`
`
`
`
`
`
`
`
`
`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`APPLE INC.,
`Petitioner,
`v.
`UNIVERSAL SECURE REGISTRY, LLC,
`Patent Owner.
`_________________________________________
`Case IPR2018-00809
`U.S. Patent No. 9,530,137
`________________________________________
`
`PETITIONER’S REPLY TO PATENT OWNER’S RESPONSE
`
`
`
`
`
`
`
`
`
`
`

`

`Contents
`
`Introduction ......................................................................................................... 1 
`I. 
`II.  Argument ............................................................................................................. 1 
`A.  USR Fails To Overcome Petitioner’s Showing That The Challenged
`Claims Are Obvious. .............................................................................................. 1 
`The Petition Shows That Jakobsson Discloses The “One Or More
`1. 
`Signals.” .............................................................................................................. 1 
`2.  USR Erroneously Asserts That Jakobsson’s Combination Function Can
`Only Be A One-Way Function. ........................................................................... 3 
`Jakobsson In View Of Maritzen Discloses The Claimed “Enablement
`3. 
`Signal.” ................................................................................................................ 6 
`Jakobsson And Niwa Disclose A First Processor Configured To Compare
`4. 
`Stored Authentication Information With The Authentication Information Of
`The User. ........................................................................................................... 12 
`Jakobsson In View Of Maritzen Discloses A First Processor Configured
`5. 
`To Encrypt A First Authentication Information. .............................................. 13 
`Jakobsson In View Of Maritzen Discloses A First Memory Configured
`6. 
`To Store First Biometric Information. .............................................................. 15 
`The Superficial Differences Identified By USR Would Not Have
`7. 
`Dissuaded A POSITA From Combining Jakobsson With Maritzen. ............... 17 
`B.  Claim 5 Is Obvious Over Jakobsson In View Of Maritzen and Niwa. ....... 18 
`1.  A POSITA Would Have Been Motivated To Combine Jakobsson And
`Maritzen With Niwa. ......................................................................................... 18 
`C.  USR Failed To Demonstrate Secondary Considerations Of Non-
`Obviousness. ......................................................................................................... 22 
`III.  Conclusion ...................................................................................................... 26 
` 
`
`
`
`ii
`
`

`

`I.
`
`Introduction
`USR’s Patent Owner Response (“POR”) repeats arguments that the Board
`
`already rejected, and fails to rebut Petitioner’s showing that the challenged claims
`
`are unpatentable. First, USR mischaracterizes the teachings of the Jakobsson,
`
`Maritzen, and Niwa references. Second, USR mischaracterizes the testimony of
`
`Petitioner’s expert, Dr. Shoup. Finally, USR fails to demonstrate any secondary
`
`considerations of non-obviousness whatsoever.
`
`II. Argument
`A. USR Fails To Overcome Petitioner’s Showing That The
`Challenged Claims Are Obvious.
`1.
`The Petition Shows That Jakobsson Discloses The “One Or
`More Signals.”
`As the Petition demonstrated, Jakobsson discloses the “one or more signals”
`
`limitation of claims 1 and 12. Pet., 30-34. In response, USR merely reiterates its
`
`POPR argument – already rejected by the Board (DI, 11) – that the Petition fails to
`
`adequately map the “one or more signals” and “attempts to satisfy its burden by
`
`showing that some (but not all) of the three types of information are transmitted
`
`and processed.” POR, 18-19. To the contrary, the Petition maps all “three types of
`
`information” to Jakobsson’s teachings at the first mention of the limitation, and
`
`then expressly cites back to this mapping when the limitation appears in
`
`subsequent claims. See Pet., 33, 36-37, 51-52. Ex-1128, Shoup-Decl., ¶12; Ex-
`
`1130, Juels-Decl., ¶¶44-45.
`
`1
`
`

`

`As Petitioner explained for 1[e] (the first mention of the “one or more
`
`signals” limitation): “Jakobsson discloses that the first processor is configured to
`
`generate an authentication code (e.g., authentication code 292) [one or more
`
`signals] including a first authentication code (e.g., authentication code 291) [first
`
`authentication information], a strength of a biometric match (E) [indicator of
`
`biometric authentication], and a time-varying value (T) [time-varying value].”
`
`Pet., 33. Ex-1128, Shoup-Decl., ¶13; Ex-1130, Juels-Decl., ¶¶44-45.
`
`Although limitation 1[f] does not require that the authentication code include
`
`all three pieces of information, Petitioner expressly incorporated its analysis for
`
`limitation 1[e] into its analysis for limitation 1[f]. Pet., 34 (see internal citation to
`
`Section IX.A.1.vii). Petitioner’s analysis for limitation 1[f] shows that the same
`
`authentication code discussed in limitation 1[e] (which includes all three pieces of
`
`information) is transmitted to the verifier. Ex-1128, Shoup-Decl., ¶14.
`
`Similarly, limitation 1[h] requires a second device “configured to provide
`
`the enablement signal indicating that the second device approved the transaction
`
`based on use of the one or more signals.” ’137 patent, claim 1. Petitioner showed
`
`that Jakobsson discloses the “one or more signals” recited in limitation 1[h] (Pet.,
`
`36-38), and USR’s argument (POR, 20) fails because Petitioner’s analysis under
`
`1[e] clearly shows that an authentication code can comprise a first authentication
`
`information, a strength of a biometric match, and a time varying value. Thus, if a
`
`2
`
`

`

`second device approves the transaction based on the same authentication code (as
`
`shown in Petitioner’s analysis for limitation 1[h]), then the second device also
`
`approves the transaction based on an authentication code that includes constituent
`
`elements used to derive that authentication code. Ex-1128, Shoup-Decl., ¶15.
`
`2.
`
`USR Erroneously Asserts That Jakobsson’s Combination
`Function Can Only Be A One-Way Function.
`For three reasons, USR is incorrect to suggest that Jakobsson’s combination
`
`function is only a one-way function that transforms the inputs into a “unitary
`
`authentication code” and does not “include” the separate values input into the
`
`combination function. POR, 22. Ex-1128, Shoup-Decl., ¶16; Ex-1130, Juels-
`
`Decl., ¶¶39-43.
`
`3
`
`

`

`First, Jakobsson discloses that the combination function can combine values
`
`in a number of ways that do not involve a one-way function,1 such as
`
`“prepending[,] appending[,] arithmetically adding … or other algorithm, or a
`
`combination of these and other techniques that combine two or more values
`
`together.” Ex-1113, Jakobsson, [0073]. USR relies on a single example in
`
`Jakobsson that happens to be a one-way function, while ignoring all the other ways
`
`that Jakobsson discloses combining values not involving a one-way function. Ex-
`
`
`1 As explained in Jakobsson, a one-way function is “a mathematical function that
`
`maps a universe of input values to a universe of output values in such a way that
`
`knowledge of the output of the function does not allow one to reconstruct the input
`
`provided.” Ex-1113, Jakobsson, [0071]. In contrast, prepending or appending
`
`input values simply involves concatenating input bit strings together to form an
`
`output that can be separated into its inputs. Prepending or appending does not map
`
`the universe of input values to a universe of output values. Similarly, the inputs to
`
`an arithmetic addition, such as an XOR function, can be reconstructed from the
`
`output by simply repeating the arithmetic addition again. Arithmetic addition does
`
`not map the universe of input values to a universe of output values. A POSITA
`
`would have understood that these examples are not one-way functions. Ex-1128,
`
`Shoup-Decl., ¶17.
`
`4
`
`

`

`1128, Shoup-Decl., ¶17. As Dr. Ari Juels (a named inventor of the Jakobsson
`
`reference) confirms, Jakobsson’s combination function is not confined to the use of
`
`one-way functions and can perform many other combinatory functions including
`
`prepending, appending, and arithmetic addition. Ex-1130, Juels-Decl., ¶¶39-43.
`
`Second, even if Jakobsson’s combination function were always implemented
`
`as a one-way function (which it is not), a “unitary authentication code” that is
`
`generated as a function of three pieces of information necessarily includes those
`
`three pieces of information. USR is wrong that “[a] POSITA would not recognize
`
`Jakobsson’s system to transmit one or more signals ‘including’ [the three elements]
`
`because the combination function transformed those pieces of information into a
`
`unitary authentication code prior to transmission.” POR, 22. As long as the inputs
`
`to the combination function share a computationally one-to-one relationship with
`
`the output authentication code (which they do), a POSITA would have understood
`
`that the authentication code “includes” those inputs. See Ex-2011, Shoup-Dep.
`
`51:20-52:6, 52-18-24 (“So mapping is one-to-one if there are no two inputs that
`
`yield the same output. And computationally one-to-one means it’s hard to find
`
`computationally difficult to find two inputs mapped to the same output even
`
`though they may exist.”). As USR acknowledges in its Conditional Motion to
`
`amend by adding limitations that require “separable fields,” the present claim does
`
`not require that the inputs are separately identifiable once combined. Paper No. 19
`
`5
`
`

`

`at A1 (amending claim 1 to recite “wherein the first processor is programmed to
`
`generate one or more signals having at least three separable fields that include
`
`including the first authentication information, an indicator of biometric
`
`authentication, and a time varying value”). Ex-1128, Shoup-Decl., ¶18; Ex-1130,
`
`Juels-Decl., ¶44-45.
`
`Third, even if the claims required that the elements be separable once
`
`combined, Jakobsson teaches that its combination function can, among other
`
`functions, prepend, append, or arithmetically add the inputs together. (Ex-1113,
`
`Jakobsson, [0073]. A POSITA would have understood that an authentication code
`
`created by prepending or appending inputs would “include” those inputs and would
`
`be separable into its constituent inputs after combination. Ex-1128, Shoup-Decl.,
`
`¶19; Ex-1130, Juels-Decl., ¶¶44-45.
`
`3.
`
`Jakobsson In View Of Maritzen Discloses The Claimed
`“Enablement Signal.”
`a)
`Jakobsson’s “Positive Or Negative Acknowledgement”
`Is Based On A “First Authentication Information” And
`An “Indication Of Biometric Authentication”
`Jakobsson satisfies the claim requirement of an “enablement signal based on
`
`the indication of biometric authentication… [and] at least a portion of the first
`
`authentication information” (’137 Patent, claim 1) because the enablement signal is
`
`based on both the first authentication information and the indication of biometric
`
`authentication. USR’s argument that the Petition points to the “same item” for
`
`6
`
`

`

`both an “indication of biometric authentication” and “first authentication
`
`information” (POR, 23-24) is incorrect. In fact, the Petition points to two different
`
`items: the “indication of biometric authentication” corresponds to a strength of a
`
`biometric match (E), while “first authentication information” corresponds to
`
`Jakobsson’s authentication code. Pet., 38-41. USR also incorrectly argues that the
`
`claims require that “the enablement signal be based on the two different types of
`
`information.” Id. The claims include no such requirement, or indeed any
`
`restrictions on the relationship between the first authentication information and the
`
`indication of biometric authentication. Ex-1128, Shoup-Decl., ¶¶20-21.
`
`Moreover, Jakobsson discloses other embodiments where a first
`
`authentication information and an indicator of biometric authentication are separate
`
`items combined to form an authentication code on which an enablement signal is
`
`based. As explained with respect to limitation 1[e], a first authentication
`
`information (e.g., authentication code 291) can be combined with an indicator of
`
`biometric authentication (E) to form a new authentication code (e.g., authentication
`
`code 292). Pet., 30-33. Jakobsson’s enablement signal is based on an
`
`authentication code that, as shown, is based on a first authentication information
`
`(291) and an indicator of biometric authentication (E). Therefore, Jakobsson’s
`
`enablement signal is based on the first authentication information (291) and the
`
`7
`
`

`

`indicator of biometric authentication (E). Ex-1128, Shoup-Decl., ¶21; Ex-1130,
`
`Juels-Decl., ¶¶46-47.
`
`Contrary to USR’s arguments (POR, 24-25), Jakobsson’s enablement signal
`
`is based on the various inputs to the authentication code (on which Jakobsson’s
`
`enablement signal depends) for several reasons. First, as discussed above,
`
`Jakobsson’s combination function is not limited to a one-way function. Second,
`
`the claim does not require that the inputs can be reconstructed from the
`
`authentication code. Third, even if the combination function “completely
`
`transform[ed]” the inputs (e.g., the indicator of biometric authentication) (POR,
`
`24-25), the enablement signal would still be based on the indicator of biometric
`
`authentication and the first authentication information because the enablement
`
`signal is based on the authentication code, which is based on the indicator of
`
`biometric authentication. In other words, Jakobsson’s enablement signal is based
`
`on the inputs to Jakobsson’s authentication code because Jakobsson’s
`
`authentication code is based on its inputs. It is irrelevant whether the inputs are
`
`“transformed” when the inputs are combined to form the authentication code
`
`because the enablement signal is still determined from a function that takes as its
`
`inputs the first authentication information and the indicator of biometric
`
`authentication. Ex-1128, Shoup-Decl., ¶¶22-23.
`
`8
`
`

`

`Moreover, as USR itself acknowledges, Jakobsson’s first authentication
`
`information and indicator of biometric authentication (on which the authentication
`
`code, and the enablement signal are based) are only transformed “in some
`
`instances” (POR, 25) and in such a way that, at most, “may make it impossible to
`
`reconstruct the inputs from the authentication code.2 As explained above, one-
`
`way functions are merely one, non-limiting embodiment of the combination
`
`function, which can also append, prepend, or arithmetically add input values such
`
`that they are not impossible to reconstruct. Ex-1128, Shoup-Decl., ¶24; Ex-1130,
`
`Juels-Decl., ¶¶39-43.
`
`b)
`
`Jakobsson’s “Positive Or Negative Acknowledgement”
`Is An “Enablement Signal.”
`Jakobsson discloses at [0050] that the verifier sends the “positive or negative
`
`acknowledgement” in response to the result of the authentication procedure, and
`
`not, as USR suggests, only upon “successful receipt of the authentication code”
`
`(POR, 26). The “positive or negative acknowledgement” is discussed immediately
`
`following a discussion about comparing and authenticating authentication
`
`information. A POSITA would have understood that the “positive or negative
`
`acknowledgement” indicates an acknowledgment of successful or failed
`
`authentication because the context of Jakobsson’s disclosure makes clear that the
`
`
`2 Emphasis added throughout unless otherwise noted.
`
`9
`
`

`

`positive or negative acknowledgement is sent in response to an authentication
`
`attempt and in connection with the authentication procedure discussed in [0050].
`
`Ex-1128, Shoup-Decl., ¶25; Ex-1130, Juels-Decl., ¶¶48-50.
`
`Moreover, a POSITA would have understood that Jakobsson’s “positive or
`
`negative acknowledgement” is not a simple acknowledgment that the verifier 105
`
`successfully received an authentication code. Unlike the authentication protocol
`
`described in Jakobsson, receipt acknowledgments are typically used by lower
`
`layers of a communication protocol stack to detect failed transmissions and
`
`facilitate retransmissions in a way that is transparent to the user. For example,
`
`Internet traffic is routinely routed over a transport layer protocol called TCP. TCP
`
`uses acknowledgements (ACKs) and negative acknowledgements (NACKS) to
`
`signal whether messages were successfully received and to retransmit dropped
`
`messages accordingly. These ACKs, NACKs, and retransmissions are invisible to
`
`the user. In contrast, Jakobsson makes clear that its “positive or negative
`
`acknowledgement” can be communicated “directly to the user.” Ex-1113,
`
`Jakobsson, [0050]. A POSITA would have understood that Jakobsson’s “positive
`
`or negative acknowledgement” is an enablement signal as claimed, and not a
`
`simple receipt acknowledgment because such receipt acknowledgements would not
`
`be relayed directly to the user while an enablement signal would be sent directly to
`
`the user. Ex-1128, Shoup-Decl., ¶26; Ex-1130, Juels-Decl., ¶¶48-50.
`
`10
`
`

`

`c)
`
`Jakobsson Does Not Teach Away From The Use Of
`Enablement Signals
`USR’s argument that Jakobsson teaches away from the use of an
`
`“enablement signal” fails for at least two reasons. First, Jakobsson actually
`
`discloses the use of an enablement signal called a “positive or negative
`
`acknowledgement.” (Pet., 36; Ex-1113, Jakobsson, [0050].) Jakobsson clearly
`
`does not teach away from an enablement signal because its “positive or negative
`
`acknowledgement” is an enablement signal tied to its authentication procedure.
`
`Ex-1128, Shoup-Decl., ¶27.
`
`Second, while Jakobsson includes one, non-limiting embodiment in which
`
`event states can covertly indicate when device tampering occurs, Jakobsson
`
`expressly limits the covert communication of event states to “some embodiments,”
`
`not all embodiments. Ex-1113, Jakobsson, [0019]. Jakobsson discloses numerous
`
`other examples that do not involve the covert transmission of event states. See,
`
`e.g., id., [0052]. In fact, Jakobsson recognizes that overt communication (which is
`
`plainly compatible with enablement signals) has its benefits. Id., [0019] (“Overt
`
`communication may be beneficial in that it allows a general observer to become
`
`informed about state information.”). Thus, Jakobsson does not teach away from
`
`the use of enablement signals. Ex-1128, Shoup-Decl., ¶27; Ex-1130, Juels-Decl.,
`
`¶¶51-52.
`
`11
`
`

`

`4.
`
`Jakobsson And Niwa Disclose A First Processor Configured
`To Compare Stored Authentication Information With The
`Authentication Information Of The User.
`Petitioner showed that Jakobsson in view of Maritzen and Niwa discloses
`
`the local authentication set forth in claim 5 (namely, a first processor “configured
`
`to compare stored authentication information with the authentication information
`
`of the user and configured to enable the first device based on a valid comparison”).
`
`(Pet., 53-63.) Ex-1128, Shoup-Decl., ¶28.
`
`More specifically, Jakobsson provides an express disclosure that
`
`authentication is conducted by comparing a stored value to a value received from
`
`the user (Ex-1113, Jakobsson, [0005]), and therefore USR is incorrect in asserting
`
`that Jakobsson is silent as to how a local authentication occurs. POR, 28. For
`
`example, Jakobsson explains that verifying devices performing an authentication
`
`“can observe [a biological] characteristic, and compare the characteristic to records
`
`that associate the characteristic with the entity.” Ex-1113, Jakobsson, [0005].
`
`Moreover, as Dr. Shoup and Dr. Juels explain, a POSITA would have understood
`
`that locally authenticating a user involves comparing a stored value against a
`
`received value. Ex-1128, Shoup-Decl., ¶29; Ex-1130, Juels-Decl., ¶¶53-56. While
`
`the POR asserts that “many ways” of authenticating a user are possible without
`
`comparing a stored value (POR, 28), USR and Dr. Jakobsson fail to identify a
`
`single viable alternative for conducting the claimed local authentication without
`
`12
`
`

`

`comparing a stored value with a received value. As Dr. Shoup explains, the sole
`
`example cited by Dr. Jakobsson in support of USR’s argument is completely
`
`inapplicable to local authentication. Ex-1128, Shoup-Decl., ¶29.
`
`Petitioner also showed that Niwa discloses claim 5 (Pet., 53-55), but USR
`
`argues that Niwa fails to disclose a processor capable of performing a comparison
`
`between a stored value and received value. POR, 29-30. USR’s argument is
`
`wrong for two reasons. First, Jakobsson discloses a processor that performs an
`
`authentication based on a comparison with a stored value, and a POSITA would
`
`have understood that the authentication involves a comparison with a stored value
`
`because it is conventional to do so and because there are no other practical ways to
`
`confirm the validity of a particular value without comparing it against a stored
`
`value. Niwa merely reinforces that authentication involves a stored value that is
`
`matched to a received value – not whether it is performed by a first processor.
`
`Second, Niwa expressly discloses that the fingerprint identification device 50
`
`includes a microprocessor (i.e., a first processor) programmed to compare a
`
`fingerprint received from a user with a stored fingerprint. Ex-1117, Niwa, 4:27-32.
`
`Ex-1128, Shoup-Decl., ¶30.
`
`5.
`
`Jakobsson In View Of Maritzen Discloses A First Processor
`Configured To Encrypt A First Authentication Information.
`Jakobsson in view of Maritzen discloses a first processor “configured to
`
`encrypt the first authentication information to communicate to the second device,”
`
`13
`
`

`

`as claim 6 requires. Pet., 43-45. For example, Jakobsson discloses various
`
`embodiments using encryption algorithms including block ciphers to encrypt an
`
`authentication code. Ex-1113, Jakobsson, [0071], [0073]. Jakobsson also
`
`discloses that “the verifier 105 decrypts a value encrypted by the user
`
`authentication device.” Id., [0058]. USR’s argument that “a value” is not
`
`necessarily the first authentication information communicated to the second device
`
`(POR, 30) is inconsistent with Jakobsson, which makes clear that the “value” being
`
`decrypted is an authentication code. Paragraph [0058] explains that the verifier
`
`105 “generates an authentication code” (i.e., a first authentication information) “by
`
`arithmetically combining a secret stored by the user authentication device 120 and
`
`a user-supplied PIN.” A POSITA would have understood that an arithmetic
`
`combination, such as an XOR, is a form of encryption and that [0058] of
`
`Jakobsson therefore discloses the encryption recited in claim 6. Ex-1128, Shoup-
`
`Decl., ¶¶31-32.
`
`Furthermore, even if Jakobsson’s combination function only generated
`
`authentication codes using a one-way function, a POSITA would not consider the
`
`encryption required by claim 6 to be “wholly redundant.” POR, 31. As discussed
`
`above, one-way functions are just one, non-limiting embodiment of Jakobsson,
`
`which discloses examples that do not include a one-way function. A POSITA
`
`would have understood that layering forms of encryption is commonly done to
`
`14
`
`

`

`improve security and such a scheme would not be “wholly redundant.” Rather,
`
`encrypting the inputs to or the outputs of the one-way function would have
`
`improved the overall security of the system. Ex-1128, Shoup-Decl., ¶33; Ex-1130,
`
`Juels-Decl., ¶¶59-62.
`
`Finally, while Petitioner showed that Maritzen discloses encrypting a first
`
`authentication information (i.e., a transaction key 340) (Pet., 43-44), USR argues
`
`that encrypting a “transaction key 340” is not the same as encrypting the first
`
`authentication information. POR, 31-32. However, Petitioner showed that
`
`Maritzen’s “transaction key 340” is a first authentication information, and USR
`
`provides no support for its contention that the transaction key 340 is not a first
`
`authentication information. Moreover, as Dr. Jakobsson conceded, the prior art
`
`discloses encrypting communications between devices for authenticating a user
`
`using biometric information and authentication information. Ex-1127, Jakobsson-
`
`Dep., 30:17-24, 31:17-33:21. A POSITA would have understood that the teaching
`
`of encryption could have been applied to any transmission or subset thereof that is
`
`performed by the authentication system – including the encryption of first
`
`authentication information. Ex-1128, Shoup-Decl., ¶34.
`
`6.
`
`Jakobsson In View Of Maritzen Discloses A First Memory
`Configured To Store First Biometric Information.
`Claim 7 requires a memory at the first device configured to store the first
`
`biometric information. Jakobsson discloses that the first device stores “data
`
`15
`
`

`

`derived from the biometric observation.” Pet., 45-46. USR argues that data
`
`derived from a biometric observation “is not necessarily the same ‘first biometric
`
`information’ captured by the biometric sensor” (POR, 32), but does not explain
`
`what the distinction is. The data captured from the biometric sensor is the same as
`
`the data derived from the biometric observation. Biometric sensors make a
`
`biometric observation and derive a data representation of that observation that can
`
`be stored. USR has not articulated any difference between Jakobsson’s “data
`
`derived from the biometric observation” and a captured biometric observation. Ex-
`
`1128, Shoup-Decl., ¶35; Ex-1130, Juels-Decl., ¶57. In fact, Dr. Jakobsson
`
`acknowledged that biometric sensors were known in the prior art, and were
`
`configured to collect a data representation of a biometric observation. Ex-1127,
`
`Jakobsson-Dep., 197:24-200:18.
`
`USR also argues that the claim “requires at least some temporary storage of
`
`the claimed first biometric information” and that “Jakobsson does not disclose this
`
`storage.” POR, 32. To the extent the claim requires that the first device include a
`
`storage mechanism, Jakobsson clearly discloses storage for the claimed first
`
`biometric information. See, e.g., Ex-1113, Jakobsson, [0041]. Petitioner showed
`
`that the user authentication device 120 performs an authentication based on
`
`biometric information (Pet., 27-28), and a POSITA would have understood that the
`
`on-board memory of the user authentication device 120 could be used to facilitate
`
`16
`
`

`

`this authentication by providing temporary storage. Ex-1128, Shoup-Decl., ¶36;
`
`Ex-1130, Juels-Decl., ¶58.
`
`7.
`
`The Superficial Differences Identified By USR Would Not
`Have Dissuaded A POSITA From Combining Jakobsson
`With Maritzen.
`USR attempts to distinguish Jakobsson and Maritzen by identifying
`
`superficial differences, but none of them would have dissuaded a POSITA from
`
`combining the teachings of the two references because they disclose remarkably
`
`similar electronic authentication systems. Ex-1128, Shoup-Decl., ¶37.
`
`For example, USR asserts that Jakobsson’s system is directed toward a
`
`“personal (as opposed to vehicle)” (emphasis in original) event detecting and alert
`
`system, but Maritzen’s device is also called a “personal transaction device” that is
`
`clearly handheld and designed for personal use. See Ex-1114, Maritzen, Fig. 6a.
`
`Both references are directed toward secure financial transactions that address the
`
`issue of electronic fraud. Pet., 22-25. It is irrelevant whether Maritzen discloses
`
`embodiments that are directed toward a vehicle payment system because a
`
`POSITA would have understood that the electronic authentication techniques
`
`taught by Jakobsson and Maritzen are readily transferable across both systems.
`
`Ex-1128, Shoup-Decl., ¶38.
`
`USR also makes arguments that appear to misunderstand that Jakobsson is
`
`the primary reference. For example, USR argues that “Petitioner cites examples of
`
`17
`
`

`

`Jakobsson’s use of a PIN or password… [i]n contrast, Maritzen does not teach
`
`PIN-based authentication,…including a PIN would be contrary to Maritzen’s goal
`
`of reducing the time it takes to complete the transaction.” POR, 36. However,
`
`Jakobsson is the primary reference, and none of Petitioner’s arguments propose
`
`adding a PIN to Maritzen’s system. Moreover, the use of PINs is one set of
`
`limited, non-exclusive examples in Jakobsson and in no way defines the scope of
`
`Jakobsson’s teachings. Both disclosures discuss many examples of authentication
`
`techniques that were known at the time. A POSITA would have recognized that
`
`both systems are directed toward electronic authentication systems and would have
`
`had the skill to combine discrete teachings from Maritzen into the system of
`
`Jakobsson. Ex-1128, Shoup-Decl., ¶39.
`
`Similarly, USR argues that a POSITA would not combine Jakobsson and
`
`Maritzen “because Maritzen already discloses a method of secured authentication
`
`[and] there is no need to add Jakobsson.” POR, 37. This argument is unfounded
`
`and irrelevant. None of Petitioner’s grounds proposes adding the teachings of
`
`Jakobsson to Maritzen. Jakobsson is the primary reference. Ex-1128, Shoup-
`
`Decl., ¶40.
`
`B. Claim 5 Is Obvious Over Jakobsson In View Of Maritzen and
`Niwa.
`1.
`A POSITA Would Have Been Motivated To Combine
`Jakobsson And Maritzen With Niwa.
`
`18
`
`

`

`Combining Niwa with Jakobsson and Maritzen is appropriate because (a)
`
`USR’s argument relies on a fabricated a “main goal” of Maritzen, (b) Niwa does
`
`not require the transmission of biometric information, and (c) the purported
`
`incompatibility of some embodiments from secondary references would not
`
`dissuade a POSITA from combining these references. Ex-1128, Shoup-Decl., ¶41.
`
`a)
`USR Fabricates A “Main Goal” Of Maritzen.
`USR argues that Maritzen’s “main goal” is to provide “anonymity,” which it
`
`equates, citing no support, with a ban on sending personally identifiable
`
`information. POR, 34. But Maritzen does not bar sending “personally identifiable
`
`information.” Maritzen never uses the term “personally identifiable information,”
`
`and USR provides no definition for this term.3 USR argues that Dr. Shoup
`
`“confirmed at his deposition that the Maritzen system does not transmit any
`
`personally identifiable user or biometric information” (POR, 34), but he never
`
`made such a statement. Rather, he testified that Maritzen only limits transmission
`
`
`3 In fact, Dr. Shoup asked for a definition that counsel for USR never provided.
`
`Ex-2011, Shoup-Dep., 28:15-20 (“Q. So is it fair to say that the anonymous
`
`credentialing system didn't use any personally identifiable information in
`
`connection with the authentication? A. What do you mean by ‘personally
`
`identifiable information’?”
`
`19
`
`

`

`of user data from the user device to the point-of-sale device (Maritzen’s VAPGT).
`
`Ex-2011, Shoup-Dep., 163:14-16 (“It says here in this embodiment that no user
`
`information is transmitted to the VAPGT…”) (emphasis added), 160:23-24 (“it’s
`
`not sent during the protocol to the VAPGT”) (emphasis added). Ex-1128, Shoup-
`
`Decl., ¶42.
`
`As Dr. Shoup explained, Maritzen contemplates the transmission of
`
`encrypted biometric information because such biometric information would not
`
`“identify[] the user.” Ex-2011, Shoup-Dep., 201:19-202:1 (“biometric information
`
`identifying the user would be information as presented that would identify the user
`
`and if that information were encrypted, for example, then that information wouldn't
`
`identify the user”). Maritzen does not prohibit the transmission of biometric
`
`information in any form whatsoever. It teaches that biometric information
`
`identifying the user is not transmitted in some circumstances. Encrypted or
`
`cryptographically protected biometric information would not identify the user.
`
`Thus, at most, Maritzen advises against sending unprotected personal information.
`
`Ex-1128, Shoup-Decl., ¶42.
`
`b)
`
`Even If Maritzen Discouraged Sending User
`Information (Which It Does Not), Niwa Does Not
`Require Sending User Information.
`Niwa does not require sending any sensitive information, and would not be
`
`incompatible with Maritzen even if Maritzen were read to discourage sending user
`
`20
`
`

`

`information (which it does not). USR misleadingly cites to a portion of Niwa’s
`
`disclosure about sending information including “at least one of authenticatio