ALLOWABILITY NOTICE
The following claims are pending in this office action: 84-99
The following claims are amended: 84 and 88
The following claims are new: -
The following claims are cancelled: 1-83
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with attorney of record Blaine Bettinger on 01/27/2022.
84.	(Currently amended) A first node for use in a system, the first node comprising:
a memory comprising non-transitory machine-readable medium; and 
a processor;
 wherein the first node is configured to:
determine a plurality of keys for enabling a computation by a plurality of worker nodes in the system, wherein the computation comprises a plurality of computation parts, each computation part being computed in a privacy-preserving manner by a respective committee of worker nodes of the plurality of worker nodes such that there are a plurality of committees of worker nodes, at least one worker node being part of a committee for a first computation part but not of a committee for a second computation part, wherein the plurality of computation parts 
publish the determined plurality of keys for access by at least one input node in the system, the plurality of worker nodes, and at least one recipient node in the system;
wherein the plurality of keys comprises:
a computation part prove key for each part of the computation for use by a worker node of the committee computing a respective computation part in proving that the worker node performed the respective computation part correctly;
a computation part verification key for each part of the computation for use by a recipient node of the at least one recipient node to verify that the worker nodes in each committee performed the respective computation part correctly with respect to one or more input commitments, one or more shared block commitments, and output commitments or output commitment openings; 
a shared block commitment generation key for each shared block for use by the worker node of the plurality of worker nodes in determining the shared block commitment or a secret share of the shared block commitment for the shared block; 
an input commitment generation key for each input node and computation part combination for use by the input node in determining the input commitment for an input to the respective computation part; and
an output commitment generation key for each recipient node and computation part combination for use by the worker node of the committee computing the computation part in determining the output commitment or a secret share of the output commitment for a result of the computation part; 


85. 	(Previously presented) A first node as claimed in claim 84, wherein the computation part verification key is the same for each type of computation part.

86. 	(Previously presented) A first node as claimed in claim 84, wherein the at least one recipient node is to provide one or more parameter values for the computation, and wherein the computation part verification key is different for each type of computation part.

87. 	(Previously presented) A first node as claimed in claim 84, wherein the first node is further configured to:
determine one or more of a shared block commitment verification key for each shared block, an input commitment verification key for each input commitment generation key and an output commitment verification key for each output commitment generation key.

88. 	(Currently amended) A method of operating a first node in a system, wherein the method comprises:
determining a plurality of keys for enabling a computation by a plurality of worker nodes in the system, wherein the computation comprises a plurality of computation parts, each computation part being computed in a privacy-preserving manner by a respective committee of worker nodes of the plurality of worker nodes such that there are a plurality of committees of worker nodes, at least one worker node being part of a committee for a first computation part 
publishing the determined plurality of keys for access by at least one input node in the system, the plurality of worker nodes, and at least one recipient node in the system;
wherein the plurality of keys comprises: 
a computation part prove key for each part of the computation for use by a worker node of the committee computing a respective computation part in proving that the worker node performed the respective computation part correctly; 
a computation part verification key for each part of the computation for use by a recipient node of the at least one recipient node to verify that the worker nodes in each committee performed the respective computation part correctly with respect to one or more input commitments, one or more shared block commitments, and output commitments or output commitment openings; 
a shared block commitment generation key for each shared block for use by a worker node of the plurality of worker nodes in determining the shared block commitment or a secret share of the shared block commitment for the shared block;
an input commitment generation key for each input node and computation part combination for use by the input node in determining the input commitment for an input to the respective computation part; and
an output commitment generation key for each recipient node and computation part combination for use by the worker node of the committee computing the computation part in determining the output commitment or a secret share of the output commitment for a result of the computation part;


89. 	(Currently amended) The first node as claimed in claim 84, further comprising wherein the input node has one or more inputs for  the computation and the computation comprises a plurality of parts, and wherein the input node is configured to:
obtain the one or more input commitment generation keys for the input node, wherein an input commitment scheme used to generate the input commitment generation keys supports reuse of the input commitments in multiple computation parts, the one or more input commitment generation keys being published by the first node according to claim 84; 
determine, using the obtained one or more input commitment generation keys, the input commitment and an input commitment opening for each of the one or more inputs; 
output the one or more determined input commitments; and
send, to each worker node in the system that is to perform the computation part on the input, a respective secret share of the determined input commitment opening for the input.

90. 	(Currently amended) The first node as claimed in claim 89, further comprising wherein the input node is further configured to:
send, to each worker node in the system that is to perform the first computation part on the input, the respective secret share of the determined input commitment opening for the input; 
the second computation part on the input, the respective secret share of the determined input commitment opening for the input.

91.	(Currently amended) The method of claim 88, wherein the method further comprises operating the input node in a system, wherein the input node has one or more inputs for 
obtaining the one or more input commitment generation keys for the input node, wherein an input commitment scheme used to generate the input commitment generation keys supports reuse of the input commitments in multiple computation parts, the one or more input commitment generation keys being published according to the method of claim 88; 
determining, using the obtained one or more input commitment generation keys, the input commitment and an input commitment opening for each of the one or more inputs; 
outputting the one or more determined input commitments; and
sending, to each worker node in the system that is to perform  the computation part on the input, a respective secret share of the determined input commitment opening for the

92. 	(Currently amended) The first node as claimed in claim 84, further comprising wherein the worker node is configured to:
receive, from one or more other nodes in the system, a respective secret share of one or more input commitment openings for the one or more inputs to the computation part of the computation to be performed by the worker node; 
the one or more output commitment generation keys; 
obtain the computation part prove key for the computation part to be performed by the worker node; 
wherein a computation part proving scheme used to generate the computation part prove key supports reuse of commitments in multiple computation part proofs of different types of computation, the computation part proof key and the one or more output commitment generation keys being published by the first node according to claim 84;
compute the result of the computation part using the received respective secret share of the one or more input commitment openings, wherein the result of the computation part is computed as the privacy-preserving computation by the worker node and the one or more other worker nodes, wherein the worker node and the one or more other worker nodes form a first committee of worker nodes;
determine, using the obtained one or more output commitment generation keys, the output commitment or the secret share of the output commitment and the secret share of the output commitment opening for the result of the computation part;
generate, using the computation part prove key, a computation part proof or a secret share of the computation part proof for use in proving that the worker node performed the computation part correctly with respect to the one or more input commitment openings and the determined output commitment openings; and
output the computation part proof or the secret share of the computation part proof.

93. 	(Currently amended) The first node as claimed in claim 92, further comprising wherein the worker node is configured to generate the secret share of the computation part proof and cooperate with the one or more other worker nodes in the 

94. 	(Currently amended) The first node as claimed in claim 92, further comprising wherein one or both of (i) the one or more other nodes, other than the worker node, in the system that the respective secret share of the one or more input commitment openings is received from, and (ii) the one or more other nodes in the system that the secret share of the output commitment opening is sent to, is a second committee of worker nodes comprising a plurality of worker nodes that perform a different computation part of the computation

95. 	(Currently amended) The first node as claimed in claim 92, further comprising wherein the worker node is further configured to: 
obtain one or more input commitments for the one or more inputs; 
perform a check with the one or more other worker nodes in the first committee that the secret shares of the one or more input commitment openings correspond to the one or more input commitments; and
compute the result of the computation part if the obtained secret shares of the one or more input commitment openings correspond to the one or more input commitments.

96. 	(Currently amended) The method of claim 88, wherein the method further comprises operating a worker node in a system, wherein the operation comprises:
receiving, from one or more other nodes in the system, a respective secret share of one or more input commitment openings for the one or more inputs to the computation part of the computation to be performed by the worker node;
the one or more output commitment generation keys;
obtaining the computation part prove key for the computation part to be performed by the worker node; 
wherein a computation part proving scheme used to generate the computation part prove key supports reuse of commitments in multiple computation part proofs of different types of computation, the computation part proof key and the one or more output commitment generation keys being published according to the method of claim 88;
computing the result of the computation part using the received respective secret share of the one or more input commitment openings, wherein the result of the computation part is computed as  the privacy-preserving computation by the worker node and the one or more other worker nodes, wherein the worker node and the one or more other worker nodes form a first committee of worker nodes;
determining, using the obtained one or more output commitment generation keys, the output commitment or the secret share of the output commitment and the secret share of the output commitment opening for the result of the computation part;
generating, using the computation part prove key, a computation part proof or a secret share of the computation part proof for use in proving that the worker node performed the computation part correctly with respect to the one or more input commitment openings and the determined output commitment openings; and
outputting the computation part proof or the secret share of the computation part proof.

97. 	(Currently amended) The first node as claimed in claim 92, further comprising wherein the recipient node is configured to:
the one or more worker nodes in the system, the secret shares of the one or more output commitment openings for the outputs of the one or more computation parts of the computation performed by the one or more worker nodes, wherein the output from one computation part to another computation part is the shared block;
obtain one or more published input commitments for the one or more inputs to the computation provided by the one or more input nodes in the system; 
obtain the one or more shared block commitments for the one or more shared blocks provided from a first committee of worker nodes to a second committee of worker nodes; 
form an output of the computation from the received secret shares of the one or more output commitment openings; 
obtain a computation part proof or secret shares of the computation part proof for each part of the computation;
obtain the computation part verification key being published by the first node according to claim 84; and 
use the computation part proof or secret shares of the computation part proof for each part of the computation and the one or more computation part verification keys to verify that the worker nodes in each committee performed the respective computation part correctly with respect to the one or more input commitments, the one or more shared block commitments and the output commitment openings or the output commitments.

98. 	(Currently amended) The method of claim 88, wherein the method further comprises operating a recipient node in a system, wherein the operation comprises:
receiving, from the one or more worker nodes in the system, the secret shares of the one or more output commitment openings for the outputs of the one or more computation parts of the computation performed by the one or more worker nodes, wherein the output from one computation part to another computation part is the shared block;
obtaining one or more published input commitments for the one or more inputs to the computation provided by the one or more input nodes in the system;
obtaining the one or more shared block commitments for the one or more shared blocks provided from a first committee of worker nodes to a second committee of worker nodes;
forming an output of the computation from the received secret shares of the one or more output commitment openings;
obtaining a computation part proof or secret shares of the computation part proof for each part of the computation;
obtaining the computation part verification key for each part of the computation, the computation part verification key being published according to the method of claim 88; and 
using the computation part proof or secret shares of the computation part proof for each part of the computation and the one or more computation part verification keys to verify that the worker nodes in each committee performed the respective computation part correctly with respect to the one or more input commitments, the one or more shared block commitments and the output commitment openings or the output commitments.

99. 	(Previously presented) A computer program product comprising a non-transitory computer-readable storage medium having computer readable code embodied therein, the computer readable code being configured such that, on execution by a suitable computer or processor, the computer or processor is caused to perform the method of claim 88.


Reasons for Allowance
Claims 84-99 are allowed.  
The following is an examiner’s statement of reasons for allowance:  The cited prior art references, do not alone or in combination teach the recited features of independent claims 84 or 88 when read in light of the specification.  In this case, the allowance is based on the combination of the limitations in each independent claim, in particular, the specificity of the recited steps, and not on any single limitation.  For example, the claims require that the user device 1) a plurality of worker nodes such that there are a plurality of committees of worker nodes; 2) at least one worker node being part of a committee for a first computation part, but not of a committee for a second computation part; 3) a plurality of public keys including a computation part prove key, computation part verification key, shared block commitment generation key, input commitment generation key, and output commitment generation key; and 4) wherein the recipient node is configured to receive the output commitment or the secret share of the output commitment from at least one respective worker node of each of the plurality of committees of worker nodes.  
Schoenmakers et al., “Trinocchio: Privacy-Friendly Outsourcing by Distributed Verifiable Computation”, International Association for Cryptological Research, Vol. 20160707, 7 July 2016, pg. 1-33 included in the IDS dated 07/03/2019 teaches a plurality of worker nodes such that there are a plurality of committees of worker nodes, and a plurality of key for enabling secure computation including a computation part prove key, a computation part verification key, a shared block commitment generation key, and an input commitment generation key.  Such keys allows for secure multiparty computations between committees of workers.  However Trinocchio does not teach the output commitment generation key nor a recipient node that receives an output commitment from each of the plurality of committees.  Instead, a bulletin board is used for workers to post shares on the bulletin board so that the recipient node may look them up. 

Veeningen, “Geppettri: Distributed Privacy-Preserving Verifiable Computation”, IEEE Symposium on Security and Privacy, Date of Conference, 17-21 May 2015 teaches combining Trinocchio and Geppetto such that certain information is saved so that when a proof is requested, some residual information used by each of the workers that participated at some stage may be combined to obtain an overall proof of correctness.  When requested to produce a proof, the workers in the committee build secret shares and supply them to a verifier.  However, Geppettri, similarly to Trinocchio and Geppetto does not teach each of the plurality of committees of worker nodes providing an output commitment or secret share of the output commitment to the recipient node, as 1) such secret share of the output commitment is provided by the workers to a verifier and 2) does not disclose that each committee participates in the computation.   Claim 84 and 88 combines the functions of a verifier node and a recipient node into one node, and the verifier/recipient node collects information from all committees as opposed to only all committees that participates in the computation.  
Other references such as Kamara et al. (US Patent No. 9,077,539), Dolev et al. (US Patent No. 9,742,739), Raykova et al. (US Patent No. 9,191,196), and Nisson et al. (US Pub. 2013/0254255) systems of distributed multiparty computation where worker nodes participate in secure computations.  However, none of the systems use a Geppetto type system where the worker nodes are merged into committees, 
As for other NPL, other techniques do not utilize the Geppettri system where workers provide secret shares to a verifier.  For example, Boyle et al.,"Large-Scale Secure Computation," IACR Cryptology ePrint Archive, March, 2014 discloses protocols to scale to preserve individual memory and computation requests as the number of parties and expanse of data increases.  A committee of parties is elected to ensure 2/3 honest members, and so there’s no reason for the worker to send secret shares to validate the computations done by the worker shares.  Volgushev et al., "Programming Support for an Integrated Multi-Party Computation and MapReduce Infrastructure," 2015 Third IEEE Workshop on Hot Topics in Web Systems and Technologies, November, 2015, pg. 60-66 teaches a process to allow MPCs to leverage MapReduce, and discloses a single controller that controls all worker nodes in order to provide the secure MPC.  It does not disclose committees of worker nodes where one worker node is part of one committee, but not a second committee.  
These along with the other recited features of independent claims 84 and 88 and their dependent claims make the claimed inventions allowable over the prior arts of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493                                                                                                                                                                                                        
/Jeremy S Duffield/Primary Examiner, Art Unit 2498