E
DETAILED ACTION
This action is in response to new application filed 11/22/2019 titled “SYSTEM AND METHOD FOR DATABASE RECOVERY FOR ENCRYPTED INDEXES”. Claims 1-20 were received for consideration and are under consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-5, 8-13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Matthews et al (US 11,392714) in view of Sion et al (US 2019/0087600).

With respect to claim 1 Matthews teaches, a system comprising: a processing system that includes one or more processors; and a memory that stores computer program instructions that are executable by the processing system, the computer program instructions including: 
a query manager configured to: receive from a first client device a first query, having a decryption key, that when performed modifies an encrypted index of a database using a secure enclave that requires the decryption key for access to the encrypted index (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query and column 11 lines 12-22); and 
receive from a second client device a second query, subsequent to the first query, that is directed to the database and that has the decryption key (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query); 
an event monitor configured to: determine that events requiring remedial actions for the database have occurred; initiate a first remedial action for the database based on an event of the events that occurs subsequent to the first query and prior to the second query (see Matthews column 7 line 52 – column 8 line 3 i.e. In the example 400, a table 402 is stored as an encrypted hierarchy. The table 402 might, in an example, be encrypted at the table level, and certain rows within the table 402 might be separately encrypted, each using a distinct cryptographic key. With each row, certain of the fields might be separately encrypted at the field level. In the example 400, processing of the query is done using a partially un-encrypted table 404. The partially un-encrypted table 404 may be a copy or subset of table 402 in which at least some portions have been un-encrypted. The un-encrypted portions may be those that were referenced by clauses of the query, such as in a filtering clauses, aggregating clauses, ordering clauses, and so forth. Certain elements, such as fields whose corresponding columns are referenced only in projection clauses, or are not referenced at all, may be left encrypted or excluded from the partially un-encrypted table 404. Rows that have been excluded from the query may also be left out of the partially un-encrypted table 404); and 
Mathews does not teaches initiate, after access is enabled for the database subsequent to completion of the first remedial action, a second remedial action that utilizes the decryption key received with the second query; and a deferment manager configured to: defer one or more transactions of at least the first query or the second query based on a lock for the encrypted index being taken; and queue the one or more transactions for completion based on the lock for the encrypted index being released.
Sion teaches initiate, after access is enabled for the database subsequent to completion of the first remedial action, a second remedial action that utilizes the decryption key received with the second query (see Sion paragraph 0043-0044 i.e. Concurrency. If someone is reading from a database at the same time as someone else is writing to it, it is possible that the reader will see a half-written or inconsistent piece of data. There are several ways of solving this problem, known as concurrency control methods. The simplest way is to make all readers wait until the writer is done, which is known as a lock); and 
a deferment manager configured to: defer one or more transactions of at least the first query or the second query based on a lock for the encrypted index being taken; and queue the one or more transactions for completion based on the lock for the encrypted index being released (see Sion paragraph 0045-0046 i.e. A lock (“read lock,” “write lock,” “range lock,” and so forth) is used when multiple parties (software processes, users etc.) need to access a database concurrently. Locks prevents data from being corrupted or invalidated when these multiple parties try to read while others write to the database. Any single party can only modify those database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Locking not only provides exclusivity to writes but also prevents (or controls) reading of unfinished modifications (“uncommitted” data). A “read lock” can be used to prevent other users from reading a record which is being updated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database such as data locks. Data locks prevent data from being corrupted or invalidated when these multiple parties try to read while others write. By implementing  data locks on the database only a single party can modify the database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Since locking not only provides exclusivity to writes but also prevents reading of unfinished modifications (see Sion paragraph 0045-0046. Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management such as data locks.

With respect to claim 3 Mathews teaches the system of claim 1, wherein the first remedial action includes an accelerated database recovery action performed without the enclave (see Matthews column 7 line 52 – column 8 line 3 i.e. In the example 400, a table 402 is stored as an encrypted hierarchy. The table 402 might, in an example, be encrypted at the table level, and certain rows within the table 402 might be separately encrypted, each using a distinct cryptographic key. With each row, certain of the fields might be separately encrypted at the field level. In the example 400, processing of the query is done using a partially un-encrypted table 404. The partially un-encrypted table 404 may be a copy or subset of table 402 in which at least some portions have been un-encrypted. The un-encrypted portions may be those that were referenced by clauses of the query, such as in a filtering clauses, aggregating clauses, ordering clauses, and so forth. Certain elements, such as fields whose corresponding columns are referenced only in projection clauses, or are not referenced at all, may be left encrypted or excluded from the partially un-encrypted table 404. Rows that have been excluded from the query may also be left out of the partially un-encrypted table 404).

With respect to claim 4 Mathews teaches the system of claim 1, but does not disclose wherein the first remedial action includes at least one of: a restart of the database, the restart using another secure enclave that requires the decryption key for access to the encrypted index, a rollback action, or a recovery action.
Sion teaches wherein the first remedial action includes at least one of: a restart of the database, the restart using another secure enclave that requires the decryption key for access to the encrypted index, a rollback action, or a recovery action (see Sion paragraph 0049-0051 i.e. A transaction symbolizes a unit of work treated in a coherent and reliable way independent of other transactions. A transaction generally represents any change in database. Transactions in databases have two main purposes: [0050] a. To provide reliable units of work that allow correct recovery from failures and keep a database consistent even in cases of system failure, when execution stops (completely or partially) and many operations upon a database remain uncompleted, with unclear status. [0051] b. To provide isolation between programs accessing a database concurrently. If this isolation is not provided, the program's outcome are possibly erroneous).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database to provide reliable units of work that allow correct recovery from failures and keep a database consistent even in cases of system failure, when execution stops (completely or partially) and many operations upon a database remain uncompleted, with unclear status (See Sion paragraph 0049-0051). Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management.

With respect to claim 5 Mathews teaches the system of claim 1, wherein the second remedial action comprises an index recovery action that is configured to gain access to the encrypted index based on the decryption key received with the second query (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query).

With respect to claim 8 Matthews teaches a computer-implemented method, comprising: 
receiving from a first client device a first query, having a decryption key, that when performed modifies an encrypted index of a database using a secure enclave that requires the decryption key for access to the encrypted index (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query); 
initiating a second remedial action to recover the encrypted index (see Matthews column 7 line 52 – column 8 line 3 i.e. In the example 400, a table 402 is stored as an encrypted hierarchy. The table 402 might, in an example, be encrypted at the table level, and certain rows within the table 402 might be separately encrypted, each using a distinct cryptographic key. With each row, certain of the fields might be separately encrypted at the field level. In the example 400, processing of the query is done using a partially un-encrypted table 404. The partially un-encrypted table 404 may be a copy or subset of table 402 in which at least some portions have been un-encrypted. The un-encrypted portions may be those that were referenced by clauses of the query, such as in a filtering clauses, aggregating clauses, ordering clauses, and so forth. Certain elements, such as fields whose corresponding columns are referenced only in projection clauses, or are not referenced at all, may be left encrypted or excluded from the partially un-encrypted table 404. Rows that have been excluded from the query may also be left out of the partially un-encrypted table 404); 
receiving from a second client device a second query, subsequent to the first query and said initiating the second remedial action, that is directed to the database and that has the decryption key (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query); and 
completing the second remedial actions and the one or more transactions that were deferred (see Mathews column 12- lines 4-10 i.e. At 616, the decrypted results are provided to a client application. In some cases and embodiments, the decrypted results may be sent from the data storage and retrieval system to the client application directly, or through a client library. In other cases and embodiments, the client library decrypts the results and then provides them to the client library).
Mathews does not teach determining that an event has occurred, requiring a remedial action for the database, prior to completion of the first query; initiating a first remedial action for the database; determining that the encrypted index remains unrecovered after completion of the first remedial action; deferring one or more transactions of queries that affect the encrypted index subsequent to said determining that the event has occurred.
Sion teaches determining that an event has occurred, requiring a remedial action for the database, prior to completion of the first query; initiating a first remedial action for the database (see Sion paragraph 0049-0051 i.e. A transaction symbolizes a unit of work treated in a coherent and reliable way independent of other transactions. A transaction generally represents any change in database. Transactions in databases have two main purposes: [0050] a. To provide reliable units of work that allow correct recovery from failures and keep a database consistent even in cases of system failure, when execution stops (completely or partially) and many operations upon a database remain uncompleted, with unclear status. [0051] b. To provide isolation between programs accessing a database concurrently. If this isolation is not provided, the program's outcome are possibly erroneous); 
determining that the encrypted index remains unrecovered after completion of the first remedial action; deferring one or more transactions of queries that affect the encrypted index subsequent to said determining that the event has occurred (see Sion paragraph 0045-0046 i.e. A lock (“read lock,” “write lock,” “range lock,” and so forth) is used when multiple parties (software processes, users etc.) need to access a database concurrently. Locks prevents data from being corrupted or invalidated when these multiple parties try to read while others write to the database. Any single party can only modify those database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Locking not only provides exclusivity to writes but also prevents (or controls) reading of unfinished modifications (“uncommitted” data). A “read lock” can be used to prevent other users from reading a record which is being updated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database such as data locks. Data locks prevent data from being corrupted or invalidated when these multiple parties try to read while others write. By implementing  data locks on the database only a single party can modify the database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Since locking not only provides exclusivity to writes but also prevents reading of unfinished modifications (see Sion paragraph 0045-0046. Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management such as data locks.

With respect to claim 9 Matthews teaches the computer-implemented method of claim 8, but does not disclose wherein said initiating the second remedial action is performed in the background at least partially concurrently with the database being accessible and able to service queries. 
Sion teaches wherein said initiating the second remedial action is performed in the background at least partially concurrently with the database being accessible and able to service queries (see Sion paragraph 0153-0154 i.e. Parallel Query Processing and Transactions. Any viable system may need to allow the correct execution of queries submitted by multiple clients in parallel. Transactions submitted by multiple clients may need to be handled correctly and efficiently. ACID and strong transactional semantics are main elements of the value proposition of a modern database and any secure DBMS may need to at least offer the ability to run with different transactional semantics).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement parallel query processing on query transactions by multiple clients in parallel submitted by multiple clients may need to be handled correctly and efficiently to improve the database efficacy (See Sion paragraph 0153-0154). Therefore one would have been motivated to have implement parallel query processing.

With respect to claim 10 Matthews teaches the computer-implemented method of claim 8, but does not disclose wherein the first remedial action includes at least one of: a restart of the database, the restart using another secure enclave that requires the decryption key for access to the encrypted index, a rollback action, or a recovery action.
Sion teaches wherein the first remedial action includes at least one of: a restart of the database, the restart using another secure enclave that requires the decryption key for access to the encrypted index, a rollback action, or a recovery action (see Sion paragraph 0049-0051 i.e. A transaction symbolizes a unit of work treated in a coherent and reliable way independent of other transactions. A transaction generally represents any change in database. Transactions in databases have two main purposes: [0050] a. To provide reliable units of work that allow correct recovery from failures and keep a database consistent even in cases of system failure, when execution stops (completely or partially) and many operations upon a database remain uncompleted, with unclear status. [0051] b. To provide isolation between programs accessing a database concurrently. If this isolation is not provided, the program's outcome are possibly erroneous).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database to provide reliable units of work that allow correct recovery from failures and keep a database consistent even in cases of system failure, when execution stops (completely or partially) and many operations upon a database remain uncompleted, with unclear status (See Sion paragraph 0049-0051). Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management.


With respect to claim 11 Matthews teaches the computer-implemented method of claim 8, wherein the second remedial action comprises an index recovery action that is configured to gain access to the encrypted index based on the decryption key received with the second query (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query).

With respect to claim 12 Matthews teaches the computer-implemented method of claim 8, but does not disclose wherein said deferring one or more transactions of queries comprises at least one of deferring based at least on recovery of the encrypted index requiring the decryption key.
Sion teaches wherein said deferring one or more transactions of queries comprises at least one of deferring based at least on recovery of the encrypted index requiring the decryption key (see Sion paragraph 0045-0046 i.e. A lock (“read lock,” “write lock,” “range lock,” and so forth) is used when multiple parties (software processes, users etc.) need to access a database concurrently. Locks prevents data from being corrupted or invalidated when these multiple parties try to read while others write to the database. Any single party can only modify those database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Locking not only provides exclusivity to writes but also prevents (or controls) reading of unfinished modifications (“uncommitted” data). A “read lock” can be used to prevent other users from reading a record which is being updated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database such as data locks. Data locks prevent data from being corrupted or invalidated when these multiple parties try to read while others write. By implementing  data locks on the database only a single party can modify the database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Since locking not only provides exclusivity to writes but also prevents reading of unfinished modifications (see Sion paragraph 0045-0046. Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management such as data locks.

	With respect to claim 13 Matthews teaches the computer-implemented method of claim 12, wherein said completing the one or more transactions comprises completing the one or more transactions based on at least one of: the recovered encrypted index that was recovered utilizing the decryption key received with the second query; or invalidating the encrypted index and forcing completion of the one or more transactions (see Matthews column 7 line 52 – column 8 line 3 i.e. In the example 400, a table 402 is stored as an encrypted hierarchy. The table 402 might, in an example, be encrypted at the table level, and certain rows within the table 402 might be separately encrypted, each using a distinct cryptographic key. With each row, certain of the fields might be separately encrypted at the field level. In the example 400, processing of the query is done using a partially un-encrypted table 404. The partially un-encrypted table 404 may be a copy or subset of table 402 in which at least some portions have been un-encrypted. The un-encrypted portions may be those that were referenced by clauses of the query, such as in a filtering clauses, aggregating clauses, ordering clauses, and so forth. Certain elements, such as fields whose corresponding columns are referenced only in projection clauses, or are not referenced at all, may be left encrypted or excluded from the partially un-encrypted table 404. Rows that have been excluded from the query may also be left out of the partially un-encrypted table 404.).

With respect to claim 15 Mathews teaches the computer-implemented method of claim 8, further comprising: disabling access to the database subsequent to the event and prior to completion of the first remedial action; and enabling access to the database subsequent to the completion of the first remedial action (see Matthews column 7 line 52 – column 8 line 3 i.e. In the example 400, a table 402 is stored as an encrypted hierarchy. The table 402 might, in an example, be encrypted at the table level, and certain rows within the table 402 might be separately encrypted, each using a distinct cryptographic key. With each row, certain of the fields might be separately encrypted at the field level. In the example 400, processing of the query is done using a partially un-encrypted table 404. The partially un-encrypted table 404 may be a copy or subset of table 402 in which at least some portions have been un-encrypted. The un-encrypted portions may be those that were referenced by clauses of the query, such as in a filtering clauses, aggregating clauses, ordering clauses, and so forth. Certain elements, such as fields whose corresponding columns are referenced only in projection clauses, or are not referenced at all, may be left encrypted or excluded from the partially un-encrypted table 404. Rows that have been excluded from the query may also be left out of the partially un-encrypted table 404).

Claim(s) 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Matthews et al (US 11,392714) in view of Sion et al (US 2019/0087600) in view of Thomsen (US 2020/0241968).
With respect to claim 16 Mathews teaches a computer-readable storage medium having program instructions recorded thereon that, when executed by a processing device, perform a method, the method comprising: 
receiving from a first client device a first query, having a decryption key, that when performed modifies an encrypted index of a database using a secure enclave that requires the decryption key for access to the encrypted index (see Matthews figure 6 step 604 and column 10 lines 4-26 i.e. At 604, the data storage and retrieval system obtains a request to query the collection of data. In some cases, the request is obtained from a client device executing a client library module, such as the client library 102 depicted in FIG. 1. In other cases, the request is generated, retrieved from storage, read from a message queue, read from a buffer, or otherwise obtained by similar operations. The query provides instructions, definitions, or other information indicative of the set of data to retrieve from the hierarchically encrypted collection of data. Further, the query comprises information indicative of the cryptographic keys that are needed to process the query and column 11 lines 12-22); 
determining that an event has occurred that requires a first remedial action for the database; initiating the first remedial action for the database and the encrypted index (see Matthews column 7 line 52 – column 8 line 3 i.e. In the example 400, a table 402 is stored as an encrypted hierarchy. The table 402 might, in an example, be encrypted at the table level, and certain rows within the table 402 might be separately encrypted, each using a distinct cryptographic key. With each row, certain of the fields might be separately encrypted at the field level. In the example 400, processing of the query is done using a partially un-encrypted table 404. The partially un-encrypted table 404 may be a copy or subset of table 402 in which at least some portions have been un-encrypted. The un-encrypted portions may be those that were referenced by clauses of the query, such as in a filtering clauses, aggregating clauses, ordering clauses, and so forth. Certain elements, such as fields whose corresponding columns are referenced only in projection clauses, or are not referenced at all, may be left encrypted or excluded from the partially un-encrypted table 404. Rows that have been excluded from the query may also be left out of the partially un-encrypted table 404); 
Mathews does not teach determining that the database is restarted and is without access to any secure enclave; initiating a second remedial action for the encrypted index, that includes invalidating the encrypted index for the database, based on the encrypted index being unrecovered by the first remedial action; and completing the second remedial action.

Thomsen teaches determining that the database is restarted and is without access to any secure enclave; (see Thomsen paragraph 0042 i.e. The persistence layer 346 is responsible for durability and atomicity of transactions. The persistence layer 346 can ensure that the database system 105 is restored to the most recent committed state after a restart and that transactions are either completely executed or completely undone).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Thomsen to restored the database to the most resent state by using  a recovery log can comprise a log of all changes to the database system 105 since the last system savepoint, such that when a database server is restarted, its latest state is restored by replaying the changes from the recovery log on top of the last system savepoint (see Thomsen paragraph 0046). 
Therefore one would have been motivated to have used system savepoint.
Mathews in view of Thomsen does not teach initiating a second remedial action for the encrypted index, that includes invalidating the encrypted index for the database, based on the encrypted index being unrecovered by the first remedial action; and completing the second remedial action.
Sion teaches initiating a second remedial action for the encrypted index, that includes invalidating the encrypted index for the database, based on the encrypted index being unrecovered by the first remedial action (see Sion paragraph 0043-0044 i.e. Concurrency. If someone is reading from a database at the same time as someone else is writing to it, it is possible that the reader will see a half-written or inconsistent piece of data. There are several ways of solving this problem, known as concurrency control methods. The simplest way is to make all readers wait until the writer is done, which is known as a lock); and 
and completing the second remedial action (see Sion paragraph 0045-0046 i.e. A lock (“read lock,” “write lock,” “range lock,” and so forth) is used when multiple parties (software processes, users etc.) need to access a database concurrently. Locks prevents data from being corrupted or invalidated when these multiple parties try to read while others write to the database. Any single party can only modify those database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Locking not only provides exclusivity to writes but also prevents (or controls) reading of unfinished modifications (“uncommitted” data). A “read lock” can be used to prevent other users from reading a record which is being updated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database such as data locks. Data locks prevent data from being corrupted or invalidated when these multiple parties try to read while others write. By implementing  data locks on the database only a single party can modify the database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Since locking not only provides exclusivity to writes but also prevents reading of unfinished modifications (see Sion paragraph 0045-0046. Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management such as data locks.

With respect to claim 17 Mathews teaches the computer-readable storage medium of claim 16, wherein the method comprises: initiating a restore operation on the database as a part of the first remedial action prior to said restarting.
Thomsen teaches wherein the method comprises: initiating a restore operation on the database as a part of the first remedial action prior to said restarting (see Thomsen paragraph 0042 i.e. The persistence layer 346 is responsible for durability and atomicity of transactions. The persistence layer 346 can ensure that the database system 105 is restored to the most recent committed state after a restart and that transactions are either completely executed or completely undone).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Thomsen to restored the database to the most resent state by using  a recovery log can comprise a log of all changes to the database system 105 since the last system savepoint, such that when a database server is restarted, its latest state is restored by replaying the changes from the recovery log on top of the last system savepoint (see Thomsen paragraph 0046). 
Therefore one would have been motivated to have used system savepoint.

	
With respect to claim 18 Mathews teaches the computer-readable storage medium of claim 16, but does not teaches wherein said initiating a second remedial action comprises, prior to invalidating the encrypted index: taking a lock on the encrypted index; and deferring a transaction for the first query, or for a second query after the first query, that affects the encrypted index subsequent to taking the lock.
Sion teaches wherein said initiating a second remedial action comprises, prior to invalidating the encrypted index: taking a lock on the encrypted index; and deferring a transaction for the first query, or for a second query after the first query, that affects the encrypted index subsequent to taking the lock (see Sion paragraph 0045-0046 i.e. A lock (“read lock,” “write lock,” “range lock,” and so forth) is used when multiple parties (software processes, users etc.) need to access a database concurrently. Locks prevents data from being corrupted or invalidated when these multiple parties try to read while others write to the database. Any single party can only modify those database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Locking not only provides exclusivity to writes but also prevents (or controls) reading of unfinished modifications (“uncommitted” data). A “read lock” can be used to prevent other users from reading a record which is being updated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database such as data locks. Data locks prevent data from being corrupted or invalidated when these multiple parties try to read while others write. By implementing  data locks on the database only a single party can modify the database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Since locking not only provides exclusivity to writes but also prevents reading of unfinished modifications (see Sion paragraph 0045-0046. Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management such as data locks.

With respect to claim 19 Mathews teaches the computer-readable storage medium of claim 16, but does not disclose wherein the method comprises: completing the transaction without the encrypted index subsequent to said invalidating the encrypted index; or discarding the transaction.
Sion teaches discarding the transaction (see Sion paragraph 0059 i.e. Deadlock. A deadlock happens when two transactions A and B aim to update two rows of information but in the opposite order, such as if A updates row 1 then row 2 in the exact timeframe that B updates row 2 then row 1. In such a circumstance, A can't finish updating row 2 until B is finished, but B cannot finish updating row 1 until A is finished. No matter how much time is allowed to pass, this situation will never resolve itself. Because of this, a DBMS will typically kill the transaction that has done the least amount of work).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mathews in view of Sion to have used Sion datebase management systems (DBMS) to implement transaction management on the database such as data locks. Data locks prevent data from being corrupted or invalidated when these multiple parties try to read while others write. By implementing  data locks on the database only a single party can modify the database records (items in the database) for which it has “acquired” a lock that gives them exclusive access to the record until the lock is released. Since locking not only provides exclusivity to writes but also prevents reading of unfinished modifications but with data locks a deadlock can happen in which two transactions A and B aim to update two rows of information but in the opposite order, such as if A updates row 1 then row 2 in the exact timeframe that B updates row 2 then row 1. In such a circumstance, A can't finish updating row 2 until B is finished, but B cannot finish updating row 1 until A is finished. No matter how much time is allowed to pass, this situation will never resolve itself. Because of this, a DBMS will typically kill the transaction that has done the least amount of work (see Sion paragraph 0045-0046. Therefore one would have been motivated to have used Sion datebase management systems (DBMS) to implement transaction management such as data locks.

With respect to claim 20 Mathews teaches the computer-readable storage medium of claim 16, wherein the method comprises deleting the invalidated encrypted index (see Mathews column 5 lines 27-33 i.e. The un-encrypted index 114 may be stored in the cache 108 while the data storage and retrieval system 100 is operative. In some embodiments, the un-encrypted index may be re-encrypted and stored on the storage device. The re-encryption may use keys corresponding to those used to encrypt corresponding portions of the encrypted hierarchy, or with one or more new keys).


Allowable Subject Matter
Claims 2, 6, 7 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
With respect to claim 2 the prior art does not teach the system of claim 1, further comprising: an access manager configured to: disable access to the database subsequent to the event and prior to completion of the first remedial action; take the lock for the encrypted index subsequent to the event based at least on a determination that the first remedial action was unable to recover the encrypted index; enable access to the database subsequent to the completion of the first remedial action; and release the lock for the encrypted index sequent to completion of the second remedial action.
With respect to claim 6 the prior art does not teach the system of claim 1, wherein the event monitor is configured to: determine that the first remedial action was unable to recover the encrypted index; and provide a status signal representative of the encrypted index being unrecovered to an index validator configured to mark the encrypted index as invalid in the database based at least on a determination that the first remedial action was unable to recover the encrypted index.
With respect to claim 7 the prior art does not teach the system of claim 1, wherein the query manager is configured to perform via a virtual machine instance: the second query on the database using another secure enclave and the decryption key received with the second query; and the second remedial action to recover the encrypted index.
With respect to claim 14 the prior art does not teach the computer-implemented method of claim 8, further comprising: performing calls for the encrypted index to the database using the secure enclave via a virtual machine instance.

Prior Art
	Newman (US 10,158,483) titled “Systems And Methods For Efficiently And Securely Storing Data In A Distributed Data Storage System”
	Hirano et al (US 2021/0081532) titled “DATA PROCESSING APPARATUS, DATA PROCESSING METHOD, AND COMPUTER READABLE MEDIUM” teaches An encrypted index bit sequence generation unit generates a bit sequence to be used as an index in searching for encrypted data to be stored in a data center apparatus as an index bit sequence, associating the index bit sequence with the encrypted data.
	Hardy-Francis (US 2021/0224242) titled “SYSTEMS AND METHODS FOR INDEXING AND SEARCHING DATA” teaches in some embodiments, index data may be stored at the remote server in encrypted form. During a search operation, some of the index data may be sent to the local device in encrypted form, and the local device may decrypt the index data prior to searching.
	Elovici et al (US 8,639,947) titled “Structure Preserving Database Encryption Method And System”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492