DETAILED ACTION
This action is in response to new application filed 6/19/2020 titled “Device and Method for Protecting Execution of a Cryptographic Operation”. Claims 1-17 were received for consideration and are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/14/2020 and 7/22/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 



This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a group determination unit”, “a first unit configured to” and “a second unit configured to” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The claims 1 and 17 recite(s) “a first unit configured to perform a first elementary operation in each final group (E"i), the first elementary operation consisting in executing said modular operation between said auxiliary base (m") and an auxiliary scalar (da) in each final group E", which provides at least one result, the auxiliary scalar (da) being determined from the auxiliary element (x) and from the main scalar (d)” and “a second unit configured to perform a second elementary operation in each starting group E, the second elementary operation consisting in executing said modular operation between an additional auxiliary base and an additional auxiliary scalar d'b in each starting group, at least one of the additional auxiliary base and of the additional scalar being derived from the result of the first elementary operation”. 
The limitations of “a first unit configured to perform a first elementary operation in each final group (E"i), the first elementary operation consisting in executing said modular operation between said auxiliary base (m") and an auxiliary scalar (da) in each final group E", which provides at least one result, the auxiliary scalar (da) being determined from the auxiliary element (x) and from the main scalar (d)” and “a second unit configured to perform a second elementary operation in each starting group E, the second elementary operation consisting in executing said modular operation between 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element, a “group determination unit”. The “group determination unit” in both steps is recited at a high level of generality (i.e., as a generic processor performing a mathematical calculation) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform mathematical calculation amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Regarding claims 2-16, they do not contain significantly more, because the claims either recite a further abstract idea that is identified above, that is either related to altering data, or the claims recite what is routine or well known in the technical field of the claimed invention.

Appropriate action required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-10 and 12-17 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Rauzy et al “Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA”.
With respect to claims 1 and 17, Rauzy teaches a device for protecting the execution of a cryptographic operation from attacks (page 1, line 7: "...CRT-RSA countermeasures against fault-injection attacks..."), said cryptographic operation being implemented by a cryptographic algorithm (page 1, line 7: "CRT-RSA..."), said cryptographic operation comprising at least one modular operation (page 3, line 20: "...S=M^d mod N...") between a main base (m) (page 3, line 20: "...M...") representing a data block and at least one scalar (d) (page 3, line 20: "...d...") in at least one finite 
wherein said device comprises a group determination unit, said group determination unit being configured to: 
determine at least one intermediary group (E') (page 18, line 34: "...Z/r2Z...") different from said at least one starting group (E), the number of intermediary groups being equal to the number of starting groups E (page 3, line 20: "...mod N..."; the group of integers modulo N is the group Z/NZ); 
determine at least one final group (E") (page 18, line 27: "...Z/pr2Z..."; page 18, line 30: "...Z/qr2Z...") from said at least one starting group E and said at least one intermediary group E' (page 18, line 13-14: "... Choose a small random integer r. [...] N = p*q"); 
the base m being mapped to an auxiliary element (x) (page 18, line 34: "...S,...") in said at least one intermediary group and to an auxiliary base (m") (page 18, line 20: "...M'p..."; page 18, line 26: "...M’p,...") in said at least one final group E"; and wherein said device further comprises an execution engine (20) for executing each modular operation, said execution engine comprising: 
a first unit configured to perform a first elementary operation in each final group (E"i), the first elementary operation consisting in executing said modular operation between said auxiliary base (m") and an auxiliary scalar (da) (page 18, line 27: "...dp mod ϕ(p’)..."; page 18, line 30: "...dq mod ϕ(q’)...") in each final group E" (page 18, line 27: "...M'p^(dq mod ϕ (p')) mod p'..."; page 18, line 30: "...M'q^(dq mod ϕ(q')) mod q'..."), which provides at least one result (page 18, line 27: "...S'p..."; page 18, line 30: 
a second unit configured to perform a second elementary operation in each starting group E, the second elementary operation consisting in executing said modular operation (page 18, line 36: "...S'^(cp,cq,cs) mod N...") between an additional auxiliary base (page 18, line 36: "...S' [...] mod N...") and an additional auxiliary scalar d'b (page 18, line 36: "... cp,cq,cs...") in each starting group, at least one of the additional auxiliary base and of the additional scalar being derived from the result of the first elementary operation (page 18, line 33: "S'=S'q,+q(iq,(S'p,-S'q) mod p’')"; page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 2 Rauzy teaches the device of claim 1, wherein each modular operation between a base and a scalar in at least one given finite group comprises one or more iterations of a basis operation on the base (m) in said at least one finite group modulo an integer representing the order of said at least one group, said at least one group being associated with a given internal law, the number of iterations being defined by said at least one scalar, said basis operation being defined by the internal law of the group (see page 3, line 15-24: "...S=M^d mod N...").

With respect to claim 3 Rauzy teaches the device of claim 1, any preceding claim, wherein the device is further configured to determine an auxiliary parameter (db) as a function of said main scalar (d) and of said at least one auxiliary scalar (da) (page 18, line 33: "S'=S'q,+q(iq,(S'p,-S'q) mod p’')"; page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 4 Rauzy teaches the device of claim 3, wherein said main base is associated with a given order (r), the product of the auxiliary scalar (da) and of the auxiliary parameter (db) being equal to the main scalar (d) modulo the order of the base (r) (page 18, line 33: "S'=S'q,+q(iq,(S'p,-S'q) mod p’')"; page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 5 Rauzy teaches the device of claim 3, wherein the sum of the first auxiliary scalar (da) and of the auxiliary parameter (db) is equal to the main scalar (d) (page 18, line 33: "S'=S'q,+q(iq,(S'p,-S'q) mod p’')"; page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 6 Rauzy teaches the device of claim 3, wherein the auxiliary element (x) is determined from the auxiliary scalar (da) and the auxiliary parameter (db) (page 18, line 33: "S'=S'q,+q(iq,(S'p,-S'q) mod p’')"; page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 7 Rauzy teaches the device of claim 1, wherein the cryptographic algorithm is a Rivest, Shamir, and Adleman (RSA) algorithm, the RSA cryptographic algorithm being associated with a private key d, a public key e and a first and second system parameters (p, q), the system parameter being coprime, the public key (e) being prime to the first second system parameter minus one, and to the second parameter minus one, said modular operation being a modular exponentiation 

With respect to claim 8 Rauzy teaches the device of claim 6, wherein said auxiliary element (x) is determined such that the auxiliary parameter (db) is equal to said auxiliary element (x) raised to the first auxiliary scalar (da), in said intermediary group, plus one (page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 9 Rauzy teaches the device of claim 7, wherein said step of determining at least one intermediary group (E') comprising determining at least two intermediary group (E'1, E'2) (page 18, line 33: "S'=S'q,+q(iq,(S'p,-S'q) mod p’')"; page 18, line 35: "cs=S'-Sr,+1 mod r2").

With respect to claim 10 Rauzy teaches the device of claim 9, wherein said auxiliary element (x) is determined by solving an equation according to which the auxiliary parameter (db) is equal to the sum of the auxiliary element (x) raised to the first auxiliary scalar (da) in each intermediary group (page 4, lines 4-5: "dp = d mod (p-1), dq = d mod (q-1)").

With respect to claim 12 Rauzy teaches the device of claim 6, wherein said auxiliary element (x) is determined such that the second auxiliary scalar (db) is equal to one of the coordinate of the result point obtained by solving an equation according to 2")).

With respect to claim 13 Rauzy teaches the device of claim 1, wherein said additional auxiliary scalar (db') is the element corresponding to the result of the first elementary operation (s") in said at least one intermediary group (E') (page 18, line 27: " S'p=M'p^(dq mod ϕ (p')) mod p'..."; page 18, line 30: "...M'q^(dq mod ϕ(q')) mod q'..." and page 4, lines 4-5: "dp = d mod (p-1), dq = d mod (q-1)").

With respect to claim 14 Rauzy teaches the device of claim 1, wherein said additional auxiliary base (s) is the element corresponding to the result of the first elementary operation (s") in said at least one starting group (E) (page 18, line 27: " S'p=M'p^(dq mod ϕ (p')) mod p'..."; page 18, line 30: "...M'q^(dq mod ϕ(q')) mod q'..." and page 4, lines 4-5: "dp = d mod (p-1), dq = d mod (q-1)").

With respect to claim 15 Rauzy teaches the device of claim 1, wherein the execution engine is further configured to determine the product of the result of the second elementary operation by said additional auxiliary base (s), said product (md) representing the result of said modular operation (page 18, line 27: " S'p=M'p^(dq mod ϕ (p')) mod p'..."; page 18, line 30: "...M'q^(dq mod ϕ(q')) mod q'..." and page 4, lines 4-5: "dp = d mod (p-1), dq = d mod (q-1)").


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Rauzy et al “Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA” in view of RAUZY et al. "Using Modular Extension to Provably Protect ECC Against Fault Attacks”.
With respect to claim 11 Rauzy teaches the device of claim 1, but does not disclose wherein the cryptographic algorithm is an Elliptic Curve Cryptography algorithm lying on a given elliptic curve, and said cryptographic operation is a scalar multiplication between a binary number and a point of the elliptic curve defined in a coordinate system over a finite field, the binary point being a key.
Rauzy "Using Modular Extension to Provably Protect ECC Against Fault Attacks” teaches wherein the cryptographic algorithm is an Elliptic Curve Cryptography algorithm lying on a given elliptic curve, and said cryptographic operation is a scalar multiplication 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Rauzy in view of Rauzy to have used the modular extension, initially to computational protect CRT-RSA on ECC since they are thus easily maintained and the same idea could apply to post-quantum code-based cryptography, pairing, and homomorphic computation for instance. Therefore one would 

	
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492