DETAILED ACTION
This office action is in response to applicant’s RCE amendment filed on 12/05/2022.  Claims 1-2, 4-5, 7-9, 12-14, 16-17, and 20 have been amended.  Claims 1-14 and 16-20 are pending and are directed towards apparatuses, methods, and computer product for Privacy Preserving Computation Protocol for Data Analytics. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 12/05/2022 have been fully considered.
A) Applicant’s arguments, with respect to the amended limitations of claims 1, 8, and 12-14, that Nath and Neumann fail to teach “a method for privacy-preserving computation of aggregated private data of a group of client devices for use in a single-request-response type scheme” (page 13-14 of the present response) have been fully considered but they are moot in view of the new grounds of 35 U.S.C. 103 rejections.
B) Applicant’s arguments, with respect to the amended limitations of claims 1, 8, and 12-14, that Nath and Neumann fail to teach “after the server transmits the single request only once to each client device identified by the set of client indices and receives the single response only once from each client identified by the set of client indices, aggregating, by the server, the received randomized encrypted private data of the selected client devices using the homomorphic properties of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data” (page 16-17 of the present response) have been fully considered but they are moot in view of the new grounds of 35 U.S.C. 103 rejections.
Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-5, 8-10, 12-14, 16-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bonawitz et al. (Practical Secure Aggregation for Privacy-Preserving Machine Learning), hereinafter Bonawitz, published Mar. 30, 2017 in view of Nath et al. (US 2011/0283099), hereinafter Nath, filed on May 13, 2010 and Neumann et al. (Analysis of Security and Cryptographic Approaches to Provide Secret and Verifiable Electronic Voting), hereinafter Neumann, published 2014. 
	Regarding claim 1, Bonawitz teaches a method for privacy-preserving computation of aggregated private data of a group of client devices for use in a single-request-response type scheme (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses), the method comprising: 
	Bonawitz does not teach selecting, by a server, a subgroup H of at least t client devices from a group G of n client devices,
Nath teaches selecting, by a server, a subgroup H of at least t client devices from a group G of n client devices (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users), 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz and Nath do not teach the subgroup H comprising fewer client devices than the group G,
Neumann teaches the subgroup H comprising fewer client devices than the group G (page 3, section Shamir/Feldman Secret Sharing; threshold secret sharing allows reconstructing the secret having t<n shares of all participants)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide threshold secret sharing allows reconstructing the secret having t<n shares of all participants. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3 of section Shamir/Feldman Secret Sharing.
Bonawitz does not teach each client device in the group G: being identifiable by a client index i (i=1,...,n); comprising an encryption function E; being configured to generate or being provided with key information including an encryption key e and a decryption key d of a homomorphic threshold cryptosystem;
being configured to generate or being provided with a random value ri; and having access to or being provided with random values ri of the other client devices in at least the subgroup H or having access to or being provided with an aggregate R of the random values ri the client devices in the subgroup H;
Nath teaches each client device in the group G: being identifiable by a client index i (i=1,...,n); comprising an encryption function E; being configured to generate or being provided with key information including an encryption key e and a decryption key d of a homomorphic threshold cryptosystem (para 49, line 1-13 and para 58, line 1-2 and para 69, line 1-3; users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique); 
being configured to generate or being provided with a random value ri; and having access to or being provided with random values ri of the other client devices in at least the subgroup H or having access to or being provided with an aggregate R of the random values ri the client devices in the subgroup H (para 49, line 1-13 and para 50, line 1-7; each user generates a random variable and random variable for all users are made public during key generation phase); 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz teaches transmitting in a single request to each client device (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries the users and perform aggregation on user responses)
Bonawitz and Nath do not teach transmitting, by the dealer, client information to each of the client devices, the client information including a set of client indices or information to determine a set of client indices
Neumann teaches transmitting, by the dealer, client information to each of the client devices, the client information including a set of client indices or information to determine a set of client indices (page 3, sec. Shamir/Feldman Secret Sharing; in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3 of section Shamir/Feldman Secret Sharing.
Bonawitz does not teach identifying the at least t client devices of subgroup H that have been selected by the server, the client information signalling each client device of subgroup H that the server would like to aggregate encrypted private data of only the at least t client devices of subgroup H; 
receiving, by the server, randomized encrypted private data and an associated decryption share di from each  client device identified by the set of client indices, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares; and
Nath teaches identifying the at least t client devices of subgroup H that have been selected by the server, the client information signalling each client device of subgroup H that the server would like to aggregate encrypted private data of only the at least t client devices of subgroup H (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users and receives their respective decryption shares); 
receiving, by the server, randomized encrypted private data and an associated decryption share di from each  client device identified by the set of client indices, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares (para 6, line 6-7 and para 43, line 2-7 and para 50, line 1; the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares); -5-and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Bonawitz teaches after the server transmits the single request only once to each client device identified by the set of client indices and receives the single response only once from each client identified by the set of client indices, aggregating, by the server (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses for each user u)
Bonawitz does not teach aggregating, by the server, the received randomized encrypted private data of the selected client devices using the homomorphic properties of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data.
Nath teaches aggregating, by the server, the received randomized encrypted private data of the selected client devices using the homomorphic properties of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data (para 59, line 1-8 and para 60, line 1-12; the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Regarding claim 2, Bonawitz, Nath, and Neumann teach method of claim 1.
	Bonawitz and Nath do not teach the key information includes a polynomial function of degree t-1, such that d=f(0), and a client device i is provided with or is adapted to determine the decryption share di of the decryption key d.
Neumann teach the key information includes a polynomial function of degree t-1, such that d=f(0), and a client device i is provided with or is adapted to determine the decryption share di of the decryption key d (page 3, section Shamir/Feldman Secret Sharing; key shares are based upon computations using Lagrange polynomial t-1 where the sum of all shares provided to each participant i allows for the secret decryption key to be reconstructed and secret s = f(0))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz Nath to incorporate the teachings of Neumann to provide Lagrange polynomial interpolation in order to reconstruct the decryption key from decryption shares. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3 of section Shamir/Feldman Secret Sharing.
Regarding claim 3, Bonawitz, Nath, and Neumann teach method of claim 2.
	Bonawitz and Nath do not teach the threshold homomorphic cryptosystem is based on an additively homomorphic cryptosystem.
	Neumann teaches the threshold homomorphic cryptosystem is based on an additively homomorphic cryptosystem (page 5, section Homomorphic Property, para 2; ElGamal encryption has been extended towards additive homomorphism).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide an ElGamal encryption scheme using additive homomorphism. Doing so might result in a more useful encryption scheme for ciphertext of messages in electronic voting systems, as recognized by Neumann in page 5, section Homomorphic Property.
Regarding claim 4, Bonawitz, Nath, and Neumann teach method of claim 3.
	Bonawitz and Nath do not teach each decryption share di is of the form (gR)-siai and wherein each randomized encrypted private data is of the form gmi*hri wherein g is a generator of cyclic group G and wherein h is defined as gd
	Neumann teaches each decryption share di is of the form (gR)-siai and wherein each randomized encrypted private data is of the form gmi*hri wherein g is a generator of cyclic group G and wherein h is defined as gd (page 3, section Shamir/Feldman Secret Sharing and page 16, section Description, para 3 and 7: a generator g of a group of shareholders and secret shares are in the form of gf(i) = gs * gri*i mod p and Lagrange interpolation f(x) equation (rearranging the equation according to s(i) = f(i) and R = (ΠiЄHri)-1mod N gives obviously similar form to the claimed decryption shares form and calculation hi = gai and encrypted voting data gvihiri).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide the forms for decryption shares and randomized encrypted private data. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in page 16, section Description, para 7.
Regarding claim 5, Bonawitz, Nath, and Neumann teach method of claim 3.
	Bonawitz and Nath do not teach decrypting the aggregated randomized encrypted private data includes determining a product of the randomized encrypted private data and the associated decryption shares.
Neumann teaches decrypting the aggregated randomized encrypted private data includes determining a product of the randomized encrypted private data and the associated decryption shares (page 3, section Shamir/Feldman Secret Sharing and page 16, section Description, para 3 and 7; voting data mi’ = gvihiri (rearranging with (gR)-siai , ΠiЄH , h = gd , and Lagrange interpolation equation f(x) gives similar form to the claimed product expression))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide the forms for decryption shares and randomized encrypted private data used in decryption encrypted private data. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in page 16, section Description, para 3.
Regarding claim 8, Bonawitz teaches a method for enabling privacy-preserving computation of aggregated private data of a group G of n client devices for use in a single-request-response type scheme, the method comprising (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses): 
Bonawitz does not teach providing a client device identified by client index i comprising an encryption function of a homomorphic threshold cryptosystem with key information or generating, by the client device, key information, wherein the key information includes an encryption key e and a decryption key d of the homomorphic threshold cryptosystem;
generating, by the client device, or being provided with a random value ri and having access to, or being provided with, the random values of the -7-other client devices in at least a subgroup H of at least t client devices from the group G, or having access to or being provided with an aggregate R of the random values ri of the client devices in the subgroup H;
Nath teaches providing a client device identified by client index i comprising an encryption function of a homomorphic threshold cryptosystem with key information or generating, by the client device, key information, wherein the key information includes an encryption key e and a decryption key d of the homomorphic threshold cryptosystem (para 49, line 1-13 and para 58, line 1-2 and para 69, line 1-3; each user receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique);
generating, by the client device, or being provided with a random value ri and having access to, or being provided with, the random values of the -7-other client devices in at least a subgroup H of at least t client devices from the group G, or having access to or being provided with an aggregate R of the random values ri of the client devices in the subgroup H (para 49, line 1-13 and para 50, line 1-7; each user generates a random variable and random variable for all users are made public during key generation phase); 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide each user receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz teaches in a single request only once (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries each users and perform aggregation on each user response)
Bonawitz and Nath do not teach the subgroup H comprising fewer client devices than the group G,
receiving, by the client device, client information from a server, the client information including client indices
Neumann teaches the subgroup H comprising fewer client devices than the group G (page 3, sec. Shamir/Feldman Secret Sharing; threshold secret sharing allows reconstructing the secret having t<n shares of all participants),
receiving, by the client device, client information from a server, the client information including client indices (page 3, section Shamir/Feldman Secret Sharing; in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide threshold secret sharing allows reconstructing the secret having t<n shares of all participants. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Bonawitz does not teach identifying client devices selected by the server, the client information signalling a client device that the server would like to aggregate encrypted private data of only each of the selected client devices in the subgroup H identified in the client information;
if the client device determines on the basis of the received client information that the number of client devices selected by the server includes at least t client devices, using, by the client device, the random values ri and the encryption function for generating randomized encrypted private data and using, by the client device the random values of the selected client devices to compute a decryption share, the decryption share being computed such that the aggregated value can be decrypted by the server on the basis of t decryption shares generated by client devices identified in the client information;
transmitting, by the client device, the randomized encrypted private data and the decryption share to the server, the server being adapted to aggregate randomized encrypted private data of the selected client devices and decrypt the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data
Nath teaches identifying client devices selected by the server, the client information signalling a client device that the server would like to aggregate encrypted private data of only each of the selected client devices in the subgroup H identified in the client information (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users and receives their respective decryption shares); 
if the client device determines on the basis of the received client information that the number of client devices selected by the server includes at least t client devices, using, by the client device, the random values ri and the encryption function for generating randomized encrypted private data and using, by the client device the random values of the selected client devices to compute a decryption share, the decryption share being computed such that the aggregated value can be decrypted by the server on the basis of t decryption shares generated by client devices identified in the client information (para 6, line 6-7 and para 43, line 2-7 and para 50, line 1; the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares); and 
transmitting, by the client device, the randomized encrypted private data and the decryption share to the server, the server being adapted to aggregate randomized encrypted private data of the selected client devices and decrypt the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data based on the randomized encrypted private data and the decryption share (para 59, line 1-8 and para 60, line 1-12; the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Bonawitz teaches transmitted data to the server in the single response only once (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries each users and perform aggregation on each user response)
Regarding claim 9, Bonawitz, Nath, and Neumann teach method of claim 8.
	Bonawitz and Nath do not teach the key information includes a polynomial function of degree t-1, such that d=f(0), and a client device i is provided with or is adapted to determine the decryption share di of the decryption key d.
	Neumann teaches the key information includes a polynomial function of degree t-1, such that d=f(0), and a client device i is provided with or is adapted to determine the decryption share di of the decryption key d (page 3, section Shamir/Feldman Secret Sharing; key shares are based upon computations using Lagrange polynomial t-1 where the sum of all shares provided to each participant i allows for the secret decryption key to be reconstructed and secret s = f(0), for equation teachings)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide Lagrange polynomial interpolation in order to reconstruct the decryption key from decryption shares. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Regarding claim 10, Bonawitz, Nath, and Neumann teach method of claim 9.
	Bonawitz and Nath do not teach the threshold homomorphic cryptosystem is based on an additively homomorphic cryptosystem, such as an additive ElGamal cryptosystem.
Neumann teaches the threshold homomorphic cryptosystem is based on an additively homomorphic cryptosystem, such as an additive ElGamal cryptosystem (page 5, section Homomorphic Property, para 2: ElGamal encryption has been extended towards additive homomorphism; page 3, sec. Shamir/Feldman Secret Sharing: a generator g of a group of shareholders and secret shares are in the form of gf(i) = gs * gri*i mod p and Lagrange interpolation f(x) equation).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide the forms for decryption shares and randomized encrypted private data. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in page 5, section Homomorphic Property.
Regarding claim 12, Bonawitz teaches a server device adapted for privacy-preserving computation of aggregated private data of a group of client devices for use in a single-request-response type scheme, the server device comprising (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses):
Bonawitz does not teach a computer readable storage medium having computer readable program code embodied therewith, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the computer -9-readable program code, the processor is configured to perform executable operations comprising:
selecting, a subgroup H of at least t client devices from a group G of n client devices,
Nath teaches a computer readable storage medium having computer readable program code embodied therewith, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the computer -9-readable program code, the processor is configured to perform executable operations comprising (para 90, line 2-10; computer-readable mediums contain instructions executed by processing devices): 
selecting, a subgroup H of at least t client devices from a group G of n client devices (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users),
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz and Nath do not teach the subgroup H comprising fewer client devices than the group G,
Neumann teaches the subgroup H comprising fewer client devices than the group G (page 3, section Shamir/Feldman Secret Sharing; threshold secret sharing allows reconstructing the secret having t<n shares of all participants)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide threshold secret sharing allows reconstructing the secret having t<n shares of all participants. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Bonawitz does not teach each client device in the group G: being identifiable by a client index i (i=1,...,n); comprising an encryption function E; being configured to generate or being provided with key information including an encryption key e and a decryption key d of a homomorphic threshold cryptosystem;
being configured to generate or being provided with a random value ri and having access to or being provided with random values ri of the other client devices in at least the subgroup H or having access to or being provided with an aggregate R of the random values ri of the client devices in the subgroup H;
Nath teaches each client device in the group G: being identifiable by a client index i (i=1,...,n); comprising an encryption function E; being configured to generate or being provided with key information including an encryption key e and a decryption key d of a homomorphic threshold cryptosystem (para 49, line 1-13 and para 58, line 1-2 and para 69, line 1-3; users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique);  
being configured to generate or being provided with a random value ri and having access to or being provided with random values ri of the other client devices in at least the subgroup H or having access to or being provided with an aggregate R of the random values ri of the client devices in the subgroup H (para 49, line 1-13 and para 50, line 1-7; each user generates a random variable and random variable for all users are made public during key generation phase); 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz teaches transmitting in a single request to each client device (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries the users and perform aggregation on user responses)
Bonawitz and Nath do not teach transmitting, by the dealer, client information to each of the client devices, the client information including a set of client indices or information to determine a set of client indices
Neumann teaches transmitting, by the dealer, client information to each of the client devices, the client information including a set of client indices or information to determine a set of client indices (page 3, section Shamir/Feldman Secret Sharing; in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Bonawitz does not teach identifying the at least t client devices of subgroup H that have been selected by the server, the client information signalling each client device of subgroup H that the server would like to aggregate encrypted private data of only the at least t client devices of subgroup H;
receiving randomized encrypted private data and an associated decryption share di from each client device identified by the set of client indices, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares; and
Nath teaches identifying the at least t client devices of subgroup H that have been selected by the server, the client information signalling each client device of subgroup H that the server would like to aggregate encrypted private data of only the at least t client devices of subgroup H (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users and receives their respective decryption shares);
receiving randomized encrypted private data and an associated decryption share di from each client device identified by the set of client indices, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares (para 6, line 6-7 and para 43, line 2-7 and para 50, line 1; the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares); -5-and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Bonawitz teaches after the server transmits the single request only once to each client device identified by the set of client indices and receives the single response only once from each client identified by the set of client indices, aggregating, by the server (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses for each user u)
Bonawitz does not teach aggregating, the received randomized encrypted private data of the selected client devices using the homomorphic properties -10- of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data.
Nath teaches aggregating, the received randomized encrypted private data of the selected client devices using the homomorphic properties -10- of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data (para 59, line 1-8 and para 60, line 1-12; the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Regarding claim 13, Bonawitz teaches a client device configured to communicate with a server for privacy-preserving computation of aggregated private data of a group G of n client devices for use in a single-request-response type scheme (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses), the client device comprising: 
Bonawitz does not teach a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code including an encryption function of a homomorphic threshold cryptosystem, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the computer readable program code, the processor is configured to perform executable operations comprising:
receiving or generating key information, the key information including an encryption key e and a decryption key d of the homomorphic threshold cryptosystem;
generating or receiving a random value ri and receiving random values ri of client devices of at least a subgroup H of at least t client devices from the group G of n client devices, the client devices being associated with a client index I (i=1,…,n);
Nath teaches a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code including an encryption function of a homomorphic threshold cryptosystem, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the computer readable program code, the processor is configured to perform executable operations comprising (para 8, line 9 and line 12-13 and para 90, line 2-10; computer-readable mediums contain instructions executed by processing devices and performing homomorphic threshold encryption technique): 
receiving or generating key information, the key information including an encryption key e and a decryption key d of the homomorphic threshold cryptosystem (para 47, line 1-4 and para 50, line 1 and para 58, line 1-2 and para 69, line 1-3: each user u receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique); 
generating or receiving a random value ri and receiving random values ri of client devices of at least a subgroup H of at least t client devices from the group G of n client devices, the client devices being associated with a client index I (i=1,…,n) (para 49, line 1-13 and para 50, line 1-7; each user generates a random variable and random variable for all users are made public during key generation phase);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz and Nath do not teach the subgroup H comprising fewer client devices than the group G,
receiving client information from the dealer, the client information including a set of client indices or information to determine a set of client indices,
Neumann teaches the subgroup H comprising fewer client devices than the group G (page 3, sec. Shamir/Feldman Secret Sharing; threshold secret sharing allows reconstructing the secret having t<n shares of all participants)
receiving client information from the dealer, the client information including a set of client indices or information to determine a set of client indices (page 3, section Shamir/Feldman Secret Sharing; in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide threshold secret sharing allows reconstructing the secret having t<n shares of all participants. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Bonawitz teaches in a single request only once (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries the users and perform aggregation on user responses)
Bonawitz does not teach identifying the subgroup H of client devices that have been selected by the server from the group G of n client devices, the client information signalling the client device that the server would like to aggregate encrypted private data of only the at least t client devices of subgroup H;
determining on the basis of the set of client indices or the information to determine the set of client indices that the number of client devices of subgroup H selected by the server includes at least t client devices;
if the client information includes at least t client devices, using the random value ri of the client device and the encryption function to generate randomized encrypted private data and using the random values ri of the client devices as identified by the set of client devices to compute a decryption share, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares; and
transmitting the randomized encrypted private data and the decryption share to the server, the server being adapted to aggregate randomized encrypted private data of the selected client devices and decrypt the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data on the basis of the decryption shares
Nath teaches identifying the subgroup H of client devices that have been selected by the server from the group G of n client devices, the client information signalling the client device that the server would like to aggregate encrypted private data of only the at least t client devices of subgroup H (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users and receives their respective decryption shares); 
determining on the basis of the set of client indices or the information to determine the set of client indices that the number of client devices of subgroup H selected by the server includes at least t client devices (para 6, line 6-7 and para 50, line 1; at least some of the users, for each user u, provide respective decryption shares based on the encrypted private data with noise along with the threshold number of users to the requestor);  -11- 
if the client information includes at least t client devices, using the random value ri of the client device and the encryption function to generate randomized encrypted private data and using the random values ri of the client devices as identified by the set of client devices to compute a decryption share, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares (para 6, line 6-7 and para 43, line 2-7 and para 50, line 1; the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares based on the encrypted private data with noise along with the threshold number of users to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares); and
transmitting the randomized encrypted private data and the decryption share to the server, the server being adapted to aggregate randomized encrypted private data of the selected client devices and decrypt the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data on the basis of the decryption shares (para 59, line 1-8 and para 60, line 1-12; the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
	Bonawitz teaches being transmitted to the server in the single response only once (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses for each user u).
Regarding claim 14, an electronic online voting platform comprising: 
Bonawitz teaches a server device adapted for privacy-preserving computation of aggregated private data of a group of client devices for use in a single-request-response type scheme, the server device comprising (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses): 
Bonawitz does not teach a computer readable storage medium having computer readable program code embodied therewith, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the computer readable program code, the processor is configured to perform executable operations comprising:
selecting a subgroup H of at least t client devices from a group G of n client devices,
each client device in the group G: being identifiable by a client index i (i=1,...,n); comprising an encryption function E; being provided with key information including an encryption key e and a decryption key d of a homomorphic threshold cryptosystem;
being configured to generate or being provided with a random value ri and -12-  having access to or being provided with random values ri of the other client devices in at least the subgroup H or having access to or being provided with an aggregate R of the random values ri of the client devices in the subgroup H;
Nath teaches a computer readable storage medium having computer readable program code embodied therewith, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the computer readable program code, the processor is configured to perform executable operations comprising (para 90, line 2-10; computer-readable mediums contain instructions executed by processing devices): 
selecting a subgroup H of at least t client devices from a group G of n client devices (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users), 
each client device in the group G: being identifiable by a client index i (i=1,...,n); comprising an encryption function E; being provided with key information including an encryption key e and a decryption key d of a homomorphic threshold cryptosystem (para 49, line 1-13 and para 58, line 1-2 and para 69, line 1-3; users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique); 
being configured to generate or being provided with a random value ri and -12-  having access to or being provided with random values ri of the other client devices in at least the subgroup H or having access to or being provided with an aggregate R of the random values ri of the client devices in the subgroup H (para 49, line 1-13 and para 50, line 1-7; each user generates a random variable and random variable for all users are made public during key generation phase); 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz teaches transmitting in a single request to each client device (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries the users and perform aggregation on user responses)
Bonawitz and Nath do not teach transmitting, by the dealer, client information to each of the client devices, the client information including a set of client indices or information to determine a set of client indices
Neumann teaches transmitting, by the dealer, client information to each of the client devices, the client information including a set of client indices or information to determine a set of client indices (page 3, section Shamir/Feldman Secret Sharing; in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Bonawitz does not teach identifying the at least t client devices of subgroup H that have been selected by the server, the client information signalling each client device of subgroup H that the server would like to aggregate encrypted private data of the at least t client devices;
receiving randomized encrypted private data and an associated decryption share di from each client device identified by the set of client indices, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares;
aggregating, the received randomized encrypted private data of the selected client devices using the homomorphic properties of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data;
Nath teaches identifying the at least t client devices of subgroup H that have been selected by the server, the client information signalling each client device of subgroup H that the server would like to aggregate encrypted private data of the at least t client devices (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users and receives their respective decryption shares);
receiving randomized encrypted private data and an associated decryption share di from each client device identified by the set of client indices, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares (para 6, line 6-7 and para 43, line 2-7 and para 50, line 1; the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares); and
aggregating, the received randomized encrypted private data of the selected client devices using the homomorphic properties of the cryptosystem and using the decryption shares for decrypting the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data (para 59, line 1-8 and para 60, line 1-12; the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares); 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Bonawitz teaches after the server transmits the single request only once to each client device identified by the set of client indices and receives the single response only once from each client identified by the set of client indices, aggregating, by the server (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses for each user u)
Bonawitz teaches a plurality of client devices configured to communicate with the server device for privacy-preserving computation of aggregated private data of a group of client devices, each client device comprising (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries the users and perform aggregation on user responses): 
Bonawitz does not teach a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code including an encryption function of a homomorphic threshold cryptosystem, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the first computer readable program code, the processor is configured to perform executable operations comprising:
receiving or generating key information, the key information including an encryption key e and a decryption key d of the homomorphic threshold cryptosystem;
generating or receiving a random value ri and receiving random values ri of client devices of the group G of n client devices, the client devices being associated with a client index i (i=1,…,n);
Nath teaches a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code including an encryption function of a homomorphic threshold cryptosystem, and a processor, coupled to the computer readable storage medium, wherein responsive to executing the first computer readable program code, the processor is configured to perform executable operations comprising (para 8, line 9 and line 12-13 and para 90, line 2-10; computer-readable mediums contain instructions executed by processing devices and performing homomorphic threshold encryption technique): -13- 
receiving or generating key information, the key information including an encryption key e and a decryption key d of the homomorphic threshold cryptosystem (para 47, line 1-4 and para 50, line 1 and para 58, line 1-2 and para 69, line 1-3: each user u receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique); 
generating or receiving a random value ri and receiving random values ri of client devices of the group G of n client devices, the client devices being associated with a client index i (i=1,…,n) (para 49, line 1-13 and para 50, line 1-7; each user generates a random variable and random variable for all users are made public during key generation phase); 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide users receive the encrypted summation sequence, which is encrypted using an encryption key, used to determine a decryption key share in a threshold homomorphic encryption technique. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz teaches receiving in a single request only once (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; the server queries each users and perform aggregation on each user response)
Bonawitz and Nath do not teach receiving client information from the server, the client information including a set of client indices or information to determine a set of client indices,
Neumann teaches receiving client information from the server, the client information including a set of client indices or information to determine a set of client indices (page 3, section Shamir/Feldman Secret Sharing; in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide in a verifiable secret sharing scheme, a trusted dealer provide proofs that the issued secret shares allow to reconstruct the secret to each shareholder i where each shareholder can verify that their share was created correctly. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Bonawitz does not teach identifying the subgroup H of client devices that have been selected by the server from the group G of n client devices, the client information signalling the client device that the server would like to aggregate encrypted private data of the at least t client devices;
determining on the basis of the set of client indices or the information to determine the set of client indices that the number of client devices of subgroup H selected by the server includes at least t client devices;
if the client information includes at least t client devices, using the random value ri of the client device and the encryption function to generate randomized encrypted private data and using the random values ri of the client devices as identified by the set of client devices to compute a decryption share, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares; and
transmitting the randomized encrypted private data and the decryption share to the server, the server being adapted to aggregate randomized encrypted private data of the selected client devices and decrypt the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data on the basis of the decryption shares
Nath teaches identifying the subgroup H of client devices that have been selected by the server from the group G of n client devices, the client information signalling the client device that the server would like to aggregate encrypted private data of the at least t client devices (para 25, line 1-22 and para 32, line 1-10; a requestor or aggregator system for performing data mining, such as a computer device, provides an encrypted summation sequence to at least a threshold number of the users and receives their respective decryption shares);  
determining on the basis of the set of client indices or the information to determine the set of client indices that the number of client devices of subgroup H selected by the server includes at least t client devices (para 6, line 6-7 and para 50, line 1; at least some of the users, for each user u, provide respective decryption shares based on the encrypted private data with noise along with the threshold number of users to the requestor); 
if the client information includes at least t client devices, using the random value ri of the client device and the encryption function to generate randomized encrypted private data and using the random values ri of the client devices as identified by the set of client devices to compute a decryption share, the decryption shares being configured such that the encrypted aggregated result can be decrypted on the basis of at least t decryption shares (para 6, line 6-7 and para 43, line 2-7 and para 50, line 1; the requestor receives encrypted private data with random noise from users and at least some of the users, for each user u, provide respective decryption shares based on the encrypted private data with noise along with the threshold number of users to the requestor and the requestor is able successfully decrypts the data if a threshold number of users provide their decryption shares); and
transmitting the randomized encrypted private data and the decryption share to the server, the server being adapted to aggregate randomized encrypted private data of the selected client devices and decrypt the aggregated randomized encrypted private data into a cleartext representation of the aggregated private data on the basis of the decryption shares (para 59, line 1-8 and para 60, line 1-12; the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide the aggregator sums up the encrypted private data using a homomorphic encryption technique and decrypts it using the decryption shares. Doing so would allow for receiving the decryption shares from a number of users to perform decryption, as recognized by Nath in para 25.
Bonawitz teaches being transmitted to the server in the single response only once (section 6.1, para 2, line 1-12 and page 7, Fig. 4: Secure Aggregation Protocol, line 15-28 and 47-60; secure aggregation protocol for a server interacting with a set of users, where the server queries each of the users and perform aggregation on user responses for each user u);
Bonawitz and Nath do not teach wherein each client device is configured as an electronic voting application, 25the application being configured to receive a vote from a user of the voting application and to send the vote as randomized encrypted private data to the server; and, 
wherein the server device is configured to select t or at least t electronic voting applications from the plurality of electronic voting applications and to sum the randomized encrypted private data representing the votes.
Neumann teaches wherein each client device is configured as an electronic voting application, 25the application being configured to receive a vote from a user of the voting application and to send the vote as randomized encrypted private data to the server (page 2, section Components and page 3, para 1 and page 5, sec. Encryption, para 1; electronic voting process where the tallying authority, working together with a server, is the entity in charge of processing votes cast by users via a browser and transmitted data is encrypted with random value); and, 
wherein the server device is configured to select t or at least t electronic voting applications from the plurality of electronic voting applications and to sum the randomized encrypted private data representing the votes (section Components, page 2-3, para 1, and section Shamir/Feldman Secret Sharing, page 3, and section Encryption, page 5, para 1; secret sharing allows splitting a secret apart such that a set of shares allows one to reconstruct the secret and is applied to electronic voting process where the tallying authority, working together with a server, is the entity in charge of processing votes cast by users via a browser and transmitted data is encrypted with random value).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide for secret sharing among multiple users where a set of shares allows one to reconstruct the secret. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in section Components, page 2-3, para 1.
Regarding claim 16, Bonawitz, Nath, and Neumann teach method of claim 2.
Bonawitz and Nath do not teach the polynomial function is a Lagrange polynomial, and wherein the decryption share di is based on a Lagrange polynomial.
Neumann teaches the polynomial function is a Lagrange polynomial, and wherein the decryption share di is based on a Lagrange polynomial (page 3, section Shamir/Feldman Secret Sharing; key shares are based upon computations using Lagrange polynomial t-1 where the sum of all shares provided to each participant i allows for the secret decryption key to be reconstructed and secret s = f(0), for equation teachings (see the Lagrange interpolation equation f(x) in prior art and assume that x = 0))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide Lagrange polynomial interpolation in order to reconstruct the decryption key from decryption shares. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Regarding claim 17, Bonawitz, Nath, and Neumann teach method of claim 16.
Bonawitz and Nath do not teach the decryption share di comprises si*ai, wherein si is the value of the polynomial function evaluated in si = f(i) and wherein ai is defined as: 
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale
.
Neumann teaches the decryption share di comprises si*ai, wherein si is the value of the polynomial function evaluated in si = f(i) and wherein ai is defined as: 
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale
 (page 3, section Shamir/Feldman Secret Sharing; key shares are based upon computations using Lagrange polynomial t-1 where the sum of all shares provided to each participant i allows for the secret decryption key to be reconstructed and secret s = f(0), for equation teachings (see the Lagrange interpolation equation f(x) in prior art and assume that x = 0))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide Lagrange polynomial interpolation in order to reconstruct the decryption key from decryption shares. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
Regarding claim 18, Bonawitz, Nath, and Neumann teach method of claim 5.
Bonawitz and Nath do not teach the product is defined by the expression: 
    PNG
    media_image2.png
    200
    400
    media_image2.png
    Greyscale
.
Neumann teaches the product is defined by the expression: 
    PNG
    media_image2.png
    200
    400
    media_image2.png
    Greyscale
 (page 3, section Shamir/Feldman Secret Sharing and page 16, section Description, para 3 and 7; voting data mi’ = gvihiri (rearranging with (gR)-siai , ΠiЄH , h = gd , and Lagrange interpolation equation f(x) gives similar form to the claimed product expression))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide the forms for decryption shares and randomized encrypted private data used in decryption encrypted private data. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in page 16, section Description, para 3.
Regarding claim 20, Bonawitz, Nath, and Neumann teach method of claim 9.
Bonawitz and Nath do not teach the polynomial function is a Lagrange polynomial, and wherein the secret share di is based on a Lagrange polynomial.
Neumann teaches the polynomial function is a Lagrange polynomial, and wherein the secret share di is based on a Lagrange polynomial (page 3, section Shamir/Feldman Secret Sharing; key shares are based upon computations using Lagrange polynomial t-1 where the sum of all shares provided to each participant i allows for the secret decryption key to be reconstructed and secret s = f(0), for equation teachings (see the Lagrange interpolation equation f(x) in prior art and assume that x = 0)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide Lagrange polynomial interpolation in order to reconstruct the decryption key from decryption shares. Doing so would allow for verifiable threshold secret sharing among multiple participants through a trusted party, as recognized by Neumann in page 3, section Shamir/Feldman Secret Sharing.
4.	Claims 6, 7, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bonawitz in view of Nath, Neumann, and Gentry (US Patent 8515058) filed on Nov. 10, 2010.
	Regarding claim 6, Bonawitz, Nath, and Neumann teach method of claim 2.
	Bonawitz, Nath, and Neumann do not teach the threshold homomorphic cryptosystem is based on a multiplicatively homomorphic cryptosystem.
	Gentry teaches the threshold homomorphic cryptosystem is based on a multiplicatively homomorphic cryptosystem (col. 6, line 50-51 and col. 22, line 28-35; RSA is a multiplicatively homomorphic encryption scheme using threshold homomorphic encryption).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz, Nath, and Neumann to incorporate the teachings of Gentry to provide for a fully homomorphic encryption scheme that uses a multiplicative RSA encryption scheme. Doing so would allow for the computation of arbitrary functions over encrypted data, as recognized by Gentry in col. 1, line 41-50.
Regarding claim 7, Bonawitz, Nath, Neumann, and Gentry teach method of claim 6.
Bonawitz does not teach wherein the decryption share is included in the encrypted private data
	Nath teaches wherein the decryption share is included in the encrypted private data (para 36, line 1-2 and para 47, line 1-5; a decryption share of the user is determined from the encrypted private data)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz to incorporate the teachings of Nath to provide a decryption share of the user is determined from the encrypted private data. Doing so would allow for receiving the decryption shares from a number of users, as recognized by Nath in para 25.
Bonawitz and Nath do not teach each randomized encrypted private data is of the from mi*ri*E(R)siai and wherein R = (ΠiЄHri)-1mod N, N being a large composite 20number, preferably the product of two primes; and/or, wherein decrypting the aggregated randomized encrypted private data includes determining a product of the randomized encrypted private data and the associated decryption shares.
	Neumann teaches each randomized encrypted private data is of the from mi*ri*E(R)siai wherein the decryption share is included in the encrypted private data and wherein R = (ΠiЄHri)-1mod N, N being a large composite 20number, preferably the product of two primes; and/or, wherein decrypting the aggregated randomized encrypted private data includes determining a product of the randomized encrypted private data and the associated decryption shares (page 3, sec. Shamir/Feldman Secret Sharing and page 16, sec. Description, para 3 and 7; where p is a large prime number (and rearranging the Lagrange interpolation equation f(x), decryption share equation gf(i) = gs * gri*i mod p, R = (ΠiЄHri)-1mod N, encrypted data 𝑚𝑖=𝑔𝑣𝑖⋅ℎ𝑖𝑟𝑖 mod 𝑝, and random number ri gives similar form to decrypted product form)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide the forms for decryption shares and randomized encrypted private data used in decryption encrypted private data. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in page 16, sec. Description, para 3.
Regarding claim 11, Bonawitz, Nath, and Neumann teach method of claim 9.
	Bonawitz, Nath, and Neumann do not teach the threshold homomorphic cryptosystem is based on a multiplicatively homomorphic cryptosystem, such as a multiplicative RSA cryptosystem.
	Gentry teaches the threshold homomorphic cryptosystem is based on a multiplicatively homomorphic cryptosystem, such as a multiplicative RSA cryptosystem (col. 6, line 50-51 and col. 22, line 28-35; RSA is a multiplicatively homomorphic encryption scheme using threshold homomorphic encryption).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz, Nath, and Neumann to incorporate the teachings of Gentry to provide for a fully homomorphic encryption scheme that uses a multiplicative RSA encryption scheme. Doing so would allow for the computation of arbitrary functions over encrypted data, as recognized by Gentry in col. 1, line 41-50.
Regarding claim 19, Bonawitz, Nath, Neumann, and Gentry teach method of claim 7.
Bonawitz and Nath do not teach wherein N is the product of two primes; and/or, wherein the product is defined by the expression: 
    PNG
    media_image3.png
    200
    400
    media_image3.png
    Greyscale

    PNG
    media_image4.png
    200
    400
    media_image4.png
    Greyscale

Neumann teaches wherein N is the product of two primes; and/or, wherein the product is defined by the expression: 
    PNG
    media_image3.png
    200
    400
    media_image3.png
    Greyscale

    PNG
    media_image4.png
    200
    400
    media_image4.png
    Greyscale
( page 3, section Shamir/Feldman Secret Sharing and page 16, section Description, para 3 and 7; where p is a large prime number (and rearranging the Lagrange interpolation equation f(x), decryption share equation gf(i) = gs * gri*i mod p, R = (ΠiЄHri)-1mod N, encrypted data 𝑚𝑖=𝑔𝑣𝑖⋅ℎ𝑖𝑟𝑖 mod 𝑝, and random number ri gives similar form to decrypted product form))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bonawitz and Nath to incorporate the teachings of Neumann to provide the forms for decryption shares and randomized encrypted private data used in decryption encrypted private data. Doing so would result in an encryption scheme for ciphertext of messages that is applicable to electronic voting systems, as recognized by Neumann in page 16, section Description, para 3.
Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following are relevant prior arts: Day et al. (US Pub. 2015/0113276) discloses server can obtain the client key portion from the remote client in response to determining that subsequent transactions during the session involve decrypting the encrypted client data; Oualha et al. (US Pub. 2015/0149767) discloses performed in a single exchange between the nodes of the network declared in a group and an authentication server, where the service provider is provided with cryptographic material in order to implement individualized controlled access to the resources or to the services offered for each node; Pourzandi et al. (US Pub. 2017/0124348) discloses an encrypted query is received and then forwarded to at least one data holding entity, each comparison response is generated by a private comparison protocol that compares the encrypted query with encrypted data, and each comparison response having been partially decrypted with the first share of the private key. 
6.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NHAN HUU NGUYEN/Examiner, Art Unit 2492


/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492