The European Patent Office considered a mathematical method of masking a private key technical. Here are the practical takeaways from the decision T 0556/14 (Masking a private key/CERTICOM) of 28.7.2016 of the Technical Board of Appeal 3.5.06:
The invention underlying the present decision relates to a method for masking a private key used in cryptographic operations on a security token, such as a smartcard. The security of cryptographic systems relies on a particular piece of information being kept secret. One way to retrieve information about the secret is a power analysis attack, which statistically analyses the power consumption of the security token while it carries out the cryptographic operation. To avoid such attacks, masking is used: a technique of randomising the calculations carried out in each instance of a cryptographic algorithm, so that the result remains the same but no relevant statistical information about the key can be gathered.
Fig. 5 of EP 1,365,308 A2
Claim 1 (main request)
1. A method of masking a private key used in a cryptographic operation of multiplying a point, P, on an elliptic curve with the private key, the method comprising the steps of:
(a) dividing said private key into a plurality of parts b1, b2 and storing the parts on a smart card;
(b) generating a random number pi;
(c) deriving new parts b1 = b1 + pi mod n and b2 = b2 – pi mod n, where n is the number of points on said elliptic curve, such that the new parts when added are equivalent to the original private key;
(d) storing the new parts on the smart card; and
(e) utilizing each of the new parts instead of the private key in said cryptographic operation by evaluating b1P + b2P.
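Steps (a) to (e) of the claim, worked through as an added Python example (not code from the patent or the decision). The toy curve over F_17, the point `G`, the class name `MaskedKey` and the choice to refresh the parts before every multiplication are assumptions made for illustration.

```python
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17; far too small for real use.
P_MOD, A, B = 17, 2, 2
G = (5, 1)   # a point on the toy curve (assumed sample input)
INF = None   # point at infinity

def curve_order():
    """n = number of points on the curve (brute force, incl. infinity)."""
    return 1 + sum((y * y - (x**3 + A * x + B)) % P_MOD == 0
                   for x in range(P_MOD) for y in range(P_MOD))

def add(p1, p2):
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Plain double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

class MaskedKey:
    """Holds only the shares b1, b2; d itself is never stored."""
    def __init__(self, d, n):
        self.n = n
        self.b1 = secrets.randbelow(n)        # step (a): split d into two parts
        self.b2 = (d - self.b1) % n

    def refresh(self):
        pi = secrets.randbelow(self.n)        # step (b)
        self.b1 = (self.b1 + pi) % self.n     # step (c)
        self.b2 = (self.b2 - pi) % self.n     # step (d): new parts replace the old

    def multiply(self, pt):
        self.refresh()
        return add(mul(self.b1, pt), mul(self.b2, pt))  # step (e): b1P + b2P
```

Because b1 + b2 stays congruent to the private key modulo n and the order of P divides n, every call returns the same point as dP while the scalars actually processed differ from run to run.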
Is it patentable?
After grant, in response to an opposition, the European patent No. 03 018 048.3 was fully revoked. The patent proprietor appealed this decision. Besides several other grounds of opposition, the board in charge raised, of its own volition, the issue of whether a “method of masking” constituted a mere mathematical method and was hence excluded “as such” from patentability under Article 52 EPC.
However, since claim 1 explicitly refers to a smart card, the board in charge pointed out that the claimed subject-matter cannot be considered excluded from patent protection as such:
10. Due to the express reference in claim 1 to a smart card on which the key parts and also the new parts are stored, the claimed method of masking is not a mathematical method as such which can be objected to under Article 100(a) EPC 1973 for lack of compliance with Article 52(2) and (3) EPC.
Moreover, in this specific case, the board states that protecting a cryptographic operation also solves a technical problem.
13.3 The board accepts as a technical problem the protection of a cryptographic computation against power analysis attacks – if, and only if, the computation is actually carried out on hardware and thus open to such attacks.
13.4 The board also accepts that claim 1 specifies a masking method carried out on hardware. Even though claim 1 literally specifies only the storage of the key parts on a smart card, in the board’s view the skilled person can only understand the method of claim 1 as a fully computer-implemented method.
14. The board therefore takes the position that the claimed randomisation steps, namely the calculation of two randomised key parts and the computation of Q = b1P + b2P instead of Q = dP, does achieve some protection against power analysis attacks and thus have a technical effect.
Hence, the board finally accepted that the claimed method is technical and provides an inventive step. Consequently, the board decided to set the decision of the first instance opposition aside and to remit the case back to the opposition division with the order to maintain the European patent.
You can read the whole decision here: T 0556/14 (Masking a private key/CERTICOM) of 28.7.2016.