DETAILED ACTION
Notice of Pre-AIA  or AIA  Status

1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 


Claim Rejections - 35 USC § 101
2. 35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

3. Claims 1-20, 22-23, and 25-26 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
In sum, claims 1-20 and 22-23, and 25-26 are rejected under 35 U.S.C. §101 because the claimed invention is directed to a judicial exception to patentability (i.e., a law of nature, a natural phenomenon, or an abstract idea) and do not include an inventive concept that is something “significantly more” than the judicial exception under the January 2019 patentable subject matter eligibility guidance (2019 PEG) analysis which follows.             
Under the 2019 PEG step 1 analysis, it must first be determined whether the claims are directed to one of the four statutory categories of invention (i.e., process, machine, manufacture, or composition of matter). Applying step 1 of the analysis for patentable subject matter to the claims, it is determined that the claims are directed to the statutory category of a process (claims 1-8 and 16-26), a machine (claims 10-150 and, a manufacture (claim 9), where the machine and manufacture are substantially directed to the subject matter of the process. (See, e.g., MPEP §2106.03). Therefore, we proceed to step 2A, Prong 1. Therefore, we proceed to step 2A, Prong 1. 
Under the 2019 PEG step 2A, Prong 1 analysis, it must be determined whether the claims recite an abstract idea that falls within one or more designated categories of patent ineligible subject matter (i.e., organizing human activity, mathematical concepts, and mental processes) that amount to a judicial exception to patentability. Here, the claims recite the abstract idea of receiving a one-time key and encrypting payment data based on the key in order to conduct a payment by: 
receiving a one-time pad (OTP) key generated based on a plurality of true random numbers;
encrypting payment data based on the OTP key; and
performing a payment based on the encrypted payment data.
Here, the recited abstract idea falls within one or more of the three enumerated 2019 PEG categories of patent ineligible subject matter, to wit: the category of certain methods of organizing human activity, which includes fundamental economic practices or principles and commercial or legal interactions (e.g., receiving a one-time key and encrypting payment data based on the key in order to conduct a payment).  
Under the 2019 PEG step 2A, Prong 2 analysis, the identified abstract idea to which the claim is directed does not include limitations that integrate the abstract idea into a practical application, since the recited features of the abstract idea are being applied on a computer or computing device or via software programming that is simply being used as a tool (“apply it”) to implement the abstract idea. (See, e.g., MPEP §2106.05(f)). Therefore, the claim is directed to an abstract idea. 
Under the 2019 PEG step 2B analysis, the additional elements are evaluated to determine whether they amount to something “significantly more” than the recited abstract idea. (i.e., an innovative concept). Here, the additional elements, such as: a “payment token” do not amount to an innovative concept since, as stated above in the step 2A, Prong 2 analysis, the claims are simply using the additional elements as a tool to carry out the abstract idea (i.e., “apply it”) on a computer or computing device and/or via software programming. (See, e.g., MPEP §2106.05(f)). The additional elements are specified at a high level of generality to simply implement the abstract idea and are not themselves being technologically improved. (See, e.g., MPEP §2106.05 I.A.); (see also, paragraph [0010] of the specification). Independent claim 10 is nearly identical to claim 1 so the same analysis applies to claim 10. Independent claim 16 contains several additional limitations that are different from independent claims 1 and 10. These limitations are “receiving payment data encrypted using the OTP key” and “verifying either one or both of validity and integrity of a mobile payment based on the OTP key and the encrypted payment data.” The step of “receiving payment data encrypted using the OTP key” is an insignificant extra solution activity. The receiving of payment data is the gathering and transmitting of data. This is similar to the data gathering that the Federal Circuit found in CyberSource v. Retail Decisions, Inc., where information was obtained about credit card transactions so that the information can be analyzed in verifying credit card transactions. CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375 (Fed. Cir. 2011). Similarly, the system in the current invention is receiving payment data that has been encrypted or secured using the OTP key. The same holds true for the limitation “verifying either one or both of the validity and the integrity of the mobile payment based on the OTP key and the encrypted payment data.” This step of using the OTP key and encrypted payment data in order to verify a payment is an insignificant extra solution activity. This use of an OTP key and encrypted payment data is in essence the gathering and transmitting of data. This is similar to the data gathering that the Federal Circuit found in CyberSource v. Retail Decisions, Inc., where information was obtained about credit card transactions so that the information can be analyzed in verifying credit card transactions. CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375 (Fed. Cir. 2011). Similarly, the system here is using both an OTP key and encrypted payment data to verify a mobile payment. This verification step by using an OTP key and encrypted payment data is the mere gathering and transmitting of data.
The limitations of claim 16 that state: “receiving payment data encrypted using the OTP key” and “verifying either one or both of validity and integrity of a mobile payment based on the OTP key and the encrypted payment data” along with their combination of elements define only well-understood, routine, conventional activity. This is simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer functions that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984. (See MPEP § 2106.05(d) and the Berkheimer Memo). In the current invention, receiving payment data is a well-understood, routine and conventional activity previously known to the industry. In addition, using an OTP key and encrypted payment data to verify a payment is also a well-understood, routine and conventional activity previously known to the industry. The Federal Circuit in buySAFE, Inc. v. Google, Inc. held that a computer receiving and sending information over a network is a well-understood, routine, and conventional activity. See buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014). Similarly, in the present invention, the receiving of payment data and then verifying the payment using an OTP key and encrypted payment data would constitute a well-understood, routine and conventional activity previously known to the industry. Therefore, the claimed additional elements do not amount to an inventive concept. 
Dependent claims 2–9, 11-15, 17-20, 22-23, and 25-26 have all been considered and do not integrate the abstract idea into a practical application. Dependent claims 2, 11, and 17 all recite nearly identical limitations that further define the abstract idea noted in claim 1 in that the true random numbers are being generated using a “quantum random number generator.” This use of a random number generator is a generic method to randomly generate a number sequence. Dependent claim 3 recites limitations that further define the abstract idea noted in claim 1 in that it describes decrypting the OTP key. This decryption process is a generic method that allows for obtaining sensitive payment information in order conduct a payment. Dependent claims 4, 13, and 18 all recite nearly identical limitations that further define the abstract idea noted in claim 1 in that it describes what exactly the payment data is. Here, it could be any two of encrypted transaction ID, card number, expiration date, purchase date and time, seller, purchased item, payment amount, CVC, address of a buyer, and a nonce value corresponding to the payment data.” This merely adds specific detail to exactly what the payment data comprises. Dependent claims 5 and 14 both recite nearly identical limitations that further define the abstract idea noted in claim 1 in that they describe generating a hash value by applying a hash function to the payment data and encrypting the payment data and the hash value using the OTP key. Generating a hash value using a hash function and then encrypting data and hash value is a generic function used to mask the data aiming to be secured. 
Dependent claim 6 recites limitations that further define the abstract idea noted in claim 1 in that it describes the specific type of algorithm being used for the hash function. This is adding detail to the abstract idea by using a specific algorithm for the hash function. Dependent claim 7 and 15 both recite nearly identical limitations that further define the abstract idea noted in claim 1 in that they describe combining the payment data with the hash value and then performing encryption on this specific piece of combined data. This combining of data to then encrypt it is a generic process. Dependent claim 8 recites limitations relating to generating the OTP key and verifying a payment using the OTP key and payment data that are nearly identical to the independent claim 16 so the same analysis applies to this claim as well. Dependent claim 9 recites limitations that further define the abstract idea noted in claim 1 in that it describes using a non-transitory computer-readable storage medium and processor to perform the steps found in claim 1. The use of these additional elements (“storage medium” and “processor”) are merely being used to implement the abstract idea noted in claim 1. Dependent claim 12 recites limitations that further define the abstract idea noted in claim 1 in that it describes decrypting the OTP-encrypted payment data. This decryption process is a generic method that allows for obtaining sensitive payment information in order conduct a payment. Dependent claim 19 recites limitations that further define the abstract idea noted in claim 1 in that it describes decrypting the encrypted payment data and then verifying the mobile payment based on this decryption. The use of decryption is generic process in order to uncover sensitive data for further processing when carrying out a transaction such a payment. Dependent claim 20 recites limitations that further define the abstract idea noted in claim 1 in that it describes obtaining decrypted payment and the decrypted hash value of the payment data by decrypting the encrypted payment data based on the OTP key. The use of decryption is generic process in order to uncover sensitive data for further processing when carrying out a transaction such a payment. Dependent claim 22 recites limitations that further define the abstract idea noted in claim 1 in that it describes determining the where the nonce value is unique for verification. This adds further detail to how the verification process takes place. This is by determining whether the nonce value is unique.  Dependent claim 23 recites limitations that further define the abstract idea noted in claim 1 in that it describes encrypting the OTP key. The use of an encryption technique is a generic process for used for securing data. This also applies to dependent claim 25 which also describes encrypting the OTP key as well as transmitting the key. The transmitting of key is transmitting of data which as described above is an insignificant extra solution activity. Dependent claim 23 recites limitations that further define the abstract idea noted in claim 1 in that it describes receiving the data that has been encrypted. This receiving of data is the mere gathering of data which as described above is an insignificant extra solution activity.
The additional elements of the dependent claims merely refine and further limit the abstract idea of the independent claims and do not add any feature that is an “inventive concept” which cures the deficiencies of their respective parent claim under the 2019 PEG analysis. None of the dependent claims considered individually, including their respective limitations, include an “inventive concept” of some additional element or combination of elements sufficient to ensure that the claims in practice amount to something “significantly more” than patent-ineligible subject matter to which the claims are directed.
The elements of the instant process steps when taken in combination do not offer substantially more than the sum of the functions of the elements when each is taken alone. The claims as a whole, do not amount to significantly more than the abstract idea itself because the claims do not effect an improvement to another technology or technical field (e.g., the field of computer coding technology is not being improved); the claims do not amount to an improvement to the functioning of an electronic device itself which implements the abstract idea (e.g., the general purpose computer and/or the computer system which implements the process are not made more efficient or technologically improved); the claims do not perform a transformation or reduction of a particular article to a different state or thing (i.e., the claims do not use the abstract idea in the claimed process to bring about a physical change. See, e.g., Diamond v. Diehr, 450 U.S. 175 (1981), where a physical change, and thus patentability, was imparted by the claimed process; contrast, Parker v. Flook, 437 U.S. 584 (1978), where a physical change, and thus patentability, was not imparted by the claimed process); and the claims do not move beyond a general link of the use of the abstract idea to a particular technological environment (e.g., simply claiming the use of a computer and/or computer system to implement the abstract idea).

Claim Rejections - 35 USC § 102
4. In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention; or

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

6. Claims 1, 3, 5-6, 8-10, 12, 14, 16, 19-20, and 23 are rejected under 35 U.S.C. §102 (a)(2) as being anticipated by Conner (U.S. Pub. No. 2021/0314143) hereinafter (“Conner”).
Regarding claim 1, Conner discloses receiving a one-time pad (OTP) key generated based on a plurality of true random numbers. Conner states that “A random sequence is written to the blockchain ledger. At the remote server, the blockchain ledger is received. The random sequence is extracted from the blockchain ledger. A one-time pad key is created using the true random sequence. The one-time pad key is sent to the connected device in a secure manner.” (See paragraph [0015]). 
	Conner discloses encrypting payment data based on the OTP key as a payment token. Conner states that “[t]he TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server. Any additional encryption combination using one or both keys in any encryption sequence could be applied to the payment packet on the device to secure the payment data. Once the payment data is encrypted, the application can then send the data to all servers in the system for storage on the ledger.” (See paragraph [0161]). This use of the OTP key in conjunction with encrypting the payment data is what comprises the payment token that is used to carry out the secure transaction.  
	Conner discloses performing a payment based on the encrypted payment data. Conner states that “After completion of the transaction to OTP encrypt the payment and store it on a distributed ledger, the application can then contact the recipient of the payment via an application on the recipient's device to relay information regarding how to redeem the payment.” (See paragraph [0162]). This use of an OTP along with encrypting the payment data are then used to carry out the payment to the recipient. 

Regarding claim 3, Conner discloses decrypting the OTP key. Conner states that “An extended method for encrypting/decrypting the data would be for the user to specify the start and/or end date of when the packet was encrypted, along with their private encryption key, which could have been used along with the OTP key to further encrypt/decrypt the data referenced.” (See paragraph [0172]).

Regarding claim 5, Conner discloses generating a hash value by applying a hash function to the payment data and encrypting the payment data and the hash value using the OTP key. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). This generating of a hash would be done by applying a hash function and the payment data would be encrypted along with the hash value using the OTP key. 

Regarding claim 6, Conner discloses that the hash function is Secure Hash Algorithm-3 (SHA-3). Conner states that “Some other hashing algorithms that are used for proof-of-work include CryptoNight, Blake, SHA-3, and X11.” (See paragraph [0009]).
Regarding claim 8, Conner discloses generating the OTP key based on the plurality of true random numbers. Conner states that “A random sequence is written to the blockchain ledger. At the remote server, the blockchain ledger is received. The random sequence is extracted from the blockchain ledger. A one-time pad key is created using the true random sequence. The one-time pad key is sent to the connected device in a secure manner.” (See paragraph [0015]).  Conner also discloses verifying a validity and integrity of the payment using the OTP key and the encrypted payment data with the encrypted hash value. As noted above, Conner discloses that the hash value in encrypted along with the payment data. Conner states that “The TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server.” “Once the payment data is recorded across all ledgers, a verification system running on the server side could be sent a request with the start timestamp and the length of the payment data record. The verification service could then lookup the newly recorded data on each individual copy of the ledger in the server environment by seeking to the timestamp in each copy of the ledger and comparing the data that follows based on the payment data packet length. If the data across all ledgers is identical, then the transaction was successful and the server can notify the application on the device that the data was stored on the ledger correctly.” (See paragraph [0161]).  This verification occurs using the OTP key as well as the encrypted payment data with the encrypted hash value to ensure that the payment is authentic. 

Regarding claim 9, Conner discloses a non-transitory computer-readable storage medium storing instructions executed by a processor. Conner states that “In another embodiment, the invention is an Internet-of-Things system, which comprises an Internet-connected device. This device comprises a sensor that generates a stream measurement data and a computing processor.” (See paragraph [0016]). Conner also states that “In an embodiment, when a user wants to decode their encrypted data they via their system 20A may send the ID for the encrypted data to the encryption system 50A (communication 112 in FIG. 5). The encryption system 50A may retrieve the encrypted data from storage (communications 114, 116 in FIG. 5).” (See paragraph [0134]).

Regarding claim 10, Conner discloses a receiver that receives a one-time pad (OTP) key generated based on a plurality of true random numbers. Conner first states that “Data is typically transmitted via an IEEE 802.1 network using an Internet Protocol (IP) to a gateway, router, receiver or aggregation point.” (See paragraph [0054]). This receiver is what receives the various data such as an OTP key and payment information. Conner states that “A random sequence is written to the blockchain ledger. At the remote server, the blockchain ledger is received. The random sequence is extracted from the blockchain ledger. A one-time pad key is created using the true random sequence. The one-time pad key is sent to the connected device in a secure manner.” (See paragraph [0015]). 
	Conner discloses a processor that encrypts payment data based on the OTP key as a payment token. Conner states that “In another embodiment, the invention is an Internet-of-Things system, which comprises an Internet-connected device. This device comprises a sensor that generates a stream measurement data and a computing processor.” (See paragraph [0016]). Conner states that “[t]he TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server. Any additional encryption combination using one or both keys in any encryption sequence could be applied to the payment packet on the device to secure the payment data. Once the payment data is encrypted, the application can then send the data to all servers in the system for storage on the ledger.” (See paragraph [0161]). This use of the OTP key in conjunction with encrypting the payment data is what comprises the payment token that is used to carry out the secure transaction.  
	Conner discloses a processor that performs a payment based on the encrypted payment data. Conner states that “In another embodiment, the invention is an Internet-of-Things system, which comprises an Internet-connected device. This device comprises a sensor that generates a stream measurement data and a computing processor.” (See paragraph [0016]). Conner states that “After completion of the transaction to OTP encrypt the payment and store it on a distributed ledger, the application can then contact the recipient of the payment via an application on the recipient's device to relay information regarding how to redeem the payment.” (See paragraph [0162]). This use of an OTP along with encrypting the payment data are then used to carry out the payment to the recipient. 

	Regarding claim 12, Conner discloses that the processor decrypts the OTP-encrypted payment data. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). Conner also states that “[t]he server then sends the data to the recipient application over an encrypted connection or messaging service, and the recipient application can then decrypt the payment record in the TEE so that the data is fully secured during decryption. The record can then be stored in encrypted and/or cleartext in TEE memory or in a secure data store on the recipient device or peripheral. This could all happen as one or many transactions across the ledger system.” (See paragraph [0162]). Hence, the OTP-encrypted payment data is decrypted. 


Regarding claim 14, Conner discloses generating a hash value by applying a hash function to the payment data and encrypting the payment data and the hash value using the OTP key. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). This generating of a hash would be done by applying a hash function and the payment data would be encrypted along with the hash value using the OTP key. 

	Regarding claim 16, Conner discloses receiving a plurality of true random numbers and generating an OTP key based on the plurality of true random numbers. Conner states that “A random sequence is written to the blockchain ledger. At the remote server, the blockchain ledger is received. The random sequence is extracted from the blockchain ledger. A one-time pad key is created using the true random sequence. The one-time pad key is sent to the connected device in a secure manner.” (See paragraph [0015]). This random sequence is a plurality of true random numbers and OTP key is created based on those random numbers.
	Conner discloses receiving payment data encrypted using the OTP key. Conner states that “[t]he TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server. Any additional encryption combination using one or both keys in any encryption sequence could be applied to the payment packet on the device to secure the payment data. Once the payment data is encrypted, the application can then send the data to all servers in the system for storage on the ledger.” (See paragraph [0161]). Thus, the payment data is received and encrypted using the OTP key. 
Conner also discloses verifying validity and integrity of a mobile payment based on the OTP key and the encrypted payment data. Conner states that “The TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server.” “Once the payment data is recorded across all ledgers, a verification system running on the server side could be sent a request with the start timestamp and the length of the payment data record. The verification service could then lookup the newly recorded data on each individual copy of the ledger in the server environment by seeking to the timestamp in each copy of the ledger and comparing the data that follows based on the payment data packet length. If the data across all ledgers is identical, then the transaction was successful and the server can notify the application on the device that the data was stored on the ledger correctly.” (See paragraph [0161]).  This verification occurs using the OTP key as well as the encrypted payment data with the encrypted hash value to ensure that the payment is authentic. 

	Regarding claim 19, Conner discloses decrypting the encrypted payment data based on the OTP key and verifying the validity and the integrity of the mobile payment based on the decrypted payment data. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). Conner also states that “[t]he server then sends the data to the recipient application over an encrypted connection or messaging service, and the recipient application can then decrypt the payment record in the TEE so that the data is fully secured during decryption. The record can then be stored in encrypted and/or cleartext in TEE memory or in a secure data store on the recipient device or peripheral. This could all happen as one or many transactions across the ledger system.” (See paragraph [0162]). Hence, the OTP-encrypted payment data is decrypted. 
Conner states that “The TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server.” “Once the payment data is recorded across all ledgers, a verification system running on the server side could be sent a request with the start timestamp and the length of the payment data record. The verification service could then lookup the newly recorded data on each individual copy of the ledger in the server environment by seeking to the timestamp in each copy of the ledger and comparing the data that follows based on the payment data packet length. If the data across all ledgers is identical, then the transaction was successful and the server can notify the application on the device that the data was stored on the ledger correctly.” (See paragraph [0161]). Hence, the validity and the integrity of the mobile payment is verified through this verification process based on the decrypted payment data. 

	Regarding claim 20, Conner discloses decrypting comprises obtaining the decrypted payment data and the decrypted hash value of the payment data by decrypting the encrypted payment data based on the OTP key. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). Conner also states that “[t]he server then sends the data to the recipient application over an encrypted connection or messaging service, and the recipient application can then decrypt the payment record in the TEE so that the data is fully secured during decryption. The record can then be stored in encrypted and/or cleartext in TEE memory or in a secure data store on the recipient device or peripheral. This could all happen as one or many transactions across the ledger system.” (See paragraph [0162]). Hence, the OTP-encrypted payment data is decrypted to obtain the decrypted hash value and payment data. 

Regarding claim 23, Conner discloses encrypting the OTP key. Conner states that “[t]he TEE hardware encryption key could also be used to asymmetrically or symmetrically encrypt the payment packet first, and the output is then XORed with the OTP encryption key provided by the server. Any additional encryption combination using one or both keys in any encryption sequence could be applied to the payment packet on the device to secure the payment data. Once the payment data is encrypted, the application can then send the data to all servers in the system for storage on the ledger.” (See paragraph [0161]). Thus, the OTP key is also encrypted in this process.  


Claim Rejections - 35 USC § 103
7. In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of pre-AIA  35 U.S.C. §103(a) which forms the basis for all obviousness rejections set forth in this Office action: 
(a) A patent may not be obtained through the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 2, 11, and 17 are rejected under 35 U.S.C. §103 as being unpatentable over Conner in view of Mandich et al. (U.S. Pat. No. 10,402,172) (hereinafter “Mandich”).
Regarding claim 2, Conner may not describe that the plurality of true random numbers is generated by a quantum random number generator. However, Mandich teaches that the plurality of true random numbers is generated by a quantum random number generator. Mandich states that “concurrently, the second computational device 324 can generate identically tagged quantum numbers and generate an aggregation pool designated differentiated quantum uniquely tagged random numbers.” (See paragraph [0064]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Mandich so that the plurality of true random numbers is generated by a quantum random number generator. Doing so would allow for increased security when conducting a transaction by using quantum random numbers to hide the sensitive payment data of a user.

Regarding claim 11, Conner may not describe that the plurality of true random numbers is generated by a quantum random number generator. However, Mandich teaches that the plurality of true random numbers is generated by a quantum random number generator. Mandich states that “concurrently, the second computational device 324 can generate identically tagged quantum numbers and generate an aggregation pool designated differentiated quantum uniquely tagged random numbers.” (See paragraph [0064]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Mandich so that the plurality of true random numbers is generated by a quantum random number generator. Doing so would allow for increased security when conducting a transaction by using quantum random numbers to hide the sensitive payment data of a user.

Regarding claim 17, Conner may not describe that the plurality of true random numbers is generated by a quantum random number generator. However, Mandich teaches that the plurality of true random numbers is generated by a quantum random number generator. Mandich states that “concurrently, the second computational device 324 can generate identically tagged quantum numbers and generate an aggregation pool designated differentiated quantum uniquely tagged random numbers.” (See paragraph [0064]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Mandich so that the plurality of true random numbers is generated by a quantum random number generator. Doing so would allow for increased security when conducting a transaction by using quantum random numbers to hide the sensitive payment data of a user.

9. Claims 4, 13, and 18 are rejected under 35 U.S.C. §103 as being unpatentable Conner in view of Gaudin et al. (U.S. Pat. No. 10,949,830) (hereinafter “Gaudin”).
Regarding claim 4, Conner may not describe wherein the encrypted payment data comprises any one or any combination of any two or more of encrypted transaction ID, card number, expiration date, purchase date and time, seller, purchased item, payment amount, CVC, address of a buyer, and a nonce value corresponding to the payment data. However, Gaudin teaches that the encrypted payment data comprises any one of a card number, address of a buyer, and CVC. Gaudin states that “the financial payment data may include a tokenized card number, name, billing address, CSV, and/or tokens or encryption keys to enable secure financial transactions.” (See paragraph [0129]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Gaudin so that the encrypted payment data comprises any one of a card number, address of a buyer, and CVC. Doing so would allow for greater amount of security of sensitive payment data of a user.   

Regarding claim 13, Conner may not describe wherein the encrypted payment data comprises any one or any combination of any two or more of encrypted transaction ID, card number, expiration date, purchase date and time, seller, purchased item, payment amount, CVC, address of a buyer, and a nonce value corresponding to the payment data. However, Gaudin teaches that the encrypted payment data comprises any one of a card number, address of a buyer, and CVC. Gaudin states that “the financial payment data may include a tokenized card number, name, billing address, CSV, and/or tokens or encryption keys to enable secure financial transactions.” (See paragraph [0129]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Gaudin so that the encrypted payment data comprises any one of a card number, address of a buyer, and CVC. Doing so would allow for greater amount of security of sensitive payment data of a user.   

Regarding claim 18, Conner may not describe wherein the encrypted payment data comprises any one or any combination of any two or more of encrypted transaction ID, card number, expiration date, purchase date and time, seller, purchased item, payment amount, CVC, address of a buyer, and a nonce value corresponding to the payment data. However, Gaudin teaches that the encrypted payment data comprises any one of a card number, address of a buyer, and CVC. Gaudin states that “the financial payment data may include a tokenized card number, name, billing address, CSV, and/or tokens or encryption keys to enable secure financial transactions.” (See paragraph [0129]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Gaudin so that the encrypted payment data comprises any one of a card number, address of a buyer, and CVC. Doing so would allow for greater amount of security of sensitive payment data of a user.   

10. Claims 7 and 15 are rejected under 35 U.S.C. §103 as being unpatentable Conner in view of Dicker et al. (U.S. Pub. No. 2015/0142665) (hereinafter “Dicker”).
Regarding claim 7, Conner may not describe concatenating the payment data with the hash value. However, Dicker teaches concatenating the payment data with the hash value. Dicker states that “This unique transaction identifier may be determined by secure element 230 in FIG. 2 (and, in particular, one of payment applets 236 in FIG. 2) by performing a SHA-256 secure hash on the concatenation of the DPAN and a remote-payment cryptogram (which is generated by the one of payment applets 236 in FIG. 2, and may have a binary format). The 32-byte output of the SHA-256 secure hash may be the unique transaction identifier.” (See paragraph [0093]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Dicker in order to concatenate the payment data with the hash value. Doing so would allow for the combination of various data in a format that is more secure when conducting a transaction.    
Conner in view of Dicker discloses performing OTP encryption on the concatenated payment data and hash value using the OTP key. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). Conner also states that “After completion of the transaction to OTP encrypt the payment and store it on a distributed ledger, the application can then contact the recipient of the payment via an application on the recipient's device to relay information regarding how to redeem the payment.” (See paragraph [0162]). Hence, the OTP key is used to encrypt the payment data and has value. As Dicker teaches (see above), the payment data is concatenated with the hash value. 

Regarding claim 15, Conner may not describe concatenating the payment data with the hash value. However, Dicker teaches concatenating the payment data with the hash value. Dicker states that “This unique transaction identifier may be determined by secure element 230 in FIG. 2 (and, in particular, one of payment applets 236 in FIG. 2) by performing a SHA-256 secure hash on the concatenation of the DPAN and a remote-payment cryptogram (which is generated by the one of payment applets 236 in FIG. 2, and may have a binary format). The 32-byte output of the SHA-256 secure hash may be the unique transaction identifier.” (See paragraph [0093]). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Dicker in order to concatenate the payment data with the hash value. Doing so would allow for the combination of various data in a format that is more secure when conducting a transaction.    
Conner in view of Dicker discloses performing OTP encryption on the concatenated payment data and hash value using the OTP key. Conner states that “[o]ne such mechanism would be to encrypt the data, secure hash the data itself with the user's private key and build a data packet comprised of the timestamp of when it was created, the encrypted data, a secure hash of the original data, and potentially the user's private key. This data packet can then be broadcast out to all computers managing the decentralized ledger. Once this data packet arrives at all other computers managing their own copies of the ledger, they can then decrypt the data portion of the packet and generate a hash or other representing encryption key or data packet. The hash can then be compared with the original hash in the broadcasted packet to confirm authenticity of the payload data in the packet and/or confirmation of proper storage of said data to the ledger. Once confirmed, the encrypted data can be written into the local copy of the ledger based on timestamp or some other sequence.” (See paragraph [0173]). Conner also states that “After completion of the transaction to OTP encrypt the payment and store it on a distributed ledger, the application can then contact the recipient of the payment via an application on the recipient's device to relay information regarding how to redeem the payment.” (See paragraph [0162]). Hence, the OTP key is used to encrypt the payment data and has value. As Dicker teaches (see above), the payment data is concatenated with the hash value. 


11. Claim 22 is rejected under 35 U.S.C. §103 as being unpatentable Conner in view of Lattin et al. (U.S. Pat. No. 11,080,387) (hereinafter “Lattin”).
Regarding claim 22, Conner may not describe that verifying comprises determining whether the nonce value is unique. However, Lattin teaches that verifying comprises determining whether the nonce value is unique. Lattin states that “In some embodiments, when the remote computing device receives a request for verification that includes a unique value, such as a nonce, the remote computing device can use the received nonce directly as the key or in combination with a key available to the remote computing device for an HMAC computation or a cipher based MAC computation (the “check value”) on its software and static data.” (See paragraph [11]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Conner to incorporate the teachings of Lattin so that the verifying comprises determining whether the nonce value is unique. Doing so would allow for the greater security in making sure the sensitive payment data of a user is protected using this verification process. 


Prior Art Not Relied Upon
12. The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. (See MPEP §707.05). The examiner considers the following reference(s) pertinent for disclosing various features relevant to the invention, but not all the features of the invention, for at least the following reasons:
1. Zagarese et al. (U.S. Pub. No. 2018/0181964) teaches a system and method of authorizing a secure electronic payment from a payer to a payee using a payment token.
	

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIT PATEL whose telephone number is (313)446-4902.  The examiner can normally be reached on Monday thru Thursday, 7:30 AM - 5:30 PM EST. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Namrata Boveja can be reached on (571) 272-8105. The Examiner’s fax number is (571) 273-6087. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/Amit Patel/
Examiner
Art Unit 3696 

/NAMRATA BOVEJA/Supervisory Patent Examiner, Art Unit 3696