DEV Community

BuildCoreWorks
BuildCoreWorks

Posted on

Unleashing Native‑Speed Crypto in PHP: Introducing php‑secp256k1 & php‑keccak256

#webdev #programming #blockchain #opensource

Have you ever tried to build a blockchain wallet or an NFT marketplace in PHP and felt like you were wearing lead boots? You’re not alone. PHP remains widely used in production and by a large share of working developers, but cryptographic workloads have traditionally been its kryptonite. Pure-PHP libraries for signing and hashing do the job, but when you need to sign or verify thousands of transactions per second, 100 milliseconds per call is the difference between “Hello, world!” and “Sorry, network timeout.” (The JetBrains Blog)

Why pure-PHP crypto hurts

Let’s quantify the pain. A widely used pure-PHP ECDSA (secp256k1) implementation benchmarks at ~90–136 ms per signature and ~100–135 ms per verification. At that rate, a node processing 1,000 TPS would spend ~2–4 minutes computing signatures/verifications for just one second’s workload—nowhere near real-time.

Enter php-secp256k1: native-speed ECDSA

Secp256k1 is the elliptic curve chosen by Bitcoin and Ethereum for digital signatures. Thanks to its structure, a tuned implementation can be ~30% faster than many other curves. Our php-secp256k1 wraps Bitcoin Core’s battle-tested libsecp256k1 C library as a PHP extension, so you get the same engine—just callable from PHP. In benchmarks, the extension delivers ~0.03–0.06 ms per signature and ~0.04–0.06 ms per verification. On an AMD Ryzen 7 3700X, that’s 0.030 ms/sign vs 89.6 ms in pure PHP, turning 100,000 signatures from hours into ~3–5 seconds. (Bitcoin Wiki)

<?php
// Sign a 32-byte message hash with a private key (64-char hex)
$signature = secp256k1_sign($hash, $privateKey);

// Verify a signature with the message hash and public key
$isValid = secp256k1_verify($hash, $signature, $publicKey);

// Recover the public key (Ethereum-style) from a signature and message hash
$publicKey = secp256k1_recover($hash, $signature);
Enter fullscreen mode Exit fullscreen mode

Under the hood, the extension randomises context, zeroes sensitive memory, and exposes sign/verify/recover (Ethereum-style) in a thread-safe package—production-ready for FPM/CLI/frameworks. (DEV Community)

Enter php-keccak256: lightning-fast hashing

Keccak-256 (often called SHA-3) underpins Ethereum: address derivation, transaction hashing, event topics—the works. Ethereum externally owned account (EOA) addresses are the last 20 bytes of the Keccak-256 hash of the uncompressed public key. Pure PHP clocks ~0.28–0.44 ms per hash; the native extension cuts this to ~0.018–0.032 ms—about 15× faster. A million hashes drop from minutes to under half a minute. (Ethereum Stack Exchange)

<?php
// Hash any string and return hex output by default (or raw binary if $raw = true)
$hash = keccak_hash($data, $raw = false);
Enter fullscreen mode Exit fullscreen mode

Putting it together: an end-to-end Ethereum workflow in PHP 

<?php
// 1) Prepare transaction data and compute its Keccak-256 hash
$messageHash = keccak_hash($transactionData);

// 2) Sign the hash with a secp256k1 private key
$signature   = secp256k1_sign($messageHash, $privateKey);

// 3) Recover the public key (useful for smart-contract signatures)
$publicKey   = secp256k1_recover($messageHash, $signature);

// 4) Derive Ethereum address: last 20 bytes of Keccak(pubkey)
$address     = '0x' . substr(keccak_hash(hex2bin($publicKey)), -40);
Enter fullscreen mode Exit fullscreen mode

That one PHP snippet signs transactions, recovers the signer, and derives an address—no external process or second language required. And because signing and hashing now run in microseconds, you can build dApps, payment gateways, or nodes that chew through tens of thousands of ops per second on commodity hardware. (DEV Community)

Getting started 

# Dependencies
sudo apt-get update
sudo apt-get install -y libsecp256k1-dev libssl-dev php-dev build-essential

# php-secp256k1
git clone https://github.com/BuildCoreWorks/php-secp256k1.git
cd php-secp256k1 && phpize && ./configure && make && sudo make install
echo "extension=secp256k1.so" | sudo tee /etc/php/8.1/mods-available/secp256k1.ini
sudo phpenmod secp256k1

# php-keccak256
git clone https://github.com/BuildCoreWorks/php-keccak256.git
cd php-keccak256 && phpize && ./configure && make && sudo make install
echo "extension=keccak.so" | sudo tee /etc/php/8.1/mods-available/keccak.ini
sudo phpenmod keccak
Enter fullscreen mode Exit fullscreen mode

Both extensions are open source; see the GitHub READMEs for full docs and benchmarks. (GitHub)

Why secp256k1 & Keccak-256 (quick context)

  • secp256k1 was selected for Bitcoin/Ethereum and, when well-optimised, can outperform other common curves thanks to its structure. (Bitcoin Wiki)
  • Keccak-256 (Ethereum’s hashing workhorse) is used for address derivation, transaction hashing, and more. (Ethereum Stack Exchange)

Ready to build?

Performance shouldn’t be a blocker for innovation. With php-secp256k1 and php-keccak256, PHP developers can compete with Go and Rust without leaving PHP. Whether you’re building a high-frequency exchange, an NFT marketplace, or an Ethereum login service, these extensions open new possibilities. Try them, benchmark your workloads, and tell us what you build.

References & further reading

  • BuildCoreWorks — High-performance secp256k1 for PHP (benchmarks, install, code) (DEV Community)
  • BuildCoreWorks — High-performance Keccak-256 for PHP (benchmarks, install, code) (DEV Community)
  • Bitcoin Wiki — Why secp256k1 is fast/efficient (Bitcoin Wiki)
  • Ethereum Stack Exchange — How addresses are derived (last 20 bytes of Keccak-256(pubkey)) (Ethereum Stack Exchange)
  • JetBrains Developer Ecosystem / Accesto — PHP remains broadly used in production (The JetBrains Blog)

Written By AI

Top comments (0)