Prosecution Insights
Last updated: May 29, 2026
Application No. 18/387,188

Method for Combined Key Value-Dependent Exchange and Randomization of Two Input Values

Non-Final OA §101
Filed: Nov 06, 2023
Priority: Nov 09, 2022, DE 102022129608.3
Examiner: DHRUV, DARSHAN I
Art Unit: 2498
Tech Center: 2400, Computer Networks
Assignee: Infineon Technologies AG
OA Round: 2 (Non-Final)
Grant Probability: 80% (Favorable)
OA Rounds: 2-3
Est. Remaining: 1m
With Interview: 99%

Examiner Intelligence

Grants 80%, above average
Career Allowance Rate: 80% (358 granted / 447 resolved), +22.1% vs TC avg
Strong +48% interview lift
Interview Lift: +48.3% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 8m (16 currently pending)
Career history
Total Applications: 466 (across all art units)

Statute-Specific Performance

§101: 1.6% (-38.4% vs TC avg)
§103: 94.5% (+54.5% vs TC avg)
§102: 1.5% (-38.5% vs TC avg)
§112: 1.3% (-38.7% vs TC avg)
Based on career data from 447 resolved cases

Office Action

§101
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This written action is responding to the amendment dated on 08/04/2025. Claim 1 has been amended and all other Claims are previously presented. Claims 1-20 are submitted for examination. Claims 1-20 are pending.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Examiner’s Note

The Examiner had contacted the Applicant’s representative and suggested claim amendments to expedite the prosecution. The Applicant’s representative had declined the offer.

Priority

This application filed on November 06, 2023 claims priority of foreign application DE102022120908.3 filed on November 09, 2022.

Information Disclosure Statement

The following Information Disclosure Statements in the instant application submitted in compliance with the provisions of 37 CFR 1.97, and thus, have been fully considered:
IDS filed on 06 November 2023.
IDS filed on 07 November 2023.
IDS filed on 27 August 2025.

Response to Arguments

Applicant’s amendment, filed on August 04, 2025 has claim 1 amended and all other claims previously presented. Among the amended claims, claim 1 is an independent claim.

The prior Double Patenting rejection has been withdrawn in view of the amendment received on August 04, 2025 and the Applicant’s persuasive arguments.

Applicant’s remark, filed on August 04, 2025 on top of page 7 regarding, 35 U.S.C. 101 rejection for the Claims 1-8, 10, 11, 13, 14, 16, 17, 19 and 20 has been considered, however is not found persuasive.

Applicant’s further remark, “claim 1 is not directed to simply implementing these operations on a "generic computer." Instead, the whole purpose of the claim is to prevent the leakage of side-channel from a circuit performing cryptographic operations - this is a technical issue that arises specifically from the fact of performing these cryptographic operations on a (special-purpose) circuit, and obviously does not arise from performing the same or similar operations in one's mind”, has been considered however is not found persuasive. The recited limitations for the Claim such as “determining…..at least two shares of a key value, determining…..at least one modification value that depends on at least one of the first input value and the second input value, determining…for each share, an intermediary value that depends on the share and at least one of the at least one modification value, wherein at least one intermediary value further depends on a randomization value, and arithmetically assembling the intermediary values…..to generate an output value for one of the first input value and the second input value” don’t require a “special-purpose” circuit. The claim limitations can be performed by a generic computer having a generic processor. Specially, the technology has improved so much that the generic processors are very powerful and able to perform cryptographic operations and mathematical operations.

Applicant’s further remark, on top of page 8 regarding, “MPEP §2106.05(a) makes clear that if "it is asserted that the invention improves upon conventional functioning of a computer, or upon conventional technology or technological processes, a technical explanation as to how to implement the invention should be present in the specification," so that one of ordinary skill in the art "would recognize the claimed invention as providing an improvement." That is definitely the case here - the Specification clearly sets forth not only how to implement the invention, but explains in great detail how this invention improves conventional technology, specifically by eliminating the leakage of certain side-channel information that would otherwise be available to someone seeking to break a cryptographic operation by observing various physical characteristics of the circuit” has been considered, however is not found persuasive. MPEP 2106.04(d)(1) states that, The claim must be evaluated to ensure that the claim itself reflects the disclosed improvement. That is, the claim includes the components or steps of the invention that provide the improvement described in the specification. The specification describes in detail regarding leakage of side-channel information and describes solutions to avoid the leakage, however the claim language doesn’t reflect how the leakage of the side-channel is reduced. The claim language simply recites in preamble, “…..a combined key value-dependent exchange and randomization of a first input value and a second input value that reduces the leakage of side-channel information from the circuitry..”. It appears that Figure 2 and the algorithm associated with Figure 2 describe how the leakage of side-channel information is reduced and how this invention improves upon previous inventions. Examiner suggests that incorporating these features into the Claim limitations may help in overcoming 35 U.S.C. 101 Abstract idea rejection.

Applicant’s further remark, on bottom of page 8 regarding, “MPEP §2106.05(a) goes on to explain that the claim must then "be evaluated to ensure the claim itself reflects the disclosed improvement." The claim must include the "components or steps of the invention that provide the improvement" but "but does not need to explicitly recite the improvement." Here, claim 1 includes a specific ordering of mathematical operations that "reflect" the disclosed improvement, by providing a technique for performing an exchange operation in such a way that avoids an attack based on Hamming weight comparisons. While the claim itself does not specifically recite language indicating that the claimed approach specifically provides this security against Hamming-weight-based analysis, the recited steps provide that improvement, as the Specification fully explains” has been considered however is not found persuasive. As explained in above paragraph 13, MPEP 2106.04(d)(1) states that, The claim must be evaluated to ensure that the claim itself reflects the disclosed improvement. That is, the claim includes the components or steps of the invention that provide the improvement described in the specification. The specification describes in detail regarding leakage of side-channel information and describes solutions to avoid the leakage, however the claim language doesn’t reflect how the leakage of the side-channel is reduced. The claim language simply recites in preamble, “…..a combined key value-dependent exchange and randomization of a first input value and a second input value that reduces the leakage of side-channel information from the circuitry..”. It appears that Figure 2 and the algorithm associated with Figure 2 describe how the leakage of side-channel information is reduced and how this invention improves upon previous inventions. Examiner suggests that incorporating these features into the Claim limitations may help in overcoming 35 U.S.C. 101 Abstract idea rejection.

The prior 35 U.S.C 112(b) rejection of Claim 20 has been withdrawn in view of the persuasive arguments by the applicant.

The prior 35 U.S.C 103 rejections of Claims 1-20 have been withdrawn in view of the persuasive arguments by the applicant.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites determining at least two shares of values, at least one modification value, intermediary value that depends on the share and at least one of the modification value and outputting value by performing an arithmetical assembly as drafted.

The limitation of determining at least two shares of values, at least one modification value, intermediary value that depends on the share and at least one of the modification value and outputting value by performing an arithmetical assembly as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “by a circuitry,” (processor) nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by a circuitry” (processor) language, “determining” in the context of this claim encompasses the user manually calculating two values and finding a modification value that depends on input value. Similarly, the limitation of determining an intermediary value that depends on the share and at least one of the modification value, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “by a circuitry” (processor) language, If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – generate an output value for at least one of the first input value and the second input value. The circuitry (processor) in both steps is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of arithmetically assembling the intermediary values…..to generate an output value for one of the first input and the second input value) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.

The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a circuitry (processor) to perform both the determining and calculating steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

The dependent Claims 2-8, 10-11, 13-14, 16-17 and 19-20 do not recite significantly more and are considered as an abstract idea.

Please refer to above paragraphs 13-14 that suggest to overcome the 35 U.S.C. 101 Abstract idea rejection.

Allowable Subject Matter

Claims 1-20 are objected to as being allowable if the 35 U.S.C. 101 Abstract idea rejection is overcome.

The following is an examiner’s statement of reason for allowance.

Macchetti et al. (US PGPUB. # US 2020/0287712) discloses, FIG. 1 are steps of the claimed method that can be applied on any cryptographic group, either of multiplicative nature, like used in the traditional Diffie-Hellman key exchange protocol that relies on the multiplication of integers modulo a prime number p, or of additive nature, like the scalar multiplication of points on an elliptic curve. In the following description, n is the order of the base element G that has to be combined with a secret value k. In a first step two positive secret integers k1 and k2 are generated and are both strictly smaller than n thanks to a cryptographically secure random number generator, k1 and k2 do not share any common divisor with the base element order n. In other words, computing the greatest common divisor of n and k1 and of n and k2, respectively, must each time provide the result 1. The two values k1 and k2 are completely uncorrelated from the secret value k, and consequently, the value k is not required to be present, either timely or physically, when generating k1 and k2. In a second step, a protected value k′ is computed as k′=k1*k2 and has a bit-length that is twice the bit-length of k. Then the protected secret value k′ is used as a second operand in a group operation as shown in a third step in FIG. 1. (Fig. 1, ¶48).

Hamburg et al. (US PGPUB. # US 2022/0075879) discloses, the processing device may use a random number generator to generate a random number. The random number may be a one-bit number b_j, with the subscript j indicating the iteration of the loop. In some implementations, the value of the random bit b_j=1 may indicate that a swapping of the results of the double/add computation is to be performed, whereas the value of the random bit b_j=0 may indicate to the processing device that no swapping is to be done. More specifically, if the processing device determines that b_j=0, the processing device may store the accumulator value A+B in register R(0) (220) and store the new auxiliary value 2B in register R(1) (222). If, however, the processing device determines that b_j=1, the processing device may store the accumulator value A+B in register R(1) (224) and store the new auxiliary value 2B in register R(0) (226). This randomization of outputs makes it harder for an adversary attempting a side-channel attack to determine reliably the value of the key bit k_j. This is because the storage of the outputs A+B and 2B in randomly chosen registers R(0) and R(1) makes it harder for the adversary to correlate emissions (e.g., power consumption) with the outcome of the computational operations 210 and 212. (Fig. 2A, ¶33).

At the beginning of the next, (j+1)-th, iteration of the algorithm, the processing device may retrieve the current value of the accumulator value and the auxiliary value stored in R(0) and R(1). The processing device may have to account for a possibility that the shuffle operation during the previous j-th iteration may have resulted in the accumulator value being stored in R(1) and the auxiliary value being stored in R(0). To preserve the correct dataflow, the processing device may access the value of the random number b_j and load the numbers from R(0) and R(1) in a manner that depends on whether b_j=0 or b_j=1. For example, assuming for the sake of illustration, that k_{j+1}=0, the processing device may determine that during the previous iteration of the algorithm the random number had the value b_j=0. The processing device may compute the value 2R(0) and identify it as the new value of the accumulator 240 (that is equal to 2A+2B, in the current illustration), as indicated by the thick dashed line in FIG. 2A. The processing device may further compute the value R(0)+R(1) (that is equal to A+3B) and determine it to be the new auxiliary number 242, as illustrated by the thin dashed lines in FIG. 2A. If, on the other hand, the processing device assesses that during the previous iteration of the algorithm the random number had the value b_j=1, the processing device may compute the value 2R(1) and identify it as the new accumulator 240, as indicated by the thick solid line in FIG. 2A. Similarly to the scenario where b_j=0, the processing device may compute the value R(0)+R(1) and identify this value as the new auxiliary value 242. Because in the Montgomery ladder algorithm the value R(0)+R(1) is computed at each iteration independent of the value of the random number b_j, R(0)+R(1) may be computed before (or in parallel) with determination of the value b_j.

Similarly, in a situation where k_{j+1}=1, the processing device may compute the value R(0)+R(1) and identify this value as the new accumulator value regardless of the value of the random bit b_j. On the other hand, the new auxiliary value will be dependent on the value of b_j and may be equal to 2R(1) for the unshuffled case of b_j=1, and equal to 2R(0) for the shuffled case of b_j=0. The determined values of the accumulator 240 and the auxiliary number 242 may then be stored in a manner described above in relation to the j-th iteration. Specifically, the processing device may use the random number generator to generate a new random number b_{j+1} and determine, based on b_{j+1}, how the accumulator 240 and the auxiliary number 242 are to be stored in R(0) and R(1). If b_{j+1}=0 (no swapping), the accumulator 240 may be stored in register R(0) and the auxiliary number 242 may be stored in register R(1). If b_{j+1}=1 (swapping), the accumulator 240 may be stored in register R(1) and the auxiliary number 242 may be stored in register R(0). (Fig. 2A, ¶35-¶36).

However, none of the art teaches, “…determining, in the circuitry, for each share, an intermediary value that depends on the share and at least one of the at least one modification value, wherein at least one intermediary value further depends on a randomization value..”, for Claim 1.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.

Simon (US # 2024/0281214) discloses, a method includes performing a cryptographic operation using a processing device. The performing the cryptographic operation includes protecting the performing of the cryptographic operation against side channel attacks by selecting a value amongst two values based on a selection bit. Selecting the value includes concatenating the two values in a register, generating a concatenated word including the two values in two distinct portions of the concatenated word in the register. The concatenated word is rotated according to the value of the selection bit to position the selected value in a determined portion of the concatenated word in the register amongst said two portions. The unselected value in the concatenated word is suppressed. One or more processing operations is performed based on a result of the cryptographic operation.

Susella et al. (US # 2021/0194689) discloses, a method performs cryptographic operations on data in a processing device. An iterative operation between a first operand formed by a given number of words and a second operand using a secret key is performed. The iterative operation includes, for each bit of the secret key, applying one of a first set operations and a second set of operations to the first operand and to the second operand depending on of the bit, and conditionally swapping words of the first and the second operand based on a control bit value obtained by applying a logic XOR function to a random bit.

Chen (US # 2021/0184831) discloses, an obfuscation process is described for obfuscating a cryptographic parameter of cryptographic operations such as calculations used in elliptical curve cryptography and elliptical curve point multiplication. Such obfuscation processes may be used for obfuscating device characteristics that might otherwise disclose information about the cryptographic parameter, cryptographic operations or a cryptographic operations more generally, such as information sometimes gleaned from side channel attacks and lattice attacks.

Tunstall (US # 2017/0257210) discloses, a first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.

Parkinson (US # 9,590,805) discloses, a method includes receiving a first input value and a second input value, and obtaining a set of pre-computed values, wherein each pre-computed value is computed as the first input value multiplied by a given multiple in a set of multiples comprising powers of 2. A cryptographic process is performed to generate a cryptographic value based on the first and second input values, and one or more of the pre-computed values, wherein the cryptographic value that is generated is usable to generate a secure message or digital signature. The cryptographic process includes performing an iterative scalar multiplication process in which each step of the iterative scalar multiplication process is performed using a single point add operation to multiply a bit of the second input value with one of the pre-computed values in the set of pre-computed values.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DARSHAN I DHRUV/
Primary Examiner, Art Unit 2498
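
The randomized register storage that the action summarizes from Hamburg et al. can be followed in code. The block below is an added example, not code from the office action, the cited publication or the application: it runs a Montgomery ladder whose two outputs are written to R[0] and R[1] in an order chosen by a fresh random bit each iteration, and reads them back using the previous bit. The additive group of integers modulo n stands in for an elliptic-curve group, and the function name, its parameters and the sample values are assumptions constructed for the illustration.

```python
import secrets


def shuffled_ladder(k, G, n, rand_bit=None):
    """Compute k*G mod n with a Montgomery ladder that stores its two
    outputs in randomly chosen registers after every iteration.

    Returns (result, placements), where placements[i] is the random bit
    used to store the outputs of the i-th processed key bit.
    Hypothetical helper written for this example.
    """
    if rand_bit is None:
        rand_bit = lambda: secrets.randbits(1)

    # Ladder invariant: auxiliary - accumulator == G (mod n).
    R = [0, G % n]   # start unshuffled: accumulator in R[0], auxiliary in R[1]
    b = 0            # random bit of the previous iteration (0 = no swap)
    placements = []

    for j in reversed(range(k.bit_length())):   # most significant bit first
        kj = (k >> j) & 1

        # Load: the previous random bit says which register holds which value.
        acc, aux = R[b], R[1 - b]

        # R[0] + R[1] is needed in every iteration and does not depend on b,
        # so it can be computed before b is consulted.
        total = (R[0] + R[1]) % n

        if kj == 0:
            new_acc, new_aux = (2 * acc) % n, total
        else:
            new_acc, new_aux = total, (2 * aux) % n

        # Store: a fresh random bit decides the placement for this iteration.
        b = rand_bit() & 1
        R[b], R[1 - b] = new_acc, new_aux
        placements.append(b)

    return R[b], placements


def demo():
    # Constructed sample values: small modulus, base element and scalar.
    n, G, k = 97, 5, 0b101101
    never, _ = shuffled_ladder(k, G, n, rand_bit=lambda: 0)
    always, _ = shuffled_ladder(k, G, n, rand_bit=lambda: 1)
    mixed, placements = shuffled_ladder(k, G, n)
    return never, always, mixed, placements


if __name__ == "__main__":
    print(demo())
```

The result is the same for every sequence of random bits, while the register that holds the accumulator changes from run to run. Python integer arithmetic and the branch on the key bit are not constant-time, so the block shows the dataflow only and is not a side-channel-hardened implementation.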

Prosecution Timeline

Nov 06, 2023: Application Filed
May 21, 2025: Non-Final Rejection mailed (§101)
Aug 04, 2025: Response Filed
Dec 12, 2025: Final Rejection mailed (§101)
Feb 12, 2026: Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12634297: SYSTEMS AND METHODS FOR AUTONOMOUS PROGRAM DETECTION (4y 9m to grant, granted May 19, 2026)
Patent 12632537: Executing Cryptographic Operations In A Secure Element Platform Runtime Environment (2y 5m to grant, granted May 19, 2026)
Patent 12627472: DATA TRANSMISSION USING LATTICE-BASED ENCRYPTION (2y 11m to grant, granted May 12, 2026)
Patent 12627482: SECURE THREE-PARTY MULTIPLICATION METHOD AND SYSTEM FOR PRIVACY COMPUTING (2y 7m to grant, granted May 12, 2026)
Patent 12621141: COMPUTER SYSTEM, AND SYSTEM MEMORY ENCRYPTION AND DECRYPTION METHOD (1y 7m to grant, granted May 05, 2026)
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 2-3
Grant Probability: 80%
With Interview: 99% (+48.3%)
Median Time to Grant: 2y 8m (~1m remaining)
PTA Risk: Moderate
Based on 447 resolved cases by this examiner. Grant probability derived from career allowance rate.
