SECURE TRAINING OF MACHINE LEARNING MODELS UNDER HOMOMORPHIC ENCRYPTION

§103 §112

DETAILED ACTION This Office Action is in response to communications filed on October 23, 2025 for Application No. 17/920,457, in which claims 1-3, 5-6, 8-23, and 27-28 are presented for examination. The amendments filed on October 23, 2025 have been entered, where claims 27 and 28 are added, claims 1, 5-6, 8-9, 12, 14, 20, 22 are amended, and claims 4 and 7 are canceled. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Objections Claims 1-3, 5-6, and 8 are objected to because of the following informalities: “the outputs the respective functions” (Claim 1, ln. 11) should be “the outputs of the respective functions” (objection applies equally to dependent claims 2-3, 5-6, and 8). Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claims 1-3, 5-6, 8-23, and 27-28 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. Regarding Claim 1, the claim recites the term “equivalent” (ln. 11), which is a relative term that renders the claim indefinite. The term “equivalent” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. As a result, the scope of the claim is unclear because it is not clear what “outputs [of] the respective functions” (ln. 11) qualify as “equivalent to the outputs”. Therefore, claim 1 is rejected. The claim should be amended to clarify what qualifies as “equivalent to the outputs”. Regarding Claims 2-3 and 5, the claims are rejected because they are dependent on a rejected claim. Regarding Claim 6, the claim recites the limitation “The computer-implemented method according to claim 4” (ln. 1). However, Claim 4 is canceled. As a result, the claim is indefinite because it is not clear what claim limitations are applicable to the claim. Therefore, the claim is rejected. Additionally, the claim is rejected because it is dependent on a rejected claim. Regarding Claim 8, the claim is rejected because it is dependent on a rejected claim. Regarding Claim 9, the claim recites the term “equivalent” (ln. 11), which is indefinite for substantially the same reasoning as articulated in the reject of claim 1 above. As a result, the claim is similarly rejected and should be amended in a similar manner. Regarding Claims 10-23 and 27-28, the claims are rejected because they are dependent on a rejected claim. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-3, 6, 9-19, 23, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Hesamifard et al. (hereinafter Hesamifard) (“CryptoDL: Deep Neural Networks over Encrypted Data”) in view of Kim et al. (hereinafter Kim) (“Logistic regression model training based on the approximate homomorphic encryption”). Regarding Claim 1, Hesamifard teaches a computer-implemented (Pg. 13, Para. 3, “We used HELib [14] for implementation and all computations were run on a computer with 16GB RAM, Intel Xeon E5-2640, 2.4GHz and Ubuntu 16.04.”; Pg. 15, Para. 1, “we use machines with similar configuration (Intel Xeon E5-1620 CPU running at 3.5GHz with 16GB of RAM in CryptoNets and Intel Xeon E5-2640, 2.4GHz with 16GB RAM in our case) for the experiments”) method for training a machine learning model, the method comprising (Pg. 1, Abstract, “In this paper, we develop new techniques to adopt deep neural networks within the practical limitation of current homomorphic encryption schemes . . . we train convolutional neural networks with the approximation polynomials instead of original activation functions and analyze the performance of the models”): obtaining a machine learning model (Pg. 7, Para. 2, “our goal is to adopt a CNN to work within HE constraints”; Pg. 13, Para. 3, “we present results of implementing adopted version of CNNs (ReLU is replaced with polynomial approximation) over encrypted data”, where the CNN, which is a machine learning model, must be obtained it to be altered to become an “adopted version” and then be “implement[ed]”) comprising a plurality of computational layers, the layers being arranged such that outputs from one or more of the layers serve as inputs to other ones of the layers (Pg. 5, Para. 1, “a neural network is a combination of neurons arranged in ordered layers . . . Besides the first layer (input layer) and the last layer (output layer), there is at least one middle layer, called hidden layer”, where outputs of all but the “last layer” serve as inputs for other layers, see generally Pg. 5, Fig. 1(d); for more information see Pgs. 5-7, Sec. 2.2.1-2.2.6); identifying one or more of the layers as comprising one or more functions that are not compatible with a homomorphic encryption (HE) scheme (Pg. 4, Para. 5, “only a limited number of additions and multiplications are allowed over encrypted data and therefore complex functions such as activation functions used in neural networks are not compatible with HE schemes”, where “HE” is “homomorphic encryption”, see Pg. 2, Para. 2, “The main components of CryptoDL are convolutional neural networks (CNNs) and homomorphic encryption (HE)”; Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 1+e−x ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements for these functions that only include addition and multiplication operations”); replacing the one or more functions with alternative functions, wherein the alternative functions are functions that are compatible with the homomorphic encryption scheme, and wherein the alternative functions are configured to generate, for a given set of inputs, outputs equivalent to the outputs the respective functions that they replace (Pg. 7, Para. 2-3, “our goal is to adopt a CNN to work within HE constraints . . . our solution to this problem is to approximate the non-compatible functions with a compatible form so they can be implemented using HE . . . we aim to approximate the activation functions with polynomials and replace them with these polynomials when operating over encrypted data”, where the alternative “functions” must be configured, for a given set of inputs, outputs equivalent to the outputs of the functions they are “replac[ing]” in order for them to qualify as an “approximate [of] the non-compatible functions with a compatible form”); . . . train the machine learning model using a set of . . . training data (Pg. 11, Para. 3, “Now that we have found polynomial approximations, the next step is training CNN models using these polynomials”) . . . . Hesamifard does not explicitly disclose . . . encrypting internal parameters of the machine learning model with a public key of the homomorphic encryption scheme; and sending the machine learning model to a third party computing system to . . . encrypted . . . wherein the third party computing system is configured to perform the training without decrypting the encrypted internal parameters of the machine learning model. However, Kim teaches . . . encrypting internal parameters of the machine learning model with a public key of the homomorphic encryption scheme; and sending the machine learning model to a third party computing system (Pg. 26, Col. 2, Para. 6, “First of all, a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud”, where “the public cloud” is a third party computing system, see Pg. 24, Col. 1, Para. 3, “The goal of this challenge is to evaluate the performance of state-of-the-arts methods that ensures rigorous data confidentiality during data analysis in a cloud environment” and Pg. 27, Col. 1, para. 2, “The public server”, where a “cloud environment” run using a “public server” is within the broadest reasonable interpretation of third party computing system, and “weight vector β(0)” are internal parameters of the machine learning model, see Pg. 24, Col. 2, Para. 2-, “Logistic regression or logit model is a ML model used to predict the probability of occurrence of an event . . . Logistic regression aims to find an optimal β . . . For logistic regression, the gradient of the cost function with respect to β is computed . . . Starting from an initial β0, the gradient descent method at each step t updates the regression parameters”; see also Pg. 25, Col. 1-2, Para. 3-1, “Approximate homomorphic encryption HE is a cryptographic scheme that allows us to carry out operations on encrypted data without decryption . . . the public key as pk . . . Encpk(m)”, where encryption, “Encpk(m)”, is performed using a “public key” of a “homomorphic encryption . . . scheme”) to [train the machine learning model using a set of] encrypted [data,] wherein the third party computing system is configured to perform the training without decrypting the encrypted internal parameters of the machine learning model (Pg. 26-28, Col. 2-1, Para. 6-4, “a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud. The dataset is encoded to a matrix Z . . . The public server takes two ciphertexts ctz and ct(t) β and evaluates the GD algorithm to find an optimal modeling vector. The goal of each iteration is to update the modeling vector β(t) using the gradient of loss function . . . Finally it returns a ciphertext encrypting the updated modeling vector”, where “the public cloud” receives an “encrypt[ed]” set of data, “the dataset”, and uses it to train the machine learning model, “find an optimal modeling vector . . . The goal of each iteration is to update the modeling vector β(t) using the gradient”, before returning the “encrypt[ed]” “updated model”; see also Pg. 26-28, Section “Homomorphic evaluation of the gradient descent”, where the “public server” never decrypts the machine learning model; see generally Pg. 3, Col. 1, Para. 3, “HE is a cryptographic scheme that allows us to carry out operations on encrypted data without decryption . . . ”, where “decryption” is not necessary to “carry out operations”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the modification of a machine learning model to replace functions not compatible with homomorphic encryption with compatible functions with equivalent outputs and subsequent training of the model with training data of Hesamifard with the encryption of the internal parameters of a machine learning model using the public key of an homomorphic encryption scheme and the transmission of the encrypted model parameters to a third party computing system for training with encrypted data without decryption of the model parameters of Kim in order to outsource model training, which due to its computational intensity can require complex system architectures and significant resource expenditure, while maintaining the confidentiality of sensitive training data (Kim, Pg. 23, Col. 1, Para. 2, “The scope of ML applications is constantly expanding; however, with the rise of ML, the security problem has become an important issue. For example, many medical decisions rely on logistic regression model, and biomedical data usually contain confidential information about individuals [3] which should be treated carefully. Therefore, privacy and security of data are the major concerns, especially when deploying the outsource analysis tools”, where privacy must be preserved from direct exposure, the data itself, and indirect exposure, parameters adjusted based on the data; Kim, Pg. 23, Abstract, “many machine learning algorithms aim to generate prediction models using training data which contain sensitive information about individuals. Cryptography community is considering secure computation as a solution for privacy protection . . . This paper presents a method to train a logistic regression model without information leakage . . . ”; Kim, Pg. 30, Col. 1, Para. 3, “In the paper, we presented a solution to homomorphically evaluate the learning phase of logistic regression model using the gradient descent algorithm and the approximate HE scheme. Our solution demonstrates a good performance and the quality of learning is comparable to the one of an unencrypted case. Our encoding method can be easily extended to a large-scale dataset, which shows the practical potential of our approach”) and state-of the art performance on real-world applications (Kim, Pg. 23, Abstract, “Our method shows a state-of-the-art performance of homomorphic encryption system in a real-world application”). Regarding Claim 2, Hesamifard in view of Kim teach the computer-implemented method according to claim 1, wherein the one or more functions that are not compatible with the HE scheme include one or more of: (ii) A non-polynomial function; (ii) A function including one or more conditional statements; and (iii) a polynomial function that includes a non-integer and/or negative power (Hesamifard, Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 1+e−x ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements”, where “ReLU” is a non-polynomial function that includes a conditional statement “max(0, x)”; see also Hesamifard, Pg. 2, Para. 3, “in neural networks activation functions such as Rectified Linear Unit (ReLU) and Sigmoid are used as an activation function and we have to replace these functions with another function that only uses addition and multiplication such as polynomials”). Regarding Claim 3, Hesamifard in view of Kim teach the computer-implemented method according to claim 1, wherein the alternative functions comprise polynomial functions whose powers are positive integers (Hesamifard, Pg. 2, Para. 3, “in neural networks activation functions such as Rectified Linear Unit (ReLU) and Sigmoid are used as an activation function and we have to replace these functions with another function that only uses addition and multiplication such as polynomials”; Hesamifard, Pg. 11, Para. 6, “We train different models using each approximation method discussed above. We use polynomials of degree 2 to replace the ReLU function in the first four methods and polynomial of degree 3 for the last method”, where “2” and “3” are positive integers). Regarding Claim 6, Hesamifard in view of Kim teach, as best understood given the 112(b)-issue discussed above, the computer-implemented method according to claim 4, wherein the internal parameters of the machine learning model comprise one or more of: (i) constants comprised within the functions of the machine learning model and (ii) weightings applied to input(s) to each layer of the machine learning model (Hesamifard, Pg. 5, Para. 1, “a neural network is a combination of neurons arranged in ordered layers . . . Besides the first layer (input layer) and the last layer (output layer), there is at least one middle layer, called hidden layer”, where the model, “neural network”, receives “input[s]” at each “layer”, and, in view of Kim, its weights are encrypted, see Kim, Pg. 26, Col. 2, Para. 6, “First of all, a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud”, where the internal parameters of the machine learning model, “β(0)”, comprise weights, “weight vector”, which are applied to the inputs “zTi”, at the layer of the machine learning model, see Kim, Pg. 24, Col. 2, Para. 2-3, “Logistic regression or logit model is a ML model used to predict the probability of occurrence of an event by fitting data to a logistic curve . . . Logistic regression aims to find an optimal β ∈ Rf +1 which maximizes the likelihood estimator . . . or equivalently minimizes the loss function, defined as the negative log-likelihood: PNG media_image1.png 74 338 media_image1.png Greyscale ”). The reasons for obviousness, in regard to the combination of Hesamifard with Kim, have been noted in the rejection of Claim 1 and remain applicable here. Regarding Claim 9, Hesamifard in view of Kim teach a computer-implemented (Hesamifard, Pg. 13, Para. 3, “We used HELib [14] for implementation and all computations were run on a computer with 16GB RAM, Intel Xeon E5-2640, 2.4GHz and Ubuntu 16.04.”; Hesamifard, Pg. 15, Para. 1, “we use machines with similar configuration (Intel Xeon E5-1620 CPU running at 3.5GHz with 16GB of RAM in CryptoNets and Intel Xeon E5-2640, 2.4GHz with 16GB RAM in our case) for the experiments”) method for training a machine learning model, the method comprising (Hesamifard, Pg. 1, Abstract, “In this paper, we develop new techniques to adopt deep neural networks within the practical limitation of current homomorphic encryption schemes . . . we train convolutional neural networks with the approximation polynomials instead of original activation functions and analyze the performance of the models”): obtaining a machine learning model (Hesamifard, Pg. 7, Para. 2, “our goal is to adopt a CNN to work within HE constraints”; Hesamifard Pg. 13, Para. 3, “we present results of implementing adopted version of CNNs (ReLU is replaced with polynomial approximation) over encrypted data”, where the CNN, which is a machine learning model, must be obtained it to be altered to become an “adopted version” and then be “implement[ed]”) comprising a plurality of computational layers, the layers being arranged such that outputs from one or more of the layers serve as inputs to other ones of the layers (Hesamifard, Pg. 5, Para. 1, “a neural network is a combination of neurons arranged in ordered layers . . . Besides the first layer (input layer) and the last layer (output layer), there is at least one middle layer, called hidden layer”, where outputs of all but the “last layer” serve as inputs for other layers, see generally Hesamifard, Pg. 5, Fig. 1(d); for more information see Hesamifard, Pgs. 5-7, Sec. 2.2.1-2.2.6); identifying one or more of the layers as comprising one or more functions that are not compatible with a homomorphic encryption (HE) scheme (Hesamifard, Pg. 4, Para. 5, “only a limited number of additions and multiplications are allowed over encrypted data and therefore complex functions such as activation functions used in neural networks are not compatible with HE schemes”, where “HE” is “homomorphic encryption”, see Hesamifard, Pg. 2, Para. 2, “The main components of CryptoDL are convolutional neural networks (CNNs) and homomorphic encryption (HE)”; Hesamifard, Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 1+e−x ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements for these functions that only include addition and multiplication operations”); replacing the one or more functions with alternative functions, wherein the alternative functions are functions that are compatible with a homomorphic encryption scheme, and wherein the alternative functions are configured to generate, for a given set of inputs, outputs equivalent to the outputs of the respective functions that they replace (Hesamifard, Pg. 7, Para. 2-3, “our goal is to adopt a CNN to work within HE constraints . . . our solution to this problem is to approximate the non-compatible functions with a compatible form so they can be implemented using HE . . . we aim to approximate the activation functions with polynomials and replace them with these polynomials when operating over encrypted data”, where the alternative “functions” must be configured, for a given set of inputs, outputs equivalent to the outputs of the functions they are “replac[ing]” in order for them to qualify as an “approximate [of] the non-compatible functions with a compatible form”); encrypting internal parameters of the machine learning model with a public key of the homomorphic encryption scheme (Kim, Pg. 26, Col. 2, Para. 6, “First of all, a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud”, where “weight vector β(0)” are internal parameters of the machine learning model, see Kim, Pg. 24, Col. 2, Para. 2-, “Logistic regression or logit model is a ML model used to predict the probability of occurrence of an event . . . Logistic regression aims to find an optimal β . . . For logistic regression, the gradient of the cost function with respect to β is computed . . . Starting from an initial β0, the gradient descent method at each step t updates the regression parameters”; see also Kim, Pg. 25, Col. 1-2, Para. 3-1, “Approximate homomorphic encryption HE is a cryptographic scheme that allows us to carry out operations on encrypted data without decryption . . . the public key as pk . . . Encpk(m)”, where encryption, “Encpk(m)”, is performed using a “public key” of a “homomorphic encryption . . . scheme”); receiving encrypted training data for training the machine learning model (Hesamifard, Pg. 11, Para. 3, “Now that we have found polynomial approximations, the next step is training CNN models using these polynomials”, where machine learning “CNN models” are “train[ed]”, which, in view of Kim, includes receiving encrypted training data, “the dataset”, see Kim, Pg. 26, Col. 2, Para. 6, “First of all, a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud”); and training the machine learning model using the encrypted training data, wherein the training is performed without decrypting the internal parameters of the machine learning model (Kim, Pg. 26-28, Col. 2-1, Para. 6-4, “a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud. The dataset is encoded to a matrix Z . . . The public server takes two ciphertexts ctz and ct(t) β and evaluates the GD algorithm to find an optimal modeling vector. The goal of each iteration is to update the modeling vector β(t) using the gradient of loss function . . . Finally it returns a ciphertext encrypting the updated modeling vector”, where “the public cloud” receives an “encrypt[ed]” set of data, “the dataset”, and uses it to train the machine learning model, “find an optimal modeling vector . . . The goal of each iteration is to update the modeling vector β(t) using the gradient”, before returning the “encrypt[ed]” “updated model”; see also Kim, Pg. 26-28, Section “Homomorphic evaluation of the gradient descent”, where the “public server” never decrypts the machine learning model; see generally Kim, Pg. 3, Col. 1, Para. 3, “HE is a cryptographic scheme that allows us to carry out operations on encrypted data without decryption . . . ”, where “decryption” is not necessary to “carry out operations”). The reasons for obviousness, in regard to the combination of Hesamifard with Kim, have been noted in the rejection of Claim 1 and remain applicable here. Regarding Claim 10, the additional elements of the dependent claim are substantially the same as limitations of Claim 2, therefore it is rejected under the same rationale. Regarding Claim 11, the additional elements of the dependent claim are substantially the same as limitations of Claim 3, therefore it is rejected under the same rationale. Regarding Claim 12, Hesamifard in view of Kim teach the computer implemented method according to claim 9, wherein the training data comprises data that is encrypted by a third party computing system (Hesamifard, Pg. 11, Para. 3, “Now that we have found polynomial approximations, the next step is training CNN models using these polynomials”, where machine learning “CNN models” are “train[ed]”, which, in view of Kim, includes receiving encrypted training data, “the dataset”, see Kim, Pg. 26, Col. 2, Para. 6, “First of all, a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud”, where the “the client” is a third party to the “public cloud” and the “public cloud” is a third party to “the client”, and both of which are computing systems). The reasons for obviousness, in regard to the combination of Hesamifard with Kim, have been noted in the rejection of Claim 1 and remain applicable here. Regarding Claim 13, Hesamifard in view of Kim teach the computer-implemented method according to claim 9, comprising using the trained machine leaning model to carry out a machine learning task (Hesamifard, Pg. 13, Para. 3-4, “We train the models using plaintext data and measure the accuracy of the built model”; where the “train[ing]” is “to provide/ receive the service” (i.e. tasks), see Hesamifard, Pg. 2, Para. 2, “we propose CryptoDL, a solution to run deep neural network algorithms on encrypted data and allow the parties to provide/ receive the service without having to reveal their sensitive data to the other parties”). Regarding Claim 14, Hesamifard in view of Kim teach the computer-implemented method according to claim 13, wherein the step of using the trained machine learning model to carry out the machine learning task is performed by a third party computing system (Hesamifard, Pg. 2, Para. 1-2, “with increasing growth of cloud services, machine learning services can be run on cloud providers’ infrastructure where . . . deploying machine learning models are performed on cloud servers. Once the models are deployed, users can use these models to make predictions without having to worry about maintaining the models and the service. In a nutshell, this is Machine Learning as a Service (MLaaS) . . . we propose CryptoDL, a solution to run deep neural network algorithms on encrypted data and allow the parties to provide/ receive the service without having to reveal their sensitive data to the other parties”, where “deployment” to “users” is carrying out the machine learning task, which is performed by third party computing system “cloud servers”). Regarding Claim 15, Hesamifard in view of Kim teach the computer-implemented method according to claim 14, wherein the task comprises classification of one or more images (Hesamifard, Pg. 13, Para. 3-4, “We train the models using plaintext data and measure the accuracy of the built model for classification of encrypted data . . . in each round of classification, we can classify a batch of encrypted images”; where the “train[ing]” is “to provide/ receive the service” (i.e. tasks), see Hesamifard, Pg. 2, Para. 2, “we propose CryptoDL, a solution to run deep neural network algorithms on encrypted data and allow the parties to provide/ receive the service without having to reveal their sensitive data to the other parties”). Regarding Claim 16, Hesamifard in view of Kim teach the computer-implemented method according to claim 14, wherein the machine learning model is a neural network (Hesamifard, Pg. 2, Para. 2, “In this paper, we propose CryptoDL . . . The main components of CryptoDL are convolutional neural networks (CNNs) and homomorphic encryption (HE)”). Regarding Claim 17, Hesamifard in view of Kim teach the computer-implemented method according to claim 16, wherein the machine learning model is a convolutional neural network (Hesamifard, Pg. 2, Para. 2, “In this paper, we propose CryptoDL . . . The main components of CryptoDL are convolutional neural networks (CNNs) and homomorphic encryption (HE)”). Regarding Claim 18, Hesamifard in view of Kim teach the computer-implemented method according to claim 14, wherein replacing the functions with alternative functions includes selection of an optimisation solver that is compatible with homomorphic encryption (Hesamifard, Pg. 16, Para. 2, “it is possible to train neural networks over encrypted data. If we replace all the activation functions and the loss function with polynomials, back-propagation can be computed using additions and multiplications”, where, in view of Kim, the “replac[ing]” includes selection of an optimization solver, see Kim, Pg. 24, Col. 1-2, Para. 4-4, “we use the HE scheme for approximate arithmetic . . . We also adapt Nesterov’s accelerated gradient [15] to increase the speed of convergence . . . Gradient Descent (GD) is a method for finding a local extremum (minimum or maximum) of a function by moving along gradients. To minimize the function in the direction of the gradient, one-dimensional optimization methods are used”, where “Nesterov’s accelerated gradient” to perform “one-dimensional optimization methods” is within the broadest reasonable interpretation of an optimisation solver, which is compatible with “HE”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the modification of a machine learning model to replace functions not compatible with homomorphic encryption with compatible equivalents and the subsequent training of the model by a third party with training data in order to carry out a task of Hesamifard in view of Kim with the selection of an optimization solver compatible with homomorphic encryption in further view of Kim in order to minimize the loss function of the model (Hesamifard, Pg. 16, Para. 2, “it is possible to train neural networks over encrypted data. If we replace all the activation functions and the loss function with polynomials”; Kim, Pg. 24, Col. 2, Para. 4, “Gradient Descent (GD) is a method for finding a local extremum (minimum or maximum) of a function by moving along gradients. To minimize the function in the direction of the gradient, one-dimensional optimization methods are used”), which improves model accuracy using a method with increased speed of convergence (Kim, Pg. 24, Col. 1, Para. 4, “To improve the performance, we apply several additional techniques including a packing method, which reduce the required storage space and optimize the computational time. We also adapt Nesterov’s accelerated gradient [15] to increase the speed of convergence. As a result, we could obtain a high accuracy classifier using only a small number of iterations”). Regarding Claim 19, Hesamifard in view of Kim teach the computer-implemented method according to claim 14, wherein the functions to be replaced comprise one or more functions having one or more division operations and/or which contain one or more square roots (Hesamifard, Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 / ( 1 +   e ^ ( - x )   ) ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements”, where the “Sigmoid” function includes a division operator “ 1 / ( 1 +   e ^ ( - x )   ) ”; see also Hesamifard, Pg. 2, Para. 3, “in neural networks activation functions such as . . . and Sigmoid are used as an activation function and we have to replace these functions with another function”; Hesamifard, Pg. 4, Para. 5, “HE schemes . . . have some limitations . . . [t]he last and most important limitation is lack of division operation”). Regarding Claim 23, Hesamifard in view of Kim teach the computer-implemented method according to claim 14, comprising adding a batch normalisation layer before one or more of the layers whose functions have been replaced by alternative functions (Hesamifard, Pg. 12, Sect. “3.5 CNN Model 2 with Polynomial Activation Function”, Fig. 4, “CNN Model 2”, where “BN”, which “stand[s] for . . . Batch normalization” and is within the broadest reasonable interpretation of a layer because it is a component of the “CNN” that acts on data passed through it, occurs before “act function” in multiple instances; and where the act functions are replacement “polynomial activation function[s]”, see Hesamifard, Pg. 4, Para. 5, “only a limited number of additions and multiplications are allowed over encrypted data and therefore complex functions such as activation functions used in neural networks are not compatible with HE schemes”; Hesamifard, Pg. 12, Sect. “3.5 CNN Model 2 with Polynomial Activation Function”). Regarding Claim 27, Hesamifard in view of Kim teach the computer-implemented method according to claim 9, wherein the one or more replaced functions (Hesamifard, Pg. 4, Para. 5, “only a limited number of additions and multiplications are allowed over encrypted data and therefore complex functions such as activation functions used in neural networks are not compatible with HE schemes”, where “HE” is “homomorphic encryption”, see Hesamifard, Pg. 2, Para. 2, “The main components of CryptoDL are convolutional neural networks (CNNs) and homomorphic encryption (HE)”; Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 1+e−x ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements for these functions that only include addition and multiplication operations”) include a loss function used in training the machine learning model (Hesamifard, Pg. 16, Para. 2, “it is possible to train neural networks over encrypted data. If we replace all the activation functions and the loss function with polynomials, back-propagation can be computed using additions and multiplications”; Kim, Pg. 27, Col. 1, Para. 2, “The goal of each iteration is to update the modeling vector β(t) using the gradient of loss function”). The reasons for obviousness, in regard to the combination of Hesamifard with Kim, have been noted in the rejection of Claim 1 and remain applicable here. Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Hesamifard in view of Kim and Nandakumar et al. (hereinafter Nandakumar) (“Towards Deep Neural Network Training on Encrypted Data”). Regarding Claim 5, Hesamifard in view of Kim teach the computer-implemented method according to claim 1, further comprising: receiving a trained version of the machine learning model from the third party computing system (Kim, Pg. 27-28, Col. 1-1, Para. 3-5, “The public server takes two ciphertexts ctz and ct(t)β and evaluates the GD algorithm to find an optimal modeling vector. The goal of each iteration is to update the modeling vector β(t) using the gradient of loss function . . . Finally it returns a ciphertext encrypting the updated modeling vector”, where the third party computing system, public cloud with “public server”, trains the model, “optimal modeling vector. The goal of each iteration is to update the modeling vector β(t) using the gradient of loss function”, and returns the trained version, “updated modeling vector”); and decrypting . . . using the private key of the homomorphic encryption scheme (Kim, Pg. 25, Col. 1-2, Para. 3-1, “Approximate homomorphic encryption HE is a cryptographic scheme that allows us to carry out operations on encrypted data without decryption . . . a secret key sk . . . Decsk(ct)”, where the private key, “secret key sk”, of a “homomorphic encryption . . . scheme” is used for decryption “Decsk(ct)”). The reasons for obviousness, in regard to the combination of Hesamifard with Kim, have been noted in the rejection of Claim 1 and remain applicable here. Hesamifard in view of Kim do not explicitly disclose . . . the internal parameters of the trained version of the machine learning model . . . (where the data that is decrypted using the private key is not explicitly disclosed). However, Nandakumar teaches . . . [decrypting] the internal parameters of the trained version of the machine learning model . . . (Pg. 42, Para. 3, “The data owner can decrypt the model parameters and use them for inferencing”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the receiving of a decrypted and trained version of the machine learning model from the third party computing system and homomorphic encryption scheme involving a private key for use in decryption of Hesamifard in view of Kim with the decrypting of internal parameters of the trained version of the machine learning model of Nandakumar in order to utilize machine learning models for inference, which were previously trained using third-party services in a privacy preserving manner (Nandakumar, Pg. 42, Para. 3, “The data owner can decrypt the model parameters and use them for inferencing”; see also Nandakumar, Pg. 40, Col. 2, Para. 2, “There are many scenarios where the data needed for training deep neural networks is extremely sensitive . . . The data owner may often lack the knowledge and proficiency to build deep learning models on their own to derive the benefits from their data. On the other hand, confidentiality and privacy constraints prevent sharing of the data with external service providers”). Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Hesamifard in view of Kim and Rekha et al. (hereinafter Rekha) (“Data Communication and Networks: A Review”). Regarding Claim 8, Hesamifard in view of Kim teach the computer-implemented method according to claim 1, wherein sending the machine learning model to the third party comprises transmitting the machine learning model as data (Kim, Pg. 26, Col. 2, Para. 5, “First of all, a client encrypts the dataset and the initial (random) weight vector β(0) and sends them to the public cloud”) . . . . The reasons of obviousness, in regard to the combination of Hesamifard with Kim, have been noted in the rejection of Claim 1 and remain applicable here. Hesamifard in view of Kim do not explicitly disclose . . . over a communications network. However, Rekha teaches . . . over a communications network (Pg. 1, Abstract, “In this paper we have given a complete overview about Data Communication and Computer Network”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the sending of a model to a third party by transmitting the model as data of Hesamifard in view of Kim with the use of a computer network to communicate data of Rekha in order to share resources using a reliable and cost-effective method (Rekha, Pg. 310-311, Col. 2-1, Para. 5-2, “Reasons for Using Computer Network and Its advantages 1. Resource Sharing: It is possible to share all programs data and other resources. All the information gets stored in server . . . 2. High Reliability of Communication . . . 3. Cost Effective”). Claims 20 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hesamifard in view of Kim and Solomon (“Numerical Algorithms”). Regarding Claim 20, Hesamifard in view of Kim teach the computer-implemented method according to claim 19, wherein the functions having one or more division operations and/or which contain one or more square roots are replaced by using a . . . method (Hesamifard, Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 / ( 1 +   e ^ ( - x )   ) ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements”, where the “Sigmoid” function includes a division operation “ 1 / ( 1 +   e ^ ( - x )   ) ”; see also Hesamifard, Pg. 1, Abstract, “we design methods for approximation of the activation functions commonly used in CNNs (i.e. ReLU, Sigmoid, and Tanh)”). Hesamifard in view of Kim do not explicitly disclose . . . Newton-Raphson. However, Solomon teaches . . . Newton-Raphson (Pg. 160, Sect. 8.8, “In this problem, we will derive a technique is known as Newton-Raphson division . . . the reciprocal 1/a of a ∈ R can be computed iteratively using Newton’s method”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the replacement of a function having a division operation with an approximate function to achieve an approximate output of Hesamifard in view of Kim with the use of a Newton-Raphson method to approximate division of Solomon in order to use a division approximation method with fast convergence (Solomon, Pg. 160, Sect. 8.8, “In this problem, we will derive a technique is known as Newton-Raphson division. Thanks to its fast convergence, it is often implemented in hardware for IEEE-754 floating point arithmetic”). Regarding Claim 21, Hesamifard in view of Kim and Solomon teach the computer-implemented method according to claim 20, wherein the functions to be replaced comprise one or more exponential functions (Hesamifard, Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 / ( 1 +   e ^ ( - x )   ) ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements”, where “Sigmoid” is an exponential function, where Euler’s number is raised to a variable exponent: “ e ^ ( - x ) ”; see also Hesamifard, Pg. 2, Para. 3, “in neural networks activation functions such as . . . and Sigmoid are used as an activation function and we have to replace these functions with another function”). Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Hesamifard in view of Kim, Solomon, and Cetin et al. (hereinafter Cetin) (“An application of multilayer neural network on hepatitis disease diagnosis using approximations of sigmoid activation function”). Regarding Claim 22, Hesamifard in view of Kim and Solomon teach the computer-implemented method according to claim 21, wherein the exponential functions are replaced by using a . . . [replacement for the exponential functions] (Hesamifard, Pg. 6, Para. 2, “There are several activation functions we may encounter in practice including ReLU (ReLU(x) = max(0, x)), Sigmoid (σ = 1 / ( 1 +   e ^ ( - x )   ) ), and Tanh (2σ(2x) − 1) functions. We cannot calculate these functions over encrypted values and we should find replacements”, where “Sigmoid” is an exponential function because Euler’s number is raised to a variable exponent: “ e ^ ( - x ) ”; see Hesamifard, Pg. 1, Abstract, “we design methods for approximation of the activation functions commonly used in CNNs (i.e. ReLU, Sigmoid, and Tanh)”). Hesamifard in view of Kim and Solomon do not teach . . . Taylor series (where Hesamifard only explicitly teaches the use of Taylor series in other contexts). However, Cetin teaches . . . Taylor series (Pg. 154, Fig. 5, Pg. 154, Col. 1, Para. 2, “Taylor series expansion gives the closest approximation to the sigmoid function and provides much higher accuracy than previous approximations. The approximated function is shown in Figure 5”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the replacement of an exponential function with a function to achieve an output of Hesamifard in view of Kim and Solomon with the use of a Taylor series method to approximate an exponential function of Cetin in order to replace a sigmoid function with a high degree of accuracy (Cetin, Pg. 154, Fig. 5, Pg. 154, Col. 1, Para. 2, “Taylor series expansion gives the closest approximation to the sigmoid function and provides much higher accuracy than previous approximations. The approximated function is shown in Figure 5”). Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Hesamifard in view of Kim and Ghimes et al. (hereinafter Ghimes) (“Applying neural network approach to homomorphic encrypted data”). Regarding Claim 28, Hesamifard in view of Kim teach the computer-implemented method according to claim 9, wherein the machine learning model is trained . . . (Hesamifard, Pg. 11, Para. 3, “Now that we have found polynomial approximations, the next step is training CNN models using these polynomials”). Hesamifard in view of Kim do not explicitly disclose . . . using backpropagation. However, Ghimes teaches [a neural network approach to homomorphic encryption] (Pg. 1, Title, “Applying neural network approach to homomorphic encrypted data”) . . . using backpropagation (Pg. 4, Col. 1, Para. 1-2, “the neural network training . . . The research was done using a XOR neural network implementation using backpropagation and feed-forward algorithm”). Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the method for training a machine learning model under homomorphic encryption of Hesamifard in view of Kim with the neural network approach to homomorphic encryption using backpropagation of Ghimes in order to enable efficient training of the machine learning model, using a popular method that resolves large learning problems without increased computational effort (Ghimes, Pg. 4, Col. 1, Para. 3, “The backpropagation algorithm represents a popular method used to resolve large learning problems without increasing computational effort”). Response to Arguments Applicant's arguments filed on October 23, 2025 have been fully considered. Each argument is addressed in detail below. I. Applicant argues the amendments to the specification overcome the objections to the specification (Applicant’s Remarks/Arguments, 10/23/2025, Pg. 7, Section “Response to Specification Objections”). Applicant’s amendments have overcome each and every objection to the specification previously set forth in the July 24, 2025 Office Action. As a result, the objections to the specification have been withdrawn. II. Applicant argues the amendments to the claims overcome the objections to the claims (Applicant’s Remarks/Arguments, 10/23/2025, Pg. 7, Section “Response to Claim Objections”). Applicant’s amendments have overcome each and every objection to the claims previously set forth in the July 24, 2025 Office Action. As a result, these objections to the claims have been withdrawn. However, as discussed in detail above, the amendments to the claims create additional minor informalities, which necessitate new grounds for objection. III. Applicant argues the amendments to the claim overcome the rejections to the claims, under 35 U.S.C. § 112(b) (Applicant’s Remarks/Arguments, 10/23/2025, Pg. 8-9, Section “Response to Claim Rejections - U.S.C. § 112”). Applicant’s amendments have overcome each and every claim rejection under 35 U.S.C. § 112(b), as previously set forth in the July 24, 2025 Office Action. As a result, these rejections have been withdrawn. However, as discussed in detail above, the amendments to the claims create additional indefiniteness, which necessitate new grounds for rejection under 35 U.S.C. § 112(b). Notably, Applicant argues the specification provides a standard for ascertaining the requisite degree for the relative term “equivalent” as computational functions that provide the same or similar output given a respective set of inputs. Under 35 U.S.C. § 112(b), “The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention”. Here, the cited pages from the specification do not provide a standard for ascertaining the requisite degree for the relative term “equivalent” because the term “similar” (Spec, Pg. 14, Para. 2), which applicant relies upon to provide the standard, is itself a relative term without a standard for ascertaining its relative degree. As a result, the argument is not persuasive. IV. Applicant argues the amendments to the claim overcome the rejections to the claims, under 35 U.S.C. § 101 (Applicant’s Remarks/Arguments, 10/23/2025, Pg. 9-11, Section “Response to Claim Rejections - U.S.C. § 101”). Applicant’s amendments have overcome each and every rejection to the claims, under 35 U.S.C. § 101, previously set forth in the July 24, 2025 Office Action. As a result, the rejections under 35 U.S.C. § 101 have been withdrawn. V. Applicant argues the amendments to the claim overcome the rejections to the claims, under 35 U.S.C. § 103 (Applicant’s Remarks/Arguments, 10/23/2025, Pg. 12-13, Section “Response to Claim Rejections - U.S.C. § 103”). In response to Applicant’s amendments, the previously communicated rejections under 35 U.S.C. § 103, have been withdrawn. However, Applicant’s arguments are not persuasive in light of the new rejections, under 35 U.S.C. § 103, discussed in detail above. The new grounds of rejection rely on new prior art of the record in order to teach the new combination of elements in the amended independent claims, which were not presented in this arrangement in any of the previously presented claims. For clarity of the record, it is worth pointing out the reference Kim (“Logistic regression model training based on the approximate homomorphic encryption”), which is relied upon in this Office Action, is not the same reference Kim (“Secure Logistic Regression Based on Homomorphic Encryption: Design and Evaluation”) that was relied upon in the previously communicated rejections under 35 U.S.C. § 103. As a result, the argument is moot. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW BRYCE GOLAN whose telephone number is (571)272-5159. The examiner can normally be reached Monday through Friday, 8:00 AM to 5:00 PM ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached at (571) 270-3428. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MATTHEW BRYCE GOLAN/Examiner, Art Unit 2123 /ALEXEY SHMATOV/Supervisory Patent Examiner, Art Unit 2123