【加解密与C】非对称加解密(三)ECC椭圆曲线

ECC椭圆曲线的基本概念

椭圆曲线密码学（Elliptic Curve Cryptography，ECC）是一种基于椭圆曲线数学的公钥密码体制。与传统的RSA相比，ECC在相同安全级别下使用更短的密钥，计算效率更高，适用于资源受限的环境。

椭圆曲线的数学定义通常表示为： [ y^2 = x^3 + ax + b ] 其中 (a) 和 (b) 是满足 (4a^3 + 27b^2 \neq 0) 的常数，以避免曲线出现奇异点。

ECC的核心运算

椭圆曲线的核心运算包括点加法（Point Addition）和标量乘法（Scalar Multiplication）。点加法用于定义曲线上两个点的加法运算，标量乘法则是通过重复点加法实现。

点加法的几何意义：

若 (P) 和 (Q) 是曲线上两个不同的点，连接 (P) 和 (Q) 的直线与曲线交于第三点 (R)，则 (P + Q = -R)（对称点）。
若 (P = Q)，则通过 (P) 的切线与曲线交于 (R)，此时 (2P = -R)。

标量乘法用于密钥生成和加密/解密过程： [ k \cdot P = \underbrace{P + P + \cdots + P}_{k \text{次}} ]

ECC的安全性

ECC的安全性基于椭圆曲线离散对数问题（ECDLP）：给定曲线上的点 (P) 和 (Q = k \cdot P)，求解 (k) 是计算困难的。目前没有已知的多项式时间算法可以解决ECDLP。

与RSA相比，ECC的优势在于：

更短的密钥长度（例如256位ECC密钥相当于3072位RSA密钥的安全性）。
更快的计算速度和更低的资源消耗。

ECC的应用场景

ECC广泛应用于以下领域：

数字签名（如ECDSA）。
密钥交换（如ECDH）。
物联网（IoT）设备的安全通信。
区块链技术（如比特币和以太坊使用ECC生成地址）。

ECC的注意事项

使用ECC时需注意以下问题：

选择标准化的椭圆曲线（如NIST推荐的曲线或SECP256k1）。
避免使用自定义曲线，可能存在安全隐患。
确保随机数生成器的质量，避免密钥泄露。

ECC因其高效性和安全性，已成为现代密码学的重要组成部分。

ECC.h

#ifndef _ECC_H_
#define _ECC_H_
#include <stdint.h>// 定义256位大整数结构
typedef struct {uint32_t d[8]; // 小端序存储: d[0]是最低32位
} uint256_t;// 椭圆曲线点结构
typedef struct {uint256_t x;uint256_t y;int infinity; // 是否为无穷远点
} Point;// 密钥生成
void ecc_keygen(uint256_t* private_key, Point* public_key);// ECDSA签名
void ecdsa_sign(const uint256_t* private_key, const uint256_t* hash, uint256_t* r, uint256_t* s);// ECDSA验签
int ecdsa_verify(const Point* public_key, const uint256_t* hash, const uint256_t* r, const uint256_t* s);// ECC加密
void ecc_encrypt(const Point* public_key, const uint8_t* plain, size_t len, Point* c1, uint8_t* c2);// ECC解密
void ecc_decrypt(const uint256_t* private_key, const Point* c1, const uint8_t* c2, size_t len, uint8_t* plain);
#endif

ECC.cpp

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "ECC.h"// secp256k1曲线参数
static const uint256_t P = {{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2F}};
static const uint256_t A = {{0}};
static const uint256_t B = {{7, 0, 0, 0, 0, 0, 0, 0}};
static const Point G = {{{0x79BE667E, 0xF9DCBBAC, 0x55A06295, 0xCE870B07, 0x029BFCDB, 0x2DCE28D9, 0x59F2815B, 0x16F81798}},{{0x483ADA77, 0x26A3C465, 0x5DA4FBFC, 0x0E1108A8, 0xFD17B448, 0xA6855419, 0x9C47D08F, 0xFB10D4B8}},0
};
static const uint256_t N = {{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364141}};// 比较两个大整数是否相等
static int uint256_equal(const uint256_t* a, const uint256_t* b) {for (int i = 0; i < 8; i++) {if (a->d[i] != b->d[i]) return 0;}return 1;
}// 判断大整数是否为0
static int uint256_is_zero(const uint256_t* a) {for (int i = 0; i < 8; i++) {if (a->d[i] != 0) return 0;}return 1;
}// 大整数复制
static void uint256_copy(uint256_t* dest, const uint256_t* src) {memcpy(dest, src, sizeof(uint256_t));
}// 模加: result = (a + b) mod P
static void uint256_add(const uint256_t* a, const uint256_t* b, uint256_t* result) {uint64_t carry = 0;for (int i = 0; i < 8; i++) {uint64_t sum = (uint64_t)a->d[i] + b->d[i] + carry;result->d[i] = (uint32_t)sum;carry = sum >> 32;}// 如果结果大于P，则减去Pif (carry || !uint256_equal(result, &P) && (result->d[7] > P.d[7] || (result->d[7] == P.d[7] && result->d[6] > P.d[6]) || (result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] > P.d[5]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] > P.d[4]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] > P.d[3]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] == P.d[3] && result->d[2] > P.d[2]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] == P.d[3] && result->d[2] == P.d[2] && result->d[1] > P.d[1]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] == P.d[3] && result->d[2] == P.d[2] && result->d[1] == P.d[1] && result->d[0] >= P.d[0]))) {uint256_t temp = *result;uint64_t borrow = 0;for (int i = 0; i < 8; i++) {uint64_t diff = (uint64_t)temp.d[i] - P.d[i] - borrow;result->d[i] = (uint32_t)diff;borrow = (diff >> 32) ? 1 : 0;}}
}// 模减: result = (a - b) mod P
static void uint256_sub(const uint256_t* a, const uint256_t* b, uint256_t* result) {uint64_t borrow = 0;for (int i = 0; i < 8; i++) {uint64_t diff = (uint64_t)a->d[i] - b->d[i] - borrow;result->d[i] = (uint32_t)diff;borrow = (diff >> 63) ? 1 : 0;}// 如果结果为负，则加上Pif (borrow) {uint256_t temp = *result;uint64_t carry = 0;for (int i = 0; i < 8; i++) {uint64_t sum = (uint64_t)temp.d[i] + P.d[i] + carry;result->d[i] = (uint32_t)sum;carry = sum >> 32;}}
}// 模乘: result = (a * b) mod P
static void uint256_mul(const uint256_t* a, const uint256_t* b, uint256_t* result) {uint64_t product[16] = {0};// 计算乘积for (int i = 0; i < 8; i++) {uint64_t carry = 0;for (int j = 0; j < 8; j++) {uint64_t temp = product[i+j] + (uint64_t)a->d[i] * b->d[j] + carry;product[i+j] = temp & 0xFFFFFFFF;carry = temp >> 32;}product[i+8] = carry;}// 模P约简 (使用secp256k1的特殊形式)for (int i = 15; i >= 8; i--) {uint64_t carry = 0;for (int j = 0; j < 8; j++) {uint64_t temp = (uint64_t)product[i-8+j] + (product[i] * P.d[j]) + carry;product[i-8+j] = temp & 0xFFFFFFFF;carry = temp >> 32;}if (i < 15) {product[i] = carry;}}// 复制结果for (int i = 0; i < 8; i++) {result->d[i] = (uint32_t)product[i];}// 最终模约简if (uint256_equal(result, &P) || !uint256_equal(result, &P) && (result->d[7] > P.d[7] || (result->d[7] == P.d[7] && result->d[6] > P.d[6]) || (result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] > P.d[5]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] > P.d[4]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] > P.d[3]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] == P.d[3] && result->d[2] > P.d[2]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] == P.d[3] && result->d[2] == P.d[2] && result->d[1] > P.d[1]) ||(result->d[7] == P.d[7] && result->d[6] == P.d[6] && result->d[5] == P.d[5] && result->d[4] == P.d[4] && result->d[3] == P.d[3] && result->d[2] == P.d[2] && result->d[1] == P.d[1] && result->d[0] >= P.d[0]))) {uint256_t temp = *result;uint64_t borrow = 0;for (int i = 0; i < 8; i++) {uint64_t diff = (uint64_t)temp.d[i] - P.d[i] - borrow;result->d[i] = (uint32_t)diff;borrow = (diff >> 63) ? 1 : 0;}}
}// 模逆元: result = a^{-1} mod P (使用扩展欧几里得算法)
static void uint256_inv(const uint256_t* a, uint256_t* result) {uint256_t u = *a;uint256_t v = P;uint256_t x1 = {{1,0,0,0,0,0,0,0}};uint256_t x2 = {{0,0,0,0,0,0,0,0}};uint256_t one = { {1,0,0,0,0,0,0,0} };while (!uint256_equal(&u, &one) && !uint256_equal(&v, &one)) {while ((u.d[0] & 1) == 0) { // u为偶数// u = u / 2for (int i = 7; i >= 0; i--) {if (i > 0 && (u.d[i] & 1)) {u.d[i-1] |= 0x80000000;}u.d[i] >>= 1;}// x1 = x1 / 2if (x1.d[0] & 1) {uint256_add(&x1, &P, &x1);}for (int i = 7; i >= 0; i--) {if (i > 0 && (x1.d[i] & 1)) {x1.d[i-1] |= 0x80000000;}x1.d[i] >>= 1;}}while ((v.d[0] & 1) == 0) { // v为偶数// v = v / 2for (int i = 7; i >= 0; i--) {if (i > 0 && (v.d[i] & 1)) {v.d[i-1] |= 0x80000000;}v.d[i] >>= 1;}// x2 = x2 / 2if (x2.d[0] & 1) {uint256_add(&x2, &P, &x2);}for (int i = 7; i >= 0; i--) {if (i > 0 && (x2.d[i] & 1)) {x2.d[i-1] |= 0x80000000;}x2.d[i] >>= 1;}}if (u.d[7] < v.d[7] || (u.d[7] == v.d[7] && u.d[6] < v.d[6]) || (u.d[7] == v.d[7] && u.d[6] == v.d[6] && u.d[5] < v.d[5]) ||(u.d[7] == v.d[7] && u.d[6] == v.d[6] && u.d[5] == v.d[5] && u.d[4] < v.d[4]) ||(u.d[7] == v.d[7] && u.d[6] == v.d[6] && u.d[5] == v.d[5] && u.d[4] == v.d[4] && u.d[3] < v.d[3]) ||(u.d[7] == v.d[7] && u.d[6] == v.d[6] && u.d[5] == v.d[5] && u.d[4] == v.d[4] && u.d[3] == v.d[3] && u.d[2] < v.d[2]) ||(u.d[7] == v.d[7] && u.d[6] == v.d[6] && u.d[5] == v.d[5] && u.d[4] == v.d[4] && u.d[3] == v.d[3] && u.d[2] == v.d[2] && u.d[1] < v.d[1]) ||(u.d[7] == v.d[7] && u.d[6] == v.d[6] && u.d[5] == v.d[5] && u.d[4] == v.d[4] && u.d[3] == v.d[3] && u.d[2] == v.d[2] && u.d[1] == v.d[1] && u.d[0] < v.d[0])) {uint256_sub(&v, &u, &v);uint256_sub(&x2, &x1, &x2);} else {uint256_sub(&u, &v, &u);uint256_sub(&x1, &x2, &x1);}}if (uint256_equal(&u, &one)) {uint256_copy(result, &x1);} else {uint256_copy(result, &x2);}if (result->d[7] & 0x80000000) {uint256_add(result, &P, result);}
}// 椭圆曲线点运算
static int point_is_zero(const Point* p) {return p->infinity;
}static void point_set_zero(Point* p) {p->infinity = 1;
}// 点加倍: result = 2 * P
static void point_double(const Point* p, Point* result) {if (point_is_zero(p)) {point_set_zero(result);return;}// λ = (3x² + a) / (2y)uint256_t lambda, numerator, denominator, temp;// 计算分子: 3x² + auint256_mul(&p->x, &p->x, &temp);uint256_t three = {{3,0,0,0,0,0,0,0}};uint256_mul(&temp, &three, &numerator);uint256_add(&numerator, &A, &numerator);// 计算分母: 2yuint256_t two = {{2,0,0,0,0,0,0,0}};uint256_mul(&p->y, &two, &denominator);// 计算λ = 分子 / 分母uint256_inv(&denominator, &temp);uint256_mul(&numerator, &temp, &lambda);// 计算新点坐标// xr = λ² - 2xuint256_mul(&lambda, &lambda, &temp);uint256_mul(&p->x, &two, &denominator);uint256_sub(&temp, &denominator, &result->x);// yr = λ(x - xr) - yuint256_sub(&p->x, &result->x, &temp);uint256_mul(&lambda, &temp, &temp);uint256_sub(&temp, &p->y, &result->y);result->infinity = 0;
}// 点加法: result = P + Q
static void point_add(const Point* p, const Point* q, Point* result) {if (point_is_zero(p)) {*result = *q;return;}if (point_is_zero(q)) {*result = *p;return;}// 处理相同点的情况if (uint256_equal(&p->x, &q->x)) {if (uint256_equal(&p->y, &q->y)) {point_double(p, result);return;} else {point_set_zero(result);return;}}// λ = (yq - yp) / (xq - xp)uint256_t lambda, numerator, denominator, temp;uint256_sub(&q->y, &p->y, &numerator);uint256_sub(&q->x, &p->x, &denominator);uint256_inv(&denominator, &temp);uint256_mul(&numerator, &temp, &lambda);// xr = λ² - xp - xquint256_mul(&lambda, &lambda, &temp);uint256_sub(&temp, &p->x, &temp);uint256_sub(&temp, &q->x, &result->x);// yr = λ(xp - xr) - ypuint256_sub(&p->x, &result->x, &temp);uint256_mul(&lambda, &temp, &temp);uint256_sub(&temp, &p->y, &result->y);result->infinity = 0;
}// 标量乘法: result = k * P
static void point_mul(const uint256_t* k, const Point* p, Point* result) {Point r;point_set_zero(&r);Point temp_point = *p;for (int i = 0; i < 256; i++) {int word_index = i / 32;int bit_index = i % 32;if ((k->d[word_index] >> bit_index) & 1) {if (point_is_zero(&r)) {r = temp_point;} else {point_add(&r, &temp_point, &r);}}Point new_point;point_double(&temp_point, &new_point);temp_point = new_point;}*result = r;
}// 密钥生成
void ecc_keygen(uint256_t* private_key, Point* public_key) {// 生成随机私钥 (1 < d < N-1)do {for (int i = 0; i < 8; i++) {private_key->d[i] = rand() ^ (rand() << 16);}} while (uint256_equal(private_key, &N) || uint256_is_zero(private_key) || private_key->d[7] >= N.d[7] || (private_key->d[7] == N.d[7] && private_key->d[6] >= N.d[6]) ||(private_key->d[7] == N.d[7] && private_key->d[6] == N.d[6] && private_key->d[5] >= N.d[5]) ||(private_key->d[7] == N.d[7] && private_key->d[6] == N.d[6] && private_key->d[5] == N.d[5] && private_key->d[4] >= N.d[4]) ||(private_key->d[7] == N.d[7] && private_key->d[6] == N.d[6] && private_key->d[5] == N.d[5] && private_key->d[4] == N.d[4] && private_key->d[3] >= N.d[3]) ||(private_key->d[7] == N.d[7] && private_key->d[6] == N.d[6] && private_key->d[5] == N.d[5] && private_key->d[4] == N.d[4] && private_key->d[3] == N.d[3] && private_key->d[2] >= N.d[2]) ||(private_key->d[7] == N.d[7] && private_key->d[6] == N.d[6] && private_key->d[5] == N.d[5] && private_key->d[4] == N.d[4] && private_key->d[3] == N.d[3] && private_key->d[2] == N.d[2] && private_key->d[1] >= N.d[1]) ||(private_key->d[7] == N.d[7] && private_key->d[6] == N.d[6] && private_key->d[5] == N.d[5] && private_key->d[4] == N.d[4] && private_key->d[3] == N.d[3] && private_key->d[2] == N.d[2] && private_key->d[1] == N.d[1] && private_key->d[0] >= N.d[0]));// 公钥 = 私钥 * Gpoint_mul(private_key, &G, public_key);
}// ECDSA签名
void ecdsa_sign(const uint256_t* private_key, const uint256_t* hash, uint256_t* r, uint256_t* s) {uint256_t k = { 0 };Point kG;do {// 生成随机kfor (int i = 0; i < 8; i++) {k.d[i] = rand() ^ (rand() << 16);}// 计算 r = (kG).x mod Npoint_mul(&k, &G, &kG);uint256_copy(r, &kG.x);while (!uint256_equal(r, &N) && (r->d[7] > N.d[7] || (r->d[7] == N.d[7] && r->d[6] > N.d[6]) || (r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] > N.d[5]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] > N.d[4]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] > N.d[3]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] == N.d[3] && r->d[2] > N.d[2]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] == N.d[3] && r->d[2] == N.d[2] && r->d[1] > N.d[1]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] == N.d[3] && r->d[2] == N.d[2] && r->d[1] == N.d[1] && r->d[0] >= N.d[0]))) {uint256_sub(r, &N, r);}} while (uint256_is_zero(r));// 计算 s = (hash + r*d) * k^{-1} mod Nuint256_t tmp1, kinv;uint256_mul(r, private_key, &tmp1);   // r * duint256_add(&tmp1, hash, &tmp1);       // hash + r*duint256_inv(&k, &kinv);               // k^{-1}uint256_mul(&tmp1, &kinv, s);          // s = (hash + r*d) * k^{-1}while (!uint256_equal(s, &N) && (s->d[7] > N.d[7] || (s->d[7] == N.d[7] && s->d[6] > N.d[6]) || (s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] > N.d[5]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] > N.d[4]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] > N.d[3]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] == N.d[3] && s->d[2] > N.d[2]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] == N.d[3] && s->d[2] == N.d[2] && s->d[1] > N.d[1]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] == N.d[3] && s->d[2] == N.d[2] && s->d[1] == N.d[1] && s->d[0] >= N.d[0]))) {uint256_sub(s, &N, s);}
}// ECDSA验签
int ecdsa_verify(const Point* public_key, const uint256_t* hash, const uint256_t* r, const uint256_t* s) {if (uint256_is_zero(r) || uint256_is_zero(s) || !uint256_equal(r, &N) && (r->d[7] > N.d[7] || (r->d[7] == N.d[7] && r->d[6] > N.d[6]) || (r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] > N.d[5]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] > N.d[4]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] > N.d[3]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] == N.d[3] && r->d[2] > N.d[2]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] == N.d[3] && r->d[2] == N.d[2] && r->d[1] > N.d[1]) ||(r->d[7] == N.d[7] && r->d[6] == N.d[6] && r->d[5] == N.d[5] && r->d[4] == N.d[4] && r->d[3] == N.d[3] && r->d[2] == N.d[2] && r->d[1] == N.d[1] && r->d[0] >= N.d[0])) ||!uint256_equal(s, &N) && (s->d[7] > N.d[7] || (s->d[7] == N.d[7] && s->d[6] > N.d[6]) || (s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] > N.d[5]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] > N.d[4]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] > N.d[3]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] == N.d[3] && s->d[2] > N.d[2]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] == N.d[3] && s->d[2] == N.d[2] && s->d[1] > N.d[1]) ||(s->d[7] == N.d[7] && s->d[6] == N.d[6] && s->d[5] == N.d[5] && s->d[4] == N.d[4] && s->d[3] == N.d[3] && s->d[2] == N.d[2] && s->d[1] == N.d[1] && s->d[0] >= N.d[0]))) {return 0;}uint256_t w;uint256_inv(s, &w);  // w = s^{-1} mod Nuint256_t u1, u2;uint256_mul(hash, &w, &u1);  // u1 = hash * w mod Nuint256_mul(r, &w, &u2);     // u2 = r * w mod NPoint p1, p2;point_mul(&u1, &G, &p1);     // u1 * Gpoint_mul(&u2, public_key, &p2); // u2 * QPoint res;point_add(&p1, &p2, &res);   // 计算点 (x, y)if (point_is_zero(&res)) {return 0;}// 验证 r == x mod Nuint256_t x = res.x;while (!uint256_equal(&x, &N) && (x.d[7] > N.d[7] || (x.d[7] == N.d[7] && x.d[6] > N.d[6]) || (x.d[7] == N.d[7] && x.d[6] == N.d[6] && x.d[5] > N.d[5]) ||(x.d[7] == N.d[7] && x.d[6] == N.d[6] && x.d[5] == N.d[5] && x.d[4] > N.d[4]) ||(x.d[7] == N.d[7] && x.d[6] == N.d[6] && x.d[5] == N.d[5] && x.d[4] == N.d[4] && x.d[3] > N.d[3]) ||(x.d[7] == N.d[7] && x.d[6] == N.d[6] && x.d[5] == N.d[5] && x.d[4] == N.d[4] && x.d[3] == N.d[3] && x.d[2] > N.d[2]) ||(x.d[7] == N.d[7] && x.d[6] == N.d[6] && x.d[5] == N.d[5] && x.d[4] == N.d[4] && x.d[3] == N.d[3] && x.d[2] == N.d[2] && x.d[1] > N.d[1]) ||(x.d[7] == N.d[7] && x.d[6] == N.d[6] && x.d[5] == N.d[5] && x.d[4] == N.d[4] && x.d[3] == N.d[3] && x.d[2] == N.d[2] && x.d[1] == N.d[1] && x.d[0] >= N.d[0]))) {uint256_sub(&x, &N, &x);}return uint256_equal(&x, r);
}// ECC加密
void ecc_encrypt(const Point* public_key, const uint8_t* plain, size_t len, Point* c1, uint8_t* c2) {uint256_t k = { 0 };Point kQ;// 生成临时密钥kdo {for (int i = 0; i < 8; i++) {k.d[i] = rand() ^ (rand() << 16);}} while (uint256_is_zero(&k));// c1 = k * Gpoint_mul(&k, &G, c1);// 共享密钥 S = k * Qpoint_mul(&k, public_key, &kQ);// 使用S.x的低32位作为XOR密钥uint32_t key = kQ.x.d[0];for (size_t i = 0; i < len; i++) {c2[i] = plain[i] ^ (key & 0xFF);key = (key >> 8) | (key << 24); // 循环移位}
}// ECC解密
void ecc_decrypt(const uint256_t* private_key, const Point* c1, const uint8_t* c2, size_t len, uint8_t* plain) {// 计算共享密钥 S = d * c1Point S;point_mul(private_key, c1, &S);// 使用S.x的低32位作为XOR密钥uint32_t key = S.x.d[0];for (size_t i = 0; i < len; i++) {plain[i] = c2[i] ^ (key & 0xFF);key = (key >> 8) | (key << 24); // 循环移位}
}

※说明：代码仅从原理上实现了ecc的加解密、签名、验签，并未充分验证其正确性和完整性，且性能较差，仅供自学习时参考。若应用于生产环境，请使用openssl等三方库。