DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Applicant is hereby notified that there has been a new examiner assigned for the prosecution process of the instant application.
This written action is responding to the amendment dated on 04/20/2022.
Claims 1, 2, 12-13, 16, and 24 have been amended and all other claims are previously presented.
Claims 1-25 are submitted for examination.
Claims 1-25 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments
Applicant’s amendment filed on April 20, 2022 has claims 1, 2, 12-13, 16, and 24 amended and all other claims are previously presented. Claims 1, 16 and 24 are independent ones, thus, the amendment necessitates a new ground of rejection.
Applicant’s remark, filed on April 20, 2022 at page 12, indicates, “The Examiner has objected a certain paragraph of the Specification because of suggested informalities. Applicant has amended the paragraph to address the Examiner's concern.”
Applicant’s argument has been considered and is found persuasive. Therefore, Specification objection has been withdrawn.
Applicant’s remark, filed on April 20, 2022 at page 12, indicates, “The Examiner has objected a certain paragraph of the Specification because of suggested informalities. Applicant has amended the paragraph to address the Examiner's concern.”
Applicant’s argument has been considered and is found persuasive. Therefore, objection to claims 12 and 13 has been withdrawn.
Applicant’s remark, filed on April 20, 2022 at pages 11-12, indicates, “It is respectfully submitted that the rejected claims are patentable over the art of record based on at least the third criterion of obviousness: none of the references alone or in combination teach, suggest, or disclose each claim limitation of the independent claims. Independent Claim 1 recites (inter alia): obtaining, as an input, a bit-length parameter indicating a number of bits of a plaintext to encrypt; obtaining a set of plaintext bits from the plaintext, wherein a length of the set of plaintext bits is equal to the bit-length parameter;  The Office Action relies on Gleichauf as allegedly teaching these limitations. However, Gleichauf does not teach obtaining a bit-length parameter as input, wherein the bit-length parameter indicates a number of plaintext bits of a plaintext to encrypt. Rather, the cited portions of Gleichauf merely disclose using a fixed-length cipher (of length L) to encrypt a data stream D. That is, the cipher disclosed by Gleichauf will only encrypt a particular number of bits (L bits); it does not accept a bit-length parameter as input that specifies a number of bits to encrypt of a plaintext as claim 1 recites (since the number of bits is always the same). Moreover, because Gleichauf only discloses a fixed-length cipher, it cannot disclose obtaining a set of plaintext bits from a plaintext based on the input bit-length parameter. For at least these reasons, Applicant asserts that independent claim 1 is allowable over each of the references of record, both individually and combinations thereof.”
Applicant’s argument has been considered and is found persuasive. Therefore, the previous prior-art rejection is withdrawn.  However, Applicant’s amendment necessitates a new ground of rejection, and therefore, new grounds of rejection have been applied to the pending claims 1-25.
Accordingly, a new ground of rejection based on the newly identified prior-art by Koo et al. (US 2015/0244518) has been applied to the amendment. Specifically, Koo discloses a variable-length block cipher apparatus and method capable of format preserving encryption are provided. The encryption device for a variable-length block cipher apparatus includes an encryption key generation unit configured to generate encryption round keys using a secret key and the number of rounds Nr, and a ciphertext output unit configured to output ciphertext having a length identical to that of plaintext using the plaintext and the encryption round keys. In addition, Koo discloses taking into account the location of insertion of the plaintext by using the plaintext, the length of the plaintext and the encryption round key eRK0 as inputs.  See Abstract and Summary of the Invention.  Thus, the examiner submits that the newly applied reference by Koo teaches the amended limitation: “obtaining, as an input, a bit-length parameter indicating a number of of a plaintext to encrypt” and “obtaining a set of plaintext bits, from the plaintext, wherein a length of the set of plaintext bits is equal to the bit-length parameter”. Please refer to the prior-art rejection in details below.
Finally, Examiner respectfully submits that Gleichauf discloses other limitations that are presented previously (See rejection below). Thus, the new combination of Koo in view of Gleichauf would render the claimed limitations of the newly amended independent claims obvious.
Regarding amended independent claims 16 and 24 has been considered and is addressed based on the same rationale presented for the amended claim 1. Please refer to the rejection to the claims in details below.
Regarding dependent claim 4, applicant’s remark, filed on April 20, 2022 at pages 14-15, indicates, “The Office Action concedes that neither Gleichauf nor Pasini disclose these limitations, and instead relies on Ohmori. However, the cited portion of Ohmori (i.e., FIG. 3) does not disclose each of these limitations as recited. For example, Ohmori does not disclose both "performing a first bit-level reordering operation on an output of the integer arithmetic operation; and performing a first substitution box operation on an output of the bit-level reordering operation," and the Office Action relies on a single operation (the "data converting unit of FIG. 3 of Ohmori) as performing both of the recited operations. … Further, the Office Action appears to have ignored the additional limitations of claim 4, i.e., performing a second bit-level reordering operation on an output of the second integer arithmetic operation; and performing a second substitution box operation on an output of the second bit-level reordering operation, as it does not point to other portions of Ohmori as allegedly teaching additional operations performed on the output of the operating unit 3112. For at least these reasons, Applicant asserts that claim 4 is allowable over each of the references of record, both individually and combinations thereof. Other dependent claims either depend from claim 4 (e.g., claims 5-15) or include limitations that are analogous to those of claim 4 (e.g., 17 and 25), and are accordingly allowable for the same or similar reasons as those above. Notice to this effect is respectfully requested in the form of a full allowance of these claims.
Applicant’s argument has been considered and is found persuasive. Therefore, the previous prior-art rejection is withdrawn.
Accordingly, a new ground of rejection based on the newly identified prior-art by Roelse (US 7,043,016) has been applied to the dependent claim 4. Specifically, Roelse discloses a cryptographic method where an input data block is cryptographically converted into an output data block; by performing a non-linear operation on the input data block using an S-box based on permutations. The S-box is associated with a set of at least two permutations. Each time before the S-box is used, one of the permutations is (pseudo-)randomly selected from the set of permutations and used for the conversion (See abstract). In addition, Roelse discloses that the algorithm generating the round keys (i.e. the key scheduling algorithm) can be chosen to obtain a desired degree of pseudo-randomness. An advantage for using round keys for the selection is that the permutation is selected from the set during the computation of the round keys. For efficiency reasons, this is usually and preferably done once for each key and all data that has to be processed (e.g. encrypted) with this key. In this way the encryption/decryption algorithm can be as efficient as a system based on S-boxes consisting of only one fixed permutation for each S-box.
Finally, Examiner respectfully submits that the new combination of Koo, Gleichauf and Roelse teach the claimed features of dependent claim 4 (See rejection below).
Regarding dependent claims 2-3, 5-15, 17-23 and 25 please refer to the aforementioned response, which addresses how the new combination of prior-art references by Koo and Gleichauf would render the claimed limitations obvious along with Youn, Nix, Roelse, Kaminaga, Pasini and Rubin.

Claim Objections
Claims 5-8 and 11 are objected because of the following informalities:  These claims are referring to “Method of claim 0”. There is no claim 0. For examination purpose, examiner has considered these claims to refer to “Method of claim 4”.  Appropriate correction is required.
Claims 14 and 15 objected to because of the following informalities:  Both claims 14 and 15 refer to “Method of claim 0”. There is no claim 0. For examination purpose, examiner has considered both claims 14 and 15 to refer to “Method of claim 13”.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869).
As per claim 1, Koo teaches a method of encrypting a number of plaintext bits based on a bit-length parameter, comprising: (Koo, Parag. [0007]; “at least one embodiment of the present invention is intended to provide a variable-length block cipher apparatus and method that are capable of when encrypting plaintext having an arbitrary bit length, generating ciphertext having the same bit length, and also decrypting ciphertext into plaintext having the same length.” … Parag. [0047]; “inputting plaintext P having an arbitrary length in the range of 8 to 128-bits, the length Nb of the plaintext … and outputs a 128-bit initial encryption round function value by performing an XOR operation on the result of the performance of the function and the encryption round key eRK0”)
obtaining, as an input, a bit-length parameter indicating a number of of a plaintext to encrypt (Koo, Parag. [0010]; “The ciphertext output unit may include a first encryption round unit configured to output an encryption round function value while taking into account the location of insertion of the plaintext by using the plaintext, the length of the plaintext and the encryption round key eRK0 as inputs.” … Parag. [0039]; “Meanwhile, FIG. 2 illustrates examples of the number of rounds Nr. The number of rounds Nr is set based on the length Nb of plaintext P and the length Nk of a secret key in advance, and may be set to an appropriate value in advance by taking into account the stability of a variable-length block cipher algorithm.”);
obtaining a set of plaintext bits, from the plaintext, wherein a length of the set of plaintext bits is equal to the bit-length parameter (Koo, Parag. [0008]; “a ciphertext output unit configured to output ciphertext having a length identical to that of plaintext using the plaintext and the encryption round keys.” … Parag. [0010]; “The ciphertext output unit may include a first encryption round unit configured to output an encryption round function value while taking into account the location of insertion of the plaintext by using the plaintext, the length of the plaintext and the encryption round key eRK0 as inputs.” … Parag. [0039]; “Meanwhile, FIG. 2 illustrates examples of the number of rounds Nr. The number of rounds Nr is set based on the length Nb of plaintext P and the length Nk of a secret key in advance, and may be set to an appropriate value in advance by taking into account the stability of a variable-length block cipher algorithm”. Parag. [0047]; “inputting plaintext P having an arbitrary length in the range of 8 to 128-bits, the length Nb of the plaintext … and outputs a 128-bit initial encryption round function value by performing an XOR operation on the result of the performance of the function and the encryption round key eRK0”);
… a set of key bits (Koo, Fig. 1 and Parag. [0008]; “an encryption key generation unit configured to generate encryption round keys eRK0, eRK1, . . . , eRKNr”); and
performing a sequence of logical operations on the set of plaintext bits and on the set of key bits to yield a ciphertext, the sequence of logical operations comprising a plurality of AND operations and a plurality of XOR operations, wherein each of the operations is performed on at least one plaintext bit and at least one key bit (Koo, Parag. [0034]; “In the following description, an ꚛ operation used throughout the accompanying diagrams refers to an exclusive OR (XOR) operation. For example, xꚛy refers to a per-bit XOR operation of two bit strings or two byte strings x and y.” … Parag. [0052]; “The Enc_ORound() function performs a per-bit AND operation on the result of the performance of the EncOd-dMask() function and the encryption round function value output in the previous round, … and finally performs an XOR operation on the result of the performance of these functions and the encryption round keys, and then outputs a 128-bit string.”).
However, Koo does not expressly teach:
obtaining a set of key bits, wherein a length of the set of key bits is equal to the bit- length parameter;
However, Gleichauf teaches:
obtaining a set of key bits, wherein a length of the set of key bits is equal to the bit- length parameter (Gleichauf, Parag. [0048]; “In block 202, a key stream is generated. For example, sending host 100 internally generates a key stream using an automatic process, or retrieves keystream data from one-time pad data 104.” … Parag. [0052]; “In block 204, ciphertext is generated by combining the plaintext and the keystream bitwise using an exclusive OR function. Block 204 may be carried out by encryption engine 106 of FIG. 1. Expressed in mathematical terms, Data stream D of length L is combined with a random keystream K, also of length L”).
Koo and Gleichauf are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the system from Koo with the Gleichauf system, with the motivation to provide an efficient and secure method for storing and transmitting data through insecure network communication channels with the use of one-time pad in order to enhance security of the system (Gleichauf, Parag. [0025] and Parag. [0048-0052]).

As per claim 16, it is a non-transitory computer readable medium claim that recites similar limitations as claim 1. Therefore, is rejected with the same rationale and motivation as claim 1.

As per claim 24, it is a system claim that recites similar limitations as claim 1. Therefore, is rejected with the same rationale and motivation as claim 1.
In addition, Gleichauf teaches:
a processor (Gleichauf, Parag. [0075]; “Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a processor 604 coupled with bus 602 for processing information.”) comprising:
memory storing instructions (Gleichauf, Parag. [0075]; “Computer system 600 also includes a main memory 606, such as a random access memory (“RAM”) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604.”); and
circuitry coupled to the memory, the circuitry to execute the instructions (Gleichauf, Parag. [0080]; “An infrared detector can receive the data carried in the infrared signal and appropriate circuitry can place the data on bus 602. Bus 602 carries the data to main memory 606, from which processor 604 retrieves and executes the instructions. The instructions received by main memory 606 may optionally be stored on storage device 610 either before or after execution by processor 604.”).


Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869) as applied to claim 1, and further in view of Youn et al. (US 2014/0270159) hereinafter Youn.
As per claim 2, the combination of Koo and Gleichauf teaches the method of claim 1.
The combination of Koo and Gleichauf does not expressly teach: 
wherein obtaining the set of plaintext bits comprises selecting a subset of the plaintext. 
However, Youn teaches:
wherein obtaining the set of plaintext bits comprises selecting a subset of the plaintext (Youn, Parag. [0013]; “The encryption module may encrypt l bits selected from the plaintext information using a selected arbitrary subset and a selected arbitrary random number.”).
Koo, Gleichauf and Youn are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Youn system into Koo-Gleichauf system, with a motivation to provide a technique which is designed to improve a structure in which only one bit is encrypted/decrypted at a time (Youn, Parag. Abstract).


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869) as applied to claim 1, and further in view of Nix (US 2019/0097794).
As per claim 3, the combination of Koo and Gleichauf teaches the method of claim 1.
The combination of Koo and Gleichauf does not expressly teach:
wherein obtaining the set of key bits comprises selecting the set of key bits from an encryption key whose length is greater than the bit-length parameter.
However, Nix teaches 
wherein obtaining the set of key bits comprises selecting the set of key bits from an encryption key whose length is greater than the bit-length parameter (Nix, Parag. [0491]; “For embodiments where the length of derived shared secret key 129b in a network key K derivation algorithm 1101 can be greater than the length of key K specified for wireless network 102, the key processing algorithm 141i can take steps to (i) truncate derived shared secret key 129b, (ii) select a subset of bits within derived shared secret key 129b, and/or (iii) take steps to securely and / or randomly reduce the size of derived shared secret key 129b to match the key length of key K specified for wireless network 102.”).
Koo, Gleichauf and Nix are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nix system into Koo-Gleichauf system, with a motivation to provide a technique to select a set of key bits from an encryption key whose length is greater than the bit-length parameter (Nix, Parag. [0491]).

Claims 4-5, 7, 11, 13-14, 17-18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869) as applied to claim 1, and further in view of Roelse et al. (US 7,043,016).
As per claim 4, the combination of Koo and Gleichauf teaches the method of claim 1, wherein the set of key bits is a first the set of key bits, and performing the sequence of logical operations comprises:
The combination of Koo and Gleichauf does not expressly teach:
 performing a first integer arithmetic operation on the first set of key bits and the set of plaintext bits; 
performing a first bit-level reordering operation on an output of the integer arithmetic operation; and 
performing a first substitution box operation on an output of the bit-level reordering operation; 
performing a second integer arithmetic operation on the set of bits output by the first substitution box operation and a second set of key bits based on the first set of key bits; 
performing a second bit-level reordering operation on an output of the second integer arithmetic operation; and 
performing a second substitution box operation on an output of the second bit-level reordering operation.
However, Roelse teaches:
performing a first integer arithmetic operation on the first set of key bits and the set of plaintext bits (Roelse, Figs. 2 and 3 and Col. 3, lines 61-64; “FIG. 2 shows an overall block diagram of a preferred embodiment of the round functions f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 210.”); 
performing a first bit-level reordering operation on an output of the integer arithmetic operation (Roelse, Col.4, lines 42-47; “According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. Preferably, the round key is used for this selection.”); and 
performing a first substitution box operation on an output of the bit-level reordering operation (Roelse, Figs. 2 and 3 and Col.4, lines 39-56; “According to the invention, an S-box performs a substitution of the data. In a preferred embodiment described here, the S-box operates on a 4-bit sub-block. It will be appreciated that also sub-blocks of other sizes can be used. According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. …  In a preferred embodiment of a block cipher operating on 32-bit blocks and using 4-bit S-boxes, eight S-boxes are used in parallel …”); 
performing a second integer arithmetic operation on the set of bits output by the first substitution box operation and a second set of key bits based on the first set of key bits (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col. 3, lines 61-64; “FIG. 2 shows an overall block diagram of a preferred embodiment of the round functions f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 210.” … Col. 4, lines 21-31; “In step 210, the key addition takes place, followed in step 220 by a key dependent Substitution box (S-box) layer is used. In this example, the S-box layer consists of eight smaller S-boxes (S0, S1, S2,  . . ., S7), each operating on 1/8 of the data block. The S-box transformation is a mapping from Z28xZ232 to Z232, the first input argument in round i is the round key Ki2, the second one the result of the key addition, i.e. Xi-1(R)ꚛK1(1). The 32 bit output of the S-box transformation is denoted by S(Ki2, Xi-1(R)ꚛK1(1)).”); 
performing a second bit-level reordering operation on an output of the second integer arithmetic operation (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col.4, lines 42-47; “According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. Preferably, the round key is used for this selection.”); and 
performing a second substitution box operation on an output of the second bit-level reordering operation (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round”.  Figs. 2 and 3 and Col.4, lines 39-56; “According to the invention, an S-box performs a substitution of the data. In a preferred embodiment described here, the S-box operates on a 4-bit sub-block. It will be appreciated that also sub-blocks of other sizes can be used. According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. …  In a preferred embodiment of a block cipher operating on 32-bit blocks and using 4-bit S-boxes, eight S-boxes are used in parallel …”).
Koo, Gleichauf and Roelse are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Roelse system into Koo-Gleichauf system, with a motivation to provide a method for provide permutations that are pseudo-randomly selected before the S-box is used (Roelse, Abstract).

As per claim 5, the combination of Koo, Gleichauf and Roelse teaches the method of claim [0] 4.  Koo further teaches wherein the sequence of logical operations further comprises performing an XOR operation on an output of the second substitution box operation (Koo, Parag. [0059]; “The Enc ERound() is illustrated in FIG. 18. The Enc ERound() function performs a per-bit AND operation on the result of the performance of the EnchEvenMask() and the encryption round function value output in the previous round, performs ShiftRows(), SubBytes() and MixColumns( ) functions, and finally performs an XOR operation on the result of the performance of these functions and the encryption round keys, thereby outputting an encryption round function value of a 128-bit string.”) and 
Roelse further teaches a third set of key bits based on the second set of key bits (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col. 3, lines 61-64; “FIG. 2 shows an overall block diagram of a preferred embodiment of the round functions f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 210.” Examiner submit that the process will be repeated for all the determined rounds.).

As per claim 7, the combination of Koo, Gleichauf and Roelse teaches the method of claim [0] 4. Roelse further teaches wherein the first bit-level reordering operation is based on a different reordering sequence than the second bit-level reordering operation (Roelse, Col. 1, lines 49-54; “By choosing the permutations (pseudo-)randomly (i.e. different for each round) the system can be made cryptographically stronger than a system in which each S-box consists of only one fixed permutation. Selection of a permutation from a set can be executed fast and cost-effectively.”).

As per claim 11, the combination of Koo, Gleichauf and Roelse teaches the method of claim 4. Roelse teaches wherein the second set of key bits is derived from the first set of key bits at least in part by: 
performing a third integer arithmetic operation on the first set of key bits and a constant (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col. 3, lines 61-64; “FIG. 2 shows an overall block diagram of a preferred embodiment of the round functions f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 210.” Examiner submit that the process will be repeated for all the determined rounds.); 
performing a third bit-level reordering operation on an output of the integer arithmetic operation (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col.4, lines 42-47; “According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. Preferably, the round key is used for this selection.”); and 
performing a third substitution box operation on an output of the bit-level reordering operation (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” Roelse, Col.4, lines 39-46; “According to the invention, an S-box performs a substitution of the data. In a preferred embodiment described here, the S-box operates on a 4-bit sub-block. It will be appreciated that also sub-blocks of other sizes can be used. According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner.” See Fig. 2.).

As per claim 13, the combination of Koo, Gleichauf and Roelse teaches the method of claim 11.  Roelse teaches wherein the constant is a first constant, and the method further comprises deriving a third set of key bits at least in part by: 
performing a fourth integer arithmetic operation on the second set of key bits and a second constant (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col. 3, lines 61-64; “FIG. 2 shows an overall block diagram of a preferred embodiment of the round functions f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 210.” Examiner submit that the process will be repeated for all the determined rounds.); 
performing a fourth bit-level reordering operation on an output of the integer arithmetic operation (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col.4, lines 42-47; “According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner. Preferably, the round key is used for this selection.”); and 
performing a fourth substitution box operation on an output of the bit-level reordering operation (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” Roelse, Col.4, lines 39-46; “According to the invention, an S-box performs a substitution of the data. In a preferred embodiment described here, the S-box operates on a 4-bit sub-block. It will be appreciated that also sub-blocks of other sizes can be used. According to the invention, for each S-box a set of at least two predetermined permutations is used, where each time before using the S-box one of these permutations is selected in a (pseudo-)random manner.” See Fig. 2.).

As per claim 14, the combination of Koo, Gleichauf and Roelse teaches the method of claim [0] 13.  Roelse teaches wherein the third bit-level reordering operation is based on a different reordering sequence than the fourth bit-level reordering operation (Roelse, Col. 1, lines 49-54; “By choosing the permutations (pseudo-)randomly (i.e. different for each round) the system can be made cryptographically stronger than a system in which each S-box consists of only one fixed permutation. Selection of a permutation from a set can be executed fast and cost-effectively.”).

As per claim 17, the rejection of claim 16 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claim 4, and therefore it is rejected for the same rationale applied to claim 4.
In addition, Koo teaches:
performing an XOR operation on an output of the second substitution box operation (Koo, Parag. [0059]; “The Enc ERound() is illustrated in FIG. 18. The Enc ERound() function performs a per-bit AND operation on the result of the performance of the EnchEvenMask() and the encryption round function value output in the previous round, performs ShiftRows(), SubBytes() and MixColumns( ) functions, and finally performs an XOR operation on the result of the performance of these functions and the encryption round keys, thereby outputting an encryption round function value of a 128-bit string.”) and 
Roelse further teaches a third set of keys bits based on the second set of key bits to yield the ciphertext (Roelse, Col.3, lines 52-54; “FIG. 1A shows the cipher structure used for the first fifteen rounds (i=1, 2, . . . . 15). FIG. 1B shows the last, sixteenth round.” … Col. 3, lines 61-64; “FIG. 2 shows an overall block diagram of a preferred embodiment of the round functions f. First a part of the round key, of for instance 32 bits, is added to the data bits in step 210.” Examiner submit that the process will be repeated for all the determined rounds.).

As per claim 18, the rejection of claim 17 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claim 5, and therefore it is rejected for the same rationale applied to claim 5.

As per claim 20, the rejection of claim 17 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claim 7, and therefore it is rejected for the same rationale applied to claim 7.

As per claim 23, the rejection of claim 17 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claim 11, and therefore it is rejected for the same rationale applied to claim 11.

As per claim 25, the rejection of claim 24 is incorporated. In addition, it is a system claim that recites limitations to those of claim 17, and therefore it is rejected for the same rationale applied to claim 17.

Claims 6, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869) as, and further in view of Roelse (US 7,043016) as applied to claim 4 and further in view of Kaminaga et al. (US 7,254,718) hereinafter Kaminaga.
As per claim 6, the combination of Koo, Gleichauf and Roelse teaches the method of claim [0] 4. 
However, the combination of Koo, Gleichauf and Roelse does not expressly teach:
wherein the first and second integer arithmetic operations each comprise one of an integer addition with carries operation and an integer subtraction with borrows operation 
But, Kaminaga teaches:
wherein the first and second integer arithmetic operations each comprise one of an integer addition with carries operation and an integer subtraction with borrows operation (Kaminaga, Col. 20, lines 12-16; “when data is partitioned into bit blocks (for example, partitioned to 8 bit blocks or 16 bit blocks) and an arithmetic operation such as addition or multiplication is performed, a carry (in the case of subtraction: borrow) occurs”).
Koo, Gleichauf, Roelse and Kaminaga are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kaminaga system into Koo-Gleichauf-Roelse system, with a motivation to perform sequences of logical operations including addition with carry operation and subtraction with borrow operation (Kaminaga, Col. 20, lines 12-16).

As per claim 12, the rejection of claim 11 is incorporated. In addition, it is a method claim that recites limitations to those of claim 6, and therefore it is rejected for the same rationale applied to claim 6.

As per claim 19, the rejection of claim 17 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claim 6, and therefore it is rejected for the same rationale applied to claim 6.

Claims 8, 15 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869) as, and further in view of Roelse (US 7,043016) as applied to claim 4 and further in view of Pasini et al. (US 8,798,263) hereinafter Pasini.
As per claim 8, the combination of Koo, Gleichauf and Roelse teaches the method of claim 0. 
The combination of Koo, Gleichauf and Roelse does not expressly teach:
wherein the output of the bit-level reordering operation comprises N bits, and the substitution box operation is performed using at least floor (N/M) Galois field inverters, where M < N. 
However, Pasini teaches wherein the output of the bit-level reordering operation comprises N bits, and the substitution box operation is performed using at least floor (N/M) Galois field inverters, where M < N (Pasini, Col. 6, lines 55-64; “According to a further embodiment the blocks (X, X, X, ... X) and the resulting blocks (Y,...Y.) are elements of a finite Galois ring GF(2)n (*, +) including binary elements of n bits where multiplication () corresponds to logical AND operation and addition (+) corresponds to logical XOR operation carried out bitwise. The invertible elements (m1, m2, m3 ... mN) may have any value different than the null element for the logical AND operation within the ring GF(2)n (AND, XOR). Some elements (m1, m2, m3 ... mN) may also be equal to the multiplicative identity.).
Koo, Gleichauf, Roelse and Pasini are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pasini system into Koo-Gleichauf-Roelse system, with a motivation to perform operations with Galois Field inverters (Pasini, Col. 6, lines 55-64).

As per claim 15, the rejection of claim 13 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites similar limitations to those of claim 8, and therefore it is rejected for the same rationale applied to claim 8.

As per claim 21, the rejection of claim 17 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claim 8, and therefore it is rejected for the same rationale applied to claim 8.

Claims 9-10 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Koo et al. (US 2015/0244518) hereinafter Koo in view of Gleichauf (US 2003/0149869) as, and further in view of Roelse (US 7,043016) and Pasini et al. (US 8,798,263) hereinafter Pasini as applied to claim 8 and further in view of Rubin (US 7,907,723).
As per claim 9, the combination of Koo, Gleichauf, Roelse and Pasini teach the method of claim 8. 
However, the combination of Koo, Gleichauf, Roelse and Pasini does not expressly teach:
wherein N is not a multiple of M, and the number of inverters used in the substitution box operation comprises floor(N/M) Galois field inverters 
But, Rubin teaches:
wherein N is not a multiple of M, and the number of inverters used in the substitution box operation comprises floor(N/M) Galois field inverters (Rubin, Col. 5, lines 12-19; “Another example of a ring is the integers modulo some integer m. The additive inverse of x modulo m is 0 when m=0, and m-X otherwise. Every integer n which is mutually prime to m will have a multiplicative inverse n' such that nn'=1 (mod m). In particular, if m is of the form 2u then n will have a multiplicative inverse when n is odd. If m is prime, then the integers modulo m form a field which is denoted GF(p) standing for Galois Field of order p.”).
Koo, Gleichauf, Roelse, Pasini and Rubin are from similar field of technology. Prior to the instant application’s effective filling date, there was a need for provide solutions for computer system security that employ cryptographic mechanisms inside processor components.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rubin system into Koo-Gleichauf-Roelse-Pasini system, with a motivation to perform substitution box operation by applying mathematical formula N mod M = K to derive Galois field inverters (Rubin, Col. 5, lines 12-19).

As per claim 10, the combination of Koo, Gleichauf, Roelse, Pasini and Rubin teaches the method of claim 9. Rubin teaches wherein N mod M = K, and the substitution box operation further comprises a Galois field inverter in GF(2K) (Rubin, Col. 5, lines 12-19; “Another example of a ring is the integers modulo some integer m. The additive inverse of x modulo m is 0 when m=0, and m-X otherwise. Every integer n which is mutually prime to m will have a multiplicative inverse n' such that nn'=1 (mod m). In particular, if m is of the form 2u then n will have a multiplicative inverse when n is odd. If m is prime, then the integers modulo m form a field which is denoted GF(p) standing for Galois Field of order p.”)

As per claim 22, the rejection of claim 17 is incorporated. In addition, it is a non-transitory computer readable medium claim that recites limitations to those of claims 9 and 10, and therefore it is rejected for the same rationale applied to claims 9 and 10.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Lee et al. (US 2016/0056954) relates to an apparatus and method for providing a Feistel-based variable length block cipher, which are configured to when plain text having a certain bit length is encrypted, generate cipher text having the same bit length as plaintext, and to decrypt ciphertext into plaintext having the same bit length.
Henry et al. (US 2011/0296202) relates to A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions using the generated decryption key by XORing them together.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/A.D.C./Examiner, Art Unit 2498       

/JOHN B KING/Primary Examiner, Art Unit 2498