`
`UNITED STATES PATENT AND TRADEMARK OFFICE
`
`
`
`
`
`
`
`
`
`
`BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`FACEBOOK, INC., INSTAGRAM, LLC, and WHATSAPP INC.,
`Petitioners
`
`v.
`
`BLACKBERRY LIMITED,
`Patent Owner
`
`
`
`
`
`
`
`
`
`
`
`
`Case No. IPR2019-00923
`Patent No. 7,372,961
`
`
`
`
`
`
`
`
`
`
`
`
`DECLARATION OF MARKUS JAKOBSSON, PH.D.
`
`Page 1
`
`BLACKBERRY 2001
`FACEBOOK V. BLACKBERRY
`IPR2019-00923
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 001
`
`

`

`TABLE OF CONTENTS
`
` 
`INTRODUCTION AND SCOPE OF WORK ................................................ 4 
`I. 
`QUALIFICATIONS ........................................................................................ 5 
`II. 
`III.  MATERIALS CONSIDERED ........................................................................ 9 
`IV.  PERSON OF ORDINARY SKILL IN THE ART ........................................ 10 
`V.  OVERVIEW OF THE ’961 PATENT .......................................................... 11 
`VI. 
`INTERPRETATION OF THE ’961 PATENT CLAIMS AT ISSUE ........... 14 
`VII.  OVERVIEW OF THE CITED REFERENCES ............................................ 16 
`A.  DSS ...................................................................................................... 16 
`B.  
`Rose ..................................................................................................... 19 
`C.   Menezes ............................................................................................... 21 
`D. 
`Schneier ............................................................................................... 23 
`VIII.  THE PETITION FAILS TO ESTABLISH THAT THE CITED
`REFERENCES WOULD HAVE PROVIDED FOR REPETITION OF THE
`REQUISITE OPERATIONS RECITED IN INDEPENDENT CLAIMS 1,
`15, AND 23 .................................................................................................... 23 
`A. 
`The ’961 Claims Require Repetition Of Operations For Both Random
`Seed Value Generation And Hashing Of The Seed Value If A
`Preceding Hashed Value Is Not Less Than Said Order Q .................. 23 
` The References Cited In Grounds 1 And 3 Do Not Disclose Repetition
`Of The Required Operations ............................................................... 26 
`C.   Grounds 2 And 4 Do Not Disclose Repetition Of The Required
`Operations ........................................................................................... 38 
`IX.  SUBSEQUENT DSS RELEASES DEMONSTRATE THAT THE
`PETITIONER’S THEORY WAS ROOTED IN HINDSIGHT, NOT THE
`REALITY AT THE TIME ............................................................................ 48 
`
`B.
`
`Page 2
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 002
`
`

`

`X. 
`
`A. 
`FIPS 186-2 (October 2001) ................................................................. 49 
`FIPS 186-3 (June 2009) ....................................................................... 51 
`B.  
`LEGAL STANDARDS ................................................................................. 55 
`A.  Obviousness ......................................................................................... 55 
`XII.  ADDITIONAL REMARKS .......................................................................... 60 
`
`
`Page 3
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 003
`
`

`

`I, Markus Jakobsson, Ph.D., of Portoloa Valley, California, declare that:
`
`I.
`
`INTRODUCTION AND SCOPE OF WORK
`1.
`I have been retained by Fish & Richardson P.C. as an expert witness
`
`on behalf of BlackBerry Limited (“Blackberry” or “Patent Owner”). I understand
`
`that Facebook, Inc., Instagram, LLC, and WhatsApp Inc. (“Petitioners”) filed a
`
`petition for inter partes review (“IPR”) of claims 1, 2, 5, 15, 16, 19, 23, 24, and 27
`
`of U.S. Patent No. 7,372,961 (“the ’961 patent”), and the case was assigned case
`
`no. IPR2019-00923.
`
`2.
`
`I have been asked to provide my independent analysis of the ’961
`
`patent in light of the materials cited below and my knowledge and experience in
`
`this field during the relevant period. I have been asked to consider what a person
`
`of ordinary skill in the art at the time of the invention of the ’961 patent (a
`
`“POSITA”; refer to ¶¶15-16) would have understood from the teachings of the
`
`’961 patent, including scientific and technical knowledge related to the ’961 patent.
`
`I have also been asked to consider whether the references cited in the petition
`
`anticipate or render obvious the inventions described by independent claims 1, 15,
`
`and 23 of the ’961 patent. I have been told that this is only a preliminary stage of
`
`this proceeding, and accordingly, I address at this stage only certain aspects of the
`
`petition and only some of my analysis of the cited grounds. I reserve the
`
`Page 4
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 004
`
`

`

`opportunity to address other issues and provide further analysis at a later date
`
`should it become necessary.
`
`3.
`
`I am being compensated according to my normal hourly rate for my
`
`time providing my independent analysis in this aforementioned IPR proceeding,
`
`but my compensation is not contingent in any way on the content of my analysis or
`
`the outcome of this proceeding. I am not, and never was, an employee or agent of
`
`BlackBerry Limited, the owner of the ’961 patent.
`
`II. QUALIFICATIONS
`4. My findings, as explained below, are informed by my studies,
`
`experiences, and background as described below and set forth in greater detail in
`
`my Curriculum Vitae (attached as Appendix A). Based on my experience, I
`
`understand and know of the capabilities of persons of ordinary skill in the field of
`
`cryptography during the timeframe leading up to the earliest priority date of
`
`the ’961 patent (December 27, 2000), and indeed, I have personal knowledge and
`
`experience in working directly with many such persons in the field during that
`
`timeframe. I have also relied on my review and analysis of the prior art cited in the
`
`petition, information provided to me in connection with this case, and information
`
`I have independently reviewed. See Section III.
`
`5.
`
`I received a Ph.D. in Computer Science/Cryptography in 1997 from
`
`the University of California San Diego and a M.Sc. in Computer Engineering in
`
`Page 5
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 005
`
`

`

`1994 from the Lund Institute of Technology, Sweden. The title of my doctoral
`
`thesis was “Privacy vs. Authenticity,” and the focus was on secure digital
`
`commerce.
`
`6.
`
`In my professional capacity, I have worked extensively with
`
`technologies related to computer security, mobile security, malware detection,
`
`quantitative and qualitative fraud analysis, and disruptive security. I have studied
`
`and published on many topics including randomness, digital signatures, and
`
`security analysis.
`
`7.
`
`I am currently the Chief of Security and Data Analytics at Amber
`
`Solutions, Inc. My work there is to develop and evaluate algorithms to process
`
`sensor outputs from distributed and mobile sensor networks, which generate
`
`predicates related to the underlying actions of users in the proximity of the sensor
`
`networks; to develop and evaluate algorithms to protect the privacy of such users;
`
`to develop and evaluate algorithms to protect the security of such users; and to
`
`develop and evaluate algorithms that assess the risk of attacks against the system. I
`
`also work as an independent security researcher and consultant in the fields of
`
`computer/mobile security, fraud detection/prevention, digital rights management,
`
`malware, phishing, crimeware, mobile malware, and cryptographic protocols. In
`
`addition, I am a visiting research fellow of the Anti-Phishing Working Group, an
`
`Page 6
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 006
`
`

`

`international consortium focused on unifying the global response to cybercrime in
`
`the public and private sectors.
`
`8.
`
`I have been materially involved in designing, developing, testing, and
`
`assessing technologies for computer and network security, digital rights
`
`management, trust establishment, randomness, cryptography, socio-technical fraud,
`
`malware detection, detection of malicious emails, user interfaces, authentication,
`
`and fraud detection for over twenty years. Between 2013 and 2015, I served as a
`
`Senior Director at Qualcomm where my work focused on mobile security systems
`
`and mobile malware detection.
`
`9.
`
`I have authored or co-authored more than 100 publications including
`
`technical papers, textbooks, textbook chapters, and articles, and have delivered
`
`numerous presentations including keynotes at several international conferences and
`
`workshops, as well as the US Patent and Trademark Office. These publications of
`
`topics including, but not limited to: digital signatures, randomness, security
`
`analysis, crimeware, phishing, electronic identity theft, email security, endpoint
`
`security, network security, digital fraud, software based attestation, remote
`
`transaction security and malware detection. My peer reviewed publications have
`
`been cited at least 14,875 times, according to Google Scholar. I hold more than
`
`100 patents.
`
`Page 7
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 007
`
`

`

`10. Examples of textbooks I have authored or co-authored on the topic of
`
`Internet security include:
`
` “Crimeware: Understanding New Attacks and Defenses” (Symantec
`Press, 2008)
` “Phishing and Countermeasures: Understanding the Increasing Problem
`of Electronic Identity Theft” (Wiley, 2006)
` “The Death of the Internet” (Wiley, 2012)
` “Mobile Authentication: Problems and Solutions” (Springer, 2012)
` “Understanding Social Engineering Based Scams” (Springer, 2016)
` “Towards Trustworthy Elections: New Directions in Electronic Voting”
`(Springer, 2010); and
` “Mobile Authentication: Problems and Solutions” (Springer, 2012)
`11.
`I have authored or provided inventive contributions to numerous
`
`publications regarding randomness and/or digital signatures. Relevant examples of
`
`such publications include:
`
` “A practical secure physical random bit generator”, CCS ’98 Proceedings
`of the 5th ACM conference on Computer and communications security
`(pp. 103-111)
` “How to turn loaded dice into fair coins”, IEEE Transactions on
`Information Theory (Vol. 46, Issue: 3, May 2000)
` U.S. Patent No. 6,317,499
`12.
`In view of the foregoing, I believe I possess the expertise to testify
`
`from the perspective of a POSITA with respect to the technology at issue in this
`
`case.
`
`Page 8
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 008
`
`

`

`III. MATERIALS CONSIDERED
`13.
`In preparing this declaration, I have considered the claims,
`
`specification, and prosecution history of the ’961 patent. I have also read and
`
`considered the petition for inter partes review in Case No. IPR2019-00923. As
`
`part of my analysis for this declaration, I have considered my own knowledge and
`
`experience, including my work and experience in the field of cryptography, and
`
`my experience in working with others in these fields. Some additional materials
`
`that I have reviewed in preparing this declaration include the following documents:
`
` Ex. 1001: U.S. Patent No. 7,372,961 (“the ’961 Patent”)
` Ex. 1002: Declaration of Jonathan Katz, Ph.D. (“Katz Declaration”)
` Ex. 1003: Prosecution History for U.S. Patent Application No.
`10/025,924 (“’961 file history”)
` Ex. 1004: Federal Information Processing (FIPS) Publication 196,
`Digital Signature Standard (“DSS”)
` Ex. 1005: Excerpts from Alfred J. Menezes et al., Handbook of
`Applied Cryptography (“Menezes”)
` Ex. 1006: USENET article by Greg Rose (“Rose”)
` Ex. 1008: Excerpts from Bruce Schneier, Applied Cryptography (2d
`ed. 1996) (“Schneier”)
` Ex. 1018: Excerpts from Thammavarapu R. N. Rao, Error Coding for
`Arithmetic Processors (1974) (“Rao”)
` EX. 1019: Excerpts from Nancy A. Floyd, Essentials of Data
`Processing (1987) (“Floyd”)
`
`Page 9
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 009
`
`

`

` Ex. 2002: FIPS PUB 186-2, Digital Signature Standard (DSS) Change
`Notice (October 5, 2001)
` Ex. 2003: FIPS PUB 186-3, Digital Signature Standard (DSS) (June
`2009)
` Ex. 2004: Corrected Final Ruling on Claim Construction/Markman
`Hearing, Blackberry Limited v. Snap Inc., Case Nos. CV 18-1844-GW
`& 18-2693-GW (C.D. Cal. April 5, 2019) (“Markman Order”)
` Ex. 2005: Serge Vaudenay, Evaluation Report on DSA (2003)
`(“Vaudenay”)
`14. Further, in addition to the exhibits listed above, I have reviewed the
`
`remaining exhibits submitted with the petition in this proceeding—including Ex.
`
`1009 through Ex. 1017 and Ex. 1020 through Ex. 1035, which were listed in the
`
`petition (at petition p. i-iv) but not expressly set forth in the listing of Grounds 1-4
`
`(at petition p. 4).
`
`IV. PERSON OF ORDINARY SKILL IN THE ART
`15.
`I understand that the teaching of the prior art is viewed through the
`
`eyes of a POSITA. My analysis is thus based on the perspective of a POSITA
`
`having this level of knowledge and skill at the relevant time of the invention. For
`
`purposes of my analysis, I have been informed that the priority date of the ’961
`
`patent is no later than the December 27, 2000 timeframe, and I have applied this
`
`timeframe as being the relevant time for the perspective of a POSITA. For
`
`purposes of assessing the level of ordinary skill in the art, I have considered the
`
`Page 10
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 010
`
`

`

`types of problems encountered in the art, the prior solutions to those problems
`
`found in prior art references, the speed with which innovations were made at that
`
`time, the sophistication of the technology, and the level of education of active
`
`workers in the field. As previously described, I have reviewed and understand the
`
`’961 patent. Based on my above-described experience, I am familiar with and
`
`know of the capabilities of a POSITA in this field during the late 1990s and early
`
`2000s.
`
`16. Based upon my knowledge and experience in this area, I believe a
`
`POSITA at the time of the invention would have had a bachelor of science degree
`
`in Computer Science or the equivalent, and approximately three years of work or
`
`research experience in the field of cryptography or an equivalent subject matter; or
`
`an advanced degree (masters or doctorate) in Computer Science or the equivalent,
`
`and less work or research experience (dependent in part on the level of degrees
`
`achieved) in the field of cryptography or an equivalent subject matter. My analysis
`
`as to the level of ordinary skill in the art would remain the same regardless of
`
`whether the time of the invention is found to be in December 2000, or some later
`
`time up until and including the December 26, 2001 filing date of the ’961 patent.
`
`V. OVERVIEW OF THE ’961 PATENT
`17. U.S. Patent 7,372,961 (“the ’961 patent”) is titled “Method of Public
`
`Key Generation,” and its Abstract provides that “[a] potential bias in the generation
`
`Page 11
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 011
`
`

`

`[of] a private key is avoided by selecting the key and comparing it against the
`
`system parameters[,]” and “[i]f a predetermined condition is attained it is
`
`accepted” or “[i]f not it is rejected a new a new key is generated.” EX1001,
`
`Abstract; see also id., 2:65-3:4, 3:64-4:17, FIG. 2.
`
`18. The background section of the ’961 patent discloses that certain
`
`cryptographic functions such as the Digital Signature Algorithm (DSA) “utilize
`
`both long term and ephemeral keys to generate a signature of [a] message.” Id.,
`
`1:54-56. A party that digitally signs a message typically employs a new ephemeral
`
`key k on a per-message or per-session basis in order to obscure the party’s
`
`permanent or long-term private key. Id., 1:33-51.
`
`19. According to the ’961 patent, the selection of a key k should be
`
`randomized within a range of values. However, certain implementations of the
`
`DSA, including the Digital Signature Standard (DSS) that was promulgated by the
`
`National Institute of Standards and Technology (NIST) in the FIPS 186-2 standard,
`
`“inadvertently introduce a bias in to the selection of k.” Id., 2:3-34. This bias
`
`made the selection of some values for the key k within the acceptable range more
`
`likely than others. Id. The’961 patent explained that the bias could be “exploited
`
`to extract a value of the [user’s long-term] private key d and thereafter render the
`
`security of the system vulnerable.” Id., 2:33-36. For example, a security
`
`researcher, Dr. Daniel Bleichenbacher, determined that the method specified in
`
`Page 12
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 012
`
`

`

`DSS for generating the ephemeral key k introduced sufficient bias such that an
`
`examination of 222 signatures could allow a hacker to derive a user’s long-term
`
`private key and effectively be able to pose as the user. Id., 2:56-61. But, despite
`
`Dr. Bleichenbacher’s recognition of a security vulnerability stemming from DSS’s
`
`biased selection of ephemeral key k, a workable solution to the problem had not yet
`
`been resolved before the effective filing date of the ’961 patent (December 27,
`
`2000).
`
`20. The solution proposed by the inventors of the ’961 patent involved
`
`determining a key k by first generating a seed value from a random number
`
`generator, hashing the seed value using a suitable hash function (e.g., SHA), and
`
`comparing the output of the hash function to a parameter related to how the key k
`
`was to be employed (e.g., q in DSS). Id., 3:64-4:17, FIG. 2. Because the length L
`
`of the output of the hash function in terms was at least as long as the length of the
`
`parameter q against which the hash output is compared, the output of the hash
`
`function would sometimes exceed the value of q and fall outside the acceptable
`
`range of values for the key k (e.g., since k must be less than q in DSS). The
`
`inventors proposed to ensure the selection of a compliant key k without introducing
`
`bias by either accepting the hashed seed value as the key k if the hashed value were
`
`less than the compared parameter (e.g., q), and rejecting the hashed value as the
`
`key k if the hashed value were greater than or equal to that parameter. EX1001,
`
`Page 13
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 013
`
`

`

`3:64-4:17, FIG. 2 (reproduced below). If a hashed value was rejected for being too
`
`large, the method would repeat until an acceptable hash value was found that could
`
`be used as the key k. Id. This approach stands in contrast, for example, to DSS’s
`
`method of generating key k where a modulo reduction was performed on the output
`
`of a hash function—thereby introducing the bias that Dr. Bleichenbacher was able
`
`to leverage to compromise the long-term private key of a user. See EX1004, p. 18.
`
`
`
`EX1001, FIG. 2.
`
`VI.
`
`INTERPRETATION OF THE ’961 PATENT CLAIMS AT ISSUE
`21.
`I understand that, for purposes of my analysis in this IPR proceeding,
`
`the terms appearing in the patent claims should be interpreted according to their
`
`plain and ordinary meaning under the Phillips standard. Phillips v. AWH Corp.,
`
`415 F.3d 1303, 1312-13 (Fed. Cir. 2005) (en banc). According to Phillips, the
`
`Page 14
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 014
`
`

`

`structure of the claims, the specification, and the patent prosecution history are
`
`used to construe a claim, and the “ordinary meaning” of a claim term is its
`
`meaning that would have been recognized by a POSITA after reading the entire
`
`patent. Moreover, Phillips provides that even treatises and dictionaries may be
`
`used, albeit under limited circumstances, to determine the meaning attributed by a
`
`POSITA to a claim term at the time of filing. For example, Phillips cautions
`
`against heavy reliance on the dictionary divorced from the intrinsic record of the
`
`patent, such as the patent’s specification. I followed this approach in my analysis.
`
`22.
`
`I also understand that the words of the claims should be interpreted as
`
`they would have been interpreted by a POSITA at the time the invention was made
`
`(not today). For purposes of my analysis here, I have used the December 27, 2000
`
`priority date of the ’961 patent as the date of invention. Without exception,
`
`however, my analysis of the proper meaning of the recited claim elements (under
`
`the Phillips standard) in this declaration would be correct if the date of invention
`
`was anywhere in the late 1990s or early 2000s.
`
`23.
`
`I understand that the district court in a related proceeding involving
`
`the ’961 patent issued a Corrected Final Ruling on Claim Construction (“Markman
`
`Order”) on April 5, 2019. EX2004. I have reviewed the sections of the Markman
`
`Order that pertain to the ’961 patent. I understand that the claim construction
`
`standard under Phillips that applies in this inter partes review is the same standard
`
`Page 15
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 015
`
`

`

`that the court applied in its Markman Order. For purposes of my analysis of the
`
`challenged claims in this IPR proceeding, I have employed the same constructions
`
`that were adopted by the court in the Markman Order. For example, I understand
`
`that the court construed the term “reducing mod q” in the Markman Order to mean
`
`“computing the remainder of dividing a value by q.” EX2004, 36. I have adopted
`
`the construction of this term for purposes of my analysis in this declaration. I note,
`
`however, that all of the shortcomings of Grounds 1-4 (as detailed below) would
`
`remain true even if the alternative interpretation of this claim phrase (as explained
`
`at p. 34-35 of the Markman Order) was implemented.
`
`VII. OVERVIEW OF THE CITED REFERENCES1
`A. DSS
`24.
`I understand that the primary reference cited in each ground of the
`
`petition is the Federal Information Processing Standards Publication (FIPS) 186,
`
`
`
`1 I understand the petition cites Rao (EX1018) and Floyd (EX1019) in combination
`
`with DSS, Rose, and Schneier in Ground 3, and in combination with DSS,
`
`Menezes, and Schneier in Ground 4. Pet., 57-63. The petition’s stated reasons for
`
`reliance on Rao and Floyd are not directly implicated by the particular claim
`
`element addressed in this declaration. Therefore, I did not include specific
`
`summaries of Rao and Floyd in this declaration.
`
`Page 16
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 016
`
`

`

`entitled Digital Signature Standard (“DSS”). See EX1004. DSS describes a
`
`standardized version of the Digital Signature Algorithm. Id., 5. This algorithm,
`
`which is also referenced in the background section of the ’961 patent (specifically,
`
`the ’961 patent refers to the FIPS 186-2 release of DSS), descscribes rules and
`
`parameters for computing a digital signature of an electronic message. Id. The
`
`digital signature allows “the identity of the signatory” of the message to be
`
`verified, and also allows the recipient of a message to verify its integrity. Id. For
`
`example, Figure 1 from DSS (reproduced below) depicts an overview of the
`
`signature generation and verification functions set forth in the standard:
`
`EX1004, FIG. 1.
`
`25. DSS provides for the use of two keys to generate a digital signature of
`
`a message: (1) a long-term secret (private) key x that belongs to the signing party
`
`
`
`Page 17
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 017
`
`

`

`and is used across all messages signed by that party, and (2) a short-term (also
`
`referred to as “ephemeral”) key k that is typically used just once so that every
`
`message signed by a particular party is signed with a different short-term key k.
`
`As the background of the ’961 patent explains, “[t]he ephemeral private key is
`
`generated at the start of each session between a pair of correspondents” (along with
`
`a “corresponding, ephemeral public key”),” and “[o]nce the session is terminated,
`
`the ephemeral key is securely discarded and a new ephemeral key generate for a
`
`new session.” EX1001, 1:38-51.
`
`26. DSS describes the following algorithm for generating a batch of
`
`ephemeral keys k:
`
`EX1004, 18.
`
`Page 18
`
`
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 018
`
`

`

`27. At step 1, the algorithm for generating key k involves first obtaining a
`
`seed-key, referred to as KKEY. Id. A one-way function G() is then applied to
`
`KKEY at Step 3(a). Id. The one-way function G() can be a hash or a block cipher
`
`such as those specified by the Secure Secure Hash Algorithm (SHA) or Data
`
`Encryption Standard (DES), respectively. Id., 17. Because the value of key k must
`
`be less than the a pre-defined prime number q and the output of G() may be larger
`
`than q, DSS provides for a reduction modulo q to be performed on the output of
`
`G() to ensure that the value of key k is less than q. However, as explained in the
`
`background of the ’961 patent, a bias is introduced by the modular reduction due to
`
`a greater likelihood of computing values in a first interval than a second. EX1001,
`
`2:48-55.
`
`28. DSS also allows for generation of a batch of keys k based by
`
`performing a random selection of KKEY just once (at step 1). EX1004, 18. After
`
`the algorithm computes the initial key k in the batch, subsequent keys k are
`
`generated by updating the value of the seed-key (KKEY) using the deterministic
`
`formula from step 3(d): KKEY = (1 + KKEY + k) mod 2b. EX1004, 14.
`
`B. Rose
`29. The Rose reference is an article that was allegedly posted to a pair of
`
`USENET newsgroups in the 1990s. See EX1006. Rose describes a method for
`
`Page 19
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 019
`
`

`

`“roll[ing] a random number in the interval [0, n),” and even provides computer
`
`code for an implementation of its method:
`
`
`
`EX1006, 2.
`
`30. The roll() function specifies several operations for generating a
`
`random number within a desired range [0, n). First, Rose computes the largest
`
`multiple of n that is less than or equal to BIG, where BIG is “the biggest value
`
`returned by random ().” The computed multiple is assigned to the variable
`
`‘biggest.’ Id. Rose then provides a do-while loop that repeatedly determines a
`
`random number using the random() function until the output of the random()
`
`function is less than the value of ‘biggest.’ Id. Because the final output of the
`
`random() function, which is assigned ot ‘rval’, upon exiting the loop is compared
`
`to a multiple of n and thus may be greater than the maximum value of the specified
`
`Page 20
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 020
`
`

`

`range (n-1), Rose’s roll() function computes ‘rval’ modulo n and returns the result
`
`of this operation as the output of the software routine. Id.
`
`C. Menezes
`31. Grounds 2 and 4 of the petition cite the “Handbook of Applied
`
`Cryptography” by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone
`
`(“Menezes”). See EX1005. While Menezes covers a number of topics, the
`
`petition principally relies upon disclosure from the following paragraph on the
`
`subjects of random numbers and random bit generators:
`
`
`
`EX1005, 69.
`
`32.
`
`In this description, Menezes discloses that a random bit sequence is
`
`converted to an integer. I understand the petition alleges that the operation of
`
`converting a random bit sequence to an integer corresponds to a hashing operation
`
`performed on a seed value, but based on my knowledge and experience in the field,
`
`I am confident a POSITA would have found this contention to be an error. A
`
`POSITA would have known as a basic computer science or engineering matter that
`
`to obtain an integer value from a random bit generator, all it takes would be to
`
`iterate the bit generation process the proper number of times (e.g., 160 times for a
`
`Page 21
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 021
`
`

`

`160-bit integer using a pseudo-random bit generator that produces one bit at a
`
`time) and to concatenate the outputs to form an integer. This type of formatting is
`
`straightforward and can be achieved in a variety of ways, such as using string
`
`concatenation, bit-shift and addition, and more. This is completely different from
`
`the function performed by a hash function, and orders of magnitude less
`
`computationally demanding.
`
`33. Moreover, Menezes describes a solution for obtaining a random
`
`integer in a fundamentally different than that provided by the ’961 claims.
`
`Specifically, Menezes assumes the availability of a perfect random bit generator
`
`that could generate each bit in a sequence without any bias. But a POSITA would
`
`have recognized that such a bit generator that exhibited perfect randomness is
`
`largely theoretical and unavailable for broad adoption on a wide range of systems
`
`(such as the range of systems that typically implemented DSS). By starting with a
`
`perfect random bit generator, Menezes had no need to perform additional
`
`transformations on the random integer produced by the bit generator. In reality,
`
`however, Menezes’ approach is impractical, and so the ’961 patent provides a
`
`materially different solution for generating an unbiased output within a desired
`
`range by first obtaining a seed value from a random number generator, and then
`
`hashing the seed value, thereby removing or obscuring any bias that is often
`
`present in real-world random number generators.
`
`Page 22
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 022
`
`

`

`D.
`Schneier
`34. Each ground of the petition also relies upon the textbook Applied
`
`Cryptography (2nd Ed.) by Bruce Schneier (“Schneier”). See EX1008. The
`
`petition cites Schneier for its discussion of “various techniques for generating
`
`random and pseudorandom numbers” and its alleged description of the “benefit of
`
`[true random numbers] over pseudorandom numbers in cryptographic key
`
`generation.” Pet., 27 (citing EX1008, 146-153).
`
`VIII. THE PETITION FAILS TO ESTABLISH THAT THE CITED
`REFERENCES WOULD HAVE PROVIDED FOR REPETITION OF
`THE REQUISITE OPERATIONS RECITED IN INDEPENDENT
`CLAIMS 1, 15, AND 23
`A. The ’961 Claims Require Repetition Of Operations For Both
`Random Seed Value Generation And Hashing Of The Seed Value
`If A Preceding Hashed Value Is Not Less Than Said Order Q
`I understand that independent claim 1 of the ’961 patent recites the
`
`35.
`
`following language:
`
`generating a seed value SV from a random number
`generator;
`performing a hash function H( ) on said seed value SV
`to provide an output H(SV);
`determining whether said output H(SV) is less than
`said order q prior to reducing mod q;
`accepting said output H(SV) for use as said key k if the
`value of said output H(SV) is less than said order q;
`rejecting said output H(SV) as said key if said value is
`not less than said order q;
`if said output H(SV) is rejected, repeating said
`method;
`
`Page 23
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 023
`
`

`

`
`EX1001, 5:36-51 (emphasis added).
`
`36.
`
` Independent claims 15 and 23 recite corresponding language to the
`
`language quoted above from claim 1. Id., 6:62-64 (claim 15), 7:31-8:6 (claim 23).
`
`37. Notably, each of claims 1, 15, and 23 provides that “if said output
`
`H(SV) is rejected,” then the claimed method is to be repeated. The method that is
`
`to be repeated entails multiple operations as expressly recited in the claims,
`
`including “generating a seed value SV from a random number generator” and
`
`“performing a hash function H( ) on said seed value SV to provide an output
`
`H(SV).” Id., 5:37-40. In other words, if in a first iteration of the method, the
`
`output H(SV) is rejected due to the value of H(SV) not being less than the order q,
`
`the ’961 claims provide that the method must repeate such that, in a second
`
`iteration, a new seed value SV would be generated from a random number
`
`generator and the has function H( ) would be performed on the new seed value SV
`
`to provide another output H(SV). This pattern of operations is confirmed by
`
`Figure 2 of the ’961 patent, in which, after the rejection of H(seed), the flowchart
`
`returns to box 26 where a new seed value is obtained from the output of the
`
`random number generator (RNG):
`
`Page 24
`
`MOBILEIRON, INC. - EXHIBIT 1030
`Page 024
`
`

`

`
`
`EX1001, FIG. 2; see also id., 4:11-17 (“The resultant output H(seed) is tested
`
`against the value of q and a decision made based on the relative values. If
`
`H(seed)<q then it is accepted for use as k. If not, the value is rejected and the
`
`random number generator is conditioned to generate a new value which is again
`
`hashed by the function 28 and tested. This loop continues until a satisfactory value
`
`is obtained.”).
`
`38. Despite the plain requirements of claims 1, 15, and 23, as I explain
`
`below, the petition has failed to establish that it would have been obvious to
`
`provide for rep