DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on February 17, 2026.
Status of claims within the present application:
Claims 1 – 30 are pending.
Claims 1, 16, 20, and 24 are amended.
Claim Objections
Claims 1 and 3 are objected to because of the following informalities:
The text “Error! Reference source not found.” appears within claims 1 and 3 (an unresolved word-processor cross-reference).
Appropriate correction is required.
Response to Arguments
With respect to independent claim 1, Applicant argued that the prior art does not teach “generating a combined key material by combining the encrypted first key material and the additional key material without decrypting the encrypted first key material.” Examiner notes that No does teach “a homomorphic rotation operation key is generated using a public key and a hierarchical Galois key of the first electronic device stored in the memory and transmitted to the first server in response to not searching the memory for the homomorphic encryption operation key” [Para. 26] and “the hierarchical Galois key is a type of public key capable of generating an operation key (evaluation key) for a rotation operation of a homomorphic ciphertext. The hierarchical Galois key may include one or more Galois keys. The hierarchical Galois key including one or more Galois keys may be referred to as a hierarchical Galois key or a hierarchical Galois key set for convenience of description. For example, the hierarchical Galois key may include a Galois key corresponding to a k-step shift. Since the key is a type of public key, the processor 110 may generate an operation key for the rotation operation using the received hierarchical Galois key without knowing a secret key of the client 200.” [Para. 61]. This mapping teaches that the homomorphic rotation operation key is generated from key materials, that the first key material can be a hierarchical Galois key, and that the hierarchical Galois key can be used to generate the homomorphic rotation operation key without the client's secret key, within a homomorphic encryption scheme. Therefore, the rejection is maintained.
With respect to independent claim 21, Applicant argued that the prior art does not teach “transmitting the encrypted secret from the secret management service to the application;” and “decrypting, by the application, the encrypted secret using a private key of the key pair;”. Examiner notes that Rahn does teach “UI agent 204 can be configured to receive parameters to configure the cryptographic information used by network devices and client devices in deployment 100 and for rotating the cryptographic information. UI agent 204 can write these parameters to cryptographic rotation policy 124. Crypto-rotate agent (rotation agent) 206 can configure a rotation schedule to generate new/updated cryptographic information according to rotation parameters in cryptographic rotation policy 124. One or more crypto-push agents (push agents) 208 can push the updated cryptographic information to the client and network devices in response to being notified that the cryptographic information has been updated.” [Para. 29] and “A device receiving the encrypted packet decrypts the received packet with a corresponding decrypting key.” [Para. 21]. These mappings teach the claimed limitations respectively: they describe how the cryptographic information is pushed from the crypto-push agents to the client and network devices, and the decryption of the encrypted packets using the corresponding decrypting key. Therefore, the rejection is maintained.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 – 17 and 19 – 30 are rejected under 35 U.S.C. 103 as being unpatentable over US 20230254125 A1 to No et al., (hereinafter, “No”) in view of US 20230078179 A1 to Rahn et al., (hereinafter, “Rahn”).
Regarding claim 1, No teaches a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing blind secret management and rotation, the operations comprising: identifying, by a secret rotation manager operating in a first network environment, an encrypted version of a first key material; [No, para. 45 discloses the token may include information on a right to use the operation key between the client 200 and the server 300. The token is transmitted and received by being encrypted, and only the client 200 issuing the token and the homomorphic encryption operation key management system 100 to which operation key generation is delegated from the client 200 may decrypt the token. The server 300 may receive the token and transmit the token to the homomorphic encryption operation key management system 100, and cannot decrypt the encrypted content.] generating a combined key material by combining the encrypted first key material and the additional key material without decrypting the encrypted first key material; [No, para. 26 discloses a homomorphic rotation operation key is generated using a public key and a hierarchical Galois key of the first electronic device stored in the memory and transmitted to the first server in response to not searching the memory for the homomorphic encryption operation key. Para. 61 discloses the hierarchical Galois key is a type of public key capable of generating an operation key (evaluation key) for a rotation operation of a homomorphic ciphertext. The hierarchical Galois key may include one or more Galois keys. The hierarchical Galois key including one or more Galois keys may be referred to as a hierarchical Galois key or a hierarchical Galois key set for convenience of description. For example, the hierarchical Galois key may include a Galois key corresponding to a k-step shift. Since the key is a type of public key, the processor 110 may generate an operation key for the rotation operation using the received hierarchical Galois key without knowing a secret key of the client 200.] and providing the combined key material to at least one rotation agent operating in a second network environment; [No, para. 70 discloses the homomorphic encryption operation key management system 100 may receive a first token and an operation key request from a first server 300. The operation key request may include information on a type and number of required operation keys. Para. 72 discloses the homomorphic encryption operation key management system 100 may search the memory 120 for the operation key. When the operation key is found, the homomorphic encryption operation key management system 100 may immediately transmit the found operation key to the first server 300 (step S405).] wherein the at least one rotation agent is configured to decrypt at least the encrypted first key material of the combined key material; [No, para. 45 discloses the homomorphic encryption operation key management system 100 may decrypt the token using a method previously agreed upon with the client 200.], but No does not teach generating, by the secret rotation manager, an additional key material; and wherein the at least one rotation agent is configured to generate, according to a secret generation policy, a secret using at least the decrypted first key material and the additional key material.
However, Rahn does teach generating, by the secret rotation manager, an additional key material; [Rahn, para. 50 discloses the rotation agent can generate a new pair of encryption/decryption keys. In the case of a secure shell for a server or a client device, the rotation agent can generate a new password, and so on. In some embodiments, the rotation agent can generate cryptographic data using suitable random number or random bit generation algorithms. These can be pseudo-random or truly random based on the source of entropy.] and wherein the at least one rotation agent is configured to generate, according to a secret generation policy, a secret using at least the decrypted first key material and the additional key material. [Rahn, para. 50 discloses the rotation agent can interact with one or more hardware security modules (e.g., HSM 126) for high-entropy key generation. Because the cryptographic information is computer-generated, the secrets (e.g., encryption/decryption keys, password, etc.) can be much stronger than human-generated secrets. The rotation agent can write the newly generated (updated) cryptographic information to the system state database. The rotations run automatically (rotations are triggered by timers) and autonomously without user intervention (the rotation agent generates its own secrets, and in some embodiments with the help of HSMs).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with the motivation of providing a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention, to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
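For readers following the claim 1 mapping, the following Go program is an added illustration of the claimed flow; it is not part of the application, of No, or of Rahn. It separates the two roles the claim names: a secret rotation manager in the first network environment, which holds only an encrypted first key material and draws fresh additional key material, and a rotation agent in the second network environment, which alone holds the private key. The "combining" is done by length-prefixed concatenation (one of the two options claim 3 recites), so the manager never decrypts anything. RSA-OAEP as the wrapping scheme, the 32-byte additional key material, the HMAC-SHA256 derivation and the SecretPolicy fields are assumptions chosen for this demonstration; the claims fix none of them.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

var oaepLabel = []byte("blind-rotation/first-key-material") // assumed OAEP label

// NewAgentKey is the rotation agent's key pair (second network environment).
func NewAgentKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// WrapFirst encrypts the first key material under the agent's public key; this
// ciphertext is what the manager later "identifies" and never opens.
func WrapFirst(pub *rsa.PublicKey, first []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, first, oaepLabel)
}

// Combine frames chunks with 4-byte big-endian length prefixes (concatenation).
func Combine(chunks ...[]byte) []byte {
	var buf bytes.Buffer
	for _, c := range chunks {
		binary.Write(&buf, binary.BigEndian, uint32(len(c)))
		buf.Write(c)
	}
	return buf.Bytes()
}

// Split reverses Combine and rejects truncated or malformed framing.
func Split(combined []byte) ([][]byte, error) {
	var out [][]byte
	for len(combined) > 0 {
		if len(combined) < 4 {
			return nil, errors.New("truncated length prefix")
		}
		n := int(binary.BigEndian.Uint32(combined))
		if combined = combined[4:]; n > len(combined) {
			return nil, errors.New("chunk length exceeds input")
		}
		out, combined = append(out, combined[:n]), combined[n:]
	}
	return out, nil
}

// ManagerRotate is the manager's step: it holds encFirst but no key to open it,
// draws 32 random bytes of additional key material, and frames the two together.
func ManagerRotate(encFirst []byte) ([]byte, error) {
	additional := make([]byte, 32)
	if _, err := rand.Read(additional); err != nil {
		return nil, err
	}
	return Combine(encFirst, additional), nil
}

// SecretPolicy stands in for the claimed secret generation policy.
type SecretPolicy struct {
	Label  string // context mixed into the derivation, e.g. the target name
	Length int    // characters of secret to emit (at most 43 here)
}

// AgentGenerate is the agent's step: split the framing, decrypt only the first
// part with the private key, then derive the secret from BOTH parts (assumed
// derivation: HMAC-SHA256 keyed by the first material, base64url-encoded).
func AgentGenerate(priv *rsa.PrivateKey, combined []byte, p SecretPolicy) (string, error) {
	parts, err := Split(combined)
	if err != nil {
		return "", err
	}
	if len(parts) != 2 {
		return "", fmt.Errorf("expected 2 parts, got %d", len(parts))
	}
	first, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, parts[0], oaepLabel)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, first)
	mac.Write(parts[1])
	mac.Write([]byte(p.Label))
	secret := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	if p.Length <= 0 || p.Length > len(secret) {
		return "", errors.New("policy length out of range for this derivation")
	}
	return secret[:p.Length], nil
}

func main() {
	priv, _ := NewAgentKey()
	encFirst, _ := WrapFirst(&priv.PublicKey, []byte("customer seed, clear only in env B")) // constructed
	combined, _ := ManagerRotate(encFirst)
	secret, err := AgentGenerate(priv, combined, SecretPolicy{Label: "db/prod/password", Length: 32})
	fmt.Println(secret, err)
}
```

The property worth checking is the "blind" one: the bytes the manager frames are opaque to it, and a party holding the combined material without the private key cannot recover the secret, while the agent can re-derive the same secret from the same combined material. A homomorphic variant (the other option claim 3 recites) would replace Combine with an operation over ciphertexts; the role split is unchanged.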
As per claim 2, modified No teaches the non-transitory computer readable medium of claim 1, wherein the operations further comprise: encrypting, by the secret rotation manager, the additional key material; [No, para. 11 discloses The token may encrypt and include at least one of a user identity of the first electronic device, allowed operation time information, a type and range of an operation key allowed to be generated, or a random nonce issued by the first electronic device] combining the encrypted first key material and the encrypted additional key material; [No, para. 52 discloses The client 200 may generate each of hierarchical Galois keys for k=1,−1,2,−2,4,−4, . . . , −2.sup.n−2,2.sup.n−2,2.sup.n−1. The value k is an example, and may be determined as a value such that values from −2.sup.n−1 to 2.sup.n−1 are obtained by a sum of combinations allowing repetition.] and providing the combined encrypted key material to the at least one rotation agent; [No, para. 70 discloses the homomorphic encryption operation key management system 100 may receive a first token and an operation key request from a first server 300. The operation key request may include information on a type and number of required operation keys. Para. 72 discloses the homomorphic encryption operation key management system 100 may search the memory 120 for the operation key. When the operation key is found, the homomorphic encryption operation key management system 100 may immediately transmit the found operation key to the first server 300 (step S405).] wherein the at least one rotation agent is configured to decrypt the combined encrypted key material. [No, para. 45 discloses the homomorphic encryption operation key management system 100 may decrypt the token using a method previously agreed upon with the client 200.]
As per claim 3, modified No teaches the non-transitory computer readable medium of claim 2, wherein combining the encrypted first key material and the encrypted additional key material is based on at least one of: concatenation or homomorphic encryption. [No, para. 53 discloses the client 200 may generate a plurality of rotation operation keys by repeatedly performing a rotation operation on the public key using the hierarchical Galois key. The hierarchical Galois key may be generated in response to a k-step shift, and may be generated by the client 200 at the request of the server 300 or the homomorphic encryption operation key management system 100.]
As per claim 4, modified No teaches the non-transitory computer readable medium of claim 2, wherein the at least one rotation agent is further configured to generate a public key and a private key, and to access the public key and the private key; [No, para. 75 discloses the homomorphic encryption operation key management system 100 may generate a plurality of homomorphic rotation operation keys using one or more public keys received from the client 200. The one or more public keys may include a public key generated using a secret key of the client 200 and one or more hierarchical Galois keys. A public key for a homomorphic encryption operation may be expressed as a polynomial.] and wherein the operations further comprise receiving, by the secret rotation manager, the public key; [No, para. 76 discloses the homomorphic encryption operation key management system 100 may receive one or more public keys (for example, pk and MRkey) from the client 200.] and wherein encrypting the additional key material comprises using the public key and decrypting the additional key material comprises using the private key. [No, para. 45 discloses the homomorphic encryption operation key management system 100 may decrypt the token using a secret key/public key code agreed upon with the client 200.]
As per claim 5, modified No teaches the non-transitory computer readable medium of claim 4, wherein the private key is stored in a local key store; and wherein the operations further comprise accessing, by the at least one rotation agent, the private key from the local key store. [No, para. 40 discloses the homomorphic encryption operation key management system 100 may store the public key at all times, and store the derived key only for a certain period of time or for a set period of time according to selection of a user. The homomorphic encryption operation key management system 100 may transmit the derived key stored in the memory to the server 300 in response to an operation key request with respect to the client 200, and regenerate a derived key and transmit the regenerated derived key to the server 300 when the derived key is deleted from the memory.]
As per claim 6, modified No teaches the non-transitory computer readable medium of claim 1, wherein identifying the encrypted version of the first key material comprises receiving, from a customer operating in the second network environment, the encrypted first key material. [No, para. 45 discloses the token may include information on a right to use the operation key between the client 200 and the server 300. The token is transmitted and received by being encrypted, and only the client 200 issuing the token and the homomorphic encryption operation key management system 100 to which operation key generation is delegated from the client 200 may decrypt the token. The server 300 may receive the token and transmit the token to the homomorphic encryption operation key management system 100, and cannot decrypt the encrypted content.]
As per claim 7, modified No teaches the non-transitory computer readable medium of claim 1, wherein identifying the encrypted version of the first key material comprises: generating the first key material; [No, para. 46 discloses the token may include user identity information of the client 200. The user identity information may include client 200 identification information, user identification information, and authentication information. The token may include information about a time allowed for an operation by the client 200.] encrypting the first key material; and storing the encrypted first key material. [No, para. 45 discloses the token may include information on a right to use the operation key between the client 200 and the server 300. The token is transmitted and received by being encrypted, and only the client 200 issuing the token and the homomorphic encryption operation key management system 100 to which operation key generation is delegated from the client 200 may decrypt the token.]
As per claim 8, modified No teaches the non-transitory computer readable medium of claim 1, wherein generating the additional key material comprises generating a random value by at least one of: a random generator in the first network environment, the rotation agent or a third-party random generator. [No, para. 46 discloses the token may include a random nonce issued by the client 200. The random nonce may be utilized for additional authentication, for example, in a process of requesting important information for the homomorphic operation on the ciphertext of the client 200 by the operation server and the homomorphic encryption operation key management system 100.]
As per claim 9, modified No teaches the non-transitory computer readable medium of claim 1, wherein the decrypted first key material and the secret are stored in at least one of: a volatile memory or a protected memory region. [No, para. 66 discloses the memory 120 may store client 200 information, and the client 200 information may include a token received from the client 200, one or more public keys, and a derived key (one or more operation keys) generated by the processor 110. The memory 120 may store the derived key for a predetermined period, and may delete the corresponding derived key when the predetermined period elapses. Para. 65 discloses the memory 120 may include an internal memory and/or an external memory, and may include a volatile memory.]
As per claim 10, modified No teaches the non-transitory computer readable medium of claim 1, wherein the operations further comprise storing the decrypted first key material and the secret as cleartext configured for registration of the secret with a target service in the second network environment. [No, para. 60 discloses the processor 110 may decrypt the token received from the server 300 based on an encryption method set in advance with the client 200, and determine that the token is valid when decryption is successful. The token may encrypt and include at least one of a user identity of the client 200, allowed operation time information, a type and range of an operation key allowed to be generated, or a random nonce issued by the client 200.]
Regarding claim 11, modified No teaches the non-transitory computer readable medium of claim 1, but No does not teach wherein the secret generation policy is provided to the at least one rotation agent by at least one of: the secret rotation manager, a storage location in the second network environment, or a third-party.
However, Rahn does teach wherein the secret generation policy is provided to the at least one rotation agent by at least one of: the secret rotation manager, a storage location in the second network environment, or a third-party. [Rahn, para. 23 discloses Centralized manager 102 includes network topology 122 and cryptographic rotation policy 124. Network topology 122 represents information that identifies network devices in the network 104 and their connectivity with each other. The topology can also identify client devices 110 that are connected to the network. Para. 24 discloses Cryptographic rotation policy 124 comprises cryptographic information (keys, passwords, hash keys, etc.) that are stored or otherwise installed in the client and network devices and parameters for rotating the cryptographic information. Cryptographic rotation policy 124 can include parameters such as how frequently the cryptographic information is rotated (rotation frequency), which devices/peer groups are rotated, when to do the rotations (e.g., time of day, week, etc.), and so on.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with the motivation of providing a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention, to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
Regarding claim 12, modified No teaches the non-transitory computer readable medium of claim 1, but No does not teach wherein the operations further comprise retrieving the secret generation policy from a first secure location in the first network environment or from a second secure location in the second network environment that is accessible to the at least one rotation agent.
However, Rahn does teach wherein the operations further comprise retrieving the secret generation policy from a first secure location in the first network environment or from a second secure location in the second network environment that is accessible to the at least one rotation agent. [Rahn, para. 29 discloses UI agent 204 can be configured to receive parameters to configure the cryptographic information used by network devices and client devices in deployment 100 and for rotating the cryptographic information. UI agent 204 can write these parameters to cryptographic rotation policy 124. Crypto-rotate agent (rotation agent) 206 can configure a rotation schedule to generate new/updated cryptographic information according to rotation parameters in cryptographic rotation policy 124. One or more crypto-push agents (push agents) 208 can push the updated cryptographic information to the client and network devices in response to being notified that the cryptographic information has been updated.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with the motivation of providing a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention, to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
As per claim 13, modified No teaches the non-transitory computer readable medium of claim 1, wherein the combined key material is composed of a chain of values between the encrypted first key material and a plurality of additional key materials. [No, para. 52 discloses The client 200 may generate each of hierarchical Galois keys for k=1,−1,2,−2,4,−4, . . . , −2.sup.n−2,2.sup.n−2,2.sup.n−1. The value k is an example, and may be determined as a value such that values from −2.sup.n−1 to 2.sup.n−1 are obtained by a sum of combinations allowing repetition. Para. 53 discloses when a hierarchical Galois key set includes Galois keys corresponding to k={1, −1, 2, −2, 4, −4, 8, −8}, the client 200 may generate a rotation operation key by combining k different Galois keys. For example, the client 200 may sequentially use a Galois key corresponding to k=8 and a Galois key corresponding to k=2 to generate a rotation operation key for a 10-step shift.]
Regarding claim 14, modified No teaches the non-transitory computer readable medium of claim 13, but No does not teach wherein the operations further comprise retrieving the plurality of additional key materials from a secret store.
However, Rahn does teach wherein the operations further comprise retrieving the plurality of additional key materials from a secret store. [Rahn, para. 24 discloses Cryptographic rotation policy 124 comprises cryptographic information (keys, passwords, hash keys, etc.) that are stored or otherwise installed in the client and network devices and parameters for rotating the cryptographic information. Cryptographic rotation policy 124 can include parameters such as how frequently the cryptographic information is rotated (rotation frequency), which devices/peer groups are rotated, when to do the rotations (e.g., time of day, week, etc.), and so on. Para. 50 discloses the centralized manager can rotate cryptographic information in response to expiration of a timer corresponding to the cryptographic information. In some embodiments, for example, when a timer expires, the timer can signal the rotation agent. The timer can be associated with one or more peer groups, which in turn identifies the corresponding security protocol(s) that need to be updated. The rotation agent can generate new cryptographic information that is appropriate for the corresponding security protocols.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with the motivation of providing a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention, to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
As per claim 15, modified No teaches the non-transitory computer readable medium of claim 13, wherein the operations further comprise compacting the encrypted first key material and the plurality of additional key materials. [No, para. 53 discloses when a hierarchical Galois key set includes Galois keys corresponding to k={1, −1, 2, −2, 4, −4, 8, −8}, the client 200 may generate a rotation operation key by combining k different Galois keys. For example, the client 200 may sequentially use a Galois key corresponding to k=8 and a Galois key corresponding to k=2 to generate a rotation operation key for a 10-step shift.]
Regarding claim 16, it recites features similar to features within claim 1, therefore, it is rejected in a similar manner.
Regarding claim 17, it recites features similar to features within claim 3, therefore, it is rejected in a similar manner.
As per claim 19, modified No teaches the computer-implemented method of claim 16, wherein generating the additional key material comprises using a true Random Number Generator. [No, para. 46 discloses the token may include a random nonce issued by the client 200. The random nonce may be utilized for additional authentication, for example, in a process of requesting important information for the homomorphic operation on the ciphertext of the client 200 by the operation server and the homomorphic encryption operation key management system 100.]
Regarding claim 20, it recites features similar to features within claim 2, therefore, it is rejected in a similar manner.
Regarding claim 21, No teaches a non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for providing a clear secret corresponding to an encrypted secret, the operations comprising: requesting, from an application associated with a network identity operating in a second network environment, the clear secret, [No, para. 26 discloses the instruction controls the electronic device so that a request for a homomorphic encryption operation key and a first token for a first electronic device are received from a first server, the first token is decrypted based on a first encryption method for the first electronic device stored in the memory] wherein the request comprises a secret identifier and a public key of a key pair; [No, para. 45 discloses the token may include information on a right to use the operation key between the client 200 and the server 300. The token is transmitted and received by being encrypted, and only the client 200 issuing the token and the homomorphic encryption operation key management system 100 to which operation key generation is delegated from the client 200 may decrypt the token. The server 300 may receive the token and transmit the token to the homomorphic encryption operation key management system 100, and cannot decrypt the encrypted content.] retrieving, by a secret management service operating in a first network environment, the encrypted secret associated with the secret identifier; [No, para. 70 discloses the homomorphic encryption operation key management system 100 may receive a first token and an operation key request from a first server 300. The operation key request may include information on a type and number of required operation keys.] sending, by the secret management service to an agent, the encrypted secret and the public key; [No, para. 72 discloses the homomorphic encryption operation key management system 100 may search the memory 120 for the operation key. When the operation key is found, the homomorphic encryption operation key management system 100 may immediately transmit the found operation key to the first server 300 (step S405).] decrypting, by the agent, the encrypted secret using a cryptographic master key; [No, para. 45 discloses the homomorphic encryption operation key management system 100 may decrypt the token using a method previously agreed upon with the client 200.] encrypting, by the agent, the secret using the public key; [No, para. 11 discloses The token may encrypt and include at least one of a user identity of the first electronic device, allowed operation time information, a type and range of an operation key allowed to be generated, or a random nonce issued by the first electronic device] returning the encrypted secret to the secret management service; [No, para. 70 discloses the homomorphic encryption operation key management system 100 may receive a first token and an operation key request from a first server 300. The operation key request may include information on a type and number of required operation keys. Para. 72 discloses the homomorphic encryption operation key management system 100 may search the memory 120 for the operation key. When the operation key is found, the homomorphic encryption operation key management system 100 may immediately transmit the found operation key to the first server 300 (step S405).] and providing, by the application, the clear secret to the network [No, para. 47 discloses the homomorphic encryption operation key management system 100 may receive a request for an operation key for a specific client 200 among the plurality of clients 200 from the plurality of servers 300, and provide a homomorphic encryption operation key for the corresponding client 200. As an embodiment, in FIG. 6, a description has been given of an example in which one homomorphic encryption operation key management system 100 operates with two clients 200a and 200b and two servers 300a and 300b.], but No does not teach transmitting the encrypted secret from the secret management service to the application; decrypting, by the application, the encrypted secret using a private key of the key pair;
However, Rahn does teach transmitting the encrypted secret from the secret management service to the application; [Rahn, para. 29 discloses UI agent 204 can be configured to receive parameters to configure the cryptographic information used by network devices and client devices in deployment 100 and for rotating the cryptographic information. UI agent 204 can write these parameters to cryptographic rotation policy 124. Crypto-rotate agent (rotation agent) 206 can configure a rotation schedule to generate new/updated cryptographic information according to rotation parameters in cryptographic rotation policy 124. One or more crypto-push agents (push agents) 208 can push the updated cryptographic information to the client and network devices in response to being notified that the cryptographic information has been updated.] decrypting, by the application, the encrypted secret using a private key of the key pair; [Rahn, para. 21 discloses A device receiving the encrypted packet decrypts the received packet with a corresponding decrypting key.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with a motivation for a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
As per claim 22, modified No teaches the non-transitory computer readable medium of claim 21, wherein the operations further comprise generating, by the application, the key pair. [No, para. 40 discloses the homomorphic encryption operation key management system 100 according to an embodiment may store the public key (operation key) received from the client 200, generate a derived key (another operation key) based on the stored public key, and transmit the stored public key and derived keys to the server 300 requiring the homomorphic encryption operation in relation to the client 200. When the client 200 generates a public key (for example, a hierarchical Galois key) only once for the first time and transmits the public key to the homomorphic encryption operation key management system 100, operation keys (for example, a plurality of rotation operation keys) required for the homomorphic encryption operation may be generated by the homomorphic encryption operation key management system 100.]
As per claim 23, modified No teaches the non-transitory computer readable medium of claim 21, wherein the operations further comprise storing the private key in a location accessible by the application. [No, para. 40 discloses the homomorphic encryption operation key management system 100 may store the public key at all times, and store the derived key only for a certain period of time or for a set period of time according to selection of a user. The homomorphic encryption operation key management system 100 may transmit the derived key stored in the memory to the server 300 in response to an operation key request with respect to the client 200, and regenerate a derived key and transmit the regenerated derived key to the server 300 when the derived key is deleted from the memory.]
Regarding claim 24, modified No teaches the non-transitory computer readable medium of claim 21, but No does not teach wherein the agent is at least one of: a rotation agent or a local key store.
However, Rahn does teach wherein the agent is at least one of: the rotation agent or a local key store. [Rahn, para. 50 discloses the rotation agent can interact with one or more hardware security modules (e.g., HSM 126) for high-entropy key generation. Because the cryptographic information is computer-generated, the secrets (e.g., encryption/decryption keys, password, etc.) can be much stronger than human-generated secrets. The rotation agent can write the newly generated (updated) cryptographic information to the system state database. The rotations run automatically (rotations are triggered by timers) and autonomously without user intervention (the rotation agent generates its own secrets, and in some embodiments with the help of HSMs).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with a motivation for a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
As per claim 25, modified No teaches the non-transitory computer readable medium of claim 21, wherein the agent is located in one of: a computing device associated with the network identity, an on-premises computing device operating in the second network environment, or a cloud-based environment. [No, para. 40 discloses the homomorphic encryption operation key management system 100 according to an embodiment may store the public key (operation key) received from the client 200, generate a derived key (another operation key) based on the stored public key, and transmit the stored public key and derived keys to the server 300 requiring the homomorphic encryption operation in relation to the client 200. When the client 200 generates a public key (for example, a hierarchical Galois key) only once for the first time and transmits the public key to the homomorphic encryption operation key management system 100, operation keys (for example, a plurality of rotation operation keys) required for the homomorphic encryption operation may be generated by the homomorphic encryption operation key management system 100.]
Regarding claim 26, modified No teaches the non-transitory computer readable medium of claim 21, but No does not teach wherein the first network environment comprises a cloud-based environment.
However, Rahn does teach wherein the first network environment comprises a cloud-based environment. [Rahn, para. 25 discloses centralized manager 102 can include a data management module 200 in accordance with some embodiments of the present disclosure. Merely for discussion purposes and to support a description of the present disclosure, data management module 200 can be loosely fashioned after CloudVision®, a state-driven network management system]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Rahn’s system with No’s system, with a motivation for a centralized network manager (centralized manager) configured to rotate the cryptographic data at a high frequency, during normal network operation, and without human intervention to minimize the chances for misconfigurations that can bring down connections. A centralized manager in accordance with the present disclosure can rotate secrets in the network at a high frequency to provide an extra layer of security by making protocols use new keys after a period of time. [Rahn, para. 11]
As per claim 27, modified No teaches the non-transitory computer readable medium of claim 21, wherein the secret management service is blind to the clear secret. [No, para. 45 discloses The server 300 may receive the token and transmit the token to the homomorphic encryption operation key management system 100, and cannot decrypt the encrypted content.]
As per claim 28, modified No teaches the non-transitory computer readable medium of claim 21, wherein the clear secret is associated with an account. [No, para. 28 discloses The generating of the homomorphic rotation operation key may be generating the homomorphic rotation operation key based on data obtained by decrypting the token, and the decrypted data may include at least one of a user identity of the first electronic device, allowed operation time information, a type and range of an operation key allowed to be generated, or a random nonce issued by the first electronic device.]
As per claim 29, modified No teaches the non-transitory computer readable medium of claim 28, wherein the account comprises a directory account enabling the network identity to access a computing resource. [No, para. 40 discloses the homomorphic encryption operation key management system 100 may receive, from one or more clients 200, a hierarchical Galois key (public key) capable of generating a rotation operation key for the homomorphic encryption rotation operation. In response to receiving a rotation operation key request from the server 300 in relation to the one or more clients 200 managed by the homomorphic encryption operation key management system 100, the homomorphic encryption operation key management system 100 may generate a plurality of rotation operation keys (derived keys) from the hierarchical Galois key (public key) for the corresponding client 200.]
As per claim 30, modified No teaches the non-transitory computer readable medium of claim 21, wherein the second network environment comprises at least one of: a cloud-based environment or a self-hosted server. [No, para. 41 discloses the server 300 requesting an operation key in relation to the client 200 may be an operation server that receives a ciphertext transmitted by the client 200 and performs a homomorphic encryption operation on the received ciphertext. For example, the server 300 may be an AI server. The server 300 may transmit a token received from the client 200 and data on a type of necessary operation key to the homomorphic encryption operation key management system 100 in order to perform a homomorphic encryption operation on the ciphertext of the client 200. The homomorphic encryption operation key management system 100 may transmit the operation key of the client 200 to the server 300 when validity is proved after verifying the token.]
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over US 20230254125 A1 to No et al., (hereinafter, “No”) in view of US 20230078179 A1 to Rahn et al., (hereinafter, “Rahn”) in further view of US 20220014351 A1 to Jung et al., (hereinafter, “Jung”).
Regarding claim 18, modified No teaches the computer-implemented method of claim 17, but No does not teach wherein the homomorphic encryption comprises an RSA public key encryption scheme or an ElGamal encryption scheme.
However, Jung does teach wherein the homomorphic encryption comprises an RSA public key encryption scheme or an ElGamal encryption scheme. [Jung, para. 59 discloses the encrypted data region 152 is a region for storing data obtained by encrypting data (i.e., encrypted data), which does not require a high level of security but requires storing the data in an encryption form, by using a method different from a homomorphic encryption method. The electronic device 100 may store data, which are encrypted by an encryption algorithm such as an AES encryption algorithm or an RSA encryption algorithm, in the encrypted data region 152.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Jung’s system with No’s system, with a motivation that the homomorphic encryption data region 153 is a region for storing data obtained by performing homomorphic encryption on data (i.e., homomorphic encrypted data) requiring a high level of security in the electronic device 100. [Jung, para. 59]
Conclusion
Pertinent prior art made of record but not relied upon:
US 20240129106 A1 to Kim et al.
“An apparatus with a homomorphic encryption operation includes: one or more processors configured to: generate a modified vector by preprocessing vector components of an operand ciphertext of a blind rotation operation based on an order of a polynomial of an output ciphertext of the blind rotation operation and a modulus of the operand ciphertext; and generate a homomorphic encryption operation result by performing the blind rotation operation based on a public key for performing the blind rotation operation and the modified vector.”
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893. The examiner can normally be reached Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/P.P./Patent Examiner, Art Unit 2408
/CHAU LE/Primary Examiner, Art Unit 2408