Download the PHP package amashukov/secp256k1-php without Composer
On this page you can find all versions of the php package amashukov/secp256k1-php. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package secp256k1-php
amashukov/secp256k1-php
Pure-PHP secp256k1 elliptic-curve arithmetic and RFC 6979 deterministic ECDSA — sign, verify and recover for Ethereum and Bitcoin signatures.
amashukov/secp256k1-php implements the secp256k1 elliptic curve and ECDSA signature primitives in pure PHP on top of ext-gmp. It covers point arithmetic, RFC 6979 deterministic signing, signature verification and public-key recovery — the building blocks behind Ethereum and Bitcoin signatures, EIP-191 / EIP-712 signer derivation and EVM wallet tooling. Two static classes:
Secp256k1— curve constants (P,N,Gx,Gy) and point arithmetic (pointAdd,pointDouble,scalarMul,scalarMulG).Ecdsa— RFC 6979 deterministicsign,verify, andrecover(the latter is what EIP-191 / EIP-712 implementations call to derive a public key from a signature triple).
The package is a leaf primitive — it ships with zero composer dependencies (ext-gmp + ext-hash from PHP core), and the EIP-191 / EIP-712 message-prefix hashing belongs in a downstream package that owns the keccak / domain-separator step.
Features
- secp256k1 curve arithmetic —
pointAdd,pointDouble,scalarMul,scalarMulGover GMP big integers. - RFC 6979 deterministic ECDSA — same input always yields the same signature; no entropy source required.
- Canonical low-S signatures — two clients signing the same payload produce byte-identical output.
- Public-key recovery — derive the
04 || x || yuncompressed key from a(v, r, s)triple, the EIP-191 / EIP-712 signer step. - Validated public surface — malformed lengths and out-of-range scalars are rejected.
- Zero composer dependencies —
ext-gmp+ext-hashonly. - PHPStan level 9 clean,
@PER-CSformatted, CI-tested.
Why amashukov/secp256k1-php
simplito/elliptic-php is a fine general-purpose elliptic-curve library, but it is curve-agnostic and carries the machinery for many curves. amashukov/secp256k1-php is single-curve by design: it focuses exclusively on secp256k1 and the ECDSA operations EVM and Bitcoin tooling actually need — deterministic RFC 6979 signing, canonical low-S output and (v, r, s) recovery — with a smaller, audited surface and zero composer dependencies.
Installation
Usage
Curve arithmetic
Deterministic ECDSA sign (RFC 6979)
Signatures are deterministic per RFC 6979 (same input → same output) and returned in canonical low-S form, so two clients signing the same payload produce byte-identical signatures.
Verify
Recover (EIP-191 / EIP-712 step)
The recovered public key can then be hashed (keccak-256 of x || y → take last 20 bytes) to derive the signer's Ethereum address.
Requirements
- PHP 8.3+
ext-gmpext-hash(bundled with PHP core; used for HMAC-SHA256 in RFC 6979 nonce derivation)
No composer dependencies.
Security notes
- Not constant-time.
Secp256k1::scalarMulwalks the scalar bit-by-bit with conditional adds — it leaks timing information about secret scalars. Use this package for signing only when the resulting timing channel is acceptable for the deployment (server-side signing of own keys is generally fine; never use it to handle attacker-controlled scalars on shared hardware). - No side-channel hardening. No blinding, no constant-time inversion.
- Validated inputs.
Ecdsa::recoverandEcdsa::signreject malformed lengths and out-of-range scalars at the public surface.
Related packages
Part of a modular pure-PHP blockchain toolkit:
| Package | Purpose |
|---|---|
| amashukov/keccak-php | Keccak-256 / SHA-3 / SHAKE hashing |
| amashukov/secp256k1-php | secp256k1 ECDSA sign / verify / recover |
| amashukov/rlp-php | Ethereum RLP encode / decode |
| amashukov/ton-cell-php | TON TLB Cell / Builder / Slice / BOC |
| amashukov/eip1559-tx-signer-php | EIP-1559 transaction signer |
| amashukov/abi-encoder-php | Ethereum ABI encoder |
| amashukov/eth-rpc-client-php | Ethereum JSON-RPC client |
| amashukov/eth-php | EVM umbrella package |
Quality
- PHPStan level 9.
- php-cs-fixer with the
@PER-CSruleset. - GitHub Actions CI on every push.
- Test vectors validated against the SEC 2 / RFC 6979 reference outputs.
References
- SEC 2: Recommended Elliptic Curve Domain Parameters — https://www.secg.org/sec2-v2.pdf
- RFC 6979 — Deterministic ECDSA — https://www.rfc-editor.org/rfc/rfc6979
License
MIT License.
All versions of secp256k1-php with dependencies
ext-gmp Version *
ext-hash Version *