Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 

Claims 1-20 are rejected under 35 USC 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 1 recites (emphasis added): 
An apparatus comprising: one or more processors to: 

compute a plurality of hash functions that combine additions, bit-level reordering, bit-linear mixing, and wide substitutions, wherein each of the plurality of hash functions differs in one of the additions, the bit-level reordering, the wide substitutions, or the bit-linear mixing; 

and access a hash table utilizing results of the plurality of hash functions

Examiner finds that the emphasized portions of claim 1 recite an abstract idea—namely, mathematical concepts. See MPEP 2106.04(a)(2)(I). 
When read as a whole, the recited limitations are directed to “mathematical relationships, mathematical formulas or equations, and mathematical calculations.” See id.


1 bit-linear mixing is a mathematical relationship and/or expression;2 and wide substitutions3 are a mathematical calculations when read in light of the specification. 
Examiner finds the following elements additional: 
An apparatus comprising: one or more processors to: 
. . .
and access a hash table utilizing results of the plurality of hash functions	

The recitation “An apparatus comprising: one or more processors to: 
. . .” is recited at a high level of generality and such that it amounts no more than mere instructions to apply the exception using a generic computer component. See MPEP 2106.05(f).  Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. 
Examiner finds that the element “and access a hash table utilizing results of the plurality of hash functions” does not amount to more than “generally linking the use of a judicial exception to a particular environment or field of use.” See MPEP 2106.05(h). That is, this element generally links the abstract idea to the computer field (i.e. execution on a generic computer). Examiner finds accessing a table of hash function results is part of a generic, general purpose computer.  See also Applicant’s specification at ¶¶ 14-17 (Many of 
	Mere instructions to apply an exception and/or generally linking the use of a judicial exception to a particular technological environment or field of use cannot integrate the exception into a practical application nor provide significantly more than the abstract idea. See MPEP 2106.05 (f) and (h). 
	As such, claim 1 is directed to an abstract idea without significantly more. 
	Claims 10 and 17 are rejected for the same reasons above. Claim 10’s “A method comprising: computing, by a processor” and claim 17’s “A non-transitory computer-readable storage medium having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: computing, by the one or more processors” both recite mere instructions to apply an exception and are subject to the analysis above. 
With respect to claim 2, Examiner finds “2. The apparatus of claim 1, wherein each entry of the hash table comprises a plurality of key-value pairs, and wherein the results of the plurality of hash functions are utilized as a key for the hash table” is a field of use limitation in that it generally links the exception to a generic computing environment.  See MPEP 2106.05(h). Claim 11 is rejected for the same reason. 
With respect to claim 3, Examiner finders “3. The apparatus of claim 1, wherein each hash function of the plurality of hash functions differs in their bit linear mixing steps” recites mathematical concepts in the form of mathematical calculations. 
With respect to claim 4, Examiner finds “The apparatus of claim 1, wherein the plurality of hash functions are keyed hash functions that share operations comprising the additions, the bit-level reordering, and the wide substitutions, but utilize different keys” is a field of use limitation in that it generally links the exception to a generic computing environment.  See MPEP 2106.05(h). 
With respect to claim 5, Examiner finds “The apparatus of claim 1, wherein the one or more processors are further to access a memory hierarchy where at least one level in the memory hierarchy comprises a plurality of cache units, wherein each cache unit of the plurality of cache units is accessed by computing outputs of different cryptographic hash functions from the plurality of hash functions” is a field of use limitation in that it generally links the exception to a generic computing environment.  See MPEP 2106.05(h). Claim 13 and claim 19 are rejected for the same reasons. 
With respect to claim 6, Examiner finds “6. The apparatus of claim 5, wherein the outputs of the different cryptographic hash functions are 
With respect to claim 7, Examiner finds “7. The apparatus of claim 1, wherein the plurality of hash functions further combine sequences of one of additions with carries or subtractions with borrows” recites a mathematical calculation. 
With respect to claim 8, Examiner finds “8. The apparatus of claim 1, wherein the wide substitutions comprise implementing S-boxes based on Galois Field (GF) inversion” recites a mathematical calculation. Claim 15 is rejected for the same reason. 
With respect to claim 9, Examiner finds “9. The apparatus of claim 1, wherein the hash table is to store metadata corresponding to cryptographic computing” recites mere data gathering and is therefore insignificant extra solution activity. See MPEP 2106.05(g). Claim 16 is rejected for the same reason. 
With respect to claim 12, Examiner finds “12. The method of claim 10, wherein the plurality of hash functions are keyed hash functions that share operations comprising the additions, the bit-level reordering, and the wide substitutions, but utilize different keys, and wherein each hash function of the plurality of hash functions differs in their bit linear mixing steps” is a field of use limitation in that it generally links the exception to a generic computing environment.  See MPEP 2106.05(h). Claim 18 is rejected for the same reason. 


As such, claims 2-9, 11-16, and 18-20 recite an abstract idea without significantly more. 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kounavis, Cryptographic Constructions Supporting Implicit Data Integrity, May 2018. 
With respect to claim 1, Kounavis teaches “1. An apparatus comprising: one or more processors to: compute a plurality of hash functions” on p. 4 (emphasis added below and throughout): 
. . Such implementation can use a content addressable memory unit or a hash table for accessing and managing MACs. We remind that MACs are significantly fewer than those required for protecting all the data, and this is the main advantage of this approach. . . 

“that combine additions,” 
“bit-level reordering” on p. 20 
The stage B indicates an entity reordering operation. Entities are groups of W2 bits. In this design W2 = 8 bits and this stage is a byte remapping operation. Entity reordering takes place across the entire width 

“bit-linear mixing” on p. 20 
Two subsequent stages denoted as ‘CM’ perform AES-like bit linear processing on their inputs, which we refer to as ‘column mixing’. In one realization the CM stages may implement the inverse mix columns or the mix columns transformation of AES. In general, the requirement for each CM stage is to implement bit linear systems that connect m W2-bit input entities to m W2-bit output entities using an MDS matrix. The rank of each bit linear system for each output entity should be exactly W2. It is easy to see that the AES mix columns and inverse mix columns transformations meet this requirement for m = 4 and W2 = 8 bits. For the proofs discussed below we require that m = 4. In the figure there are 16 first stage CM transformations denoted as ν0, . . . , ν15 and 16 second stage CM transformations denoted as µ0, . . . , µ15.

 “and wide substitutions” on p. 18 
The IVP construction is a three level confusion diffusion network. It first employs two rounds of substitution and permutation stages followed by a byte remapping stage. The byte remapping stage prepares the inputs to four parallel random permutations, which provide an encryption result. On the decrypt path this order is reversed. The construction is 512-bit wide and its internal stages are defined for specific input and state lengths, which are discussed below. The purpose of the two rounds of substitution and permutation stages is to diffuse every bit of the input into sets of 128 bits. Specifically, each bit is fully diffused into one of four sets of 128 bits. The purpose of the subsequent byte remapping stage is to change the order of bytes so that every 128-bit input, which is passed into the subsequent random permutations, contains bytes that depend on all 512 bits of the input. The random permutations of the construction can be realized using any block cipher which is 128-bit wide. For example, they can be realized as four independent AES block encryption stages. The preceding substitution and permutation stages can also be realized using AES round building blocks for convenience, as discussed later in this section.

and p.  20 

Sbox stands for substitution box. Substitution occurs in the granularity of W2 bits as in the case of the CM and RS stages. Each of width W2 bits. A substitution box is a randomly chosen 8-bit PseudoRandom Permutation (PRP) which can be realized in many ways, such as by combining key additions with strong non-linear bit mixing operations. In one realization the key values used by these PRPs are set at the beginning of the operation of the IVP construction. This is equivalent to selecting a set of W2-bit PRPs at random in the beginning of operation and using these PRPs as substitution boxes. It is under these considerations that we have proven specific security claims for the IVP construction, which we discuss in this section. Since we can select PRPs once at the beginning of operation of the construction, this means that we can have a single key set for the Sbox stages, which is independent of the keys used by the block ciphers that implement the random permutations R0, . . . , R3.

“wherein each of the plurality of hash functions differs in one of the additions, the bit-level reordering, the wide substitutions, or the bit-linear mixing” on p. 18
The IVP construction is a three level confusion diffusion network. It first employs two rounds of substitution and permutation stages followed by a byte remapping stage. The byte remapping stage prepares the inputs to four parallel random permutations, which provide an encryption result. On the decrypt path this order is reversed. The construction is 512-bit wide and its internal stages are defined for specific input and state lengths, which are discussed below. The purpose of the two rounds of substitution and permutation stages is to diffuse every bit of the input into sets of 128 bits. Specifically, each bit is fully diffused into one of four sets of 128 bits. The purpose of the subsequent byte remapping stage is to change the order of bytes so that every 128-bit input, which is passed into the subsequent random permutations, contains bytes that depend on all 512 bits of the input. The random permutations of the construction can be realized using any block cipher which is 128-bit wide. For example, they can be realized as four independent AES block encryption stages. The preceding substitution and permutation stages can also be realized using AES round building blocks for convenience, as discussed later in this section

(any number of different hash functions are taught by Kounavis); 
 “and access a hash table utilizing results of the plurality of hash functions” on p. 4  
hash table for accessing and managing MACs. We remind that MACs are significantly fewer than those required for protecting all the data, and this is the main advantage of this approach. . . 

With respect to claim 2, Kounavis teaches “2. The apparatus of claim 1, wherein each entry of the hash table comprises a plurality of key-value pairs, and wherein the results of the plurality of hash functions are utilized as a key for the hash table” on p. 11

Attackers can only do this through the modification of ciphertexts, where   ciphertexts are produced using keys unknown to the attackers.

More formally, the input perturbing adversary is defined as follows: Let’s consider a pair of encryption and decryption oracles E and D such that D = E−1 and for which D, E ∈ RO2 (f, B, ) for some f, B, . An input perturbing adversary MD(q0, . . . , qm−1, B) is defined as a polynomial time algorithm which:

With respect to claim 3, Kounavis teaches “3. The apparatus of claim 1, wherein each hash function of the plurality of hash functions differs in their bit linear mixing steps” on p. 20 
Two subsequent stages denoted as ‘CM’ perform AES-like bit linear processing on their inputs, which we refer to as ‘column mixing’.

Sbox stands for substitution box. Substitution occurs in the granularity of W2 bits as in the case of the CM and RS stages. Each Sbox stage in the figure is an array of multiple substitution boxes of width W2 bits. A substitution box is a randomly chosen 8-bit PseudoRandom Permutation (PRP) which can be realized in many ways, such as by combining key additions with strong non-linear bit mixing operations

p. 24 
The effects different numbers of non-zero byte stimuli have on column mixing transformations are further illustrated in Figure 16. These 

With respect to claim 4, Kounavis teaches “4. The apparatus of claim 1, wherein the plurality of hash functions are keyed hash functions that share operations comprising the additions, the bit-level reordering, and the wide substitutions, but utilize different keys” p. 11 
Another type of adversary, the ‘oracle replacing adversary’ is associated with replay attacks. Replay attacks may happen across key domains such as network sessions that are encrypted with different keys, or encrypted memory domains. 
p. 12
As in the case of the input perturbing adversary, this adversary also does not have any knowledge about possible keys used by E, D.

With respect to claim 5, Kounavis teaches “5. The apparatus of claim 1, wherein the one or more processors are further to access a memory hierarchy where at least one level in the memory hierarchy comprises a plurality of cache units” p. 4 
One issue that needs addressing, when building a system that protects data using the principle of implicit integrity, is how to detect corruption if data do not exhibit patterns. As we elaborate below, patterns can be found in up to 91% of the data of client workloads and 84% of the data of server workloads. The numbers come from observations on 111 million representative client workload cache lines and 1.4 billion representative server workload cache lines. Whereas such data can be protected using implicit integrity, the remaining 9% − 16% of the data need protecting also

p. 8 
The fact that uncompressed, unencrypted user data demonstrate patterns should not come as a surprise. User data often consist of code, data structures, media data, pointer tables, and other types of structured data that are characterized by significant redundancy. For example, there exists a simple pattern which is frequently encountered in client and server data. This is the appearance of 4 or more 16-bit words which are equal to each other in a collection of 32 words. In this pattern the input size is 512 bits (i.e., each data is a memory cache line).


We discuss that implicit integrity can be associated with a notion of security which is different from the typical requirement that the output of cryptographic systems should be indistinguishable from the output of a random permutation.

p. 5
In our work we also make extensive use of the results of references [11] [12] which allow us to consider the internal pseudo-random permutations of our constructions as truncated output random oracles. 

Claim 13 and claim 19 are rejected for the same reasons. 
With respect to claim 6, Kounavis teaches 6. The apparatus of claim 5, wherein the outputs of the different cryptographic hash functions are computed in parallel” in Fig. 10; p. 18 
It first employs two rounds of substitution and permutation stages followed by a byte remapping stage. The byte remapping stage prepares the inputs to four parallel random permutations, which provide an encryption result. On the decrypt path this order is reversed. The construction is 512-bit wide and its internal stages are defined for specific input and state lengths, which are discussed below.

“and wherein the plurality of cache units are accessed in parallel using the outputs as indexes to the plurality of cache units” in Fig. 10 and 
p. 18 
It first employs two rounds of substitution and permutation stages followed by a byte remapping stage. The byte remapping stage prepares the inputs to four parallel random permutations, which provide an encryption result. On the decrypt path this order is reversed. The construction is 512-bit wide and its internal stages are defined for specific input and state lengths, which are discussed below.

p. 33
ngoing research of ours shows that the client cache lines that can be compressed at reasonable cost are significantly fewer than those protected via implicit integrity (78% as opposed to 91%). A MAC engine can also be costlier to implement in hardware. In contrast, the IVP construction requires only the detection of patterns, avoiding compressing or decompressing the data. Furthermore, it burdens the encrypt/decrypt data path with only two additional rounds of permutation-substitution steps, avoiding the use of any extra MAC engine in HW.

Claim 14 and claim 20 are rejected for the same reason. 
With respect to claim 7, Kounavis teaches “7. The apparatus of claim 1, wherein the plurality of hash functions further combine sequences of one of additions with carries or subtractions with borrows” on p. 20 
Sbox stands for substitution box. Substitution occurs in the granularity of W2 bits as in the case of the CM and RS stages. Each Sbox stage in the figure is an array of multiple substitution boxes of width W2 bits. A substitution box is a randomly chosen 8-bit PseudoRandom Permutation (PRP) which can be realized in many ways, such as by combining key additions with strong non-linear bit mixing operations.

p. 32 (“T is an additive term”); 

p. 7 

A ‘constrained’ RO2 function or system uses a number of internal invertible functions which are random permutations and which, for the life time (i.e., query) bound B used, are practically indistinguishable from random oracles in both processing directions. . .

. . . Then, it is this response which is further used in the RO2 system for processing. Processing is done by an invertible polynomial time algorithm p() and 
the input y is no longer used.

p. 15 

they are invertible. By inverting the ingredient random permutations R0, R1, R2, on the response vector r 0 , one computes an input y 0 which needs to be provided to system 3 in order for the ingredient random permutations of this system to return the same response vector r 0 , which is returned in system 2. Due to R0, R1, R2, being bijective and the RO2 construction constraints introduced in Figure 3, input y 0 must be different from y

(subtraction with borrows include invertible function when read in light of specification); 
With respect to claim 8, Kounavis teaches “8. The apparatus of claim 1, wherein the wide substitutions comprise implementing S-boxes based on Galois Field (GF) inversion” in Fig. 11 and p. 20 
Sbox stands for substitution box. Substitution occurs in the granularity of W2 bits as in the case of the CM and RS stages. Each Sbox stage in the figure is an array of multiple substitution boxes of width W2 bits. A substitution box is a randomly chosen 8-bit PseudoRandom Permutation (PRP) which can be realized in many ways, such as by combining key additions with strong non-linear bit mixing operations. In one realization the key values used by these PRPs are set at the beginning of the operation of the IVP construction. This is equivalent to selecting a set of W2-bit PRPs at random in the beginning of operation and using these PRPs as substitution boxes. It is under these considerations that we have proven specific security claims for the IVP construction, which we discuss in this section. Since we can select PRPs once at the beginning of operation of the construction, this means that we can have a single key set for the Sbox stages, which is independent of the keys used by the block ciphers that implement the random permutations R0, . . . , R3.

p. 2 
Another area where our work applies is in network and communication systems which employ a number of different protocols at different layers of the network stack, ranging from the link layer to the application layer, with additional corruption detection mechanisms [3] [4] [24].

p. 35 
[24]M. Dworkin, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, NIST Special Publication 800-38D.

[25] J. Salowey, A. Choudhury and D. McGrew, AES Galois Counter Mode (GCM) Cipher Suites for TLS, RFC 5288.

Claim 15 is rejected for the same reason. 

With respect to claim 9, Kounavis teaches “9. The apparatus of claim 1, wherein the hash table is to store metadata corresponding to cryptographic computing” on p. 1
This paper addresses the problem of corruption detection without producing, storing or verifying mathematical summaries of the content. Such summaries, typically known as Message Authentication Codes (MACs) [3] [4] or Integrity Check Values (ICVs) are typically costly to maintain and use.
p. 4 
Otherwise, an integrity check is made using the returned MAC. Such implementation can use a content addressable memory unit or a hash table for accessing and managing MACs. We remind that MACs are significantly fewer than those required for protecting all the data, and this is the main advantage of this approach. Further investigations on hardware and operating system changes required in order to support implicit integrity are beyond the scope of this paper.

(Examiner finds MACs are metadata). Claim 16 is rejected for the same reason. 
With respect to claim 12, Kounavis teaches “12. The method of claim 10, wherein the plurality of hash functions are keyed hash functions that share operations comprising the additions, the bit-level reordering, and the wide substitutions, but utilize different keys” on p. 11 
Another type of adversary, the ‘oracle replacing adversary’ is associated with replay attacks. Replay attacks may happen across key domains such as network sessions that are encrypted with different keys, or encrypted memory domains. 
p. 12
As in the case of the input perturbing adversary, this adversary also does not have any knowledge about possible keys used by E, D.


The stage B indicates an entity reordering operation. Entities are groups of W2 bits. In this design W2 = 8 bits and this stage is a byte remapping operation. Entity reordering takes place across the entire width of the construction which is 4 · W1 bits. Entity reordering is an interleaving operation that ensures that outputs of the four ingredient random permutations of the construction are evenly distributed among the subsequent processing stages. Such interleaving operation is further discussed below. Two subsequent stages denoted as ‘CM’ perform AES-like bit linear processing on their inputs, which we refer to as ‘column mixing’.
Sbox stands for substitution box. Substitution occurs in the granularity of W2 bits as in the case of the CM and RS stages. Each Sbox stage in the figure is an array of multiple substitution boxes of width W2 bits. A substitution box is a randomly chosen 8-bit PseudoRandom Permutation (PRP) which can be realized in many ways, such as by combining key additions with strong non-linear bit mixing operations. 

p. 23 

The state S(µ0) of a 4 byte column mixing transformation µ0v  can only be any of the following three of Figure 15:

Claim 18 is rejected for the same reason. 
Conclusion
The following prior art is relevant to Applicant’s specification (emphasis added): 

US 20160239265 A1
[0016] Lossy compression is a common technique to compress datasets in floating point applications by rounding the least significant bits of the mantissa to zero. Existing compression algorithms require modification to accommodate rounded bits or odd alignments of bits, requiring awareness of more patterns, which can negatively impact compressibility. Embodiments are directed to systems and methods that improve compression in floating point applications by moving the rounded bits to the most significant positions to expose more patterns that can be compressed. A bit-remapping (or hashing mechanism) reorders the bits of the mantissa to expose more matching patterns for lossy compression, thus increasing the compression ratio of the data flow in floating point applications.

US 20120136889 A1
[0046] By combining the generated mask bit list from each set A-F, namely mask bit lists: {4, 5}, {4, 5, 6, 7}, {4}, {5, 6}, {5, 6}, and {5} a mask bit list is generated that allows for the generation of compressed keys that will uniquely address each MAC in the second tier bucket. Combined, the mask bit list is {4, 5, 4, 5, 6, 7, 4, 5, 6, 5, 6, and 5}. Again this list is reduced and reordered to {4, 5, 6, 7}. In another embodiment, the mask bit list generated at each set A-F is not reduced and reordered but rather the combined mask bit list is reduced and reordered which would render the same mask bit list for the combination of sets A-F. Using this combined mask bit list of {4, 5, 6, 7} each a compressed key can be generated for each of the MACs ([D2], [DC], [D4], [D8], [DD], [DA], and [DF]) such that each compressed key is unique to its corresponding MAC. Hence, the mask bit list and compressed key allows for a guarantee that no hash collisions will occur between MACs stored in that second tier data structure during a lookup of a MAC.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALBERT M PHILLIPS, III whose telephone number is (571)270-3256. The examiner can normally be reached 10a-6:30pm EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mariela D. Reyes can be reached on (571)270-1006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



/ALBERT M PHILLIPS, III/Primary Examiner, Art Unit 2159                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 See Applicant’s specification at ¶ 35 (placing bits in a “seemingly random order” requires a mathematical calculation.” 
        2 See id at ¶ 33 (“. . . The term ‘mixing’ may refer to computations on single bit values that involve a plurality of AND, OR, NAND, NOR, or XOR operations.”). 
        3 See id at ¶ 29, and ¶¶ 35-37.