PERFORMING COMPUTE FUNCTIONS IN SECURE COMPUTE NODES

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1, 3-10 and 12-19 have been examined. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 3/25/26 has been entered. Response to Arguments Applicant's arguments filed on 3/25/26 have been fully considered but they are not persuasive. Regarding Applicant’s remarks, Applicant mainly argues that the combination of prior art of record does not explicitly disclose the unique combination of features claimed. Specifically, Applicant asserts that Vogelberg does not appear to anticipate a scenario in which data is provided to a first client site, where the predetermined code run on decrypted data is provided by the first client site. Applicant’s arguments with respect to claims 1, 3-10 and 12-19 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Examiner’s Comment Claims 10 and 12-19 recite computer readable storage media. According to the Specification, computer readable storage media is not to be construed as storage in the form of transitory signals per se (Specification: [0025]). Therefore, claims will be examined accordingly. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 5-9, 10 and 14-19 are rejected under 35 U.S.C. 103 as unpatentable over Vogelberg et al. U.S. Pub. No. 2024/0411912 (hereinafter Vogelberg) in view of Jordan et al. U.S. 2011/0145596 (hereinafter Jordan). As per claim 1, 10 and 19, Vogelberg discloses a computer-implemented method (CIM)/computer program product/computer system, the CIM comprising: causing a first compute function to be performed on a first secure compute node that is configured to retrieve data directly from a storage system via a connection between the first secure compute node and the storage system (Vogelberg: Abstract: server computer/first secure compute node retrieves encrypted data directly from a memory device/storage system connected to the server; [0048]: encrypted data is stored on a memory device on a server device), wherein performing the first compute function includes: retrieving, via the connection between the first compute node and the storage system, encrypted first data directly from the storage system (Vogelberg: [0007]: server/ first compute node retrieves encrypted data from memory device/storage system; [0015]: first encrypted data associated with first client in a first database, second encrypted data stored in second database is encrypted with second encryption key), causing a first encryption key to be used to decrypt at least some of the encrypted first data (Vogelberg: [0007]: decrypt encrypted data), and running predetermined code on the decrypted data (Vogelberg: [0007]: fulfill processing request to determine processed data, i.e. based on predetermined code on decrypted data); and providing a first client site with first data that includes results of running the predetermined code on the decrypted data (Vogelberg: [0011]: deliver processed data to client); wherein the storage system does not have access to the first encryption key, wherein the first encryption key is provided to the first secure compute node by the first client site (Vogelberg: [0053]: the data stored in databases are encrypted using keys associated with clients; [0007]: server process client’s request using key provided by the client to decrypt encrypted data); and wherein the first compute node is configured according to a predetermined time-multiplexed scheme, wherein the predetermined time-multiplexed scheme configuration is based on: the first secure compute node holding encryption key(s) for a predetermined amount of time (Vogelberg: [0020]; [0041]-[0043]: delete key and data upon completion of processing request). Vogelberg does not explicitly disclose wherein the first secure compute node wiping a history of execution of compute functions on the first secure compute node in response to a determination that the predetermined amount of time has passed. However, Vogelberg at least suggests deleting keys and decrypted processed data, as appropriate upon completion of the process (Vogelberg: [0020]; [0041]-[0043]: delete key and data upon completion of processing request). Therefore, it would have been obvious to one having ordinary skill in the art to include execution history and all related operation data within predetermined time frame, e.g. completion of processing request, to ensure data security. Vogelberg does not explicitly disclose wherein the predetermined code is received from a first client site. However, Jordan, in the same field of endeavor, discloses client provides customized secure processing function to secure operating system of intermediary processing server to process encrypted protected data (Jordan: [0026]). It would have been obvious to one having ordinary skill in the art to provide processing functions to the server of Vogelberg to allow flexible and dynamic processing of sensitive data with no possibility to access sensitive data form the operating system (Jordan: [0051]). As per claim 5 and 14, Vogelberg discloses the limitations of claims 1 and 10 respectively. Vogelberg further discloses wherein the wiping includes: verifiably deleting the encryption key(s); uploading results of the performance of compute functions to the storage system; and verifiably deleting the results of the performance of compute functions (Vogelberg: [0020]; [0041]-[0043]: delete key and data upon completion of processing request). Therefore, it would have been obvious to one having ordinary skill in the art to delete the key after a predetermined amount of time, e.g. completion of processing request, to ensure data security. As per claim 6 and 15, Vogelberg discloses the limitations of claims 5 and 14 respectively. Vogelberg further discloses receiving, subsequent to the predetermined amount of time passing, on the first secure compute node from a second client site, a second encryption key; and causing a second compute function to be performed on the first secure compute node for the second client site, wherein the storage system does not have access to the second encryption key (Vogelberg: [0007]; [0015] and [0024]: process second encrypted data stored in second database using second client key). Perform secure processing sequentially or in parallel are matter of design choice, since both implementations are well known in the art. As per claim 7 and 16, Vogelberg discloses the limitations of claims 1 and 10 respectively. Vogelberg discloses processing second encrypted data stored in second database using second client key (Vogelberg: [0007]; [0015] and [0024]: process second encrypted data stored in second database using second client key). Vogelberg does not explicitly disclose causing a second compute function to be performed on a second secure compute node that is configured to retrieve data from the storage system, wherein the first compute function and the second compute function are concurrently performed; and providing a second client site with second data that results from performing the second compute function. However, performing parallel processing using multiple secure compute nodes appear is well known in the art to improve efficiency. As per claim 8, 9, 17 and 18, Vogelberg discloses the limitations of claims 1 and 10 respectively. Vogelberg does not explicitly disclose the limitations are recited in claims 8, 9, 17 and 18. However, Vogelberg discloses processing client request on retrieved encrypted data based on user’s processing instructions (Vogelberg: [0049]-[0051]). It would have been an obvious matter of design choice to process data based on various user instructions, e.g. data compression, modification, addition, deletion, etc., since the system of Vogelberg would perform equally well to securely process encrypted data according to well-known data operations. Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Vogelberg in view of Jordan and further in view of Roth et al. U.S. Pat. No. 9,584,517 (hereinafter Roth). As per claim 3 and 12, Vogelberg discloses the limitations of claims 2 and 11 respectively. Vogelberg does not explicitly disclose wherein the first secure compute node is a data processing unit (DPU) that is a secure and isolated execution environment, wherein the connection between the first secure compute node and the storage system is established by an Ethernet cord or a peripheral component interconnect (PCI) express between the first compute node and the storage system. However, Roth discloses a server comprising secure enclave to securely process data in isolated environment (Roth: Fig. 1: secure enclave processes data from data server; col. 2 ll. 21-48). It would have been obvious to one having ordinary skill in the art to process data in secure execution environment in network to prevent unauthorized access to encrypted data, as well known in the art. Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Vogelberg in view of Jordan and further in view of Paolino et al. U.S. Pub. No. 2017/0371698 (hereinafter Paolino). As per claim 4 and 13, Vogelberg discloses the limitations of claims 2 and 11 respectively. Vogelberg does not explicitly disclose wherein the first secure compute node is a virtual machine that is configured to retrieve data from the storage system via an Ethernet switch, wherein the first secure compute node is attached to an accelerator component that the first secure compute node uses to perform predetermined operator functions including the decrypting of the at least some of the encrypted first data. However, Paolino discloses dynamically allocating hardware acceleration resources to virtual machines to encrypt/decrypt data (Paolino: [0048]). It would have been obvious to one having ordinary skill in the art to execute virtual machines and accelerator on a server system to securely process request of multiple clients using shared hardware resources. The motivation to combine would be to enhance resource utilization, flexibility and security. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Bowman-Amuah U.S. 6,615,253 discloses efficient server side data retrieval for execution of client side applications. Liu et al. U.S. 2022/0405383 discloses training data protection in artificial data protection in artificial intelligence model execution environment. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am- 7pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SHIN-HON (ERIC) CHEN/ Primary Examiner, Art Unit 2431