Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment and Arguments
Applicant has amended independent claims 1, 13 & 15 and has argued in the Remarks filed on 8/08/2022 that Canard, Hansen and Di alone or in combination do not teach “encrypting the signature nonce by the signer with a public key of the verifier to produce an encrypted signature nonce so that the encrypted signature nonce can be decrypted with a private key of the verifier instead of a private key of the signer”. The amendment and the argument have been considered but are found moot, as the Examiner has changed the ground of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-2, 4-8, 13, 15-16 & 18 are rejected under 35 USC 103 as being unpatentable over Canard (US 20080046310) in view of Chenna (US20140351589) and Di (CN105574458A; translated copy and original attached).
Regarding claim 1, Canard teaches a method for signing data so that a signature can be verified by a verifier while preserving the privacy of a signer, the method comprising: generating a signature nonce by processing the data; [0052] The list signature procedure executed by the chip card then comprises the execution of a group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained (generated) pseudo-random number R.sub.i (a signature nonce) and of applying by the signature function Sign:]
calculating a signature of the data of the signer by signing the data concatenated with the signature nonce using a  key of the signer.  [0052] The list signature procedure executed by the chip card then comprises the execution of a group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained pseudo-random number R.sub.i and of applying a conventional signature function Sign to the obtained value by using the secret key (private key) of list signature SK.sub.L stored by the chip card. The signature S which is delivered at the output by the chip card comprises the pseudo-random number R.sub.i concatenated with the signature value S.sub.i provided by the signature function Sign:] 
distributing the data and the signature of the data of the signer. [0083] During a first step 41 of the procedure 40, the chip card 7 receives the message M (data) to be signed and a REPSEQ sequence number, and verifies the validity of the latter, for example by means of a signature generated by the certifying authority which is transmitted (distributed) with the sequence number. This verification is carried out with a public key PK.sub.A of the certifying authority, stored by the chip card. If the signature associated with the sequence number is not valid, the chip card emits an error message (step 49) and the procedure terminates 40 without any signature being generated by the card] 
and is used to generate a pseudo-random value of the signature nonce, [0052] The list signature procedure executed by the chip card then comprises the execution of a group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained pseudo-random number R.sub.i and of applying a conventional signature function Sign to the obtained value by using the secret key (private key) of list signature SK.sub.L stored by the chip card. The signature S which is delivered at the output by the chip card comprises the pseudo-random number R.sub.i concatenated with the signature value S.sub.i provided by the signature function Sign:]
Although Canard teaches a signature nonce, Canard does not explicitly teach, but Chenna teaches: encrypting the signature nonce by the signer with a public key of the verifier to produce an encrypted signature nonce so that the encrypted signature nonce can be decrypted with a private key of the verifier instead of a private key of the signer. [0018] Embodiments presented herein provide techniques for authenticating users accessing computing applications, e.g., applications hosted in a cloud environment accessed using a variety of computing systems. More particularly, embodiments of the invention provide an authentication process performed using a certificate and private key installed on a mobile device and a nonce generated on the server. In one embodiment, to authenticate a user, a server generates a nonce to use for an authentication challenge, encrypts the nonce with a public key (encrypted signature nonce) of the user, and encodes the encrypted result as a bar code (e.g., a QR code). The resulting barcode graphic code is displayed to the user, and a mobile device, e.g., a Smart phone, is used to scan the barcode graphic to recover the encrypted nonce and to decrypt it with a private key stored on the mobile device. Please also see the Abstract]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard with the disclosure of Chenna. The motivation or suggestion would have been to implement systems that provide improved security techniques and provide more reliable authentication mechanisms. (para 0002, 0004-0005, Chenna)
Although Canard and Chenna teach signing using a symmetric key, they do not explicitly teach, but Di teaches:
generating a signature nonce by processing the data with a secret function, wherein the secret function is a function known only to the signer, [page 06 of text; step S3011:  step S3011: the client end obtaining the algorithm identifier, and generating a random number, according to the secret algorithm (obviously only client has information about the RND generation algorithm/function) supports automatic set needed in the following steps of the SM1 algorithm, SM2 algorithm or RSA algorithm. ]
 using a private key of the signer, [page 06 of attached text, step S3016:step S3016: the client itself and the algorithm identification of the bank center SM3 algorithm and the random number to obtain the abstract result, then the abstraction results using a client private key signature operation to obtain the signature result, at the same time, the client end communication ciphertext, the signature result and the client certificate is sent to the bank center.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard and Chenna with the disclosure of Di. The motivation or suggestion would have been to implement systems that provide efficient techniques for authenticating a client or user based on cryptographic signature (page 03, last paragraph of attached text, Di).
Regarding claim 2, Canard teaches wherein generating the signature nonce comprises generating a random number for the signature nonce.  [0052] The list signature procedure executed by the chip card then comprises the execution of a group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained (generated) pseudo-random number R.sub.i (a signature nonce) and of applying by the signature function Sign:]
Regarding claim 4, Canard teaches obtaining the public key of the verifier.  [0060] As compared with the procedure described hereinbefore with reference to FIG. 3, .. actual identity of the member. This encryption uses a public encryption key PK.sub.MO which is related to a private decryption key SK.sub.MO belonging to the authority (universal /group verifier) qualified to lift the anonymity of a signature emitted by a member of the list. The result of this encryption C.sub.i is concatenated with the pseudo -random number R.sub.i obtained in the same way as in the non-openable list signature procedure; with this concatenation a value R.sub.i.parallel.C.sub.i may be obtained, which is concatenated with the message M before its signature, and possibly with the obtained signature S.sub.i.] 
Regarding claim 5, Canard teaches wherein the verifier is a universal verifier who can verify signatures from all signers. [0004] The concept of group signature has also been proposed, which allows each member of a group to produce a signature such that a verifier having an adequate public key may verify that the signature was emitted by a member of the group without being able to determine the identity of the signatory.]
Regarding claim 6, Canard teaches wherein once the encrypted signature nonce is received by the universal verifier as illustrated above, but Canard and Abt do not explicitly teach, however Chenna teaches, that the encrypted nonce is decrypted with a private key of the verifier. [0018] Embodiments presented herein provide techniques for authenticating users accessing computing applications, e.g., applications hosted in a cloud environment accessed using a variety of computing systems. More particularly, embodiments of the invention provide an authentication process performed using a certificate and private key installed on a mobile device and a nonce generated on the server. In one embodiment, to authenticate a user, a server generates a nonce to use for an authentication challenge, encrypts the nonce with a public key (encrypted signature nonce) of the user, and encodes the encrypted result as a bar code (e.g., a QR code). The resulting barcode graphic code is displayed to the user, and a mobile device, e.g., a Smart phone, is used to scan the barcode graphic to recover the encrypted nonce and to decrypt it with a private key stored on the mobile device. Please also see the Abstract]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard with the disclosure of Chenna. The motivation or suggestion would have been to implement systems that provide improved security techniques and provide more reliable authentication mechanisms. (para 0002, 0004-0005, Chenna)
Regarding claim 7, Canard teaches wherein once the encrypted signature nonce is received by the universal verifier the data concatenated with the decrypted signature nonce is verified using a public key of the signer.  [0066] In order to verify that the signature was emitted by a member of the list, it is sufficient to know the signature function (number n in the example above) and the public key PK.sub.L of the list. In the example, it is sufficient to compute the following value: M''=S.sub.i.sup.PK.sub.L(mod n) (9) to convert the value M'' by means of the inverse conversion function I2OSP of the PKS#1 v2.1 standard, and to verify the value obtained with the message M. [0067] In order to determine if two signatures were emitted by the same member of the list, it is sufficient to compare the values of the pseudo-random number R.sub.i contained in both signatures. As in the example described earlier with reference to FIG. 3, it is not necessary to emit the pseudo-random number R.sub.i with the signature S, except if it is desired that even persons which do not have the list key allowing verification of the signature S.sub.i, may link two signatures emitted by the same chip card for a same sequence.] 
Regarding claim 8, Canard teaches wherein the verifier verifies  determine whether the data concatenated with the decrypted signature nonce by determining whether it matches the signature of the data of the signer.  [0060: As compared…member. This encryption uses a public encryption key PK.sub.MO which is related to a private decryption key SK.sub.MO belonging to the authority qualified to lift the anonymity of a signature emitted by a member of the list. The result of this encryption C.sub.i is concatenated with the pseudo -random number R.sub.i obtained in the same way as in the non-openable list signature procedure; with this concatenation a value R.sub.i.parallel.C.sub.i may be obtained, which is concatenated with the message M before its signature, and possibly with the obtained signature S.sub.i.]
Regarding claim 13, Canard teaches a method for a verifier to verify data signed with a signature of the data of a signer, the method comprising: receiving signature nonce, [0017] According to one embodiment of the invention, the pseudo-random number (signature nonce) generated from the sequence number is emitted with the generated electronic signature.]
receiving the data and the signature of the data, [0083] During a first step 41 of the procedure 40, the chip card 7 receives the message M (data) to be signed and a REPSEQ sequence number, and verifies the validity of the latter, for example by means of a signature generated by the certifying authority which is transmitted (distributed) with the sequence number. This verification is carried out with a public key PK.sub.A of the certifying authority, stored by the chip card. If the signature associated with the sequence number is not valid, the chip card emits an error message (step 49) and the procedure terminates 40 without any signature being generated by the card] 
wherein the signature of the data of signer is calculated by signing the data concatenated with the signature nonce using a key of the signer; [0052] The list signature procedure executed by the chip card then comprises the execution of a group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained pseudo-random number R.sub.i and of applying a conventional signature function Sign to the obtained value by using the secret key (private key) of list signature SK.sub.L stored by the chip card. The signature S which is delivered at the output by the chip card comprises the pseudo-random number R.sub.i concatenated with the signature value S.sub.i provided by the signature function Sign:]
verifying the signature of the data of the signer concatenated with the decrypted signature nonce using a public key of the signer.  [0066] In order to verify that the signature was emitted by a member of the list, it is sufficient to know the signature function (number n in the example above) and the public key PK.sub.L of the list. In the example, it is sufficient to compute the following value: M''=S.sub.i.sup.PK.sub.L(mod n) (9) to convert the value M'' by means of the inverse conversion function I2OSP of the PKS#1 v2.1 standard, and to verify the value obtained with the message M. [0067] In order to determine if two signatures were emitted by the same member of the list, it is sufficient to compare the values of the pseudo-random number R.sub.i contained in both signatures. As in the example described earlier with reference to FIG. 3, it is not necessary to emit the pseudo-random number R.sub.i with the signature S, except if it is desired that even persons which do not have the list key allowing verification of the signature S.sub.i, may link two signatures emitted by the same chip card for a same sequence.] 
and is used to generate a pseudo-random value of the signature nonce, [0052] The list signature procedure executed by the chip card then comprises the execution of a group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained pseudo-random number R.sub.i and of applying a conventional signature function Sign to the obtained value by using the secret key (private key) of list signature SK.sub.L stored by the chip card. The signature S which is delivered at the output by the chip card comprises the pseudo-random number R.sub.i concatenated with the signature value S.sub.i provided by the signature function Sign:]
Although, Canard teaches signature nonce, he does not explicitly teach, however, Chenna teaches wherein the encrypted signature nonce is produced by encrypting a signature nonce with a public key of the verifier;  decrypting the encrypted signature nonce with a private key of the verifier since the signature nonce was encrypted with the private key of the verifier instead of the private key of the signer [0018] Embodiments presented herein provide techniques for authenticating users accessing computing applications, e.g., applications hosted in a cloud environment accessed using a variety of computing systems. More particularly, embodiments of the invention provide an authentication process performed using a certificate and private key installed on a mobile device and a nonce generated on the server. In one embodiment, to authenticate a user, a server generates a nonce to use for an authentication challenge, encrypts the nonce with a public key (encrypted signature nonce) of the user, and encodes the encrypted result as a bar code (e.g., a QR code). The resulting barcode graphic code is displayed to the user, and a mobile device, e.g., a Smart phone, is used to scan the barcode graphic to recover the encrypted nonce and to decrypt it with a private key stored on the mobile device. Please also see the Abstract] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard with the disclosure of Chenna. The motivation or suggestion would have been to implement systems that provide improved security techniques and provide more reliable authentication mechanisms. (para 0002, 0004-0005, Chenna)
Although Canard and Chenna teach signing using a symmetric key, they do not explicitly teach, but Di teaches:
wherein the received data is processed with a secret function, wherein the secret function is a function known only to the signer, [page 06 of text; step S3011:  step S3011: the client end obtaining the algorithm identifier, and generating a random number, according to the secret algorithm (obviously only client has information about the RND generation algorithm/function supports automatic set needed in the following steps of the SM1 algorithm, SM2 algorithm or RSA algorithm. ]
 data of the signer, [page 06 of attached text, step S3016:step S3016: the client itself and the algorithm identification of the bank center SM3 algorithm and the random number to obtain the abstract result, then the abstraction results using a client private key signature operation to obtain the signature result, at the same time, the client end communication ciphertext, the signature result and the client certificate is sent to the bank center.
using a private key of the signer, [page 06 of attached text, step S3016:step S3016: the client itself and the algorithm identification of the bank center SM3 algorithm and the random number to obtain the abstract result, then the abstraction results using a client private key signature operation to obtain the signature result, at the same time, the client end communication ciphertext, the signature result and the client certificate is sent to the bank center.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard and Chenna with the disclosure of Di. The motivation or suggestion would have been to implement systems that provide efficient techniques for authenticating a client or user based on cryptographic signature (page 03, last paragraph of attached text, Di).
Regarding claim 15, the claim is interpreted to be the same as claim 1 and is rejected for the same reasons as set forth for claim 1.
Regarding claim 16, Canard teaches the data concatenated with the decrypted signature nonce is verified by determining whether it  matches the signature of the data of the signer. [0060: As compared…member. This encryption uses a public encryption key PK.sub.MO which is related to a private decryption key SK.sub.MO belonging to the authority qualified to lift the anonymity of a signature emitted by a member of the list. The result of this encryption C.sub.i is concatenated with the pseudo -random number R.sub.i obtained in the same way as in the non-openable list signature procedure; with this concatenation a value R.sub.i.parallel.C.sub.i may be obtained, which is concatenated with the message M before its signature, and possibly with the obtained signature S.sub.i.]
Although Canard and Di teach a signature nonce, they do not explicitly teach, but Chenna teaches the encrypted signature nonce is decrypted with a private key of the verifier; [0018] Embodiments presented herein provide techniques for authenticating users accessing computing applications, e.g., applications hosted in a cloud environment accessed using a variety of computing systems. More particularly, embodiments of the invention provide an authentication process performed using a certificate and private key installed on a mobile device and a nonce generated on the server. In one embodiment, to authenticate a user, a server generates a nonce to use for an authentication challenge, encrypts the nonce with a public key (encrypted signature nonce) of the user, and encodes the encrypted result as a bar code (e.g., a QR code). The resulting barcode graphic code is displayed to the user, and a mobile device, e.g., a Smart phone, is used to scan the barcode graphic to recover the encrypted nonce and to decrypt it with a private key stored on the mobile device. Please also see the Abstract]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard and Di with the disclosure of Chenna. The motivation or suggestion would have been to implement systems that provide improved security techniques and provide more reliable authentication mechanisms. (para 0002, 0004-0005, Chenna)
Regarding claim 18, Canard teaches the data concatenated with the calculated signature nonce is verified by the verifier using a public key of the signer. [0060: As compared…member. This encryption uses a public encryption key PK.sub.MO which is related to a private decryption key SK.sub.MO belonging to the authority qualified to lift the anonymity of a signature emitted by a member of the list. The result of this encryption C.sub.i is concatenated with the pseudo -random number R.sub.i obtained in the same way as in the non-openable list signature procedure; with this concatenation a value R.sub.i.parallel.C.sub.i may be obtained, which is concatenated with the message M before its signature, and possibly with the obtained signature S.sub.i.], 

Claims 10-12 are rejected under 35 USC 103 as being unpatentable over Canard in view of Chenna, Di and Nikander (US20080187137) 
Regarding claim 10, although Canard, Chenna and Di teach a signature nonce, they do not explicitly teach, but Nikander teaches transmitting the secret function to the verifier; [0041] Preferably, said step of making the same pseudo-random sequence of values available (transmitted) to each of the first and second parties (agreed verifier) comprises providing a shared secret to the parties as well as a function capable of generating a pseudo-random sequence of numbers. Each party generates the pseudo-random sequence by using the shared secret and a corresponding sequence of values (e.g. an arithmetic progression or the consecutive outputs of a known finite state machine, an LFSR, or similar) as inputs to the function. The values of the pseudo-random sequence may be generated one at a time, i.e. as and when required, or a set of values may be generated for future use.]
wherein once the secret function is received  by the verifier the signature nonce is calculated  using the secret function.  [0041] Preferably, said step of making the same pseudo-random sequence of values available (transmitted) to each of the first and second parties (agreed verifier) comprises providing a shared secret to the parties as well as a function capable of generating a pseudo-random sequence of numbers. Each party generates the pseudo-random sequence by using the shared secret and a corresponding sequence of values (e.g. an arithmetic progression or the consecutive outputs of a known finite state machine, an LFSR, or similar) as inputs to the function. The values of the pseudo-random sequence may be generated one at a time, i.e. as and when required, or a set of values may be generated for future use.] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Canard and Chenna and Di with the disclosure of Nikander. The motivation or suggestion would have been to implement a method for signing data that provides non-traceability of information to individual identity and non-linkability across the data signed by each individual. That is, the method protects the privacy of the signer (abstract & para 0001-0005, Nikander).
Regarding claim 11, Canard teaches the data concatenated with the calculated signature nonce is verified by the verifier using a public key of the signer. [0052] The list signature ….group signature algorithm. This algorithm for example consists of concatenating the message M to be signed with the obtained pseudo-random number R.sub.i and of applying a conventional signature function Sign to the obtained value by using the secret key of list signature SK.sub.L stored by the chip card. The signature S which is delivered at the output by the chip card comprises the pseudo-random number R.sub.i concatenated with the signature value S.sub.i provided by the signature function Sign: [0053] The signature algorithm applied by this procedure may be synthesized by the following formula: R.sub.i=PRNG(SK.sub.i, REPSEQ) (1) S.sub.i=Sign(SK.sub.L, R.sub.i.parallel.M) (2) S=R.sub.i.parallel.S.sub.i (3) .parallel. representing the concatenation operator.] 
Regarding claim 12, Canard teaches determines whether the data concatenated with the calculated signature nonce matches the signature of the data of the signer.  [0056] To check (verify) the signature S, it is sufficient to apply to it the group signature verification procedure consisting in the example hereinbefore of raising the signature S.sub.i to the power of SK.sub.L modulo n, to transform the obtained value in order to convert it into a string of characters (I2OSP function of the PKCS#1 standard) and comparing the obtained transformed value to the signed message M. Of course, the verification of the signature also comprises a verification that the value R.sub.i associated with the signature S.sub.i corresponds to the value R.sub.i associated with the message M in the signature.]
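The list-signature formulas (1)-(3) quoted from Canard [0053] above, together with the verification of [0066] and the linkability comparison of [0067], as an added Python example that is not part of this Office action or of Canard's disclosure. HMAC-SHA256 as the PRNG, the toy RSA list key built from two Mersenne primes, the hash encoding and all function names are assumptions of this example.

```python
import hashlib
import hmac

# Toy RSA list key (constructed for illustration; far too small for real use).
_P = 2**89 - 1                                  # Mersenne prime
_Q = 2**127 - 1                                 # Mersenne prime
N = _P * _Q                                     # modulus n
PK_L = 65537                                    # public list key (verification exponent)
SK_L = pow(PK_L, -1, (_P - 1) * (_Q - 1))       # secret list key shared by all cards

R_LEN = 32                                      # length of R_i in bytes
SIG_LEN = (N.bit_length() + 7) // 8             # length of S_i in bytes


def prng(sk_i: bytes, repseq: bytes) -> bytes:
    """Eq. (1): R_i = PRNG(SK_i, REPSEQ). HMAC-SHA256 is an assumed stand-in."""
    return hmac.new(sk_i, repseq, hashlib.sha256).digest()


def _encode(data: bytes) -> int:
    """Map R_i || M to an integer below n (assumed stand-in for PKCS#1 encoding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def list_sign(sk_i: bytes, repseq: bytes, message: bytes) -> bytes:
    """Eqs. (2) and (3): S_i = Sign(SK_L, R_i || M), S = R_i || S_i."""
    r_i = prng(sk_i, repseq)
    s_i = pow(_encode(r_i + message), SK_L, N)
    return r_i + s_i.to_bytes(SIG_LEN, "big")


def list_verify(signature: bytes, message: bytes) -> bool:
    """[0066]: recompute S_i^PK_L mod n and compare with the encoded R_i || M."""
    if len(signature) != R_LEN + SIG_LEN:
        return False
    r_i = signature[:R_LEN]
    s_i = int.from_bytes(signature[R_LEN:], "big")
    if s_i >= N:
        return False
    return pow(s_i, PK_L, N) == _encode(r_i + message)


def same_member(sig_a: bytes, sig_b: bytes) -> bool:
    """[0067]: two signatures come from the same card in a sequence iff R_i matches."""
    return hmac.compare_digest(sig_a[:R_LEN], sig_b[:R_LEN])


if __name__ == "__main__":
    # Constructed sample inputs: two cards, two sequence numbers.
    card_a, card_b = b"constructed-card-secret-A", b"constructed-card-secret-B"
    s1 = list_sign(card_a, b"SEQ-1", b"message one")
    s2 = list_sign(card_a, b"SEQ-1", b"message two")
    s3 = list_sign(card_b, b"SEQ-1", b"message one")
    s4 = list_sign(card_a, b"SEQ-2", b"message one")
    print("valid:", list_verify(s1, b"message one"))
    print("same card, same sequence linked:", same_member(s1, s2))
    print("different card linked:", same_member(s1, s3))
    print("same card, new sequence linked:", same_member(s1, s4))
```

Any holder of PK_L can verify membership, while only the per-card secret SK_i determines R_i, so signatures are linkable within one REPSEQ and unlinkable across sequences.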

The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
1. Chastain (US 20150319151) discloses a device that incorporates the subject disclosure may perform, for example, receiving a derived encryption key from a remote management server without receiving a master key from which the derived encryption key was generated, applying a one-way function to the derived encryption key and a nonce to generate a temporary encryption key, obtaining data for transmission to a recipient device, encrypting the data using the temporary encryption key to generate encrypted data, and providing the encrypted data over a network to the recipient device. Other embodiments are disclosed.
2. Musabeyoglu (US10089801) describes a system and universal access control device that may be installed in proximity to, or within, an access control system to enable a user to use a user device to gain access to a secure area or resource. In some embodiments, a user may submit a request for access to a remote server and may be provided with an access token. The user may relay the received access token to the universal access device via a wireless transmission means on his or her user device. The universal access device may verify the authenticity of the access token by relaying the access token information to the remote server. Once the access token has been authenticated, the universal access control device may retrieve a credential stored in memory and provide that credential to the access control system to enable the user to gain entry to a secure area.
3. Bessonov (US20200084023) discloses methods and systems that can prove to an independent verifier that multiple activities registered on decentralized BASE network belong to the same user, without revealing true identity of the user. A selective linkability algorithm provides for linking together activities done under various of user's pseudonyms, without revealing the true user's identity. A reward calculation mechanism calculates a reward based on activities linked using the linking proof. For example, if user can prove that she already successfully completed 10 prior transactions, she might be deemed more valuable to the business making a new offer and hence eligible for a higher reward.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.         
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER A KHAN whose telephone number is (571)272-8574. The examiner can normally be reached M-F 8:00 am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497