Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed action
Claims 1-19 are pending and being considered.
Claims 1-15 have been amended.
Claims 16-19 have been newly added.
The new title submitted on 01/21/2026 have been accepted.
Response to 101
In response to applicants’ argument that the claims are not directed towards abstract idea under step 2A prong two because the claims are integrated into practical application. The examiner respectfully disagrees because the claims recite additional element such as using (t, n) threshold scheme and hash-based signature scheme and processor. These elements in the claim are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Response to 103
Applicants’ arguments filed on 01/21/2026 have been fully considered and are partially persuasive.
In response to applicant’s argument on page 5 of the remarks that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, the applicant argues that Sastry describes a single signing facility 700 that includes hardware security modules HSMs. However, the claimed threshold signature scheme is used to store a secret in multiple locations. The applicant argues that since all the HSMs are in the same signing facility 700, implementing a threshold signing scheme would not improve security because if the signing facility 700 is compromised all the HSMs would be compromised too. The examiner acknowledges applicant’s point of view but respectfully disagrees due to following reasons.
Key shares are stored in plurality of HSMs just like instant application key share stored in plurality of devices.
The claimed plurality of participants devices are hardware security modules as per claim 5.
The signing facility containing plurality of HSMs are included in plurality of devices. See [0037 and 0046] the first and the second device includes the signing facility.
Rest of applicant’s argument regarding claims 11 and 18 are moot in view of new grounds of rejections.
Claim Objections
Claims 3-5, 8, 10 and 12-13 objected to because of the following informalities:
Claim 3 recites “…the private key, sk, is a signature private key of a set of signature private keys associated with a private key” should read as “the private key, sk, is a signature private key of a set of signature private keys
Claim 4 recites “ the private key, sk, is a one-time signature private key of a set of one-time signature private keys associated with a private key” should read as “the private key, sk, is a one-time signature private key of a set of one-time signature private keys
Claim 5 recites “the devices are hardware security modules” should read as “the plurality of participating devices are hardware security modules”
Claim 8 recites “generate a state indicium” the examiner suggests to clarify whether “state indicium” recited in claim 1 is same as recited in claim 8.
Claim 10 is in improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. In instant case the subject matter of claim 10 is directed towards incrementing state indicium and distributing the state indicum to plurality of device. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Claim 12 and 13 recites “a hash-based signature scheme” should read as “the hash-based signature scheme” to be consistence with “hash-based signature scheme” recited in claim 11.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 1 recites the limitation "the other devices”. There is insufficient antecedent basis for this limitation in the claim. Furthermore, please clarify whether the other devices are part of the plurality of participating devices.
Claim 11 recites the limitation " distribute the shares to a set of devices”. There is insufficient antecedent basis for this limitation in the claim. Should read as “distribute the n shares to a set of devices”
Claim 11 recites the limitation " the hash-based signature scheme”. There is insufficient antecedent basis for this limitation in the claim.
Claim 16 recites the limitation " the respective device”. There is insufficient antecedent basis for this limitation in the claim.
Claim 18 recites the limitation " the respective share” and “the participating device”. There is insufficient antecedent basis for this limitation in the claim.
Claim 19 recites “the threshold” it’s unclear whether “the threshold” refers to “threshold number of shares” OR “the threshold secret sharing scheme” as recited in claim 1.
Dependent claims 2-10, 12-14 are also rejected due to inheriting the deficiency of independent claim.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 11 and 15 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites receive threshold numbers of shares of private key, receive state indicia indicating numbers of messages signed using private key, recover private key, sign the message and update the state indicium.
The limitations receive threshold numbers of shares of private key, receive state indicia indicating numbers of messages signed using private key, recover private key, sign the message and update the state indicium is a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind mentally or physically nothing in the claim precludes the steps from practically being performed in the mind or using paper and pencil. Receive threshold numbers of shares of private key, receive state indicia indicating numbers of messages signed using private key, recover private key, sign the message and update the state indicium as drafted is a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim recites additional element such as using (t, n) threshold scheme and hash-based signature scheme. These elements in the claim are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of devices to perform generating of n shares of private key and distributing the shares to set of devices, steps amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
This judicial exception is not integrated into a practical application because the claim recites additional element such as using (t, n) threshold scheme. These elements in the claim are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of devices to perform generating of n shares of private key and distributing the shares to set of devices, steps amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.
Further recited elements within dependent claims 2-10, 12-14 and 16-19taken individually do not amount to “significantly more” than just the abstract idea as previously identified above. Therefore, the claims do not amount to significantly more than the previously defined abstract idea. Some of the evidences of “significantly more” are a) improvement to another technology or field; b) applying judicial exception with or by a “particular machine’; c) transforming particular article/data into different state or thing; d) adding unconventional or non-routine steps, producing useful application; and e) other meaningful limitations beyond generic link to particular technological environment.
As a result, the claims are directed to non-statutory subject matter. See Also Alice, 134 S. Ct. at 2360. Under Alice, that is not sufficient "to transform an abstract idea into a patent-eligible invention." See Alice Corporation v. CLS Bank International, (S.Ct.2014) and Ultramercial, Inc. v. Hulu, LLC. (Fed.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sastry et al (hereinafter Sastry) (US 20210306155) in view of JIMENEZ-DELGADO (hereinafter JIMENEZ) (US 20200137082).
Regarding claim 1 Sastry a non-transitory computer-readable storage medium including instructions that, when executed by a processor of an electronic device, cause the processor to (Sastry on [0030-0031 and 0087-0090] instruction stored in memory executed by a processor to utilize a private key for signing message);
receive respective state indicia from the plurality of participating devices (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter (i.e., state indicia) for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated);
the respective state indicia being indicative of the number of messages having been signed using the private key, sk (Sastry on [0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions);
sign a message using a hash-based signature scheme subject to assessing a state indicium indicating the highest number of messages that have been signed using the private key, sk (Sastry on [0028, 0038 and 0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions. Further teaches signing message using hash-based signature scheme).
Sastry fails to explicitly teach the shares having been created using a (t,n)-threshold secret sharing scheme, where n>=t and t>n/2, receive, from a plurality of participating devices of a set of devices, a threshold number of shares of a private key, sk and recover the private key, sk, using the received shares, however JIMENEZ from analogous art teaches
receive, from a plurality of participating devices of a set of devices, a threshold number of shares of a private key, sk the shares having been created using a (t,n)-threshold secret sharing scheme (JIMENEZ on [0087-0090] teaches receiving plurality of private key shares under threshold signature scheme in which at least a threshold of private key shares must be obtained to generate private key for generating signature);
where n>=t and t>n/2, in which n is the number of shares created, t is the threshold number of shares to recover a secret (JIMENEZ on [0065-0067] teaches the threshold signature scheme allows sharing of signing power between n parties as long as at least a threshold number of private key shares have contributed towards generating a valid signature. Any subset smaller than the threshold cannot generate a valid signature. More particularly, each of the parties controls a share of a private signing key and a threshold number of key shares must be used to generate a valid signature through the combining of partial signatures. Any subset of key shares that is less than the threshold cannot generate a valid signature. Further teaches threshold signature scheme is an extension of a digital signature scheme which is an elliptic curve cryptography based algorithm in which t+1 key shares from a party of n key share holders are required to reconstruct a private key. The scheme may be used to construct a valid signature without having to reconstruct a private key and without any party having to reveal their key share to another party. See on [0074-0075] teaches qualified subset of key shares of size 2t+1<=(n+1)/2 is sufficient. Accordingly, when TEEs are used, a threshold for the threshold signature scheme may be configured to be a number that is greater than or equal to 50% of the key shares to produce a valid signature in the presence of corrupted nodes);
recover the private key, sk, using the received shares (JIMENEZ [0066-0067 and 0093] reconstructing private key based on threshold number of private key shares);
in response to signing the message, update the state indicia indicative of the highest number of times the private key has been used to sign a message; (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter value state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated);
and disseminate the updated state indica to the plurality of participating devices and the other devices, in which each device has a share (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter value state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of JIMENEZ into the teaching of Sastry by generating private key based on threshold numbers of plurality key shares generated under threshold secret sharing scheme. One would be motivated to do so in order to secure data based on threshold signature scheme which allows sharing of signing power between n parties as long as at least a threshold number of private key shares have contributed towards generating a valid signature (JIMENEZ [0064-0066]).
Regarding claim 2 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches instructions to distribute the state indicium to at least a subset of the set of devices comprising more than n/2 device (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated).
Regarding claim 3 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches in which the private key, sk, is a signature private key of a set of signature private keys associated with a private key (Sastry on [0030 and 0038] teaches a private key to sign a message. See on [0077] at least one private key for signing messages. See on [0055-0056] teaches signing keys for signing messages).
Regarding claim 4 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches in which the private key, sk, is a one-time signature private key of a set of one-time signature private keys associated with a private key (Sastry on [0030] teaches a one-time signature (OTS) scheme 100, such as using a private key to sign a message, where a private key only signs a single message).
Regarding claim 5 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches in which the devices are hardware security modules (Sastry on [0055-0058 and 0068-0072] teaches devices as Hardware Security Modules HSM).
Regarding claim 6 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches instructions to generate the private key, sk, using a hash-based signature scheme parameter set associated with a hash-based signature scheme (Sastry on [0037-0039] teaches utilizing private key using Hash-based signature scheme).
Regarding claim 7 the combination of Sastry and JIMENEZ teaches all the limitations of claim 6 above, Sastry further teaches in which the instructions to generate the private key, sk, using a hash-based signature scheme parameter set, associated with a hash-based signature scheme comprising a parameter, h, associated with the height of a tree associated with the hash-based signature scheme (Sastry on [0037-0039] teaches utilizing private key using Hash-based signature scheme. See on [0019] teaches XMSS-specific hash functions include a Pseudo-Random Function (PRF), a chain hash (F), a tree hash (H) and message hash function (H.sub.msg). As used herein, the term WOTS shall refer to the WOTS signature scheme and or a derivative scheme such as WOTS+. See Fig 4A, 4B and text on [0050-0051] Hash-based tree structure).
Regarding claim 8 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches instructions to generate a state indicium in response to receiving a share of the private key, sk (Sastry on [0073-0076] teaches determining counter value for specific signing key).
Regarding claim 9 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches instructions to delete the recovered private key, sk, following signing the message (Sastry on [0024 and 0030] teaches single use of every private key based one-time signature scheme. See on [0058] teaches each HSM in the signing facility 700 can sign for a single unique key. This ensures no key is used twice i.e., private key or signing key is discarded after single use).
Regarding claim 10 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches in which the instructions to establish the state indicium comprise instructions to increment a state indicium of the state indicia; the state indicium indicating the highest number of messages, m, that have been signed using the private key, sk; and instructions to distribute the incremented state indicium to at least a subset of the set of devices (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated).
Regarding claim 11 Sastry teaches a non-transitory computer-readable storage medium including instructions that, when executed by a processor of an electronic device, cause the processor to: (Sastry on [0030-0031 and 0087-0090] instruction stored in memory executed by a processor to utilize a private key for signing message);
receive, from each device of a number of devices of the set of devices that satisfies the threshold number of shares, a respective state indicia (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter (i.e., state indicia) for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated. Further teaches the requestor creates a signing request and sets the maximum counter value in the request to the counter value returned by the synchronization manager 720 plus some fixed value (which may be referred to as the window size), for example 5 or 10. The window size may be chosen based on the number of expected signing requests that could be performed by the signing facility for this key over a period of time the request is being constructed);
determine, from the respective state indica from the number of devices, a highest number of times the private key has been used to sign a message (Sastry on [0028, 0038 and 0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions. Further teaches signing message using hash-based signature scheme);
and sign the message using the hash-based signature scheme, based on the highest number of times being at or below an upper bound indicating a maximum number of times the private key can be used to sign messages, the upper bound being more than one (Sastry on [0028, 0038 and 0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions. Further teaches signing message using hash-based signature scheme).
Sastry fails to explicitly teach the shares having been created using a (t,n)-threshold secret sharing scheme, where n>=t and t>n/2, receive, from a plurality of participating devices of a set of devices, a threshold number of shares of a private key, sk and recover the private key, sk, using the received shares, however JIMENEZ from analogous art teaches
generate n shares of a private key, sk, using a (t,n) threshold scheme, where t is the threshold number of shares to recover a secret, t>n/2,and n>=t (JIMENEZ on [0082] teaches a private key is divided into private key shares according to a threshold signature scheme at operation 307. The private key shares are then distributed to each participant. See on [0065-0067] teaches the threshold signature scheme allows sharing of signing power between n parties as long as at least a threshold number of private key shares have contributed towards generating a valid signature. Any subset smaller than the threshold cannot generate a valid signature. More particularly, each of the parties controls a share of a private signing key and a threshold number of key shares must be used to generate a valid signature through the combining of partial signatures. Any subset of key shares that is less than the threshold cannot generate a valid signature. Further teaches threshold signature scheme is an extension of a digital signature scheme which is an elliptic curve cryptography-based algorithm in which t+1 key shares from a party of n key share holders are required to reconstruct a private key. The scheme may be used to construct a valid signature without having to reconstruct a private key and without any party having to reveal their key share to another party. See on [0074-0075] teaches qualified subset of key shares of size 2t+1<=(n+1)/2 is sufficient. Accordingly, when TEEs are used, a threshold for the threshold signature scheme may be configured to be a number that is greater than or equal to 50% of the key shares to produce a valid signature in the presence of corrupted nodes);
distribute the shares to a set of devices (JIMENEZ on [0082] a private key is divided into private key shares according to a threshold signature scheme at operation 307. The private key shares are then distributed).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of JIMENEZ into the teaching of Sastry by generating private key based on threshold numbers of plurality key shares generated under threshold secret sharing scheme. One would be motivated to do so in order to secure data based on threshold signature scheme which allows sharing of signing power between n parties as long as at least a threshold number of private key shares have contributed towards generating a valid signature (JIMENEZ [0064-0066]).
Regarding claim 12 the combination of Sastry and JIMENEZ teaches all the limitations of claim 11 above, Sastry further teaches generate the private key, sk, using a hash-based signature scheme parameter set associated with a hash-based signature scheme (Sastry on [0037-0039] teaches utilizing private key using Hash-based signature scheme).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Sastry into the teaching of JIMENEZ by generating signature using hash-based signature scheme. One would be motivated to do so in order to use single use of private key based on hash-based signature scheme that prevents private key from unauthorized access (Sastry [0022-0024]).
Regarding claim 13 the combination of Sastry and JIMENEZ teaches all the limitations of claim 11 above, Sastry further teaches generate the private key, sk, using a hash-based signature scheme parameter set, associated with a hash-based signature scheme, comprising a parameter, h, associated with the height of a tree associated with the hash-based signature scheme (Sastry on [0037-0039] teaches utilizing private key using Hash-based signature scheme. See on [0019] teaches XMSS-specific hash functions include a Pseudo-Random Function (PRF), a chain hash (F), a tree hash (H) and message hash function (H.sub.msg). As used herein, the term WOTS shall refer to the WOTS signature scheme and or a derivative scheme such as WOTS+. See Fig 4A, 4B and text on [0050-0051] Hash-based tree structure).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Sastry into the teaching of JIMENEZ by generating signature using hash-based signature scheme. One would be motivated to do so in order to use single use of private key based on hash-based signature scheme that prevents private key from unauthorized access (Sastry [0022-0024]).
Regarding claim 14 the combination of Sastry and JIMENEZ teaches all the limitations of claim 11 above, Sastry further teaches the (t,n) threshold scheme is a repairable threshold scheme; the machine-readable instructions comprising instructions to repair data associated with the (t,n) threshold sharing scheme of a device of the set of devices that has lost at least one, or both, of a respective state indicium and at least one respective share of the private key (Sastry on [0068] teaches the synchronization manager 720 sends the encrypted state from the database in memory 710 to a working HSM 730C and commands the working HSM 730C to increment the state by one to recover from a lost signing operation. The commanded HSM 730C decrypts the state, increments the counter, re-encrypts the state and returns the re-encrypted state to the synchronization manager 720. The synchronization manager 720 updates the new state in the database in memory 710, and resubmits the lost signing request with the updated state to an available HSM).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Sastry into the teaching of JIMENEZ by generating signature using hash-based signature scheme. One would be motivated to do so in order to use single use of private key based on hash-based signature scheme that prevents private key from unauthorized access (Sastry [0022-0024]).
Regarding claim 15 Sastry teaches a device for signing a message in a stateful hash-based signature system; the device comprising a processors to: (Sastry on [0028] teaches a one-time hash-based signatures scheme and a multi-time hash-based signatures scheme. See on [0037] teaches signing facility 330 which comprises one or more hardware security module(s) 331 which includes memory 332, signature logic, and verification logic 336. Hash logic 332 is configured to hash (i.e., to apply a hash function to) a message (M) to generate a hash value (m′) of the message M);
receive respective state indicia from the plurality of participating devices (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated);
the respective state indicia being indicative of the number of messages having been signed using the private key, sk (Sastry on [0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions);
sign a message using a hash-based signature scheme subject to assessing a state indicium indicating the highest number of messages that have been signed using the private key, sk (Sastry on [0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions);
in response to signing the message, update the state indicia indicative of the highest number of times the private key has been used to sign a message (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is update. Further teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions).
Sastry fails to explicitly teach the shares having been created using a (t,n)-threshold secret sharing scheme, where n>=t and t>n/2, receive, from a plurality of participating devices of a set of devices, a threshold number of shares of a private key, sk and recover the private key, sk, using the received shares, however JIMENEZ from analogous art teaches
receive, from a plurality of participating devices of a set of devices, a threshold number of shares of a private key, sk (JIMENEZ on [0087-0090] teaches receiving plurality of private key shares under threshold signature scheme in which at least a threshold of private key sahres must be obtained to generate private key for generating signature);
the shares having been created using a (t,n)-threshold secret sharing scheme, where n>=t and t>n/2 t, in which n is the number of shares created, t is the threshold number of shares to recover a secret (JIMENEZ on [0065-0067] teaches the threshold signature scheme allows sharing of signing power between n parties as long as at least a threshold number of private key shares have contributed towards generating a valid signature. Any subset smaller than the threshold cannot generate a valid signature. More particularly, each of the parties controls a share of a private signing key and a threshold number of key shares must be used to generate a valid signature through the combining of partial signatures. Any subset of key shares that is less than the threshold cannot generate a valid signature. Further teaches threshold signature scheme is an extension of a digital signature scheme which is an elliptic curve cryptography based algorithm in which t+1 key shares from a party of n key share holders are required to reconstruct a private key. The scheme may be used to construct a valid signature without having to reconstruct a private key and without any party having to reveal their key share to another party. See on [0074-0075] teaches qualified subset of key shares of size 2t+1<=(n+1)/2 is sufficient. Accordingly, when TEEs are used, a threshold for the threshold signature scheme may be configured to be a number that is greater than or equal to 50% of the key shares to produce a valid signature in the presence of corrupted nodes);
recover the private key, sk, using the received shares (JIMENEZ [0066-0067 and 0093] reconstructing private key based on threshold number of private key shares).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of JIMENEZ into the teaching of Sastry by generating private key based on threshold numbers of plurality key shares generated under threshold secret sharing scheme. One would be motivated to do so in order to secure data based on threshold signature scheme which allows sharing of signing power between n parties as long as at least a threshold number of private key shares have contributed towards generating a valid signature (JIMENEZ [0064-0066]).
Regarding claim 16 the combination of Sastry and JIMENEZ teaches all the limitations of claim 15 above, Sastry further teaches wherein the processor is further to: retrieve a state indicia of the device from memory, the state indicia being indicative of the number of messages having been signed using the private key, sk; (Sastry on [0055] teaches counter securely stored in memory. See on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated);
determine, from the state indicia of the device and the respective state indica from the plurality of participating devices, a highest number of times the private key has been used to sign a message; sign the message using the hash-based signature scheme, based on the highest number of times being at or below an upper bound indicating a maximum number of times the private key can be used to sign messages, the upper bound being more than one; store the updated state indicia in memory (Sastry on [0028, 0038 and 0070-0077] teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions. Further teaches signing message using hash-based signature scheme);
and transmit, to at least one device of the plurality of participating devices, the updated state indicium or instructions to update the state indicium stored on the respective device (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated);
Regarding claim 17 the combination of Sastry and JIMENEZ teaches all the limitations of claim 15 above, Sastry further teaches wherein the processor is further to update the state indicia by incrementing the highest number of times the private key has been used to sign a message (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing operation, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is updated).
Regarding claim 19 the combination of Sastry and JIMENEZ teaches all the limitations of claim 1 above, Sastry further teaches wherein the instructions include instructions that cause the processor to: transmit to each device of the plurality of participating devices that forms the threshold, a request to provide a respective share to the electronic device; and wherein in response to transmitting the request to each device of the plurality of participating devices that forms the threshold, increment the respective state indicium on each device before transmitting the share to the electronic device (Sastry on [0070-0077] teaches when HSM 730A receives a lock acknowledge from all other HSMs, it performs the signing, increments the counter for signing key #23 in its internal state, and sends an unlock request to all HSMs with an updated counter value, and waits for all HSMs to respond. When each HSM receives the unlock request for signing key #23 with a new counter value, the HSMs update their respective counter values state for signing key #23, unlock the signing key #23, and send an acknowledge message to HSM 730A that the key #23 state is update. Further teaches when the signing request is received by the signing facility 700, the synchronization manager 720 (or alternatively the HSMs in some renditions) verify the signature on the signing request, and verify the maximum counter value is not larger than the current counter for the signing key. If no violation occurs, the signing request is performed as outlined in the previous paragraphs updating the counter as defined for the different renditions).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Sastry et al (hereinafter Sastry) (US 20210306155) in view of JIMENEZ-DELGADO (hereinafter JIMENEZ) (US 20200137082) and further in view of TOMLINSON et al (hereinafter TOMLINSON) (US 20210099290).
Regarding claim 18 the combination of Sastry and JIMENEZ teaches all the limitations of claim 15 above, the combination fails to explicitly teach receive, from each device of the participating devices that defines the threshold number of shares, the respective share together with the state indicia, however TOMLINSON from analogous art teaches
wherein the processor is further to: receive, from each device of the participating devices that defines the threshold number of shares, the respective share together with the state indicia (TOMLINSON on [0146 and 0151] teaches key fragments with key indicia)
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of TOMLINSON into the combined teaching of Sastry and JIMENEZ by receiving key shares along with key indicia. One would be motivated to do so in order to utilize the key fragment based on its corresponding key indicia thereby mitigate the risk of key being compromised (TOMLINSON [0004-0010]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522. The examiner can normally be reached 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOEEN KHAN/Primary Examiner, Art Unit 2436