Paper No. 45
571-272-7822
Filed: December 10, 2018

UNITED STATES PATENT AND TRADEMARK OFFICE

____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD

____________

SAMSUNG ELECTRONICS CO., LTD.,
Petitioner,

v.

HUAWEI TECHNOLOGIES CO., LTD.
Patent Owner.

____________

Case IPR2017-01487
Patent 8,812,848 B2

____________

Before TREVOR M. JEFFERSON, MICHELLE N. WORMMEESTER, and JOHN F. HORVATH, Administrative Patent Judges.

HORVATH, Administrative Patent Judge.

FINAL WRITTEN DECISION
35 U.S.C. § 318(a) and 37 C.F.R. § 42.73

IPR2017-01487 Patent 8,812,848 B2

I. INTRODUCTION

A. Background

Samsung Electronics Co., Ltd.¹ (“Petitioner”) filed a Petition (Paper 2, “Pet.”) to institute inter partes review of claims 1, 3–5, 7–9, 11–13, 15, and 16 (“the challenged claims”) of U.S. Patent No. 8,812,848 B2 (Ex. 1001, “the ’848 patent”). Huawei Technologies Co., Ltd. (“Patent Owner”) filed a Preliminary Response. Paper 11 (“Prelim. Resp.”). Upon consideration of the Petition and Preliminary Response, we instituted review of all challenged claims. Paper 17 (“Dec. Inst.”).

Patent Owner filed a Response to the Petition (Paper 26, “PO Resp.”), and Petitioner filed a Reply to the Response (Paper 31, “Reply”). Patent Owner filed a Sur-Reply to Petitioner’s Reply. Paper 38 (“PO Sur-Reply”). We held an oral hearing on September 26, 2018, and the hearing transcript is included in the record. Paper 44 (“Tr.”).

We have jurisdiction under 35 U.S.C. § 6(b). This is a Final Written Decision under 35 U.S.C. § 318(a) and 37 C.F.R. § 42.73. For the reasons set forth below, we find Petitioner has shown by a preponderance of the evidence that claims 1, 3–5, 7–9, 11–13, 15, and 16 of the ’848 patent are unpatentable.

B. Related Matters

Petitioner and Patent Owner identify the following as a matter that could affect, or be affected by, a decision in this proceeding: Huawei Tech. Co., Ltd. v. Samsung Elecs. Co., Ltd., Case No. 3:16-cv-02787 (N.D. Cal.).

¹ Samsung identifies Samsung Electronics America, Inc. and Samsung Research America as real parties-in-interest. Pet. 3.

102). Id. at 4:58–63, 5:10–16. The MME selects an NAS security algorithm that is supported by both the UE and MME, derives a root key (Kasme) from the authentication vector-related key, and derives an NAS protection key from the root key (step 103). Id. at 5:25–31. The NAS protection key can be an integrity protection key (Knas-int) or a confidentiality protection key (Knas-enc). Id. at 5:31–33. The MME then sends a TAU accept message identifying the selected NAS security algorithm to the UE (step 104). Id. at 5:34–44. The UE receives the TAU accept message, identifies the NAS security algorithm selected by the MME, derives the same root key (Kasme) from a UE key that is related to the authentication vector-related key (IK, CK), and derives an NAS protection key (Knas-int or Knas-enc) from the root key and the selected NAS security algorithm (step 105). Id. at 5:47–58.

Of the challenged claims, claims 1 and 9 of the ’848 patent are independent. Other challenged claims depend directly or indirectly from claims 1 or 9. Claim 9 is representative of the challenged claims, and is reproduced below.

9. A method for security capability negotiation during idle state mobility of a user equipment (UE), in a situation where the UE moves from a non-long term evolution (non-LTE) network to a long term evolution (LTE) network, the method comprising:

sending, by the UE, UE security capabilities supported by the UE to the LTE network for a non-access stratum (NAS) security algorithm selection use;

receiving, by the UE, a selected NAS security algorithm from the LTE network;

generating, by the UE, a root key from an authentication vector-related key available at the UE; and

deriving, by the UE, according to the NAS security algorithm, a NAS protection key according to the generated root key.

Ex. 1001, 12:30–45. Claim 1 is similar in scope to claim 9, but recites a user equipment (UE) comprising a transmitter, receiver, and processor for performing the method recited in claim 9. Compare id. at 11:52–65 with id. at 12:30–45.
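
The exchange summarized above (steps 103–105 and claim 9), as an added Python sketch that is not part of the decision or the ’848 patent: the UE sends its capabilities, the MME selects NAS algorithms both sides support and names them in the TAU accept, and each side derives Kasme and the NAS protection keys on its own. The HMAC-SHA-256 derivation, the label bytes, the MME preference order, the UE-side check on the selection and all key values are assumptions constructed for illustration; they are not the 3GPP-specified derivation inputs.

```python
import hashlib
import hmac

# Assumed labels separating the two NAS key types (constructed for this sketch).
KEY_TYPE = {"enc": b"\x01", "int": b"\x02"}
# Assumed MME preference order; names borrowed from LTE's EEA/EIA families.
MME_SUPPORTED = {"enc": ["EEA2", "EEA1", "EEA0"], "int": ["EIA2", "EIA1"]}


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA-256 over length-prefixed inputs (an assumption)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_root_key(ck: bytes, ik: bytes) -> bytes:
    """Root key (Kasme) from the authentication vector-related key (IK, CK)."""
    return kdf(ck + ik, b"Kasme")


def derive_nas_key(kasme: bytes, kind: str, algorithm: str) -> bytes:
    """NAS protection key (Knas-enc or Knas-int) bound to the selected algorithm."""
    return kdf(kasme, b"NAS", KEY_TYPE[kind], algorithm.encode())[:16]


def mme_handle_tau_request(ue_caps: dict, ck: bytes, ik: bytes):
    """Steps 103-104: pick algorithms supported by both sides, derive the keys,
    and build the TAU accept message that names the selection."""
    selected = {}
    for kind, preferred in MME_SUPPORTED.items():
        common = [a for a in preferred if a in ue_caps.get(kind, [])]
        if not common:
            raise ValueError(f"no common NAS {kind} algorithm")
        selected[kind] = common[0]
    kasme = derive_root_key(ck, ik)
    keys = {k: derive_nas_key(kasme, k, a) for k, a in selected.items()}
    return {"type": "TAU_ACCEPT", "selected": selected}, keys


def ue_handle_tau_accept(accept: dict, ue_caps: dict, ck: bytes, ik: bytes):
    """Step 105: read the selection, derive the same root key and NAS keys.
    Rejecting an algorithm the UE never offered is an added defensive check,
    not something the decision or claim 9 recites."""
    for kind, alg in accept["selected"].items():
        if alg not in ue_caps.get(kind, []):
            raise ValueError(f"MME selected unoffered algorithm {alg}")
    kasme = derive_root_key(ck, ik)
    return {k: derive_nas_key(kasme, k, a) for k, a in accept["selected"].items()}


def run_negotiation():
    """Run both sides once on constructed sample values."""
    # Constructed IK/CK standing in for the keys held from the non-LTE network.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    ue_caps = {"enc": ["EEA0", "EEA1"], "int": ["EIA1", "EIA2"]}
    accept, mme_keys = mme_handle_tau_request(ue_caps, ck, ik)
    ue_keys = ue_handle_tau_accept(accept, ue_caps, ck, ik)
    return accept["selected"], mme_keys, ue_keys


if __name__ == "__main__":
    selected, mme_keys, ue_keys = run_negotiation()
    print("selected:", selected)
    print("keys match on both sides:", mme_keys == ue_keys)
```

No key crosses the link in this sketch: only the capability list and the algorithm selection are exchanged, and both ends arrive at the same NAS keys because they start from the same IK and CK.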

B. Claim Construction

The claim construction standard applicable to this inter partes review proceeding is the broadest reasonable interpretation in light of the patent specification. See 37 C.F.R. § 42.100(b) (2016); Cuozzo Speed Techs., LLC v. Lee, 136 S. Ct. 2131, 2144–46 (2016). Consistent with the rule of broadest reasonable interpretation, claim terms are generally given their plain and ordinary meaning, as would be understood by one of ordinary skill in the art in the context of the entire patent disclosure. See In re Translogic Tech., Inc., 504 F.3d 1249, 1257 (Fed. Cir. 2007). Only those terms which are in controversy need be construed and only to the extent necessary to resolve the controversy. See Vivid Techs., Inc. v. Am. Sci. & Eng’g, Inc., 200 F.3d 795, 803 (Fed. Cir. 1999).

Petitioner contends all claim terms have their plain and ordinary meaning, and does not expressly construe any claim term. Pet. 26–27. Patent Owner does not expressly construe any claim term, or request express construction of any claim term. See PO Resp. i–ii. In our Institution Decision, we did not expressly construe any claim term because the meaning of the claims was not in dispute. Dec. Inst. 6–7. We maintain that decision here.

C. Level of Ordinary Skill in the Art

Petitioner, relying on the testimony of Dr. Williams, argues a person of ordinary skill in the art would have had a master’s degree in electrical engineering, computer science, or a related field, and at least two years of experience working with cellular telephony systems. Pet. 26 (citing Ex. 1014 ¶¶ 13–20). Patent Owner does not dispute Petitioner’s contention, and accepts it as applicable in this proceeding. PO Resp. 10.

In our Institution Decision, we adopted Petitioner’s definition for the level of ordinary skill in the art as reasonable. Dec. Inst. 7. We maintain that decision here.

D. Public Accessibility of TR 33.821 and TS 23.401

Petitioner argues the 3GPP documents (TR 33.821 and TS 23.401) it relies on to challenge the claims of the ’848 patent were stored, indexed, and publicly accessible from the 3GPP website. See Pet. 27–35. Petitioner relies on the testimony of Dr. Yaqub to demonstrate this public accessibility. Id. (citing Ex. 1012 ¶¶ 26–56).

According to Dr. Yaqub, “3GPP was formed to coordinate and facilitate the development of standards” for cellular communications. Ex. 1012 ¶ 18. 3GPP’s goal “is to provide its members with an environment to produce reports and specifications that define technologies covering cellular telecommunications.” Id. ¶ 19. Network operators, handset manufacturers, and device manufacturers have all “been involved in the development of 3GPP standards.” Id. ¶¶ 18–19. 3GPP members contribute technical specifications, technical reports, and feasibility studies at both Working Group and Technical Specification Group levels. Id. ¶¶ 20–21. Working Groups “meet regularly and also have quarterly plenary meetings where member companies’ contributions, draft specification[s], and other discussion documents are presented for approval.” Id. ¶ 20.

3GPP specification development “is an ongoing, collaborative effort involving hundreds of engineers from many companies,” and 3GPP catalogs that effort using “a very structured process.” Id. ¶¶ 24, 26. 3GPP names member contributed documents using a naming procedure based on a structured numbering system, whereby the numbers by which documents are named indicate the subject matter of the documents. Id. ¶ 28–29 (citing Ex. 1022 §§ 4, 5A). Once named, documents are compressed and uploaded to the 3GPP FTP server as zipped files having the same name, and receive a date and time stamp indicating when the upload occurred. Id. ¶¶ 30, 33, 37. Once uploaded, documents are indexed on the 3GPP FTP server by subject matter (e.g., Working Group number), meeting number, and type. Id. ¶ 35. Documents are also effectively indexed by date due to the sequential naming/numbering system. Id. Documents uploaded to the 3GPP FTP server are available indefinitely and without restriction, and any interested member of the public can freely access, download, print, reproduce, and disseminate them. Id. ¶¶ 32–33. “Making documents publicly available encourages discussion and promotes collaboration among Working Group members toward the establishment of industry standards for cellular telecommunications.” Id. ¶ 31.

Dr. Yaqub further testifies that the functionality of the 3GPP FTP server, as described above, was present in October 1999, as evidenced by a printout from the Internet Archive’s “Wayback Machine,” which shows the October 1999 landing page of the 3GPP TSG RAN group. Id. ¶ 41 (citing Ex. 1024). Dr. Yaqub testifies that this printout “refreshes and confirms [his] recollection as to how 3GPP’s website looked and could be navigated in 1999,” and shows how “meeting information, such as Working Group documents, could be accessed by the public” at the time. Id. The printout of the 3GPP TSG RAN landing page shows links to the landing pages of other 3GPP groups (e.g., TSG CN, TSG SA, TSG T). Ex. 1024, 1. It also shows a link to documents generally available on the 3GPP FTP server, a link to documents from the TSG RAN group, and links to documents from various TSG RAN Working Groups (e.g., TSG RAN WG1–WG4). Id. For example, the printout shows a link to documents from TSG RAN WG1 directed toward the 3GPP Radio Layer 1 Specification. Id.

Dr. Yaqub further testifies that because the documents stored on the 3GPP FTP server were available without restriction and fully searchable, they were available “to users via conventional search engines, such as the Google search engine.” Ex. 1012 ¶ 48. Regarding the specific 3GPP documents Petitioner relies on in this proceeding, Dr. Yaqub testifies that TR 33.821 was uploaded to the 3GPP FTP server on July 13, 2007 and TS 23.401 was uploaded on August 13, 2007. Ex. 1012 ¶¶ 54, 56. Dr. Yaqub further testifies that each of these documents could have been located using reasonable diligence by navigating to the 3GPP FTP site and clicking on the links corresponding to the desired subject matter, meeting number, or document number, or by performing a Google search using the terms “3GPP” and keywords within the document.³ Id. ¶ 49.

³ Dr. Yaqub further testifies that in addition to having access via the 3GPP FTP site, 3GPP members typically received an email whenever documents contributed for a Working Group meeting were uploaded to the FTP server. Id. ¶ 36. Moreover, each Working Group kept “minutes” of their meetings, and uploaded these to the 3GPP FTP server. Id. ¶ 38. These minutes were organized by subject matter or topic, as described above, and included a table of contents so that all TDocs relating to a particular subject or topic presented or discussed at the meeting could be easily located. Id. ¶ 39.

Patent Owner argues Petitioner has failed to establish the public accessibility of TR 33.821 and TS 23.401 prior to the priority date of the ’848 patent. PO Resp. 37–40. In particular, Patent Owner argues Petitioner has failed to demonstrate these 3GPP documents were sufficiently indexed on the 3GPP FTP server to allow an interested party to locate them prior to the priority date of the ’848 patent. Id. at 39. Patent Owner further argues Petitioner has failed to provide any evidence that the documents were presented at a 3GPP working group meeting, or were physically or electronically disseminated in any manner. Id. at 39–40. Patent Owner also argues that “Petitioner only provides present day evidence showing that the public can download TR 33.821 and TS 23.401 from the [3GPP] FTP server that putatively indicates TR 33.821 and TS 23.401 were uploaded on July 13, 2007 and August 13, 2007, respectively.” Id. at 40.

Public accessibility is “the touchstone in determining whether a reference constitutes a ‘printed publication.’” In re Hall, 781 F.2d 897, 898–99 (Fed. Cir. 1986). A reference is publicly accessible if it “has been disseminated or otherwise made available to the extent that persons interested and ordinarily skilled in the subject matter or art, exercising reasonable diligence, can locate it.” In re Wyer, 655 F.2d 221, 226 (CCPA 1981) (citations omitted). Public accessibility “is determined on a case-by-case basis, and based on the ‘facts and circumstances surrounding the reference’s disclosure to members of the public.’” In re Lister, 583 F.3d 1307, 1311 (Fed. Cir. 2009) (quoting In re Klopfenstein, 380 F.3d 1345, 1350 (Fed. Cir. 2004)). The determination “is a legal conclusion based on underlying factual determinations.” Kyocera Wireless Corp. v. Int’l Trade Comm’n, 545 F.3d 1340, 1350 (Fed. Cir. 2008).

“[A] variety of factors may be useful in determining whether a reference was publicly accessible.” Lister, 583 F.3d at 1312. Two such factors are cataloging and indexing, although neither of these factors is “a necessary condition for [a] reference to be publicly accessible.” Id. Cataloging and indexing are most probative and relevant “in the context of references stored in libraries.” Medtronic, Inc. v. Barry, 891 F.3d 1368, 1380 (Fed. Cir. 2018). However, such evidence is not needed to prove the public accessibility of documents distributed at a meeting. Id. at 1381. To prove the public accessibility of meeting-distributed documents, the most relevant factors are “(1) ‘the length of time the [document] was exhibited,’ (2) ‘the expertise of the target audience’ (to determine how easily those who viewed the material could retain the information), (3) ‘the existence (or lack thereof) of reasonable expectations that the [document] would not be copied,’ and (4) ‘the simplicity or ease with which the [document] could have been copied.’” Id. at 1381–82 (quoting Klopfenstein, 380 F.3d at 1350).

Upon consideration of Petitioner’s evidence and Patent Owner’s arguments regarding the insufficiency of that evidence, we find Petitioner has demonstrated by a preponderance of the evidence that TR 33.821 and TS 23.401 were publicly available before the earliest effective priority date of the ’848 patent, and are prior art under 35 U.S.C. § 102.

Dr. Yaqub has provided extensive unrebutted testimony regarding 3GPP’s routine business practices, including how (1) 3GPP’s technical specifications, reports, and TDocs were created and uploaded to 3GPP’s FTP server, (2) these documents were downloaded without restriction by hundreds of engineers from many different member companies for discussion at 3GPP working group and plenary meetings, (3) these engineers (and other interested members of the public) had indefinite access to these documents long after the meetings had ended, and (4) the 3GPP FTP server indexed meeting documents based on meeting date and subject. See Ex. 1012 ¶¶ 20–21, 24, 30–33, 35.

Although Dr. Yaqub’s testimony is directed to 3GPP documents in general, Dr. Yaqub’s description of 3GPP’s regular business practice demonstrates the public accessibility of TR 33.821 and TS 23.401. See Constant v. Advanced Micro-Devices, Inc., 848 F.2d 1560, 1568–69 (“Evidence of routine business practice can be sufficient to prove that a reference was made accessible.”). TR 33.821 and TS 23.401, like all 3GPP documents, were generated with intent to distribute them to interested members of the telecommunications industry. They were uploaded to 3GPP’s FTP server without restriction or expectation of confidentiality, and were indefinitely maintained there. They have been available for downloading (copying) from the FTP server since being uploaded, and can be shared with others without restriction. Under such circumstances, the documents are publicly accessible. See Klopfenstein, 380 F.3d at 1351 (finding publicly accessible a document that was easily copied and displayed for an extended period of time to persons having ordinary skill in the art without restrictions on copying). Indeed, specifications for the related GSM (Global System for Mobile) telecommunications standard were publicly accessible because:

GSM specifications, though drafted within smaller technical subcommittees, were widely distributed before the critical date of the ’983 Patent. Versions of the standard were “publicly available and released as consistent sets.” Several U.S. companies took part in the ETSI work and had access to the GSM specifications through their European subsidiaries. The specifications themselves were visible to any member of the interested public without requesting them from an ETSI member. Further, ETSI did not impose restrictions on ETSI members to prevent them from disseminating information about the standard to non-members.

Kyocera, 545 F.3d at 1350–51 (internal citations omitted).

E. Patent Owner’s Motion to Exclude

Patent Owner filed a Motion to Exclude portions of TR 33.821 (Ex. 1004), TS 23.401 (Ex. 1005), and the Declaration of Raziq Yaqub, Ph.D. (Ex. 1012), and the entirety of TS 23.401 (version 8.4.0) (Ex. 1028), Patent Owner’s District Court Infringement Contentions (Ex. 1011), and the Deposition Testimony of Johan Johansson (Ex. 1030). Paper 36, 2–6 (“Mot.”). Petitioner opposed the Motion (Paper 39, “Opp.”), and Patent Owner replied (Paper 41, “Opp. Reply”). As the movant, Patent Owner bears the burden of establishing it is entitled to the relief requested. See 37 C.F.R. § 42.20. The Board decides evidentiary issues based on the Federal Rules of Evidence. Id. § 42.62(a). For the reasons discussed below, we deny Patent Owner’s motion to exclude.

1. Declaration of Raziq Yaqub, Ph.D. (Ex. 1012)

In paragraphs 54–56 of his declaration, Dr. Yaqub opines on the authenticity, public availability, and publication dates of TR 33.821 and TS 23.401. See Ex. 1012 (“Yaqub Decl.”) ¶¶ 54–56. Dr. Yaqub bases his opinion, in part, on his ability to find these documents on the 3GPP FTP server and listserv server, and the time stamps associated with these documents on those servers. Id. His testimony includes screen shots of portions of the 3GPP FTP server’s webpage listing these documents, and URLs (universal resource locators) pointing to where these documents are located on the 3GPP FTP server. Id.

On December 21, 2017, Patent Owner objected to Dr. Yaqub’s declaration “to the extent it relies on documents that lack authentication or contain hearsay.” Paper 19, 1. In particular, Patent Owner objected to certain paragraphs of Dr. Yaqub’s declaration that “quote, discuss, or otherwise rely on web pages that were not filed in this proceeding,” and that “lack authentication and contain hearsay.” Id. On January 8, 2018, Petitioner provided the webpages to Patent Owner in the form of supplemental evidence. See Paper 20, 1; see also 37 C.F.R. § 42.64(b)(2). On January 11, 2018, Patent Owner objected to the webpages as lacking authentication and containing hearsay. Id. at 1.

Patent Owner moves to exclude paragraphs 54–56 of Dr. Yaqub’s declaration “because they rely on unauthenticated webpages for the truth of the matter asserted in those webpages.” Mot. 3–4. Patent Owner argues the webpages lack authentication, and contain inadmissible hearsay that Dr. Yaqub relied on in determining when TR 33.821 and TS 23.401 (Exs. 1004–1005) were publicly accessible on the 3GPP FTP server. Id. at 4–5. Petitioner argues the objected to webpages are self-authenticating, and have been authenticated by Dr. Yaqub’s testimony regarding their distinctive characteristics. Opp. 3–5. Petitioner further argues the webpages “are exempt from the rule against hearsay under Federal Rules of Evidence 803(6) and 807.” Id. at 6. Patent Owner responds that Dr. Yaqub is not qualified to certify the authenticity of the webpages because his declaration “is silent as to his role in the [3GPP] group’s recordkeeping or maintaining the accuracy of the 3GPP webpages.” Opp. Reply 2.

Under Federal Rule of Evidence 803(6), records of a regularly conducted activity are not hearsay provided the opposing party has not established that the source of information or the method or circumstances of their preparation indicate a lack of trustworthiness, and the party offering the records establishes through the testimony of a qualified witness that the records are (a) made at or near the time from information transmitted by someone with knowledge, (b) kept in the course of a regularly conducted business activity, and (c) made as a regular practice of that activity. Fed. R. Evid. 803(6). Under Federal Rule of Evidence 902(11), such records are self-authenticating provided (a) they are originals or copies that meet the requirements of Rule 803(6)(a)–(c) as shown by certification of a qualified person, (b) notice of intent to offer the records is given to the opposing party before a hearing, and (c) the records and certifications are made available to the opposing party so that the opposing party has a fair opportunity to challenge them. Id. at 902(11).

We first note, “[b]ecause of the general trustworthiness of regularly kept records and the need for such evidence in many cases, the business records exception [to the hearsay rule] has been construed generously in favor of admissibility.” Conoco Inc. v. Dept. of Energy, 99 F.3d 387, 391 (Fed. Cir. 1996). Moreover, “the ‘custodian or other qualified witness’ who must authenticate business records need not be the person who prepared or maintained the records, or even an employee of the record-keeping entity, so long as the witness understands the system used to prepare the records.” Id. Finally, “documents that are standard records of the type regularly maintained by firms in a particular industry may require less by way of foundation testimony than less conventional documents proffered for admission as business records.” Id. at 392; see also Gjokaj v. U.S. Steel Corp., 700 F. App’x 494, 502 (6th Cir.) (finding a business record certified by a qualified witness is self-authenticating under Federal Rule of Evidence 902(11)).

We find persuasive Dr. Yaqub’s testimony that the 3GPP webpages he relied upon in his declaration are authentic, and their content, including the publication dates of TR 33.821 and TS 23.401, are not hearsay. Dr. Yaqub is a qualifying witness for the purposes of Rule 806(b) and 902(11). See Conoco, 99 F.3d at 391; see also Gjokaj, 700 F. App’x at 502. From 1998 until 2010, Dr. Yaqub worked for various entities having an interest in developing or understanding 3GPP technologies. Ex. 1012 ¶¶ 7–12. During that time, he both participated in and contributed to 3GPP standards setting organizations, was an active member in various 3GPP plenary level and working group level meetings, and was Rapporteur of Technical Feasibility Report TR 33.817. Id. ¶¶ 8, 11.

Dr. Yaqub testifies that 3GPP “produce[s] reports and specifications that define technologies covering cellular communications networks.” Id. ¶ 19. The specifications are “contribution-driven by 3GPP member companies,” and produced via regularly and quarterly plenary meetings “where member companies’ contributions, draft specification[s], and other discussion documents are presented for approval.” Id. ¶ 20. Dr. Yaqub further testifies that 3GPP follows “[a] well-established process . . . for capturing accepted proposals and changes in Technical Specifications (TS) and Technical Reports (TR).” Id. ¶ 24. This process includes a file naming convention so that all of “the changes that are brought into the standard, from the past, present, and in the future, are well documented and controlled.” Id. ¶ 28 (quoting Ex. 1022, 5).

Dr. Yaqub further testifies that 3GPP documents are stored on 3GPP’s FTP server in zip-compressed format, where the filename of the zip file is the same as the name of the source document. Id. ¶ 29 (citing Ex. 1022 § 5A). Member-contributed documents (“TDocs”) are assigned unique document numbers, and “members upload these documents to 3GPP’s public FTP server before, during, and after Working Group meetings.” Id. ¶ 30. The documents are uploaded “[s]oon after the end of the meeting—the same day, or at worst within a few days.” Id. ¶ 37. The “TDocs are publicly-available and unrestricted on the online FTP server,” and are “openly published and no password is needed to access any information on the 3GPP website.” Id. ¶ 30; see also Ex. 1022 § 7.6. Documents uploaded to the 3GPP FTP server “receive a data and time stamp.” Ex. 1012 ¶ 33. The documents are “retained on the public 3GPP server indefinitely, and the date and time stamp can be relied upon to indicate when the upload occurred.” Id. ¶¶ 33, 37.

Based on the foregoing testimony, we find Dr. Yaqub “understands the system used to prepare [3GPP] records,” and is a “qualified witness” or “qualified person” as those terms are used in Federal Rules of Evidence 803(6) and 902(11). See Conoco, 99 F.3d at 391; see also Gjokaj, 700 F. App’x at 502.

For the documents relevant to this proceeding (TR 33.821 and TS 23.401), Dr. Yaqub testifies that he “navigated to the relevant file” on the 3GPP FTP server, and “confirm[ed] that it had been correctly uploaded.” Ex. 1012 ¶ 51. Dr. Yaqub provides the URLs he used to navigate to the documents, and testifies that he recognizes the documents located by those URLs as “true and correct” copies. Id. ¶¶ 54, 56. Dr. Yaqub provides screen shots of the 3GPP FTP server’s directories that include the identically named zip files containing the objected to documents. Id. As discussed above, when Patent Owner objected to these screen shots, Petitioner served complete printouts of the 3GPP FTP server’s directories from which Dr. Yaqub took the screenshots. Opp. 5; see also Paper 19, 1; Paper 20, 1; Exs. 1031–1032.

Patent Owner provides no evidence that the 3GPP FTP server, the webpages disclosing the contents of the FTP server’s directories, or the methods or circumstances by which those webpages or their content were prepared lack trustworthiness. See Mot. 3–5; Opp. Reply 1–4. By contrast, Dr. Yaqub testifies that the contents of the 3GPP FTP server directories (webpages) he relied upon were made and kept in the course of 3GPP’s regularly conducted business activity, and were made at or near the times indicated by their upload date and time stamps from information transmitted by 3GPP contributing members. See Ex. 1012 ¶¶ 24, 28–30, 33, 37, 54–56.

Page 20: Administrative Patent Judges Administrative Patent Judge 35 … · 2020-06-18 · Claim 9 is a method claim that recites a method for security capability negotiation performed by

IPR2017-01487 Patent 8,812,848 B2

20

Dr. Yaqub’s declaration and the webpages (printouts of the 3GPP FTP

server directories) he relied upon were served on Patent Owner with notice

of intent to use them, and Patent Owner was provided with the opportunity

to challenge the webpages and their content, as well as Dr. Yaqub’s

testimony regarding how that content was created. See 37 C.F.R.

§ 42.51(b)(1)(ii).

Based on the evidence presented, as summarized above, we find Dr.

Yaqub’s testimony sufficient to authenticate the 3GPP FTP server’s

directories (webpages) and their content, such that they are admissible under

Federal Rule of Evidence 902(11) and not hearsay under Federal Rule of

Evidence 803(6). We, therefore, deny Patent Owner’s motion to exclude

paragraphs 54–56 of Dr. Yaqub’s declaration.

As discussed above, Petitioner also argues the 3GPP FTP server

directories (webpages) Dr. Yaqub relies upon can be authenticated under

Federal Rule of Evidence 901(b)(4), and their content is not hearsay under

Federal Rule of Evidence 807. Opp. 4–13. Patent Owner argues to the

contrary. Opp. Reply 2–3. Because we find Petitioner has shown the

webpages are self-authenticating business records and their contents are not

hearsay, we need not address these additional arguments. See Beloit Corp.

v. Valmet Oy, 742 F.2d 1421, 1423 (Fed. Cir. 1984) (finding an

administrative agency is at liberty to reach a decision based on a single

dispositive issue to “not only save the parties, the [agency], and [the

reviewing] court unnecessary cost and effort,” but to “greatly ease the

burden on [an agency] faced with a . . . proceeding involving numerous

complex issues and required by statute to reach its conclusion within rigid

time limits”).

2. TR 33.821 and TS 23.401

Patent Owner moves to exclude as hearsay portions of TR 33.821

(Ex. 1004) and TS 23.401 (Ex. 1005) “[t]o the extent Petitioner relies on the

dates within [each of these Exhibits] for the purported truth of the matter

asserted to show the date of [their] public accessibility.” Mot. 2. Petitioner

argues the contents of these documents are “exempt from the rule against

hearsay under Federal Rules of Evidence 803(6) and 807.” Opp. 10–13.

Patent Owner argues “Dr. Yaqub’s role as a ‘participant in 3GPP’ is

insufficient to render him a qualified individual to support admission under

FRE 806(b),” and that “FRE 807 is an ‘exceptional’ remedy that Petitioner

has not justified in this case.” Opp. Reply 4.

For the reasons discussed in § II.E.1, supra, we find Dr. Yaqub is a

qualified witness who has authenticated the objected to documents, and

established their trustworthiness, so that their content is not hearsay under

Fed. R. Evid. 803(6). Patent Owner relies on Kolmes v. World Fibers Corp.,

107 F.3d 1354, 1542–43 (Fed. Cir. 1997), to argue that Dr. Yaqub is not a

qualified witness. We disagree. In Kolmes, a witness who “testified that he

had seen [certain] documents while attending a meeting,” but failed to

“testify concerning the record-keeping process related to them” was found

not to be a “qualified witness” under Federal Rule of Evidence 803(6). Id.

In the instant case, however, Dr. Yaqub has provided extensive testimony

regarding 3GPP’s record-development and record-keeping process,

including the fact that member-contributed documents uploaded to the 3GPP

FTP server are maintained indefinitely on that server as of their upload

dates. See Ex. 1012 ¶¶ 24, 28–30, 33, 37. Dr. Yaqub is, therefore, a

qualified witness. See Conoco, 99 F.3d at 391. Moreover, regarding the

specifically objected to documents, Dr. Yaqub testifies that these documents

are “true and correct” copies of the documents uploaded to the 3GPP FTP

server as of their upload dates, and provides specific URLs to the 3GPP FTP

server by which they are downloadable. Id. ¶¶ 54, 56.

Accordingly, for the reasons discussed here and in § II.E.1 supra, we

find the objected to documents TR 33.821 (Ex. 1004) and TS 23.401

(Ex. 1005) are admissible business records under Federal Rule of Evidence

902(11), and their content is not hearsay under Federal Rule of Evidence

803(6). We, therefore, deny Patent Owner’s motion to exclude any portions

of Exhibits 1004 and 1005. Moreover, because we find these Exhibits are

admissible and not hearsay under Federal Rule of Evidence 803(6), we need

not address the parties’ additional arguments regarding whether these

documents are admissible and not hearsay under Federal Rule of Evidence

807. See Beloit, 742 F.2d at 1423.

3. Johansson Deposition Transcript (Ex. 1030)

Exhibit 1030 is a deposition transcript of Johan Johansson taken in the

related District Court proceeding. Mr. Johansson is a former Huawei

employee, and was Huawei’s 3GPP representative for Working Group 2.

Ex. 1030, 7:7–9, 54:18–55:7. Mr. Johansson testified that while he was

Huawei’s Working Group 2 representative, his practice was to download

TDocs for the Working Group 2 meetings he attended. Id. at 147:9–13. He

further testified that he did not need to provide these TDocs to anyone else

because “[e]veryone that needed them would download them from the FTP

server at 3GPP,” and that because the FTP server was public, “the world had

access to these TDocs, everyone.” Id. at 147:19–22, 154:7–10.

Petitioner relies on Mr. Johansson’s testimony to corroborate Dr.

Yaqub’s testimony that it was 3GPP’s regular business practice to make

3GPP documents available to and accessible by “at least members of the

3GPP working [groups] through the 3GPP FTP site.” Reply 21. Patent

Owner moves to exclude this testimony as irrelevant and causing unfair

prejudice. Mot. 6 (citing Fed. R. Evid. 401–403). Patent Owner argues the

testimony is irrelevant because it “makes no mention of the 3GPP

specifications in this case—TR 33.821 and TS 23.401,” and does not

identify which documents were downloaded from the FTP server or when.

Id.; Opp. Reply 5. Petitioner argues the testimony is relevant because it

“directly contradicts Huawei’s arguments concerning the public availability”

of 3GPP documents. Opp. 14.

A document is relevant if it tends to make a fact of consequence in

determining an action more or less probable. Fed. R. Evid. 401. Relevant

evidence is generally admissible, but may be excluded if its probative value

is substantially outweighed by unfair prejudice. Id. at 402–403.

Mr. Johansson’s testimony is relevant because it makes more or less

probable Dr. Yaqub’s testimony regarding 3GPP’s business practice of

making TDocs available to Working Group members before Working Group

meetings. This is true, even though Mr. Johansson’s testimony does not

concern the specific TDocs at issue in this proceeding. As discussed in

§ II.D, supra, the public availability of documents can be established based

on evidence of regularly conducted business practices. See Constant, 848

F.2d at 1568–69 (“Evidence of routine business practice can be sufficient to

prove that a reference was made accessible.”). Patent Owner’s concerns

about unfair prejudice do not persuade us that we should exclude Mr.

Johansson’s testimony because, like a district court conducting a bench trial,

we can assess the probative value of the testimony as it applies to this

proceeding.

Accordingly, for the reasons discussed above, we deny Patent

Owner’s motion to exclude the testimony of Mr. Johansson.

4. TS 23.401 v. 8.4.0 (Ex. 1028)

Exhibit 1028 is a newer version of TS 23.401 (Ex. 1005), released

December 2008, which is after the priority date of the ’848 patent.

Ex. 1028, 1. It discloses the UE’s “network capabilities indicate . . . the

supported NAS and AS security algorithms.” Id. at 55. Petitioner relies on

Exhibit 1028 to rebut Patent Owner’s argument that the TAU request a UE

sends to an MME in idle mode mobility between non-LTE and LTE

networks, which includes the UE’s Network Capability, does not include the

UE’s security capabilities. See Reply 19, n.5; see also Ex. 1005, 31–32

(showing a UE sends its “UE Network Capability” to an MME in a TAU

request).

Patent Owner argues that because Exhibit 1028 was dated after the

priority date of the ’848 patent, it “is irrelevant to showing how a Skilled

Artisan would understand ‘UE Network Capabilities’ as of the time at

issue—August 31, 2007 (’848 Patent’s effective filing date).” Mot. 5.

Petitioner counters that extrinsic evidence of the meaning of a term to a

person of ordinary skill in the art “need not antedate the critical date of the

patent at issue.” Opp. 13 (quoting Monsanto Tech. LLC v. E.I. DuPont de

Nemours & Co., 878 F.3d 1336, 1345 (Fed. Cir. 2018)). Petitioner further

argues that because Exhibit 1028 was submitted as “extrinsic evidence to

establish the understanding of a person of ordinary skill in the art,” it “is

relevant to demonstrate what . . . was meant by the term ‘UE network

capabilities’ in the prior art version of TS 23.401 [i.e., Exhibit 1005].”

Opp. 13–14. Patent Owner replies that because Exhibit 1028 “postdates the

February 2008 3GPP meeting where Patent Owner’s contribution was

accepted by the 3GPP standard’s body. . . . it shows only that Patent

Owner’s contribution was adopted in a later standard, and is irrelevant.”

Opp. Reply 5 (citing Ex. 2010, 1).

As discussed below, we do not rely on Exhibit 1028 to elucidate the

meaning of the term “UE Network Capability” in TS 23.401 (Ex. 1005) to a

person of ordinary skill in the art. Accordingly, we dismiss Patent Owner’s

motion to exclude Exhibit 1028 as moot.

5. Infringement Contentions (Ex. 1011)

Exhibit 1011 is a copy of Patent Owner’s infringement contentions

submitted to the District Court in the related district court litigation. Patent

Owner moves to exclude the exhibit as irrelevant and causing unfair

prejudice. Mot. 3. Patent Owner argues the exhibit is irrelevant because

“[n]either the Petitioner, nor its expert Dr. Tim Williams . . . cites or relies

on these infringement contentions,” which purport to show that Samsung’s

accused devices “comply with different versions of the 3GPP standards,

dated later than the versions Petitioner contends are prior art.” Id. Petitioner

does not dispute Patent Owner’s contentions. Opp. 13.

We agree with Patent Owner that its infringement contentions in the

related district court litigation are not relevant to any issue in this

proceeding. Accordingly, Patent Owner’s motion to exclude Exhibit 1011 is

granted.

F. Overview of Prior Art

1. TR 33.821

TR 33.821 is a 3GPP document describing the “rationale and

track[ing] of security decisions in Long Term Evolved (LTE)” networks.

Ex. 1004, 6. TR 33.821 explains that LTE security “separate[s] the security

between AS [Access Stratum] . . . and NAS [non-Access Stratum]

signalling,” and requires “the radio link and the core network . . . have

cryptographically separate keys.” Id. at 7. As a result, the “LTE system has

two layers of protection instead of one layer perimeter security like in

UTRAN [non-LTE].” Id. The first layer of security is RRC [Radio

Resource Control] security between the UE and eNB, and the second layer

of security is NAS security between the UE and a mobility management

entity (MME). Id. at 7, 41–42 (during initial attachment “Both UE-eNB and

UE-MME security needs to be established.”); see also id. at 42 (during idle

mode mobility “UE-MME security must be established. This could be done

by the passing of the NAS security context.”). The second or NAS security

layer protects the LTE network should the first or RRC security layer be

compromised. Id. at 4. As indicated above, the UE must establish NAS

security with the MME during both initial attachment to the LTE network

and idle mode mobility within the LTE network. Id. at 41–42.

TR 33.821 discloses that an Authentication and Key Agreement

(AKA) procedure authenticates a UE in both 3G and LTE networks. Id. at

31. In the 3G (UMTS) AKA procedure, the UE and 3G network agree on a

pair of security keys, a cipher key (CK) and an integrity key (IK). Id. at 31,

43. In the LTE AKA procedure, the UE and LTE network agree not only on

security keys (CK, IK), but also on NAS security keys (KNASint and

KNASenc). Id. at 43, 51–53, 59. A diagram depicting where and how the

various security keys are generated in an LTE network is shown in Figure 12

of TR 33.821, which is reproduced below.

Figure 12 is a diagram showing the distribution and generation of security

keys in an LTE network. Id. at 53. K is a secret key that is permanently

stored in both an LTE network’s Authentication Center (AuC) and a UE’s

Universal Subscriber Identity Module (USIM). Id. at 51. During an AKA

run, the USIM and AuC independently derive cipher and integrity keys

CK/IK from secret key K, and respectively provide CK/IK to the UE and to

the LTE network’s Home Subscriber Server (HSS). Id. at 52. The UE and

HSS independently derive key Kasme from keys CK/IK, and the HSS

provides Kasme to the MME. Id. Lastly, the UE and MME independently

derive NAS security keys KNASint and KNASenc from Kasme using selected

integrity and security algorithms, respectively. Id.

TR 33.821 discloses that the UE and MME must agree upon the

security algorithms used to derive NAS security keys KNASint and KNASenc

when the UE initially attaches to the network, undergoes idle to active

transition within the network, or undergoes idle mode mobility. Id. at 68

(“Here the UE and the target network entities have to agree on security

algorithms to use after a mobility event occurred.”). The network selects the

security algorithms based upon the capabilities of the UE, the capabilities of

the serving network entity, and the network’s restrictions. Id. TR 33.821

proposes having the MME select the NAS security algorithms based on the

UE’s security capability and that the most natural way for the MME to learn

of the UE’s security capability is for the UE to send it to the MME. Id. at

69.

Figure 17 of TR 33.821, reproduced below, discloses a procedure that

allows the MME to obtain the UE’s security capabilities and select an NAS

security algorithm during initial attachment.

Figure 17 is a flow chart showing the flow of information between the UE,

eNB, and MME in an LTE network during initial attachment. Id. at 70. At

step 1, the UE sends an NAS message to the eNB that includes the UE’s

security capabilities (UE caps). Id. At step 2, the eNB forwards the

message to the MME. Id. At step 3, the UE and MME optionally perform

an AKA run to derive keys CK/IK. Id. at 33, 70. At step 4, the MME

selects an NAS security algorithm, and sends it to the eNB in a Security

Mode Command (SMC) message. Id. at 70. At step 5, the eNB forwards

the SMC message to the UE. Id. at 71. At step 6, the UE begins NAS

encryption and sends an NAS complete message to the eNB, and at step 7

the eNB forwards this message to the MME. Id. Messages sent between the

UE and MME are now NAS encrypted. Id.

TR 33.821 further discloses that a UE undergoing idle mode mobility

within an LTE network “results in a location update procedure. The security

algorithm selection upon location updates shall be performed in the same

way as on initial attachment.” Id. at 75.
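The key hierarchy of Figure 12 and the initial-attachment negotiation of Figure 17, as described above, can be traced in the following added example, which is not part of the decision or of TR 33.821. The HMAC-SHA-256 derivation function, the RAND input, the algorithm names, and every function name are assumptions standing in for details the decision does not give.

```python
import hashlib
import hmac
import os


class NoCommonAlgorithm(Exception):
    """Raised when the UE supports nothing the network is willing to use."""


def kdf(key, label, *params):
    # Stand-in derivation function (assumption): HMAC-SHA-256 over a label
    # and length-prefixed parameters. It is NOT the 3GPP-specified KDF.
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def aka_keys(k, rand):
    # USIM and AuC each run this on their own copy of K during an AKA run.
    # RAND as the per-run input is an assumption of this sketch.
    return kdf(k, b"CK", rand)[:16], kdf(k, b"IK", rand)[:16]


def derive_kasme(ck, ik):
    # UE and HSS each derive Kasme from CK/IK; the HSS hands it to the MME.
    return kdf(ck + ik, b"KASME")


def derive_nas_keys(kasme, enc_alg, int_alg):
    # The selected algorithms are inputs, so a different selection yields
    # different NAS keys. Returns (KNASenc, KNASint).
    k_nas_enc = kdf(kasme, b"NAS-enc", enc_alg.encode())[:16]
    k_nas_int = kdf(kasme, b"NAS-int", int_alg.encode())[:16]
    return k_nas_enc, k_nas_int


def select_algorithm(ue_caps, network_priority):
    # The network's priority list encodes both the serving entity's
    # capabilities and the network's restrictions; first UE match wins.
    for alg in network_priority:
        if alg in ue_caps:
            return alg
    raise NoCommonAlgorithm(f"UE offers {sorted(ue_caps)}, "
                            f"network allows {network_priority}")


def run_initial_attach(k_usim, k_auc, ue_caps, mme_policy, rand=None):
    rand = rand if rand is not None else os.urandom(16)

    # Steps 1-2: UE sends a NAS message carrying its security capabilities;
    # the eNB forwards it unchanged to the MME.
    nas_message = {"ue_caps": ue_caps}

    # Step 3: AKA run. Each side works only from its own copy of K.
    kasme_ue = derive_kasme(*aka_keys(k_usim, rand))
    kasme_mme = derive_kasme(*aka_keys(k_auc, rand))

    # Steps 4-5: MME selects the NAS algorithms and returns the choice in a
    # Security Mode Command, forwarded by the eNB.
    smc = {
        "enc": select_algorithm(nas_message["ue_caps"]["enc"], mme_policy["enc"]),
        "int": select_algorithm(nas_message["ue_caps"]["int"], mme_policy["int"]),
    }

    # Steps 6-7: both ends derive the NAS keys independently from Kasme and
    # the selected algorithms; no NAS key crosses the air interface.
    ue_keys = derive_nas_keys(kasme_ue, smc["enc"], smc["int"])
    mme_keys = derive_nas_keys(kasme_mme, smc["enc"], smc["int"])
    return {"smc": smc, "ue_keys": ue_keys, "mme_keys": mme_keys}


# Constructed sample inputs (not taken from any 3GPP document).
SAMPLE_K = bytes(range(16))
SAMPLE_UE_CAPS = {"enc": {"enc-A", "enc-B"}, "int": {"int-A"}}
SAMPLE_MME_POLICY = {"enc": ["enc-C", "enc-B", "enc-A"],
                     "int": ["int-B", "int-A"]}

if __name__ == "__main__":
    result = run_initial_attach(SAMPLE_K, SAMPLE_K,
                                SAMPLE_UE_CAPS, SAMPLE_MME_POLICY)
    print("selected:", result["smc"])
    print("keys match:", result["ue_keys"] == result["mme_keys"])
```

If the UE's capabilities never reach the MME, `select_algorithm` has nothing to match against, which is why the capability transfer in step 1 precedes NAS key derivation.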

2. TS 23.401

TS 23.401 is a 3GPP specification that covers “roaming and non-

roaming scenarios and covers all aspects, including mobility between E-

UTRAN and pre-E-UTRAN 3GPP radio access technologies, policy control

and charging, and authentication.” Ex. 1005, 7. TS 23.401 discloses a

Tracking Area Update (TAU) procedure that allows a UE in a 3G network to

undergo idle mode transition to an LTE network. Id. at 30–33. The TAU

procedure executes when an idle state UE that is registered with a 3G-SGSN

registers with an MME in an LTE network as depicted in Figure 5.3.3.2-1,

reproduced below. Id. at 30–31.

Figure 5.3.3.2-1 discloses a TAU update procedure executed when an

idle mode UE transitions from a 3G network to an LTE network. Id. at 31.

At step 1, the UE moves from a 3G network Ranging Area (RA) to an LTE

network Tracking Area (TA). Id. At steps 2a/2b, the UE sends, via an

eNodeB, a TAU request to an MME in the LTE network. Id. The TAU

request includes the UE’s old TAI (tracking area identifier), S-TMSI

(temporary mobile subscriber identifier), UE Network Capability, selected

network, and an active flag. Id. At step 3, the MME uses the information in

the TAU request to identify the 3G-SGSN to which the UE was connected,

and sends a Context Request message to the SGSN to retrieve the UE’s

context. Id. At step 4, the SGSN sends a Context Response to the MME,

and the MME “shall ignore the UE Network Capability contained in the . . .

SGSN Context Response only when it has previously received an UE

Network Capability in the Tracking Area Update.” Id. At step 5, the UE

and MME execute authentication functions, security functions, and

ciphering procedures. Id. The remaining steps in Figure 5.3.3.2-1 involve

messages sent between the MME and various elements of the 3G and LTE

networks to ensure the UE’s context is transmitted to the LTE network,

which subsequently controls messaging to and from the UE. Id.

3. Shaheen

Shaheen is a patent directed to a system and method for implementing

a Routing Area Update (“RAU”) procedure in an LTE network. Ex. 1006,

Abstract. The RAU procedure involves signaling between various LTE

network elements, including an MME and a Wireless Transmit/Receive Unit

(WRTU) such as a UE. Id. ¶¶ 9, 33, Fig. 9. The WRTU includes a

transceiver (transmitter/receiver) for sending and receiving data to and from

the MME in the LTE network, and a processor for implementing the

disclosed procedure. Id. ¶¶ 40–42.

G. Obviousness of Claims 1, 3–5, 7–9, 11–13, 15, and 16 over TR 33.821 and TS 23.401

Petitioner argues claims 1, 3–5, 7–9, 11–13, 15, and 16 are

unpatentable as obvious over TR 33.821 and TS 23.401. Pet. 36–63.

1. Mapping of TR 33.821 and TS 23.401 to the Claims

a. Claims 1 and 9

Claim 1 recites a UE that includes a transmitter configured to send the

UE’s security capabilities to an LTE network for NAS security algorithm

selection when the UE moves in idle state from a non-LTE network to the

LTE network. Ex. 1001, 11:52–58. Petitioner relies on the combined

teachings of TR 33.821 and TS 23.401 to teach this limitation. See Pet. 37–

43, 58–63.

Petitioner argues TR 33.821 teaches a UE having an LTE radio that

sends radio signals to and receives radio signals from an eNodeB in an LTE

network. Pet. 37–39 (citing Ex. 1004, 18 (Fig. 3)). Relying on the

testimony of Dr. Williams, Petitioner argues a person of ordinary skill in the

art would have known that an LTE radio includes a transmitter. Id. at 39

(citing Ex. 1014 ¶¶ 93–94). Petitioner argues TR 33.821 also teaches the UE

transmitter sends an initial access message that includes the UE’s security

capabilities to an MME in an LTE network, and the MME selects an NAS

security algorithm based on the UE’s and MME’s security capabilities. Id.

at 39–41 (citing Ex. 1004, 69–70, Figs. 10, 17; Ex. 1014 ¶¶ 95–97). Lastly,

Petitioner argues TR 33.821 teaches “the same procedure used for initial

access/attach should be used during idle state mobility” within the LTE

network. Id. at 41–42 (quoting Ex. 1004, 75 (“Idle mode mobility results in

a location update procedure. The security algorithm selection upon location

updates shall be performed in the same way as on initial attachment.”)).

Petitioner acknowledges that TR 33.821 does not teach a non-LTE to

LTE idle mode mobility procedure. Id. at 42. However, Petitioner argues

TS 23.401 teaches such a procedure, and during that procedure a UE sends a

TAU request to an MME, and the UE and MME perform an AKA run to

generate security keys. Id. at 42–43 (citing Ex. 1005, 30–32, Fig. 5.3.3.2-1;

Ex. 1014 ¶¶ 87, 99–101). Petitioner argues a person of ordinary skill in the

art would have been motivated to modify this non-LTE to LTE idle mode

procedure such that the UE includes its NAS security capabilities in the

TAU request for several reasons. See Pet. 58–63.

Relying on the testimony of Dr. Williams, Petitioner argues

TR 33.821 and TS 23.401 were part of the LTE development process, and a

person implementing LTE network security would have considered the

teachings from both references “to understand the overall network

architecture and how security procedures are implemented in different

elements of the architecture.” Id. at 58–59 (citing Ex. 1014 ¶¶ 133, 135). In

particular, TS 23.401 discloses LTE “network architecture, including major

network elements . . . and information flows among the network elements

and UEs within the network,” and TR 33.821 discloses LTE “security and

authentication procedures between networks and user equipment.” Id.

(citing Ex. 1004, 6; Ex. 1005, 23–47).

Petitioner argues TR 33.821 “demonstrates all of the security

negotiation procedures claimed in the ’848 Patent were known in the context

of initial attachment and idle mode mobility.” Id. at 59–60 (citing Ex. 1014

¶ 136). Petitioner further argues TS 23.401 teaches a UE sends its network

capabilities to an MME in a TAU request during idle mode mobility

between non-LTE and LTE networks. Id. at 60–61 (quoting Ex. 1005, 31

(“The UE initiates a TAU procedure by sending a Tracking Area Update

Request (old TAI, old S-TMSI, UE Network Capability, Selected Network,

active flag) message to the eNodeB.”)). Moreover, TS 23.401 teaches the

LTE network needs to authenticate and establish security with the UE via an

AKA run. Id. at 62 (citing Ex. 1005, 31; Ex. 1014 ¶ 140). Therefore,

Petitioner argues, a person skilled in the art “would have looked to known

security negotiation and key derivation procedures in order to implement the

AKA procedure, which would have led him or her to TR 33.821.” Id. (citing

Ex. 1014 ¶ 140).

Petitioner argues a person of ordinary skill in the art would have

found it obvious to modify the non-LTE to LTE idle mode mobility TAU

procedure taught by TS 23.401 to include the UE security capabilities taught

by TR 33.821 because the UE needed to authenticate itself to and establish

security with the LTE network. Id. at 59–60 (citing Ex. 1014 ¶¶ 136–137).

Petitioner argues this modification would have been a simple substitution of

one known element for another to obtain predictable results because once the

MME obtained the UE’s security capabilities it would select an NAS

security algorithm, provide the selection to the UE, and the UE and MME

would proceed to derive security keys as taught by TR 33.821. Id. at 60–61

(citing Ex. 1014 ¶¶ 137–139). Petitioner argues the results of the

modification would have been predictable because the TS 23.401 TAU

request is a type of NAS message like the NAS message used to send UE

security capabilities to an MME on initial attachment as taught by

TR 33.821. Id. at 60–61 (citing Ex. 1014 ¶ 138).

Patent Owner disputes that it would have been obvious to combine the

teachings of TR 33.821 and TS 23.401 in the manner proposed by Petitioner.

See PO Resp. 21–33. In particular, Patent Owner argues Petitioner fails to

identify a reason to make the proposed combination, has relied on improper

hindsight, has improperly relied upon the initial attach procedure disclosed

in TR 33.821 rather than the idle mode mobility procedure, and has failed to

show the proposed combination would have been a simple and

straightforward substitution. Id. We summarize Patent Owner’s arguments

in more detail below, and explain why we find Petitioner’s arguments to be

persuasive.

First, Patent Owner argues that Petitioner’s rationale for combining

the teachings of TR 33.821 and TS 23.401 is too “generic, not specific,”

and lack an “objective reason to combine specific elements in the way they

are claimed in the ’848 Patent.” Id. at 29–30. We do not find this argument

persuasive because it only considers the starting point of Petitioner’s

analysis for why a person skilled in the art would have combined the

teachings of TR 33.821 and TS 23.401, namely, because they are in the same

field of endeavor and were drafted as part of the LTE standards development

process. Id. As discussed above, Petitioner further argues that a person

ordinarily skilled in the art would have combined these references because

TS 23.401 teaches that when a UE undergoes non-LTE to LTE idle mode

mobility, the UE needs to authenticate itself and establish security with the

LTE network via an AKA run. Pet. 62 (citing Ex. 1005, 31; Ex. 1014

¶ 140). Thus, he or she “would have looked to known security negotiation

and key derivation procedures in order to implement the AKA procedure.”

Id. at 62 (citing Ex. 1014 ¶ 140). This would have led to consideration of

the security negotiation and key derivation procedures disclosed in TR

33.821, including having the UE send its security capabilities to an MME as

taught in the TR 33.821 initial access procedure. Id. Therefore, a person

ordinarily skilled in the art would have modified the TS 23.401 idle mode

mobility TAU request to include transmitting the UE security capabilities to

the MME as taught by TR 33.821. Id. at 59–60 (citing Ex. 1014 ¶ 137).

Patent Owner argues the AKA run disclosed in the TS 23.401 idle

mode mobility TAU procedure would not have motivated a person skilled in

the art to combine the teachings of TS 23.401 and TR 33.821 because

“[n]either TR 33.821 nor TS 23.401 suggest that the UE security capabilities

are required for or used in this AKA procedure.” PO Resp. 32. Rather,

relying on the testimony of Dr. Mandayam, Patent Owner argues “[t]he

AKA procedure is instead for KASME deduction.” Id. (citing Ex. 2003 ¶ 43).

Dr. Mandayam’s testimony is based on two disclosures relating to Figure 13

of TR 33.821, which describes a TAU Request procedure for idle mode

mobility between LTE networks. See Ex. 2003 ¶¶ 39–43; Ex. 1004, 61

(Fig. 13). First, step 6 of Figure 13 shows that during an AKA run the UE

and MME agree on key KASME. Ex. 1004, 61. Second, TR 33.821 describes

a step 7 in which the MME derives new NAS keys from KASME and the NAS

security algorithm selected by the MME. Id. We are not persuaded by this

argument for the reasons that follow.

Initially, we note that Petitioner’s argument is based on the TS 23.401

non-LTE to LTE idle mode mobility TAU Request AKA run, not on the

TR 33.821 LTE to LTE idle mode TAU Request AKA run on which Patent

Owner’s argument depends. See Pet. 62 (citing Ex. 1005, 31) (“TS 23.401

recognizes that authentication and security must be established when the UE

moves in idle mode from a non-LTE network to an LTE network. . . . the UE

and MME engage in an AKA procedure following the TAU Request.”)

(internal citations omitted). TS 23.401 teaches a TAU Request is followed

by an authentication procedure (step 5) involving authentication functions,

security functions, and ciphering procedures. Ex. 1005, 31–32. Moreover,

Figure 13 of TR 33.821 discloses the TR 33.821 TAU Request procedure

concludes with an AKA run, and does not disclose step 7 as a separate step

from that AKA run. See Ex. 1004, 61. Elsewhere, TR 33.821 discloses

NAS keys are derived by an MME during an AKA run. See id. at 59

(disclosing an MME already has “NAS protection [keys] as well as other

higher layer keys” during idle to active transitions, and that “[t]hese higher

layer keys may have been established in the MME as a result of an AKA

run.”); see also id. at 42 (disclosing UE-MME security must be established

during a fresh AKA run). Accordingly, we are not persuaded that neither

TR 33.821 nor TS 23.401 suggests that the UE security capabilities are

required for or used in the TS 23.401 AKA run that occurs when a UE

connects to an LTE network from a non-LTE network.

Second, Patent Owner argues Petitioner’s reason for combining the

teachings of TR 33.821 and TS 23.401, i.e., “to enhance security during idle

mode mobility from a non-LTE network to an LTE network,” is hindsight-

based because it is “the reasoning of the 848 Patent itself.” PO Resp. 33

(quoting Pet. 62). We disagree. Petitioner correctly notes that TR 33.821 is

a 3GPP report that “elaborates on security and authentication procedures

between networks and user equipment.” Pet. 59 (citing Ex. 1004, 6); see

also Ex. 1004, 6 (describing the scope of TR 33.821 as a discussion of the

“rationale and track[ing] of security decisions in Long Term Evolved (LTE)

RAN and 3GPP System Architecture Evolution (SAE).”). Petitioner also

correctly notes that TS 23.401 “recognizes that authentication and security

must be established when the UE moves in idle mode from a non-LTE

network to an LTE network,” and does so by “engag[ing] in an AKA

procedure following the TAU Request.” Pet. 62 (citing Ex. 1005, 31;

Ex. 1014 ¶ 140); see also Ex. 1004, 31–32 (describing authentication step 5

of the TS 23.401 TAU procedure as involving authentication functions,

security functions, and ciphering procedures); see also Ex. 1005, 41–42

(disclosing a UE must establish NAS security upon idle mode mobility and

during an AKA run). Therefore, Petitioner argues, “a person of ordinary

skill in the art at the time of the invention would have found express

motivation to combine TR 33.821 and TS 23.401 in order to enhance

security during idle mode mobility from a non-LTE network to an LTE

network.” Id. (citing Ex. 1014 ¶ 140).

Notably, as discussed above, Petitioner’s rationale for combining the

teachings of TR 33.821 and TS 23.401 relies solely on disclosures obtained

from those references, and does not rely on any disclosure obtained from the

’848 patent. As such, we determine that Petitioner’s rationale is not

hindsight-based. See In re McLaughlin, 443 F.2d 1392, 1395 (CCPA 1971)

(finding an obviousness determination is not based on hindsight when “it

takes into account only knowledge which was within the level of ordinary

skill at the time the claimed invention was made and does not include

knowledge gleaned only from applicant’s disclosure”). This is true even if

Petitioner’s rationale also motivated the inventor of the ’848 patent. Indeed,

the fact that the inventor made the claimed invention for the same reason

motivated by the prior art is evidence that the invention was obvious, not

that the Petitioner relied on hindsight-bias.

Third, Patent Owner argues Petitioner’s reason to combine the

teachings of TR 33.821 and TS 23.401 is hindsight-based because it “ignores

the teaching in TR 33.821 for handling security during an idle state network

transition,” and instead focuses on “the initial attach procedure . . . that does

not involve a UE transition between two networks.” PO Resp. 23. Patent

Owner argues TR 33.821 teaches different security procedures for idle mode

mobility and initial attachment in LTE networks. Id. at 21–23, 27. In idle

mode mobility, TR 33.821 teaches a UE sends a TAU request to a new

MME, and the new MME receives the UE’s security capabilities from a

previous MME via context request/response messages. Id. at 21–22, 27

(citing Ex. 1004, 61, Fig. 13; Ex. 2003 ¶¶ 42, 52). By contrast, in initial

attachment, TR 33.821 teaches a new MME receives the UE’s security

capabilities directly from the UE because “there is no old SGSN or MME

that the new MME can contact to get the UE’s security capabilities.” Id. at

22–23 (citing Ex. 1004, 70, Fig. 17; Ex. 2003 ¶ 50). Patent Owner further

argues that TS 23.401 also teaches using a TAU request procedure in idle

mode mobility, albeit between non-LTE and LTE networks, in which the

MME in the LTE network receives information from the SGSN in the non-

LTE network via context request/response messages. Id. at 22, 27 (citing

Ex. 1005, 31–32; Ex. 2003 ¶ 52). Therefore, Patent Owner argues, a person

skilled in the art would have combined the teachings of TR 33.801 and

TS 23.401 such that “the new MME obtains the UE’s security capabilities

from the old network [i.e., old SGSN] through the exchange of ‘context

request’ and ‘context response’ messages.” Id. at 27, 34 (citing Ex. 2003

¶¶ 52, 61, 73).

Patent Owner’s argument highlights the fundamental dispute between

the parties regarding how a person of ordinary skill in the art would have

combined the teachings of TR 33.821 and TS 23.401. That dispute revolves

around whether an MME receiving a TS 23.401 TAU Request from a UE

undergoing non-LTE to LTE idle mode mobility should get the UE’s

security capabilities from the UE itself or from an SGSN in the non-LTE

network. Petitioner argues the MME should get the UE’s security

capabilities from the UE itself. See Pet. 43, 60–61. Patent Owner argues the

MME should get the UE’s security capabilities from an SGSN in the non-

LTE network. See PO Resp. 27, 32. To resolve this fundamental dispute,

we must determine “whether the teachings of the prior art, taken as a whole,

would have made obvious the claimed invention.” In re Gorman, 933 F.2d

982, 986 (Fed. Cir. 1991). For the reasons that follow, we find the prior art

as a whole suggests a UE undergoing non-LTE to LTE idle mode mobility

would send its security capabilities to an MME in the TS 23.401 TAU

Request as Petitioner contends.

TR 33.821 teaches that a UE must establish AS security between itself

and an eNodeB, and NAS security between itself and an MME, when the UE

first connects to an LTE network. Ex. 1004, 41–42. To establish NAS

security, the UE sends “all UE[] security capabilities” to the MME in an

initial NAS request message. Id. at 70 (steps 1, 3) (emphasis added).

TR 33.821 further teaches that during idle mode mobility between LTE

networks, the UE does not send its security capabilities to the MME because

the MME can obtain them from the MME to which the UE was previously

attached. Id. at 61.

The teachings of TS 23.401 are similar. In particular, TS 23.401

teaches that when a UE first registers or connects to an LTE network,

whether via initial attachment or non-LTE to LTE idle mode mobility, the

UE must send to an MME the information the MME needs to connect the

UE to the network. For example, TS 23.401 teaches a UE sends its UE

Network Capability to an MME in an LTE network attachment procedure.

See Ex. 1005, 24 (disclosing “[a] UE needs to register with the network. . . .

This registration is described as Network Attachment.”); see also id. at 25

(disclosing a UE Attach Request sent to an MME includes the UE’s S-

TMSI, old TAI, UE Network Capability, PDN Address Allocation, and

Selected Network). TS 23.401 also teaches that during non-LTE to LTE idle

mode mobility, a UE (which has not yet connected to the LTE network)

sends an MME its UE Network Capability in a TAU Request. Id. at 31

(disclosing the non-LTE to LTE TAU Request includes the UE’s S-TMSI,

old TAI, UE Network Capability, Selected Network, and an active flag). By

contrast, when the UE simply moves among MMEs within an LTE network,

TS 23.401 teaches the UE’s TAU request does not include the UE Network

Capability. Id. at 28 (disclosing the TAU request for mobility within LTE

networks includes the UE’s S-TMSI, old TAI, Selected Network, and an

active flag, but does not include the UE Network Capability).

Considering the teachings of TS 23.401 and TR 33.821 as a whole, we

agree with Petitioner’s argument and evidence that a person ordinarily

skilled in the art would have used “the TAU Request message in TS 23.401

to transport the UE security capabilities to the MME,” and would have done

so “to initiate the security negotiation and key derivation procedures

disclosed in TR 33.821.” Pet. 60–61 (citing Ex. 1014 ¶¶ 137–138).

TR 33.821 teaches that when a UE first connects to an LTE network, the UE

must establish NAS security with an MME in the LTE network. See Ex.

1004, 41–42, 71. TR 33.821 further teaches that to establish NAS security,

the MME needs the UE’s security capabilities, and gets them from the UE

itself. See Ex. 1004, 69 (“[I]n SAE/LTE MME has to obtain knowledge of

(at least NAS part) of UEs capabilities. . . . [I]t seems most natural to assume

that UE sends its capabilities to MME”). TS 23.401 teaches that when a UE

first connects to an LTE network (in which case the LTE network does not

have the UE’s context) it must perform authentication, which involves

“AKA authentication and establishment of a NAS level security association

with the UE.” Ex. 1005, 24–26 (step 5); see also id. at 30–32 (step 5).

TS 23.401 also teaches the UE sends its UE Network Capability to an MME

when it first attaches to an LTE network, including during idle mode

transitions from a non-LTE network. Ex. 1005, 25, 31.

For the reasons discussed above, we disagree with Patent Owner’s

contention that an MME would get a UE’s security capabilities from a

previous SGSN in non-LTE to LTE idle mode mobility when the UE

executes the TS 23.401 TAU Request. Although TR 33.821 does teach an

MME gets a UE’s security capabilities from a previous MME in LTE to

LTE idle mode mobility, the MME is able to do that because the LTE

network already has the UE’s security context. The previous MME obtained

that security context either itself, or from an even earlier MME, during an

initial attachment procedure in which the previous (or earlier) MME directly

received the UE’s security capabilities. See Ex. 1004, 41–42, 70. However,

when a UE transitions from a non-LTE network to an LTE network that LTE

initial attachment procedure has not taken place, and the LTE network does

not have the UE’s security context. TS 23.401 teaches that a UE first

connecting to an LTE network in non-LTE to LTE idle mode mobility

executes an authentication function. Ex. 1005, 31–32 (step 5). That

authentication function, which is mandatory when the LTE network does not

have the UE’s security context, involves “AKA authentication and

establishment of a NAS level of security association with the UE.” Id. at

25–26 (step 5). TR 33.821 teaches an AKA run with an LTE network

establishes NAS protection and other higher layer security keys. See

Ex. 1004, 59 (disclosing NAS and other “higher layer keys may have been

established in the MME as a result of an AKA run”).

For the same reasons, we are not persuaded by Patent Owner’s

additional argument that although the TS 23.401 TAU request includes the

UE’s Network capabilities, “[t]he term UE Network capability does not

imply that the TAU request includes the UE’s security capabilities.” PO

Resp. 22 (citing Ex. 1005, 31; Ex. 2003 ¶ 54) (emphasis added). We first

note that Dr. Mandayam, Patent Owner’s expert, did not state the term UE

Network capabilities does not imply UE security capabilities. Rather, he

stated “a TAU request including network capabilities does not necessarily

mean that the TAU request can or should also include security capabilities.”

Ex. 2003 ¶ 54 (emphasis added). However, as explained above, TR 33.821

teaches that a UE must negotiate and establish NAS security with an LTE

network upon initial attachment. See Ex. 1004, 41–42, 70. Thus, when a

UE transitions in idle mode from a non-LTE network to an LTE network, the

UE must establish NAS security with the LTE network. TR 33.831 teaches

the most natural way for the UE to do this is to send its security capabilities

to an MME in the LTE network. Id. at 69–70. Moreover, as Petitioner

contends, TS 23.401 suggests doing exactly this by sending its UE Network

capabilities to an MME in the LTE network. Ex. 1005, 31; see also Pet. at

60 (“[A] person of ordinary skill in the art would have implemented this

combination by using the TAU Request message in TS 23.401 to transport

the UE security capabilities to the MME.”) (emphasis added); id. at 61

(“[T]he TAU Request message disclosed in TS 23.401 . . . would have been

readily capable of carrying the UE security capabilities to the MME in order

to initiate the security negotiation and key derivation procedures disclosed in

TR 33.821.”); id. (“[T]he TAU request message is specifically intended to

transmit UE capabilities to the MME, so there would be no unexpected

changes in its operation.”).

Patent Owner also argues Petitioner’s proposed combination of

TR 33.821 and TS 23.401 is flawed because Petitioner mischaracterizes the

teaching in TR 33.821 that the “security algorithm selection upon location

updates shall be performed in the same way as on initial attachment.” Id. at

25 (citing Pet. 41–42); see also Ex. 1004, 75. Patent Owner argues this

simply means what it says—that the MME should select the security

algorithm based on the UE’s security capabilities—not that the MME should

obtain the UE’s security capabilities from the UE as it does during initial

attachment. Id. at 25 (citing Ex. 2003 ¶ 70).

We do not find this argument persuasive because it does not address

the combination proposed by Petitioner, which is to modify the TS 23.401

TAU Request in view of the teachings of TR 33.821. See Pet. 43, 59–60

(citing Ex. 1014 ¶¶ 137–138). In the context of LTE to LTE idle mode

mobility, we agree that performing security algorithm selection upon

location updates in the same way as on initial attachment simply means the

new MME selects a UE’s security algorithm because it already knows the

UE’s security capabilities. This is because TR 33.821 teaches, in the context

of LTE to LTE idle mode mobility, the new MME obtains the UE’s security

capabilities from a previous MME in a context response message. Id. at 61.

TR 33.821, however, does not address how a UE should establish

NAS security with an MME when the UE connects to the LTE network from

a non-LTE network, e.g., during non-LTE to LTE idle mode mobility.

TS 23.401 discloses a non-LTE to LTE idle mode mobility TAU Request

procedure, and teaches the UE sends the MME its UE Network Capability in

a tracking area update (TAU) request, i.e., a location update. See Ex. 1005,

31–32. The UE must establish NAS security with an LTE network that does

not already have its security context via the LTE initial attachment

procedure when it moves in idle mode from a non-LTE network to an LTE

network. Thus, in this context, the TR 33.821 teaching that “security

algorithm selection upon location updates shall be performed in the same

way on initial attachment” has a different meaning. In particular, it means

the UE should follow the TR 33.821 “algorithm selection at initial

attachment” procedure, because although the UE is undergoing idle mode

mobility, it is also undergoing initial attachment to the LTE network.

Ex. 1004, 69–71.

Patent Owner further argues Petitioner has failed to show that

modifying the TS 23.401 TAU procedure to transmit the UE’s security

capabilities to the MME would have been a simple and straightforward

substitution because it could lead to the transmission of redundant or

incompatible security capability information. PO Resp. 30–31 (citing Ex.

1004, 61; Ex. 2003 ¶ 81). Patent Owner’s argument is again based on the

TR 33.821 LTE to LTE idle mode mobility TAU Request procedure in

which a previous MME sends a new MME the UE’s security capabilities in

a context response step after the TAU request. Id. at 31 (citing Ex. 1004,

61). However, as discussed above, Petitioner does not propose using or

modifying the TR 33.821 TAU Request procedure, which is only applicable

to idle mode mobility within LTE networks. See Ex. 1004, 60–61. Rather,

Petitioner proposes modifying the TS 23.401 TAU procedure, which is

applicable for idle mode mobility between non-LTE and LTE networks, such

that the UE sends a TAU request to the MME that includes not only the

UE’s network capabilities (as taught by TS 23.401), but also the UE’s

security capabilities (as taught by TR 33.821). See Pet. 42–43, 59–61.

Moreover, TS 23.401 teaches “[t]he MME shall ignore the UE Network

Capability contained in the 3G-SGSN Context of SGSN Context Response

. . . when it has previously received an UE Network Capability in the

Tracking Area Update Request.” Id. (emphasis added). Thus, even if the

MME receives the UE’s security capabilities in a context response message

from the non-LTE network’s SGSN, the MME would not have incompatible

security information because it would ignore the information provided in the

SGSN’s context response. Accordingly, for these reasons, we do not find

this argument persuasive.

For the reasons discussed above, we find Petitioner has demonstrated

by a preponderance of the evidence that it would have been obvious to

combine TR 33.821 and TS 23.401 to provide a UE having a transmitter

configured to send UE security capabilities to the MME for NAS security

algorithm selection during non-LTE to LTE idle mode mobility as required

by claim 1.

Claim 1 further requires the UE to include a receiver that is

configured to receive a selected NAS security algorithm from the LTE

network. Ex. 1001, 11:59–60. Petitioner argues the combination of TR

33.821 and TS 23.401 teaches this limitation. See Pet. 43–45, 58–63. Patent

Owner does not dispute Petitioner’s contentions. See generally PO Resp.

Petitioner demonstrates how TR 33.821 teaches a UE has an LTE

radio that sends radio signals to and receives radio signals from an eNodeB

in an LTE network. Pet. 43 (citing Ex. 1004, 18 (Fig. 3)). Petitioner further

demonstrates, via the unrebutted testimony of Dr. Williams, that a person of

ordinary skill in the art would have known that an LTE radio includes a

receiver. Id. at 43–44 (citing Ex. 1014 ¶¶ 93–94, 103). Petitioner further

demonstrates how TR 33.821 teaches the UE receiver is configured to

receive a selected NAS security algorithm from the LTE network by

receiving a Security Command Message (SMC) from the MME containing a

selected NAS security algorithm. Id. at 44–45 (citing Ex. 1004, 69, Fig. 17;

Ex. 1014 ¶¶ 93–94, 104–105). Accordingly, Petitioner has demonstrated

how the combination of TR 33.821 and TS 23.401 teaches the UE receiver

limitation.

Claim 1 further requires the UE to include a processor configured to

generate a root key from an authentication vector-related key available at the

UE. Ex. 1001, 11:61–62. Petitioner argues the combination of TR 33.821

and TS 23.401 teaches this limitation. See Pet. 45–50, 58–63. Patent Owner

does not dispute Petitioner’s contentions. See generally PO Resp.

Petitioner, via the unrebutted testimony of Dr. Williams, demonstrates

how TR 33.821 discloses a UE having a processor because a person skilled

in the art would have understood that a processor is “an inherent and

necessarily present feature of UEs as disclosed in LTE technical reports and

specifications.” Pet. 45–46 (citing Ex. 1014 ¶¶ 93–94, 106). Moreover,

Petitioner demonstrates how TR 33.821 discloses the UE’s processor

generates a root key from an authentication vector-related key by generating

root key Kasme from authentication vector-related keys CK and IK during

an AKA run. Pet. 46–48 (citing Ex. 1004, 47, 52–53, 70, Figs. 10, 12, 17;

Ex. 1014 ¶¶ 107–110).4 Accordingly, Petitioner has demonstrated how the

combination of TR 33.821 and TS 23.401 teaches a UE having a processor

configured to generate a root key from an authentication vector-related key

available at the UE as required by claim 1.

Lastly, claim 1 requires the UE processor to derive an NAS protection

key for communicating with the LTE network from the root key and the

selected NAS security algorithm. Ex. 1001, 11:62–65. Petitioner argues the

combination of TR 33.821 and TS 23.401 teaches this limitation. See Pet.

45–50, 58–63. Patent Owner does not dispute Petitioner’s contentions. See

generally PO Resp.

Petitioner demonstrates how TR 33.821 discloses this limitation by

generating NAS protection key KNASenc from root key Kasme based on a

particular encryption algorithm, and by generating NAS protection key

KNASint from root key Kasme based on a particular integrity algorithm,

during an AKA run. Pet. 48–50 (citing Ex. 1004, 33, 47, 52–53, Figs. 10,

12; Ex. 1014 ¶¶ 111–113).5 Accordingly, Petitioner has demonstrated how

the combination of TR 33.821 and TS 23.401 teaches a UE having a

processor configured to generate an NAS protection key for communicating

4 The ’848 patent identifies Kasme as a root key, and CK and IK as authentication vector-related keys. See Ex. 1001, 5:11–16, 5:25–33.

5 The ’848 patent identifies Knas-enc and Knas-int as NAS protection keys and Kasme as a root key. See Ex. 1001, 5:25–33.

with the LTE network from a generated root key according to the selected

NAS security algorithm as required by claim 1.

For the reasons discussed above, having considered the evidence and

arguments presented by Petitioner and Patent Owner, Petitioner has

demonstrated by a preponderance of the evidence that the combination of

TR 33.821 and TS 23.401 teaches or suggests all the limitations of claim 1.

Claim 9 is a method claim that recites a method for security capability

negotiation performed by a UE undergoing idle mode mobility from a non-

LTE to LTE network by performing the functions recited in claim 1.

Compare Ex. 1001, 12:30–45 with id. at 11:52–65. Petitioner maps the

limitations of claim 9 to the corresponding functional limitations of claim 1,

and provides the same analysis described above with respect to claim 1 to

demonstrate how the combination of TR 33.821 and TS 23.401 teaches all

the limitations of claim 9. See Pet. 55–56. Accordingly, for the reasons

discussed above with respect to claim 1, Petitioner has demonstrated how

the combination of TR 33.821 and TS 23.401 teaches all the limitations of

claim 9.

b. Claims 3 and 11

Claim 3 depends from claim 1, and requires the authentication vector-

related key for generating the root key to include an integrity key (IK) and

an encryption key (CK) when the UE moves from a 3G network to an LTE

network. Ex. 1001, 12:3–7, Cert. of Corr., 1. Claim 11 depends from claim

9, and requires the same limitation. Compare id. at 12:3–7, with id. at

12:50–53; see also id., Cert. of Corr., 1. Petitioner relies on the combination

of TR 33.821 and TS 23.401 to teach this limitation. See Pet. 50–51, 56–65.

Patent Owner does not dispute Petitioner’s contentions. See generally PO

Resp.

Petitioner demonstrates how TS 23.401 teaches a UE undergoing idle

mode mobility between 3G and LTE networks sends a TAU request to an

MME, and the UE and MME subsequently perform an AKA run. Pet. 50

(citing Ex. 1005, 30–31); see also id. at 42–43 (citing Ex. 1005, 30–32, Fig.

5.3.3.2-1). Petitioner further demonstrates how TR 33.821 teaches the UE

and MME generate root key Kasme from authentication vector-related keys

CK and IK during an AKA run.6 Id. at 50 (quoting Ex. 1004, 33); see also

id. at 46–48 (citing Ex. 1004, 47, 52–53, 70, Figs. 10, 12, 17). Accordingly,

Petitioner has demonstrated how the combination of TR 33.821 and TS

23.401 teaches this limitation, identically recited in claims 3 and 11.

c. Claims 4 and 12

Claim 4 depends from claim 1, and requires the UE transmitter to

send the UE security capabilities through a TAU request. Ex. 1001, 12:8–

10. Claim 12 depends from claim 9, and requires the UE to perform the

same function. Compare id. at 12:8–10 with id. at 12:54–56. Petitioner

argues the combination of TR 33.821 and TS 23.401 teaches this limitation.

See Pet. 51–52, 57–65.

For the reasons explained in § II.G.1.a, supra, Petitioner demonstrates

TR 33.821 teaches a UE having a transmitter configured to send UE security

capabilities to an MME in an LTE network. See Pet. 51 (citing Ex. 1004,

69, Ex. 1014 ¶¶ 115–116). Petitioner further demonstrates TS 23.401

teaches a UE sends UE information to the MME in a TAU request message

6 The ’848 patent identifies CK as an encryption key and IK as an integrity key. Ex. 1001, 5:13–15.

during non-LTE and LTE idle mode mobility. Id. at 51–52 (citing Ex. 1005

31, Fig. 5.3.3.2-1).

Patent Owner argues, “Petitioner fails to provide any explanation of

how the cited disclosure of TR 33.821 and TS 23.401 would be combined to

meet the requirements of claims 4 and 12.” PO Resp. 35. Patent Owner

further argues Petitioner has failed to “provide any rationale for why a

Skilled Artisan would have been motivated to combine TR 33.821 and

TS 23.401 in the specific manner required by these claims.” Id.

We disagree. Petitioner provides a limitation-by-limitation analysis

that maps the teachings of TR 33.821 and TS 23.401 to each of the

limitations of the challenged claims in §§ X.A.1–12 of the Petition. See Pet.

37–58. Petitioner then provides a reason to combine the teachings of

TR 33.821 and TS 23.401 in § X.A.13 of the Petition, and that reason to

combine is applicable to all of the challenged claims. See id. at 58–63.

This is evident by considering how Petitioner maps the teachings of

TR 33.821 and TS 23.401 to claim 1. In that mapping, Petitioner argues as

follows. TR 33.821 teaches a UE having a transmitter that sends UE

security capabilities to an MME in an LTE network during an initial access

procedure to establish security. Id. at 39–42. TS 23.401 teaches a UE that

sends UE Network Capability information to an MME in a TAU Request

message sent during non-LTE to LTE idle mode mobility. Id. at 42–43.

These teachings “could have been combined in a straightforward manner by

following the security procedures of TR 33.821 during idle mode mobility

from a non-LTE network to an LTE network as disclosed in TS 23.401.” Id.

at 60. Moreover, “a person of ordinary skill in the art would have

implemented this combination by using the TAU Request message in TS

23.401 to transport the UE security capabilities to the MME.” Id.

For the reasons discussed in § II.G.1.a, supra, we find Petitioner’s

analysis of claim 1 demonstrates the combination of TR 33.821 and

TS 23.401 teaches a UE transmitter configured to send UE security

capabilities to an LTE network through a TAU Request message, and

articulates why an ordinarily skilled artisan would have combined the

references to provide such UE transmitter. Thus, Petitioner’s analysis of

claim 1 also demonstrates the combination of TR 33.821 and TS 23.401

teaches the limitation required by claim 4, which simply requires the UE to

transmit its security capabilities to the LTE network in a TAU message.

Indeed, Petitioner’s brief analysis of claim 4 begins with “[a]s explained

above,” followed by a condensed version of the argument that maps the

teachings of TR 33.821 and TS 23.401 to claim 1. See Pet. 51–52.

Accordingly, for the reasons discussed above, we find Petitioner’s

analysis of claim 4 is sufficient to demonstrate that it would have been

obvious to combine TR 33.821 and TS 23.401 to provide this limitation,

similarly recited in claims 4 and 12.

d. Claims 5 and 13

Claim 5 depends from claim 1, and requires the UE receiver to receive

the selected NAS security algorithm through an NAS security mode

command message. Ex. 1001, 12:11–13. Claim 13 depends from claim 9,

and requires the UE to perform the same function. Compare id. at 12:11–13

with id. at 12:57–60. Petitioner argues the combination of TR 33.821 and

TS 23.401 teaches this limitation. See Pet. 52–53, 57–65. Patent Owner

does not dispute Petitioner’s contentions. See generally PO Resp.

Petitioner demonstrates how TR 33.821 teaches that when an MME

selects an NAS security algorithm based on the UE’s security capabilities, it

sends the selected NAS security algorithm to the UE (via eNodeB) in a

security mode command (SMC) message. Pet. 52–53 (citing Ex. 1004, 69–

70, Fig. 17; Ex. 1014 ¶ 117); see also Ex. 1004, 7 (defining SMC as a

Security Mode Command). Accordingly, Petitioner has demonstrated the

combination of TR 33.821 and TS 23.401 teaches this limitation, similarly

recited in claims 5 and 13.

e. Claims 7 and 15

Claim 7 depends from claim 1, and further requires the UE receiver to

receive the UE security capability information from the LTE network. Ex.

1001, 12:17–19. Claim 15 depends from claim 9, and requires the UE to

perform the same function. Compare id. at 12:3–7 with id. at 12:65–67.

Petitioner argues the combination of TR 33.821 and TS 23.401 teaches this

limitation. See Pet. 53–54, 57–65. Patent Owner does not dispute

Petitioner’s contentions. See generally PO Resp.

Petitioner demonstrates how TR 33.821 teaches an MME sends the

UE’s security capabilities (UE caps) to the UE (via eNodeB) in the same

SMC message the MME sends the UE to indicate the MME’s selection of an

NAS security algorithm. Pet. 53–54 (citing Ex. 1004, 69–70, Fig. 17; Ex.

1014 ¶¶ 118–119). In particular, Petitioner demonstrates how steps 4 and 5

of Figure 17 of TR 33.821 teach “the MME provides the ‘UE caps’ to the

eNodeB in a NAS SMC,” and the “eNodeB provides the NAS SMC

(including the ‘UE caps’) to the UE.” Id. at 53. Accordingly, Petitioner has

demonstrated the combination of TR 33.821 and TS 23.401 teaches this

limitation, similarly recited in claims 7 and 15.

f. Claims 8 and 16

Claim 8 depends from claim 7, and requires the processor to compare

whether the UE security capability information received from the LTE

network is consistent with the security capability information stored in the

UE, and to determine the security capability negotiation fails if the two are

inconsistent. Ex. 1001, 12:20–27. Claim 16 depends from claim 9, and

requires the UE to perform the same function. Compare id. at 12:20–27 with

id. at 13:1–9. Petitioner argues the combination of TR 33.821 and

TS 23.401 teaches this limitation. See Pet. 54–55, 58–65. Patent Owner

does not dispute Petitioner’s contentions. See generally PO Resp.

As discussed above, Petitioner demonstrates how TR 33.821 teaches

an MME sends the UE’s security capabilities (UE caps) to the UE (via

eNodeB) in the same SMC message the MME sends to the UE to indicate

the MME’s NAS security algorithm selection. Pet. 54–55 (citing Ex. 1004,

69–70, Fig. 17; Ex. 1014 ¶¶ 118–119). Petitioner further demonstrates,

through the unrebutted testimony of Dr. Williams, that the UE “compare[s]

the information maintained at the UE with the information received from the

network . . . [to] ensure that an attacker has not interfered with the security

algorithm selection process.” Id. at 55 (quoting Ex. 1014 ¶ 121); see also id.

(quoting Ex. 1004, 68 (“The capabilities the UE sends to the network shall

be repeated in an integrity protected message to UE such that ‘bidding down

attacks’ against the UE’s capabilities can be detected by UE.”)).

Accordingly, Petitioner has demonstrated the combination of TR 33.821 and

TS 23.401 teaches this limitation, similarly recited in claims 8 and 16.
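
The comparison described for claims 8 and 16 can be sketched as follows. This is an added illustration, not part of the Board's decision or of TR 33.821. HMAC-SHA256 stands in for the NAS integrity algorithm, and the algorithm names, key, and function names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed algorithm names in the MME's order of preference
# (illustrative labels, not 3GPP code points).
MME_PREFERENCE = ("ALG-STRONG", "ALG-MEDIUM", "ALG-NULL")


@dataclass(frozen=True)
class SecurityModeCommand:
    selected_alg: str   # NAS security algorithm chosen by the MME
    echoed_caps: tuple  # UE security capabilities as the MME received them
    mac: bytes          # integrity tag covering both fields above


def _mac(key, selected_alg, caps):
    # Assumption: HMAC-SHA256 stands in for the NAS integrity algorithm.
    msg = (selected_alg + "|" + ",".join(caps)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def mme_build_smc(received_caps, key):
    """MME side: select an algorithm and repeat the received capabilities."""
    selected = next((a for a in MME_PREFERENCE if a in received_caps), None)
    if selected is None:
        raise ValueError("no common NAS security algorithm")
    caps = tuple(received_caps)
    return SecurityModeCommand(selected, caps, _mac(key, selected, caps))


def ue_check_smc(smc, stored_caps, key):
    """UE side: verify integrity, then compare echoed and stored capabilities."""
    expected = _mac(key, smc.selected_alg, smc.echoed_caps)
    if not hmac.compare_digest(expected, smc.mac):
        return False, "integrity check failed"
    if tuple(smc.echoed_caps) != tuple(stored_caps):
        # The network acted on a capability list the UE never sent.
        return False, "capability mismatch: negotiation fails"
    if smc.selected_alg not in stored_caps:
        return False, "selected algorithm not supported"
    return True, "negotiation ok: " + smc.selected_alg


def negotiate(stored_caps, caps_seen_by_mme, key, rewrite_echo=None):
    """Run one exchange. caps_seen_by_mme models the unprotected initial
    request as it arrived at the MME; rewrite_echo models the SMC being
    altered on its way back to the UE."""
    smc = mme_build_smc(caps_seen_by_mme, key)
    if rewrite_echo is not None:
        smc = replace(smc, echoed_caps=tuple(rewrite_echo))
    return ue_check_smc(smc, stored_caps, key)


KEY = b"constructed-nas-integrity-key"          # constructed sample key
UE_CAPS = ("ALG-STRONG", "ALG-MEDIUM", "ALG-NULL")  # constructed sample caps

if __name__ == "__main__":
    # Capabilities arrive intact: the strongest common algorithm is accepted.
    print(negotiate(UE_CAPS, UE_CAPS, KEY))
    # Capabilities were reduced before reaching the MME: the echo differs.
    print(negotiate(UE_CAPS, ("ALG-NULL",), KEY))
    # The echo is rewritten to hide the reduction: the integrity tag fails.
    print(negotiate(UE_CAPS, ("ALG-NULL",), KEY, rewrite_echo=UE_CAPS))
```

The second case is the one the quoted TR 33.821 passage addresses: the integrity tag is valid, so only the comparison against the UE's stored capabilities reveals the downgrade.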

2. Secondary Considerations of Non-obviousness

Patent Owner argues that, notwithstanding Petitioner’s arguments and

evidence to the contrary, the challenged claims of the ’848 patent are

patentable due to secondary considerations of non-obviousness. PO Resp.

18–21. In particular, Patent Owner argues, “[w]hen the solution of the 848

Patent was presented to the Skilled Artisans at 3GPP, they did not respond

as if it was an obvious solution. Instead, they expressed considerable

skepticism.” Id. at 18.

Patent Owner argues that in October 2007, the inventor of the ’848

patent (Mr. He) presented two documents at a 3GPP working group

meeting—S3-070684 (Ex. 2006) and S3-070685 (Ex. 2007). Id. at 19.

Patent Owner characterizes these documents as presenting Mr. He’s “novel

solution for security negotiation between a UE and an MME when the UE is

in idle state and has moved from a non-LTE network to an LTE network.”

Id. Patent Owner argues the attendees of the working group meeting were

persons of ordinary skill in the art and “did not immediately see the benefits

of Mr. He’s proposals” because they “required Mr. He to submit ‘more

rationale on why this procedure is necessary.’” Id. at 19–20 (quoting Ex.

2008, 19).

Patent Owner argues Mr. He resubmitted his proposals7 at a 3GPP

working group meeting in December 2007, including S3a071040, which

Patent Owner characterizes as “an updated submission regarding security

negotiation between a UE and an MME when the UE is in idle state and has

7 Mr. He resubmitted S3-070684 (Ex. 2006) as S3a071039 (Ex. 2012). Compare Ex. 2006 with Ex. 2012. Mr. He resubmitted S3-070685 (Ex. 2007) as S3a071040 (Ex. 2013). Compare Ex. 2007 with Ex. 2013.

moved from a non-LTE network to an LTE network.” Id. at 20 (citing Ex.

2013, 2). Patent Owner argues the working group “questioned whether the

UE capabilities should be transmitted in step 1 (the TAU request [from the

UE]) when they could be sent in step 3 (the context response from the old

network element).” 8 Id. at 20 (citing Ex. 2009, 11).

Patent Owner argues Mr. He “then submitted discussion document

S3-080123 (Ex. 2004) for consideration” to 3GPP at a working group

meeting in February 2008. Id. Patent Owner argues Mr. He explained in

S3-080123 that “his solution of carrying the UE’s security capabilities in the

TAU request is more efficient than carrying this information in the context

response,” which would “[i]ntroduce unnecessary roundtrips between the

Rel-8 SGSN and the UE during idle mode mobility from Rel-8

UTRAN/GERAN [non-LTE] to EUTRAN [LTE].” Id. at 20 (quoting Ex.

2004, 1). Moreover, including the UE’s security capabilities in the context

response would require updating “the Pre-rel-8 SGSNs during idle mode

mobility from Rel-8 UTRAN/GERAN [non-LTE] to EUTRAN [LTE],

which seems infeasible from [an] operator’s point of view.” Id. at 21

(quoting Ex. 2004, 1). Patent Owner argues “[w]ith this further explanation

of the previously unknown and unexpected efficiency advantages of Mr.

8 We note the working group directed its comments to Sa071039 rather than to S3a071040 as Patent Owner contends. See Ex. 1009, 11. Sa071039 is the resubmission of S3-070684. Compare Ex. 1012 with Ex. 2006. Sa071039 proposes modifying an LTE to LTE idle mode procedure rather than a non-LTE to LTE idle mode procedure. See Ex. 2012, 2 (showing modification of an idle mode procedure between old and new MMEs, i.e., an LTE to LTE idle mode procedure).

He’s solution” the working group approved and adopted Mr. He’s proposals

into the TR 33.821 standard. Id. at 21 (citing Ex. 2010, 30).

Industry skepticism and unexpected results are objective indicia of

secondary considerations of non-obviousness. See In re Rouffet, 149 F.3d

1350, 1355 (Fed. Cir. 1998) (internal citations omitted). Such “objective

indicia of non-obviousness play an important role as a guard against the

statutorily proscribed hindsight reasoning in the obviousness analysis.”

WBIP, LLC v. Kohler Co., 829 F.3d 1317, 1328 (Fed. Cir. 2016). Patent

Owner bears the burden of producing evidence of secondary considerations

of non-obviousness. See Pfizer, Inc. v. Apotex, Inc., 480 F.3d 1348, 1360

(Fed. Cir. 2007); see also Winner Int’l Royalty Corp. v. Wang, 202 F.3d

1340, 1350 (Fed. Cir. 2000). Nonetheless, Petitioner retains the burden of

proving the unpatentability of the challenged claims. See 35 U.S.C.

§ 316(e).

As discussed above, Patent Owner characterizes Mr. He’s various

proposals to the 3GPP working group, and in particular his proposal in S3-

070684, as describing a “novel solution for security negotiation between a

UE and an MME when the UE is in idle state and has moved from a non-

LTE network to an LTE network.” PO Resp. 19. We disagree with this

characterization of Mr. He’s proposals, and find Patent Owner’s evidence of

secondary considerations to be weak evidence of non-obviousness.

Mr. He’s first proposal to 3GPP in S3-070685 was to “add a new

section” to TR 33.821 § 7.4.11 because “[i]n 3GPP TS 23.401 v1.1.1 section

5.3.3.2.1, [a] TAU procedure from UTRAN to E-UTRAN is introduced. But

there is no such . . . corresponding security part in TR 33.821.” Ex. 2007, 1.

The version of TS 23.401 cited by Mr. He (i.e., v1.1.1) is a later version of

TS 23.401 (Ex. 1004) that differs from TS 23.401 only by the addition of

editorial but not technical changes. See Ex. 1004, 1 (TS 23.401 v1.1.0); see

also Ex. 1022 § 4 (indicating the second digit of a 3GPP document’s version

number is “[i]ncremented every time a technical change is introduced into

the specification,” and the last digit is “[i]ncremented every time a purely

editorial change is introduced”) (emphases added); see also Ex. 1012 ¶ 28.

Section 5.3.3.2.1 of TS 23.401 describes a TAU Request procedure in which

a UE sends its UE Network Capability to an MME when the UE moves in

idle mode from a non-LTE network to the LTE network. See Ex. 1005, 30–

31. Thus, Mr. He’s proposal in S3-070685 was simply to add a new section

to TR 33.821 that described the non-LTE to LTE idle mode mobility

procedure already described in TS 23.401 v1.1.0. See Ex. 2007, 1. Mr. He

did not propose this non-LTE to LTE idle mode mobility procedure in S3-

070685, he simply proposed adding its description to TR 33.821, a

document that discusses 3GPP’s “design choices and rationale[s] for why

proposed security mechanisms are accepted or rejected to record the history

of the final security solution.” Ex. 1004, 6.

Mr. He’s second proposal to 3GPP similarly demonstrates that he did

not propose a non-LTE to LTE idle mode security procedure. Rather, in S3-

070684, Mr. He proposed updating the “TAU procedure in TR 33.821

section 7.4.11.3.” Ex. 2006, 1. The updated procedure is shown on page 2

of his proposal, and describes a UE sending its security capabilities to an

MME when the UE undergoes idle mode mobility from an old MME to a

new MME, i.e., when it undergoes LTE to LTE idle mode mobility. Id. at 2.

Mr. He suggests this change is needed for the LTE to LTE idle mode

mobility procedure described in TR 33.821 § 7.4.11.3 to “[k]eep the uniform

behaviour [sic] in both idle mobility scenarios: within E-UTRAN [LTE to

LTE] and from UTRAN/GERAN to E-UTRAN [non-LTE to LTE].” Id. at

1. That is, Mr. He proposes changing the LTE to LTE idle mode mobility

procedure described in TR 33.821 so that it would be consistent with the

non-LTE to LTE idle mode mobility procedure already described in TS

23.401 v1.1.1. See Ex. 2006, 1–2.

The 3GPP working group considered Mr. He’s S3-070684 and S3-

070685 proposals, and requested he revise them to provide “more rationale

on why [these] procedure[s] [are] necessary.” Ex. 2008, 19. To whatever

extent these requests from the working group can be considered skepticism

of Mr. He’s proposals, as Patent Owner contends, that skepticism is entitled

to little or no weight in our obviousness analysis because Mr. He’s proposals

have little to no nexus to the invention claimed in the ’848 patent. See

Wyers v. Master Lock Co., 616 F.3d 1231, 1246 (Fed. Cir. 2010) (“For

objective [evidence of secondary considerations] to be accorded substantial

weight, its proponent must establish a nexus between the evidence and the

merits of the claimed invention.”) (internal citation omitted).

As discussed above, Mr. He’s proposal in S3-070685 pertains to

modifying an LTE to LTE idle mode mobility procedure, rather than to a

non-LTE to LTE idle mode mobility procedure as claimed in the ’848 patent.

See Ex. 2006, 1–2 (showing the modified procedure is for mobility between

new and old MMEs, i.e., LTE to LTE mobility). It, therefore, lacks any

nexus to the invention claimed in the ’848 patent. Mr. He’s proposal in S3-

070685 pertains to adding a new section to TR 33.821 to document an

existing non-LTE to LTE idle mode mobility procedure described in

TS 23.401 v1.1.1. See Ex. 2007, 1. The record does not indicate that Mr. He

proposed the non-LTE to LTE idle mode mobility procedure described in

TS 23.401 v1.1.1. At best, it indicates he proposed adding its description to

TR 33.821, which again, documents the reasons 3GPP adopted various

security mode procedures. See Ex. 2007, 1; see also Ex. 1004, 6. Given this

uncertainty and lack of evidence, the nexus of Mr. He’s S3-070685 proposal

to the invention claimed in the ’848 patent is weak at best.9 Moreover, the

3GPP working group’s request to explain the need for a procedure change is

weak evidence of skepticism that the procedure change would not work.

After receiving the 3GPP meeting group’s recommendation, Mr. He

submitted revised proposals S3a071039 (Ex. 2012) and S3a071040 (Ex.

2013). S3a071039 is a revised version of S3-070684 (Ex. 2006), and again

proposes modifying TR 33.801 § 7.4.11.3 to indicate an MME receives a

UE’s security capabilities from the UE in LTE to LTE idle mode mobility.

See Ex. 2012, 1, 2 (showing modification of an idle mode mobility

procedure between new and old MMEs, i.e., LTE to LTE mobility); see also

n.7, supra. Thus, S3a071039 lacks nexus to the invention claimed in the

’848 patent, which pertains to a non-LTE to LTE idle mode mobility

procedure. S3a071040 is a revised version of S3-070685 (Ex. 2007), and

again proposes adding a new section to TR 33.801 to document the non-LTE

to LTE idle mode mobility procedure already described in TS 23.401 (albeit

in even newer version v1.4.1). See Ex. 2013, 1–2; see also n.7, supra.

9 The invention claimed in the ’848 patent is to a non-LTE to LTE idle mode mobility procedure. Mr. He’s S3-070685 proposal is not to add a new non-LTE to LTE idle mode mobility procedure, but to add the description of a procedure already described in TS 23.401 v1.1.1 to TR 33.821 to document the reasons for 3GPP’s security decisions. See Ex. 2007, 1; see also Ex. 1004, 6.

Thus, for the reasons discussed above with respect to S3-070685,

S3a071040 has weak nexus at best to the invention claimed in the ’848

patent.

The 3GPP working group considered Mr. He’s proposals in

S3a071039 and S3a071040, and commented only on the proposal in

S3a071039, which pertains to modifying an LTE to LTE idle mode mobility

procedure. See Ex. 2009, 11; see also Ex. 2012, 2 (showing the modified

procedure is for idle mode mobility between old and new MMEs, i.e., LTE

to LTE mobility). Specifically, the 3GPP working group suggested

modifying the Editor’s note in step 3 of the procedure described in

S3a071039 “to clarify that if the security capabilities are needed in step 3

then possibly they are not needed in step 1,” and to “extend the Editor’s note

to state that this procedure should be harmonised [sic] with the procedure in

S3a071040.” Ex. 2009, 11.

To whatever extent these suggestions show skepticism about Mr. He’s

proposals, they are weak evidence of skepticism. As noted above, the

suggestion to clarify editorial remarks in S3a071039 lacks any nexus to the

invention claimed in the ’848 patent because S3a071039 pertains to

modifying an LTE to LTE idle mode mobility procedure. See Ex. 2012, 1–2.

The suggestion to harmonize the editorial comments in S3a071039 and

S3a071040 is only weak evidence of skepticism for two reasons. First, it is

a suggestion to change an editor’s comment, not the proposed procedure.

Second, the editor’s comment does not question whether the non-LTE to

LTE idle mode mobility procedure described in TS 23.401 v.1.4.1 would

work. This can be seen from the description of step 3 of the TS 23.401

v1.4.1 non-LTE to LTE idle mode mobility procedure Mr. He proposes

adding to TR 33.801, and the editor’s comment regarding step 3, which is as

follows:

3. The old SGSN sends back a context response to the new MME including at least the IMSI, IK, CK to the new MME.

Editor’s Notes: It is FFS [for further study] whether the UE’s security capabilities should be carried in this step.

Ex. 2013, 2. Nothing in the editor’s comment indicates skepticism that

sending the UE’s security capabilities to the MME in step 1 would not work,

i.e., that it would fail to provide the MME with the UE security information

the MME needs to negotiate NAS security with the UE. Rather, the

skepticism is whether the SGSN should provide the UE’s security

capabilities to the MME in a context response message given that the MME

has already received the UE’s security information from the UE in step 1.

Id.

In response to the 3GPP working group’s suggestions, Mr. He

submitted new proposal S3-080123 to the working group at the February

2008 meeting. See Ex. 2004, 1. In S3-080123, Mr. He proposes modifying

TR 33.821 v0.6.0 by deleting the Editor’s note to steps 3 in TR 33.821

§§ 7.4.12.3 and 7.4.12.4. Id. The proposed modification to section 7.4.12.3

pertains to LTE to LTE idle mode mobility within EUTRAN, incorporates

Mr. He’s proposal S3a071039, and simply proposes deleting the Editor’s

notes for step 3. Id. at 2, n.1. The proposed modification to section 7.4.12.4

pertains to non-LTE to LTE idle mode mobility between UTRAN and E-

UTRAN, incorporates Mr. He’s proposal S3a071040, and simply proposes

deleting the Editor’s notes for step 3. Id. at 4, n.2.10 Upon deleting the

editor’s notes as requested, the 3GPP working group accepted Mr. He’s

proposal without comment. See Ex. 2010, 30.

As discussed above, much of Patent Owner’s secondary

considerations evidence either lacks nexus to the invention claimed in the

’848 patent (e.g., Exs. 2006, 2012) or has weak nexus at best to the claimed

invention (e.g., Exs. 2004, 2007, 2013). Moreover, to the extent such

evidence does have nexus to the claimed invention, it is weak evidence of

industry skepticism because the 3GPP working group’s comments were

simply requests for more information for why changes were needed, or to

delete comments made by an editor of the proposed changes. None of the

3GPP working group’s comments expressed skepticism that the proposed

changes would not work to provide the MME with the UE security

capability information the MME needs to negotiate NAS security.

Moreover, the record shows that most proposals did not receive

approval when first submitted at 3GPP meetings. Rather, the norm was for

the proposals to be discussed and tabled for further discussion at future

meetings as happened with Mr. He’s proposals. For example, the record

shows that 234 proposals were made at the October 2007 3GPP working

group meeting, including Mr. He’s S3-070684 and S3-070685 proposals.

See Ex. 2008, 36–57 (showing a submitted document range of S3-070673 to

S3-070906). Of these, 98 (40%) were discussed and noted at the meeting

(including Mr. He’s two proposals); 75 (31%) were approved; 45 (18%)

10 Footnote 2 indicates the section is from S31071040, which appears to be a typo. Compare Ex. 2013, 2 with Ex. 2004, 4.

were replaced with other proposals; 6 (3%) were withdrawn; 5 (2%) were

new versions of 3GPP standards documents; 2 (1%) were rejected, 1 was

postponed, 1 was taken offline, and 1 was not discussed. Id. Moreover, the

record shows that when proposals were approved, such as when Mr. He’s

S3-080123 proposal was approved, no information was provided to indicate

whether the approved proposals were new or re-submitted proposals. See

Ex. 2010, 30, 49 (showing approval of S3-080123 without comment on its

status as a re-submitted proposal). Thus, there is no evidence to indicate

what percentage of the 45 (18%) proposals approved at the October 2007

meeting, when Mr. He first submitted proposals S3-070684 and S3-070685,

were first proposals or re-submitted proposals that were approved after

receiving additional information requested by the 3GPP working group.

Accordingly, the evidence that Mr. He’s proposals were not approved

at the October 2007 3GPP meeting when they were first presented, but were

instead approved after Mr. He provided additional requested information, is

weak evidence that the 3GPP working group was skeptical of Mr. He’s

proposals. To the contrary, that appears to have been the normal way

submitted proposals were considered and treated by the 3GPP working

group.

In addition to arguing industry skepticism, Patent Owner argues that

Mr. He’s proposals produced the surprising result of “unknown and

unexpected efficienc[ies].” PO Resp. 21. This too is weak evidence of

secondary considerations of non-obviousness. Exhibit 2010 are the minutes

from the February 2008 working group meeting at which Mr. He’s S3-

080123 proposal was approved. See Ex. 2010, 30. As discussed above, the

working group provided no commentary regarding the merits of the proposal

or its ability to achieve “unknown or unexpected efficiency advantages.”

Id. The working group simply indicated, without comment, that the

proposal was “Approved.” Ex. 2010, 30, 49.

Exhibit 2003 is Dr. Mandayam’s declaration. See Ex. 2003, i. Dr.

Mandayam summarizes the contents of S3-080123 in paragraph 93 of his

declaration, including Mr. He’s reasons for deleting the editor’s notes for

step 3 in the non-LTE to LTE idle mode mobility procedure described in

TR 33.821 v0.6.0 § 7.4.12.4. Id. ¶ 93. Dr. Mandayam then states in

paragraph 94 of his declaration that the 3GPP working group accepted Mr.

He’s proposal. Id. ¶ 94. We see no evidence here of unexpected results.

Unexpected results “must be established by factual evidence. ‘Mere

argument or conclusory statements . . . does not suffice.’” In re Geisler, 116

F.3d 1465, 1470, 43 (Fed. Cir. 1997) (quoting In re De Blauwe, 736 F.2d

699, 705 (Fed. Cir. 1984)).

Finally, we note that in S3-080123, Mr. He indicates that section

7.4.12.4 had already been added to TR 33.821 v0.6.0 when he proposes

deleting the editor’s note to step 3. See Ex. 2004, 1 (“In TR 33.821 v060,

section 7.4.12.4 . . . there is an Editor’s notes in step 3 . . . .”). The record

does not show when section 7.4.12.4 was added to TR 33.821, which is the

proposal Mr. He made in S3-070685 and S3a071040. See Ex. 2007, 1;

Ex. 2013, 1. Moreover, as discussed above, the record does not show that

Mr. He proposed the non-LTE to LTE idle mode security procedure added to

TR 33.821 v0.6.0 §7.4.12.4. Rather, Mr. He proposed adding a description

of that procedure, which was already described in TS 23.401 v1.1.1 or in

TS 23.401 v1.4.1, to a new section of TR 33.821. Id. The record does not

indicate that the security solution described in TS 23.401 v1.1.1 (or v1.4.1)

produced unexpected results, or that adding its description to a new section

of TR 33.821 produced unexpected results.

For all of the reasons discussed above, we find Patent Owner’s

evidence of industry skepticism or unexpected results lacks nexus to the

invention claimed in the ’848 patent (Exs. 2006 and 2012) or has a weak

nexus that provides weak evidence of industry skepticism or unexpected

results, such as unexpected efficiencies (Exs. 3004, 2007, and 2013).

3. Conclusions Regarding Obviousness

We have reviewed the Petition, Patent Owner Response, Petitioner

Reply and Patent Owner Sur-Reply. We have considered all of the

arguments made by Petitioner and Patent Owner, as well as all of the

evidence for and against obviousness, including evidence of secondary

considerations of non-obviousness in the form of industry skepticism and

unexpected results. We have weighed and assessed the entirety of this

evidence as a whole.

For the reasons discussed in §§ II.G.1.a–f, supra, Petitioner has shown

by a preponderance of the evidence that the combination of TR 33.821 and

TS 23.401 teaches each of the limitations of claims 1, 3–5, 7–9, 11–13, 15

and 16. Further, Petitioner has persuasively explained why a person skilled

in the art would have modified the non-LTE to LTE security procedure

taught in TS 23.401 to send the UE security capabilities to an MME based

on the teachings of TR 33.821. See § II.G.1.a, supra. In particular, a person

of ordinary skill in the art would have found it obvious to modify the non-

LTE to LTE idle mode mobility procedure taught by TS 23.401 to include

the UE security capabilities taught by TR 33.821 because the UE needed to

authenticate itself to and establish security with the LTE network. See Pet.

59–60 (citing Ex. 1014 ¶¶ 136–137). In short, Petitioner has made a strong

showing that claims 1, 3–5, 7–9, 11–13, 15 and 16 of the ’848 patent would

have been obvious over the combination of TR 33.821 and TS 23.401.

The only contravening evidence that claims 1, 3–5, 7–9, 11–13, 15

and 16 of the ’848 patent would not have been obvious is the evidence of

industry skepticism and unexpected results introduced by Patent Owner. For

the reasons discussed in § II.G.3, supra, this evidence lacks or has only

weak nexus to the invention claimed in the ’848 patent, and does not

sufficiently demonstrate industry skepticism of or unexpected results arising

from the invention claimed in the ’848 patent. It is therefore insufficient to

overcome Petitioner’s “strong . . . case of obviousness.” Wyers, 616 F.3d at

1246.

Accordingly, for the reasons discussed in §§ II.G.1.a–f and II.G.2,

supra, Petitioner has demonstrated by a preponderance of the evidence that

claims 1, 3–5, 7–9, 11–13, 15 and 16 of the ’848 patent are unpatentable

over the combination of TR 33.821 and TS 23.401.

H. Obviousness of claims 1, 3–5, 7, and 8 over TR 33.821, TS 23.401, and Shaheen

Petitioner argues that to the extent the combination of TR 33.821 and

TS 23.401 does not disclose a UE comprising a transmitter, receiver, and

processor, “it would have been obvious to a person of ordinary skill in the

art to modify the UE to include these elements in light of Shaheen.” Pet.

63–64 (citing Ex. 1014 ¶¶ 142–146).

Petitioner argues Shaheen discloses a system and method for

implementing a Routing Area Update (RAU) procedure between a UE and

an LTE network in which the UE “includes a transceiver for sending and

receiving data to and from the LTE network, and a processor for

implementing the disclosed procedure.” Id. at 64 (citing Ex. 1006 ¶¶ 9, 23,

40–42; Ex. 1014 ¶¶ 93–94). Relying on the testimony of Dr. Williams,

Petitioner argues, “[a] person of ordinary skill in the art would have

understood that the transceiver includes both a transmitter for sending data

to the LTE network, and a receiver for receiving data from the network.” Id.

(citing Ex. 1014 ¶¶ 93–94).

For the purposes of the analysis that includes Shaheen, Petitioner

argues the combination of TR 33.821 and TS 23.401 teaches each of the

elements of claims 1, 3–5, 7, and 8, except the transmitter, receiver and

processor elements needed to carry out the functions recited in these claims.

Id. at 63 (citing Pet. 36–63). Petitioner further argues that LTE

specifications “like TR 33.821 and TS 23.401 establish that the UE must

have a means for transmitting data to the network, means for receiving data

from the network, and means for processing the data in order to implement

specific procedures.” Id. at 64–65 (citing Ex. 1014 ¶¶ 93–94). Petitioner

argues the “transmitter, receiver, and processor as disclosed in Shaheen

would have been the most logical and commonsense elements for

performing these functions.” Id. at 65. Therefore, Petitioner argues,

“[m]odifying the UE disclosed in TR 33.821 to include the transmitter,

receiver, and processor disclosed in Shaheen would have been a

straightforward combination of known prior art elements that would yield

predictable results,” and the combination of TR 33.821, TS 23.401, and

Shaheen “would include each element of claims 1, 3–5, 7, and 8.” Id. at 64–

65.

Patent Owner does not contest Petitioner’s rationale for modifying the

UE disclosed in TR 33.821 to include Shaheen’s transceiver and processor.

PO Resp. 37. Rather, Patent Owner argues that “[t]he combination set forth

by Petitioner in Ground 2 [obviousness over TR 33.821, TS 23.401, and

Shaheen] does not provide any further reasons to combine TR 33.821 and

TS 23.401, or any further reasons to modify them.” Id. Therefore, “all of

the deficiencies regarding Ground 1 [obviousness over TR 33.821 and TS

23.401] identified above apply equally to Ground 2.” Id.

As discussed in §§ II.G.1–3, supra, Petitioner has demonstrated how

the combination of TR 33.821 and TS 23.401 teaches all of the limitations of

claims 1, 3–5, 7, and 8, including the transmitter, receiver, and processor

limitations. Petitioner has further provided sufficient reason to combine the

teachings of TR 33.821 and TS 23.401. Here, Petitioner demonstrates that

Shaheen discloses a UE that includes a transmitter for sending information

to an LTE network, a receiver for receiving information from the LTE

network, and a processor for processing the received information to perform

an RAU procedure. See Ex. 1006, ¶¶ 9, 33, 40–42, Fig. 9. Petitioner further

demonstrates why a person ordinarily skilled in the art would have modified

the UE disclosed in the combination of TR 33.821 and TS 23.401 to include

Shaheen’s transmitter, receiver, and processor to execute LTE procedures,

such as the non-LTE to LTE idle mode mobility procedure taught by the

combination of TR 33.821 and TS 23.401, in the event TR 33.821 and TS

23.401 lack these elements.

Accordingly, for the reasons discussed herein and in § II.G.1–3, supra, Petitioner has demonstrated by a preponderance of the evidence that claims 1, 3–5, 7, and 8 are unpatentable as obvious over the combination of TR 33.821, TS 23.401, and Shaheen.

III. CONCLUSION

We have reviewed the Petition, Patent Owner’s Response, Petitioner’s Reply, and Patent Owner’s Sur-Reply. We have considered all of the evidence and arguments presented by Petitioner and Patent Owner, including Patent Owner’s evidence of secondary considerations of non-obviousness, and have weighed and assessed the entirety of this evidence as a whole. We find, on this record, Petitioner has demonstrated by a preponderance of the evidence that claims 1, 3–5, 7–9, 11–13, 15, and 16 are unpatentable over TR 33.821 and TS 23.401, and that claims 1, 3–5, 7, and 8 are unpatentable over TR 33.821, TS 23.401, and Shaheen.

IV. ORDER

It is hereby:

ORDERED that claims 1, 3–5, 7–9, 11–13, 15, and 16 of the ’848 patent are unpatentable under 35 U.S.C. § 103(a) as obvious over TR 33.821 and TS 23.401;

FURTHER ORDERED that claims 1, 3–5, 7, and 8 of the ’848 patent are unpatentable under 35 U.S.C. § 103(a) as obvious over TR 33.821, TS 23.401, and Shaheen;

FURTHER ORDERED that Patent Owner’s Motion to Exclude is granted with respect to Exhibit 1011, denied with respect to Exhibits 1004, 1005, 1012, and 1030, and dismissed as moot with respect to Exhibit 1028; and

FURTHER ORDERED that this Decision is final, and a party to this proceeding seeking judicial review of the Decision must comply with the notice and service requirements of 37 C.F.R. § 90.2.


For PETITIONER:

Kevin P.B. Johnson, Marissa Ducca, Deepa Acharya, Jared Newton, Brian Mack

For PATENT OWNER:

Jeffrey P. Kushan, Joseph A. Micallef

