PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/056,106
Filing Date: 6 Aug 2018
Appellant(s): Thales e-Security, Inc.



__________________
Womble Bond Dickinson (US) LLP
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 24 March 2022.

Every ground of rejection set forth in the Office action dated 13 December 2022 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”


The following ground(s) of rejection are applicable to the appealed claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Examiner’s Answer:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2011/0138192 A1 (KOCHER et al.) in view of Tweaks and Keys for Block Ciphers: the TWEAKEY Framework (Jean et al.).

As Per Claim 1: KOCHER et al. teaches: A method, comprising:

- generating, via a host computing device, a base initialization vector (IV), the base IV comprising a random value;
- storing, via the host computing device, the base IV along with data to be encrypted based at least in part thereon;
	(KOCHER et al., Paragraph [0111], “This process is outlined in FIGS. 11 and 12. FIG. 11 illustrates the verifiable packet level leak-resistant encryption process and FIG. 12 illustrates the corresponding decryption process. The verifiable packet level leak-resistant encryption process is the following: Given an input packet data D (1100) with the source and destination sharing a base cryptographic value KROOT, a message identifier N is generated in step 1101 (e.g., using a random source and/or information present in the packet D and/or some packet identifier such as a sequence number associated with the communication protocol). For TCP/IP communications, N can be constructed from a session identifier, the sequence number (optionally with additional most significant bits appended to prevent rollover), the source port, the destination port, and/or other values. Next, in step 1102, the hash of N is computed. (Optionally, this step may be omitted and N may be used instead of h(N) in deriving KMESSAGE.) Subsequently, in step 1103, message key KMESSAGE=KROOT,h(N) is computed using the leak resistant key-tree-based key derivation process described in FIG. 2, with KSTART=KROOT and PATH=h(N). The input packet data D is encrypted with the key KMESSAGE to yield the encrypted result E (1104).”).
	(KOCHER et al., Paragraph [0120], “The inputs to the encryption process for segment i are segment key Ki (1301) and data segment Di (1310). The input data segment Di (1310) is divided into sub-segments Di,1 (1311), Di,2 (1312), etc. FIGS. 13 and 14 show the data segment D being divided into sub-segments of 3 AES blocks, although other sizes can also be used and algorithms other than AES may, of course, also be employed. (Smaller sub-segments increase computational overhead, while larger sub-segments cause keys to be used in more operations, increasing the potential for information to leak.) Segment key Ki is transformed with a hash operation m( ) yielding Ki,1 (1302) which is the key for the first sub -segment Di,1. If an initialization vector (IV) (1314) is to be used, it is XORed with the first AES block of Di,1. (If no IV is to be used, this XOR step may be omitted. If an IV is used, it can be authenticated, e.g., by incorporating it into the validator computation, or by deriving the IV from a validated value such as a message identifier.) The first bits of (Di XOR IV) are encrypted with AES (1315) using the segment key Ki,1 (1302), forming the first portion of ciphertext sub -segment Ei,1 (1320). This ciphertext portion is also XORed with the next bits of sub -segment Di,1 (1311), yielding another AES input which is subsequently encrypted using segment key Ki,1 (1302) to produce the next portion of sub -segment Di,1 (1311). A similar cipher block chaining operation is performed to form the input to the third AES encryption, which is also performed with key Ki,1. The results of the three AES operations is the ciphertext sub -segment Ei,1 (1320). The fourth AES operation is performed on the first block of the next data sub -segment Di,2, (1312), and a new key is used, notably Ki,2 (1303), which is derived by applying m( ) to Ki,1 (1302). The last ciphertext from processing Di,1 becomes the IV (1317) for the first portion of Di,2 (1312). The encryption process continues until all blocks of all s data sub-segments have been encrypted, ultimately yielding the encrypted sub-segments Ei,2 (1321), . . . , Ei,s (1322), and where a new key is derived using m( ) for each sub -segment. Finally, the ciphertext sub-segments are assembled to form the final ciphertext segment Ei (1330).”).
	(KOCHER et al., Figure 13, “

    PNG
    media_image2.png
    689
    644
    media_image2.png
    Greyscale
”).
	Data being worked with is inherently stored for it to be worked with.

- generating, via the host computing device, a plurality of segment initialization vectors (IVs) based at least in part on the base IV, each of the plurality of segments of IVs corresponding to a respective segment of the data; and
	(KOCHER et al., Paragraph [0111], [0120], and Figure 13) Seen above.
	Base IV provided at Element 1314 and segment IV at 1317.

- utilizing, via the host computing device, the base IV and the plurality of segments of IVs to encrypt each respective segment of the data according to at least one cipher mode of operation.
	(KOCHER et al., Paragraph [0111], [0120], and Figure 13) Seen above.

KOCHER et al. does not explicitly teach the following limitation however Jean et al. in analogous art does teach the following limitation:
- combined with a segment index and a constant
	(Jean et al., Abstract, Lines 1-6, “We propose the TWEAKEY framework with goal to unify the design of tweakable block ciphers and of block ciphers resistant to related-key attacks. Our framework is simple, extends the key-alternating construction, and allows to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult and thus we identify a subclass of TWEAKEY, that we name STK, which solves the size issue by the use of finite field multiplications on low hamming weight constants.”).
	(Jean et al., Section 1 Introduction, Paragraph 3, “The Hasty Pudding cipher [52], proposed to the AES competition organized by the NIST, permitted the user to insert an additional input to the classical key and plaintext pair, called spice by the designers of this cipher. This extra input T, later renamed as tweak, was supposed to be completely public and to randomize the instance of the block cipher: to different values of T correspond different and independent families of permutations EK. This feature was formalized in 2002 by Liskov et al. [41, 42], who showed that tweakable block ciphers are valuable building blocks if retweaking (changing the tweak value) is less costly than changing its secret key. Tweakable block ciphers (see MERCY [16], for example) found many different utilizations in cryptography, such as disk encryption where each block is ciphered with the same key, but the block index is used as tweak value.”).
	(Jean et al., Section 3.2 The STK (Superposition TWEAKEY) construction, Lines 1-7, “The STK construction is a subclass of the TWEAKEY framework for AES-like ciphers defined over a finite field GF(2c ). Recall that p = (t + k)/n denotes the number of n-bit words in the tweakey state composed of t-bit tweak and k-bit key. Assuming that the AES-like S-Box operates on c bits (thus we have n/c nibbles in a n-bit word), the STK construction further specifies the f, g and h functions as follows (also see Figure 4): 
• the function g simply XORs all the p n-bit words of the tweakey state to the internal state (AddRoundTweakey, denoted ART), and then XORs a round-dependent constant Ci .”).
	It would have been an obvious interchangeable variation readily implemented with expectations of success to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings from Jean et al. into the method of KOCHER et al. As the use of segment/block index and a constant as in Jean et al. are a directly applicable tweak on the AES seen in KOCHER et al. 

As Per Claim 2: The rejection of claim 1 is incorporated and further KOCHER et al. teaches:
- generating the plurality of segment initialization vector IVs comprises generating the plurality of segment initialization vector IVs utilizing an advanced encryption standard (AES) algorithm.
	(KOCHER et al., Figure 13, “

    PNG
    media_image2.png
    689
    644
    media_image2.png
    Greyscale
”).
	Base IV provided at Element 1314 and segment IV at 1317.

As Per Claim 3: The rejection of claim 2 is incorporated and further KOCHER et al. teaches:
- the AES algorithm is expressed as: C = AES (K1, P ⊕ T) ⊕ T.
	(KOCHER et al., Paragraph [0120], “The inputs to the encryption process for segment i are segment key Ki (1301) and data segment Di (1310). The input data segment Di (1310) is divided into sub-segments Di,1 (1311), Di,2 (1312), etc. FIGS. 13 and 14 show the data segment D being divided into sub-segments of 3 AES blocks, although other sizes can also be used and algorithms other than AES may, of course, also be employed. (Smaller sub-segments increase computational overhead, while larger sub-segments cause keys to be used in more operations, increasing the potential for information to leak.) Segment key Ki is transformed with a hash operation m( ) yielding Ki,1 (1302) which is the key for the first sub -segment Di,1. If an initialization vector (IV) (1314) is to be used, it is XORed with the first AES block of Di,1. (If no IV is to be used, this XOR step may be omitted. If an IV is used, it can be authenticated, e.g., by incorporating it into the validator computation, or by deriving the IV from a validated value such as a message identifier.) The first bits of (Di XOR IV) are encrypted with AES (1315) using the segment key Ki,1 (1302), forming the first portion of ciphertext sub -segment Ei,1 (1320). This ciphertext portion is also XORed with the next bits of sub -segment Di,1 (1311), yielding another AES input which is subsequently encrypted using segment key Ki,1 (1302) to produce the next portion of sub -segment Di,1 (1311). A similar cipher block chaining operation is performed to form the input to the third AES encryption, which is also performed with key Ki,1. The results of the three AES operations is the ciphertext sub -segment Ei,1 (1320). The fourth AES operation is performed on the first block of the next data sub -segment Di,2, (1312), and a new key is used, notably Ki,2 (1303), which is derived by applying m( ) to Ki,1 (1302). The last ciphertext from processing Di,1 becomes the IV (1317) for the first portion of Di,2 (1312). The encryption process continues until all blocks of all s data sub-segments have been encrypted, ultimately yielding the encrypted sub-segments Ei,2 (1321), . . . , Ei,s (1322), and where a new key is derived using m( ) for each sub -segment. Finally, the ciphertext sub-segments are assembled to form the final ciphertext segment Ei (1330).”).
	(KOCHER et al., Figure 13, “

    PNG
    media_image2.png
    689
    644
    media_image2.png
    Greyscale
”).

As Per Claim 4: The rejection of claim 3 is incorporated and further KOCHER et al. teaches:
- generating the plurality of segment initialization vector IVs comprises generating the plurality of segment initialization vector IVs utilizing a Galois field algorithm.
	(KOCHER et al., Paragraph [0122], “The ENC( ) and DEC( ) process above are examples which involve rapid key changes so as to provide greater leakage tolerance. Other segment encryption and decryption methods can be used, including the application of stream ciphers and/or block ciphers (such as RC4, SEAL, AES, DES, triple DES, etc.) in ECB, CBC, or counter (e.g., Galois counter) modes. For such operations where the same key is applied to all the data in a segment, it may be advantageous to limit the size of each segment (e.g., by dividing up the data into sub-segments as shown in FIG. 3) prior to encryption so as to limit that the number of operations performed with each key, thereby reducing the number of operations an adversary can observe being performed with each key.”).
	Galois counter mode is a known block cipher using Galois field algorithm. The use of segment initialization vector IVs is the same as seen above (KOCHER et al., Paragraph [0120], and Figure 13).

As Per Claim 5: The rejection of claim 4 is incorporated and further KOCHER et al. teaches:
- each of the plurality of segments of IVs is expressed as: IVsegment = AES (K2, i ⊕ IVBase) ⊕ αį.
	(KOCHER et al., Paragraph [0120], “The inputs to the encryption process for segment i are segment key Ki (1301) and data segment Di (1310). The input data segment Di (1310) is divided into sub-segments Di,1 (1311), Di,2 (1312), etc. FIGS. 13 and 14 show the data segment D being divided into sub-segments of 3 AES blocks, although other sizes can also be used and algorithms other than AES may, of course, also be employed. (Smaller sub-segments increase computational overhead, while larger sub-segments cause keys to be used in more operations, increasing the potential for information to leak.) Segment key Ki is transformed with a hash operation m( ) yielding Ki,1 (1302) which is the key for the first sub -segment Di,1. If an initialization vector (IV) (1314) is to be used, it is XORed with the first AES block of Di,1. (If no IV is to be used, this XOR step may be omitted. If an IV is used, it can be authenticated, e.g., by incorporating it into the validator computation, or by deriving the IV from a validated value such as a message identifier.) The first bits of (Di XOR IV) are encrypted with AES (1315) using the segment key Ki,1 (1302), forming the first portion of ciphertext sub -segment Ei,1 (1320). This ciphertext portion is also XORed with the next bits of sub -segment Di,1 (1311), yielding another AES input which is subsequently encrypted using segment key Ki,1 (1302) to produce the next portion of sub -segment Di,1 (1311). A similar cipher block chaining operation is performed to form the input to the third AES encryption, which is also performed with key Ki,1. The results of the three AES operations is the ciphertext sub -segment Ei,1 (1320). The fourth AES operation is performed on the first block of the next data sub -segment Di,2, (1312), and a new key is used, notably Ki,2 (1303), which is derived by applying m( ) to Ki,1 (1302). The last ciphertext from processing Di,1 becomes the IV (1317) for the first portion of Di,2 (1312). The encryption process continues until all blocks of all s data sub-segments have been encrypted, ultimately yielding the encrypted sub-segments Ei,2 (1321), . . . , Ei,s (1322), and where a new key is derived using m( ) for each sub -segment. Finally, the ciphertext sub-segments are assembled to form the final ciphertext segment Ei (1330).”).
	(KOCHER et al., Figure 13, “

    PNG
    media_image2.png
    689
    644
    media_image2.png
    Greyscale
”).
	(KOCHER et al., Paragraph [0122], “The ENC( ) and DEC( ) process above are examples which involve rapid key changes so as to provide greater leakage tolerance. Other segment encryption and decryption methods can be used, including the application of stream ciphers and/or block ciphers (such as RC4, SEAL, AES, DES, triple DES, etc.) in ECB, CBC, or counter (e.g., Galois counter) modes. For such operations where the same key is applied to all the data in a segment, it may be advantageous to limit the size of each segment (e.g., by dividing up the data into sub-segments as shown in FIG. 3) prior to encryption so as to limit that the number of operations performed with each key, thereby reducing the number of operations an adversary can observe being performed with each key.”).
	Galois counter mode is a known block cipher using Galois field algorithm. 

As Per Claim 6: The rejection of claim 4 is incorporated and further KOCHER et al. teaches:
- each of the plurality of segments of IVs is expressed as: T = AES (K2, i) ⊕ αį.
	(KOCHER et al., Paragraph [0120], “The inputs to the encryption process for segment i are segment key Ki (1301) and data segment Di (1310). The input data segment Di (1310) is divided into sub-segments Di,1 (1311), Di,2 (1312), etc. FIGS. 13 and 14 show the data segment D being divided into sub-segments of 3 AES blocks, although other sizes can also be used and algorithms other than AES may, of course, also be employed. (Smaller sub-segments increase computational overhead, while larger sub-segments cause keys to be used in more operations, increasing the potential for information to leak.) Segment key Ki is transformed with a hash operation m( ) yielding Ki,1 (1302) which is the key for the first sub -segment Di,1. If an initialization vector (IV) (1314) is to be used, it is XORed with the first AES block of Di,1. (If no IV is to be used, this XOR step may be omitted. If an IV is used, it can be authenticated, e.g., by incorporating it into the validator computation, or by deriving the IV from a validated value such as a message identifier.) The first bits of (Di XOR IV) are encrypted with AES (1315) using the segment key Ki,1 (1302), forming the first portion of ciphertext sub -segment Ei,1 (1320). This ciphertext portion is also XORed with the next bits of sub -segment Di,1 (1311), yielding another AES input which is subsequently encrypted using segment key Ki,1 (1302) to produce the next portion of sub -segment Di,1 (1311). A similar cipher block chaining operation is performed to form the input to the third AES encryption, which is also performed with key Ki,1. The results of the three AES operations is the ciphertext sub -segment Ei,1 (1320). The fourth AES operation is performed on the first block of the next data sub -segment Di,2, (1312), and a new key is used, notably Ki,2 (1303), which is derived by applying m( ) to Ki,1 (1302). The last ciphertext from processing Di,1 becomes the IV (1317) for the first portion of Di,2 (1312). The encryption process continues until all blocks of all s data sub-segments have been encrypted, ultimately yielding the encrypted sub-segments Ei,2 (1321), . . . , Ei,s (1322), and where a new key is derived using m( ) for each sub -segment. Finally, the ciphertext sub-segments are assembled to form the final ciphertext segment Ei (1330).”).
	(KOCHER et al., Figure 13, “

    PNG
    media_image2.png
    689
    644
    media_image2.png
    Greyscale
”).
	(KOCHER et al., Paragraph [0122], “The ENC( ) and DEC( ) process above are examples which involve rapid key changes so as to provide greater leakage tolerance. Other segment encryption and decryption methods can be used, including the application of stream ciphers and/or block ciphers (such as RC4, SEAL, AES, DES, triple DES, etc.) in ECB, CBC, or counter (e.g., Galois counter) modes. For such operations where the same key is applied to all the data in a segment, it may be advantageous to limit the size of each segment (e.g., by dividing up the data into sub-segments as shown in FIG. 3) prior to encryption so as to limit that the number of operations performed with each key, thereby reducing the number of operations an adversary can observe being performed with each key.”).
	Galois counter mode is a known block cipher using Galois field algorithm. 

As Per Claim 7: The rejection of claim 1 is incorporated and further KOCHER et al. teaches:
- utilizing the base IV and the plurality of segments of IVs to encrypt each respective segment of the data comprises utilizing the base IV and the plurality of segments of IVs to encrypt plaintext data in each of the plurality of segments of IVs.
	(KOCHER et al., Paragraph [0120], “The inputs to the encryption process for segment i are segment key Ki (1301) and data segment Di (1310). The input data segment Di (1310) is divided into sub-segments Di,1 (1311), Di,2 (1312), etc. FIGS. 13 and 14 show the data segment D being divided into sub-segments of 3 AES blocks, although other sizes can also be used and algorithms other than AES may, of course, also be employed. (Smaller sub-segments increase computational overhead, while larger sub-segments cause keys to be used in more operations, increasing the potential for information to leak.) Segment key Ki is transformed with a hash operation m( ) yielding Ki,1 (1302) which is the key for the first sub -segment Di,1. If an initialization vector (IV) (1314) is to be used, it is XORed with the first AES block of Di,1. (If no IV is to be used, this XOR step may be omitted. If an IV is used, it can be authenticated, e.g., by incorporating it into the validator computation, or by deriving the IV from a validated value such as a message identifier.) The first bits of (Di XOR IV) are encrypted with AES (1315) using the segment key Ki,1 (1302), forming the first portion of ciphertext sub -segment Ei,1 (1320). This ciphertext portion is also XORed with the next bits of sub -segment Di,1 (1311), yielding another AES input which is subsequently encrypted using segment key Ki,1 (1302) to produce the next portion of sub -segment Di,1 (1311). A similar cipher block chaining operation is performed to form the input to the third AES encryption, which is also performed with key Ki,1. The results of the three AES operations is the ciphertext sub -segment Ei,1 (1320). The fourth AES operation is performed on the first block of the next data sub -segment Di,2, (1312), and a new key is used, notably Ki,2 (1303), which is derived by applying m( ) to Ki,1 (1302). The last ciphertext from processing Di,1 becomes the IV (1317) for the first portion of Di,2 (1312). The encryption process continues until all blocks of all s data sub-segments have been encrypted, ultimately yielding the encrypted sub-segments Ei,2 (1321), . . . , Ei,s (1322), and where a new key is derived using m( ) for each sub -segment. Finally, the ciphertext sub-segments are assembled to form the final ciphertext segment Ei (1330).”).
	(KOCHER et al., Figure 13, “

    PNG
    media_image2.png
    689
    644
    media_image2.png
    Greyscale
”).
	Base IV provided at Element 1314 and segment IV at 1317.

As Per Claim 8: The rejection of claim 1 is incorporated and further KOCHER et al. teaches:
- utilizing the base IV and the plurality of segments of IVs to encrypt each respective segment of the data according to at least one cipher mode of operation comprises encrypting each respective segment of the data according to a cipher block chaining (CBC) mode, an output feedback (OFB) mode, a ciphertext feedback (CFB) mode, a counter (CTR) mode, a Galois counter mode (GCM), a cipher counter mode (CMM), an XEX-encryption with tweak and ciphertext stealing (XTS), an XTS advanced encryption standard (XTS-AES) mode, or a combination thereof.
	(KOCHER et al., Paragraph [0122], “The ENC( ) and DEC( ) process above are examples which involve rapid key changes so as to provide greater leakage tolerance. Other segment encryption and decryption methods can be used, including the application of stream ciphers and/or block ciphers (such as RC4, SEAL, AES, DES, triple DES, etc.) in ECB, CBC, or counter (e.g., Galois counter) modes. For such operations where the same key is applied to all the data in a segment, it may be advantageous to limit the size of each segment (e.g., by dividing up the data into sub-segments as shown in FIG. 3) prior to encryption so as to limit that the number of operations performed with each key, thereby reducing the number of operations an adversary can observe being performed with each key.”).

As Per Claims 9-14: Claims 9-15 are substantially a restatement of the method of claims 1-7 as a device and are rejected under substantially the same reasoning.

As Per Claims 16-20: Claims 16-20 are substantially a restatement of the method of claims 1,2,4,5, and 7 as a device and are rejected under substantially the same reasoning.

WITHDRAWN REJECTIONS
The following grounds of rejection are not presented for review on appeal because they have been withdrawn by the examiner.
	Arguments for claim 4 under 35 USC § 112(b) or 35 USC § 112(pre-AIA ) are listed in the filed arguments table of contents with no corresponding argument.
	An after final amendment filed 13 December 2022 was entered and the rejection of claim 4 under 35 USC § 112(b) or 35 USC § 112(pre-AIA ) was withdrawn in the advisory action mail date also 13 December 2022 which is the most recent office action.

(2) Response to Argument
	Appellant has argued in substance:
	Claim 1 recites, in part, “generating, via the host computing device, a plurality of segment initialization vectors (IVs) based at least in part on the base IV combined with a segment index and a constant, each of the plurality of segments of IVs corresponding to a respective segment of the data” (emphasis added). In citing Jean to allegedly show claim 1 limitations “combined with a segment index and a constant”, the Office action is implicitly acknowledging these limitations are not shown in Kocher. Appellant agrees these limitations “combined with a segment index and a constant” are not shown in Kocher.
	Examiner agrees with Appellant that “a segment index and a constant” are not being provided by Kocher in the rejection.

	Appellants argument continued:
	To allegedly show “a segment index” in the context of the claims, the Office action cites Jean Section | introduction paragraph 3, “Tweakable block ciphers (see MERCY [13], for example) found many different utilizations in cryptography, such as disk encryption where each block is ciphered with the same key, but the block index is used as a tweak value.” Appellant interprets the Office action as asserting “block index” is an index pointing to which block of multiple blocks is being encrypted using the same key but with the block index as a tweak value, and is therefore equivalent to or a showing of “a segment index”.
	Examiner agrees with Appellants assessment that the block index and segment index are viewed as equivalent.

	Appellants argument continued:
	To allegedly show “a constant” in the context of the claims, the Office action cites Jean Section 3.2, referencing Figure 4, “the function g simply XORs all the p n-bit words of the tweakey state to the internal state (AddRoundTweakey, denoted ART), and then XORs a round-dependent constant Ci.” Referenced Jean Figure 4 (reproduced below) depicts the “round-dependent constant Ci” as CO applied to XOR for the first round of the STK (Superposition TWEAKEY) process, C1 applied to XOR for the second round of the STK process, C2 applied to XOR for the third round of the STK process, and so on, to produce C (ciphertext) by encryption of P (plain text). Each round of the STK process produces the internal state, i.e., ART, of that “i” round of the STK process. In this context of the STK process, f is described by Jean as “the function f is an AES-like round”.
	The above factual analysis demonstrates that the cited “round-dependent constant Ci” is a constant that relates to which round of STK processing steps is involved in producing each internal state denoted ART, the subscript “1” denoting the numbered round in the STK encryption process of producing ciphertext C from plain text P. Significantly, the subscript “i” in the sequence of round-dependent constant Ci from CO through Cr does not denote which block (of multiple blocks making up plain text P), segment (of multiple segments of P), or other portion of data (of multiple portions of data of P) is being operated upon in the STK encryption process. Rather, the STK encryption process operates on plain text P to produce successive rounds of ART and finally ciphertext C, according to the STK key schedule depicted in Figure 4, with each round of the STK process denoted by the subscript “1” from 0 through r.
	According to this factual analysis, Jean does not teach, and the Office action has not shown in the cited references, the claim 1 limitations of “generating, via the host computing device, a plurality of segment initialization vectors (IVs) based at least in part on the base IV combined with a segment index and a constant, each of the plurality of segments of IVs corresponding to a respective segment of the data” (emphasis added).
	The argument extensively details the nature of the constant in the prior art of Jean et al. In particular that in the cited reference Jean et al.:
  the cited “round-dependent constant Ci” is a constant that relates to which round of STK processing steps is involved in producing each internal state denoted ART, the subscript “1” denoting the numbered round in the STK encryption process of producing ciphertext C from plain text P. Significantly, the subscript “i” in the sequence of round-dependent constant Ci from CO through Cr does not denote which block (of multiple blocks making up plain text P), segment (of multiple segments of P), or other portion of data (of multiple portions of data of P) is being operated upon in the STK encryption process.

	However the claim only specifies a constant being present for combined data, the limitation in question is as follows:

generating, via the host computing device, a plurality of segment initialization vectors (IVs) based at least in part on the base IV combined with a segment index and a constant, each of the plurality of segments of IVs corresponding to a respective segment of the data;

	The nature of the constant is completely unspecified in the claims stating only “a constant”

	Examiner maintains Jean et al. has provided a constant.

	The argument only detailed the nature of the constant provided by Jean et al. and did not argue the nature of the constant in the Present Application’s specification, Examiner is not reading the specification into the claim.
MPEP 2111 Claim Interpretation; Broadest Reasonable Interpretation [R-10.2019]
MPEP 2111.01 Plain Meaning
II. IT IS IMPROPER TO IMPORT CLAIM LIMITATIONS FROM THE SPECIFICATION
"Though understanding the claim language may be aided by explanations contained in the written description, it is important not to import into a claim limitations that are not part of the claim. For example, a particular embodiment appearing in the written description may not be read into a claim when the claim language is broader than the embodiment." Superguide Corp. v. DirecTV Enterprises, Inc., 358 F.3d 870, 875, 69 USPQ2d 1865, 1868 (Fed. Cir. 2004).

	The segment initialization vectors were provided by KOCHER et al. and were not argued other than being mentioned in the conclusionary statement.



	Appellant has further argued in substance:
	The Examiner has erred by failing to recognize that Jean teaches away from the above claim 1 limitations, and instead the Examiner misconstrues Jean as teaching the above claim 1 limitations. In the Examiner-proposed combination of teachings of the cited references, the hypothetical person of ordinary skill in the art would be led by Jean (see factual analysis in section V.B.1.1) to construct an embodiment of an encryption process in which “each block is ciphered with the same key, but the block index is used as a tweak value”, and the STK construction of Jean Figure 4 encrypts plain text P to produce ciphertext C using “the function g simply XORs all the p n-bit words of the tweakey state to the internal state (AddRoundTweakey, denoted ART), and then XORs a round-dependent constant Ci.” The “round-dependent constant Ci” would be dependent on the round in the STK process, and not dependent on nor in any way derived from the block index, according to Jean. Jean, and the Examiner-proposed combination of teachings of Kocher in view of Jean, therefore teaches away from the claim 1 limitations “generating, via the host computing device, a plurality of segment initialization vectors (IVs) based at least in part on the base IV combined with a segment index and a constant, each of the plurality of segments of IVs corresponding to a respective segment of the data” (emphasis added).
	A reference or combination of references teaching away from a claim limitation factually weighs towards patentability of the claim. For at least the above reasons, independent claim 1 and claims depending therefrom are patentable over Kocher in view of Jean. For related reasons, independent claim 8 and claims depending therefrom, and independent claim 16 and claims depending therefrom, are patentable over Kocher in view of Jean.
	Examiner respectfully disagrees that Jean et al. teaches away.
	KOCHER et al is using AES type encryption and Jean et al. is providing a tweak option for AES type encryption. The tweaks provided by Jean et al. are viewed as directly applicable to KOCHER et al.
	(KOCHER et al., Paragraph [0122], “The ENC( ) and DEC( ) process above are examples which involve rapid key changes so as to provide greater leakage tolerance. Other segment encryption and decryption methods can be used, including the application of stream ciphers and/or block ciphers (such as RC4, SEAL, AES, DES, triple DES, etc.) in ECB, CBC, or counter (e.g., Galois counter) modes. For such operations where the same key is applied to all the data in a segment, it may be advantageous to limit the size of each segment (e.g., by dividing up the data into sub-segments as shown in FIG. 3) prior to encryption so as to limit that the number of operations performed with each key, thereby reducing the number of operations an adversary can observe being performed with each key.”).
	(Jean et al. Abstract: “We propose the TWEAKEY framework with goal to unify the design of tweakable block ciphers and of block ciphers resistant to relatedkey attacks. Our framework is simple, extends the key-alternating construction, and allows to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult and thus we identify a subclass of TWEAKEY, that we name STK, which solves the size issue by the use of finite field multiplications on low hamming weight constants. Overall, this construction allows a significant increase of security of well-known authenticated encryptions mode like ΘCB3 from birthday-bound security to full security, where a regular block cipher was used as a black box to build a tweakable block cipher. Our work can also be seen as advances on the topic of secure key schedule design.”).

For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/BENJAMIN A KAPLAN/Examiner, Art Unit 2434                                                                                                                                                                                                        
Conferees:
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434             
                                                                                                                                                                                           /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434                                                                                                                                                                                                        




Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.