PNG
    media_image1.png
    172
    172
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 15/439,553
Filing Date: 02/22/2017
Appellant(s): Hugues Thiebeauld dela Crouee



____________________________
Paul W. Churilla, Reg. No. 47,495 
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 09/30/2021.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 04/02/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS”.  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
(2) NEW GROUNDS OF REJECTION
	---- NONE ----
(3) WITHDRAWN REJECTIONS
	---- NONE ----
 (4)  Restatement of Rejection
The following ground(s) of rejection are applicable to the appealed claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-6, 8-11, 13-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2009/0074181 A1 to Pelletier et al. (hereinafter “Pelletier”) in view of Pub. No. US 2017/0126398 A1 to Wiener et al. (hereinafter “Wiener”).
Regarding Claim 1. Pelletier discloses A method for executing, by a processing unit of a circuit (Pelletier, Para [0010]: … method of executing a cryptographic calculation in an electronic component …), an operation in a protected manner against side channel analysis, the operation being applied to an input data and providing an output data (Pelletier, Abstract, Para [0001, 0007, 0073], FIG. 1: … The invention concerns a method for executing cryptographic calculation in an electronic component, based on a specific cryptographic algorithm including at least one secret key operation (102) to be performed with a secret encryption key (103) comprising m secret encryption key blocks of n bits on a data block (101), wherein m and n are positive integers, and a non-linear operation (107) … The operation being applied in an equiprobable manner with all the possible key values, this step is protected against any attack relating to an analysis of the information leaks during the execution of the calculation … block 100 (input data), block 108 (output data) and nonlinear operation 107 …), the method comprising:
receiving, by the processing unit, an input data to be processed by a requested operation (Pelletier, Abstract, Para [0035, 0045]: … an electronic component adapted for executing a cryptographic calculation according to a determined cryptographic algorithm including at least one secret-key operation to be carried out with a secret cryptographic key comprising m secret key blocks of n bits on a data block and a nonlinear operation … The invention concerns a method for executing cryptographic calculation in an electronic component, based on a specific cryptographic algorithm including at least one secret key operation (102) to be performed with a secret encryption key (103) … In the case where the secret-key operation 102 is the first operation of the algorithm, it may correspond to the data block to be encrypted 100, received as input to the algorithm …), the input data having a bit width N1 greater than two, and the requested operation applied to the input data providing an output data having a bit width N2 greater than two (Pelletier, Para [0071-0072]: … The operation 102 is an operation to be carried out with a secret cryptographic key block K 304 written on n bits. A table 301 comprises elements corresponding to all the possible values, i.e. 2.sup.n elements, arranged randomly. By way of example, n is equal to 8. An element 304 corresponds to a secret cryptographic key block of the secret-key operation 102 … The secret-key operation 102 is applied to the data block 101 with all the elements of the table 301 comprising the values of keys, either simultaneously, or sequentially. One thus obtains a transformed table 303 which comprises 2.sup.n elements, i.e. 256 elements. Each of these elements corresponds to the result of the operation 102 applied to the data block 101 with the secret key situated in the table 301 at the same address as this element. This table 303 comprises in particular an element 305 corresponding to the data block being encrypted, this block being the result of the secret-key operation 102 applied with the secret cryptographic key block 304 …);
storing, in a memory coupled to the processing unit, a substitution table including 2N1 selectable elements (Pelletier, Para [0007, 0019-0025, 0054-0060]: … The nonlinear operations are generally implemented in the form of substitution tables. Thus, a nonlinear operation corresponding to a substitution table tab[i], applied to a data item x may be written in the following form: y=tab[x] … determining and arranging the secondary secret keys randomly in an initial table comprising said secret cryptographic key block … storing in memory the address corresponding to said secret cryptographic key block in the initial table; applying the secret-key operation to the data block with the keys of the initial table and obtaining a first transformed table of 2.sup.n first elements (2N1 selectable elements), each first element corresponding to the result of the secret-key operation applied to the data block with the key situated in the initial table at the same address as said first element … The initial message to be encrypted has a size of 128 bits. It is generally processed in initial data blocks of one byte 201. To a data block of one byte for a determined round of the algorithm there corresponds a byte of a key … applying said nonlinear operation to the elements of said first transformed table and obtaining a second transformed table of 2.sup.n second elements, each second element corresponding to the result of the nonlinear operation applied to the first element situated at the same address in the first transformed table as said second element …),
all possible values of the input data ranging from 0 to 2N1-1 and corresponding respectively to the selectable elements in the substitution table (Pelletier, Para [0072-0075]: … The secret-key operation 102 is applied to the data block 101 with all the elements of the table 301 comprising the values of keys, either simultaneously, or sequentially. One thus obtains a transformed table 303 which comprises 2.sup.n elements, i.e. 256 elements … The operation being applied in an equiprobable manner with all the possible key values, this step is protected against any attack relating to an analysis of the information leaks during the execution of the calculation … the nonlinear operation 107 is applied either simultaneously, or sequentially, to all the elements of the table 303 to provide a table 402 which comprises 2.sup.n elements, i.e. 256 elements. Each element corresponds to the result of the nonlinear operation applied to the element of the table 303 that is situated at the same address …),
each selectable element including a plurality of data having the bit width N2, such that transformed values obtained by applying a [surjective] function to all the data of the selectable element include a same number of occurrences of all different values resulting from the applying the [surjective] function to all integer values from 0 to 2N2-1 (Pelletier, Para [0054, 0067-0075, 0046], FIG.1, 3-4: in a preferred embodiment, an initial table comprising all the possible values of one byte is constructed randomly. Thus, such a table comprises in particular the secret cryptographic key block to be applied to the data block by the operation "AddRoundKey" 202 … Such a table of keys comprises 256 elements, taking the values from 1 to 256. These values are arranged in a random order … FIG. 3 illustrates a secret-key operation 102 according to an embodiment of the invention … The secret-key operation 102 is applied to the data block 101 with all the elements of the table 301 comprising the values of keys, either simultaneously, or sequentially. One thus obtains a transformed table 303 which comprises 2.sup.n elements, i.e. 256 elements. Each of these elements corresponds to the result of the operation 102 applied to the data block 101 with the secret key situated in the table 301 at the same address as this element. This table 303 comprises in particular an element 305 corresponding to the data block being encrypted, this block being the result of the secret-key operation 102 applied with the secret cryptographic key block 304 … the nonlinear operation 107 is applied either simultaneously, or sequentially, to all the elements of the table 303 to provide a table 402 which comprises 2.sup.n elements, i.e. 256 elements. Each element corresponds to the result of the nonlinear operation applied to the element of the table 303 that is situated at the same address … in the case where the secret-key operation is carried out with a 128-bit secret cryptographic key comprising 16 secret cryptographic key blocks of one byte each …);
performing, by the processing unit, a single selection of one of the selectable elements in the substitution table, the selected selectable element being selected as a function of the input data (Pelletier, Para [0022-0023, 0071-0073]: … applying the secret-key operation to the data block with the keys of the initial table and obtaining a first transformed table of 2.sup.n first elements, each first element corresponding to the result of the secret-key operation applied to the data block with the key situated in the initial table at the same address as said first element … applying said nonlinear operation to the elements of said first transformed table and obtaining a second transformed table of 2.sup.n second elements, each second element corresponding to the result of the nonlinear operation applied to the first element situated at the same address in the first transformed table as said second element … The secret-key operation 102 is applied to the data block 101 with all the elements of the table 301 comprising the values of keys, either simultaneously, or sequentially. One thus obtains a transformed table 303 which comprises 2.sup.n elements, i.e. 256 elements. Each of these elements corresponds to the result of the operation 102 applied to the data block 101 with the secret key situated in the table 301 at the same address as this element. This table 303 comprises in particular an element 305 corresponding to the data block being encrypted, this block being the result of the secret-key operation 102 applied with the secret cryptographic key block 304 …); and
providing, by the circuit, the selected selectable element as a result of the requested operation, the requested output data of the requested operation applied to the received input data having a position in the selected selectable element which is determinable by the circuit (Pelletier, Para [0024]: … retrieving, from the second transformed table, the element (result/output) corresponding to the data block being encrypted situated at the address of said secret cryptographic key block …).”
However, Pelletier does not explicitly teach, but Wiener from same or similar field of endeavor teaches:
one of the plurality of selectable elements corresponding to the input data and comprising a requested output data of the requested operation applied to the input data (Wiener, Para [0037-0039], FIGURE FIG. 2-3, 5A-5C: … representing the set of inputs [x.sub.1,…, x.sub.W] as a corresponding set of values [p.sub.1,…, p.sub.M], wherein each value p.sub.j (j=1,…, M) comprises at least part of each input of a corresponding plurality of the inputs; … (b) generating a set of one or more results [q.sub.1,…, q.sub.N] from the set of values [p.sub.1,…, p.sub.M], by applying each sub-function F.sub.1 (j=1,…, N) to a corresponding set of one or more values in the set of values [p.sub.1,…, p.sub.M] to generate a respective result q.sub.j; and … forming each output y.sub.i as either a part of a corresponding one of the results or as a combination of at least part of each result of a corresponding plurality of the results …),
a surjective function (Wiener, Para [0146-0147]: … the invention aim to be able to execute code that implements the function F, securely in a so-called white-box environment. A "white box environment" is an execution environment in which a person can execute an amount of computer code (or software)--where the code implements the function F--and the person may inspect and modify the code (or be assumed to know the underlying algorithm that is being implemented) and/or, during execution of the code, the person may inspect and modify the values of data being used (i.e. the contents of the memory being used), the data flow and the process flow (or order of execution of instructions in the code). Embodiments of the invention therefore aim to be able to provide or generate code (that implements the function F) such that, even if the code is executed in a white-box environment, the person executing the code cannot determine the values of inputs to the function F and/or outputs of the function F and/or secret information used by the function F … In the following, one or more bijective functions (or transformations or transforms) will be used. A bijective function is a function that is injective (i.e. is a 1-to-1 mapping) and that is surjective (i.e. maps onto the whole of a particular range of values) …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wiener into the  Pelletier, because it would “provide or generate code (that implements the function F) such that, even if the code is executed in a white-box environment, the person executing the code cannot determine the values of inputs to the function F and/or outputs of the function F and/or secret information used by the function F (Wiener: Para [0146])”, thereby improving the security of execution of secret code and lessening the chance of secret code falling into wrong hands.
Regarding Claim 3. The combination of Pelletier-Wiener discloses the method of claim 1, wherein the [surjective] function is chosen as a function of a data leakage model of the circuit (Pelletier, Para [0027-0029, 0072-0073]: The element corresponding to the data block being encrypted can be retrieved from the second transformed table via a function resistant to an attack of SPA type taking as parameter the address of the given secret cryptographic key block. The expression "function resistant to attacks of SPA type" is understood to mean a function for which it is not possible to determine a secret key in a single trace of a leak. On considering that the leak signal W corresponding to a current, or else to an electromagnetic field, during manipulation of a byte .alpha. for a calculation of the algorithm, is of the following form:  W(.alpha.)=H(.alpha.)+b; where H(.alpha.) is the leak model and b the extrinsic and intrinsic noise … The operation being applied in an equiprobable manner with all the possible key values, this step is protected against any attack relating to an analysis of the information leaks during the execution of the calculation …); (Wiener, Para [0147] discloses surjective function).
Regarding Claim 4. The combination of Pelletier-Wiener discloses the method of claim 1, Wiener further teaches, “wherein the surjective function is at least one of the following functions:
an identity function (Wiener, Para [0151]: … both of T.sub.1 and T.sub.2 to be the identity transformation (i.e. T.sub.1 is the identity transformation if T.sub.1(s.sub.1)=s.sub.1 for all values of s.sub.1, so that a=1 and b=0 in the above example, and T.sub.2 is the identity transformation if T.sub.2(s.sub.2)=s.sub.2, so that c=1 and d=0 in the above example) ….);
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wiener into the combined teachings of Pelletier-Wiener with the motivation of being able to provide a method using identity transformation to be able to identify code being transformed, thus providing ability to inspect the code while it’s being tested for security vulnerability (Wiener: Para [0146-0147]).”
SUPPLEMENTAL PRELIMINARY AMENDMENTPage 3SerialNumber: 15/439,553Dkt: 0134-039001Filing Date: February 22, 2017a function providing a resultant value which is then reduced to a value corresponding to a Hamming weight; or
a function providing a Hamming weight of the value to which the function is applied.” 
Regarding Claim 5. The combination of Pelletier-Wiener discloses the method of claim 1, Pelletier further teaches, “wherein the requested operation comprises at least one of:
a symmetrical or asymmetrical encryption or decryption operation (Pelletier, FIG. 1: … step/bock 104 …)”;

a modular or non-modular multiplication operation with a secret data;
a logical operation Exclusive OR with a secret data;
a modular exponentiation operation using a secret data as an exponent; or
a modular reduction operation, using a secret data as a modulus.
Regarding Claims 6, 11 and 16. This claims contains all the same or similar limitations as claim 1, hence this claim is also rejected as claim 1.
Regarding Claims 8, 13 and 18. This claims contains all the same or similar limitations as claim 3, hence this claim is also rejected as claim 3.
Regarding Claims 9, 14 and 19. This claims contains all the same or similar limitations as claim 4, hence this claim is also rejected as claim 4.
Regarding Claims 10, 15 and 20. This claims contains all the same or similar limitations as claim 5, hence this claim is also rejected as claim 5.
(5) Response to Argument
Note below:
**** Examiner notes that the Honorable Patent Trial and Appeal Board, hereinafter, will be referred to as “board” for the sake of briefness of the examiner answer.
**** Examiner further notes that the filed appeal brief hereinafter, will be referred to as “brief”.
(I): Appellant states, on Page [8-12] of the brief:
“The rejection fails to establish a prima facie case of obviousness because it fails to disclose or render obvious all of the elements of claims 1, 6, 11 and 16.

receiving ... an input data to be processed by a requested operation, the input data having a bit width N1 greater than two, and the requested operation applied to the input data providing an output data having a bit width N2 greater than two;
storing ... a substitution table including 2N1 selectable elements, all possible values of the input data ranging from 0 to 2N1-1 and corresponding respectively to the selectable elements in the substitution table, one of the plurality of selectable elements corresponding to the input data and comprising a requested output data of the requested operation applied to the input data, each selectable element including a plurality of data having the bit width N2, such that transformed values obtained by applying a surjective function to all the data of the selectable element include a same number of occurrences of all different values resulting from the applying the surjective function to all integer values from 0 to 2N2-1;
performing ... a single selection of one of the selectable elements in the substitution table, the selected selectable element being selected as a function of the input data; and
providing ... the selected selectable element as a result of the requested operation, the requested output data of the requested operation applied to the input having a position in the selected selectable element which is determinable by the circuit. (Emphasis added)
 Thus, as described above, claim 1 recites techniques for protecting performance of an operation (e.g., an encryption operation) on provided input data of a given bit width (e.g., bit width N2) where performance of the operation is protected by, rather than directly executing the operation (alone, or conjunction with a plurality of dummy operations), providing a desired output data in an output data set that is obtained (e.g., as a selectable element) from a substitution table, such as a substitution table having the attributes recited in claim 1.
As recited in claim 1, performance of an operation being protected is achieved by selecting, e.g., in a 2-dimensional (2D), a selectable element. The selectable element is selected as a function of provided input data for performance of the protected operation (e.g., using the input data as an index). The selected selectable element is a data set including the expected output data, or a desired result of the operation, and is provided as the output of performance of the protected operation in claim 1. In addition, each selectable element of the claimed substitution table includes a plurality of data such that “transformed values obtained by applying a given surjective function to all the data of the selectable element include a same number of occurrences of all different values resulting from the applying the given surjective function to all integer values from 0 to 2N2-1”, where N2 is the bit size of each of the plurality of data in the selectable element.
In this manner, the desired output data of the operation is protected by being included among the provided output set (selectable element), and statistical bias cannot 
In contrast, Pelletier describes, with emphasis added, “in order to guarantee better confidentiality of the algorithm, for secret cryptographic key block, we determine all the possible values of n-bit keys, that is to say 2n values, or else 2n-1 n-bit dummy secondary secret keys different from the secret cryptographic key block. Then, the secret-key operation is carried out with the secret cryptographic key and also all these determined secondary secret keys.”* That is, in the approaches described in Pelletier, when performing a cryptographic operation “all the possible keys are manipulated in an equiprobable manner when the secret-key operation and the nonlinear operation are executed,”’ where an “initial table advantageously comprises all the possible key values.” “In a preferential embodiment, this table [i.e., of all possible keys] is created at each run of the AES algorithm.
The foregoing aspects of Pelletier are further described in paragraphs [0071]-[0072], presented below, with emphasis.
[0071] The operation 102 is an operation to be carried out with a secret cryptographic key block K 304 written on n bits. A table 301 comprises elements 
[0072] The secret-key operation 102 is applied to the data block 101 with all the elements of the table 301 comprising the values of keys, either simultaneously, or sequentially. One thus obtains a transformed table 303 which comprises 2” elements, i.e. 256 elements. Each of these elements corresponds to the result of the operation 102 applied to the data block 101 with the secret key situated in the table 301 at the same address as this element. This table 303 comprises in particular an element 305 corresponding to the data block being encrypted, this block being the result of the secret-key operation 102 applied with the secret cryptographic key block 304.
As is apparent from the foregoing, Pelletier is directed to approaches where direct execution of an operation is protected by executing the operation to be protected 2” times, i.e. by applying the operation to the all the values of a table 301 including all possible key values, and then performing non-linear operations on a table 303, where the table 303 is a transformed table created by the application of the operation to all possible key values of the table 301.'” It is further apparent from the foregoing that Pelletier, whether alone or combination with Wiener as proposed by the Office, that 
Notwithstanding the foregoing, the Office asserts, in the Final Office Action, that Pelletier, in combination with Wiener, discloses the claimed substitution table. Appellant submits that this assertion is in error. In asserting that Pelletier discloses the substitution table of claim 1, the Final Office Action, e.g., on pages 10-12, refers the table 301 of Pelletier, the table 303 of Pelletier, the table 402 of Pelletier, and the use of substitution tables to implement the non-linear functions of Pelletier.
As discussed above, the table 301 of Pelletier is a table of all possible key values, and the table 303 is a transformed table that is produced by application of an operation to all of the key values of the table 301. Further, the table 402 is another transformed table that is produced by applying a non-linear function to all the values of the table 303. Further, as noted above, Pelletier merely describes implementing a non-linear function (i.e., to transform the table 303 to the table 402) using a substitution table.”
	In response, Examiner disagrees with the Appellant’s characterization of the combination of Pelletier and Wiener prior arts alleging that the combination does not make the claimed invention obvious.
Examiner interprets that the claimed invention, as emphasized by the Appellant in the brief, involves the steps of:
(A) receiving an of input data with bit width of N1 and providing an output data with bit with of N2 as a result of an operation performed on the input data – this is interpreted as that the input data is an index/address that points to a location in a memory/storage and as a result of the operation reads the data out of the memory location
(B) the memory/storage stores data of a substitution table having 2N1 elements corresponding to the input data/address having N1 address bits. Furthermore, the substitution table is obtained using a surjective function – that is every element in the input data is transformed into an element in the substitution table, or in other words the each input index/address points to a location the in the substitution table that has the data to be read out. The data at the location of the substitution table is considered transformed data.
(C) An element of the substitution table is selected as a function of the input data – that is the input data acts as an address/index to select an element.
(D) finally the data is read out or is provided as pointed/indexed by the input data/address.
	Examiner would like to point board’s attention to Para [0007, 0019-0025, 0071-0073 0054-0060] of Pelletier prior art that have already been cited in the previous office action[s]:
“[0007] Several methods of protecting cryptographic algorithms of this type have already been proposed, in particular by masking the data being encrypted that are manipulated in the AES algorithm. The nonlinear operations are generally implemented in the form of substitution tables. Thus, a nonlinear operation 
[0019] In an embodiment of the invention, the method comprises, for a secret cryptographic key block, the steps consisting in: [0020] determining and arranging the secondary secret keys randomly in an initial table comprising said secret cryptographic key block; [0021] storing in memory the address corresponding to said secret cryptographic key block in the initial table; [0022] applying the secret-key operation to the data block with the keys of the initial table and obtaining a first transformed table of 2.sup.n first elements, each first element corresponding to the result of the secret-key operation applied to the data block with the key situated in the initial table at the same address as said first element; [0023] applying said nonlinear operation to the elements of said first transformed table and obtaining a second transformed table of 2.sup.n second elements, each second element corresponding to the result of the nonlinear operation applied to the first element situated at the same address in the first transformed table as said second element; [0024] retrieving, from the second transformed table, the element corresponding to the data block being encrypted situated at the address of said secret cryptographic key block. 
[0025] The initial table advantageously comprises all the possible key values.
[0071] The operation 102 is an operation to be carried out with a secret cryptographic key block K 304 written on n bits. A table 301 comprises elements corresponding to all the possible values, i.e. 2.sup.n elements, arranged randomly. By way of example, n is equal to 8. An element 304 corresponds to a secret cryptographic key block of the secret-key operation 102. The secret cryptographic key block is searched for in the table 301 preferably via a function resistant to SPA attacks. This type of search function is well known to the person skilled in the art and is not detailed in this document. Preferably, the address of the secret cryptographic key block is then stored in memory. 
[0072] The secret-key operation 102 is applied to the data block 101 with all the elements of the table 301 comprising the values of keys, either simultaneously, or sequentially. One thus obtains a transformed table 303 which comprises 2.sup.n elements, i.e. 256 elements. Each of these elements corresponds to the result of the operation 102 applied to the data block 101 with the secret key situated in the table 301 at the same address as this element. This table 303 comprises in particular an element 305 corresponding to the data block being encrypted, this block being the result of the secret-key operation 102 applied with the secret cryptographic key block 304. 
The operation being applied in an equiprobable manner with all the possible key values, this step is protected against any attack relating to an analysis of the information leaks during the execution of the calculation.”
	Examiner interprets that the above disclosure of Pelletier discloses storing input data block in memory, performing a non-linear operation to transform the data blocks in a substitution table, where the operation is performed in an equi-probable manner to all the data (key) blocks, and finally retrieving a data block from the substitution table (from the transformed table). Thus, Pelletier prior art discloses a substitution table for performing a non-linear function/operation.
(II): Appellant states, on Page [12-13] of the brief:
“Further with respect to claim 1, the Final Office Action concedes that Pelletier fails to disclose the aspects of claim 1 that “one of the plurality of selectable elements corresponding to the input data and comprising a requested output data of the requested operation applied to the input data” and “a surjective function.” The Final Office Action relies on Wiener as disclosing those aspects of the elements of claim 1.
With regard to the aspect of claim 1 that “one of the plurality of selectable elements corresponding to the input data and comprising a requested output data of the requested operation applied to the input data’, the Office Action asserts that paragraphs [0037]-[0039] compensate for this conceded deficiency of Pelletier. Paragraphs [0036]-[0039] of Wiener are presented below.
[0036] As shall be described in more detail below, the function F is a function for which one or more corresponding functions (referred to herein as “sub-functions” for ease of reference) Fi, ..., Fn can be defined so that, for a set of inputs {x1,... , 
[0037] (a) representing the set of inputs {x1,..., xw} as a corresponding set of values {pi,..., pm}, wherein each value pj (j=1, ..., M) comprises at least part of each input of a corresponding plurality of the inputs;
[0038] (b) generating a set of one or more results {qi, ... , qn} from the set of values {pi, ..., pm}, by applying each sub-function Fi G=1,..., N) to a corresponding set of one or more values in the set of values {pi,..., pm} to generate a respective result qj; and
[0039] (c) forming each output yi as either a part of a corresponding one of the results or as a combination of at least part of each result of a corresponding plurality of the results.
The foregoing portion of Wiener describes producing a set of results for a function F and its sub-functions from a set of inputs. It does not relate, whatsoever, to selection of selectable elements in a substitution table, as is in the manner recited in claim 1, and the Office has provided no explanation as to how the foregoing portion of Wiener, in combination with Pelletier, constitutes the elements of claim 1 for which the cited art is relied upon as disclosing. Further, in addition to these deficiencies of Wiener, Wiener also fails to compensate for the foregoing discussed deficiencies of Pelletier.”
In response, Examiner disagrees with the Appellant’s characterization that the cited portion of Wiener prior art is not relevant to the claimed invention. Examiner also notes that Appellant has not considered FIGUREs FIG. 2-3, 5a-5c that have been cited in the previous office action. Examiner specifically notes that FIGURE 5c and that FIGURE 3, along with cited portions from the specification does disclose the claimed limitation of “one of the plurality of selectable elements corresponding to the input data and comprising a requested output data of the requested operation applied to the input data”.
Examiner notes for the board that it has already been shown previously that Pelletier does disclose a substitution table that contains the transformed input data. Wiener in FIGURE 5c shows the selection of one of the selectable elements. Here FIGURE 5c shows a selectable element (q4) is selected from a number of selectable elements (p1 …p7) that correspond to inputs x1 ….x16.
(III): Appellant states, on Page [13-16] of the brief:
“Further with respect to the Office’s reliance on Wiener in combination with Pelletier, the Office asserts that Wiener, with additional reliance on paragraphs [0146], [0147] and [0150] compensates for the deficiency of Pelletier in disclosing the use of a surjective function, and discloses use of a substitution table to protect data.'’ Appellant disagrees with these assertions for, at least, the reasons noted above with respect to Wiener, paragraphs [0037]-[0039], as well as the following discussion of paragraphs [0146]-[0150], which are presented below.
[0146] Embodiments of the invention aim to be able to execute code that implements the function F, securely in a so-called white-box environment. A “white box environment” is an execution environment in which a person can execute an amount of computer code (or software)—where the code implements the function F—and the person may inspect and modify the code (or be assumed to know the underlying algorithm that is being implemented) and/or, during 
[0147] In the following, one or more bijective functions (or transformations or transforms) will be used. A bijective function is a function that is injective (i.e. is a 1-to-1 mapping) and that is surjective (i.e. maps onto the whole of a particular range of values). If the domain of possible input, values for the function T is domain Dom, and if the function T is an injective function (so that T(a)=T(b) if and only if a=b), then T is a bijective function from Dom onto the range T(Dom)={T(a): aeDom}.
[0148] An initial simple example will help understand how the use of bijective functions T can help achieve the above aim. In this example, the bijective functions T are linear transformations in a Galois field GF(¥") for some prime number 'P and positive integer n, i.e. T: GF(¥")—GF("). For example, if the processor executing the code uses Z-bit registers for its data (e.g. Z=32), then a Z-bit number may be viewed as an element of the Galois field GF(2“), so that P=2 and n=Z.
0149] Consider a predetermined function G that operates on elements si and s2in the Galois field GF('¥") according to r=G(s1, s2)=si+s2, where + is addition in the Galois field GF(¥"). In this Galois field GF(¥"), the addition sits2is the same as an XOR operation, so that r=G(s1, s2)=si@sz2. Let si*, s2* and r* be transformed versions of si, s2 and r according to respective linear transformations Ti, T2 and Ts in the Galois field GF(¥"), so that si*=Ti(si1)=a'sitb, s2*=T2(s2)=c:s2td and r*=T3(r)=e'r+f for arbitrary non-zero constants a, c, and e in the Galois field GF(¥"), and arbitrary constants b, d and f in the Galois field GF(¥") (so that constants a, c, and e may be randomly chosen from GF(‘¥")/{0} and constants b, d, and f may be randomly chosen from GF(®")). Then r*=e-(sits2)+f=e-(a! (si*+b)+c 1(s2*+d))t+f=g-si*th-s2*+i, where g=ea!l h=ec! and i=e-(a tb+e'd)+f.
[0150] Thus, given the transformed versions s1*=T1i(s1) and s2*=T2(s2) of the inputs si and sa, it is possible to calculate the transformed version r*=T3(r) of the result r without having to remove any of the transformations (i.e. without having to derive si and/or s2 from the versions si* and s2*). In particular, having defined the transformations T1, T2 and Ts by their respective parameters (a and b for Ti, c and d for T2, e and f for T3), a transformed version G* of the function G can be implemented according to G*(si*, s2*)=g:si*+h:s2*+i, where g=e-a !, h=e-c ! and i=e-(a 'bt+c'd)+f, so that r*=G*(si1*, s2*) can be calculated without determining/revealing si or s2 as an intermediate step in the processing. The result r can then be obtained from the transformed version r*=G*(s1*, s2*) of the result r, as r=e /(r*+f))—thus, a linear transformation T4 (which is the inverse of 
As described above, claim 1 recites a substitution table that includes one respective selectable element (e.g., a 1D table) per possible value of provided input data, and each selectable element includes desired output data of an operation applied to the input data corresponding to the selectable element. In other words, in implementations of claim 1, each possible output data of a protected operation is precomputed and inserted in a respective selectable element (of a substitution table) corresponding to the possible input data.
Wiener, alone or in combination with Pelletier fails to render such an approach obvious for at least the following reasons. For instance, in contrast with claim 1, cited paragraph [0146] of Wiener discloses executing code to implement a function F in a Further, cited paragraph [0147] of Wiener merely discloses characteristics of injective, surjective and bijective functions. Still further, cited paragraphs [0148] and [0149] of Wiener merely disclose applications of bijective functions or linear transformations in a Galois field, while cited paragraph [0150] of Wiener merely discloses a solution for protecting a function rm=G(s1,s2) by transforming that function into a function r*=G*(s1*, s2*), such that s1* = T1(s1), s2* = T2(s2), and r*=T3(r), where T1, T2, T3 are linear transformations.”
In response, Examiner notes for the board that, as shown in FIGURE 5c of Wiener prior art (p1 … p7) are computed based on inputs (x1 …x16) (Wiener Para [0132], noted for additional clarification) and one of (p1 … p7) can be selected that contains outputs (y1 ...y16). Examiner further notes that, as disclosed in cited portion, Para [0146-0147] of Wiener, a surjective function is used to perform the transformation function F.
Examiner further points to the board that Appellant does recognize (page 15 of the brief), as highlighted above, the application of “surjective function” in performing the transformation, but does not clarify why that disclosure in the Wiener prior is not disclosing the claimed surjective function.
(IV): Appellant states, on Page [16] of the brief:
“Accordingly, paragraphs [0146]-[0150] of Wiener, whether considered alone or in combination with Pelletier, fail to disclose, or render obvious, protecting performance 
Based on the above, Appellant submits that the rejection of claim 1 is in error, and should be reversed. Independent claims 6, 11 and 16, although differing in scope, recite at least the same or similar features as claim 1, and the rejection of those claims should be reversed for similar reasons.”
In response, Examiner notes for the board that, the portion of Wiener prior art (paragraph [0147) cited by Appellant as highlighted above discloses, “a solution for protecting a function rm=G(s1,s2) by transforming that function into a function r*=G*(s1*, s2*), such that s1* = T1(s1), s2* = T2(s2), and r*=T3(r), where T1, T2, T3 are linear transformations”. 
Wiener, Para [0146] (cited in previous office action) discloses, “Embodiments of the invention aim to be able to execute code, that implements the function F, securely in a so-called white-box environment. A "white box environment" is an execution environment in which a person can execute an amount of computer code (or software)--where the code implements the function F--and the person may inspect and modify the code (or be assumed to know the underlying algorithm that is being implemented) and/or, during execution of the code, the person may inspect and modify Embodiments of the invention therefore aim to be able to provide or generate code (that implements the function F) such that, even if the code is executed in a white-box environment, the person executing the code cannot determine the values of inputs to the function F and/or outputs of the function F and/or secret information used by the function F.”
Examiner also directs board to the following from Pelletier prior art:
“Para [0001]: The present invention relates to the field of cryptography and more particularly to the protection of the confidentiality of the keys used by cryptographic algorithms.
Para [0007]: Several methods of protecting cryptographic algorithms of this type have already been proposed, in particular by masking the data being encrypted that are manipulated in the AES algorithm. The nonlinear operations are generally implemented in the form of substitution tables. Thus, a nonlinear operation corresponding to a substitution table tab[i], applied to a data item x may be written in the following form: y=tab[x].”
Para [0010]: A first aspect of the invention proposes a method of executing a cryptographic calculation in an electronic component, according to a determined cryptographic algorithm including at least one secret-key operation to be carried out with a secret cryptographic key comprising m secret cryptographic key blocks of n bits on a data block, where m and n are positive integers.”
Examiner thus concludes that the combination of Pelletier and Wiener, based on the cited portion from the prior arts in the previous office actions and also as further clarified above does disclose, “a method, as recited in claim 1, that includes storing a substitution table having the claimed properties, selecting an element in the substitution table, the element including a plurality of data including expected output data, and providing, as the output, of the operation, the selected selectable element”. Also, as 6, 11 and 16 recites features similar to claim 1 and that the Appellant makes no further argument, they are also similarly disclosed as claim 1.
(V): Appellant states, on Page [16-17] of the brief:
“Appellant further submits that the Office relies on impermissible hindsight in rejecting, at least, the independent claims 1, 6, 11 and 16. “A factfinder should be aware, of course, of the distortion caused by hindsight bias and must be cautious of arguments reliant upon ex post reasoning.” KSR, Int’l v. Teleflex, Inc., 550 U.S. 398 (2007). Under this reasoning, "[i]t is impermissible within the framework of section 103 to pick and choose from any one reference only so much of it as will support a given position, to the exclusion of other parts necessary to  the full appreciation of what such reference fairly suggests to one of ordinary skill in the art." Jn re Wesslau, 353 F.2d 238 ,241 (CCPA 1965). Accord Bausch & Lomb, Inc. v. Barnes- Hind/Hydrocurve, Inc., 796 F.2d 443, 448 (Fed. Cir. 1986) (holding that the district court erred in finding a claim obvious because the district court failed to consider the context of an isolated line in the reference and instead improperly viewed this isolated line in light of the teaching of the patent at issue to hold for obviousness).
The idea to protect performance of an operation by, rather than directly executing the operation (alone, or conjunction with a plurality of dummy operations), providing a desired output data in an output data set that is obtained, e.g., as a selectable element, from a substitution table having the attributes recited in the independent claims, occurs in only one place in the present file history: Appellant’s Specification.
It is improper to combine references “like separate pieces of a simple jigsaw puzzle” InTouch Techs., Inc. v. VGO Comme’ns, Inc., 751 F.3d 1327, 1349 (Fed. Cir. 2014). Appellant submits that the Office, in the present rejection, uses Appellant’s claims as a blueprint for combining the references. Accordingly, because the rejection of claims 1, 6, 11 and 16 is based on hindsight, the rejection should be reversed.”
In response, Examiner points board’s attention to Para [0019-0024] from Pelletier prior art that have already been cited in previous office action:
“Para [0021]: storing in memory the address corresponding to said secret cryptographic key block in the initial table 
[0022] applying the secret-key operation to the data block with the keys of the initial table and obtaining a first transformed table of 2.sup.n first elements, each first 
[0023] applying said nonlinear operation to the elements of said first transformed table and obtaining a second transformed table of 2.sup.n second elements, each second element corresponding to the result of the nonlinear operation applied to the first element situated at the same address in the first transformed table as said second element
Para [0024]: retrieving, from the second transformed table, the element corresponding to the data block being encrypted situated at the address of said secret cryptographic key block.”
Examiner interprets the above citation from Pelletier prior does disclose Appellant’s claimed limitation of “providing, by the circuit, the selected selectable element as a result of the requested operation, the requested output data of the requested operation applied to the input data having a position in the selected selectable element which is determinable by the circuit”
Examiner further notes for the board that both Pelletier (Abstract, Para [0001]) and Wiener (Abstract, Para [0146], FIGs. 3, 5) prior arts provide means for securely executing computing algorithms/software. They both share similar means for providing a secure execution environment that is providing means for data transformation to keep the data secured. Therefore. Pelletier and Wiener prior arts are properly combined.
Examiner also notes that “so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).”
(VI): Appellant states, on Page [18-20] of the brief:
“Here, the obviousness rejections of the independent claims are supported by mere conclusory statements that lack articulated reasoning with rational underpinning to support the Office’s conclusion of obviousness. For instance, in asserting that the substitution table of the independent claims is disclosed by Pelletier and Wiener, and therefore obvious, the Final Office Action points to three different tables of the table 301 of Pelletier, the table 303 of Pelletier, and the table 402 of Pelletier, as well as the use of substitution tables to implement the non-linear functions of Pelletier.!” The Office then points Wiener’s discussion of generating a set of results for a function F from a set of inputs, and to Wiener’s use of injective, surjective and/or bijective functions to transform the function F.7° Neither the Final Office Action, nor the Advisory Action provide any clear articulation of the reasoning as to how it is believed these disparate attributes of the cited art render the independent claims obvious. The Final Office Action and the Advisory Action merely recite portions of the claims along with excerpts of the cited art, followed by mere conclusory statements that the claims are, therefore, obvious.
Further, in the Advisory Action, the Office states that, based on Wiener paragraphs [0037]-[0039] and [0146]-[0150], which were discussed in detail above, that “Examiner interprets that the cited portions of Weiner do disclose substitution table to protect data. The combination of Pelletier and Wiener discloses substitution table for performing cryptographic function, where substitution table can be generated using surjective function, and that the output data is hidden from outsider.” Again, the Office 
Additionally, Appellant presented the following remarks in its Final Office Action Response filed on June 2, 2021:
[T]he conclusion that claim 1, as well as the other independent claims and their respective dependent claims are obvious over Pelletier in view of Wiener is improper. That is, the assertion that the proposed combination “provide or generate code (that implements the function F) such that, even if the code is executed in a white-box environment, the person executing the code cannot determine the values of inputs to the function F and/or outputs of the function F and/or secret information used by the function (Wiener: Para [0146]) does not support the conclusion that the pending claims are obvious. For instance, even if the claimed methods aim to protect the operation by hiding the output data of the requested operation, claim 1 does not achieve that objective by providing or generating a protected executable code implementing a function (operation) to be protected, as the substitution table is not executable code.

In response to these remarks, the Advisory Action makes the conclusory assertion that “that ‘the code’ as in Wiener prior art and ‘the substitution table’ as in the claimed invention are all interpreted as data/bit patterns stored in memory/table. Therefore, they are considered to disclose similar features. The Office, again, provides no articulated reasoning to support the conclusion that executable code, as described in Wiener, constitutes the substitution table of the independent, let alone that includes the claimed aspects of that substitution table, or the use of the table in protecting performance of an operation, as recited in the independent claims. Such an interpretation 1s improper, and lacks any rational underpinnings, as it completely disregards fundamental differences between “data/bit patterns” implementing 
Appellant submits that, for at least the foregoing reasons, the rejection of the independent claims on Pelletier and Wiener, lacks articulated reasoning based on rational underpinnings. Accordingly, the rejection of those claims, and the claims depending therefrom should be reversed.”
In response, Examiner points board’s attention to the fact that both Pelletier (Abstract, Para [0001]) and Wiener (Abstract, Para [0146], FIGs. 3, 5) prior arts provide means for securely executing computing algorithms/software. They both share similar means for providing a secure execution environment that is providing means for data transformation to keep the data secured. Therefore. Pelletier and Wiener prior arts are properly combined.
Examiner also notes, as mentioned previously and in office actions, that both Pelletier and Wiener prior arts provide implementation of transformation by means of substitution tables.
Pelletier discloses “methods of protecting cryptographic algorithms of this type have already been proposed, in particular by masking the data being encrypted that are manipulated in the AES algorithm. The nonlinear operations are generally implemented in the form of substitution tables.”
Similarly in FIGUREs 2-3, 5a-c, already cited in the office actions and noted previously, and related disclosure of Wiener prior art does disclose performing the functions via lookup (substitution) table. Examiner points the board to the following from Wiener describing transformation via table, as they relate to FIGUREs 2-3, 5a-c:
“Para [0021] of Wiener discloses “FIGS. 5a-5c schematically illustrate how the method of FIG. 3 can be applied when the function F is a lookup table.
[0091] An initial example will aid understanding the method 300 as described above. Consider a predetermined a lookup table that is implemented by the function F. An example of how the method 300 can be applied to such a function F is described below with reference to FIGS. 5a-5c.
[0092] Assume that the input to the lookup table F is an input x that is an M-bit value, where the k.sup.th bit of x is b.sub.k so that the binary representation of x is b.sub.Mb.sub.M-1 . . . b.sub.2b.sub.1, (so that b.sub.k is 0 or 1 for k=1 … M). In the example described below, M=8, so that the binary representation of x is b.sub.8b.sub.7b.sub.6b.sub.5b.sub.4b.sub.3b.sub.2b.sub.1. Assume also that the output from the lookup table F (i.e. the value looked-up in response to receiving the input x) is an output y that is an N-bit value, where the k.sup.th bit of y is c.sub.k so that the binary representation of y is c.sub.Nc.sub.N-1 . . . c.sub.2c.sub.1, (so that 
[0146] Embodiments of the invention aim to be able to execute code that implements the function F, securely in a so-called white-box environment. A "white box environment" is an execution environment in which a person can execute an amount of computer code (or software)--where the code implements the function F--and the person may inspect and modify the code (or be assumed to know the underlying algorithm that is being implemented) and/or, during execution of the code, the person may inspect and modify the values of data being used (i.e. the contents of the memory being used), the data flow and the process flow (or order of execution of instructions in the code). Embodiments of the invention therefore aim to be able to provide or generate code (that implements the function F) such that, even if the code is executed in a white-box environment, the person executing the code cannot determine the values of inputs to the function F and/or outputs of the function F and/or secret information used by the function F.
[0147] In the following, one or more bijective functions (or transformations or transforms) will be used. A bijective function is a function that is injective (i.e. is a 1-to-1 mapping) and that is surjective (i.e. maps onto the whole of a particular range of values). If the domain of possible input, values for the function T is domain Dom, and if the function T is an injective function (so that T(a)=T(b) if and only if a=b), then T is a bijective function from Dom onto the range T(Dom)=[T(a): a.epsilon.Dom].”
Examiner notes for the board that the implementation of the table or function (F) is done using surjective function. The aim of this is to ensure security while performing the function, as noted in the cited portion of Wiener.
Examiner also notes that “obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, as cited from Pelletier and Wiener prior arts, they both perform execution of cryptographic algorithms via substitution (and/or lookup) tables that are used to transform security related information, like encryption key[s].”
(6) Conclusion of Examiner Answer
For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/MAHABUB S AHMED/Examiner, Art Unit 2434                                                                                                                                                                                                  
Conferees:
/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434                                                                                                                                                                                                        /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434                                                                                                                                                                                                        



Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.