DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action responds to the communication dated 07/04/2022 and submitted by the Representative for the Applicant (Applicant).
Claims 12 and 22 have been amended, no claims canceled, and no claims added.
Claims 12-22 are submitted for examination.
Claims 12-22 are currently pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments
Applicant’s remark, filed on July 04, 2022, has claims 12 and 22 amended, and all other claims previously presented. Among the amended claims, claims 12 and 22 are independent ones.
Applicant’s remark, filed on July 04, 2022 at page 5, asserts, “Under section 15 of the office action, independent claims 12 and 22 were rejected because according to the Examiner they failed to particularly point out and distinctly claim the subject matter under 35 USC 112(b). The subject matter referenced has been deleted by the present amendment. The objection is therefore moot. The same argument holds for claims 13-21.” 
Applicant's arguments, filed July 04, 2022, have been fully considered, and they are persuasive. Thus, rejection under 35 U.S.C. §112(b) is withdrawn.
Applicant’s remark, filed on July 04, 2022at page 6-9, asserts, “The Examiner notes in the last paragraph of page 11 of the Office Action that the operation “*” is not explicitly defined in the claim. However, under the current amendment, the operation "*" is defined to denote multiplication. Hence, d' of Coron cannot be written in the form k0 * k1 (here k0 and k1 fulfil the role of k1 and k2 according to the Examiner), since it is written as d + ((r+1)*kl + k0)*phi(N). Also, for the two random positive integers k0 and k1, it is not disclosed in Coron that these are strictly smaller than the order of the group element G and generated due to a cryptographically secure random number generator, such that the generated random positive integers k0 and k1 do not share any divisor with the order n other than 1. Furthermore, it is not disclosed in Coron that the generated random positive integers k0 and k1 are completely uncorrelated from the secret value. The randomized exponents d0 and dl depend on the private exponent d. Hence, the randomized exponents d0 and d1 cannot be the random positive integers k1 and k2 from claim 12, since the generated random positive integers k1 and k2 need to be completely uncorrelated from the secret value k. Hence, this claim feature is not disclosed anywhere in Coron, nor in any of the other cited prior art. Already for this reason, the invention is patentable. … It is respectfully submitted again following the interview that the combined teachings of the references would not have suggested the claimed invention in any way. This is because the Examiner, using hindsight, seemingly cherry-picks from different embodiments that are totally unrelated in subject within the broader field of cryptography, even selecting specific parameters with completely different functions from these different embodiments, and arguing that it would have been obvious to features disclosed in different embodiments for different parameters to one of these specific parameters. There is no reason for such a combination, since the subject and purpose of these embodiments are different, and indeed the meaning and purpose of the parameters are different. It is thus seemingly incorrect to combine these different embodiments, with seemingly no regard for the specific context from which they came, nor any specific pointers to combine. … In conclusion, claim 12 is non-obvious over the prior art. Since claims 13-21 depend on claim 12, and claim 12 is non-obvious over the prior art, also claims 13-21 are non-obvious over the prior art. Furthermore, claim 22 is non-obvious over the prior art according to a similar argument as was given for claim 12 above. In conclusion, all presently presented claims are non-obvious over the prior art. Applicant thus respectfully requests favorable consideration and withdrawal of the rejection under 35 U.S.C. §103. No other rejections are presently known.”
Applicant's arguments have been fully considered, and they are persuasive. However, a new ground of rejection is made based on a newly identified prior-art reference with the previously applied ones, as set forth below.
Specifically, the newly identified reference by Boscher discloses a method in which two random numbers R0 and R1 are generated in order to randomized a secret exponent. Page 4 of the newly applied reference by Bosher shows the algorithm that is used to prove that the randomization process of the exponent has been a success and does not have errors. The algorithm indicates the multiplication of R0 and R1 and the result of the multiplication is used to compare to a value A.  If they are equal, the result is error-free. Thus, examiner submits that the newly identified prior-art reference by Bosher teaches the newly amended claim limitation, “k' = k1 * k2 wherein the operation “*” denotes multiplication”.
In addition, the reference by Coron teaches a method for protecting an electronic device against a side channel attack scrutinizing the physical behavior of the electronic device while it executes a cryptographic algorithm in order to crack the value of a secret parameter used by the cryptographic algorithm. Column 2, lines 44-49 (Parag. [0005]) describes that the proposed algorithm is effective against a side channel attack.  In addition, Coron discloses that the invention could be implemented using different cryptographic algorithms (RSA, Diffie Hellman, or DSA) which involve exponentiation with a secret value or parameter and also could be use with Elliptic Curves (ECC) which involve a point multiplication with a secret value or parameter (See Col. 1, lines 3-11).  Thus, Examiner respectfully traverses Applicant’s argument that Coron simply teaches two embodiments (A and B, as identified by Applicant) that do not provide relationship and cannot be simply combined.  With the teaching described by Coron, the method is particularly useful against side-channel attacks.  Please also refer to the detailed rejection below.
The Examiner further respectfully submits that Struik and Gomez do not change the principle of operation of the primary reference or render the reference inoperable for its intended purpose. See MPEP § 2143.01. The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference by Coron. Rather, the test is what the combined teachings of those references would have suggested to those of ordinary skill in the art.” In re Keller, 642 F.2d 413, 425, 208 USPQ 871, 881 (CCPA 1981). See also In re Sneed, 710 F.2d 1544, 1550, 218 USPQ 385, 389 (Fed. Cir. 1983). It is not necessary that the inventions of the references be physically combinable to render obvious the invention under review.”; and In re Nievelt, 482 F.2d 965, 179 USPQ 224, 226 (CCPA 1973). Combining the teachings of references Coron in view of Struik and Gomez does not involve an ability to combine their specific structures. Thus, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore, prior arts must be considered in entirely, including discloses that teach away from the claims, MPEP §2143.01-02. Thus, the claimed invention as a whole was at least prima facie obvious.
Examiner, therefore, respectfully submits that the references previously applied still render the amended independent claim 1, obvious.
Applicant further recites similar remarks as listed above for independent claim, 22. Please see response for remarks above in item 12, which address how the combination of prior-art references by Coron, Struik and Gomez would render the claimed limitations obvious.
Applicant further recites similar remarks as listed above for dependent claims, 13-21. Please see response for remarks above in item 12, which address how the combination of prior-art references by Coron, Struik and Gomez would render the claimed limitations obvious.  
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 12–22 are rejected under 35 U.S.C. 103 as being unpatentable over Coron (EP
2326041 A1) in view of Struik et al. (US 2014/0344579) hereinafter Struik and in further
view of Gómez (2013, Introduction to Cryptography with Maple. Springer, Berlin,
Heidelberg; ISBN 978-3-642-32166-5) and Boscher et al. (US 2009/0097637) hereinafter Boscher.
As per Claim 12, Coron teaches a method, implemented in a computing device (Coron, Col. 1, lines 3-5; “The invention relates to electronic devices implementing cryptographic algorithms involving a secret parameter.” … Col. 3, lines 48-53; “The electronic device could also be a computing device such as a conventional personal computer, a conventional (non security) server, a mobile phone, a PDA, or any electronic device not designed specifically for security but able to implement a cryptographic algorithm.”), to generate a protected secret value k’ used as a second operand in a cryptographic group operation (Coron, Col. 11, lines 38 - 46; “In the case of ECC, n being the number of points of the elliptic curve concerned (a.k.a the order of the group), dd being the secret parameter (the private key to protect), the operation Q=dd*P (P being a point of the elliptic curve) is replaced by the operation Q=dd’*P, wherein dd’ is a randomized private key. The randomized private key dd’ can be computed from a previously randomized private key for example as follows: dd’=dd’+kk*n, wherein kk is a random integer”) [involving a base group element G of an order n that has to be combined with a secret value k], the method comprising:
generating random positive integers k1 and k2 in the computing device, [that are strictly smaller than the order of the group element G due to a cryptographically secure random number generator], such that the generated random positive integers k1 and k2 [do not share any divisor with the order n other than 1] (Coron, Col. 10, lines 10 - 12; “The electronic devices initially generates two random integers k0 and k1 (k0 and k1 are positive integers),”);
[generating the protected secret value k' in the computing device based on the generated random positive integers as k' = k1 * k2 wherein the operation “*” denotes multiplication, the protected secret value k ' being used as a second operand in the group operation];
wherein the secret value k, which is protected by using the protected secret value k’ instead of the secret value in the cryptographic group operation (Coron, Col. 2, lines 44-49; “Then the randomized exponent d’ is used to perform the exponentiation instead of the original private exponent d. This makes a side channel attack against the exponentiation algorithm a lot more difficult since a different randomized exponent d’ is used for each new exponentiation.” … Col. 7, lines 2-9; “compute the initial randomized exponents (e.g. just after computing the third signature, or just before computing the fourth one), so that when the PKI card is requested to compute a digital signature for the fourth time with this specific credential (the RSA private key which exponent has to be protected), it would do it with a randomized parameter (randomized exponent in this case) instead of the "real" (original) secret parameter.” Examiner submits that the original exponent d corresponds to the secret value k and the randomized exponent d’ is equivalent to de protected values k’.), [is obtained by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G]; and
wherein the generated random positive integers k1 and k2 are uncorrelated from the secret value k, (Coron, Col. 10, lines 9-12; “The randomized exponent d’ is computed as follows. The electronic devices initially generate two random integers k0 and k1 (k0 and k1 are positive integers).” Examiner submits that Coron shows that the secret value d (i.e., the claimed value, k) is not utilized or necessary to generate the two random positive integers, K0 and k1. The generation of the two integers is related to the value of d’ (i.e., the value of k‘)),such that the secret value k is protected from being attacked through exploiting side-channel leakages (Coron, Col. 2, lines 44-49; “Then the randomized exponent d’ is used to perform the exponentiation instead of the original private exponent d. This makes a side channel attack against the exponentiation algorithm a lot more difficult since a different randomized exponent d’ is used for each new exponentiation.” … Col. 7, lines 2-9; “compute the initial randomized exponents (e.g. just after computing the third signature, or just before computing the fourth one), so that when the PKI card is requested to compute a digital signature for the fourth time with this specific credential (the RSA private key which exponent has to be protected), it would do it with a randomized parameter (randomized exponent in this case) instead of the "real" (original) secret parameter.” Examiner submits that the original exponent d is equivalent to the claimed secret value, k, and the randomized exponent d’ is equivalent to the claimed protected value, k’.).
Coron does not expressly teach:
… operation involving a base group element G of an order n that has to be combined with a secret value k;
integers … that are strictly smaller than the order of the group element G due to a cryptographically secure random number generator, such that the …  integers … do not share any divisor with the order n other than 1; and
generating the protected secret value k' in the computing device based on the generated random positive integers as k' = k1 * k2 wherein the operation “*” denotes multiplication, the protected secret value k ' being used as a second operand in the group operation;
wherein the secret value k, …, is obtained by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G.
However, Struik teaches:
… operation involving a base group element G of an order n that has to be combined with a secret value k (Struik, Parag. [0010-0011]; “In an elliptic curve cryptosystem, the analogue to exponentiation is point multiplication. Thus, it is a private key is an integer k, the corresponding public key is the point kP, where P is a predefined point on the curve that is part of the system parameters. … One such algorithm is the Elliptic Curve Digital Signature Algorithm (ECDSA) used to generate digital sig natures on messages exchanged between entities. Entities using ECDSA have two roles, that of a signer and that of a Verifier. A signer selects a long term private key d, which is an integer d between 1 and n-1 inclusive. The integer d must be secret, so it is generally preferable to choose d at random.” … Parag. [0043]; “The parameters of the system are known to each party including the field over which the curve is defined (in the present example Fp where p is a prime), the underlying curve, E, the generator point G that generates the elements that form the group in which crypto operations are performed and therefore defines the order, n, of the group.”), and 
integers … that are strictly smaller than the order of the group element G (Struik, Parag. [0047]; “The correspondent 14 also computes a pair of integers w and z using an iterative algorithm such that the maximum bit lengths of w and z are each less than the maximum bit length of the elements of the group”) due to a cryptographically secure random number generator, such that the …  integers … do not share any divisor with the order n other than 1 (Struik, Parag. [0093]; “In the DSA setup, p is a large prime, and q is smaller prime and q is a divisor of (p-1). An integer g is chosen such that gq = 1 mod p, and 1<g<p. (Note that q and g correspond to n and G, respectively, from ECDSA).”).
Coron and Struik are form a similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing protection to secret values, messages and digital signatures.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Struik system into Coron system, with a motivation to provide computational techniques used in cryptographic algorithms (Struik, Parag. [0002]).
The combination of Coron and Struik does not expressly teach:
wherein the secret value k, …, is obtained by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G.
However, Gómez teaches:
wherein the secret value k, …, is obtained by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G (Gómez, Section 8.3.4.5, pages 455 – 456; “Multiplying by the inverse of e ∈ 𝒁*𝝋(𝒏) we obtain that d1 ≡ d’(mod φ(n)). Since discrete logarithms in the group 𝒁*𝒏 are defined modulo the group order, namely φ(n), we see that the exponents d1 and d’1 indeed define the same exponentiation function.”; Examiner submits that modular reduction involves the modulo operation on the secret value with the order n).
Coron, Struik and Gomez are form a similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing protection to secret values, messages and digital signatures.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gómez system into Coron–Struik system, with a motivation to enable secure communication between two parties that do not have to share a common secret key based on the Diffie-Hellman protocol for designing an encryption scheme in which it is computationally infeasible to find the decryption algorithm from the encryption one (Gómez, Section 8.1, page 419, Parag. [0001]).
The combination of Coron, Struik and Gomez does not expressly teach:
generating the protected secret value k' in the computing device based on the generated random positive integers as k' = k1 * k2 wherein the operation “*” denotes multiplication, the protected secret value k ' being used as a second operand in the group operation
However, Boscher teaches:
generating the protected secret value k' in the computing device based on the generated random positive integers as k' = k1 * k2 wherein the operation “*” denotes multiplication, the protected secret value k ' being used as a second operand in the group operation (Boscher, Parag. [0032]; “The random number R can be utilized to set an initial value for a variable R0 (e.g., R0=R), and the inverse of the random number can be utilized to set an initial value for a variable R1 (e.g., R1 =R(-1)). Further, another variable, A, can be set to the value of the message g. The randomized exponentiation component 104 can perform right-to-left exponentiation of the exponent, where the exponent bits can be scanned from d(0) to d(m-1). When the exponent bit is equal to a1, the exponentiation component can utilize the value of R0 for the current iteration, where R0 can be initially set to the value of the random number, and can multiply the variable A by R0, which can then be the new value for R0. When the exponent bit is equal to a 0, the randomized exponentiation component 104 can utilize the value of R1 for the current iteration, where R1 can be initially set to the value of the inverse of the random number, and can multiply the variable A by R1, which can then be the new value for R1. The calculations can be continued until all iterations are complete such that all bits of the exponent have been Scanned. Once the calculations have been performed with regard to all of the bits of the exponent, the exponentiation component can facilitate determining whether the calculations are free of error, which can facilitate protecting the data and exponent from fault attacks. For example, the exponentiation component can determine whether the value of the product of R0*R1 g is equivalent to the value of variable A for the last iteration. If so, the exponentiation component can provide an output, which can be the value of the product of the R0*R(-1), where R0 can be the value of R0 for the last iteration, and can have a value of g, where the received input of the exponentiation component is a message g and an exponent d. The output can be a decrypted message and/or a digital signature, for example. However, if the value of the product of R0*R1*g is not equivalent to the value of variable A, then the exponentiation component can determine that there was a fault or an error in the exponentiation and the cryptographic component can provide an output of "error” or alternatively can provide no output, for example.”)
Coron, Struik, Gomez and Boscher are form a similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing protection to secret values, messages and digital signatures.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Boscher system into Coron–Struik-Gomez system, with a motivation to randomized exponentiation component that facilitates decryption of data and/or generation of digital signatures by exponentiating exponents associated with messages. A random number is generated and utilized to randomize the value of a message. After an exponentiation is performed on the randomized message value, intermediate results can be analyzed to determine if there was error in the exponentiation. (Boscher, Abstract).

As per Claim 13, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 12. Struik further teaches: wherein the generated random positive integers k1, k2 have a length strictly smaller than the bit-length of the order n of the base group element G (Struik, Parag. [0047]; “The correspondent 14 also computes a pair of integers w and z using an iterative algorithm such that the maximum bit lengths of w and z are each less than the maximum bit length of the elements of the group”).

As per Claim 14, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 12. Gómez further teaches: wherein the protected secret value k' is used as at least one secret parameter in a Diffie-Hellman protocol (Gómez, Sect. 7.2.1, Definition 7.3; “As a first step, Alice and Bob agree on a cyclic group G of order t, equipped with an efficiently computable group law, and also agree on a generator g of G. These parameters are public and may be generated by one of the parties and sent to the other through the public channel. Then the protocol runs as follows:
1. Alice chooses x←Zt uniformly at random, computes u=gx∈G and sends u to
Bob.
2. Bob chooses y←Zt uniformly at random, computes v=gy∈G and sends v to
Alice.
3. Alice computes k=vx∈G.
4. Bob computes k=uy∈G.
After the protocol is run, Alice and Bob agree on using the common key k. The protocol is correct because vx=(gy)x= gxy= (gx)y= uy and this common value is the key k.”).

As per Claim 15, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 14. Gómez further teaches: wherein the protected secret value k' is used as at least one secret parameter in Diffie-Hellman protocol implemented over the group of integers modulo a prime number p = 2 * q + 1 , wherein q is also a prime number (Gómez, section 7.2.3, Groups for the DH Protocol; “Thus one of the preferred solutions to implement the protocol is to ensure that this group has prime order, something that happens if we take p to be a safe prime which, as seen in Sect. 6.3, is a prime of the form p=2q+1, where q is also prime (q is then a Sophie Germain prime). Then the group of quadratic residues modulo p has prime order equal to q and so it has the advantages we have just mentioned.”);

As per Claim 16, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 14. Gómez further teaches: wherein the protected secret value k' is used as at least one secret parameter in Diffie-Hellman protocol implemented over the group of integers modulo a prime number p = m * q + 1 , wherein q is also a prime number and m is a positive integer (Gómez, section 7.2.3, Groups for the DH Protocol; “A variant of the “safe prime method” consists of taking a prime p of the form p=rq+1 where q is also prime with, say, q>p1/10, and finding an element g of order q in Z∗p, to work in the subgroup ⟨g⟩ of Z∗p.”).

As per Claim 17, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 14. Gómez further teaches: wherein the protected secret value k' is used as at least one secret parameter in Diffie- Hellman protocol implemented over the group of points on an elliptic curve defined over a finite field (Gomez, Section 11.4.4, Elliptic Curve Encryption; “ECIES is a hybrid encryption scheme in which a Diffie–Hellman protocol is used to derive two symmetric keys k1, k2. The first of them is used to encrypt the plaintext with a symmetric encryption scheme and the second is used to authenticate the resulting ciphertext with a MAC. Thus, in addition to the EC domain parameters (p, a, b, G, n, h), the following cryptographic primitives are also required: • An encryption function Ek and a decryption function Dk corresponding to a private-key encryption scheme such as AES.”).

As per Claim 18, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 12. Struik further teaches: wherein the protected secret value k' is used as a secret random integer in an ECDSA signature scheme. (Struik, Parag. [0011]; “One such algorithm is the Elliptic Curve Digital Signature Algorithm (ECDSA) used to generate digital signatures on messages exchanged between entities. … A signer selects a long term private key d, which is an integer d between 1 and n-1 inclusive. The integer d must be secret, so it is generally preferable to choose d at random.”).

As per Claim 19, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 12. Gómez further teaches: wherein the protected secret value k' is used as a secret random value in a digital signature scheme involving at least one cryptographic group operation between a base element of order n and the protected secret value k’ (Gómez, section 11.4.2.2, The security of ECDSA; “The ECDSA private key can be recovered from the corresponding public key by solving a DL problem, so hardness of this problem in the subgroup of order n generated by G is an obvious necessary condition for the scheme to be secure. Another necessary condition is that the “ephemeral key” k generated by the signing algorithm be truly random.”).

As per Claim 20, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 12. Gómez further teaches: wherein the protected secret value k' is used as a secret random value in a public - key signature scheme involving at least one cryptographic group operation between a base element of order n and the protected value k’ (Gómez, Section 8.3.2, Plain RSA; “Plain RSA is the public-key encryption scheme RSA = (Gen, Enc, Dec) defined by the following algorithms:
• Gen: On input 1k, run the RSA instance generator to obtain (n, e, d) ← GenRSA.
Then set pk := (n, e) and sk := (n, d). The output of the algorithm is then
(pk, sk) ← Gen(1k ), where pk is the public key and sk is the private key.
• Enc: On input a public key pk = (n, e) and a message m ∈ Zn (Zn is the plaintext
space associated with the modulus n), compute the ciphertext:
c := Enc(pk,m) = RSA(n,e)(m) = me mod n ∈ Zn.
• Dec: On input a private key sk = (n, d) and a ciphertext c ∈ Zn, compute the
message:
m := Dec(sk, c) = RSA(n,d)(c) = cd mod n ∈ Zn.”).
As in other public-key encryption schemes, each user should run Gen to obtain her public and private keys or, alternatively, these keys may be obtained from a trusted third party. As already mentioned, n is called the RSA modulus and, similarly, e is the encryption exponent and d is the decryption exponent. Sometimes the primes p, q used by GenRSA to build the modulus n = pq are considered as part of the private key because, as we will see, they can be used to speed up decryption. This is a convenience issue but the primes are not necessary for decryption so they can also be discarded after running Gen. On the other hand, the only part of the private key (n, d) that must remain secret is the decryption exponent d, as the modulus is also part of the public key. Because of this it can also be considered that the private key is just d.”).

As per Claim 21, the combination of Coron, Struik, Gómez and Boscher teaches a method of claim 12. Struik further teaches: wherein the protected value k' is used as a secret random value in a public - key encryptions scheme (Struik, Parag. 0010]; “In an elliptic curve cryptosystem, the analogue to exponentiation is point multiplication. Thus it is a private key is an integer k, the corresponding public key is the point kP, where P is a predefined point on the curve that is part of the system parameters. The seed point P will typically be the generator G.”) involving at least one cryptographic group operation between a base element of order n and the protected value k’ … Parag. [0043]; “the generator point G that generates the elements that form the group in which crypto operations are performed and therefore defines the order, n, of the group”).

As per Claim 22, A computing device (Coron, Col. 1, lines 3-5; “The invention relates to electronic devices implementing cryptographic algorithms involving a secret parameter.” … Col. 3, lines 48-53; “The electronic device could also be a computing device such as a conventional personal computer, a conventional (non security) server, a mobile phone, a PDA, or any electronic device not designed specifically for security but able to implement a cryptographic algorithm.”) configured to generate a protected secret value k'  used as a second operand in a cryptographic group operation (Coron, Col. 11, lines 38 - 46; “In the case of ECC, n being the number of points of the elliptic curve concerned (a.k.a the order of the group), dd being the secret parameter (the private key to protect), the operation Q=dd*P (P being a point of the elliptic curve) is replaced by the operation Q=dd’*P, wherein dd’ is a randomized private key. The randomized private key dd’ can be computed from a previously randomized private key for example as follows: dd’=dd’+kk*n, wherein kk is a random integer”) [involving a base group element G of order n that has to be combined with a secret value k], wherein the computing device comprises a cryptographically secure random number generator (Coron, Col. 11, lines 21-23; “Smart card chips typically comprise a hardware random number generator which could be used in this context.”), a processor  and a memory (Coron, Col. 10, lines 42-45; “The computation of the randomized parameter can be carried out by a microprocessor (for example, if the electronic device is a smart card, by a smart card microcontroller). Securing the secret parameter can also be implemented at least partially in hardware (e.g. wired logic can compute the randomized parameter), which is typically faster but may require a custom chip or a chip comprising features allowing the implementation of custom function in the chip.”); 
the computing device configured to: 3/15Application no. 16/095,737 Ref. No.: 31725.0028.USPOgenerate random positive integers kl and k2, [strictly smaller than the order of the group element G due to the cryptographically secure random number generator], such that the generated random positive integers kl and k2 [do not share any divisor with the order n other than 1] (Coron, Col. 10, lines 10 - 12; “The electronic devices initially generates two random integers k0 and k1 (k0 and k1 are positive integers),”); 
generate, using the processor (Coron, Col. 10, lines 42-45; “The computation of the randomized parameter can be carried out by a microprocessor (for example, if the electronic device is a smart card, by a smart card microcontroller). Securing the secret parameter can also be implemented at least partially in hardware (e.g. wired logic can compute the randomized parameter), which is typically faster but may require a custom chip or a chip comprising features allowing the implementation of custom function in the chip.”), the protected secret value k' based on the generating random positive integers such as k' = kl * k2 wherein the operation “*” denotes multiplication, the protected secret value k' being used as a second operand in the group operation (Coron, Col. 10, lines 9 – 19; “The randomized exponent d’ is computed as follows. The electronic devices initially generates two random integers k0 and k1 (k0 and k1 are positive integers), and two randomized exponents d0 and d1, wherein d0=d+k0*phi (N) and d1=d+(k0+k1)*phi(N). For the computation of each new randomized exponent, the electronic devices generates a random integer r (a small positive integer, which can have a length similar to the length of k0 and k1), and defines d’ as d’=(r+1)*d1-r*d0. Since we have d’=d+ ((r+1)*k1+k0)*phi(N), d’ is a randomized exponent”.  Examiner submits since the operation “*” is not explicitly defined in the claim, under the broadest reasonable interpretation, the expression for d’ would involve the combination of addition and multiplication, which renders the “*” obvious.); 
store the generated protected secret value k' in the memory (Coron, Col. 9, lines 33-35; “the new d’ typically has to be written in non-volatile memory for each new execution.”); 
wherein the obtain a secret value k, which is protected by using the protected secret value k' instead of the secret value k in the cryptographic group operation (Coron, Col. 2, lines 44-49; “Then the randomized exponent d’ is used to perform the exponentiation instead of the original private exponent d. This makes a side channel attack against the exponentiation algorithm a lot more difficult since a different randomized exponent d’ is used for each new exponentiation.” … Col. 7, lines 2-9; “compute the initial randomized exponents (e.g. just after computing the third signature, or just before computing the fourth one), so that when the PKI card is requested to compute a digital signature for the fourth time with this specific credential (the RSA private key which exponent has to be protected), it would do it with a randomized parameter (randomized exponent in this case) instead of the "real" (original) secret parameter.” Examiner submits that the original exponent d corresponds to the secret value k and the randomized exponent d’ is equivalent to de protected values k’.), [is obtainable by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G], and 
wherein the generated random positive integers k1 and k2 are uncorrelated from the secret value k, such that the secret value k is protected from being attacked through exploiting side-channel leakages (Coron, Col. 2, lines 44-49; “Then the randomized exponent d’ is used to perform the exponentiation instead of the original private exponent d. This makes a side channel attack against the exponentiation algorithm a lot more difficult since a different randomized exponent d’ is used for each new exponentiation.” … Col. 7, lines 2-9; “compute the initial randomized exponents (e.g. just after computing the third signature, or just before computing the fourth one), so that when the PKI card is requested to compute a digital signature for the fourth time with this specific credential (the RSA private key which exponent has to be protected), it would do it with a randomized parameter (randomized exponent in this case) instead of the "real" (original) secret parameter.” Examiner submits that the original exponent d is equivalent to the claimed secret value, k, and the randomized exponent d’ is equivalent to the claimed protected value, k’.).
Coron does not expressly teach:
… operation involving a base group element G of an order n that has to be combined with a secret value k;
integers … that are strictly smaller than the order of the group element G due to the cryptographically secure random number generator, such that the …  integers … do not share any divisor with the order n other than 1;
wherein the secret value k, …, is obtainable by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G.
However, Struik teaches:
… operation involving a base group element G of an order n that has to be combined with a secret value k (Struik, Parag. [0010-0011]; “In an elliptic curve cryptosystem, the analogue to exponentiation is point multiplication. Thus it is a private key is an integer k, the corresponding public key is the point kP, where P is a predefined point on the curve that is part of the system parameters. … One such algorithm is the Elliptic Curve Digital Signature Algorithm (ECDSA) used to generate digital sig natures on messages exchanged between entities. Entities using ECDSA have two roles, that of a signer and that of a Verifier. A signer selects a long term private key d, which is an integer d between 1 and n-1 inclusive. The integer d must be secret, so it is generally preferable to choose d at random.” … Parag. [0043]; “The parameters of the system are known to each party including the field over which the curve is defined (in the present example Fp where p is a prime), the underlying curve, E, the generator point G that generates the elements that form the group in which crypto operations are performed and therefore defines the order, n, of the group.”), and 
integers that are strictly smaller than the order of the group element G (Struik, Parag. [0047]; “The correspondent 14 also computes a pair of integers w and z using an iterative algorithm such that the maximum bit lengths of w and z are each less than the maximum bit length of the elements of the group”) due to a cryptographically secure random number generator, such that the …  integers … do not share any divisor with the order n other than 1 (Struik, Parag. [0093]; “In the DSA setup, p is a large prime, and q is smaller prime and q is a divisor of (p-1). An integer g is chosen such that gq = 1 mod p, and 1<g<p. (Note that q and g correspond to n and G, respectively, from ECDSA).”).
Coron and Struik are form a similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing protection to secret values, messages and digital signatures.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Struik system into Coron system, with a motivation to provide computational techniques used in cryptographic algorithms (Struik, Parag. [0002]).
However, the combination of Coron and Struik does not expressly teaches:
wherein the secret value k, …, is obtained by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G modular reduction on the generated protected secret value k' modulo the order n of the base element G.
But, Gómez teaches:
wherein the secret value k, …, is obtained by applying a modular reduction on the generated protected secret value k' modulo the order n of the base element G (Gómez, Section 8.3.4.5, pages 455 – 456; “Multiplying by the inverse of e ∈ 𝒁*𝝋(𝒏) we obtain that d1 ≡ d’(mod φ(n)). Since discrete logarithms in the group 𝒁*𝒏 are defined modulo the group order, namely φ(n), we see that the exponents d1 and d’1 indeed define the same exponentiation function.”; Examiner submits that modular reduction involves the modulo operation on the secret value with the order n).
Coron, Struik and Gomez are form a similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing protection to secret values, messages and digital signatures.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gómez system into Coron–Struik system, with a motivation to enable secure communication between two parties that do not have to share a common secret key based on the Diffie-Hellman protocol for designing an encryption scheme in which it is computationally infeasible to find the decryption algorithm from the encryption one (Gómez, Section 8.1, page 419, Parag. [0001]).
The combination of Coron, Struik and Gomez does not expressly teach:
generating the protected secret value k' in the computing device based on the generated random positive integers as k' = k1 * k2 wherein the operation “*” denotes multiplication, the protected secret value k ' being used as a second operand in the group operation
However, Boscher teaches:
generating the protected secret value k' in the computing device based on the generated random positive integers as k' = k1 * k2 wherein the operation “*” denotes multiplication, the protected secret value k ' being used as a second operand in the group operation (Boscher, Parag. [0032]; “The random number R can be utilized to set an initial value for a variable R0 (e.g., RO-R), and the inverse of the random number can be utilized to set an initial value for a variable R1 (e.g., R1 =R(-1)). Further, another variable, A, can be set to the value of the message g. The randomized exponentiation component 104 can perform right-to-left exponentiation of the exponent, where the exponent bits can be scanned from d(0) to d(m-1). When the exponent bit is equal to a 1, the exponentiation component can utilize the value of R0 for the current iteration, where RO can be initially set to the value of the random number, and can multiply the variable A by R0, which can then be the new value for R0. When the exponent bit is equal to a 0, the randomized exponentiation component 104 can utilize the value of R1 for the current iteration, where R1 can be initially set to the value of the inverse of the random number, and can multiply the variable A by R1, which can then be the new value for R1. The calculations can be continued until all iterations are complete such that all bits of the exponent have been Scanned. Once the calculations have been performed with regard to all of the bits of the exponent, the exponentiation component can facilitate determining whether the calculations are free of error, which can facilitate protecting the data and exponent from fault attacks. For example, the exponentiation component can determine whether the value of the product of RO*R1 g is equivalent to the value of variable A for the last iteration. If so, the exponentiation component can provide an output, which can be the value of the product of the RO*R(-1), where R0 can be the value of R0 for the last iteration, and can have a value of g, where the received input of the exponentiation component is a message g and an exponent d. The output can be a decrypted message and/or a digital signature, for example. However, if the value of the product of ROR1 g is not equivalent to the value of variable A, then the exponentiation component can determine that there was a fault or an error in the exponentiation and the cryptographic component can provide an output of "error” or alternatively can provide no output, for example.”)
Coron, Struik, Gomez and Boscher are form a similar field of technology. Prior to the instant application’s effective filling date, there was a need for providing protection to secret values, messages and digital signatures.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Boscher system into Coron–Struik-Gomez system, with a motivation to randomized exponentiation component that facilitates decryption of data and/or generation of digital signatures by exponentiating exponents associated with messages. A random number is generated and utilized to randomize the value of a message. After an exponentiation is performed on the randomized message value, intermediate results can be analyzed to determine if there was error in the exponentiation. (Boscher, Abstract).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Shamir, A.; US 5,991,415: relates to improved methods and apparatus are provided for protecting public key schemes based on modular exponentiation (including RSA and Diffie-Hellman) from indirect cryptanalytic techniques such as timing and fault attacks.
Antipa, A.; US 2016/0352689: relates to a key agreement protocol performed between a pair of entities communicating over a data communication system based on Diffie-Hellman key agreement.
Choi, Y., et al.; US 2012/0163585: relates to a masking addition operation apparatus for prevention of a side channel attack, includes a random value generation unit generating a first random value for a first input, second random value for a second input, and a summation random value.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/A.D.C./Examiner, Art Unit 2498             

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498