ECC Diffie-Hellman (CSNDEDH and CSNFEDH)
- Symmetric key material from a pair of ECC keys using the Elliptic Curve Diffie-Hellman protocol and the static unified model key agreement scheme.
- "Z" - The "secret" material output from D-H process.
- Symmetric key material from a Hybrid Quantum Safe Algorithm (QSA) Key Exchange Scheme involving a CRYSTALS-KYBER encrypted value or an AES encrypted value and a pair of ECC keys using the Elliptic Curve Diffie-Hellman protocol.
- Internal CCA Token (DES or AES): AES keys are in the "Variable-length Symmetric Key Token" format. DES keys are in the "DES Internal Key Token" format.
- External CCA Token (DES or AES): AES keys are in the "Variable-length Symmetric Key Token" format. DES keys are in the "DES External Key Token" format.
- Internal TR-31 key block: DES or AES.
- External TR-31 key block: DES or AES.
- "Z" - The "secret" material output from D-H process.
The callable service name for AMODE(64) invocation is CSNFEDH.
Format
CALL CSNDEDH(
return_code,
reason_code,
exit_data_length,
exit_data,
rule_array_count,
rule_array,
private_key_identifier_length,
private_key_identifier,
private_KEK_key_identifier_length,
private_KEK_key_identifier,
public_key_identifier_length,
public_key_identifier,
hybrid_key_identifier_length,
hybrid_key_identifier,
party_identifier_length,
party_identifier,
key_bit_length,
initialization_vector_length,
initialization_vector,
hybrid_ciphertext_length,
hybrid_ciphertext,
reserved3_length,
reserved3,
reserved4_length,
reserved4,
reserved5_length,
reserved5,
output_KEK_key_identifier_length,
output_KEK_key_identifier,
output_key_identifier_length,
output_key_identifier)
Parameters
- return_code
  Direction: Output. Type: Integer.
  The return code specifies the general result of the callable service. ICSF and cryptographic coprocessor return/reason codes lists the return codes.
- reason_code
  Direction: Output. Type: Integer.
  The reason code specifies the result of the callable service that is returned to the application program. Each return code has different reason codes that indicate specific processing problems. ICSF and cryptographic coprocessor return/reason codes lists the reason codes.
- exit_data_length
  Direction: Input/Output. Type: Integer.
  The length of the data that is passed to the installation exit. The data is identified in the exit_data parameter.
- exit_data
  Direction: Input/Output. Type: String.
  The data that is passed to the installation exit.
- rule_array_count
  Direction: Input. Type: Integer.
  The number of keywords you supplied in the rule_array parameter. The value must be from 1 to 8 inclusive.
- rule_array
  Direction: Input. Type: String.
  The rule_array parameter is an array of keywords. The keywords must be 8 bytes of contiguous storage with the keyword left-justified in its 8-byte location and padded on the right with blanks. The rule_array keywords are:

  Table 1. Keywords for ECC Diffie-Hellman

  | Keyword | Meaning |
  |---|---|
  | Scheme (one, optional) | |
  | ECDH | Specifies to follow the Elliptic Curve Diffie Hellman Key Agreement Scheme. This is the default. |
  | QSA-ECDH | Specifies to follow the Hybrid QSA Key Exchange Scheme. The hybrid_key_identifier parameter must contain the key used to decrypt the value in the hybrid_ciphertext parameter. |
  | Key agreement (one required) | |
  | DERIV01 | Use input skeleton key-token and derive one element of any key pair. Denotes ANSI X9.63 protocol static unified model key-agreement scheme (see NIST SP800-56A). Initiator and responder must have a sufficient level of trust such that they each derive only one element of any key pair. The DERIV01 rule is designed for CCA to CCA interaction. |
  | DERIV02 | Use input skeleton key-token and derive one element of any key pair. Denotes key derivation function ANSI-X9.63-KDF (see Section 5.6.3 of ANSI X9.63-2011). Initiator and responder must have a sufficient level of trust such that they each derive only one element of any key pair. |
  | PASSTHRU | Skip key derivation step and return raw "Z" material. |
  | Hybrid Scheme Encrypted Value Key Type (one required for QSA-ECDH, when hybrid key identifier is present) | |
  | IHKEYKYB | The hybrid key identifier is a CRYSTALS-Kyber private key token. |
  | IHKEYAES | The hybrid key identifier is an AES key token. |
  | Transport Key Type (one optional if output KEK key identifier is present) | |
  | OKEK-DES | The output KEK key identifier is a "DES" KEK token. |
  | OKEK-AES | The output KEK key identifier is an "AES" KEK token. |
  | Output Key Type (one optional if output key identifier is present) | |
  | KEY-DES | The output key identifier is a "DES" skeleton token. |
  | KEY-AES | The output key identifier is an "AES" skeleton token. |
  | Hash type (one optional, only valid with DERIV02) | |
  | SHA-224 | Specifies the use of the SHA-224 method. |
  | SHA-256 | Specifies the use of the SHA-256 method. This is the default. |
  | SHA-384 | Specifies the use of the SHA-384 method. |
  | SHA-512 | Specifies the use of the SHA-512 method. |
  | Key Wrapping Method (optional). Valid for DES CCA keys only. | |
  | USECONFG | Specifies that the configuration setting for the default wrapping method is to be used to wrap the key. This is the default. |
  | WRAP-ENH | Specifies that the new enhanced wrapping method is to be used to wrap the key. |
  | WRAPENH2 | Specifies to wrap the key using the enhanced wrapping method with SHA-256. This is the default for triple-length keys. |
  | WRAPENH3 | Specifies to wrap the key using the enhanced wrapping method with SHA-256 and CMAC authentication code. |
  | WRAP-ECB | Specifies that the original wrapping method is to be used. |
  | Translation Control (optional). Valid for DES CCA keys only. | |
  | ENH-ONLY | Restrict rewrapping of the key_identifier token. Once the token has been wrapped with the enhanced method, it cannot be rewrapped using the original method. This is the default when the wrapping method is WRAPENH2 or WRAPENH3. |

- private_key_identifier_length
  Direction: Input. Type: Integer.
  The length of the private_key_identifier parameter in bytes. If the private_key_identifier contains a label, the value must be 64. Otherwise, the value must be between the actual length of the token and 3500.
- private_key_identifier
  Direction: Input. Type: String.
  The private_key_identifier must contain an internal or an external token or a label of an internal or external ECC key. The ECC key token must contain a public-private key pair. When the key agreement keyword is DERIV01, a clear key will be accepted.
  The ECC curve type and size must be the same as the type (Prime, Brainpool, or Koblitz) and size of the ECC key-token specified by the public key identifier parameter. The key-usage flag byte (offset 50 in the private-key section) of the ECC key-token identified by the private key identifier parameter must permit key establishment (either KEY-MGMT or KM-ONLY).
  For keyword DERIV02, the key identifier must contain a key-derivation section, type X'23' (see key-derivation in Section 4.2 and Table 14 of ANSI X9.63-2011).
- private_KEK_key_identifier_length
  Direction: Input. Type: Integer.
  The length of the private_KEK_key_identifier in bytes. If the private_KEK_key_identifier contains a label, the value must be 64. Otherwise, the value must be between the actual length of the token and 9992. If the private_key_identifier contains an internal ECC token, this value must be zero.
- private_KEK_key_identifier
  Direction: Input. Type: String.
  The key-encrypting key to unwrap the ECC private key token. The key identifier is an operational key token or key block or the key label of an operational token or block in key storage.
  When private_KEK_key_identifier_length is zero, this parameter is ignored.
  For CCA keys, the identifier is a variable-length AES key token of key type EXPORTER or IMPORTER with key management attributes enabled to allow the key to wrap an AES key.
  For X9.143 (TR-31) keys, the identifier is a variable-length AES key block of a key-encrypting key: key usage K0, algorithm A, and the mode of use D or E.
  If the token or key block supplied was encrypted under the old master key, the token or key block is returned encrypted under the current master key.
- public_key_identifier_length
  Direction: Input. Type: Integer.
  The length of the public_key_identifier in bytes. If the public_key_identifier contains a label, the value must be 64. Otherwise, the value must be between the actual length of the token and 3500.
- public_key_identifier
  Direction: Input. Type: String.
  The public_key_identifier parameter must contain an ECC public token or the label of an ECC public token. The public_key_identifier specifies the other party's ECC public key which is enabled for key management functions. If the public_key_identifier identifies a token containing a public-private key pair, no attempt to decrypt the private part will be made.
- hybrid_key_identifier_length
  Direction: Input. Type: Integer.
  The length of the hybrid_key_identifier in bytes.
  When the rule array keyword is neither IHKEYKYB nor IHKEYAES, the value must be zero.
  When the hybrid_key_identifier contains a label, the value must be 64.
  When hybrid_key_identifier contains an AES CIPHER token, the value must be between the actual length of the token and 9992.
  When hybrid_key_identifier contains a CRYSTALS-Kyber private token, the value must be between the actual length of the token and 8000.
- hybrid_key_identifier
  Direction: Input/Output. Type: String.
  The identifier of the key used to decrypt the hybrid_ciphertext parameter. The key identifier is an operational key token or key block or the key label of an operational token or block in key storage.
  When hybrid_key_identifier_length is zero, this parameter is ignored.
  When IHKEYKYB is specified, the hybrid_key_identifier parameter must contain a CRYSTALS-Kyber private key. The private key must have the U-DATENC capability.
  When IHKEYAES is specified, the hybrid_key_identifier parameter must contain an AES CIPHER key.
  - For CCA keys, the identifier is a variable-length AES key token of key type CIPHER with DECRYPT capability and the encryption mode attribute CBC.
  - For X9.143 (TR-31) keys, the identifier is a variable-length AES key block of a key-encrypting key: key usage D0, algorithm A, and mode of use D or B.

  If the token or key block supplied was encrypted under the old master key, the token or key block is returned encrypted under the current master key.
- party_identifier_length
  Direction: Input/Output. Type: Integer.
  The length of the party_identifier parameter in bytes. For the DERIV01 keyword, the value must be between 8 and 64, inclusive. For the DERIV02 keyword, the value must be between 0 and 256, inclusive. When the PASSTHRU rule array keyword is specified, the value must be 0 and the party_identifier parameter is ignored.
- party_identifier
  Direction: Input/Output. Type: String.
  The party_identifier parameter contains the entity identifier information. This information should contain both entities' data according to NIST SP800-56A Section 5.8 when the DERIV01 rule array keyword is specified. For DERIV02, this information should contain the optional shared data according to Section 5.6.3 of ANSI X9.63-2011.
- key_bit_length
  Direction: Input/Output. Type: Integer.
  The key bit length parameter contains the number of bits of key material to derive and place in the provided key token. The value must be 0 if the PASSTHRU rule array keyword was specified. Otherwise, it must be 64 - 2048.
- initialization_vector_length
  Direction: Input. Type: Integer.
  When IHKEYAES is passed, this parameter contains the length of the initialization_vector in bytes. For IHKEYAES, the value must be 16 bytes.
  When IHKEYAES is not passed, this parameter must be zero.
- initialization_vector
  Direction: Input. Type: String.
  When IHKEYAES is passed, this parameter contains the 16-byte initialization_vector that will be used to decrypt the hybrid_ciphertext.
  When initialization_vector_length is zero, this parameter is ignored.
- hybrid_ciphertext_length
  Direction: Input. Type: Integer.
  When IHKEYKYB or IHKEYAES is passed, this parameter contains the length of hybrid_ciphertext in bytes. For IHKEYAES, the value must be 32 bytes. For IHKEYKYB, the value must be 1568 bytes.
  When neither IHKEYKYB nor IHKEYAES is passed, this parameter must be zero.
- hybrid_ciphertext
  Direction: Input. Type: String.
  When IHKEYKYB or IHKEYAES is passed, the hybrid_ciphertext parameter must contain an encrypted value that will be deciphered with the hybrid_key_identifier and used in the Hybrid QSA Key Exchange Scheme.
  When hybrid_ciphertext_length is zero, this parameter is ignored.
- reserved3_length
  Direction: Input/Output. Type: Integer.
  The reserved3_length parameter must be zero.
- reserved3
  Direction: Input/Output. Type: String.
  This parameter is ignored.
- reserved4_length
  Direction: Input/Output. Type: Integer.
  The reserved4_length parameter must be zero.
- reserved4
  Direction: Input/Output. Type: String.
  This parameter is ignored.
- reserved5_length
  Direction: Input/Output. Type: Integer.
  The reserved5_length parameter must be zero.
- reserved5
  Direction: Input/Output. Type: String.
  This parameter is ignored.
- output_KEK_key_identifier_length
  Direction: Input. Type: Integer.
  The length of the output_KEK_key_identifier parameter in bytes.
  The output_KEK_key_identifier_length must be zero when:
  - The output_key_identifier will contain an internal token, or
  - The PASSTHRU rule array keyword was specified.

  When the output_KEK_key_identifier contains a label, the value must be 64.
  Otherwise, the value must be between the actual length of the token and 9992.
- output_KEK_key_identifier
  Direction: Input/Output. Type: String.
  The identifier of the key to wrap the output key identifier. The key identifier is an operational key token or key block or the key label of an operational token or block in key storage.
  When the output_KEK_key_identifier_length is zero, this parameter is ignored.
  For CCA keys, this is a variable-length key token containing a DES or AES key-encrypting key.
  - For DES keys, the key is of type IMPORTER or EXPORTER with the IMPORT/EXPORT key usage attribute enabled in the control vector.
  - For AES keys, the key is of type IMPORTER or EXPORTER with the IMPORT/EXPORT bit set in key usage field 1 and the wrap class derivation bit set in key usage field 4.

  For X9.143 (TR-31) keys, this is a variable-length key block containing a TDES or AES key-encrypting key: key usage K0 or K1, algorithm T or A, and mode of use D or E.
  If the token or key block supplied was encrypted under the old master key, the token or key block is returned encrypted under the current master key.
  Note: A CCA key token can be wrapped by a CCA key-encrypting key or a TR-31 key-encrypting key. A TR-31 key block can be wrapped by a CCA key-encrypting key or a TR-31 key-encrypting key.
- output_key_identifier_length
  Direction: Input/Output. Type: Integer.
  The length of the output_key_identifier parameter in bytes. The service checks the field to ensure it is at least equal to the size of the token to return. On return from this service, this field is updated with the exact length of the key token created. The maximum allowed value is 9992 bytes.
- output_key_identifier
  Direction: Input/Output. Type: String.
  On input, the output_key_identifier must contain a skeleton key token or key block header (DERIV01 or DERIV02) or a null token (PASSTHRU).
  For X9.143 (TR-31) key block headers, the header may contain: key usage K0, K1, or D0, algorithm D, T, or A, and mode of use D, E, or B.
  On output, the output_key_identifier will contain:
  - An internal or an external key token containing the generated symmetric key material.
  - "Z" data (in the clear) if the PASSTHRU rule array keyword was specified.

  If this variable specifies an external DES key token then the output KEK key identifier must identify a DES key-encrypting key token. If this specifies an external key token other than a DES key token then the output KEK key identifier must identify an AES key-encrypting key token.
Restrictions
The NIST security strength requirements will be enforced, with respect to ECC Curve type (input) and derived key length.
- DES: (Legacy DES token)
  - CIPHER
  - CIPHERXI
  - CIPHERXL
  - CIPHERXO
  - DECIPHER
  - ENCIPHER
  - IMPORTER
  - EXPORTER
  - IMP-PKA
- AES
  - DATA (Legacy AES token)
  - CIPHER (Variable-length symmetric key-token)
  - IMPORTER (Variable-length symmetric key-token)
  - EXPORTER (Variable-length symmetric key-token)
Usage notes
SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.
This table lists the valid key bit lengths and the minimum curve size required for each of the supported output key types.
| Output Key ID type | Valid Key Bit Lengths | Minimum Curve Required |
|---|---|---|
| DES | 64 | P160 |
| DES | 128 | P160 |
| AES | 128 | P256 |
| AES | 192 | P384 |
| AES | 256 | P512 |
- the service will fail if the Prohibit weak wrapping - Transport keys access control point is enabled.
- the service will complete successfully with a warning return code if the Warn when weak wrap - Transport keys access control point is enabled.
When the Disallow 24-byte DATA wrapped with 16-byte Key access control point is enabled, this service will fail if the source key is a triple-length DATA key and the DES master key is a 16-byte key or the key-encrypting key is a double-length key.
Concatenation strings used for each derivation service
| Offset (bytes) | Length (bytes) | Value | Comments |
|---|---|---|---|
| 0 | 4 | Initialized to X'00000001' | Counter (four-byte) unsigned integer. |
| 4 | xx | Z | A shared secret bit string or octet string. |
| Fields added when QSA-ECDH is chosen | | | |
| 4 + xx | tt | T plaintext decrypted from the hybrid_ciphertext parameter. | plaintext used for the Hybrid QSA Key Exchange Scheme. |
| 4 + xx + tt | 1 | Value: | Algorithm identifier. |
| 5 + xx + tt | 1 | Passed party_info_length variable. | Party information length passed by caller, converted to a one-byte unsigned integer. |
| 6 + xx + tt | party_info_length | String identified by party_info parameter. | Party information passed by the caller. |
| 6 + xx + tt + party_info_length | 2 | Supplied public information length, zz. | Two-byte unsigned integer specifying length of supplied public information. |
| 8 + xx + tt + party_info_length | zz | Supplied public information. | Token data extracted from the skeleton key token identified by the output_key_identifier parameter. |

| Offset (bytes) | Length (bytes) | Value | Comments |
|---|---|---|---|
| 0 | xx | Z | A shared secret bit string or octet string. |
| Fields added when QSA-ECDH is chosen | | | |
| xx | tt | T plaintext decrypted from the hybrid_ciphertext parameter. | 32 byte plaintext decrypted from the hybrid_ciphertext parameter; length not an explicit field in concatenation string. |
| xx + tt | 4 | Initialized to X'00000001'. | Counter (four-byte) unsigned integer. |
| 4 + xx + tt | yy | String identified by party_info parameter. | Party information passed by the caller; length not an explicit field in concatenation string. |
Creating a Hybrid Quantum Safe Algorithm (QSA) Key Exchange Scheme
With CCA release 8.0, it is possible to build a Hybrid Quantum Safe (QSA) Key Exchange Scheme using CCA. The CCA services available support a Hybrid QSA Key Exchange Scheme where no data is exposed outside of the Crypto Express Adapter that is used as input to the final key derivation.
- Authentication of the public keys used in the Hybrid QSA Key Exchange Scheme is the responsibility of the host.
- CRYSTALS-Kyber keys do not participate in PKIs at this time. The 'kyb-cert-A' certificate for a CRYSTALS-Kyber public key identified below is in recognition that certificate formats will be needed for the authentication part of a protocol.
- For the ECC public keys, the CCA internal PKI may be used for authentication if the trust anchor has been installed to the adapter.
- A full protocol should include a Key Check Value calculated over the shared-key created by one person (for example, Alice) so that another person (for example, Bob) can verify the creation of an agreed shared-key.
The Hybrid QSA Key Exchange Scheme involves two participants (for example, Alice and Bob) and involves two CCA services: PKA Encrypt (CSNDPKE) and ECC Diffie-Hellman (CSNDEDH).
- Step 1: The first person (Alice) creates the keys:
  - Kyb-priv-A, Kyb-pub-A: CRYSTALS-Kyber(1024) key pair
  - EC-priv-A, EC-pub-A: ECC key pair for key agreement
  - Kyb-cert-A, EC-cert-A: authenticated forms of Kyb-pub-A and EC-pub-A

  and then sends the Kyb-cert-A and EC-cert-A keys to the second person (Bob).
- Step 2: The second person (Bob) receives and validates the Kyb-cert-A and EC-cert-A keys from Alice.
  - After validation, Bob creates these keys:
    - AES-ciph-B: AES-CIPHER key in a CCA key token
    - EC-priv-B, EC-pub-B: ECC key pair for key agreement
    - EC-cert-B: authenticated form of EC-pub-B
    - Kyb-pub-A: CCA public key token, with public key pulled from Kyb-cert-A

    Notes:
    - AES-ciph-B should be as strong as the derived shared-key.
    - AES-ciph-B should allow encrypt and decrypt because it is used on the same node.
  - Bob creates the shared-key derivation input using the CSNDPKE service. Bob calls the CSNDPKE service with the RANDOM keyword, AES-ciph-B, Kyb-pub-A, AES encryption IV. The CSNDPKE service:
    - Generates a random 32-byte value: rand-32.
    - AES-CBC encrypts rand-32 using key AES-ciph-B and the AES encryption IV, returning [AES-ciph-B(rand-32)] in keyvalue.
    - CRYSTALS-Kyber encrypts rand-32 with Kyb-pub-A, returning [Kyb-pub-A(rand-32)] in the PKA_enciphered_keyvalue parameter.
  - Bob completes the shared-key derivation, using the CSNDEDH service. Bob calls the CSNDEDH service with a derivation keyword, desired key length, [AES-ciph-B(rand-32)], AES-ciph-B, AES encryption IV, EC-priv-B, EC-cert-A, output skeleton token. The CSNDEDH service:
    - Decrypts rand-32 using the key AES-ciph-B and the AES encryption IV.
    - Uses EC-priv-B and EC-cert-A with ECDH to generate the Z value.
    - Passes Z and rand-32 to the key derivation function indicated by the derivation keyword; rand-32 is the salt or OtherData. The shared-key of the requested length is derived.
    - Places the shared-key in the output skeleton token provided and encrypts the key value.
    - Returns the final CCA shared-key token.
  - Bob stores the shared-key.
  - Bob sends EC-cert-B, [Kyb-pub-A(rand-32)] to Alice.
- Step 3: Alice receives and validates EC-cert-B, [Kyb-pub-A(rand-32)].
  - Alice completes the shared-key derivation, using the CSNDEDH service. Alice calls the CSNDEDH service with a derivation keyword, desired key length, [Kyb-pub-A(rand-32)], Kyb-priv-A, EC-priv-A, EC-cert-B, output skeleton token. The CSNDEDH service:
    - Decrypts rand-32 using Kyb-priv-A.
    - Uses EC-priv-A and EC-cert-B with ECDH to generate the Z value.
    - Passes Z and rand-32 to the key derivation function indicated by the derivation keyword; rand-32 is the salt or OtherData. The shared-key of the requested length is derived.
    - Places the shared-key in the output skeleton token provided and encrypts the key value.
    - Returns the final CCA shared-key token.
The shared-key is now established at both Alice and Bob.
- The role of the CSNDEDH service in this scheme is to complete the shared-key derivation for Alice or Bob and return the shared-key in a CCA key token.
- Change to the key derivation in the CSNDEDH service:
- For DERIV01 and DERIV02, the change is the same: NIST SP 800-56C Rev 2 has defined Z’ = Z || T, where T is a hybrid addition. The decrypted hybrid_ciphertext is concatenated to the end of the normal Z in the CSNDEDH concatenation string.
- This is accomplished in one call to CSNDEDH as follows:
- Bob's call to CSNDEDH:
  - Inputs:
    - derivation keyword
    - desired key length
    - [AES-ciph-B(rand-32)]: output from CSNDPKE, random 32 byte value encrypted by AES-ciph-B
    - AES-ciph-B: AES-cipher key CCA token for Bob
    - EC-priv-B: Bob's private ECC key
    - EC-cert-A: Alice's public key
    - output skeleton token
  - Outputs:
    - CCA shared-key token
- Alice's call to CSNDEDH:
  - Inputs:
    - derivation keyword
    - desired key length
    - [Kyb-pub-A(rand-32)]: output from CSNDPKE, random 32 byte value encrypted by Kyb-pub-A
    - Kyb-priv-A: CRYSTALS-Kyber private key CCA token for Alice
    - EC-priv-A: Alice's private ECC key
    - EC-cert-B: Bob's public key
    - output skeleton token
  - Outputs:
    - CCA shared-key token
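
The hybrid change to the derivation (Z' = Z || T) and the second concatenation-string table above, worked through in Python as an added example; this is not IBM's code. It assumes that the second table is the DERIV02 (ANSI-X9.63-KDF) string, that the counter increments once per hash block, and that keys are whole bytes; Z and rand-32 are constructed sample bytes, whereas in CCA both values stay inside the coprocessor.

```python
import hashlib

# Hash keywords the page lists as valid with DERIV02 (SHA-256 is the default).
HASHES = {
    "SHA-224": hashlib.sha224,
    "SHA-256": hashlib.sha256,
    "SHA-384": hashlib.sha384,
    "SHA-512": hashlib.sha512,
}


def concat_string(z, t, counter, party_info):
    """Build Z || T || counter || party info, in the order of the second table.

    t is empty for plain ECDH and is the 32-byte plaintext decrypted from
    hybrid_ciphertext for QSA-ECDH, so the hashed secret is Z' = Z || T.
    """
    return z + t + counter.to_bytes(4, "big") + party_info


def derive_key(z, party_info, key_bit_length, t=b"", hash_name="SHA-256"):
    """Counter-mode hash KDF over the concatenation string (assumed DERIV02)."""
    # The limits checked here are the ones the page states for CSNDEDH.
    if not z:
        raise ValueError("Z must not be empty")
    if not 64 <= key_bit_length <= 2048:
        raise ValueError("key_bit_length must be 64 - 2048")
    if key_bit_length % 8:
        # Assumption of this example: only whole-byte key lengths.
        raise ValueError("key_bit_length must be a multiple of 8")
    if len(party_info) > 256:
        raise ValueError("party information is limited to 256 bytes for DERIV02")
    if t and len(t) != 32:
        raise ValueError("T is the 32-byte value decrypted from hybrid_ciphertext")

    digest = HASHES[hash_name]
    need = key_bit_length // 8
    out = b""
    counter = 1  # the table initializes the counter to X'00000001'
    while len(out) < need:
        out += digest(concat_string(z, t, counter, party_info)).digest()
        counter += 1
    return out[:need]


def hybrid_exchange_demo():
    """Show what each side derives once Z and rand-32 have been recovered."""
    # Constructed sample values, not real key material.
    z = bytes.fromhex("11" * 32)          # stands in for the ECDH result Z
    rand_32 = bytes(range(32))            # stands in for rand-32 (T)
    party = b"ALICE-ID" + b"BOB-ID  "     # hypothetical party information

    # Bob recovers rand-32 with AES-ciph-B, Alice with Kyb-priv-A; both then
    # feed the same Z and T into the same derivation.
    bob = derive_key(z, party, 256, t=rand_32)
    alice = derive_key(z, party, 256, t=rand_32)

    # A party holding Z but not T (ECDH broken, Kyber intact) gets another key.
    z_only = derive_key(z, party, 256)
    # A substituted T also changes the key, so a key check value would differ.
    wrong_t = derive_key(z, party, 256, t=bytes(32))

    return {
        "alice_bob_match": alice == bob,
        "z_alone_insufficient": z_only != bob,
        "t_is_bound": wrong_t != bob,
        "key_bytes": len(bob),
    }


if __name__ == "__main__":
    for name, value in hybrid_exchange_demo().items():
        print(f"{name}: {value}")
```
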
Access control points
The ECC Diffie-Hellman callable service requires the ECC Diffie-Hellman access control point to be enabled in the domain role.
Specifying the PASSTHRU rule array keyword requires that the ECC Diffie-Hellman - Allow PASSTHRU access control point be enabled in the domain role.
Specifying the DERIV02 rule array keyword requires that the ECC Diffie-Hellman - Allow DERIV02 access control point be enabled in the domain role.
Specifying the QSA-ECDH rule array keyword requires that the ECC Diffie-Hellman - Allow Hybrid QSA Scheme access control point be enabled in the domain role.
If the output_key_identifier parameter references a DES key token and the key wrapping method keyword specifies a wrapping method that is not the default method, then the ECC Diffie-Hellman - Allow key wrap override access control point must be enabled in the domain role.
- ECC Diffie-Hellman - Allow Prime Curve 192
- ECC Diffie-Hellman - Allow Prime Curve 224
- ECC Diffie-Hellman - Allow Prime Curve 256
- ECC Diffie-Hellman - Allow Prime Curve 384
- ECC Diffie-Hellman - Allow Prime Curve 521
- ECC Diffie-Hellman - Allow BP Curve 160
- ECC Diffie-Hellman - Allow BP Curve 192
- ECC Diffie-Hellman - Allow BP Curve 224
- ECC Diffie-Hellman - Allow BP Curve 256
- ECC Diffie-Hellman - Allow BP Curve 320
- ECC Diffie-Hellman - Allow BP Curve 384
- ECC Diffie-Hellman - Allow BP Curve 512
- ECC Diffie-Hellman - Allow Koblitz curve 256
To prevent a weaker key from being used to generate a stronger key, enable the ECC Diffie-Hellman – Prohibit weak key generate access control point in the domain role.
Required hardware
This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service. The CCA releases used in the table are described in CCA release levels.
| Server | Required cryptographic hardware | Restrictions |
|---|---|---|
| IBM z13, IBM z13s | Crypto Express5 CCA Coprocessor | The DERIV02, SHA-224, SHA-256, SHA-384, and SHA-512 keywords require the March 2016 or later licensed internal code (LIC). Triple-length DES keys require the July 2019 or later licensed internal code (LIC). ECC Koblitz curve secp256k1 is not supported. Rule array keywords WRAPENH2 and WRAPENH3 require the May 2021 or later licensed internal code (LIC). CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z14, IBM z14 ZR1 | Crypto Express5 CCA Coprocessor | The DERIV02, SHA-224, SHA-256, SHA-384, and SHA-512 keywords require the March 2016 or later licensed internal code (LIC). Triple-length DES keys require the December 2018 or later licensed internal code (LIC). ECC Koblitz curve secp256k1 is not supported. Rule array keywords WRAPENH2 and WRAPENH3 require the May 2021 or later licensed internal code (LIC). CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z14, IBM z14 ZR1 | Crypto Express6 CCA Coprocessor | Triple-length DES keys require the December 2018 or later licensed internal code (LIC). ECC Koblitz curve secp256k1 is not supported. Rule array keywords WRAPENH2 and WRAPENH3 require the May 2021 or later licensed internal code (LIC). CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z15, IBM z15 T02 | Crypto Express5 CCA Coprocessor | ECC Koblitz curve secp256k1 is not supported. Rule array keywords WRAPENH2 and WRAPENH3 require the May 2021 or later licensed internal code (LIC). CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z15, IBM z15 T02 | Crypto Express6 CCA Coprocessor | Rule array keywords WRAPENH2 and WRAPENH3 require the May 2021 or later licensed internal code (LIC). CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z15, IBM z15 T02 | Crypto Express7 CCA Coprocessor | ECC Koblitz curve secp256k1 requires the September 2020 or later licensed internal code (LIC). Rule array keywords WRAPENH2 and WRAPENH3 require the May 2021 or later licensed internal code (LIC). CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z16, IBM z16 A02 | Crypto Express6 CCA Coprocessor, Crypto Express7 CCA Coprocessor | CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH are not supported. X9.143 key blocks are not supported. |
| IBM z16, IBM z16 A02 | Crypto Express8 CCA Coprocessor | CRYSTALS-Kyber private keys and rules QSA-ECDH and ECDH require CCA release 8.0 or later licensed internal code (LIC). X9.143 key blocks support requires the CCA release 8.1 or later licensed internal code (LIC). |