DETAILED ACTION
This Office Action is in response to the communication filed on 10/10/2025.
Claims 1-19 are pending.
Claims 3-6 and 9-15 have been amended.
Claims 4-5, 7 and 14-15 are objected to as allowable.
Claims 3, 6, 8-13, and 16-19 are rejected.
The Examiner cites particular sections in the references as applied to the claims below for the convenience of the applicant(s). Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant(s) fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Election/Restrictions
Applicant’s election without traverse of Claims 3-13 and 14-19 in the reply filed on 10/10/2025 is acknowledged.
On page 16 of Remarks filed 12/18/2025, Applicant requests rejoinder of the currently withdrawn claims and asserts this is proper because the withdrawn claims are similar to the examined claims.
Examiner agrees that the inventions are related as combination and subcombination and asserts that restriction is proper because the inventions are distinct. Here the inventions have separate utility and do not require the particulars of each other to perform each inventions individual and distinct functions.
Note
Applicant amended Claims 6, 9, 10, 11 and 12 which recited “sever” now properly recite “server”. The claim amended was not properly annotated.
Applicant is required to submit a corrected version in the next office action.
Examiner will be interpreting the claims to read “server” and not “sever”.
Allowable Subject Matter
Claims 4-5, 7 and 14-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: Prior art does not reasonably teach:
“The first server computing system of claim 3, wherein: the respective ciphertext received from each of the plurality of client devices further comprises a respective first ciphertext component, the first ciphertext component comprising a hashed version of the index that has been encrypted using a semantic public key associated with the second server computing system; and computing the respective pseudoindex for each ciphertext comprises computing the pseudoindex from the first ciphertext component using a hash function and key held by the first server computing system.”
The second server computing system of claim 13, wherein: each modified ciphertext further comprises a respective index that has been encrypted using a combined public key generated from two or more private keys respectively separately held by the first server computing system and the second server computing system; and the second server system operations further comprise: using the respective private key separately held by the second server computing system to partially decrypt the respective index and generate a respective partially decrypted index; and for at least one of the set of aggregated values, transmitting the corresponding partially decrypted index to the first server computing system for the first server computing system to use the respective private key separately held by the first server computing system to recover the original respective index from the partially decrypted index. or
“The first server computing system of claim 3, wherein: the respective ciphertext received from each of the plurality of client devices further comprises a respective index that has been encrypted using a combined public key generated from two or more private keys respectively separately held by the first server computing system and the second server computing system; each of the set of aggregated values received from the second server computing system has a respective partially decrypted index associated therewith, each partially decrypted index having been generated by the second server computing system using the respective private key separately held by the second server computing system; and for at least one of the set of aggregated values, the first server operations further comprise: further decrypting the corresponding partially decrypted index using the respective private key separately held by the first server computing system to recover the original respective index.”
The second server computing system of claim 13, wherein: each pseudoindex was generated by the first server computing system from a first ciphertext component using a hash function and key held by the first server computing system, the first ciphertext component comprising a hashed version of the index that has been encrypted using a semantic public key associated with the second server computing system; and the second server system operations further comprise, prior to partitioning the modified ciphertexts based on the pseudoindex: partially decrypting each pseudoindex using a semantic private key that corresponds to the semantic public key, wherein said partitioning is performed based on the partially decrypted pseudoindices.
“The first server computing system of claim 3, wherein the first sever system operations further comprise, prior to transmitting the modified ciphertexts to the second server computing system: generating one or more dummy contributions; and inserting the dummy contributions into the modified ciphertexts.” And “The first server computing system of claim 6, wherein generating the one or more dummy contributions comprises: sampling one or more frequency dummy contributions; sampling one or more duplicate dummy contributions; and sampling one or more blanket dummy contributions.”
Claim Objections
The claim objections are withdrawn due to Applicant’s amendments.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 3, 5, 9-15 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 5, 13, 14 and 15 recite “partially” decrypted and Claims 3, 9-12 and 18 recite “decrypted, aggregated values”. Because the method performs double encryption it not clear if the “decrypting” removed both layers of encryption on parts of the data of if the decryption removes one layer of encryption on all of the data. The specifications provide support for both interpretations which makes not unclear which interpretation Applicant is claiming as the invention.
The term “non-zero” in claims 19 renders the claim indefinite. The term “non-zero” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. It is not clear what is “non-zero” refers to, is the index non-zero? Is the value non-zero? Is the aggregated value non-zero?
Amendments were made to claim 12 and the rejection regarding claim 12 is withdrawn, however similar amendments were not made to claim 19.
The 112 rejections for antecedent basis are withdrawn due to Applicant’s amendments.
Claims rejections under 112 regarding thresholding are withdrawn due to applicant’s amendments.
Claims rejections under 112 regarding semantic are withdrawn due to applicant’s amendments.
Claims rejections under 112 regarding frequency, duplicate, and blanket dummy contributions are withdrawn due to applicant’s arguments.
Claims rejections under 112 regarding pseudoindex/pseudoindices are withdrawn due to applicant’s arguments.
Claims rejections under 112 regarding shuffle/de-shuffle are withdrawn due to applicant’s arguments.
Claims rejections under 112 regarding aggregation/aggregated are withdrawn due to applicant’s arguments.
Response to Arguments
Applicant's arguments filed 3/18/2026 have been fully considered but they are not persuasive.
Initially, [0056] of the instant application recites “Homomorphic encryption (HE) is a primitive that allows computation on encrypted data” which examiner is interpreting to mean that Applicant is admitting that a POSITA would have known about homomorphic encryption in this context because it is low-level and well understood.
On Page 14 of Remarks Applicant argues Bonawitz does not teach a person of ordinary skill in the art to use homomorphic encryption.
Examiner disagrees because Bonawitz only states that homomorphic encryption is “unworkable” because of specific constraints related to client devices. Bonawitz specifically teaches that homomorphic encryption can be used to solve the secure aggregation problem, which is the same problem as applicant is solving with homomorphic encryption. Further the specific constraints which Bonawitz indicates make homomorphic encryption “unworkable” are not constraints in the instant application, therefore Bonawitz does teach a POSIA to use homomorphic encryption to solve the security problem.
On Pages 14-15 of Remarks Applicant argues Bonawitz and Lopez do not render claim 3 obvious because Bonawitz teaches away from the use of homomorphic encryption.
Bonawitz teaches homomorphic encryption can be used in the disclosed secure aggregation for privacy preserving machine learning. Bonawitz does not “teach away” but rather performs a comparative analysis (section 1: “We discuss these existing works in more detail in Section 9, and compare them to our approach”; Section 9: “Schemes based on threshold additively homomorphic cryptosystems (e.g. the Paillier cryptosystem [40, 49]) can handle client dropouts, but are either computationally expensive or require additional trust assumptions”). Therefore Bonawitz teaches homomorphic encryption can be used, but has tradeoffs which need to be considered.
On Page 15 of Remarks Applicant argues Bonawitz and Lopez do not render claim 3 obvious because somehow modifying Bonawitz to arrive at the elements of claim 3 would render Bonawitz unsatisfactory for its intended purpose.
Examiner disagrees because Bonawitz does not “teach away” rather Bonawitz “teaches” homomorphic encryption can be used, but when it is used it has tradeoffs. The claims are not directed to any of the constraints which Bonawitz indicates are unworkable when using homomorphic encryption.
Applicant argues that the dependent claims are allowable by virtue of reliance on allowable independent claims, however examiner does not find the independent claims allowable therefore the dependent claims are not allowable other than dependent claims 4-5, 7 and 14-15 which Examiner indicated contain allowable subject matter.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3, 6, 8-13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over (Practical Secure Aggregation for Privacy-Preserving Machine Learning), Bonawitz, in view of (On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption), Lopez.
Regarding claim 1,
BONAWITZ discloses: A first server computing system comprising one or more server computing devices, the first server computing system configured to perform first server system operations to enable private and secure multi-party computation, the first server system operations comprising:
receiving a respective ciphertext from each of a plurality of client devices, wherein each respective ciphertext comprises: (BONAWITZ [Page 1 Section 1] teaches multiple users uploading encrypted data to a server, shown in figure 2)
a respective value that has been encrypted using both: (BONAWITZ [Section 3, Protocol 0; Page 4, 4.0.1] teaches a first masking (encryption); BONAWITZ [Section 3, Protocol 3; Page 5, 4.0.3]; [Page 7 Round] teaches a using a random seed during double encryption (bu) which is associated with other users and used to add the secondary mask); [Section 1 and Section 10] teach homomorphic encryption)
a public homomorphic encryption key associated with the first server computing system; and (BONAWITZ [Section 3, Protocol 0; Page 4, 4.0.1] teaches a first masking (encryption); BONAWITZ [Section 3, Protocol 3; Page 5, 4.0.3]; [Page 7 Round] teaches a using a random seed during double encryption (bu) which is associated with other users and used to add the secondary mask); [Section 1 and Section 10] teach homomorphic encryption)
obtaining modified ciphertexts based on computing a respective pseudoindex for each respective ciphertext and inserting the respective pseudoindex into the respective ciphertext to obtain a respective modified ciphertext of the modified ciphertexts; (BONAWITZ [Page 2-3, Section 3.1; Page 6-8, Sections 6.1-6.2]; [Page 5 Section 4.0.3]; [Page 7 Round 1] teaches that all ciphertexts contain addressing information (u, v) as metadata (pseudoindex), which was inserted into the ciphertexts)
transmitting the modified ciphertexts to the second server computing system for the second server computing system to compute homomorphic aggregation of the encrypted values grouped on the basis of pseudoindex; (BONAWITZ [Page 3 Section 3, Page 4 Section 4.0.1] The server receiving sectioned masked inputs form users and grouping of values; [Page 14 Section 8] teaches multiple servers, which can receive the ciphertext data)
receiving a set of aggregated values from the second server computing system; and (BONAWITZ Page s, Section 2, (Figure 1, right); Page 20-21, Section B] teaches a third party server which can perform the aggregation and send the received aggregated values)
using a private homomorphic encryption key that corresponds to the public homomorphic encryption key to decrypt the set of aggregated values to generate a set of decrypted, aggregated values. (BONAWITZ [Page 7, Round 4] teaches unmasking (decrypting) the aggregated values; [Section 1 and Section 10] teach homomorphic encryption))
While BONAWITZ discloses double masking, it does not explicitly disclose: encrypting a value using a first public key and an additional public key associated with a second, different server computing system;
However, in the same field of endeavor LOPEZ discloses:
an additional public key associated with a second, different server computing system; (LOPEZ [Section 3.2 and Section 4.2] teaches multikey encryption of ciphertexts for 3rd party aggregation and using a public key, which is associated with the server to encode the ciphertext(s))
BONAWITZ and LOPEZ are analogous art because they are from the same field of endeavor multiparty computations.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of BONAWITZ and LOPEZ before him or her, to modify the method of BONAWITZ to include the multikey encryption of LOPEZ because MPC can be achieved using a new type of encryption scheme that we call multikey FHE, which is capable of operating on inputs encrypted under multiple, unrelated keys.
The motivation for doing so would be [“to perform practical FHE”] (Section 1.2 by LOPEZ)].
Therefore, it would have been obvious to combine BONAWITZ and LOPEZ to obtain the invention as specified in the instant claim.
Regarding claim 13,
BONAWITZ discloses: A second server computing system comprising one or more server computing devices, the second server computing system configured to perform second server system operations to enable private and secure multi-party computation, the second server system operations comprising: (BONAWITZ Page s, Section 2, (Figure 1, right); Page 20-21, Section B] teaches a third party server which can perform the aggregation and send the received aggregated values)
receiving a plurality of modified ciphertexts from a first, different server computing system, each respective modified ciphertext of the plurality of modified ciphertexts comprising: (BONAWITZ [Page 1 Section 1] teaches multiple users uploading encrypted data to a server, as shown in figure 2)
a respective pseudoindex generated by the first server computing system; and (BONAWITZ [Page 2-3, Section 3.1; Page 6-8, Sections 6.1-6.2]; [Page 5 Section 4.0.3]; [Page 7 Round 1] teaches that all ciphertexts contain addressing information (u, v) as metadata (pseudoindex), which was inserted into the ciphertexts)
a respective value that has been encrypted using both: (BONAWITZ [Section 3, Protocol 0; Page 4, 4.0.1] teaches a first masking (encryption); BONAWITZ [Section 3, Protocol 3; Page 5, 4.0.3]; [Page 7 Round] teaches a using a random seed during double encryption (bu) which is associated with other users and used to add the secondary mask); [Section 1 and Section 10] teach homomorphic encryption)
a public homomorphic encryption key associated with the first server computing system; and (BONAWITZ [Section 3, Protocol 0; Page 4, 4.0.1] teaches a first masking (encryption); BONAWITZ [Section 3, Protocol 3; Page 5, 4.0.3]; [Page 7 Round] teaches a using a random seed during double encryption (bu) which is associated with other users and used to add the secondary mask); [Section 1 and Section 10] teach homomorphic encryption)
decrypting the respective value in each respective modified ciphertext using a private key associated with the additional public key to obtain a partially decrypted value for each respective modified ciphertext; (Lopez [Section 3, Protocol 0; Page 4, 4.0.1] teaches a first masking (encryption); BONAWITZ [Section 3, Protocol 3; Page 5, 4.0.3]; [Page 7 Round] teaches a using a random seed during double encryption (bu) which is associated with other users and used to add the secondary mask); [Section 1 and Section 10] teach homomorphic encryption; teaches unmasking data which was twice masked. Partial decryption occurring when the first mask is removed but the second one remains)
grouping the plurality of modified ciphertexts based on the pseudoindices; (Lopez [Page 4-5, Section 4; Page 7-8, Section 6.1] teaches shares (partitions) of a Diffie Hellman secret (ciphertext), associated with each user’s identifier)
determining, for each pseudoindex and using homomorphic aggregation, an aggregated value to generate a set of aggregated values; and (Lopez [Page 4-5, Section 4; Page 7-8, Section 6.1] teaches shares (partitions) of a Diffie Hellman secret (ciphertext), which are based on homomorphic encryption; (Lopez [Page 2, Section 2; Page 6-7, Section 5-6] teaches that once the aggregation has been performed, the aggregated values are sent back to a server of the first computing system for decryption))
transmitting the set of aggregated values to the first server computing system for the first server computing system to decrypt using a private homomorphic encryption key that corresponds to the public homomorphic encryption key. (Lopez [Page 2, Section 2; Page 6-7, Section 5-6] teaches that once the aggregation has been performed, the aggregated values are sent back to a server of the first computing system for decryption)
While BONAWITZ discloses double masking, it does not explicitly disclose: encrypting a value using a first public key and an additional public key associated with the second server computing system;
However, in the same field of endeavor LOPEZ discloses:
an additional public key associated with the second server computing system; (LOPEZ [Section 3.2 and Section 4.2] teaches multikey encryption of ciphertexts for 3rd party aggregation and using a public key, which is associated with the server to encode the ciphertext(s))
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify with LOPEZ for similar reasons as cited in claim 1.
Regarding claim 6,
BONAWITZ in view of LOPEZ discloses: The first server computing system of claim 3, wherein the first server system operations further comprise, prior to transmitting the modified ciphertexts to the second server computing system: generating one or more dummy contributions; and inserting the dummy contributions into the modified ciphertexts. (BONAWITZ [Page 8, Section 6] teaches inserting dummy inputs (for example vectors of 0) into ciphertexts)
Regarding claims 8 and 16,
BONAWITZ in view of LOPEZ discloses: The first server computing system of claim 3, wherein the second server computing system has added noise to one or more of the set of aggregated values. (BONAWITZ [Page 20 Section B] Teaches that noise can be incorporated (added) when computations are being performed)
Regarding claim 9,
BONAWITZ in view of LOPEZ discloses: The first server computing system of claim 3, wherein the first server system operations further comprise, after decrypting the set of aggregated values to generate the set of decrypted, aggregated values: adding noise to one or more of the set of decrypted, aggregated values. (BONAWITZ [Page 20 Section B] Teaches that noise can be incorporated (added) by the user)
Regarding claim 10,
BONAWITZ in view of LOPEZ discloses: The first server computing system of claim 3, wherein the first server system operations further comprise, after decrypting the set of aggregated values to generate the set of decrypted, aggregated values: removing one or more of the set of decrypted, aggregated values that is less than a threshold value. (BONAWITZ [Page 1 Section 1; Page 3, Section 2; Page 5, Section 4, Page 7] teaches thresholding being performed, including removing data from the dataset based on the threshold)
Regarding claims 11 and 18,
BONAWITZ in view of LOPEZ discloses: The first server computing system of claim 3, wherein: the set of aggregated values have been shuffled by the second server computing system; and the first server system operations further comprise, after decrypting the set of aggregated values to generate the set of decrypted, aggregated values: transmitting the set of decrypted, aggregated values to the second server computing system for de-shuffling by the second server computing. (BONAWITZ [Page 6, Section 6; Page 7; and Page 8-9, Section 6] teaches that individual contribution from individual users are combined using randomness, but once the computations are performed the data is sent back to the respective use (unshuffled))
Regarding claims 12 and 19,
BONAWITZ in view of LOPEZ discloses: The first server computing system of claim 3, wherein the first server system operations further comprise, after decrypting the set of aggregated values to generate the set of decrypted, aggregated values: receiving a non-zero index decryption list from the second server computing system, the non-zero index decryption list identifying partially decrypted indices that have non-zero values; and recovering a respective index associated with each entry on the non-zero index decryption list. (BONAWITZ [Page 8, Section 6] teaches using dummy inputs (for example vectors of 0); [Page 21, Section C] teaches identification of non-zero entries; [Section 1 and Section 10] teach homomorphic encryption; teaches unmasking data which was twice masked. Partial decryption occurring when the first mask is removed but the second one remains)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
Gentry 2019-6-18 (US 20200403781) teaches using homomorphic encryption at the bit level.
Wang 2005-12-19 (US 20070140479) teaches a collection system of a device receives from a previous device a request for data that includes a public key and a homomorphic encryption of data based on the public key. The collection system then combines the received public key with a device public key to generate a combined public key and combines a homomorphic encryption of device data with the homomorphic encryption of the received data into a homomorphic encryption of the combined data. The collection system then forwards the combined public key and the homomorphic encryption of the combined data to the next device.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
THOMAS A. CARNES
Examiner
Art Unit 2436
/THOMAS A CARNES/Examiner, Art Unit 2436 /KENDALL DOLLY/Primary Examiner, Art Unit 2436