PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

UNIFIED PATENTS INC., Petitioner,

v.

UNIVERSAL SECURE REGISTRY LLC, Patent Owner

Case IPR2018-00067
U.S. Patent No. 8,577,813

PATENT OWNER’S SUR-REPLY
TABLE OF CONTENTS

PATENT OWNER’S LIST OF EXHIBITS

I. THERE IS NO MOTIVATION FOR A PERSON OF ORDINARY SKILL IN THE ART TO COMBINE MAES AND PARE
   A. Pare teaches away from token-based transaction systems like Maes.
   B. Petitioner’s modifications change Maes’ principles of operation and render it inoperable for its intended purpose.
   C. Petitioner fails to provide sufficient reasoning as to why a person of ordinary skill in the art would be motivated to combine Maes and Pare.

II. THERE IS NO MOTIVATION FOR A PERSON OF ORDINARY SKILL IN THE ART TO COMBINE MAES AND LABROU
   A. Petitioner fails to provide sufficient reasons why a person of ordinary skill in the art would modify Labrou to generate a PIE value based on both a biometric and a PIN.
   B. There is no motivation to combine Maes with Labrou for the same reasons discussed above regarding Pare.
   C. Petitioner fails to show that claims 10 and 19 are invalid.
   D. Claims 12 and 21 are not obvious over Maes in view of Labrou.

III. THERE IS NO MOTIVATION FOR A PERSON OF ORDINARY SKILL IN THE ART TO COMBINE PIZARRO AND PARE

IV. CONCLUSION
`
TABLE OF AUTHORITIES

Cases

Intelligent Bio-Systems, Inc. v. Illumina Cambridge Ltd., 821 F.3d 1359 (Fed. Cir. 2016)
Kemco Sales, Inc. v. Control Papers Co., 208 F.3d 1352 (Fed. Cir. 2000)
Ex parte Levy, 17 USPQ2d 1461 (Bd. Pat. App. & Inter. 1990)

Statutory Authorities

37 C.F.R. § 42.6(e)
37 C.F.R. § 42.23(b)
37 C.F.R. § 42.24
37 C.F.R. § 42.24(b)
37 C.F.R. § 42.121
`
PATENT OWNER’S LIST OF EXHIBITS

Ex. 2001: Unified-USR Stipulated Protective Order
Ex. 2002: Redline Comparison to Default Protective Order
Ex. 2003: U.S. Patent App. No. 13/237,184
Ex. 2004: Declaration of Dr. Markus Jakobsson in Support of Patent Owner Response
Ex. 2005: Curriculum Vitae of Dr. Markus Jakobsson
Ex. 2006: July 31, 2018 Deposition Transcript of Dr. Eric Cole
Ex. 2007: Petitioner’s Website Dated Jan. 1, 2014
Ex. 2008: Petitioner’s Website Dated Mar. 2, 2016
Ex. 2009: Petitioner’s Website Dated Jun. 11, 2013
Ex. 2010: Brief of Amici Curiae Unified Patents
Ex. 2011: Confidential Document
Ex. 2012: Confidential Document
Ex. 2013: Declaration in Support of Unopposed Motion for Admission Pro Hac Vice of Harold A. Barza
Ex. 2014: Declaration in Support of Unopposed Motion for Admission Pro Hac Vice of Jordan Kaericher
Ex. 2015: Dec. 14, 2018 Deposition Transcript of Dr. Eric Cole
`
`
`
`
Petitioner’s Reply fails to remedy several deficiencies in its Petition that are each fatal to one or more of its Grounds. First, a person of ordinary skill in the art at the time of the invention (POSITA) would not be motivated to combine the token-based system of Maes or Pizarro with teachings of a tokenless transaction system, such as Pare. Second, the modifications suggested by Petitioner to Maes based on features of Pare and Labrou change Maes’ principles of operation and render it inoperable for its intended purpose. Third, Petitioner fails to provide a clear, evidence-supported account of why a POSITA would be motivated to combine Maes with Pare or Maes with Labrou. Fourth, a POSITA would not be motivated to modify Labrou’s personal identification entry (PIE) value so that it was generated based on both a biometric and a personal identification number (PIN). Petitioner also fails to show that dependent claims 10, 12, 19, and 21 are invalid.
`
I. THERE IS NO MOTIVATION FOR A PERSON OF ORDINARY SKILL IN THE ART TO COMBINE MAES AND PARE
`
Petitioner fails to establish that a POSITA would be motivated to combine Maes and Pare to obtain an electronic ID device that, once activated, is configured to “generate a non-predictable value and to generate encrypted authentication information from the nonpredictable value, information associated with at least a portion of the biometric input, and the secret information.” (Limitations 1[d][ii], 16[e], and 24[b].)
`
`
`
`
`
`
A. Pare teaches away from token-based transaction systems like Maes.
`
Pare, entitled “Tokenless Biometric Transaction Authorization Method And System,”[1] criticizes prior art transaction systems that employ “portable man-made memory tokens” that centralize and store a buyer’s financial account information and need to be physically carried around by the buyer to conduct financial transactions. See, e.g., Pare, 3:15-36 (“The net result of ‘smartening’ the token is centralization of function…Given the number of functions that the smartcard will be performing, the loss or damage of this monster card will be excruciatingly inconvenient for the cardholder…[such a system] will result in heavier and heavier penalties on the consumer for destruction or loss of the card.”), 7:22-35. Indeed, the whole point of Pare’s invention is to eliminate the need for a buyer to carry any token at all. Pare, 6:55-7:3 (“[The present invention] eliminates the need to carry and present any tokens in order to access one’s accounts.”); see also id., 7:56-60, 9:14-17. To accomplish this tokenless system, Pare moves the hardware and software used to authenticate the buyer—found previously at the buyer’s token—over to a secure “biometric input apparatus (BIA)” associated with the merchant’s point of sale terminal. See Pare, 9:40-10:7, 10:41-11:30 (“All actions of the BIA are directed by an outside controlling entity called a terminal…BIA models are either partially or fully integrated with the terminal.”), FIG. 3 (illustrating the Biometric Input Device 12 in direct communication with merchant’s terminal 2). Since buyer identification and authentication is performed at Pare’s merchant’s point-of-sale terminal having a biometric input apparatus (e.g., BIA), the buyer is free to conduct financial transactions without having to carry a token. See Pare, 6:55-7:3, 7:46-56. Thus, a common feature of the “tokens” Pare aims to eliminate is that they are carried around by the user and store sensitive information.

[1] Unless otherwise indicated, all emphasis has been added by Patent Owner.
`
In contrast to Pare’s tokenless scheme, Maes’ token-based system relies on a portable digital assistant (PDA) that stores the buyer’s financial account information and biometric data. See, e.g., Maes, 4:65-5:35, 11:27-40, 11:58-12:1, FIG. 1. This PDA—which centralizes and stores highly sensitive buyer information and must be carried around by the user and presented to merchants to conduct transactions—is at risk of loss, theft, and destruction, and is exactly the kind of token Pare desires to eliminate. See Pare, 7:23-56. For this reason, a POSITA would not turn to Pare to modify the token-based transaction system of Maes.
`
Petitioner contends that the above argument “fails because it relies on the misconception that Pare characterizes all ‘portable man made memory devices’ as ‘tokens.’” Petitioner’s Reply, 2-3. According to Petitioner, the “tokens” Pare wishes to eliminate are strictly limited to credit/debit cards, “smart cards,” and magnetic strip swipe cards, and not other types of devices like PDAs. See id., 3. Petitioner comes to this misplaced conclusion because Pare’s BIA is allegedly itself a type of “portable man-made memory device” since it can be implemented at a telephone point of sale terminal. See id., 3-4 (citing Pare, 4:21-24, 9:65-10:7, 11:22-28, 30:48-50). To be clear, Pare’s BIA is not a token since it is not carried around by a user and presented to merchants to facilitate transactions and is instead integrated with the merchant’s point-of-sale terminal. See Pare, 10:46-49, 11:22-28. Moreover, Petitioner’s unduly narrow characterization of Pare’s token as being limited to credit cards and smart cards is without merit and fails for a number of reasons.
`
First, Patent Owner never characterizes Pare’s token as including all portable man-made memory devices. See Patent Owner’s Response, 20-22. Instead, the tokens Pare desires to eliminate are physical objects that store a user’s sensitive financial and/or personal information and must be carried around by the user and presented to a merchant at the time of purchase, thereby safeguarding against loss, theft, or destruction of such physical objects that would be “excruciatingly inconvenient.” See Pare, 1:12-3:60, 5:5-8, 6:55-7:3, 7:46-60 (“[O]bject of the invention [is to] eliminate[] the need for a user to possess and present a physical object, such as a token, in order to authorize a transaction.”). These physical objects may be in the form of smart cards, credit cards, and also other electronic devices carried around by a user that centralize and store a buyer’s sensitive information, such as Maes’ PDA device. Limiting the tokens Pare desires to eliminate to just credit cards and smart cards is baseless and ignores many explicit teachings found in Pare that explain the perils of carrying a wide variety of objects that store a buyer’s sensitive financial and biometric information.
`
Second, Pare explicitly calls out the “biometric security apparatus” of Gullman as being one example of a token found in the prior art “that disclose[s] commercial transaction systems [that] teach away from biometric recognition without the use of tokens.” Pare, 2:38-43, 2:64-66. Referring to FIG. 2 of Gullman below, Gullman’s token 14 (e.g., biometric security apparatus) is far from a simple magnetic swipe or smart card, and is instead a sophisticated electronic device having its own power source 15, display 20, biometric sensor 18, processor 22, memory 24, display drivers 30, and ON/OFF switch 16—features that undeniably are consistent with a PDA or mobile phone.[2]
`
`
[2] While denying that Gullman’s biometric security token 12 could be a telephone (Ex. 2015 (Cole Tr.), 52:6-52:24), Petitioner’s expert testified at his deposition that a token could take the form of many different credit-card sized electronic devices that include a display, power source, ON/OFF switch, processor, memory, and biometric sensors. See id., 51:7-8.

Third, every section Petitioner references in Pare as allegedly teaching that Pare’s BIA is a “portable man-made memory device” fails to disclose a BIA that is carried around by a user and presented to a merchant to conduct a transaction—a feature that is common to all tokens Pare wishes to eliminate. See Petitioner’s Reply, 3-4 (citing Pare, 4:21-24, 9:65-10:7, 11:22-28, 30:48-50). For example, Pare at 9:65-10:7 does not describe the BIA as being carried around by the user and instead merely discusses how the BIA communicates with the point-of-sale terminal through a serial port, which in turn communicates with the Data Processing Center (DPC) server via a variety of network types, including cable TV, telephone, and cellular. As another example, Pare at 30:30-31:43 describes a “phone point of sale terminal (PPT)” having a BIA that again is not carried around by the user and is instead associated with the merchant. Petitioner’s expert also testified on this point. See Ex. 2015 (Cole Tr.), 59:18-22 (“Q…Would each one of those sellers have their own PPT?... A… Yes. In the embodiment of Pare, it looks like each seller would have [a] PPT.”). Similarly, the other portions of Pare cited to by Petitioner (Pare, 4:21-24, 6:4-8, 11:22-28, 14:19-32, 41:34-55) also fail to describe an electronic device having a BIA that stores user financial information and is carried around by the user to present to merchants when desiring to conduct financial transactions. See Pare, 4:21-24 (describing that financial accounts are associated with account index codes assigned by the buyer during registration), 6:4-8 (system displays account name during authorization), 11:22-28 (describing that BIA is fully or partially integrated with the point-of-sale terminal, which may be a telephone), 14:19-32 (BIA is integrated with telephone based point-of-sale terminal), 41:34-55 (accessing list of accounts).
`
Moreover, as stated in Patent Owner’s Response (POR, 22), Pare also teaches that its commercial transaction message (alleged by Petitioner as being the claimed “encrypted authentication information”) should be implemented on hardware and software (e.g., BIA) that is “strictly limited” in its functionality, and that is “integrated” with the sales terminal. See Pare, 11:1-28. By contrast, the PDA taught in Maes is a general-purpose device that is not integrated with a sales terminal and includes substantial functionality not related to financial transactions (e.g., calendaring and email). A POSITA would understand that limiting such a PDA’s interfaces to only financial functions would be neither practical nor desirable. Petitioner fails to address this obvious conflict between Maes and Pare. See Petitioner’s Reply, 2-11.
`
B. Petitioner’s modifications change Maes’ principles of operation and render it inoperable for its intended purpose.
`
The Petition specifically and exclusively identified the “authorization number” described in Maes at 12:30-13:5 as being the authentication information that could allegedly be replaced with the “commercial transaction message” of Pare. See Petition (Paper 12), 18-20 (citing to Maes, 12:40-13:5 and Pare, Abstract, 4:34-42, 17:27-46, 18:51-61, 19:43-20:15, FIG. 7). Similarly, the Petition argued that “[i]t would have been obvious to a PHOSITA to substitute the encrypted authentication information taught in Pare…for the authorization number of Maes.” Petition, 21; Decision (Paper 14), 11-12.
`
However, as discussed in Patent Owner’s Response (POR, 26-28), by replacing the authorization number described at 12:30-13:5 of Maes with the commercial transaction message of Pare, Petitioner eliminates a key feature of this embodiment described by Maes: the ability to “provide[] biometric security for transactions that do not involve electronic data transfer.” Maes, 12:30-34. In response, Petitioner argues that “Maes specifically teaches that transaction and authentication information can be transmitted wirelessly.” Petitioner’s Reply, 7 (citing to Petition, 23-24, Maes, 3:34-36, 12:5-29, 13:34-38). However, a close review of the Petition at 23-24 reveals that Petitioner admits that the “authorization number” described in Maes at 12:30-13:5 is not transmitted wirelessly and is instead verbally communicated by the buyer to the merchant over the phone. See Petition, 23-24.
`
Instead, Petitioner argues that wireless transmission of the authorization number described in Maes at 12:30-13:5 from the PDA to the POS would be allegedly obvious to a POSITA because Maes later describes in another, unrelated embodiment an “encrypted information file” that is wirelessly transmitted. See Petition, 23-24. Patent Owner respectfully disagrees. The embodiment described in Maes at 13:34-38 is wholly unrelated to the “authorization number” described in Maes at 12:30-13:5, and a POSITA would not be motivated to transmit the latter authorization number wirelessly from the PDA to a POS because the whole point of the authorization number described in Maes at 12:30-13:5 is to facilitate financial transactions “that do not involve electronic data transfer such as…transactions that are performed remotely over the telephone.” See Maes, 12:30-34.
`
Petitioner also contends that Maes discloses wireless transmission of the authorization number described in Maes at 12:30-13:5 because at 14:58-67 Maes describes the use of another authorization number when transferring money between two different PDA devices. See Petitioner’s Reply, 7 (citing Maes 14:58-67). However, the authorization number described at 14:58-67 has nothing to do with the authorization number cited to in the Petition (see Petition 18-22) and described at 12:30-13:5 of Maes. Compare Maes, 12:30-13:5 with 14:58-67. Similarly, a POSITA would not be motivated to transmit the authorization number described in Maes at 12:30-13:5 wirelessly because the purpose of the authorization number there is to facilitate financial transactions “that do not involve electronic data transfer.” Maes, 12:30-34.
`
Moreover, as explained in Patent Owner’s Response (POR 28-29), modifying Maes’ system with Pare would require substantial changes to every element in Maes, including the central server, POS terminals, and PDA, which would frustrate a fundamental purpose of Maes to be backwards compatible with existing transaction systems. In response, Petitioner argues that “[w]hile Maes does teach backwards compatibility with current infrastructure…, it also teaches the PDA may be used without a card,” and that “Maes also contemplates other upgrades, such as ‘advanced’ POS terminals that write receipts to cards.” First, whether Maes’ system is implemented with or without its Universal Card 26, modifying Maes’ systems with Pare’s commercial transaction message and implementing Pare’s related protocol would still require every element of Maes to be modified to accommodate Pare’s commercial transaction message and protocol, which would significantly frustrate Maes’ stated goal of backwards compatibility. Second, a minor upgrade to POS terminals of Maes to write receipts back to the user’s Universal Card 26 is a simple software change that does not involve the same logistical nightmare of overhauling the entire transaction chain (PDA, POS, and central server) to accommodate a new commercial transaction message at the heart of every transaction authorization request. Consequently, any minor improvements to POS terminals as suggested by Maes do not serve to provide a blanket license to overhaul Maes’ entire system, casting aside Maes’ stated goal of maintaining backwards compatibility with existing systems.
`
C. Petitioner fails to provide sufficient reasoning as to why a person of ordinary skill in the art would be motivated to combine Maes and Pare.
`
As described in Patent Owner’s Response (POR, 30-32), Petitioner’s bare allegations that the systems teach the use of encryption, biometric and PIN, fail to show why a POSITA would arrange the distinct teachings in these references such that the biometric and PIN information are used to form the claimed encrypted authentication information. Petitioner disputes this, arguing that Maes teaches transmitting encrypted data. Petitioner’s Reply, 10 (citing Maes, 13:34-38, 13:51-60).
`
However, to the extent Petitioner is arguing that the encrypted data transmitted in Maes at 13:34-38, 13:51-60 (e.g., “encrypted information file”) could be replaced or otherwise modified by Pare, such an argument is new and does not appear in the original Petition, and should therefore be disregarded.[3] 37 C.F.R. § 42.23(b) (“A reply may only respond to arguments raised in the corresponding opposition, patent owner preliminary response, or patent owner response.”); see Intelligent Bio-Systems, Inc. v. Illumina Cambridge Ltd., 821 F.3d 1359, 1369 (Fed. Cir. 2016) (“Once the Board identifies new issues presented for the first time in reply, neither this court nor the Board must parse the reply brief to determine which, if any, parts of that brief are responsive and which are improper.”).

[3] Petitioner’s citation to Maes at 13:24-38, 13:51-60 on page 22 of its Petition was merely to provide an “example” of why it would have been allegedly obvious to a PHOSITA to substitute the encrypted authentication information taught in Pare for the authorization number of Maes described at 12:30-13:5. See Petition, 22; see also id., 23-24. Notably, the Petition did not advance the argument that the encrypted file information described at 13:24-38 would be replaced by consumer transaction message of Pare.
`
Moreover, Petitioner contends that “PO’s argument that Maes never suggests ‘encrypting’ the authorization number itself is misplaced” since the “authorization number of Maes is ‘a function of the unexpired digital certificate’ obtained from the central server” and because “the authorization number…already represents obscured data.” Petitioner’s Reply, 10. A close review of Maes at 12:30-13:5 reveals that once the user of the PDA device has been locally authenticated, the PDA device displays the authorization number and the user verbally communicates the authorization number displayed to the merchant. Maes does not disclose that the authorization number is “encrypted” because doing so would make little sense in the context of an embodiment directed at facilitating transactions “that do not involve electronic data transfer” and instead rely on verbal communication. Also, just because the authorization number is a “function of the unexpired digital certificate” does not mean that the authorization number is encrypted or represents “obscured data.” Instead, Maes only states that the authorization number is displayed after the digital certificate is verified at the PDA device, and the merchant contacts the server to verify the authorization number it received. See Maes, 12:43-49, 12:55-13:5.
`
`
`
`
`
`
II. THERE IS NO MOTIVATION FOR A PERSON OF ORDINARY SKILL IN THE ART TO COMBINE MAES AND LABROU
`
Petitioner fails to establish that a POSITA would be motivated to combine Maes and Labrou to obtain the claim features found in limitations 1[d][ii], 16[e], and 24[b].
`
A. Petitioner fails to provide sufficient reasons why a person of ordinary skill in the art would modify Labrou to generate a PIE value based on both a biometric and a PIN.
`
As discussed in Patent Owner’s Response (POR, 39-40), Petitioner concedes that Labrou does not disclose that its PIE value is generated based on both secret information (e.g., PIN) and biometric information. See Petition, 20-21. As such, Petitioner advances a two-level obviousness theory where a POSITA would first be motivated to modify Labrou so that its PIE is generated based on both biometric information and a PIN value, and then the POSITA would be motivated to substitute the resulting encrypted authentication information of Labrou for the authorization number of Maes. See id. However, Petitioner fails to identify any actual reasons why a POSITA would be motivated to generate its PIE value based on both biometric information and a PIN value, nor has Petitioner identified any deficiency in Labrou’s existing PIE that would motivate a POSITA to modify it to use both a PIN and biometric. See Petition, 20-21.
`
In response, Petitioner contends that a POSITA would be motivated to modify Labrou to use both a biometric and the PIN to generate the PIE described in paragraphs [0524], [0536], [0537] because in other sections Labrou discusses that a biometric and a PIN are used to authenticate the user of the client device. See Petitioner’s Reply, 12 (citing Labrou, [0158], [0416]-[0418], [0421], [0456]). However, the PIE value shown in FIG. 58 and described in paragraphs [0524] and [0536]-[0537] that Petitioner proposes to modify is not used for local authentication, but is instead used to generate an encryption key for encrypting a message that is sent to a server for remote transaction authorization. See Labrou, [0536]-[0579]. Therefore, even if Labrou describes that a user of the client device 102 may be locally authenticated by the client device 102 using both a PIN and biometric (see, e.g., [0158], [0421]), that does not mean that a POSITA would automatically be motivated to modify Labrou’s PIE, which is used for remote transaction verification, to also use a biometric and a PIN. Indeed, if Labrou believed that a PIE value used for remote transaction verification could or should be generated using both a biometric and a PIN it would have expressly used the same “and/or” language it had previously done for local authentication.
`
Petitioner also contends that Patent Owner “mischaracterizes the state of the art” when Patent Owner argued that “Labrou’s encryption would fail if biometric input was used in generating the PIE because the same PIE could not be reproducibly generated from different, varied measurements of the same biometric input.” Petitioner’s Reply, 13. Petitioner then argues that “[b]ecause it was known how to generate a repeatable cryptographic string from varying biometric inputs, PO’s argument that it would not have been possible to reproducibly generate the PIE from biometric input is incorrect.” Id., 14. In support of this conclusion, Petitioner cites to deposition testimony of Patent Owner’s expert, Dr. Jakobsson, as purportedly “confirm[ing] that generating a repeatable string from a biometric was possible and known before 2006.” Id., 13 (emphasis in original).[4]
`
`
[4] Petitioner mischaracterizes Patent Owner’s expert’s testimony. Dr. Jakobsson did not admit that a repeatable cryptographic key could be generated when a varying biometric value is used as an input to just any key generation function, such as Labrou’s key generation function K = Hash(XOR(PIE, RSN)). See Labrou, [0537]-[0538]. Instead, Dr. Jakobsson was speaking specifically about key generation using varied biometric input values in the narrow, complex implementation described in U.S. Patent No. 6,901,145 (Ex. 1030), which requires obtaining and storing multiple biometric input sample parameters ( 1, 2, 3,…, m) in advance to generate a set of expected indices (ψ1, ψ2, ψ3,…,ψm) in a “training session” that are then mapped to a table of “cryptographic shares,” which are then in turn used in a complicated “polynomial secret sharing scheme” to try and generate the right key. See Ex. 1030, 4:14-9:25. As such, to imply that the state of the art at the time of the invention was that key generation using varying biometric inputs to a general key generation function, such as the one described in paragraphs [0537]-[0538] of Labrou, grossly distorts the true state of the art: a POSITA would not know how to generate the same encryption key K in Labrou using the function described in Labrou ([0537]-[0538]) if the PIE value varied each time because it was based on a varying biometric value.

Petitioner improperly shifts the pertinent question at hand—whether a POSITA reading Labrou (e.g., paragraph [0524]) would understand how (and be motivated) to modify Labrou so that its PIE value is generated using both a biometric and a PIN—to the immaterial question of whether it was “possible to generate a repeatable string from a biometric.” Id., 13. But the question is not whether it was somehow possible to generate a repeatable string from a biometric. The question is whether Labrou itself teaches a POSITA how to generate a PIE using a biometric and a PIN. And the answer to that question remains unchanged: no. A close review of Labrou’s extremely limited discussion of a biometric-based PIE reveals that Labrou appears to advocate that the biometric sensor’s raw output data directly generates the PIE value. See Labrou, [0524] (“Whenever the user attempts a transaction, the user applies her finger to the fingerprint sensor, thus generating the PIE.”). Since the PIE value is then used to generate the encryption key K, the agreement verification server also needs to know the PIE value used in order to generate the same key K to allow for proper decryption of the message encrypted by key K. See Labrou, [0537]-[0541], [0552]-[0557]. However, as explained by Dr. Jakobsson, generating the PIE using the biometric sensor’s ever-changing output data means that the encryption key K would also change. Ex. 2004, ¶¶ 87-89. But since the verification server would not know the changing biometric sensor output value in advance, it would not be able to generate the correct encryption key K. See id. Labrou’s limited teaching does not address how to solve this problem, and a POSITA would not know how or what specific changes to make to Labrou to fix this issue. See id.
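The key-mismatch problem described in the paragraph above, as an added Python example that is not part of the brief or of Labrou: it applies the cited function K = Hash(XOR(PIE, RSN)) on a client and a server and compares a PIE that is reproduced exactly with one taken from a second sensor reading that differs by one bit. SHA-256 as the hash, 16-byte PIE and RSN values, and an HMAC tag standing in for the encrypted message are assumptions, and every sample value is constructed.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from Labrou or the record).
RSN = bytes.fromhex("00112233445566778899aabbccddeeff")   # shared sequence value
PIN_PIE = b"4271".ljust(16, b"\x00")                       # PIE typed by the user
ENROLLED_SCAN = bytes.fromhex("a3f1c29e5b7d40688812e4f09c3b6d57")  # raw reading on file
PAYLOAD = b"pay merchant 17 amount 20.00"                  # transaction message


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("PIE and RSN must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(pie: bytes, rsn: bytes) -> bytes:
    """K = Hash(XOR(PIE, RSN)), with SHA-256 assumed as the hash."""
    return hashlib.sha256(xor_bytes(pie, rsn)).digest()


def client_tag(pie: bytes, rsn: bytes, payload: bytes) -> bytes:
    """Client side: derive K from the PIE just entered and protect the payload.
    An HMAC tag stands in for the encrypted message; only key agreement matters here."""
    return hmac.new(derive_key(pie, rsn), payload, hashlib.sha256).digest()


def server_accepts(stored_pie: bytes, rsn: bytes, payload: bytes, tag: bytes) -> bool:
    """Server side: re-derive K from the PIE it has on file and check the tag."""
    expected = hmac.new(derive_key(stored_pie, rsn), payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Model sensor noise: return a copy of data with a single bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def run_demo() -> dict:
    # Case 1: the PIE is a PIN, so the client reproduces it exactly.
    pin_ok = server_accepts(PIN_PIE, RSN, PAYLOAD,
                            client_tag(PIN_PIE, RSN, PAYLOAD))

    # Case 2: the PIE is the raw sensor output; the fresh reading is off by one bit.
    fresh_scan = flip_bit(ENROLLED_SCAN, 37)
    scan_ok = server_accepts(ENROLLED_SCAN, RSN, PAYLOAD,
                             client_tag(fresh_scan, RSN, PAYLOAD))

    return {
        "pin_accepted": pin_ok,
        "scan_accepted": scan_ok,
        "pie_bits_changed": bit_distance(ENROLLED_SCAN, fresh_scan),
        "key_bits_changed": bit_distance(derive_key(ENROLLED_SCAN, RSN),
                                         derive_key(fresh_scan, RSN)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

A one-bit change in the input to the hash produces an unrelated key, which is why a plain hash over a raw reading gives the server nothing it can match without some additional error-tolerant step.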
`
Petitioner’s Reply also fails to address the argument set forth in Patent Owner’s Response discussing a POSITA’s lack of motivation to combine given that a PIN must be stored in memory but Labrou teaches that a PIE “is not kept in permanent storage on the user device.” See POR, 43-44; Ex. 2004, ¶ 91.
`
B. There is no motivation to combine Maes with Labrou for the same reasons discussed above regarding Pare.
`
As discussed in Patent Owner’s Response, replacing the authorization number described at 12:30-13:5 of Maes with Labrou’s encrypted authentication information would be contrary to Maes’ stated objective for that embodiment: to provide biometric security for non-electronic transactions. See POR, 46-47. Moreover, Maes’ system desires to “provide a PDA device with digital certificate security which is compatible with the current infrastructure.” Maes, 2:43-49. But, the system of Labrou requires changing existing infrastructure and software in a “non-negligible” w