Method for executing a cryptographic calculation: technical

The application underlying the discussed decision concerns a method for executing a cryptographic calculation in an electronic component to efficiently obtain a point on an elliptic curve from a secret parameter, for use in a cryptographic application such as authentication or encryption. The central dispute was whether the mathematical steps for determining the point, specifically designed to execute with a constant number of operations regardless of the input parameter (to prevent timing attacks), contribute to the technical character of the invention. The Board found that these mathematical steps do contribute to a technical effect when the parameter is specified as “secret,” as they protect the secret against timing attacks while ensuring computational efficiency.

Here are the practical takeaways from the decision: T 0558/21 (Cryptographic calculation on elliptic curve/IDEMIA) of 15 December 2025, of the Technical Board of Appeal 3.5.06.

Key takeaways

A mathematical method for generating a point on an elliptic curve is non-technical as such, but when designed to protect a secret parameter through constant-time execution (preventing timing attacks) and computational efficiency within a cryptographic application, it contributes to a technical effect and must be considered in the inventive step assessment. Merely belonging to a “technical domain” such as cryptography does not automatically render all features of an invention technical.

The invention

The Board of Appeal summarized the invention as follows:

In elliptic curve cryptography, it is necessary to determine a point on an elliptic curve from a parameter, for example a password-derived value. The traditional approach based on the Skalba equality requires testing which of three candidate values is a square in a finite field, involving expensive exponentiation operations. A naive constant-time implementation would require four such exponentiations. The invention proposes a method that restructures the computation so that the point determination always requires the same number and type of operations, regardless of the input parameter, using at most two exponentiations. When using a specific family of polynomials (Ulas polynomials), this can be further reduced to a single exponentiation. The constant-time property is cryptographically significant because it prevents timing attacks, where an attacker could deduce secret information by analyzing variations in computation time. The method is applicable to cryptographic protocols such as PACE (Password Authenticated Connection Establishment) used in electronic identity document verification.

Claim 1 of Auxiliary Request 8

A method for executing a cryptographic calculation in an electronic component comprising a step of obtaining a point P(X, Y) from at least one secret parameter t, on an elliptic curve satisfying the equation:

Y² = f(X)

and from polynomials X₁(t), X₂(t), X₃(t) and U(t) satisfying the following Skalba equality:

f(X₁(t)) · f(X₂(t)) · f(X₃(t)) = U(t)²

in the finite field Fq, whatever the parameter t, q satisfying the equation q = 3 mod 4;

said method comprising the following steps:

/1/ obtaining a value of the parameter t;

/2/ determining the point P by carrying out the following sub-steps:

/i/ calculating X₁ = X₁(t), X₂ = X₂(t), X₃ = X₃(t) and U = U(t)

/ii/ if the term f(X₁) · f(X₂) is a square term in the finite field Fq, then testing whether the term f(X₃) is a square term in the finite field Fq and calculating the square root of the term f(X₃), the point P having X₃ as abscissa and the square root of the term f(X₃) as ordinate;

/iii/ otherwise testing whether the term f(X₁) is a square term in the finite field Fq and in this case, calculating the square root of the term f(X₁), the point P having X₁ as abscissa and the square root of the term f(X₁) as ordinate;

/iv/ otherwise calculating the square root of the term f(X₂), the point P having X₂ as abscissa and the square root of the term f(X₂) as ordinate;

/3/ using said point P in a cryptographic application of encryption or hashing or signature or authentication or identification,

wherein:

– the polynomials satisfying the Skalba equality are such that it is possible to fix the value of X₃(t) for all possible t, such that f(X₃(t)) is never a square term in Fq,

– at step /2/-/ii/, the term f(X₁) · f(X₂) is not a square term in the finite field Fq,

– and, at step /2/-/iii/, one tests whether the term f(X₁) is a square term in the finite field Fq according to the following steps:

– calculate R₂’ such that: R₂’ = f(X₁)^(q-1-(q+1)/4)

– calculate R₃’ such that: R₃’ = R₂’²

– calculate R₄’ such that: R₄’ = R₃’ · f(X₁)

wherein, if R₄’ is not equal to 1, at step /2/-/iv/, the square root of f(X₂) is obtained according to the following equation:

√f(X₂) = R₁ · R₂’

where R₁ = (f(X₁) · f(X₂))^((q+1)/4)

Is it patentable?

The Opposition Division’s position

This case concerns an appeal by the opponent (Bundesdruckerei GmbH) against the Opposition Division’s decision to maintain European patent EP 2 443 787 in modified form. The Opposition Division found that the claimed method was not excluded from patentability under Article 52(2) EPC, reasoning that cryptography constitutes a “technical domain” according to established EPO practice. The division identified two “further technical effects” produced by the mathematical steps: the determination of a point on an elliptic curve for use in a cryptographic application, and the constant-time execution making the determination resistant to timing attacks. On this basis, it concluded that the distinguishing features over the cited prior art (D1/Ulas, D2/Shallue-van de Woestijne, D4/Skalba) had technical character and the invention involved an inventive step.

The Appellant’s (Opponent’s) arguments

The appellant (Bundesdruckerei GmbH) argued that the claimed subject matter was merely a juxtaposition of cryptography (which it considered a subset of mathematics) and an electronic component, without any functional link. The appellant contended that the preposition “in” rather than “by” in “cryptographic calculation in an electronic component” meant the method steps were not actually performed by the component. Since cryptography was allegedly just mathematics, the appellant argued the method was a purely mathematical method under Article 52(2) EPC. Applying the COMVIK approach (T 641/00), the appellant asserted that the mathematical aspects were entirely non-technical and the claim lacked inventive step over a bare electronic component.

The Board’s analysis

Claim interpretation

The Board interpreted “cryptographic calculation in an electronic component” as meaning the calculation is executed by the component, which therefore must be capable of performing such operations (point 19).
The “secret” parameter t represents information that must be protected against an attacker within the context of the cryptographic application at step 3 (point 20).
Sub-step 2(ii) is never actually executed because the chosen polynomials ensure f(X₃(t)) is never a square. Only sub-steps 2(i), 2(iii), and 2(iv) are carried out (point 21).

Article 52(2) EPC

Since the method uses a technical means (electronic component), it has technical character and is not excluded from patentability as a mathematical method “as such” (point 27, citing T 258/03, T 154/04, G 1/19).
Importantly, the Board stated that whether cryptography is “mathematics as such” or a “technical domain” is not determinative for this assessment (point 29).

Technical contribution of mathematical features (Article 56 EPC)

Designing a mathematical method for obtaining a point on an elliptic curve is, as such, a non-technical problem belonging to algorithmic number theory (point 40.1).
The mere fact that such a method has known technical applications is not sufficient to confer technical character (point 40.1, citing G 1/19, point 124).
However, with t specified as “secret,” the mathematical steps 1 and 2 become part of the cryptographic application: they transform a secret parameter into a point P efficiently while preventing timing attacks. This constitutes a technical effect (point 40.6, citing T 556/14).
Without the “secret” qualifier, it would not be established that steps 1 and 2 are integral to the cryptographic application. For instance, a fixed public point P used in Diffie-Hellman key exchange would not benefit from constant-time generation (points 40.2-40.3).

Critical observation on “technical domain”

The Board explicitly warned that belonging to a “technical domain” such as cryptography is insufficient by itself to conclude that all features of an invention are technical (point 42).
What matters is the extent to which features contribute to producing a technical effect solving a technical problem, not mere membership in a domain (point 42, citing T 761/20).

Other requests

In its preliminary opinion, the Board had indicated that claim 1 of the patent as maintained (main request) likely lacked inventive step starting from D4, because without the “t secret” qualification, the technical effect of timing attack prevention was not established. Auxiliary Request 8 differed from Auxiliary Request 2 solely by adding “secret” to parameter t, directly addressing this concern. The opponent did not raise inventive step objections based on specific prior art against this narrower claim, and the Board found no basis to extend the prior art objections from the broader claims.

Conclusion

The Board set aside the Opposition Division’s decision and remitted the case for the patent to be maintained on the basis of Auxiliary Request 8 (with description to be adapted). The critical amendment was adding “secret” to the parameter t, establishing the necessary link between the mathematical method and the cryptographic application’s need for security. This ensured that the mathematical steps contributed to a concrete technical effect: protecting the secret against timing attacks through constant-time execution while maintaining computational efficiency. The decision provides important guidance for cryptographic inventions: belonging to a “technical domain” is not enough; features must demonstrably contribute to a technical effect to be considered in the inventive step assessment.

More information

You can read the full decision here: T 0558/21 (Cryptographic calculation on elliptic curve/IDEMIA) of 15 December 2025, of the Technical Board of Appeal 3.5.06.

Stay in the loop

Never miss a beat by subscribing to the email newsletter. Please see our Privacy Policy.

Privacy policy Yes, I consent to the collection, processing and use of my above-mentioned personal data for the purposes of processing my message and for the purposes of contacting me via email. The legal basis of the processing shall be formed by my consent pursuant to Art. 6 (1) lit. a GDPR. The data will be deleted three months after expiry of the purpose, provided that longer retention periods are not required by law. I can revoke this consent with future effect at any time. I have taken note of the privacy statement and consent to it. With regard to the processing of my data, I am entitled to inalienable rights, information on which can be found in the privacy statement.

* = Required field