DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The 7/16/2020 and 10/19/2020 IDS documents have been considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a function as a service associated with a service provider” (MLMS 210), “a trusted execution environment (TEE) to operate within a cloud-based environment of a cloud provider” (TEE 240), “a first encryptor” (315SP & 315U), “a machine learning framework developer” (ML PI developer), “a machine learning intellectual property developer” (ML PI developer 250), “a machine learning model framework” (ML framework tool 260), “a model evaluator” (FIG. 3 for evaluators), “a noise budget counter” (FIG. 4 for Noise Budget Controller), and “a comparator” (FIG. 4 for Noise Budget Controller) in claims 1-10.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. For instance, refer to at least [0070] of the instant specification reciting the example components which be implemented by hardware. Further refer to at least [0071] of the instant specification and FIG. 11 of the instant drawings with respect to a hardware processor. 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-5, 9-14, and 18-21 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Skourtis (US 11,341,281 B2).

Regarding claim 1, Skourtis discloses: A system to prevent unauthorized release of in-use information, the system comprising: 
a function as a service associated with a service provider (i.e., the untrusted node), the function as a service to operate on encrypted data, the encrypted data including encrypted in-use data, the encrypted in-use data to form a first portion of the in-use information; and 
Refer to at least Col. 9, Ll. 26-38, Col. 11, Ll. 11-31, and Col. 20, Ll. 10-17 of Skourtis with respect to computations which may be requested to be performed on encrypted data. 
Refer to at least Col. 10, Ll. 32-36 and Col. 18, Ll. 62-64 of Skourtis with respect to data remaining encrypted.
a trusted execution environment (TEE) (e.g., the secure computational environment including one or mnore of a CPU enclave and a GPU kernel) to operate within a cloud-based environment of a cloud provider (e.g., the cloud—at least Col. 3, Ll. 14-Col. 4, Ll. 52 of Skourtis), the function as a service to operate on the encrypted data within the TEE, the TEE to protect service provider information from access by the cloud provider, the service provider information to form a second portion of the in-use information (the calculations are performed via homomorphic encryption and the output is therefore encrypted; it is further stored encrypted, e.g., Col. 14, Ll. 22-28 and FIG. 9 of Skourtis).
Refer to at least Col. 9, Ll. 39-Col. 1, Ll. 8, Col. 13, Ll. 33-67, and Col. 15, Ll. 59-Col. 16, Ll.  2 of Skourtis with respect to secure computation on the data via, e.g., a CPU enclave and/or GPU kernel.  

Regarding claim 2, Skourtis discloses: The system of claim 1, wherein the function as a service is implemented with a machine learning model.
Refer to at least Col. 9, Ll. 31-34 and Col. 15, Ll. 35-37 of Skourtis with respect to the secure computations being drawn to, e.g., machine learning / training. 

Regarding claim 3, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning homomorphic encryption).

Regarding claim 4, Skourtis discloses: The system of claim 2, wherein the encrypted data is homomorphically encrypted data, and further including a first encryptor, the first encryptor to use a two-party encryption technique to at least one of decrypt or encrypt information, the information to include at least one of a security guarantee, a homomorphic encryption (HE) schema of the homomorphically encrypted data, or an evaluation key.
Refer to at least Col. 17, Ll. 66-Col. 18, Ll. 25 of Skourtis with respect to homomorphic encryption; with respect to verifiable computation.
Refer to at least Col. 11, Ll. 50-60 and Col. 18, Ll. 56-64 of Skourtis with respect to a security budget and/or guarantee. 

Regarding claim 5, Skourtis discloses: The system of claim 4, further including: a machine learning framework developer implemented in the TEE, the machine learning framework developer to develop the machine learning framework; a machine learning intellectual property developer to develop at least one of unencrypted coefficients or unencrypted biases of the machine learning model; and a model evaluator implemented in the TEE, the model evaluator to perform one or more operations on the encrypted data within the TEE, the model evaluator to generate homomorphically encrypted output data using the framework and the at least one of unencrypted coefficients or unencrypted biases.
Refer to at least Col. 16, Ll. 59-Col. 17, Ll. 4 of Skourtis with respect to encrypting sensitive machine learning framework data while leaving other framework data unencrypted as needed. 
Refer to at least Col. 14, Ll. 60-Col. 15, Ll. 22 of Skourtis with respect to evaluating models. 

Regarding claim 9, it is rejected for substantially the same reasons as claim 1 above.

Regarding claim 10, it is rejected for substantially the same reasons as claims 1, 2, and 5 above (i.e., the citations to the machine learning framework and homomorphic encryption).

Regarding claim 11, Skourtis discloses: At least one non-transitory computer readable storage medium comprising instructions that, when executed, cause at least one processor to at least: 
instantiate a trusted execution environment (TEE) to operate in a cloud based environment of a cloud provider (e.g., the cloud—at least Col. 3, Ll. 14-Col. 4, Ll. 52 of Skourtis), the TEE to prevent the cloud provider from accessing in-use information contained in the TEE; and 
Refer to at least Col. 9, Ll. 39-Col. 1, Ll. 8, Col. 13, Ll. 33-67, and Col. 15, Ll. 59-Col. 16, Ll.  2 of Skourtis with respect to a secure computational environment which is initiated, e.g., a CPU enclave and/or GPU kernel.  
operate, in the TEE, on encrypted data using a function as a service, the encrypted data received from a user system, the encrypted data including encrypted in-use data.
Refer to at least Col. 9, Ll. 26-38, Col. 11, Ll. 11-31, and Col. 20, Ll. 10-17 of Skourtis with respect to computations which may be requested to be performed on encrypted data. 
Refer to at least Col. 10, Ll. 32-36 and Col. 18, Ll. 62-64 of Skourtis with respect to data remaining encrypted.

Regarding claim 12, Skourtis discloses: The at least one computer readable storage medium of claim 11 wherein the function as a service is implemented with a machine learning model, and the encrypted data is homomorphically encrypted data that is operated on by the machine learning model without undergoing decryption.
Refer to at least Col. 9, Ll. 31-34 and Col. 15, Ll. 35-37 of Skourtis with respect to the secure computations being drawn to, e.g., machine learning / training. 
Refer to at least Col. 17, Ll. 66-Col. 18, Ll. 25 of Skourtis with respect to homomorphic encryption.

Regarding claims 13-14 and 18, they are substantially similar to claims 4-5 and 18 above, and are therefore likewise rejected.

Regarding independent claim 19, it is substantially similar to independent claim 11 above, and is therefore likewise rejected for the same reasons (i.e., the ciations).

Regarding claims 20-21, they are substantially similar to claims 4-5 above, and are therefore likewise rejected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 6-7, 15-16, and 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Skourtis as applied to claims 1-5, 9-14, and 18-21 above, and further in view of McFall (WO 2017/187207 A1).

Regarding claim 6, Skourtis discloses: The system of claim 2, wherein the encrypted data is homomorphically encrypted data, and further including: 
an encryptor implemented in the TEE, the encryptor to use a two-party encryption technique to decrypt and encrypt communications with a processor associated with a source of the homomorphically encrypted data; 
Refer to at least FIG. 9 and Col. 17, Ll. 66-Col. 18, Ll. 25 of Skourtis with respect to homomorphic encryption.
a model evaluator, implemented in the TEE, the model evaluator to perform operations of the machine learning model on the homomorphically encrypted data; 
Refer to at least Col. 14, Ll. 60-Col. 15, Ll. 22 of Skourtis with respect to evaluating models. 
cause an output of a most recently performed set of the operations to be supplied to the processor associated with the source of the homomorphically encrypted data, the output of the most recently performed set of operations to be homomorphically encrypted.
Refer to at least the abstract of Skourtis with respect to providing results.
Skourtis discloses a budget and noise, but does not specify: the communications to include information to identify a scaling factor of the machine learning model; a noise budget counter to count a number of the operations performed; a comparator to compare the count to a threshold; outputting encrypted operations based on a trigger to, when the count satisfies the threshold. However, Skourtis in view of McFall discloses: the communications to include information to identify a scaling factor of the machine learning model; 
Refer to at least page 113 of McFall with respect to a scale value.
a noise budget counter to count a number of the operations performed; 
Refer to at least page 114 of McFall with respect to “noisycount.”
a comparator to compare the count to a threshold; a trigger to, when the count satisfies the threshold.
Refer to at least page 114 of McFall with respect to a configurable threshold for comparison with the noisycount value. Queries may be completed if they satisfy the threshold.
The teachings of Skourtis and McFall both concern privacy for machine learning, and are considered to be within the same field of endeavor and combinable as such. Skourtis further discusses differential privacy and privacy integrated queries.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Skourtis to further implement additional budgeting for at least the purpose of increasing the privacy of queried data. 

Regarding claim 7, Skourtis-McFall discloses: The system of claim 6, wherein the trigger is to reset the counter to zero after the count satisfies the threshold.
Refer to at least 5.6 on page 31 of McFall with respect to resetting the number of queries for information leakage. 
This claim would have been obvious for substantially the same reasons as claim 6 above.

Regarding claims 15-16, and 22, they are substantially similar to claims 6-7 above, and are therefore likewise rejected. 

Claim(s) 8 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Skourtis as applied to claims 1-5, 9-14, and 18-21 above, and further in view of Vaikuntanathan (US 2020/0036512 A1).

Regarding claim 8, Skourtis discloses: The system of claim 2, wherein the encrypted data is first homomorphically encrypted data, and further including: an encryptor, implemented in the TEE, the encryptor to use a two-party encryption technique to decrypt and encrypt communications with a processor associated with a source of the homomorphically encrypted data.
Refer to at least FIG. 9 and Col. 17, Ll. 66-Col. 18, Ll. 25 of Skourtis with respect to homomorphic encryption.
Skourtis discloses performing a first portion in a CPU enclave and a second portion via GPU kernel homomorphic encryption (e.g., Col. 14, Ll. 1-14 of Skourtis), but does not specify: the communications to include information to identify one or more non-linear operations of the machine learning model, the first homomorphically encrypted data to be operated on by the processor associated with a source of the homomorphically encrypted data in an unencrypted state using the non-linear operations. However, Skourtis in view of Vaikuntanathan discloses: the communications to include information to identify one or more non-linear operations of the machine learning model, the first homomorphically encrypted data to be operated on by the processor associated with a source of the homomorphically encrypted data in an unencrypted state using the non-linear operations.
Refer to at least the abstract of Vaikuntanathan with respect to non-linear computations taking place unencrypted in trusted hardware. 
The teachings of Skourtis and Vaikuntanathan both concern trusted environments and homomorphic encryption for machine learning and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Skourtis to perform non-linear computations via, e.g., the CPU enclave for at least the purpose of efficiency since homomorphic encryption is slow and would take a long time for non-linear computations.

Regarding claim 17, it is substantially similar to claim 8 above, and is therefore likewise rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432