CKM_ECIES
ECIES, or Elliptic Curve Integrated Encryption Scheme, is a public-key encryption scheme that combines
TIP Luna HSM Firmware 7.7.2 and newer adds the derivation of the Initial Counter block (ICB) for ECIES AES-CTR encryption scheme to support the 5G 3GPP TS 33.501 standard, for processing of SUbscription Concealed Identifier (SUCI) de-concealment requests.
Decrypt operations with curve ed25519 are accelerated with Luna HSM Firmware 7.7.2 and newer - optimum performance is achieved with 10 program threads for standalone Luna HSMs, while the best gain for HSMs in an HA group is around 20 threads, with smaller improvements observed up to 50 threads.
See Luna HSM Firmware 7.8.9 and scroll down to Allowed Elliptic Curves.
See also ECIES general and ECIES for 5G.
Firmware 7.8.9 and Newer Summary
| FIPS approved? | Yes |
| Supported functions | Encrypt | Decrypt |
| Functions restricted from FIPS use | None |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA | EC_MONT | BIP32 |
| Algorithms | None |
| Modes | None |
| Flags | Accumulating | FIPS-approved curves only |
NOTE Using Luna HSM Firmware 7.8.9 or newer, this mechanism now verifies that the specified EC curve is FIPS-approved, and rejects operations that specify non-approved curves.
Firmware 7.3.0-7.8.7 Summary
| FIPS approved? | Yes |
| Supported functions | Encrypt | Decrypt |
| Functions restricted from FIPS use | None |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA | EC_MONT | BIP32 |
| Algorithms | None |
| Modes | None |
| Flags | Accumulating |
Firmware 7.2.0 and Older Summary
| FIPS approved? | Yes |
| Supported functions | Encrypt | Decrypt |
| Minimum key length (bits) | 105 |
| Minimum key length for FIPS use (bits) | 224 |
| Minimum legacy key length for FIPS use (bits) | 160 |
| Maximum key length (bits) | 571 |
| Block size | 0 |
| Digest size | 0 |
| Key types | ECDSA | EC_MONT |
| Algorithms | None |
| Modes | None |
| Flags | Accumulating |
NOTE This is a single part operation, so even if it is called using multi-part API, we accumulate the data (up to a maximum) and return data only on the “final” operation. That is the meaning of "Accumulating" in the tables, above.
