DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 06/02/2022.


Response to Arguments
Applicant’s arguments with respect to claim(s) are rejected under 35 USC 103(a) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
 	Applicant argued on the remark that Olson and Michiels were to be combined, the combination would not disclose or suggest all of those features. 
With regard to claim 4, the Office Action cites to paragraph [0067] of Olson as allegedly disclosing "a fused conversion-and-masking unit (FCMU) in the byte processing unit, wherein the FCMU is configured to convert additively masked content in a native field to multiplicatively masked content in a composite field" (emphasis added). Applicant respectfully traverses that assertion, at least to the extent that it might be applied to the present claims. 
 	Paragraph [0067] of Olson does not disclose the idea of converting additively masked content to multiplicatively masked content. In fact, that paragraph does not even pertain to masking. Instead, it pertains to a "Floating point/graphics unit 255" (FGU), and it explains that "FGU 255 may implement fused and unfused floating-point multiply-add instructions" (emphasis added). The Office Action therefore seems to be implicitly asserting that a "fused conversion-and-masking unit (FCMU)" (as per original claim 4) is the same thing as a "fused ... multiply-add instruction[]" (as per Olson). Applicant respectfully traverses that assertion, at least to the extent that it might be applied to the present claims. 
 	As explained by the Wikipedia entry for "Multiply-accumulate operation" at "In computing, ... the ... multiply-add (MAD) operation is a common step that computes the product of two numbers and adds that product to an accumulator.... When performed with a single rounding, it is called a fused multiply-add (FMA)." (Emphasis added.) Consequently, the assertion that paragraph [0067] of Olson discloses the idea of converting additively masked content to multiplicatively masked content is not well founded. 
Like original claim 4, claim 1 recites "a fused conversion-and-masking unit (FCMU) in the Sbox, wherein the FCMU is configured to convert the additively masked version of content from the LFSR to a multiplicatively masked version of content from the LFSR", as indicated Page above (emphasis added). With regard to claim 1, the Office Action recognizes that "Olson does not explicitly disclose the multiplicative mask." However, the Office Action also refers to paragraph [0090] of Michiels. Paragraphs [0089-90] of Michiels pertain to FIG. 6 of Michiels, which (according to paragraph [0089]) "illustrates how the mask may be applied to the intermediate values present in the network of tables in FIG. 3." In particular, FIG. 6 shows an additive mask "m" being applied at "XOR 640" to generate the "intermediate value" U XOR m, being carried through "XOR 630" to generate the "intermediate value" U3 XOR m, being carried through "XOR 632" to generate the "intermediate value" U6 XOR m, and being carried through "XOR 634" to generate the "intermediate value" z2,3 XOR m. Then, at XOR 650, m is applied to the output of XOR 634 (i.e., to z2,3 XOR m), thereby canceling out the additive mask m. In other words, as explained in paragraph [0089], the output of XOR 634 "may be input into the XOR 650 which removes the mask by XORing with the mask value m ... to result in the unmasked value z2,3, which is then input to the S-box of the next round of operation" Paragraph [0090] then explains as follows: 
"The value z2,3 is input to the S-box of the next round. Removing the mask before using z2,3 as input to the S-box results in a functionally correct implementation. To further improve security, it may be desirable to not remove the mask at the input of the S-box. 
This may be realized by using multiplicative masks instead of additive masks." (Emphasis added.) Thus, Michiels recognizes the following two options: 
(1) using an additive mask to mask intermediate values and then removing the additive mask "before using z2,3 as input to the S-box;" and 
(2) "using multiplicative masks instead of additive masks" to mask intermediate values, and then not removing the multiplicative masks at the input of the S-box. 
However, neither of those options involves converting an "additively masked version of content from the LFSR" to a "multiplicatively masked version of content from the LFSR." For at least the foregoing reasons, even if Olson and Michiels were to be combined, the combination would not disclose or suggest all of the features of claim 1. In addition, claims 14 and 17 also include features like those discussed above with regard to claim 1. 
 	Examiner respectfully disagrees. Olson and Michiels were to be combined, the combination would disclose or suggest all of those features. 
paragraph [0067] of Olson as allegedly disclosing "a fused conversion-and-masking unit (FCMU) in the byte processing unit, wherein the FCMU is configured to convert additively masked content in a native field to multiplicatively masked content in a composite field" (emphasis added). Olson discloses  0086] To generate a new value of S.sub.t+15, cipher 400, in the illustrated embodiment, performs an alpha multiplication 412 and an alpha division 414 (i.e., an alpha-inverse multiplication 414). (As used herein, an "alpha multiplication" refers to a multiplication of a value S and a value .alpha., .alpha. being a root of a primitive polynomial of degree 4 over the Galois field (i.e., finite field) F.sub.2.sup.8. In the Snow 2.0 and 3G ciphers, .alpha. is a root of x.sup.4+.beta..sup.23x.sup.3+.beta..sup.245x.sup.2+B.sup.48x+B.sup.239 as an element of F.sub.2.sup.8[X], and .beta. is a root of x.sup.8+x.sup.7+x.sup.5+x.sup.3+1 as an element of a F.sub.2[X]. As used herein, an "alpha division" refers to a multiplication of a value S and the inverse of the value .alpha..) Cipher 400 then uses the result of alpha multiplication 412 in an XOR operation 416A with the value S.sub.t+2. The result of XOR operation 416A is then used in an XOR operation 416B with the result of alpha division 414 to produce the next value of S.sub.t+15 (which may be referred to as S.sub.t+16). It is noted that XOR operations 416A and 416B may be performed in a different order since XOR operations are associative. For example, XOR operation 416B may be performed first on a result of alpha multiplication 412 and a result of alpha division 414, and XOR operation 416A may use the result of XOR operation 416B and the value S.sub.t+2.  And [0095] To perform a Snow_Alpha instruction 512, Snow_Alpha unit 510, in one embodiment, is configured to receive a set of operands that include the values S.sub.t and S.sub.t+11 corresponding to the current round of the cipher. In one embodiment, Snow_Alpha unit 510 includes logic configured to perform an alpha multiplication using S.sub.t by shifting bits of S.sub.t and performing an XOR operation of the shifted bits and one of a set of stored patterns. In some embodiments, Snow_Alpha unit 510 is configured to perform the alpha multiplication using an .alpha. that is a root of x.sup.4+.beta..sup.23x.sup.3.beta..sup.245x.sup.2+B.sup.48+B.sup.239 as an element of F.sub.2.sup.8[X]. In one embodiment, Snow_Alpha unit 510 includes logic configured to perform an alpha division using S.sub.t+11, by shifting and masking bits of S.sub.t+11 and performing an XOR operation of the shifted bits and one of a set of stored patterns. In one embodiment, Snow_Alpha unit 510 further includes logic configured to perform an XOR operation on the results of the alpha multiplication and alpha division to produce a result 514 for the Snow_Alpha instruction 512.
 	Paragraph [0067] of Olson does not disclose the idea of converting additively masked content to multiplicatively masked content. In fact, that paragraph does not even pertain to masking. Instead, it pertains to a "Floating point/graphics unit 255" (FGU), and it explains that "FGU 255 may implement fused and unfused floating-point multiply-add instructions" (emphasis added). The Office Action therefore seems to be implicitly asserting that a "fused conversion-and-masking unit (FCMU)" (as per original claim 4) is the same thing as a "fused ... multiply-add instruction[]" (as per Olson). Applicant respectfully traverses that assertion, at least to the extent that it might be applied to the present claims. 
 	 
 	Applicant agued in the remark that Consequently, the Office Action fails to establish a prima facie case of obviousness for any of the independent claims. And the dependent claims implicitly include the features of their parent claims. 

Examiner respectfully disagrees. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
 	Olson discloses a processor that provides instruction-level support for a stream cipher are disclosed. In one embodiment, the processor supports a first instruction executable to perform an alpha multiplication, an alpha division, and an exclusive-OR operation using a result of the alpha multiplication and a result of the alpha division. In one embodiment, the processor supports a second instruction executable to perform a modular addition of a value R1 and a value S, and to perform a first exclusive-OR operation on a result of the modular addition and a value R2. In one embodiment, the processor supports a third instruction executable to perform a substitution-box (S-Box) operation on a value R1 to produce a value R2', and to perform a modular addition using a value R2 to produce a value R1'. And masking the data in the S-box.
 	Michiels discloses white-box as Sbox implementation described above was for the encryption operation of AES. It is noted that the above description is easily adapted for the decryption operation by using the inverse of the SubBytes, ShiftRows, and MixColumns operations (invSubytes, invShiftRows, and invMixColumns). Accordingly, it is assumed that the description above can be used for either the encryption or decryption operation of AES as needed in the embodiments below.
[0097] The embodiments described below include the following aspects as previously described above. Let V be the set of affine self-equivalences of an S-box, i.e., V={(α,β)|S=β∘S∘α.sup.−1 with α, β affine}.
[0098] Next, let the set W contain n pairs from V as follows, where h is an affine bijective function:
W⊂{Γ=(Γ.sub.1,Γ.sub.2, . . . ,Γ.sub.n)∈V.sup.n|Γ.sub.i=(α.sub.i,β.sub.i) with ∀.sub.x⊕.sub.iβ.sub.i(x)=h(x)}.
The function h(x) may be a fixed affine function, such as the identity function, but can also be a by-the-computation-selected affine function.
[0099] For an input byte x, n copies of the S-box are fed with the inputs α.sub.1(x), α.sub.2(x), . . . , α.sub.n(x) for any Γ∈W. This results in the S-box outputs β.sub.1(y), β.sub.2(y), . . . , β.sub.n(y). XORing the S-box outputs β.sub.1(y), β.sub.2(y), . . . , β.sub.n(y) results in the correct S-box output y=S(x) up to an affine mapping h. Generally, the final XOR to obtain y is not calculated explicitly in order to minimize the opportunity to attack the white box implementation. This even holds for the values α.sub.i(x) and β.sub.i(y), which are generally merged with other functions as the S-box is typically merged with other functions.
[0100] The choice of Γ∈W depends on a computation based upon the input bytes as further described below. It is not fixed, and as a result the Billet attack cannot be used.
[0101] So, first the set V of affine self-equivalences of the AES S-box is defined. The AES S-box can be written as:
S(x)=A.sub.AES(x.sup.−1),
where the inverse is taken in GF(2.sup.8) and A.sub.AES is a fixed affine mapping. As shown by Biryukov, the set of self-equivalences is given by
V={.sup.2i√{square root over (c.sup.−1.Math.x)},A.sub.AES(.sup.2i√{square root over (c.Math.A.sub.AES.sup.−(x))})|0≦l<8[AltContent: rect]c∈GF(2.sup.8)\{0}}.
We note that for any (α, β)∈V the function α is linear.
[0102] Further, for the function h the constant addition of A.sub.AES may be used, i.e., h(x)=x⊕C.sub.AES with A.sub.AES=L.sub.AES(x)⊕C.sub.AES for a linear mapping L.sub.AES. Now let n=4 and define the set W as
W={Γ∈V.sup.n|Γ.sub.i=(α,β) with β.sub.i:x [AltContent: rect]A.sub.AES(c.sub.i.Math.A.sub.AES.sup.−(x))[AltContent: rect]c.sub.n=1⊕(⊕.sub.j=1.sup.n-1c.sub.j)}.
This formulation complies with the more abstract definition of W. That is, for any Γ=(α.sub.1,β.sub.1), (α.sub.2,β.sub.2), . . . , (α.sub.n,β.sub.n),∈W and any byte x, then ⊕.sub.iβ.sub.i(x)=h(x) as can be verified as follows:
⊕.sub.i=1.sup.4(A.sub.AES(c.sub.i.Math.A.sub.AES.sup.−1(x)))
={A.sub.AES affine, constant canceled out}
L.sub.AES(⊕.sub.i=1.sup.4(c.sub.i.Math.A.sub.AES.sup.−1(x)))
={distributive law}
L.sub.AES((⊕.sub.i=1.sup.4c.sub.i).Math.A.sub.AES.sup.−1(x)))
={c.sub.4=1⊕(⊕.sub.j=1.sup.3c.sub.j)}
L.sub.AES(A.sub.AES.sup.−1(x))=h(x)
[0103] The computation of output byte z.sub.2,3 of first round of AES is now shown according to an exemplary embodiment of the invention for n=4 and h(x)=x⊕C.sub.AES being the identity function. Alternatively, other values of n and h(x) may be chosen. The computation of other bytes runs similarly. This specifies the white-box implementation of the first round without the obfuscation step. The input to the first round is the input state x to be encrypted or decrypted. Bytes of x are input to the Q-boxes to produce nibbles of the y values. The various y values output by the Q-boxes may then be combined into output bytes z that are part of the output state for the round. The y values may be used to select the input splitting functions α that will be applied to the output bytes of z because the output bytes z of the first round become the input bytes of the second round. As described below, these splitting functions may be incorporated while calculating the final values of the bytes z. Then in the second round, the output will be split using another set of splitting functions α selected in a similar manner as in the first round to produce the split input to the third round. This continues until the next to last round. This splitting of the input by the set of splitting functions α protects the interface between rounds of the AES process from the Billet attack. [0104] Further, to ease the presentation, the key-addition of the second round is ignored for the time being. This means that the input of an AES S-box of the second round is given by an output byte of the first round. Later on, it will be described how to cope with the key-addition.
  The combination is the analogous art, Determining the scope and contents of the prior art is the similar scope. Ascertaining the differences between the prior art and the claims at issue is the same disclosure of the above prior arts. Resolving the level of ordinary skill in the pertinent art. It would have been for an ordinary skill to combination of the prior arts. Considering objective evidence of the disclosure of the above prior arts, in the application indicating obviousness.


Applicant argued for the Dependent claims 
In addition, at least some of the dependent claims recite additional features that are not disclosed or suggested by the cited art. For instance, claim 4 recites that the "FCMU is configured to convert the additively masked version of content from the LFSR to multiplicatively masked content without unmasking the additively masked version of content from the LFSR" (emphasis added). And claim 5 recites an integrated circuit according to claim 4, wherein: 
"the FCMU is configured to convert the additively masked version of content from the LFSR in a native field to multiplicatively masked content in a composite field; and * "the byte processing unit comprises afield converter configured to convert additively masked content in a composite field to additively masked content in a native field." (Emphasis added.) Even if Olson and Michiels were to be combined, the combination would not disclose or suggest all of the features of claim 4 or claim 5. 
In addition, claim 7 recites that the Sbox is configured to "(a) use a sequence of squaring elements to generate a second multiplicatively masked version of content from the LFSR, based on the first multiplicatively masked version of content from the LFSR, and (b) produce additively masked output, based on the second multiplicatively masked version of content from the LFSR." Michiels does not disclose or suggest producing additively masked output, based on a second multiplicatively masked version of content from the LFSR, for instance. Consequently, even if Olson and Michiels were to be combined, the combination would not disclose or suggest all of the features of claim 7. 
For at least the foregoing reasons, the Office Action fails to establish a prima facie case of obviousness for claims, and all of the rejections under Section 103 should be withdrawn. 
Page 15 of 16    Examiner respectfully disagrees Olson discloses a processor that provides instruction-level support for a stream cipher are disclosed. In one embodiment, the processor supports a first instruction executable to perform an alpha multiplication, an alpha division, and an exclusive-OR operation using a result of the alpha multiplication and a result of the alpha division. In one embodiment, the processor supports a second instruction executable to perform a modular addition of a value R1 and a value S, and to perform a first exclusive-OR operation on a result of the modular addition and a value R2. In one embodiment, the processor supports a third instruction executable to perform a substitution-box (S-Box) operation on a value R1 to produce a value R2', and to perform a modular addition using a value R2 to produce a value R1'. And masking the data in the S-box.
 	Michiels discloses white-box as Sbox implementation described above was for the encryption operation of AES. It is noted that the above description is easily adapted for the decryption operation by using the inverse of the SubBytes, ShiftRows, and MixColumns operations (invSubytes, invShiftRows, and invMixColumns). Accordingly, it is assumed that the description above can be used for either the encryption or decryption operation of AES as needed in the embodiments below.
[0097] The embodiments described below include the following aspects as previously described above. Let V be the set of affine self-equivalences of an S-box, i.e., V={(α,β)|S=β∘S∘α.sup.−1 with α, β affine}.
[0098] Next, let the set W contain n pairs from V as follows, where h is an affine bijective function:
W⊂{Γ=(Γ.sub.1,Γ.sub.2, . . . ,Γ.sub.n)∈V.sup.n|Γ.sub.i=(α.sub.i,β.sub.i) with ∀.sub.x⊕.sub.iβ.sub.i(x)=h(x)}.
The function h(x) may be a fixed affine function, such as the identity function, but can also be a by-the-computation-selected affine function.
[0099] For an input byte x, n copies of the S-box are fed with the inputs α.sub.1(x), α.sub.2(x), . . . , α.sub.n(x) for any Γ∈W. This results in the S-box outputs β.sub.1(y), β.sub.2(y), . . . , β.sub.n(y). XORing the S-box outputs β.sub.1(y), β.sub.2(y), . . . , β.sub.n(y) results in the correct S-box output y=S(x) up to an affine mapping h. Generally, the final XOR to obtain y is not calculated explicitly in order to minimize the opportunity to attack the white box implementation. This even holds for the values α.sub.i(x) and β.sub.i(y), which are generally merged with other functions as the S-box is typically merged with other functions.
[0100] The choice of Γ∈W depends on a computation based upon the input bytes as further described below. It is not fixed, and as a result the Billet attack cannot be used.
[0101] So, first the set V of affine self-equivalences of the AES S-box is defined. The AES S-box can be written as:
S(x)=A.sub.AES(x.sup.−1),
where the inverse is taken in GF(2.sup.8) and A.sub.AES is a fixed affine mapping. As shown by Biryukov, the set of self-equivalences is given by
V={.sup.2i√{square root over (c.sup.−1.Math.x)},A.sub.AES(.sup.2i√{square root over (c.Math.A.sub.AES.sup.−(x))})|0≦l<8[AltContent: rect]c∈GF(2.sup.8)\{0}}.
We note that for any (α, β)∈V the function α is linear.
[0102] Further, for the function h the constant addition of A.sub.AES may be used, i.e., h(x)=x⊕C.sub.AES with A.sub.AES=L.sub.AES(x)⊕C.sub.AES for a linear mapping L.sub.AES. Now let n=4 and define the set W as
W={Γ∈V.sup.n|Γ.sub.i=(α,β) with β.sub.i:x [AltContent: rect]A.sub.AES(c.sub.i.Math.A.sub.AES.sup.−(x))[AltContent: rect]c.sub.n=1⊕(⊕.sub.j=1.sup.n-1c.sub.j)}.
This formulation complies with the more abstract definition of W. That is, for any Γ=(α.sub.1,β.sub.1), (α.sub.2,β.sub.2), . . . , (α.sub.n,β.sub.n),∈W and any byte x, then ⊕.sub.iβ.sub.i(x)=h(x) as can be verified as follows:
⊕.sub.i=1.sup.4(A.sub.AES(c.sub.i.Math.A.sub.AES.sup.−1(x)))
={A.sub.AES affine, constant canceled out}
L.sub.AES(⊕.sub.i=1.sup.4(c.sub.i.Math.A.sub.AES.sup.−1(x)))
={distributive law}
L.sub.AES((⊕.sub.i=1.sup.4c.sub.i).Math.A.sub.AES.sup.−1(x)))
={c.sub.4=1⊕(⊕.sub.j=1.sup.3c.sub.j)}
L.sub.AES(A.sub.AES.sup.−1(x))=h(x)
[0103] The computation of output byte z.sub.2,3 of first round of AES is now shown according to an exemplary embodiment of the invention for n=4 and h(x)=x⊕C.sub.AES being the identity function. Alternatively, other values of n and h(x) may be chosen. The computation of other bytes runs similarly. This specifies the white-box implementation of the first round without the obfuscation step. The input to the first round is the input state x to be encrypted or decrypted. Bytes of x are input to the Q-boxes to produce nibbles of the y values. The various y values output by the Q-boxes may then be combined into output bytes z that are part of the output state for the round. The y values may be used to select the input splitting functions α that will be applied to the output bytes of z because the output bytes z of the first round become the input bytes of the second round. As described below, these splitting functions may be incorporated while calculating the final values of the bytes z. Then in the second round, the output will be split using another set of splitting functions α selected in a similar manner as in the first round to produce the split input to the third round. This continues until the next to last round. This splitting of the input by the set of splitting functions α protects the interface between rounds of the AES process from the Billet attack. [0104] Further, to ease the presentation, the key-addition of the second round is ignored for the time being. This means that the input of an AES S-box of the second round is given by an output byte of the first round. Later on, it will be described how to cope with the key-addition.
  The combination is the analogous art, Determining the scope and contents of the prior art is the similar scope. Ascertaining the differences between the prior art and the claims at issue is the same disclosure of the above prior arts. Resolving the level of ordinary skill in the pertinent art. It would have been for an ordinary skill to combination of the prior arts. Considering objective evidence of the disclosure of the above prior arts, in the application indicating obviousness.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4-13 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Olson et al US 2012/0216020 in view of Michiels et al US 2016/0078250 in view of Freebern US 2007/0297268.

 	As per claim 1, Olson disclose an integrated circuit with technology for generating a keystream, the integrated circuit comprising: 
 	a cipher block in the integrated circuit , the cipher block comprising a linear feedback shift register (LFSR) and a finite state machine (FSM), wherein the LFSR and the FSM are configured to generate a stream of keys, based on an initialization value and an initialization key (par 0084 Turning now to FIG. 4A, a block diagram of a Snow cipher 400 (	a cipher block in the integrated circuit, the cipher block) is depicted. Snow cipher 400 is one embodiment of a word-oriented stream cipher that enables encryption and decryption of data. During operation, Snow cipher 400 generates a key Z by performing multiple rounds to generate portions of the key referred to as Z.sub.t. A sender encrypts unencrypted data (referred to as "plaintext") by performing exclusive-OR (XOR) operations between the portions Z.sub.t and portions of plaintext to produce encrypted data (referred to as ciphertext). A recipient then decrypts the ciphertext by regenerating Z and performing XOR operations in a similar manner. In the illustrated embodiment, cipher 400 is configured to implement the Snow 2.0 cipher. See "A new version of the stream cipher SNOW." Cipher 400 generates a Key Z by using a linear-feedback shift register (LFSR) 410 and a finite state machine (FSM) 420. ); and 
 	an Sbox in the FSM, wherein the SBox is configured to do operations ([0088] FSM 420, in illustrated embodiment, generates new values of R1 and R2 (referred to herein as values R1' and R2', respectively) based on the previous values stored in registers 422A and 422B and the value S.sub.t+5 stored in LFSR 410. To generate R1', FSM 420 performs a modular addition of the value stored in register 422B and the value S.sub.t+5. To generate R2', FSM 420 performs an S-Box operation 428 of the value stored in register 422A. (As used herein, a substitution-box (S-Box) operation is an operation that uses a substitution box to map a first set bits in a value to a second set of bits. In Snow 2.0, a value R1 is divided into portions w0, w1, w2, and w3. A Rijndael S-Box is then applied to the portions. The results are then multiplied by a polynomial (x+1)y.sup.3+y.sup.2+y+x.epsilon.F.sub.2.sup.8[y] modulo y.sup.4+1.epsilon.F.sub.2.sup.8[y] to produce a value R1'.) In some embodiments, FSM 420 may include additional registers to store additional values used to generate F.sub.t (e.g., as in Snow 3G). These additional values may be generated by performing additional S-Box operations. ).  
 	Olson does not explicitly disclose the multiplicative mask.
 	Michiels discloses the multiplicative mask ( par 0090,0073, S-box using the multiplicative masks to the input value Z.sub 2,3 in input to the S-box).
 	 Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of finite state machine of cipher of Olson, based on the teaching of masking the data of Michiels, because doing so would provide improve the data security (par 0090).
    The combination does not explicitly disclose 
 	 A finite state machine receives an additively masked version of content from the LFSR; and a fused conversion-and-masking unit (FCMU) in the Sbox, wherein the FCMU is configured to convert the additively masked version of content from the LFSR to a multiplicatively masked version of content from the LFSR.
 	However, Freebern discloses A finite state machine receives an additively masked version of content from the LFSR ( claim 8  wherein the selection circuitry comprises at least one of masked metal lines, fuses, a multiplexer, and a register configured to be programmed to select one of the first state machine and the second state machine ); and a fused conversion-and-masking unit (FCMU) in the Sbox, wherein the FCMU is configured to convert the additively masked version of content from the LFSR to a multiplicatively masked version of content from the LFSR.( par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations.)
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of finite state machine of cipher of Olson, based on the teaching of masking the data of Michiels, based on the teaching of masking in the sbox of Freebern, because doing so would provide masking for the state machines (par 0025).

 	As per claim 2, Olson in view of Michiels in view of Freebern disclose an integrated circuit according to claim 1, further comprising:  Olson discloses 
 	a core Sbox unit in the Sbox, the bye processing unit comprising the FCMU ( 0090, Snow engine 310 may be configured to perform instructions that are defined within an ISA for processor 10 and that accomplish more of the work per instruction than in the case of using general-purpose ISA instructions. In some embodiments, such instructions may be executable to perform operations associated with an LFSR of a Snow cipher. Snow engine 310 is configured to perform an instruction that is executable to perform an alpha multiplication (e.g., multiplication 412), an alpha division (e.g., division 414), and an exclusive-OR operation (e.g., XOR operation 416B) using their results. Snow engine 310 may be configured to perform instructions that are executable to perform operations associated with a FSM of a Snow cipher. Snow engine 310 is configured to perform an instruction (referred to herein as a "Snow_AddXOR" instruction) that is executable to perform a modular addition (e.g., addition 424A) of a value R1 (e.g., in register 422A) and a value S (e.g., S.sub.t+15), and to perform an exclusive-OR operation (e.g., XOR operation 428) on a result of the modular addition and a value R2 (e.g., in register 422B). Snow engine 310 is configured to perform an instruction (referred to herein as a "Snow_Rstep" instruction) that is executable to perform a substitution-box operation (e.g., S-Box operation 428) on a value R1 to produce a value R2', and to perform a modular addition (e.g., addition 426A) using a value R2 and a value S(t+5) to produce a value R1'. Such instructions may be usable to generate portions of a stream-cipher key (e.g. Z.sub.t). ); and multiple fused multiplier-adders (FMAs) in the core Sbox unit, wherein each FMA is configured (a) to receive a first pair of input values and a second pair of input values, and (b) to generate an output value comprising a sum of (i) a first product of the first pair of input values and (ii) a second product of the second pair of input values ( par 0067 FGU 255 may implement fused and unfused floating-point multiply-add instructions. Additionally, in one embodiment FGU 255 may implement certain integer instructions such as integer multiply, divide, and population count instructions. Depending on the implementation of FGU 255).  

 	As per claim 4, Olson in view of Michiels in view of Freebern disclose an integrated circuit according to claim 1, further comprising:  Olson discloses a byte processing unit in the Sbox, the byte processing unit comprising the FCMU ( 0090, Snow engine 310 may be configured to perform instructions that are defined within an ISA for processor 10 and that accomplish more of the work per instruction than in the case of using general-purpose ISA instructions. such instructions may be executable to perform operations associated with an LFSR of a Snow cipher.); and 
 	wherein the FCMU is configured to convert the additively masked version of content from the LFSR to multiplicatively masked content without unmasking the additively masked version of content from the LFSR (par 0067 FGU 255 may implement fused and unfused floating-point multiply-add instructions. Additionally, in one embodiment FGU 255 may implement certain integer instructions such as integer multiply, divide, and population count instructions. Depending on the implementation of FGU 255 ).  

 	As per claim 5, Olson in view of Michiels in view of Freebern disclose an integrated circuit according to claim 4, further comprising:  Freebern discloses  wherein : the FCMU is configured to convert the additively masked version of content from the LFSR in a native filed to multiplicatively masked content in a composite field;( par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable registers that are programmed at any suitable time to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry includes a multiplexer controlled to select one of the first and second state machines 40 and 42 and provide a selected set of command operations) and the byte processing unit comprises a field converter configured to convert additively masked content in a composite filed to additively masked content in a native filed( par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable registers that are programmed at any suitable time to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry includes a multiplexer controlled to select one of the first and second state machines 40 and 42 and provide a selected set of command operations).

 	As per claim 6, Olson in view of Michiels in view of Freebern disclose An integrated circuit according to claim 1, further comprising: Michiels  discloses an additive mask generator (AMG) in the cipher block configured to generate an additive mask ( par 0090  the value z.sub.2,3 is input to the S-box of the next round. Removing the mask before using z.sub.2,3 as input to the S-box results in a functionally correct implementation. To further improve security, it may be desirable to not remove the mask at the input of the S-box. This may be realized by using multiplicative masks instead of additive masks); and an XOR element in the cipher block configured to (a) receive the additive mask from the AMG (b) receive an input value from the LFSR, and (c) generate additively masked content, based on the input value from the LFSR and the additive mask(par 0090  [0090] The value z.sub.2,3 is input to the S-box of the next round. Removing the mask before using z.sub.2,3 as input to the S-box results in a functionally correct implementation. To further improve security, it may be desirable to not remove the mask at the input of the S-box. This may be realized by using multiplicative masks instead of additive masks ).  

 	As per claim 7,  Olson in view of Michiels in view of Freebern disclose an integrated circuit according to claim 1, further comprising: Michiels discloses wherein  the multiplicatively masked version of content from the LFSR comprises a first multiplicatively masked version of content from the LFSR ( 0073  In the implementation depicted in FIG. 3, the key may easily be extracted from the Q-boxes. Just applying the inverse MixColumns multiplication and the inverse S-box to the output reveals the plain AddRoundKey operation.); and 
 	The combination fails to disclose a first multiplicatively masked version of content from the LFSR the Sbox is configured to (a) use a sequence of squaring elements to generate a second multiplicatively masked version of content from the LFSR, based on the first multiplicatively masked version of content from the LFSR, and (b) produce additively masked output, based on the second multiplicatively masked version of content from the LFSR.
 	However, Freebern discloses a first multiplicatively masked version of content from the LFSR the Sbox is configured to (a) use a sequence of squaring elements to generate a second multiplicatively masked version of content from the LFSR, based on the first multiplicatively masked version of content from the LFSR, and (b) produce additively masked output, based on the second multiplicatively masked version of content from the LFSR (par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. )
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of finite state machine of cipher of Olson, based on the teaching of masking the data of Michiels, based on the teaching of masking in the sbox of Freebern, because doing so would provide masking for the state machines (par 0025).

 	As per claim 8, Olson in view of Michiels in view of Freebern disclose an integrated circuit according to claim 1,  further comprising: Freebern discloses a compensatory mask generator (CMG) in the cipher block configured to generate a compensatory mask, based  on an additive mask ( par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations); and  an XOR element in the cipher block configured to (a) receive the compensatory mask,  b) receive an additively masked input value, and (c) generate unmasked content, based on the compensatory mask and the additively masked input value (par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations ).

 	As per claim 9,  Olson in view of Michiels in view of Freebern disclose An integrated circuit according to claim 1, Olson disclose further comprising: registers R1, R2, and R3 in the FSM; and wherein the Sbox is configured to receive input from register R2 and send output to register R3, wherein the input from register R2 comprises the additively masked version of content from the LFSR, and the output to register R3 comprises the additively masked output of the Sbox (par 0084  now cipher 400 is one embodiment of a word-oriented stream cipher that enables encryption and decryption of data. During operation, Snow cipher 400 generates a key Z by performing multiple rounds to generate portions of the key referred to as Z.sub.t. A sender encrypts unencrypted data (referred to as "plaintext") by performing exclusive-OR (XOR) operations between the portions Z.sub.t and portions of plaintext to produce encrypted data (referred to as ciphertext). A recipient then decrypts the ciphertext by regenerating Z and performing XOR operations in a similar manner. In the illustrated embodiment, cipher 400 is configured to implement the Snow 2.0 cipher. See "A new version of the stream cipher SNOW." Cipher 400 generates a Key Z by using a linear-feedback shift register (LFSR) 410 and a finite state machine (FSM) 420. ).  

 	As per claim 10, Olson in view of Michiels in view of Freebern disclose An integrated circuit according to claim 1, Olson disclose wherein the integrated circuit comprises a processor comprising: at least one processor core; and the cipher block, wherein the cipher block is responsive to the processor core ( par 0087  FSM 420, in the illustrated embodiment, receives the values S.sub.t+15 and S.sub.t+5 and generates the value F.sub.t. As noted above, F.sub.t is used in XOR operation 430 to produce a portion Z.sub.t of key Z. To generate F.sub.t, FSM 420 stores values in registers R1 422A and R2 422B to maintain state. (As used herein, the value R1 refers to a value that is generated from a modular addition. The value R2 refers to a value that is generated from a substitution-box (S-Box) operation described below.) FSM 420 performs a modular addition 424A of the value R1 stored in register 422A and the value S.sub.t+15. FSM 420 then performs an XOR operation 426 of the result of modular addition 424A and the value R2 stored in register 422B to produce F.sub.t during a given round ).  

 	 As per claim 11, Olson in view of Michiels in view of Freebern disclose A data processing system with technology for generating a keystream according to claim 1,  Olson disclsoes the data processing system comprising: at least one processor core; the cipher block, wherein the cipher block is responsive to the processor core; and an input/output module responsive to the processor core ( par 0087 [0087] FSM 420, in the illustrated embodiment, receives the values S.sub.t+15 and S.sub.t+5 and generates the value F.sub.t. As noted above, F.sub.t is used in XOR operation 430 to produce a portion Z.sub.t of key Z. To generate F.sub.t, FSM 420 stores values in registers R1 422A and R2 422B to maintain state. (As used herein, the value R1 refers to a value that is generated from a modular addition. The value R2 refers to a value that is generated from a substitution-box (S-Box) operation described below.) FSM 420 performs a modular addition 424A of the value R1 stored in register 422A and the value S.sub.t+15. FSM 420 then performs an XOR operation 426 of the result of modular addition 424A and the value R2 stored in register 422B to produce F.sub.t during a given round ).  

 	 As per claim 12, Olson in view of Michiels in view of Freebern disclose A data processing system according to claim 11, Olson discloses wherein the integrated circuit comprises the at least one processor core and the cipher block (par 0021 "Configured To." Various units, circuits, or other components may be described or claimed as "configured to" perform a task or tasks. In such contexts, "configured to" is used to connote structure by indicating that the units/circuits/components include structure (e.g., circuitry) that performs those task or tasks during operation. As such, the unit/circuit/component can be said to be configured to perform the task even when the specified unit/circuit/component is not currently operational (e.g., is not on). The units/circuits/components used with the "configured to" language include hardware--for example, circuits, memory storing program instructions executable to implement the operation).  

  	As per claim 13, Olson in view of Michiels in view of Freebern  disclose A data processing system according to claim 11,Olson disclose  wherein: the integrated circuit with the cipher block comprises a security accelerator; and the at least one processor core resides on a second integrated circuit ( par 0021  "Configured To." Various units, circuits, or other components may be described or claimed as "configured to" perform a task or tasks. In such contexts, "configured to" is used to connote structure by indicating that the units/circuits/components include structure (e.g., circuitry) that performs those task or tasks during operation. As such, the unit/circuit/component can be said to be configured to perform the task even when the specified unit/circuit/component is not currently operational (e.g., is not on). The units/circuits/components used with the "configured to" language include hardware--for example, circuits, memory storing program instructions executable to implement the operation).  
 	
 	As per claim 17, Olson discloses a method for generating a keystream, the method comprising: 
 	 using a linear feedback shift register (LFSR) and a finite state machine (FSM) to generate a stream of keys, based on an initialization value and an initialization key ( par 0084 Turning now to FIG. 4A, a block diagram of a Snow cipher 400 a cipher block in the integrated circuit, the cipher block) is depicted. Snow cipher 400 is one embodiment of a word-oriented stream cipher that enables encryption and decryption of data. During operation, Snow cipher 400 generates a key Z by performing multiple rounds to generate portions of the key referred to as Z.sub.t. A sender encrypts unencrypted data (referred to as "plaintext") by performing exclusive-OR (XOR) operations between the portions Z.sub.t and portions of plaintext to produce encrypted data (referred to as ciphertext). A recipient then decrypts the ciphertext by regenerating Z and performing XOR operations in a similar manner. In the illustrated embodiment, cipher 400 is configured to implement the Snow 2.0 cipher. See "A new version of the stream cipher SNOW." Cipher 400 generates a Key Z by using a linear-feedback shift register (LFSR) 410 and a finite state machine (FSM) 420.); and 
 	wherein the operation of using the FSM to generate the stream of keys comprises (0088] FSM 420, in illustrated embodiment, generates new values of R1 and R2 (referred to herein as values R1' and R2', respectively) based on the previous values stored in registers 422A and 422B and the value S.sub.t+5 stored in LFSR 410. To generate R1', FSM 420 performs a modular addition of the value stored in register 422B and the value S.sub.t+5. To generate R2', FSM 420 performs an S-Box operation 428 of the value stored in register 422A. (As used herein, a substitution-box (S-Box) operation is an operation that uses a substitution box to map a first set bits in a value to a second set of bits. In Snow 2.0, a value R1 is divided into portions w0, w1, w2, and w3. A Rijndael S-Box is then applied to the portions. The results are then multiplied by a polynomial (x+1)y.sup.3+y.sup.2+y+x.epsilon.F.sub.2.sup.8[y] modulo y.sup.4+1.epsilon.F.sub.2.sup.8[y] to produce a value R1'.) In some embodiments, FSM 420 may include additional registers to store additional values used to generate F.sub.t (e.g., as in Snow 3G). These additional values may be generated by performing additional S-Box operations ); and 
 	 (  0088] FSM 420, in illustrated embodiment, generates new values of R1 and R2 (referred to herein as values R1' and R2', respectively) based on the previous values stored in registers 422A and 422B and the value S.sub.t+5 stored in LFSR 410. To generate R1', FSM 420 performs a modular addition of the value stored in register 422B and the value S.sub.t+5. To generate R2', FSM 420 performs an S-Box operation 428 of the value stored in register 422A. (As used herein, a substitution-box (S-Box) operation is an operation that uses a substitution box to map a first set bits in a value to a second set of bits. In Snow 2.0, a value R1 is divided into portions w0, w1, w2, and w3. A Rijndael S-Box is then applied to the portions. The results are then multiplied by a polynomial (x+1)y.sup.3+y.sup.2+y+x.epsilon.F.sub.2.sup.8[y] modulo y.sup.4+1.epsilon.F.sub.2.sup.8[y] to produce a value R1'.) In some embodiments, FSM 420 may include additional registers to store additional values used to generate F.sub.t (e.g., as in Snow 3G). These additional values may be generated by performing additional S-Box operations ).  
 	Olson does not explicitly disclose the multiplicative mask in the S-box and the FSM and a linear feedback shift register (LFSR) in the data processing system to generate a stream of keys based on an initialization value and an initialization key, wherein the operation of using the FSM and the LFSR to generate a stream of keys based on an initialization value and an initialization key comprises: receiving, at the Sbox, an additively masked version of content from the LFSR; at the Sbox, converting the additively masked version of content from the LFSR to a first multiplicatively masked version of content from the LFSR; and at the Sbox, (a) using a sequence of squaring elements to generate a second multiplicatively masked version of content from the LFSR, based on the first multiplicatively masked version of content from the LFSR, and (b) producing additively masked output, based on the second multiplicatively masked version of content from the LFSR.
 	Michiels discloses the multiplicative mask in the s-box ( par 0090,0073, S-box using the multiplicative masks to the input value Z.sub 2,3 in input to the S-box).
  	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of finite state machine of cipher of Olson, based on the teaching of masking the data of Michiels, because doing so would provide improve the data security (par 0090).

  	 The combination fails to disclose the FSM and a linear feedback shift register (LFSR) in the data processing system to generate a stream of keys based on an initialization value and an initialization key, wherein the operation of using the FSM and the LFSR to generate a stream of keys based on an initialization value and an initialization key comprises: receiving, at the Sbox, an additively masked version of content from the LFSR; at the Sbox, converting the additively masked version of content from the LFSR to a first multiplicatively masked version of content from the LFSR; and at the Sbox, (a) using a sequence of squaring elements to generate a second multiplicatively masked version of content from the LFSR, based on the first multiplicatively masked version of content from the LFSR, and (b) producing additively masked output, based on the second multiplicatively masked version of content from the LFSR.
 	However, Freebern discloses the FSM and a linear feedback shift register (LFSR) in the data processing system to generate a stream of keys based on an initialization value and an initialization key, wherein the operation of using the FSM and the LFSR to generate a stream of keys based on an initialization value and an initialization key comprises: receiving, at the Sbox, an additively masked version of content from the LFSR; at the Sbox, converting the additively masked version of content from the LFSR to a first multiplicatively masked version of content from the LFSR; and at the Sbox, (a) using a sequence of squaring elements to generate a second multiplicatively masked version of content from the LFSR, based on the first multiplicatively masked version of content from the LFSR, and (b) producing additively masked output, based on the second multiplicatively masked version of content from the LFSR( claim 8  wherein the selection circuitry comprises at least one of masked metal lines, fuses, a multiplexer, and a register configured to be programmed to select one of the first state machine and the second state machine  and par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations.)
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of finite state machine of cipher of Olson, based on the teaching of masking the data of Michiels, based on the teaching of masking in the sbox of Freebern, because doing so would provide masking for the state machines (par 0025).

 	As per claim 18, Olson in view of Michiels in view of Freebern discloses  a method according to claim 17, further comprising: Olson discloses using at least one fused multiplier-adder (FMA) in a core Sbox unit in the Sbox to (a) to receive a first pair of input values and a second pair of input values, and (b) generate an output value comprising a sum of (i) a first product of the first pair of input values and (ii) a second product of the second pair of input values (par 0067  FGU 255 may implement fused and unfused floating-point multiply-add instructions. Additionally, in one embodiment FGU 255 may implement certain integer instructions such as integer multiply, divide, and population count instructions. Depending on the implementation of FGU 255).  

 	As per claim 19, Olson in view of Michiels in view of Freebern discloses   a method according to claim 17, further comprising:  Michiels  disclose wherein the operation of converting the additively masked version of content from the LFSR to a first multiplicatively masked version of content from the LFSR comprises: using a fused conversion-and-masking unit (FCMU) in the Sbox to convert the additively masked version of content from the LFSR in a native field to multiplicatively masked content without unmasking the additively masked version of content from the LFSR. (par 0049 0049] The key used may be a cryptographic key and may contain sufficient entropy to withstand an anticipated brute force attack. It is noted that in a white-box implementation, the key is typically not explicitly present in the implementation. This would risk the key being found by inspection of the implementation. Typically, the key is only present implicitly. Various ways are known to hide a key in a cryptographic system. Typically, at least the method of partial evaluation is used, wherein a basic block which needs key input is evaluated in-so-far that it does not depend on the input-message. For example, a basic operation wherein an input-value, a masking value, which does not depend on the input-message, e.g. a value from a substitution box (S-box), and a key-value need to be XORed can be partially evaluated by XORing the key value and the masking value together beforehand. In this way the operation still depends on the key-value although the key-value is not explicitly present in the implementation. Instead, only the XOR between the key-value and masking-value is present in the implementation. Note that, more complicated ways and/or further ways of hiding the keys are compatible with embodiments of this invention).  

 	As per claim 20, Olson in view of Michiels in view of Freebern discloses   a method according to claim 19, further comprising: Michiels discloses using a field converter in the byte processing unit to convert additively masked content in a composite field to additively masked content in a native field ( par 0011 instructions for calculating a first mask value based upon the input data; and instructions for applying the first mask value to a first intermediate value of the keyed cryptographic operation. ).
 	The combination fails to disclose  wherein: the additively masked version of content from the LFSR is in a native field; the FCMU converts the additively masked version of content from the LFSR in the native field to multiplicatively masked content in a composite field;
 	However, Freebern discloses wherein: the additively masked version of content from the LFSR is in a native field; the FCMU converts the additively masked version of content from the LFSR in the native field to multiplicatively masked content in a composite field(par 0025   selection circuitry 44 is implemented via masked metal lines, such as first layer metal lines, produced during manufacturing of integrated circuit 20. The masked metal lines provide clock signal CLK at 58 to one of the first and second state machines 40 and 42. Also, the masked metal lines provide either the first state machine output signals SM1 at 62 or the second state machine output signals SM2 at 66 to read and write control circuit 46 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations. In one embodiment, selection circuitry 44 includes programmable fuses that are opened or closed during testing of integrated circuit 20 to select one of the first and second state machines 40 and 42 and provide a selected set of command operations).



 				Allowable Subject Matter
Claim 3 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims 14-16 are allowable.

The following is an examiner’s statement of reasons for allowance: the claim 3 is incorporated with the all the independent claims would be allowable over the above cited prior art.  The claims 14-16 would be allowable over the above the cited prior art.
 	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

 
  			 		Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Michiels US 2015/0270949 whtiebox implementation against attacks
Michiels US 2016/0078250 remapping constant points in a white-box implementation.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496