CIBA -02 has the below. However, if the id_token_hint was symmetrically encrypted, the client doesn’t have to decrypt it before sending to the AS/OP.
OPTIONAL. An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom authentication is being requested. If the ID Token received by the Client from the OP was encrypted, to use it as an id_token_hint, the client MUST decrypt the encrypted ID Token to extract the signed ID Token contained in it.
Just changing the “was encrypted” part to say “was asymmetrically encrypted” should fix it.