Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action responds to the application filed on February 10, 2020.
Claims 2-15 and 18-20 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Jeffrey C. Aldridge, registration number 51,390, on June 23, 2021.  During the telephone conference, Mr. Aldridge agreed to and authorized the examiner’s further amendment of Claims 2-15 and 18-20 of the application filed on February 10, 2020.

Claims
Claims 2-15 and 18-20 of the application filed on February 10, 2020 are replaced with the following:

Claim 1:	(Cancelled).

Claim 2:
The method of claim [[1]]6, wherein the second user electronic device is the first user electronic device.

Claim 3:
The method of claim [[1]]6, wherein the enrollment biometric template is not accessible to the network node.

Claim 4:
The method of claim [[1]]6, wherein the authentication biometric sample is not accessible to the network node.

Claim 5:
The method of claim 4, wherein the enrollment biometric template is not accessible to the network node.

Claim 6:
[[The]] A method for authenticating a user of at least a first user electronic device and a second user electronic device using a network node, the method comprising:
	receiving, at the network node, from the first user electronic device, at a first moment in time, communication protocol information comprising:
		a restricted enrollment input corresponding to an unrestricted enrollment input that has been restricted by an enrollment biometric template indicative of user enrollment biometrics captured at an enrollment moment in time that is prior to the first moment in time;
		an unrestricted authentication input; and
		a transformed matching function that is operative to output a success key in response to successfully evaluating the transformed matching function using two inputs;
	receiving, at the network node, from the second user electronic device, at a second moment in time after the first moment in time, a restricted authentication input corresponding to the unrestricted authentication input that has been restricted by an authentication biometric sample indicative of user authentication biometrics captured at an authentication moment in time that is after the first moment in time but that is prior to the second moment in time;
	after the receiving the restricted authentication input, evaluating, at the network node, the transformed matching function using the restricted enrollment input and the restricted authentication input; and
	when the evaluating is successful, using, at the network node, the success key output by the transformed matching function to enable a secure operation
		the communication protocol information further comprises doubly encrypted seed data comprising seed information that has been encrypted with an inner key and then encrypted with the success key; and
		the using the success key comprises:
			decrypting, at the network node, using the success key output by 
			after the decrypting, sending, from the network node, to a remote entity, the singly encrypted seed data for further enabling the secure operation.

Claim 7:
The method of claim 6, wherein the remote entity is the first user electronic device.

Claim 8:
The method of claim 6, wherein the remote entity is the second user electronic device.

Claim 9:
The method of claim 6, wherein the communication protocol information further comprises encrypted inner key data comprising the inner key that has been encrypted with a public encryption key of the first user electronic device.

Claim 10:
The method of claim 9, wherein:
	the second user electronic device is the first user electronic device;
	the unrestricted authentication input of the communication protocol information is 

Claim 11:
The method of claim 6, wherein the seed information comprises at least a portion of a secret seed generated by the first user electronic device.

Claim 12:
The method of claim 11, wherein the secret seed is not stored on the first user electronic device at the second moment in time.

Claim 13:
The method of claim 6, wherein:
	the communication protocol information further comprises doubly encrypted enrollment biometric template data comprising enrollment biometric template information that has been encrypted with the inner key and then encrypted with the success key; and
	the using the success key further comprises:
		decrypting, at the network node, using the success key output by the transformed matching function, the doubly encrypted enrollment biometric template data 

Claim 14:
The method of claim 6, wherein the remote entity is configured to use the seed information to authenticate a challenge from a third party subsystem.

Claim 15:
A method for authenticating a user of a user electronic device using a network node, the method comprising:
	obtaining, at the user electronic device, a seed;
	generating, at the user electronic device, an enrollment biometric template indicative of user enrollment biometric identifier information;
	identifying, at the user electronic device, a transformed matching function that is operative to output a success key in response to successfully evaluating the transformed matching function using a first input and a second input;
	generating, at the user electronic device, a restricted enrollment input by restricting the first input using the enrollment biometric template;
	generating, at the user electronic device, an inner key;
	encrypting, at the user electronic device, with the success key, seed information that comprises at least a portion of the seed encrypted with the inner key;;
	after the sending, receiving, at the user electronic device, from the network node, the seed information;
	recovering, at the user electronic device, the seed using the received seed information; and
	using, at the electronic device, the recovered seed to enable a secure operation.

Claim 16:	(Cancelled).

Claim 17:	(Cancelled).

Claim 18:
The method of claim 15, further comprising:
	after the sending, generating, at the user electronic device, an authentication biometric sample indicative of user authentication biometric identifier information;
	generating, at the user electronic device, a restricted authentication input by restricting the second input using the authentication biometric sample; and
	transmitting, from the user electronic device, to the network node, the restricted authentication input.

Claim 19:
The method of claim 15, further comprising:
	encrypting, at the user electronic device, with the success key, enrollment biometric template information that comprises at least a portion of the enrollment biometric template; and
	after both of the encrypting the enrollment biometric template information and the generating the restricted enrollment input, deleting the enrollment biometric template from the user electronic device, wherein the enrollment data further comprises the encrypted enrollment biometric template information.

Claim 20:
A non-transitory computer-readable storage medium storing at least one program, the at least one program comprising instructions, which, when executed by at least one processor of an electronic subsystem, cause the at least one processor to:
	receive, from a user electronic device, a restricted enrollment input corresponding to an unrestricted enrollment input that has been restricted by an enrollment biometric template indicative of user enrollment biometrics captured at an enrollment moment in time;
	receive, from the user electronic device, a restricted authentication input corresponding to an unrestricted authentication input that has been restricted by an authentication biometric sample indicative of user authentication biometrics captured at an authentication moment in time after the enrollment moment in time;
	receive, from the user electronic device, a transformed matching function that is 
	receive, from the user electronic device, doubly encrypted seed data comprising seed information that has been encrypted with an inner key and then encrypted with the success key;
	evaluate the received transformed matching function using the received restricted enrollment input and the received restricted authentication input; and
	when the evaluation is successful, use the success key output by the transformed matching function to enable a secure operation, wherein the use of the success key comprises:
		decrypting, using the success key output by the transformed matching function, the doubly encrypted seed data to reveal singly encrypted seed data comprising the seed information that has been encrypted with the inner key; and
		after the decrypting, sending, to a remote entity, the singly encrypted seed data for further enabling the secure operation.

Allowable Subject Matter
Claims 2-15 and 18-20 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Independent claim 6 is allowable based on the claims presented in the application filed on February 10, 2020 and the examiner’s amendment dated January 20, 2016.
Specifically, independent claim 6 now recites the following limitations:

“A method for authenticating a user of at least a first user electronic device and a second user electronic device using a network node, the method comprising:
	receiving, at the network node, from the first user electronic device, at a first moment in time, communication protocol information comprising:
		a restricted enrollment input corresponding to an unrestricted enrollment input that has been restricted by an enrollment biometric template indicative of user enrollment biometrics captured at an enrollment moment in time that is prior to the first moment in time;
		an unrestricted authentication input; and
		a transformed matching function that is operative to output a success key in response to successfully evaluating the transformed matching function using two inputs;
	receiving, at the network node, from the second user electronic device, at a second moment in time after the first moment in time, a restricted authentication input corresponding to the unrestricted authentication input that has been restricted by an authentication biometric sample indicative of user authentication biometrics captured at an authentication moment in time that is after the first moment in time but that is prior to the second moment in time;

The reference by Mather et al. (US PGPUB. # US 2016/0373440) discloses that an enrollment request is usable to enroll the user computing device in a network and includes an encrypted partial initial biometric vector associated with a user. An authentication request that is subsequently received, that includes an encrypted partial second biometric vector and that is associated with a user of the user computing device, is processed. A comparison of the encrypted partial initial biometric vector and (Abstract). Mather further discloses that a token request (RESTful) is transmitted from a client device 104 (1) and is received from the BOPS server 102 and verified (2). A DNS entry for the BOPS Server's 102 hostname can be configured to have a key in the key store (3), and a request is formatted (4A) and m Token Responses are transmitted to the client device 104 via 2-way SSL/TLS (4B). Thereafter, a c Token (e.g., 5-tuple and a TimeStamp) is transmitted from the client device 104 (5), which is verified, including as a function of a m TimeStamp in the request (6, 7). Thereafter, the missing 5-tuplet is determined (8) vis-a-vis a Trust Store and a request is formatted (9) and a SHA512 Token is transmitted to the client device 104 (10). (¶59). A register request that includes the SHA512 Token is transmitted from the client device 104 (11) and received for verification by the BOPS server 102 (12), and the client signing request is processed to unlock the certification (13), including to calculate a one-time password and check a Token count vis-a-vis a Key Store (14) and to push a client certificate password out to an external notification service (15). In addition, the verification step in 12 branches to steps associated with analytics, and includes determining device information (16), profile information (17) and biometrics (as shown and described herein) (18). (¶60). During an example biometric authentication (¶65). 
Facial recognition is performed by calculating the Euclidean distance between template vectors, where the face cannot be reverse-engineered from the vector. When two face images are matched, for example, using a neural network, each face is first converted to a float vector of size 128 bytes. The representation of this float vector is arbitrary and cannot be reverse-engineered back into the original face. To compare the faces, the Euclidean distance of the two vectors is calculated. Two faces from the same person should have similar vectors, and faces of different people should be further apart in Euclidean space. A verification vector can be calculated on the mobile device, and transmitted to a remote server for (¶102). Fingerprint recognition is performed by calculating the Euclidean distance between template vectors, where the fingerprints cannot be reverse-engineered from the vector. Similarly, as described above, a neural network can be applied for fingerprint matching. In such a case, the fingerprint can be converted to a vector on the device and the vector would be transmitted, thereby eliminating a way to reconstruct the original fingerprint image from the network output vector. (¶103). A user operating client computing device 104 proceeds with biometric Enrollment (1), and captures an initial biometric vector (IBV) (2). At step (3), the IBV is encrypted and split, and 2/2 of the IBV is stored locally on or with the client computing device 104 (4), and an Enrollment request that includes 1/2 of the IBV is transmitted to the BOPS server 102 via a transport layer (via 2-way SSL/TLS) (5). The 1/2 IBV is stored by the BOPS server 102, such as in BOPS big data (6), and a confirmation of Enrollment is transmitted from the BOPS server 102 back to the client computing device 104 (7). Continuing with reference to FIG. 12, following Enrollment, biometric authentication occurs at the client computing device 104 (8), and a current biometric vector is captured (9). 
Thereafter, an authentication request is sent via the transport layer (10), which is received by the BOPS server 102, combined with the 2/2 IBV and used for decryption (11). Thereafter, the CBV is compared with the  of the sheets and the server device 102 contains or accesses the other. The verification process combines the two sheets using a simple Boolean operation which results in the original biometric vector fully reconstructed. (Fig. 12, Fig. 13, ¶130-¶132). With regard to detecting a match, one or more modules in an example BOPS implementation employ multiple initial biometric vectors. There are then two RESTful web services calls that communicate via SSL/TLS, one for each biometric. One call can include halves of IBVs, in addition to a current biometric in an authentication session, and return a floating point value that represents the strength of the match. Another call can offer one IBV (half) at a time and the current biometric, and return a floating point value representing the strength of the match. For the second call, there (¶137).
The reference by Calapodescu et al. (US PGPUB. # US 2016/0119119) discloses a method for data matching that includes providing a first set of encrypted data elements, each of the encrypted data elements in the first set having been formed by converting a respective one of a first set of data elements to a set of vectors and encrypting each vector with a public key of a homomorphic encryption scheme. Each data element in the first set includes a sequence of characters drawn from an alphabet. A second set of encrypted data elements is received, each of the encrypted data elements in the second set having been formed by converting a respective one of a second set of data elements to a set of vectors and encrypting each vector with the public key. Each data element in the second set includes a sequence of characters drawn from the alphabet. For each of a plurality of pairs of encrypted data elements, each pair comprising an encrypted data element from the first set and an encrypted data element from the second set, the method includes computing a comparison measure between the encrypted vectors of the encrypted data element in the second set and the encrypted vectors of the encrypted data element in the first set. For each encrypted data element in the first set, an obfuscated vector is generated which renders the first encrypted data element indecipherable when the comparison measure does not meet a threshold for at least one of the pairs of encrypted data elements comprising that (¶17). The matching component 74 of the server computes a comparison measure between pairs of the elements, one from the server and one from the client, e.g., a distance (or similarity) between the encrypted vectors for one of the server's elements and the encrypted vectors for one of the client's elements (S124). In one embodiment, the comparison measure is the Hamming distance. 
The Hamming distance between two vectors of equal length is the number of positions at which the corresponding symbols are different. In this step, the server computes the $nm$ Hamming distance vectors $\Delta_H(X_i, Y_j)$, but does so in encrypted form, i.e., as $[\Delta_H(X_i, Y_j)]_K$. First the server computes an encrypted similarity vector $[H_i^j]_K$ (corresponding to the inverse Hamming distance), which identifies similar elements: $\forall i \in [1 \ldots m],\ \forall j \in [1 \ldots n],\ [H_i^j]_K = \left[\sum_{\delta=1}^{D} r_i^{\delta}\, r'^{\delta}_{j}\right]_K$ (2). At S132, the client decrypts the n (Fig. 2, ¶83-¶85, ¶93).
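The similarity sum in equation (2) of the Calapodescu summary above is easy to see in the clear. The following added example (not the reference's own implementation) assumes each character position of a fixed-length string is one-hot encoded over a constructed alphabet, so that the dot product of two encoded vectors counts the agreeing positions and the Hamming distance is the string length minus that count. It also mimics the threshold decision: a server element with no client element within the threshold is marked unmatched (the reference would obfuscate such an element). The homomorphic encryption step of the reference is deliberately not reproduced.

```python
# Added example: equation (2) evaluated in the clear on one-hot encoded strings.
# ALPHABET is constructed for this example; the real scheme's alphabet and encoding
# are not stated in the summary above, so one-hot-per-position is an assumption.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789 "


def one_hot(word: str, length: int):
    """Encode a string as a D = length * |ALPHABET| vector with one 1 per position.
    Shorter strings are padded with spaces (which are in the alphabet)."""
    if len(word) > length:
        raise ValueError("string longer than the fixed encoding length")
    vec = [0] * (length * len(ALPHABET))
    for pos, ch in enumerate(word.ljust(length)):
        vec[pos * len(ALPHABET) + ALPHABET.index(ch)] = 1
    return vec


def similarity(r, r_prime) -> int:
    """H_i^j = sum_{delta=1}^{D} r_i^delta * r'_j^delta, i.e. the number of positions
    where both one-hot vectors carry a 1 (the same character at the same position)."""
    return sum(a * b for a, b in zip(r, r_prime))


def hamming_distance(x: str, y: str, length: int) -> int:
    """Delta_H(X, Y) = length - H, the inverse relation used by the reference."""
    return length - similarity(one_hot(x, length), one_hot(y, length))


def match(server_elems, client_elems, length: int, threshold: int):
    """For every server element i, the list of client elements j with Delta_H <= threshold,
    or None when no pair meets the threshold (the element the reference would obfuscate).
    This computes all n*m pairs, as the reference does for its encrypted vectors."""
    result = {}
    for i, x in enumerate(server_elems):
        hits = [j for j, y in enumerate(client_elems)
                if hamming_distance(x, y, length) <= threshold]
        result[i] = hits or None
    return result


if __name__ == "__main__":
    # Constructed sample data: a near-duplicate pair and an unrelated pair.
    print(match(["smith", "jones"], ["smyth", "brown"], length=6, threshold=1))
```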
Rolf Lindemann (US PGPUB. # US 2018/0191501) discloses a method comprising: generating and storing a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authorization (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator; generating and storing an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator; generating and storing a symmetric wrapping key (WK), the wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator; generating a join-block using an authenticator identification code for the first authenticator and the WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator; verifying the join-block at the second authenticator and generating a join response block responsive to user approval, the join response block generated by encrypting the WK and Group-ID using the (Abstract).
Derakhshani et al. (US PGPUB. # US 2015/0186721) discloses that techniques for securing biometric templates and generating secret keys are provided. One or more images are received. Interest points are identified based on the received images, and a plurality of obfuscating data points are generated based on the interest points. An obfuscated template based on the interest points and the obfuscating data points is created and stored. A secret key can be encoded using a subset of at least one of the obfuscating data points and the interest points in the template.
However, each of the cited references, as well as the references from the updated search, at least fails to teach or suggest the limitations regarding “…the communication protocol information further comprises doubly encrypted seed data comprising seed information that has been encrypted with an inner key and then encrypted with the success key; and the using the success key comprises: decrypting, at the network node, using the success key output by the transformed matching function, the doubly encrypted seed data to reveal singly encrypted seed data comprising the seed information that has been encrypted with the inner key; and after the decrypting, sending, from the network node, to a remote entity, the singly encrypted seed data for further enabling the secure operation.”, in 


None of the previously cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with the previously cited references, result in a reasonable and proper rejection of each of the cited feature limitations of independent claim 6 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claim 15 is also a method claim corresponding to method claim 1 above, and claim 20 is a non-transitory computer-readable storage medium claim corresponding to method claim 6 above; therefore, they are also allowed.
Claims 2-5 and 7-14 depend on allowed claim 6 and are therefore also allowed.
Claims 18-19 depend on allowed claim 15 and are therefore also allowed.
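The feature the reasons for allowance single out for claim 6 (and that claims 15 and 20 restate from the device and storage-medium side) is a two-layer key release: the network node evaluates a transformed matching function on two biometric-restricted inputs, obtains a success key only on a successful match, removes the outer layer of the doubly encrypted seed data, and forwards the still-encrypted seed to a remote entity that holds the inner key, so the node never handles the seed, the template or the sample. The following added example models that flow end to end; it is not the applicant's implementation, and everything in it is a constructed assumption: biometrics are 96-bit strings; "restricting" an input means XOR-ing a random repetition-code codeword with the biometric (a fuzzy-commitment style lock), so the node observes only template XOR sample; the transformed matching function is represented by a hash check value plus the fixed decode-and-hash rule in `node_evaluate()`; the unrestricted authentication input reaches the second device sealed under a key the two user devices share (`device_key`), which the node only forwards; and encryption is a toy SHA-256 keystream with an HMAC tag (stdlib only, for illustration rather than production use).

```python
# Added example (not the applicant's code): two-layer biometric key release.
import hashlib
import hmac
import secrets
from typing import Optional

BITS, REP = 96, 3            # toy biometric length; repetition code corrects 1 flip per 3-bit group
KEY_BITS = BITS // REP       # 32 key bits are embedded in each 96-bit codeword


def h(label: bytes, data: bytes) -> bytes:
    return hashlib.sha256(label + b"|" + data).digest()


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def rand_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


def to_bytes(bits) -> bytes:
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def to_bits(data: bytes, n: int):
    return [(int.from_bytes(data, "big") >> (n - 1 - i)) & 1 for i in range(n)]


def encode(key_bits):        # repetition code: each key bit written REP times (a linear code)
    return [b for b in key_bits for _ in range(REP)]


def decode(code_bits):       # majority vote per group
    return [int(2 * sum(code_bits[i:i + REP]) > REP) for i in range(0, len(code_bits), REP)]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(h(b"ks", key + nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]


def enc(key: bytes, pt: bytes) -> bytes:    # toy authenticated encryption: nonce || ct || HMAC tag
    nonce = secrets.token_bytes(16)
    ct = bytes(x ^ y for x, y in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def dec(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(x ^ y for x, y in zip(ct, keystream(key, nonce, len(ct))))


def enroll(template, device_key: bytes):
    """First user device, first moment in time: builds the communication protocol information."""
    k_e, k_a = rand_bits(KEY_BITS), rand_bits(KEY_BITS)   # unrestricted enrollment / authentication inputs
    lock = xor(encode(k_e), template)                      # restricted enrollment input; template stays on the device
    kb = to_bytes(xor(k_e, k_a))                           # what a successful evaluation reconstructs at the node
    success_key = h(b"success", kb)
    inner_key, seed = secrets.token_bytes(32), secrets.token_bytes(32)
    info = {
        "lock": lock,
        "sealed_u": enc(device_key, to_bytes(k_a)),        # unrestricted authentication input, unreadable by the node
        "check": h(b"check", kb),                          # verifier value of the transformed matching function
        "doubly": enc(success_key, enc(inner_key, seed)),  # seed under the inner key, then under the success key
    }
    return info, {"inner_key": inner_key}, seed            # device keeps only the inner key, not the seed


def restrict_auth(info, sample, device_key: bytes):
    """Second user device, authentication moment: restricts the unsealed input by the fresh sample."""
    k_a = to_bits(dec(device_key, info["sealed_u"]), KEY_BITS)
    return xor(encode(k_a), sample)                        # restricted authentication input


def node_evaluate(info, restricted_auth) -> Optional[bytes]:
    """Network node: evaluates the matching function; sees neither biometric nor the seed."""
    mixed = xor(info["lock"], restricted_auth)             # = codeword(k_e XOR k_a) XOR (template XOR sample)
    kb = to_bytes(decode(mixed))
    if not hmac.compare_digest(h(b"check", kb), info["check"]):
        return None                                        # biometrics too far apart: no key is released
    return dec(h(b"success", kb), info["doubly"])          # singly encrypted seed data for the remote entity


def remote_recover(device_state, singly: bytes) -> Optional[bytes]:
    """Remote entity (here the first device): removes the inner layer and recovers the seed."""
    return dec(device_state["inner_key"], singly)


def simulate(impostor: bool = False, noise: int = 8) -> bool:
    """One enrollment plus one authentication; True iff the remote entity recovers the seed."""
    device_key = secrets.token_bytes(32)                   # assumed shared by the two user devices
    template = rand_bits(BITS)
    sample = [1 - b for b in template] if impostor else template[:]
    if not impostor:
        for g in range(noise):                             # sensor noise: one flipped bit in each of `noise` groups
            sample[g * REP] ^= 1
    info, dev_state, seed = enroll(template, device_key)
    singly = node_evaluate(info, restrict_auth(info, sample, device_key))
    return singly is not None and remote_recover(dev_state, singly) == seed


if __name__ == "__main__":
    print("genuine user, noisy sample:", simulate())       # True
    print("impostor sample:", simulate(impostor=True))     # False
```

Two points are worth checking against the claim language when reading the model. First, the node's only inputs are the lock, the sealed unrestricted input it cannot open, the restricted authentication input, the check value and the doubly encrypted seed; the value it can reconstruct is `k_e XOR k_a`, from which neither the template nor the sample follows, only their difference pattern. Second, what the node forwards after a successful evaluation is still a ciphertext under the inner key, so a node that is compromised after the fact holds the success key but not the seed.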
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw, can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.