DETAILED ACTION
This office action has been issued in response to communications received on 11/07/2019, a preliminary amendment received 2/25/2021 as well as an Examiner’s Interview conducted on 2/25/2021.  Claims 3, 13 and 14 were cancelled via the preliminary amendment on 2/25/2021.  Claims 1-2, 4-12 and 15-16 were amended.  New claims 17-23 were added.  Claims 1-2, 4-12 and 15-23 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Michael Epstein on 2/25/2021.
Claims 1-2, 4-12 and 15-23 have been amended.  This application has been amended as follows:

Claim 1 (Currently Amended) A first network node configured for a key agreement protocol, the first network node comprising:
a communication interface circuit, wherein the communication interface circuit is arranged for digital communication with a second network node; and
a processor circuit,
wherein the processor circuit is configured to obtain a shared polynomial (                
                    a
                
            ),
                
                    (
                    a
                    )
                
             are selected modulo a first modulus                 
                    q
                
            ,
wherein the processor circuit is configured to generate a private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ;                 
                    
                        
                            s
                            k
                        
                        
                            R
                        
                    
                
            ),
wherein coefficients of the private key polynomial are bounded in absolute value by a bound (                
                    s
                
            ),
wherein the bound (                
                    s
                
            ) is smaller than a second modulus (                
                    p
                
            ),
wherein the second modulus (                
                    p
                
            ) is smaller than the first modulus (                
                    q
                
            ),
wherein the processor circuit is configured to generate a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ;                 
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            ), the generation comprising:
computing a polynomial product between the shared polynomial (                
                    a
                
            ) and the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) modulo the first modulus (                
                    q
                
            ) obtaining a polynomial product; and
scaling coefficients of the polynomial product down to the second modulus (                
                    p
                
            ), wherein a scaled coefficient is equal to the unscaled coefficient multiplied with the second modulus (                
                    p
                
            ), divided by the first modulus (                
                    q
                
            ) and rounded to the nearest integer,
wherein the processor circuit is configured to send the public key polynomial of the first network node to the second network node,
wherein the processor circuit is configured to receive a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            ;                 
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ) of the second network node,
wherein the processor circuit is configured to compute a raw key polynomial, wherein the raw polynomial is a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (                
                    p
                
            ),
wherein the processor circuit is configured to compute a 
wherein the first network node is configured to receive reconciliation data (                
                    h
                
            ) of the second network node,
                
                    r
                    e
                    c
                
            ) to the received reconciliation data and multiple coefficients of the raw key polynomial.

Claim 2 (Currently Amended) The [[A]] first network node as in claim 1,
wherein the first network node is configured to receive helper data of the second network node,
wherein the helper data comprises information allowing deriving of the same shared key at the first and second node such that differences are cancelled between the raw keys computed 
wherein the first network node is configured to compute [[a]] the shared key from the helper data and multiple coefficients of the raw key polynomial.

Claim 3 (Cancelled)

Claim 4 (Currently Amended) The [[A]]  first network node as in claim 1, wherein the bound (                
                    s
                
            ) in absolute value of                 
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                    ,
                     
                    
                        
                            s
                            k
                        
                        
                            R
                        
                    
                
            ) is 2 (                
                    s
                    =
                    2
                
            ), or wherein the bound is 1 (                
                    s
                    =
                    1
                
            ), the latter corresponding to signed binary.

Claim 5 (Currently Amended) The [[A]] first network node as in claim 1,
wherein the first network nodes is configured with a predetermined number (                
                    
                        
                            h
                        
                        
                            s
                        
                    
                
            ) of non-zero coefficients,
wherein the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) is generated with at most the number (                
                    
                        
                            h
                        
                        
                            s
                        
                    
                
            ) of non-zero coefficients.

Claim 6 (Currently Amended) The [[A]] first network node as in claim 1, wherein the second modulus (                
                    p
                
            ) divides the first modulus (                
                    q
                
            ).

Claim 7 (Currently Amended) The [[A]] first network node as in claim 1, wherein the second modulus (                
                    p
                
            ) and/or the first modulus (                
                    q
                
            ) is a power of 2.

The [[A]] first network node as in claim 1, wherein the first network node[[s] is arranged to obtain a fresh shared polynomial (                
                    a
                
            ) and a fresh private key for each new key exchange. 

Claim 9 (Currently Amended) The [[A]] first network node as in claim 1, wherein reconciliation data is obtained, sent, received, and applied for fewer than all coefficients of the raw key polynomial.

Claim 10 (Currently Amended) The [[A]] first network node as in claim 1, wherein the size of the reconciliation data is at least two 2 bits per corresponding coefficient of the raw key polynomial. 

Claim 11 (Currently Amended) The [[A]] first network node as in claim 1,
wherein the first modulus (                
                    q
                
            ) has as bit size of at least 12, and 
wherein the second modulus (                
                    p
                
            ) has as bit size of at least 7.

Claim 12 (Currently Amended) The [[A]] first network node as in claim 1, wherein the polynomial product between the shared polynomial (                
                    a
                
            ) and the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) and the polynomial product between the received public key of the second node and the private key polynomial of the first network node are both modulo a reduction polynomial.

Claim 13 (Cancelled)

Claim 14 (Cancelled)

Claim 15 (Currently Amended) An electronic key agreement method for a first network node, the method comprising:
arranging digital communication between the first network node and a second network node;
                
                    a
                
            ), the shared polynomial is shared with the second network node through the digital communication, coefficients of the shared polynomial                 
                    a
                
             is selected modulo a first modulus                 
                    q
                
            ; 
generating a private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ),
wherein coefficients of the private key polynomial are bounded in absolute value by a bound (                
                    s
                
            ),
wherein the bound (                
                    s
                
            ) is smaller than a second modulus (                
                    p
                
            ),
wherein the second modulus (                
                    p
                
            ) is smaller than the first modulus (                
                    q
                
            );
generating a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ) wherein the generating comprises:
computing a polynomial product between the shared polynomial (                
                    a
                
            ) and the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) modulo the first modulus (                
                    q
                
            ) obtaining a polynomial product; and
scaling the coefficients of the polynomial product down to a second modulus (                
                    p
                
            ), wherein a scaled coefficient is equal to the unscaled coefficient multiplied with the second modulus (                
                    p
                
            ), divided by the first modulus (                
                    q
                
            ) and rounded to the nearest integer; 
sending the public key polynomial of the first network node to the second network node;
receiving a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            ) of the second network node;
computing a raw key polynomial as a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (                
                    p
                
            );
computing 
receiving helper data of the second network node, wherein the helper data comprises information allowing deriving of the same shared key at the first and second node such that differences are cancelled between the raw keys derived at the first and second nodes; and
computing [[a]] the shared key from the helper data and multiple coefficients of the raw key polynomial.

 as follows: 
arranging digital communication between the first network node and a second network node;
obtaining a shared polynomial (                
                    a
                
            ), the shared polynomial is shared with the second network node through the digital communication, coefficients of the shared polynomial                 
                    a
                
             is selected modulo a first modulus                 
                    q
                
            ;
generating a private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ),
wherein coefficients of the private key polynomial are bounded in absolute value by a bound (                
                    s
                
            ),
wherein the bound (                
                    s
                
            ) is smaller than a second modulus (                
                    p
                
            ),
wherein the second modulus (                
                    p
                
            ) is smaller than the first modulus (                
                    q
                
            );
generating a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ) wherein the generating comprises:
computing a polynomial product between the shared polynomial (                
                    a
                
            ) and the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) modulo the first modulus (                
                    q
                
            ) obtaining a polynomial product; and
scaling the coefficients of the polynomial product down to a second modulus (                
                    p
                
            ), wherein a scaled coefficient is equal to the unscaled coefficient multiplied with the second modulus (                
                    p
                
            ), divided by the first modulus (                
                    q
                
            ) and rounded to the nearest integer; 
sending the public key polynomial of the first network node to the second network node;
receiving a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            ) of the second network node;
computing a raw key polynomial as a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (                
                    p
                
            ); 
computing a shared key from the raw key;
receiving helper data of the second network node, wherein the helper data comprises information allowing deriving of the same shared key at the first and second 
obtaining the shared key and the helper data from multiple coefficients of the raw key polynomial; and
sending the helper data to the second network node.

Claim 17 (Amended) A first network node configured for a key agreement protocol, the first network node comprising:
a communication interface circuit, wherein the communication interface circuit is arranged for digital communication with a second network node; and
a processor circuit,
wherein the processor circuit is configured to obtain a shared polynomial (                
                    a
                
            ),
wherein coefficients of the shared polynomial                 
                    (
                    a
                    )
                
             are selected modulo a first modulus                 
                    q
                
            ,
wherein the processor circuit is configured to generate a private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ;                 
                    
                        
                            s
                            k
                        
                        
                            R
                        
                    
                
            ),
wherein coefficients of the private key polynomial are bounded in absolute value by a bound (                
                    s
                
            ),
wherein the bound (                
                    s
                
            ) is smaller than a second modulus (                
                    p
                
            ),
wherein the second modulus (                
                    p
                
            ) is smaller than the first modulus (                
                    q
                
            ),
wherein the processor circuit is configured to generate a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ;                 
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            )the generation comprising: 
computing a polynomial product between the shared polynomial (                
                    a
                
            ) and the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) modulo the first modulus (                
                    q
                
            ) obtaining a polynomial product; and
scaling coefficients of the polynomial product down to the second modulus (                
                    p
                
            ), wherein a scaled coefficient is equal to the unscaled coefficient multiplied with the second modulus (                
                    p
                
            ), divided by the first modulus (                
                    q
                
            ) and rounded to the nearest integer,
wherein the processor circuit is configured to send the public key polynomial of the first network node to the second network node,
                
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            ;                 
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ) of the second network node,
wherein the processor circuit is configured to compute a raw key polynomial, wherein the raw polynomial is a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (                
                    p
                
            ),
wherein the processor circuit is configured to compute a 
wherein the first network node is configured to receive reconciliation data (                
                    h
                
            ) of the second network node,
wherein the first network node is configured to obtain the shared key and reconciliation data from multiple coefficients of the raw key polynomial,
wherein the first network node is configured to send the reconciliation data to the second network node.

Claim 18 (Amended) The [[A]] first network node as in claim 17,
wherein the first network node is configured to  receive helper data of the second network node,
wherein the helper data comprises information allowing deriving of the same shared key at the first and second node such that differences are cancelled between the raw keys computed 
wherein the first network node is configured to obtain the shared key,
wherein the first network node is configured to obtain the helper data from at least multiple coefficients of the raw key polynomial, 
wherein the first network node is configured to send the helper data to the second network node.

Claim 19 (Amended) The [[A]] first network node as in claim 1,
wherein the first network node                 
                    
                        
                            h
                        
                        
                            s
                        
                    
                
            ) of non-zero coefficients,
                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ;                 
                    
                        
                            s
                            k
                        
                        
                            R
                        
                    
                
            ) is chosen from a probability distribution,
wherein the probability distribution has a fixed expected number (                
                    
                        
                            h
                        
                        
                            s
                        
                    
                
            ) of non-zero coefficients for the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ;                 
                    
                        
                            s
                            k
                        
                        
                            R
                        
                    
                
            ).

Claim 20 (Amended) The [[A]] first network node as in claim 1, wherein the first network node                 
                    a
                
            ) or a fresh private key for each new key exchange. 

Claim 21 (Amended) The [[A]] first network node as in claim 1, wherein reconciliation data is obtained, sent, received, or applied for fewer than all coefficients of the raw key polynomial.

Claim 22 (Amended) The [[A]] first network node as in claim 1,
wherein the first modulus (                
                    q
                
            ) has as bit size of at least 12, or
wherein the second modulus (                
                    p
                
            ) has as bit size of at least 7.

Claim 23 (Amended) An electronic key agreement method for a first network node, the method comprising:
arranging digital communication between the first network node and a second network node;
obtaining a shared polynomial (                
                    a
                
            ), the shared polynomial is shared with the second network node through the digital communication, coefficients of the shared polynomial                 
                    a
                
             is selected modulo a first modulus                 
                    q
                
            ;
generating a private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ),
wherein coefficients of the private key polynomial are bounded in absolute value by a bound (                
                    s
                
            ),
wherein the bound (                
                    s
                
            ) is smaller than a second modulus (                
                    p
                
            ),
wherein the second modulus (                
                    p
                
            ) is smaller than the first modulus (                
                    q
                
            );
generating a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            I
                        
                    
                
            ) wherein the generating comprises:
                
                    a
                
            ) and the private key polynomial (                
                    
                        
                            s
                            k
                        
                        
                            I
                        
                    
                
            ) modulo the first modulus (                
                    q
                
            ) obtaining a polynomial product; and
scaling the coefficients of the polynomial product down to a second modulus (                
                    p
                
            ), wherein a scaled coefficient is equal to the unscaled coefficient multiplied with the second modulus (                
                    p
                
            ), divided by the first modulus (                
                    q
                
            ) and rounded to the nearest integer; 
sending the public key polynomial of the first network node to the second network node;
receiving a public key polynomial (                
                    
                        
                            p
                            k
                        
                        
                            R
                        
                    
                
            ) of the second network node;
computing a raw key polynomial as a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (                
                    p
                
            ); 
computing a 
receiving helper data of the second network node, wherein the helper data comprises information allowing deriving of the same shared key at the first and second node such that differences are cancelled between the raw keys derived at the first and second nodes;
obtaining the shared key and the helper data from multiple coefficients of the raw key polynomial; and
sending the helper data to the second network node.

Allowable Subject Matter
Claims 1-2, 4-12 and 15-23 are allowed in light of the Examiner’s amendments herein, the newly filed IDS and in light of the prior art made of record.

Reasons for Allowance
The following is an examiner’s statement for reasons for allowance:

As to independent claims 1, 15-17 and 23, the prior art including Joppe Bos et al., Post-quantum key exchange for the TLS protocol from the ring learning with errors problem”, International Association for Cryptologic Research, vol. 20161027, pp. 1-29 (October 27 2016) (hereafter Bos) and Bogdanov Andrej et al., On the Hardness of Learning with Rounding over Small Modulus, Network and Parallel Computing Lecture Notes in Computer Science, Springer International Publishing, pages 209-224, XP047415904, ISSN: 0302-9743 (December 19 2015) (herafter Andrej), alone or in combination, fails to anticipate or render obvious the claimed invention.  
Bos (prior art on the record) teaches a method for performing a R-LWE key exchange with Bob using a client computer and server.  The client computer of Alice obtains a shared polynomial R, the shared polynomial R being shared with Bob through the computer interface, with coefficient of the shared polynomial R being the modulus as Rq. A private key polynomial s’ is generated, the coefficients of which the private key being bounded in absolute value by Zq.  A public key polynomial b’ is generated by computing polynomial arithmetic to generate a polynomial product as b’ = as’ + e’.  Bob receives b’ from Alice as part of the key exchange.  Alice receives b (i.e. public key polynomial of Bob, second network node).  V (i.e. raw key polynomial) is computed as a polynomial product between b (i.e. received public key of Bob) and s’ (the private key polynomial of Alice) in the equation v = bs’ + e”, and compute kB (i.e. the shared key) from v (the raw key).  Alice receives c (i.e. reconciliation data) of Bob. Alice obtains )the key kB (i.e. shared key) and c from rec (2b’s,c) (i.e. obtaining the received reconciliation B are both obtained from v (i.e. the raw key polynomial) and sends c to Bob.  However, Bos does not teach compute a raw key polynomial as a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (p).
Andrej (prior art on the record) teaches reductions from the learning with errors problem (LWE) can be applied to the learning with rounding problem (LWR) where distinguishing LWR samples from random strings is of equivalent hardness to LWE who noise distribution is over a modulus that is reduced by dividing q by p.  A smaller integer modulus is generated by dividing q by p, or reducing Zq to Zp (i.e. scaling coefficients of a polynomial product down from q to an integer second modulus p that is smaller and bound by p), where p (i.e. scaled coefficient as second modulus) is equal to q (i.e. unscaled coefficient) multiplied by p, divided by q and rounded to an integer, where the integer from q/p is smaller than q.  Andrej does not teach sending the public key polynomial of the first network node to the second network node and receiving a public key polynomial (pkR; pk1) of the second network node and receiving reconciliation data (h) of the second network node, and computing a shared key by applying a reconciliation function (rec) to the received reconciliation data and multiple coefficients of the raw key polynomial.
None of the prior art of record cited above teaches all of the combination of non-obvious features of independent claims 1, 15-17 and 23 of the present invention: 
“a communication interface arranged for digital communication with a second network node second network node, and  a processor circuit configured to obtain a shared polynomial (a), the shared polynomial being shared with the second network ,” “generate a private key polynomial (sk1; skR), coefficients of the private key polynomial being bounded in absolute value by a bound (s)” “generate a public key polynomial (pk1; pkR) by computing a polynomial product between the shared polynomial (a) and the private key polynomial (sk1) modulo the first modulus (q) obtaining a polynomial product,” “scaling coefficients of the polynomial product down to a second modulus (p), a scaled coefficient being equal to the unscaled coefficient multiplied with the second modulus (p), divided by the first modulus (q) and rounded to the nearest integer, the second modulus (p) being smaller than the first modulus (q), the bound (s) being at most the second modulus (p),” “send the public key polynomial of the first network node to the second network node,” “receive a public key polynomial (pkR; pk1) of the second network node,” “compute a raw key polynomial as a polynomial product between the received public key of the second node and the private key polynomial of the first network node modulo the second modulus (p), and compute the shared key from the raw key, wherein the first network node is further configured to receive reconciliation data (h) of the second network node,” “compute a shared key by applying a reconciliation function (rec) to the received reconciliation data and multiple coefficients of the raw key polynomial, or wherein the first network node is further configured to obtain the shared key and reconciliation data from multiple coefficients of the raw key polynomial, send the reconciliation data to the second network node.”

None of the prior art of record or in the newly filed IDS, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.

Conclusion
Therefore, claims 1-2, 4-12 and 15-23 are hereby allowed in view of the Examiner’s amendments herein and the Examiner’s reasons for allowance disclosed herein.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should be preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
/SHARON S LYNCH/Primary Examiner, Art Unit 2438