DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on 08/01/2022.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/01/2022 has been entered.
Status of claims in the instant application:
Claims 1-8 are pending.
Claims 1-6 have been amended.
No new claim has been added.
No claim has been canceled.
Priority
The instant application is a “371 of PCT/JP2018/001135 filed on 01/17/2018” and also claims benefit to foreign application “JAPAN 2017-006355 filed on 01/18/2017”
Response to Arguments
Applicant's arguments, page [11-12] of the remarks filed on 08/01/2022 regarding rejection of claims 1-8 under 35 USC 101 as an “abstract idea – a mathematical concept”, have been fully considered in view of the amended claims, and they are persuasive. Therefore, the claim rejections are withdrawn.
Applicant’s arguments, see pages [14-15] of the remarks filed on 08/01/2022 with respect to rejection of claims 1-8 under 35 USC 103, have been fully considered in view of the claim amendments, but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Examiner further notes that Applicant’s claim amendments have rendered new grounds for rejections. Therefore, Applicant is directed to Examiner’s response below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2015/0358155 A1 to IKARASHI et al. (hereinafter “IKARASHI”) in view of Pub. “High-performance SoC-based implementation of modular exponentiation using evolutionary addition chains for efficient cryptography” to Nedjah et al. (hereinafter “Nedjah”) published at ScienceDirect.com on 11/03/2010, and further in view of Pub. No.: US 2009/0136025 A1 to Kargl et al. (hereinafter “Kargl”).
Regarding Claim 1. IKARASHI discloses A secret computation method in which GF(pk) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(pk), [a] is a share obtained by applying additive secret sharing to data a, v is an integer equal to or larger than 2, and m, u and t are integers equal to or larger than 1 and satisfy t*pu ≤ v  (IKARASHI, Abstract, Para [0004, 0054, 0078-0080, 0020, 0061]: … at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r … it is possible to reduce the amount of data to be communicated among the arithmetic units in a secret operation … Because a randomized shared value has additive homomorphism, the secret computation for an addition/constant multiplication can be executed without communicating with the other the arithmetic units 2.sub.n, similarly to an addition for a shared value on the ring R … The ring R can be expressed as Z/pZ and the associative algebra A can be expressed as a q-dimensional extended field of the ring R, where Z indicates an integer ring, p indicates a prime number, and q indicates an integer equal to or larger than 1 … a secret computation system of this invention comprises at least three arithmetic units. In this invention, M, m and i are integers equal to or larger than 1; 0.ltoreq.m<M is satisfied; .mu. is the number of randomized shared values included in a checksum C; and 0.ltoreq.i<.mu. is satisfied …),
the secret computation method computing a share [av] of the v-th power of data a from a share [a] of data a while data a is concealed and being executed by a secret computation system that includes three or more secret computation apparatuses (IKARASHI, FIG. 1, Para [0020, 0042]: … a secret computation system of this invention comprises at least three arithmetic units. In this invention, M, m and i are integers equal to or larger than 1; 0.ltoreq.m<M is satisfied; .mu. is the number of randomized shared values included in a checksum C; and 0.ltoreq.i<.mu. is satisfied … A configuration example of a secret computation system 1 of this embodiment will be described with reference to FIG. 1. The secret computation system 1 comprises N (N.gtoreq.3) arithmetic units 2.sub.1 … 2.sub.N. Each of the N arithmetic units 2.sub.1 … 2.sub.N is connected to a network 9 …),
the secret computation method (IKARASHI: FIG. 4) comprising:
receiving, over a network, an input of a respective share [a] of the data a at each of the three or more secret computation apparatuses, wherein the data a is concealed from each of the three or more secret computation apparatuses, and the share [a] represents a divided share of the data a (IKARASHI, Abstract, Para [0020, 0042, 0047-0048, 0061]: … Each of at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r … At least one shared value [a.sub.0], …, [a.sub.M-1] (M.gtoreq.1) is inputted to the input part 11 which the arithmetic unit 2.sub.n (1.ltoreq.n.ltoreq.N) is provided with (step S11) … Generation of the shared value [r] must be performed in a state that the random number r is concealed from any of the arithmetic units 2.sub.1,…, 2.sub.N … each arithmetic unit 2.sub.n computes [r]=.SIGMA..sub.n<N[r.sub.n] to obtain the shared value [r] of the random number r. If such a configuration is made, all the arithmetic units 2.sub.1, …, 2.sub.N can obtain the shared value [r] of the random number r without knowing the random number r … a secret computation system 1 of this embodiment will be described with reference to FIG. 1. The secret computation system 1 comprises N (N.gtoreq.3) arithmetic units 2.sub.1 … 2.sub.N. Each of the N arithmetic units 2.sub.1 … 2.sub.N is connected to a network 9 ... A scalar multiplication is an operation for computing [ab]∈[A] from [a]∈[R], [b]∈[A]. If A is expressed as a q-dimensional vector of R′ relative to the ring homomorphism R′ of R, the scalar multiplication is easy. A homomorphism of R.fwdarw.R′ is indicated by h, and [b]=([b.sub.0], . . . , [b.sub.q−1]) is assumed. If [h(a)] is assumed to be obtained by causing h to act on each party's share of [a], [h(a)] belongs to [R′] because of the homomorphism…);
However, IKARASHI does not explicitly teach, but Nedjah from same or similar field of endeavor teaches:
“obtaining the pu-th power of a share [at] of the t-th power of data a, by computing [a(t*p^u)], in a local operation unit of each of the three or more secret computation apparatuses, using a local power operation that computes a power of a share of concealed data [based on a characteristic called Frobenius endomorphism] (Nedjah, Abstract, Introduction, Section 2.1: …This paper brings a novel idea based on the principles of ant colony optimization for finding a minimal addition chain that allows for the reduction of the number of modular multiplications required for modular exponentiations … …The straightforward method computes more multiplications than necessary. For instance, to compute T8, it performs 7 multiplications, i.e. T → T2→ T3→T4→T5→T6→T7→T8. However, T8 can be computed using only 3 multiplications T→ T2→ T4→ T8 … In general terms, the m-ary method for exponentiation may be thought of as a three-step procedure [11]: (i) partitioning the binary representation of exponent E in l bit windows; (ii) pre-computing necessary powers; (iii) iterating the squaring of the partial result l times to shift it over, and then multiplying it by the power indicated in the next window … For instance, let exponent E = 343 be partitioned as follows: E=000101010111. The 16-ary exponentiation method would require 14 modular multiplications in the pre-processing step to compute all powers (T2, T …T15). Then it would require 8 modular multiplications in the squaring step (line 5 in Algorithm 1) and 2 others in the multiplying step (line 6 of Algorithm 1), which amounts to a total of 24 modular multiplications. For the same exponent, the adaptive 16-ary exponentiation method would require only 4 modular multiplications in the pre-processing step to compute powers T2, T3, T5 and T7. The exponentiation step being the same, the number of modular multiplications would then amount to a total of 14 operations …);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of IKARASHI into the teachings of Nedjah because it discloses that “the methodology proposed in this paper attempts to reduce the total number of computed modular multiplication using a novel exponentiation method that is based on the concept of addition chains (Nedjah: Introduction).
However, the combination of IKARASHI-Nedjah does not explicitly teach, but Kargl from same or similar field of endeavor teaches, “computes a power of a share of concealed data based on a characteristic called Frobenius endomorphism (Kargl, Para [0022, 0028-0031]: … The coefficients a and b of an elliptic curve which is defined over an extension field are generally polynomials. In the case of a Koblitz curve, a and b lie in the base field and are polynomials of the degree zero. The exponentiation by p of a point lying on the curve maps said point back onto the same curve in the finite field as a result of the Frobenius homomorphism. If a and b are polynomials, however, the point is mapped onto another curve. The Frobenius endomorphism on the elliptic curve is in the endomorphism ring, i.e. in the case of Koblitz curves it is possible to represent all scalars in relation to the Frobenius endomorphism, and thus derive a very rapid scalar multiplication algorithm …  According to an advantageous embodiment, the elliptic curve is a Koblitz curve. Koblitz curves allow a rapid scalar multiplication by the Frobenius endomorphism over the field F.sub.p  … According to an advantageous embodiment, the scalar multiplication is carried out by a Frobenius endomorphism in a power series representation of the scalar. The scalar multiplication can then be implemented as a sum of shorter scalar multiplications …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kargl into the combined teachings of IKARASHI-Nedjah because it discloses that “The Frobenius endomorphism on the elliptic curve is in the endomorphism ring, i.e. in the case of Koblitz curves it is possible to represent all scalars in relation to the Frobenius endomorphism, and thus derive a very rapid scalar multiplication algorithm (Kargl: Para [0022]).
IKARASHI further discloses:
“obtaining the share [av] in a secret computation unit of the each of the three or more secret computation apparatuses by a calculation that includes a multiplication of the share [a(t*p^u)], a computation result of the local operation unit, and a share [am], using secret computation that requires communication with the other secret computation apparatuses, by using random numbers for concealing (IKARASHI, Abstract, Para [0042, 0048]: … Each of at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r; a randomizator using shared value [a.sub.0],…,[a.sub.M-1] obtained by performing secret sharing of value a.sub.0,…, a.sub.M-1 and shared value [r] to generate randomized shared value <a.sub.0>,…, <a.sub.M-1> with shared values [a.sub.0],…, [a.sub.M-1] and [a.sub.0r],…, [a.sub.M-1r] as a pair; a secret computator determining concealed function value [F([a.sub.0],…, [a.sub.M-1])] by executing function F including at least one secret operation while including randomized shared value <f.sub.1> of an operation target and an operation result depending on contents of secret operation into checksum C:=<f.sub.0>,…, <f.sub..mu.-1>; and a correctness prover verifying correctness of function value [F([a.sub.0],…, [a.sub.M-1])] based on shared value [O] obtained by multiplying a sum total of shared values [f.sub.1] included in checksum C by shared value [r] and shared value [.psi.] of a sum total of shared values [f.sub.ir] included in checksum … A configuration example of a secret computation system 1 of this embodiment will be described with reference to FIG. 1. The secret computation system 1 comprises N (N.gtoreq.3) arithmetic units 2.sub.1 … 2.sub.N. Each of the N arithmetic units 2.sub.1 … 2.sub.N is connected to a network 9. The network 9 only has to be configured such that each connected unit is mutually communicable … The random number generating part 12 generates a shared value [r] of a random number r∈A selected from the associative algebra A. The generated shared value [r] is outputted to the randomization part 13. Generation of the shared value [r] must be performed in a state that the random number r is concealed from any of the arithmetic units 2.sub.1, . . . , 2.sub.N…);” and
when the computational result of the local operation unit or the secret computation unit becomes a share [av], outputting the share [av] in an output unit (IKARASHI, Para[0048, 0051, 0053, 0068], FIG. 2: … The random number generating part 12 generates a shared value [r] of a random number r∈A selected from the associative algebra A. The generated shared value [r] is outputted to the randomization part 13. Generation of the shared value [r] must be performed in a state that the random number r is concealed from any of the arithmetic units 2.sub.1, . . . , 2.sub.N …  The randomization part 13 generates a randomized shared value <a.sub.0>, . . . , <a.sub.M−1> using the shared value [a.sub.0], . . . , [a.sub.M−1] and the shared value [r] (step S13). The generated randomized shared value <a.sub.0>, . . . , <a.sub.M−1> is outputted to the secret computation part 14 …).”
Nedjah further discloses, “one of the multiplicands is [a(t*p^u)] (Nedjah, Section 2.1 Algorithm 2: … step 3 of algorithm 2 … If r is the number of such transformations carried out, the degree of the polynomials is 2.sup.n-r-1 and the number of multiplications to carry out not counting the polynomials is 2.sup.r … by virtue of the transformations carried out, evaluation is carried out first of all, just through operations of squaring (or more generally of raising to a power equal to the characteristic of the field) of the monomials the degree of which is an integer power of the characteristic of the field (here monomials of the form x.sup.2.sup.i) … The other monomials of the polynomial representing the function f (that is to say the monomials of degree different from p.sup.i, here 2.sup.i) are then obtained, after application of a polynomial of the form P.sub.jk . . . to a monomial x.sup.p.sup.i determined above, by multiplying by a monomial x.sup.P.sup.i-1 determined above (thus with i>1). As indicated above (cf. the formula using P.sub.1 and P.sub.2), the monomials of even degree are furthermore obtained by a last multiplication by x …)”
The motivation to further combine Nedjah remains same as before.
Regarding Claim 2. IKARASHI discloses A secret computation method in which GF(pk) is an extended field having a characteristic of p and a degree k of field extension, a is data that is an element of the extended field GF(pk), r is a random number that is an element of the extended field GF(pk), [a] is a share obtained by applying additive secret sharing to data a, <a> := ([a], [ra]) is a randomized shared value of data a, v is an integer equal to or larger than 2, and m, u and t are integers equal to or larger than 1 and satisfy t*pu ≤ v, 2Application No. 16/475,36 Preliminary Amendmv (IKARASHI, Abstract, Para [0054, 0078-0080, 0020, 0032-0033]: … at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r … it is possible to reduce the amount of data to be communicated among the arithmetic units in a secret operation … Because a randomized shared value has additive homomorphism, the secret computation for an addition/constant multiplication can be executed without communicating with the other the arithmetic units 2.sub.n, similarly to an addition for a shared value on the ring R … The ring R can be expressed as Z/pZ and the associative algebra A can be expressed as a q-dimensional extended field of the ring R, where Z indicates an integer ring, p indicates a prime number, and q indicates an integer equal to or larger than 1 … a secret computation system of this invention comprises at least three arithmetic units. In this invention, M, m and i are integers equal to or larger than 1; 0.ltoreq.m<M is satisfied; .mu. is the number of randomized shared values included in a checksum C; and 0.ltoreq.i<.mu. is satisfied … Here, <x> is a randomized shared value of the value x.di-elect cons.R. A randomized shared value is a pair of the shared value [x] and a shared value [xr] of an integrated value xr of the value x and a random number r.di-elect cons.A. Therefore, the randomized shared value can be defined like the following Formula (1). [Formula 1] <x>:=([x],[xr]).di-elect cons.[R].times.[A] (1) …The 0-th component ([x] in Formula (1)) and the 1st component ([xr] in Formula (1)) of the randomized shared value are also referred to as an R component and an A component, respectively …),
the secret computation method computing a randomized shared value <av> := ([av], [rav]) of the v-th power of data a from a randomized shared value [a] of data a while data a is concealed and being executed by a secret computation system that includes three or more secret computation apparatuses (IKARASHI, Abstract, FIG. 2-3, Para [0020, 0042]: … Each of at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r; a randomizator using shared value [a.sub.0],… ,[a.sub.M-1] obtained by performing secret sharing of value a.sub.0,…, a.sub.M-1 and shared value [r] to generate randomized shared value <a.sub.0>,…, <a.sub.M-1> with shared values [a.sub.0],…, [a.sub.M-1] and [a.sub.0r],…, [a.sub.M-1r] as a pair … a secret computation system of this invention comprises at least three arithmetic units. In this invention, M, m and i are integers equal to or larger than 1; 0.ltoreq.m<M is satisfied; .mu. is the number of randomized shared values included in a checksum C; and 0.ltoreq.i<.mu. is satisfied … A configuration example of a secret computation system 1 of this embodiment will be described with reference to FIG. 1. The secret computation system 1 comprises N (N.gtoreq.3) arithmetic units 2.sub.1, …, 2.sub.N. Each of the N arithmetic units 2.sub.1, …, 2.sub.N is connected to a network 9 …),
the secret computation method (IKARASHI: FIG. 4) comprising:
receiving, over a network, an input of a respective share [a] of the data a at each of the three or more secret computation apparatuses, wherein the data a is concealed from each of the three or more secret computation apparatuses, and the share [a] represents a divided share of the data a (IKARASHI, Abstract, Para [0020, 0042, 0047-0048, 0061]: … Each of at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r … At least one shared value [a.sub.0],…, [a.sub.M-1] (M.gtoreq.1) is inputted to the input part 11 which the arithmetic unit 2.sub.n (1.ltoreq.n.ltoreq.N) is provided with (step S11) … Generation of the shared value [r] must be performed in a state that the random number r is concealed from any of the arithmetic units 2.sub.1,…, 2.sub.N … each arithmetic unit 2.sub.n computes [r]=.SIGMA..sub.n<N[r.sub.n] to obtain the shared value [r] of the random number r. If such a configuration is made, all the arithmetic units 2.sub.1, …, 2.sub.N can obtain the shared value [r] of the random number r without knowing the random number r … a secret computation system 1 of this embodiment will be described with reference to FIG. 1. The secret computation system 1 comprises N (N.gtoreq.3) arithmetic units 2.sub.1 … 2.sub.N. Each of the N arithmetic units 2.sub.1 … 2.sub.N is connected to a network 9 … A homomorphism of R.fwdarw.R′ is indicated by h, and [b]=([b.sub.0], . . . , [b.sub.q−1]) is assumed. If [h(a)] is assumed to be obtained by causing h to act on each party's share of [a]…);
However, IKARASHI does not explicitly teach, but Nedjah from same or similar field of endeavor teaches:
“obtaining the pu-th power of a share [at] of the t-th power of data a, by computing [a(t*p^u)], in a local operation unit of each of the three or more secret computation apparatuses, using a local power operation that computes a power of a share of concealed data [based on a characteristic called Frobenius endomorphism] (Nedjah, Abstract, Introduction, Section 2.1: …This paper brings a novel idea based on the principles of ant colony optimization for finding a minimal addition chain that allows for the reduction of the number of modular multiplications required for modular exponentiations … …The straightforward method computes more multiplications than necessary. For instance, to compute T8, it performs 7 multiplications, i.e. T → T2→ T3→T4→T5→T6→T7→T8. However, T8 can be computed using only 3 multiplications T→ T2→ T4→ T8 … In general terms, the m-ary method for exponentiation may be thought of as a three-step procedure [11]: (i) partitioning the binary representation of exponent E in l bit windows; (ii) pre-computing necessary powers; (iii) iterating the squaring of the partial result l times to shift it over, and then multiplying it by the power indicated in the next window … For instance, let exponent E = 343 be partitioned as follows: E=000101010111. The 16-ary exponentiation method would require 14 modular multiplications in the pre-processing step to compute all powers (T2, T …T15). Then it would require 8 modular multiplications in the squaring step (line 5 in Algorithm 1) and 2 others in the multiplying step (line 6 of Algorithm 1), which amounts to a total of 24 modular multiplications. For the same exponent, the adaptive 16-ary exponentiation method would require only 4 modular multiplications in the pre-processing step to compute powers T2, T3, T5 and T7. The exponentiation step being the same, the number of modular multiplications would then amount to a total of 14 operations …); and
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of IKARASHI into the teachings of Nedjah because it discloses that “the methodology proposed in this paper attempts to reduce the total number of computed modular multiplication using a novel exponentiation method that is based on the concept of addition chains (Nedjah: Introduction).
However, the combination of IKARASHI-Nedjah does not explicitly teach, but Kargl from same or similar field of endeavor teaches, “computes a power of a share of concealed data based on a characteristic called Frobenius endomorphism (Kargl, Para [0022, 0028-0031]: … The coefficients a and b of an elliptic curve which is defined over an extension field are generally polynomials. In the case of a Koblitz curve, a and b lie in the base field and are polynomials of the degree zero. The exponentiation by p of a point lying on the curve maps said point back onto the same curve in the finite field as a result of the Frobenius homomorphism. If a and b are polynomials, however, the point is mapped onto another curve. The Frobenius endomorphism on the elliptic curve is in the endomorphism ring, i.e. in the case of Koblitz curves it is possible to represent all scalars in relation to the Frobenius endomorphism, and thus derive a very rapid scalar multiplication algorithm …  According to an advantageous embodiment, the elliptic curve is a Koblitz curve. Koblitz curves allow a rapid scalar multiplication by the Frobenius endomorphism over the field F.sub.p  … According to an advantageous embodiment, the scalar multiplication is carried out by a Frobenius endomorphism in a power series representation of the scalar. The scalar multiplication can then be implemented as a sum of shorter scalar multiplications …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kargl into the combined teachings of IKARASHI-Nedjah because it discloses that “The Frobenius endomorphism on the elliptic curve is in the endomorphism ring, i.e. in the case of Koblitz curves it is possible to represent all scalars in relation to the Frobenius endomorphism, and thus derive a very rapid scalar multiplication algorithm (Kargl: Para [0022]).
IKARASHI further discloses:
“obtaining a randomized shared value <a(t*p^u)> := ([a(t*p^u)], [ra(t*p^u)]) of a computation result of the local operation unit in a randomizing unit of the each of the three or more secret computation apparatuses by multiplying [a(t*p^u)], the computation result of the local operation unit, with a share [r] of the random number r using secret computation that requires communication with the other secret computation apparatuses (IKARASHI, Abstract: … Each of at least three arithmetic units includes: a random number generator determining shared value [r] obtained by performing secret sharing of random number r; a randomizator using shared value [a.sub.0],…,[a.sub.M-1] obtained by performing secret sharing of value a.sub.0,…, a.sub.M-1 and shared value [r] to generate randomized shared value <a.sub.0>,…, <a.sub.M-1> with shared values [a.sub.0],…, [a.sub.M-1] and [a.sub.0r],…, [a.sub.M-1r] as a pair; a secret computator determining concealed function value [F([a.sub.0],…, [a.sub.M-1])] by executing function F including at least one secret operation while including randomized shared value <f.sub.1> of an operation target and an operation result depending on contents of secret operation into checksum C:=<f.sub.0>,…, <f.sub..mu.-1>; and a correctness prover verifying correctness of function value [F([a.sub.0],…, [a.sub.M-1])] based on shared value [O] obtained by multiplying a sum total of shared values [f.sub.1] included in checksum C by shared value [r] and shared value [.psi.] of a sum total of shared values [f.sub.ir] included in checksum …);
obtaining the randomized shared value <av> in a secret computation unit of the each of the three or more secret computation apparatuses by a calculation that includes a multiplication of a randomized shared value <a(t*p^u)> of the computation result of the local operation unit using secret computation that requires communication with the other secret computation apparatuses by using random numbers for concealing (IKARASHI, Para[0039-0040, 0048]: In conventional secret computation, it is possible to efficiently perform processing only on the same ring R. In the case of an operation on the associative algebra A, however, it is possible to perform processing while keeping upper compatibility with elements of the ring R, with efficiency equal to that of an operation on the ring R. An extended field, which is an algebraic structure belonging to an associative algebra, is an ideal algebraic structure from the viewpoint of security because results of a multiplication by random numbers are uniformly distributed … a shared value on the ring R is caused to be a randomized shared value with the use of a random number on the associative algebra A, and correctness is provide by two systems, an operation on the ring R and an operation on the associative algebra A. Therefore, by setting the associative algebra A in an appropriate space, a security parameter can be arbitrarily set. Thus, it is possible to perform secret computation under a lower probability of success in falsification than before … The random number generating part 12 generates a shared value [r] of a random number r∈A selected from the associative algebra A. The generated shared value [r] is outputted to the randomization part 13. Generation of the shared value [r] must be performed in a state that the random number r is concealed from any of the arithmetic units 2.sub.1, . . . , 2.sub.N …), and
when the computational result of the randomizing unit or the secret computation unit becomes a randomized shared value <av>, outputting the randomized shared value <av> in an output unit (IKARASHI, Para[0048, 0051, 0053, 0068], FIG. 2: … The random number generating part 12 generates a shared value [r] of a random number r∈A selected from the associative algebra A. The generated shared value [r] is outputted to the randomization part 13. Generation of the shared value [r] must be performed in a state that the random number r is concealed from any of the arithmetic units 2.sub.1, . . . , 2.sub.N …  The randomization part 13 generates a randomized shared value <a.sub.0>, . . . , <a.sub.M−1> using the shared value [a.sub.0], . . . , [a.sub.M−1] and the shared value [r] (step S13). The generated randomized shared value <a.sub.0>, . . . , <a.sub.M−1> is outputted to the secret computation part 14 …).”
Regarding Claim 3. This is a system claim corresponding to the method claim 1 and contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
 Regarding Claim 4. This is a system claim corresponding to the method claim 2 and contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.
Regarding Claim 5. This is an apparatus claim corresponding to the method claim 1 and contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
Regarding Claim 6. This is an apparatus claim corresponding to the method claim 2 and contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.
Regarding Claim 7. This is a program claim corresponding to claim 5, hence similarly rejected as claim 5.
**** Note: IKARASHI also discloses the program (IKARASHI: Para [0087], Claim 8).
Regarding Claim 8. This is a program claim corresponding to claim 6, hence similarly rejected as one of claim 6.
**** Note: IKARASHI also discloses the program (IKARASHI: Para [0087], Claim 8).
Pertinent Prior Arts: The following prior arts are pertinent to Applicant’s disclosure, but have not been relied upon for rejection of claims in this office action.
	US-PGPUB: 20090279688 A1 (Michaels):  Michaels discloses a cryptographic system (CS) comprised of generators (502), (504), (510), an encryption device (ED), and a decryption device (DD). The generator (502) generates a data sequence (DS) including payload data. The generator (504) generates an encryption sequence (ES) including random numbers. The ED (506) is configured to perform a CGFC arithmetic process. As such, the ED is comprised of a mapping device (MD) and an encryptor. The MD is configured to map the DS and ES from Galois field GF[p.sup.k] to Galois extension field GF[p.sup.k+1]. The encryptor is configured to generate an encrypted data sequence (EDS) by combining the DS and ES utilizing a Galois field multiplication operation in Galois extension field GF[p.sup.k+1]. The generator (510) is configured to generate a decryption sequence (DS). The DD (508) is configured to generate a decrypted data sequence by performing an inverse of the CGFC arithmetic process utilizing the EDS and DS.
	The inventive arrangements relate to efficient implementations of Galois field multiplication in cryptographic systems. More particularly, the inventive arrangements relate to an efficient and invertible closed Galois field combination (CGFC) process for combining two or more input sequences in a cryptographic system.
	US-PGPUB: 20030055858 A1 (Dubey et al.): Dubey discloses an efficient parallel processing of algorithms involving Galois Field arithmetic use data slicing techniques to execute arithmetic operations on a computing hardware having SIMD architectures. A W-bit wide word computer capable of operating on one or more sets of k-bit operands executes Galois Field arithmetic by mapping arithmetic operations of Galois Field GF(2.sup.n) to corresponding operations in subfields lower order (m<n), which one selected on the basis of an appropriate cost function. These corresponding operations are able to be simultaneously executed on the W-bit wide computer such that the results of the arithmetic operations in Galois Field GF(2.sup.n) are obtained in k/W as many cycles of the W-bit computer compared with execution of the corresponding operations on a k-bit computer.
	The invention relates to processing algorithms involving Galois Field arithmetic and relates particularly, though not exclusively, to the efficient execution of algorithms involving Galois Field arithmetic, as typically found in communications and cryptography applications.
	US-PGPUB 20110295918 A1; PROUFF et al.: PROUFF discloses a method for evaluating a function of a finite field of characteristic p into itself, for an element x of the field, uses an evaluation, for the element x, of a polynomial formed by a plurality of monomials. The evaluation of the polynomial includes the following steps: determining monomials the degree of which is an integer power of the characteristic p by successive raisings of the element x to the power p; and determining monomials the degree of which is different from an integer power of the characteristic p on the basis of the determined monomials, the degree of which is an integer power of the characteristic p, and by at least one multiplication. An evaluating device is also provided.
This invention concerns a method for evaluating a function over a finite field and an associated device.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434