Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application claims the benefit to European Patent Application No. 23187595.6 filed Jul. 25, 2023, which is hereby incorporated by reference, in entirety and for all purposes.
DETAILED ACTION
This Office Action is in response to an Amendment Application received on 01/21/2026. In the application, claims 1-6, 8-12, and 18-24 have been amended. Claims 7 and 17 remain original. Claims 13-16 remain cancelled. No new claim has been added.
For this Office Action, claims 1-12, and 17-24 (overall 20) have been received for consideration and have been examined.
Response to Arguments
Claim Rejections – 35 USC § 101
Applicant’s amendments to claims 1 and 19 have been reviewed, and the amendments in light of the specification have overcome the 35 USC § 101 Abstract Idea rejection. Therefore, this rejection has been withdrawn.
Claim Rejections – 35 USC § 102
Applicant’s amendments to the claims rejected under 35 USC § 102 have been reviewed, and the amendments in light of the specification have overcome the 35 USC § 102 rejection. Therefore, this rejection has been withdrawn.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 7-10, and 19-22 are rejected under 35 U.S.C. 103 as being unpatentable over Pedersen (US20200244434A1) in view of Kanda et al. (US6769063B1).
Regarding claim 1, Pedersen discloses:
A method for obfuscating block cryptographic computations of a ciphering circuit, the method comprising:
performing (i.e., combining circuitry 208 may include multiplicative and/or inversion elements) a first block cryptographic computation by implementing a functional correspondence [[to transform a first input block into a first output block based on linear transformations and non-linear transformations applied]] to a plurality of elements of the first input block ([0008] Therefore, in accordance with embodiments of the present invention, an encryption or decryption system may generate cryptographic key schedules by using different cipher keys for each block. In some implementations, a first cipher key may be derived as a function of a second cipher key and of one of a previous block of plaintext, a previous block of ciphertext, or an output of a linear feedback shift register (LFSR) associated with the previous block of plaintext; [0009] In some embodiments, the encryption or decryption cryptographic system that implements the cryptographic algorithm, e.g., on a programmable device, is configurable to use obfuscated substitution S-boxes. S-boxes may be obfuscated by interleaving data to be encrypted (or decrypted) with random data. In some implementations, the random data may be true random (e.g., generated by a True Random Number Generator). In some implementations, the random data may be pseudo-random (e.g., generated by a linear feedback shift register); [0034] In some implementations, combining circuitry 208 may be implemented as an exclusive-OR gate. In some implementations, combining circuitry 208 may include multiplicative and/or inversion elements; [0049] During the first round 340, the following operations occur: (a) a data block is transformed using S-box substitution 342, row shifting 344, and column mixing 346, (b) round key 312 is generated in key expansion block 308, and (c) the transformed data block and round key 312 are added together using an XOR operation in the AddRoundKey 348 operation to provide the starting data block for the next round. 
Similar operations are repeated for each ith round 350 of AES);
applying dynamical obfuscation to the non-linear transformations by-re-encoding the functional correspondence into a modified functional correspondence ([0009] In some embodiments, the encryption or decryption cryptographic system that implements the cryptographic algorithm, e.g., on a programmable device, is configurable to use obfuscated substitution S-boxes. S-boxes may be obfuscated by interleaving data to be encrypted (or decrypted) with random data. In some implementations, the random data may be true random (e.g., generated by a True Random Number Generator). In some implementations, the random data may be pseudo-random (e.g., generated by a linear feedback shift register); [0033] In some embodiments, plaintext (e.g., configuration data received in a configuration device for configuring programmable logic device 100 of FIG. 1) may be processed prior to encryption with a cryptographic algorithm. This may increase the security of the cryptographic algorithm. For instance, blocks of plaintext may be obfuscated prior to encrypting these blocks with AES. FIG. 2A shows an exemplary block diagram of whitening system 200 that could be used to carry out plaintext obfuscation according to an embodiment of the present invention. Whitening system 200 may include a linear feedback shift register (LFSR) 204 coupled to combining circuitry 208); and
applying the modified functional correspondence to elements of a second input block during a second block cryptographic computation to transform the second input block into a second output block such that the ciphering circuit is more robust against side-channel attacks ([0042] The first two equations (EQS. 1a and 1b) correspond to initializing the LFSR by setting the initial value contained in the LFSR R0 and the first block of output bits L0. As explained above, R0 may be set to a block of mask values generated from decrypting a vector of predetermine values (e.g., all zeros) using cipher key K0. In this way, even if the vector of predetermined values is predictable, the value obtained by decrypting the vector of predetermined values using cipher key K0 is still unknown to the attacker; [0051] According to some embodiments, the cipher key used for encrypting subsequent blocks of plaintext or obfuscated plaintext is different with every block. This is different from normal AES where the same key schedule based on the same cipher key K is used for every block and the initial round key (i.e., round key 310) used in the first round of AES for every block is filled from the first words of the cipher key K. In some embodiments, encrypting a first block of plaintext P1 (or P′1) may use the same sequence of 14 round keys (or key schedule) as normal AES based on the original cipher key K. However, encrypting a second block of plaintext P2 (or P′2) may use a different key schedule. For example, a sequence of round keys for encrypting P2 may be based on expanding an initial round key that is different from the one used for P1).
Pedersen does not explicitly disclose:
to transform a first input block into a first output block based on linear transformations and non-linear transformations applied.
However, Kanda discloses:
to transform a first input block into a first output block based on linear transformations and non-linear transformations applied (Col. 7, Line # 35-37; FIG. 5 is a diagram showing in detail an example of the functional configuration of a nonlinear function part 304 in the first embodiment; Col. 14, Line # 57-65; The initial key-dependent transformation 302 and the final key-dependent transformation part 308 shown in FIG. 4 and the key-dependent linear transformation parts 341, 344 and 347 in each nonlinear function part 304 shown in FIG. 5 are linear transformation parts which depend on keys, therefore, the device of this embodiment is a cryptographic device which is sufficiently secure against both of differential cryptanalysis and linear cryptanalysis and hence attaches primary importance to security; Col. 15, Line # 21-31; As is the case with the FIG. 5, the data R is input to the nonlinear function part 304 together with the key data k0, k and k. The data R is linearly transformed into data R* = R ⊕ k0, for example, by being XORed with the key data k0 in the first key-dependent linear transformation part 341. Next, the data R, is split into four pieces of data in0, in, in and in in the splitting part 342. The four pieces of data in0, in, in and in are nonlinearly transformed into data MID, MID, MID and MID in the nonlinear transformation parts 343, 343, 343 and 343 depicted in FIGS. 8A to 8D, respectively; Col. 18, Line # 18-42; While in the above the data processing has been described to be performed using a hardware structure, it may also be implemented by software that follows a program. For example, FIG. 11 is a flowchart showing the principal part of the procedure for data processing. FIG. 11 shows the procedure corresponding to the entire procedure of FIG. 4. Step S1: Initialize to 0 a variable i representing the repeat count of processing. Step S2: Perform initial transformation of an input plain text and split it into left and right block data L and R.
Step S3: Process the right block data R by a nonlinear function using the subkey k, to generate the block data Y. Step S4: Perform linear processing of the left block data R by the block data Y to generate the block data L*. Step S5: Change the right block data R, to new left block data L and the block data L to new right block data R. Step S6: Increment the variable i by one. Step S7: Check to see if i has reached N, and if not, return to step S3 and repeat steps S3 to S7. Step S8: If it is decided in step S7 that the variable i has reached N, combine the left and right data L and R and output the result of final transformation as output data C. Details of the process by step S3 in FIG. 11 correspond to the process by the nonlinear function part 304 shown in FIG. 5).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the systems and methods for protecting a programmable device against Differential Power Analysis attacks of Pedersen and include linear and non-linear transformations on the data, as disclosed by Kanda.
The motivation to include linear and non-linear transformations on the data is to have a system that uses a round-based structure alternating between linear layers (for diffusion) and non-linear layers (S-boxes) to achieve maximum security efficiently.
Regarding claim 19, it is an apparatus claim and recites similar subject matter as claim 1, and it is therefore rejected under a similar ground of rejection.
Regarding claim 2, the combination of Pedersen and Kanda discloses:
The method of claim 1, further comprising:
selecting, based on contents of at least one of a first output block or of a first intermediate block, a subset of the functional correspondence that was applied during the first block cryptographic computation (Pedersen: [0048] first round 340); and
interchanging the selected subset of the functional correspondence to obtain the modified functional correspondence to be applied during the second block cryptographic computation (Pedersen: [0049] Similar operations are repeated for each ith round 350 of AES).
Regarding claim 20, it is an apparatus claim and recites similar subject matter as claim 2, and it is therefore rejected under a similar ground of rejection.
Regarding claim 3, the combination of Pedersen and Kanda discloses:
The method of claim 1, wherein the ciphering circuit includes at least one finite field arithmetic component (i.e., combining circuitry 208 may be implemented as an exclusive-OR gate) ([0034]), wherein each of the block cryptographic computations includes transforming a respective input block by substituting respective elements using the at least one finite field arithmetic component (Pedersen: [0034] & [0055]);
wherein applying the dynamic obfuscation includes:
applying the functional correspondence between input signals and output signals of the at least one finite field arithmetic component during the first block cryptographic computation (Pedersen: [0048]), and
applying the modified functional correspondence to the finite field arithmetic component during the next block cryptographic computation (Pedersen: [0049]).
Regarding claim 21, it is an apparatus claim and recites similar subject matter as claim 3, and it is therefore rejected under a similar ground of rejection.
Regarding claim 4, the combination of Pedersen and Kanda discloses:
The method of claim 3, wherein:
the at least one finite field arithmetic component comprises a multiplicative inversion subcomponent; and the modified functional correspondence is applied to the multiplicative inversion subcomponent (Pedersen: [0034]).
Regarding claim 22, it is an apparatus claim and recites similar subject matter as claim 4, and it is therefore rejected under a similar ground of rejection.
Regarding claim 7, the combination of Pedersen and Kanda discloses:
The method of claim 1, wherein the first block cryptographic computation includes computing the first output block by executing a plurality of first processing rounds based on the first input block, and wherein the method further comprises:
executing, concurrently with the first block cryptographic computation, a second block cryptographic computation including computing a second output block by executing a plurality of second processing rounds based on a second input block, and wherein the respective first and second processing rounds are alternatingly executed in a round-interleaved sequence (Pedersen: FIG. 3; [0047-0049]).
Regarding claim 8, Pedersen discloses:
The method of claim 1, further comprising:
applying Boolean masking to the elements when blocks are subjected to the linear transformations during each of the first and second block cryptographic computations (Pedersen: [0034]).
Regarding claim 9, Pedersen discloses:
The method of claim 1, wherein:
the first and next block cryptographic computations are iterated key-alternating block cryptographic computations in accordance with the advanced encryption standard, AES ([0047-0048]); and
each of the input and output blocks forms a two-dimensional state array composed of data elements of one byte each, wherein the non-linear transformations are a part of byte substitution transformations, and wherein the linear transformations include row shifting transformations, column mixing transformations, and round key addition transformations ([0048-0050]).
Regarding claim 10, Pedersen discloses:
The method of claim 8, further comprising:
applying the dynamical obfuscation when processing transformed elements originating from the elements of a respective block during the byte substitution transformation (FIG. 5A; [0063]); and
applying the Boolean masking to the elements throughout the row shifting transformations, the column mixing transformations, and the round key addition transformations (FIG. 5A; [0064-0068]).
Claim(s) 11-12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pedersen (US20200244434A1) in view of Kanda et al. (US6769063B1) and further in view of Wong et al. (US20250047467A1).
Regarding claim 11, the combination of Pedersen and Kanda discloses:
The method of claim 4, wherein:
the finite field arithmetic component (Pedersen: [0034]).
Pedersen fails to disclose:
the at least one finite field arithmetic component further comprises an affine transformation subcomponent and field basis transformation subcomponents for transforming the elements between a byte representation and a sub-field representation to be used by the multiplicative inversion subcomponent; and modifying the functional correspondence and applying the modified functional correspondence take place only in the multiplicative inversion subcomponent.
However, Wong discloses:
the at least one finite field arithmetic component further comprises an affine transformation subcomponent and field basis transformation subcomponents for transforming the elements between a byte representation and a sub-field representation to be used by the multiplicative inversion subcomponent ([0046] As mentioned above, AES S-box computation is comprised of (i) multiplicative inversion over GF(2^8) using field polynomial q(x) (see Eqn. 1) and followed by (ii) affine transformation); and
modifying the functional correspondence and applying the modified functional correspondence take place only in the multiplicative inversion subcomponent ([0049] The state transformation in Eqn. 3 enables the LFSR with primitive polynomial q′(x) to reach the maximum length at (2^n − 1)th cycles (for GF(2^n)), before returning to the initial state. This characteristic is an important enabler to derive multiplicative inversion in Galois Field. To explain further, for element u in GF(2^8) that is defined in the state S(t+v), its multiplicative inverse, u^−1, can be found at state S(t+v′) such that v + v′ = 2^n − 1 = 255 and 255 is the maximum length. To summarize, LFSR performs multiplicative inversion over GF(2^8) using the steps below; [0050] 1. LFSR starts from its initial state and stops when the input value, u, matches its current state and the state is noted as S(t+v); [0051] 2. The total cycle lapsed (from the start to the stop point), v, is counted and v′ = 255 − v is calculated; [0052] 3. The LFSR is re-initialized with the same seed and re-run for v′ cycles; [0053] 4. The outcome of the state S(t+v′), u′, is the multiplicative inversion of u, where u · u′ = 1 (mod q′(x))).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the systems and methods for protecting a programmable device against Differential Power Analysis attacks of Pedersen and include an AES substitution box computed through multiplicative inversion followed by an affine transformation, as disclosed by Wong.
The motivation to combine Wong’s teachings in cryptography is to add complexity to encryption algorithms, by combining linear operations like scaling, rotation, and shearing with translation.
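The LFSR-based inversion quoted from Wong above ([0049]-[0053]), worked through as an added example that is not part of this Office Action or of Wong's application. It assumes a Galois-style LFSR whose one cycle multiplies the state by x modulo an assumed primitive polynomial q′(x) = x^8 + x^4 + x^3 + x^2 + 1 (0x11D) and a seed of 1; it also checks why the AES field polynomial 0x11B, which is irreducible but not primitive, cannot play the role of q′(x).

```python
# Added example (not from the Office Action or Wong's application): multiplicative
# inversion over GF(2^8) via a maximum-length LFSR, following steps 1-4 of the quoted
# passage. Assumptions: one LFSR cycle multiplies the state by x modulo q'(x);
# q'(x) = 0x11D (primitive, chosen here); the seed is 1, the multiplicative identity,
# so that the state after v cycles is exactly x^v.

PRIMITIVE_POLY = 0x11D   # q'(x) = x^8 + x^4 + x^3 + x^2 + 1 (assumed choice)
AES_POLY = 0x11B         # AES field polynomial q(x); irreducible but NOT primitive
MAX_LENGTH = 255         # 2^8 - 1 cycles before a maximum-length LFSR returns to its seed


def lfsr_step(state: int, poly: int) -> int:
    """One LFSR cycle: multiply the 8-bit state, viewed as a field element, by x mod poly."""
    state <<= 1
    if state & 0x100:        # degree-8 term appeared: reduce modulo poly
        state ^= poly
    return state & 0xFF


def gf_mul(a: int, b: int, poly: int) -> int:
    """Schoolbook multiplication in GF(2^8) modulo poly, used only to verify results."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = lfsr_step(a, poly)   # a := a * x
        b >>= 1
    return result


def lfsr_period(poly: int, seed: int = 1) -> int:
    """Number of cycles until the LFSR returns to its seed (255 iff poly is primitive)."""
    state, cycles = lfsr_step(seed, poly), 1
    while state != seed:
        state = lfsr_step(state, poly)
        cycles += 1
    return cycles


def lfsr_inverse(u: int, poly: int = PRIMITIVE_POLY, seed: int = 1) -> int:
    """Steps 1-4 of the quoted passage: find u' with u * u' = 1 (mod q'(x))."""
    if not 0 < u < 256:
        raise ValueError("u must be a non-zero byte")   # zero has no inverse
    # Step 1: run from the seed until the state equals u, counting cycles v.
    state, v = seed, 0
    while state != u:
        state = lfsr_step(state, poly)
        v += 1
        if v > MAX_LENGTH:   # state space exhausted: poly is not primitive
            raise ValueError("LFSR never reached u; poly is not primitive")
    # Step 2: v' = 255 - v.
    v_prime = MAX_LENGTH - v
    # Step 3: re-initialise with the same seed and run v' cycles.
    state = seed
    for _ in range(v_prime):
        state = lfsr_step(state, poly)
    # Step 4: the state reached is u' = x^(255 - v), and x^255 = 1, so u * u' = 1.
    return state


def check_all_inverses(poly: int = PRIMITIVE_POLY) -> bool:
    """Verify u * lfsr_inverse(u) == 1 for every non-zero byte (exhaustive check)."""
    return all(gf_mul(u, lfsr_inverse(u, poly), poly) == 1 for u in range(1, 256))


if __name__ == "__main__":
    print("period with q'(x)=0x11D:", lfsr_period(PRIMITIVE_POLY))
    print("period with AES q(x)=0x11B:", lfsr_period(AES_POLY))
    print("all inverses correct:", check_all_inverses())
```

With a seed other than 1 the state after v cycles is seed·x^v, so the product of the two recovered states is seed squared rather than 1; the seed choice is therefore part of the scheme, not a free parameter.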
Regarding claim 12, the combination of Pedersen, Kanda, and Wong discloses:
The method of claim 11, wherein the finite field arithmetic component includes one or more masked-to-obfuscated subcomponents and one or more obfuscated-to-masked subcomponents located at the input and output interfaces of the multiplicative inversion subcomponent, and wherein the method further comprises:
transforming, by a masked-to-obfuscated subcomponent, a masked input element directly into an obfuscated input element, and supplying the obfuscated input element to the multiplicative inversion subcomponent (Pedersen: [0045-0047]); and
transforming, by an obfuscated-to-masked component, an obfuscated output element obtained from the inversion subcomponent directly into a masked output element (Pedersen: [0048-0050]).
Regarding claim 18, the combination of Pedersen, Kanda, and Wong discloses:
The method of claim 11, wherein the Boolean masking is additionally applied on the block elements passing through the affine transformation subcomponent and the field basis transformation subcomponents (Pedersen: [0034]).
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Pedersen (US20200244434A1) in view of Kanda et al. (US6769063B1) and further in view of Ekdahl et al. (US20220278822A1).
Regarding claim 17, Pedersen fails to disclose:
The method of claim 5, wherein the multiplicative inversion subcomponent has a circuit architecture based on a Canright implementation operating on a normal basis subfield, on a Satoh implementation operating on a polynomial basis subfield, or on a Nogami implementation operating on a mixed basis subfield.
However, Ekdahl discloses:
wherein the multiplicative inversion subcomponent has a circuit architecture based on a Canright implementation operating on a normal basis subfield, on a Satoh implementation operating on a polynomial basis subfield, or on a Nogami implementation operating on a mixed basis subfield ([0034] Forward Sbox; [0035] The most widely used design is from 2005 by Canright [4]. After 2005, there have been many attempts to improve the design, both in terms of speed and area of the forward Sbox; [0174] In 2001, Satoh et al [SMTM01] took this idea further and reduced the inverse calculation to the subfield GF(22). In 2005, Canright [Can05] built on the work of Satoh et al and investigated the importance of the representation of the subfield, testing many different isomorphisms that led to the smallest area design).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the systems and methods for protecting a programmable device against Differential Power Analysis attacks of Pedersen and include a byte inversion circuit having a circuit architecture based on a Canright implementation operating on a normal basis subfield, as disclosed by Ekdahl.
The motivation to have the byte inversion circuit with a circuit architecture based on a Canright implementation is to allow parallel processing on all elements in one state matrix.
Allowable Subject Matter
Claims 5-6 and 23-24 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SYED M AHSAN/Primary Examiner, Art Unit 2491