DETAILED ACTION

Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
2. This action is in response to the amendments filed on 5/31/2020. Claims 1, 2, 6, 8, and 10 have been amended with new claims 11-17 added. Claims 1-9 and 11-17 are currently pending and have been considered below.

Examiner’s Amendment
3. An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given via electronic correspondence on 07/21/2021 in response to a telephonic interview with Pehr Jansson on 07/21/2021.

Please amend claims 1-9 and 11-17
(Currently Amended) A method for securing a white box cryptographic function computation on a cryptographic device such that a cryptography key K, used to 
receiving a first message ({𝐶}𝑃𝐾𝐻𝐸or m
receiving a message ({𝐾}𝐸𝐾𝐻𝐸) K) encrypted using a first homomorphic encryption key (𝐸𝐾𝐻𝐸) using a homomorphic encryption scheme, the homomorphic encryption key (𝐸𝐾𝐻𝐸) having a corresponding homomorphic decryption key (DKHE);
performing a cryptographic operation {𝐾}𝐸𝐾𝐻𝐸{𝑀}𝐸𝐾𝐻𝐸{𝑆}𝐸𝐾𝐻𝐸EKHE);
associating each step j of each computation block i of the cryptographic operation with a verification value (eaij, aij) and verification sum (A,EA) wherein one of the verification sum (EA) is an encryption of the sum of the verification values (aij) or the verification sum (A) is the sum of plaintext values (aij) corresponding to the verification values (eaij);
using homomorphic encryption, encrypting one of the verification value and the verification sum and not encrypting the other of the verification value and the verification sum; and
for each step j of each round i of the cryptographic function assigning a tracer value (tij,etij) with the verification value corresponding to that step i,j;
at the conclusion of the cryptographic function, calculating a tracer sum (eT, T) of all the tracer values;
performing one of the calculation of sum of tracer values (T) or the sum of verification values (A) on encrypted values (et, ea) and performing the other of the calculation of the sum of tracer values or the sum of verification values on plaintext values (t, a); and
comparing the calculated tracer sum (T, ET) with the expected verification sum (A,EA).

(Currently Amended) The method for securing a white box cryptographic function a cryptographic device such that a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 
encrypting the homomorphic decryption key (DKHE) with an alternate homomorphic encryption key (EK’HE) corresponding to an alternate homomorphic decryption key (DK’HE) thereby producing an encrypted cryptography key ({𝐷𝐾𝐻𝐸 }𝐸𝐾′𝐻𝐸that is used to perform a key- exchange operation for a message encrypted using the homomorphic decryption key (DKHE) into a message encrypted using the alternate decryption key (DK’HE);
provisioning the cryptographic device with the alternate decryption key (DK’HE)
performing a key-exchange operation to cause the cryptographic function output to be encrypted using the alternate homomorphic encryption key (EK’HE) corresponding to the alternate homomorphic decryption key (DK’HE) by decrypting the cryptographic function output ({𝑀}𝐸𝐾𝐻𝐸) thereby producing a key-exchanged cryptographic function output ({𝑀}𝐸𝐾′𝐻𝐸
{𝑆}𝐸𝐾′𝐻𝐸
decrypting the key-exchanged cryptographic function output using the alternate decryption key (DKey’HE) thereby producing a cryptography output message corresponding to the first message wherein the cryptography output message has a value equivalent of the cryptography operation performed on the first message using the cryptography key (K) without using the cryptography key (K) in plaintext on the cryptographic device.

(Currently Amended) The method for securing a white box cryptographic function computation on a cryptographic device such that a cryptographic key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 2, further comprising:
determining a first random sequence (ri
setting each tracer value to the corresponding verification value encrypted using a key that includes random number values from the first random sequence 
computing a summation random value (R
encrypting the verification sum (eA’) with a key that includes the summation random value

(Currently Amended) The method for securing a white box block cipher computation on a cryptographic device such that a cryptographic key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 3 further comprising:
computing a summation (eA) of the encrypted verification values encrypted using the key that includes random number values from the first random sequence
verifying the tracer computation based on a comparison of the summation of the encrypted verification values and the encrypted verification sum and the tracer sum.

(Currently Amended) The method for securing a white box block cipher computation on a K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 1, further comprising:
determining r) based on a seed (R) such that an element of the pseudorandom sequence is associated with an element of the verification values;
provisioning aij), wherein a verification value (aij) is associated with each step (j) of each computation block (i) of a cryptographic function, and an encrypted verification sum (EA) computed aij) using a tracer key (EKTracer) and the corresponding random value from the pseudorandom sequence, and adding the encrypted verification values into an encrypted verification sum (EA);
wherein the step of performing a cryptographic operation (513”’) further comprises:
determining a tracer value (Ti) indicative of computation of all steps of each computation block;
ri) corresponding to the random values (rij); and
encrypting ETi) using the tracerkey (EKTracer) and the summation random value (ri); and
comparing a summation of the tracer values (ET) with the encrypted verification sum (EA) and taking a corrective action of the summation of the tracer values is not equal to the encrypted verification sum.

(Currently Amended) The method for securing a white box block cipher computation on a cryptographic device such that a cryptographic key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 2, wherein the first message is formatted according to a predetermined secret format and wherein the decrypting of the key-exchanged block cipher output step further comprising verifying that the message corresponds to the predetermined secret format before performing decryption step thereby preventing encrypted keys from being decrypted.

(Currently Amended) The method for securing a white box block cipher computation on a cryptographic device such that a cryptographic key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 2,
wherein the first message ({𝐶}𝐸𝐾𝐻𝐸
and the cryptographic operation {𝑀}𝐾𝐻𝐸M encrypted using the first homomorphic public key (EKHE), wherein the key-exchange operation causes the cryptographic function output ({𝑀}𝐸𝐾𝐻𝐸) to be encrypted using a second homomorphic key (EK’HE) thereby producing a key-exchanged cryptographic function output ({𝑀}𝐸𝐾′𝐻𝐸)M) encrypted using the second homomorphic key; and
wherein decrypting the key-exchanged cryptographic function output message produces the message M that is a plaintext message that has a value equivalent K) without using the cryptography key in plaintext on the cryptographic device.

(Currently Amended) The method for securing a white box block cipher computation on a cryptographic device such that a cryptographic key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 2,
wherein the first message (m{𝑆}𝐸𝐾𝐻𝐸) S encrypted using the first homomorphic public key (EKHE), wherein the key-exchange operation causes the cryptographic function output ({𝑆}𝐸𝐾𝐻𝐸) to be encrypted using a second homomorphic key (EK’HE) thereby producing a key-exchanged cryptographic function output ({𝑆}𝐸𝐾′𝐻𝐸) 
wherein decrypting the key-exchanged cryptographic function output message produces the message M that is a cryptographically signed output message that has a value equivalent of a cryptographic signature operation performed on the first message using the cryptography key (K) without using the cryptography key (K) in plaintext on the cryptographic device.

(Previously Presented) A cryptographic device having a secured white box cryptographic function computation whereby a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form, the cryptographic device operable to:
receive a first message ({𝐶}𝑃𝐾𝐻𝐸m
receive a message ({𝐾}𝐸𝐾𝐻𝐸) K) encrypted using the first homomorphic encryption key (𝐸𝐾𝐻𝐸) using a homomorphic encryption scheme;
perform a cryptographic operation {𝐾}𝐸𝐾𝐻𝐸{𝑀}𝐸𝐾𝐻𝐸{𝑆}𝐸𝐾𝐻𝐸EKHE);
associate each step j of each computation block i of the cryptographic operation with a verification value (eaij, aij) and verification sum (A,EA) wherein one of the verification sum (EA) is an encryption of the sum of the verification values (aij) or the verification sum (A) is the sum of plaintext values (aij) corresponding to the verification values (eaij);
use homomorphic encryption, to encrypt one of the verification value and the verification sum and not encrypting the other of the verification value and the verification sum; and
for each step j of each round i of the cryptographic function, assign a tracer value (tij,etij) with the verification value corresponding to that step i,j;
at the conclusion of the cryptographic function, calculate a tracer sum (eT, T) of all the tracer values;
perform one of the calculation of sum of tracer values (T) or the sum of verification values (A) on encrypted values (et, ea) and performing the other of the calculation of the sum of tracer values or the sum of verification values on plaintext values (t, a); and
compare the calculated tracer sum (T, ET) with the expected verification sum (A,EA).

(Cancel)

(Currently Amended) The cryptographic device having a secured white box cryptographic function computation whereby a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 9, the cryptographic device further comprising:
an alternate decryption key ( DK’HE) 
homomorphic encryption key (EK’HE);

the cryptographic device further operable to:
receive an encrypted cryptography key ({𝐷𝐾𝐻𝐸}𝐸𝐾′𝐻𝐸that is used to perform a 
homomorphic decryption key (DKHE) into a message encrypted using the alternate decryption key (DK’HE), the encrypted cryptography key ({𝐷𝐾𝐻𝐸 }𝐸𝐾′𝐻𝐸being an encryption of the homomorphic decryption key (DKHE) using the alternate encryption key (EK’HE);
perform a key-exchange operation to cause the cryptographic function output to be encrypted using the alternate homomorphic encryption key (EK’HE) corresponding to the alternate homomorphic decryption key (DK’HE) by decrypting the cryptographic function output ({𝑀}𝐸𝐾𝐻𝐸) thereby producing a key-exchanged cryptographic function output ({𝑀}𝐸𝐾′𝐻𝐸
{𝑆}𝐸𝐾′𝐻𝐸
decrypt the key-exchanged cryptographic function output using the alternate decryption key (DKey’HE) thereby producing a cryptography output message corresponding to the first message wherein the cryptography output message has a value equivalent of the cryptography operation performed on the first message using the cryptography key (K) without using the cryptography key (K) in plaintext on the cryptographic device.

(Currently Amended) The cryptographic device having a secured white box cryptographic function computation whereby a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 11, further operable to:
determine a first random sequence (ri
set each tracer value to the corresponding verification value encrypted using a key that includes random number values from the first random sequence 
compute a summation random value (R
encrypt the verification sum (eA’) with a key that includes the summation random value

(Currently Amended) The cryptographic device having a secured white box K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 12, the cryptographic device further operable to:
compute a summation (eA) of the encrypted verification values encrypted using the key that includes random number values from the first random sequence 
verify the tracer computation based on a comparison of the summation of the encrypted verification values and the encrypted verification sum and the tracer sum.

(Currently Amended) The cryptographic device having a secured white box cryptographic function computation whereby a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 9, the cryptographic device further operable to:
determiner) based on a seed (R) such that an element of the pseudorandom sequence is associated with an element of the verification values;
provision aij), wherein a verification value (aij) is associated with each step (j) of each computation block (i) of a cryptographic function, and an encrypted verification sum (EA) computed aij) using a tracer key (EKTracer) and the corresponding random value from the pseudorandom sequence, and adding the encrypted verification values into an encrypted verification sum (EA);
wherein to perform said a cryptographic operation 
determine a tracer value (Ti) indicative of computation of all steps of each computation block;
determine a summation random value (ri) corresponding to the random values (rij); and
encrypt ETi) using the tracerkey (EKTracer) and the summation random value (ri); and
ET) with the encrypted verification sum (EA) and taking a corrective action of the summation of the tracer values is not equal to the encrypted verification sum.

(Currently Amended) The cryptographic device having a secured white box cryptographic function computation whereby a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 11, wherein the first message is formatted according to a predetermined secret format and wherein the decrypting of the key-exchanged block cipher output step further comprising verifying that the message corresponds to the predetermined secret format before performing decryption step thereby preventing encrypted keys from being decrypted.

(Currently Amended) The cryptographic device having a secured white box cryptographic function computation whereby a cryptography key K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 11,
wherein the first message ({𝐶}𝐸𝐾𝐻𝐸
and the cryptographic operation {𝑀}𝐸𝐾𝐻𝐸M encrypted using the first homomorphic public key (EKHE), wherein the key-exchange operation causes the cryptographic function output ({𝑀}𝐸𝐾𝐻𝐸) to be encrypted using a second homomorphic key (EK’HE) thereby producing a key-exchanged cryptographic function output ({𝑀}𝐸𝐾′𝐻𝐸)M) encrypted using the second homomorphic key; and
wherein decrypting the key-exchanged cryptographic function output message produces the message M that is a plaintext message that has a value equivalent of a cryptographic decryption operation performed on the first message using the cryptography key (K) without using the cryptography key in plaintext on the cryptographic device.

(Currently Amended) The cryptographic device having a secured white box K, used to encrypt a plaintext into a ciphertext, is not used in a plaintext form of Claim 11,
wherein the first message (m{𝑆}𝐸𝐾𝐻𝐸)S encrypted using the first homomorphic public key (EKHE), wherein the key-exchange operation causes the cryptographic function output ({𝑆}𝐸𝐾𝐻𝐸) to be encrypted using a second homomorphic key (EK’HE) thereby producing a key-exchanged cryptographic function output ({𝑆}𝐸𝐾′𝐻𝐸)
wherein decrypting the key-exchanged cryptographic function output message produces the message M that is a cryptographically signed output message that has a value equivalent of a cryptographic signature operation performed on the first message using the cryptography key (K) without using the cryptography key (K) in plaintext on the cryptographic device.


Allowable Subject Matter
4. Claims 1-9 and 11-17 are allowed as amended.

5. The following is an examiner’s statement of reasons for allowance: The examiner finds novel within the context of an attacker seeking to discern information by inserting errors into a proof calculation causing the cipher not to compute all rounds or steps of individual rounds. The novelty provides the ability to detect whether all rounds and steps have been executed. Specifically, a tracer is introduced to trace the execution of blocks and individual steps of blocks. A modified cryptography function includes a two-. A corresponding assigned value array has pre-assigned values such that for each execution of the step.

The closest prior art being “Hoang” (US 20200358611 A1), “Aidoo” (US 20200074548 A1), and non-patent literature “Chillotti” (Faster Packed Homomorphic Operations and Efficient Circuit Bootstrapping for TFHE). Hoang discloses a facility for performing accurate and real-time privacy-preserving biometrics verification in a client-server environment. The facility receives the user's biometrics data such as face, voice, fingerprint, iris, gait, heart rate, etc. The facility then processes and applies various privacy-preserving techniques to this data to complete enrollment and authenticate users, including but not limited to: encrypting data with a key using homomorphic encryption techniques and sending the encryption to the server; the server computes directly on the encryption and returns the result. Aidoo discloses methods and systems for calculating consensus data on a decentralized P2P network using a distributed ledger to calculate, by a network node, data values corresponding to market rates associated with the network node, and sharing the data values with other network nodes. Non-patent literature Chillotti discloses methods to improve the evaluation of homomorphic functions in TFHE, both for fully and for leveled homomorphic encryption. We propose two methods to manipulate packed data, in order to decrease the ciphertext expansion and optimize the evaluation of look-up tables and arbitrary functions in Ring GSW based homomorphic schemes.

6. What is missing from the prior art of record is a computer-readable storage media, a method, and a system for a modified cryptography function that includes a two-dimensional tracer array wherein the first index corresponds to a computation block of a cryptography function, e.g. a round of a multi-round block cipher, e.g., an AES round, and the second index corresponds to a step executed in that computation block.

Thus the prior art does not teach or suggest, either individually or in combination, the subject matter as claimed in claims 1 and 9. Therefore claims 1 and 9 are deemed allowable over the prior art of record. The corresponding depending claims that further limit claims 1 and 9 also contain allowable subject matter by virtue of their dependency.
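The tracer check recited in claims 1 and 9 and summarized in the reasons for allowance can be sketched as follows. This is an added illustration, not code from the application or from the examiner. It assumes a toy Paillier scheme as the additively homomorphic encryption, the variant in which the verification values are encrypted and the verification sum is plaintext, a verifier that holds the decryption key, and hypothetical names (`provision`, `run_cipher`, `verify`) and array shape.

```python
import secrets

# Toy Paillier keypair built from two Mersenne primes (constructed, far too
# small for real use; it only illustrates the additive homomorphism).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)  # decryption constant for generator g = N + 1

def he_encrypt(m):
    """c = (1 + m*N) * r^N mod N^2, the Paillier ciphertext with g = N + 1."""
    r = secrets.randbelow(N - 2) + 2
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def he_decrypt(c):
    """m = L(c^PHI mod N^2) * MU mod N, where L(x) = (x - 1) / N."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def he_add(c1, c2):
    """Multiplying ciphertexts adds the underlying plaintexts."""
    return c1 * c2 % N2

ROUNDS, STEPS = 10, 4  # assumed shape: computation block i, step j

def provision():
    """Pick nonzero verification values a[i][j]; return their encryptions
    ea[i][j] and the plaintext verification sum A."""
    a = [[secrets.randbelow(2**32) + 1 for _ in range(STEPS)]
         for _ in range(ROUNDS)]
    ea = [[he_encrypt(v) for v in row] for row in a]
    return ea, sum(map(sum, a))

def run_cipher(ea, skip=frozenset()):
    """Each executed step (i, j) contributes its tracer et[i][j] = ea[i][j]
    to the encrypted tracer sum eT; `skip` models faulted-out steps."""
    eT = he_encrypt(0)
    for i in range(ROUNDS):
        for j in range(STEPS):
            if (i, j) in skip:
                continue  # the fault suppressed this step, so no tracer
            # (the real cipher step for block i, step j would run here)
            eT = he_add(eT, ea[i][j])
    return eT

def verify(eT, A):
    """Compare the tracer sum, computed on ciphertexts, with the sum A
    computed on plaintexts. A mismatch means a step did not execute."""
    return he_decrypt(eT) == A

if __name__ == "__main__":
    ea, A = provision()
    print("all steps executed:", verify(run_cipher(ea), A))
    print("one step skipped:  ", verify(run_cipher(ea, skip={(9, 2)}), A))
```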

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637. The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.

/WILLIAM B JONES/ Examiner, Art Unit 2491
/ASHOKKUMAR B PATEL/ Supervisory Patent Examiner, Art Unit 2491