DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/06/2026 has been entered.
This Office Action is in response to the RCE filed on 02/06/2026. As per the instant Amendment, Claims 1, 11, 14-15, and 17-18 have been amended; Claims 1, 11, and 18 are independent Claims; Claims 1-20 have been examined and are pending. This Office Action is made Non-Final.
Response to Arguments
Applicants’ arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection.
In an attempt to promote the principle of compact prosecution, on 03/11/2026, the Examiner contacted the Applicants to discuss possible amendments to move the case forward. However, the Examiner and the Applicants could not reach an agreement.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 4-5, 10-12, 14-15, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bordow et al. (“Bordow,” US 20250103720, filed on 06/06/2022) in view of Carter et al. (“Carter,” US 11,477,016 B1, published on 10/18/2022), and further in view of Ghosh et al. (“Ghosh,” US 20200117811, published on 04/16/2020).
Regarding Claim 1;
Bordow discloses a method comprising:
identifying a target to be analyzed (par 0022; the computing device executes the various risk modeling that is provided herein to analyze the impact of CRQCs on the applications of the system);
determining a collection of executable cipher suites used by the target (par 0040; a single node can have multiple points of cryptography (1, 2, 3), and a single cryptography may have multiple remediations depending on the context of use (e.g., RSA is used for digital signatures and asymmetric keys and each use case may have distinct remediations));
classifying the target as being post-quantum computing unsafe and based on a predetermined rule for each executable cipher suite in the collection of executable cipher suites (par 0003; identify a plurality of applications associated with an entity; define one or more cryptographies associated with each of the plurality of applications; select an estimated time at which the one or more cryptographies will be compromised by the post-quantum cryptography; par 0029; each of the nodes in the node layer can have one or more a cryptographic profiles and potential remediation options, as depicted in a cryptographic profile and remediation layer; par 0040; a single node can have multiple points of cryptography (1, 2, 3); par 0041; remediations based upon the type of cryptography are provided in the following table stored in the database); and
in response to classifying the target as being post-quantum computing unsafe, sending remediation instructions via a network to the target to upgrade at least one executable cipher suite in the collection of executable cipher suites used by the target to cause the target to be post-quantum computing safe (par 0003; identify a plurality of applications associated with an entity; define one or more cryptographies associated with each of the plurality of applications; select an estimated time at which the one or more cryptographies will be compromised by the post-quantum cryptography; par 0029; each of the nodes in the node layer can have one or more a cryptographic profiles and potential remediation options, as depicted in a cryptographic profile and remediation layer; par 0040; a single node can have multiple points of cryptography (1, 2, 3), and a single cryptography may have multiple remediations depending on the context of use (e.g., RSA is used for digital signatures and asymmetric keys and each use case may have distinct remediations); par 0041; remediations based upon the type of cryptography are provided in the following table stored in the database).
Bordow discloses executable cipher suites and classifying the target as being post-quantum computing unsafe as recited above, but does not explicitly disclose generating and displaying a cipher suite dependency graph for the target based on the collection of executable cipher suites, or classifying the target based on the cipher suite dependency graph.
However, in an analogous art, Carter discloses post-quantum cryptography system/method that includes:
generating and displaying a cipher suite dependency graph for the target based on the collection of executable cipher suites (Carter: fig. 7A-C; Col 67, lines 56-60; generate a PQC optimization GUI based on the PQC cryptographic performance information (including, but not limited to, the set of PQC cryptographic performance attributes), the set of PQC encryption attributes, or both; Col 67, line 65 – Col 68, line 2; the communications circuitry configured to transmit the data attribute GUI, risk profile GUI, PQC optimization GUI, data monitoring GUI, or a combination thereof to a client device for display by the client device).
classifying the target as being post-quantum computing unsafe based on cryptographic call ascertained by the cipher suite dependency graph (Carter: Col 90, lines 48-51; the set of PQC cryptographic performance attributes may comprise an information classification for each PQC cryptographic technique in the set of PQC cryptographic techniques; Col 83, lines 47-54; the PQC cryptographic performance information comprise a set of PQC cryptographic performance attributes for each PQC cryptographic technique in the set of PQC cryptographic techniques. In some embodiments, each PQC cryptographic technique in the set of PQC cryptographic techniques may be a variant (e.g., "II"; "III"; "IV"; "128"; "160") of a PQC cryptographic algorithm; Col 84, lines 14-23; generate, based on the generated PQC cryptographic performance information [] measurement of standard deviation indicates that the variant is unstable or unpredictable).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Carter with the method/system of SALIBA to include generating and displaying a cipher suite dependency graph for the target based on the collection of executable cipher suites; classifying the target as being post-quantum computing unsafe based on cryptographic call ascertained by the cipher suite dependency graph. One would have been motivated to retrieve PQC cryptographic performance information associated with a set of PQC cryptographic techniques. The PQC cryptographic performance information may comprise a set of PQC cryptographic performance attributes for each PQC cryptographic technique in the set of PQC cryptographic techniques (Carter: abstract).
The combination of Bordow and Carter discloses classifying the target as being post-quantum computing unsafe based on cryptographic call ascertained by the cipher suite dependency graph as recited above, but does not explicitly disclose cryptographic call sequences.
However, in an analogous art, Ghosh discloses cryptographic operations system/method that includes:
cryptographic call sequences (Ghosh: par 0032; cryptographic instructions (e.g., SHA3 instructions) are provided to the cryptographic execution data path in the execution stage).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Ghosh with the method/system of SALIBA and Carter to include cryptographic call sequences. One would have been motivated to accelerate SHA3 operations in software and provide better performance for secure boot, secure update, attestation, authenticating applications and data in cloud environments (Ghosh: par 0016).
Regarding Claim 2;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 1,
Bordow discloses wherein the at least one executable cipher suite in the collection of executable cipher suites is at least one of an application programming interface and source software code (Bordow: par 0040; the application of the system is depicted, which has data pass through three nodes. A single node can have multiple points of cryptography (1, 2, 3), and a single cryptography may have multiple remediations depending on the context of use).
Regarding Claim 4;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 1,
Carter discloses generating a database of executable cipher suites and respective corresponding risk scores, and accessing the database when classifying the target as being post-quantum computing safe or unsafe (Carter: Col 23, lines 45-56; the families of PQC cryptographic techniques include key management and signature. PQC cryptographic techniques may comprise, for example, hash-based PQC cryptographic techniques, lattice-based PQC cryptographic techniques, isogeny-based PQC cryptographic techniques, code-based PQC cryptographic techniques, multivariate-based PQC cryptographic techniques, zero-knowledge proof PQC cryptographic techniques, PQC communications channel-based cryptographic techniques, and other suitable techniques. In some instances, a PQC cryptographic technique may be a variant of a PQC cryptographic algorithm; col 80, lines 42-47; figs. 7A and 7B; each PQC cryptographic technique in the set of post-quantum cryptographic techniques may be a variant of a PQC cryptographic algorithm. The PQC cryptographic performance information comprise a set of PQC cryptographic technique scores; Col 84, lines 14-23; generate, based on the generated PQC cryptographic performance information [] measurement of standard deviation (e.g., the PQC system may determine that a large variation (e.g., a variation that exceeds a predetermined threshold value or a dynamic threshold generated by machine learning circuitry) indicates that the variant is unstable or unpredictable)).
The motivation is the same as that of claim 1 above.
Bordow further discloses executable cipher suites (Bordow: par 0040; a single node can have multiple points of cryptography (1, 2, 3)).
Regarding Claim 5;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 4,
Carter discloses generating and displaying an aggregate risk score for the target based on the respective corresponding risk scores (Carter: col 80, lines 42-47; figs. 7A and 7B; each PQC cryptographic technique in the set of post-quantum cryptographic techniques may be a variant of a PQC cryptographic algorithm. The PQC cryptographic performance information comprise a set of PQC cryptographic technique scores; Col 84, lines 14-23; generate, based on the generated PQC cryptographic performance information [] measurement of standard deviation indicates that the variant is unstable or unpredictable).
The motivation is the same as that of claim 1 above.
Regarding Claim 10;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 1,
Carter discloses wherein the predetermined rule comprises an indication of whether a given cipher suite in the collection of cipher suites is post-quantum computing safe or post-quantum computing unsafe (Carter: Col 59, lines 31-37; the set of PQC cryptographic performance attributes comprise a set of policy attributes for each PQC cryptographic technique in the set of PQC cryptographic techniques. The set of PQC cryptographic performance attributes may comprise an information classification for each PQC cryptographic technique in the set of PQC cryptographic techniques; Col 84, lines 14-23; measurement of standard deviation (e.g., a variation that exceeds a predetermined threshold value) indicates that the variant is unstable or unpredictable).
The motivation is the same as that of claim 1 above.
Bordow further discloses executable cipher suites (Bordow: par 0040; a single node can have multiple points of cryptography (1, 2, 3)).
Regarding Claim 11;
This Claim recites a device that performs the same steps as the method of Claim 1 and has limitations similar to those of Claim 1; it is therefore rejected under the same rationale applied against Claim 1.
Regarding Claim 12;
This Claim recites a device that performs the same steps as the method of Claim 2 and has limitations similar to those of Claim 2; it is therefore rejected under the same rationale applied against Claim 2.
Regarding Claim 14;
This Claim recites a device that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4; it is therefore rejected under the same rationale applied against Claim 4.
Regarding Claim 15;
This Claim recites a device that performs the same steps as the method of Claim 5 and has limitations similar to those of Claim 5; it is therefore rejected under the same rationale applied against Claim 5.
Regarding Claim 18;
This Claim recites non-transitory computer readable storage media that perform the same steps as the method of Claim 1 and have limitations similar to those of Claim 1; it is therefore rejected under the same rationale applied against Claim 1.
Regarding Claim 19;
This Claim recites non-transitory computer readable storage media that perform the same steps as the method of Claim 2 and have limitations similar to those of Claim 2; it is therefore rejected under the same rationale applied against Claim 2.
Claims 3, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bordow et al. (US 20250103720) in view of Carter et al. (US 11,477,016 B1), and further in view of Ghosh et al. (US 20200117811) and KONG et al. (“KONG,” CN 116795850 A, filed on 05/31/2023).
Regarding Claim 3;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 1,
The combination of Bordow and Carter discloses all the limitations as recited above, but does not explicitly disclose wherein a vertex in the cipher suite dependency graph represents a specific executable cipher suite, and an edge in the cipher suite dependency graph represents a caller-callee relationship.
However, in an analogous art, KONG discloses transaction system/method that includes:
wherein a vertex in the cipher suite dependency graph represents a specific cipher suite, and an edge in the cipher suite dependency graph represents a caller-callee relationship (KONG: page 7, par 10; judging whether there is a pre-sequence dependency relationship based on the constructed hash table and the reading set of the transaction, if there is a pre-sequence dependency relationship, adding the transaction as a vertex v into a transaction dependency graph and constructing a directed edge e from the pre-sequence dependency transaction of the transaction to the transaction).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of KONG with the method/system of Bordow and Carter and Ghosh to include wherein a vertex in the cipher suite dependency graph represents a specific cipher suite, and an edge in the cipher suite dependency graph represents a caller-callee relationship. One would have been motivated to construct a transaction dependency graph based on asset state for the batch transaction in the transaction pool and traverse the vertex with degree of entry of 0 in the transaction dependency graph based on depth priority algorithm (KONG: abstract).
Regarding Claim 13;
This Claim recites a device that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3; it is therefore rejected under the same rationale applied against Claim 3.
Regarding Claim 20;
This Claim recites non-transitory computer readable storage media that perform the same steps as the method of Claim 3 and have limitations similar to those of Claim 3; it is therefore rejected under the same rationale applied against Claim 3.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bordow et al. (US 20250103720) in view of Carter et al. (US 11,477,016 B1), and further in view of Ghosh et al. (US 20200117811) and Madhavan et al. (“Madhavan,” US 20220198044, published on 06/23/2022).
Regarding Claim 6;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 5,
The combination of Bordow, Carter, and Ghosh discloses all the limitations as recited above, but does not explicitly disclose wherein the aggregate risk score is based on a weighted average of respective risk scores.
However, in an analogous art, Madhavan discloses data lifecycle discovery system/method that includes:
wherein the aggregate risk score is based on a weighted average of respective risk scores (Madhavan: par 0177; determine a risk score associated with a privacy principle as or based at least in part on a median value of the weighted risk scores that are applicable to that privacy principle, a trimmed average or mean of such weighted risk scores).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Madhavan with the method/system of Bordow and Carter and Ghosh to include wherein the aggregate risk score is based on a weighted average of respective risk scores. One would have been motivated to risk scores relating to levels of compliance of the data lifecycle discovery platform (Madhavan: abstract).
Regarding Claim 16;
This Claim recites a device that performs the same steps as the method of Claim 6 and has limitations similar to those of Claim 6; it is therefore rejected under the same rationale applied against Claim 6.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Bordow et al. (US 20250103720) in view of Carter et al. (US 11,477,016 B1), and further in view of Ghosh et al. (US 20200117811) and Clark et al. (“Clark,” US 20230046959, published on 02/16/2023).
Regarding Claim 7;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 1,
Carter discloses generating and displaying a pie chart indicative of a ratio of safe to unsafe post-quantum computing cipher suites in the collection of cipher suites (Carter: col 80, lines 42-47; figs. 7A and 7B; each PQC cryptographic technique in the set of post-quantum cryptographic techniques may be a variant of a PQC cryptographic algorithm. The PQC cryptographic performance information comprise a set of PQC cryptographic technique scores; Col 84, lines 14-23; generate, based on the generated PQC cryptographic performance information [] measurement of standard deviation (e.g., the PQC system may determine that a large variation (e.g., a variation that exceeds a predetermined threshold value or a dynamic threshold generated by machine learning circuitry) indicates that the variant is unstable or unpredictable)).
The motivation is the same as that of claim 1 above.
Bordow further discloses executable cipher suites (Bordow: par 0040; a single node can have multiple points of cryptography (1, 2, 3)).
The combination of Bordow and Carter discloses generating and displaying a chart indicative of a ratio of safe to unsafe post-quantum computing cipher suites in the collection of cipher suites as recited above, but does not explicitly disclose displaying a pie chart.
However, in an analogous art, Clark discloses data risk system/method that includes:
displaying a pie chart (Clark: par 0052; groups data risk metric user interface element displays the number in the center of its pie chart).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Clark with the method/system of Bordow and Carter to include displaying a pie chart. One would have been motivated to base at least in part on a result of the analysis determining whether each of the database tables includes data belonging to the one or more sensitive data categories (Clark: abstract).
Claims 8-9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bordow et al. (US 20250103720) in view of Carter et al. (US 11,477,016 B1), and further in view of Ghosh et al. (US 20200117811) and Culley et al. (“Culley,” US 11,868,937 B1, filed on 12/09/2022).
Regarding Claim 8;
The combination of Bordow, Carter, and Ghosh discloses the method of claim 1,
Bordow discloses identifying a remediation action to convert a computing unsafe target to a computing safe target (Bordow: par 0003; identify a plurality of applications associated with an entity; define one or more cryptographies associated with each of the plurality of applications; select an estimated time at which the one or more cryptographies will be compromised by the post-quantum cryptography; par 0029; each of the nodes in the node layer can have one or more a cryptographic profiles and potential remediation options, as depicted in a cryptographic profile and remediation layer; par 0040; a single node can have multiple points of cryptography (1, 2, 3), and a single cryptography may have multiple remediations depending on the context of use (e.g., RSA is used for digital signatures and asymmetric keys and each use case may have distinct remediations); par 0041; remediations based upon the type of cryptography are provided in the following table stored in the database).
The combination of Bordow and Carter discloses identifying a remediation action to convert a computing unsafe target to a computing safe target as recited above, but does not explicitly disclose displaying a remediation action to convert a computing unsafe target to a computing safe target.
However, in an analogous art, Culley discloses automatic troubleshooting system/method that includes:
identifying and displaying a remediation action to convert a post quantum computing unsafe target to a post quantum computing safe target (Culley: Col 12, lines 17-19; execute queries to retrieve information identifying the remediation steps to display and which sub panels to build in the troubleshooting GUI; Col 14, lines 57-59; automatically execute the given remediation action or prompt the user to perform the remediation action).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Culley with the method/system of Bordow and Carter and Ghosh to include displaying a remediation action to convert a computing unsafe target to a computing safe target. One would have been motivated to analyze a corresponding set of metrics based on detection criteria associated with the issue to detect one or more issues. The system identifies a set of remediation steps for resolving each issue and infrastructure objects affected by each of the one or more detected issues (Culley: abstract).
Regarding Claim 9;
The combination of Bordow, Carter, Ghosh, and Culley discloses the method of claim 8,
automatically initiating the remediation action (Culley: Col 14, lines 57-59; automatically execute the given remediation action or prompt the user to perform the remediation action).
The motivation is the same as that of claim 8 above.
Regarding Claim 17;
The combination of Bordow, Carter, and Ghosh discloses the device of claim 11,
Bordow discloses the one or more processors are further configured to identify a remediation action to convert a post quantum computing unsafe target to a post quantum computing safe target (Bordow: par 0003; identify a plurality of applications associated with an entity; define one or more cryptographies associated with each of the plurality of applications; select an estimated time at which the one or more cryptographies will be compromised by the post-quantum cryptography; par 0029; each of the nodes in the node layer can have one or more a cryptographic profiles and potential remediation options, as depicted in a cryptographic profile and remediation layer; par 0040; a single node can have multiple points of cryptography (1, 2, 3), and a single cryptography may have multiple remediations depending on the context of use (e.g., RSA is used for digital signatures and asymmetric keys and each use case may have distinct remediations); par 0041; remediations based upon the type of cryptography are provided in the following table stored in the database).
The combination of Bordow and Carter discloses the one or more processors are further configured to identify a remediation action to convert a post quantum computing unsafe target to a post quantum computing safe target as recited above, but does not explicitly disclose displaying a remediation action to convert a computing unsafe target to a computing safe target; automatically initiate the remediation action.
However, in an analogous art, Culley discloses automatic troubleshooting system/method that includes:
identifying and displaying a remediation action to convert a post quantum computing unsafe target to a post quantum computing safe target (Culley: Col 12, lines 17-19; execute queries to retrieve information identifying the remediation steps to display and which sub panels to build in the troubleshooting GUI; Col 14, lines 57-59; automatically execute the given remediation action or prompt the user to perform the remediation action);
automatically initiate the remediation action (Culley: Col 14, lines 57-59; automatically execute the given remediation action or prompt the user to perform the remediation action).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Culley with the method/system of Bordow and Carter and Ghosh to include displaying a remediation action to convert a computing unsafe target to a computing safe target; automatically initiate the remediation action. One would have been motivated to analyze a corresponding set of metrics based on detection criteria associated with the issue to detect one or more issues. The system identifies a set of remediation steps for resolving each issue and infrastructure objects affected by each of the one or more detected issues (Culley: abstract).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644. The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/C.W./ Examiner, Art Unit 2439
/LUU T PHAM/ Supervisory Patent Examiner, Art Unit 2439