DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Remarks
In a response filed on October 26, 2021 (the “Response”), Applicant amends claims 1, 6, 7, 12, 13 and 18.
Claims 1-18 are presented for examination.
Response to Arguments
Applicant’s arguments submitted October 26, 2021 have been fully considered, but they are not persuasive for at least the following reasons.
On page 7, in the Remarks section of the Response, Applicant argues that “Lin is silent with respect to threshold implementation....”  However, Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
To be specific, Examiner’s position is not that Lin teaches threshold implementation.  Rather, Examiner’s actual position is inter alia that Li teaches threshold implementation.  One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413 (CCPA 1981); In re Merck & Co., 800 F.2d 1091 (Fed. Cir. 1986).
On page 7 of the Response, Applicant also argues that “Lin is silent with respect to...composite field.”  However, as set forth in the prior art rejection below, Examiner disagrees with Applicant’s instant argument because a “composite field” is taught by section 2.1 of Lin’s following disclosure:


On page 7, Applicant further argues:
“The invention differs from Li in serveral ways.  First...the invention divides the S-box into parts and only considers a part of the S-box.”

However, Examiner respectfully submits that Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
To be specific, Examiner’s position is not that Li teaches the limitation of Applicant’s instant argument.  Rather, Examiner’s actual position is inter alia that Lin teaches:
“decomposing original S-box into several algebraic steps and merging some of these into other parts of the cipher (§ 1 at ¶ 3 ‘In 2002, Chow et al. introduced...white-box implementation of AES. The general technique is to hide the secret key in the S-Boxes of original cipher (AES), decompose/break the original cipher into a number of steps/parts and merge/insert secret random bijections to...every step’; note: Applicant’s instant limitation is a general feature of the ‘white-box’ aspect of Lin’s improvement to SMS4 [see § 1 at ¶ 3; also see § 1 on p. 1784 at col. 2, lns. 7-9])....”

As previously stated, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See Keller, F.2d 413 at 642; Merck & Co., F.2d 1091 at 800.
On page 7, Applicant moreover argues:
“The invention differs from Li in serveral ways.  ...  Second...disclosed implementations use TI after a GF(2Λ4) inverter.  Third, the invention uses a composite field technique to implement isomorphism.”

However, Examiner respectfully submits that Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
not that Li teaches the limitations of Applicant’s argument.  Rather, Examiner’s actual position is inter alia that, in combination, the prior art of record reads on the limitations of Applicant’s argument, as set forth in the prior art rejections below.  One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See Keller, F.2d 413 at 642; Merck & Co., F.2d 1091 at 800.
Furthermore, on page 7, Applicant argues:
“The invention differs from Li in serveral ways.  ...  Fourth, the invention uses TI as a method to mask the outputs of lookup tables....”

However, Examiner notes that the limitation of Applicant’s instant argument (i.e., “the invention uses TI as a method to mask the outputs of lookup tables”) constitutes new matter because it does not have clear written description support in the disclosure of the invention, as set forth in its written description rejection below.  See item 13 below.
On page 7, Applicant argues:
“The invention differs from Li in serveral ways.  ...  Fourth, the invention uses TI as a method to...make the distribution of the masked values uniform and independent of the original inputs.”

However, Examiner respectfully disagrees with Applicant’s instant argument because the last paragraph on page 26 of Applicant’s instant Specification (i.e., ¶ 138 of the instant application’s pre-grant publication) teaches that “threshold implementation makes the distribution of the masked values uniform and independent of the corresponding unmasked values.”  In other words, Examiner disagrees with Applicant’s instant argument because the foregoing disclosure of the Specification indicates that making the “distribution of [] masked values uniform and independent” of its original inputs, is inherent feature of threshold implementation in general.
However, Examiner notes that On page 8, Applicant argues:
“although both the invention and Li apply TI on the S-box implementation, they use TI in different ways to achieve different results.”

However, Examiner respectfully submits that Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
To be specific, Examiner’s position is not that Li anticipates Applicant’s invention.  Rather, Examiner’s actual position is inter alia that Applicant’s claims are rendered obvious by the prior art of record, as set forth in the prior art rejections below.  Again previously stated, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See Keller, F.2d 413 at 642; Merck & Co., F.2d 1091 at 800.
On page 8, Applicant also argues that “the manner used by Johnson has been successfully attacked.”  In response, Examiner notes that Applicant’s instant argument is presented without any actual support.  However, it is axiomatic that such conclusory arguments of counsel cannot take the place of factually supported objective evidence. See MPEP § 2145.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
To be specific, claims 1, 7 and 13 have been amended to include inter alia the following newly added limitation: “masking the outputs of the lookup tables....”  However, Applicant has not indicated where clear written description support can be found in the disclosure for this newly added limitation.  Therefore, Examiner has read the entire disclosure of the invention to ascertain where such support can be found.
Turning to the most pertinent part of the disclosure, Examiner notes that the initial paragraph on page 16 of Applicant’s instant Specification teaches:
“To obfuscate the relationship between the inputs and outputs of the T-Box, the lookup table is created with a threshold implementation.”

However, this disclosure does not teach that the “outputs of the T-Box” are masked.  To the contrary, the sentence that immediately precedes the foregoing teaching, explicitly states that the “masked data...are the inputs of the T-box.”  Therefore, Examiner finds a lack of written description support for Applicant’s foregoing newly added limitation.
Regarding claims 2-6, 8-12 and 14-18, these claims are rejected for depending from, but failing to cure the foregoing deficiency of, their base claims 1, 7 and 13.
In addition, claims 6, 12 and 18 have been amended to recite the following newly added limitation:
except for an initial mask, each mask is dependent on an earlier mask in an inverted tree structure.”

And again Applicant has not indicated where clear written description support can be found in the disclosure for this newly added limitation.  Therefore, Examiner has read the entire disclosure of the invention to ascertain where such support can be found.
Turning to the most pertinent part of the disclosure, Examiner notes that the fifth enumerated rule listed on page 13 of the Specification teaches:
“Each mask can be dependent on an earlier mask in an inverted tree structure.”

However, this disclosure does not even mention “an initial mask,” far less the foregoing newly added limitation of claims 6, 12 and 18.  Indeed, the aforementioned disclosure of Applicant’s instant Specification actually contradicts the newly added limitation of claims 6, 12 and 18.  Therefore, Examiner finds a lack of written description support.  Applicant is invited to show where clear support can be found for the newly added limitation.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 7, 11, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Lin et al., “Security Evaluation and Improvement of a White-Box SMS4 Implementation Based on Affine Equivalence Algorithm” 2018, The Computer 
Regarding claims 1, 7 and 13, Lin teaches an apparatus for implementing a white-box block cipher in a software application to create a secure software application having the same functionality as the software application (§ 1 at ¶ 2 “a software application/cryptographic algorithm is supposed to execute on an untrusted host/ apparatus”), the apparatus comprising:
at least one hardware processor (note: it is implicit that the host of Lin’s software application/cryptographic algorithm, may “process” the cryptographic algorithm/software application [see § 1 at ¶ 2]); and
at least one memory operatively coupled to the processor and storing instructions thereon (§ 1 at ¶ 2 “the memory, cache”; note: Lin’s memory stores a cryptographic algorithm’s code/instruction, which Lin’s host/apparatus executes [see § 1 at ¶ 2]) that, when executed by the at least one hardware processor, cause the at least one hardware processor to: create an implementation of a block cipher by:
applying an isomorphism between an original finite field representation and a composite field representation (note: Lin’s disclosure is an improvement to SM4/SMS4 [see § 1 on p. 1784 at col. 2, lns. 7-9] and SM4/SMS4 applies isomorphism to an original finite field, namely a Galois field, because the T: GF (2)32 [Symbol font/0xAE] GF (2)32 is a substitution and reversible” [see § 2.1]), and
using this isomorphism to reconstruct the block cipher as operations that use only the elements of the composite field, including XOR, linear transformation and S-box (§ 2.1 “composite field/Output the cipher text... The transformation...is composed of a linear transformation [] and...applies ...S-Boxes”; note: SMS4’s linear transformation includes “⊕” [i.e., an XOR operation], also note that it is implicit that SMS4 may use “cipher text” as input because SMS4’s “decryption procedure is identical to [its] encryption procedure, except...reversed” [see § 2.1]);
decomposing original S-box into several algebraic steps and merging some of these into other parts of the cipher (§ 1 at ¶ 3 “In 2002, Chow et al. introduced...white-box implementation of AES. The general technique is to hide the secret key in the S-Boxes of original cipher (AES), decompose/break the original cipher into a number of steps/parts and merge/insert secret random bijections to...every step”; note: Applicant’s instant limitation is a general feature of the “white-box” aspect of Lin’s improvement to SMS4 [see § 1 at ¶ 3; also see § 1 on p. 1784 at col. 2, lns. 7-9]); and
in the non-linear step of S-box, implementing an inversion in the original finite field representation with algorithm in the composite field representation (§ 2.1 “The transformation is...reversible/invertible. [And] It is composed of...a non-linear transformation...[that] applies...S-Boxes...The decryption procedure is identical...except...reversed/inversed”).
 masking the outputs of the lookup tables and making the distribution of the masked values uniform and independent of the original inputs; and apply the block cipher to at least a portion of the software application to create the secure software application and thereby increase security of a computing platform executing the secure software application.
In an analogous art, Li teaches:
in the non-linear step of S-box, implementing the inversion in an original finite field representation with algorithm in a composite field representation (§ 2.1 on p. 208 “the inversion method of S-box based on composite field in...SMS4 algorithm”);
applying an initial threshold implementation of m input shares and n output shares (11, p. 211) to generate lookup tables for the non-linear step of S-box (Abstract “new S-box scheme on SMS4 [] is based on [threshold implementation]...use a secret sharing method to group the input and output of S-box”; ¶ 1 of § 3.1 at p. 209 “The basic idea [of threshold implementation] is to divide a complete secret into several parts and assign every part to each different participant, and the secret cannot be reconstructed unless the number of the participant reaches k or more, where k is [] the threshold value”; § 3.2 at ¶ 2 on p. 212 “the input consists of a and b...a is split into a1, a2, a3, a4 and b is split into b1, b2, b3, b4/input shares”; note: applying “the first step” of Li’s x, y, . . .” [see §§ 3.1, 3.2] and n “output shares” [see §§ 3.1 at p. 210-11] such as output shares “c1, c2, c3, c4,” which may be produced by Li’s “second step” [see § 3.2 at ¶ 2, 3 on p. 212]);
masking the outputs of the lookup tables and making the distribution of the masked values uniform and independent of the original inputs  (Li: Abstract “threshold implementation is a [] masking method...new S-box scheme on SMS4 [] is based on [threshold implementation]”; note: applying Li’s threshold implementation may produce “output shares” [see §§ 3.1 at p. 210-11] such as output shares “c1, c2, c3, c4” [see § 3.2 at ¶ 2, 3 on p. 212], also note that the second to last paragraph on page 26 of Applicant’s instant application—i.e., ¶ 138 of the instant application’s pre-grant publication—teaches that “threshold implementation makes the distribution of the masked values uniform and independent of the corresponding unmasked values,” which indicates that, inherently, Li’s “threshold implementation” also “makes the distribution of [] masked values uniform and independent” of Li’s original inputs [see Li: Abstract]); and
applying further threshold implementations to different steps of the cipher to generate lookup tables (note: Li also applies a threshold implementation to different steps because in “the third step...the input needs to be divided into four shares...then entered the Inv.AT.lin.map part, which will complete the second affine transformation and output the final results” [see § 3.2 at ¶ 1 on p. 213]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Li for protecting the SM4/ SMS4 cryptographic algorithm from a differential power analysis side-channel attack.  The teachings of Li, when used within the existing system of Lin’s white-box 
However, Lin in view of Li does not explicitly disclose, yet Johnson teaches: apply (12, FIG. 1) the block cipher to at least a portion of the software application to create the secure software application and thereby increase security of a computing platform executing the secure software application (¶ 63 “generating new functions and transforms”; ¶  62, 61, 60, 1 “computer software...resistant to a ‘white box attack’; that is, a system which will protect certain information from discovery even when the attacker has total visibility into software implementation and execution”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Johnson for using a cipher to protect a software application from a white box attack.  The teachings of Johnson, when used with the system of Lin in view of Li’s block cipher, will improve the security of a software application that employs the SM4/SMS4 algorithm.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claims 5, 11 and 15, Lin in view of Li further in view of Johnson teaches all of the limitations of claims 1, 7 and 13, as previously stated, and further teaches: wherein the initial threshold implementation generates masks and extends outputs of the lookup tables to thereby obfuscate the S-box (Li: Abstract “threshold implementation is a [] masking method...a new S-box scheme on SMS4 [] based on TI... c1, c2, c3, c4”) an output c [see Li: § 3.2 at ¶ 2, 3 on p. 212; ¶ 1 of § 3.1 at p. 209; eq. 9-12 on pp. 210-211]).
Claims 2-4, 8-10 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Lin in view of Li further in view of Johnson further in view of Satpathy et al. (US 2017/0093571 A1, hereinafter Satpathy).
Regarding claims 2, 8 and 14, Lin in view of Li further in view of Johnson teaches all of the limitations of claims 1, 7 and 13, as previously stated, and further teaches: wherein the original finite field representation comprises element in GF(28) (Lin § 2.2 at ¶ 1 “SMS4 can be called EGF(28) cipher...dual ciphers correspond to [] representations of GF(28)...which yield isomorphisms between the fields of GF(28)”).
However, Lin in view of Li further in view of Johnson does not explicitly disclose, yet Satpathy teaches: wherein an original finite field representation comprises an 8-bit element (¶ 36 “input and output of S-box 208 are elements of a Galois field GF(28), which may be viewed as a set of 256 8-bit integers”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Satpathy for viewing the elements of a Galois field GF(28) as a set of 256 8-bit integers.  The teachings of Satpathy, when used with the input and output of the system of Lin in view of Li further in view of Johnson’s S-box, will make the system more practical by thus enabling it to use binary data to represent elements of the system’s Galois field.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
8) (Lin § 2.2 at ¶ 1 “SMS4 can be called EGF(28) cipher...dual ciphers correspond to [] representations of GF(28)...which yield isomorphisms between the fields of GF(28)”).
However, Lin in view of Li further in view of Johnson does not explicitly disclose, yet Satpathy teaches: wherein an original finite field representation comprises two 4-bit element (¶ 36 “input and output of S-box 208 are elements of a Galois field GF(28), which may be viewed as a set of 256 8-bit integers”; ¶ 38 “performing an inverse transformation in GF(28) may present significant computational complexity, a more efficient technique involves using composite-field arithmetic.  In an illustrative example, the S-box input in GF(28) is represented as a 2-term polynomial sh*x+sl, where coefficients sh and sl are represented by 4-bit elements of GF(24) field”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Satpathy for using a two 4-bit term polynomial to represent an S-box input.  The teachings of Satpathy, when used with the inverse transformation that the system of Lin in view of Li further in view of Johnson may perform in GF(28), will improve the efficiency of that inverse transformation.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claims 4, 10 and 16, Lin in view of Li further in view of Johnson teaches all of the limitations of claims 1, 7 and 13, as previously stated, and further teaches: wherein the isomorphism is constructed from elements in GF(28) and the 8) cipher...dual ciphers correspond to [] representations of GF(28)...which yield isomorphisms between the fields of GF(28)”; Li: Abstract “new S-box scheme on SMS4 [] is based on [threshold implementation]...use a secret sharing method to group the input and output of S-box”; Li ¶ 1 of § 3.1 at p. 209 “The basic idea [of threshold implementation] is to mask/divide a complete secret into several parts and assign every part to each different participant, and the secret cannot be reconstructed unless the number of the participant reaches k or more, where k is [] the threshold value”; Li § 3.2 at ¶ 2 on p. 212 “the input consists of a and b...a is split into a1, a2, a3, a4 and b is split into b1, b2, b3, b4/input shares”; note: applying “the first step” of Li’s threshold implementation may produce “n” shares of  “input variables x, y, . . .” [see Li §§ 3.1, 3.2] and n “output shares” [see Li §§ 3.1 at p. 210-11] such as output shares “c1, c2, c3, c4,” which may be produced by Li’s “second step” [see Li § 3.2 at ¶ 2, 3 on p. 212]).
However, Lin in view of Li further in view of Johnson does not explicitly disclose, yet Satpathy teaches: wherein an isomorphism is constructed from elements in GF(28) to a composite field GF(24)2 for an S-box (¶ 39 “GF(28)...may be transformed to composite-field GF(24)2 ...S-box may be implemented by...a [] transformation from the price-field to the composite field”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Satpathy for constructing an isomorphism from elements in GF(28) to a composite field GF(24)2 for an S-box.  The teachings of Satpathy, when used with the inverse transformation that the system of Lin 8), will improve the efficiency of that inverse transformation.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claims 6, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Lin in view of Li further in view of Johnson further in view of Luo et al., “Compiler-Assisted Threshold Implementation Against Power Analysis Attacks” 2017, IEEE (International Conference on Computer Design, 2017, pp. 541-544, hereinafter Luo).
Regarding claims 6, 12 and 18, Lin in view of Li further in view of Johnson teaches all of the limitations of claims 5, 11 and 17, as previously stated, and further teaches: masks (note: each of Li’s “threshold implementations” is a “mask” [see Li: Abstract], for example  “c1, c2, c3, c4” may be a “mask” of Li’s output c  [see Li: § 3.2 at ¶ 2, 3 of p. 212; ¶ 1 of § 3.1 at p. 209; eq. 9-12 on pp. 210-211]),
wherein each of the masks is a mask of a variable (Li: Abstract “threshold implementation is a [] masking method...a new S-box scheme on SMS4 [] based on TI...uses a secret sharing method to...output of S-box”; note: Li’s output may be variables “c1, c2, c3, c4” [see Li: § 3.2 at ¶ 2, 3 on p. 212; ¶ 1 of § 3.1 at p. 209; eq. 9-12 on pp. 210-211]).
However, Lin in view of Li further in view of Johnson does not explicitly disclose: wherein, except for an initial mask, each mask is dependent on an earlier mask in an inverted tree structure.
In an analogous art, Luo teaches:
wherein, except for an initial node, each node is dependent on an earlier node in an inverted tree structure (¶ 3 of § III on p. 542 “first step in computing [threshold 
wherein a root node is a variable (note: it is implicit that Luo’s root node may be a “secret” because the initial bullet point on page 542 discloses that each root node may be a “share of c” [see § III(A) in col. 1 of p. 542]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Luo for employing an inverted tree structure to compute a threshold implementation of a variable.  The teachings of Luo, when used with the masking feature of the system of Lin in view of Li further in view of Johnson’s applications of a threshold implementation, will make the system more feasible by thus providing it with a practical scheme (namely, an inverted tree structure) for applying the system’s threshold implementations.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294.  The examiner can normally be reached 9am-5pm, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users.  To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/KALISH K BELL/Examiner, Art Unit 2432