Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Claims 1, 3, 10 and 15-16  have been amended.
No claims are cancelled.
No new claims are added.
Claims 1 and 3-21 are pending.

Response to Arguments
 		Applicant’s Remarks filed on 2/9/2021 have been considered.
With respect to the 112(a) rejection, this rejection has only been maintained for claim 3 because the amended claim still recites “void of cryptographic processing” which does not appear to have support in the specification.
With respect to the argument that there is no teaching of a secret being used in an authentication of a chip by an external agent, Examiner respectfully disagrees and points Applicant to the rejection below which cites that a: device can demonstrate its authenticity using techniques disclosed in this patent through its ability to supply a valid validator and/or decrypt a message [Kocher, para.0116]; and the ability to supply a validator relies on using the shared secret as described Kocher: after computing H1, the encrypting device using the shared base secret cryptographic value KROOT and H1 (103) as input to a leak resistant, key-tree-based key derivation process [Kocher, para.0048]. 
With respect to the recited feature “external agent”, Examiner notes that this argument has been presented previously and a response may be found in previous office actions. In short, Kocher teaches that authentication occurs between two parties and therefore one party is different than the other party and therefore the parties are external to each other.
With respect to the argument that hashing and permutation are different operations, Examiner agrees that hashing and permutation are not the same, however the office action relies on AES-based hash functions in Kocher, and since AES includes permutations, AES-based hash functions teach permutations.
With respect to arguments regarding sequential processing being inherent in Kocher and that Kocher cannot be modified to execute in parallel, Examiner disagrees and notes that this argument has been addressed in a detailed manner in previous office actions, therefore Applicant is directed to the previous office actions for a response.
With respect to claims 8, 14, 19, Applicant is still arguing the Hart reference, however Examiner noted in the previous office action that the rejection relies on the reference Silverbrook to teach the features recited in these claims.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claim 3 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. This claim recites “hardware permutation circuit…….void of cryptographic processing” however the written description does not appear to support such recitation. For the purpose of examination, a “permutation circuit” in the cited reference(s) is interpreted to read on this recitation.

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claim 3 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. The last feature in claim 3 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 6, 9 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kocher et al (US Pub. No.2016/0026826) in view of Duplys et al (US Pub.No. 2015/0270973).

 Re Claim 1, Kocher discloses a method, comprising: receiving a challenge of an authentication (i.e. The exemplary decryption process begins at step 400 with obtaining (e.g., over an untrusted digital interface) the putative result of the encryption (namely, the message identifier (e.g., nonce N), the validator V, and the encrypted result E comprising segments E1, . . . , EN)) [Kocher, para.0064, see also 0014], (i.e. device can demonstrate its authenticity using techniques disclosed in this patent through its ability to ) [Kocher, para.0116], in a chip having stored in a memory device therein a secret that is used in an authentication attempt of said chip (i.e. The encrypting device and decrypting device are set up so that each has access to a base shared secret cryptographic state value, such as a secret key denoted as KROOT. This secret state may, for example, be stored in one or more of EEPROM, flash, fuses, or other storage on a tamper-resistant chip) [Kocher, para.0034] by an external agent (i.e. exemplary embodiments are described involving two parties) [Kocher, para.0029], said chip comprising a hardware processing circuit that sequentially performs a processing related to said secret (i.e. uses a secret key to compute V (106), which is a validator of the message identifier and ciphertext segment(s) Ei.  Validator V is computed using the hash of at least one ciphertext segment (e.g., the hash H2=h(E1)) and an initial secret. Computation of V may be performed using the leak resistant, key-tree-based key derivation process described in FIG. 2, with the starting key KSTART being KMESSAGE and the path being determined using H2 (106).  Thus, the derivation of V includes computing a plurality of successive intermediate values leading to V, where each depends on at least one predecessor) [Kocher, para.0058], (i.e. At step 403, the device attempts to compute the message key, KMESSAGE, using the leak resistant, key-tree-based key derivation process described in FIG. 2) [Kocher, para.0064, The SoC has a cryptographic hardware component (705) with an AES engine for data encryption and decryption, a hash function engine, such as, without limitation, a SHA-1 or SHA-256 or a AES based hash function engine, and an implementation of the leak resistant, key-tree-based key derivation process based on FIG. 2) [Kocher, para.0096]; using said received challenge to derive a permutation (i.e. At step 401, the device next computes the value H1 by hashing the received nonce N) [Kocher, para.0064, computes hash of the received nonce N included in the challenge using H1=h(N) which, based on 0040, is a hash function that may use a number of algorithms that include permutations, for example AES, therefore H1 has been interpreted as the derived permutation]; retrieving said secret from said memory device; processing said secret in said hardware processing circuit using said derived permutation; and transmitting a result of said processing in said hardware processing circuit as a response to said challenge (i.e. The exemplary decryption process begins at step 400 with obtaining (e.g., over an untrusted digital interface) the putative result of the encryption ……………At step 403, the device attempts to compute the message key, KMESSAGE, using the leak resistant, key-tree-based key derivation process described in FIG. 2, with KSTART=KROOT and PATH=H1. ……………… If the counter has not yet reached L, then in step 412, the counter i is incremented and the register K is updated to the decryption key for the next segment by computing K=g(K), and the process is repeated from step 408 onwards. If ) [Kocher, para.0064-65, Fig.4], wherein said hardware processing circuit comprises a hardware permutation circuit (i.e. The SoC has a cryptographic hardware component (705) with an AES engine for data encryption and decryption, a hash function engine, such as, without limitation, a SHA-1 or SHA-256 or a AES based hash function engine, and an implementation of the leak resistant, key-tree-based key derivation process based on FIG. 2) [Kocher, para.0096, AES includes permutations therefore AES based hash function engine discloses a hardware permutation circuit],
Kocher does not explicitly disclose whereas Kocher in view of Duplys does that the hardware permutation circuit is a circuit: that executes in a parallel manner, thereby reducing a signal that can be detected by an adversary attempting a side channel attack to secure said secret (i.e. The operation of functional unit 130 in parallel, at least at times, to the operation of cryptographic unit 120 makes differential power analysis (DPA) attacks on device 100 more difficult, because in addition to the actual cryptographic function 110 of interest, which is carried out in cryptographic unit 120, the deterministic function is also carried out in functional unit 130, so that electromagnetic ) [Duplys, para.0038].  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Kocher with Duplys because In this way, a precise analysis of cryptographic unit 120 is made more difficult [Duplys, para.0038].

Re Claim 9, in a similar manner as in the rejection of claim 1 above, Kocher in view of Duplys discloses a method, comprising: receiving a challenge for an authentication, in a chip having stored in a memory device therein a secret is used in an authentication attempt of said device by an external agent, said device comprising a hardware hashing circuit and a hardware permutation circuit that performs processings on said received challenge and said secret; hashing said received challenge in said hardware hashing circuit a plurality number of times; deriving a permutation from a result of said hashing; retrieving said secret from said memory device; processing said secret in said hardware permutation circuit using said derived permutation in said hardware permutation circuit executing in a parallel manner; and transmitting a result of said processing as a response to said challenge.  
 	
Re Claim 5. Kocher in view of Duplys discloses the method of claim 1, Kocher further discloses: further comprising performing a plurality of hashing operations on said received challenge to derive a permutation of said secret being implemented as an input into said permutation circuit [Kocher, Fig.4, steps 401 and 402 are two AES based hash operations h(N) and h(E1) on the received challenge which comprises N and E1]. 

Re Claim 6. Kocher in view of Duplys discloses the features of claims 1 and 5, Kocher further discloses: wherein the hashing operations are implemented in a hardware Secure Hash Algorithm 2 (SHA-2) circuit (i.e. The SoC has a cryptographic hardware component (705) with an AES engine for data encryption and decryption, a hash function engine, such as, without limitation, a SHA-1 or SHA-256 or a AES based hash function engine, and an implementation of the leak resistant, key-tree-based key derivation process based on FIG. 2) [Kocher, para.0096]. 

Re Claim 12, Kocher in view of Duplys discloses the features of claim 9, Kocher further discloses: wherein the hashing operations are implemented in a hardware Secure Hash Algorithm 2 (SHA-2) circuit (i.e. The SoC has a cryptographic hardware component (705) with an AES engine for data encryption and decryption, a hash function engine, such as, without limitation, a SHA-1 or SHA-256 or a AES based hash function ) [Kocher, para.0096]. 

Claims 3, 4, 10, 11 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Kocher in view of Duplys as applied to claims 1 and 9 and further in view of Roy et al (US Pub. No.2010/0287374).

Re Claims 3 and 10. Kocher in view of Duplys discloses the features of claims 1 and 9, Kocher in view of Duplys does not explicitly disclose whereas Roy does: wherein the hardware processing circuit sequentially performs the processing related to said secret and said received challenge (i.e. Computation of V may be performed using the leak resistant, key-tree-based key derivation process described in FIG. 2, with the starting key KSTART being KMESSAGE and the path being determined using H2 (106).  Thus, the derivation of V includes computing a plurality of successive intermediate values leading to V, where each depends on at least one predecessor) [Kocher, para.0058], wherein the processing includes permuting said secret using the hardware permutation circuit [comprising a Benes network or a butterfly network] which is part of said hardware processing circuit and void of cryptographic processing (i.e. The SoC has a cryptographic hardware component (705) with an AES engine for data encryption and decryption, a hash function engine, such as, without limitation, a SHA-1 or SHA-256 or a AES based hash function engine, key-AES function or their variants) [Kocher, para.0096, AES discloses permutation],
Kocher in view of Duplys further discloses: and wherein said hardware permutation circuit executes in a parallel manner, to reduce the signal that can be detected by the adversary attempting a side channel attack to secure said secret. (i.e. The operation of functional unit 130 in parallel, at least at times, to the operation of cryptographic unit 120 makes differential power analysis (DPA) attacks on device 100 more difficult, because in addition to the actual cryptographic function 110 of interest, which is carried out in cryptographic unit 120, the deterministic function is also carried out in functional unit 130, so that electromagnetic radiation, energy signatures (electrical power consumption or energy consumption), and other features of device 100 that can be evaluated in the context of a DPA attack are always put together from components of both units 120, 130, or originate from both these units) [Duplys, para.0038], 
The same motivation to modify Kocher with Duplys, as in claim 1, applies.

Kocher in view of Duplys does not explicitly teach that the hardware permutation circuit comprises a Benes network or a butterfly network however Roy does: (i.e. FIG. 5 illustrates that the computation is pipelined so that one ) [Roy, para.0079] or a Benes Network (i.e. Bit permutations can be implemented using Benes networks where key length is n log 2n bits. An example of an 8-bit Benes network is shown in FIG. 5. Efficient implementations of Benes networks produce arbitrary permutations in one cycle of a high-performance microprocessor) [Roy, para.0052]. 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Kocher in view of Duplys with Roy because the preferred reversible transformations are bit permutations. They have efficient circuit implementations [Roy, para.0056].
Kocher further discloses the feature in claim 3: and wherein the permutation comprises re-ordering the secret in a set in accordance with a permutation code supplied by the challenge (i.e. a message identifier H1 is formed using nonce N. In the most straightforward implementation, in which N serves as the message identifier, H1 may simply equal N …………… the encrypting device could compute H1 as the hash of N using the function h()……….. After computing H1, the encrypting device computes a message key, KMESSAGE, using the shared base secret cryptographic value KROOT and H1 (103) as input to a leak resistant, key-tree-based key derivation process) [Kocher, para.0047-the nonce N is the received challenge and H1=N or H1=h(N) therefore H1 is interpreted as permutation code supplied by the challenge N. The KMESSAGE derivation process takes as input the secret KROOT and H1 and processes these inputs using permutations, for example AES-based operations, therefore this teaches permutation of the secret is in accordance with a permutation code supplied by the challenge N].

Re Claims 4 and 11. Kocher in view of Duplys of Roy discloses the features of claims 1 and 9, Roy further discloses: wherein said permutation circuit comprises a butterfly network (i.e. FIG. 5 illustrates that the computation is pipelined so that one permutation completes per cycle. A butterfly network 400 is applied on the first cycle and an inverse butterfly network is applied on the second cycle 402) [Roy, para.0079] or a Benes Network (i.e. Bit permutations can be implemented using Benes networks where key length is n log 2n bits. An example of an 8-bit Benes network is shown in FIG. 5. Efficient implementations of Benes networks produce arbitrary permutations in one cycle of a high-performance microprocessor) [Roy, para.0052]. 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Kocher in view of Duplys with Roy because the preferred reversible transformations are bit permutations. They have efficient circuit implementations [Roy, para.0056].

Re Claim 21, Kocher in view of Duplys discloses the features of claim 1, Kocher in view of Duplys does not explicitly disclose whereas Kocher in view of Duplys and Roy does: comprising converting each bit of the secret into a predetermined plurality of bits as the secret is retrieved from memory (i.e. The countermeasure for attack (i), brute-force key testing, is to increase the key length) [Roy, para.0076] and presented for said parallel permutation processing [as in claim 1]. 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Kocher in view of Duplys with Roy because so as to make the attack infeasible for modern circuits [Roy, para.0076].

Claims 7, 13, 15, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kocher in view of Duplys as applied to claims 1 and 9 and further in view of Hart et al (US Pub. No.2013/0061303).

Re Claims 7 and 13. Kocher in view of Duplys discloses the features of claims 1 and 9, Kocher in view of Duplys does not explicitly disclose whereas Hart does: wherein said device receives a power for operation by intercepting radio frequency waves emanating from an external device sufficiently close in proximity to charge up a transitory internal power system (i.e. The reader 100 preferably also includes a field generator circuit (not shown) to provide power to the RFID device 106 using radio field inductive technology or ) [Hart, para.0033-0034]. 
 	Kocher further discloses the feature in claim 20: as embedded in an entity that represents a monetary value (i.e. cryptographically secured credit and debit cards) [Kocher, para.0137].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Kocher in view of Duplys with Hart because it allows contactless operation  where a device may communicate with a reader without physical contact between the device and the associated reader [Hart, para.0029].

Re Claim 15. In a similar manner as in the rejection of claim 1 above, Kocher in view of Duplys discloses a chip, comprising: a non-volatile memory device storing a secret; Kocher further discloses: a receive/transmit (R/T) unit operating in a radio frequency (RF) wavelength (i.e. Data exchanges described herein may be accomplished in a wide range of possible manners. For example, and without limitation, conventional buses/interfaces (such as I2C, JTAG, PCI, serial I/O (including USB), PCI Express, wireless protocols (such as 802.11 family, Bluetooth, cellular telephony protocols, ISO14443, etc.)) [Kocher, para.0123]; 
 	Kocher in view of Duplys does not explicitly diclose whereas Hart does: a power supply unit that converts RF energy received from said R/T unit into a direct current (DC) and stores said converted DC as a power source for operation of circuits in said chip (i.e. The reader 100 preferably also includes a field generator circuit (not shown) to provide power to the RFID device 106 using radio field inductive technology or other short-range communication technology capable of communicating via electromagnetic field induction…………..proximity cards are generally passive devices obtaining a power supply from the rectified electromagnetic fields received at the on-board antenna. The received electromagnetic waves act like AC signals that, after rectification, can be regulated to power electronic equipment) [Hart, para.0033-0034]; 
 	In a similar manner as in the rejection of claims 1, 5 and 9 above Kocher in view of Duplys and Hart discloses: a hardware hash circuit; a hardware permutation circuit that executes in a parallel manner; and a control unit, wherein said control unit, upon receiving a sufficient voltage from said power source, operates a method to: receive a challenge for an authentication, by an external agent, via said R/T unit; hash said received challenge in said hardware hash circuit a plurality number of times; derive a permutation from a result of said hashing; retrieve said secret from said memory device; 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Kocher in view of Duplys with Hart because it allows contactless operation  where a device may communicate with a reader without physical contact between the device and the associated reader [Hart, para.0029].

	Re Claim 18. Kocher in view of Duplys and Hart discloses the features of claim 15, Kocher further discloses the features of claim 18 in a similar manner as presented in the rejection of claim 6 above.

 	Re Claim 20. Kocher in view of Duplys and Hart discloses the features of claim 15, Hart further discloses the features of claim 20 in a similar manner as presented in the rejection of claim 7 above.

Claims 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kocher in view of Duplys and Hart as applied to claim 15 and further in view of Roy et al (US Pub. No.2010/0287374).

	Re Claim 16. Kocher in view of Duplys and Hart discloses the features of claim 15, Kocher in view of Duplys, Hart and Roy further discloses the features of claim 16 in a manner similar to the rejection of claim 3.

	Re Claim 17. Kocher in view of Duplys and Hart discloses the features of claim 15, Kocher in view of Duplys and Hart does not explicitly disclose whereas Roy teaches the features of claim 17 in a manner similar to the rejection of claim 4.

Claim 8, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kocher in view of Duplys and Hart as applied to claims 7, 13 and 15 and further in view of Silverbrook et al (US Pub. No.2007/0234068).
	Re Claims 8, 14 and 19. Kocher in view of Duplys and Hart discloses the features of claims 7, 13, and 15, Kocher in view of Duplys and Hart does not explicitly disclose whereas Silverbrook does: wherein said device further comprises a time delay mechanism that precludes repeating said method within a predetermined time interval (i.e. There are two mechanisms for preventing an attacker from generating multiple calls to TST and RD functions in a short period of time.  The first is a clock limiting hardware component that prevents the internal clock from operating at a speed more than a particular maximum (e.g. 10 MHz).  The second mechanism is the 32-bit MinTicks register, which is used to specify the minimum number of clock ticks that must elapse between calls to key-based functions) [Silverbrook, para.0438]. 
in order to prevent the capture and replay of any secret values within a given time period [Silverbrook, para.0116].

Conclusion
 Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434