ECDH itself is very easy to implement; it's just DH (which is probably the simplest algorithm in cryptography), but in a different group.
ECC (the group) is hard to implement safely. The NIST P-curves are tricky to implement relative to Curve25519.
But there's also a lot more study of how to safely implement the NIST P- curves than there is for how to make a constant-time GCM.
I don't know. They seem like comparably difficult tasks.
ECDH itself is very easy to implement; it's just DH (which is probably the simplest algorithm in cryptography), but in a different group.
ECC (the group) is hard to implement safely. The NIST P-curves are tricky to implement relative to Curve25519.
But there's also a lot more study of how to safely implement the NIST P- curves than there is for how to make a constant-time GCM.
I don't know. They seem like comparably difficult tasks.