Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
This communication is in response to Applicant’s claims filed on 09 August 2024. Claims 1-20 remain pending.
Information Disclosure Statement
The Information Disclosure Statement respectfully submitted on 09 August 2024 has been considered by the Examiner.
Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in Japan on 23 August 2023. It is noted, however, that applicant has not filed a certified copy of the 2023-135348 application as required by 37 CFR 1.55.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Rogaway (Pub No. 2006/0285684).
Referring to rejection of claim 1, Rogaway discloses an information processing apparatus comprising:
at least one memory configured to store instructions; (See Rogaway, para. 0061, i.e., computer instructions stored on a computer-readable storage medium)
and at least one processor configured to execute the instructions to: (See Rogaway, para. 0167, i.e. CPU is disclosed as the processor for executing instructions)
generate concatenation data obtained by concatenating a plurality of elements of input data consisting of the plurality of elements with one another; (See Rogaway, para. 40 and 149, i.e., the system defines the ciphertext core as a concatenation of an m-1 ciphertext blocks and the ciphertext fragment. One can concatenate an encoding of each string in the vector of strings, where the encoding of each string in the vector of strings consists of a fixed-byte encoding of the string's length, followed by the string itself)
generate, for each of a plurality of message blocks obtained by dividing the concatenation data into blocks each having a predetermined data length, concatenation information about the concatenation of the elements in the message block; (See Rogaway, para. 0044 and 0085-0086, i.e., The system operates by first partitioning the message into m-1 message blocks of n bits and a message fragment of at most n bits. For each number i between 1 and m-1, the system then computes an i.sup.th ciphertext block by applying the n-bit tweakable block cipher to an i.sup.th message block, using a first tweak consisting of the nonce, the number i, and a constant 0. The message M has been partitioned into n-bit blocks M[1], . . . , M[m-1], as well as a message fragment, M[m], which may have fewer than n bits. The message blocks and the final fragment are treated differently. Each message block M[i] is xored with an offset (the Z[i] value), enciphered, and then xored again with the same offset. This gives a ciphertext block C[i])
and generate a tag for a message authentication code by a block cipher by using each of the plurality of message blocks and each of the concatenation information corresponding to the respective message blocks, the block cipher being a cipher of which an input is a message having the predetermined data length. (See Rogaway, para. 0011 and 0087-0089, i.e., a message authentication code using an n-bit block cipher E is the CBC MAC (cipher block chaining message authentication code), the message M to be authenticated must be a binary string having a length that is a positive multiple of n and is partitioned into n-bit blocks M[1], M[2], . . . , M[m] by taking M[1] as the first n bits of M, taking M[2] as the next n bits of M, and so forth. One then computes the authentication tag of M, using key K, by way of the same algorithm used for CBC encryption, but where the IV=0, the block of n zero bits, and where the authentication tag is the final ciphertext block, Tag=C[m]. Only Tag, or a prefix of Tag, is output as the authentication tag. A receiver who obtains an authenticated message M.parallel.Tag checks the validity of M by re-computing the CBC MAC of M under key K, obtaining a string Tag', and verifying that Tag' is identical to Tag. A checksum is now computed by xoring together: (a) the m-1 message blocks; (b) the zero-padded ciphertext fragment, C[m]0*; and (c) the value Pad. (This is equivalent to xoring together: (a) the message blocks; (b') the zero-padded message fragment, M[m]0*; (c') the string S which is the first n-|M[m]| bits of Pad followed by |M[m]| zero-bits.) The checksum is offset using offset Z[m], giving the PreFullTag. That string is enciphered to give the FullTag. The t-bit prefix of the FullTag is used as the actual tag, Tag)
Referring to rejection of claim 2, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the tag by generating a plurality of random numbers corresponding to the respective message blocks by the block cipher by using the concatenation information corresponding to the respective message blocks. (See Rogaway, para. 0042 and 0090, i.e., the method utilizing a key, a nonce, an n-bit block cipher, and a pseudorandom function to encrypt a message of arbitrary bit length into a ciphertext core and a tag, the ciphertext core having the same length as the message. the system defines the ciphertext core as the ciphertext body concatenated with the ciphertext fragment. The system then computes a checksum from the message body, the ciphertext fragment, and the n-bit pad, computes a full tag using the checksum, the offset from the sequence of offsets, the n-bit block cipher, and the key, and computes an associated-data authenticator by applying the pseudorandom function, keyed by the key, to the associated-data. Finally, the system defines the tag as an xor of the full tag and the associated-data authenticator. The ciphertext C is the ciphertext core C=C[1] . . . C[m] together with the tag Tag. The Nonce must be communicated along with the ciphertext C to allow the Receiver to decrypt)
Referring to rejection of claim 3, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the tag by encrypting each of the plurality of message blocks by the block cipher by using the concatenation information corresponding to the message block. (See Rogaway, para. 0095-0113, i.e., choose a random key K from the key space for the block cipher. Encryption: To encrypt message M .epsilon. {0,1}* using key K nonce Nonce .epsilon. {0,1}.sup.n, obtaining ciphertext C, do the following: 1. Partition M. Let m=.left brkt-top.|M|/n .right brkt-bot.. If m=0 then replace m by 1. Let M[1], . . . , M[m] be strings such that M[1] . . . M[m]=M and |M[i]|=n for all i .epsilon. [1 . . . m-1]. 2. Initialize variables. Let Offset=E.sub.K(Nonce .sym. L). Let Checksum=0. 3. Encipher all blocks but the last one. For i=1 to m-1, do the following: Let Checksum=Checksum .sym. M[i]. Let Offset=Offset .sym. L(ntz(i)). [0106] Let C[i]=E.sub.K(M[i] .sym. Offset. 4. Mask the final fragment and finish constructing the checksum: Let Offset=Offset .sym. L(ntz(m)). Let Pad=E.sub.K(len(M[m]) .sym. L(-1) .sym. Offset). Let C[m]=M[m] .sym. (the first |M[m]| bits of Pad). Let Checksum=Checksum .sym. Pad .sym. C[m]0*. 5. Form the tag. Let Tag be the first t bits of E.sub.K(Checksum .sym. Offset). 6. Return the ciphertext. The ciphertext is defined as the string C=C[1] . . . C[m-1]C[m] .parallel. Tag. It is communicated along with the nonce Nonce to the Receiver)
Referring to rejection of claim 4, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the tag by encrypting each of the plurality of message blocks by a Tweakable block cipher using the concatenation information corresponding to the message block as a Tweak. (See Rogaway, para. 0044, i.e., an authenticated-encryption method that uses a key, a nonce, and an n-bit tweakable block cipher to encrypt a message of arbitrary bit length into a ciphertext core of the same length and a tag, all invocations of the n-bit tweakable block cipher keyed by the key. The system operates by first partitioning the message into m-I message blocks of n bits and a message fragment of at most n bits. For each number i between 1 and m-1, the system computes an i.sup.th ciphertext block by applying the n-bit tweakable block cipher to an i.sup.th message block, using a first tweak consisting of the nonce, the number i, and a constant 0)
Referring to rejection of claim 5, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the tag by encrypting each of the plurality of message blocks by a Tweakable block cipher using the concatenation information corresponding to the message block as a Tweak, and performing a process for adding an obtained encryption result to a next message block. (See Rogaway, para. 0044, i.e., The system then computes a pad by applying the n-bit tweakable block cipher to a string that encodes a length of the message fragment, using a second tweak consisting of the nonce, a number m, and a constant 1, and computes a ciphertext fragment by xoring the message fragment and a portion of the pad that has a same number of bits as the message fragment)
Referring to rejection of claim 6, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the tag by encrypting the plurality of message blocks in parallel with each other by Tweakable block ciphers in which the concatenation information corresponding to the respective message blocks and indices of the message blocks are used as Tweaks, and adding obtained encryption results. (See Rogaway, para. 0044-0045, i.e., Next, the system defines the ciphertext core as a concatenation of the m-1 ciphertext blocks and the ciphertext fragment. The system then computes an n-bit padded ciphertext fragment from the ciphertext fragment, computes a checksum by xoring the m-I message blocks, the pad, and the n-bit padded ciphertext fragment, and computes the tag by applying the n-bit tweakable block cipher to the checksum, using a tweak consisting of the nonce, the number m, and a constant 2. The n-bit tweakable block cipher is implemented using an n-bit conventional block cipher, each invocation of the n-bit tweakable block cipher utilizing at least one shift operation, at least one conditional xor operation, and at least one call to the n-bit conventional block cipher)
Referring to rejection of claim 7, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the tag by encrypting each of the plurality of message blocks by the block cipher and converting each of obtained encryption results using the concatenation information corresponding to the message block. (See Rogaway, para. 0046, i.e., The system then defines the ciphertext core as a concatenation of the m ciphertext blocks and the ciphertext fragment. Next, the system computes an n-bit padded ciphertext fragment from the ciphertext fragment, computes a checksum by xoring the m-1 message blocks, the pad, and the n-bit padded ciphertext fragment, computes a full tag by applying the n-bit tweakable block cipher to the checksum, using a third tweak consisting of the nonce, the number m, and a constant 2, and computes an associated-data authenticator by applying a pseudorandom function to the associated-data. Finally, the system defines the tag as a portion of the string that is an xor of the full tag and the associated-data authenticator)
Referring to rejection of claim 8, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to generate the concatenation information so that a delimiter of elements in the message block corresponding to the concatenation information can be determined based on the concatenation information. (See Rogaway, para. 0081 and 0152, i.e., A popular block cipher to use with OCB is likely to be the AES algorithm (AES-128, AES-192, or AES-256). A tweakable block cipher .epsilon. thus takes three values as input: a key K, a tweak T, and a plaintext block X having some fixed number n of bits. The output is a ciphertext block Y=E(K,T, X) having n bits. The block length will usually be n=64 or n=128 bits. (This corresponds to disclosing the delimiter of a “connectable position” in a message block is represented by the number is expressed as w=n/64= 4)
*According to the Applicant’s specification in para. 0062, the delimiter is defined as a connectable position in a message block represented by w, the number w is expressed as w=n/32=4 and the delimiter of elements can be present at 32nd, 6th, 96th, and 128th bit positions in the message block.
Referring to rejection of claim 9, Rogaway discloses wherein the concatenation information indicates at least a position at which elements are connected with each other in each of the plurality of message blocks. (See Rogaway, para. 0086 and 0089, i.e., Each message block M[i] is xored with an offset (the Z[i] value), enciphered, and then xored again with the same offset. This gives a ciphertext block C[i]. A checksum is now computed by xoring together: (a) the m-1 message blocks; (b) the zero-padded ciphertext fragment, C[m]0*; and (c) the value Pad. (This is equivalent to xoring together: (a) the message blocks)
Referring to rejection of claim 10, Rogaway discloses wherein the concatenation information indicates a position of each element which is an empty sequence and a number thereof in each of the message blocks. (See Rogaway, para. 0064 and 0067, i.e., In pseudocode we write "Partition M into M[1] . . . M[m]" as shorthand for "Let m=|M|.sub.n and let M[1], . . . , M[m] be strings such that M[1] . . . M[m]=M and |M[i]|=n for 1<i<m." We write "Partition C into C[1] . . . C[m] T" as shorthand for "if |C|<t then return invalid. Otherwise, let C=C[first|C|-t bits], let T=C[last t bits], let m=|C|.sub.m, and let C[1] . . . C[m] be strings such that C[1] . . . C[m]=C and |C[i]|=n for 1.ltoreq.i<m." Recall that |M|.sub.n=max {1, .left brkt-top.|M|/n.right brkt-bot.}, so the empty string partitions into m=1 blocks, that one block being the empty string)
Referring to rejection of claim 11, Rogaway discloses wherein the concatenation information indicates at least a position at which elements are connected with each other for each position at which elements can be concatenated with each other in each of the plurality of the message blocks. (See Rogaway, para. 0077, i.e., As an example, Gray(128)=(0,1,3,2,6,7,5,4, . . . ). To see this, start with (0, 1). Then write it once forward and once backwards, (0,1,1,0). Then write (00, 01, 11, 10). Then write it once forward and once backwards, (00,01,11,10, 10,11,01,00). Then write (000,001,011,010, 110,111,101,100). At this point we already know the first 8 strings of Gray(128), which are (0,1,3,2,6,7,5,4), where these numbers are understood to represent 128-bit strings. So, for example, .gamma..sub.5 is 7 and .gamma..sub.6 is 5, and .gamma..sub.6=5 really is .gamma..sub.5,=7 xored with 2, where 2 is the string 1 shifted left ntz(6)=1 positions)
Referring to rejection of claim 12, Rogaway discloses wherein the concatenation information indicates a position of each element which is an empty sequence and a number thereof for each position at which elements can be concatenated with each other in each of the plurality of the message blocks. (See Rogaway, para. 0064, i.e., A string is a finite sequence of symbols, each symbol being 0 or 1. The string of length 0 is called the empty string and is denoted .epsilon.. Let {0,1 }* denote the set of all strings. If A, B .epsilon. {0,1 }* then A B, or A .parallel. B, is their concatenation. If A .epsilon. {0,1}* and A.noteq..epsilon. then firstbit(A) is the first bit of A and lastbit(A) is the last bit of A. Let i and n be nonnegative integers. Then 0.sup.i and 1.sup.i idenote strings of i 0's and 1's, respectively. For n understood, 0 means 0.sup.n. Let {0,1}.sup.n denote the set of all strings of length n. If A .epsilon. {0,1}* then |A| is the length of A, in bits, while |A|.sub.n=max(1, .left brkt-top.|A|/n.right brkt-bot. is the length of A in n-bit blocks, where the empty string counts as one block. For A .epsilon. {0,1}* and |A|.ltoreq.n, zpad.sub.n(A) .parallel.0.sup.n-|A|. With n understood we write A0* for zpad.sub.n(A). If A .epsilon. {0,1}* and t .epsilon. [0 . . . |A|] then A[first t bits] and A [last t bits] are the first t bits of A and the last t bits of A, respectively. Both of these values are the empty string if t=0. If A, B .epsilon. {0,1 }* then A .sym. B is the bitwise xor of A[first s bits] and B[first s bits] where s=min{|A|,|B|}; for example, 1001 .sym. 110=010)
Referring to rejection of claim 13, Rogaway discloses wherein the at least one processor is further configured to execute the instructions to successively generate the concatenation information when input data is successively input. (See Rogaway, para. 0076-0077, i.e., a Gray code is an ordering of the points of {0,1 }.sup.s (for some number s) such that successive points differ (in the Hamming sense) by just one bit. For n a fixed number, like n=128, OCB uses the canonical Gray code Gray(n)=(.gamma..sub.0, .gamma..sub.1, . . . , .gamma..sub.2 n-1Y2). Gray(n) is defined as follows: Gray(1)=(0, 1) and Gray(s) is constructed from Gray(s-1) by first listing the strings of Gray(s-1) in order, each preceded by a 0-bit, and then listing the strings of Gray(s-1) in reverse order, each preceded by a 1 bit. It is easy to see that Gray(n) is a Gray code. What is more, .gamma..sub.i can be obtained from .gamma..sub.i-1 by xoring .gamma..sub.i-1 with 0.sup.n-1 1<<ntz(i). This makes successive strings easy to compute and successively form the strings)
Referring to rejection of claim 14, Rogaway discloses an information processing method comprising:
generating concatenation data obtained by concatenating a plurality of elements of input data consisting of the plurality of elements with one another; (See Rogaway, para. 40 and 149, i.e., the system defines the ciphertext core as a concatenation of an m-1 ciphertext blocks and the ciphertext fragment. One can concatenate an encoding of each string in the vector of strings, where the encoding of each string in the vector of strings consists of a fixed-byte encoding of the string's length, followed by the string itself)
generating, for each of a plurality of message blocks obtained by dividing the concatenation data into blocks each having a predetermined data length, concatenation information about the concatenation of the elements in the message block; (See Rogaway, para. 0044 and 0085-0086, i.e., The system operates by first partitioning the message into m-1 message blocks of n bits and a message fragment of at most n bits. For each number i between 1 and m-1, the system then computes an i.sup.th ciphertext block by applying the n-bit tweakable block cipher to an i.sup.th message block, using a first tweak consisting of the nonce, the number i, and a constant 0. The message M has been partitioned into n-bit blocks M[1], . . . , M[m-1], as well as a message fragment, M[m], which may have fewer than n bits. The message blocks and the final fragment are treated differently. Each message block M[i] is xored with an offset (the Z[i] value), enciphered, and then xored again with the same offset. This gives a ciphertext block C[i])
and generating a tag for a message authentication code by a block cipher by using each of the plurality of message blocks and each of the concatenation information corresponding to the respective message blocks, the block cipher being a cipher of which an input is a message having the predetermined data length. (See Rogaway, para. 0011 and 0087-0090, i.e., a message authentication code using an n-bit block cipher E is the CBC MAC (cipher block chaining message authentication code), the message M to be authenticated must be a binary string having a length that is a positive multiple of n and is partitioned into n-bit blocks M[1], M[2], . . . , M[m] by taking M[1] as the first n bits of M, taking M[2] as the next n bits of M, and so forth. One then computes the authentication tag of M, using key K, by way of the same algorithm used for CBC encryption, but where the IV=0, the block of n zero bits, and where the authentication tag is the final ciphertext block, Tag=C[m]. Only Tag, or a prefix of Tag, is output as the authentication tag. A receiver who obtains an authenticated message M.parallel.Tag checks the validity of M by re-computing the CBC MAC of M under key K, obtaining a string Tag', and verifying that Tag' is identical to Tag. A checksum is now computed by xoring together: (a) the m-1 message blocks; (b) the zero-padded ciphertext fragment, C[m]0*; and (c) the value Pad. (This is equivalent to xoring together: (a) the message blocks; (b') the zero-padded message fragment, M[m]0*; (c') the string S which is the first n-|M[m]| bits of Pad followed by |M[m]| zero-bits.) The checksum is offset using offset Z[m], giving the PreFullTag. That string is enciphered to give the FullTag. The t-bit prefix of the FullTag is used as the actual tag, Tag. The ciphertext C is the ciphertext core C=C[1] . . . C[m] together with the tag Tag. The Nonce must be communicated along with the ciphertext C to allow the Receiver to decrypt)
Referring to rejection of claim 15, Rogaway discloses wherein the tag is generated by generating a plurality of random numbers corresponding to the respective message blocks by the block cipher by using the concatenation information corresponding to the respective message blocks. (See Rogaway, para. 0042 and 0090, i.e., the method utilizing a key, a nonce, an n-bit block cipher, and a pseudorandom function to encrypt a message of arbitrary bit length into a ciphertext core and a tag, the ciphertext core having the same length as the message. the system defines the ciphertext core as the ciphertext body concatenated with the ciphertext fragment. The system then computes a checksum from the message body, the ciphertext fragment, and the n-bit pad, computes a full tag using the checksum, the offset from the sequence of offsets, the n-bit block cipher, and the key, and computes an associated-data authenticator by applying the pseudorandom function, keyed by the key, to the associated-data. Finally, the system defines the tag as an xor of the full tag and the associated-data authenticator. The ciphertext C is the ciphertext core C=C[1] . . . C[m] together with the tag Tag. The Nonce must be communicated along with the ciphertext C to allow the Receiver to decrypt)
Referring to rejection of claim 16, Rogaway discloses wherein the tag is generated by encrypting each of the plurality of message blocks by the block cipher by using the concatenation information corresponding to the message block. (See Rogaway, para. 0095-0113, i.e., choose a random key K from the key space for the block cipher. Encryption: To encrypt message M .epsilon. {0,1}* using key K nonce Nonce .epsilon. {0,1}.sup.n, obtaining ciphertext C, do the following: 1. Partition M. Let m=.left brkt-top.|M|/n .right brkt-bot.. If m=0 then replace m by 1. Let M[1], . . . , M[m] be strings such that M[1] . . . M[m]=M and |M[i]|=n for all i .epsilon. [1 . . . m-1]. 2. Initialize variables. Let Offset=E.sub.K(Nonce .sym. L). Let Checksum=0. 3. Encipher all blocks but the last one. For i=1 to m-1, do the following: Let Checksum=Checksum .sym. M[i]. Let Offset=Offset .sym. L(ntz(i)). [0106] Let C[i]=E.sub.K(M[i] .sym. Offset. 4. Mask the final fragment and finish constructing the checksum: Let Offset=Offset .sym. L(ntz(m)). Let Pad=E.sub.K(len(M[m]) .sym. L(-1) .sym. Offset). Let C[m]=M[m] .sym. (the first |M[m]| bits of Pad). Let Checksum=Checksum .sym. Pad .sym. C[m]0*. 5. Form the tag. Let Tag be the first t bits of E.sub.K(Checksum .sym. Offset). 6. Return the ciphertext. The ciphertext is defined as the string C=C[1] . . . C[m-1]C[m] .parallel. Tag. It is communicated along with the nonce Nonce to the Receiver)
Referring to rejection of claim 17, Rogaway discloses wherein the tag is generated by encrypting each of the plurality of message blocks by a Tweakable block cipher using the concatenation information corresponding to the message block as a Tweak. (See Rogaway, para. 0044, i.e., an authenticated-encryption method that uses a key, a nonce, and an n-bit tweakable block cipher to encrypt a message of arbitrary bit length into a ciphertext core of the same length and a tag, all invocations of the n-bit tweakable block cipher keyed by the key. The system operates by first partitioning the message into m-I message blocks of n bits and a message fragment of at most n bits. For each number i between 1 and m-1, the system computes an i.sup.th ciphertext block by applying the n-bit tweakable block cipher to an i.sup.th message block, using a first tweak consisting of the nonce, the number i, and a constant 0)
Referring to rejection of claim 18, Rogaway discloses wherein the tag is generated by encrypting each of the plurality of message blocks by a Tweakable block cipher using the concatenation information corresponding to the message block as a Tweak, and performing a process for adding an obtained encryption result to a next message block. (See Rogaway, para. 0044, i.e., The system then computes a pad by applying the n-bit tweakable block cipher to a string that encodes a length of the message fragment, using a second tweak consisting of the nonce, a number m, and a constant 1, and computes a ciphertext fragment by xoring the message fragment and a portion of the pad that has a same number of bits as the message fragment)
Referring to rejection of claim 19, Rogaway discloses wherein the tag is generated by encrypting the plurality of message blocks in parallel with each other by Tweakable block ciphers in which the concatenation information corresponding to the respective message blocks and indices of the message blocks are used as Tweaks, and adding obtained encryption results. (See Rogaway, para. 0044-0045, i.e., Next, the system defines the ciphertext core as a concatenation of the m-1 ciphertext blocks and the ciphertext fragment. The system then computes an n-bit padded ciphertext fragment from the ciphertext fragment, computes a checksum by xoring the m-I message blocks, the pad, and the n-bit padded ciphertext fragment, and computes the tag by applying the n-bit tweakable block cipher to the checksum, using a tweak consisting of the nonce, the number m, and a constant 2. The n-bit tweakable block cipher is implemented using an n-bit conventional block cipher, each invocation of the n-bit tweakable block cipher utilizing at least one shift operation, at least one conditional xor operation, and at least one call to the n-bit conventional block cipher)
Referring to rejection of claim 20, Rogaway discloses a non-transitory computer readable medium storing a program for causing a computer to perform:
a step of generating concatenation data obtained by concatenating a plurality of elements of input data consisting of the plurality of elements with one another; (See Rogaway, para. 40 and 149, i.e., the system defines the ciphertext core as a concatenation of an m-1 ciphertext blocks and the ciphertext fragment. One can concatenate an encoding of each string in the vector of strings, where the encoding of each string in the vector of strings consists of a fixed-byte encoding of the string's length, followed by the string itself)
a step of concatenation information generation means for generating, for each of a plurality of message blocks obtained by dividing the concatenation data into blocks each having a predetermined data length, concatenation information about the concatenation of the elements in the message block; (See Rogaway, para. 0044 and 0085-0086, i.e., The system operates by first partitioning the message into m-1 message blocks of n bits and a message fragment of at most n bits. For each number i between 1 and m-1, the system then computes an i.sup.th ciphertext block by applying the n-bit tweakable block cipher to an i.sup.th message block, using a first tweak consisting of the nonce, the number i, and a constant 0. The message M has been partitioned into n-bit blocks M[1], . . . , M[m-1], as well as a message fragment, M[m], which may have fewer than n bits. The message blocks and the final fragment are treated differently. Each message block M[i] is xored with an offset (the Z[i] value), enciphered, and then xored again with the same offset. This gives a ciphertext block C[i])
and a step of tag generation means for generating a tag for a message authentication code by a block cipher by using each of the plurality of message blocks and each of the concatenation information corresponding to the respective message blocks, the block cipher being a cipher of which an input is a message having the predetermined data length. (See Rogaway, para. 0011 and 0087-0090, i.e., a message authentication code using an n-bit block cipher E is the CBC MAC (cipher block chaining message authentication code), the message M to be authenticated must be a binary string having a length that is a positive multiple of n and is partitioned into n-bit blocks M[1], M[2], . . . , M[m] by taking M[1] as the first n bits of M, taking M[2] as the next n bits of M, and so forth. One then computes the authentication tag of M, using key K, by way of the same algorithm used for CBC encryption, but where the IV=0, the block of n zero bits, and where the authentication tag is the final ciphertext block, Tag=C[m]. Only Tag, or a prefix of Tag, is output as the authentication tag. A receiver who obtains an authenticated message M.parallel.Tag checks the validity of M by re-computing the CBC MAC of M under key K, obtaining a string Tag', and verifying that Tag' is identical to Tag. A checksum is now computed by xoring together: (a) the m-1 message blocks; (b) the zero-padded ciphertext fragment, C[m]0*; and (c) the value Pad. (This is equivalent to xoring together: (a) the message blocks; (b') the zero-padded message fragment, M[m]0*; (c') the string S which is the first n-|M[m]| bits of Pad followed by |M[m]| zero-bits.) The checksum is offset using offset Z[m], giving the PreFullTag. That string is enciphered to give the FullTag. The t-bit prefix of the FullTag is used as the actual tag, Tag. The ciphertext C is the ciphertext core C=C[1] . . . C[m] together with the tag Tag. The Nonce must be communicated along with the ciphertext C to allow the Receiver to decrypt)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/COURTNEY D FIELDS/Examiner, Art Unit 2436 December 27, 2025
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436