DETAILED ACTION
The following claims are pending in this office action: 1-20
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings filed on 09/17/2020 are accepted.  
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/01/2022 and 04/18/2022 have been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS form 1449 filed 03/01/2022 and 04/18/2022 have been attached to the instant Office action. 
Claim Objections
Claims 4 and 7 are objected to because of the following informalities:
Claim 4 recites the limitation “the data accumulation operation for a random value” (claim 4, ln. 5-6). It is unclear whether applicant intends to refer to “a data accumulation operation to accumulate random values” (claim 1, ln. 11).  If so, examiner suggests “the data accumulation operation for a random value of the plurality of accumulated random values” to confirm with “the accumulated random values” (claim 1, ln. 14).  
Claim 7 recites the limitation “multiple sources” (claim 7, ln. 6). It is unclear whether applicant intends to refer to “multiple sources” (claim 6, ln. 4).  If so, examiner suggests “the multiple sources”.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, and 8-20 are rejected under 35 U.S.C. 103 as being unpatentable over de Almeida et al. (US Pub. 2020/0026883) (hereinafter “de Almeida”) in view of Shen-Orr et al. (US Pub. 2014/0143883) (hereinafter “Shen-Orr”)

As per claim 1, de Almeida teaches one or more non-transitory computer-readable storage mediums having stored thereon executable computer program instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: performing a process for calculation of an authentication tag for a data encryption operation, including: ([de Almeida, para. 0021-0022; claim 2-3] methods and the system described relate to computation of GHASH function values which are used in an authenticated encryption/decryption operation to produce an authentication tag.  [Para. 0123] the method described is embodied in a computer program stored in a computer-readable non-transitory storage medium, that is executed by a computing device with one or more processors [see para. 0117])
receiving a plurality of data blocks for calculation, ([de Almeida, Fig. 2; para. 0093] the processing device receives i numbers of [a plurality of] Ci data blocks for computation of the GHASH values) and performing calculation utilizing the received plurality of data blocks and the one or more random values to generate intermediate values; ([de Almeida, Fig. 2; para. 050] the first multiplier 210 uses the mask M [see para. 0037: “a random integer value”] and Ci data blocks to produce intermediate values X’i [see para. 0071: a “masked intermediate result”])
performing a data accumulation operation to accumulate random values in calculation of the data blocks; and ([de Almeida, Fig. 2; para. 050] “the accumulator 225 is employed to store” [accumulate] “the result of performing, by the adder, the exclusive disjunction operation” [a data accumulation operation] “on the masked result” [random value, as the mask is a “random integer value”– see para. 0037] “of the previous iteration” [a plurality] and “the output of the selector” [data blocks, so calculation of the data blocks])
calculating the authentication tag based at least in part on the generated intermediate values and the accumulated random values. ([de Almeida, claim 2-3] the authentication encryption/decryption operation utilizes the value of the function to produce an authentication tag)
De Almeida does not clearly teach generating one or more random values utilizing a pseudo-random number generator. 
However, Shen-Orr teaches generating one or more random values utilizing a pseudo-random number generator.  ([Shen-Orr, para. 0035] “a random number generator provides bit values to generate a dummy value”; “the term ‘random’ should be understood broadly to include both true random and pseudo-random bit generators”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by de Almeida with the teachings of Shen-Orr to include generating one or more random values utilizing a pseudo-random number generator.  One of ordinary skill in the art would have been motivated to make this modification because the introduction of randomness facilitates introduction of noise into algorithms used by cryptographic systems as to mask the secret value and to provide protection against power analysis attacks.  (Shen-Orr, para. 0007)

As per claim 2, de Almeida in view of Shen-Orr teaches claim 1. 
De Almeida also teaches wherein calculating the authentication tag is further based on a received counter value.  ([de Almeida, Fig. 2; para. 0053] “the adder 270 performs the unmasking operation” [thus the authentication tag calculation – see claims 2-3] “by using k, where k denotes the number of iterations” [a received counter value])

As per claim 3, de Almeida in view of Shen-Orr teaches claim 2.
De Almeida also teaches wherein calculation of the authentication tag is performed after processing of all of the plurality of data blocks.  ([de Almeida, Fig. 6; para. 0098-0099] “if the current input block is the last one” [after processing of all of the plurality of data blocks] “the processing device produces the unmasked result value”.  [Claim 2-3] the authentication encryption/decryption operation then utilizes the unmasked result value to generate the authentication tag)

As per claim 4, de Almeida in view of Shen-Orr teaches claim 1.
De Almeida also teaches performing one or more dummy operations between processing of a data block of the plurality of data blocks and performing the data accumulation operation for a random value.  ([de Almeida, para. 0051] an operation for generating a mask and then removing it using a second multiplier 0051 [a dummy operation as it nets the same result if the operation is not performed – see para. 0017: S=S*⊕M=(S⊕M)⊕M=S⊕(M⊕M)=S⊕0=S], and Fig. 1. where the second multiplier is unnecessary].  [Fig. 6; step 640] first, the multiplication operation that produces the masked data [performing the data accumulation operation] occurs.  [Fig. 6; step 650] then the multiplication operation that produces the mask correction value [performing one or more dummy operations] occurs.  [Fig. 6; step 670] finally, the processing of a data block is accomplished where the output is unmasked)

As per claim 5, de Almeida in view of Shen-Osrr teaches claim 1.
De Almeida also teaches storing the intermediate values in a first register and storing the accumulated random values in a second register.  ([de Almeida, Fig. 2; para. 0050] “the value produced by the first multiplier 210” [the intermediate value – see para. 0071] is “stored in register 240”: a first register.  “The accumulator 225” [a second register] “is employed to store the result of the exclusive disjunctive operation on the masked result of X’i-1 and the output of the selector” [accumulated random values])

As per claim 6, de Almeida in view of Shen-Orr teaches claim 1.
De Almeida also teaches intermediate values for calculation of the authentication tag.  ([De Almeida, Fig. 2; para. 050] the first multiplier 210 uses the mask M [see para. 0037: “a random integer value”] and Ci data blocks to produce intermediate values X’i [see para. 0071: a “masked intermediate result”]. The authentication encryption/decryption operation utilizes the value of the function [determined by the intermediate value] to produce an authentication tag.  )
De Almeida does not clearly teach multiplexing between multiple sources in providing the intermediate values. 
However, Shen-Orr teaches multiplexing between multiple sources in providing the intermediate values.  ([Shen-Orr, Fig. 1; para. 0027] “a secret data source” [intermediate value source] “provides secret data on demand to a register, which is then read out”. “The secret data source may comprise any circuit element that receives or computes a secret value” [intermediate value] “for loading into the register”.  “A suitable switching element, such as a multiplexer 30” selects whether to provide the secret data source or multiple dummy data generators [multiplexing between multiple sources])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by de Almeida with the teachings of Shen-Orr to include multiplexing between multiple sources in providing the intermediate values.  One of ordinary skill in the art would have been motivated to make this modification because side-channel attacks are foiled by means of dummy values [such as the second multiplier values described in claim 1 above], which are generated dynamically within a circuit that may not be subject to an attack and are not available to the attacker.  (Shen-Orr, para. 0022)

As per claim 8, de Almeida in view of Shen-Orr teaches claim 6.
De Almeida also teaches calculating a final value for the authentication tag.  ([De Almeida, Fig. 2; para. 050] the first multiplier 210 uses the mask M [see para. 0037: “a random integer value”] and Ci data blocks to produce intermediate values X’i [see para. 0071: a “masked intermediate result”]. The authentication encryption/decryption operation utilizes the value of the function [determined by the intermediate value - a final value] to produce an authentication tag)
De Almeida does not clearly teach wherein the multiplexing includes implementation of one or more multiplexers that are utilized.
However, Shen-Orr teaches wherein the multiplexing includes implementation of one or more multiplexers that are utilized in calculating a final value. ([Shen-Orr, Fig. 1; para. 0027] “A suitable switching element, such as a multiplexer 30” is used for multiplexing.  The multiplexer is used utilized to provide “secret values” [intermediate value] and so utilized in calculating a final value)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of de Almeida and Shen-Orr for the same reasons as disclosed above.  

As per claim 9, de Almeida in view of Shen-Orr teaches claim 1.
De Almeida also teaches wherein the data encryption operation is an AES-GCM (Advanced Encryption Standard-Galois Counter Mode) encryption operation. ([de Almeida, para. 0020-0021] the system and methods are employed for “protecting, from side-channel attacks, implementations of a wide spectrum polynomial hash functions, such as Poly1305 cryptographic message authentication code” [the original, based on AES]; “the keyed GAHASH function utilized in the Galois Counter Mode of Operation (GCM) method” [AES-GCM] involving encryption/decryption)

As per claim 10, de Almeida teaches a system comprising one or more processors including one or more processing cores, the one or more processor to calculate an authentication tag for a data encryption operation; and ([de Almeida, para. 0117-0118] the example computing system includes a processing device comprising one or more processing cores for performing the operations and steps described.  [Para. 0021-0022; claim 2-3] methods described relate to computation of GHASH function values which are used in an authenticated encryption/decryption operation to produce an authentication tag)
a memory for storage of data, including data for one or more secure operations.  ([de Almeida, para. 0024] the masked iteration results [data for one or more secure operations] appears asynchronously in memory)
The system claim comprises one or more processors that performs operations performed by the one or more processors of claim 1, has language that is identical or substantially similar to the operations of claim 1, and thus is rejected with the same rational applied against claim 1.  

As per claim 11, de Almeida in view of Shen-Orr teaches claim 10.
De Almeida also teaches wherein calculating the authentication tag is further based on a received counter value; and ([de Almeida, Fig. 2; para. 0053] “the adder 270 performs the unmasking operation” [thus the authentication tag calculation – see claims 2-3] “by using k, where k denotes the number of iterations” [a received counter value])
calculation of the authentication tag is performed after processing of all of the plurality of data blocks. ([de Almeida, Fig. 6; para. 0098-0099] “if the current input block is the last one” [after processing of all of the plurality of data blocks] “the processing device produces the unmasked result value”.  [Claim 2-3] the authentication encryption/decryption operation then utilizes the unmasked result value to generate the authentication tag)

As per claim 12, de Almeida in view of Shen-Orr teaches claim 10.
Almeida does not clearly teach upon processing a data block, update a state or value for the pseudo-random number generator during one or more clock cycles prior to receiving a next data block.  
However, Shen-Orr teaches upon processing a data block, update a state or value ([Shen-Orr, para. 0027] “when a register receives” [upon] “a secret value” [data block], “the multiplexer 30, is activated… to read the secret value… and a dummy value [output the new dummy value]… in succession [upon processing a data block]; [para. 0035] the values are updated each time a new dummy value is to be output) for the pseudo-random number generator during one or more clock cycles ([para. 0022] “the dummy value” [a value for the pseudo-random number generator – see para. 0035] is inserted “in rapid succession…i.e. within one or a few clock cycles”) prior to receiving a next data block.  ([para. 0029] multiplexer 30 reads the dummy value into register 24 for a short period immediately prior to reading in the secret value [receiving a next data block])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by de Almeida with the teachings of Shen-Orr to include upon processing a data block, update a state or value for the pseudo-random number generator during one or more clock cycles prior to receiving a next data block.  One of ordinary skill in the art would have been motivated to make this modification because tables [random numbers] used in computation are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attacks will not be able to obtain the table contents by analysis of measurements.  (Shen-Orr, para. 0008)

As per claim 13, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.
	
As per claim 14, de Almeida in view of Shen-Orr teaches claim 10.
De Almeida also teaches intermediate values for calculation of the authentication tag.  ([De Almeida, Fig. 2; para. 050] the first multiplier 210 uses the mask M [see para. 0037: “a random integer value”] and Ci data blocks to produce intermediate values X’i [see para. 0071: a “masked intermediate result”]. The authentication encryption/decryption operation utilizes the value of the function [determined by the intermediate value] to produce an authentication tag)
De Almeida does not clearly teach one or more multiplexers to multiplex between multiple sources in providing the intermediate values.
However, Shen-Orr teaches one or more multiplexers to multiplex between multiple sources in providing the intermediate values. ([Shen-Orr, Fig. 1; para. 0027] “a secret data source” [intermediate value source] “provides secret data on demand to a register, which is then read out”. “The secret data source may comprise any circuit element that receives or computes a secret value” [intermediate value] “for loading into the register”.  “A suitable switching element, such as a multiplexer 30” selects whether to provide the secret data source or multiple dummy data generators [multiplexing between multiple sources])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by de Almeida with the teachings of Shen-Orr to include one or more multiplexers to multiplex between multiple sources in providing the intermediate values.  One of ordinary skill in the art would have been motivated to make this modification because side-channel attacks are foiled by means of dummy values [such as the second multiplier values described above], which are generated dynamically within a circuit that may not be subject to an attack and are not available to the attacker.  (Shen-Orr, para. 0022)

As per claim 15, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 16, the claim language is identical or substantially similar to that of claim 9. Therefore, it is rejected under the same rationale applied to claim 9.
	
As per claim 17, de Almeida teaches a method for calculation of an authentication tag for an AES-GCM (Advanced Encryption Standard-Galois Counter Mode) data encryption operation.  ([de Almeida, para. 0020-0021] the methods are employed for “protecting, from side-channel attacks, implementations of a wide spectrum polynomial hash functions, such as Poly1305 cryptographic message authentication code” [the original, based on AES]; “the keyed GAHASH function utilized in the Galois Counter Mode of Operation (GCM) method” [AES-GCM] involving encryption/decryption)
The method describes operations performed by the one or more processors of claim 1, has language that is identical or substantially similar to the operations of claim 1, and thus is rejected with the same rational applied against claim 1.  

As per claim 18, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 19, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 20, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.  

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over de Almeida in view of Shen-Orr as applied to claim 6 above, and further in view of Baker et al. (US 2018/0062830) (hereinafter “Baker”).

As per claim 7, de Almeida in view of Shen-Orr teaches claim 6.  
Almeida teaches calculation of the authentication tag.  ([De Almeida, Fig. 2; para. 050] the authentication encryption/decryption operation utilizes the value of the function [determined by the intermediate value] to produce an authentication tag.  The first multiplier 210 uses the mask M [see para. 0037: “a random integer value”] and Ci data blocks to produce intermediate values X’i [see para. 0071: a “masked intermediate result”].  Multiplexing between multiple sources in providing the intermediate values is taught by Shen-Orr below. Optimization, including performing one or more protective operations to maintain the multiplexing is taught by Baker below)
Almeida does not clearly teach performing optimization including performing one or more protective operations to maintain the multiplexing between multiple sources in providing the intermediate values.  
However, Shen-Orr teaches multiplexing between multiple sources in providing the intermediate values.  ([Shen-Orr, Fig. 1; para. 0027] “a secret data source” [intermediate value source] “provides secret data on demand to a register, which is then read out”. “The secret data source may comprise any circuit element that receives or computes a secret value” [intermediate value] “for loading into the register”.  “A suitable switching element, such as a multiplexer 30” selects whether to provide the secret data source or multiple dummy data generators [multiplexing between multiple sources])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by de Almeida with the teachings of Shen-Orr to include multiplexing between multiple sources in providing the intermediate values.  One of ordinary skill in the art would have been motivated to make this modification because side-channel attacks are foiled by means of dummy values [such as the second multiplier values described above], which are generated dynamically within a circuit that may not be subject to an attack and are not available to the attacker.  (Shen-Orr, para. 0022)
Almeida in view of Shen-Orr does not clearly teach performing optimization including performing one or more protective operations to maintain the multiplexing.
However, Baker teaches performing optimization ([Baker, para. 0036] a synthesis tool or an optimization process for a circuit is disclosed) including performing one or more protective operations to maintain the multiplexing. ([Para. 0036] “inputs are associated with a constraint” [one or more protective operations] so that the tool/process “may not remove [maintain] portions of the substitution box” [multiplexer – see para. 0035 and Fig. 4] “during an optimization process that removes redundant portions of a design”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by de Almeida in view of Shen-Orr with the teachings of Baker to include performing optimization including performing one or more protective operations to maintain the multiplexing.  One of ordinary skill in the art would have been motivated to make this modification because implementing such a system in hardware, without removing portions of it during optimization, reduces the susceptibility the system to a side channel attack.  (Baker, para. 0017; para. 0036)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Parhi et al. (Patent No. 11,061,997) discloses using multiplexers for obfuscation of key bits, including intermediate signals, which prevents an attacker from tracing key inputs of the design.  
Wurcker et al. (US Pub. 2017/0373830) discloses protection for an integrated circuit or a software program against side channel analysis by masking sensitive data using a random value.  The technique described is used to protect AES algorithms for encrypting data.  
Fritzke, Austin W, "Obfuscating Against Side-Channel Power Analysis Using Hiding Techniques for AES" Theses and Dissertations, Air Force Institute of Technology, (2012), discloses either adding random mask to the intermediate values to prevent High-Order DPA attacks, and a LFSR connected the multiplexer so that outputs stored in 1 of 4 locations are randomly chosen to prevent attacks.   
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493