Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the U.S. patent application 18373126 filed on September 26, 2023, and Applicant’s Response filed on December 31, 2025.
Original prior claims 1-20 remain pending without claim amendment, cancellation or addition, and have been examined in this application. This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant Response, submitted on December 31, 2029, with respect to limitations listed below, have been fully considered but they are not persuasive as follows.
Applicant’s arguments: “…Woodage's HMAC-DRBG does not use a clocked hardware counter during output generation.”
The Examiner traverses the Applicant’s argument, in respectfully noting that Applicant’s claims do not recite a “clocked hardware counter”. Accordingly, the examiner respectfully submits that Applicant’s argument is irrelevant. In response to Applicant’s argument that the references fail to show certain features of the invention, it is noted that the features upon which Applicant relies (i.e., “clocked hardware counter”) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See 7.37.08 Unpersuasive Argument, and In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicant’s arguments: “…the cnt in Woodage does not increment based on a state of a clock as recited in the claims and instead increments for each call of a generate function. The current application explains that such a counter (counter 120) exists and distinguishes this counter 120 from a counter 112 used for HMAC-DRBG that increments based on a state of a clock. Section “Reseeding” in Woodage explains cnt’s role relative to a reseed interval. Nothing in Woodage suggests a counter “increment based on a state of a clock.” Note that counters do not need a clock to increment as logic gats can be used. This non-clock gating of a counter is typical and often called an interrupt.”
The Examiner disagrees with Applicant. The Examiner respectfully submits that Woodage does disclose an arrangement to increment based on a “state of a clock”, as recited in the claims. Under a broadest reasonable interpretation (BRI), words of the claim must be given their plain meaning, unless such meaning is inconsistent with the specification. The plain meaning of a term means the ordinary and customary meaning given to the term by those of ordinary skill in the art at the relevant time. In the present BRI analysis, the Examiner’s position is that the claimed “state of a clock” phrase is reasonably interpretable as having a broad range of meanings. For example, the “state of a clock” of a simple square-wave clock could mean the “rising edge” of one of the square-wave pulses, but could also mean the “falling edge” of the same one of the square-wave pulses. As another example, “state of the clock” could mean the “rising edge” of every 2nd, 3rd, 4th, etc. one of the square-wave pulses, but could also mean the “falling edge” of the 5th, 6th, 7th, etc. one of the square-wave pulses.
The point is, there can be many differing types of condition (not necessarily involving “time” in the clock-sense) that can represent a “state of a clock” resulting in an “output increment”). Woodage’s sentence spanning the left and right columns of Woodage’s page 4, recites “Output blocks are then iteratively generated using the block cipher in CTR-mode (each block/counter increment corresponding to an iteration of the next subroutine in lines 13-14)”. It is the Examiner’s position that based on such statement, at least “block cipher in CRT-mode” is interpretable as the claimed “counter configured to increment”, under a BRI interpretation.
While Applicant’s December 31, 2025, argument that Woodage’s “Reseeding” section “explains CNT’s role relative to a reseed interval”, the “reseeding interval” is not the only “clock-type increment” disclosed in Woodage. Accordingly, the rejection is maintained.
Applicant’s arguments: “…The Examiner’s reliance on Petersen to fill in “two hashing circuits” and “key splitting based on counter output” is not a simple plug-in to Woodage’s specific architecture of HMAC-DRBG. Pertersen’s generalized discussion of “subsets of a number” and “parallel instances” does not teach an HMAC implementations with two distinct hashing circuits, nor counter-driven key sharing “the HMAC function circuitry configured to split a key into first and second shares based on the counter output”. Further, the splitting in Petersen is based on a state variable, not based on a counter value that increments based on a clock stage. Under KSR, the generic motivation “to improve random properties” is insufficient to retrofit Woodage’s HMAC-DRBG with hardware features foreign to its disclosed operation.”
The Examiner disagrees with Applicant. The Examiner respectfully submits that Petersen para. [0014] states, “The methods of the present invention are applicable to cryptographic methods and cryptographic systems, in particular but not exclusively to … Hash functions,”. Petersen para. [0474] provides “speed” motivation, i.e., Petersen states “Thus, pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance.” Finally, Petersen para. [0271] provides further “random property improvement motivation, i.e., Petersen para. [0271] states, “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved”. Accordingly, it is respectfully submitted that sufficient motivation is provided for the combination of Petersen with the primary Woodage reference/teachings.
Further, Petersen para. [0588] (concerning “Initialization Vectors (IV)”) discloses, “…problem can be solved by use of an IV. An IV is also useful in a Virtual Private Network (VPN). In such a network, the data may be divided into packages, and a unique IV is transmitted along with each package, whereby each package can be decrypted individually, even if other packages are lost. The data to be encrypted/decrypted is divided into sections, and each section is associated with a unique IV. The cipher is firstly setup by use of the key, and thereafter the internal state of the mathematical system is changed in an unpredictably way, as function of the IV. These changes may be performed on counters, on the state values or on both. The output of the cipher is then a function of both the key and the IV, and thereby a given section or package can be encrypted/decrypted, without iterating multiple times.”
Applicant’s arguments: “…Petersen [0676] mentions “a linear feedback shift register,” but Petersen’s overall disclosure on counters ([0070]) and subsets ([0271]) is generic and not tied to HMAC-DRBG hardware. Petersen does not teach or suggest “a first LFSR coupled to receive a portion of the counter output as a seed value” in an HMAC-DRBG..”
The Examiner disagrees with Applicant. The Examiner respectfully submits that Petersen para. [0049] discloses, “In order to further improve unpredictability, multiple parameters may be employed. Some of such multiple parameters may be dynamic, i.e. varying, whereas others may be static, i.e. constant. A constant parameter may for example be generated from a seed value provided to the mathematical system, such as an encryption key. The variation of a first one of the parameters, such as of a counter”. Petersen para. [0229] discloses, “A counter is herein defined as a variable which may serve as a parameter in a mathematical system. The counter is continuously iterated and updated by means of a mathematical function.” Applicant’s admission that Petersen’s counters are generic means such counters are useable with LFSRs.
Applicant’s arguments: “…For claims 3-4: “the first hashing circuit includes a second LFSR and the second hashing circuit includes a third LFSR …receive respective portions of an output of the first lfsr,” with MSB/LSB split. Cordery (US2010/0128872) describes an NLFSR (a NON-LINEAR feedback shift register) in a printer metering system (e.g., Abstract; [0016]-[0019], [0025]; Fig. 2). It does not disclose intergrating “a second LFSR” within a “first hashing circuit” and “a third LFSR” within a “second hashing circuit,” nor seeding them via MSBs/LSBs of a “first LFSR’s output. The Office Action identifies no paragraph in Cordery that teaches MSB/LSB splitting to seed multiple LFSRs across two hashing circuits.”
The Examiner disagrees with Applicant. The Examiner respectfully submits that although a mainstay of the Cordery disclosure focuses in on using NLFSRs, Cordery does disclosure an alternative embodiment using LFSRs, i.e., see Cordery paras. [0004] and [0019], for example. Accordingly, it is respectfully submitted that it would have been obvious to one skilled in the art that Cordery’s NLFSR teachings could be applicable to LFSRs.
Applicant’s arguments: “…Clams 6 and 16 recite an XOR gate coupled to an LFSR input pin, “situated to receive output of the counter and an LFSR seed value” when the command pin is in a second state, Cordery FIG. 2 shows XOR gate 54 combining NLFSR feedback output and input data portions (e.g., session key, then image data) to compute the next stage value ([0016], [0025]). Cordery [0018] states that challenge data r1 “may be …generated by a counter” to derive a session key via key agreement. Corderry does not disclose an XOR at an LFSR input pin receiving the output of a counter and an LFSR seed value contingent on a command-pin gating state in a DRBG. The Examiner’s mapping conflates application-level challenge generation with the claimed hardware pin-gated XOR feed into an LFSR.”
The Examiner disagrees with Applicant. Again, the Examiner respectfully submits that although a mainstay of the Cordery disclosure focuses in on using NLFSRs, Cordery does disclosure an alternative embodiment using LFSR, i.e., see Cordery paras. [0004] and [0019], for example. Accordingly, it is respectfully submitted that it would have been obvious to one skilled in the art that Cordery’s NLFSR teachings could be applicable to LFSRs.
Applicant’s arguments: “…Method claims 11-13 (and related method claims) recite receiving an LFSR value; initializing second/third LFSRs to MSBs/LSBs. As above, Cordery describes one NLFSR per device, and Petersen’s “subset of digits” is generic. There is no teaching of receiving a “first LFSR value” and initializing to other LFSRs (in distinct hashing circuits) respectively to MSBs/LSBs of that value.”
The Examiner disagrees with Applicant. Again, the Examiner respectfully submits that although a mainstay of the Cordery disclosure focuses in on using NLFSRs, Cordery does disclosure an alternative embodiment using LFSRs, i.e., see Cordery paras. [0004] and [0019], for example. Accordingly, it is respectfully submitted that it would have been obvious to one skilled in the art that Cordery’s NLFSR teachings could be applicable to LFSRs.
Applicant’s arguments: “…Cordery [0029]-[0030] (and FIG. 2) present acceptance/rejection of image data at the application level based on MAC verification. This is not a DRBG hardware-level command pin gating of inputs. The assertion that pins are an “obvious matter of design choice” is insufficient where the claimed pin gating has a functional security purpose (e.g., inhibiting side-channel injection and preventing state change unless the command pin is asserted).”
The Examiner respectfully traverses Applicant’s arguments. More particularly, regarding the mention of at least “MAC” and “hardware”, such words/features are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See 7.37.08 Unpersuasive Argument, and In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Further, regarding the mention of “insufficient where the claimed pin gating has a functional security purpose (e.g., inhibiting side-channel injection and preventing state change unless the command pin is asserted)”, the purpose or intended use is not recited within the claims.
Applicant’s arguments: “…Regarding claim 10 and related method claims Woodage explicitly states HMAC-DRBG is “instantiated with HMAC/SHA-256,” and Figure 1 provides pseudocode of HMAC-DRBG next and update (Sewction “4-Algorithms,” “4.2 HMAC – DRBG”; Section “3.1-Algorithms and mapping into definition 1”), HMAC itself is standard and Woodage does not disclose performing HMAC’s inner/outer operations in distinct hashing circuits, nor LFSR-based initializations to MSBs/LSBs, as recited. The Examiner’s reliance on Petersen’s generic concatenation or “partial results” (e.g., [0385]) does not provide a teaching to re-architect HMAC into two hardware hash circuits with counter-driven key splitting or LFSR seeding.”
The Examiner respectfully traverses Applicant’s arguments. More particularly, the Examiner respectfully submits that Petersen para. [0014] states, “The methods of the present invention are applicable to cryptographic methods and cryptographic systems, in particular but not exclusively to … Hash functions,”. Petersen para. [0474] provides “speed” motivation, i.e., Petersen states “Thus, pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance.” Finally, Petersen para. [0271] provides further “random property improvement motivation, i.e., Petersen para. [0271] states, “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved”. Accordingly, it is respectfully submitted that sufficient motivation is provided for the combination of Petersen with the primary Woodage reference/teachings.
The Examiner respectfully suggests that the claim be further amended; details in the specification be incorporated, to distinguish the claimed invention over prior art of record. Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272-2642 to schedule an interview.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-2, 10 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over WOODAGE, et al., "An Analysis of the NIST SP 800-90AStandard", Advances in Cryptology - EUROCRYPT 2019, April 24, 2019, pp. 151-180 (“Woodage”; copy renumbered pp. 1-22 for convenience) in view of Petersen et al. (“Petersen”; US20040086117A1).
Per claim 1: Woodage discloses a secure hash-based message authentication code (HMAC) deterministic random bit generator (DRBG) circuit (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 4, right column, last full paragraph, “HMAC is a keyed-hash message authentication code”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”) comprising:
HMAC DRBG circuitry (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”) including a counter configured to increment based on a clock state and provide a counter output (Woodage, page 4, right column, second last full paragraph, “V ϵ {0, l}ℓ is a counter”; Woodage page 4, right column, “counter increment”; NOTE: An incrementing counter is being interpreted as being in a clocked state”); and
HMAC function circuitry coupled to the HMAC DRBG circuitry (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”; Woodage page 4, second last full paragraph, “the HMAC-DRBG is instantiated with HMAC / SHA-256”).
Woodage does not disclose the HMAC function circuitry including first and second hashing circuits, the HMAC function circuitry configured to implement an HMAC function using the first and second hashing circuits and the counter output, the HMAC function circuitry configured to split a key into first and second shares based on the counter output and provide the first share to the first hashing circuit and the second share to the second hashing circuit.
However, in an analogous art, Petersen discloses a HMAC function circuitry including first and second hashing circuits, the HMAC function circuitry configured to implement an HMAC function using the first and second hashing circuits and the counter output, the HMAC function circuitry configured to split a key into first and second shares based on the counter output and provide the first share to the first hashing circuit and the second share to the second hashing circuit (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output; Petersen para. [0014] states, “The methods of the present invention are applicable to cryptographic methods and cryptographic systems, in particular but not exclusively to … Hash functions,”. Petersen para. [0474] provides “speed” motivation, i.e., Petersen states “Thus, pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance.” Finally, Petersen para. [0271] provides further “random property improvement motivation, i.e., Petersen para. [0271] states, “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved”. Accordingly, it is respectfully submitted that sufficient motivation is provided for the combination of Petersen with the primary Woodage reference/teachings. Further, Petersen para. [0588] (concerning “Initialization Vectors (IV)”) discloses, “…problem can be solved by use of an IV. An IV is also useful in a Virtual Private Network (VPN). In such a network, the data may be divided into packages, and a unique IV is transmitted along with each package, whereby each package can be decrypted individually, even if other packages are lost. The data to be encrypted/decrypted is divided into sections, and each section is associated with a unique IV. The cipher is firstly setup by use of the key, and thereafter the internal state of the mathematical system is changed in an unpredictably way, as function of the IV. These changes may be performed on counters, on the state values or on both. The output of the cipher is then a function of both the key and the IV, and thereby a given section or package can be encrypted/decrypted, without iterating multiple times.”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Woodage to include, as taught by Petersen, regarding the HMAC function circuitry including first and second hashing circuits, the HMAC function circuitry configured to implement an HMAC function using the first and second hashing circuits and the counter output, the HMAC function circuitry configured to split a key into first and second shares based on the counter output and provide the first share to the first hashing circuit and the second share to the second hashing circuit. Motivation would have been to improve random properties and enhance security (Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes. Moreover, as only a subset is extracted, less information concerning the internal state of the mathematical system is contained in the extracted set of data which enhances the security of an encryption/decryption system incorporating the method.”)
Per claim 2: The Woodage/Petersen combination discloses the secure HMAC DRBG circuit of claim 1. Petersen further discloses an arrangement wherein the HMAC DRBG circuit further comprises a first linear feedback shift register (LFSR) coupled to receive a portion of the counter output as a seed value (Petersen para. [0676], “a linear feedback shift register”; Petersen para. [0070], “At least one of the first and second number may be a …value X.sub.i to which there is added a variable parameter value, such as a counter C.sub.i.”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”).
Per claim 10: Woodage discloses a secure hash-based message authentication code (HMAC) deterministic random bit generator (DRBG) method (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 4, right column, last full paragraph, “HMAC is a keyed-hash message authentication code”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”) comprising:
hashing, by a first hashing circuit of HMAC function circuitry, a first padded key value resulting in a first hashed key value (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”; Woodage page 4, second last full paragraph, “the HMAC-DRBG is instantiated with HMAC / SHA-256”; Woodage, page 3, “Additional Input” paragraph, “In addition to inputs drawn from the entropy source, the NIST SP 800-90A standard gives the option for strings of additional input (denoted a.ddin), to be fed into the state of the DRBG during generate and reseed calls. The standard pemits these strings to be public information (e.g., device serial numbers and time stamps), or may contain secrets”);
hashing, by a second hashing circuit of the HMAC function circuitry, a second padded key value resulting in a second hashed key value (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”; Woodage page 4, second last full paragraph, “the HMAC-DRBG is instantiated with HMAC / SHA-256”; Woodage, page 3, “Additional Input” paragraph, “In addition to inputs drawn from the entropy source, the NIST SP 800-90A standard gives the option for strings of additional input (denoted a.ddin), to be fed into the state of the DRBG during generate and reseed calls. The standard pemits these strings to be public information (e.g., device serial numbers and time stamps), or may contain secrets”).
Woodage does not disclose an arrangement: concatenating the first hashed key value with a hash of a message resulting in a first concatenated hash value; hashing, by the first hashing circuit, the first concatenated hash value resulting in a first hashed message value; concatenating the first hashed message value and the second hashed key value resulting in a second concatenated hash value; and hashing, by the first hashing circuit or the second hashing circuit, the second concatenated hash value resulting in a message hash.
However, in an analogous art, Petersen discloses an arrangement:
concatenating the first hashed key value with a hash of a message resulting in a first concatenated hash value (Petersen para. [0385], “concatenating the partial results to yield a representation of a result of said at least one computation”);
hashing, by the first hashing circuit, the first concatenated hash value resulting in a first hashed message value (Petersen para. [292], “system is iterated until the end of the message is reached. The last calculated value of x or part thereof, such as the least significant digits, is denoted, for example, the Hash value, the MAC or the checksum”);
concatenating the first hashed message value and the second hashed key value resulting in a second concatenated hash value (Petersen para. [0385], “concatenating the partial results to yield a representation of a result of said at least one computation”); and
hashing, by the first hashing circuit or the second hashing circuit, the second concatenated hash value resulting in a message hash (Petersen para. [292], “system is iterated until the end of the message is reached. The last calculated value of x or part thereof, such as the least significant digits, is denoted, for example, the Hash value, the MAC or the checksum”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Woodage to include, as taught by Petersen, regarding the HMAC function circuitry including first and second hashing circuits, an arrangement: concatenating the first hashed key value with a hash of a message resulting in a first concatenated hash value; hashing, by the first hashing circuit, the first concatenated hash value resulting in a first hashed message value; concatenating the first hashed message value and the second hashed key value resulting in a second concatenated hash value; and hashing, by the first hashing circuit or the second hashing circuit, the second concatenated hash value resulting in a message hash. Motivation would have been to enhance security via conducting a plurality of concatenating and hashing operations (Petersen para. [0271], “less information concerning the internal state of the mathematical system is contained in the extracted set of data which enhances the security of an encryption/decryption system incorporating the method.”)
Per claim 17, such method claim recites limitations with similar scope to claim 7. Therefore, claim 17 is also rejected under 35 USC 103 as being unpatentable, for the same reason set forth above for claim 7.
Per claim 18, such method claim recites limitations with similar scope to claim 16. Therefore, claim 18 is also rejected under 35 USC 103 as being unpatentable, for the same reason set forth above for claim 16.
Per claim 19, such method claim recites limitations with similar scope to claim 9. Therefore, claim 19 is also rejected under 35 USC 103 as being unpatentable, for the same reason set forth above for claim 9.
Per claim 20: Woodage discloses a secure hash-based message authentication code (HMAC) deterministic random bit generator (DRBG) wrapper circuit (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 4, right column, last full paragraph, “HMAC is a keyed-hash message authentication code”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”) comprising:
a first counter configured to provide a counter output, the first counter configured to increment based on a state of a clock (Woodage, page 4, right column, second last full paragraph, “V ϵ {0, l}ℓ is a counter”; Woodage page 4, right column, “counter increment”; NOTE: An incrementing counter is being interpreted as being in a clocked state”); and
HMAC DRBG circuitry (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”) including:
HMAC function circuitry (Woodage, page 1, left column, last full paragraph, “These DRBGs -which respectively use a block cipher, a cryptographic hash function, and HMAC as their basic building blocks – are widely used.”; Woodage page 1, left column, last full paragraph, “any cryptographic software or hardware seeking HPS certification must implement a pseudorandom generator from the standard.”; Woodage page 4, second last full paragraph, “the HMAC-DRBG is instantiated with HMAC / SHA-256”).
Woodage does not disclose the HMAC function circuitry including: a first linear feedback shift register (LFSR); a first hashing circuit including a second LFSR situated to receive most significant bits (MSBs) of the LFSR as an initialization seed; including a second hashing circuit including a third LFSR situated to receive least significant bits (LSBs) of the LFSR as an initialization seed; and configured to, based on the counter output, generate an HMAC using the first and second hashing circuits.
However, in an analogous art, Petersen discloses a HMAC function circuitry including:
a first linear feedback shift register (LFSR) (Petersen para. [0676], “a linear feedback shift register”; Petersen para. [0070], “At least one of the first and second number may be a …value X.sub.i to which there is added a variable parameter value, such as a counter C.sub.i.”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”); and
a first hashing circuit including a second LFSR situated to receive most significant bits (MSBs) of the LFSR as an initialization seed (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output);
including a second hashing circuit including a third LFSR situated to receive least significant bits (LSBs) of the LFSR as an initialization seed (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output); and
configured to, based on the counter output, generate an HMAC using the first and second hashing circuits (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Woodage to include, as taught by Petersen, regarding the HMAC function circuitry including: a first linear feedback shift register (LFSR); a first hashing circuit including a second LFSR situated to receive most significant bits (MSBs) of the LFSR as an initialization seed; including a second hashing circuit including a third LFSR situated to receive least significant bits (LSBs) of the LFSR as an initialization seed; and configured to, based on the counter output, generate an HMAC using the first and second hashing circuits. Motivation would have been to improve random properties and enhance security (Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes. Moreover, as only a subset is extracted, less information concerning the internal state of the mathematical system is contained in the extracted set of data which enhances the security of an encryption/decryption system incorporating the method.”)
Claim(s) 3-9 and 11-16 are rejected under 35 U.S.C. 103 as being unpatentable over WOODAGE, et al., "An Analysis of the NIST SP 800-90AStandard", Advances in Cryptology - EUROCRYPT 2019, April 24, 2019, pp. 151-180 (“Woodage”; copy renumbered pp. 1-22 for convenience) in view of Petersen et al. (“Petersen”; US20040086117A1) and Cordery et al. (“Cordery”; US20100128872A1).
Per claim 3: The Woodage/Petersen combination discloses the secure HMAC DRBG circuit of claim 2. The Woodage/Petersen combination does not disclose an arrangement wherein the first hashing circuit includes a second LFSR and the second hashing circuit includes a third LFSR, the first and second LFSRs configured to receive respective portions of an output of the first LFSR.
However, in an analogous art, Cordery discloses an arrangement wherein the first hashing circuit includes a second LFSR and the second hashing circuit includes a third LFSR, the first and second LFSRs configured to receive respective portions of an output of the first LFSR (Cordery, claim 1, “method comprising: inputting a session key to a non-linear feedback shift register having a plurality of stages for storing data, each of the stages storing a portion of the session key, at least a portion of the plurality of stages providing the data currently stored therein to a feedback function to generate a current feedback output; clocking the non-linear feedback shift register by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the session key with the current feedback output to produce a first result and storing the first result in a first stage of the non-linear feedback shift register; clocking the non-linear feedback shift register by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the image data with the current feedback output to generate a second result, and storing the second result in the first stage of the non-linear feedback shift register; repeating the clocking of the non-linear feedback shift register using a portion of the image data until all of the image data desired to be secured has been utilized; clocking the non-linear feedback shift by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the session key with the current feedback output to generate a third result, and storing the third result in the first stage of the non-linear feedback shift register; outputting at least a portion of the data currently stored in the non-linear feedback shift register”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Woodage/Petersen combination to include, as taught by Cordery, an arrangement wherein the first hashing circuit includes a second LFSR and the second hashing circuit includes a third LFSR, the first and second LFSRs configured to receive respective portions of an output of the first LFSR. Motivation would have been to utilize plural stages of LFSRs and hashing, in order to improve a security of the Woodage/Petersen combination.
Per claim 4: The Woodage/Petersen/Cordery combination discloses the secure HMAC DRBG circuit of claim 3. Cordery further discloses an arrangement wherein the second LFSR is configured to receive most significant bits (MSBs) of the first LFSR and the third LFSR is configured to receive least significant bits (LSBs) of the first LFSR (Cordery, claim 1, “method comprising: inputting a session key to a non-linear feedback shift register having a plurality of stages for storing data, each of the stages storing a portion of the session key, at least a potion of the plurality of stages providing the data currently stored therein to a feedback function to generate a current feedback output; clocking the non-linear feedback shift register by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the session key with the current feedback output to produce a first result and storing the first result in a first stage of the non-linear feedback shift register; clocking the non-linear feedback shift register by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the image data with the current feedback output to generate a second result, and storing the second result in the first stage of the non-linear feedback shift register; repeating the clocking of the non-linear feedback shift register using a portion of the image data until all of the image data desired to be secured has been utilized; clocking the non-linear feedback shift by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the session key with the current feedback output to generate a third result, and storing the third result in the first stage of the non-linear feedback shift register; outputting at least a portion of the data currently stored in the non-linear feedback shift register”). .
Per claim 5: The Woodage/Petersen combination discloses the secure HMAC DRBG circuit of claim 1. The Woodage/Petersen combination does not disclose an arrangement wherein the HMAC DRBG circuitry further includes multiple pins including a command pin coupled to circuitry that causes the HMAC DRBG to (i) ignore input on pins of the HMAC DRBG circuitry other than the command pin, in response to input on the command pin in a first state and (ii) ingest input on the pins other than the command pin in response to input on the command pin in a second, different state.
However, in an analogous art, Cordery discloses an arrangement wherein the HMAC DRBG circuitry further includes multiple pins including a command pin coupled to circuitry that causes the HMAC DRBG to (i) ignore input on pins of the HMAC DRBG circuitry other than the command pin, in response to input on the command pin in a first state (Cordery para. [0030], “If in step 154 it is determined that the MAC generated by the controller 40 of the printer 14 is not the same as the MAC received from the accounting device 12, then in step 158 the image data will not be accepted, as it has not been authenticated due to the failure of the MACs to correspond, and the image data will be discarded”) and (ii) ingest input on the pins other than the command pin in response to input on the command pin in a second, different state (Cordery para. [0029], “the controller 40 of the printer 14 generates a MAC, using its NLFSR 26, in the same manner as described above with respect to steps 122-144 of FIG. 4 (the description of which need not be repeated here). In step 154, the controller 40 will verify the MAC by comparing the MAC generated by the controller 40 to the MAC received from the accounting device 12 to determine if they are the same. If in step 154 it is determined that the MAC generated by the controller 40 of the printer 14 is identical to the MAC received from the accounting device 12, then in step 156 the printer 14 will accept the image data as authentic and use the received image data”; [Regarding the claimed “pins”, it would have been an obvious matter of design choice to utilize pins in any implementation, since applicant has not disclosed that the specific pins recited, solve any stated problem or is for any particular purpose and it appears that the invention would perform equally well with other types of input arrangements.]).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Woodage/Petersen combination to include, as taught by Cordery, an arrangement wherein the HMAC DRBG circuitry further includes multiple pins including a command pin coupled to circuitry that causes the HMAC DRBG to (i) ignore input on pins of the HMAC DRBG circuitry other than the command pin, in response to input on the command pin in a first state and (ii) ingest input on the pins other than the command pin in response to input on the command pin in a second, different state. Motivation would have been to provide an input pin serving double-duty according to two differing states, in order to minimize a number of required input pins.
Per claim 6: The Woodage/Petersen/Cordery combination discloses the secure HMAC DRBG circuit of claim 5. Cordery further discloses an arrangement further comprising an XOR gate (Cordery FIG. 2, XOR gate 54) coupled to an LFSR input pin of the multiple pins (Cordery, para. [0016], “the output value from the XOR function 54 is input to the stage S.sub.n”), the XOR gate situated to receive output of the counter (Cordery para. [0018], “the accounting unit controller 22 generates challenge data r.sub.1 and sends it to the printer controller 40. The challenge data may be, for example, a 128 bit number generated by a counter”; Cordery para. [0017], “performing a key agreement process to derive a shared session key k which is used to establish the initial state”; Cordery para. [0018], “compute the session key k based on the challenge data r.sub.1, r.sub.2, the serial number, SN, and the master key, MK”; Cordery para. [0019], “the session key k is input to the NLFSR 26”) and a linear feedback shift register (LFSR) initialization seed value as input when the input on the command pin in the second state (Cordery FIG. 2; Cordery para. [0016], “output y from the feedback function 52 is input to an exclusive-or (XOR) function 54”; Cordery para. [0025], “a portion of the session key k required to completely fill a stage (based on the word size of the stage, e.g., 32 bits) is combined with the current output y of the feed back function 52, using, for example, the exclusive-or (XOR) function”).
Per claim 7: The Woodage/Petersen/Cordery combination discloses the secure HMAC DRBG circuit of claim 6. Woodage further discloses an arrangement wherein an entropy input pin of the multiple pins is configured to receive an initialization vector (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output)and a nonce input pin of the multiple pins is configured to receive the output of the counter (Woodage, page 3, “Additional Input” paragraph, “In addition to inputs drawn from the entropy source, the NIST SP 800-90A standard gives the option for strings of additional input (denoted a.ddin), to be fed into the state of the DRBG during generate and reseed calls. The standard pemits these strings to be public information (e.g., device serial numbers and time stamps), or may contain secrets”).
Per claim 8, such HMAC DRBG circuit claim recites limitations with similar scope to claim 6. Therefore, claim 8 is also rejected under 35 USC 103 as being unpatentable, for the same reason set forth above for claim 6.
Per claim 9: The Woodage/Petersen/Cordery combination discloses the secure HMAC DRBG circuit of claim 8. Woodage further discloses an arrangement wherein an entropy input pin of the multiple pins is configured to receive a private key (Woodage, page 3, left column, first sentence, “DRBG is initially seeded with entropy equal to the security strength of the instantiation”; Woodage page 3, left column, second paragraph, “HASH-DRBG use a derivation function to condition entropy inputs”) and a nonce input pin of the multiple pins is configured to receive a hashed message (Woodage, page 3, “Additional Input” paragraph, “In addition to inputs drawn from the entropy source, the NIST SP 800-90A standard gives the option for strings of additional input (denoted a.ddin), to be fed into the state of the DRBG during generate and reseed calls. The standard pemits these strings to be public information (e.g., device serial numbers and time stamps), or may contain secrets”).
Per claim 11: The Woodage/Petersen combination discloses the method of claim 10. The Woodage/Petersen combination does not disclose an arrangement: receiving, from a first linear feedback shift register (LFSR) of the HMAC DRBG circuitry, an LFSR value.
However, in an analogous art, Cordery discloses an arrangement: receiving, from a first linear feedback shift register (LFSR) of the HMAC DRBG circuitry, an LFSR value (Cordery, claim 1, “method comprising: inputting a session key to a non-linear feedback shift register having a plurality of stages for storing data, each of the stages storing a portion of the session key, at least a portion of the plurality of stages providing the data currently stored therein to a feedback function to generate a current feedback output; clocking the non-linear feedback shift register by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the session key with the current feedback output to produce a first result and storing the first result in a first stage of the non-linear feedback shift register; clocking the non-linear feedback shift register by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the image data with the current feedback output to generate a second result, and storing the second result in the first stage of the non-linear feedback shift register; repeating the clocking of the non-linear feedback shift register using a portion of the image data until all of the image data desired to be secured has been utilized; clocking the non-linear feedback shift by shifting each stage of the non-linear feedback shift register by one stage, combining a portion of the session key with the current feedback output to generate a third result, and storing the third result in the first stage of the non-linear feedback shift register; outputting at least a portion of the data currently stored in the non-linear feedback shift register”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Woodage/Petersen combination to include, as taught by Cordery, an arrangement: receiving, from a first linear feedback shift register (LFSR) of the HMAC DRBG circuitry, an LFSR value. Motivation would have been to utilize plural stages of LFSRs and hashing, in order to improve a security of the Woodage/Petersen combination.
Per claim 12: The Woodage/Petersen/Cordery combination discloses the method of claim 11. Petersen discloses an arrangement further comprising: initializing a second LFSR of the first hashing circuit to most significant bits (MSBs) or least significant bits (LSBs) of the LFSR value (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output).
Per claim 13: The Woodage/Petersen/Cordery combination discloses the method of claim 12. Petersen discloses an arrangement further comprising: initializing a third LFSR of the second hashing circuit to LSBs or MSBs of the LFSR value, whichever is not used to initialize the second LFSR (Petersen para. [0179], “identification value can be a hash value, a check-sum or a MAC (Message Authentication Code)”; Petersen para. [0065], “In case a cryptographic key is used as a seed value for the computations, the hash function is usually referred to as a MAC function (Message Authentication Code)”; Petersen para. [0269], “A subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.”; Petersen para. [0074], “At least one of the first and second number may be derived from a cryptographic key”; Petersen para. [0271], “By extracting a subset of digits of a number instead of extracting the entire number, random properties are improved in case the method is used in a pseudo-random number generator, for example for encryption and/or decryption purposes.”; Petersen para. [0474], “pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing. Further, by coupling the two or more instances, a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance”; Petersen para. [0014], “a cryptographic system in which several numbers x.sub.1 . . . x.sub.n are being generated based on iterations of one or more state variables”; NOTE: Iterations is being interpreted as resulting in a counter output).
Per claim 14: The Woodage/Petersen combination discloses the method of claim 10. The Woodage/Petersen combination does not disclose an arrangement further comprising ignoring input on other pins of the HMAC DRBG circuitry when input on a command pin is in a first state.
However, in an analogous art, Cordery discloses an arrangement further comprising ignoring input on other pins of the HMAC DRBG circuitry when input on a command pin is in a first state (Cordery para. [0030], “If in step 154 it is determined that the MAC generated by the controller 40 of the printer 14 is not the same as the MAC received from the accounting device 12, then in step 158 the image data will not be accepted, as it has not been authenticated due to the failure of the MACs to correspond, and the image data will be discarded”)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Woodage/Petersen combination to include, as taught by Cordery, an arrangement further comprising ignoring input on other pins of the HMAC DRBG circuitry when input on a command pin is in a first state. Motivation would have been to provide an input pin serving double-duty according to two differing states, in order to minimize a number of required input pins.
Per claim 15: The Woodage/Petersen/Cordery combination discloses the method of claim 14. Cordery discloses an arrangement further comprising ingesting input on the other pins when input on the command pin is in a second, different state (Cordery para. [0029], “the controller 40 of the printer 14 generates a MAC, using its NLFSR 26, in the same manner as described above with respect to steps 122-144 of FIG. 4 (the description of which need not be repeated here). In step 154, the controller 40 will verify the MAC by comparing the MAC generated by the controller 40 to the MAC received from the accounting device 12 to determine if they are the same. If in step 154 it is determined that the MAC generated by the controller 40 of the printer 14 is identical to the MAC received from the accounting device 12, then in step 156 the printer 14 will accept the image data as authentic and use the received image data”; [Regarding the claimed “pins”, it would have been an obvious matter of design choice to utilize pins in any implementation, since applicant has not disclosed that the specific pins recited, solve any stated problem or is for any particular purpose and it appears that the invention would perform equally well with other types of input arrangements.]).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Woodage/Petersen combination to include, as taught by Cordery, an arrangement which will (ii) ingest input on the pins other than the command pin in response to input on the command pin in a second, different state. Motivation would have been to provide an input pin serving double-duty according to two differing states, in order to minimize a number of required input pins.
Per claim 16: The Woodage/Petersen/Cordery combination discloses the method of claim 15. The Woodage/Petersen combination does not disclose an arrangement further comprising initializing the first LFSR to an output of an XOR gate that is coupled to an LFSR input pin of the other pins and is situated to receive output of a counter of the HMAC DRBG circuitry and a linear feedback shift register (LFSR) initialization seed value as input when the input on the command pin in the second state.
However, in an analogous art, Cordery discloses an arrangement further comprising initializing the first LFSR to an output of an XOR gate (Cordery FIG. 2, XOR gate 54) that is coupled to an LFSR input pin of the other pins (Cordery, para. [0016], “the output value from the XOR function 54 is input to the stage S.sub.n”) and is situated to receive output of a counter of the HMAC DRBG circuitry (Cordery para. [0018], “the accounting unit controller 22 generates challenge data r.sub.1 and sends it to the printer controller 40. The challenge data may be, for example, a 128 bit number generated by a counter”; Cordery para. [0017], “performing a key agreement process to derive a shared session key k which is used to establish the initial state”; Cordery para. [0018], “compute the session key k based on the challenge data r.sub.1, r.sub.2, the serial number, SN, and the master key, MK”; Cordery para. [0019], “the session key k is input to the NLFSR 26”) and a linear feedback shift register (LFSR) initialization seed value as input when the input on the command pin in the second state (Cordery FIG. 2; Cordery para. [0016], “output y from the feedback function 52 is input to an exclusive-or (XOR) function 54”; Cordery para. [0025], “a portion of the session key k required to completely fill a stage (based on the word size of the stage, e.g., 32 bits) is combined with the current output y of the feed back function 52, using, for example, the exclusive-or (XOR) function”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the Woodage/Petersen combination to include, as taught by Cordery, an arrangement further comprising initializing the first LFSR to an output of an XOR gate that is coupled to an LFSR input pin of the other pins and is situated to receive output of a counter of the HMAC DRBG circuitry and a linear feedback shift register (LFSR) initialization seed value as input when the input on the command pin in the second state. Motivation would have been to provide an input pin serving double-duty according to two differing states, in order to minimize a number of required input pins.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul J Skwierawski whose telephone number is (571)272-2642. The examiner can normally be reached 6:00am-3:30pm weekdays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisory primary examiner (SPE) Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Paul Skwierawski/
Patent Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439