`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`APPLE INC.,
`
`Petitioner,
`
`v.
`
`UNIVERSAL SECURE REGISTRY LLC,
`Patent Owner.
`_________________________________________
`
`Case CBM2018-00024
`U.S. Patent No. 8,577,813
`_________________________________________
`
`DECLARATION OF DR. VICTOR SHOUP IN SUPPORT OF
`PETITIONER’S REPLY TO PATENT OWNER RESPONSE
`
`Apple 1225
`Apple v. USR
`CBM2018-00024
`
`
`
`Contents
`
`INTRODUCTION .......................................................................................... 1
`I.
`II. LEGAL PRINCIPLES .................................................................................... 2
`A. Claim Construction.................................................................................... 2
`B. Obviousness .............................................................................................. 2
`C.
`Subject Matter Eligibility........................................................................... 5
`D. CBM Eligibility......................................................................................... 6
`III. OPINION ..................................................................................................... 8
`A. Maes In View Of The ’585 Reference Discloses A “Secure Registry.”...... 8
`B. Maes In View Of The ’585 Reference Discloses The Claimed “Encrypted
`Authentication Information.”.............................................................................10
`C. A POSITA Would Have Applied The ’585 Reference’s Teachings To
`Maes Because Both References Include Secure Registries That Receive And
`Decrypt Information To Authenticate The User.................................................11
`D. Maes Only Suggests that Physical Components Should Remain Compatible
`With Existing Infrastructure, Not Server Software. ...........................................13
`E. Combining The ’585 Reference’s Authentication Codes With Maes’
`Authentication System Would Have Improved The Security Of Maes. .............17
`1. A POSITA Would Have Understood That The ’585 Reference’s Multi-
`factor Authentication Code Is More Secure Than The Encrypted Information
`Of Maes. ........................................................................................................17
`The ’585 Reference’s Authentication Codes Would Have Added Security
`2.
`To Maes’ Digital Certificate System. .............................................................18
`F. Combination Function 230 Teaches That Inputs Can Be Combined,
`Including Secret Information And Identifying Information................................19
`G. Maes Discloses Displaying Indicators For The Plurality Of Accounts. .....19
`H. Maes Discloses De-Activating The Electronic ID Device.........................22
`I. The ’585 Reference Discloses Generating The Claimed Seed......................23
`J. Maes And The ’585 Reference Disclose The Claimed Act Of Generating
`Encrypted Authentication Information...............................................................25
`K. Maes In View Of Maritzen Discloses Not Permitting The Entry Of User
`Input. .................................................................................................................25
`
`i
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`L. A POSITA Would Not Have Been Dissuaded From Applying Maritzen’s
`Teachings To Maes Based On Immaterial Design Differences. .........................26
`M. Maes Discloses Displaying Options For Purchase. ...................................28
`N. A POSITA Would Not Have Been Dissuaded From Applying Labrou’s
`Teachings To Maes Based On Immaterial Design Differences. .........................30
`IV. CONCLUSION ...........................................................................................31
`V. AVAILABILITY FOR CROSS-EXAMINATION ........................................31
`VI. RIGHT TO SUPPLEMENT ........................................................................31
`VII. JURAT ........................................................................................................32
`
`ii
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`I, Victor Shoup, Ph.D., declare as follows:
`I.
`INTRODUCTION
`1.
`I have been retained by Apple to provide opinions in this proceeding
`
`relating to U.S. Patent No. 8,577,813 (“’813 patent”). I submit this Declaration to
`
`address and respond to the arguments made in Patent Owner’s Response and the
`
`declaration submitted by Dr. Jakobsson in support of the Patent Owner’s Response.
`
`2.
`
`My background and qualifications are summarized in my previous
`
`declaration (Ex-1102, Shoup-Decl.) and my curriculum vitae is attached thereto as
`
`Appendix A. Since preparing my Declaration, I have reviewed the following
`
`additional materials:
`
`(cid:120) The Board’s Decision on Institution (“DI”)
`
`(cid:120) USR’s Patent Owner Preliminary Response (“POPR”) and the
`
`exhibits cited therein
`
`(cid:120) USR’s Patent Owner Response (“POR”) and the exhibits cited therein
`
`(cid:120) USR’s Conditional Motion to Amend (“CMTA”) and the exhibits
`
`cited therein
`
`(cid:120) The transcript of Dr. Jakobsson’s April 24, 2019 deposition (Ex.
`
`1227)
`
`3.
`
`I am being compensated at my normal consulting rate for my work.
`
`My compensation is not dependent on the outcome of this CBM proceeding or the
`
`1
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`related litigation, and does not affect the substance of my statements in this
`
`Declaration.
`
`4.
`
`I have no financial interest in Petitioner. I have no financial interest in
`
`the ’813 patent.
`
`II.
`
`LEGAL PRINCIPLES
`5.
`I am not an attorney. For purposes of this Declaration, I have been
`
`informed about certain aspects of the law that are relevant to my analysis and
`
`opinions.
`
`A.
`6.
`
`Claim Construction
`I have been informed that claim construction is a matter of law and
`
`that the final claim construction will be determined by the Board.
`
`7.
`
`I have been informed that the claim terms in an CBM review should
`
`be given their broadest reasonable construction in light of the specification as
`
`commonly understood by a person of ordinary skill in the art (“POSITA”). I have
`
`applied this standard in my analysis.
`
`B.
`8.
`
`Obviousness
`I have been informed and understand that a patent claim can be
`
`considered to have been obvious to a POSITA at the time the application was filed.
`
`This means that, even if all the requirements of a claim are not found in a single
`
`prior art reference, the claim is not patentable if the differences between the subject
`
`2
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`matter in the prior art and the subject matter in the claim would have been obvious
`
`to a POSITA at the time the application was filed.
`
`9.
`
`I have been informed and understand that a determination of whether
`
`a claim would have been obvious should be based upon several factors, including,
`
`among others:
`
`(cid:120) the level of ordinary skill in the art at the time the application was
`
`filed;
`
`(cid:120) the scope and content of the prior art; and
`
`(cid:120) what differences, if any, existed between the claimed invention and
`
`the prior art.
`
`10.
`
`I have been informed and understand that the teachings of two or
`
`more references may be combined in the same way as disclosed in the claims, if
`
`such a combination would have been obvious to a POSITA. In determining
`
`whether a combination based on either a single reference or multiple references
`
`would have been obvious, it is appropriate to consider, among other factors:
`
`(cid:120) whether the teachings of the prior art references disclose known
`
`concepts combined in familiar ways, and when combined, would yield
`
`predictable results;
`
`(cid:120) whether a POSITA could implement a predictable variation, and
`
`would see the benefit of doing so;
`
`3
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`
`(cid:120) whether the claimed elements represent one of a limited number of
`
`known design choices, and would have a reasonable expectation of
`
`success by those skilled in the art;
`
`(cid:120) whether a POSITA would have recognized a reason to combine
`
`known elements in the manner described in the claim;
`
`(cid:120) whether the proposed modification would have a reasonable
`
`expectation of success by those skilled in the art;
`
`(cid:120) whether there is some teaching or suggestion in the prior art to make
`
`the modification or combination of elements claimed in the patent;
`
`and
`
`(cid:120) whether the innovation applies a known technique that had been used
`
`to improve a similar device or method in a similar way.
`
`11.
`
`I have been informed and understand that a POSITA has ordinary
`
`creativity, and is not an automaton.
`
`12.
`
`I have been informed and understand that in considering obviousness,
`
`it is important not to determine obviousness using the benefit of hindsight derived
`
`from the patent being considered.
`
`13.
`
`I have also been informed that objective evidence is also be relevant
`
`to the question of obviousness. I understand that such evidence, which is
`
`sometimes referred to as “secondary considerations,” can include evidence of
`
`4
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`commercial success, long-felt but unsolved needs, failure of others, copying by
`
`others, and unexpected results. I also understand that when considering the
`
`strength of secondary considerations, weight is not given unless a nexus is
`
`established between the rebuttal evidence and the claimed invention. In other
`
`words, secondary considerations only carry weight when the secondary
`
`considerations are attributable to the claimed invention.
`
`C.
`14.
`
`Subject Matter Eligibility
`I have been informed that laws of nature, abstract ideas, and natural
`
`phenomena are not patent eligible.
`
`15.
`
`I have been informed that an application of an abstract idea, such as a
`
`mathematical formula, may be patent eligible if the patent claims add significantly
`
`more than routine, conventional activity to the underlying concept.
`
`16.
`
`I have been informed that an important and useful clue to patent
`
`eligibility is whether a claim is tied to a particular machine or apparatus or
`
`transforms a particular article into a different state or thing, according to the so
`
`called machine-or-transformation test. I have been informed that the machine-or-
`
`transformation test is not the only test for patent eligibility.
`
`17.
`
`I have been informed that the Supreme Court’s decision in the Alice
`
`Corp. case in 2014 articulates a two-step framework for distinguishing patents that
`
`claim ineligible abstract ideas from those that claim eligible applications of those
`
`5
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`ideas. In step one, the court must determine whether the claims at issue are
`
`directed to a patent-ineligible abstract concept. If the claim is directed to an
`
`abstract idea, the analysis proceeds to step two. In step two, I understand that the
`
`elements of the claim must be searched, both individually and as an ordered
`
`combination, for an inventive concept—i.e., an element or combination of
`
`elements that is sufficient to ensure that the patent in practice amounts to
`
`significantly more than a patent upon the ineligible concept itself. I am informed
`
`that a patentee cannot circumvent the prohibition on patenting abstract ideas by
`
`limiting the idea to a particular technological environment, nor by adding
`
`insignificant postsolution activity, or well-understood, routine, conventional
`
`features.
`
`D.
`18.
`
`CBM Eligibility
`I have been informed that CBM review covers a wide range of
`
`finance-related activities, including activities that are financial in nature, incidental
`
`to a financial activity or complementary to a financial activity. I have been
`
`informed that the Board may institute a CBM review proceeding for any patent that
`
`qualifies as a CBM patent. I have been informed that a “covered business method”
`
`is a claim that both (1) claims a method or corresponding apparatus for performing
`
`data processing or other operations used in the practice, administration, or
`
`management of a financial product or service; and (2) is not directed to a
`
`6
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`
`technological invention.
`
`19.
`
`I have been informed that a patent qualifies for CBM review as long
`
`as “the subject matter of at least one claim is directed to a covered business
`
`method.” I have been informed that the definition of “covered business method
`
`patent” is not limited to products and services of only the financial industry, or to
`
`patents owned by or directly affecting the activities of financial institutions such as
`
`banks and brokerage houses. I have also been informed that CBM review covers a
`
`wide range of finance-related activities. I have been informed that the correct
`
`inquiry is not whether the claimed invention only has application in business
`
`contexts, but whether the claimed invention is a method or apparatus for
`
`performing data processing or other operations used in the practice, administration,
`
`or management of a financial product or service. I have been informed that the
`
`claims should be read in light of the specification when making this determination.
`
`20.
`
`I have been informed that a patent that otherwise qualifies as a CBM
`
`patent is nevertheless excluded from CBM review if it is directed to a
`
`“technological invention”—i.e., if “the claimed subject matter as a whole”
`
`(1) “recites a technological feature that is novel and unobvious over the prior art”
`
`and (2) “solves a technical problem using a technical solution.” I also understand
`
`that the patent is eligible for CBM review (i.e., not excluded under the
`
`“technological invention” exclusion) if it fails to meet either of these two prongs.
`
`7
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`In my opinion, the claims of the ’813 patent do not meet either prong of the
`
`technological invention exclusion.
`
`21.
`
`I have been informed that the first prong of the test analyzes whether
`
`the differences between the claimed invention and the prior art are technological
`
`features. I understand that the following characteristics would preclude a finding
`
`of a “technological invention”: 1) mere “recitation of known technologies”; 2)
`
`“reciting the use of known prior art technology”; and 3) “combining prior art
`
`structures to achieve the normal, expected, or predictable result of that
`
`combination.”
`
`22.
`
`I understand that the second prong requires a review of the patent’s
`
`specification to determine what problem the claimed invention purportedly solves.
`
`If the problem is nontechnical, the patent does not meet the technological invention
`
`exception. I understand that where the specification recognizes that technology
`
`known in the art could be used to reach the desired result, the patent does not solve
`
`a technical problem with a technical solution.
`
`III. OPINION
`A. Maes In View Of The ’585 Reference Discloses A “Secure
`Registry.”
`In my first declaration, I explained that Maes in view of the ’585
`
`23.
`
`reference discloses a “secure registry” (Ex-1202, Shoup-Decl., ¶¶83-87 (limitation
`
`1[c]) configured to receive “encrypted authentication information” (id., ¶¶114-116
`
`8
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`(limitation 1[g])) that is generated “from the non-predictable value, information
`
`associated with at least a portion of the biometric input, and the secret information”
`
`(id., ¶¶103-107 (limitation 1[f])). Dr. Jakobsson’s attempt to rebut this showing
`
`mischaracterizes the references and the mapping I proposed in my previously
`
`declaration.
`
`24. As my declaration demonstrates, Maes’ financial institution 70 is a
`
`“secure registry” (Ex-1202, Shoup-Decl., ¶¶83-85; DI, 31-32), which means a
`
`database with access restrictions. Ex-1202, Shoup-Decl., ¶¶63-64. Financial
`
`institution 70 is a database with access restrictions because it restricts access to
`
`information and services provided by a database. Id., ¶¶83-85. USR argues that
`
`“there are any number of security methodologies that could be implemented
`
`without using access restrictions” (POR, 41), but fails to identify even one.
`
`Moreover, Dr. Jakobsson’s argument misconstrues my position. Financial
`
`institution 70 is a database with access restrictions because it restricts database
`
`access to authorized users by authenticating encrypted information sent by the
`
`user. Ex-1202, Shoup-Decl., ¶¶83-85. Once authorized, the financial server
`
`provides access to an authorization number that can be used to conduct a financial
`
`transaction. Id. It is irrelevant what security methodology is used to restrict
`
`access, because the claim merely requires that access to the database is restricted.
`
`25.
`
`The ’585 reference also discloses a secure registry because its verifier
`
`9
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`105 restricts database access to authorized users. As I explained in my earlier
`
`declaration, verifier 105 has access restrictions because it will authenticate only
`
`users with valid credentials to enable a transaction. Ex-1202, Shoup-Decl., ¶87.
`
`Dr. Jakobsson asserts, with no support or explanation, that “authentication is not an
`
`access restriction” (Ex-2011, Jakobsson-Decl., ¶64), but the plain meaning of the
`
`phrase “access restriction” is a mechanism that restricts access, and the ’585
`
`reference’s authentication mechanism clearly restricts access to financial services.
`
`Ex-1214, ’585 reference, [0050], [0058], [0118].
`
`B. Maes In View Of The ’585 Reference Discloses The Claimed
`“Encrypted Authentication Information.”
`26. Maes discloses transmitting encrypted authentication information to
`
`financial institution 70. Ex-1202, Shoup-Decl., ¶114 (limitation 1[g]). Financial
`
`institution 70 is coupled to central server 60, which, as the Board found, is an
`
`example of a database used by financial institution 70. DI, 32. USR and Dr.
`
`Jakobsson contend that “[n]either [financial institution 70 nor central server 60]
`
`deals with, considers or suggests the claimed ‘encrypted authentication
`
`information’” (POR, 41), but immediately contradicts itself by acknowledging that
`
`“financial server 70 does receive encrypted information.” POR, 42; Ex-1213,
`
`Maes, 13:19-38.
`
`27.
`
`The ’585 reference discloses encrypted authentication information
`
`that is generated “from the non-predictable value, information associated with at
`
`10
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`least a portion of the biometric input, and the secret information” (Ex-1202,
`
`Shoup-Decl. ¶¶103-107. (limitation 1[f])), and it would have been obvious to
`
`combine these teachings with Maes because the ’585 reference’s authentication
`
`codes provide a robust security alternative to Maes’ encrypted information
`
`message. ¶¶109-112. USR and Dr. Jakobsson argue that my proposed
`
`combination fails to identify a “precise database functionality” and an “exact
`
`architecture” (POR, 47), but there is no “precise database functionality” or “exact
`
`architecture” that the claims require. In fact, Dr. Jakobsson acknowledges that the
`
`’813 patent can be used with “any form of database.” Ex-1227, Jakobsson-Dep.,
`
`312:17-25. The combination meets the claimed limitations and my declaration
`
`shows that a POSITA would have motivated to combine the references. There is
`
`no additional database functionality or architecture necessary to show that the
`
`claims are invalid. Nonetheless, the functionality and architecture for generating
`
`and processing the ’585 reference’s authentication codes are provided in detail by
`
`the disclosure of the ’585 reference. See, e.g., Ex-1214, ’585 reference, Figs. 1-2,
`
`[0037]-[0039], [0073].
`
`C.
`
`28.
`
`A POSITA Would Have Applied The ’585 Reference’s Teachings
`To Maes Because Both References Include Secure Registries That
`Receive And Decrypt Information To Authenticate The User.
`The ’585 reference discloses various non-limiting embodiments for
`
`generating and verifying authentication codes including encryption techniques that
`
`11
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`produce an encrypted authentication information. USR and Dr. Jakobsson
`
`erroneously assume that the ’585 reference is limited to one method (POR, 47),
`
`and ignore embodiments in the ’585 reference that are based on the same
`
`encryption and decryption model used by Maes. Ex-1226, Juels-Decl., ¶¶37-40.
`
`29.
`
`For example, the ’585 reference discloses an authentication code 292,
`
`which is generated by encrypting a non-predictable value 291 using a block cipher.
`
`Ex-1202, Shoup-Decl., ¶¶104-107; Ex-1214, ’585 reference, [0073]. Thus, the
`
`’585 reference’s authentication code 292 is encrypted authentication information;
`
`Dr. Jakobsson’s argument that no “encryption process, [takes] ‘authentication
`
`information’ as input” (POR, 52-53) is incorrect because authentication code 291
`
`is authentication information that is input into a block cipher to create encrypted
`
`authentication code 292.
`
`30. Dr. Jakobbson’s argument that “there is no decryption” in the ’585
`
`reference’s system (POR, 54) ignores that the ’585 reference discloses that the
`
`encrypted authentication code is decrypted. Ex-1214, ’585 reference, [0058] (“In
`
`some embodiments the verifier 105 decrypts a value encrypted by the user
`
`authentication device 120 using symmetric key encryption or asymmetric
`
`encryption techniques, such as public key encryption”). Likewise, the proposed
`
`combination need not undertake the “needless computational overhead” in USR’s
`
`hypothetical examples (POR, 55) because the ’585 reference discloses an
`
`12
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`authentication code this is encrypted, transmitted to a “secure registry,” and
`
`decrypted – just like the system in Maes. The combined system could easily index
`
`“many people with the same names [where] each such person may have several
`
`cards” (POR, 55), because the received authentication code could expressly
`
`include this information in encrypted form. Once decrypted, as disclosed in the
`
`’585 reference, the information can be directly applied to index into the relevant
`
`records in the database.
`
`31. USR also argues that erroneous PINs would deter a POSITA from
`
`making the proposed combination (POR, 56), but overlooks the ’585 reference’s
`
`disclosure that PINs are first authenticated in a local authentication before being
`
`sent to the remote verifier 105. Ex-1214, ’585 reference, [0059].
`
`D. Maes Only Suggests that Physical Components Should Remain
`Compatible With Existing Infrastructure, Not Server Software.
`32. Dr. Jakobsson’s argument about the “basic principles of Maes” (POR,
`
`57) is incorrect because Maes makes clear that “existing infrastructure” relates
`
`only to physical devices like ATMs and kiosks and does not relate to modification
`
`to software on servers, which is the only type of modification required to combine
`
`the ’585 reference with Maes. Maes itself proposes many modifications to servers
`
`that only require modifications to software and backend system changes that would
`
`not impact any “existing infrastructure.”
`
`33.
`
`For example, Maes discloses embodiments where financial
`
`13
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`institutions possess a “requisite key (provided by the service provider upon
`
`enrollment) to decode (i.e., decrypt) the transmitted information to verify the
`
`identity of the user.” Ex-1213, Maes, 13:51-55. Maes discloses an enrollment
`
`process for “providing the service provider with the user’s credit card or ATM card
`
`information so that such information can be verified with the financial institutions
`
`70 that issued such cards.” Id., 6:71-7:1. Maes also describes an enrollment
`
`process that involves comparing voice prints (id., 8:50-65) or asking a series of
`
`questions (id., 8:12-26). The existing infrastructure at the time of the Maes
`
`reference did not include support for such an enrollment process. These
`
`embodiments would have required changes to server software that are analogous to
`
`the software changes needed to implement the combination function of the ’585
`
`reference. None of these modifications would have been incompatible with then
`
`existing infrastructure.
`
`34. USR and Dr. Jakobsson also argue that the proposed combination
`
`would require “significant modifications” that are incompatible with existing
`
`infrastructure, but Maes makes clear that compatibility with existing infrastructure
`
`is meant to avoid costly overhauls to deployed physical systems like ATMs. Id.,
`
`4:12-18; 11:52-57. In contrast, modifications to servers like the financial
`
`institution 70 or the verifier 105 would be inexpensive in comparison to an
`
`overhaul of physical systems. The modifications required to implement the ’585
`
`14
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`reference’s combination function would require only simple changes to software,
`
`without any change to existing physical systems. Accordingly, the proposed
`
`combination of the ’585 reference’s combination function with Maes would not
`
`contradict Maes’s suggestion that new systems should be compatible with existing
`
`infrastructure.
`
`35. USR also argues that “a user would have to provide their private data
`
`(i.e., their biometric information) to each and every financial institution for which
`
`they have an account because [the ’585 reference’s] verifier authorizes upon a
`
`comparison of the transmitted code with a recreated code drawn from the stored
`
`private data” (POR, 58), but neither the claims nor Maes require the use of
`
`multiple financial institutions. A user could easily have multiple accounts (e.g.,
`
`cards) with the same financial institution. Moreover, even if multiple financial
`
`institutions were used, the secure data could be stored on a centralized server as
`
`taught by Maes. Thus, sensitive information need not be distributed across
`
`multiple financial institutions. Indeed, as the ’585 reference recognizes, the
`
`verifier can be implemented as a distributed system. See Ex-1214, ’585 reference,
`
`[0038] (“the verifier 105 can be implemented as a software program running on a
`
`general-purpose computer, possibly interacting with one or more other computer
`
`programs on the same or a different computer.”), [0139]-[0140] (master verifiers
`
`and subordinate verifiers), [0141] (“intermediate servers are employed to facilitate
`
`15
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`the communication of information between the verifier 105 and the authentication
`
`device 120.”). A POSITA would have understood that the secure data could be
`
`kept on a centralized server like central server 60 if there were concerns about
`
`keeping sensitive data safe.
`
`36. Moreover, the claims do not require the use of biometric information
`
`to generate the authentication information and authenticate the user. For example,
`
`claim 1 requires authentication information that is generated from “information
`
`associated with at least a portion of the biometric input.” See Ex-1201, ’813
`
`patent, cl. 1 (emphasis added). Claim 1 does not require that the biometric input
`
`itself is verified at the secure registry and therefore does not require that the
`
`verifier knows or uses any actual biometric information to authenticate the user.
`
`Consistent with this requirement, the ’585 reference teaches that the “User Data
`
`(P)” value that represents the biometric input to an authentication code can simply
`
`be a preprocessed form of biometric data. Ex-1214, ’585 reference, [0072] (“The
`
`user data (P) can be the actual PIN, password, biometric data, etc. that is provided
`
`by the user, or the user data value (P) can be the result of processing of the user
`
`data by one or more other functions.”), [0077] (“The combination function can
`
`(cid:70)(cid:82)(cid:80)(cid:69)(cid:76)(cid:81)(cid:72)(cid:3)(cid:87)(cid:75)(cid:72)(cid:86)(cid:72)(cid:3)(cid:89)(cid:68)(cid:79)(cid:88)(cid:72)(cid:86)(cid:3)(cid:11)(cid:46)(cid:15)(cid:3)(cid:55)(cid:15)(cid:3)(cid:40)(cid:15)(cid:3)(cid:51)(cid:15)(cid:3)(cid:49)(cid:15)(cid:3)(cid:515)(cid:12)(cid:3)(cid:76)(cid:81)(cid:3)(cid:89)(cid:68)(cid:85)(cid:76)(cid:82)(cid:88)(cid:86)(cid:3)(cid:90)(cid:68)(cid:92)(cid:86)(cid:3)(cid:68)(cid:81)(cid:71)(cid:3)(cid:76)(cid:81)(cid:3)(cid:68)(cid:81)(cid:92)(cid:3)(cid:82)(cid:85)(cid:71)(cid:72)(cid:85). Before
`
`being combined by the combination function 230, these values can be processed by
`
`one or more other functions”). It need not be the user’s biometric information
`
`16
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`itself. Claims 10 and 19 only require that two of several factors (which happen to
`
`include biometric information) are used to generate a seed. These claims list
`
`biometric information as one of several optional inputs to generate the seed, but do
`
`not require that biometric information be used. Thus, contrary to USR’s argument,
`
`the combination of the ’585 reference and Maes does not require that the user’s
`
`biometric information is stored at each and every financial institution.
`
`E.
`
`Combining The ’585 Reference’s Authentication Codes With
`Maes’ Authentication System Would Have Improved The
`Security Of Maes.
`1.
`A POSITA Would Have Understood That The ’585
`Reference’s Multi-factor Authentication Code Is More
`Secure Than The Encrypted Information Of Maes.
`37. A POSITA would have understood that the multi-factor authentication
`
`code of the ’585 reference is harder to replicate and would therefore improve
`
`Maes’ encrypted information. Ex-1202, Shoup-Decl., ¶¶110-112. USR disputes
`
`the proposed combination (POR, 44-47), but I identified a specific combination of
`
`the ’585 reference’s combination function with the authentication system of Maes.
`
`Ex-1202, Shoup-Decl. ¶109 (“It would have been obvious to combine the
`
`authentication code derivation techniques disclosed in [the ’585 reference’s]
`
`combination function with the teachings of Maes to arrive at limitation 1[f].”).
`
`USR argues that I did not consider whether adding “the claimed encrypted
`
`authentication information” to Maes would have been an improvement (POR, 59),
`
`17
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`but I did consider whether the ’585 reference’s combination function would have
`
`been an improvement to the security of Maes. As I pointed out in my previous
`
`declaration, adding the ’585 reference’s combination function to Maes would
`
`“provide a more robust security system.” Ex-1202, Shoup-Decl., ¶111
`
`2.
`
`The ’585 Reference’s Authentication Codes Would Have
`Added Security To Maes’ Digital Certificate System.
`The ’585 reference’s authentication codes would have supplemented
`
`38.
`
`the security provided by Maes’ digital certificate security feature. Ex-1213, Maes,
`
`13:19-24. USR argues that combining the ’585 reference’s teachings would
`
`“eviscerate[] the purpose of the digital certificate” because “one would have to
`
`again connect to the server” (POR 51), but USR completely ignores embodiments
`
`in Maes itself that combine the digital certificate with a remote authentication like
`
`the one disclosed in the ’585 reference.
`
`39.
`
`For example, Maes discloses embodiments “whereby the financial
`
`institution (e.g., credit card company) can verify the identity of the consumer
`
`during a purchase transaction.” Ex-1213, Maes, 13:22-25. In addition to the
`
`digital certificate, this embodiment uses a remote authentication involving
`
`encryption and decryption that is the same as the system disclosed in the ’585
`
`reference, where the verifier 105 verifies the identity of the user during a
`
`transaction. Ex-1213, Maes, 13:35-39 (“The selected card information, as well as
`
`the encrypted information file, would be transmitted to the POS terminal (via the
`
`18
`
`
`
`U.S. Patent No. 8,577,813
`Declaration in Support of Petitioner’s Reply
`Universal Card, RF or IR) and then transmitted in encrypted form directly to the
`
`processing financial institution together with the purchase details.”). As Maes
`