The European Patent Office considered a mathematical method of masking a private key technical. Here are the practical takeaways from the decision T 0556/14 (Masking a private key/CERTICOM) of 28.7.2016 of Technical Board of Appeal 3.5.06:

Key takeaways

Protecting a cryptographic computation against power attacks is considered a technical problem if, and only if, the computation is actually carried out on hardware and thus open to such attacks.

The invention

The invention underlying the present decision relates to a method for masking a private key used in cryptographic operations on a security token, such as a smartcard. The security of cryptographic systems relies on a particular piece of information being kept secret. One way to retrieve information about the secret is to apply power analysis attacks to extract information about the secret by statistically analysing the power consumption of the security token when carrying out the cryptographic operation. To avoid such attacks, masking is used, which is a technique of randomising the calculations carried out in each instance of a cryptographic algorithms, so that the result remains the same but no relevant statistical information about the key can be gathered.

Is it patentable?

After grant, in response to an opposition, the European patent No. 03 018 048.3 was fully revoked. The patent proprietor appealed this decision. Besides several other ground of opposition and of its own volition, the board in charge raised the issue of whether a “method of masking” constituted a mere mathematical method and was hence excluded “as such” from patentability under Article 52 EPC.

However, since claim 1 explicitly refers to a smart card, the board in charge outlined that the claimed subject-matter cannot be considered excluded from patent protection as such:

10. Due to the express reference in claim 1 to a smart card on which the key parts and also the new parts are stored, the claimed method of masking is not a mathematical method as such which can be objected to under Article 100(a) EPC 1973 for lack of compliance with Article 52(2) and (3) EPC.

Moreover, in this specific case, the Board expresses that protecting a cryptographic operation also solves a technical problem.

13.3 The board accepts as a technical problem the protection of a cryptographic computation against power analysis attacks – if, and only if, the computation is actually carried out on hardware and thus open to such attacks.

13.4 The board also accepts that claim 1 specifies a masking method carried out on hardware. Even though claim 1 literally specifies only the storage of the key parts on a smart card, in the board’s view the skilled person can only understand the method of claim 1 as a fully computer-implemented method.

14. The board therefore takes the position that the claimed randomisation steps, namely the calculation of two randomised key parts and the computation of Q = b1P + b2P instead of Q = dP, does achieve some protection against power analysis attacks and thus have a technical effect.

Hence, the board finally accepted that the claimed method is technical and provides an inventive step. Consequently, the board decided to set the decision of the first instance opposition aside and to remit the case back to the opposition division with the order to maintain the European patent.

More information

You can read the whole decision here: T 0556/14 (Masking a private key/CERTICOM) of 28.7.2016.