DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
The present application is being examined under the claims filed on 09/22/2021.
Claims 21-23 are new.
Claims 4, 16, and 19 are canceled.
Claims 1, 15, and 20 are amended.
Claims 1-3, 5-15, 17, 18, and 20-23 are rejected.
Claims 1-3, 5-15, 17, 18, and 20-23 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in  37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/05/2021 has been entered.
 
Drawings
The Drawings filed on 08/23/2016 are acceptable for examination purposes.

Specification
The Specification filed on 08/23/2016 is acceptable for examination purposes.

Response to Arguments
In reference to 35 USC § 112(f)
Applicant asserts that as the pending claims include sufficient structure and do not include the phrase "means for" or "step for", the pending claims do not invoke 35 U.S.C. § 112(f).
Examiner respectfully disagrees. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. The generic place holders are “code loader”, “data up loader”, and “trusted execution environment”. Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. Examiner notes that either the claims or Instant Specification do not provide sufficient structure. Examiner further notes that claim 20 does use the term “means for”.
Applicant’s arguments filed 09/22/2021 have been fully considered but they are not persuasive.

In reference to 35 USC § 103
Applicant asserts that neither Stefanov nor Nikolaenko describes the ability of multiple parties to provide confidential information (separately) to the trusted execution environment, with the confidential information being encrypted with a special key that is then provided to the trusted execution environment that decrypts the confidential information for processing.
the client generates a fresh random PRP key K[p,l] so that blocks end up at random offsets every time that level is constructed. The client remembers the keys for all levels of all partitions in its local cache” which discloses each client encrypts their respective confidential data with a particular key, and each party provides their respective particular keys to the trusted execution environment; also see Fig. 5 and 6 and corresponding sections.
Applicant’s arguments filed 09/22/2021 have been fully considered but they are not persuasive.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

In reference to claims 1-14 and claim 20. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
“code loader […]” in claim 1.
“data up loader […]” in claim 1.
“trusted execution environment […]” in claim 1.
“trusted execution environment […]” in claim 2.
“trusted execution environment […]” in claim 3.
“trusted execution environment […]” in claim 5.
“trusted execution environment […]” in claim 9.
“trusted execution environment […]” in claim 10.
“trusted execution environment […]” in claim 11.
“trusted execution environment […]” in claim 12.
“trusted execution environment […]” in claim 13.
“trusted execution environment […]” in claim 14.
“means for loading machine learning code” in claim 20.
“means for uploading confidential data” in claim 20.
“means for executing the machine learning code” in claim 20
“trusted execution environment […]” in claim 21.
“trusted execution environment […]” in claim 22.
“data uploader […]” in claim 23.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


In reference to claims 1-3, 5-15, 17, 18, and 20-23. Claim limitations “code loader […]”, “data up loader […]”, “trusted execution environment […]”, “trusted execution environment […]”, “trusted execution environment […]”, “means for loading machine learning code”, “means for uploading confidential data”, and “means for executing the machine learning code” invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The disclosure is devoid of any structure that performs the function in 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

In reference to claims 1, 15, and 20. Claims 1-3, 5-15, 17, 18, and 20-23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 15, and 20 recite “where the trusted execution environment decrypts the confidential data using each particular key and executes the machine learning code using a data-oblivious procedure to process the decrypted confidential data and after encrypting a result using each particular key […]”. Examiner notes that the claim is unclear as to whether the “trusted execution environment” or the “machine learning code” is performing the encrypting. For examination purposes, the “trusted execution environment” will be interpreted as performing the encrypting.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 10, 14, 15, 17, 18, and 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Stefanov et al. (hereinafter Stefanov) US 20140007250 A1 in view of Nikolaenko et al. (hereinafter Nikolaenko) “Privacy-Preserving Ridge Regression on Hundreds of Millions of Records”.
In reference to claim 1. Stefanov teach a multi-party privacy-preserving machine learning system comprising:
“a trusted execution environment comprising at least one protected memory region” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses a trusted execution environment comprising at least one protected memory region “The trusted hardware may take the form of Trusted Platform Modules (TPMs) or secure co-processors to establish a Trusted Computing Base (TCB) at the cloud service provider”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB”);
“a code loader which loads […] code, received from a first party of a plurality of parties, into the protected memory region” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses loading code in the protected memory region of the trusted execution environment, see at least the server(s) and client(s). “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, “Let O-RAM* denote a recursive O-RAM scheme constructed as below. In O-RAM base' the client needs to store a position map of size cN (c<1). Now, instead of storing the position map locally on the client, store it in a recursive O-RAM on the server side. The pseudo code of the O-RAM* scheme would be otherwise be the same as in FIG. 3”, “The trusted hardware may take the form of Trusted Platform Modules (TPMs) or secure co-
“a data uploader which uploads confidential data received from a plurality of second parties of the plurality of parties, to the protected memory region, where each of the plurality of second parties encrypt their respective confidential data with a particular key, and wherein each of the plurality of second parties provide their respective particular keys to the trusted execution environment” (Stefanov in at least Fig. 6, Fig. 14, Fig. 15, ¶ [0163], ¶ [0279], ¶ [0303], and ¶ [0333]-[0336], see at least the server(s) and client(s). “[…] client uploads its shuffling buffer 112' into the first unfilled level […]”, “Our distributed O-RAM construction applies the a partitioning framework twice to achieve secure partitioning of an O-RAM across multiple servers”, and “shuffling is implemented in the form ofa pipeline. Each job consists of the following 5 stages: (1) starting all of the reads, (2) waiting for all of the reads to complete, (3) shuffling the read data locally, (4) starting all of the writes of the shuffled data, and (5) waiting for all of the writes to complete. Multiple jobs are performed in parallel such that the first stage of a job must complete before starting the first stage of the next job. The number of jobs in the pipeline is such that jobs get started as long as the sum of the amount of blocks they will read don't exceed the amount allowed by the shuffling buffer semaphore”. See Fig. 7 and ¶ [0167] “During a reshuffling operation, the client uses the pseudo-random permutation PRP to determine the offset of all blocks (real and dummy) within a level on the server. Every time blocks are shuffled and written into the next level, the client generates a fresh random PRP key K[p,l] so that blocks end up at random offsets every time that level is constructed. The client remembers the keys for all levels of all partitions in its local cache” which discloses each client encrypts their respective 
“where the trusted execution environment decrypts the confidential data using each particular key and executes the […] code using a data-oblivious procedure to process the decrypted confidential data and after encrypting a result using each particular key, return the encrypted result to one of the plurality of parties, where a data-oblivious procedure is a process where any patterns of memory accesses, patterns of disk accesses and patterns of network accesses are such that the confidential data cannot be predicted from the patterns” (Stefanov in at least Figs. 1-4C, Fig. 6, Fig. 14, Fig. 15, ¶ [0010], ¶ [0011], ¶ [0073], ¶ [0131]-[0134], ¶ [0163], ¶ [0239], ¶ [0279], ¶ [0291]-[0296], ¶ [0303], and ¶ [0333]-[0336] “Oblivious RAM (or O-RAM) is a term which has come to mean a primitive intended for hiding storage access patterns, with the problem being initially studied in the context of software protection, i.e., hiding a program's electronic data storage (memory) access patterns to prevent reverse engineering. With the trend of cloud computing, O-RAM also has important applications in privacy-preserving storage outsourcing applications”, “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB, and control encryption and privatizing access patterns”. See Fig. 7, ¶ [0167], 
“[…]; or wherein the trusted execution environment implements the data-oblivious procedure using combinations of one or more data oblivious primitives, wherein a data-oblivious primitive is an operation with no data-dependent branches and which does not reveal which input is used to produce its output” (Stefanov in at least Figs. 1-4C, Fig. 6, Fig. 14, Fig. 15, ¶ [0010], ¶ [0011], ¶ [0073], ¶ [0131]-[0134], ¶ [0163], ¶ [0239], ¶ [0279], ¶ [0291]-[0296], ¶ [0303], and ¶ [0333]-[0336] “Oblivious RAM (or O-RAM) is a term which has come to mean a primitive intended for hiding storage access patterns, with the problem being initially studied in the context of software protection, i.e., hiding a program's electronic data storage (memory) access patterns to prevent reverse engineering. With the trend of cloud computing, O-RAM also has important applications in privacy-preserving storage outsourcing applications”, “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB, and control encryption and privatizing access patterns”. Examiner further notes that this is an alternate limitation and is not always required by the claim).

Stefanov does not explicitly disclose:
“machine learning code”,
“wherein the trusted execution environment implements the data-oblivious procedure using oblivious random access memory to access the confidential data, and wherein the machine learning code is adapted to use the oblivious random access memory; or […]”.
However, Nikolaenko discloses:
“machine learning code” (Nikolaenko in at least § Abstract, § I, § III, and § IV “regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations”),
“wherein the trusted execution environment implements the data-oblivious procedure using oblivious random access memory to access the confidential data, and wherein the machine learning code is adapted to use the oblivious random access memory; or […]” (Nikolaenko in at least § III and § IV discloses the data oblivious transfer protocol. Nikolaenko in at least § I, § III, § IV, and § V “Once the circuits are constructed, the framework handles garbling, oblivious transfer and the complete evaluation of the garbled circuit”. Examiner further notes that this is an alternate limitation and is not always required by the claim. Examiner notes that an O-RAM is an algorithm at the interface of a protected CPU and the physical RAM such that it acts like a RAM to the CPU by querying the physical RAM for the CPU while hiding information about the actual memory access pattern of the CPU from the physical RAM. Nikolaenko clearly discloses a machine learning algorithm implementing an O-RAM algorithm, therefore the machine learning code is adapted to use the O-RAM).
because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) "Obvious to try" choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.

In reference to claim 2. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment executes the machine learning code either to:
Nikolaenko further discloses:
“train a machine learning system or to use an already trained machine learning system to generate predictions” (Nikolaenko in at least § I disclose using the learning algorithm to both train the system and to use the trained system to generate a prediction).

In reference to claim 3. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment implements the data-oblivious procedure using:
Stefanov further discloses:
“oblivious random access memory to access the confidential data” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses a trusted execution environment comprising at least one protected memory region “The trusted hardware may take the form of Trusted Platform Modules (TPMs) or secure co-processors to establish a Trusted Computing Base (TCB) at the cloud service provider”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB”).

In reference to claim 10. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment uses:
Nikolaenko further discloses:
“a data-oblivious procedure which iteratively computes weights of a support vector machine” (Nikolaenko in at least § VIII discloses the iteration process and using support vectors machines).

In reference to claim 14. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment uses:
Nikolaenko further discloses:
“a data-oblivious procedure which computes a matrix factorization by obliviously scanning at least one matrix comprising rows of user data and rows of item data, the rows being interleaved such that a scan of a column of the matrix outputs data for an individual user at a specified rate” (Nikolaenko in at least § VIII discloses using matrix factorization to extract item profiles from ratings their users generate).

In reference to claim 15. Stefanov teach a method at a multi-party privacy-preserving machine learning system comprising:
“loading […] code, received from a first party of a plurality of parties, into a protected memory region at a trusted execution environment” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses loading code in the protected memory region of the trusted execution environment, see at least the server(s) and client(s). “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, “Let O-RAM* denote a recursive O-RAM scheme constructed as below. In O-RAM base' the client needs to store a position map of size cN (c<1). Now, instead of storing the position map locally on the client, store it in a recursive O-RAM on the server side. The pseudo code of the O-RAM* scheme would be otherwise be the same as in FIG. 3”, “The trusted hardware may take the form of Trusted Platform Modules (TPMs) or secure co-processors to establish a Trusted Computing Base (TCB) at the cloud service provider”, and 
“uploading confidential data received from a plurality of second parties of the plurality of parties, to the protected memory region, where each of the plurality of second parties encrypt their respective confidential data with a particular key, and wherein each of the plurality of second parties provide their respective particular keys to the trusted execution environment” (Stefanov in at least Fig. 6, Fig. 14, Fig. 15, ¶ [0163], ¶ [0279], ¶ [0303], and ¶ [0333]-[0336], see at least the server(s) and client(s). “[…] client uploads its shuffling buffer 112' into the first unfilled level […]”, “Our distributed O-RAM construction applies the a partitioning framework twice to achieve secure partitioning of an O-RAM across multiple servers”, and “shuffling is implemented in the form ofa pipeline. Each job consists of the following 5 stages: (1) starting all of the reads, (2) waiting for all of the reads to complete, (3) shuffling the read data locally, (4) starting all of the writes of the shuffled data, and (5) waiting for all of the writes to complete. Multiple jobs are performed in parallel such that the first stage of a job must complete before starting the first stage of the next job. The number of jobs in the pipeline is such that jobs get started as long as the sum of the amount of blocks they will read don't exceed the amount allowed by the shuffling buffer semaphore”. See Fig. 7 and ¶ [0167] “During a reshuffling operation, the client uses the pseudo-random permutation PRP to determine the offset of all blocks (real and dummy) within a level on the server. Every time blocks are shuffled and written into the next level, the client generates a fresh random PRP key K[p,l] so that blocks end up at random offsets every time that level is constructed. The client remembers the keys for all levels of all partitions in its local cache” which discloses each client encrypts their respective confidential data with a particular key, and each party provides their respective particular 
“executing the […] code in the trusted execution environment decrypts the confidential data using each particular key and executes the […] code using a data-oblivious procedure to process the decrypted confidential data and after encrypting a result using each particular key, return the encrypted result to one of the plurality of parties, where a data-oblivious procedure is a process where any patterns of memory accesses, patterns of disk accesses and patterns of network accesses are such that the confidential data cannot be predicted from the patterns” (Stefanov in at least Figs. 1-4C, Fig. 6, Fig. 14, Fig. 15, ¶ [0010], ¶ [0011], ¶ [0073], ¶ [0131]-[0134], ¶ [0163], ¶ [0239], ¶ [0279], ¶ [0291]-[0296], ¶ [0303], and ¶ [0333]-[0336] “Oblivious RAM (or O-RAM) is a term which has come to mean a primitive intended for hiding storage access patterns, with the problem being initially studied in the context of software protection, i.e., hiding a program's electronic data storage (memory) access patterns to prevent reverse engineering. With the trend of cloud computing, O-RAM also has important applications in privacy-preserving storage outsourcing applications”, “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB, and control encryption and privatizing access patterns”. See Fig. 7, ¶ [0167], ¶ [0292] “the inventive 0-RAM load balancer and 0-RAM node processes are implemented 
“[…]; or wherein the trusted execution environment implements the data-oblivious procedure using combinations of one or more data oblivious primitives, wherein a data-oblivious primitive is an operation with no data-dependent branches and which does not reveal which input is used to produce its output” (Stefanov in at least Figs. 1-4C, Fig. 6, Fig. 14, Fig. 15, ¶ [0010], ¶ [0011], ¶ [0073], ¶ [0131]-[0134], ¶ [0163], ¶ [0239], ¶ [0279], ¶ [0291]-[0296], ¶ [0303], and ¶ [0333]-[0336] “Oblivious RAM (or O-RAM) is a term which has come to mean a primitive intended for hiding storage access patterns, with the problem being initially studied in the context of software protection, i.e., hiding a program's electronic data storage (memory) access patterns to prevent reverse engineering. With the trend of cloud computing, O-RAM also has important applications in privacy-preserving storage outsourcing applications”, “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB, and control encryption and privatizing access patterns”. Examiner further notes that this is an alternate limitation and is not always required by the claim).


“machine learning code”,
“wherein the trusted execution environment implements the data-oblivious procedure using oblivious random access memory to access the confidential data, and wherein the machine learning code is adapted to use the oblivious random access memory; or […]”.
However, Nikolaenko discloses:
“machine learning code” (Nikolaenko in at least § Abstract, § I, § III, § IV “regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations”),
“wherein the trusted execution environment implements the data-oblivious procedure using oblivious random access memory to access the confidential data, and wherein the machine learning code is adapted to use the oblivious random access memory; or […]” (Nikolaenko in at least § III and § IV discloses the data oblivious transfer protocol. Nikolaenko in at least § I, § III, § IV, and § V “Once the circuits are constructed, the framework handles garbling, oblivious transfer and the complete evaluation of the garbled circuit”. Examiner further notes that this is an alternate limitation and is not always required by the claim. Examiner notes that an O-RAM is an algorithm at the interface of a protected CPU and the physical RAM such that it acts like a RAM to the CPU by querying the physical RAM for the CPU while hiding information about the actual memory access pattern of the CPU from the physical RAM. Nikolaenko clearly discloses a machine learning algorithm implementing an O-RAM algorithm, therefore the machine learning code is adapted to use the O-RAM).
because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) "Obvious to try" choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.

In reference to claim 17. Stefanov and Nikolaenko teach the method of claim 15 (as mentioned above) comprising executing the machine learning code as either:
Nikolaenko further discloses:
“a training process or a test time process” (Nikolaenko in at least § I disclose using the learning algorithm to train the system).

In reference to claim 18. Stefanov and Nikolaenko teach the method of claim 15 (as mentioned above) comprising implementing the data-oblivious procedure using:
Stefanov further discloses:
“oblivious random access memory to access the confidential data” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses a trusted execution environment comprising at least one protected memory region “The trusted hardware may take the form of Trusted Platform Modules (TPMs) or secure co-processors to establish a Trusted Computing Base (TCB) at the cloud service provider”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB”),

In reference to claim 20. Stefanov teach a multi-party privacy-preserving machine learning system comprising:
“means for loading […] code, received from a first party of a plurality of parties, into a protected memory region at a trusted execution environment” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses loading code in the protected memory region of the trusted execution environment, see at least the server(s) and client(s). “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, “Let O-RAM* denote a recursive O-RAM scheme constructed as below. In O-RAM base' the client needs to store a position map of size cN (c<1). Now, instead of storing the position map locally on the client, store it in a recursive O-RAM on the server side. The pseudo code of the O-RAM* scheme would be otherwise be the same as in FIG. 3”, 
“means for uploading confidential data received from a plurality of second parties of the plurality of parties, to the protected memory region, where each of the plurality of second parties encrypt their respective confidential data with a particular key, and wherein each of the plurality of second parties provide their respective particular keys to the trusted execution environment” (Stefanov in at least Fig. 6, Fig. 14, Fig. 15, ¶ [0163], ¶ [0279], ¶ [0303], and ¶ [0333]-[0336], see at least the server(s) and client(s). “[…] client uploads its shuffling buffer 112' into the first unfilled level […]”, “Our distributed O-RAM construction applies the a partitioning framework twice to achieve secure partitioning of an O-RAM across multiple servers”, and “shuffling is implemented in the form ofa pipeline. Each job consists of the following 5 stages: (1) starting all of the reads, (2) waiting for all of the reads to complete, (3) shuffling the read data locally, (4) starting all of the writes of the shuffled data, and (5) waiting for all of the writes to complete. Multiple jobs are performed in parallel such that the first stage of a job must complete before starting the first stage of the next job. The number of jobs in the pipeline is such that jobs get started as long as the sum of the amount of blocks they will read don't exceed the amount allowed by the shuffling buffer semaphore”. See Fig. 7 and ¶ [0167] “During a reshuffling operation, the client uses the pseudo-random permutation PRP to determine the offset of all blocks (real and dummy) within a level on the server. Every time blocks are shuffled and written into the next level, the client generates a fresh random PRP key K[p,l] so that blocks end up at random offsets every time that level is constructed. The client remembers the keys for all levels of all partitions in its local cache” which discloses each client encrypts their respective confidential data with a particular key, and each party provides their respective particular keys to the trusted execution environment; also see Fig. 5 and 6 and corresponding sections);
“means for decrypting the confidential data using each particular key and executing the […] code using a data-oblivious procedure to process the decrypted confidential data and after encrypting a result using each particular key, return the encrypted result to one of the plurality of parties, where a data-oblivious procedure is a process where any patterns of memory accesses, patterns of disk accesses and patterns of network accesses are such that the confidential data cannot be predicted from the patterns” (Stefanov in at least Figs. 1-4C, Fig. 6, Fig. 14, Fig. 15, ¶ [0010], ¶ [0011], ¶ [0073], ¶ [0131]-[0134], ¶ [0163], ¶ [0239], ¶ [0279], ¶ [0291]-[0296], ¶ [0303], and ¶ [0333]-[0336] “Oblivious RAM (or O-RAM) is a term which has come to mean a primitive intended for hiding storage access patterns, with the problem being initially studied in the context of software protection, i.e., hiding a program's electronic data storage (memory) access patterns to prevent reverse engineering. With the trend of cloud computing, O-RAM also has important applications in privacy-preserving storage outsourcing applications”, “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB, and control encryption and privatizing access 
“[…]; or wherein the trusted execution environment implements the data-oblivious procedure using combinations of one or more data oblivious primitives, wherein a data-oblivious primitive is an operation with no data-dependent branches and which does not reveal which input is used to produce its output” (Stefanov in at least Figs. 1-4C, Fig. 6, Fig. 14, Fig. 15, ¶ [0010], ¶ [0011], ¶ [0073], ¶ [0131]-[0134], ¶ [0163], ¶ [0239], ¶ [0279], ¶ [0291]-[0296], ¶ [0303], and ¶ [0333]-[0336] “Oblivious RAM (or O-RAM) is a term which has come to mean a primitive intended for hiding storage access patterns, with the problem being initially studied in the context of software protection, i.e., hiding a program's electronic data storage (memory) access patterns to prevent reverse engineering. With the trend of cloud computing, O-RAM also has important applications in privacy-preserving storage outsourcing applications”, “Standard security definitions for O-RAMs are generally adopted in this specification. Intuitively, maintaining O-RAM security requires that the server learns nothing about the access pattern. In other words, no information should be available (leakable) on the server side regarding: (1) which data is being accessed; (2) how old the data is (e.g., when it was last accessed); (3) whether the same data is being accessed (linkability); (4) access patterns (e.g., sequential, random, etc.,); or (5) whether the access is a read or a write”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB, and control encryption and privatizing access patterns”. Examiner further notes that this is an alternate limitation and is not always required by the claim).

Stefanov does not explicitly disclose:
“machine learning code”,
“wherein the trusted execution environment implements the data-oblivious procedure using oblivious random access memory to access the confidential data, and wherein the machine learning code is adapted to use the oblivious random access memory; or […]”.
However, Nikolaenko discloses:
“machine learning code” (Nikolaenko in at least § Abstract, § I, § III, § IV “regression is an algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. The algorithm is a building block for many machine-learning operations”),
“wherein the trusted execution environment implements the data-oblivious procedure using oblivious random access memory to access the confidential data, and wherein the machine learning code is adapted to use the oblivious random access memory; or […]” (Nikolaenko in at least § III and § IV discloses the data oblivious transfer protocol. Nikolaenko in at least § I, § III, § IV, and § V “Once the circuits are constructed, the framework handles garbling, oblivious transfer and the complete evaluation of the garbled circuit”. Examiner further notes that this is an alternate limitation and is not always required by the claim. Examiner notes that an O-RAM is an algorithm at the interface of a protected CPU and the physical RAM such that it acts like a RAM to the CPU by querying the physical RAM for the CPU while hiding information about the actual memory access pattern of the CPU from the physical RAM. Nikolaenko clearly discloses a machine learning algorithm implementing an O-RAM algorithm, therefore the machine learning code is adapted to use the O-RAM).
because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) "Obvious to try" choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.

In reference to claim 21. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of Claim 20 (as mentioned above), wherein the trusted execution environment executes the machine learning code either to:
Nikolaenko further discloses:
“train a machine learning system or to use an already trained machine learning system to generate predictions” (Nikolaenko in at least § I disclose using the learning algorithm to both train the system and to use the trained system to generate a prediction).

In reference to claim 22. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of Claim 20 (as mentioned above), wherein the trusted execution environment implements the data-oblivious procedure using:
Stefanov further discloses:
“oblivious random access memory to access the confidential data” (Stefanov in at least Figs. 1-4C, Fig. 14, Fig. 15, ¶ [0073], ¶ [0131]-[0134], ¶ [0239], and ¶ [0291]-[0296] discloses a trusted execution environment comprising at least one protected memory region “The trusted hardware may take the form of Trusted Platform Modules (TPMs) or secure co-processors to establish a Trusted Computing Base (TCB) at the cloud service provider”, and “the inventive O-RAM load balancer and O-RAM node processes are implemented within the distributed TCB”).

Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Stefanov et al. (hereinafter Stefanov) US 20140007250 A1 in view of Nikolaenko et al. (hereinafter Nikolaenko) “Privacy-Preserving Ridge Regression on Hundreds of Millions of Records” in view of Ren et al. (hereinafter Ren) “Design space exploration and optimization of path oblivious RAM in secure processors”.
In reference to claim 5. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment implements the data-oblivious procedure using:
Stefanov and Nikolaenko do not explicitly disclose:
“combinations of one or more data oblivious primitives, at least one of the data-oblivious primitives being an operation to access an array by scanning the array at cache-line granularity rather than at element or byte granularity”.

“combinations of one or more data oblivious primitives, at least one of the data-oblivious primitives being an operation to access an array by scanning the array at cache-line granularity rather than at element or byte granularity” (Ren in at least § 3.3.1 “When a block (cache line) in ORAM is requested, the ORAM interface returns the block to on-chip cache and removes the block from ORAM”).
It would have obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Stefanov, Nikolaenko, and Ren. Stefanov teaches concealing access patterns to data storage, such as within servers of a cloud computing environment. Concealment is performed with respect to accesses from the client to server using an oblivious sorting protocol. Nikolaenko teaches an oblivious transfer protocol using a ridge regression algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. Ren teaches optimizations to Path ORAM a type of ORAM. One of ordinary skill would have motivation to combine Stefanov, Nikolaenko, and Ren because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) "Obvious to try" choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.

In reference to claim 6. Stefanov, Nikolaenko, and Ren teach the multi-party privacy preserving machine learning system of claim 5 (as mentioned above) wherein:
Ren further discloses:
“a vector operation is used to implement the scanning of the array at cache-line granularity” (Ren in at least § 3.3.1 “When a block (cache line) in ORAM is requested, the ORAM interface returns the block to on-chip cache and removes the block from ORAM”).

Claims 7-9, 11, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Stefanov et al. (hereinafter Stefanov) US 20140007250 A1 in view of Nikolaenko et al. (hereinafter Nikolaenko) “Privacy-Preserving Ridge Regression on Hundreds of Millions of Records” in view of Pathak et al. (hereinafter Pathak) Privacy-Preserving Machine Learning for Speech Processing.
In reference to claim 7. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) where:
Stefanov and Nikolaenko do not explicitly disclose:
“the received data comprises labeled training data”,
However, Pathak discloses:
 “the received data comprises labeled training data” (Pathak in at least § 3.2.7, § 3.3, § 11.2.4 to § 11.3.2, § 11.3.4, and § A.2 to § A.2.2 discloses the labeled training data),
It would have obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Stefanov, Nikolaenko, and Pathak. Stefanov teaches concealing access patterns to data storage, such as within servers of a cloud computing environment. Concealment is performed with respect to accesses from the client to server using an oblivious sorting protocol. Nikolaenko teaches an oblivious transfer protocol using a ridge regression algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. Pathak teaches Privacy-Preserving Machine Learning and Oblivious Transfer. One of ordinary skill would have motivation to combine Stefanov, Nikolaenko, and Pathak because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, 

Stefanov further discloses:
“wherein the data uploader or the trusted execution environment is configured to securely shuffle the labeled training data prior to execution of the machine learning code” (Stefanov in at least Fig. 6, Fig. 14, Fig. 15, ¶ [0163], ¶ [0279], ¶ [0303], and ¶ [0333]-[0336] “[…] client uploads its shuffling buffer 112' into the first unfilled level […]”, “Our distributed O-RAM construction applies the a partitioning framework twice to achieve secure partitioning of an O-RAM across multiple servers”, and “shuffling is implemented in the form ofa pipeline. Each job consists of the following 5 stages: (1) starting all of the reads, (2) waiting for all of the reads to complete, (3) shuffling the read data locally, (4) starting all of the writes of the shuffled data, and (5) waiting for all of the writes to complete. Multiple jobs are performed in parallel such that the first stage of a job must complete before starting the first stage of the next job. The number of jobs in the pipeline is such that jobs get started as long as the sum of the amount of blocks they will read don't exceed the amount allowed by the shuffling buffer semaphore”).

In reference to claim 8. Stefanov, Nikolaenko, and Pathak teach the multi-party privacy-preserving machine learning system of claim 7 (as mentioned above) wherein the secure shuffle comprises:

“an oblivious implementation of a sorting process or a random permutation of the training data hidden from an adversary” (Nikolaenko in at least Fig. 3, § I, § III, § IV, and § V “We now present a modification that avoids decrypting (A; b) in the garbled circuit using random masks”).

In reference to claim 9. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment uses:
Stefanov and Nikolaenko do not explicitly disclose:
“a data-oblivious procedure which iteratively computes centroids of clusters of data”.
However, Pathak discloses:
“a data-oblivious procedure which iteratively computes centroids of clusters of data” (Pathak in at least § 3.2.7, § 3.3, § 11.2.4 to § 11.3.2, § 11.3.4, and § A.2 to § A.2.2 discloses the data-oblivious procedure which iteratively computes centroids of clusters of data).
It would have obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Stefanov, Nikolaenko, and Pathak. Stefanov teaches concealing access patterns to data storage, such as within servers of a cloud computing environment. Concealment is performed with respect to accesses from the client to server using an oblivious sorting protocol. Nikolaenko teaches an oblivious transfer protocol using a ridge regression algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. Pathak teaches Privacy-Preserving Machine Learning and Oblivious Transfer. One of ordinary skill would have motivation to combine Stefanov, Nikolaenko, and Pathak because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, 

In reference to claim 11. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein the trusted execution environment uses:
Stefanov and Nikolaenko do not explicitly disclose:
“a data-oblivious procedure which computes a piece-wise approximation of a neural network transformation”.
However, Pathak discloses:
“a data-oblivious procedure which computes a piece-wise approximation of a neural network transformation” (Pathak in at least § 2.3, § 3.2.7, § 3.3, § 11.2.4 to § 11.3.2, § 11.3.4, and § A.2 to § A.2.2 discloses “We view a speech signal as a sequence of piecewise stationary signals and an HMM forms a natural representation to output such a sequence of frames”).
It would have obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Stefanov, Nikolaenko, and Pathak. Stefanov teaches concealing access patterns to data storage, such as within servers of a cloud computing environment. Concealment is performed with respect to accesses from the client to server using an oblivious sorting protocol. Nikolaenko teaches an oblivious transfer protocol using a ridge regression algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. Pathak teaches  because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) "Obvious to try" choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of it for use in either the same field or a different one based on design incentives or other market forces if the variations are predictable to one of ordinary skill in the art.

In reference to claim 23. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of Claim 20 (as mentioned above), wherein:
Stefanov and Nikolaenko do not explicitly disclose:
“the received data comprises labeled training data”,
However, Pathak discloses:
 “the received data comprises labeled training data” (Pathak in at least § 3.2.7, § 3.3, § 11.2.4 to § 11.3.2, § 11.3.4, and § A.2 to § A.2.2 discloses the labeled training data),
It would have obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Stefanov, Nikolaenko, and Pathak. Stefanov teaches concealing access patterns to data storage, such as within servers of a cloud computing environment. Concealment is performed with respect to accesses from the client to server using an oblivious sorting protocol. Nikolaenko teaches an oblivious transfer protocol using a ridge regression algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. Pathak teaches Privacy-Preserving Machine Learning and Oblivious Transfer. One of ordinary skill would have motivation to combine Stefanov, Nikolaenko, and Pathak because MPEP 2143 sets forth the Supreme 

Stefanov further discloses:
“wherein the data uploader or the trusted execution environment is configured to securely shuffle the labeled training data prior to execution of the machine learning code” (Stefanov in at least Fig. 6, Fig. 14, Fig. 15, ¶ [0163], ¶ [0279], ¶ [0303], and ¶ [0333]-[0336] “[…] client uploads its shuffling buffer 112' into the first unfilled level […]”, “Our distributed O-RAM construction applies the a partitioning framework twice to achieve secure partitioning of an O-RAM across multiple servers”, and “shuffling is implemented in the form ofa pipeline. Each job consists of the following 5 stages: (1) starting all of the reads, (2) waiting for all of the reads to complete, (3) shuffling the read data locally, (4) starting all of the writes of the shuffled data, and (5) waiting for all of the writes to complete. Multiple jobs are performed in parallel such that the first stage of a job must complete before starting the first stage of the next job. The number of jobs in the pipeline is such that jobs get started as long as the sum of the amount of blocks they will read don't exceed the amount allowed by the shuffling buffer semaphore”).

Claims 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Stefanov et al. (hereinafter Stefanov) US 20140007250 A1 in view of Nikolaenko et al. (hereinafter Nikolaenko) .
In reference to claim 12. Stefanov and Nikolaenko teach the multi-party privacy-preserving machine learning system of claim 1 (as mentioned above) wherein:
Stefanov and Nikolaenko do not explicitly disclose:
“the trusted execution environment uses a data-oblivious procedure which computes an evaluation of a decision tree”.
However, Vaidya discloses:
“the trusted execution environment uses a data-oblivious procedure which computes an evaluation of a decision tree” (Vaidya in at least § 2 and § 3 discloses the creation and use of the decision tree).
It would have obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Stefanov, Nikolaenko, and Vaidya. Stefanov teaches concealing access patterns to data storage, such as within servers of a cloud computing environment. Concealment is performed with respect to accesses from the client to server using an oblivious sorting protocol. Nikolaenko teaches an oblivious transfer protocol using a ridge regression algorithm that takes as input a large number of data points and finds the best-fit linear curve through these points. Vaidya teaches Privacy-Preserving Decision Trees over Vertically Partitioned Data. One of ordinary skill would have motivation to combine Stefanov, Nikolaenko, and Vaidya because MPEP 2143 sets forth the Supreme Court rationales for obviousness including: (D) Applying a known technique to a known device (method, or product) ready for improvement to yield predictable results; (E) "Obvious to try" choosing from a finite number of identified, predictable solutions, with a reasonable expectation of success; (F) Known work in one field of endeavor may prompt variations of it for use in either the same field or a different 

In reference to claim 13. Stefanov, Nikolaenko, and Vaidya teach the multi-party privacy-preserving machine learning system of claim 12 (as mentioned above) wherein the trusted execution environment:
Vaidya further discloses:
“stores the decision tree as a plurality of arrays of nodes and evaluates the decision tree by traversing the tree and scanning the arrays” (Vaidya in at least § 2 and § 3 disclose storing the decision tree using vectors (arrays) and evaluating the decision tree by traversing the tree and scanning the vectors).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann J. Lo can be reached on (571)272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/VIKER A LAMARDO/Primary Examiner, Art Unit 2126