DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to an application filed 02/03/2022 wherein claims 1 – 21 are pending and ready for examination.  

Response to Arguments
Applicant's arguments filed 02/03/2022 have been fully considered but they are not persuasive.

Section 103 Rejection of Claims 1, 2, 6-9, 13-16, 20, and 21
Applicant Asserts: Applicants respectfully submit that the features of amended claim 1 are not taught or suggested by Ranellucci or Joy, considered individually or in combination. For example, these references fail to teach or suggest “receiving, by each server in a plurality of servers executing a secure multi-party computation (MPC) protocol, shares of a plurality of inputs to the MPC protocol from a plurality of clients, wherein the plurality of servers are distinct from the plurality of clients, wherein each input in the plurality of inputs is private to each client in the plurality of clients, and wherein each share is generated from its corresponding input using a threshold secret sharing scheme.”

The Office Action asserts that the foregoing “receiving...” limitation is taught by
Ranellucci at paragraphs 22 and 4. (Office Action: pg. 3). However, as explained at the
Examiner interview, the cited sections of Ranellucci merely describe a single set of nodes (also
referred to as “parties’”) that carry out a method for computing a signature on a message via an
MPC protocol. The Office Action interprets this single set of nodes as corresponding to both the
“plurality of servers” and “plurality of clients” in Applicants’ claim 1.

Examiner Response:  The Examiner finds support for the amended claims at applicant cited location.  The instant specification illustrates Figure 1 and discloses a plurality of servers and clients. Ranellucci teaches nodes that can be servers and other computing entities to include a server farm/cluster at location [0034].  Applicant amends to cite: wherein the plurality of servers are distinct from the plurality of clients.  The Examiner finds one of ordinary skill in the art would understand a server(s) and client/node(s) in operation would include indicators of distinctness by identification or some other means for secure computing.  However, the Examiner does not find that Ranellucci teaches the configuration explicitly but secondary reference Joy does indeed teach the amended claim language whereby the plurality of servers are distinct from the plurality of clients.  Joy in Figure 8 below, depicts data nodes 204a…n and aggregators 206a….n.  The aggregators are the servers (Joy [0037]).

    PNG
    media_image1.png
    319
    539
    media_image1.png
    Greyscale

Here, Joy is using MPC to perform the cryptographic operation. 
Applicant Asserts: Further, because Ranellucci fails to distinguish between clients and servers,
Ranellucci also necessarily fails to teach or suggest “for each invalid share, determining, by said each server, whether a client that submitted the invalid share or a server that holds the invalid share is corrupted” as required by Applicants’ claim 1. The deficiencies of Ranellucci in this regard are not remedied by Joy.

Examiner Response: As per Examiner response above, the rejection is maintained at the cited location because as explained in the previous office action the claimed ‘invalid share’ is taught by Ranellucci as ‘verifying value’ because the object of the verification is to determine an invalid share which is a corrupt share.

Section 103 Rejections of Remaining Claims
Applicant Asserts: Claims 3, 4, 10, 11, 17, and 18 depend from independent claims 1, 8, and 15
respectively, which are not rendered obvious by Ranellucci and/or Joy as discussed above. El
Defrawy 1 and El Defrawy 2 do not provide any teachings that remedy the deficiencies of
invalid share is corrupted” as required by Applicants’ claim 1. The deficiencies of Ranellucci in this regard are not remedied by Ranellucci and Joy in this regard. Accordingly, claims 3, 4, 10, 11, 17, and 18 are allowable for at least a similar rationale as discussed for claims 1, 8, and 15, and others.

Examiner Response:  The Examiner maintains the prior art rejections of claims 3, 4, 10, 11, 17, and 18 based on responses to applicant assertions regarding claim 1 above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 6-9, 13-16 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Ranellucci; Samuel et al, US 20200153640 A1, May 14, 2020 hereafter referred to as Ranellucci in view of Joy; Joshua, US 20170353855 A1, December 12, 2007, hereafter referred to as Joy. 

          As to claim 1, Ranellucci teaches a method - Ranellucci [0020] FIG. 1 discloses a method of deriving a key, comprising:
          receiving, by each server in a plurality of servers executing a secure multi-party computation (MPC) protocol shares of a plurality of inputs to the MPC protocol from a plurality of clients, wherein the plurality of servers are distinct from the plurality of clients, wherein each input in the plurality of inputs is private to each client in the plurality of clients - Ranellucci [0022 and 0034] since at ’22 Step 120 discloses the multiple nodes compute the derivation key using an MPC process. The MPC process is performed in a manner in which the entire key and the derivation key are never accessible to a single entity.  The MPC process receives as input a derivation string which is public to all the nodes, and key shares provided by the nodes. The output of the MPC process is shares of the derivation key and authentication information since at ’34 In step 340, each node P.sub.i receives the cryptographic commitment from the other node. exchange of the commitments, commitment openings and additional messages between the nodes may be performed via a wired or wireless channel. In some exemplary cases, the nodes are different and distinct entities located nearby, even in the same building or server farm/cluster.  Here, the claimed ‘plurality of servers’ is taught by Ranellucci as ‘multiple nodes’ because Ranellucci disclose that these nodes may be servers [0021]. The claimed  ‘plurality of clients’ is suggested by Ranellucci as ‘nodes are different and distinct entities’ because servers and nodes are in fact different and distinct. The claimed ‘input is private’ is taught by Ranellucci as ‘never accessible’ since MPC concept is the share inputs remain private), and wherein each share is generated from its corresponding input using a threshold secret sharing scheme - Ranellucci [0004] a method is provided for securely applying derandomization to threshold signing schemes that guarantees that for each message there is at most one signature.  Here, the claimed ‘sharing’ is taught by Ranellucci as ‘signing’ because the signature is being shared);

           verifying, by said each server, whether the shares of the plurality of inputs are valid or invalid - Ranellucci [0030 and 0032] since at ’30 FIG. 3 discloses a method for computing and encrypting the output of the selected function to verify correctness of the key shares, according to exemplary embodiments of the invention Here, the claimed ‘valid or invalid’ is taught by Ranellucci as ‘correctness’ since at ’32; each node P.sub.i computes Q′.sub.i=x′.sub.i.Math.G. G is the generator (or base point) of the Elliptic curve being used. It should be noted that x′.sub.i cannot be extracted from Q′.sub.i, as G is an irreversible function. Here, the claimed ‘by said each server’ is taught by Ranellucci as ‘each node P.sub.i)’
          for each invalid share, determining, by said each server, whether a client that submitted the invalid share or a server that holds the invalid share is corrupted - Ranellucci [0047] During the verifying process, each party of the multiple parties provides one of the values based on a random mechanism, such as a computerized coin toss. This random mechanism is executed multiple times, for example in the range of 20-50 times, to verify that at least once the share of the pseudo random string is provided by the multiple parties and at least once the verifying value is provided by the multiple parties. This way, in case the party wishes to provide a corrupted value, the verifying value is revealed, and the signing process stops.  Here, the claimed ‘invalid share’ is taught by Ranellucci as ‘value’ which has to match the verifying value or is deemed to be invalid.  The claimed ‘determining’ is taught by Ranellucci as ‘computerized coin toss’ which is the means to distribute the verifying value)
          upon determining that the client that submitted the invalid share is corrupted, ignoring, by said each server, the input of the client during a computation phase of the MPC protocol - Ranellucci [0047] …This way, if one of the parties provides an incorrect value, the corrupted party is revealed, and the corrupted pseudo random string is not used.  Here, the claimed ‘invalid share’ is taught by Ranellucci as incorrect value. The claimed ‘ignoring’ is taught by Ranellucci as ‘not used’) and
            upon determining that the server that holds the invalid share is corrupted - Ranellucci [0047] During the verifying process…, if one of the parties provides an incorrect value, the corrupted party is revealed, and the corrupted pseudo random string is not used), RANELLUCCI DOES NOT TEACH wherein the plurality of servers are distinct from the plurality of clients; preventing, by said each server, the server that holds the invalid share from participating in the computation phase HOWEVER IN AN ANALAGOUS ART THAT DIRECTED TO THE FIELD OF ENDEAVOR JOY TEACHES
              wherein the plurality of servers are distinct from the plurality of clients – Joy [0079] FIG. 8 illustrates an example embodiment 190 of Cryptographic private write mechanism. Similar to FIG. 3 each data owner 192 picks uniformly at random one database row to write their message 194a,194b, . . . , 194n. Then nodes 204a, 204b, . . . , 204n represent each data owner 196 creating shares for aggregator 198 and then writing one share to each aggregator comprising aggregator 206a, 206b and 206n. The data owners generate the shares in 196 according to Algorithm 1 Here, the claimed ‘plurality of servers’ is taught by Joy as ‘aggregator 206…206n’ whereas the claimed ‘plurality of clients’ is taught by Joy as ‘nodes 204a…n’); preventing, by said each server, the server that holds the invalid share from participating in the computation phase – Joy [0202] …wherein said instructions executed on the computer processor performing privatizing of user data while preventing any single data owner from disrupting data query input from other data users through the independent aggregators.  Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique of preventing any single data owner from disrupting data query as taught by Joy to servers P1 or P2 of Ranellucci would have yielded predicable results and resulted in an improved system, namely, a  method for enforcing correctness of key shares during a key derivation process that would enhance security as  provided by the “technique” of Joy).

          As to claim 2, the combination of Ranellucci and Joy teaches the method of claim 1 wherein there are n servers in the plurality of servers and at most t < n/4 servers are corrupted – Ranellucci [0047]  if one of the parties provides an incorrect value, the corrupted party is revealed, and the corrupted pseudo random string is not used.  Here, the claimed ‘t<n/4’ is taught by Ranellucci as ‘one of the parties’), and wherein there are N clients in the plurality of clients - Ranellucci [0004]…. The devices are defined below as parties in the MPC process.  Here, the claimed ‘N clients’ is taught by Ranellucci as ‘parties’ because the N represents the totality of parties in the MPC process) and at most (1 - p) N clients are corrupted for O < p< 1 – Joy [0137] …The share was submitted to each aggregator by the data owner. The aggregators sum these inputs to create an encrypted aggregate 214. The threshold check is calculated by subtracting the threshold from the encrypted aggregate 216. The threshold check is converted to bit representation in order for the aggregators to reveal the most significant bit (MSB) to detect if the aggregate is above or below the threshold 222.  Here, the claimed ‘(1-p)N’ is a formula that is taught by Joy as ‘threshold’ because the expression is a limiter showing via bit representation if there are corrupt shares.  Thus the same motivation for Ranellucci to consider Joy in claim 1 applies equally here in claim 2 as a means to enforce share verification).

          As to claim 6, the combination of Ranellucci and Joy teaches the method of claim 1 wherein the shares are verified on a per-client basis - Ranellucci, [0046] Step 440 discloses the parties verifying correctness of the values provided by other parties. The correctness may be verified by performing a commitment process as detailed in FIG. 5, in which each party generates a commitment and sends the commitment to the other parties).

          As to claim 7, the combination of Ranellucci and Joy method of claim 1 wherein the shares are verified together for all clients in the plurality of clients – Joy [0060]… The aggregators verify the shares as described in the previous section utilizing an anonymous share verification, for example FSS share verification. At the end of the epoch (iteration), the aggregators finalize the contributed writes into the N×L matrix without knowing which rows each data owner wrote to. Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique of data aggregation taught by Joy to the method of Ranellucci would have yielded predicable results and resulted in an improved system, namely, a FSS share verification system that would positively benefit share verification by aggregating shares on behalf of the shareholder in cases where computation on a per share basis may be intensive thereby improving Ranellucci in view of Joy.)

          As to claim 8, claim 8 is a non-transitory computer readable storage medium that is directed to the method of claim 1.  Therefore claim 8 is rejected for the reasons as set forth in claim 1.

         As to claim 9, claim 9 is a non-transitory computer readable storage medium that is directed to the method of claim 2.  Therefore claim 9 is rejected for the reasons as set forth in claim 2.
          As to claim 13, claim 13 is a non-transitory computer readable storage medium that is directed to the method of claim 6.  Therefore claim 13 is rejected for the reasons as set forth in claim 6.

          As to claim 14, claim 14 is a non-transitory computer readable storage medium that is directed to the method of claim 7.  Therefore claim 14 is rejected for the reasons as set forth in claim 7.

          As to claim 15, claim 15 is a server that is directed to the method of claim 1.  Therefore claim 15 is rejected for the reasons as set forth in claim 1.

         As to claim 16, claim 16 is a server that is directed to the method of claim 2.  Therefore claim 16 is rejected for the reasons as set forth in claim 2.

          As to claim 20, claim 20 is a server that is directed to the method of claim 6.  Therefore claim 20 is rejected for the reasons as set forth in claim 6.

         As to claim 21, claim 21 is a server that is directed to the method of claim 7.  Therefore claim 21 is rejected for the reasons as set forth in claim 7.

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ranellucci and Joy in view of El Defrawy; Karim et al, US 10423961 B1, September 24, 2019, hereafter referred to as El Defrawy.

            As to claim 3, the combination of Ranellucci and Joy teaches the method of claim 2 wherein the verifying and the determining comprises:
            initializing a counter for each server in the plurality of servers to zero – Joy [0130 and 0131] since at ‘130 initialize Z=0 since at ‘131  At the end of each epoch, each party broadcasts to all other parties it's computed Z.sub.i.   Here, the claimed ‘initializing’ is taught by Joy as ‘broadcasting’ since the Z.sub.i is set to zero); and
            upon determining that a server in the plurality of servers holds an invalid share of a consistent input sharing - Joy [0166] If a and b are both zero then the terms fall out. In the case of only a and b being the blinded message the terms fall out. If both a and b are non-zero then the difference will be a non-zero value. These shares are invalid and should be discarded:  THE COMBINATION OF RANELLUCCI AND JOY DO NOT TEACH incrementing the server’s counter by one, and if the server’s counter exceeds (1 — p)N, adding the server to a set of corrupted servers HOWEVER IN AN ANALAOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR EL DEFAWY TEACHES
            incrementing the server’s counter by one, and if the server’s counter exceeds (1 — p)N, adding the server to a set of corrupted servers - El Defrawy [column 17, lines 5-11] The transfer protocol must prevent replay attacks in which the adversary resends the transfer request, thereby moving more coins out of the sender's address than anticipated. Therefore, the (signed) transaction will contain a counter; the counter will be set to j for the j.sup.th transaction out of the address. If the user forgets the value of the counter, she can perform a balance check).  To provide the multiple computerized nodes of Ranellucci AEW counter mode encrypting techniques with Ranellucci’ s multi-party computation would have been obvious to one of ordinary skill in the art, in view of the teachings of El Defrawy, since all the claimed elements were known in the prior art and one skilled in the art before the effective filing date of the claimed invention could have combined the elements as claimed by known methods (i.e. counter-mode encryption) with no change in their respective functions, and the combination would have yielded nothing more than predictable results to one of ordinary skill in the art before the effective filing date of the claimed invention, i.e., one skilled in the art would have recognized that the use of a counter used in El Defrawy would allow the MPC nodes  of Ranellucci  synchronized verification.as  provided by the elements of El Defrawy).

             As to claim 10, claim 10 is a non-transitory computer readable storage medium that is directed to the method of claim 3.  Therefore claim 10 is rejected for the reasons as set forth in claim 3.

           As to claim 17, claim 17 is a server that is directed to the method of claim 3.  Therefore claim 17 is rejected for the reasons as set forth in claim 3.

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ranellucci and Joy in view of El Defrawy; Karim et al, US 9614676 B1, April 4, 2017, hereafter referred to as El Defrawy.
Note; Claim 4 cites another (different) El Defrawy reference and is noted as El Defrawy ‘76.

           As to claim 4, the combination of Ranellucci and Joy teaches the method of claim 1 wherein the verifying and the determining comprises: 
         determining that an input sharing submitted by a client in the plurality of clients is not consistent – Ranellucci [0047]… in case the random value is “0”, the key derivation is generated and in case the random value is “1”, the values provided by the parties are checked, for example in a manner disclosed in FIG. 2. This way, if one of the parties provides an incorrect value, the corrupted party is revealed, and the corrupted pseudo random string is not used.  RANELLUCCI DOES NOT TEACH and adding the client to a set of corrupted clients HOWEVER IN AN ANALAGOUS ART THAT IS DIRECTED TO THE SAME FIELD OF ENDEAVOR EL DEFRAWY’76 TEACHES and
        adding the client to a set of corrupted clients – El Defrawy ‘76 [column 3, lines 11-19] … iv. for each computing device, determining if the defense is accurate, such that if the accusation is not correctly rebutted, computing device P.sub.D is added to a list of known corrupted computing devices Corr, and if the accusation is correctly rebutted, then the accusing computing device is added to Corr, with the protocol terminating if computing device P.sub.D is not found to be corrupt). To provide  a black list capability to Ranellucci’ s multi-party computation would have been obvious to one of ordinary skill in the art, in view of the teachings of El Defrawy, since all the claimed elements were known in the prior art and one skilled in the art before the effective filing date of the claimed invention could have combined the elements as claimed by known methods (i.e. adding corrupt nodes to a black list) with no change in their respective functions, and the combination would have yielded nothing more than predictable results to one of ordinary skill in the art before the effective filing date of the claimed invention, i.e., one skilled in the art would have recognized that the use of a list of corrupt nodes in El Defrawy would allow the MPC nodes  of Ranellucci enhanced throughput performance by ignoring corrupt share inputs as provided by the filter list of El Defrawy).

             As to claim 11, claim 11 is a non-transitory computer readable storage medium that is directed to the method of claim 4.  Therefore claim 11 is rejected for the reasons as set forth in claim 4.

           As to claim 18, claim 18 is a server that is directed to the method of claim 4.  Therefore claim 18 is rejected for the reasons as set forth in claim 4.

Allowable Subject Matter
Claims 5, 12, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

 /WILLIAM B JONES/Examiner, Art Unit 249105/02/2022

/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491