DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.  This Final Office Action is in response to amendment filed on 12/27/2021.
	Claims 1-2, 7, and 9-10 have been amended. Claims 1-11 remain pending in the application. 
Response to Amendment

The amendment filed 12/27/2021 has been entered. Claims 1-2, 7, and 9-10 have been amended. Claims 1-11 remain pending in the application. 

Applicant amendments to the Drawings have overcome the objections previously set forth in the Non-Final Office Action mailed on 06/24/2021. The objection has been withdrawn in view of the amended Drawings.
Applicant amendment to the claims have overcome the objections previously set forth in the Non-Final Office Action mailed on 06/24/2021. The objection has been withdrawn in view of the amended Claims.
Applicant amendments to the claims have overcome the 35 USC § 112 rejection previously set forth in the Non-Final Office Action mailed on 


Response to Arguments


 	Regarding Applicant’s arguments, on page 8-14 of the remark filed on 12/27/2021, on the newly amended limitations of claims 1: “such that both the first signature and the respective one of the secret keys are required to form the augmented signature; and”, arguments are not persuasive.
	Applicant argues on page 10 the last paragraph of the remarks filed on 12/27/2021 that the cited references fail to expressly or inherently disclose or make obvious the amended features incorporate both the first signature and the respective one of the secret keys are required to form the augmented signature; and. Applicant’s interpretation of the reference has been noted; however, examiner respectfully. Buldas describes on Par. (0040) a signature that is augmented or enlarged in size with a mixed or combined signature that is combined with a secret key or password, timestamp and message. This augmented or enlarged signature that is combined corresponds with the augmented signature shown in the instant application on Par. (0065-0067) of the specification that describes an augmented signature with variable (t; c; c; a) much like the augmented or combined signature disclosed by Buldas. Therefore, the rejection is maintained.


However, the limitation of independent claim 1: “replacing within the first signature the signing key with the secret key from which the signing key was derived to form an augmented signature” 
The arguments on page 13 of the remark filed on 12/27/2021 regarding the combining of the Buldas and Bernstein.
The newly added limitation to independent claim 1: “whereby the signing entity is able to verify the first signature before the augmented signature is formed as a valid signature for the message, and the replacement of the signing key with the respective one of the secret keys takes place external to the signature server.” arguments are persuasive. 
Therefore, the 35 U.S.C. 103 rejection Buldas et al. (WO Pub. No. 2015155368) and Maximov et al. (WO Pub. No. 2016131559) in further view of Bernstein et al. (“SPHINCS: practical stateless hash-based signatures), has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made under 35 U.S.C. § 103 in view of the following prior art: Lu et al. (U.S Pub. No. 20180374087) and Maletsky et al. (U.S Pub. No. 20140281554), in conjunction with Buldas et al. (WO Pub. No. 2015155368), Maximov et al. (WO Pub. No. 2016131559). Please refer to the 35 U.S.C. 103 section below for a detailed explanation.
	For the reasons stated above and the new ground(s) of rejection under 35 U.S.C. 103 below, Examiner respectfully disagrees with Applicant’s argument, see Applicant’s Remarks Pages 8-14, regarding allowance of the application. Examiner 
	Conclusion: Buldas - Maximov – Lu- Maletsky  teach the aforementioned limitations of independent claim 1 rendering the claim limitations obvious before the effective date of the claimed invention.


Claim Objections

Claim 10 is/are objected to because of the following informalities:

	In regards to Claim 10, the applicant recites the limitation “an original inputted value if, using the recomputation parameters to logically recompute a hash tree path to the calendar value,”, should read “an original inputted value when”, by replacing “if” with “when” it avoids reciting limitations in the claims with conditional phraseology that may or may not occur. Appropriate correction is required.
	
	In regards to Claim 10, the applicant recites the limitation “in which in which the first signature includes” should read “in which the first signature includes” Examiner suggests removing the additional “in which” to recite a grammatically correct sentence. Appropriate correction is required.



Claim Rejections - 35 USC § 103


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Buldas et al. (WO Pub. No. 2015155368, hereinafter referred to as "Buldas"), Maximov et al. (WO Pub. No. 2016131559, hereinafter referred to as “Maximov") and Lu et al. (U.S Pub. No. 20180374087, hereinafter referred to as “Lu") in further view of Maximov et al. (U.S Pub. No. 20140281554, hereinafter referred to as “Maletsky")


Regarding Independent Claim 1 (Currently Amended), Buldas teaches a method for digitally signing a message comprising: (Page 8 Par. (0039) “Disclosed here are different embodiments of a new type of hash function-based signature scheme in which the signature process involves a signature server 500 (Figure 1 ). For simplicity, this scheme is referred to below as the "BLT" solution, the "BLT" signature scheme, or simply "BLT"”; signing message process of signature scheme is BLT), (Page 9 Par. (0041) “To sign a message m at time t, the signer: (1 ) combines m with a one-time password z, that is dedicated for signing messages at time”; digitally signing a message)
submitting to a signature server an authenticator value formed as a cryptographic binding of both the message and a respective one of the signing keys, (Page 1 Abstract “A digital message (m) is signed and, if a request is approved, receives a time stamp (T). The request is computed as a first function of the message and a current one of a sequence of passwords (z .sub.l , .Math., z .sub.i) computed such that each password corresponds to an index unit. The request (ϰ) is submitted to a signature server (500)”; submitting to a signature server (request with signed message)), (Figure 1 labels 500 and 200; client (200) submitting cryptographic binding of message and key (x=h(m, zi)) to signature server), (Page 13-14 Par. (0058) “for a client 200 (Figure 1) may, for example, be a 5-tuple.Math. = (ID.sub.C, z.sub.0, r, t.sub.0, !¾), where ID.sub.C is an identifier of the client, (z.sub.0, r) is the public key, t.sub.0 is the time when the certificate becomes valid (that is, z.sub./ is intended to sign documents at time to + 1, ¾ is for signing at to + 2, etc.)”; submitting to signature server cryptographically binded message and signing key), (Page 3-4 Par. (0021) “ whereby authenticator value submitted to signature server) (Page 14 Par. (0059) “o sign a document/message m (or a hash of a message) at time t > to (where t = t.sub.0 +i), the client computes x = h(m, z.sub.{) and sends x together with its identity ID.sub.C as a request to the signature server 500. [..] that z.sub.{ is the z.sup.'-th element of the key- hash sequence.”; binded signing key and message sent to signature server) 
 said signature server thereupon generating and returning to a signing entity a first signature of the authenticator value;  (Figure 1 labels 500 and 200; signature server returning signature to signing entity (client), (Page 14 (0059) “to sign a document/message m (or a hash of a message) at time t > to (where t = t.sub.0 +i), the client computes x = h(m, z.sub.{) and sends x together with its identity ID.sub.C as a request to the signature server 500. The server, for example in the module 520, checks that the certificate of the client has not been revoked (no revocation note has been received) and, if not, creates a hash-tree time-stamp S.sub.t for the pair (x, ID.sub.C), and sends ^ back to the client. The signature for m is then (ID.sub.C, i, z Q, S.sub.t), where Q = C(z.sub.{) is the hash chain which proves that z.sub.{ is the z.sup.'-th element of the key- hash sequence. Note that it would be possible to sign more than one message m in the same time period, using the same password - using the preferred signature scheme, the respective signatures will still be unique”; signature server returning back to the client authenticator value of signature), (Page 11 par. (0050) “If now, for example, a message m and a Zi are time-stamped together, this may be considered as a signature of m. The signature is correct only if the date of the time stamp is not later than t.sub.0 + i. The signature cannot be forged because all published passwords z.sub.h z.sub.2, z”; first signature)
receiving the first signature from the signature server; (Figure 1 labels 200 and 500; client (200) receiving signature from signature server), (Page 14 Par. (0059) “The server, for example in the module 520, checks that the certificate of the client has not been revoked (no revocation note has been received) and, if not, creates a hash-tree time-stamp S.sub.t for the pair (x, ID.sub.C), and sends ^ back to the client. The signature for m is then (ID.sub.C, i, z Q, S.sub.t), where Q = C(z.sub.{) is the hash chain which proves that z.sub.{ is the z.sup.'-th element of the key- hash sequence”; signature received (sent back to client) from signature server),  
determining the validity of the first signature; and (Page 1 Par. (0003) “key owner but also to the parties that rely on digital signatures as potential evidence to protect their rights. The validity (integrity) of digital signatures that use traditional public key-based mechanisms depends on assumptions that some private keys are secure.”; validity of signature), (Page 21-22 Par. (0079) “A signature thus consists of a "short term certificate", which is a hash chain in the master hash tree (used to authenticate z.sub.t in the master hash sequence), and a hash chain that is used to authenticate a particular hash value z.sub.ti in the sequence [..] In this embodiment, the validity period of t seconds is divided into ^-second sub-periods. There are therefore p = t/A such periods. A different password sequence ζ.sub.α1, z.sub.a2, ..., ζ.sub.ΰΛ α=\ , ..., p) is determining validity of signature with time), (Page 25 Par. (0090) “If the validity of the certificates is, as one example, 10 minutes (that is, A = 600), and the signature device is connected to the client's computer right after to + i-A, then for about 10 minutes, there would be no valid certificates for signing, and the client would not be able to sign for almost 10 minutes.”; determining validity of signature), (Page 5 Par. (0026) “On-line Certificate Status Protocol (OCSP) responders, whose duty is to confirm the validity of public key certificates. The OCSP-responders in turn also use private keys to sign the validity statements; moreover, the OCSP responses must be reliably dated. In essence, using these schemes”; determining (confirming) validity of signature),
when the first signature is determined to be valid, (Par. (0039) “The signature ( x, z.sub.t, T.sub.t x) ) is considered valid only if t = t' and z.sub.t \s verified to be the t-th element of the sequence”; if the signature is determined (considered) to be valid), (Par. (0061) “Signatures are considered valid only if t = to + i, where t is the time indicated by the data signature (time-stamp) St obtained from the service”; if the signature is determined (considered) to be valid), 
such that both the first signature and the respective one of the secret keys are required to form the augmented signature; and (Par. (0040) “To sign a message m at time t, the signer: (1 ) combines m with a one-time password z, that is dedicated for signing messages at time t; and (2) sends a hash x = H(m, z.sub.t) to the server to obtain a time-stamp T.sub.t-(x) for x. The signature ( x, z.sub.t, T.sub.t x) ) is considered valid only if t = t' and z.sub.t \s verified to be the t-th element of the sequence.”; both the first signature (The signature) and the respective one of the secret keys (password z) required to form augmented signature ( combines [..] Signature (x, z.sub.t, T.sub.t x)), (Examiner notes: In the instant application on Par. (0065-0067) the specification describes an augmented signature to contain (t; s; c; a) that demonstrates an enlarged or combined/mixed signature with a private key therefore to form an augmented signature will be broadly and reasonably interpreted as a signature with a private key, password, passphrase or the like thereof that is combined, mixed aggregated etc.))
However Buldas does not explicitly teach generating a set of secret keys; deriving signing keys as a function of respective ones of the secret keys; the signing entity replacing within the first signature the signing key with a respective one of the secret keys from which the signing key was derived to form an augmented signature, and revealing the respective secret key, whereby the signing entity is able to verify the first signature before the augmented signature is formed as a valid signature for the message, and the replacement of the signing key with the respective one of the secret keys takes place external to the signature server.
Wherein Maximov teaches generating a set of secret keys; (Page 22 lines 18-22 “ The client generates 4 hash chains from 4 secret keys z.sub.n^...z.sub.n^ and uses the OTSKs produced by z.sub.n.sup.(k) in the signing times t=t.sub.0+i+k/4 seconds, for i=l..n, k=0..3 (for the example of K=4; K may be selected arbitrarily to achieve desired granularity)”; generating of a set of secret keys (plurality of secret keys (4)), (Page 11 lines 24-29 and Page 12 lines 1-5 “ The client (or the Gateway, if the signing key is delegated), needs to create a secret signing key, [..] the signer first creates his own pair of the secret key [..] The signer chooses a random secret key z.sub.n. Then, the generating (creates) a set (pair) of secret keys))
deriving signing keys as a function of respective ones of the secret keys; (Page 1 Abstract “deriving one-time signing keys of signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index of the one-time signing key,”), (Page 14 lines 6-20 “illustrates an approach for deriving the OTSKs directly via a one-way function. It may be a desire to improve the part of deriving the one time signing keys, OTSK's, values ¾ of the signer's OTSK hash chain. The derivation of ¾:s traditionally requires, even with the M. Jakobsson and D. Coppersmith technique of [6], the signer to spend additionally log(n) time for each ¾, and to store additionally log(n) intermediate hash values. However, as described below, this can be done in 0(1) time without storing intermediate hash values. We propose that instead of the hash chain z.sub.0<— z.sub.n, as discussed above, where z.sub.n is the secret key and z.sub.0 is the public key, the signer derives any of the OTSKs directly via a one-way function,”; deriving signing keys)
and revealing the respective secret key (Page 12 lines 20-30 “After the time-stamp is returned, and the current time t becomes larger than t.sub.0+i seconds, the OTSK Zi can be revealed.”; associated time has passed (after the time stamp is returned and the current time) revealing the respective secret key (can be revealed)) (Page 19 lines 19-27 “the client may reveal OTSK Zi.sub.+2 only at time t >”; revealing key after time has passed (reveal key only at a time)
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Maximov within the teachings of Buldas 
The motivation to combine these references is because by generating sets of secret keys that correlate to the derivation of signing keys as a function of it provides a solution to users that face difficulties of “Blind Trust” in the digital signature process because by implementing these keys the collaboration of server and client is created where no one entity can create a signature alone. This establish trust on the system and ensures user the protection of their data.
However Buldas and Maximov do not explicitly teach the signing entity replacing within the first signature the signing key with a respective one of the secret keys from which the signing key was derived to form an augmented signature, whereby the signing entity is able to verify the first signature before the augmented signature is 
Wherein Lu teaches the signing entity replacing within the first signature the signing key with a respective one of the secret keys from which the signing key was derived to form an augmented signature (Par. (0012) “system 100 may include vendor computer system 102 (or systems 102), customer computer system 103 (or [..] customer-side signing subsystem 126,”; signing entity (computer system with signing subsystem)), (Par. (0018-0019) “the customer digital signature that was created via the signing of the postage indicia). In some embodiments, at least one of the customer public/private key pairs may include a file exchange private key and a file exchange public key for respectively for signing one or more files [..] may create one or more new public/private key pairs for a customer (e.g., a reseller of a postage vendor or other customer of the postage vendor) to replace one or more old public/private key pairs (e.g., new replacement indicia keys, new replacement file exchange keys, etc.). Vendor computer system 102 may cause the replaced public/private key pairs to be”; replacing within the first signature the signing key with one of the secret keys (digital signature with exchanged keys are replaced by one or more new public/private keys)), (Par. (0004) “the customer computer system may provide as inputs to a cryptographic function (i) the private key as a signing key and (ii) the postage transaction record and the previously-derived cryptographic item as at least part of the combined content to be signed with the private key”; signing key (private key) being derived (previously derived)), (Par. (0028) “the private key as a signing key and (ii) the transaction record and the previously-derived cryptographic item [..] the new cryptographic item, which is derived from the private key,”; which the signing key was derived (signing key corresponding to cryptographic item that is derived from secret (private key)), (Par. (0029) “sign the combined information with a private key (a “first-entity private key”) associated with the first entity to create a digital signature (“a first-entity digital signature”) of the combined information.”; to form an augmented signature (digital signature with combined information)), (Par. (0031) “the first-entity computer system may combine transaction record 202c and second-entity digital signature 206b, and sign the combined information (including transaction record 202c and second-entity digital signature 206b) with the first-entity private key to create first-entity digital signature 204c”; to form an augmented signature (combine signature with transaction and signed combined information))
and the replacement of the signing key with the respective one of the secret keys (Par. (0018-0019) “the customer digital signature that was created via the signing of the postage indicia). In some embodiments, at least one of the customer public/private key pairs may include a file exchange private key and a file exchange public key for respectively for signing one or more files [..] may create one or more new public/private key pairs for a customer (e.g., a reseller of a postage vendor or other customer of the postage vendor) to replace one or more old public/private key pairs (e.g., new replacement indicia keys, new replacement file exchange keys, etc.). Vendor computer system 102 may cause the replaced public/private key pairs to be”; replacing within the first signature the signing key with one of the secret keys (digital signature with exchanged keys are replaced by one or more new public/private keys))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Lu within the teachings of Buldas and Maximov to include the signing entity replacing within the first signature the signing key 
The motivation to combine these references is because by performing the process after verification users can delegate the signature forming on untrusted servers. This in return helps the users gain confidence in the system because by replacing the signing key with a secret key the signer of the message can confirm the authenticity of the secret key and determine the success or damage that is displayed on the completion of the augmented signature. This leads to effective and securely protected server-based signature schemes that establishes trust for users.  
However Buldas, Maximov and Lu do not explicitly whereby the signing entity is able to verify the first signature before the augmented signature is formed as a valid signature for the message, ……….. takes place external to the signature server.
whereby the signing entity is able to verify the first signature before the augmented signature is formed as a valid signature for the message, and (Par. (0151-0152) “The host device 330 can subsequently verify the signature using the child public key 328. [..] may combine state information or other configuration parameters corresponding to the secure device 320 with the digest and generate the signature on the combination of the digest and the state information. Combining the state or other configuration information may provide additional security, [..] to verify that the signature was generated by an entity with access to the physical characteristic information of the secure device 320.”; verify the first signature before the augmented signature is formed (verify signature is performed first to check if signature is generated by entity with access then the augmented signature (combined signature with combination of digest and state information) is formed)), (Par. (0030) “messages by signing with the private key. While signing the messages, the client device may include configuration information associated with the client device, such as chip state information, as part of the signature.”; augmented signature (private key, state information and message digest as a part of a signature)), (Par. (0182) “the secure device may provide robust security that is tied to the characteristics of the signing entity. ECC may be used as the basis of the asymmetric cryptographic scheme for generating the cryptographic keys and the signatures”; signing entity)), (Par. (0080-0081) “the digest may be included as part of a message used by cryptographic operations, such as those associated with the Sign/Verify module 244, to generate or verify a signature. [..] he Sign/Verify module 244 is associated with instructions for generating a signature, or verifying a signature, or both. In some implementations, the instructions for generating a signing entity that is able to verify (sign/verify module corresponding to signature))
……….takes place external to the signature server. (Par. (0054) “The secure device 110 also may [..] the expected value become known, map simple passwords to complex ones and securely exchange password values with remote system.”; takes place external to the signature server ( with remote system)), (Par. (0052-0054) “application of the secure device 110 may be in session key exchange. For example, the secure device 110 may be used by the client device 100 to exchange securely and easily session encryption keys for use by an encryption/decryption engine in the system [..] values with remote system.”; takes place external to signature server (with remote system), (Par. (0082) “he Sign/Verify module 244 are configured for generating a signature [..] the signature on a message, may be generated either internal to the secure device, or externally. In case of external message generation, the system may externally compile the information to be signed,”; takes place external to signature server (signature may be generated externally to sign module))
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Maletsky within the teachings of Buldas, Maximov and Lu to include the signing entity is able to verify the first signature before the augmented signature is formed as a valid signature for the message, and the replacement of the signing key with the respective one of the secret keys takes place external to the signature server because of the analogous concept of data security through the use of digital signatures and server-based interactive signature systems. 

Regarding Dependent Claim 2 (Currently Amended), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas, Lu and Maletsky however fails to explicitly teach the method of claim 1, further comprising: generating the set of secret keys as a function of time, each secret key and its corresponding signing key being associated with a time; and revealing the respective secret key only after its associated time has passed.
Wherein Maximov teaches the method of claim 1, further comprising: generating the set of secret keys as a function of time, each secret key and the corresponding signing key of the each secret key being associated with a time; and ((Page 22 lines 18-22 “ The client generates 4 hash chains from 4 secret keys z.sub.n^...z.sub.n^ and uses the OTSKs produced by z.sub.n.sup.(k) in the signing times t=t.sub.0+i+k/4 seconds, for i=l..n, k=0..3 (for the example of K=4; K may be generating of a set of secret keys (plurality of secret keys (4)), (Page 11 lines 24-29 and Page 12 lines 1-5 “ The client (or the Gateway, if the signing key is delegated), needs to create a secret signing key, [..] the signer first creates his own pair of the secret key [..] The signer chooses a random secret key z.sub.n. Then, the sequence of values (hash chain) z.sub.0 - ... -z.sub.n is computed as”; generating (creates) a set (pair) of secret keys)), (Page 3 lines 17-25 “The method comprises deriving one-time signing keys of signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index of the one-time signing key, and providing the hash value for the piece of data by a hash function including the piece of data and the derived one-time signing key.”; each secret key corresponding to a signing key as a function), (Page 3 lines 25-31 and Page 4 line 5-10 “The method may comprise sending a signing request to a signing authority for a plurality of pieces of data, wherein each piece of data may be assigned a respective index consecutively by using one-time signing keys with time- forwarded one-time signing key indexes. The method may comprise applying a time fraction hash tree splitting a time slot corresponding to the index into time fractions such that the time slot is divided into fractions according to the number of leafs of the time fraction hash tree.”; fraction of time/ associated with a time), (Page 11 lines 24-29 and Page 12 lines 1-3   “The model of signing documents in QI-KSI is showed in Fig. 5. The client (or the Gateway, if the signing key is delegated), needs to create a secret signing key, [..] performs time-stamping of client's signing requests. In QI-KSI, the signer first creates his own pair of the secret key”; signing key and secret key associated with time)
revealing respective one of the secret key only after the associated time has passed. (Page 12 lines 20-30 “After the time-stamp is returned, and the current time t becomes larger than t.sub.0+i seconds, the OTSK Zi can be revealed.”; associated time has passed (after the time stamp is returned and the current time) revealing the respective secret key (can be revealed)) (Page 19 lines 19-27 “the client may reveal OTSK Zi.sub.+2 only at time t >”; revealing key after time has passed (reveal key only at a time)
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Maximov within the teachings of Buldas, Lu and Maletsky for the reasons discussed in independent claim 1 stated above.

Regarding Dependent Claim 3 (Original), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas, Lu and Maletsky however fails to explicitly teach the method of claim 1, further comprising generating the set of secret keys and the signing keys as a function of a series index.
Wherein Maximov teaches the method of claim 1, further comprising generating the set of secret keys and the signing keys as a function of a series index. (Page “Abstract” “The method comprises deriving one-time signing keys of signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index”; signing key and secret key associated with function of an index), (Page 14 lines 20-27 “where z.sub.sk is a secret key of the signer, and f is a function on the index i that generates different values for each i=l ..n. For example, this function can be as simple as fi=i, but it may be a more complex one. As an generating secret keys as function of the index) 
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Maximov within the teachings of Buldas, Lu and Maletsky for the reasons discussed in independent claim 1 stated above.

Regarding Dependent Claim 4 (Original), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas, Lu and Maletsky fails to explicitly teach the method of claim 1, in which each signing key is derived as a cryptographic hash function with the respective secret key as an input parameter.
Wherein Maximov teaches the method of claim 1, in which each signing key is derived as a cryptographic hash function with the respective secret key as an input parameter. (Page: Abstract “The method comprises deriving one-time signing keys of signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index of the one-time signing key, and providing the hash value for the piece of data by a hash function including the piece of data and the derived one-time signing key”; signing key derived as a hash function with secret key), (Page 14 lines 5-25 “ for deriving the OTSKs directly via a one-way function. It may be a desire to improve the part of deriving the one time signing keys, OTSK's, values ¾ of the signer's OTSK hash chain. The derivation of ¾:s traditionally requires, [..] the signer may derive any of the OTSKs as follows: for i=l ..n, where H is a one-way function, where z.sub.sk is a secret key of the signer, and f is a function on the index i that generates different values for each i=l ..n. For example, this function can be as simple secret key (z.sub.sk) is input parameter) 
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Maximov within the teachings of Buldas, Lu and Maletsky for the reasons discussed in independent claim 1 stated above.


Regarding Dependent Claim 5 (Original), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas further teaches the method of claim 1, in which the cryptographic binding includes timestamping (Figure 1 labels 700, 500, and 200; client sends x1= (h(m,zi), ID, to signature server, timestamp binded with message cryptographically and sent back to client from signature sever), (Page 11-12 Par. (0050) “certain initial time that is also published together with the public key z.sub.0. If now, for example, a message m and a Zi are time-stamped together, this may be considered as a signature of m. The signature is correct only if the date of the time stamp is not later than t.sub.0 + i. The signature cannot be forged because all published passwords z.sub.h z.sub.2, z, are useless for creating signatures after to + /.sup.' as no suitable time-stamps can be obtained any more (at least if the time-stamps are not back-dated by the time-stamping authority)”; message cryptographically binded (together) including timestamp)


Regarding Dependent Claim 6 (Original), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas further teaches Buldas further teaches the method of claim 1, in which the first and augmented signatures comprise at least one hash chain leading to a respective hash tree root value (Page 21-22 Par. (0079) “Figure 6 illustrates a hierarchical hash sequence embodiment, with a lower hash sequence C.sub./ower and an upper hash sequence  is preferably augmented with the hash tree shown in Figure 4C (but which could also have the structure of the hash tree in Figure 4A or Figure 4B instead)”; augmented signature with hash value leading to hash tree root.)

Regarding Dependent Claim 7 (Currently Amended), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas further teaches the method of claim 1, further comprising computing a public key by inputting and aggregating the signing keys into a hash tree that has a root that forms the public key. (Figure 7 labels 4010-1, 4010-k, 2010-1; aggregators), (Par. (0052) “One way to do it is to iterate z, exactly ί times and compare the result with the public key z.sub.0. For long hash sequences, however, this may take a lot of time. Therefore, an additional hash-tree structure may be used to speed up the process. Let r = 3b (z.sub.h z.sub.e) be the root hash of a hash tree 3?, created with a hash function h. The public key is then a pair (z.sub.0, r).”; public key correlating to root hash value.), (Par. (00112) “a hash tree data structure is computed using the root hash values of the aggregators as lowest level inputs. In effect, the hash computations and structure within the core form an aggregation of aggregation values. The core will therefore ultimately compute a computing public key (root hash value) by inputting and aggregating into a hash tree), (Par. (00111) “ (Par. (00111) “Aggregators such as the system 4010-1 similarly include computation modules that compute combined output values for each node of a hash tree data structure. As in the gateways, the value computed for each node in the aggregator's data structure uses its two "children" nodes as inputs. Each aggregator will therefore ultimately compute an uppermost combined output value - a "root hash value" - as the result of application of a hash function that includes information derived from the digital input record(s) of every client that submitted a request to a gateway in the data structure under that aggregator.; compute public key (root hash value) by inputting and aggregating)





Regarding Dependent Claim 8 (Original), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas further teaches the method of claim 7, further comprising including respective time-associated values along with each respective signing key in the hash tree aggregation of the signing keys. (Par. (00112) “Within the core, a hash tree data structure is computed using the root hash values of the aggregators as lowest level inputs. [..] a single current uppermost core hash value at the respective tree node 5001 at each calendar time interval to, t1”; hash tree with aggregation including respective time associated values (time intervals), (Par. (00104) “In short, the hash tree infrastructure of Buldas '576 may be used to function not only as the time-stamping system 500, but also, optionally, to sign other information from the client 200 and/or server 500 and/or the signature device 600 as well”; hash tree associated with signing and creating signatures (signing key))


Regarding Dependent Claim 9 (Currently Amended), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas further teaches the method of claim 8, further comprising submitting the public key to the signature server along with the corresponding signing keys. (Figure 1 labels 200, 500; client 200 submitting to signature server 500 public key in the form of x1= h(m, zi), ID, zi = public key), (Par. (0039) “The last element z.sub.0of the one-way sequence C(z)I f f f Z.sub.0 Z] — z.sub.2 — .sup.■ .Math. .Math. — Zi is the public key of the signer. To sign a message m at time t, the signer: (1 ) combines m with a one-time password z, that is dedicated for signing messages at time t; and (2) sends a hash x = H(m, z.sub.t) to the server”; submitting (sending) public key (zi) to signature server (server) along with signing keys)

Regarding Dependent Claim 10 (Currently Amended), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas further teaches the method of claim 7, in which in which the first signature includes recomputation parameters and a calendar value corresponding to a calendar period during which the first signature was originally computed, (Par. (00112) “his uppermost value is referred to herein alternatively as the "calendar value" c„ or "current calendar value" for the time interval ti. If calendar values are computed according to precisely determined time values, such as one calendar value each 1 .0 s, then each calendar value will also be a precise representation of time    [..] this will change upon recomputation of a new uppermost core hash value at the end of the next period of accumulating requests and generating signature vectors (also referred to as "data signatures") containing recomputation parameters.”; signature with recomputation parameters and calendar value corresponding to when it was originally computed.),  (Par. (00115) “The set of sibling hash values, along with any other information such as order (such as "leftVright", since most cryptographic hash functions are not commutative, that enable recomputation of the corresponding calendar value, may then be returned to the client system as the signature for the digital input. This signature may later be extended with the sibling values within the core's Merkle hash tree that allow recomputation all the way up through the infrastructure to the uppermost hash value of the core 5000.”; recomputation with calendar value)
such that an arbitrary subsequent test value is considered authenticated relative to an original inputted value if, using the recomputation parameters to logically recompute a hash tree path to the calendar value, which corresponds to the public key, the same calendar value is attained as when the calendar value was originally computed. (Par. (00116) “Applying the same transformation function 2016 to the candidate digital record and recomputing upward using the corresponding data signature, the entity should compute to the exact same calendar value that relative to original inputted value) , (Par. (00114) “Notice if one traverses the various tree paths upward from the value 2018 in the client 2010-1 , it is possible to compute every value upward in the tree structures all the way to the most current uppermost core value 5001 given the values in the X-marked tree nodes (the "siblings" of the nodes in the direct recomputation path) and a knowledge of the hash functions applied at each successive parent node. In short, if a signature is [..] assuming predetermined hash functions, then re-computation of the hash values upward through all of the tree structures will yield the same value as in the current calendar value, but only if the starting input value representing the original digital record is in fact identical in every respect to the original. Even the slightest alteration to the digital input record or even a change of a single bit in any of the values of the signature associated with a record 2012 will lead to a re-computed calendar value that is not identical to the one in node 5001 . Note also that each uppermost computed value in the core - the current calendar value – contains”; relative to original inputted value and using recompution parameters to recompute hash tree path, to attain same calendar value)

Regarding Dependent Claim 11 (Currently Amended), the combination of Buldas, Maximov, Lu and Maletsky teach the method of claim 1, Buldas, Lu and Maletsky fails to explicitly teach the method of claim 6, further comprising: verifying that the respective one of the secret key associated with the message was committed at a corresponding correct time by recomputing the corresponding hash chain to the root value associated with the secret key and that correct time; and verifying that the 
Wherein Maximov teaches the method of claim 6, further comprising: verifying that the respective one of the secret key associated with the message was committed at a corresponding correct time by recomputing the corresponding hash chain to the root value associated with the secret key and that correct time; and (Page 10 lines 23-31 and Page 11 lines 1-3 “this is based on one-time passwords techniques. The client (and/or application) selects a random secret value z„ (of size of the hash digest), and generates the hash chain [..] This way, one secret key z.sub.n can be served for n authentications.”; corresponding hash chain associated with secret key), (Page 13 lines 17-25 “the signer needs to keep the relevant part of the hash- tree, and in the signing process the part of the hash tree that leads to the root hash r may be partly recomputed in log(n) time with log(n) intermediate hash values. That computation also requires the knowledge of other values ¾ in an efficient way”; recomputing to root value with correct time), (Page 14 lines 20-31 and Page 15 lines 1-2 “z.sub.sk is a secret key of the signer [..] The new scheme is shown in Fig. 8, where the upper part, i.e. above the dotted line, shows the verification of the OTSK values [..] the root hash value r that combines all OTSKs, the value n that indicates the expiration time for the secret key z.sub.sk as well as determines the height of the tree, and the validation time to, after which the certificate is valid. Since the LRS of the hash path encodes the index of z; uniquely, then this is the way to verify that z; is actually the verifying the secret key was committed at correct time),
verifying that the message was authenticated at a corresponding correct time by recomputing the corresponding hash chain to the root value associated with the message and that correct time (Page 18 lines 9-20 “ Signing of a message M at some time t=t.sub.0+i, where t.sub.0 < t < to+n, may then comprise the following protocol: [..] The signer reveals the signature of the message M as <userID;i;¾;Si> The verification process is considered successful if: 1. H(x=H(H(M);¾); userlD; Γί=Η(¾)) is the leaf of ¾ 2. LRS of Si's AHP leads to the correct TTP-SA's KSI identifier that is bound in the signer's certificate; 3. Si's AHP and CHP lead to the correct CRH for the time t.sub.0+i.”; verification of message corresponding to a correct time then recomputed the hash with message at correct time.)
Therefore, it would have been obvious before the effective filing date of the claimed invention to combine the teachings of Maximov within the teachings of Buldas, Lu and Maletsky for the reasons discussed in independent claim 1 stated above.

Relevant Prior Art

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Buldas; Ahto (U.S No. 8719576) “Document Verification With Distributed Calendar Infrastructure”. Considered this reference because it addressed 

Barthelemy; Serge (U.S Pub. No. 20110264917) “METHOD FOR TWO STEP DIGITAL SIGNATURE”. Considered this application because it relates to the digital signing of a message with a signer and use of transmitting to a third party server with secret keys that are generated, calculated and verified for trust. 

Camenisch; Jan L (U.S Pub.  No. 20190372775) “AUTHENTICATION IN DISTRIBUTION SYSTEMS”. Considered this application because it addressed the signing of a message with the use of a secret key and a digital signature scheme that verifies the digital signature through timestamps.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not 

Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.A.H./Examiner, Art Unit 2497                                                                                                                                                                                                        
/Jeremy S Duffield/Primary Examiner, Art Unit 2498