DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a Final Office action in response to communications received on 07/11/2022. 

Response to Amendment
Claims 9, 16 and 23 have been amended. 
Examiner’s objections to the specification are withdrawn in light of the applicant’s amendments to the specification.
Examiner’s rejection of claims 9, 10, 16, 17, 23 and 24 under 35 U.S.C 112 are withdrawn in light of the applicant’s amendments to the claims. 
Applicant’s arguments with respect to claim(s) 9, 16 and 23 regarding the new limitations: “the first coprime integer being less than the second coprime integer value”, “generating a private key, wherein the private key is based at least on the first value and not based on the inverse of the first value in modulo of the first coprime integer and not based on the second value” and “generating an encrypted message data using the generated public key and a third randomly selected value from a third subset of the ring by rounding to a multiple of the first coprime integer value”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 9-28 are rejected under 35 U.S.C. 103 as being unpatentable over NTRU in Constrained Devices by Bailey et al (hereinafter Bailey) and applicant provided prior art of record NTRU Prime: Reducing Attack Surface at Low Cost by Bernstein et al (hereinafter Bernstein).
As per claims 9, 16 and 23, Bailey teaches:
A computer-implemented method for data encryption and decryption, the method comprising: 
generating a public key, wherein the public key is based at least on: a first value based on a first combination of a first coprime integer value and a first randomly selected value from a first subset of a ring based on a polynomial with a predetermined degree, and a second value based on a second combination of a second coprime integer value, the first coprime integer being less than the second coprime integer value, a second randomly selected value from a second subset of the ring (Bailey: page 264: 1. NTRU uses three public parameters (N, p, q) with gcd(p, q) = 1. 2. Typical parameter sets that yield security levels similar to 1024-bit RSA and 4096-bit RSA respectively are (N, p, q) = (251, 3, 128) and (N, p, q) = (503, 3, 256). 2.2 Key Generation: Choose random polynomials F, g ∈ R with small coefficients and set f =1+pF (first value). Compute the polynomial h ≡ g ∗ f−1 mod q. The public key is h (i.e., the public key is based on the first value and g mod q (second value))); 
generating a private key, wherein the private key is based at least on the first value and not based on the inverse of the first value in modulo of the first coprime integer and not based on the second value (Bailey: page 264: 2.2 Key Generation: Choose random polynomials F, g ∈ R with small coefficients and set f =1+pF. The private key is f (the private key is not based on the inverse of the first value in modulo of p and not based on the second value)); 
generating an encrypted message data using the generated public key and a third randomly selected value from a third subset of the ring; and transmitting the encrypted message data (Bailey: page 264: 2.3 Encryption The plaintext m is a polynomial with coefficients taken mod p. Choose a random polynomial r with small coefficients. The ciphertext is e ≡ pr ∗ h + m mod q. Transmitting the encrypted message to a receiving end was well known to one of ordinary skill in the art before the effective date of the claimed invention).
Bailey does not teach: by rounding to a multiple of the first coprime integer value, wherein the encrypted message data includes data based on a shared key. However, Bernstein teaches:
generating an encrypted message data …by rounding to a multiple of the first coprime integer value, wherein the encrypted message data includes data based on a shared key (specification of the instant application: [0054]: By using r, an encrypted message c:=roundp(h•r) is calculated. Herein, r is an element of a subset Dr of the ring R, and is a target message to be encrypted. Bernstein: Page 241: 2.3. Encapsulation. Streamlined NTRU Prime is actually a “key encapsulation mechanism” (KEM). This means that the sender takes a public key as input and produces a ciphertext and session key as output. Page 246: 3.5. Padding, KEMs, and the Choice of q. In Streamlined NTRU Prime we use the modern “KEM+DEM” approach introduced by Shoup. Page 247: first 10 lines and last 20 lines: “KEM” means “key encapsulation mechanism”: me mod n is an “encapsulation” of the shared secret key H(m). “DEM” means “data encapsulation mechanism”, referring to the encryption and authentication using this shared secret key. Authenticated ciphers are normally designed to be secure for many messages, so H(m) can be reused to protect further messages from the sender to the receiver, or from the receiver back to the sender. We instead follow a simple generic KEM construction introduced in the earlier paper [19, Sect. 6] by Dent. Like RSA-KEM, this construction hashes the input, in our case r, to obtain the session key. Decapsulation verifies that the ciphertext is the correct ciphertext for this input, preventing per-input ciphertext malleability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bernstein in the invention of Bailey to include the above limitations. The motivation to do so would be to reduce the attack surface at a very low cost (Bernstein: Abstract).

As per claim 10, Bailey in view of Bernstein teaches:
The computer-implemented method of claim 9, wherein the public key is based on an inverse of the first value in modulo of the second coprime integer (Bailey: page 264: 2.2 Key Generation: Choose random polynomials F, g ∈ R with small coefficients and set f =1+pF (first value). Compute the polynomial h ≡ g ∗ f−1 mod q. The public key is h).

As per claims 11, 18 and 25, Bailey in view of Bernstein teaches: 
The computer-implemented method of claim 9, the method further comprising: generating the encrypted message data and the shared key data based at least on a combination of: the third randomly selected value, the public key, and a predefined hash value (Bailey: page 264: 2.3 Encryption The plaintext m is a polynomial with coefficients taken mod p. Choose a random polynomial r with small coefficients. The ciphertext is e ≡ pr ∗ h + m mod q.  Bernstein: Page 247: last 20 lines: We instead follow a simple generic KEM construction introduced in the earlier paper [19, Sect. 6] by Dent. Like RSA-KEM, this construction hashes the input, in our case r, to obtain the session key. Decapsulation verifies that the ciphertext is the correct ciphertext for this input, preventing per-input ciphertext malleability).
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claims 9, 16 and 23 above. 

As per claims 12, 19 and 26, Bailey in view of Bernstein teaches: 
The computer-implemented method of claim 9, the method further comprising: generating, based the encrypted message data and the shared key, the decrypted message data and the shared key data (Bailey: page 264: 2.4 Decryption: Compute a ≡ e ∗ f mod q, choosing the coefficients of a to satisfy A ≤ ai < A + q. The value of A is fixed and is determined by a simple formula depending on the other parameters. Then a mod p is equal to the plaintext m. Bernstein: Page 242: 2.4. Decapsulation. The receiver decapsulates a ciphertext C                        
                            
                                
                                    c
                                
                                -
                            
                        
                     as follows: Decode                         
                            
                                
                                    c
                                
                                -
                            
                        
                    , obtaining c ∈ R… Compute c’ , C’ , K’ from r’ as in encapsulation. If r’ is t-small, c’ = c, and C’ = C, then output K’).
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claims 9, 16 and 23 above. 

As per claim 13, Bailey in view of Bernstein teaches: 
The computer-implemented method of claim 9, the method further comprising: when an inverse of the third randomly selected value is not a part of the third subset of the ring, determining a failure of generating the decrypted message data (Bernstein: Page 242: 2.4. Decapsulation. The receiver decapsulates a ciphertext C                        
                            
                                
                                    c
                                
                                -
                            
                        
                     as follows: Decode                         
                            
                                
                                    c
                                
                                -
                            
                        
                    , obtaining c ∈ R. Multiply by 3f in R/q. – View each coefficient of 3fc in R/q as an integer between −(q − 1)/2 and (q − 1)/2, and then reduce modulo 3, obtaining a polynomial e in R/3. Multiply by 1/g in R/3. Lift e/g in R/3 to a small polynomial r’ ∈ R. Compute c’, C’, K’ from r’ as in encapsulation. If r’ is t-small, c’ = c, and C’ = C, then output K’. Otherwise output False).
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claim 9 above. 

As per claim 14, Bailey in view of Bernstein teaches: 
The computer-implemented method of claim 9, the method further comprising: receiving the encrypted message data; and generating, based on the encrypted message data, a decrypted message data using the generated private key and the shared key based on a key decapsulation, wherein the key decapsulation is without use of the second value (Bailey: page 264: 2.4 Decryption: Compute a ≡ e ∗ f mod q, choosing the coefficients of a to satisfy A ≤ ai < A + q. The value of A is fixed and is determined by a simple formula depending on the other parameters. Then a mod p is equal to the plaintext m. Bernstein: Page 242: 2.4. Decapsulation. The receiver decapsulates a ciphertext C                        
                            
                                
                                    c
                                
                                -
                            
                        
                     as follows: Decode                         
                            
                                
                                    c
                                
                                -
                            
                        
                    , obtaining c ∈ R. Multiply by 3f in R/q. – View each coefficient of 3fc in R/q as an integer between −(q − 1)/2 and (q − 1)/2, and then reduce modulo 3, obtaining a polynomial e in R/3. Multiply by 1/g in R/3. Lift e/g in R/3 to a small polynomial r’ ∈ R. Compute c’, C’, K’ from r’ as in encapsulation. If r’ is t-small, c’ = c, and C’ = C, then output K’).
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claim 9 above. 

As per claims 15, 22 and 28, Bailey in view of Bernstein teaches: 
The computer-implemented method of claim 9, wherein the encrypted message data is based at least on: the public key, the third subset of the ring, and hash data including the shared key data (Bailey: page 264: 2.3 Encryption The plaintext m is a polynomial with coefficients taken mod p. Choose a random polynomial r with small coefficients. The ciphertext is e ≡ pr ∗ h + m mod q. Bernstein: Page 241: 2.3. Encapsulation. Streamlined NTRU Prime is actually a “key encapsulation mechanism” (KEM). This means that the sender takes a public key as input and produces a ciphertext and session key as output. Page 247: first 10 lines and last 20 lines: Like RSA-KEM, this construction hashes the input, in our case r, to obtain the session key). 
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claims 9, 16 and 23 above. 

As per claims 17 and 24, Bailey in view of Bernstein teaches: 
The system of claim 16, wherein the public key is based on an inverse of the first value in modulo of the second coprime integer (Bailey: page 264: 2.2 Key Generation: Choose random polynomials F, g ∈ R with small coefficients and set f =1+pF (first value). Compute the polynomial h ≡ g ∗ f−1 mod q. The public key is h), and the computer-executable instructions when executed further causing the system to: generate, based on the encrypted message data, a decrypted message data using the generated private key and the shared key based on a key decapsulation, wherein the key decapsulation is without use of the second value (Bailey: page 264: 2.4 Decryption: Compute a ≡ e ∗ f mod q, choosing the coefficients of a to satisfy A ≤ ai < A + q. The value of A is fixed and is determined by a simple formula depending on the other parameters. Then a mod p is equal to the plaintext m. Bernstein: Page 242: 2.4. Decapsulation. The receiver decapsulates a ciphertext C                        
                            
                                
                                    c
                                
                                -
                            
                        
                     as follows: Decode                         
                            
                                
                                    c
                                
                                -
                            
                        
                    , obtaining c ∈ R. Multiply by 3f in R/q. – View each coefficient of 3fc in R/q as an integer between −(q − 1)/2 and (q − 1)/2, and then reduce modulo 3, obtaining a polynomial e in R/3. Multiply by 1/g in R/3. Lift e/g in R/3 to a small polynomial r’ ∈ R. Compute c’, C’, K’ from r’ as in encapsulation. If r’ is t-small, c’ = c, and C’ = C, then output K’).
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claims 16 and 23 above. 

As per claims 20 and 27, Bailey in view of Bernstein teaches: 
The system of claim 16, the computer-executable instructions when executed further causing the system to: when an inverse of the third randomly selected value is not a part of the third subset of the ring, determine a failure of generating the decrypted message data; and provide, based on the determination of the failure, a result of the generating the encrypted message data (Bernstein: Page 242: 2.4. Decapsulation. The receiver decapsulates a ciphertext C                        
                            
                                
                                    c
                                
                                -
                            
                        
                     as follows: Decode                         
                            
                                
                                    c
                                
                                -
                            
                        
                    , obtaining c ∈ R. Multiply by 3f in R/q. – View each coefficient of 3fc in R/q as an integer between −(q − 1)/2 and (q − 1)/2, and then reduce modulo 3, obtaining a polynomial e in R/3. Multiply by 1/g in R/3. Lift e/g in R/3 to a small polynomial r’ ∈ R. Compute c’, C’, K’ from r’ as in encapsulation. If r’ is t-small, c’ = c, and C’ = C, then output K’. Otherwise output False).
The examiner provides the same rationale to combine prior arts Bailey and Bernstein as in claims 16 and 23 above. 

As per claim 21, Bailey in view of Bernstein teaches: 
The system of claim 16, the computer-executable instructions when executed further causing the system to: transmit the encrypted message data (Bailey: page 264: 2.3 Encryption The plaintext m is a polynomial with coefficients taken mod p. Choose a random polynomial r with small coefficients. The ciphertext is e ≡ pr ∗ h + m mod q. Transmitting the encrypted message to a receiving end was well known to one of ordinary skill in the art before the effective date of the claimed invention). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Research on NTRU Algorithm for Mobile Java Security by Shen et al: This paper briefly describes NTRU cryptosystem and two approaches to optimize the algorithm, such as changing forms and using low hamming weight products; the former approach simplifies both the key generation and the decryption, and the latter one increases the speed of the convolution multiplication by nearly 2 times. Experiments on the performance of enhanced NTRU-251 compared with RSA-1024 in the mobile Java device are made. Preliminary experimental results show the advantages of NTRU over RSA, such as, at the similar security level, the key size of NTRU is less than a quarter of that of RSA, and the speed of NTRU is much faster than that of RSA; the key generation is more than 200 times faster, the encryption is almost 3 times faster, and the decryption is about 30 times faster. These experimental results show the applicable prospect of NTRU in mobile Java systems.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438