DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on May 21, 2021, November 22, 2021, and June 3, 2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(4) because reference character “128” has been used to designate both "PIR protocol" in Fig, 5, and 6; and "encrypted row" in Fig. 4.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Specification
The disclosure is objected to because of the following informalities: 
In paragraph [0032], line 4, the reference numeral “128” should be read as “130”.
The reference numeral “128” has been used to designate both “encrypted row” in the paragraphs [0028] and [0039]; and “PIR protocol” in the paragraph [0029].
Appropriate correction is required.

Claim Objections
Claims 4 and 19 are objected to because of the following informalities: 
In claim 4, line 2, “Pollig-Hellman” should be read as --Pohlig-Hellman--; and 
In claim 19, line 6, after “selector”, --; and-- should be added.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-4, 7, 8-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over  Agrawal et al.  (U.S. PG Publication No. 2004/0250100, hereinafter " Agrawal ") in view of ITHAL et al. (U.S. PG Publication No. 2020/0076578 A1, hereinafter “ITHAL”).

Regarding claim 1, Agrawal discloses a method, comprising: 
generating, by a responder [[0038] S (sender)], a hashed and encrypted database from a cleartext database [[0038] sender’s database DS] by: 
encrypting [[0153] (a) Encrypts the hash h(v) with es, obtaining feS(h(v)). The Examiner construes encrypting the hash of the selectors to be the same as encrypting the selectors.] selectors [set of values VS; [0044] Let S have a database table TS, and R have a table TR, with both tables having a specific attribute A in their schemas. The attribute takes its values from a given set V. Let VS be the set of values (without duplicates) that occur in TS.A, and let VR be the set of values occurring in TR.A. For each v ϵ VS, let ext(v) be all records in TS where TS.A =v, i.e., ext(v) is the extra information in TS pertaining to v. ] of the cleartext database [[0038] database DS] using a responder key [[0153] eS] of a commutative encryption scheme [Agrawal teaches commutative encryption in [0028] and [0067]-[0081]; [0028] The protocols employ commutative encryption to limit the information revealed beyond the query answer.], ; 
encrypting rows [[0155] (c) Encrypts the extra information: c(v)=K(k(v), ext(v)). The Examiner construes rows to be the same as the extra information ext(v) of the prior.] of the cleartext database [[0038] database DS] with responder derived keys generated from the encrypted selectors [[0154] (b) Generates the key for extra information using e'S: k(v)=fe'S (h(v)). The Examiner construes k(v) is the same as the responder derived keys.];
grouping the encrypted rows according to bucket identifiers [[0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. The Examiner construes grouping the encrypted rows according bucket identifiers to be the same sorting the hashes of the prior art.]; 

returning at least two encrypted rows  [[0157] The pairs, <fes(h(v)), K(fe'S(h(v)), ext(v))>, are then shipped to R in lexicographical order. The Examiner construes at least two encrypted rows to be the same as K(fe'S(h(v)), ext(v)).], the at least two encrypted rows comprising at least one encrypted row that does not correspond to the requested selector, but was based on a bucket identifier collision, and at least one encrypted row that does correspond to the requested selector [[0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. If there is a collision between v ϵ VS and V' ϵ VR, it will cause inclusion of v' into the join (or intersection) by R and the disclosure to R of S's records containing v. (For the join protocol (Section 4), R can check whether there was a collision between v ϵ VS and v' ϵ VR by having S include the value v in ext(v)). The Examiner construes a bucket identifier collision to be the same as a collision within VS of the prior art.]; and 
performing an encrypted selector exchange protocol that comprises: 
encrypting [[0149] 2. R encrypts its hashed set: YR=feR(XR)=feR(h(VR)). The Examiner construes encrypting the hash of the selector to be the same as encrypting the requested selector.] the requested selector [[0044] VR] a first time, by a querier [[0038] R (receiver)], using a querier key [[0148] eR];
encrypting [[0151] S encrypts each y ϵ YR with both S's key eS and e’S and sends back to R 3-tuples <y, feS(y), fe’S(y)> = <feR(h(v)), feS(feR(h(v))), fe’S(feR(h(v)))>. ] the requested selector a second time, by the responder [[0038] S (sender)], using the responder key [[0148] eS] to create a twice encrypted selector [[0151] feS(feR(h(v)))];
receiving, by the querier [[0038] R (receiver)], the twice encrypted selector [[0151] S encrypts each y ϵ YR with both S's key eS and e’S and sends back to R 3-tuples <y, feS(y), fe’S(y)> = <feR(h(v)), feS(feR(h(v))), fe’S(feR(h(v)))>.];
decrypting [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR.], by the querier [[0038] R (receiver)], the twice encrypted selector [[0151] feS(feR(h(v)))] using the querier key [[0148] eR] to obtain the requested selector [[0158] feS(h(v))] that was encrypted with the responder key [[0148] eS]; and 
deriving [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR. The Examiner construes deriving the responder derived key to be the same as obtaining fe'S(h(v)).], by the querier [[0038] R (receiver)], the responder derived key [[0154] k(v)=fe'S(h(v))] used to encrypt the at least one encrypted row that does correspond to the requested selector to recover the cleartext corresponding to the least one encrypted row [[0159] Using the third entry fe'S(h(v))=k(v) as the key, R decrypts K(fe'S(h(v)), ext(v)) and gets ext(v). The corresponding v's form the intersection VS ∩VR. The Examiner construes the cleartext is the same ext(v).], the querier being unable to decrypt the at least one encrypted row that does not correspond to the requested selector [[0136] R can now apply f-1eR to the latter to get f-1eR (fe'S(feR(h(v))))= f -1eR (feR(fe'S(h(v))))=fe'S(h(v)).; [0137] Note that R only gets fe'S(h(v)) for v ϵ VR, not for v ϵ VS-VR. The Examiner construes the responder derived key to be the same as fe'S(h(v)) which is a different according to the selector v. Since R only gets fe'S(h(v)) for v ϵ VR , the at least one encrypted row that does not correspond to the requested selector cannot be decrypted.]. 
Agrawal does not appear to explicitly disclose a bucket identifier.  However, referring Figs. 2-5 and paragraphs [0025] and [0029] of the instant application, the bucket identifier is a hash value of the selector. Agrawal discloses hash values of the selector [the hash sets, XS=h(VS) and XR=h(VR);  paragraphs [0090], [0147], and [0206] of Agrawal], and it would be obvious to one ordinary skilled in the art that hash values of Agrawal correspond to the hashed bucket identifier of the instant application.
Further, Agrawal discloses that the receiver R corresponding to a querier of the instant application form intersection VS ∩VR  between two sets VS  and VR, and all of encrypted rows of the sender’s database VS  is sent to the receiver R without determination. Because the system is designed in order to share information only on a need-to-know basis, and only the receiver knows intersection VS ∩VR  between two sets VS  and VR. (See paragraphs [0009]-[0013] of Agrawal ). Therefore, it would be obvious to one ordinary skilled in the art that the entity determining the intersection can be modified in a different condition.
In detail, Agrawal does not appear to explicitly disclose that each selector being assigned a bucket identifier; determining a hash bucket identifier of a query based on a requested selector of a query; and returning at least two encrypted rows corresponding to the hash bucket identifier.
However, ITHAL discloses each selector being assigned a bucket identifier [[0057] That is, retrieval is handled by assigning pre-encryption hashes to searchable fields to allow exact searches across segments of the database that have different encryption keys. The Examiner construes assigning a bucket identifier to selector to the same as assigning pre-encryption hash to searchable field of the prior art.]; 
determining a hash bucket identifier of a query based on a requested selector of a query [[0070] Process 900 continues at action 925 with hashing the search value to a non-reversible hash value, prior to querying the remote database server. The Examiner construes determining a hash bucket identifier of a query to be the same as hashing the search value to a non-reversible hash value of the prior art.]; and 
returning at least two encrypted rows corresponding to the hash bucket identifier [[0072] At action 945 the process includes receiving network event metadata responsive to the query, including the encrypted value of the indexed sensitive field, clear text values of one or more metadata fields, and an additional encrypted value of a sensitive field that is either indexed or not indexed. The Examiner construes encrypted rows corresponding to the hash bucket identifier to be the same as event metadata responsive to the query.]. 
Agrawal and ITHAL are both considered to be analogous to the claimed invention because they are in the same field of data security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the hash value taught by Agrawal to incorporate the teachings of ITHAL, hashing values in the indexable sensitive fields; concatenating the non-reversible hash values with the metadata for the network events; and encrypting values in the sensitive fields, and to provide a secure indexable databases with sensitive information to enable exact match querying of the encrypted sensitive data stored therein. (ITHAL, [0028] The disclosed technology includes a solution for retrieving the sensitive information that is secured at rest. The disclosed technology teaches hashing the sensitive data before storing it in the cloud, as a signature, to enable exact match querying of the encrypted sensitive data stored in the cloud. Then, when a query is made, the query is hashed and compared to the hashed data stored in the cloud. Retrieval of data in response to a query requires an exact match between the hashed stored data and the hashed query data. Note that, unlike the ability to decrypt an encrypted field when the correct key is available, hashes are non-reversible.; [0036] The technology disclosed relates to building indexable databases with sensitive information secured at rest, and can be implemented in the context of any computer-implemented system including an on-demand database system, a multi-tenant environment, or the like.]

Regarding claim 2, Agrawal in view of ITHAL, discloses the limitation of claim 1 above. Agrawal further discloses that two or more of the encrypted rows have the same bucket identifier [[0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. The Examiner construes “two or more of the encrypted rows have the same bucket identifier” to be the same as a collision within VS or VR detected by sorting the hashes of the prior art.]

Regarding claim 3, Agrawal in view of ITHAL, discloses the limitation of claim 1 above. ITHAL further discloses that the querier key and the responder key are identical. [[0092] Some implementations of the disclosed method use a symmetrical encryption function for the encrypting of the sensitive fields of metadata. The Examiner construes symmetrical encryption function to corresponds that the querier key and the responder key are identical.]

Regarding claim 4, Agrawal in view of ITHAL, discloses the limitation of claim 1 above. Agrawal further discloses that the commutative encryption scheme comprises at least one of elliptic curve cryptography, Pollig-Helman, and/or Shamir, Rivest and Aldeman [[0068] Our definition of commutative encryption below is similar to the constructions used in [9, 18, 20, 42] and others.;  [0319] [42] A. Shamir, R. L. Rivest, and L. M. Adleman. Mental poker. Technical Memo MIT-LCS-TM-125, Laboratory for Computer Science, MIT, February 1979.].

Regarding claim 7, Agrawal in view of ITHAL, discloses the limitation of claim 1 above. Agrawal further discloses that the commutative encryption scheme is deterministic [[0068] Informally, a commutative encryption is a pair of encryption functions f and g such that f(g(v))=g(f(v)). Thus by using the combination f(g(v)) to encrypt v, we can ensure that R cannot compute the encryption of a value without the help of S.  In addition, even though the encryption is a combination of two functions, each party can apply their function first and still get the same result. The Examiner construes deterministic means even though the encryption is a combination of two functions, each party can apply their function first and still get the same result.].

Regarding claim 8, Agrawal discloses a method, comprising: 

obtaining at least two encrypted rows from a hashed and encrypted database  [[0157] The pairs, <fes(h(v)), K(fe'S(h(v)), ext(v))>, are then shipped to R in lexicographical order. The Examiner construes at least two encrypted rows to be the same as K(fe'S(h(v)), ext(v)).], the at least two encrypted rows comprising at least one encrypted row that does not correspond to the requested selector, but was based on a bucket identifier collision, and at least one encrypted row that does correspond to the requested selector [0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. If there is a collision between v ϵ VS and V' ϵ VR, it will cause inclusion of v' into the join (or intersection) by R and the disclosure to R of S's records containing v. (For the join protocol (Section 4), R can check whether there was a collision between v ϵ VS and v' ϵ VR by having S include the value v in ext(v)). The Examiner construes a bucket identifier collision to be the same as a collision within VS of the prior art.]; and 
performing an encrypted selector exchange protocol that comprises: 
encrypting [[0149] 2. R encrypts its hashed set: YR=feR(XR)=feR(h(VR)). The Examiner construes encrypting the hash of the selectors to be the same as encrypting the requested selector.] the requested selector [[0044] VR] a first time using a querier key [[0148] eR]; 
encrypting [[0151] S encrypts each y ϵ YR with both S's key eS and e’S and sends back to R 3-tuples <y, feS(y), fe’S(y)> = <feR(h(v)), feS(feR(h(v))), fe’S(feR(h(v)))>.] the requested selector a second time using a responder key [[0148] eS] to create a twice encrypted selector [[0151] feS(feR(h(v)))]; 
decrypting [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR.] the twice encrypted selector [[0151] feS(feR(h(v)))] using the querier key [[0148] eR] to obtain the requested selector [[0158] feS(h(v))] that was encrypted with the responder key; 
deriving [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR. The Examiner construes deriving the responder derived key to be the same as obtaining fe'S(h(v)) which is S’s key used to encrypt the extra information ext(v) of the prior art.] the responder derived key [[0154] k(v)=fe'S(h(v))] used to encrypt the at least one encrypted row that does correspond to the requested selector; and 
recovering cleartext [[0159] Using the third entry fe'S(h(v))=k(v) as the key, R decrypts K(fe'S(h(v)), ext(v)) and gets ext(v). The corresponding v's form the intersection VS ∩VR. The Examiner construes the cleartext is the same ext(v).] corresponding to the least one encrypted row using the responder derived key [[0154] k(v)=fe'S(h(v))], wherein the at least one encrypted row that does not correspond to the requested selector cannot be decrypted using the responder derived key [[0136] R can now apply f-1eR to the latter to get f-1eR (fe'S(feR(h(v))))= f -1eR (feR(fe'S(h(v))))=fe'S(h(v)).; [0137] Note that R only gets fe'S(h(v)) for v ϵ VR, not for v ϵ VS-VR. The Examiner construes the responder derived key to be the same as fe'S(h(v)) which is a different according to the selector v. Since R only gets fe'S(h(v)) for v ϵ VR , the at least one encrypted row that does not correspond to the requested selector cannot be decrypted.].
Agrawal does not appear to explicitly disclose that determining a hash bucket identifier from a requested selector of a query.
However, ITHAL discloses determining a hash bucket identifier of a query based on a requested selector of a query [[0070] Process 900 continues at action 925 with hashing the search value to a non-reversible hash value, prior to querying the remote database server. The Examiner construes determining a hash bucket identifier of a query to be the same as hashing the search value to a non-reversible hash value of the prior art.].
Agrawal and ITHAL are both considered to be analogous to the claimed invention because they are in the same field of data security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the hash value taught by Agrawal to incorporate the teachings of ITHAL, hashing values in the indexable sensitive fields; concatenating the non-reversible hash values with the metadata for the network events; and encrypting values in the sensitive fields, and to provide a secure indexable databases with sensitive information to enable exact match querying of the encrypted sensitive data stored therein. (ITHAL, [0028] The disclosed technology includes a solution for retrieving the sensitive information that is secured at rest. The disclosed technology teaches hashing the sensitive data before storing it in the cloud, as a signature, to enable exact match querying of the encrypted sensitive data stored in the cloud. Then, when a query is made, the query is hashed and compared to the hashed data stored in the cloud. Retrieval of data in response to a query requires an exact match between the hashed stored data and the hashed query data. Note that, unlike the ability to decrypt an encrypted field when the correct key is available, hashes are non-reversible.; [0036] The technology disclosed relates to building indexable databases with sensitive information secured at rest, and can be implemented in the context of any computer-implemented system including an on-demand database system, a multi-tenant environment, or the like.]

Regarding claim 9, Agrawal in view of ITHAL, discloses the limitation of claim 8 above. Agrawal further discloses the at least one encrypted row that does not correspond to the requested selector cannot be decrypted using the responder derived key because it was encrypted using a different responder derived key [[0136] R can now apply f-1eR to the latter to get f-1eR (fe'S(feR(h(v))))= f -1eR (feR(fe'S(h(v))))=fe'S(h(v)).; [0137] Note that R only gets fe'S(h(v)) for v ϵ VR, not for v ϵ VS-VR. The Examiner construes the responder derived key to be the same as fe'S(h(v)) which is a different according to the selector v. Since R only gets fe'S(h(v)) for v ϵ VR , the at least one encrypted row that does not correspond to the requested selector cannot be decrypted.].
Regarding claim 10, Agrawal in view of ITHAL, discloses the limitation of claim 8 above. Agrawal further discloses generating the hashed and encrypted database by encrypting [[0153] (a) Encrypts the hash h(v) with es, obtaining feS(h(v)). The Examiner construes encrypting the hash of the selectors to be the same as encrypting the selectors.] selectors [[0044] set of values VS] of the cleartext database [[0038] database DS] using a responder key [[0153] eS], . Agrawal does not appear to explicitly disclose each selector being assigned a bucket identifier. 
However, ITHAL discloses each selector being assigned a bucket identifier [[0057] That is, retrieval is handled by assigning pre-encryption hashes to searchable fields to allow exact searches across segments of the database that have different encryption keys. The Examiner construes assigning a bucket identifier to selector to the same as assigning pre-encryption hash to searchable field of the prior art.].

Regarding claim 11, Agrawal in view of ITHAL, discloses the limitation of claim 10 above. Agrawal further discloses encrypting rows [[0155] (c) Encrypts the extra information: c(v)=K(k(v), ext(v)). The Examiner construes rows to be the same as the extra information ext(v) of the prior.] of the cleartext database [[0038] database DS] with responder derived keys generated from the encrypted selectors [[0154] (b) Generates the key for extra information using e'S: k(v)=fe'S (h(v)). The Examiner construes k(v) is the same as the responder derived keys.].
Regarding claim 12, Agrawal in view of ITHAL, discloses the limitation of claim 11 above. Agrawal further discloses grouping the encrypted rows according to bucket identifiers [[0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. The Examiner construes grouping the encrypted rows according bucket identifiers to be the same sorting the hashes of the prior art.]

Regarding claim 13, Agrawal in view of ITHAL, discloses the limitation of claim 12 above. ITHAL further discloses determining a hash bucket identifier of a query based on a requested selector of a query [[0070] Process 900 continues at action 925 with hashing the search value to a non-reversible hash value, prior to querying the remote database server. The Examiner construes determining a hash bucket identifier of a query to be the same as hashing the search value to a non-reversible hash value of the prior art.].
Regarding claim 14, Agrawal in view of ITHAL, discloses the limitation of claim 8 above. Agrawal further discloses that the responder key and the querier key are part of a commutative encryption scheme [[0028] The protocols employ commutative encryption to limit the information revealed beyond the query answer. Agrawal teaches use of commutative encryption in [0028] and [0067]-[0081] and discloses employing commutative encryption. Therefore, the Examiner construes keys of the sender and the receiver in Agrawal to be part of a commutative encryption scheme.].
Regarding claim 15, Agrawal in view of ITHAL, discloses the limitation of claim 14 above. Agrawal further discloses that the commutative encryption scheme is deterministic [[0068] Informally, a commutative encryption is a pair of encryption functions f and g such that f(g(v))=g(f(v)). Thus by using the combination f(g(v)) to encrypt v, we can ensure that R cannot compute the encryption of a value without the help of S.  In addition, even though the encryption is a combination of two functions, each party can apply their function first and still get the same result. The Examiner construes deterministic means even though the encryption is a combination of two functions, each party can apply their function first and still get the same result.].
Regarding claim 17, Agrawal discloses a system [[0035] a system for information integration with minimal sharing], comprising: 
a responder [[0038] S (sender)] comprising a processor [[0276] a processor]; and 
memory [[0276] data storage device] for storing instructions, the processor executes the instructions to [[0276] The invention may be embodied by a computer program that is executed by a processor within a computer as a series of computer-executable instructions.]: 
generate a hashed and encrypted database from a cleartext database [[0038] database DS] as the responder:
encrypts [[0153] (a) Encrypts the hash h(v) with es, obtaining feS(h(v)). The Examiner construes encrypting the hash of the selectors to be the same as encrypting the selectors.] selectors [[0044] set of values VS] of the cleartext database [[0038] database DS] using a responder key [[0153] eS], 
encrypts rows [[0155] (c) Encrypts the extra information: c(v)=K(k(v), ext(v)). The Examiner construes rows to be the same as the extra information ext(v) of the prior.] of the cleartext database [[0038] database DS] with responder derived keys generated from the encrypted selectors [[0154] (b) Generates the key for extra information using e'S: k(v)=fe'S (h(v)). The Examiner construes k(v) is the same as the responder derived keys.]; 
groups the encrypted rows according to bucket identifiers [[0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. The Examiner construes grouping the encrypted rows according bucket identifiers to be the same sorting the hashes of the prior art.];

returns at least one encrypted row  [[0157] The pairs, <fes(h(v)), K(fe'S(h(v)), ext(v))>, are then shipped to R in lexicographical order. The Examiner construes at least two encrypted rows to be the same as K(fe'S(h(v)), ext(v)).].
Agrawal does not appear to explicitly disclose that each selector being assigned a bucket identifier; determines a hash bucket identifier of a query based on a requested selector of a query; and returning at least two encrypted rows corresponding to the hash bucket identifier.
However, ITHAL discloses each selector being assigned a bucket identifier [[0057] That is, retrieval is handled by assigning pre-encryption hashes to searchable fields to allow exact searches across segments of the database that have different encryption keys. The Examiner construes assigning a bucket identifier to selector to the same as assigning pre-encryption hash to searchable field of the prior art.];  
determines a hash bucket identifier of a query based on a requested selector of a query [[0070] Process 900 continues at action 925 with hashing the search value to a non-reversible hash value, prior to querying the remote database server. The Examiner construes determining a hash bucket identifier of a query to be the same as hashing the search value to a non-reversible hash value of the prior art.]; and
returns at least two encrypted rows corresponding to the requested selector [[0072] At action 945 the process includes receiving network event metadata responsive to the query, including the encrypted value of the indexed sensitive field, clear text values of one or more metadata fields, and an additional encrypted value of a sensitive field that is either indexed or not indexed. The Examiner construes encrypted rows corresponding to the hash bucket identifier to be the same as event metadata responsive to the query.]. 
Agrawal and ITHAL are both considered to be analogous to the claimed invention because they are in the same field of data security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the hash value taught by Agrawal to incorporate the teachings of ITHAL, hashing values in the indexable sensitive fields; concatenating the non-reversible hash values with the metadata for the network events; and encrypting values in the sensitive fields, and to provide a secure indexable databases with sensitive information to enable exact match querying of the encrypted sensitive data stored therein. (ITHAL, [0028] The disclosed technology includes a solution for retrieving the sensitive information that is secured at rest. The disclosed technology teaches hashing the sensitive data before storing it in the cloud, as a signature, to enable exact match querying of the encrypted sensitive data stored in the cloud. Then, when a query is made, the query is hashed and compared to the hashed data stored in the cloud. Retrieval of data in response to a query requires an exact match between the hashed stored data and the hashed query data. Note that, unlike the ability to decrypt an encrypted field when the correct key is available, hashes are non-reversible.;[0036] The technology disclosed relates to building indexable databases with sensitive information secured at rest, and can be implemented in the context of any computer-implemented system including an on-demand database system, a multi-tenant environment, or the like.]

Regarding claim 18, Agrawal in view of ITHAL, discloses the limitation of claim 17 above. Agrawal further discloses that the responder is configured to return at least two encrypted rows  [[0157] The pairs, <fes(h(v)), K(fe'S(h(v)), ext(v))>, are then shipped to R in lexicographical order. The Examiner construes at least two encrypted rows to be the same as K(fe'S(h(v)), ext(v)).], the at least two encrypted rows comprising at least one encrypted row that does not correspond to the requested selector, but was based on a bucket identifier collision [[0087] For real-life hash functions, a collision within VS or VR can be detected by the server at the start of each protocol by sorting the hashes. If there is a collision between v ϵ VS and V' ϵ VR, it will cause inclusion of v' into the join (or intersection) by R and the disclosure to R of S's records containing v. (For the join protocol (Section 4), R can check whether there was a collision between v ϵ VS and v' ϵ VR by having S include the value v in ext(v)). The Examiner construes a bucket identifier collision to be the same a collision within VS of the prior art.]. However, Agrawal does not appear to explicitly disclose to return at least two encrypted rows corresponding to the hash bucket identifier.  
However, ITHAL discloses returning at least two encrypted rows corresponding to the hash bucket identifier [[0072] At action 945 the process includes receiving network event metadata responsive to the query, including the encrypted value of the indexed sensitive field, clear text values of one or more metadata fields, and an additional encrypted value of a sensitive field that is either indexed or not indexed. The Examiner construes encrypted rows corresponding to the hash bucket identifier to be the same as event metadata responsive to the query.]. 

Regarding claim 19, Agrawal in view of ITHAL, discloses the limitation of claim 17 above. Agrawal further discloses that the responder performs an encrypted selector exchange protocol as the processor executes the instructions to: 
receive [[0150] 3. R sends to S its encrypted set YR, reordered lexicographically.] the requested selector that has been encrypted a first time [[0149] 2. R encrypts its hashed set: YR=feR(XR)=feR(h(VR)). The Examiner construes the requested selector that has been encrypted a first time to be the same as encrypted set YR.], by a querier [[0038] R (receiver)], using a querier key [[0148] eR]; 
encrypt [[0151] S encrypts each y ϵ YR with both S's key eS and e’S and sends back to R 3-tuples <y, feS(y), fe’S(y)> = <feR(h(v)), feS(feR(h(v))), fe’S(feR(h(v)))>.] the requested selector a second time, by the responder[[0038] S (sender)], using the responder key[[0148] eS]  to create a twice encrypted selector [[0151] feS(feR(h(v)))]; and
transmit to the querier, the twice encrypted selector [[0151] S encrypts each y ϵ YR with both S's key eS and e’S and sends back to R 3-tuples <y, feS(y), fe’S(y)> = <feR(h(v)), feS(feR(h(v))), fe’S(feR(h(v)))>.].
Regarding claim 20, Agrawal in view of ITHAL, discloses the limitation of claim 17 above. Agrawal further discloses the querier [receiver R], the querier being configured to: 
decrypt [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR.] the twice encrypted selector [[0151] feS(feR(h(v)))] using the querier key [[0148] eR] to obtain the requested selector [[0158] feS(h(v))] that was encrypted with the responder key [[0148] eS]; and 
derive [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR. The Examiner construes deriving the responder derived key to be the same as obtaining fe'S(h(v)).] the responder derived key [[0154] k(v)=fe'S(h(v))] used to encrypt the at least one encrypted row that does correspond to the requested selector to recover the cleartext corresponding to the least one encrypted row [[0158] 6. R applies f-1eR to all entries in the 3-tuples received at Step 4, obtaining <h(v), feS(h(v)), fe'S(h(v))> for all v ϵ VR.], the querier being unable to decrypt the at least one encrypted row that does not correspond to the requested selector [[0136] R can now apply f-1eR to the latter to get f-1eR (fe'S(feR(h(v))))= f -1eR (feR(fe'S(h(v))))=fe'S(h(v)).; [0137] Note that R only gets fe'S(h(v)) for v ϵ VR, not for v ϵ VS-VR. The Examiner construes the responder derived key to be the same as fe'S(h(v)) which is a different according to the selector v. Since R only gets fe'S(h(v)) for v ϵ VR , the at least one encrypted row that does not correspond to the requested selector cannot be decrypted.].

Claim(s) 5-6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over  Agrawal in view of ITHAL, as applied to claim 1 above, further in view of Naqvi et al.,  (U.S. PG Publication No. 2021/0034299 A1, hereinafter “Naqvi”).

Regarding claim 5, Agrawal in view of ITHAL, discloses the method according to claim 1 as outlined above.  The combination of Agrawal in view of ITHAL does not appear to explicitly disclose that the responder derived keys are created using a hashing function. 
However, Naqvi discloses that the responder derived keys are created using a hashing function. [[0048] A Hash-based Key Derivation Function (HKDF) is a type of key derivation function that uses a particular hash-based message authentication code, e.g., HMAC-SHA256.; [0050] the user (e.g., Alice) may be required to use her fingerprint (or other biometric information, or a password or passphrase) as input to a suitably chosen HKDF, resulting in the generation of a key (using the key derivation functionality) also known as a digest.]
Agrawal and Naqvi are both considered to be analogous to the claimed invention because they are in the same field of data security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the hash value taught by Agrawal to incorporate the teachings of Naqvi, generating a key based on a hash based key derivation function, and to provide a system generating one or more irreversible and unique cryptographic key(s) from a message. (Naqvi, paragraph [0048] A Hash-based Key Derivation Function (HKDF) is a type of key derivation function that uses a particular hash-based message authentication code, e.g., HMAC-SHA256. The latter belongs to a family of (irreversible) functions provided by the US National Institute of Standards and Technology (NIST). The term irreversible function means that the function's output cannot be used to derive it's input without expending inordinately large amount of computing resources. As an example of the use of SHA-256, an input (called a message) is converted by the function SHA-256 into a unique random series of bits (called the digest). The term unique refers to the property of SHA-256 to generate different digests for different messages and to generate the same digest for the same message. That is, SHA-256 is said to be collision-free.]

Regarding claim 6, Agrawal in view of ITHAL further in view of Naqvi, discloses the limitation of claim 5 above. Naqvi further discloses that the hashing function is SHA256 [[0048] A Hash-based Key Derivation Function (HKDF) is a type of key derivation function that uses a particular hash-based message authentication code, e.g., HMAC-SHA256. … As an example of the use of SHA-256, an input (called a message) is converted by the function SHA-256 into a unique random series of bits (called the digest).].

Regarding claim 16, Agrawal in view of ITHAL, discloses the limitation of claim 8 above. The combination of Agrawal in view of ITHAL does not appear to explicitly disclose that the responder derived keys are created using SHA256.
However, Naqvi further discloses that the responder derived keys are created using SHA256 [[0048] A Hash-based Key Derivation Function (HKDF) is a type of key derivation function that uses a particular hash-based message authentication code, e.g., HMAC-SHA256. … As an example of the use of SHA-256, an input (called a message) is converted by the function SHA-256 into a unique random series of bits (called the digest).].
Agrawal and Naqvi are both considered to be analogous to the claimed invention because they are in the same field of data security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the hash value taught by Agrawal to incorporate the teachings of Naqvi, generating a key based on a hash based key derivation function, and to provide a system generating one or more irreversible and unique cryptographic key(s) from a message. (Naqvi, paragraph [0048] A Hash-based Key Derivation Function (HKDF) is a type of key derivation function that uses a particular hash-based message authentication code, e.g., HMAC-SHA256. The latter belongs to a family of (irreversible) functions provided by the US National Institute of Standards and Technology (NIST). The term irreversible function means that the function's output cannot be used to derive it's input without expending inordinately large amount of computing resources. As an example of the use of SHA-256, an input (called a message) is converted by the function SHA-256 into a unique random series of bits (called the digest). The term unique refers to the property of SHA-256 to generate different digests for different messages and to generate the same digest for the same message. That is, SHA-256 is said to be collision-free.]
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEONGSOOK YI whose telephone number is (571) 272-9407. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/J.Y./Examiner, Art Unit 2496                                                                                                                                                                                                        

/BRIAN F SHAW/Primary Examiner, Art Unit 2496