DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 06/28/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
3.	The drawings submitted on 06/28/2019 have been accepted by the examiner.  

EXAMINER’S AMENDMENT
4.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephonic interview with applicant’s attorney Charles Phillips (Reg. No. 59,393) on 06/15/2021. 
Claims 1-5, 7-8 and 10 have been amended as follows: 
In the Claims:
1. A method for searching and updating encrypted data comprising: 

generating, with the trusted client, a second encrypted search query for a second keyword that is different than the first keyword and a second encrypted file update request for a second encrypted file that is different than the first encrypted file; 
transmitting, with the trusted client, the first encrypted search query and the first encrypted file update request to a first untrusted server; 
transmitting, with the trusted client, the second encrypted search query and the second encrypted file update request to a second untrusted server, the second untrusted server being different than the first untrusted server; 
receiving, with the trusted client, a first encrypted search entry corresponding to the first encrypted search query and a first encrypted file entry corresponding to the first encrypted file update request from the first untrusted server; 
receiving, with the trusted client, a second encrypted search entry corresponding to the second encrypted search query and a second encrypted file entry corresponding to the second encrypted file update request from the second untrusted server; 
decrypting, with the trusted client, the first encrypted search entry and the first encrypted file entry using a plurality of cryptographic keys associated with the first untrusted server to generate a first decrypted search entry and a first decrypted file entry; 
decrypting, with the trusted client, the second encrypted search entry and the second encrypted file entry using a plurality of cryptographic keys associated with the second untrusted server to generate a second decrypted search entry and a second decrypted file entry; 
generating, with the trusted client, a first re-encrypted search entry corresponding to the first keyword based on the first decrypted search entry and a first re-encrypted file entry corresponding a first file identifier based on the first decrypted file entry using the plurality of cryptographic keys associated with the second untrusted server; 
generating, with the trusted client, a second re-encrypted search entry corresponding to the second keyword based on the second decrypted search entry and a second re-encrypted file entry corresponding to a second file identifier based on the second decrypted file entry using the plurality of cryptographic keys associated with the first untrusted server; 
transmitting, with the trusted client, the second re-encrypted search entry and the second re-encrypted file entry to the first untrusted server to update a first encrypted search index stored in the first untrusted server; and 
transmitting, with the trusted client, the first re-encrypted search entry and the first re-encrypted file entry to the second untrusted server to update a second encrypted search index stored in the second untrusted server. 2. The method of claim 1 further comprising: 
generating, with the trusted client, a third encrypted search query for a third keyword that is different than the first keyword and the second keyword and a third encrypted file update request for a third encrypted file that is different than the first encrypted file and the second encrypted file; 
generating, with the trusted client, a fourth encrypted search query for a fourth keyword that is different than the first keyword, the second keyword, and the third keyword and a fourth encrypted file update request for a fourth encrypted file that is different than the first encrypted file, the second encrypted file, and the third encrypted file; 
transmitting, with the trusted client, the third encrypted search query and the third encrypted file update request to the first untrusted server with the first encrypted search query and the first encrypted file update request; 

receiving, with the trusted client, a third encrypted search entry corresponding to the third encrypted search query and a third encrypted file entry corresponding to the third encrypted file update request from the first untrusted server; 
receiving, with the trusted client, a fourth encrypted search entry corresponding to the fourth encrypted search query and a fourth encrypted file entry corresponding to the fourth encrypted file update request from the second untrusted server; 
decrypting, with the trusted client, the third encrypted search entry and the third encrypted file entry using the plurality of cryptographic keys associated with the first untrusted server to generate a third decrypted search entry and a third decrypted file entry; 
decrypting, with the trusted client, the fourth encrypted search entry and the fourth encrypted file entry using the plurality of cryptographic keys associated with the second untrusted server to generate a fourth decrypted search entry and a fourth decrypted file entry; 
generating, with the trusted client, a third re-encrypted search entry corresponding to the third keyword based on the third decrypted search entry and a third re-encrypted file entry corresponding to a third file identifier based on the third decrypted file entry using the plurality of cryptographic keys associated with the second untrusted server; 
generating, with the trusted client, a fourth re-encrypted search entry corresponding to the fourth keyword based on the fourth decrypted search entry and a fourth re-encrypted file entry corresponding to a fourth file identifier based on the fourth decrypted file entry using the plurality of cryptographic keys associated with the first untrusted server; 

transmitting, with the trusted client, the fourth re-encrypted search entry and the fourth re-encrypted file entry to the first untrusted server with the second re-encrypted search entry and the second re-encrypted file entry to update the first encrypted search index stored in the first untrusted server. 3. The method of claim 1 further comprising: 
updating, with the trusted client, a counter stored in an index in a memory of the trusted client; 
generating, with the trusted client, a first updated encryption key corresponding to the first keyword based on a symmetric key associated with the second untrusted server, a hash of the first keyword, and the counter; 
generating, with the trusted client, a second updated encryption key corresponding to the second keyword based on a symmetric key associated with the first untrusted server, a hash of the second keyword, and an updated second keyword counter; 
generating, with the trusted client, the first re-encrypted search entry corresponding to the first keyword based on the first decrypted search entry using the first updated encryption key; and 
generating, with the trusted client, the second re-encrypted search entry corresponding to the second keyword based on the second decrypted search entry using the second updated encryption key. 

generating, with the trusted client, the first re-encrypted file entry corresponding to the first keyword based on the first decrypted file entry and a first updated file counter using the plurality of cryptographic keys associated with the second untrusted server, the plurality of cryptographic keys associated with the second untrusted server including the first updated encryption key; and 
generating, with the trusted client, the second re-encrypted file entry corresponding to the second keyword based on the second decrypted file entry and a second updated file counter using the plurality of cryptographic keys associated with the first untrusted server, the plurality of cryptographic keys associated with the first untrusted server including the second updated encryption key. 5. The method of claim 1 further comprising: 
generating, with the trusted client, the first encrypted search query including a first row identifier of a first row in the first encrypted search index stored in the first untrusted server corresponding to the first keyword based on an index stored in a memory of the trusted client; 
generating, with the trusted client, the second encrypted search query including a second row identifier of a second row in the encrypted search index stored in the second untrusted server corresponding to the second keyword based on the index stored in the memory of the trusted client; 
generating, with the trusted client, the first encrypted file update request including a first column identifier of a first column in the first encrypted search index stored in the first untrusted server corresponding to the first file identifier based on the index stored in the memory of the trusted client; and 
generating, with the trusted client, the second encrypted file update request including a second column identifier of a second column in the second encrypted search index stored in the 
modifying, with the trusted client, a first decrypted file entry to add or remove at least one keyword from the first decrypted file entry corresponding to a modification of file that corresponds to the first file identifier prior to generating the first re-encrypted file entry. 8. The method of claim 1 further comprising: 
identifying, with the trusted client, an identifier of an encrypted file that contains the first keyword based on a first decrypted response; 
transmitting, with the trusted client, a request for the encrypted file to a third untrusted server; 
receiving, with the trusted client, the encrypted file from the third untrusted server; and 
decrypting, with a third cryptographic key stored in a memory of the trusted client, the encrypted file. 10. A trusted client computing device configured to search and update encrypted data comprising: 
a memory configured to store an index; 
a network interface device configured to transmit data to and receive data from a first untrusted server and a second untrusted server; and 
a processor operatively connected to the memory and the network interface, the processor being configured to: 

generate a second encrypted search query for a second keyword based on an entry in the index stored in the memory corresponding to the second keyword, the second keyword being different than the first keyword, and a second encrypted file update request for a second encrypted file based on an entry in the index stored in the memory corresponding to the second encrypted file, the second encrypted file being different than the first encrypted file; 
transmit the first encrypted search query and the first encrypted file update request to the first untrusted server; 
transmit the second encrypted search query and the second encrypted file update request to the second untrusted server, the second untrusted server being different than the first untrusted server; 
receive a first encrypted search entry corresponding to the first encrypted search query and a first encrypted file entry corresponding to the first encrypted file update request from the first untrusted server; 
receive a second encrypted search entry corresponding to the second encrypted search query and a second encrypted file entry corresponding to the second encrypted file update request from the second untrusted server; 
decrypt the first encrypted search entry and the first encrypted file entry using a plurality of cryptographic keys associated with the first untrusted server to generate a first decrypted search entry and a first decrypted file entry; 

generate a first re-encrypted search entry corresponding to the first keyword based on the first decrypted search entry and a first re-encrypted file entry corresponding to a first file identifier based on the first decrypted file entry using the plurality of cryptographic keys associated with the second untrusted server; 
generate a second re-encrypted search entry corresponding to the second keyword based on the second decrypted search entry and a second re-encrypted file entry corresponding to a second file identifier based on the second decrypted file entry using the plurality of cryptographic keys associated with the first untrusted server; 
transmit the second re-encrypted search entry and the second re-encrypted file entry to the first untrusted server to update a first encrypted search index stored in the first untrusted server; and 
transmit the first re-encrypted search entry and the first re-encrypted file entry to the second untrusted server to update a second encrypted search index stored in the second untrusted server.

Reasons for Allowance
5.	The following is an examiner’s statement of reasons for allowance: 
A prior art of record Kamara et al. (US 2013/0046974 A1), directed towards a dynamic Symmetric Searchable Encryption (SSE) scheme (Kamara: [Abstract]), an index is received that identifies, for each file in a file collection, which keywords in a dictionary are included in a respective file (Kamara: ¶ [0057]), the index is encrypted to generate an encrypted index. The unencrypted index may have, for instance, a structure that is similar to the tree structure…, the 
encrypted file c that is desirably added to a file collection, a plurality of vectors that can be indicative of which keywords in a dictionary are included in the file ( and not included in the file). The delete token can include data that identifies a position in an encrypted index that points to an encrypted file c that corresponds to a file that is desirably deleted from a file collection (Kamara: ¶ [0059]), and an
encrypted index and a collection of encrypted files are dynamically updated at a remote repository based at least in part upon the add token or the delete token (Kamara: ¶ [0060]). 
Another prior art of record, Lei et al. (US 2009/0300351 A1), discloses a method, apparatus and system for fast searchable encryption (Lei: [Abstract]), the keyword unit 101 sets association between each file and one or more keywords contained in or related to the file…, the association of the file and keywords may be set in advance by the data owner and stored as a table in storage means in the data owner terminal, or received from remote location (Lei: ¶ [0056]), encryption/decryption setting unit 102 sets file encryption and decryption keys for each file. The file encryption key is used to encrypt the corresponding file and the file decryption key is used to decrypt the corresponding
encrypted file (Lei: ¶ [0057]), after the file encryption and decryption keys for each file are set, the file encryption unit 103 encrypts each file with a corresponding file encryption key (Lei: ¶ [0064]), and the index forming unit 106 forms an encrypted inverted index composed of one or more Keyword Item Sets (KISes) based on the keywords of the files (Lei: ¶ [0065]). 
Finally, prior art of record, Olumofin (US 2014/0344944 A1), discloses system and methods to provide updates of an oblivious database that is based on an original database without compromising privacy guarantees, and without requiring a periodic downtime to re-initialize the database (Olumofin: [Abstract]), because the data is obtained from the oblivious database 18, the server 10 (or other server that performs the search) does not know what content was actually 1 20 and A2 22, out of the l available random servers. In step 52, the servers A1 20 and A2 22 establish a cryptographically secure pseudorandom function (PRF)…, and a synchronized timestamp (Olumofin: ¶ [0015]), and server A₁ 20 creates a vector z of length n and initializes each of its elements to the current timestamp, computes a temporary dataset u…, and sends u to server D 10. .., server A₂ 22 similarly creates a vector z and initializes each of its elements to the current timestamp…, computes a temporary dataset v…, and sends  v  to  server  D 10.  In  step  64, server  D 10  computes the initial oblivious database (Olumofin: ¶ [0016]).
However, the prior art of record does not explicitly disclose all the limitations recite in independent claims and the combination of the features recited thereon. With respect to independent claims 1 and 10, the prior art of record does not disclose at least the following limitations in the recited context(s):
decrypting, with the trusted client, the first encrypted search entry and the first encrypted file entry using a plurality of cryptographic keys associated with the first untrusted server to generate a first decrypted search entry and a first decrypted file entry; 
decrypting, with the trusted client, the second encrypted search entry and the second encrypted file entry using a plurality of cryptographic keys associated with the second untrusted server to generate a second decrypted search entry and a second decrypted file entry; 
generating, with the trusted client, a first re-encrypted search entry corresponding to the first keyword based on the first decrypted search entry and a first re-encrypted file entry corresponding to a first file identifier based on the first decrypted file entry using the plurality of cryptographic keys associated with the second untrusted server; and
generating, with the trusted client, a second re-encrypted search entry corresponding to the second keyword based on the second decrypted search entry and a second re-encrypted file entry corresponding to a second file identifier based on the second decrypted file entry using the plurality of cryptographic keys associated with the first untrusted server.
Therefore, Kamara, Lei and Olumofin individually and/or in combination fail to disclose all the limitations recited in the independent claims and the combination of features recited thereon. 

6.    	 Based on the search conducted, examiner’s amendment and the reasons described above, the prior art of record does not disclose, with respect to independent claims 1 and 10, the features corresponding to those of claims 1 and 10 in the respective context(s). Therefore, the independent claims 1 and 10 are allowed.

7. 	Dependent claims 2-9 are allowed in view of their respective dependence from claim 1. 

8.	Claims 1-10 are allowed.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507.  The examiner can normally be reached on MON-FRI 8AM-4:30PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W. KIM can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMEERA WICKRAMASURIYA/
Examiner, Art Unit 2494
                                                                                                                                                                                                  
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        6-16-2021