Prosecution Insights
Last updated: July 17, 2026
Application No. 19/170,040

SYSTEMS AND METHODS FOR ZERO-KNOWLEDGE PROOF (ZKP) MODELING

Non-Final OA §103
Filed
Apr 03, 2025
Priority
May 31, 2022 — provisional 63/347,389 +4 more
Examiner
CHIANG, JASON
Art Unit
Tech Center
Assignee
As0001 Inc.
OA Round
1 (Non-Final)
83%
Grant Probability
Favorable
1-2
OA Rounds
1y 3m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 83% — above average
83%
Career Allowance Rate
458 granted / 551 resolved
+23.1% vs TC avg
Strong +28% interview lift
Without
With
+28.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
14 currently pending
Career history
566
Total Applications
across all art units

Statute-Specific Performance

§101
1.8%
-38.2% vs TC avg
§103
91.4%
+51.4% vs TC avg
§102
4.0%
-36.0% vs TC avg
§112
0.7%
-39.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 551 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION This action is in response to the communication filed on 04/03/2025. Claims 1-20 are under examination. The Information Disclosure Statements filed on 04/03/3035, 07/24/2025, 12/08/2025 and 05/12/2026 have been entered and considered. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Griffin et al. (US 2021/0211468 A1) and Azgad-Tromer et al. (US 2024/0104521 A1). Regarding claim 1, Griffin et al. discloses A method, comprising: receiving or identifying, by one or more processing circuits, at least one token comprising cyber resilience data of at least one entity [par. 0043, “the encryption circuit 122 uses a tokenization method that complies with X9.119 standard or other similarly adopted industry security standards. Tokenization is a form of obfuscating the cleartext such that it is replaced with a pseudonym data element in the form of a token. The tokens may be generated, stored, and maintained by an entity that specializes in the tokenization process (e.g., a token service provider)”, par. 0099, “The compliance blockchain schema can take a variety of forms. Generally, the schema provides for the blockchain facilitator to generate a policy and practices versions in blocks on the policy blockchain… the schema allows for… tokenized representation of the policies”], the cyber resilience data corresponding with at least one posture or compliance parameter of at least one third party [, par. 0021, “The compliance blockchain system, comprising one blockchain of the blockchain facilitator's policies and practices and another selectively encrypted blockchain of the related blockchain facilitator's compliance event data, allows for a more effective and reliable medium for subscribers, internal auditors, and external assessors monitoring and verifying blockchain facilitator actions. This ledger enables near real-time determination by subscribers of their security posture, the degree to which the blockchain facilitators are in compliance with organization security policies and the status of the organization's security governance activities”]. Griffin et al. does not explicitly disclose performing, by the one or more processing circuits, a zero-knowledge proof (ZKP) on the cyber resilience data by: determining at least one posture or compliance parameter of the at least one third party is satisfied based on the cyber resilience data; and generating at least one ZKP of the cyber resilience data, wherein the at least one ZKP comprises at least one cryptographic commitment obfuscating the cyber resilience data; and providing, by the one or more processing circuits to at least one third party computing system of the at least one third party, the at least one ZKP or indication of performance of the at least one ZKP. However, Azgad-Tromer et al. teaches performing, by the one or more processing circuits, a zero-knowledge proof (ZKP) on the cyber resilience data by: determining at least one posture or compliance parameter of the at least one third party is satisfied based on the cyber resilience data [par. 0184, “Soundness means that the consensus system participants and third parties must be convinced that the transaction does indeed satisfy the compliance policy”, par. 0370, requesting information regarding compliance… bank regulations… to comply with Travel Rule mandates, to ascertain Accredited Investor status…]; and generating at least one ZKP of the cyber resilience data, wherein the at least one ZKP comprises at least one cryptographic commitment obfuscating the cyber resilience data [par. 0265, “Once written and compiled, policies are enforced by the system using multiple underlying mechanisms. These may include cryptographic mechanisms such as zero-knowledge proofs”, par. 0399, “use a zero-knowledge proof that indicates the existence of a transaction (or transactions) meeting certain criteria on a public-visible cryptocurrency ledger, such as a blockchain”]; and providing, by the one or more processing circuits to at least one third party computing system of the at least one third party, the at least one ZKP or indication of performance of the at least one ZKP [par. 0266, “audited properties of the organization's sealed assets may be cryptographically certified for presentation to third parties, using cryptographic proofs that rigorously convince the third parties of a claim's correctness”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 2, the rejection of claim 1 is incorporated. Azgad-Tromer et al. further discloses the cyber resilience data corresponds with attestation data, safeguard data, incident data, effectiveness data, or protectability data of the at least one entity [par. 0226, attestations, par. 0232, “zero-knowledge proofs attesting that the reported output was correctly computed from the underlying transactions and CRAI”], and wherein the at least one cryptographic commitment verifies the at least one posture or compliance parameter is satisfied and protects the attestation data, safeguard data, incident data, effectiveness data, or protectability data [par. 0266, “audited properties of the organization's sealed assets may be cryptographically certified for presentation to third parties, using cryptographic proofs that rigorously convince the third parties of a claim's correctness”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 3, the rejection of claim 1 is incorporated. Griffin et al. further discloses the at least one token comprises at least one of a unified attestation token, a unified safeguard token, an incident readiness token, an effectiveness token, or a protectability token [par. 0043, “the encryption circuit 122 uses a tokenization method that complies with X9.119 standard or other similarly adopted industry security standards. Tokenization is a form of obfuscating the cleartext such that it is replaced with a pseudonym data element in the form of a token. The tokens may be generated, stored, and maintained by an entity that specializes in the tokenization process (e.g., a token service provider). The token service provider would handle receiving requests to detokenize (e.g., return the cleartext for a token) for an authorized party. The tokenization and encryption techniques may be made available to auditors, regulators, and attorneys by authorizing their access to selective parts of this information and providing them with any needed credentials and keys” (protectability token)]. Azgad-Tromer et al. further discloses wherein the cyber resilience data obfuscated by the at least one ZKP comprises one or more configurations of security controls, internal compliance reports or assessments, or incident histories and responses [par. 0266, “audited properties of the organization's sealed assets may be cryptographically certified for presentation to third parties, using cryptographic proofs that rigorously convince the third parties of a claim's correctness”, par. 0232, “zero-knowledge proofs attesting that the reported output was correctly computed from the underlying transactions and CRAI”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 4, the rejection of claim 1 is incorporated. Azgad-Tromer et al. further discloses receiving, by the one or more processing circuits via an application programming interface (API), a verification request comprising the at least one posture or compliance parameter of the at least one third party [par. 0008, “The SAP may be configured to augment cryptocurrency transactions and wallets with compliance relevant auxiliary information (hereinafter, “CRAI”) to facilitate enforcing compliance, and to use the CRAI to cryptographically ensure adherence to compliance policies at each pertinent interaction”, par. 0009, “The CRAI may comprise user identities (name, national identifiers, etc.), account numbers and institution identifiers, credentials issued by third parties”, par. 0157, Application Programming Interface (API) for participants to obtain statistical data and make queries about the state of the network]; and transmitting, by the one or more processing circuits via the API [par. 0204, “ This combined data may then be published to users via the data platform API and/or be published to transactors via data oracles”], a response to the verification request comprising the at least one ZKP or the indication of performance of the at least one ZKP to a third party computing system of the at least one third party; wherein the API restricts access between a public environment and the cyber resilience data of a protected environment, and wherein the public environment corresponds to a plurality of third party computing systems, and wherein the protected environment comprises the one or more processing circuits and communication is restricted based at least on (i) transmitting the response comprising the ZKP and (ii) protecting the cyber resilience data from the public environment [par. 0030, “ determine that a requested transaction is in compliance with the compliance policy; [0032] generate at least partially encrypted compliance relevant auxiliary information (CRAI), the CRAI comprising information configured to facilitate independent verification of the compliance”, par. 0187, “ policies may specify that a particular transaction input/output is visible only to specific parties, e.g., regulators or banks”, par. 0266, “audited properties of the organization's sealed assets may be cryptographically certified for presentation to third parties, using cryptographic proofs that rigorously convince the third parties of a claim's correctness”, par. 0232, “zero-knowledge proofs attesting that the reported output was correctly computed from the underlying transactions and CRAI”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 5, the rejection of claim 1 is incorporated. Griffin et al. further discloses determining the at least one posture or compliance parameter is satisfied based at least on: modeling, by the one or more processing circuits, one or more attributes of the cyber resilience data and one or more values or conditions corresponding with the at least one posture or compliance parameter to determine the one or more attributes satisfy the one or more values or conditions [par. 0021, “This ledger enables near real-time determination by subscribers of their security posture, the degree to which the blockchain facilitators are in compliance with organization security policies and the status of the organization's security governance activities”, par. 0096, “The blockchain facilitator computing system 102 generates information related to S1 as Statement 1, signs the statement, generates a hash of the signed Statement 1, and transmits the information to the TSA computing system 104. The TSA computing system 104 is managed by any trusted time authority that can provide a trusted time token for a piece of information or data entry. The trusted time authority can be one that complies with the X9.95 standard, or those defined in similar standards by ISO/IEC and satisfies the legal and regulatory requirements”]. Regarding claim 6, the rejection of claim 1 is incorporated. Azgad-Tromer et al. further discloses generating the at least one ZKP comprises: determining, by the one or more processing circuits, one or more attributes of the cyber resilience data corresponding to the at least one posture or compliance parameter [par. 0184, “Soundness means that the consensus system participants and third parties must be convinced that the transaction does indeed satisfy the compliance policy”, par. 0370, requesting information regarding compliance… bank regulations… to comply with Travel Rule mandates, to ascertain Accredited Investor status…]; applying, by the one or more processing circuits, one or more transformations, logical operations, or aggregations to one or more attributes [par. 0265, “Once written and compiled, policies are enforced by the system using multiple underlying mechanisms. These may include cryptographic mechanisms such as zero-knowledge proofs”, par. 0399, “use a zero-knowledge proof that indicates the existence of a transaction (or transactions) meeting certain criteria on a public-visible cryptocurrency ledger, such as a blockchain”]; hashing, by the one or more processing circuits, the one or more attributes; and generating, by the one or more processing circuits, the at least one cryptographic commitment based on the one or more attributes and the one or more transformations, logical operations, or aggregations [par. 0030, “ determine that a requested transaction is in compliance with the compliance policy; [0032] generate at least partially encrypted compliance relevant auxiliary information (CRAI), the CRAI comprising information configured to facilitate independent verification of the compliance”, par. 0266, “audited properties of the organization's sealed assets may be cryptographically certified for presentation to third parties, using cryptographic proofs that rigorously convince the third parties of a claim's correctness”, par. 0232, “zero-knowledge proofs attesting that the reported output was correctly computed from the underlying transactions and CRAI”, par. 0315, “compute a summary proof which may contain the output of a hash data structure (e.g., a Merkle tree or “cryptographic accumulator”) over the set of transactions and the inputs and outputs of each transaction”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 7, the rejection of claim 6 is incorporated. Azgad-Tromer et al. further discloses validating, by the one or more processing circuits, the at least one ZKP based at least one on cross- referencing the at least one cryptographic commitment with one or more expected values derived from the one or more transformations, logical operations, or aggregations [par. 0030, “ determine that a requested transaction is in compliance with the compliance policy; [0032] generate at least partially encrypted compliance relevant auxiliary information (CRAI), the CRAI comprising information configured to facilitate independent verification of the compliance”, par. 0266, “audited properties of the organization's sealed assets may be cryptographically certified for presentation to third parties, using cryptographic proofs that rigorously convince the third parties of a claim's correctness”, par. 0232, “zero-knowledge proofs attesting that the reported output was correctly computed from the underlying transactions and CRAI”, par. 0315, “compute a summary proof which may contain the output of a hash data structure (e.g., a Merkle tree or “cryptographic accumulator”) over the set of transactions and the inputs and outputs of each transaction”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 8, the rejection of claim 6 is incorporated. Azgad-Tromer et al. further discloses generating the at least one ZKP comprises: applying, by the one or more processing circuits, at least one of a zero-knowledge succinct non- interactive arguments of knowledge (zk-SNARKs) protocol or a zero-knowledge scalable transparent arguments of knowledge (zk-STARKS) protocol [par. 0277, “our system may utilize zero-knowledge non-interactive arguments of knowledge (zk-SNARK), which are a form of non-interactive zero-knowledge proof systems with additional efficiency and security properties. Our system may also utilize “interactive zero-knowledge proof system,” which has similar properties, except that the proof is not a data object, but rather an interactive protocol carried out by the prover and verifier”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 9, the rejection of claim 1 is incorporated. Azgad-Tromer et al. further discloses generating, by the one or more processing circuits, the at least one token based at least on embedding the at least one ZKP into a structured data object; or responsive to a data exchange between one or more nodes of a decentralized network, centralized network, or data source, providing, by the one or more processing circuits, the at least one ZKP, wherein the data exchange corresponds to a transfer of at least a portion of the cyber resilience data [par. 0024, “propagating CRAI through a plurality of comingled systems… by decentralized exchanges and/or other decentralized finance systems, or by privacy-enhancing systems”, par. 0030, “determine that a requested transaction is in compliance with the compliance policy; [0032] generate at least partially encrypted compliance relevant auxiliary information (CRAI), the CRAI comprising information configured to facilitate independent verification of the compliance”, par. 0232, “zero-knowledge proofs attesting that the reported output was correctly computed from the underlying transactions and CRAI”]. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Azgad-Tromer et al. into the teaching of Griffin et al. with the motivation to provide a compliance layer and architecture to facilitate regulatory compliance systems as taught by Azgad-Tromer et al. [Azgad-Tromer et al.: par. 0007]. Regarding claim 10, it recites limitations like claim 1. The reason for the rejection of claim 1 is incorporated herein. Regarding claim 11, it recites limitations like claim 2. The reason for the rejection of claim 2 is incorporated herein. Regarding claim 12, it recites limitations like claim 3. The reason for the rejection of claim 3 is incorporated herein. Regarding claim 13, it recites limitations like claim 4. The reason for the rejection of claim 4 is incorporated herein. Regarding claim 14, it recites limitations like claim 5. The reason for the rejection of claim 5 is incorporated herein. Regarding claim 15, it recites limitations like claim 6. The reason for the rejection of claim 6 is incorporated herein. Regarding claim 16, it recites limitations like claim 7. The reason for the rejection of claim 7 is incorporated herein. Regarding claim 17, it recites limitations like claim 8. The reason for the rejection of claim 8 is incorporated herein. Regarding claim 18, it recites limitations like claim 9. The reason for the rejection of claim 9 is incorporated herein. Regarding claim 19, it recites limitations like claim 1. The reason for the rejection of claim 1 is incorporated herein. Regarding claim 20, it recites limitations like claim 2. The reason for the rejection of claim 2 is incorporated herein. Conclusion The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure: US 11943358 B2 Methods And Systems For Identifying Anonymized Participants Of Distributed Ledger-based Networks Using Zero-knowledge Proofs US 11888886 B1 Cyber Security Risk Assessment And Cyber Security Insurance Platform US 11611590 B1 System And Methods For Reducing The Cybersecurity Risk Of An Organization By Verifying Compliance Status Of Vendors, Products And Services US 11595372 B1 Data Source Driven Expected Network Policy Control US 20220385687 A1 CYBERSECURITY THREAT MANAGEMENT USING ELEMENT MAPPING US 20220094596 A1 DYNAMIC COMPLIANCE MANAGEMENT US 20210334386 A1 METHOD AND SYSTEM FOR ASSESSING EFFECTIVENESS OF CYBERSECURITY CONTROLS IN AN OT ENVIRONMENT US 20210326872 A1 INTELLIGENT ASSERTION TOKENS FOR AUTHENTICATING AND CONTROLLING NETWORK COMMUNICATIONS USING A DISTRIBUTED LEDGER US 10944561 B1 Policy Implementation Using Security Tokens US 20200084202 A1 ATTESTATION TOKEN SHARING IN EDGE COMPUTING ENVIRONMENTS US 20180315026 A1 ZERO KNOWLEDGE THIRD PARTY GUARANTEE OF SERVICE ON DECENTRALIZED COMPUTING PLATFORM US 20160337407 A1 SCALABLE SECURITY ARCHITECTURE SYSTEMS AND METHODS Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393. The examiner can normally be reached on 9 AM to 6 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JASON CHIANG/Primary Examiner, Art Unit 2431
Read full office action

Prosecution Timeline

Apr 03, 2025
Application Filed
Jun 25, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682096
AUGMENTING SYSTEM ACCESS CONTROL PERSPECTIVE
2y 9m to grant Granted Jul 14, 2026
Patent 12676862
Systems and Methods for Anonymous Administrative Login
3y 3m to grant Granted Jul 07, 2026
Patent 12659339
RECORDING SECURITY MANAGEMENT
2y 8m to grant Granted Jun 16, 2026
Patent 12645809
ANALYZING AGGREGATED EVENT DATA TO IDENTIFY AND ADDRESS PERMISSIONS ISSUES
2y 10m to grant Granted Jun 02, 2026
Patent 12647461
TECHNIQUES FOR GENERATING POLICY RECOMMENDATIONS AND INSIGHTS USING GENERATIVE AI
2y 8m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
83%
Grant Probability
99%
With Interview (+28.5%)
2y 6m (~1y 3m remaining)
Median Time to Grant
Low
PTA Risk
Based on 551 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month