Description
The Subscription Concealed Identifier (SUCI) is a fundamental security and privacy feature introduced in 5G, defined in 3GPP Release 15. It is a one-time-use identifier transmitted by the User Equipment (UE) in place of the permanent Subscription Permanent Identifier (SUPI) during the initial registration procedure, specifically in the Registration Request message. The SUCI is generated by the UE itself using a standardized scheme called ECIES (Elliptic Curve Integrated Encryption Scheme) profile A. The UE encrypts the SUPI using the public key of the home network's Subscription Identifier De-concealing Function (SIDF), which is securely provisioned in the UE (e.g., in the Universal Integrated Circuit Card (UICC)). The output is a string that includes the Home Network Public Key Identifier, the ECIES scheme identifier, the ciphertext, and the MAC tag.
Upon receiving the SUCI, the serving network (e.g., the Visited Public Land Mobile Network (VPLMN)) forwards it to the home network (HPLMN) as part of the authentication procedure. The home network's SIDF, which holds the corresponding private key, is the only entity capable of decrypting the SUCI to retrieve the plaintext SUPI. This decryption occurs within the home network's Unified Data Management (UDM) or Authentication Server Function (AUSF). The SUPI is then used for subscriber authentication and to derive the 5G Globally Unique Temporary Identifier (5G-GUTI) for subsequent signaling. Crucially, the serving network never sees the SUPI in clear text, protecting the subscriber's permanent identity from the visited operator and any passive eavesdroppers on the radio link.
The architecture for SUCI involves several network functions. The UE contains the USIM application, which stores the home network public key and performs the encryption. The Access and Mobility Management Function (AMF) in the serving network receives the SUCI and routes it to the appropriate home network. The SIDF, typically co-located with the UDM/AUSF, performs the de-concealment. SUCI is mandatory for 5G initial registration when the UE does not have a valid 5G-GUTI, making it a cornerstone of 5G's enhanced subscriber privacy. Its use is governed by the subscriber's privacy settings, but the default and encouraged mode is to always use SUCI for initial registration, marking a significant shift from 4G, where the permanent International Mobile Subscriber Identity (IMSI) was often sent in clear text during initial attach.
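As an added example that is not part of this page or of any 3GPP or vendor code, the following Go program implements both halves of the profile A scheme described above, with the parameters TS 33.501 Annex C gives for it: the UE-side concealment (ephemeral X25519 key, ANSI X9.63 KDF with SHA-256 over the shared secret using the ephemeral public key as SharedInfo, AES-128-CTR over the MSIN bytes, HMAC-SHA-256 truncated to an 8-byte tag) and the SIDF-side de-concealment, which checks the tag before decrypting. The function names are my own, the plaintext is assumed to be the already-encoded MSIN bytes, and the SUCI framing fields (SUPI type, home network identifier, routing indicator, scheme and key identifiers) are not built here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"hash"
)
// primitives: ANSI X9.63 KDF (SHA-256) over X25519 secret z, SharedInfo = ephemeral pub; 64 bytes -> AES-128 key, ICB, HMAC key.
func primitives(z, ephPub []byte) (cipher.Stream, hash.Hash) {
	var k []byte
	for ctr := uint32(1); len(k) < 64; ctr++ { // Hash(z || counter || SharedInfo), counter from 1
		sum := sha256.Sum256(append(binary.BigEndian.AppendUint32(append([]byte{}, z...), ctr), ephPub...))
		k = append(k, sum[:]...)
	}
	block, _ := aes.NewCipher(k[:16]) // 16-byte key: NewCipher cannot fail here
	return cipher.NewCTR(block, k[16:32]), hmac.New(sha256.New, k[32:64])
}
// ConcealProfileA (UE side) returns the scheme output: ephemeral public key || ciphertext || 8-byte tag.
func ConcealProfileA(hnPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh per SUCI, so two SUCIs are unlinkable
	if err != nil { return nil, err }
	z, err := eph.ECDH(hnPub)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	ctr, mac := primitives(z, ephPub)
	ct := make([]byte, len(plaintext))
	ctr.XORKeyStream(ct, plaintext)
	mac.Write(ct) // the tag covers the ciphertext, not the plaintext
	return append(append(ephPub, ct...), mac.Sum(nil)[:8]...), nil
}
// DeconcealProfileA (SIDF side) verifies the tag in constant time before decrypting anything.
func DeconcealProfileA(hnPriv *ecdh.PrivateKey, out []byte) ([]byte, error) {
	if len(out) < 32+8 { return nil, errors.New("scheme output too short") }
	ephPub, ct, tag := out[:32], out[32:len(out)-8], out[len(out)-8:]
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil { return nil, err }
	z, err := hnPriv.ECDH(pub) // errors on a low-order ephemeral point (all-zero shared secret)
	if err != nil { return nil, err }
	ctr, mac := primitives(z, ephPub)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil)[:8], tag) { return nil, errors.New("MAC tag mismatch") }
	ctr.XORKeyStream(ct, ct) // decrypt in place: the ciphertext bytes of out become the plaintext
	return ct, nil
}
```

The home network key pair stands in for the SIDF key that the USIM would hold the public half of; in a real deployment the private key never leaves the home network.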
Purpose & Motivation
SUCI was created to solve a critical and long-standing privacy vulnerability in cellular networks: the exposure of the user's permanent subscriber identity (IMSI in 2G/3G/4G) over the radio interface. In previous generations, the IMSI was often transmitted in clear text during initial network attachment or in certain failure scenarios. This allowed passive eavesdroppers with inexpensive equipment (IMSI catchers or stingrays) to track individuals' locations and movements, conduct targeted attacks, or perform identity mapping. This vulnerability was a major privacy concern and eroded user trust.
The motivation for SUCI stemmed from regulatory pressures (e.g., GDPR), heightened societal awareness of digital privacy, and the technical opportunity presented by the clean-slate design of the 5G core network (5GC). 3GPP designed SUCI as a key component of 5G's enhanced subscriber privacy architecture. It addresses the limitation of previous temporary identifiers (like TMSI/GUTI) which could not always be used—if a UE entered a new area without a valid temporary ID, it had to fall back to sending the IMSI in clear text. SUCI eliminates this fallback vulnerability by ensuring the permanent identity is never exposed, even on the first contact.
Furthermore, SUCI supports the separation of the serving network from the home network in terms of identity knowledge. This aligns with the network slicing and service-based architecture principles of 5G, where a serving network should provide connectivity without necessarily knowing the subscriber's true identity. By solving the pervasive tracking problem, SUCI enables more secure and privacy-respecting use cases, including critical IoT and government services, where anonymity of the device is paramount until authenticated by the home domain.
Detected Changes Across Releases
from 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (456 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the SUCI (Subscription Concealed Identifier) was newly introduced as a privacy-preserving identifier containing a concealed SUPI. Its structure was defined to include a SUPI Type, a Home Network Identifier, a Routing Indicator for network routing, a Protection Scheme Identifier, and a Home Network Public Key Identifier. This introduction specifically enabled subscription identifier privacy support by allowing the mobile device to send this protected identifier instead of the permanent SUPI over the air interface.
- SUCI encoding format and protection scheme (TS 24.501, CR0254)
- Nudm_SDM retrieval of SMS Management Subscription data (TS 29.503, CR0037)
- Subscription identifier privacy support (TS 31.102, CR0778)
- Modify structure of SUCI Calc EF and introduce Routing Indicator (TS 31.102, CR0797)
- Clarification to Subscription identifier privacy (TS 33.501, CR0145)
- 5GS Support for MCS Subscription (TS 23.501, CR0693)
- (plus 108 more changes not listed here)
In Release 16, the SUCI function was extended to support new SUPI types for wireline access, specifically the Global Line Identifier (GLI) and Global Cable Identifier (GCI). This allowed wireline subscriptions to use the SUCI privacy mechanism, with these SUPI types requiring the use of the null protection scheme. The release also introduced a Routing Indicator of 1 to 4 decimal digits to aid in routing network signaling to the correct network functions.
- SUPI and SUCI for wireline access (TS 23.501, CR0744)
- Subscription Information Influence on PDU Session Rate Control (TS 23.501, CR1251)
- Alternative 2: Handling of a UE not allowed to access SNPN services via a PLMN by subscription with 5GMM cause value #72 (TS 24.501, CR2252)
- SUPI and SUCI for legacy wireline access (TS 24.502, CR0118)
- SUPI/SUCI of N5GC devices (TS 24.502, CR0143)
- Add PDU Session continuity at inter RAT mobility to and from NB-IoT in SM Subscription data (TS 29.503, CR0176)
- (plus 81 more changes not listed here)
In Release 17, the key new development for the SUCI function was the formal introduction of an "anonymous SUCI." This type of SUCI is constructed by setting the SUPI Type field to "Network Specific Identifier," using the null protection scheme, and defining the scheme output's username part as either the string "anonymous" or an empty string. This provides a standardized mechanism for a UE to use a privacy-preserving, non-identifying subscription identifier during initial network access.
- Anonymous SUCI (TS 23.003, CR0626)
- SNPN with separate entity hosting subscription (TS 23.501, CR2625)
- IMSI based SUPI support when accessing an SNPN using credentials owned by CH (TS 23.501, CR2919)
- Format of SUCI/SUPI used for Onboarding (TS 23.501, CR3097)
- AUSF/UDM discovery based on SUCI information (TS 23.501, CR3170)
- Authentication and Subscription information checking for Disaster Roaming service (TS 23.501, CR3251)
- (plus 102 more changes not listed here)
In Release 18, the key new aspect for the SUCI function was the introduction of a specific "Key identifier in AN-parameter when anonymous SUCI is used," enhancing the handling of anonymous subscription scenarios. This builds on the existing framework where an anonymous SUCI uses a SUPI Type of "Network-Specific Identifier" with the null protection scheme. The update provides a more granular mechanism for key identification within the access network parameters specifically for these anonymous SUCI cases.
- SNPN Identifier based N3IWF FQDN (TS 23.003, CR0687)
- Decorated NAI format for 5G-NSWO for SUPI (TS 23.003, CR0696)
- Adding time synchronization service based on subscription (TS 23.501, CR3762)
- PIN identifiers (TS 23.501, CR4287)
- Protecting the N3IWF/TNGF identifier information in the REGISTRATION REJECT message (TS 24.501, CR5932)
- Resolving the EN related to N3IWF selection based on N3IWF identifier information in the REGISTRATION REJECT message (TS 24.502, CR0230)
- (plus 72 more changes not listed here)
In Release 19, the SUCI function was enhanced to support the concealment of new SUPI types for non-3GPP devices, specifically the definition of identifiers like the AIoT Device Permanent Identifier and identifiers for non-3GPP devices behind a UE/5G-RG. Furthermore, updates were made to enable subscription-based routing to a target core network using the SUCI's components, such as the Routing Indicator and Home Network Identifier.
- Non-3GPP Device Identifier (TS 23.003, CR0708)
- Definition of AIoT Device Permanent Identifier (TS 23.003, CR0713)
- Subscription-based routing to a target core network (TS 23.501, CR5380)
- Supporting direct subscription of UPF event exposure using UE's IP address (TS 23.501, CR5540)
- KI#2: UE subscription and policy control for energy efficiency and energy saving (TS 23.501, CR5739)
- Updates to UPF data exposure for KI#2 direct subscription (TS 23.501, CR5452)
- (plus 63 more changes not listed here)
Defining Specifications
3GPP specifications that define or reference SUCI, with the latest known release of each. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 23.003 vj50 | Numbering, addressing and identification in 3GPP | Rel-19 |
| TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19 |
| TS 29.503 vj50 | UDM Service Based Interface Stage 3 | Rel-19 |
| TS 29.518 vj50 | AMF Service Based Interface Protocol | Rel-19 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 31.122 vi50 | USIM Conformance Test Specification | Rel-18 |
| TS 33.126 vj30 | Lawful Interception Requirements | Rel-19 |
| TS 33.127 vj50 | Lawful Interception Architecture and Functions | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.514 vk00 | 5G Security Assurance for UDM | Rel-20 |
| TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16 |
| TR 33.841 vg10 | Security aspects; Study on 256-bit algorithms for 5G | Rel-16 |