Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments / Arguments
Regarding the rejection(s) of claims under 35 USC 103:
Applicant’s arguments, filed 07/31/2025, in view of the amended claims, have been fully considered and are not persuasive. Applicant argues that Pornin's K is not used "as a random number k" and therefore does not teach "using the hash value of the stitched information as a random number." This argument is not persuasive.
Applicant argues that Pornin does not teach the amended limitations requiring “calculating a hash value of the stitched information,” where the stitched information includes only target information derived from the private key and the message hash value, and using that hash value “as a random number” when calculating the first and second parts of the digital signature. Applicant asserts that Pornin’s stitched information includes “bits in addition” to the private key and message hash, such as V and control bytes, and therefore fails to disclose the claimed stitched information or the claimed random number k. Applicant further argues that Pornin’s iterative HMAC_DRBG process materially differs from the claimed method, asserting that the claimed approach provides a “simpler calculation process.”
In response, it is noted that Pornin expressly discloses concatenating the private key (int2octets(x)) and the message hash (bits2octets(H(m))) to form the core seed material for generating the deterministic random value k (see, e.g., Sections 3.2(d)–(g) of Pornin). The use of V and constant bytes (0x00, 0x01) is merely an implementation detail of the deterministic random bit generator and does not change the fact that Pornin teaches combining the same two pieces of information, the private key and the message hash, to derive a deterministic k. The claim language does not exclude the presence of additional fixed or overhead bytes, nor does it require that no other values be included in the stitched material. Accordingly, Pornin is reasonably interpreted as teaching or suggesting the claimed “stitched information,” because the art uses the same operative inputs in a predictable manner to derive the random number.
Further, Applicant’s argument regarding Pornin’s iterative process is unpersuasive. The deterministic k generated in Pornin remains a direct function of the hashed concatenation of the private key and message hash; the fact that Pornin uses HMAC_DRBG to ensure compliance with DSA/ECDSA requirements (e.g., ensuring k is within [1, q−1]) does not constitute a substantive distinction.
Applicant further contends that Pornin does not disclose the claimed random number k, because Pornin’s k emerges after DRBG iteration rather than directly from a single hash. This argument is also unpersuasive. In Pornin, k is generated deterministically and entirely from the combined private key and message hash, matching the functional purpose recited in the claim. Whether k is taken from the first hashed value or from a subsequent DRBG iteration is an implementation detail that does not impart patentable weight.
Accordingly, the identified claim limitations are considered to be taught by Pornin, and the rejection is maintained. Further, as Applicant has not presented separate arguments pertaining to the dependent claims, their rejections are likewise maintained.
DETAILED ACTION
This is a reply to the arguments filed on 07/31/2025, in which, claims 1-20 are pending. Claims 1, 8, and 15 are independent. Claims 2, 4, 9, 11, 16 and 18 have been canceled.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.
Specification
The amendment filed 7/31/25 is objected to under 35 U.S.C. 132(a) because it introduces new matter into the disclosure. 35 U.S.C. 132(a) states that no amendment shall introduce new matter into the disclosure of the invention. The added material which is not supported by the original disclosure is as follows: The amended claim 1, limitation recites "stitching only the target information and the hash value to obtain stitch information". However, the specification as originally filed provides no written description support for the "only" limitation. The specification consistently describes stitching operations without any exclusionary language limiting the stitching to exactly two components. The "only" limitation appears to be new matter added during prosecution that finds no support in the specification as originally filed.
Applicant is required to cancel the new matter in the reply to this Office Action.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1, 3, 5-8, 10, 12-15, 17 and 19-20 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.
The amended claim 1, limitation recites "stitching only the target information and the hash value to obtain stitch information". However, the specification as originally filed provides no written description support for the "only" limitation. The specification consistently describes stitching operations without any exclusionary language limiting the stitching to exactly two components. The "only" limitation appears to be new matter added during prosecution that finds no support in the specification as originally filed. Applicant has not identified any portion of the specification that provides written description support for this limitation.
The dependent claims are rejected under similar rationale.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 5-8, 12-15, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (“Overview on public key cryptographic algorithm sm2 based on elliptic curves”, referred to as Wang), in view of Pornin (“Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA)”, referred to as Pornin).
In reference to claim 1, a method for generating a digital signature for a message performed by a computer device, the method comprising: obtaining a message to be signed, Wang discloses (Section 6.1 "Let M be the message to be signed") which teaches obtaining a message to be signed, Wang also discloses (Section 4 "M: message to be signed").
Calculating a message hash value of the message, Wang discloses (Section 6.1 "compute e = Hv (M) where M = Za||M") which teaches calculating a hash value e of the message M concatenated (aka stitching) with user identifier Za.
Obtaining a signature private key, Wang discloses (Section 5.3 "the key pair of the user A includes the private key dA") which teaches obtaining the private key dA of the signer.
Generating a digital signature of the message by using a random number, the message hash value, and the signature private key, Wang discloses (Section 6.1 gives the algorithm for generating the signature (r, s) using signature of private key dA, a random number k, and the message hash value.) Which teaches generating the digital signature by using the message hash value, random number, and the signature of the private key..
Calculating a first part digital signature by using the random number and the message hash value, Wang discloses (Section 6.1 calculating a first part digital signature "r" uses the message hash value "e" then using the random number to check if (r+k=n)) which teaches calculating the first part r of the signature using the hash value e and random number k.
Calculating a second part digital signature by using the first part digital signature, the random number, and the signature private key, Wang discloses (Section 6.1 calculating a second part digital signature "s" using the first part digital signature "r", a random number "k" and the signature private key "dA") which teaches calculating the second part s of the signature using the first part r, random number k, and private key dA.
Generating the digital signature of the message by using the first part digital signature and the second part digital signature, Wang discloses (Section 6.1 step A7: "convert the type of data r, s to be bit strings according to the details in Clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s)") which teaches generating the final signature (r, s) from the first part r and second part s.
However, Wang does not explicitly disclose stitching the signature private key and the message hash value to obtain stitched information, calculating a hash value of the stitched information, or using the hash value of the stitched information as the random number for calculating the first and second parts of the signature.
In an analogous art, Pornin teaches, converting the signature private key into target information according to a preset conversion rule, Pornin discloses (Section 2.3.3 "We call this transform int2octets. Since rlen is a multiple of 8 (the smallest multiple of 8 that is not smaller than qlen), then the resulting sequence of bits is also a sequence of octets, hence the name.") The private key x is converted to "int2octets(x)" according to the conversion rule defined in Section 2.3.3 for converting an integer to an octet string. Pornin also discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") This converted "int2octets(x)" representation is then stitched/concatenated with the message hash "bits2octets(h1)". Which teaches stitching the converted target representation of the private key "int2octets(x)" with the converted message hash "bits2octets(h1)" to obtain the stitched information as input to HMAC.
Stitching the signature private key and the message hash value to obtain stitched information, Pornin discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") This shows stitching/concatenating the private key x and the hashed message h1 as part of the HMAC input.
Obtaining a preset mapping relationship Obtaining a preset mapping relation that associates a plurality of signature private keys with corresponding conversion information in advance; Obtaining conversion information of the signature private key according to the preset mapping relationship; Pornin discloses (Section 2.3.3 "An integer value x less than q (and, in particular, a value that has been taken modulo q) can be converted into a sequence of rlen bits, where rlen = 8*ceil(qlen/8)”). RFC 6979 describes converting the private key integer x into a bit string representation according to defined conversion rules. This is the same as converting the private key to "target information" using a "preset conversion rule".
Using the conversion information as the target information, Pornin discloses (Section 3.2 "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") the octet string conversion of the private key, int2octets(x), is used in place of the original integer private key when concatenating with the message hash.
Calculating a hash value of the stitched information, Pornin discloses (Section 3.2 step d calculates: "K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))" ) where HMAC_K(...) calculates a hash value over the stitched information. Which teaches calculating a hash value K by applying HMAC to the stitched information of private key x and hashed message h1.
Where in the random number is the hash value of the stitched information, Pornin discloses (Section 3.2: describes generating the random value k using a hash output T that incorporates the previous HMAC output from step d which hashed the stitched private key x and hashed message h1), therefore Pornin explains how the hash of the stitched information from step d is incorporated into the random value k.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Wang, which include generating a digital signature using a random number, message hash value, and private key, with the teaching of Pornin, which include generating a random value by iteratively hashing a concatenation of the private key and message hash. One of ordinary skill in the art would recognize the ability to modify Wang’s random number generation with Pornin’s technique of deriving the random value from a hash of the stitched private key and message hash. One of ordinary skill in the art would be motivated to make this modification in order to enable devices with limited computing capabilities, such as smart cards or other systems lacking random number generators, to securely generate the necessary random values for use in elliptic curve cryptography operations.
In reference to claim 5, The method according to claim 1, wherein the generating a digital signature of the message by using the hash value of the stitched information, the message hash value, and the signature private key comprises: obtaining an elliptic curve base point, Wang discloses (Section 4 shows that the symbol ‘G’ represents a base point on the elliptic curve E, with prime order) which teaches obtaining an elliptic curve base point G.
Performing calculation by using a random number and the elliptic curve base point to obtain elliptic curve point coordinates, Wang discloses (Section 6.1 step A4 obtains elliptic curve point coordinates by using the base point ‘G’ and the random number ‘k’) which teaches calculating elliptic curve point coordinates (x1, y1) using the base point G and random number k.
Determining corresponding order information according to the elliptic curve base point, and performing calculation by using the message hash value, the elliptic curve point coordinates, and the order information to obtain the first part digital signature, Wang discloses (Section 6.1 step A5 obtaining a first part digital signature ‘r’ that consists of using the elliptic curve point coordinates and the message hash value ‘e’) which teaches calculating the first part signature r using the message hash e, the elliptic curve point coordinates x1, and the order n.
Performing calculation by using the first part digital signature, the hash value of the stitched information, the signature private key, and the order information to obtain the second part digital signature when the first part digital signature meets a preset first condition, Wang discloses (Section 6.1 step A6 obtaining the second part digital signature ‘s’ by using the first part digital signature ‘r’, the signature private key and the order information calculation) which teaches calculating the second part signature s using the first part signature r, the private key dA, and the order n. This is when r meets the preset condition of not being 0.
Determining the digital signature of the message according to the first part digital signature and the second part digital signature when the second part digital signature meets a preset second condition, Wang discloses (Section 6.2 Figure 1: Digital signature generation algorithm discloses a preset second condition that the second part digital signature ‘s’ has to go through which is "s=0?" then it will determine the digital signature using the first part and the second part "the signature is (r,s)")
However, Wang does not explicitly disclose wherein the random number comprises hash value of the stitched information.
In an analogous art, Pornin teaches, wherein the random number comprises hash value of the stitched information, Pornin discloses (Section 3.2: Describes generating k from "T = T || V" where previous HMAC outputs like step d are incorporated into V) generating the random k value from an expanding hash output T, where T incorporates all the previous HMAC outputs including the one from step d with the stitched x and h1.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Wang, which include generating the digital signature using a base point, random number, message hash, private key, elliptic curve point coordinates, and order information, with the teaching of Pornin, which include deriving the random value from a hash of the stitched private key and message hash. One of ordinary skill in the art would recognize the ability to modify Wang’s random number k with Pornin’s technique of deriving k from the hash of the stitched private key and message hash. One of ordinary skill in the art would be motivated to make this modification in order to complete a deterministic approach to elliptic curve cryptography.
In reference to claim 6, the method according to claim 1, further comprising: obtaining a digital signature to be verified, and calculating a hash value of the digital signature when the digital signature conforms to a preset signature rule, Wang discloses (Section 7.1 "compute e=Hv(m) and convert the type of data e to be integer specific") It computes the hash value of the digital signature and converts the type of data to be integer specific, which matches the integer conversion rule described in the applicant’s specification.
Obtaining a verification public key of the digital signature, and calculating a target first part digital signature based on the digital signature, the verification public key, and the hash value, Wang discloses (Section 7.1 "B6: calculate the point (x1’, y1’)=[s’]G + [t]PA") It obtains the public key PA, and calculates a target value R (first part signature) using the signature ‘s’, public key PA, and hash ‘e’.
Obtaining a digital signature verification success result when the target first part digital signature is consistent with a first part digital signature in the digital signature, Wang discloses (Section 7.1 "B7: calculate R=(e’+x1’) modn,verify whether R=r’ holds") it compares the calculated value R with the received signature part r’, and if they match, the verification passes. This is equivalent to comparing the target first part signature with the received first part signature.
In reference to claim 7, the method according to claim 6, wherein the obtaining a verification public key of the digital signature, and calculating a target first part digital signature based on the digital signature, the verification public key, and the hash value comprises: obtaining an elliptic curve base point, Wang discloses (Section 5.2 "the base point G=(xG, yG) (G not equals O), where xG and yG are ellements in Fq") which teaches obtaining an elliptic curve base point G with coordinates xG and yG.
Determining corresponding order information based on the elliptic curve base point, Wang discloses (Section 5.2 the order n of G and other optional parameters) which teaches determining the order n of the base point G.
Calculating a target value by using the digital signature and the order information of the elliptic curve base point, Wang discloses (Section 7.1 "B5: calculate t = (r’ + s’) modn, If t=0, then the verifier output reject”) "It calculates a value t using the signature parts r’, s’ and the order n. Which is directly the same as the "target value".
Calculating a to-be-verified elliptic curve point by using a second part digital signature in the digital signature, the elliptic curve base point, the target value, and the verification public key when the target value meets a preset target condition, Wang discloses (Section 7.1 "B6: calculate the point (x1’, y1’)=[s’]G + [t]PA") it calculates a point (x1’, y1’) using the second part signature s’, base point G, the value t (target value), and the public key PA.
Calculating the target first part digital signature according to the to-be-verified elliptic curve point, the hash value, and the order information of the elliptic curve base point, Wang discloses (Section 7.1 "B7: compute R=(e’+x1’) modn, and verify whether R=r’ holds") it calculates a value R (target first part signature) using the point (x1’, y1’), the hash e’, and the order n.
In reference to claim 8, A computer device, comprising a memory and a processor, the memory storing computer-readable instructions, the computer-readable instructions, when executed by the processor, causing the computer device to perform a method for generating a digital signature for a message including: obtaining a message to be signed, Wang discloses (Section 6.1 "Let M be the message to be signed") which teaches obtaining a message to be signed, Wang also discloses (Section 4 "M: message to be signed").
Calculating a message hash value of the message, Wang discloses (Section 6.1 "compute e = Hv (M) where M = Za||M") which teaches calculating a hash value e of the message M concatenated (aka stitching) with user identifier Za.
Obtaining a signature private key, Wang discloses (Section 5.3 "the key pair of the user A includes the private key dA") which teaches obtaining the private key dA of the signer.
Generating a digital signature of the message by using a random number, the message hash value, and the signature private key, Wang discloses (Section 6.1 gives the algorithm for generating the signature (r, s) using signature of private key dA, a random number k, and the message hash value.) Which teaches generating the digital signature by using the message hash value, random number, and the signature of the private key..
Calculating a first part digital signature by using the random number and the message hash value, Wang discloses (Section 6.1 calculating a first part digital signature "r" uses the message hash value "e" then using the random number to check if (r+k=n)) which teaches calculating the first part r of the signature using the hash value e and random number k.
Calculating a second part digital signature by using the first part digital signature, the random number, and the signature private key, Wang discloses (Section 6.1 calculating a second part digital signature "s" using the first part digital signature "r", a random number "k" and the signature private key "dA") which teaches calculating the second part s of the signature using the first part r, random number k, and private key dA.
Generating the digital signature of the message by using the first part digital signature and the second part digital signature, Wang discloses (Section 6.1 step A7: "convert the type of data r, s to be bit strings according to the details in Clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s)") which teaches generating the final signature (r, s) from the first part r and second part s.
However, Wang does not explicitly disclose stitching the signature private key and the message hash value to obtain stitched information, calculating a hash value of the stitched information, or using the hash value of the stitched information as the random number for calculating the first and second parts of the signature.
In an analogous art, Pornin teaches, converting the signature private key into target information according to a preset conversion rule, Pornin discloses (Section 2.3.3 "We call this transform int2octets. Since rlen is a multiple of 8 (the smallest multiple of 8 that is not smaller than qlen), then the resulting sequence of bits is also a sequence of octets, hence the name.") The private key x is converted to "int2octets(x)" according to the conversion rule defined in Section 2.3.3 for converting an integer to an octet string. Pornin also discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") This converted "int2octets(x)" representation is then stitched/concatenated with the message hash "bits2octets(h1)". Which teaches stitching the converted target representation of the private key "int2octets(x)" with the converted message hash "bits2octets(h1)" to obtain the stitched information as input to HMAC.
Stitching the signature private key and the message hash value to obtain stitched information, Pornin discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") This shows stitching/concatenating the private key x and the hashed message h1 as part of the HMAC input.
Obtaining a preset mapping relationship Obtaining a preset mapping relation that associates a plurality of signature private keys with corresponding conversion information in advance; Obtaining conversion information of the signature private key according to the preset mapping relationship; Pornin discloses (Section 2.3.3 "An integer value x less than q (and, in particular, a value that has been taken modulo q) can be converted into a sequence of rlen bits, where rlen = 8*ceil(qlen/8)”). RFC 6979 describes converting the private key integer x into a bit string representation according to defined conversion rules. This is the same as converting the private key to "target information" using a "preset conversion rule".
Using the conversion information as the target information, Pornin discloses (Section 3.2 "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") the octet string conversion of the private key, int2octets(x), is used in place of the original integer private key when concatenating with the message hash.
Calculating a hash value of the stitched information, Pornin discloses (Section 3.2 step d calculates: "K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))" ) where HMAC_K(...) calculates a hash value over the stitched information. Which teaches calculating a hash value K by applying HMAC to the stitched information of private key x and hashed message h1.
Where in the random number is the hash value of the stitched information, Pornin discloses (Section 3.2: describes generating the random value k using a hash output T that incorporates the previous HMAC output from step d which hashed the stitched private key x and hashed message h1), therefore Pornin explains how the hash of the stitched information from step d is incorporated into the random value k.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Wang, which include generating a digital signature using a random number, message hash value, and private key, with the teaching of Pornin, which include generating a random value by iteratively hashing a concatenation of the private key and message hash. One of ordinary skill in the art would recognize the ability to modify Wang’s random number generation with Pornin’s technique of deriving the random value from a hash of the stitched private key and message hash. One of ordinary skill in the art would be motivated to make this modification in order to enable devices with limited computing capabilities, such as smart cards or other systems lacking random number generators, to securely generate the necessary random values for use in elliptic curve cryptography operations.
In reference to claim 12, The computer device according to claim 8, wherein the generating a digital signature of the message by using the hash value of the stitched information, the message hash value, and the signature private key comprises: obtaining an elliptic curve base point, Wang discloses (Section 4 shows that the symbol ‘G’ represents a base point on the elliptic curve E, with prime order) which teaches obtaining an elliptic curve base point G.
Performing calculation by using a random number and the elliptic curve base point to obtain elliptic curve point coordinates, Wang discloses (Section 6.1 step A4 obtains elliptic curve point coordinates by using the base point ‘G’ and the random number ‘k’) which teaches calculating elliptic curve point coordinates (x1, y1) using the base point G and random number k.
Determining corresponding order information according to the elliptic curve base point, and performing calculation by using the message hash value, the elliptic curve point coordinates, and the order information to obtain the first part digital signature, Wang discloses (Section 6.1 step A5 obtaining a first part digital signature ‘r’ that consists of using the elliptic curve point coordinates and the message hash value ‘e’) which teaches calculating the first part signature r using the message hash e, the elliptic curve point coordinates x1, and the order n.
Performing calculation by using the first part digital signature, the hash value of the stitched information, the signature private key, and the order information calculation to obtain the second part digital signature when the first part digital signature meets a preset first condition, Wang discloses (Section 6.1 step A6 obtaining the second part digital signature ‘s’ by using the first part digital signature ‘r’, the signature private key and the order information calculation) which teaches calculating the second part signature s using the first part signature r, the private key dA, and the order n. This is when r meets the preset condition of not being 0.
Determining the digital signature of the message according to the first part digital signature and the second part digital signature when the second part digital signature meets a preset second condition, Wang discloses (Section 6.2 Figure 1: Digital signature generation algorithm discloses a preset second condition that the second part digital signature ‘s’ has to go through which is "s=0?" then it will determine the digital signature using the first part and the second part "the signature is (r,s)")
However, Wang does not explicitly disclose wherein the random number comprises hash value of the stitched information.
In an analogous art, Pornin teaches, wherein the random number comprises hash value of the stitched information, Pornin discloses (Section 3.2: Describes generating k from "T = T || V" where previous HMAC outputs like step d are incorporated into V) generating the random k value from an expanding hash output T, where T incorporates all the previous HMAC outputs including the one from step d with the stitched x and h1.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Wang, which include generating the digital signature using a base point, random number, message hash, private key, elliptic curve point coordinates, and order information, with the teaching of Pornin, which include deriving the random value from a hash of the stitched private key and message hash. One of ordinary skill in the art would recognize the ability to modify Wang’s random number k with Pornin’s technique of deriving k from the hash of the stitched private key and message hash. One of ordinary skill in the art would be motivated to make this modification in order to complete a deterministic approach to elliptic curve cryptography.
In reference to claim 13, The computer device according to claim 8, further comprising: obtaining a digital signature to be verified, and calculating a hash value of the digital signature when the digital signature conforms to a preset signature rule, Wang discloses (Section 7.1 "compute e=Hv(m) and convert the type of data e to be integer specific") It computes the hash value of the digital signature and converts the type of data to be integer specific, which matches the integer conversion rule described in the applicant’s specification.
Obtaining a verification public key of the digital signature, and calculating a target first part digital signature based on the digital signature, the verification public key, and the hash value, Wang discloses (Section 7.1 "B6: calculate the point (x1’, y1’)=[s’]G + [t]PA") It obtains the public key PA, and calculates a target value R (first part signature) using the signature ‘s’, public key PA, and hash ‘e’.
Obtaining a digital signature verification success result when the target first part digital signature is consistent with a first part digital signature in the digital signature, Wang discloses (Section 7.1 "B7: calculate R=(e’+x1’) modn,verify whether R=r’ holds") it compares the calculated value R with the received signature part r’, and if they match, the verification passes. This is equivalent to comparing the target first part signature with the received first part signature.
In reference to claim 14, The computer device according to claim 13, wherein the obtaining a verification public key of the digital signature, and calculating a target first part digital signature based on the digital signature, the verification public key, and the hash value comprises: obtaining an elliptic curve base point, Wang discloses (Section 5.2 "the base point G=(xG, yG) (G not equals O), where xG and yG are ellements in Fq") which teaches obtaining an elliptic curve base point G with coordinates xG and yG.
Determining corresponding order information based on the elliptic curve base point, Wang discloses (Section 5.2 the order n of G and other optional parameters) which teaches determining the order n of the base point G.
Calculating a target value by using the digital signature and the order information of the elliptic curve base point, Wang discloses (Section 7.1 "B5: calculate t = (r’ + s’) modn, If t=0, then the verifier output reject”) "It calculates a value t using the signature parts r’, s’ and the order n. Which is directly the same as the "target value".
Calculating a to-be-verified elliptic curve point by using a second part digital signature in the digital signature, the elliptic curve base point, the target value, and the verification public key when the target value meets a preset target condition, Wang discloses (Section 7.1 "B6: calculate the point (x1’, y1’)=[s’]G + [t]PA") it calculates a point (x1’, y1’) using the second part signature s’, base point G, the value t (target value), and the public key PA.
Calculating the target first part digital signature according to the to-be-verified elliptic curve point, the hash value, and the order information of the elliptic curve base point, Wang discloses (Section 7.1 "B7: compute R=(e’+x1’) modn, and verify whether R=r’ holds") it calculates a value R (target first part signature) using the point (x1’, y1’), the hash e’, and the order n.
In reference to claim 15, One or more non-transitory storage mediums storing computer-readable instructions, the computer-readable instructions, when executed by one or more processors of a computer device, causing the computer device to perform a method for generating a digital signature for a message including: obtaining a message to be signed, Wang discloses (Section 6.1 "Let M be the message to be signed") which teaches obtaining a message to be signed, Wang also discloses (Section 4 "M: message to be signed").
Calculating a message hash value of the message, Wang discloses (Section 6.1 "compute e = Hv (M) where M = Za||M") which teaches calculating a hash value e of the message M concatenated (aka stitching) with user identifier Za.
Obtaining a signature private key, Wang discloses (Section 5.3 "the key pair of the user A includes the private key dA") which teaches obtaining the private key dA of the signer.
Generating a digital signature of the message by using a random number, the message hash value, and the signature private key, Wang discloses (Section 6.1 gives the algorithm for generating the signature (r, s) using signature of private key dA, a random number k, and the message hash value.) Which teaches generating the digital signature by using the message hash value, random number, and the signature of the private key..
Calculating a first part digital signature by using the random number and the message hash value, Wang discloses (Section 6.1 calculating a first part digital signature "r" uses the message hash value "e" then using the random number to check if (r+k=n)) which teaches calculating the first part r of the signature using the hash value e and random number k.
Calculating a second part digital signature by using the first part digital signature, the random number, and the signature private key, Wang discloses (Section 6.1 calculating a second part digital signature "s" using the first part digital signature "r", a random number "k" and the signature private key "dA") which teaches calculating the second part s of the signature using the first part r, random number k, and private key dA.
Generating the digital signature of the message by using the first part digital signature and the second part digital signature, Wang discloses (Section 6.1 step A7: "convert the type of data r, s to be bit strings according to the details in Clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s)") which teaches generating the final signature (r, s) from the first part r and second part s.
However, Wang does not explicitly disclose stitching the signature private key and the message hash value to obtain stitched information, calculating a hash value of the stitched information, or using the hash value of the stitched information as the random number for calculating the first and second parts of the signature.
In an analogous art, Pornin teaches, converting the signature private key into target information according to a preset conversion rule, Pornin discloses (Section 2.3.3 "We call this transform int2octets. Since rlen is a multiple of 8 (the smallest multiple of 8 that is not smaller than qlen), then the resulting sequence of bits is also a sequence of octets, hence the name.") The private key x is converted to "int2octets(x)" according to the conversion rule defined in Section 2.3.3 for converting an integer to an octet string. Pornin also discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") This converted "int2octets(x)" representation is then stitched/concatenated with the message hash "bits2octets(h1)". Which teaches stitching the converted target representation of the private key "int2octets(x)" with the converted message hash "bits2octets(h1)" to obtain the stitched information as input to HMAC.
Stitching the signature private key and the message hash value to obtain stitched information, Pornin discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") This shows stitching/concatenating the private key x and the hashed message h1 as part of the HMAC input.
Obtaining a preset mapping relationship Obtaining a preset mapping relation that associates a plurality of signature private keys with corresponding conversion information in advance; Obtaining conversion information of the signature private key according to the preset mapping relationship; Pornin discloses (Section 2.3.3 "An integer value x less than q (and, in particular, a value that has been taken modulo q) can be converted into a sequence of rlen bits, where rlen = 8*ceil(qlen/8)”). RFC 6979 describes converting the private key integer x into a bit string representation according to defined conversion rules. This is the same as converting the private key to "target information" using a "preset conversion rule".
Using the conversion information as the target information, Pornin discloses (Section 3.2 "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))") the octet string conversion of the private key, int2octets(x), is used in place of the original integer private key when concatenating with the message hash.
Calculating a hash value of the stitched information, Pornin discloses (Section 3.2 step d calculates: "K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))" ) where HMAC_K(...) calculates a hash value over the stitched information. Which teaches calculating a hash value K by applying HMAC to the stitched information of private key x and hashed message h1.
Where in the random number is the hash value of the stitched information, Pornin discloses (Section 3.2: describes generating the random value k using a hash output T that incorporates the previous HMAC output from step d which hashed the stitched private key x and hashed message h1), therefore Pornin explains how the hash of the stitched information from step d is incorporated into the random value k.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Wang, which include generating a digital signature using a random number, message hash value, and private key, with the teaching of Pornin, which include generating a random value by iteratively hashing a concatenation of the private key and message hash. One of ordinary skill in the art would recognize the ability to modify Wang’s random number generation with Pornin’s technique of deriving the random value from a hash of the stitched private key and message hash. One of ordinary skill in the art would be motivated to make this modification in order to enable devices with limited computing capabilities, such as smart cards or other systems lacking random number generators, to securely generate the necessary random values for use in elliptic curve cryptography operations.
In reference to claim 19, the non-transitory storage mediums according to claim 15, wherein the generating a digital signature of the message by using the hash value of the stitched information, the message hash value, and the signature private key comprises: obtaining an elliptic curve base point, Wang discloses (Section 4 shows that the symbol ‘G’ represents a base point on the elliptic curve E, with prime order) which teaches obtaining an elliptic curve base point G.
Performing calculation by using a random number and the elliptic curve base point to obtain elliptic curve point coordinates, Wang discloses (Section 6.1 step A4 obtains elliptic curve point coordinates by using the base point ‘G’ and the random number ‘k’) which teaches calculating elliptic curve point coordinates (x1, y1) using the base point G and random number k.
Determining corresponding order information according to the elliptic curve base point, and performing calculation by using the message hash value, the elliptic curve point coordinates, and the order information to obtain the first part digital signature, Wang discloses (Section 6.1 step A5 obtaining a first part digital signature ‘r’ that consists of using the elliptic curve point coordinates and the message hash value ‘e’) which teaches calculating the first part signature r using the message hash e, the elliptic curve point coordinates x1, and the order n.
Performing calculation by using the first part digital signature, the hash value of the stitched information, the signature private key, and the order information calculation to obtain the second part digital signature when the first part digital signature meets a preset first condition, Wang discloses (Section 6.1 step A6 obtaining the second part digital signature ‘s’ by using the first part digital signature ‘r’, the signature private key and the order information calculation) which teaches calculating the second part signature s using the first part signature r, the private key dA, and the order n. This is when r meets the preset condition of not being 0.
Determining the digital signature of the message according to the first part digital signature and the second part digital signature when the second part digital signature meets a preset second condition, Wang discloses (Section 6.2 Figure 1: Digital signature generation algorithm discloses a preset second condition that the second part digital signature ‘s’ has to go through which is "s=0?" then it will determine the digital signature using the first part and the second part "the signature is (r,s)")
However, Wang does not explicitly disclose wherein the random number comprises hash value of the stitched information.
In an analogous art, Pornin teaches, wherein the random number comprises hash value of the stitched information, Pornin discloses (Section 3.2: Describes generating k from "T = T || V" where previous HMAC outputs like step d are incorporated into V) generating the random k value from an expanding hash output T, where T incorporates all the previous HMAC outputs including the one from step d with the stitched x and h1.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Wang, which include generating the digital signature using a base point, random number, message hash, private key, elliptic curve point coordinates, and order information, with the teaching of Pornin, which include deriving the random value from a hash of the stitched private key and message hash. One of ordinary skill in the art would recognize the ability to modify Wang’s random number k with Pornin’s technique of deriving k from the hash of the stitched private key and message hash. One of ordinary skill in the art would be motivated to make this modification in order to complete a deterministic approach to elliptic curve cryptography.
In reference to claim 20, the non-transitory storage mediums according to claim 15, wherein the method further comprising: obtaining a digital signature to be verified, and calculating a hash value of the digital signature when the digital signature conforms to a preset signature rule, Wang discloses (Section 7.1 "compute e=Hv(m) and convert the type of data e to be integer specific") It computes the hash value of the digital signature and converts the type of data to be integer specific, which matches the integer conversion rule described in the applicant’s specification.
Obtaining a verification public key of the digital signature, and calculating a target first part digital signature based on the digital signature, the verification public key, and the hash value, Wang discloses (Section 7.1 "B6: calculate the point (x1’, y1’)=[s’]G + [t]PA") It obtains the public key PA, and calculates a target value R (first part signature) using the signature ‘s’, public key PA, and hash ‘e’.
Obtaining a digital signature verification success result when the target first part digital signature is consistent with a first part digital signature in the digital signature, Wang discloses (Section 7.1 "B7: calculate R=(e’+x1’) modn,verify whether R=r’ holds") it compares the calculated value R with the received signature part r’, and if they match, the verification passes. This is equivalent to comparing the target first part signature with the received first part signature.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (“Overview on public key cryptographic algorithm sm2 based on elliptic curves“, referred to as Wang), in view of Pornin (“Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA)”, referred to as Pornin) in further view of Dworkin ("Recommendation for block cipher modes of operation", referred to as Drowkin).
In reference to claim 3, Wang in view of Pornin teaches all the limitations of claims 1, the method according to claim 1, wherein the converting the signature private key into target information according to a preset conversion rule comprises: converting the signature private key into a bit string to obtain a bit string private key, Pornin discloses (Section 2.3.3 "We call this transform int2octets. Since rlen is a multiple of 8 (the smallest multiple of 8 that is not smaller than qlen), then the resulting sequence of bits is also a sequence of octets, hence the name.) Pornin also discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))) this converted "int2octets(x)" which shows the converted octet string private key "int2octets(x)" being used.
However, Pornin does not disclose arranging the bit string private key in reverse order to obtain the target information.
In an analogous art Dworkin teaches, to arranging the bit string private key in reverse order to obtain the target information, Dworkin discloses (Section 3.3 "Given a byte string, X, the byte string that consists of the bytes of X in reverse REVB(X) order") which teaches a function REVB that reverses the order of bytes in a byte string X to produce the reversed byte string, Dworkin also discloses (Section 4.2 "Given a byte string, X, the string REVB(X) is the sequence of bytes of X in reverse order. For example, REVB([1]||[2]||[3])=[3]||[2]||[1])" which gives an example of reversing the byte string [1]||[2]||[3] to [3]||[2]||[1] using the REVB function.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pornin, which include converting the private key to an octet string, with the teaching of Dworkin, which include reversing the order of a byte string using the REVB function. One of ordinary skill in the art would recognize the ability to modify Pornin’s int2octets octet string conversion of the private key with Dworkin’s REVB byte string reversal function. One of ordinary skill in the art would be motivated to make this modification in order to provide additional security to the private key by not only converting it to an octet string but also reversing the order of that octet string before using it further in the algorithm.
In reference to claim 10, Wang in view of Pornin teaches all the limitations of claims 8, The computer device according to claim 8, wherein the converting the signature private key into target information according to a preset conversion rule comprises: converting the signature private key into a bit string to obtain a bit string private key, Pornin discloses (Section 2.3.3 "We call this transform int2octets. Since rlen is a multiple of 8 (the smallest multiple of 8 that is not smaller than qlen), then the resulting sequence of bits is also a sequence of octets, hence the name.) Pornin also discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))) this converted "int2octets(x)" which shows the converted octet string private key "int2octets(x)" being used.
However, Pornin does not disclose arranging the bit string private key in reverse order to obtain the target information.
In an analogous art Dworkin teaches, to arranging the bit string private key in reverse order to obtain the target information, Dworkin discloses (Section 3.3 "Given a byte string, X, the byte string that consists of the bytes of X in reverse REVB(X) order") which teaches a function REVB that reverses the order of bytes in a byte string X to produce the reversed byte string, Dworkin also discloses (Section 4.2 "Given a byte string, X, the string REVB(X) is the sequence of bytes of X in reverse order. For example, REVB([1]||[2]||[3])=[3]||[2]||[1])" which gives an example of reversing the byte string [1]||[2]||[3] to [3]||[2]||[1] using the REVB function.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pornin, which include converting the private key to an octet string, with the teaching of Dworkin, which include reversing the order of a byte string using the REVB function. One of ordinary skill in the art would recognize the ability to modify Pornin’s int2octets octet string conversion of the private key with Dworkin’s REVB byte string reversal function. One of ordinary skill in the art would be motivated to make this modification in order to provide additional security to the private key by not only converting it to an octet string but also reversing the order of that octet string before using it further in the algorithm.
In reference to claim 17, Wang in view of Pornin teaches all the limitations of claims 15 and 16, the non-transitory storage mediums according to claim 16, wherein the converting the signature private key into target information according to a preset conversion rule comprises: converting the signature private key into a bit string to obtain a bit string private key, Pornin discloses (Section 2.3.3 "We call this transform int2octets. Since rlen is a multiple of 8 (the smallest multiple of 8 that is not smaller than qlen), then the resulting sequence of bits is also a sequence of octets, hence the name.) Pornin also discloses (Section 3.2 step d: "Set: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))) this converted "int2octets(x)" which shows the converted octet string private key "int2octets(x)" being used.
However, Pornin does not disclose arranging the bit string private key in reverse order to obtain the target information.
In an analogous art Dworkin teaches, to arranging the bit string private key in reverse order to obtain the target information, Dworkin discloses (Section 3.3 "Given a byte string, X, the byte string that consists of the bytes of X in reverse REVB(X) order") which teaches a function REVB that reverses the order of bytes in a byte string X to produce the reversed byte string, Dworkin also discloses (Section 4.2 "Given a byte string, X, the string REVB(X) is the sequence of bytes of X in reverse order. For example, REVB([1]||[2]||[3])=[3]||[2]||[1])" which gives an example of reversing the byte string [1]||[2]||[3] to [3]||[2]||[1] using the REVB function.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pornin, which include converting the private key to an octet string, with the teaching of Dworkin, which include reversing the order of a byte string using the REVB function. One of ordinary skill in the art would recognize the ability to modify Pornin’s int2octets octet string conversion of the private key with Dworkin’s REVB byte string reversal function. One of ordinary skill in the art would be motivated to make this modification in order to provide additional security to the private key by not only converting it to an octet string but also reversing the order of that octet string before using it further in the algorithm.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
Applicant’s amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AIDAN EDWARD SHAUGHNESSY whose telephone number is (703)756-1423. The examiner can normally be reached on Monday-Friday from 7:30am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached at telephone number (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/usptoautomated-interview-request-air-form.
/A.E.S./Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432
Prosecution Insights