https://github.com/ethereum/wiki/wiki/JSON-RPC#eth_sign). If you want to verify such a signature from Solidity, you'll have to prepend the same string in solidity before doing the ecrecovery.

Signature without Prefix – Sign Without \u201C\x19Ethereum Signed Message\u201D Prefix

ethereumjs-util has the hashPersonalMessage method which adds the prefix and signs it.

You can look at the codebase and see how this is implemented:

exports.hashPersonalMessage = function (message) {
  var prefix = exports.toBuffer('\u0019Ethereum Signed Message:\n' + message.length.toString())
  return exports.sha3(Buffer.concat([prefix, message]))
}

It is fairly apparent how you can modify this code snippet to not prepend the prefix :)

Signature – Verification of Externally-Created ECDSA Signatures in Solidity

The main issue is that you're signing "TEST" but then trying to recover the signer as though you signed a hash of "\x19Ethereum Signed Message:\n4TEST".

I'm also not confident you're emitting the public key properly, but you presumably only want the address anyway. Here's some working code:

Go:

package main

import (
    "crypto/ecdsa"
    "fmt"

    "crypto/rand"
    "encoding/hex"
    "github.com/ethereum/go-ethereum/common/math"
    "github.com/ethereum/go-ethereum/crypto"
    "github.com/ethereum/go-ethereum/crypto/secp256k1"
    "github.com/miguelmota/go-solidity-sha3"
)

func main() {
    key, err := ecdsa.GenerateKey(crypto.S256(), rand.Reader)
    if err != nil {
        panic(err)
    }

    message := "TEST"
    // Turn the message into a 32-byte hash
    hash := solsha3.SoliditySHA3(solsha3.String(message))
    // Prefix and then hash to mimic behavior of eth_sign
    prefixed := solsha3.SoliditySHA3(solsha3.String("\x19Ethereum Signed Message:\n32" + hex.EncodeToString(hash)))
    sig, err := secp256k1.Sign(prefixed, math.PaddedBigBytes(key.D, 32))
    if err != nil {
        panic(err)
    }

    fmt.Println("private key:", hex.EncodeToString(math.PaddedBigBytes(key.D, 32)))
    fmt.Println("address:", hex.EncodeToString(crypto.PubkeyToAddress(key.PublicKey).Bytes()))
    fmt.Println("message:", hex.EncodeToString(prefixed))
    fmt.Println("signature:", hex.EncodeToString(sig))
}

Solidity (values come from the Go program's output):

pragma solidity ^0.4.24;

contract Test {
    function recover(bytes32 hash, bytes sig)
        internal
        pure
        returns (address)
    {
        bytes32 r;
        bytes32 s;
        uint8 v;

        // Check the signature length
        if (sig.length != 65) {
            return (address(0));
        }

        // Divide the signature in r, s and v variables
        // ecrecover takes the signature parameters, and the only way to get them
        // currently is to use assembly.
        // solium-disable-next-line security/no-inline-assembly
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }

        // Version of signature should be 27 or 28, but 0 and 1 are also possible versions
        if (v < 27) {
            v += 27;
        }

        // If the version is correct return the signer address
        if (v != 27 && v != 28) {
            return (address(0));
        } else {
            // solium-disable-next-line arg-overflow
            return ecrecover(hash, v, r, s);
        }
    }

    function verifySignature() public pure returns (bool) {
        bytes32 message = 0x2b350a58f723b94ef3992ad0d3046f2398aef2fe117dc3a36737fb29df4a706a;
        bytes memory sig = hex"e6ca6508de09cbb639216743721076bc8beb7bb45e796e0e3422872f9f0fcd362e693be7ca40e2123dd1efaf71ebb94d38052458281ad3b69ec8977c8294928400";
        address addr = 0x8e6a1f13a9c6b9443fea4393291308ac4c965b69;

        return recover(message, sig) == addr;
    }
}

Best Answer

Related Solutions

Signature without Prefix – Sign Without \u201C\x19Ethereum Signed Message\u201D Prefix

Signature – Verification of Externally-Created ECDSA Signatures in Solidity

Related Topic