DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This initial written action is responding to the communication dated on 10/05/2021.
Claims 1-16 are submitted for examination.
Claims 1-16 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Priority
This application filed on October 05, 2021 claims priority of provisional application 63/232,762 filed on August 08, 2021, and a provisional application 63/087,509 filed on October 05, 2020.
Information Disclosure Statement
The following Information Disclosure Statements in the instant application submitted in compliance with the provisions of 37 CFR 1.97, and thus, have been fully considered:
IDS filed on 12 December 2021.
IDS filed on 04 April 2022.

Claim Objection
Claim 1 is objected for the term “ZKP”, in claim elements “….associating by computer, the credentials with prompts and generating public variables, private keys and public keys by a generation protocol per ZKP protocol….”. “…device which includes the prover identity and a preferred ZKP protocol identifier; looking up a prover's public key in the database via the identity; said verifier sending a selected ZKP protocol identifier to the prover computer device; commencing a round of authentication by receiving a commitment generated according to the selected ZKP protocol…”,  Claim 4 is objected for the term “ZKP”, in claim element, “…wherein said step of said verifier sending said ZKP protocol identifier to said prover computer device comprises selecting said ZKP protocol identifier from a prover's public information….”,  Claim 5 is objected for the terms “ZKP”, “FFSZKP” in claim element, “….wherein said step of sending said ZKP protocol identifier comprises sending a FFS ZKP protocol to said prover computer device”.   Claim 6 is objected for the term “zkMFA”, in claim element, “…wherein said step of performing an on demand an authentication process comprises performing a zkMFA authentication process..”.  Claim 7 is objected for the term “ZKP”, in claim element, “…generating at least one device long-term key fragment and a corresponding public long-term key fragment per a ZKP protocol..”. Claim 11 is objected for the term “ZKP”, in claim element, “…wherein when performing attestation, generating ZKP private session keys by combining device short-term key fragments and device long-term key fragments..”. Claim 12 is objected for the term “ZKP”, in claim element, “…wherein when performing attestation, generating a response by use of ZKP private session keys”. Claim 13 is objected for the term “ZKP”, in claim element, “…combining in such a way that an output has a pseudorandom distribution and a resulting private session key that can be substituted for ZKP private keys in an attestation protocol”. Claim 14 is objected for the terms “zkMFA”, “ZKP” in claim elements, “….A zkMFA method of authentication of a prover by a verifier comprising: computing on a prover computer device, a public commitment from a randomly generated private witness; generating by said verifier computer, a random challenge; sending said random challenge from said verifier computer to the prover; prompting the prover via said prover computer device for credentials selected by said random challenge; accepting a response as a combination of ZKP private keys sent from said prover computer device by said verifier computer as a prover's response for a round..”. Claim 16 is objected for the term “ZKP”, in claim elements, “…..associate by computer, the credentials with prompts and to generate public variables, private keys and public keys by a generation protocol per ZKP protocol; to combine the credentials and the private keys to generate at least one device key share; delete said private keys from the enrollment center; send said public variables and at least one device key share to the prover computer device; store said public variables, public keys, and prover identity associated with the prover computer device in a database; and subsequent to the enrollment process, to perform an on demand authentication process comprising: to receive at a verifier computer from the prover, a prover authentication request sent from the prover computer device which includes the prover identity and a preferred ZKP protocol identifier; to look up a prover's public key in the database via the identity; said verifier to send a selected ZKP protocol identifier to the prover computer device; to commence a round of authentication having received a commitment generated according to the selected ZKP protocol; and to repeat to commence a round of authentication until the verifier computer accepts or rejects the prover's identity”. Applicant is reminded that any acronym introduced for the first time is required to be specified in its entirety. Appropriate correction is required.

Claims 7-10 and 14 are objected to because of the following informalities:   Claim 7 recites a limitation, “.. if attestation is to be allowed, generating at least one device long-term key fragment and a corresponding public long-term key fragment per a ZKP protocol”, Claim 8 recites a limitation, “… if allowing attestation and identity is accepted, store all witnesses for that authentication session in a local cache as a device short-term key fragment”, Claim 9 recites a limitation, “…. when protocol completes if allowing attestation and identity is accepted”, Claim 10 recites a limitation, “,,,,an attestation process that proves if the prover has previously authenticated by verifying a prover's knowledge of at least one private proof element generated during a round of authentication”, Claim 14 recites a limitation, “….and determining by said verifier computer if there will be subsequent round of authentication; and if subsequent rounds of authentication are called for, repeating said steps of computing on said prover computer device”. Examiner suggest replacing “if” with “in response to” or “when”. Appropriate correction is required.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The term “long-term key fragment” in claim 7, the terms “short-term key fragments”, “long-term key fragments” in claim  11, the terms “long-term key fragments”, “short-term key fragments” in claim 13  are relative terms which renders the claim indefinite. The terms “long-term key fragments”, “short-term key fragments” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  It is not clear how a short-term is defined. For example a short term could be 1 second, 1 minute, 1 hour, 1 day, 1 week, 1 year and so on. Similarly it is not clear how a long-term is defined. For example long-term could be a 1 second, 1 minute, 1 hour, 1 day, 1 week, 1 year and so on.

Regarding claim 13, the phrase "can be" renders the claim indefinite because it is unclear whether the limitations following the phrase are part of the claimed invention.  See MPEP § 2173.05(d).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims  1-7, 9-10, 14 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Friedman et al. (US PAT. # US 11,140,171, hereinafter “Friedman”), and further in view of Brown et al. (US PGPUB. # US 2018/0270065, hereinafter “Brown”).

Referring to Claims 1 and 16:
Regarding Claim 1, Friedman teaches,
An authentication method of a prover by a verifier comprising: 
performing at least once, an enrollment process by an enrollment center computer comprising: (Fig. 1, CL(6), LN(36-47), “Enrollment module 120 can be invoked to allow a user to establish an account and/or to enroll in an account recovery service”, Fig. 2, CL(4), LN(27-28), CL(9), LN(9-15))
enrolling a prover via credentials and identity provided by the prover by use of a prover computer device; (Fig. 1, CL(6), LN(36-47), “Enrollment module 120 can be invoked to allow a user to establish an account and/or to enroll in an account recovery service”, Fig. 2, CL(4), LN(27-28), CL(9), LN(9-15))
associating by computer, the credentials with prompts and generating public variables, private keys and public keys by a generation protocol per ZKP protocol; (Fig. 2(202, 204), CL(9), LN(16-41), Fig. 1(126), CL(6), LN(62-67), CL(7), LN(1-38), “key-pair generation logic 126 can receive action data (e.g., in digital form) from action sensor(s) 124 as the user performs an action sequence and can use the action data to generate a set of N public/private key pairs 128”, Fig. 2 (208, 210, 212), Fig. 3, CL(9), LN(42-67), CL(10-12), CL(13), LN(32-40), “At block 212, user device 104 can compute a set of N key pairs {(pk1, sk1), . . . (pkN, skN)} using the input data set generated at block 210 and the random salt generated at block 206. (In the notation used herein, “pki” for integer i denotes a public key and “ski” denotes the corresponding private, or secret, key”. CL(13), LN(60-67), CL(14), LN(1-10)), i.e. public variables, private keys and public keys are generated as per ZKP protocol)
deleting said private keys from the enrollment center; (Fig. 2 (218), CL(14), LN(55-60), “At block 218, user device 104 can destroy the set of private keys, i.e., {sk1, . . . skN}”)
storing said public variables, public keys, and prover identity associated with the prover computer device in a database; (Fig. 1(112), CL(5), LN(39-67), CL(6), LN(1-12)) 
subsequent to performing the enrollment process, performing an on demand     authentication process comprising: 
receiving at a verifier computer from the prover, a prover authentication
request sent from said prover computer device which includes the prover identity and a preferred ZKP protocol identifier; (Fig. 4(404), CL(16), LN(9-47), “recovery device 106 can provide account credentials 114 for the account to be recovered”, i.e. an authentication request is received from a prover to a verifier);
looking up a prover's public key in the database via the identity; (CL(18), LN(19-25), “Server system 102 can use its stored public keys {pk1, . . . pkN} to evaluate whether each response is correct or incorrect”, i.e. Examiner submits that in order to evaluate the response server looks up public key in a database)
commencing a round of authentication by receiving a commitment generated according to the selected ZKP protocol; (Fig. 4(414), CL(17), LN(64-67), CL(18), LN(1-22), “at block 414, recovery device 106 can perform a ZKP proof with server system 102”, i.e. authentication round commenced for the ZKP protocol) and 
repeating said step of commencing a round of authentication until the verifier computer accepts or rejects the prover's identity. (CL(18), LN(14-22), “ the set of challenges can be structured such that each of the N private keys is used to sign at least one challenge; for instance, there can be N challenges, each to be signed with a different private key. Recovery device 106 can use its key pairs {(pk1′, ski′), . . . (pkN′, skN′)} to respond to the set of challenges. Server system 102 can use its stored public keys {pk1, . . . pkN} to evaluate whether each response is correct or incorrect”, Fig. 4(416, 418, 420, 422), CL(18), LN(34-48), i.e. steps of authentication are repeated until the verifier computer provides a result).
Friedman does not teach explicitly,
combining the credentials and the private keys to generate at least one device key share; 
sending said public variables and at least one device key share to the prover computer device; 
[receiving at a verifier computer from the prover, a prover authentication
request sent from said prover computer device which includes the prover identity] and a preferred ZKP protocol identifier; 
said verifier sending a selected ZKP protocol identifier to the prover computer device; 
However, Brown teaches,
combining the credentials and the private keys to generate at least one device key share; (¶9, “The secret user credential may take the form of any private and reproducible digital information, including but not limited to, for example, passwords, PINs, private keys, biometrics, hardware security modules, and/or algorithmic identifiers”, Fig. 3(310), ¶133, “the multiple user secrets may be coupled together as a single transaction”, i.e. Examiner submits that user credentials and private key are combined)
sending said public variables and at least one device key share to the prover computer device; (¶55, “ZKAI 130 may include one or more publicly known parameters corresponding to a user secret”, Fig. 2, ¶65, ¶131, “At 220, the ZKAI may be recorded/registered/appended as a distributed ledger (DL) transaction in a DL”, ¶136, Fig. 5C, ¶148) 
[receiving at a verifier computer from the prover, a prover authentication
request sent from said prover computer device which includes the prover identity] and a preferred ZKP protocol identifier; (Fig. 3(320), ¶134, “In some embodiments, the ZKAI may be generated using a non-interactive sigma protocol with Fiat-Shamir transform and an elliptic curve via, as an example, Approach #1 or Approach #2, as discussed above”, Fig. 3(330), ¶135, “ At 330, the ZKAI is registered on a distributed ledger”, i.e. verifier transmits FFS protocol identifier)
said verifier sending a selected ZKP protocol identifier to the prover computer device; (Fig. 6, ¶153, “At 640, the user is authenticated by comparing the proof data received from the request with the ZKAI stored in the DL. The ZKAI having at least one random number parameter and a parameter generated from a Fiat Shamir Transform, the parameter generated from the Fiat Shamir Transform allowing each proof data to be unique”, i.e. Examiner submits that in order to authenticate user based on the stored ZKAI user has to generate parameters. For that verifier must have sent ZKP protocol identifier to the prover). 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Brown with the invention of Friedman.
Friedman teaches, authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier. Brown teaches, including a protocol identifier while authenticating a prover with ZKP protocol.  Therefore, it would have been obvious to have including a protocol identifier while authenticating a prover with ZKP protocol of Brown with authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier of Friedman to avoid an attacker obtaining access to the centralized servers having the large amount of user credentials and data. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 16, it is a system claim of above method Claim 1 and therefore Claim 16 is rejected with the same rationale as applied against Claim 1 above. In addition Friedman discloses prover computer device (Fig. 1(104)) and verifier computer device (Fig. 1(102)). 

Regarding Claim 14 Friedman teaches,
A zkMFA method of authentication of a prover by a verifier comprising: computing on a prover computer device, a public commitment from a randomly generated private witness; 
generating by said verifier computer, a random challenge; (CL(18), LN(9-15), “server system 102 can issue a set of challenges to recovery device 106, where each challenge can include a random string to be digitally signed using a specified one of the private keys (or to be signed using a specified sequence of different private keys)”, i.e. server (verifier computer) generates a random challenge).
sending said random challenge from said verifier computer to the prover; (CL(18), 17-19), “Recovery device 106 can use its key pairs {(pk1′, ski′), . . . (pkN′, skN′)} to respond to the set of challenges”, i.e. recover device (prover) responds to challenge indicate that the challenge was received from the verifier)
[prompting the prover via said prover computer device for credentials] selected by said random challenge;  (CL(18), LN(9-15), “server system 102 can issue a set of challenges to recovery device 106, where each challenge can include a random string to be digitally signed using a specified one of the private keys (or to be signed using a specified sequence of different private keys)”, i.e. server (verifier computer) generates a random challenge)
accepting a response as a combination of ZKP private keys sent from said prover computer device by said verifier computer as a prover's response for a round; (CL(18), LN(19-24), “Server system 102 can use its stored public keys {pk1, . . . pkN} to evaluate whether each response is correct or incorrect. Based on the responses, server 102 can reach a conclusion as to how many (and which ones) of the correct public keys are possessed by recovery device 106.”, i.e. server device accept response as digital signature signed by the private key that is verified with stored public key).
evaluating by said verifier computer, said prover's response for said round, and said verifier computer responding to the prover with either one of: acceptance of identity, rejection of identity, or request for continuation of authentication, as a determination of whether the prover passed said round of authentication, and determining by said verifier computer if there will be subsequent round of authentication; (Fig. 5, CL(19), LN(35-42), “At block 512, recovery process 500 can determine a threshold for proof that recovery device 106 will be required to meet in order to prove its possession of the user's action data using a ZKP proof. The particular threshold can be implementation-dependent. In the example described above, where the proof is based on recovery device 106 demonstrating knowledge of key pairs generated from the action data”. CL(20), LN(48-67), CL(21), LN(1-10)) and 
if subsequent rounds of authentication are called for, repeating said steps of computing on said prover computer device, said public commitment to receiving by said verifier computer, said step of receiving by said verifier computer, and said steps from generating by said verifier computer, said random challenge to said step of evaluating by said verifier computer, said prover's response for said round, until the prover's identity is accepted or rejected. (CL(18), LN(14-22), “ the set of challenges can be structured such that each of the N private keys is used to sign at least one challenge; for instance, there can be N challenges, each to be signed with a different private key. Recovery device 106 can use its key pairs {(pk1′, ski′), . . . (pkN′, skN′)} to respond to the set of challenges. Server system 102 can use its stored public keys {pk1, . . . pkN} to evaluate whether each response is correct or incorrect”, Fig. 4(416, 418, 420, 422), CL(18), LN(34-48), i.e. steps of authentication are repeated until the verifier computer provides a result).
Friedman does not teach explicitly,
prompting the prover via said prover computer device for credentials [selected by said random challenge]; 
However, Brown teaches,
prompting the prover via said prover computer device for credentials [selected by said random challenge]; (Fig. 3(320), ¶134, “At step 320, the user secret is immediately generated into a ZKAI upon input of the user secret into the user computing device 115 such that the user secret is never saved to any persistent or non-persistent storage medium. Additionally, the ZKAI is generated such that the user secret cannot be derived from the ZKAI. In some embodiments, the ZKAI may be generated using a non-interactive sigma protocol with Fiat-Shamir transform and an elliptic curve via, as an example, Approach #1 or Approach #2, as discussed above”, Fig. 6(610), ¶150, “ At 610, a request for authenticating a user is received; the request may include a proof of knowledge (e.g., a proof data) corresponding to a transaction ID uniquely identifying a ZKAI”, i.e. Examiner submits that in order to provide proof data, prover is prompted for credentials).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Brown with the invention of Friedman.
Friedman teaches, authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier based on a random challenge. Brown teaches, generating a credential while authenticating a prover with ZKP protocol .  Therefore, it would have been obvious to have generating a credential while authenticating a prover with ZKP protocol of Brown with authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier based on a random challenge of Friedman to avoid an attacker obtaining access to the centralized servers having the large amount of user credentials and data. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 2, rejection of Claim 1 is included and for the same motivation Friedman teaches,
. The method of claim 1, wherein said step of performing at least once, said enrollment process, comprises performing at least once, a direct enrollment process. (Fig. 2(214), CL(14), LN(41-43)),  “At block 214, user device 104 can send just the public key of each pair, i.e., {pk1, . . . pkN}, to server system 102 to be stored as recovery key set 118.”, i.e. Examiner submits that the device is transmitting public keys directly to the server indicates that the enrollment process is direct enrollment process).

Regarding Claim 3, rejection of Claim 1 is included and for the same motivation Friedman does not teach explicitly,
The method of claim 1, wherein said step of performing at least once, said enrollment process, comprises performing at least once, an indirect enrollment process.
However, Brown teaches,
The method of claim 1, wherein said step of performing at least once, said enrollment process, comprises performing at least once, an indirect enrollment process. (Fig. 3(330), ¶135, “At 330, the ZKAI is registered on a distributed ledger. One of ordinary skill in the art may appreciate that the registration of the ZKAI onto a blockchain of a DL in effect makes the ZKAI immutable and distributed (e.g., not centralized”, FIG. %A-5B, ¶147-¶148, “A credential(s) registration engine 120 may receive the request. The credential registration engine 120 may generate a ZKAI using, as an example, a non-interactive sigma protocol with a Fiat-Shamir Transform and elliptic curves. As discussed above, the credential registration engine 120 does not store the user secret anywhere within its system”, “At FIG. 5B, the credential registration engine 120 may register the ZKAI onto a DL 150.sub.1 as a DL transaction”, i.e. Examiner submits that enrollment process is an indirect enrollment process via a credential registration engine).  

Regarding Claim 4, rejection of Claim 1 is included and for the same motivation Friedman does not teach explicitly,
The method of claim 1, wherein said step of said verifier sending said ZKP protocol identifier to said prover computer device comprises selecting said ZKP protocol identifier from a prover's public information.
However, Brown teaches,
The method of claim 1, wherein said step of said verifier sending said ZKP protocol identifier to said prover computer device comprises selecting said ZKP protocol identifier from a prover's public information. (¶55, “ZKAI 130 may include one or more publicly known parameters corresponding to a user secret”, Fig. 2, ¶65, ¶131, “At 220, the ZKAI may be recorded/registered/appended as a distributed ledger (DL) transaction in a DL”, ¶136, Fig. 5C, ¶148) 

Regarding Claim 5, rejection of Claim 1 is included and for the same motivation Friedman does not teach explicitly,
The method of claim 1, wherein said step of sending said ZKP protocol identifier comprises sending a FFS ZKP protocol to said prover computer device.
However, Brown teaches,
The method of claim 1, wherein said step of sending said ZKP protocol identifier comprises sending a FFS ZKP protocol to said prover computer device. (Fig. 6, ¶153, “At 640, the user is authenticated by comparing the proof data received from the request with the ZKAI stored in the DL. The ZKAI having at least one random number parameter and a parameter generated from a Fiat Shamir Transform, the parameter generated from the Fiat Shamir Transform allowing each proof data to be unique”, i.e. Examiner submits that in order to authenticate user based on the stored ZKAI user has to generate parameters. For that verifier must have sent FFS ZKP protocol identifier to the prover).

Regarding Claim 6, rejection of Claim 1 is included and for the same motivation Friedman does not teach explicitly,
The method of claim 1, wherein said step of performing an on demand an authentication process comprises performing a zkMFA authentication process.
However, Brown teaches,
The method of claim 1, wherein said step of performing an on demand an authentication process comprises performing a zkMFA authentication process. (¶62, “someone trying to prove (e.g., a prover) to another person (e.g., a verifier such as an entity 160) that the prover knows the secret but cannot outright reveal the secret. As discussed above, zero-knowledge proofs of knowledge (ZKPoK) in an authentication setting do not expose private information that is prover knowledge, obscured or otherwise, to the verifier at any point in the exchange”, ¶140, “the user may want to establish a multi-factor authentication to further enhance security by registering multiple transaction IDs corresponding to multiple user secrets registered on the DL”, ¶141, i.e. authentication process performs a zkMFA authentication process).


Regarding Claim 7, rejection of Claim 1 is included and for the same motivation Friedman teaches,
The method of claim 1, wherein said step of performing at least once, an enrollment process, further comprises, if attestation is to be allowed, generating at least one device long-term key fragment and a corresponding public long-term key fragment per a ZKP protocol. (Fig. 2(202, 204), CL(9), LN(16-41), Fig. 1(126), CL(6), LN(62-67), CL(7), LN(1-38), “key-pair generation logic 126 can receive action data (e.g., in digital form) from action sensor(s) 124 as the user performs an action sequence and can use the action data to generate a set of N public/private key pairs 128”, Fig. 2 (208, 210, 212), Fig. 3, CL(9), LN(42-67), CL(10-12), CL(13), LN(32-40), “At block 212, user device 104 can compute a set of N key pairs {(pk1, sk1), . . . (pkN, skN)} using the input data set generated at block 210 and the random salt generated at block 206. (In the notation used herein, “pki” for integer i denotes a public key and “ski” denotes the corresponding private, or secret, key”. CL(13), LN(60-67), CL(14), LN(1-10)), i.e. private keys shares and public keys shares are generated as per ZKP protocol. These shares are long-term fragments)
 
Regarding Claim 9, rejection of Claim 1 is included and for the same motivation Friedman teaches,
The method of claim 1, wherein said step of performing an on demand authentication process further comprises, as a verifier, when protocol completes if allowing attestation and identity is accepted, store all commitments for that authentication session in said database as a public short-term key fragment associated with the prover's identity.  (Fig. 1(112), CL(5), LN(39-67), CL(6), LN(1-12)) 

Regarding Claim 10, rejection of Claim 1 is included and for the same motivation Friedman teaches,
The method of claim 1, further comprising subsequent to an on demand authentication process, an attestation process that proves if the prover has previously authenticated by verifying a prover's knowledge of at least one private proof element generated during a round of authentication. (CL(18), LN(14-22), “ the set of challenges can be structured such that each of the N private keys is used to sign at least one challenge; for instance, there can be N challenges, each to be signed with a different private key. Recovery device 106 can use its key pairs {(pk1′, ski′), . . . (pkN′, skN′)} to respond to the set of challenges. Server system 102 can use its stored public keys {pk1, . . . pkN} to evaluate whether each response is correct or incorrect”, Fig. 4(416, 418, 420, 422), CL(18), LN(34-48), i.e. a signing a challenge with at least one private key and verifying by the server using a public key indicates that prover has knowledge of at least one private proof element).

Claim  8 is rejected under 35 U.S.C. 103 as being unpatentable over Friedman et al. (US PAT. # US 11,140,171, hereinafter “Friedman”), and further in view of Brown et al. (US PGPUB. # US 2018/0270065, hereinafter “Brown”), and further in view of Avetisov et al. (US PUB. # US 2020/0287901, hereinafter  “Avetisov”).

Regarding Claim 8, rejection of Claim 1 is included and combination of Friedman and Brown does not teach explicitly,
 The method of claim 1, wherein said step of performing an on demand authentication process further comprises, as a prover, if allowing attestation and identity is accepted, store all witnesses for that authentication session in a local cache as a device short-term key fragment.
However, Avetisov teaches,
The method of claim 1, wherein said step of performing an on demand authentication process further comprises, as a prover, if allowing attestation and identity is accepted, store all witnesses for that authentication session in a local cache as a device short-term key fragment. (¶62, “The TEE 103 may process the credential input responsive to one or more requests or commands received from the authentication application 120 via the API 104. to the TEE of the mobile device. In some cases, the result may include an indication of whether the input credential matches a stored valid representation of the credential 109 or does not match the stored credential. If the input credential matches the valid representation within the TEE 103, the result may be cryptographically signed within the TEE 103”, ¶64, “he authentication application 120 may receive credentials 116 (e.g., public keys and representations of credentials) like those described above from the TEE 103 for out-of-band authentication operations. Those credentials 116 received by the authentication application 120 may be stored in memory 117 within the CEE 113”, i.e. public keys are stored in a memory after attestation and acceptance of the identity).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Avetisov with the invention of Friedman in view of Brown.
Friedman in view of Brown teaches, authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier and including a protocol identifier while authenticating a prover with ZKP protocol.  Avetisov teaches, storing public keys in a memory after an authentication. Therefore, it would have been obvious to have store public keys in a memory after an authentication of Avetisov into the teachings of Friedman in view of Brown so the subsequent authentication can be done in a fast secure manner. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Claims  11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Friedman et al. (US PAT. # US 11,140,171, hereinafter “Friedman”), and further in view of Brown et al. (US PGPUB. # US 2018/0270065, hereinafter “Brown”), and further in view of Kupwade Patil Harsh et al. (WIPO PUB. # WO 2020/139937, hereinafter  “Patil”).

Regarding Claim 11, rejection of Claim 10 is included and combination of Friedman and Brown does not teach explicitly,
The method of claim 10, wherein when performing attestation, generating ZKP private session keys by combining device short-term key fragments and device long-term key fragments.
However, Patil teaches,
The method of claim 10, wherein when performing attestation, generating ZKP private session keys by combining device short-term key fragments and device long-term key fragments. (Abstract, “Two or more parties can generate such key pairs and use them as their respective long-term key pairs which, when combined with the parties' short-term key pairs, can allow the parties to establish an authenticated, short-term shared key”, ¶16, “The authenticated key agreement provides an authenticated, shared secret key. In some embodiments, the shared key is a short-term key ( e.g . session key)”, ¶111, Claim 7, i.e. session key is generated by combining long-term key and short-term key).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Patil with the invention of Friedman in view of Brown.
Friedman in view of Brown teaches, authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier and including a protocol identifier while authenticating a prover with ZKP protocol.  Patil teaches, combining long-term key and short-term key to generate a session key. Therefore, it would have been obvious to have combining long-term key and short-term key to generate a session key of Patil into the teachings of Friedman in view of Brown to establish a secure session for exchange of sensitive data. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 12, rejection of Claim 10 is included and combination of Friedman and Brown does not teach explicitly,
The method of claim 10, wherein when performing attestation, generating a response by use of ZKP private session keys.
However, Patil teaches,
The method of claim 10, wherein when performing attestation, generating a response by use of ZKP private session keys. (Abstract, “Two or more parties can generate such key pairs and use them as their respective long-term key pairs which, when combined with the parties' short-term key pairs, can allow the parties to establish an authenticated, short-term shared key”, ¶16, “The authenticated key agreement provides an authenticated, shared secret key. In some embodiments, the shared key is a short-term key ( e.g . session key)”, ¶111, Claim 7, i.e. session key is generated by combining long-term key and short-term key).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Patil with the invention of Friedman in view of Brown.
Friedman in view of Brown teaches, authenticating a prover utilizing a zero knowledge proof protocol (ZKP) by a verifier and including a protocol identifier while authenticating a prover with ZKP protocol.  Patil teaches, combining long-term key and short-term key to generate a session key. Therefore, it would have been obvious to have combining long-term key and short-term key to generate a session key of Patil into the teachings of Friedman in view of Brown to establish a secure session for exchange of sensitive data. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 13, rejection of Claim 12 is included and for the same motivation combination of Friedman and Brown does not teach explicitly,
The method of claim 12, wherein when combining device long-term key fragments and device short-term key fragments, combining in such a way that an output has a pseudorandom distribution and a resulting private session key that can be substituted for ZKP private keys in an attestation protocol.
However, Patil teaches,
The method of claim 12, wherein when combining device long-term key fragments and device short-term key fragments, combining in such a way that an output has a pseudorandom distribution and a resulting private session key that can be substituted for ZKP private keys in an attestation protocol. (Abstract, “Two or more parties can generate such key pairs and use them as their respective long-term key pairs which, when combined with the parties' short-term key pairs, can allow the parties to establish an authenticated, short-term shared key”, ¶16, “The authenticated key agreement provides an authenticated, shared secret key. In some embodiments, the shared key is a short-term key ( e.g . session key)”, ¶111, Claim 7,Fig. 2A, Fig. 2B, ¶84- ¶89, “The shared key K can then be used by users z and j as a symmetric key for communicating with each other for the entire session. The key can be used for encryption, signature, and/or any other cryptographic use” i.e. shared key can be used for signature indicates that the shared key can be used for attestation).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Soriente et al. (US PGPUB. # US 2021/0167958) discloses, a method for cryptographic key provisioning includes, via a main authentication server (MAS), generating a first secret key and registering a client by performing a first portion of a first instance of a distributed threshold oblivious pseudo-random function. The first instance of the function results in the client obtaining a root secret key and the MAS obtaining a corresponding root public key. The method includes authenticating the client to the MAS by performing a first portion of a second instance of the distributed threshold oblivious pseudo-random function. The second instance of the function results in the client obtaining the root secret key. Information stored by the client, the first secret key, and a second secret key generated by a support authentication server are inputs to at least one of the first and second instances of the distributed threshold oblivious pseudo-random function.
Fletcher et al. (US PGPUB. # US 2020/0127835) discloses, a method is described for enabling recovery of one or more digital assets held on a blockchain by a user under a public key Pk after a corresponding private key Sk for accessing the one or more digital assets is lost. The computer implemented method comprises setting access for the one or more digital assets held on the blockchain under the public key Pk and accessible using the corresponding private key Sk of the user such that the one or more digital assets are also accessible using a private key x shared by a congress on the blockchain network, the congress comprising a group of users on the blockchain network, each member of the congress having a private key share xi, the private key share xi to be used in a threshold signature scheme in which at least a threshold of private key shares must be used to generate a valid signature through the combination of partial signatures of the congress to access the one or more digital assets on behalf of the user. If the private key Sk is lost then the congress can be notified to access the one or more digital assets on behalf of the user, the user proving their identity to the congress by providing a recovery password.
Machani et al. (US PAT. # US 10,516,527) discloses, Split-key based cryptography techniques are provided for data protection and synchronization across multiple computing devices of a user. A method performed by a first device of a user comprises encrypting a data using a randomly-generated data encryption key; wrapping the data encryption key with a public key of a second device of the user; and sending the encrypted data and the wrapped data encryption key of the first device wrapped with the public key of the second device to a server. The server sends the encrypted data and the wrapped data encryption key of the first device wrapped with the public key of the second device to the second device. The first device or the second device can access the encrypted data by reconstructing their respective private key using a predefined number of shares obtained using a key splitting scheme.
Oltmans et al. (Us PGPUB. # US 0031372) discloses, system for obscuring the location of critical system files are provided. In particular, the locations of files stored within a file system are selected by applying various inputs to a hash algorithm. For system files, the inputs applied to the hash algorithm can include a user name and password. For data files, the information provided to the hash algorithm can include the file name. In addition to providing random file locations, a file system in accordance with embodiments of the present invention can homogenize other information, including file names, sizes and creation dates.
Sandhu et al. (US PGPUB. # US 2006/0184787) discloses, techniques for user authentication based upon an asymmetric key pair having a public key and a split private key are provided. A first portion of the split private key is generated based upon multiple factors under control of the user. The factors include a password. A challenge is cryptographically combined with a first one of the multiple factors, but not the user password, to form a first message. The first message is transformed with the generated first portion to form a second message, which is then sent to an authentication entity. The sent second message is transformed to authenticate the user by proving direct verification of user control of the first factor.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DARSHAN I DHRUV/          Primary Examiner, Art Unit 2498