T 0845/12 (Implicit signature scheme/CERTICOM) 13-10-2015

The invention

1. The invention relates to a certification authority (CA in figure 1) certifying keys for use in message ex­change between two correspondents (A and B in figure 1) by distributing so-called implicitly certified key com­ponents. Explicit keys are not transmitted as explicit­ly signed public key certificates, but are to be re­con­structed by the recipient from the implicit cer­tificate components (see paragraph [0009] of the patent).

1.1 Such a certification protocol is already known and is acknowledged by the patent to be contained in a Cana­di­an patent application 2,232,936 (paragraphs [0009] and [0014]). The patent aims to address certain problems in prior art implicit certification schemes encountered in verifying the validity of a certificate. Several solu­tions to this problem such as revocation lists or issuance of certificates with a certain expiry date are ack­nowledged to be known in the relevant art (para­graphs [0016], [0017] and [0019]).

1.2 The patent proposes an alternative in which the cer­ti­fi­cates are "transaction specific". When two corres­pon­dents want to exchange a message such as a "trans­action record" (paragraph [0028]), the CA is requested to issue certificates. The certificates have com­po­nents at least some of which are transaction-spe­ci­­fic, as "a timestamp, a message, or similar trans­action spe­cific information" is used in their calcula­tion (para­graph [0029], last sentence, to paragraph [0033]). Upon re­ceipt of the certificate components the corres­pon­dents compute private and public keys for sub­sequent message exchange (paragraphs [0035] and [0036]).

Main request, auxiliary requests 0 and 0+1

2. It is common ground between the opposition division and both appellants, and the board agrees, that inventive step should be assessed starting from document D1.

2.1 D1 discloses a certification authority (CA in figure 1) generating an implicit certificate for a correspondent involved in message exchange with other correspondents (A and B in figure 1) using its identity. Based on the components of a correspondent's implicit certificate, third parties can reconstruct its public key (page 3, line 32 to page 4, line 28).

2.2 In the decision under appeal the opposition division identified three distinguishing features of claim 1 of the patent over D1, the central one being that the implicit signature components are transaction-specific (see point 2.2.2 of the reasons), and formulated the objective technical problem solved by these features as "the necessity to frequently verify the status of a public key to ensure that it has not been revoked by the certifying authority". The opposition division stated that it had derived this problem from column 3, lines 4 to 6, of the patent. As such a passage cannot be found in column 3 but in column 4, the board under­stands this as referring to column 4, lines 4 to 6. The opposition division did not expound which technical effect the distinguishing feature of the invention has or how the invention solved this revocation problem, but found it to be inventive as there was no hint in D1 towards binding an implicit certificate to a trans­action (see reasons 2.3.2).

2.3 In its reply to the summons and at the oral proceedings the proprietor formulated the objective technical problem solved by claim 1 of the patent as being how to extend the teaching of D1 to facilitate retrospective interrogation of message validity. The opponent argued, and the board agrees, that any public key signature scheme enables retrospective interrogation of message validity. Thus the objective technical problem over D1, as defined by the proprietor, cannot be correct.

2.4 In the board's view, the association of a certificate with one particular transaction is a mere legal decla­ration of the rights conferred by a certificate rather than a technical issue.

2.5 Therefore the board considers the opponent's formu­la­tion of the technical problem (see the opponent's statement of grounds of appeal, point 3.4 on page 21), i.e. how to apply the teaching of D1 to messages which concern a particular transaction (see the opponent's statement of grounds of appeal, point 3.4 on page 21), to be more appropriate than the problem defined by the opposition division. In this regard the board does not agree with the opposition division's concern that such a formulation would be an example of ex post facto ana­lysis (see the decision, reasons 2.3.3­). According to established jurisprudence of the boards of appeal (see especially T 641/00, OJ EPO 2003, 352), if the claim refers to an aim to be achieved in a non-techni­cal field, this aim may legitimately appear in the for­mu­lation of the problem as part of the framework of the technical problem that is to be solved.

2.6 Given this objective technical problem, the skilled person would generate new implicit certificates using the method disclosed in D1 for each individual trans­action without the need to exercise any inventive acti­vity. The proprietor could not demonstrate any particu­lar technical effect caused by the inclusion of the transaction-specific information in the computation of implicit signature components as compared to the com­pu­tation of new implicit signature components for every new transaction without using any transaction specific information.

2.7 Thus the board concludes that the subject-matter of claim 1 of the main request does not establish an inventive step over D1 (Article 56 EPC 1973).

2.8 The additional features of claim 1 of auxiliary re­quests 0 and 0+1 serve to emphasise the transaction specificity of the implicit signature components and the resultant transaction specificity of the public and private keys recovered based on transaction-specific components. Thus the conclusion of lack of inventive step with regard to claim 1 of the main request remains valid for claim 1 of auxiliary request 0 and auxiliary request 0+1.

Auxiliary request 0+4

Admitting the amendment to the proprietor's case

3. Under Article 13(1) RPBA, amendments to a party's case may be admitted and considered at the board's discre­tion. Discretion is to be exer­cised in view of in­ter alia the complexity of the new subject-matter sub­mitted, the current state of the proceedings and the need for procedural economy.

3.1 The board is of the opinion that the subject-matter of amended claim 1 raises a number of complex issues. The opponent mentioned a number of clarity issues which, to the extent that they may not be raised in view of G 3/14, may affect how the claim is to be construed in view of the description. The proprietor claimed that amended claim 1 was inventive since it improved the known methods of recertification. In the board's view, the merits of this argument require a detailed dis­cussion.

3.2 However, since the inventive step of claim 40 of the patent had not been decided upon by the opposition division, the board considers that the proprietor is entitled to have this issue addressed now. The board also considers auxiliary request 0+4 to be a reasonable reaction to an in­ven­tive step objection which was raised during oral proceedings, based on a remark made in the board's summons to oral procee­dings (see point 6.5 therein).

3.3 In the board's view, these circumstances outweigh the complexity of this case, its age and the need for pro­cedural economy. Moreover, the opponent did not object to admitting the request. Hence, the board exer­cises its discretion under Article 13(1) RPBA and ad­mits auxiliary request 0+4 into the proce­edings.

Article 123(2) EPC

4. Claim 1 of auxiliary request 0+4 is a combination of claims 40, 43 and 44 of the patent.

5. In the decision under appeal claim 40 of the patent was found not to meet the requirements of Article 123(2) EPC. The opposition division based its decision on the un­der­standing that claim 40, based on claim 44 as ori­gi­nally filed, sought protection for the so-called "re­cer­tifying embodiment" disclosed on page 9, line 20, to page 12, line 10, of the description as originally filed, and concluded that the qualification of the "im­plicit signa­ture components" as "transaction spe­cific" in steps b and d of the claimed me­thod and the replace­ment of the word "certificate" by "trans­action specific implicit signature components" were not dis­closed as part of the recertifying embodiment. In par­ticular, according to the appealed de­ci­sion (reasons 1.1-1.2), that embo­diment did not even mention trans­actions.

5.1 The decision further points to an alleged inconsistency between the claims and the description (see reasons 1.3), namely that according to "claims 45 and 48 the signature com­ponent sA is calculated using Ai" whereas according to the description "only IDA is used for that purpose". Then, "interpreting­­ original claims 45 and 18 in the light of the description", the decision con­cludes "that it is not unambiguously derivable that the signature components are transaction specific". The board is not convinced by the assumption of this argu­ment that, in case of a conflict between the claims and the description, the disclosure of the application is determined by the description. The content of the appli­cation re­ferred to in Article 123(2) EPC is deter­mined by the description, claims and drawings (see e.g. Rule 137(1,2) EPC), and the board sees no legal basis for giving more weight to any of said parts when assessing the compliance of an amendment with Article 123(2) EPC, unless specific rea­sons present themselves for doing so. In the pre­sent case, no such reasons are apparent, given that the use of Ai for the com­pu­tation of the signature compo­nents is as plausible as the use of IDA.

5.2 As identified by the opposition division, claims 45 and 48 as originally filed specify the calculation of sA based on a secure hash function with Ai as one of its parameters. This alternative is briefly mentioned in the "recertifying embodiment" on page 9, line 24. Ai is disclosed to have a transaction-specific and a non-trans­action-specific part (page 6, lines 19 to 21, as originally filed). The opposition division and the oppo­­nent argued that there was no direct and unambi­guous indication that the transaction-specific part of Ai is actually used in the calculation of sA according to claims 45 and 48, even if it is sent to the certi­fy­ing authority. This argument does not convince the board. Rather, in the board's view the skilled person would take the specification of Ai as a parameter of the function h as an indication that Ai is actually "used" in the calculation of h. A fortiori, this applies to the evaluation of a hash function which, as is well-known, must be such that a small modification to the input leads to a substantially different output: if Ai was an unused parameter of h, no modification of Ai whatsoever would affect the calculated hash value.

5.3 The preliminary opinion of the board to this effect was communicated to the parties in the annex to the summons to oral proceedings and the opponent did not comment.

5.4 Thus the board finds claim 40 of the patent to meet the requirements of Article 123(2) EPC.

6. Claim 43 of the patent is based on claim 47 as origi­nally filed, amended through the addition of a refe­rence sign and the replacement of the term "first ran­dom integer" with the term "first random number" for consistency with the obviously corres­ponding term in claim 44 as originally filed.

7. Claim 44 of the patent is based on claim 48 as ori­gi­nally filed, amended through the addition of refe­rence signs, the replacement of "first random integer" with "first random number" as in claim 43 of the patent, the addition of the words "transaction specific" before the words "implicit signature components" as in claim 40 of the patent and the addition of the statement that Ai also in­cludes "transaction specific informa­tion" (which, as mentioned, is disclosed on page 6, lines 29 to 30, of the description as originally filed).

8. Thus the board, being satisfied that claims 40, 43 and 44 of the patent comply with Article 123(2) EPC, con­cludes that their combination, and thus claim 1 of auxiliary request 0+4, also does.

Remittal to the department of first instance

9. As the decision did not ­­contain any dis­cussion or fin­ding on the inventive merit of claim 40 as granted, let alone of amended claim 1, the pro­pri­etor suggested that it would be unfair for the board to come to an adverse finding on the inventive step of claim 40 of the patent as granted (letter of 14 September 2015, page 1, 4th pa­ragraph). Accordingly, having determined the compli­ance of granted claim 40 with Article 123(2) EPC, the board should re­mit the case to the opposition division for further prosecution (see also that letter, page 7, paragraph entitled "Claims 40-49").

10. According to Article 111(1) EPC 1973, the board has to examine the allowability of the appeal and then has dis­cretion either to exercise any power within the com­petence of the department which was responsible for the decision appealed or to remit the case to that depart­ment for further prosecution.

10.1 The board agrees with the proprietor that procedures before the EPO are designed so that issues are normally decided by two instances. As follows from Article 111(1) EPC, however, and as conceded by the proprietor (see letter of 14 September 2015, page 1, 4th para­graph), this does not give the parties an absolute right to two instances.

10.2 The board considers that no purpose would be served by remitting a case for further prosecution based on a re­quest that is clearly not allowable as it stands.

10.3 Notwithstanding the fact that the opponent raised a num­­ber of concerns it had in relation to claim 1, the board takes the view that claim 1 is not clearly un­allow­able. Moreover, claim 1 now specifies a conside­rable number of features which were not assessed in the oppo­sition proceedings, for example as regards their po­ten­tial technical effects, the techni­cal problem they might solve and their inventive merit, and cannot rea­di­­ly be assessed in the present appeal proceedings. This also applies to the proprietor's suggestion that D1 might be an inappropriate starting point for the assessment of the inventive step of the amended recer­ti­­fi­ca­tion method. The board thus concludes that a fair and proper assessment, for both parties, of whether claim 1 of auxiliary re­quest 0+4 establishes an inventive step over the prior art necessitates the remittal of the case to the depart­ment of first instance for continua­tion of the opposition proceedings.