LIGHTWEIGHT SIDE-CHANNEL PROTECTION FOR POLYNOMIAL MULTIPLICATION IN POST-QUANTUM SIGNATURES

§103 §DP

DETAILED ACTION The following claims are pending in this office action: 1-2, 4-5, 8-9, 11-12, 15-16 and 18-19 Claim 1, 8 and 15 are independent claims. The following claims are amended: - The following claims are new: - The following claims are cancelled: 3, 6-7, 10, 13-14, 17 and 20-21 Claims 1-2, 4-5, 8-9, 11-12, 15-16 and 18-19 are rejected. This rejection is FINAL. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . RESPONSE TO ARGUMENTS Applicant’s arguments in the amendment filed 09/02/2025 have been fully considered but are not persuasive. The reasons are set forth below. Applicant argues that Poeppelmann in view of Xiao do not teach the claimed elements. Poeppelmann relates to executing cryptographic operations and discloses multiplying polynomials to determine a result and using the result of multiplication in the cryptographic operation. (Remarks, pg. 7) Xiao relates to module exponentiation with transparent side channel attack countermeasures and discloses that the same modular exponential function may be used to perform encryption and decryption operations but with different keys. (Remarks pg. 7) Poeppelmann and Xiao, individually or when combined, do not teach or reasonably suggest perform a polynomial multiplication function using a first input as an element of a digital signature protocol wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations and is performed in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode, the first mode operating during a signature process, the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation as recited by claim 1. (Remarks, pg. 7-8) 37 CFR 1.111(b) requires applicant to distinctly and specifically point out the supposed errors in the Office’s action and reply to every ground of objection and rejection in the Office action. The reply must present arguments pointing out the specific distinction believed to render the claims patentable over any applied references. If an applicant disagrees with any factual findings by the Office, an effective traverse of a rejection based wholly or partially on such findings must include a reasoned statement explaining why the applicant believes the Office has erred substantively as to the factual findings. A mere statement or argument that the Office has not established a prima facie case of obviousness will not be considered substantively adequate to rebut the rejection or an effective traverse of the rejection under 37 CFR 1.111(b). See MPEP §2141. During patent prosecution, “claims must be given their broadest reasonable interpretation in light of the specification… Though understanding the claim language may be aided by explanations contained in the written description, it is important not to import into a claim limitations that are not part of the claim.” See MPEP 2111. As explained below, Poeppelmann discloses multiplying polynomials to generate a signature where the multiplication is performed efficiently using NTT, which is a plurality of polynomial multiplication operations. Poeppelmann also discloses that it is an option to achieve protection against side channel attacks using a Fisher-Yates algorithm in the polynomial multiplication. Furthermore, Xiao clearly teaches “the modular exponentiation function may (internally) ascertain whether the key is greater than L bits long 104 ... In this implementation, it is assumed that public keys (e.g., no security or lower security) will be no more than L bits long and that private keys (e.g., secure) will be longer than L bits long ... Consequently, if the key is longer than L bits, it is a private key, and countermeasure against side channel attacks (or other countermeasures) will be applied 106.” Xiao, para. 00035 A person of ordinary skill in the art would combine Poeppelmann and Xiao to have a more efficient system that allows selection by a control signal/key to provide a more secure side-channel attack countermeasure, or a less resource intensive system without the countermeasure. Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. It is unclear from the Applicant’s remarks why the Applicant believes the combination of references does not teach or reasonably suggest the claimed elements. Accordingly, applicant’s argument is not convincing. Regarding the non-statutory double patenting and Applicant’s request that the obviousness-type double patenting rejection be held in abeyance, Examiner notes, however, that this is not a proper reply. As per MPEP § 804(1)(B)(1) [added in 2015-07], a “complete response to a non-statutory double patenting (NSDP) rejection is either a reply by applicant showing that the claims subject to the rejection are patentably distinct from the reference claims, or the filing of a terminal disclaimer in accordance with 37 CFR 1.321” and that “such a filing should not be held in abeyance.” The Examiner therefore maintains the non-statutory double patenting over Basso et al. (US Pub. 2024/0031140) corresponding to copending Application No. 17/814,448 in view of Poeppelmann (US Pub. 2020/0082738), as well as notes the requirements for a proper reply for any future response. If Ghosh et al. (US Pub. 2022/0006630) is commonly owned, Applicant may provide a statement of common ownership to overcome rejections related to Ghosh. See MPEP 717.02(a). Claim Interpretation Independent claims 1, 8 and 15 recites the optional limitation of “wherein the security mode includes a first mode or a second mode”. Although both limitations are disclosed in the prior art as explained below, these limitations are broadly interpreted to mean either the first mode or the second mode is required. As claim 2, 9 and 16 further claims operating in the first mode, the second mode is non-limiting. Therefore, as the first mode is selected/provided, and the selection of the second mode is optional, the limitation that “the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation” in the claims is interpreted to be non-limiting. Dependent claims 4, 11 and 18 recites the optional limitation of “operations computed during a key generation process or a signing process”. Although both limitations are disclosed in the prior art as explained below, these limitations are broadly interpreted to mean either a key generation process or a signing process is required. As claim 1 discloses a digital signature protocol, the key generation process limitation is non-limiting. Dependent claims 5, 12 and 19 recites the optional limitation of “comprises one or more of application processing circuitry or graphics processing circuitry”. Although both processors are obvious computer elements known to perform cryptographic operations by a person of ordinary skill in the art, these limitations are broadly interpreted to mean either one or more application processing circuitry are required or one or more graphics processing circuitry are required to perform the stated functions. The references disclose one or more application circuitry to perform the recited functions. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. Claims 1, 5, 8, 12, 15, and 19 are provisionally rejected on the ground of nonstatutory obviousness type double patenting as being unpatentable over claims 1 and 22-38 of Basso et al. (US Pub. 2024/0031140) corresponding to copending Application No. 17/814,448 (hereinafter “Basso”) in view of Poeppelmann (US Pub. 2020/0082738) (hereinafter “Poeppelmann”). As per claim 1, Basso teaches an apparatus comprising: (Basso, claim 1) processing circuitry coupled to a memory, the processing circuitry to: (Basso, claim 1) perform a polynomial multiplication function using a first input wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations and is performed in a security mode determined based on a control signal, (Basso, claim 1; the polynomial multiplication function comprises a plurality of polynomial multiplication operations, as the polynomial multiplications functions disclosed to perform the operations are NTT calculations, and NTT calculations consists of a plurality of multiplication functions: see para. 0071 of Basso) wherein the security mode includes a first mode or a second mode ... (Basso, claim 22) the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation. (Basso, claim 22) Basso does not clearly teach a polynomial multiplication function using a first input as an element of a digital signature protocol, and the first mode operating during a signature process. However, Poeppelmann teaches a polynomial multiplication function using a first input ([Poeppelmann, para. 0175; Fig. 4] “At act 403, the first polynomial [first input] is multiplied with the second polynomial to determine a result”) as an element of a digital signature protocol; and ([para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation [digital signature protocol]”; [claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a signature”) the first mode operating during a signature process. ([Poeppelmann, para. 0019] “According to an embodiment [the first mode], the cryptographic operation may be used to [operating] ... generate a signature [during a signature process]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basso with the teachings of Poeppelmann to include a polynomial multiplication function using a first input as an element of a digital signature protocol, and the first mode operating during a signature process. One of ordinary skill in the art would have been motivated to make this modification because Lattice-based crypto systems, such as the Dilithium digital signature protocol, resist attacks by quantum computers. (Poeppelmann, para. 0049; para. 0057) As per claim 5, Basso in view of Poeppelmann teaches claim 1. Basso does not clearly teach wherein the processing circuitry comprises one or more of application processing circuitry or graphics processing circuitry. However, Poeppelmann teaches wherein the processing circuitry comprises one or more of application processing circuitry or graphics processing circuitry. ([Poeppelmann, para. 0226] “the application processor 307 may perform the procedures described herein”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basso with the teachings of Poeppelmann to include wherein the processing circuitry comprises one or more of application processing circuitry or graphics processing circuitry. One of ordinary skill in the art would have been motivated to make this modification because in practicality there are only a finite number of processing circuitry types to use to perform to use the process. It would have been obvious to one of ordinary skill in the art to try an application processing circuitry to provide circuitry for performing the functions, as a person with ordinary skill has a good reason to pursue the known replacement within his or her technical grasp. In turn, because the application processing circuitry when used in the system of Basso has the predicted properties of the replacement strategy, it would have been obvious. As per claim 8, Basso teaches a method comprising, performing, by a computing device a polynomial multiplication function using a first input wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations and is performed in a security mode determined based on a control signal, (Basso, claim 27; the polynomial multiplication function comprises a plurality of polynomial multiplication operations, as the polynomial multiplications functions disclosed to perform the operations are NTT calculations, and NTT calculations consists of a plurality of multiplication functions: see para. 0071 of Basso) wherein the security mode includes a first mode or a second mode ... (Basso, claim 28) the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation. (Basso, claim 28) Basso does not clearly teach a polynomial multiplication function using a first input as an element of a digital signature protocol, and the first mode operating during a signature process. However, Poeppelmann teaches a polynomial multiplication function using a first input ([Poeppelmann, para. 0175; Fig. 4] “At act 403, the first polynomial [first input] is multiplied with the second polynomial to determine a result”) as an element of a digital signature protocol; and ([Para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation [digital signature protocol]”; [claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a signature”) the first mode operating during a signature process. ([Poeppelmann, para. 0019] “According to an embodiment [the first mode], the cryptographic operation may be used to [operating] ... generate a signature [during a signature process]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basso with the teachings of Poeppelmann to include a polynomial multiplication function using a first input as an element of a digital signature protocol. One of ordinary skill in the art would have been motivated to make this modification because Lattice-based crypto systems, such as the Dilithium digital signature protocol, resist attacks by quantum computers. (Poeppelmann, para. 0049; para. 0057) As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5. As per claim 15, Basso teaches a non-transitory computer-readable medium having stored thereon instructions which, when executed by a processor, cause a computing device to perform operations comprising: performing a polynomial multiplication function using a first input wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations and is performed in a security mode determined based on a control signal, (Basso, claim 33; the polynomial multiplication function comprises a plurality of polynomial multiplication operations, as the polynomial multiplications functions disclosed to perform the operations are NTT calculations, and NTT calculations consists of a plurality of multiplication functions: see para. 0071 of Basso) wherein the security mode includes a first mode or a second mode ... (Basso, claim 34) the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation. (Basso, claim 34) Basso does not clearly teach a polynomial multiplication function using a first input as an element of a digital signature protocol, and the first mode operating during a signature process. However, Poeppelmann teaches a polynomial multiplication function using a first input ([Poeppelmann, para. 0175; Fig. 4] “At act 403, the first polynomial [first input] is multiplied with the second polynomial to determine a result”) as an element of a digital signature protocol; and ([Para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation [digital signature protocol]”; [claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a signature”) the first mode operating during a signature process. ([Poeppelmann, para. 0019] “According to an embodiment [the first mode], the cryptographic operation may be used to [operating] ... generate a signature [during a signature process]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basso with the teachings of Poeppelmann to include a polynomial multiplication function using a first input as an element of a digital signature protocol. One of ordinary skill in the art would have been motivated to make this modification because Lattice-based crypto systems, such as the Dilithium digital signature protocol, resist attacks by quantum computers. (Poeppelmann, para. 0049; para. 0057) As per claim 19, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5. Claims 2, 9 and 16 are provisionally rejected on the ground of nonstatutory obviousness type double patenting as being unpatentable over claims 1 and 22-38 of Basso in view of Poeppelmann as applied to claims 1, 9 and 15 above and further in view of Xiao et al. (US Pub. 2018/0026782) (hereinafter “Xiao”). As per claim 2, Basso in view of Poeppelmann teaches claim 1. Basso also teaches wherein the processing circuitry is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. (Basso, claim 23) As per claim 9, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2. As per claim 16, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2. Claims 4, 11 and 18 are provisionally rejected on the ground of nonstatutory obviousness type double patenting as being unpatentable over claims 1 and 22-38 of Basso in view of Poeppelmann as applied to claims 1, 8 and 15 above and further in view of Shankar et al. (US Pub. 2015/0199217) (hereinafter “Shankar”). As per claim 4, Basso in view of Poeppelmann teaches claim 1. Basso also teaches wherein the processing circuitry is further to facilitate a random number generator to apply a random shuffle order to operations computed during a key generation process. (Basso, claim 24) Basso does not clearly teach a random number generator to apply a random shuffle order to operations computed during a signing process, wherein the random number is periodically seeded by a random seed, wherein the digital signature protocol comprises a Dilithium protocol. However, Poeppelmann teaches a random number generator to apply a random shuffle order ([Poeppelmann, para. 0172] “to achieve … protection against … side channel attacks … A uniformly random polynomial r … may be sampled [generated, and so supplied by the generator 212] … to randomize [randomly shuffle] … the polynomial w1 [input value/first polynomial]; [para. 0206] “values obtained by c′←$ConvSample(k) may be reordered … The Fisher-Yates algorithm can be used to randomly shuffle coefficients in c′ [a shuffling side-channel protection] and to obtain an output c=Fisher-Yates(c′)”) to operations computed ([para. 0175; Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial to determine a result”) during a signing process ([para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation”; [claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a signature”) wherein the digital signature protocol comprises a Dilithium protocol. ([Para. 0057] “lattice-based signature schemes include Dilithium”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Basso and Poeppelmann for the same reasons as disclosed above. Basso in view of Poeppelmann does not clearly teach wherein the random number generator is periodically seeded by a random seed. However, Shankar teaches wherein the random number generator is periodically seeded by a random seed. ([Shankar, para. 0029] “a seed event for a software random number generator … The seed event can occur as the result of a periodic re-seeding”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Basso in view of Poeppelmann with the teachings of Shankar to include wherein the random number generator is periodically seeded by a random seed. One of ordinary skill in the art would have been motivated to make this modification because hardware random number generation is slow while software random number generators are designed for simplicity and performance, making random number generation fast, and to create a cryptographically secure sequence a software random number generator seed value must possess high entropy and be re-seeded at periodic intervals. (Shankar, para. 0003) As per claim 11, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4. As per claim 18, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 5, 8-9, 12, 15-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Poeppelmann (US Pub. 2020/0082738) in view of Xiao et al. (US Pub. 2018/0026782). As per claim 1, Poeppelmann teaches an apparatus comprising: ([Poeppelmann, para. 0231; “the techniques of this disclosure may be implemented in a … apparatuses”) processing circuitry coupled to a memory, the processing circuitry to: ([Poeppelmann, para. 0224; Fig. 3] “an application processor 307, a random access memory (RAM) … which is coupled”; (para. 0226] “the application processor 307 may perform the procedures described herein”) perform a polynomial multiplication function using a first input ([Poeppelmann, para. 0175; Fig. 4] “At act 403, the first polynomial [first input] is multiplied with the second polynomial to determine a result”) as an element of a digital signature protocol, ([para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation [digital signature protocol]”; [claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a signature”) wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations ([para. 0161] “the polynomial multiplication can be performed [comprises] efficiently using … NTT”; [105] “NTT is … a polynomial multiplication operation … require … roughly n log2 n modular multiplications [a plurality of polynomial multiplication operations]”) and is performed in a security mode, ([Abstract] “A security device arranged to perform … the acts is provided”; a function performed in a security mode determined based on a the control signal is taught by Xiao below; as the option/mode is performed by a security device, the option/mode is a security mode) wherein the security mode includes a first mode ([para. 0048] “a cryptosystem [security mode] may be a ... signature scheme ... or an advanced scheme”) or a second mode, ([para. 0172] “It is an option [mode] to achieve some protection against observatory attacks (e.g., side channel attacks) [second mode] … To randomize the computation the random polynomial r may be added to the polynomial w1 [first input/polynomial – see para. 0151 “polynomial w1∈ Rq is sampled”]; [para. 0175. Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial”; as the option/mode for side channel protection performs an operation on the input polynomial/first input which is then subsequently multiplied to produce the result used to generate the signature, the polynomial multiplication function is performed in a security mode) the first mode operating during a signature process, ([para. 0019] “According to an embodiment [the first mode], the cryptographic operation may be used to [operating] ... generate a signature [during a signature process]”) the second mode having a shuffling-based side-channel protection provided ([para. 0206] “values obtained by c′←$ConvSample(k) may be reordered … The Fisher-Yates algorithm can be used to randomly shuffle coefficients in c′ [a shuffling side-channel protection] and to obtain an output c=Fisher-Yates(c′)”; [para. 0164] “The notation w3←$ConvSample(k) indicates that a sampler uses the approach described herein [the protection against side channel attack] and outputs a polynomial w3∈Rq”) to the polynomial multiplication operation. ([Para. 0172] “It is an option to achieve … protection against observatory attacks (e.g., side channel attacks) … To randomize [shuffle] the computation the random polynomial r may be added to the polynomial w1 [first input/polynomial – see para. 0151 “polynomial w1∈ Rq is sampled”]; [para. 0175. Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial”; as it is an option to add the polynomial r to provide side channel protection to the input polynomial/first input which is then subsequently multiplied to produce the result used to generate the signature, an optional mode is disclosed having side-channel protection is provided to the polynomial multiplication operation) Poeppelmann does not clearly teach perform a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. However, Xiao teaches perform a function ... in a security mode determined based on a control signal, ([Xiao, para. 0051] “the key 614 as a parameter [the control signal as it controls whether the countermeasures are implemented] … may serve to ascertain [determine] whether … processing circuit 607 may also be configured to implement software [the function performed] countermeasures [in a security mode]”) wherein the security mode includes a first mode or a second mode. ([para. 0035] “Upon being invoked with a key ... the modular exponential function ... ascertain whether the key is greater than L bits long 104 ... if the key is longer than L bits ... countermeasure against side channel attacks will be applied [the security mode includes a second mode] ... Otherwise, if the key is no longer than L bits ... no countermeasure is applied [the security mode includes a first mode]”; [para. 0047] “the same modular exponential function may perform cryptographic signing [includes a first mode]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Poeppelmann with the teachings of Xiao to include perform a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on public key usage, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008) As per claim 2, Poeppelmann in view of Xiao teaches claim 1. Poeppelmann does not clearly teach wherein the processing circuitry is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. However, Xiao teaches wherein the processing circuitry ([Xiao, para. 0015] “A modular exponentiation circuit is provided comprising a register and a processing circuit coupled to the register”) is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. ([Fig. 1; para. 0035] “the modular exponentiation function may be invoked … to perform a cryptographic operation … if the key is no longer than L bits [a detection], it is a public key [a computing environment in which side channel is not required – see para. 0007] and no countermeasure is applied [the circuitry is to cooperate in the first mode as the software countermeasures are enacted by the processing circuit – see Fig. 6]”). It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Poeppelmann with the teachings of Xiao to include wherein the processing circuitry is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on a public key usage, for example a signature verification/authentication operation, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008; para. 0047) As per claim 5, Poeppelmann in view of Xiao teaches claim 1. Poeppelmann also teaches wherein the processing circuitry comprises one or more of application processing circuitry or graphics processing circuitry. ([Poeppelmann, para. 0226] “the application processor 307 may perform the procedures described herein”; examiner interprets “or” here to be an optional limitation, thus requiring either an application or a graphic processing circuitry) As per claim 8, Poeppelmann teaches a method, comprising: performing, by a computing device, ([Poeppelmann para. 0228] “the functions described herein may be implemented … by one or more computers”) a polynomial multiplication function using a first input ([para. 0175; Fig. 4] “At act 403, the first polynomial [first input] is multiplied with the second polynomial to determine a result”) as an element of a digital signature protocol, ([para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation”; [claim 3] “using the cryptographic operation to … generate a signature [a digital signature protocol as the signature is a digital signature]”) wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations ([para. 0161] “the polynomial multiplication can be performed efficiently using … NTT”; [105] “NTT is … a polynomial multiplication operation … require … roughly n log2 n modular multiplications [a plurality of polynomial multiplication operations]”) and is performed in a security mode ([Abstract] “A security device arranged to perform … the acts is provided”; a function performed in a security mode determined based on a the control signal is taught by Xiao below; as the option/mode is performed by a security device, the option/mode is a security mode) wherein the security mode includes a first mode ([para. 0048] “a cryptosystem [security mode] may be a ... signature scheme ... or an advanced scheme”) or a second mode, ([para. 0172] “It is an option [mode] to achieve some protection against observatory attacks (e.g., side channel attacks) [second mode] … To randomize the computation the random polynomial r may be added to the polynomial w1 [first input/polynomial – see para. 0151 “polynomial w1∈ Rq is sampled”]; [para. 0175. Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial”; as the option/mode for side channel protection performs an operation on the input polynomial/first input which is then subsequently multiplied to produce the result used to generate the signature, the polynomial multiplication function is performed in a security mode) the first mode operating during a signature process, ([para. 0019] “According to an embodiment [the first mode], the cryptographic operation may be used to [operating] ... generate a signature [during a signature process]”) the second mode having a shuffling-based side-channel protection provided ([para. 0206] “values obtained by c′←$ConvSample(k) may be reordered … The Fisher-Yates algorithm can be used to randomly shuffle coefficients in c′ [a shuffling side-channel protection] and to obtain an output c=Fisher-Yates(c′)”; [para. 0164] “The notation w3←$ConvSample(k) indicates that a sampler uses the approach described herein [the protection against side channel attack] and outputs a polynomial w3∈Rq”) to the polynomial multiplication operation. ([Para. 0172] “It is an option to achieve … protection against observatory attacks (e.g., side channel attacks) … To randomize [shuffle] the computation the random polynomial r may be added to the polynomial w1 [first input/polynomial – see para. 0151 “polynomial w1∈ Rq is sampled”]; [para. 0175. Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial”; as it is an option to add the polynomial r to provide side channel protection to the input polynomial/first input which is then subsequently multiplied to produce the result used to generate the signature, an optional mode is disclosed having side-channel protection is provided to the polynomial multiplication operation) Poeppelmann does not clearly teach performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. However, Xiao teaches performing a function ... in a security mode determined based on a control signal, ([Xiao, para. 0051] “the key 614 as a parameter [the control signal as it controls whether the countermeasures are implemented] … may serve to ascertain [determine] whether … processing circuit 607 may also be configured to implement software [the function performed] countermeasures [in a security mode]”) wherein the security mode includes a first mode or a second mode. ([para. 0035] “Upon being invoked with a key ... the modular exponential function ... ascertain whether the key is greater than L bits long 104 ... if the key is longer than L bits ... countermeasure against side channel attacks will be applied [the security mode includes a second mode] ... Otherwise, if the key is no longer than L bits ... no countermeasure is applied [the security mode includes a first mode]”; [para. 0047] “the same modular exponential function may perform cryptographic signing [includes a first mode]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Poeppelmann with the teachings of Xiao to include performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on public key usage, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008) As per claim 9, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2. As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5. As per claim 15, Poeppelmann teaches a non-transitory computer-readable medium having stored thereon instructions which, when executed, cause a computing device to perform operations comprising: ([Poeppelmann, para. 0228] “the techniques may be implemented in … software … on a computer-readable medium and executed by a hardware-based processing unit … computer-readable media which is non-transitory … by one or more computers”) performing a polynomial multiplication function using a first input ([para. 0175; Fig. 4] “At act 403, the first polynomial [first input] is multiplied with the second polynomial to determine a result”) as an element of a digital signature protocol, ([para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation”; [claim 3] “using the cryptographic operation to … generate a signature [a digital signature protocol as the signature is a digital signature]”) wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations ([para. 0161] “the polynomial multiplication can be performed efficiently using … NTT”; [105] “NTT is … a polynomial multiplication operation … require … roughly n log2 n modular multiplications [a plurality of polynomial multiplication operations]”) and is performed in a security mode, ([Abstract] “A security device arranged to perform … the acts is provided”; a function performed in a security mode determined based on a the control signal is taught by Xiao below; as the option/mode is performed by a security device, the option/mode is a security mode) wherein the security mode includes a first mode ([para. 0048] “a cryptosystem [security mode] may be a ... signature scheme ... or an advanced scheme”) or a second mode, ([para. 0172] “It is an option [mode] to achieve some protection against observatory attacks (e.g., side channel attacks) [second mode] … To randomize the computation the random polynomial r may be added to the polynomial w1 [first input/polynomial – see para. 0151 “polynomial w1∈ Rq is sampled”]; [para. 0175. Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial”; as the option/mode for side channel protection performs an operation on the input polynomial/first input which is then subsequently multiplied to produce the result used to generate the signature, the polynomial multiplication function is performed in a security mode) the first mode operating during a signature process, ([para. 0019] “According to an embodiment [the first mode], the cryptographic operation may be used to [operating] ... generate a signature [during a signature process]”) the second mode having a shuffling-based side-channel protection provided ([para. 0206] “values obtained by c′←$ConvSample(k) may be reordered … The Fisher-Yates algorithm can be used to randomly shuffle coefficients in c′ [a shuffling side-channel protection] and to obtain an output c=Fisher-Yates(c′)”; [para. 0164] “The notation w3←$ConvSample(k) indicates that a sampler uses the approach described herein [the protection against side channel attack] and outputs a polynomial w3∈Rq”) to the polynomial multiplication operation. ([Para. 0172] “It is an option to achieve … protection against observatory attacks (e.g., side channel attacks) … To randomize [shuffle] the computation the random polynomial r may be added to the polynomial w1 [first input/polynomial – see para. 0151 “polynomial w1∈ Rq is sampled”]; [para. 0175. Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial”; as it is an option to add the polynomial r to provide side channel protection to the input polynomial/first input which is then subsequently multiplied to produce the result used to generate the signature, an optional mode is disclosed having side-channel protection is provided to the polynomial multiplication operation) Poeppelmann does not clearly teach performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. However, Xiao teaches performing a function ... in a security mode determined based on a control signal, ([Xiao, para. 0051] “the key 614 as a parameter [the control signal as it controls whether the countermeasures are implemented] … may serve to ascertain [determine] whether … processing circuit 607 may also be configured to implement software [the function performed] countermeasures [in a security mode]”) wherein the security mode includes a first mode or a second mode. ([para. 0035] “Upon being invoked with a key ... the modular exponential function ... ascertain whether the key is greater than L bits long 104 ... if the key is longer than L bits ... countermeasure against side channel attacks will be applied [the security mode includes a second mode] ... Otherwise, if the key is no longer than L bits ... no countermeasure is applied [the security mode includes a first mode]”; [para. 0047] “the same modular exponential function may perform cryptographic signing [includes a first mode]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Poeppelmann with the teachings of Xiao to include performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on public key usage, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008) As per claim 16, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2. As per claim 19, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5. Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Poeppelmann in view of Xiao as applied to claims 1, 8 and 15 above and further in view of Shankar et al. (US Pub. 2015/0199217). As per claim 4, Poeppelmann in view of Xiao teaches claim 1. Poeppelmann also teaches wherein the processing circuitry is further to facilitate a random number generator ([Poeppelmann, para. 0221] “Random numbers are supplied by the hardware-random number generator 212”) to apply a random shuffle order ([para. 0172] “to achieve … protection against … side channel attacks … A uniformly random polynomial r … may be sampled [generated, and so supplied by the generator 212] … to randomize [randomly shuffle] … the polynomial w1 [input value/first polynomial]; [para. 0206] “values obtained by c′←$ConvSample(k) may be reordered … The Fisher-Yates algorithm can be used to randomly shuffle coefficients in c′ [a shuffling side-channel protection] and to obtain an output c=Fisher-Yates(c′)”) to operations computed ([para. 0175; Fig. 4] “At act 403, the first polynomial is multiplied with the second polynomial to determine a result”) during a key generation process ([claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a public key … generate a private key”) or a signing process ([para. 0175; Fig. 4] “At act 404, the result of the multiplication is used in the cryptographic Lattice operation”; [claim 3] “using the [result of the multiplication in the] cryptographic operation to … generate a signature”) wherein the digital signature protocol comprises a Dilithium protocol. ([Para. 0057] “lattice-based signature schemes include Dilithium”) Poeppelmann does not clearly teach wherein the random number is periodically seeded by a random seed. However, Shankar teaches wherein the random number generator is periodically seeded by a random seed. ([Shankar, para. 0029] “a seed event for a software random number generator … The seed event can occur as the result of a periodic re-seeding”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Poeppelmann in view of Xiao with the teachings of Shankar to include wherein the random number generator is periodically seeded by a random seed. One of ordinary skill in the art would have been motivated to make this modification because hardware random number generation is slow while software random number generators are designed for simplicity and performance, making random number generation fast, and to create a cryptographically secure sequence a software random number generator seed value must possess high entropy and be re-seeded at periodic intervals. (Shankar, para. 0003) As per claim 11, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4. As per claim 18, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4. Alternatively, claims 1-2, 5, 8-9, 12, 15-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ghosh et al. (US Pub. 2022/0006630) (hereinafter “Ghosh”, which includes the additional inventor Avinash L. Varna not included in the instant application) in view of Xiao et al. (US Pub. 2018/0026782). If Ghosh is commonly owned, Applicant may provide a statement of common ownership to overcome these rejections. See MPEP 717.02(a). As per claim 1, Ghosh teaches an apparatus comprising: ([Ghosh, para. 0012] “first device 110 … computing device capable of performing the functions described herein”) processing circuitry coupled to a memory, the processing circuitry to: ([Ghosh, para. 0013] “First device 110 includes one or more processor(s) 120 and a memory 122 … The memory 122 is communicatively coupled to the processor(s)”) perform a polynomial multiplication function using a first input ([Ghosh, claim 1] “a processing datapath communicatively coupled to the input register comprising a plurality of compute nodes to perform a number theoretic transform (NTT) algorithm [polynomial multiplication function] on the input polynomial [the first input] to generate an output polynomial in NTT format”; [para. 0022] “The NTT algorithm transforms a polynomial a(x) into its NTT form ã(x) … Then, multiplication between polynomials … to compute the product between a(x) and b(x)”) as an element of a digital signature protocol, ([para. 0021-0022] “A Dilithium signature process relies on multiple polynomial multiplication operations … polynomial multiplication in Dilithium may be computed using the number theoretic transform (NTT) algorithm”) wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations ([para. 0022] “multiplication between polynomials in the NTT form corresponds to coefficient-wise multiplication between polynomials [a plurality of polynomial multiplication operations] in the NTT form”) and is performed in a security mode ... ([para. 0030] “security [security mode of operation] and performance can be achieved by using different randomizations [different modes] for each compute node”; perform a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode taught by Xiao below) wherein the security mode includes a first mode ([para. 0038] “In some embodiments ... one or more portions or components of a digital signature signing system ... implement one or more techniques described herein [a first mode]”) or a second mode, ([para. 0025] “In some examples [a second mode] the datapath 200 may be protected against side-channel attacks by randomizing operation) the first mode operating during a signature process, ([para. 0019] “In some embodiments, the cryptography logic 140 may generate and/or utilize various cryptographic keys ... to facilitate ... signing”) the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation. ([para. 0025] “In some examples [a second mode] the datapath 200 may be protected against side-channel attacks by randomizing operation … One technique for accomplishing this is referred to as shuffling, which consists of reordering in random order different operations … Several algorithms exist to generate a random shuffle, with the Fisher-Yates algorithm being one of the most secure”; as the datapath performs the polynomial multiplication operation, and it may be protected against side-channel attacks, an embodiment is disclosed that side-channel protection is provided to the polynomial multiplication operation) Ghosh does not clearly teach perform a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. However, Xiao teaches perform a function ... in a security mode determined based on a control signal, ([Xiao, para. 0051] “the key 614 as a parameter [the control signal as it controls whether the countermeasures are implemented] … may serve to ascertain [determine] whether … processing circuit 607 may also be configured to implement software [the function performed] countermeasures [in a security mode]”) wherein the security mode includes a first mode or a second mode. ([para. 0035] “Upon being invoked with a key ... the modular exponential function ... ascertain whether the key is greater than L bits long 104 ... if the key is longer than L bits ... countermeasure against side channel attacks will be applied [the security mode includes a second mode] ... Otherwise, if the key is no longer than L bits ... no countermeasure is applied [the security mode includes a first mode]”; [para. 0047] “the same modular exponential function may perform cryptographic signing [includes a first mode]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Ghosh with the teachings of Xiao to include perform a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on public key usage, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008) As per claim 2, Ghosh in view of Xiao teaches claim 1. Ghosh does not clearly teach wherein the processing circuitry is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. However, Xiao teaches wherein the processing circuitry ([Xiao, para. 0015] “A modular exponentiation circuit is provided comprising a register and a processing circuit coupled to the register”) is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. ([Fig. 1; para. 0035] “the modular exponentiation function may be invoked … to perform a cryptographic operation … if the key is no longer than L bits [a detection], it is a public key [a computing environment in which side channel is not required – see para. 0007] and no countermeasure is applied [the circuitry is to cooperate in the first mode as the software countermeasures are enacted by the processing circuit – see Fig. 6]”). It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Ghosh with the teachings of Xiao to include wherein the processing circuitry is further to facilitate the first mode to operate in response to a detection of a computing environment without side-channel protection. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on a public key usage, for example a signature verification/authentication operation, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008; para. 0047) As per claim 5, Ghosh in view of Xiao teaches claim 1. Poeppelmann also teaches wherein the processing circuitry comprises one or more of application processing circuitry or graphics processing circuitry. ([Ghosh, para. 0013] “processor(s) 120 [application processing circuitry] … used during operation of … applications”; examiner interprets “or” here to be an optional limitation, thus requiring either an application or a graphic processing circuitry) As per claim 8, Ghosh teaches a method, comprising: performing, by a computing device, ([Ghosh, para. 0012] “first device 110 … computing device capable of performing the functions described herein”) a polynomial multiplication function using a first input ([Ghosh, claim 1] “a processing datapath communicatively coupled to the input register comprising a plurality of compute nodes to perform a number theoretic transform (NTT) algorithm [polynomial multiplication function] on the input polynomial [the first input] to generate an output polynomial in NTT format”; [para. 0022] “The NTT algorithm transforms a polynomial a(x) into its NTT form ã(x) … Then, multiplication between polynomials … to compute the product between a(x) and b(x)”) as an element of a digital signature protocol, ([para. 0021-0022] “A Dilithium signature process relies on multiple polynomial multiplication operations … polynomial multiplication in Dilithium may be computed using the number theoretic transform (NTT) algorithm”) wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations ([para. 0022] “multiplication between polynomials in the NTT form corresponds to coefficient-wise multiplication between polynomials [a plurality of polynomial multiplication operations] in the NTT form”) and is performed in a security mode ... ([para. 0030] “security [security mode of operation] and performance can be achieved by using different randomizations [different modes] for each compute node”; perform a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode taught by Xiao below) wherein the security mode includes a first mode ([para. 0038] “In some embodiments ... one or more portions or components of a digital signature signing system ... implement one or more techniques described herein [a first mode]”) or a second mode, ([para. 0025] “In some examples [a second mode] the datapath 200 may be protected against side-channel attacks by randomizing operation) the first mode operating during a signature process, ([para. 0019] “In some embodiments, the cryptography logic 140 may generate and/or utilize various cryptographic keys ... to facilitate ... signing”) the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation. ([para. 0025] “In some examples [a second mode] the datapath 200 may be protected against side-channel attacks by randomizing operation … One technique for accomplishing this is referred to as shuffling, which consists of reordering in random order different operations … Several algorithms exist to generate a random shuffle, with the Fisher-Yates algorithm being one of the most secure”; as the datapath performs the polynomial multiplication operation, and it may be protected against side-channel attacks, an embodiment is disclosed that side-channel protection is provided to the polynomial multiplication operation) Ghosh does not clearly teach performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. However, Xiao teaches performing a function ... in a security mode determined based on a control signal, ([Xiao, para. 0051] “the key 614 as a parameter [the control signal as it controls whether the countermeasures are implemented] … may serve to ascertain [determine] whether … processing circuit 607 may also be configured to implement software [the function performed] countermeasures [in a security mode]”) wherein the security mode includes a first mode or a second mode. ([para. 0035] “Upon being invoked with a key ... the modular exponential function ... ascertain whether the key is greater than L bits long 104 ... if the key is longer than L bits ... countermeasure against side channel attacks will be applied [the security mode includes a second mode] ... Otherwise, if the key is no longer than L bits ... no countermeasure is applied [the security mode includes a first mode]”; [para. 0047] “the same modular exponential function may perform cryptographic signing [includes a first mode]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Ghosh with the teachings of Xiao to include performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on public key usage, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008) As per claim 9, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2. As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5. As per claim 15, Ghosh teaches a non-transitory computer-readable medium having stored thereon instructions which, when executed by a processor, configure the processor to perform operations, ([Ghosh, para. 0046] “Memory device 520 [non-transitory computer-readable medium] … to store … instructions 521 for use when the one or more processors 502 executes an application or process; [para. 0038; Fig. 5] “for implementing various embodiments as previously described”) comprising: performing a polynomial multiplication function using a first input ([Ghosh, claim 1] “a processing datapath communicatively coupled to the input register comprising a plurality of compute nodes to perform a number theoretic transform (NTT) algorithm [polynomial multiplication function] on the input polynomial [the first input] to generate an output polynomial in NTT format”; [para. 0022] “The NTT algorithm transforms a polynomial a(x) into its NTT form ã(x) … Then, multiplication between polynomials … to compute the product between a(x) and b(x)”) as an element of a digital signature protocol, ([para. 0021-0022] “A Dilithium signature process relies on multiple polynomial multiplication operations … polynomial multiplication in Dilithium may be computed using the number theoretic transform (NTT) algorithm”) wherein the polynomial multiplication function comprises a plurality of polynomial multiplication operations ([para. 0022] “multiplication between polynomials in the NTT form corresponds to coefficient-wise multiplication between polynomials [a plurality of polynomial multiplication operations] in the NTT form”) wherein the security mode includes a first mode ([para. 0038] “In some embodiments ... one or more portions or components of a digital signature signing system ... implement one or more techniques described herein [a first mode]”) or a second mode, ([para. 0025] “In some examples [a second mode] the datapath 200 may be protected against side-channel attacks by randomizing operation) the first mode operating during a signature process, ([para. 0019] “In some embodiments, the cryptography logic 140 may generate and/or utilize various cryptographic keys ... to facilitate ... signing”) the second mode having a shuffling-based side-channel protection provided to the polynomial multiplication operation. ([para. 0025] “In some examples [a second mode] the datapath 200 may be protected against side-channel attacks by randomizing operation … One technique for accomplishing this is referred to as shuffling, which consists of reordering in random order different operations … Several algorithms exist to generate a random shuffle, with the Fisher-Yates algorithm being one of the most secure”; as the datapath performs the polynomial multiplication operation, and it may be protected against side-channel attacks, an embodiment is disclosed that side-channel protection is provided to the polynomial multiplication operation) Ghosh does not clearly teach performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. However, Xiao teaches performing a function ... in a security mode determined based on a control signal, ([Xiao, para. 0051] “the key 614 as a parameter [the control signal as it controls whether the countermeasures are implemented] … may serve to ascertain [determine] whether … processing circuit 607 may also be configured to implement software [the function performed] countermeasures [in a security mode]”) wherein the security mode includes a first mode or a second mode. ([para. 0035] “Upon being invoked with a key ... the modular exponential function ... ascertain whether the key is greater than L bits long 104 ... if the key is longer than L bits ... countermeasure against side channel attacks will be applied [the security mode includes a second mode] ... Otherwise, if the key is no longer than L bits ... no countermeasure is applied [the security mode includes a first mode]”; [para. 0047] “the same modular exponential function may perform cryptographic signing [includes a first mode]”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Ghosh with the teachings of Xiao to include performing a function ... in a security mode determined based on a control signal, wherein the security mode includes a first mode or a second mode. One of ordinary skill in the art would have been motivated to make this modification because always enabling countermeasures provides a penalty on public key usage, without any security gain, and this method instead avoids the performance penalty on public key generation/usage during a modular exponentiation operation such as polynomial multiplication used to generate a public key. (Xiao, para. 0007-0008) As per claim 16, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2. As per claim 19, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5. Alternatively, claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ghosh in view of Xiao as applied to claims 1, 8 and 15 above and further in view of Shankar et al. (US Pub. 2015/0199217). If Ghosh is commonly owned, Applicant may provide a statement of common ownership to overcome these rejections. See MPEP 717.02(a) As per claim 4, Ghosh in view of Xiao teaches claim 1. Ghosh also teaches wherein the processing circuitry is further to facilitate a random number generator ([Ghosh, para. 0028] “the random numbers may be generated … using an algorithm [random number generator] that generates numbers”) to apply a random shuffle order to operations computed ([para. 0025] “the datapath [operations computed] … protected against side-channel attacks by randomizing operation … One technique for accomplishing this is referred to as shuffling, which consists of reordering in random order different operations … Several algorithms exist to generate a random shuffle, with the Fisher-Yates algorithm being one of the most secure”; [para. 0029] “a shuffle generation requires … random bits [random numbers]”) during a key generation process ([para. 0015] “the cryptography logic 140 may generate … cryptographic keys [during a key generation process] … to facilitate … signing [the operations computed including a key generation process, as signing is the operation performed by the datapath]”) or a signing process wherein the digital signature protocol comprises a Dilithium protocol. ([claim 1] “a processing datapath communicatively coupled to the input register comprising a plurality of compute nodes to perform a number theoretic transform (NTT) algorithm [an operation that results in the digital signature protocol] on the input polynomial to generate an output polynomial in NTT format”; [para. 0022] “The NTT algorithm transforms a polynomial a(x) into its NTT form ã(x) … Then, multiplication between polynomials … to compute the product between a(x) and b(x)”; [para. 0021-0022] “A Dilithium signature process [a signing process] relies on multiple polynomial multiplication operations … polynomial multiplication in Dilithium [the digital signature protocol] may be computed using the number theoretic transform (NTT) algorithm”) Ghosh does not clearly teach wherein the random number is periodically seeded by a random seed. However, Shankar teaches wherein the random number generator is periodically seeded by a random seed. ([Shankar, para. 0029] “a seed event for a software random number generator … The seed event can occur as the result of a periodic re-seeding”) It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Ghosh in view of Xiao with the teachings of Shankar to include wherein the random number generator is periodically seeded by a random seed. One of ordinary skill in the art would have been motivated to make this modification because hardware random number generation is slow while software random number generators are designed for simplicity and performance, making random number generation fast, and to create a cryptographically secure sequence a software random number generator seed value must possess high entropy and be re-seeded at periodic intervals. (Shankar, para. 0003) As per claim 11, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4. As per claim 18, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Patne et al. (US Pub. 2015/0373035) discloses thwarting side channel attacks where obfuscation is selectively introduced into the system for protecting against side channel attacks. Hoffstein et al. (US Pub. 2003/0120929) discloses multiplication of constrained polynomials over a ring in order to generate a digital signature. Poeppelmann et al. (US Pub. 2019/0312728) generating a lattice-based signature using polynomials where randomization of the system can be used to prevent side channel attacks. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634. The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000. /Z.L./Examiner, Art Unit 2493 /CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493