DETAILED ACTION
This non-final office action is in response to claims 1-29 filed on 07/29/2019 for examination. Claims 1-29 are being examined and are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/29/2019 and 02/21/2020 are consider by examiner. 

Drawings
The drawings filed on 07/29/2019 have been accepted. 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:


Claim 8-10 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.  
Regarding claim 8, claim 8 recites generating at least one third secret share by the first system and one fourth by the second system. The specification does not disclose any details regarding either one third or one fourth by any system. The specification also does not disclose generating secret share proportionally or by certain ratio by each involved system. Therefore claim 8 is rejected with lack of written description. 
Regarding claim 9-10, claims are rejected for carrying the deficiencies of claim 8 as well.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claim 1, 3, 7, 14-16, 18, 22 and 29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Trevethan (US20200145231)
Regarding claim 1, 15 and 16, Trevethan teaches a method for securing digital signatures using multi-party computation (Trevethan: Para. 0001: The invention is particularly suited, but not limited to, allowing a threshold number of members of a group to generate a valid cryptographic signature on behalf of that group; Para. 0007: a dynamic multiparty threshold signature scheme allows control of a resource (e.g. a blockchain transaction output, UTXO) to be shared among a group of participants under a single public key but with each group member holding a private secret. A threshold subset of the participants are required to collectively sign in order to spend the output), comprising: generating at least one first secret share of a plurality of secret shares by a first system, wherein the plurality of secret shares includes the at least one first secret share and at least one second secret share, wherein each of the at least one second secret share is generated by one of at least one second system, wherein the at least one second system is not the first system (Trevethan: Fig. 3: P1, P2 and P3; Para. 0016: prior to forming the signing group, obtaining the secret share by based on secret share data received from a plurality of existing members of a group; Para. 0072: At operation 306, each enclave determines a secret share si….. The secret share is then determined as si=f(i) mod p which is the Pi point on the polynomial f(x) mod p (i.e., the point where x=i); signing data based on the at least one first secret share when a signing policy is met, wherein the signing occurs as part of an interactive signing process, wherein the interactive signing process includes running a multi-party computation protocol by the first system and the at least one second system (Trevethan: Para. 0005: Bitcoin's multisig feature provides such functionality. Multi-signature scripts may set a condition in which N public keys are recorded in a locking script and at least M private keys, each associated with a respective one of the N public keys, must provide signatures to release an encumbrance i.e. to unlock the UTXO; Para. 0112: a plurality of participants (i.e., members) in a group may signal to other participants that they wish to participate in a distributed signature generation to authorize a particular transaction, Tx. That is, nodes may signal an intention to participate in distributed signature generation for the transaction, Tx; Para. 0113: Once a threshold of participants have signalled an intention to participate, a signing group is formed by a node in cooperation with other nodes. In the illustrated example, the signing group includes three participants; Para. 0117: At operation 606, each node of the signing group determines a partial signature, vi, based on a private secret share; Para. 0119: At operation 606, each of the enclaves Ei (i=1, . . . , t+1) for the signing group securely broadcast their partial signature, vi, to the other enclaves for the signing group so that each node (and, more specifically, each enclave), receives partial signatures from the other nodes of the signing group; Para. 0120: At operation 608, each node of the signing group (and, more specifically, each enclave) may generate the second signature component, w, based on the partial signatures determined and received at operation 606; Para. 0121: At operation 608, each node of the signing group may send the ECDSA signature, including the first signature component and the second signature component, from its enclave to a host portion of the node); wherein each system uses each secret share generated by the system during the interactive signing process (Trevethan: Para. 0117: At operation 606, each node of the signing group determines a partial signature, vi, based on a private secret share; Para. 0072: At operation 306, each enclave determines a secret share si….. The secret share is then determined as si=f(i) mod p which is the Pi point on the polynomial f(x) mod p (i.e., the point where x=i),  wherein the signed data corresponds to a public key, wherein the public key is generated based on the plurality of secret shares (Trevethan: Para. 0076: Once secret shares are generated, a group public key (which is an elliptic curve public key) may be generated at operation 308. At operation 308, Lagrangian interpolation may be used to determine the group public key corresponding to the shared secret, a0. More particularly, the participants, Pi (where i=1, . . . , t+1,) of the group, U, each provision their enclaves Ei to compute a respective public key share based on a Lagrangian interpolation coefficient, an elliptic curve generator point and their secret share. That is, the public key share may be computed as bisi×G); wherein the signing policy at least requires a minimum number of secret shares of the plurality of secret shares (Trevethan: Para. 0110: The secret shares held by members of a group may be used to allow a valid ECDSA signature to be generated for a transaction. More particularly, at least a threshold number of secret shares may be used to allow group participants to generate a valid signature), wherein neither the at least one first secret share alone nor the at least one second secret share alone is sufficient to meet the signing policy (Trevethan: Para. 0062: The group 110 may operate according to a threshold signature scheme. More particularly, resources that are controlled (encumbered) by the group public key may be unlocked (i.e., the encumbrance may be removed) when at least a threshold number of nodes that are group members cooperate to generate a valid signature. The signature is valid under an elliptic curve digital signature algorithm (ECDSA). ECDSA is a cryptographic algorithm that is used in Bitcoin and other blockchain networks to ensure that resources can only be spent by their rightful owners and the threshold signature schemes described herein allow a valid ECDSA signature to be generated by a threshold number of nodes of a group; Para. 0007: a dynamic multiparty threshold signature scheme allows control of a resource (e.g. a blockchain transaction output, UTXO) to be shared among a group of participants under a single public key but with each group member holding a private secret. A threshold subset of the participants are required to collectively sign in order to spend the output); wherein no portion of the at least one first secret share is revealed to the at least one second system during the interactive signing process, wherein no portion of the at least one second secret share is revealed to the first system during the interactive signing process (Trevethan: Para. 0007: a digital signature scheme is described that allows a valid signature to be generated without requiring any of the participants who contribute to signature generation to reveal their respective private secrets; Para. 0063: these private secrets may be used to generate a valid signature for a transaction without a member node having to reveal their private secret to other member nodes
Regarding claim 3 and 18, Trevethan teaches wherein the public key is a first public key, further comprising: generating a second public key based on the plurality of shares, wherein the second public key is a predetermined function of the first public key (Trevethan: Para. 0076: Once secret shares are generated, a group public key (which is an elliptic curve public key) may be generated at operation 308. At operation 308, Lagrangian interpolation may be used to determine the group public key corresponding to the shared secret, a0. More particularly, the participants, Pi (where i=1, . . . , t+1,) of the group, U, each provision their enclaves Ei to compute a respective public key share based on a Lagrangian interpolation coefficient, an elliptic curve generator point and their secret share. That is, the public key share may be computed as bisi×G). 
Regarding claim 7 and 22, Trevethan teaches determining, by the first system, whether the signing policy is met based on the at least one first secret share and the at least one second secret share (Trevethan: Para. 0005: Blockchain protocols sometimes provide for multi-party signing features that require signatures from a number of nodes or parties before removing an encumbrance on an unspent output (UTXO). For example, Bitcoin's multisig feature provides such functionality. Multi-signature scripts may set a condition in which N public keys are recorded in a locking script and at least M private keys, each associated with a respective one of the N public keys, must provide signatures to release an encumbrance i.e. to unlock the UTXO). 
Regarding claim 14 and 29, Trevethan teaches wherein no portion of the at least one first secret share is revealed outside of the first system, wherein no portion of the at least one second secret share is revealed outside of the at least one second system (Trevethan: Para. 0007: a digital signature scheme is described that allows a valid signature to be generated without requiring any of the participants who contribute to signature generation to reveal their respective private secrets; Para. 0063: these private secrets may be used to generate a valid signature for a transaction without a member node having to reveal their private secret to other member nodes). 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner 
Claim 2 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Trevethan in view of Ruff et  al. (US20170277831, hereinafter Ruff) and Cheng et al. (US20180367316, hereinafter Cheng). 
Regarding claim 2 and 17, Trevethan teaches the method of claim 1. 
Yet, Trevethan does not teach  generating, by the first system, a master backup public key and a master backup private key, wherein an encrypting second system of the at least one second system encrypts at least one of the at least one second secret share using the master backup public key; and validating that the at least one encrypted share was encrypted by the encrypting second system using the master backup public key, wherein no portion of the at least one first secret share is revealed to the at least one second system during the validation, Page 24 of 35CURV P1225 wherein no portion of the at least one second secret share is revealed to the first system during the validation.
However, in the same field of endeavor, Ruff teaches generating, by the first system, a master backup public key and a master backup private key (Ruff: Para. 0009: A backup public/private encryption key pair may be generated for backup purposes). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by Trevethan to include generating, by the first system, a master backup public key and a master backup private key as disclosed by Ruff. One of ordinary skill in the art would have been motivated to make this modification in order to restore the compromised keys as suggested by Ruff (Ruff: Para. 0009). 
However, in the same field of endeavor, Cheng teaches wherein an encrypting second system of the at least one second system encrypts at least one of the at least one second secret share using the master backup public key (Cheng: Claim 18: wherein the encrypted second master key share is encrypted using the public key encryption key by the second HSM); and validating that the at least one A determination may be made at 614 whether the request for the encrypted second master private key share is authorized; Para. 0219: Any number (e.g., the specified number of master key shares to generate) of points (e.g., any four points) on this line may be selected to become the secret shares—each point by itself does not reveal any information about the original number S). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by Trevethan to include wherein an encrypting second system of the at least one second system encrypts at least one of the at least one second secret share using the master backup public key; and validating that the at least one encrypted share was encrypted by the encrypting second system using the master backup public key, wherein no portion of the at least one first secret share is revealed to the at least one second system during the validation, Page 24 of 35CURV P1225 wherein no portion of the at least one second secret share is revealed to the first system during the validation as disclosed by Cheng. One of ordinary skill in the art would have been motivated to make this modification in order to protect private keys as suggested by Cheng (Cheng: Para. 0070). 
Claim 4-6 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Trevethan in view of Spitz (US20060190734).
Regarding claim 4 and 19, Trevethan teaches the method of claim 1. 
Yet, Trevethan does not teach wherein the signing policy further requires at least one additional requirement.
However, in the same field of endeavor, Spitz teaches wherein the signing policy further requires at least one additional requirement (Spitz: Para. 0034: a signing policy database 100 a which stores information indicating the types and attributes of documents each authorized user is allowed to have signed. At least one signature requestor 102 a-102 n is authorized by signing system 100 to have specific documents signed by signing system 100. Each requester 102 a-102 n may submit a request to have any document they like signed. However, signing system 100 will only sign those documents that the requester is authorized to have signed). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by Trevethan to include wherein the signing policy further requires at least one additional requirement as disclosed by Spitz. One of ordinary skill in the art would have been motivated to make this modification in order to provide signature based on signing policy as suggested by Spitz (Spitz: Para. 0040). 
Regarding claim 5 and 20, combination of Trevethan and Spitz teaches the method of claim 4. 
In addition, Spitz teaches wherein the at least one additional requirement includes at least one of: approval by at least one entity, and at least one authentication (Spitz: Para. 0034: a signing policy database 100 a which stores information indicating the types and attributes of documents each authorized user is allowed to have signed. At least one signature requestor 102 a-102 n is authorized by signing system 100 to have specific documents signed by signing system 100. Each requester 102 a-102 n may submit a request to have any document they like signed. However, signing system 100 will only sign those documents that the requester is authorized to have signed). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by the combination to include wherein the at least one additional requirement includes at least one of: approval by at least one entity, and at least one authentication as disclosed by Spitz. One of ordinary skill in the art would have been motivated to make this modification in order to provide signature based on signing policy as suggested by Spitz (Spitz: Para. 0040).
Regarding claim 6 and 21, combination of Trevethan and Spitz teaches the method of claim 4. In addition, Trevethan further teaches wherein the data to be signed is transaction data for a blockchain transaction (Trevethan: Para. 0007: a dynamic multiparty threshold signature scheme allows control of a resource (e.g. a blockchain transaction output, UTXO) to be shared among a group of participants under a single public key but with each group member holding a private secret. A threshold subset of the participants are required to collectively sign in order to spend the output). 
In addition, Spitz teaches wherein the at least one additional requirement is determined based on at least one of: an amount of the transaction, a destination of the transaction, a type of the transaction, a transaction history of a user participating in the transaction, and a time of day (Spitz: Para. 0034: a signing policy database 100 a which stores information indicating the types and attributes of documents each authorized user is allowed to have signed. At least one signature requestor 102 a-102 n is authorized by signing system 100 to have specific documents signed by signing system 100. Each requester 102 a-102 n may submit a request to have any document they like signed. However, signing system 100 will only sign those documents that the requester is authorized to have signed). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by the combination to include wherein the at least one additional requirement is determined based on at least one of: an amount of the transaction, a destination of the transaction, a type of the transaction, a transaction history of a user participating in the transaction, and a time of day as disclosed by Spitz. One of ordinary skill in the art would have been motivated to make this modification in order to provide signature based on signing policy as suggested by Spitz (Spitz: Para. 0040).
Claim 11-13 and 26-28 are rejected under 35 U.S.C. 103 as being unpatentable over Trevethan in view of Cheng et al. (US20180367316, hereinafter Cheng). 
Regarding claim 11 and 26, Trevethan teaches the method of claim 1. 

However, in the same field of endeavor, Cheng teaches wherein the interactive signing process includes a plurality of rounds, wherein the plurality of rounds consists of at least one first round and a second round, wherein the at least one of the plurality of shares is stored offline during the at least one first round of the interactive signing process (Cheng: Para. 0084: In FIG. 2B, a deployment diagram for cold storages of funds is shown. A cold wallet is using an offline (e.g., PCI-e) HSM hosting a SFTS component, a first cold wallet master private key share, and a RSA private key used for decrypting a second cold wallet master private key share retrieved from a portable HSM. The portable (e.g., USB-connected) HSM hosts the second cold wallet master private key share and the RSA public key matching the RSA private key stored in the offline (e.g., PCI-e) HSM. The portable HSM uses an authentication entry device (e.g., a PED) to enforce MofN security policy for exporting the second cold wallet master private key share; Para. 0091: FIG. 4B shows an exemplary dual HSM use case for the SFTSP. For example, this use case may be utilized for a cold wallet (e.g., corresponding to the cold wallet shown in FIG. 2B).  In FIG. 4B, a client application 410 (e.g., utilized by a user via a client device) may send a transaction signing request to a TSS 420; Para. 0092: The TSS may forward the transaction signing request to a first HSM 430…The first HSM's tamper-proof storage (e.g., the first HSM's firmware) may store a private key decryption key (e.g., an RSA private key) 434, a SFTS module 436, and a first master private key share (e.g., an ECDSA private key share) 438; Para. 0093: The first HSM may send a get master request to a second HSM 440. For example, the second HSM may be a portable USB HSM. The second HSM's tamper-proof storage (e.g., the second HSM's firmware) may store a second master private key share (e.g., an ECDSA private key share) 444). 

Regarding claim 12 and 27, Trevethan teaches the method of claim 1. 
Yet, Trevethan does not teach wherein at least one of the first system and the at least one second system is offline during at least one round of the interactive signing process.
However, in the same field of endeavor, Cheng teaches wherein at least one of the first system and the at least one second system is offline during at least one round of the interactive signing process (Cheng: Para. 0084: In FIG. 2B, a deployment diagram for cold storages of funds is shown. A cold wallet is using an offline (e.g., PCI-e) HSM hosting a SFTS component, a first cold wallet master private key share, and a RSA private key used for decrypting a second cold wallet master private key share retrieved from a portable HSM. The portable (e.g., USB-connected) HSM hosts the second cold wallet master private key share and the RSA public key matching the RSA private key stored in the offline (e.g., PCI-e) HSM. The portable HSM uses an authentication entry device (e.g., a PED) to enforce MofN security policy for exporting the second cold wallet master private key share). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by Trevethan to include wherein at least one of the first system and the at least one second system is offline during at least one round of the interactive signing process as disclosed by Cheng. One of ordinary skill in the art would have been 
Regarding claim 13 and 28, Trevethan teaches the method of claim 1. 
Yet, Trevethan does not teach wherein at least one of the plurality of shares is offline during at least one round of the interactive signing process.
However, in the same field of endeavor, Cheng teaches wherein at least one of the plurality of shares is offline during at least one round of the interactive signing process (Cheng: Para. 0084: In FIG. 2B, a deployment diagram for cold storages of funds is shown. A cold wallet is using an offline (e.g., PCI-e) HSM hosting a SFTS component, a first cold wallet master private key share, and a RSA private key used for decrypting a second cold wallet master private key share retrieved from a portable HSM. The portable (e.g., USB-connected) HSM hosts the second cold wallet master private key share and the RSA public key matching the RSA private key stored in the offline (e.g., PCI-e) HSM. The portable HSM uses an authentication entry device (e.g., a PED) to enforce MofN security policy for exporting the second cold wallet master private key share). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by Trevethan to include wherein at least one of the plurality of shares is offline during at least one round of the interactive signing process as disclosed by Cheng. One of ordinary skill in the art would have been motivated to make this modification in order to protect fund using offline cold wallet as suggested by Cheng (Cheng: Para. 0082, 0083).

Allowable Subject Matter
Claim 8-10 are objected to as being dependent upon a rejected base claim 1, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 
Regarding claim 8, none of the prior art of record, taken by itself or in any combination, would have anticipated or made obvious the following claim limitation/subject matter at or before the time it was filed: generating, by the first system, at least one third secret share of a second set of secret shares, wherein the second set of secret shares corresponds to the public key, wherein the second set of shares includes the at least one third secret share and at least one fourth secret share, wherein the at least one fourth secret share is generated by the at least one second system.
Claim 9-10 are dependent claim of claim 8, therefore are objected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Fletcher et al. US20200074450: threshold signature, each member of group generates it’s won secret shares without reveal others, blockchain
Camenisch et al. US20170104588: each server generate it’s own secret shares
Jing et al. US20040103276: signature with multiparty and secret shares
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
 can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/L.C./Examiner, Art Unit 2438                                                                                                                                                                                                                                                                                                                                                                                                          /Shawnchoy Rahman/ Primary Examiner, Art Unit 2438