DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on October 26, 2021
Claims 1 – 10 are being considered on the merits.

Response to Arguments
Status of claims within the present application:
Claims 1 – 10 are pending.
Claims 1, 2, 5, and 8 – 9 are amended.
Applicant’s arguments, see page [6] of Applicant’s remark, filed October 26, 2021, with respect to claims 8 – 10 that were rejected 35 U.S.C 101 for not fall within at least one of the four categories of patent eligible subject matter, have been fully considered and are persuasive.  Therefore, the rejection is withdrawn.
Applicant’s arguments, see page [7 – 9] of Applicant’s remark, filed October 26, 2021, with respect to claims 1 – 2, 5, and 8 that were rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, regards as the invention, have been fully considered and are persuasive.  Therefore, the rejection is withdrawn. 
Applicant’s arguments, see page [7 – 9] of Applicant’s remark, filed October 26, 2021, with respect to Claims 1 – 10 are rejected under 35 U.S.C. 103 as being unpatentable over Oder et al., “Implementing the NewHope-Simple Key Exchange on Low-Cost FPGAs”, 2019, (hereinafter, “Oder”) in view of Xing et al., “An Efficient Implementation of the NewHope Key 
 	With respect to the argument regarding Oder teaching Trivium to generate polynomial            
                 
                â
            
        , Examiner does not rely on Oder to teach this feature. Oder is relied upon for everything except for the teaching of Trivium. However, Examiner notes that Xing is relied upon to teach using Trivium to generate a polynomial. Although Xing does not specifically teach generating polynomial            
                 
                â
            
         using Trivium, the combination of Oder and Xing renders obvious generating a polynomial            
                 
                â
            
         using Trivium.

Claim Rejections - 35 USC § 112
   The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

 	Claims 1 – 10 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant’s specification para. 31 discloses selecting polynomial             
                â
            
         “by parsing a random number sequence outputted by the Trivium module”. However, this is not the same as generating polynomial             
                â
            
         by the Trivium module. Similarly, specification para. 33 teaches “the polynomial coefficients of both sides are obtained by the random numbers outputted by the Trivium modules” which is not the same as generating polynomial             
                â
            
         by the Trivium module.  This can be further seen on Fig. 2 and 3 filed on June 18, 2020 where the Parse module obtains an input from the Trivium module and then generates the polynomial             
                â
            
         using the input. The dependent claims are also rejected because they include all the limitations of their parent claims. 
For the purpose of examination, the amended feature is interpreted as reciting "polynomials             
                
                    
                        â
                    
                    
                        1
                    
                
                 
                a
                n
                d
                 
                
                    
                        â
                    
                    
                        2
                    
                
            
         are generated based on the Trivium module of the client and the Trivium module of the server".

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 10 are rejected under 35 U.S.C. 103 as being unpatentable over Oder et al., “Implementing the NewHope-Simple Key Exchange on Low-Cost FPGAs”, 2019, (hereinafter, “Oder”) in view of Xing et al., “An Efficient Implementation of the NewHope Key Exchange on FPGAs”, 2019, (hereinafter, “Xing”).

    PNG
    media_image1.png
    356
    457
    media_image1.png
    Greyscale
Regarding claim 1, Oder teaches a method for implementation of a post-quantum key exchange protocol, comprising: a client generating a public polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                    , [based on a Trivium] module therein and generating a polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     based on the polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                    , then sending a data request signal to a server to receive a polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     sent by the server for secured key transmission, and receiving data request signal sent by the server to send the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     to the server, wherein a public polynomial                         
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    , for calculating the polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     is generated by the server with adoption of a random number sequence generated by a [Trivium module] in the server, and                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                             
                            =
                             
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    ; and the client generating a key μ and a polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     based on the [Trivium module] therein, and sending the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     to the server based on another received data request signal sent by the server, so that the server generates the key μ based on the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     and adjusts a state of the [Trivium] module in the server to be synchronized with a current state of the [Trivium] module in the client wherein the public polynomials                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                             
                            a
                            n
                            d
                             
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                     are generated by the [Trivium] module of the client and the [Trivium] module of the server. [Oder, page 4 section 2.2 protocol 1 discloses both the server and client are generating a polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     using Parse(SHAKE-128(seed)). The client in the algorithm produces a polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     from polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     and a number theoretic transform of                         
                            e
                            '
                        
                     and send the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     to the server through an encodeB(mb) and the server decodeB(mb) to get the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    . Polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     is send to the client in an encodeA and the client is to perform decodeA to receive polynomial                        
                             
                            
                                
                                    b
                                
                                ^
                            
                        
                    . The client also generate a key μ and a polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     and send the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     to the server based on another received data request signal sent by the server, so that the server generates the key μ based on the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                    . This confirms that the polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     created by the client and server are the same and the key μ are the same. Server (Alice) and Client (Bob) both are generating a polynomial                        
                             
                            
                                
                                    a
                                
                                ^
                            
                        
                     individually and based on the input, they are to be the same value. This would implies that the server and the client are matched up.], but Oder does not teach polynomials based on a Trivium module.
However, Xing does teach polynomials generated based on a Trivium module.[Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, where the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]


    PNG
    media_image1.png
    356
    457
    media_image1.png
    Greyscale
Regarding claim 2, modified Oder teaches the method according to claim 1, wherein the step of generating the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     based on the polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                    , comprises: the client adopting the random number sequence generated by the [Trivium] module in the client to generate polynomials                         
                            s
                            '
                        
                     and                         
                            e
                            '
                        
                     respectively, and calculating number-theoretic transformation polynomials of the polynomials                         
                            s
                            '
                        
                     and                         
                            e
                            '
                        
                     respectively, and calculating a sum of the number-theoretic transformation polynomial of' the polynomial                         
                            e
                            '
                        
                     and a product of the number-theoretic transformation polynomial of the polynomial                         
                            s
                            '
                        
                     and the public polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                    , to obtain the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    , wherein the [Trivium] module in the client generates a 64bit random number in one cycle. [Oder, page 4 section 2.2 protocol 1 discloses the client generate polynomials                         
                            s
                            '
                        
                     and                         
                            e
                            '
                        
                     respectively, and calculating number-theoretic transformation polynomials of the polynomials                         
                            s
                            '
                        
                     and                         
                            e
                            '
                        
                     respectively, in which NNT(                        
                            s
                            '
                        
                    ) becomes                         
                            
                                
                                    t
                                
                                ^
                            
                        
                     and NNT(                        
                            e
                            '
                        
                    ) and calculating a sum of NNT(                        
                            e
                            '
                        
                    ), NNT(                        
                            s
                            '
                        
                    ), and                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                     to obtain the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    ] , but Oder does not teach based on Trivium module.
However, Xing does teach based on Trivium module.[Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]


    PNG
    media_image2.png
    556
    714
    media_image2.png
    Greyscale
Regarding claim 3, modified Oder teaches the method according to claim 1, wherein the client generating the key μ and the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     based on the [Trivium] module therein comprises: the client respectively calculating the key μ and a polynomial                         
                            e
                            "
                        
                     based on the random number sequence generated by the [Trivium] module therein, calculating a product of the number-theoretic transformation polynomial of the polynomial                         
                            s
                            '
                        
                     and the polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                    , and performing inverse number-theoretic transformation to the product, wherein the key μ is obtained in a manner that the client performs first secure hash algorithm 3 (SHA3) to the random number sequence generated by the [Trivium] module therein to obtain                         
                            v
                            '
                        
                     and performs second SHA3 on the                         
                            v
                            '
                        
                    ; the client encoding the                         
                            v
                            '
                        
                     to obtain a polynomial k: and calculating a sum of the polynomial                         
                            e
                            "
                        
                    , the polynomial k and the result of the inverse number-theoretic transformation to obtain a polynomial c, and compressing data of the polynomial c to obtain the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     . [Oder, page 4 section 2.2 protocol 1 discloses the client calculating a product of the NNT(                        
                            s
                            '
                        
                    ) in, which is change to be                         
                            
                                
                                    t
                                
                                ^
                            
                        
                    , and the polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                    , and performing inverse NNT to the product. The client performs first secure hash algorithm (SHA3) – 256 on v and use the random number sequence generated by the Trivium module therein to obtain                         
                            v
                            '
                        
                     and performs second SHA3 on the                         
                            v
                            '
                        
                     to get the key μ; the client encoding the                         
                            v
                            '
                        
                     to obtain a polynomial k: and calculating a sum of the polynomial                         
                            e
                            "
                        
                    , the polynomial k and the result of the NNT-1 (                        
                            
                                
                                    b
                                
                                ^
                            
                            ∘
                            
                                
                                    t
                                
                                ^
                            
                        
                    ) to obtain a polynomial c, and compressing data of the polynomial c to obtain the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                    ] , but Oder does not teach generated by the Trivium module.
However, Xing does teach generated by the Trivium module.[Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]


    PNG
    media_image2.png
    556
    714
    media_image2.png
    Greyscale
Regarding claim 5, Oder teaches a method for implementation of a post-quantum key exchange protocol, comprising: a server generating a public polynomial                         
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    , based on a [Trivium] module therein and generating a polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     based on the polynomial                         
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    , then receiving a data request signal sent by a client to send the polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                    , and sending a data request signal to the client to receive a polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    , wherein a polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                     for calculating the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     is generated by the client with adoption of a random number sequence generated by a [Trivium] module in the client, and                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                             
                            =
                             
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    ; the server generating a polynomial m based on the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    , sending another data request signal to the client to receive a polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     corresponding to a key μ sent by the client, and generating the key μ based on the polynomial m and the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                    ; the server controlling the [Trivium] module therein to continue working for a certain time so that a state of the [Trivium] module in the server is the same as a state of the [Trivium] module in the client; wherein the public polynomials                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                             
                            a
                            n
                            d
                             
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                     are generated by the [Trivium] module  of the client and the [Trivium] module of the server [Oder, page 4 section 2.2 protocol 1 discloses both the server and client are generating a polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     using Parse(SHAKE-128(seed)). The client in the algorithm produces a polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     from polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     and a number theoretic transform of                         
                            e
                            '
                        
                     and send the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     to the server through an encodeB (mb) and the server decodeB(mb) to get the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    . Polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     is send to the client in an encodeA and the client is to perform decodeA to receive polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                    . The client also generate a key μ and a polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     and send the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     to the server based on another received data request signal sent by the server, so that the server generates the key μ based on the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                    . This confirms that the polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     created by the client and server are the same and the key μ are the same. Server (Alice) and Client (Bob) both are generating a polynomial                        
                             
                            
                                
                                    a
                                
                                ^
                            
                        
                     individually and based on the input, they are to be the same value. This would implies that the server and the client are matched up.], but Oder does not teach polynomials generated based on a Trivium module.
However, Xing does teach polynomials generated based on a Trivium module.[Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]

Regarding claim 8, Oder teaches a system for implementation of a post-quantum key exchange protocol, comprising a client and a server, wherein the client is configured to generate a public polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                    , with adoption of a random number sequence generated by a [Trivium] module in the client and generate a polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     based on the polynomial                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                    , send a first data request signal to the server, and send the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     to the server according to a second data request signal from the server; the client is further configured to generate a key μ and a polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     based on the [Trivium] module therein, and send the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     to the server according to a third data request signal sent by the server; the server is configured to generate a public polynomial                         
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                     with adoption of a random number sequence generated by a [Trivium] module in the server, generate a polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     based on the polynomial                         
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    , send the polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     to the client according to the first data request signal and send the second data request signal to the client; and                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                        
                     =                         
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                    ; the server is further configured to generate a polynomial m based on the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    , send the third data request signal to the client. and generate the key μ based on the polynomial m and the polynomial                        
                             
                            
                                
                                    c
                                
                                ¯
                            
                        
                    ; and steps that the client generates the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     and the server generates the polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     are synchronized; and the steps that the client generates the 
    PNG
    media_image2.png
    556
    714
    media_image2.png
    Greyscale
key μ and the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     based on the [Trivium] module in the client and the server generates the polynomial m based on the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     are synchronized; wherein the public polynomials                         
                            
                                
                                    â
                                
                                
                                    1
                                
                            
                             
                            a
                            n
                            d
                             
                            
                                
                                    â
                                
                                
                                    2
                                
                            
                        
                     are generated by the [Trivium] module of the client and the [Trivium] module of the server [Oder, page 4 section 2.2 protocol 1 discloses both the server and client are generating a polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     using Parse(SHAKE-128(seed)). The client in the algorithm produces a polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     from polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     and a number theoretic transform of                         
                            e
                            '
                        
                     and send the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                     to the server through an encodeB (mb) and the server decodeB (mb) to get the polynomial                         
                            
                                
                                    u
                                
                                ^
                            
                        
                    . Polynomial                         
                            
                                
                                    b
                                
                                ^
                            
                        
                     is send to the client in an encodeA and the client is to perform decodeA to receive polynomial                        
                            
                                
                                     
                                    b
                                
                                ^
                            
                        
                    . The client also generate a key μ and a polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     and send the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                     to the server based on another received data request signal sent by the server, so that the server generates the key μ based on the polynomial                         
                            
                                
                                    c
                                
                                ¯
                            
                        
                    . This confirms that the polynomial                         
                            
                                
                                    a
                                
                                ^
                            
                        
                     created by the client and server are the same and the key μ are the same. Server (Alice) and Client (Bob) both are generating a polynomial                        
                             
                            
                                
                                    a
                                
                                ^
                            
                        
                     individually and based on the input, they are to be the same value. This would implies that the server and the client are matched up.], but Oder does not teach polynomials generated based on a Trivium module.
However, Xing does teach polynomials generated based on a Trivium module [Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]

As per claim 4, 7, and 10, modified Oder teaches the method according to claim 3, claim 5, and claim 8, wherein all the polynomials are stored in memories, wherein the polynomials obtained at the same step are stored in different memories respectively. [Oder, page 6 – 7 section 3.1 discloses it features DSPs blocks that can multiply, add, and subtract and have a configurable number of pipeline stages. It furthermore has several 18 Kb block memories that can be used in dual-port mode. The LUTs of the Artix-7 can either be used as 6-input LUTs or 5-input LUTs with two outputs. Figure 1 and Figure 2 provide an overview of our server architecture and the client architecture. We incorporated two read/write-BRAM blocks with a width of 14 bits and a depth of n = 1024 in dual-port mode to store polynomials (Reg0 and Reg1). Two read-only memories are used to store the twiddle factors used in the NTT. One DSP block with subsequent modular reduction serves as general-purpose DSP that is used in most sub-modules, like the NTT or the point-wise multiplication.]

Regarding claim 6, modified Oder teaches the method according to claim 5, but Oder does not teach wherein the Trivium module in the server generates a 64bit random number in one cycle.
However, Xing does teach wherein the Trivium module in the server generates a 64bit random number in one cycle. [Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]

Regarding claim 9, modified Oder teaches the method according to claim 8, but Oder does not teach wherein the Trivium module in the client and the Trivium in the server are configured to generate a 64bit random number in one cycle.
However, Xing does teach wherein the Trivium module in the client and the Trivium in the server are configured to generate a 64bit random number in one cycle. [Xing, page 869 section III.A discloses for the generation of secret vector s and noise vector e that both obey centered binomial distribution ψ16, any PRNG can be qualified, where SHAKE-128 can also be a candidate, in which case we may be able to reuse the Keccak core. However, as these generation processes would be implemented in parallel with the generation of public parameter a, as depicted in Table V, Sect. IV, there is an unavoidable problem of hardware hazard. In addition it is not affordable to utilize another Keccak core, in consideration of its large resource demand. A lightweight PRNG can be adequate as long as it has a reasonable throughput. The Trivium PRNG [11] is selected in our design to generate s and e, mainly because that the throughput of Trivium can be as large as 64 bits per cycle while the resources it occupies is rather small. Trivium is a hardware oriented synchronous stream cipher, in which the key stream is generated through a few simple operations upon the 288-bit internal state register S[288:1]. The width of key stream z is set to be 64-bit in our design, corresponding to its maximum throughput capability. Detailed schematic corresponding to the generation of z as well as the update of S[288:1] is depicted in Fig. 3. The internal state register is initialized with an 80-bit key and an 80-bit initial vector according to specific rules, followed by 4 full rotation update based on the update logic, during which no key stream is outputted. As one coefficient consumes 32 pseudo random bits by computing                          
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        0
                                    
                                    
                                        15
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                    
                                
                            
                             
                            –
                            
                                
                                    ∑
                                    
                                        i
                                        =
                                        16
                                    
                                    
                                        31
                                    
                                
                                
                                    
                                        
                                            b
                                        
                                        
                                            i
                                        
                                        
                                            '
                                        
                                    
                                
                            
                        
                     , where                         
                            
                                
                                    b
                                
                                
                                    i
                                
                            
                        
                     and                         
                            
                                
                                    b
                                
                                
                                    i
                                
                                
                                    '
                                
                            
                        
                     are uniform pseudo random bits, two coefficients can be generated and stored per cycle. Considering both s and e are 1024-degree polynomials, the generation time would be 512 cycles each.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Xing’s system with Oder’s system, with a motivation to use a light-weight pseudo-random number generator — Trivium, the generation of a and one error polynomial s can be conducted concurrently [Xing, page 867 lines 3 – 6]

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893.  The examiner can normally be reached on Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/P.P./Patent Examiner, Art Unit 2434          

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434