DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 06/09/2022 has been received and considered.
Claims 1-20 are pending.
This action is Final.
Response to Arguments
2.	Applicant's arguments filed 06/09/2022 have been fully considered but they are moot in consideration of the newly cited reference below.
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2011/0113392 A1 to Chakraborty, (hereinafter, “Chakra”) in view of US Pub. No. US 2018/0302281 A1 to Khan, (hereinafter, “Khan”).
As per claims 1 and 11, Chakra teaches an apparatus and a computer-implemented method, respectively, for providing a confidential integrated circuit design process, the apparatus comprising at least one processor and at least one non-transitory memory including program code (Chakra, para. [0043] “The obfuscation tool 12 can be implemented as computer-executable instructions running on a processor or a computer or workstation. The obfuscation tool 12 thus can include a variety of methods for performing the desired obfuscation relative to the original circuit description 16. The computer or workstation further can utilize other tools and methods for use in designing, converting and modifying the design.”), the at least one non-transitory memory and the program code configured to, with the processor, cause the apparatus to at least: 
receive, from a first untrusted computing device, a design specification dataset comprising confidential design specification data and non-confidential design specification data, the confidential design specification data associated with a design element set (Chakra, para. [0042] “FIG. 1 depicts an example of a system 10 that can be used for protecting an IP or integrated circuit (IC) chip design, such as an IP core of a system on chip (SoC). The system 10 includes an obfuscation tool 12 that is configured for obfuscating a circuit design by inserting a sequential structure, such as a finite state machine (FSM) into the circuit description. The system 10 includes memory 14 in which an original circuit description 16 can be stored. The original circuit description 16 can represent an instance of the design, such as firm IP (e.g., gate level netlist) or soft IP (e.g., an RTL or other higher level designs including a control and data flow graph (CDFG)).” And para. [0045] “the obfuscation tool 12 includes a node selector 18 that can be utilized to select a plurality of nodes from the original circuit description 16 and generate a corresponding subset of the nodes that can be utilized in conjunction with the obfuscation of the circuit design. For instance, the plurality of nodes being modified (e.g., referred to herein as modification nodes) can be utilized as inputs for the sequential structure such as the FSM. The nodes can be selected according to a ranking method (see, e.g., FIG. 3). The ranking of the nodes can be an iterative process in which multiple passes through the method are performed to result in a corresponding set of nodes”); 
extract the confidential design specification data from the design specification dataset (Chakra, para. [0046] “a designer can interact with the obfuscation tool 12 via a user interface 20. For instance, in response to the user inputs, a variety of input parameters and constraints, such as a maximum area constraint, a number of states to perform in the obfuscated mode, a length of a key sequence for enabling or disabling an obfuscation mode, or the like” and para. [0047] “Once the corresponding nodes have been selected, the obfuscation tool 12 can modify the circuit description 16, which can include functional obfuscation, structural obfuscation and semantic obfuscation. The obfuscation can be performed on the circuit description at one or more different design levels. For instance, in one embodiment, the obfuscation can be performed on a gate-level netlist of the circuit description 16. Alternatively or additionally, the obfuscation can be performed on a RTL instance of the circuit description 16.”); 
encrypt the confidential design specification data to produce encrypted confidential design specification data; generate a first encryption key to be associated with the encrypted confidential design specification data (Chakra, para. [0092] “In the example of FIG. 10, the obfuscation FSM 252 is designed to prevent operation of the circuit in the normal mode until an initialization key is applied at the primary inputs. For instance, the initialization key for transitioning through the states of the obfuscation FSM is demonstrated as P.sub.1.sup.O, P.sub.2.sup.O and P.sub.3.sup.O. Thus, in response to applying the initialization key to the inputs, the circuit changes from the obfuscation mode to the normal mode”); 
transmit, to the first untrusted computing device, the encrypted confidential design specification data, the first encryption key, and the SHM placeholder feature set (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A.” and para. [0122] “the design obfuscation is performed on a CDFG data structure representation of a given circuit design. The method 400 begins at 402 by providing the input circuit description (e.g., the original RTL IP core) and related parameters” and para. [0125] “the design at 404 can be performed according to a target obfuscation efficiency, such as the target M.sub.obf. The design provided at 404 can provide a specification for the mode-control FSM, which can include its state transition graph, the length of the initialization key sequence, the state encoding, the pool of modification signals and the initialization key sequence. Random state encoding and a random initialization key sequence can be generated to increase the security.”).
Chakra teaches all the limitations of claims 1 and 11 above, however fails to explicitly teach but Khan teaches:
retrieve a confidential design specification data subset for replacing a design element subset with a security hard macro (SHM) placeholder design element set, wherein the confidential design specification data subset is retrieved based at least in part on a security hard macro (SHM) placeholder portfolio associated with a plurality of security hard macro (SHM) placeholder features, wherein each SHM placeholder feature of the plurality of SHM placeholder features represents a mapping from a particular confidential design specification data subset to a particular security hard macro (SHM) placeholder design element (Khan, para. [0064] “The customer-developer interface 420 can accept various types of requests from a user. As one example, a user can request to create a configurable hardware image (CHI) (SHM placeholder design element set). A CHI can provide information for configuring an instance of configurable hardware within a computing environment. For example, a CHI can include one or more compatible instance types, the configuration data for configuring the configurable hardware, access permissions for controlling access to the CHI, and any other information associated with configuring the configurable hardware. The request to create the CHI can include fields for a design description or title, a production status of the design, whether or not the design is encrypted, a reference to source code for the design, a type of source code indicator, an instance type or types that are compatible with the configuration data, and a reference to a location to store reporting information.” And para. [0065] “a second request type can be used to retrieve information about CHIs that are associated with the user. In particular, the request can include fields such as a CHI identifier, a machine image (MI) identifier, a product code, an instance type, and an instance identifier. In response to the request, the customer-developer interface 420 can present information about the CHIs that are associated with the user that match one or more of the fields in the request. For example, all CHIs matching the search fields can be listed along with a status associated with each CHI. The CHI can be reported to be in a trial or production state, or in a complete or in-progress state. For example, it can take multiple hours to create a CHI from source code and so this request can be used to check a status of synthesis or implementation of the CHI.” And para. [0066] “a third type of request can be to associate a CHI to an MI. An MI can provide information for launching an instance of computing resources within a computing environment. In one embodiment, the instance is a virtual machine executing within a hypervisor executing on a server computer within the computing environment. An MI can include a type of the instance (such as by specifying an architecture, a CPU capability, a co-processor, a peripheral, and/or a configurable hardware design), a template for a root volume (e.g., including an operating system, device drivers, and/or applications) for the instance, and access permissions (e.g., a list of accounts authorized to use the MI) for controlling the accessibility of the MI, and a block device mapping for specifying volumes to attach to the instance when it is launched. By associating an MI to a CHI, the configurable data associated with the CHI can be downloaded to configurable logic of a server computer when a virtual machine based on the MI is launched.”); and 
wherein the security hard macro (SHM) placeholder design element set provides access by the first untrusted computing device to only a functional design of the confidential design specification data subset rather than exact design logic of the confidential design specification data subset (Khan, para. [0029] “the generated configuration data 136 can include a complete or partial bitstream for configuring all or a portion of the configurable logic of an FPGA. An FPGA can include configurable logic and non-configurable logic. The configurable logic can include programmable logic blocks comprising combinational logic and/or look-up tables (LUTs) and sequential logic elements (such as flip-flops and/or latches), programmable routing and clocking resources, programmable distributed and block random access memories (RAMs), digital signal processing (DSP) bitslices, and programmable input/output pins…The non-configurable logic can include hard macros that perform a specific function within the FPGA, such as input/output blocks (e.g., serializer and deserializer (SERDES) blocks and gigabit transceivers), analog-to-digital converters, memory control blocks, test access ports, and configuration logic for loading the configuration data onto the configurable logic.” And para. [0061] “the request can include information for associating the host logic design with one or more instance types. For example, some host logic designs may work only with one subset of instance types and other host logic designs may work only with a different subset of instance types. Thus, a library of adaptable host logic designs can be provided by uploading multiple different host logic designs and/or by making features of the individual host logic designs selectable using directive pragmas or macro statements.” And para. [0062] “The logic repository service 405 can include a customer-developer interface 420 for servicing API requests from the users of the logic repository service 405. The customer-developer interface 420 can be used to authenticate that requests are from users of the compute service provider, such as by authenticating the identity of the requestor using credentials provided in the request. For example, each of the users can be provided with an account that can be used to identify the user for access management, billing, and usage tracking. The users can be limited to viewing and modifying only the logic designs to which they are authorized to access.” And para. [0068] “The configuration data generation block 430 can be used to create configuration data. For example, the configuration data can be based on an application logic design and the host logic design selected by the user. As another example, the configuration data can be based on only an application logic design or only a host logic design. In particular, the configuration data generation block 430 can generate static logic based only on the host logic design.”);
generate a security hard macro (SHM) placeholder feature set comprising those SHM placeholder features representing mappings from the confidential design specification data subset to the SHM placeholder design element set (Khan, para. [0069] “Inputs to the configuration data generation block 430 can be an application logic design (such as from the application logic ingestion 425), a host logic design (such as from the host logic ingestion 415), and/or constraints describing various implementation details (such as clock frequencies, partitioning information, placement information, a target technology, and so forth). The logic designs can include source code described using an HDL, a netlist, and/or configuration data. The configuration data generation block 430 can combine an application and a host design adapted for the application into one design to create the configuration data. As described in more detail with reference to FIG. 5, the configuration data generation block 430 can include logic synthesis software and place and route software executing on a server computer. Using this software, the configuration data generation block 430 can create configuration data for loading on a configurable hardware platform.”); and 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khan’s logic repository service into Chakra’s protection of an integrated circuit chip design, with a motivation to safeguard design source code files and configurable hardware images (Khan, para. [0070]). 
As per claims 2 and 12, the combination of Chakra and Khan teach the apparatus of claim 1 and the computer-implemented method of claim 11, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
obfuscate the confidential design specification data to produce obfuscated confidential design specification data (Chakra, para. [0042] “FIG. 1 depicts an example of a system 10 that can be used for protecting an IP or integrated circuit (IC) chip design, such as an IP core of a system on chip (SoC). The system 10 includes an obfuscation tool 12 that is configured for obfuscating a circuit design by inserting a sequential structure, such as a finite state machine (FSM) into the circuit description. The system 10 includes memory 14 in which an original circuit description 16 can be stored. The original circuit description 16 can represent an instance of the design, such as firm IP (e.g., gate level netlist) or soft IP (e.g., an RTL or other higher level designs including a control and data flow graph (CDFG)).” And para. [0045] “the obfuscation tool 12 includes a node selector 18 that can be utilized to select a plurality of nodes from the original circuit description 16 and generate a corresponding subset of the nodes that can be utilized in conjunction with the obfuscation of the circuit design. For instance, the plurality of nodes being modified (e.g., referred to herein as modification nodes) can be utilized as inputs for the sequential structure such as the FSM. The nodes can be selected according to a ranking method (see, e.g., FIG. 3). The ranking of the nodes can be an iterative process in which multiple passes through the method are performed to result in a corresponding set of nodes”); 
generate a first obfuscation key to be associated with the obfuscated confidential design specification data (Chakra, para. [0092] “In the example of FIG. 10, the obfuscation FSM 252 is designed to prevent operation of the circuit in the normal mode until an initialization key is applied at the primary inputs. For instance, the initialization key for transitioning through the states of the obfuscation FSM is demonstrated as P.sub.1.sup.O, P.sub.2.sup.O and P.sub.3.sup.O. Thus, in response to applying the initialization key to the inputs, the circuit changes from the obfuscation mode to the normal mode”); and 
transmit, to the first untrusted computing device, one of the encrypted confidential design specification data or the obfuscated confidential design specification data, one of the first encryption key or the first obfuscation key, and the SHM placeholder feature set (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A.” and para. [0122] “the design obfuscation is performed on a CDFG data structure representation of a given circuit design. The method 400 begins at 402 by providing the input circuit description (e.g., the original RTL IP core) and related parameters” and para. [0125] “the design at 404 can be performed according to a target obfuscation efficiency, such as the target M.sub.obf. The design provided at 404 can provide a specification for the mode-control FSM, which can include its state transition graph, the length of the initialization key sequence, the state encoding, the pool of modification signals and the initialization key sequence. Random state encoding and a random initialization key sequence can be generated to increase the security.”).
As per claims 3 and 13, the combination of Chakra and Khan teach the apparatus of claim 1 and the computer-implemented method of claim 11, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
receive, from the first untrusted computing device, the SHM placeholder feature set and the first encryption key, the first encryption key authorizing the first untrusted computing device to access the confidential design specification data; decrypt the encrypted confidential design specification data using the first encryption key to retain the confidential design specification data (Chakra, para. [0062] “an obfuscated RTL representation of the circuit design and a corresponding key can be output and stored in memory. The nature of the key can depend on the type and manner of obfuscation implemented by modifying the netlist (at 64). For instance, the key can correspond to an initialization key sequence that is required to enable normal operation only upon application of a specific input key sequence.”); 
synthesize the confidential design specification data into the design element set (Chakra, para. [0120] “a determination is made as to whether an area constraint has been satisfied. If the area constraint has not been satisfied the method proceeds to 322 in which one or both of the extra state elements or a number of existing state elements is decremented. With the decrease in number of such state elements, the method returns to 304 to repeat 304 through 320. It will be appreciated that the number of extra state elements can be decremented while the number of existing state elements for use in generating the obfuscated RTL description that satisfies the size constraints that were input at 302. Once the area constraint has been satisfied for a synthesized RTL design, the method can proceed to 324 in which the obfuscated netlist and associated enabling key can be output (e.g., stored in memory).); 
replace, based at least in part on the SHM placeholder feature set, the design element subset with the SHM placeholder design element set to form an updated design element set (Chakra, [0042] “The system 10 includes an obfuscation tool 12 that is configured for obfuscating a circuit design by inserting a sequential structure, such as a finite state machine (FSM) into the circuit description. The system 10 includes memory 14 in which an original circuit description 16 can be stored. The original circuit description 16 can represent an instance of the design, such as firm IP (e.g., gate level netlist) or soft IP (e.g., an RTL or other higher level designs including a control and data flow graph (CDFG)).” And para. [0128] “an obfuscated RTL is generated from the output of the CDFG obfuscation at 408. For instance, the RTL can be generated by traversing each of them in a depth-first manner. At 414, the obfuscated RTL can be synthesized and flattening can be performed to provide further semantic obfuscation” and para. [0129] “a determination is made as to whether the area of the synthesized circuit satisfies an area constraint. If the area constraint is not satisfied, such as in response to determining that the calculated area overhead exceeds the overhead constraint, the method proceeds to 420, and the number of modifications (N.sub.mod) is changed. For instance the number of modifications (N.sub.mod) can be decreased by a pre-defined step-size and the method can return to 408 for repeating 408 to 416. Alternatively or additionally, a balancing between control flow modifications can be performed to maximize the obfuscation effect for a minimum overhead. If it is determined at 416 that target area overhead is satisfied, the method proceeds to 418 and the output of the obfuscated RTL and one or more keys can be provided”); 
generate netlist data comprising a plurality of electronic connections among design elements of the updated design element set (Chakra, para. [0102] “FIG. 12 demonstrates a process 640 that can be utilized to find Trojan trigger nodes and payload nodes of the Trojan being inserted. For example, the input to the algorithm can include the gate-level netlist of the IP, a number of modifications to be made in the netlist, the RTL "template" of the Trojan to be inserted. The inputs can also include the number of trigger nodes of the Trojan to be inserted, the number of input conditions that would cause state transitions to the Trojan state machine, and a trigger threshold value to determine the internal nodes which can act as trigger nodes for the inserted Trojan.”); and 
transmit, to a second untrusted computing device, the netlist data (Chakra, para. [0120] “Once the area constraint has been satisfied for a synthesized RTL design, the method can proceed to 324 in which the obfuscated netlist and associated enabling key can be output (e.g., stored in memory).” And para. [0149] “The respective outputs to each multiplexer 706 can be the same or different. Each multiplexer 706 provides a corresponding output to a respective IP block 708 of the SoC 700 based on a control signal from the control unit 702. The SoC 700 provides corresponding primary outputs based on the operation of the IP blocks 708 under the control of the control unit 702.” And para. [0152] “the control unit 752 reads the different input sequences in parallel and sends them to the different IP blocks for initialization. An advantage of this approach is that the number of initialization cycles can be limited. However, an extra overhead is incurred for storing the input sequences on an on-chip ROM. Again, to increase the security of the scheme, the chip designer can arrange an instance-specific initialization sequence to be stored on the memory 754.”).

As per claims 4 and 14, the combination of Chakra and Khan teach the apparatus of claim 2 and the computer-implemented method of claim 12, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
receive, from the first untrusted computing device, the SHM placeholder feature set, and one of the first encryption key or the first obfuscation key, wherein the first encryption key or the first obfuscation key authorizes the first untrusted computing device to access the confidential design specification data (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A. From the final state of the authentication FSM S.sub.2.sup.A the circuit can transition back to the initial state of the obfuscation FSM. In this way, the authentication FSM can provide a digital watermark. Since the authentication FSM 256, as well as the obfuscation FSM can form an integral and indistinguishable part of the modified design, as described herein, much greater resistance to reverse-engineering can be afforded than other authentication mechanisms.”); 
decrypt, using the first encryption key or the first obfuscation key, one of the encrypted confidential design specification data or the obfuscated confidential design specification data to retain the confidential design specification data (Chakra, para. [0062] “an obfuscated RTL representation of the circuit design and a corresponding key can be output and stored in memory. The nature of the key can depend on the type and manner of obfuscation implemented by modifying the netlist (at 64). For instance, the key can correspond to an initialization key sequence that is required to enable normal operation only upon application of a specific input key sequence.”); 
synthesize the confidential design specification data into the design element set (Chakra, para. [0120] “a determination is made as to whether an area constraint has been satisfied. If the area constraint has not been satisfied the method proceeds to 322 in which one or both of the extra state elements or a number of existing state elements is decremented. With the decrease in number of such state elements, the method returns to 304 to repeat 304 through 320. It will be appreciated that the number of extra state elements can be decremented while the number of existing state elements for use in generating the obfuscated RTL description that satisfies the size constraints that were input at 302. Once the area constraint has been satisfied for a synthesized RTL design, the method can proceed to 324 in which the obfuscated netlist and associated enabling key can be output (e.g., stored in memory).”); 
replace, based at least in part on the SHM placeholder feature set, the design element subset with the SHM placeholder design element set to form an updated design element set (Chakra, para. [0042] “The system 10 includes an obfuscation tool 12 that is configured for obfuscating a circuit design by inserting a sequential structure, such as a finite state machine (FSM) into the circuit description. The system 10 includes memory 14 in which an original circuit description 16 can be stored. The original circuit description 16 can represent an instance of the design, such as firm IP (e.g., gate level netlist) or soft IP (e.g., an RTL or other higher level designs including a control and data flow graph (CDFG)).” And para. [0128] “an obfuscated RTL is generated from the output of the CDFG obfuscation at 408. For instance, the RTL can be generated by traversing each of them in a depth-first manner. At 414, the obfuscated RTL can be synthesized and flattening can be performed to provide further semantic obfuscation” and para. [0129] “a determination is made as to whether the area of the synthesized circuit satisfies an area constraint. If the area constraint is not satisfied, such as in response to determining that the calculated area overhead exceeds the overhead constraint, the method proceeds to 420, and the number of modifications (N.sub.mod) is changed. For instance the number of modifications (N.sub.mod) can be decreased by a pre-defined step-size and the method can return to 408 for repeating 408 to 416. Alternatively or additionally, a balancing between control flow modifications can be performed to maximize the obfuscation effect for a minimum overhead. If it is determined at 416 that target area overhead is satisfied, the method proceeds to 418 and the output of the obfuscated RTL and one or more keys can be provided”);
generate netlist data comprising a plurality of electronic connections among design elements of the updated design element set (Chakra, para. [0102] “FIG. 12 demonstrates a process 640 that can be utilized to find Trojan trigger nodes and payload nodes of the Trojan being inserted. For example, the input to the algorithm can include the gate-level netlist of the IP, a number of modifications to be made in the netlist, the RTL "template" of the Trojan to be inserted. The inputs can also include the number of trigger nodes of the Trojan to be inserted, the number of input conditions that would cause state transitions to the Trojan state machine, and a trigger threshold value to determine the internal nodes which can act as trigger nodes for the inserted Trojan.”); and 
transmit, to a second untrusted computing device, the netlist data (Chakra, para. [0120] “Once the area constraint has been satisfied for a synthesized RTL design, the method can proceed to 324 in which the obfuscated netlist and associated enabling key can be output (e.g., stored in memory).” And para. [0149] “The respective outputs to each multiplexer 706 can be the same or different. Each multiplexer 706 provides a corresponding output to a respective IP block 708 of the SoC 700 based on a control signal from the control unit 702. The SoC 700 provides corresponding primary outputs based on the operation of the IP blocks 708 under the control of the control unit 702.” And para. [0152] “the control unit 752 reads the different input sequences in parallel and sends them to the different IP blocks for initialization. An advantage of this approach is that the number of initialization cycles can be limited. However, an extra overhead is incurred for storing the input sequences on an on-chip ROM. Again, to increase the security of the scheme, the chip designer can arrange an instance-specific initialization sequence to be stored on the memory 754.”).

As per claims 5 and 15, the combination of Chakra and Khan teach the apparatus of claim 3 and the computer-implemented method of claim 13, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
receive, from the second untrusted computing device, modified netlist data based at least in part on the netlist data, the modified netlist data comprising a plurality of electronic connections among design elements of a modified design element set (Chakra, para. [0059] “the netlist is modified. The modifications can be performed for the chosen nodes, such as using the modification cell of FIG. 5, using a suitable MKF and any one of the N.sub.out outputs of the inserted FSM chosen randomly. Boolean functions of the inserted FSM can be generated randomly.” And para. [0060] “After all the structural gate-level modifications have been completed to achieve functional obfuscation, at 66, the modified netlist can be re-synthesized as part of implementing further semantic obfuscation. The re-synthesis can be implemented to "flatten" the modification cells and the state transition logic for inserted state elements. This process also allows logic sharing between the original circuit, modification cells and inserted state transition logic, which enhances the obfuscation”);
retrieve a modified design element subset comprising a modified security hard macro (SHM) placeholder design element set (Khan, para. [0064] “The customer-developer interface 420 can accept various types of requests from a user. As one example, a user can request to create a configurable hardware image (CHI) (SHM placeholder design element set). A CHI can provide information for configuring an instance of configurable hardware within a computing environment. For example, a CHI can include one or more compatible instance types, the configuration data for configuring the configurable hardware, access permissions for controlling access to the CHI, and any other information associated with configuring the configurable hardware. The request to create the CHI can include fields for a design description or title, a production status of the design, whether or not the design is encrypted, a reference to source code for the design, a type of source code indicator, an instance type or types that are compatible with the configuration data, and a reference to a location to store reporting information.” And para. [0065] “a second request type can be used to retrieve information about CHIs that are associated with the user. In particular, the request can include fields such as a CHI identifier, a machine image (MI) identifier, a product code, an instance type, and an instance identifier. In response to the request, the customer-developer interface 420 can present information about the CHIs that are associated with the user that match one or more of the fields in the request. For example, all CHIs matching the search fields can be listed along with a status associated with each CHI. The CHI can be reported to be in a trial or production state, or in a complete or in-progress state. For example, it can take multiple hours to create a CHI from source code and so this request can be used to check a status of synthesis or implementation of the CHI.” And para. [0066] “a third type of request can be to associate a CHI to an MI. An MI can provide information for launching an instance of computing resources within a computing environment. In one embodiment, the instance is a virtual machine executing within a hypervisor executing on a server computer within the computing environment. An MI can include a type of the instance (such as by specifying an architecture, a CPU capability, a co-processor, a peripheral, and/or a configurable hardware design), a template for a root volume (e.g., including an operating system, device drivers, and/or applications) for the instance, and access permissions (e.g., a list of accounts authorized to use the MI) for controlling the accessibility of the MI, and a block device mapping for specifying volumes to attach to the instance when it is launched. By associating an MI to a CHI, the configurable data associated with the CHI can be downloaded to configurable logic of a server computer when a virtual machine based on the MI is launched.”)
generate a modified security hard macro (SHM) placeholder feature set based at least in part on the modified SHM placeholder design element set by selecting SHM placeholder features representing mappings from the modified SHM placeholder design element set to a modified confidential design specification data subset (Khan, para. [0069] “Inputs to the configuration data generation block 430 can be an application logic design (such as from the application logic ingestion 425), a host logic design (such as from the host logic ingestion 415), and/or constraints describing various implementation details (such as clock frequencies, partitioning information, placement information, a target technology, and so forth). The logic designs can include source code described using an HDL, a netlist, and/or configuration data. The configuration data generation block 430 can combine an application and a host design adapted for the application into one design to create the configuration data. As described in more detail with reference to FIG. 5, the configuration data generation block 430 can include logic synthesis software and place and route software executing on a server computer. Using this software, the configuration data generation block 430 can create configuration data for loading on a configurable hardware platform.”);
extract the modified design element set based at least in part on the modified SHM placeholder feature set; transform the modified design element set into the modified confidential design specification data subset based at least in part on the SHM placeholder portfolio to generate modified confidential design specification data; and transmit, to the first untrusted computing device, the modified confidential design specification data (Khan, para. [0029] “the generated configuration data 136 can include a complete or partial bitstream for configuring all or a portion of the configurable logic of an FPGA. An FPGA can include configurable logic and non-configurable logic. The configurable logic can include programmable logic blocks comprising combinational logic and/or look-up tables (LUTs) and sequential logic elements (such as flip-flops and/or latches), programmable routing and clocking resources, programmable distributed and block random access memories (RAMs), digital signal processing (DSP) bitslices, and programmable input/output pins…The non-configurable logic can include hard macros that perform a specific function within the FPGA, such as input/output blocks (e.g., serializer and deserializer (SERDES) blocks and gigabit transceivers), analog-to-digital converters, memory control blocks, test access ports, and configuration logic for loading the configuration data onto the configurable logic.” And para. [0061] “the request can include information for associating the host logic design with one or more instance types. For example, some host logic designs may work only with one subset of instance types and other host logic designs may work only with a different subset of instance types. Thus, a library of adaptable host logic designs can be provided by uploading multiple different host logic designs and/or by making features of the individual host logic designs selectable using directive pragmas or macro statements.” And para. [0062] “The logic repository service 405 can include a customer-developer interface 420 for servicing API requests from the users of the logic repository service 405. The customer-developer interface 420 can be used to authenticate that requests are from users of the compute service provider, such as by authenticating the identity of the requestor using credentials provided in the request. For example, each of the users can be provided with an account that can be used to identify the user for access management, billing, and usage tracking. The users can be limited to viewing and modifying only the logic designs to which they are authorized to access.” And para. [0068] “The configuration data generation block 430 can be used to create configuration data. For example, the configuration data can be based on an application logic design and the host logic design selected by the user. As another example, the configuration data can be based on only an application logic design or only a host logic design. In particular, the configuration data generation block 430 can generate static logic based only on the host logic design.”);

Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Khan’s logic repository service into Chakra’s protection of an integrated circuit chip design, with a motivation to safeguard design source code files and configurable hardware images (Khan, para. [0070]). 
As per claims 6 and 16, the combination of Chakra and Khan teach the apparatus of claim 5 and the computer-implemented method of claim 15, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
receive, from a networked computing device associated with a device identifier, a logging request for retrieving the confidential design specification data or the modified confidential design specification data (Chakra, para. [0090] “a set of internal nodes of the combinational logic 202 can be structurally modified to implement the modified state transition function, such as corresponding to the transitions in the obfuscation mode state diagram 208. In the example of FIG. 9, the structural modification can be implemented via modification cells M1, M2 and M3, which can be designed to implement logic to perform the state transitions demonstrated in the obfuscation mode state diagram 208. Provided these nodes are selected judiciously, modifications at even a small number of nodes can greatly affect the logic structure and functional behavior of the circuit. To add to the security scheme, enable signal for different modification cells can be made to depend on arbitrary combination of inserted state elements while ensuring that it evaluates to logic-0 in normal mode.”); and 
upon determining an access level associated with the device identifier meets or exceeds a pre-defined security access level, grant access by the networked computing device to the confidential design specification data or the modified confidential design specification data (Chakra, para. [0091] “the state transition function can be modified to provide an authenticating signature. FIG. 10 demonstrates an example of a state diagram 250 that includes an obfuscation FSM 252, an original FSM 254 and an authentication FSM 256. The obfuscation and authentication FSMs 252 and 256 can be implemented by modifying the state transition function of the original circuit, such as shown and described herein. While in the example of FIG. 10 the obfuscation and authentication are demonstrated as separate FSMs that provide for distinct state transitions, it will be appreciated that the obfuscation technique itself can be implemented to afford authentication. For instance, the obfuscation FSM 252 can embed hard-to-remove authentication signature within the design, thus providing simultaneous obfuscation and authentication at a low design overhead.” And para. [0092] “the obfuscation FSM 252 is designed to prevent operation of the circuit in the normal mode until an initialization key is applied at the primary inputs… in response to applying the initialization key to the inputs, the circuit changes from the obfuscation mode to the normal mode”).
As per claims 7 and 17, the combination of Chakra and Khan teach the apparatus of claim 1 and the computer-implemented method of claim 11, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
extract the non-confidential design specification data from the design specification dataset (Chakra, para. [0046] “a designer can interact with the obfuscation tool 12 via a user interface 20. For instance, in response to the user inputs, a variety of input parameters and constraints, such as a maximum area constraint, a number of states to perform in the obfuscated mode, a length of a key sequence for enabling or disabling an obfuscation mode, or the like” and para. [0047] “Once the corresponding nodes have been selected, the obfuscation tool 12 can modify the circuit description 16, which can include functional obfuscation, structural obfuscation and semantic obfuscation. The obfuscation can be performed on the circuit description at one or more different design levels. For instance, in one embodiment, the obfuscation can be performed on a gate-level netlist of the circuit description 16. Alternatively or additionally, the obfuscation can be performed on a RTL instance of the circuit description 16.”); 
encrypt the non-confidential design specification data to produce encrypted non- confidential design specification data (Chakra, para. [0092] “In the example of FIG. 10, the obfuscation FSM 252 is designed to prevent operation of the circuit in the normal mode until an initialization key is applied at the primary inputs. For instance, the initialization key for transitioning through the states of the obfuscation FSM is demonstrated as P.sub.1.sup.O, P.sub.2.sup.O and P.sub.3.sup.O. Thus, in response to applying the initialization key to the inputs, the circuit changes from the obfuscation mode to the normal mode”); 
generate a second encryption key to be associated with the encrypted non-confidential design specification data (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A. From the final state of the authentication FSM S.sub.2.sup.A the circuit can transition back to the initial state of the obfuscation FSM. In this way, the authentication FSM can provide a digital watermark. Since the authentication FSM 256, as well as the obfuscation FSM can form an integral and indistinguishable part of the modified design, as described herein, much greater resistance to reverse-engineering can be afforded than other authentication mechanisms.”); and 
transmit, to the first untrusted computing device, the encrypted non-confidential design specification data and the second encryption key (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A.” and para. [0122] “the design obfuscation is performed on a CDFG data structure representation of a given circuit design. The method 400 begins at 402 by providing the input circuit description (e.g., the original RTL IP core) and related parameters” and para. [0125] “the design at 404 can be performed according to a target obfuscation efficiency, such as the target M.sub.obf. The design provided at 404 can provide a specification for the mode-control FSM, which can include its state transition graph, the length of the initialization key sequence, the state encoding, the pool of modification signals and the initialization key sequence. Random state encoding and a random initialization key sequence can be generated to increase the security.”).
As per claims 8 and 18, the combination of Chakra and Khan teach the apparatus of claim 2 and the computer-implemented method of claim 12, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
extract the non-confidential design specification data from the design specification dataset (Chakra, para. [0046] “a designer can interact with the obfuscation tool 12 via a user interface 20. For instance, in response to the user inputs, a variety of input parameters and constraints, such as a maximum area constraint, a number of states to perform in the obfuscated mode, a length of a key sequence for enabling or disabling an obfuscation mode, or the like” and para. [0047] “Once the corresponding nodes have been selected, the obfuscation tool 12 can modify the circuit description 16, which can include functional obfuscation, structural obfuscation and semantic obfuscation. The obfuscation can be performed on the circuit description at one or more different design levels. For instance, in one embodiment, the obfuscation can be performed on a gate-level netlist of the circuit description 16. Alternatively or additionally, the obfuscation can be performed on a RTL instance of the circuit description 16.”); 
obfuscate the non-confidential design specification data to produce obfuscated non- confidential design specification data (Chakra, para. [0092] “In the example of FIG. 10, the obfuscation FSM 252 is designed to prevent operation of the circuit in the normal mode until an initialization key is applied at the primary inputs. For instance, the initialization key for transitioning through the states of the obfuscation FSM is demonstrated as P.sub.1.sup.O, P.sub.2.sup.O and P.sub.3.sup.O. Thus, in response to applying the initialization key to the inputs, the circuit changes from the obfuscation mode to the normal mode”);
generate a second obfuscation key to be associated with the obfuscated non-confidential design specification data (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A. From the final state of the authentication FSM S.sub.2.sup.A the circuit can transition back to the initial state of the obfuscation FSM. In this way, the authentication FSM can provide a digital watermark. Since the authentication FSM 256, as well as the obfuscation FSM can form an integral and indistinguishable part of the modified design, as described herein, much greater resistance to reverse-engineering can be afforded than other authentication mechanisms.”); and 
transmit, to the first untrusted computing device, one of the encrypted non-confidential design specification data or the obfuscated non-confidential design specification data, and one of the second encryption key or the second obfuscation key (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A.” and para. [0122] “the design obfuscation is performed on a CDFG data structure representation of a given circuit design. The method 400 begins at 402 by providing the input circuit description (e.g., the original RTL IP core) and related parameters” and para. [0125] “the design at 404 can be performed according to a target obfuscation efficiency, such as the target M.sub.obf. The design provided at 404 can provide a specification for the mode-control FSM, which can include its state transition graph, the length of the initialization key sequence, the state encoding, the pool of modification signals and the initialization key sequence. Random state encoding and a random initialization key sequence can be generated to increase the security.”).
As per claims 9 and 19, the combination of Chakra and Khan teach the apparatus of claim 3 and the computer-implemented method of claim 13, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
receive, from the first untrusted computing device, the second encryption key, the second encryption key authorizing the first untrusted computing device to access the non-confidential design specification data (Chakra, para. [0091] “the state transition function can be modified to provide an authenticating signature. FIG. 10 demonstrates an example of a state diagram 250 that includes an obfuscation FSM 252, an original FSM 254 and an authentication FSM 256. The obfuscation and authentication FSMs 252 and 256 can be implemented by modifying the state transition function of the original circuit, such as shown and described herein. While in the example of FIG. 10 the obfuscation and authentication are demonstrated as separate FSMs that provide for distinct state transitions, it will be appreciated that the obfuscation technique itself can be implemented to afford authentication. For instance, the obfuscation FSM 252 can embed hard-to-remove authentication signature within the design, thus providing simultaneous obfuscation and authentication at a low design overhead.”); and 
decrypt the encrypted non-confidential design specification data using the second encryption key to retain the non-confidential design specification data (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A. From the final state of the authentication FSM S.sub.2.sup.A the circuit can transition back to the initial state of the obfuscation FSM. In this way, the authentication FSM can provide a digital watermark. Since the authentication FSM 256, as well as the obfuscation FSM can form an integral and indistinguishable part of the modified design, as described herein, much greater resistance to reverse-engineering can be afforded than other authentication mechanisms.”).
As per claims 10 and 20, the combination of Chakra and Khan teach the apparatus of claim 4 and the computer-implemented method of claim 14, respectively, wherein the at least one non-transitory memory and the program code configured to, with the at least one processor, cause the apparatus to further: 
receive, from the first untrusted computing device, one of the second encryption key or the second obfuscation key, wherein the second encryption key or the second obfuscation key authorizes the first untrusted computing device to access the non-confidential design specification data (Chakra, para. [0091] “the state transition function can be modified to provide an authenticating signature. FIG. 10 demonstrates an example of a state diagram 250 that includes an obfuscation FSM 252, an original FSM 254 and an authentication FSM 256. The obfuscation and authentication FSMs 252 and 256 can be implemented by modifying the state transition function of the original circuit, such as shown and described herein. While in the example of FIG. 10 the obfuscation and authentication are demonstrated as separate FSMs that provide for distinct state transitions, it will be appreciated that the obfuscation technique itself can be implemented to afford authentication. For instance, the obfuscation FSM 252 can embed hard-to-remove authentication signature within the design, thus providing simultaneous obfuscation and authentication at a low design overhead.”); and 
decrypt, using the second encryption key or the second obfuscation key, one of the encrypted non-confidential design specification data or the obfuscated non-confidential design specification data to retain the non-confidential design specification data (Chakra, para. [0093] “The authentication FSM 256 provides a mechanism to authenticate the origin of a given design even in circumstances where an unauthorized user has been able to bypass the obfuscation FSM 252, such as by illegally procuring the initialization key. The authentication FSM 256 is designed to provide a predetermined output sequence in response to applying an authentication key at the primary inputs of the circuit. For instance, the authentication key for transitioning through the states of the authentication FSM 256 is demonstrated as P.sub.1.sup.A, P.sub.2.sup.A and P.sub.3.sup.A. From the final state of the authentication FSM S.sub.2.sup.A the circuit can transition back to the initial state of the obfuscation FSM. In this way, the authentication FSM can provide a digital watermark. Since the authentication FSM 256, as well as the obfuscation FSM can form an integral and indistinguishable part of the modified design, as described herein, much greater resistance to reverse-engineering can be afforded than other authentication mechanisms.”).
Conclusion
4.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 10289816 B1 – Encrypted and obfuscated algorithm.
US 20050091629 A1 – Integrated circuit power management design.
Applicant's amendment necessitated the new grounds of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437                                                                                                                                                                                                        
/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437