Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
This is the first office action on the merits in response to the application filed on 09/01/2020.
Claims 1-20 are currently pending and have been examined.

Priority
Acknowledgment is made of applicant’s claim for priority based on PCT Application No. PCT/IB2019/051326 filed on 02/19/2019. Acknowledgment is made of applicant's claim for foreign priority based on Application No. GB1803396.9 filed in United Kingdom on 03/02/2018. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/13/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 18-20 are objected to because of the following informalities:  
Claims 18-19 are objected to because it is not clear to the examiner whether the claims are independent or dependent on claim 1 due to the claims starting with “A computer-implemented method” and “A non-transitory computer-readable storage medium” and the claims comprising “causes the computer-implemented system to perform any embodiment of the computer-implemented method as claimed in claim 1.” Claim 20 is objected to because it is not clear to the examiner whether the claim is independent or dependent on claim 5 due to the claim starting with “A computer-implemented system” and the claim comprising “to perform any embodiment of the computer-implemented method as claimed in claim 5.” In addition, the fee worksheet states there is one independent claim. Applicant needs to amend the claims to make it clear if the claims are independent or dependent. Examiner is interpreting claims 18-20 as independent claims.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 4, and 18-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Machani (US 10,511,436 B1).

Regarding Claims 1, 18, and 19, Machani teaches distributing shares of a first secret value among a plurality of first participants, wherein said first secret value is a first private key of a first private-public key pair of a cryptography system having a homomorphic property (Col. 4, lines 42-63, teaches an exemplary secret key splitting and software application generation process initially generates a key pair and stores the public key certificate from the key pair; the private key, sK, is then split using a threshold-based key splitting scheme; the secret key splitting and software application generation process then wraps the key shares, sK1 to sKN, with a first key share, sK0, and securely stores the wrapped key shares; the software application provider sends the first key share, sK0, to the white-box crypto compiler and generates the white-box crypto program; the secret key splitting and software application generation process builds a user software application and publishes the software application; the wrapped key shares and public key certificate are distributed to the relying parties), said first secret value is accessible by way of a first threshold number of said shares of said first secret value, and is inaccessible in the absence of said first threshold number of said shares of said first secret value, and access to said digital asset is provided by digital signature of a first encrypted message with said first private key (Col. 5, lines 5-27 teach an exemplary authentication process is initiated by the software application executing on the user device, when the user attempts to access a resource protected by a relying party server, such as relying party server; the relying party server returns a challenge and the wrapped key share Enc(sKj, sK0) of the relying party server to the software application; the software application then invokes the white-box cryptographic program and passes the wrapped key share Enc(sKj, sK0) of the relying party and the challenge to the white-box cryptographic program; the white-box cryptographic program then generates a digital signature sig on the challenge and returns the digital signature sig to the software application; the software application then returns the digital signature sig on the challenge to the RP server; the relying party server verifies the signature internally using the published public key certificate pK of the software application provider to determine whether the user device 120 is authorized to access the protected resource; given the challenge and the wrapped key share Enc(sKj, sK0) of the relying party server, the white-box cryptographic program generates the digital signature sig on the challenge; the white-box cryptographic program has the key share sK0 embedded in its software and uses the key share sK0 to unwrap key share sKj; in a threshold-based scheme where only two shares are required, the white-box cryptographic program can now reconstruct the original secret key, sK, of the software application provider and generate the digital signature sig); distributing shares of a second secret value among said plurality of first participants, wherein said second secret value is a deterministic key of said cryptography system, said second secret value is accessible by way of a second threshold number of said shares of said second secret value, and is inaccessible in the absence of said second threshold number of said shares of said second secret value (Col. 3, lines 2-8, and Col. 4, lines 10-14, teach generally, for master key encryption, the master encryption key is split into multiple shares, and one wrapped master encryption key share and the full master key are sent securely to a relying party, in a known manner; the master key can be used for deriving new authentication or encryption/decryption keys (i.e., deterministic); generally, the first white-box cryptography program performs a key wrapping function and key reconstruction using a threshold secret sharing scheme, and the cryptographic operations (such as data encryption/decryption or signing) using the reconstructed key); providing a second encrypted message, wherein access to said digital asset is provided by a digital signature of said second encrypted message with a second private key of a second private-public key pair of said cryptography system and wherein said second private key is related to said first private key by said deterministic key (Col. 4, lines 14-17, and Col. 5, lines 13-20, teach the first white-box cryptography program takes as input one or more wrapped key shares and challenge data, and produces and returns a signature on the data; the software application invokes the white-box cryptographic program and passes the wrapped key share Enc(sKj, sK0) of the relying party and the challenge to the white-box cryptographic program; the white-box cryptographic program then generates a digital signature sig on the challenge and returns the digital signature sig to the software application); and generating shares of a third secret value, wherein said third secret value is said second encrypted message signed with said second private key, and wherein said second encrypted message can be signed with said second private key by way of a third threshold number of said shares of said third secret value, and cannot be signed in the absence of said third threshold number of said shares of said third secret value (Col. 5, lines 51-67 and Col. 6, lines 1-27 teaches FIG. 4 illustrates an exemplary challenge-response authentication processes according to a second operational mode of the white-box cryptography program; the exemplary authentication process performs authentication using digital signature, where the signature is generated by a user application, and the signing secret key is produced by the white-box crypto program using a secret sharing reconstruction algorithm; the exemplary authentication process is initiated by the software application executing on the user device, when the user attempts to access a resource protected by a relying party server, such as relying party server; the relying party server returns a challenge and the wrapped key share Enc(sKj, sK0) of the relying party server to the software application; the software application then invokes the white-box cryptographic program and passes the wrapped key share Enc(sKj, sK0) of the relying party to the white-box cryptographic program; the white-box cryptographic program then reconstructs the original secret key, sK, and returns the secret key, sK, to the software application; the white-box cryptographic program has the key share sK0 embedded in its software and uses the key share sK0 to unwrap the wrapped key share sKj provided; in a threshold-based scheme where only two shares are required, the white-box cryptographic program can now reconstruct the original secret key, sK, of the software application provider and provide the original secret key, sK, of the software application provider to the software application; the exemplary white-box cryptography program comprises key wrapping functionality and key reconstruction functionality using the threshold secret sharing scheme, taking as input one or more wrapped key shares and producing the original secret key; the software application then generates the digital signature sig on the challenge itself, using the original secret key, sK, of the software application provider, and returns the digital signature sig to the relying party server).
Regarding Claim 1, Machani teaches a computer-implemented method of transferring control of a digital asset (Col. 4, lines 32-35 teach FIG. 2 is a flow chart illustrating an implementation of an exemplary secret key splitting and software application generation process 200, according to one embodiment of the disclosure).
Regarding Claim 18, Machani teaches a computer-implemented system comprising: a processor; and memory including executable instructions that, as a result of execution by the processor, causes the computer-implemented system to perform any embodiment of the computer-implemented method as claimed in claim 1 (Col. 8, lines 12-21 teaches the disclosed techniques for key material protection, as described herein, can be implemented at least in part in the form of one or more software programs stored in memory and executed by a processor of a processing device such as a computer; a memory or other storage device having such program code embodied therein is an example of what is more generally referred to herein as a “computer program product”).
Regarding Claim 19, Machani teaches a non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least perform an embodiment of the computer-implemented method as claimed in claim 1 (Col. 8, lines 12-21 teaches the disclosed techniques for key material protection, as described herein, can be implemented at least in part in the form of one or more software programs stored in memory and executed by a processor of a processing device such as a computer; a memory or other storage device having such program code embodied therein is an example of what is more generally referred to herein as a “computer program product”).

Regarding Claim 2, Machani teaches all the limitations of claim 1 above; and Machani further teaches distributing a version of said deterministic key, encrypted by way of said cryptography system, to a plurality of second participants, wherein said homomorphic property enables derivation of a second public key of the second public-private key pair from a first public key of the first public-private key pair and said version of said deterministic key (Col. 3, lines 2-8, and Col. 4, lines 48-63, teach for master key encryption, the master encryption key is split into multiple shares, and one wrapped master encryption key share and the full master key are sent securely to a relying party, in a known manner; the master key can be used for deriving new authentication or encryption/decryption keys; the secret key splitting and software application generation process wraps the key shares, sK1 to sKN, with a first key share, sK0; the wrapped key shares, Enc(sKj, sK0) (for j=1 to N), are stored in a secure store; meanwhile, the software application provider sends the first key share, sK0, to the white-box crypto compiler and generates the white-box crypto program, which is optionally stored in a white-box program library; the secret key splitting and software application generation process builds a user software application and optionally publishes the software application to an application store; the wrapped key shares and public key certificate are distributed to the relying parties).

Regarding Claim 4, Machani teaches all the limitations of claim 1 above; and Machani further teaches wherein the step of communicating said shares to each said first and/or second participant of the pluralities of first and second participants comprises providing a respective encrypted communication channel with said first and/or second participant (Col. 2, lines 41-53 teaches a secret key of a software application provider is split into a plurality of key shares and one of the plurality of key shares is used to encrypt the remaining key shares of the plurality of key shares to obtain a set of wrapped key shares; a threshold defines a subset of the key shares that is needed to reconstruct the secret key; the one key share is applied to a white-box cryptography compiler to generate a white-box cryptographic program; the software application provider generates a user application that is linked to the white-box cryptography program and is distributed to at least one user; the software application provider provides one of the set of wrapped key shares to a relying party).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 3, 5, 7-8, 11-12, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Machani (US 10,511,436 B1) in view of Oberheide (US 20180234251).

Regarding Claim 3, Machani teaches all the claim limitations of claim 1 above; however, the combination does not explicitly teach wherein the shares communicated to each said first and/or second participant of the pluralities of first and second participants are inaccessible to each other said first and/or second participant of the pluralities of first and second participants.
	Oberheide from same or similar field of endeavor teaches wherein the shares communicated to each said first and/or second participant of the pluralities of first and second participants are inaccessible to each other said first and/or second participant of the pluralities of first and second participants (Paragraph 0069 teaches distributing the key shares and public key; after an entity (e.g., a service provider, an identity provider, a two-factor authentication service, or an end user) generates the keys, they must be distributed to their intended locations; this includes generating a set of two private key shares and a public key, and distributing the public key to a service provider, while distributing the first private key share to an identity provider and the second private key share to a two-factor authentication service; entities not receiving a private key share preferably do not have access to the private key share; distribute a first private key share of a private key to a primary authentication system, a second private key share of the private key to a secondary authentication system, and a public key to a service provider, where the secondary authentication system and the service provider do not have access to the first private key share, and where the primary authentication system and the service provider do not have access to the second private key share).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Machani to incorporate the teachings of Oberheide for the shares communicated to each said first and/or second participant of the pluralities of first and second participants to be inaccessible to each other said first and/or second participant of the pluralities of first and second participants.
There is motivation to combine Oberheide into Machani because making each participant's share inaccessible to the other participants in the system increases the security of that share as well as the security of the private key.

Regarding Claim 5, Machani teaches all the claim limitations of claim 1 above; however, the combination does not explicitly teach wherein the step of distributing shares of said first secret value comprises: distributing first shares of a fourth secret value, known to a third participant, to a plurality of fourth participants, wherein said first shares are encrypted by way of at least one third private-public key pair of said cryptography system, wherein a fourth threshold number of said first shares is required in order to enable a fourth participant of the plurality of fourth participants to determine the fourth secret value; receiving, from each of plurality of fourth participants, at least one second share of a fifth secret value known to said fourth participant, wherein said second shares are encrypted by way of at least one fourth private-public key pair of said cryptography system, and a fifth threshold number of second shares is required to enable a participant other than said fourth participant to determine the fifth secret value; and forming, from a plurality of said second shares, a third share of said first secret value, wherein said first threshold number of third shares is required in order to enable the first secret value to be determined.
Oberheide from same or similar field of endeavor teaches wherein the step of distributing shares of said first secret value comprises: distributing first shares of a fourth secret value, known to a third participant, to a plurality of fourth participants, wherein said first shares are encrypted by way of at least one third private-public key pair of said cryptography system, wherein a fourth threshold number of said first shares is required in order to enable a fourth participant of the plurality of fourth participants to determine the fourth secret value (Paragraphs 0084-0085 and 0080 teach authentication Approaches—Multiple Service Providers; the method can include distributed trust authentication for more than one service provider; performing, at the secondary authentication system (e.g., a same authentication system used to provide two-factor authentication for a user attempting to access a first service provider), in response to a first attempt of the first user to access a second service provider, authentication of the first user using a third authentication factor (e.g., an authentication factor for authentication with respect to accessing the second service provider, where the first and the second authentication factors can be used for authentication with respect to accessing the first service provider); generating, at the secondary authentication system, a third authentication response (e.g., an authentication response to authentication for accessing a second service provider, where the first and the second authentication responses are responding to authentications for accessing a first service provider) to the authentication of the first user using the third authentication factor; distributing a first private key share of a private key to a first authentication system (e.g., an Active Directory service), a second private key share of the private key to a second authentication system (e.g., an authentication system using a possession factor for authentication), a third private key share of the private key to a third authentication system (e.g., an authentication system using an inherence factor for authentication), and a public key to a service provider (e.g., the service provider that a user is attempting to access), wherein the second private key share is non-identical to the third private key share; wherein the second authentication system, the third authentication system, and the service provider do not have access to the first private key share, wherein the first authentication system, the third authentication system, and the service provider do not have access to the second private key share, and wherein the first authentication system, the second authentication system, and the service provider do not have access to the third private key share); receiving, from each of plurality of fourth participants, at least one second share of a fifth secret value known to said fourth participant, wherein said second shares are encrypted by way of at least one fourth private-public key pair of said cryptography system, and a fifth threshold number of second shares is required to enable a participant other than said fourth participant to determine the fifth secret value (Paragraph 0085 teaches generating, at the secondary authentication system, a third partial digital signature for the third authentication response using the second private key share (e.g., the same private key share used by the secondary authentication system in generating a partial digital signature for a response to authentication regarding a first service provider, but can alternatively be a different private key share)); and forming, from a plurality of said second shares, a third share of said first secret value, wherein said first threshold number of third shares is required in order to enable the first secret value to be determined (Paragraph 0085 teaches combining the third partial digital signature with an additional partial digital signature, resulting in a second composite digital signature; transmitting the second composite digital signature to the second service provider; validating, at the second service provider, the second composite digital signature; and providing the first user with access to the second service provider in response to successful validation of the second composite digital signature).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Machani to incorporate the teachings of Oberheide for the shares communicated to each said first and/or second participant of the pluralities of first and second participants to be inaccessible to each other said first and/or second participant of the pluralities of first and second participants.
There is motivation to combine Oberheide into Machani because of the same reasons listed above for claim 3.

Regarding Claim 7, the combination of Machani and Oberheide teaches all the claim limitations of claim 5 above; and Machani further teaches communicating versions of said first shares, encrypted by way of said cryptography system, to each of said plurality of fourth participants (Col. 2, lines 41-53 and Col. 3, lines 2-8, teach a secret key of a software application provider is split into a plurality of key shares and one of the plurality of key shares is used to encrypt the remaining key shares of the plurality of key shares to obtain a set of wrapped key shares; a threshold defines a subset of the key shares that is needed to reconstruct the secret key; the one key share is applied to a white-box cryptography compiler to generate a white-box cryptographic program; the software application provider generates a user application that is linked to the white-box cryptography program and is distributed to at least one user; the software application provider provides one of the set of wrapped key shares to a relying party; for master key encryption, the master encryption key is split into multiple shares, and one wrapped master encryption key share and the full master key are sent securely to a relying party, in a known manner; the master key can be used for deriving new authentication or encryption/decryption keys).

Regarding Claim 8, the combination of Machani and Oberheide teaches all the claim limitations of claim 5 above; and Machani further teaches determining a version of said first secret value, encrypted by way of said cryptography system (Col. 7, lines 22-35 teaches the metadata statement is a JSON (JavaScript Object Notation) file that is produced by the authenticator vendor and consumed by FIDO servers; the metadata statement contains information about the authenticator such as: authenticator version; authenticator ID (AAID); attestation certificate; user verification method such as fingerprint biometrics; whether keys are protected by Trusted Execution Environment (TEE) or Secure Element (SE); and whether biometrics are protected by the TEE).

Regarding Claim 11, the combination of Machani and Oberheide teaches all the claim limitations of claim 5 above; and Machani further teaches verifying consistency of said first shares received directly from said third participant with versions of said first shares, encrypted by way of said cryptography system and received from said plurality of fourth participants (Col. 7, lines 35-44 teaches the metadata statement is also used in the authenticator attestation process; for a particular authentication event, an application can specify policies on which authenticators it is willing to accept to a FIDO server; when a registration response is sent from an authenticator supporting attestation, it is signed using the authenticator’s attestation key; the server looks up the metadata statement corresponding to the authenticator’s Authenticator Attestation ID and verifies that the signature is genuine using the authenticator’s public key from the attestation certificate in the metadata statement).

Regarding Claim 12, the combination of Machani and Oberheide teaches all the claim limitations of claim 5 above; and Machani further teaches verifying consistency of versions of said first shares, encrypted by way of said cryptography system and received from a fourth participant of the plurality of fourth participants with versions of said first shares, encrypted by way of said cryptography system and received from another fourth participant of the plurality of fourth participants (Col. 7, lines 35-44 teaches the metadata statement is also used in the authenticator attestation process; for a particular authentication event, an application can specify policies on which authenticators it is willing to accept to a FIDO server; when a registration response is sent from an authenticator supporting attestation, it is signed using the authenticator’s attestation key; the server looks up the metadata statement corresponding to the authenticator’s Authenticator Attestation ID and verifies that the signature is genuine using the authenticator’s public key from the attestation certificate in the metadata statement).

Regarding Claim 20, the combination of Machani and Oberheide teaches all the limitations of claim 5 above; and Machani further teaches a computer-implemented system comprising: a processor; and memory including executable instructions that, as a result of execution by the processor, causes the computer-implemented system to perform any embodiment of the computer-implemented method as claimed in claim 5 (Col. 8, lines 12-21 teaches the disclosed techniques for key material protection, as described herein, can be implemented at least in part in the form of one or more software programs stored in memory and executed by a processor of a processing device such as a computer; a memory or other storage device having such program code embodied therein is an example of what is more generally referred to herein as a “computer program product”).

Claims 6, 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Machani (US 10,511,436 B1) in view of Oberheide (US 20180234251) in further view of Le Saint (US 20210111875).

Regarding Claim 6, the combination of Machani and Oberheide teaches all the limitations of claim 5 above; however, the combination does not explicitly teach wherein the first and second shares of said fourth and fifth secret values are created by way of respective Shamir secret sharing schemes.
Le Saint from same or similar field of endeavor teaches wherein the first and second shares of said fourth and fifth secret values are created by way of respective Shamir secret sharing schemes (Paragraphs 0050 and 0085 teach a share request to at least M−1 devices in the network is sent by the requesting device; a DEK may exist as shares stored at multiple devices, and a threshold number of shares may be required for reproducing the full DEK; M of N shares may be required for deriving the shared data encryption key in a trusted network of N devices; M may be an integer less than or equal to 1, which can include the local share of the requesting device; the DEK shares may be shares according to an M of N secret sharing/threshold scheme, such as Shamir's secret sharing; the requesting server Si may generate the DEK using the M DEK shares; the DEK may be generated from the M DEK shares according to Shamir's secret-sharing scheme).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani and Oberheide to incorporate the teachings of Le Saint for the first and second shares of said fourth and fifth secret values to be created by way of respective Shamir secret sharing schemes.
There is motivation to combine Le Saint into the combination of Machani and Oberheide because one of the benefits of Shamir’s algorithm is that it is flexible and extensible — meaning that the secret owner could add, amend or remove shares at any time if they wanted to, without modifying the original secret.

Regarding Claim 9, the combination of Machani and Oberheide teaches all the limitations of claim 5 above; however, the combination does not explicitly teach wherein a plurality of said first shares includes respective values of a first polynomial function, and the first secret value is determined by deriving the first polynomial function from said first threshold number of said shares.
Le Saint from same or similar field of endeavor teaches wherein a plurality of said first shares includes respective values of a first polynomial function, and the first secret value is determined by deriving the first polynomial function from said first threshold number of said shares (Paragraphs 0025, 0037, 0053, and 0070 teach the term “secret sharing scheme” can refer to a method for distributing a secret amongst N participants, each of which can be referred to as a “share;” the secret can be protected even if one participant is compromised; the secret sharing scheme can be a “threshold scheme,” in which a threshold number M of participants within the group of participants are required to reconstruct the secret, M less than or equal to N; the DEK may be split such that it may be computationally difficult to regenerate the full DEK without at least a predetermined threshold number of shares; the requesting device generates the data encryption key (DEK) from at least M−1 decrypted data encryption key shares and a local share of the requesting device. In one embodiment, at least M−1 encrypted shares received from M−1 devices and may be decrypted using a local private key of the requesting device; the decrypted at least M−1 shares and local share of the requesting device may be combined according to a threshold scheme, in which any M number of parts/shares may be sufficient to reconstruct the original DEK, M being an integer less than or equal to N; to establish a data encryption key (DEK) for a peer to peer network of trusted servers, DEK derivation module may be used to create the DEK; after this initial creation of the DEK, N-split module may then be used to split the DEK into N number of data encryption key shares (e.g. DEKi, DEKJ, DEKk, etc.) for N number of devices in the network; for example, the DEK may be expressed as a very large integer or string of characters, and the DEK may then be split according to a threshold scheme, in which determining the DEK may be computationally difficult without M of N number of shares, with M being an integer less than or equal to N; the threshold scheme may be Shamir's secret-sharing scheme; upon creation of N DEK shares, the DEK created on server Si may be destroyed, such that the DEK can only be reproduced by obtaining M-of-N DEK shares).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani and Oberheide to incorporate the teachings of Le Saint for a plurality of said first shares to include respective values of a first polynomial function, and the first secret value to be determined by deriving the first polynomial function from said first threshold number of said shares.
There is motivation to combine Le Saint into the combination of Machani and Oberheide because the DEK may be split such that it may be computationally difficult to regenerate the full DEK without at least a predetermined threshold number of shares. This may add additional security to the network, as the probability of an attacker obtaining the necessary amount of shares may be low (Le Saint Paragraph 0037).

Regarding Claim 10, the combination of Machani and Oberheide teaches all the limitations of claim 5 above; however, the combination does not explicitly teach wherein a plurality of said first shares includes respective values of a second polynomial function, and the method further comprises communicating versions of coefficients of said second polynomial function, encrypted by way of said cryptography system, to each of said plurality of fourth participants.
Le Saint from same or similar field of endeavor teaches wherein a plurality of said first shares includes respective values of a second polynomial function, and the method further comprises communicating versions of coefficients of said second polynomial function, encrypted by way of said cryptography system, to each of said plurality of fourth participants (Paragraphs 0084-0085 teaches the M shares may include the local data encryption key share, DEKi, of server Si, and the M−1 shares retrieved from the M−1 servers Sk; the server Si may retrieve its local encrypted share, eDEKi from memory, receive the M−1 shares over the trusted network, and may then decrypt the M shares; the decrypted key values may be stored in non-persistent memory where they can be erased from memory after use (i.e. after the DEK has been derived from the DEK shares); the DEK may be a string of characters or a very large number, which can be expressed as an unknown term of a polynomial, and each of the DEK share values may represent random numbers that may serve as coefficients for other terms of the polynomial; the requesting server Si may then be configured to reconstruct the polynomial from M shares to determine the DEK, such as through interpolation or other suitable method; further authentication steps may be performed/may be required before generation of the DEK).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani and Oberheide to incorporate the teachings of Le Saint for a plurality of said first shares to include respective values of a second polynomial function, and the method to further comprise communicating versions of coefficients of said second polynomial function, encrypted by way of said cryptography system, to each of said plurality of fourth participants.
There is motivation to combine Le Saint into the combination of Machani and Oberheide because the server may be configured to check the location, status, authentication state, and/or system parameters of one or more computing devices in the trusted network to verify that the one or more computing devices in the network have not been compromised (Le Saint Paragraph 0085).

Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Machani (US 10,511,436 B1) in view of Oberheide (US 20180234251) in further view of Dolev (US 20180011996).

Regarding Claim 13, the combination of Machani and Oberheide teaches all the limitations of claim 5 above; however, the combination does not explicitly teach distributing fourth shares of a sixth secret value, having value zero, to the plurality of fourth participants, wherein said fourth shares are encrypted by way of at least one fifth private-public key pair of said cryptography system.
Dolev from same or similar field of endeavor teaches distributing fourth shares of a sixth secret value, having value zero, to the plurality of fourth participants, wherein said fourth shares are encrypted by way of at least one fifth private-public key pair of said cryptography system (Paragraphs 0022-0024 and 0027 and 0065-0067 teach secret sharing may be performed according to Shamir's secret sharing, using random polynomials P(x) by allowing a dealer to: a) select additional points, x, such that, P(x)=0 when choosing the random polynomials P(x); and b) distribute n points having x values which are different from the x values of these additional points in P(x)=0, while storing the additional points to itself as an additional secret for revealing the polynomials value; the keys may be restricted to be points in which the polynomial is zero for every value, thereby allowing additions and multiplications while preserving the secret key unchanged; secret sharing among n participants (clouds) is possible using a polynomial of degree m<n−1. In this case, the dealer selects random polynomials P(x) of degree m and distributes n points to the participants, while the value P(0) is the secret; P(x) may be selected with a degree greater than n-1, where the missing points for defining P(x) are points with P(x)=0; the extra points are held by the dealer as an extra security key for interpretation of the polynomial to reveal the secret P(0); the additional P(x)=0 points are closed under additions and multiplications; this type of polynomials allows additions and multiplications while preserving the secret key (the roots) unchanged, as the addition of these polynomials which have a zero value at a point x remains zero; the same applies when the polynomial is multiplied by a number; when two polynomials are used as an operand in computation such that they both share the same roots (which are additional secret keys), then every computed value (following addition and multiplication) results in a polynomial (possibly with higher degree in the case of multiplication) for which by the set of indexes in which the value is zero is unchanged; thus, the additional secret keys are unchanged).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani and Oberheide to incorporate the teachings of Dolev to distribute fourth shares of a sixth secret value, having value zero, to the plurality of fourth participants, wherein said fourth shares are encrypted by way of at least one fifth private-public key pair of said cryptography system.
There is motivation to combine Dolev into the combination of Machani and Oberheide because several reducers may be used for checking the integrity of the results and in case of non-integrity, identifying which reducer is malicious. The dealer and the reducer(s) may share common roots of all polynomials, unknown to the participating clouds, such that additions and multiplications keep the roots unchanged (Dolev Paragraph 0049).

Regarding Claim 14, the combination of Machani, Oberheide, and Dolev teaches all the limitations of claim 13 above; however, the combination does not explicitly teach receiving a fourth share of said fourth shares from said fourth participant, and forming, from a third share of said third shares and said fourth share, a fifth share of said first secret value, wherein a sixth threshold number of fifth shares is required in order to enable the first secret value to be determined.
Dolev further teaches receiving a fourth share of said fourth shares from said fourth participant, and forming, from a third share of said third shares and said fourth share, a fifth share of said first secret value, wherein a sixth threshold number of fifth shares is required in order to enable the first secret value to be determined (Paragraph 0060 teaches Shamir Secret Sharing (SSS) is an information theoretic secure protocol, which allows a dealer to secret share a value s among E players; there is a threshold δ for the scheme, such that, the knowledge of or fewer player secrets make the adversary learn no information about s, but if more than players communicate their shares to each other, they can easily recover the secret; Distribution: The dealer picks a random polynomial f ∈ Fp[x] of degree δ < E such that f(0) = s ∈ Fp; the dealer also chooses E arbitrary non-zero indices α1, ..., αE, computes f(αi) for 1≦i≦E and sends (αi, f(αi)) to each corresponding player; Reconstruction: Any δ+1 players can reconstruct the polynomial f by applying Lagrange interpolation to the tuples (αi, f(αi)). They recover the secret by computing f(0) mod p = s).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani, Oberheide, and Dolev to incorporate the further teachings of Dolev to receive a fourth share of said fourth shares from said fourth participant, and forming, from a third share of said third shares and said fourth share, a fifth share of said first secret value, wherein a sixth threshold number of fifth shares is required in order to enable the first secret value to be determined.
There is motivation to further combine Dolev into the combination of Machani, Oberheide, and Dolev because the threshold needs to be met in order to reconstruct the secret. If there is anything less than the threshold, the secret cannot be reconstructed, thus making Shamir’s Secret Sharing secure against an adversary — a malicious attacker — that has unlimited computational power.

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Machani (US 10,511,436 B1) in view of Oberheide (US 20180234251) in further view of NPL Reference Robust Threshold DSS Signatures by Gennaro et al.

Regarding Claim 15, the combination of Machani and Oberheide teaches all the limitations of claim 5 above; however, the combination does not explicitly teach wherein said first secret value is shared among said plurality of first participants by way of joint random secret sharing (JRSS).
Gennaro from same or similar field of endeavor teaches wherein said first secret value is shared among said plurality of first participants by way of joint random secret sharing (JRSS) (Page 7, lines 40-42 and Page 8, lines 1-12 teaches in a Joint Random Secret Sharing scheme the players collectively choose shares corresponding to a (t, n)-secret sharing of a random value; at the end of such a protocol each player P has a share ơi, where (ơ1,..., ơn), and ơ is uniformly distributed over the interpolation field; as with a regular (t, n)-secret sharing scheme the value ơ is kept secret from every player, and even from any coalition of t players; to realize such a protocol, all players act as dealers of a random local secret that they choose; the final share ơi (i = 1,...,n) is computed as the sum of the shares dealt to Pi by each player (consequently, the joint secret equals the sum of all dealt secrets); in the cases where active corrupted players, that may deviate from the protocol, are considered, one needs to perform the dealing by each player using a verifiable secret sharing protocol; the basic properties of this protocol, namely, the kind of public information it generates, and its fault tolerance are inherited from the underlying secret sharing scheme).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani and Oberheide to incorporate the teachings of Gennaro for said first secret value to be shared among said plurality of first participants by way of joint random secret sharing (JRSS).
There is motivation to combine Gennaro into the combination of Machani and Oberheide because joint random secret sharing scheme is unconditionally secure and non-interactive without using Fiat-Shamir technique or any additional zero knowledge proof.

Regarding Claim 16, the combination of Machani, Oberheide, and Gennaro teaches all the limitations of claim 15 above; however, the combination does not explicitly teach wherein sharing said first secret value includes sharing a masking share generated by joint zero secret sharing (JZSS).
Gennaro further teaches wherein sharing said first secret value includes sharing a masking share generated by joint zero secret sharing (JZSS) (Page 8, lines 15-21, teaches Joint Zero Secret Sharing: this protocol generates a collective sharing of a “secret” whose value is zero; such a protocol is similar to the above joint random secret sharing protocol but instead of local random secrets each player deals a sharing of the value zero; when verifiability is required each player deals its shares using Feldman-VSS; the correct dealing of the value zero is verified by checking that the free coefficient p0 of each dealing polynomial is 0 (i.e., by checking that g^p0 = 1)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Machani, Oberheide, and Gennaro to incorporate the teachings of Gennaro for sharing said first secret value to include sharing a masking share generated by joint zero secret sharing (JZSS).
There is motivation to combine Gennaro into the combination of Machani, Oberheide, and Gennaro because by adding such “zero-shares” to existent shares of a secret ơ, one obtains a randomization of the shares of ơ without changing the secret. This is the way we will typically use the Joint-Zero-SS protocol (Gennaro Page 8, lines 22-24).
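
An added example, not part of the office action or of the cited references: Python code for the Shamir dealing and Lagrange reconstruction quoted from Dolev for claim 14, and for the joint random and joint zero secret sharing quoted from Gennaro for claims 15-16, showing that adding zero-shares re-randomizes the shares without changing the secret. The prime P, the function names and the parameters t=2, n=5 are assumptions chosen for illustration, and verifiable dealing (Feldman-VSS) is left out.

```python
import secrets

# Assumed field for illustration: the Mersenne prime 2**127 - 1.
P = 2**127 - 1

def deal(secret, t, indices):
    """Shamir dealing: random degree-t polynomial f over F_P with f(0) = secret.
    Returns {alpha: f(alpha)} for the given non-zero indices."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    shares = {}
    for a in indices:
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            acc = (acc * a + c) % P
        shares[a] = acc
    return shares

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from {alpha: f(alpha)}; needs t+1 shares."""
    total = 0
    for ai, yi in shares.items():
        num, den = 1, 1
        for aj in shares:
            if aj != ai:
                num = num * (-aj) % P
                den = den * (ai - aj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def joint_sharing(t, indices, zero=False):
    """JRSS (zero=False) or JZSS (zero=True): every player acts as dealer of a
    local secret (random, or 0 for JZSS); each player's final share is the sum
    of the shares dealt to it. The joint secret is returned only so the result
    can be checked here; in the protocol no single player ever holds it."""
    final = {a: 0 for a in indices}
    joint_secret = 0
    for _dealer in indices:
        local = 0 if zero else secrets.randbelow(P)
        joint_secret = (joint_secret + local) % P
        for a, y in deal(local, t, indices).items():
            final[a] = (final[a] + y) % P
    return final, joint_secret

def subset(shares, wanted):
    """Pick the shares held by the players listed in `wanted`."""
    return {a: shares[a] for a in wanted}

def demo(t=2, n=5):
    indices = list(range(1, n + 1))
    shares, joint_secret = joint_sharing(t, indices)           # JRSS
    zero_shares, _ = joint_sharing(t, indices, zero=True)      # JZSS
    # Masking: add each player's zero-share to its existing share.
    masked = {a: (shares[a] + zero_shares[a]) % P for a in indices}
    return shares, zero_shares, masked, joint_secret

if __name__ == "__main__":
    shares, zero_shares, masked, s = demo()
    print("secret from original shares:", reconstruct(subset(shares, [1, 2, 3])) == s)
    print("secret from masked shares:  ", reconstruct(subset(masked, [2, 4, 5])) == s)
    print("zero sharing reconstructs 0:", reconstruct(subset(zero_shares, [1, 3, 5])) == 0)
```
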

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Machani (US 10,511,436 B1) in view of Le Saint (US 20210111875).

Regarding Claim 17, Machani teaches all the limitations of claim 1 above; however, Machani does not explicitly teach wherein the cryptography system is an elliptic curve cryptography system, a public key of each of said first and second public-private key pairs is related to a corresponding private key by multiplication of an elliptic curve generator point by said corresponding private key, and said second private key is related to said first private key by addition of said deterministic key to said first private key.
Le Saint from same or similar field of endeavor teaches wherein the cryptography system is an elliptic curve cryptography system, a public key of each of said first and second public-private key pairs is related to a corresponding private key by multiplication of an elliptic curve generator point by said corresponding private key, and said second private key is related to said first private key by addition of said deterministic key to said first private key (Paragraph 0071 teaches each data encryption key (DEK) share may be encrypted using instructions of key wrap module; each DEK share may be encrypted using the public key of its corresponding server; an AES key wrap algorithm or other wrapping technique can be used, such as elliptic curve Diffie-Hellman (ECDH); upon encrypting each DEK share (e.g. DEKi, DEKj, DEKk, etc.) using a public key of each corresponding device, key wrap module may yield encrypted DEK shares eDEKi, eDEKj, and eDEKk; the encrypted share may then be sent to and/or stored at server Si, server Sj, server Sk).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Machani to incorporate the teachings of Le Saint for the cryptography system to be an elliptic curve cryptography system, a public key of each of said first and second public-private key pairs to be related to a corresponding private key by multiplication of an elliptic curve generator point by said corresponding private key, and said second private key to be related to said first private key by addition of said deterministic key to said first private key.
There is motivation to combine Le Saint into Machani because of the same reasons listed above for claim 6.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Corduan et al. (US 20190007205) teaches a system and method for persona management in online environments provides an identity by proxy with trusted parties having portions of the private cryptographic key of the consumer so that the private cryptographic key of the consumer may be generated. The system and method implement the persona management in online environments in one embodiment using an immutable ledger with decentralized transaction consensus and a process to share portions of the private cryptographic key with trusted third parties.
Schiffman et al. (US 20180278594) teaches examples associated with distributed authentication are described. One example includes generating a paired public key and private key associated with a user. The private key is split into a set of shares, which are distributed to a set of devices associated with the user. A challenge is generated to authenticate the user to grant the user access to a resource upon receiving an authenticating response to the challenge. The challenge is distributed to members of the set of devices. Partial responses are received from members of the set of devices and combined into a group signature. The group signature serves as an authenticating response to the challenge when generated from partial responses received from a threshold number of members of the set of devices.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:30 pm CST (M-Th).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/COURTNEY P JONES/Examiner, Art Unit 3685