Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination
1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/24/2025 has been entered.
Claim Status
2. Claims 29-30 and 33 have currently been amended.
Response to Arguments
3. The applicant’s arguments filed 2/18/2026 have been taken into consideration, but are moot in view of new grounds of rejection.
A. The previous claim objection and rejection under 35 USC 101 has been withdrawn in light of the current claim amendments.
B. In response to the applicant’s argument (disclosed on pg. 1-2 of the applicant’s remarks segment) that the cited prior art fails to teach or suggest generating, by the processing unit, a set of possible values of the at least one intermediate result, the set of possible vales including correct intermediate value candidates and incorrect intermediate value candidates:
See fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25 of newly cited prior art reference Choi (US 2023/0044442), which discloses providing a potential adversary with a true leak of a possibility of values required in a cryptographic operation (e.g., the set of possible values including correct intermediate value candidates) and simultaneously providing the potential adversary with false decoy data along with the true leak values, to prevent the potential adversary from executing an attack (e.g., incorrect intermediate value candidates).
Claim Rejections – 35 USC 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office Action:
A patent may not be obtained through the invention is not identically disclosed or described as set forth in of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
5. Claims 16-35 are rejected under 35 USC 103 as being unpatentable over Belenky et al (US 2023/0269065) in view of Walters et al (US 2016/0140340), further in view of Choi (US 2023/0044442).
With respect to claim 16, Belenky et al teaches a method of protecting a cryptographic device against side-channel attacks (par [0005], lines 1-8 & par [0152], lines 10-13, which disclose determining vulnerability related to and performing countermeasures for preventing side-channel attacks), the cryptographic device comprising a cryptographic unit (par [0021], lines 1-10) and a processing unit (par [0021], lines 1-10), and the method comprising:
performing, by the cryptographic unit, a cryptographic operation on input data, wherein said cryptographic operation generates at least one intermediate result (Abstract, lines 1-10, fig. 1, ‘110-‘120 & 7A-7B, which discloses performing a cryptographic functions on a plurality of input values to produce a plurality of bits); and
generating, by the processing unit, a set of possible values of the at least one intermediate result (fig. 1 & par [0041], lines 10-20, which disclose a set of possible values corresponding to the subset of data that the cryptographic function has been applied to).
Belenky et al does not explicitly teach leaking, by the cryptographic device, the set of possible values of the intermediate result.
However, Walters et al teaches leaking, by the cryptographic device, the set of possible values of the intermediate result (fig. 7, fig. 9, par [0043], par [0106], lines 1-6, par [0108], lines 1-10, and par [0127], lines 6-12, which disclose providing a plurality of intermediate values pertaining to several combinations of data to be presented to a potential attacker).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al because incorporating the feature of detecting side channel attack vulnerabilities by providing dummy index of intermediate values (as disclosed in fig. 14A & par [0115], lines 20-24 of Walters et al) would allow for improved tracing of leakage source because the intermediate values are used to provide more in depth information on location and sources of potential side-channel attacks.
Belenky et al and Walters et al do not explicitly teach the set of possible values including correct intermediate value candidates and incorrect intermediate value candidates.
However, Choi teaches the set of possible values including correct intermediate value candidates (fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25, which disclose providing a potential adversary with a true leak of a possibility of values required in a cryptographic operation) and incorrect intermediate value candidates (fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25, which disclose simultaneously providing the potential adversary with false decoy data along with the true leak values, to prevent the potential adversary from executing an attack).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Choi within the disclosure of Belenky et al and Walters et al in order to improve attack prevention by providing potential attackers with decoy candidate cryptographic key values (as disclosed in par [0039], lines 10-20 of Choi) because this feature would decrease potential side-channel attacks by confusing attackers by providing attackers with fraudulent data rather than data required to access the secure device each attacker is attempting to access.
Regarding claim 17, Belenky et al does not explicitly teach wherein the cryptographic device leaks the set of possible values of the at least one intermediate result after the processing unit has generated said set.
However, Walters et al teaches wherein the cryptographic device leaks the set of possible values of the at least one intermediate result after the processing unit has generated said set (fig. 9, which discloses providing leaking instruction output data).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 16.
Regarding claim 18, Belenky et al does not explicitly teach wherein the possible values of the at least one intermediate result are generated and leaked one at a time.
However, Walters et al teaches wherein the possible values of the at least one intermediate result are generated and leaked one at a time (fig. 9, which discloses providing leaking instruction output data sequentially).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 16.
Regarding claim 19, Belenky et al does not explicitly teach wherein the cryptographic device leaks said possible values using a leakage register.
However, Walters et al teaches wherein the cryptographic device leaks said possible values using a leakage register (par [0112], lines 12-14, which discloses registers were leaked intermediate data is confined to).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al because incorporating the feature of detecting side channel attack vulnerabilities by providing dummy index of intermediate values (as disclosed in fig. 14A & par [0115], lines 20-24 of Walters et al) would allow for improved tracing of leakage source because the intermediate values are used to provide more in depth information on location and sources of potential side-channel attacks.
Regarding claim 20, Belenky et al, Walters et al, and Choi teach the limitations of claim 16.
Belenky et al further teaches wherein the cryptographic operation uses a key (par [0038]), and wherein the processing unit derives the possible values of the at least one intermediate result from possible values of said key (par [0038], which discloses generating input data to prevent from being provided to an attacker using a secret key).
Regarding claim 21, Belenky et al does not explicitly teach wherein the cryptographic operation comprises an advanced encryption standard (AES) block cipher.
However, Walters et al teaches wherein the cryptographic operation comprises an advanced encryption standard (AES) block cipher (par [0073], lines 5-10).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 19.
Regarding claim 22, Belenky et al, Walters et al teach the limitations of claim 16.
Belenky et al further teaches wherein the processing unit generates the possible values of the at least one intermediate result by performing XOR-operations (par [0039], lines 10-20), wherein each of the XOR-operations is performed on a predefined portion of the input data and on a predefined portion of a possible key value to produce and output (par [0049], lines 1-3), and S-box operations on the output of the XOR-operations (par [0039], lines 10-20).
Regarding claim 23, Belenky et al, Walters et al, and Choi teach the limitations of claim 16.
Belenky et al further teaches wherein the S-box operations are executed by an unsecured S- box implementation (par [0039], lines 10-20).
Regarding claim 24, Belenky et al does not explicitly teach wherein all possible values of the at least one intermediate result are generated and leaked.
However, Walters et al teaches wherein all possible values of the at least one intermediate result are generated and leaked (fig. 9).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 19.
Regarding claim 25, Belenky et al does not explicitly teach wherein the cryptographic device leaks the possible values of the at least one intermediate result in a predefined, device-specific order.
However, Walters et al teaches wherein the cryptographic device leaks the possible values of the at least one intermediate result in a predefined, device-specific order (fig. 9 & par [0013], lines 1-3, “device-specific interactions”).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al because incorporating the feature of detecting side channel attack vulnerabilities by providing dummy index of intermediate values (as disclosed in fig. 14A & par [0115], lines 20-24 of Walters et al) would allow for improved tracing of leakage source because the intermediate values are used to provide more in depth information on location and sources of potential side-channel attacks.
Regarding claim 26, Belenky et al does not explicitly teach wherein the cryptographic device uses at least one of a device-specific permutation seed, a shuffling algorithm or generation function to leak the possible values of the at least one intermediate result in the predefined, device-specific order.
However, Walters et al teaches wherein the cryptographic device uses at least one of a device-specific permutation seed, a shuffling algorithm (par [0068], lines 16-18, which discloses using masking to shuffle the order of operation regarding the leaked data) or generation function to leak the possible values of the at least one intermediate result in the predefined, device-specific order.
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 25.
Regarding claim 27, Belenky et al does not explicitly teach wherein the processing unit comprises multiple sub-engines operating in parallel, wherein each of said sub-engines generates a part of the set of possible values of the at least one intermediate result.
However, Walters et al teaches wherein the processing unit comprises multiple sub-engines operating in parallel (fig. 4, ’410/’420), wherein each of said sub-engines generates a part of the set of possible values of the at least one intermediate result (fig. 5, ‘511/’513-‘514).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 25.
Regarding claim 28, Belenky et al does not explicitly teach wherein the processing unit comprises multiple sub-engines operating in parallel, wherein each of said sub-engines generates a part of the set of possible values of the at least one intermediate result.
However, Walters et al teaches wherein the processing unit is supplied with a faster clock than the cryptographic unit, and/or wherein the processing unit applies pipelining to generate the set of possible values of the at least one intermediate result (par [0069], lines 10-20).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 25.
With respect to claim 29, Belenky et al teaches a non-transitory storage medium (par [0021], lines 1-3) comprising a computer program comprising executable instructions which, when executed by a processor of a cryptographic device (par [0176], lines 1-5) cause the processor to perform a method of protecting a cryptographic device against side-channel attacks (par [0005], lines 1-10), the method comprising:
performing, by the processor, a cryptographic operation on input data, wherein said cryptographic operation generates at least one intermediate result (Abstract, lines 1-10, fig. 1, ‘110-‘120 & 7A-7B, which discloses performing a cryptographic functions on a plurality of input values to produce a plurality of bits); and
generating, by the processor, a set of possible values of the at least one intermediate result (fig. 1 & par [0041], lines 10-20, which disclose a set of possible values corresponding to the subset of data that the cryptographic function has been applied to).
Belenky et al does not explicitly teach leaking, by the processor, said set of possible values of the intermediate result.
However, Walters et al teaches leaking, by the processor, the set of possible values of the intermediate result (fig. 7, fig. 9, par [0043], par [0106], lines 1-6, par [0108], lines 1-10, and par [0127], lines 6-12, which disclose providing a plurality of intermediate values pertaining to several combinations of data to be presented to a potential attacker).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al because incorporating the feature of detecting side channel attack vulnerabilities by providing dummy index of intermediate values (as disclosed in fig. 14A & par [0115], lines 20-24 of Walters et al) would allow for improved tracing of leakage source because the intermediate values are used to provide more in depth information on location and sources of potential side-channel attacks.
Belenky et al and Walters et al do not explicitly teach the set of possible values including correct intermediate value candidates and incorrect intermediate value candidates.
However, Choi teaches the set of possible values including correct intermediate value candidates (fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25, which disclose providing a potential adversary with a true leak of a possibility of values required in a cryptographic operation) and incorrect intermediate value candidates (fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25, which disclose simultaneously providing the potential adversary with false decoy data along with the true leak values, to prevent the potential adversary from executing an attack).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Choi within the disclosure of Belenky et al and Walters et al in order to improve attack prevention by providing potential attackers with decoy candidate cryptographic key values (as disclosed in par [0039], lines 10-20 of Choi) because this feature would decrease potential side-channel attacks by confusing attackers by providing attackers with fraudulent data rather than data required to access the secure device each attacker is attempting to access.
With respect to claim 30, Belenky et al teaches a cryptographic device configured to protect against side-channel attacks (par [0005], lines 1-8 & par [0152], lines 10-13, which disclose determining vulnerability related to and performing countermeasures for preventing side-channel attacks), the cryptographic device comprising:
a cryptographic unit configured to perform a cryptographic operation on input data, to generate at least one intermediate result (Abstract, lines 1-10, fig. 1, ‘110-‘120 & 7A-7B, which discloses performing a cryptographic functions on a plurality of input values to produce a plurality of bits); and
a processing unit configured to generate a set of possible values of the at least one intermediate result (fig. 1 & par [0041], lines 10-20, which disclose a set of possible values corresponding to the subset of data that the cryptographic function has been applied to).
Belenky et al does not explicitly teach wherein the cryptographic device is configured to leak said set of possible values of the intermediate result.
However, Walters et al teaches wherein the cryptographic device is configured to leak the set of possible values of the intermediate result (fig. 7, fig. 9, par [0043], par [0106], lines 1-6, par [0108], lines 1-10, and par [0127], lines 6-12, which disclose providing a plurality of intermediate values pertaining to several combinations of data to be presented to a potential attacker).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al because incorporating the feature of detecting side channel attack vulnerabilities by providing dummy index of intermediate values (as disclosed in fig. 14A & par [0115], lines 20-24 of Walters et al) would allow for improved tracing of leakage source because the intermediate values are used to provide more in depth information on location and sources of potential side-channel attacks.
Belenky et al and Walters et al do not explicitly teach the set of possible values including correct intermediate value candidates and incorrect intermediate value candidates.
However, Choi teaches the set of possible values including correct intermediate value candidates (fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25, which disclose providing a potential adversary with a true leak of a possibility of values required in a cryptographic operation) and incorrect intermediate value candidates (fig. 5-6, par [0009], par [0032], and par [0041], lines 8-25, which disclose simultaneously providing the potential adversary with false decoy data along with the true leak values, to prevent the potential adversary from executing an attack).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Choi within the disclosure of Belenky et al and Walters et al in order to improve attack prevention by providing potential attackers with decoy candidate cryptographic key values (as disclosed in par [0039], lines 10-20 of Choi) because this feature would decrease potential side-channel attacks by confusing attackers by providing attackers with fraudulent data rather than data required to access the secure device each attacker is attempting to access.
Regarding claim 31, Belenky et al does not explicitly teach wherein the cryptographic device leaks the set of possible values of the at least one intermediate result after the processing unit has generated said set.
However, Walters et al teaches wherein the cryptographic device leaks the set of possible values of the at least one intermediate result after the processing unit has generated said set (fig. 9, which discloses providing leaking instruction output data).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 30.
Regarding claim 32, Belenky et al does not explicitly teach wherein the possible values of the at least one intermediate result are generated and leaked one at a time.
However, Walters et al teaches wherein the possible values of the at least one intermediate result are generated and leaked one at a time (fig. 9, which discloses providing leaking instruction output data sequentially).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 30.
Regarding claim 33, Belenky et al does not explicitly teach wherein the cryptographic device leaks the possible values using a leakage register.
However, Walters et al teaches wherein the cryptographic device leaks the possible values using a leakage register (par [0112], lines 12-14, which discloses registers were leaked intermediate data is confined to).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al because incorporating the feature of detecting side channel attack vulnerabilities by providing dummy index of intermediate values (as disclosed in fig. 14A & par [0115], lines 20-24 of Walters et al) would allow for improved tracing of leakage source because the intermediate values are used to provide more in depth information on location and sources of potential side-channel attacks.
Regarding claim 34, Belenky et al, Walters et al, and Choi teach the limitations of claim 30.
Belenky et al further teaches wherein the cryptographic operation uses a key (par [0038]), and wherein the processing unit derives the possible values of the at least one intermediate result from possible values of said key (par [0038], which discloses generating input data to prevent from being provided to an attacker using a secret key).
Regarding claim 35, Belenky et al does not explicitly teach wherein the cryptographic operation comprises an advanced encryption standard, AES, block cipher.
However, Walters et al teaches wherein the cryptographic operation comprises an advanced encryption standard, AES, block cipher (par [0073], lines 5-10).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Walters et al within the disclosure of Belenky et al according to the motivation disclosed regarding claim 33.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RANDY A SCOTT/Primary Examiner, Art Unit 2439 20260403