DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 01/20/2026.
Response to Amendment
Claims 1, 10, 11, 12, 16, and 18 have been amended.
Claims 1-20 have been examined.
Applicant’s arguments with respect to claims 1, 11, and 16 regarding the new limitations: “a key-store device storing an encrypted key; a decryption circuit using a decrypted key to decrypt the encrypted operator to generate a decrypted result, and an asymmetric encryption algorithm is utilized to encrypt a key to generate the encrypted key, the decryption circuit decrypts the encrypted key to generate the decrypted key” have been considered but are moot in view of the new ground of rejection presented in the current Office action.
Claim Objections
Claim 11 is objected to because of the following informalities: In line 5, the claim recites: “first encrypted operator operator”, i.e., the word “operator” is repeated. Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 11443182 to Gu et al. (hereinafter Gu) and US 20210117805 to Kyakuno (hereinafter Kyakuno).
As per claim 1, Gu teaches:
A micro-controller comprising:
a non-secure world comprising: a first storage circuit storing a neural network model comprising an encrypted operator and a first un-encrypted operator (Gu: column 9, lines 25-45. Column 19, lines 6-19: Based on the exchanged security keys via the security engine 422, e.g., symmetric keys, the client computing device 410 encrypts the FrontNet subnet model 432 and provides the DNN model 430, comprising both the encrypted FrontNet subnet model 432 and the unencrypted BackNet subnet model 434, to the server 404A and deep learning cloud service 400. Column 10, lines 46-50: On the cloud side, after receiving the encrypted input 214 and the encrypted FrontNet model 210, the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230, i.e., the encrypted FrontNet subnet model 210 and the unencrypted BackNet subnet model 220 are stored in a non-secure memory of the cloud service after they are provided by the client side);
a secure world comprising: a key-store device storing a key; a decryption circuit using the key to decrypt the encrypted operator to generate a decrypted result; and a second storage circuit storing the decrypted result (Gu: column 11, lines 3-7: the end user, via the client computing device, can provision symmetric keys (ENCLAVE_GET_KEYS at line 5 of FIG. 1) directly into the TEE 230 on the cloud (step 5 in FIG. 2). The FrontNet subnet model 210 is decrypted (ENCLAVE_DECRYPT at line 6 of FIG. 1) along with the input 214 (ENCLAVE_DECRYPT at line 10 of FIG. 1) using the provisioned symmetric keys from the end user (step 6 in FIG. 2). Column 18, lines 30-45: a trusted execution environment (TEE) 426 implementing a decryption engine 424. In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432); and
a processing circuit interpreting the first un-encrypted operator and the decrypted result (Gu: Column 19, lines 6-35: The framework 420 of the deep learning cloud service 400 loads the encrypted FrontNet subnet model 432 into the TEE 426 where it is decrypted and used as a basis for instantiating a DNN implementation of the FrontNet subnet model 432 executing within the TEE 426. The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 as a DNN implementation of the BackNet subnet model 434. The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output),
wherein: in a non-secure mode, the processing circuit interprets the first un-encrypted operator to generate first output data (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output),
in a secure mode: the processing circuit directs the decryption circuit to use the decrypted key to decrypt the encrypted operator, the processing circuit interprets the decrypted result to generate second output data, and the processing circuit stores the second output data in the first storage circuit (Gu: column 5, lines 25-50: In one illustrative embodiment, the TEE may be provided by an implementation of the Intel SGX enclave. However, the illustrative embodiments are not limited to SGX enclave and may be implemented with any suitable TEE, such as Protected Execution Facility for IBM Power Systems, and Secure Service Container for IBM Z Systems, ARM TrustZone, and AMD Secure Memory Encryption and Secure Encrypted Virtualization, for example. With the protection of the memory access control mechanism and memory encryption engine (MEE) of the TEE, all non-TEE accesses from privileged system software or other untrusted components of systems will be denied. Furthermore, the TEE can attest to remote parties (i.e., the end users of AI cloud services) that the FrontNet is running in a secure environment hosted by a trusted hardware platform, i.e., execution in the TEE is a secure mode execution. Column 18, lines 20-35: In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432. Column 19, lines 20-35: The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. Storing output data such as the intermediate representations (IR) was well known to one of ordinary skill in the art before the effective filing date of the claimed invention).
Gu does not teach: storing an encrypted key; a decryption circuit using a decrypted key to decrypt the encrypted operator; and an asymmetric encryption algorithm is utilized to encrypt a key to generate the encrypted key, the decryption circuit decrypts the encrypted key to generate the decrypted key. However, Kyakuno teaches:
storing an encrypted key (Kyakuno: [0288] The application development apparatus acquires the encrypted learned model and an encrypted common key ez from the development apparatus. Storing acquired data was well known to one of ordinary skill in the art before the effective filing date of the claimed invention);
a decryption circuit using a decrypted key to decrypt the encrypted operator (Kyakuno: [0290]: Upon input of the encrypted learned model, the customer apparatus decrypts the encrypted learned model by using the common key z to acquire the learned model); and
an asymmetric encryption algorithm is utilized to encrypt a key to generate the encrypted key, the decryption circuit decrypts the encrypted key to generate the decrypted key (Kyakuno: [0067]: Further, the obfuscated common key may be a value acquired by encrypting the common key by, for example, a secret key in public key encryption. [0290] When the encrypted common key ez is input, the customer apparatus uses the secret key x attached to the inference DLL to decrypt the encrypted common key ez to acquire the common key z).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kyakuno in the invention of Gu to include the above limitations. The motivation to do so would be to promote collaboration between the developer of the learned model and the application developer, while reducing the risk such that the learned model is misused without permission (Kyakuno: [0292]).
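For context, the key-handling scheme as mapped above (Kyakuno's encrypted common key protecting Gu's encrypted model operator) follows a conventional envelope pattern: an asymmetric algorithm protects the symmetric key, and the recovered symmetric key then decrypts the operator. A minimal sketch of that flow is below, using toy stand-ins (an XOR "cipher", and names such as `xor_bytes` and `SECRET_KEY` that are hypothetical); it is not real cryptography and is not disclosed by either reference.

```python
# Toy envelope-decryption sketch. The XOR "cipher" and all names are
# illustrative stand-ins, not actual cryptographic primitives.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR each byte with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Developer side (cf. Kyakuno [0067]): the common key is itself
# encrypted; a fixed "secret key" XOR stands in for public-key encryption.
SECRET_KEY = b"\x5a"          # stand-in for the asymmetric key material
common_key = b"\x3c\x7f"      # symmetric key protecting the operator
encrypted_key = xor_bytes(common_key, SECRET_KEY)

operator = b"conv2d-weights"  # the model operator to protect
encrypted_operator = xor_bytes(operator, common_key)

# Device side (secure world): the decryption circuit first recovers the
# decrypted key, then uses it to decrypt the encrypted operator.
decrypted_key = xor_bytes(encrypted_key, SECRET_KEY)
decrypted_result = xor_bytes(encrypted_operator, decrypted_key)
assert decrypted_result == operator
```

The two-stage structure (decrypt the key, then decrypt the payload) is what distinguishes the amended limitation from simply storing a plaintext key in the secure world.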
As per claim 2, Gu in view of Kyakuno teaches:
The micro-controller as claimed in claim 1, wherein: in response to the processing circuit interpreting the first un-encrypted operator, the processing circuit uses input data, and in response to the processing circuit interpreting the encrypted operator, the processing circuit uses the input data (Gu: Column 19, lines 20-35: The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output).
As per claim 3, Gu in view of Kyakuno teaches:
The micro-controller as claimed in claim 1, wherein: in response to the processing circuit interpreting the encrypted operator, the processing circuit uses input data, and in response to the processing circuit interpreting the first un-encrypted operator, the processing circuit uses the second output data (Gu: Column 19, lines 20-35: The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output).
As per claim 16, Gu teaches:
A protection method for a micro-controller comprising a non-secure world (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426, i.e., a non-secure world) and a secure world (Gu: column 10, lines 46-49: the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230, i.e., a secure world), comprising:
storing a first operator and a first encrypted operator in the non-secure world (Gu: column 9, lines 25-45. Column 19, lines 6-19: Based on the exchanged security keys via the security engine 422, e.g., symmetric keys, the client computing device 410 encrypts the FrontNet subnet model 432 and provides the DNN model 430, comprising both the encrypted FrontNet subnet model 432 and the unencrypted BackNet subnet model 434, to the server 404A and deep learning cloud service 400. Column 10, lines 46-50: On the cloud side, after receiving the encrypted input 214 and the encrypted FrontNet model 210, the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230, i.e., the encrypted FrontNet subnet model 210 and the unencrypted BackNet subnet model 220 are stored in a non-secure memory of the cloud service after they are provided by the client side);
storing a key in the secure world (Gu: column 11, lines 3-7: the end user, via the client computing device, can provision symmetric keys (ENCLAVE_GET_KEYS at line 5 of FIG. 1) directly into the TEE 230 on the cloud (step 5 in FIG. 2));
in a non-secure mode: interpreting the first operator to generate first output data (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output);
in a secure mode: using the key to decrypt the first encrypted operator to generate a first decrypted result; interpreting the first decrypted result to generate second output data; and storing the second output data in the non-secure world (Gu: column 5, lines 25-50: In one illustrative embodiment, the TEE may be provided by an implementation of the Intel SGX enclave. However, the illustrative embodiments are not limited to SGX enclave and may be implemented with any suitable TEE, such as Protected Execution Facility for IBM Power Systems, and Secure Service Container for IBM Z Systems, ARM TrustZone, and AMD Secure Memory Encryption and Secure Encrypted Virtualization, for example. With the protection of the memory access control mechanism and memory encryption engine (MEE) of the TEE, all non-TEE accesses from privileged system software or other untrusted components of systems will be denied. Furthermore, the TEE can attest to remote parties (i.e., the end users of AI cloud services) that the FrontNet is running in a secure environment hosted by a trusted hardware platform, i.e., execution in the TEE is a secure mode execution. Column 18, lines 20-35: In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432. Column 19, lines 20-35: The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. Storing output data such as the intermediate representations (IR) was well known to one of ordinary skill in the art before the effective filing date of the claimed invention).
Gu does not teach: storing an encrypted key; decrypting the encrypted key to generate a decrypted key; using the decrypted key to decrypt the first encrypted operator; and wherein an asymmetric encryption algorithm is utilized to encrypt a key to generate the encrypted key. However, Kyakuno teaches:
storing an encrypted key (Kyakuno: [0288] The application development apparatus acquires the encrypted learned model and an encrypted common key ez from the development apparatus. Storing acquired data was well known to one of ordinary skill in the art before the effective filing date of the claimed invention); decrypting the encrypted key to generate a decrypted key (Kyakuno: [0290] When the encrypted common key ez is input, the customer apparatus uses the secret key x attached to the inference DLL to decrypt the encrypted common key ez to acquire the common key z); using the decrypted key to decrypt the first encrypted operator (Kyakuno: [0290]: Upon input of the encrypted learned model, the customer apparatus decrypts the encrypted learned model by using the common key z to acquire the learned model); and wherein an asymmetric encryption algorithm is utilized to encrypt a key to generate the encrypted key (Kyakuno: [0067]: Further, the obfuscated common key may be a value acquired by encrypting the common key by, for example, a secret key in public key encryption).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kyakuno in the invention of Gu to include the above limitations. The motivation to do so would be to promote collaboration between the developer of the learned model and the application developer, while reducing the risk such that the learned model is misused without permission (Kyakuno: [0292]).
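The partitioned execution mapped to claim 16 (Gu's FrontNet decrypted and run in the TEE, with its intermediate representation handed to the BackNet outside the TEE) can be summarized by the following conceptual sketch. The list-based "model", the no-op decryption placeholder, and all function names are hypothetical illustrations, not Gu's implementation.

```python
# Conceptual sketch of TEE-partitioned inference: the secure world runs
# the (decrypted) front portion of the model, and the non-secure world
# runs the back portion on the intermediate representation (IR).

def run_layers(layers, x):
    """Apply a sequence of layer functions to an input."""
    for layer in layers:
        x = layer(x)
    return x

frontnet = [lambda x: x + 1, lambda x: x * 2]  # stand-in secure layers
backnet = [lambda x: x - 3]                    # stand-in non-secure layers

def secure_world_inference(encrypted_frontnet, x):
    # In Gu, decryption happens inside the TEE; here the "decryption"
    # step is a no-op placeholder.
    frontnet_layers = encrypted_frontnet
    return run_layers(frontnet_layers, x)      # IR leaves the secure world

ir = secure_world_inference(frontnet, 5)       # secure-mode output data
result = run_layers(backnet, ir)               # non-secure-mode output data
```

With input 5, the front portion yields an IR of 12 and the back portion a final result of 9, mirroring the claimed handoff of second output data from the secure world into non-secure storage.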
Claims 4-10 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gu in view of Kyakuno as applied to claims 1 and 16 above, and further in view of prior art of record US 20210133361 to Fishel et al. (hereinafter Fishel).
As per claim 4, Gu in view of Kyakuno teaches:
The micro-controller as claimed in claim 1, wherein: the processing circuit … uses the first kernel to process the first input data and the first un-encrypted operator to generate the first output data (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output. Using a kernel to process the received data was well known to one of ordinary skill in the art before the effective filing date of the claimed invention).
Gu in view of Kyakuno does not teach: the processing circuit executes a first software program to read first tag information of the first un-encrypted operator, the processing circuit selects a first kernel according to the first tag information. However, Fishel teaches:
the processing circuit executes a first software program to read first tag information of the first un-encrypted operator, the processing circuit selects a first kernel according to the first tag information (Fishel: [0049] Neural task manager 310 manages the overall operation of neural processor circuit 218. Neural task manager 310 may receive a task list from a compiler executed by CPU 208, store tasks in its task queues, choose a task to perform, and send task commands to other components of the neural processor circuit 218 for performing the chosen task. Data may be associated with a task command that indicates the types of operations to be performed on the data. Data of the neural processor circuit 218 includes input data that is transmitted from another source such as system memory 230, and data generated by the neural processor circuit 218 in a previous operation cycle. Each dataset may be associated with a task command that specifies the type of operations to be performed on the data. In one or more embodiments, neural task manager 310 sends rasterizer information to the components of neural processor circuit 218 to enable each of the components to track, retrieve or process appropriate segments of the input data and kernel data. [0050] Kernel DMA 324 is a read circuit that fetches kernel data from a source (e.g., system memory 230) and sends kernel data 326A through 326N to each of the neural engines 314. The kernel data provided to each of neural engines 314 is different in most instances. [0069] The components in neural engine 314 may be configured during a configuration period by NE control 418 and neural task manager 310. For this purpose, neural task manager 310 sends configuration information to neural engine 314 during the configuration period. The configurable parameters and modes may include, but are not limited to, mapping between input data elements and kernel elements, etc. 
[0086] Configuration queue circuit 610 circuit holds configuration data 614 of multiple tasks that have been committed for execution. When a task is in configuration queue circuit 610, kernel DMA 324 may fetch kernel data from system memory 230 to store in kernel extract circuit 432 of neural engines 314, and buffer DMA 320 may fetch input data from system memory 230 to store in data buffer 318. To execute the task, kernel extract circuit 432 provides the prefetched kernel data to MAC 404 of neural engine 314, and data buffer 318 provides prefetched input data to MAC 404 of neural engine 314. [0087]: non-secure mode, i.e., the kernel is selected based on the configuration data associated with the task to be performed on the input data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Fishel in the invention of Gu in view of Kyakuno to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).
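The tag-driven kernel selection mapped from Fishel (task/configuration data indicating which kernel processes which operator) amounts to a dispatch-table lookup. A minimal sketch follows; the tag names, the dictionary-based operator encoding, and the kernel bodies are all hypothetical illustrations rather than Fishel's disclosed circuitry.

```python
# Sketch of tag-based kernel selection: each operator carries tag
# information, and the processing step picks a kernel from a table
# according to that tag. All names are illustrative.

KERNELS = {
    "conv": lambda data, param: [d * param for d in data],
    "add":  lambda data, param: [d + param for d in data],
}

def interpret(operator, data):
    """Select a kernel by the operator's tag and apply it."""
    kernel = KERNELS[operator["tag"]]
    return kernel(data, operator["param"])

un_encrypted_op = {"tag": "conv", "param": 2}
out = interpret(un_encrypted_op, [1, 2, 3])   # first output data
```

Selecting different kernels for the un-encrypted operator and each decrypted operator (as in claims 4-5) then reduces to repeated lookups against the same table with different tag information.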
As per claim 5, Gu in view of Kyakuno and Fishel teaches:
The micro-controller as claimed in claim 4, wherein: the decrypted result comprises a first decrypted operator and a second decrypted operator (Gu: column 11, line 57-column 12, line 8: As mentioned previously, one of the features of the illustrative embodiments is the partitioning of a deep neural network (DNN) into a FrontNet subnet model and a BackNet subnet model. The end user may test the DNN by providing input data and generating all intermediate representations (IRs) for all layers. The end user can then inspect the IRs with human perception to determine at which intermediate layer of the DNN the IRs do not contain sensitive information anymore. This may then be chosen as the partition point such that the input layer and layers up to and including the layer at which sensitive information is no longer present are contained in the FrontNet subnet model and the remainder of the DNN is contained in the BackNet subnet model, including the output layer, i.e., the FrontNet subnet model includes a plurality of layers. Column 18, lines 20-35: In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432, i.e., the decrypted FrontNet subnet model includes a plurality of layers),
the processing circuit executes a second software program to read second tag information of the first decrypted operator and third tag information of the second decrypted operator, the processing circuit selects a second kernel according to the second tag information and uses the second kernel to process the first output data and the first decrypted operator to generate third output data, the processing circuit selects a third kernel according to the third tag information and uses the third kernel to process the third output data and the second decrypted operator to generate the second output data (Fishel: [0049]-[0050]: Kernel DMA 324 is a read circuit that fetches kernel data from a source (e.g., system memory 230) and sends kernel data 326A through 326N to each of the neural engines 314. The kernel data provided to each of neural engines 314 is different in most instances. [0069] The components in neural engine 314 may be configured during a configuration period by NE control 418 and neural task manager 310. For this purpose, neural task manager 310 sends configuration information to neural engine 314 during the configuration period. The configurable parameters and modes may include, but are not limited to, mapping between input data elements and kernel elements, etc. [0086] Configuration queue circuit 610 circuit holds configuration data 614 of multiple tasks that have been committed for execution. When a task is in configuration queue circuit 610, kernel DMA 324 may fetch kernel data from system memory 230 to store in kernel extract circuit 432 of neural engines 314, and buffer DMA 320 may fetch input data from system memory 230 to store in data buffer 318. To execute the task, kernel extract circuit 432 provides the prefetched kernel data to MAC 404 of neural engine 314, and data buffer 318 provides prefetched input data to MAC 404 of neural engine 314. [0088]: secure mode. 
[0090]: While in the secure mode, the kernel interface circuit of neural processor circuit 218 receives 750, second kernel coefficients from a second source (e.g., trust zone 630). The input interface circuit of neural processor circuit 218 also receives 760 second input data from the second source. Neural processor circuit 218 performs 770 convolution operations on the second input data using the second kernel coefficients. While in the secure mode, secure enclave processor 238 sends secure task list to neural task manager 310, i.e., different kernels are selected based on the configuration data associated with the tasks to be performed on the data. Also, it was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that on a neural network, the output of one layer is processed by another layer).
The examiner provides the same rationale to combine the prior art references Gu, Kyakuno, and Fishel as in claim 4 above.
As per claim 6, Gu in view of Kyakuno and Fishel teaches:
The micro-controller as claimed in claim 4, wherein: the decrypted result comprises a decrypted operator (Gu: Column 18, lines 20-35: In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432), the processing circuit executes a second software program to read second tag information of the decrypted operator, the processing circuit selects a second kernel according to the second tag information and uses the second kernel to process the first output data and the decrypted operator to generate the second output data (Fishel: [0086] Configuration queue circuit 610 circuit holds configuration data 614 of multiple tasks that have been committed for execution. When a task is in configuration queue circuit 610, kernel DMA 324 may fetch kernel data from system memory 230 to store in kernel extract circuit 432 of neural engines 314, and buffer DMA 320 may fetch input data from system memory 230 to store in data buffer 318. To execute the task, kernel extract circuit 432 provides the prefetched kernel data to MAC 404 of neural engine 314, and data buffer 318 provides prefetched input data to MAC 404 of neural engine 314. [0088]-[0089]: While in the secure mode, secure enclave processor 238 drives operations of the neural processor circuit 218. [0090]: While in the secure mode, the kernel interface circuit of neural processor circuit 218 receives 750, second kernel coefficients from a second source (e.g., trust zone 630). The input interface circuit of neural processor circuit 218 also receives 760 second input data from the second source. Neural processor circuit 218 performs 770 convolution operations on the second input data using the second kernel coefficients. While in the secure mode, secure enclave processor 238 sends secure task list to neural task manager 310).
The examiner provides the same rationale to combine the prior art references Gu, Kyakuno, and Fishel as in claim 4 above.
As per claim 7, Gu in view of Kyakuno and Fishel teaches:
The micro-controller as claimed in claim 6, wherein: the neural network model further comprises a second un-encrypted operator, in the non-secure mode, the processing circuit executes the first software program to interpret the second un-encrypted operator to generate fourth output information (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output. Fishel: [0092]: After the transition, security controller 351 asserts an interrupt to CPU 208 to notify CPU 208 that neural processor circuit 218 is ready for non-secure tasks. Then, CPU 208 enables neural task manager 310 to load a non-secure task list into its task queues 604).
As per claim 8, Gu in view of Kyakuno and Fishel teaches:
The micro-controller as claimed in claim 7, wherein the processing circuit selects a fourth kernel according to tag information of the second un-encrypted operator and uses the fourth kernel to process the second output data and the second un-encrypted operator to generate the fourth output data (Fishel: [0049]-[0050]: Kernel DMA 324 is a read circuit that fetches kernel data from a source (e.g., system memory 230) and sends kernel data 326A through 326N to each of the neural engines 314. The kernel data provided to each of neural engines 314 is different in most instances. Gu: Column 19, lines 6-35: The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output).
The examiner provides the same rationale to combine the prior art references Gu, Kyakuno, and Fishel as in claim 4 above.
As per claim 9, Gu in view of Kyakuno and Fishel teaches:
The micro-controller as claimed in claim 6, further comprising: a first memory disposed in the non-secure world to store the first software program (Fishel: [0092]: Neural processor circuit 218 may switch from the secure mode back to the non-secure mode. After the transition, security controller 351 asserts an interrupt to CPU 208 to notify CPU 208 that neural processor circuit 218 is ready for non-secure tasks. Then, CPU 208 (i.e., the software executing in the CPU) enables neural task manager 310 to load a non-secure task list into its task queues 604); and a second memory disposed in the secure world to store the second software program (Fishel: [0088]-[0089]: While in the secure mode, secure enclave processor 238 (i.e., the software executing in the secure enclave processor 238) drives operations of the neural processor circuit 218).
The examiner provides the same rationale to combine the prior art references Gu, Kyakuno, and Fishel as in claim 4 above.
As per claim 10, Gu in view of Kyakuno and Fishel teaches:
The micro-controller as claimed in claim 9, wherein the processing circuit comprises: a processor coupled to the first memory and the second memory, wherein: in the non-secure mode, the processor accesses the first memory to execute the first software program and accesses the second memory to execute the second software program (Fishel: [0088]-[0089]: While in the secure mode, secure enclave processor 238 (i.e., the software executing in the secure enclave processor 238) drives operations of the neural processor circuit 218. [0092]: Neural processor circuit 218 may switch from the secure mode back to the non-secure mode. After the transition, security controller 351 asserts an interrupt to CPU 208 to notify CPU 208 that neural processor circuit 218 is ready for non-secure tasks. Then, CPU 208 (i.e., the software executing in the CPU) enables neural task manager 310 to load a non-secure task list into its task queues 604), the processor calls a first kernel according to tag information of the encrypted operator, the kernel comprises a non-secure callable secure function, the processor calls a second kernel located in the secure world according to the characteristic of the non-secure callable secure function and then leaves the non-secure mode to enter the secure mode (Kyakuno: [0199]: The processing apparatus 8 may include a determination unit that determines whether an encrypted learned model input from the customer apparatus 5B has been encrypted by referring to an encryption identifier (tag information). Gu: column 10, lines 46-60: On the cloud side, after receiving the encrypted input 214 and the encrypted FrontNet model 210, the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230. As shown in FIG. 1, the TEE 230 is an Intel SGX enclave that is initiated using the command INIT ENCLAVE at line 17 of the pseudocode shown in FIG. 1 (a non-secure callable secure function), and loads the encrypted FrontNet subnet model 210 (ENCLAVE_LOAD_ENC_MODEL at line 18 of FIG. 1) into the enclave (TEE 230) (step 3 in FIG. 2). The deep learning cloud service invokes the deep learning cloud service API function, e.g., the image classification API function in this example embodiment (ENCLAVE_INFERENCE_ENC_IMG at line 19 in FIG. 1), and securely copies the encrypted input 214 into the enclave (TEE 230) as the function argument).
The examiner provides the same rationale to combine Gu in view of Kyakuno and Fishel as in claim 4 above.
As per claim 17, Gu in view of Kyakuno does not teach the limitations of claim 17. However, Fishel teaches:
wherein the step of interpreting the first decrypted result to generate the second output data comprises: reading first tag information of the first decrypted result; selecting a first kernel of a plurality of kernels to process the first output data and the first decrypted result to generate the second output data (Fishel: [0049] Neural task manager 310 manages the overall operation of neural processor circuit 218. Neural task manager 310 may receive a task list from a compiler executed by CPU 208, store tasks in its task queues, choose a task to perform, and send task commands to other components of the neural processor circuit 218 for performing the chosen task. Data may be associated with a task command that indicates the types of operations to be performed on the data. Data of the neural processor circuit 218 includes input data that is transmitted from another source such as system memory 230, and data generated by the neural processor circuit 218 in a previous operation cycle. Each dataset may be associated with a task command that specifies the type of operations to be performed on the data. In one or more embodiments, neural task manager 310 sends rasterizer information to the components of neural processor circuit 218 to enable each of the components to track, retrieve or process appropriate segments of the input data and kernel data. [0050] Kernel DMA 324 is a read circuit that fetches kernel data from a source (e.g., system memory 230) and sends kernel data 326A through 326N to each of the neural engines 314. The kernel data provided to each of neural engines 314 is different in most instances. [0069] The components in neural engine 314 may be configured during a configuration period by NE control 418 and neural task manager 310. For this purpose, neural task manager 310 sends configuration information to neural engine 314 during the configuration period. 
The configurable parameters and modes may include, but are not limited to, mapping between input data elements and kernel elements, etc. [0086] Configuration queue circuit 610 holds configuration data 614 of multiple tasks that have been committed for execution. When a task is in configuration queue circuit 610, kernel DMA 324 may fetch kernel data from system memory 230 to store in kernel extract circuit 432 of neural engines 314, and buffer DMA 320 may fetch input data from system memory 230 to store in data buffer 318. To execute the task, kernel extract circuit 432 provides the prefetched kernel data to MAC 404 of neural engine 314, and data buffer 318 provides prefetched input data to MAC 404 of neural engine 314, i.e., the kernel is selected based on the configuration data associated with the task to be performed on the input data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Fishel in the invention of Gu in view of Kyakuno to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007) (KSR)).
As per claim 18, Gu in view of Kyakuno and Fishel teaches:
The protection method as claimed in claim 17, further comprising: storing a second operator and a second encrypted operator in the non-secure world (Gu: column 11, line 57-column 12, line 8: The end user may test the DNN by providing input data and generating all intermediate representations (IRs) for all layers. The end user can then inspect the IRs with human perception to determine at which intermediate layer of the DNN the IRs do not contain sensitive information anymore. This may then be chosen as the partition point such that the input layer and layers up to and including the layer at which sensitive information is no longer present are contained in the FrontNet subnet model and the remainder of the DNN is contained in the BackNet subnet model, including the output layer, i.e., both the FrontNet subnet model and the BackNet subnet model include a plurality of layers (a second encrypted layer and second unencrypted layer). Column 9, lines 25-45. Column 19, lines 6-19: Based on the exchanged security keys via the security engine 422, e.g., symmetric keys, the client computing device 410 encrypts the FrontNet subnet model 432 and provides the DNN model 430, comprising both the encrypted FrontNet subnet model 432 and the unencrypted BackNet subnet model 434, to the server 404A and deep learning cloud service 400. Column 10, lines 46-50: On the cloud side, after receiving the encrypted input 214 and the encrypted FrontNet model 210, the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230, i.e., the encrypted FrontNet subnet model 210 and the unencrypted BackNet subnet model 220 are stored in a non-secure memory of the cloud service after they are provided by the client side);
in the non-secure mode: interpreting the second operator to generate third output data (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output);
in the secure mode: using the decrypted key to decrypt the second encrypted operator to generate a second decrypted result; interpreting the second decrypted result to generate fourth output data; storing the fourth output data in the non-secure world (Kyakuno: [0290] When the encrypted common key ez is input, the customer apparatus uses the secret key x attached to the inference DLL to decrypt the encrypted common key ez to acquire the common key z. Upon input of the encrypted learned model, the customer apparatus decrypts the encrypted learned model by using the common key z to acquire the learned model. Gu: Column 18, lines 20-35: In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432. Column 19, lines 20-35: The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. Storing output data such as the intermediate representations (IR) was well known to one of ordinary skill in the art before the effective filing date of the claimed invention).
The examiner provides the same rationale to combine Gu in view of Kyakuno and Fishel as in claim 17 above.
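For context, the partitioned-inference flow described in the Gu passages cited above (an encrypted FrontNet decrypted and executed inside the trusted environment, its intermediate representation copied out, and the unencrypted BackNet executed outside) can be sketched as the following toy Python example. The XOR "cipher," the 2x2 weight values, the dot-product layers, and all function names are illustrative assumptions for this sketch only; they are not taken from Gu and are not secure.

```python
# Toy sketch of the FrontNet/BackNet partition: the encrypted subnet model runs
# only after decryption inside a "TEE" function (secure mode); its intermediate
# representation (IR) is passed to the unencrypted subnet model outside
# (non-secure mode). All values and the XOR cipher are illustrative only.

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a repeating key (same call encrypts/decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def layer(weights, xs):
    """One toy fully connected layer: dot product of the input with each weight row."""
    return [sum(w * x for w, x in zip(row, xs)) for row in weights]

# Client side: FrontNet weights are encrypted; BackNet weights stay in the clear.
key = b"\x42\x07"
frontnet_plain = bytes([1, 2, 3, 4])           # serialized 2x2 FrontNet weights
frontnet_enc = xor_crypt(key, frontnet_plain)  # "encrypted operator"
backnet = [[1, 1]]                             # unencrypted "operator"

def tee_frontnet(enc_weights: bytes, key: bytes, xs):
    """Secure mode: decrypt the FrontNet inside the TEE and produce the IR."""
    w = list(xor_crypt(key, enc_weights))      # decrypted result never leaves
    return layer([w[0:2], w[2:4]], xs)         # only the IR is copied out

ir = tee_frontnet(frontnet_enc, key, [1, 1])   # secure mode: IR = [3, 7]
out = layer(backnet, ir)                       # non-secure mode: out = [10]
```

The point of the partition, as Gu explains, is that only the IR (chosen so it no longer contains sensitive information) crosses the trusted boundary, never the decrypted weights or raw input.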
As per claim 19, Gu in view of Kyakuno and Fishel teaches:
The protection method as claimed in claim 18, wherein the step of interpreting the second decrypted result to generate the fourth output data comprises: reading second tag information of the second operator; selecting a second kernel of the plurality of kernels according to the second tag information; processing the second output data and the second operator according to the second kernel to generate the third output data (Fishel: [0049] Neural task manager 310 manages the overall operation of neural processor circuit 218. Neural task manager 310 may receive a task list from a compiler executed by CPU 208, store tasks in its task queues, choose a task to perform, and send task commands to other components of the neural processor circuit 218 for performing the chosen task. Data may be associated with a task command that indicates the types of operations to be performed on the data. Data of the neural processor circuit 218 includes input data that is transmitted from another source such as system memory 230, and data generated by the neural processor circuit 218 in a previous operation cycle. Each dataset may be associated with a task command that specifies the type of operations to be performed on the data. In one or more embodiments, neural task manager 310 sends rasterizer information to the components of neural processor circuit 218 to enable each of the components to track, retrieve or process appropriate segments of the input data and kernel data. [0050] Kernel DMA 324 is a read circuit that fetches kernel data from a source (e.g., system memory 230) and sends kernel data 326A through 326N to each of the neural engines 314. The kernel data provided to each of neural engines 314 is different in most instances. [0069] The components in neural engine 314 may be configured during a configuration period by NE control 418 and neural task manager 310.
For this purpose, neural task manager 310 sends configuration information to neural engine 314 during the configuration period. The configurable parameters and modes may include, but are not limited to, mapping between input data elements and kernel elements, etc. [0086] Configuration queue circuit 610 holds configuration data 614 of multiple tasks that have been committed for execution. When a task is in configuration queue circuit 610, kernel DMA 324 may fetch kernel data from system memory 230 to store in kernel extract circuit 432 of neural engines 314, and buffer DMA 320 may fetch input data from system memory 230 to store in data buffer 318. To execute the task, kernel extract circuit 432 provides the prefetched kernel data to MAC 404 of neural engine 314, and data buffer 318 provides prefetched input data to MAC 404 of neural engine 314, i.e., the kernel is selected based on the configuration data associated with the task to be performed on the input data).
The examiner provides the same rationale to combine Gu in view of Kyakuno and Fishel as in claim 17 above.
As per claim 20, Gu in view of Kyakuno and Fishel teaches:
The protection method as claimed in claim 19, wherein in response to the second tag information being the same as the first tag information, the second kernel is the same as the first kernel (Fishel: [0050]: kernel data provided to each of neural engines 314 may be the same in some instances. [0086] Configuration queue circuit 610 holds configuration data 614 of multiple tasks that have been committed for execution. When a task is in configuration queue circuit 610, kernel DMA 324 may fetch kernel data from system memory 230 to store in kernel extract circuit 432 of neural engines 314, and buffer DMA 320 may fetch input data from system memory 230 to store in data buffer 318. To execute the task, kernel extract circuit 432 provides the prefetched kernel data to MAC 404 of neural engine 314, and data buffer 318 provides prefetched input data to MAC 404 of neural engine 314).
The examiner provides the same rationale to combine Gu in view of Kyakuno and Fishel as in claim 17 above.
Claims 11, 12, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Gu, prior art of record CN116150784A to Jiang (hereinafter Jiang), and Kyakuno.
Examiner’s Note: The examiner used an English translation of CN116150784A provided in the previous office action.
As per claim 11, Gu teaches:
A secure system comprising:
an encryption circuit using a first key to generate a first encrypted operator (Gu: column 9, lines 25-45. Column 19, lines 6-19: Based on the exchanged security keys via the security engine 422, e.g., symmetric keys, the client computing device 410 encrypts the FrontNet subnet model 432) and
a micro-controller comprising:
a non-secure world comprising: a first storage circuit storing the first operator and the first encrypted operator (Gu: column 9, lines 25-45. Column 19, lines 6-19: Based on the exchanged security keys via the security engine 422, e.g., symmetric keys, the client computing device 410 encrypts the FrontNet subnet model 432 and provides the DNN model 430, comprising both the encrypted FrontNet subnet model 432 and the unencrypted BackNet subnet model 434, to the server 404A and deep learning cloud service 400. Column 10, lines 46-50: On the cloud side, after receiving the encrypted input 214 and the encrypted FrontNet model 210, the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230, i.e., the encrypted FrontNet subnet model 210 and the unencrypted BackNet subnet model 220 are stored in a non-secure memory of the cloud service after they are provided by the client side);
a secure world comprising: a key-store device storing the key; a decryption circuit (Gu: column 11, lines 3-7: the end user, via the client computing device, can provision symmetric keys (ENCLAVE_GET_KEYS at line 5 of FIG. 1) directly into the TEE 230 on the cloud (step 5 in FIG. 2). The FrontNet subnet model 210 is decrypted (ENCLAVE_DECRYPT at line 6 of FIG. 1) along with the input 214 (ENCLAVE_DECRYPT at line 10 of FIG. 1) using the provisioned symmetric keys from the end user (step 6 in FIG. 2). Column 18, lines 30-45: a trusted execution environment (TEE) 426 implementing a decryption engine 424. In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432); and
a processing circuit interpreting the first operator and the decrypted result (Gu: Column 19, lines 6-35: The framework 420 of the deep learning cloud service 400 loads the encrypted FrontNet subnet model 432 into the TEE 426 where it is decrypted and used as a basis for instantiating a DNN implementation of the FrontNet subnet model 432 executing within the TEE 426. The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 as a DNN implementation of the BackNet subnet model 434. The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output), wherein:
in a non-secure mode, the processing circuit interprets the first operator to generate first output data (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output), in a secure mode: the processing circuit interprets the decrypted result to generate second output data and stores the second output data in the first storage circuit (Gu: column 5, lines 25-50: In one illustrative embodiment, the TEE may be provided by an implementation of the Intel SGX enclave. However, the illustrative embodiments are not limited to SGX enclave and may be implemented with any suitable TEE, such as Protected Execution Facility for IBM Power Systems, and Secure Service Container for IBM Z Systems, ARM TrustZone, and AMD Secure Memory Encryption and Secure Encrypted Virtualization, for example. With the protection of the memory access control mechanism and memory encryption engine (MEE) of the TEE, all non-TEE accesses from privileged system software or other untrusted components of systems will be denied. Furthermore, the TEE can attest to remote parties (i.e., the end users of AI cloud services) that the FrontNet is running in a secure environment hosted by a trusted hardware platform, i.e., execution in the TEE is a secure mode execution. Column 18, lines 20-35: In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432. Column 19, lines 20-35: The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. 
Storing output data such as the intermediate representations (IR) was well known to one of ordinary skill in the art before the effective filing date of the claimed invention).
Gu teaches a client computing device comprising an encryption circuit that performs the encryption but does not teach an offline tool comprising: an encryption circuit. Also, Gu does not teach: utilizes an asymmetric encryption algorithm to encrypt the first key to generate an encrypted key; storing the encrypted key; a decryption circuit decrypting the encrypted key to generate a decrypted key and using the decrypted key to decrypt the first encrypted operator. However, Jiang teaches:
an offline tool comprising: an encryption circuit (Jiang: [0013] During the production phase of the neural network acceleration chip, weight data of a loaded convolutional neural network (CNN) is obtained, and the weight data is encrypted offline using an encryption algorithm to obtain encrypted weight data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Jiang in the invention of Gu to include the above limitations. The motivation to do so would be to protect the security of a neural network (Jiang: [0012]).
Gu in view of Jiang does not teach the rest of the limitations. However, Kyakuno teaches:
utilizes an asymmetric encryption algorithm to encrypt the first key to generate an encrypted key (Kyakuno: [0067]: Further, the obfuscated common key may be a value acquired by encrypting the common key by, for example, a secret key in public key encryption);
storing the encrypted key (Kyakuno: [0288] The application development apparatus acquires the encrypted learned model and an encrypted common key ez from the development apparatus. Storing acquired data was well known to one of ordinary skill in the art before the effective filing date of the claimed invention);
a decryption circuit decrypting the encrypted key to generate a decrypted key and using the decrypted key to decrypt the first encrypted operator (Kyakuno: [0290]: When the encrypted common key ez is input, the customer apparatus uses the secret key x attached to the inference DLL to decrypt the encrypted common key ez to acquire the common key z. Upon input of the encrypted learned model, the customer apparatus decrypts the encrypted learned model by using the common key z to acquire the learned model).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kyakuno in the invention of Gu in view of Jiang to include the above limitations. The motivation to do so would be to promote collaboration between the developer of the learned model and the application developer, while reducing the risk such that the learned model is misused without permission (Kyakuno: [0292]).
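For context, the hybrid key-wrapping scheme in the Kyakuno passages cited above (a symmetric key encrypts the model, and an asymmetric algorithm encrypts that symmetric key, which is later decrypted and used to decrypt the model) can be sketched as the following toy Python example. The textbook-RSA parameters, the hash-based XOR keystream, and all names are illustrative assumptions for this sketch only; they are not drawn from the references and are far too small to be cryptographically secure.

```python
# Toy sketch of the hybrid scheme: a symmetric key encrypts the "operator",
# and a textbook-RSA key pair wraps/unwraps that symmetric key. Tiny primes
# and an XOR keystream are used purely for illustration -- NOT secure.
import hashlib
import secrets

# Toy "asymmetric" algorithm: textbook RSA over small primes (illustrative only).
P, Q = 1_009, 1_013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65_537                       # public exponent
D = pow(E, -1, PHI)              # private exponent (Python 3.8+ modular inverse)

def keystream(key: bytes, n: int) -> bytes:
    """Derive an n-byte XOR keystream from the symmetric key (toy stream cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# Offline side: pick a symmetric key, encrypt the operator, wrap the key.
sym_key = secrets.token_bytes(2)                      # 2 bytes so it fits under N
wrapped = pow(int.from_bytes(sym_key, "big"), E, N)   # "encrypted key"
enc_operator = sym_crypt(sym_key, b"model weights")   # "encrypted operator"

# Decryption side (secure world): unwrap the key, then decrypt the operator.
unwrapped = pow(wrapped, D, N).to_bytes(2, "big")     # "decrypted key"
assert unwrapped == sym_key
assert sym_crypt(unwrapped, enc_operator) == b"model weights"
```

This mirrors the mapped claim flow: the key-store holds only the wrapped key, and the decryption circuit first recovers the symmetric key, then uses it on the encrypted operator.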
As per claim 12, Gu in view of Jiang and Kyakuno teaches:
The secure system as claimed in claim 11, wherein the offline tool comprises: a provision circuit provisioning the encrypted key to the key-store device (Jiang: [0013]: the encryption key is written into a one-time programmable (OTP) module in the chip).
As per claim 15, Gu in view of Jiang and Kyakuno teaches:
The secure system as claimed in claim 11, further comprising: a first memory storing a first software program; and a second memory storing a second software program, wherein: in the non-secure mode, the processing circuit executes the first software program to interpret the first operator (Gu: Column 19, lines 6-35: The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 (non-secure mode) as a DNN implementation of the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output, i.e., software that is executing outside the TEE interprets the BackNet subnet model based on the input IR to produce a classification output), and in the secure mode, the processing circuit executes the second software program to interpret the decrypted result (Gu: column 10, lines 61-67: The TEE 230 (e.g., SGX enclave) can prove to the end user that it is running on top of a trusted hardware platform with legitimate code/data from a trusted cloud service provider using a standard attestation protocol, i.e., the TEE has its own software programs. Column 11, lines 7-25: the FrontNet subnet model 210 is decrypted (ENCLAVE_DECRYPT at line 6 of FIG. 1) along with the input 214 (ENCLAVE_DECRYPT at line 10 of FIG. 1) using the provisioned symmetric keys from the end user (step 6 in FIG. 2). The deep neural network 235 is passed the decrypted input, i.e., the original input 212 (ENCLAVE_NETWORK_INFERENCE at line 11 in FIG. 1), to thereby generate the IR 240 from the processing of the decrypted input 212 by the FrontNet subnet model 210. The generated IR 240 is securely copied out of the TEE 230, i.e., software in the TEE interprets the decrypted FrontNet subnet model based on the decrypted input to produce an output IR).
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gu in view of Jiang and Kyakuno as applied to claim 11 above, and further in view of prior art of record CN115952529A to Xu (hereinafter Xu).
Examiner’s Note: The examiner used an English translation of CN115952529A that was provided in the previous office action.
As per claim 13, Gu in view of Jiang and Kyakuno does not explicitly teach the limitations of claim 13. However, Xu teaches:
wherein the neural network model further comprises a third operator and a fourth operator, the encryption circuit uses a second key to encrypt the fourth operator to generate a second encrypted operator, and the first storage circuit stores the third operator and the second encrypted operator (Xu: [0065]: The second key includes a second encryption key and a second decryption key; wherein the second encryption key is a key used to encrypt the weight parameters of the first hidden layer to obtain the second hidden layer. The second key for encrypting and decrypting each hidden layer may be different, and multiple second keys for encrypting and decrypting the second neural network may be set. Storing the encrypted and non-encrypted layers is well known to one of ordinary skill in the art).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Xu in the invention of Gu in view of Jiang and Kyakuno to include the above limitations. The motivation to do so would be to protect the neural network and improve the security of operations (Xu: [0018]).
As per claim 14, Gu in view of Jiang, Kyakuno and Xu teaches:
The secure system as claimed in claim 13, wherein the second key is different from the first key (Xu: [0065]: The second key for encrypting and decrypting each hidden layer may be different, and multiple second keys for encrypting and decrypting the second neural network may be set).
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
MADHURI R. HERZOG
Primary Examiner
Art Unit 2438
/MADHURI R HERZOG/Primary Examiner, Art Unit 2438