Hardened white box implementation 2

The invention claimed is: 1. A processor device having an executable white-box-masked implementation of a cryptographic algorithm implemented thereon, which is configured to generate an output text from an input text while employing a secret key K, wherein the implementation comprises an implemented computation step S by which input values x are mapped to output values s=S[x], and which is masked to a white-box-masked computation step T′ by means of an invertible function f, wherein a) as a mapping f, a combination (f=(c1, c2, . . . )*A) is provided of an affine mapping A having an entry width BA and a number of one or several invertible mappings c1, c2, . . . having an entry width Bc1, Bc2, . . . respectively, wherein BA=Bc1+Bc2+ . . . , wherein through the mapping f output values w are generated; b) the affine mapping A is configured to be applied to output values s of the computation step S and additionally to one or several obfuscation values y which are statistically independent of the output values s of the computation step S, according to a=A(S[x], y)=A(s, y); c) the one or several invertible mappings c1, c2, . . . are configured to map output values a of the affine mapping A to output values w of the mapping f, according to w=(c1, c2, . . . )(A(s,y)); d) invertible mappings c1, c2, . . . are constructed by a construction method, wherein: d1) the output values a of the affine mapping A are represented as a concatenation of output-value parts a=a1|a2 . . . and the output values w of the mapping f are represented as a concatenation of output-value parts w=w1|w2 . . . , wherein output-value parts a1, a2, . . . and w1, w2, . . . respectively have the same entry width Bc1, Bc2, . . . as the invertible mappings c1, c2, . . . ; d2) an input value x=xi is set; d3) the affine mapping A is applied with fixed input value xi on s=S [xi] and all possible obfuscation values y, whereby for each output-value part a=a1, a2, . . . a corresponding set Mxi=Mxi1, Mxi2, . . . is formed, wherein each set Mxi1, Mxi2 . . . contains one or several different values of the corresponding output-value part a1, a2, . . . ; and the invertible mappings c1, c2, . . . are applied to the thus generated output-value parts a1, a2, . . . in order to generate output-value parts w=w1, w2, . . . , whereby for each output-value part w=w1, w2, . . . a corresponding set Lxi=Lxi1, Lxi2, . . . is formed, wherein each set Lxi1, Lxi2, . . . contains one or several different values of the corresponding output-value part w1, w2, . . . ; d4) step d3) is carried out for all possible input values x=xi, i=1, 2, . . . according to step d2), so that pluralities of sets Mxi, i=1, 2, . . . =Mx11, Mx12, . . . Mx21, Mx22, . . . and Lxi, i=1, 2, . . . =Lx11, Lx12, . . . Lx21, Lx22, . . . are formed; d5) sets M1={Mx11, Mx21, Mx31 . . . }, M2={Mx12, Mx22, Mx32 . . . } . . . and L1={Lx11, Lx21, Lx31 . . . }, L2={Lx12, Lx22, Lx32 . . . } . . . are formed; and d6) the one or several invertible mappings c1, c2, . . . are selected or formed such that the set M1 and the set L1 are mapped by the mapping c1, the set M2 and the set L2 are mapped by the mapping c2, . . . . 2. The processor device according to claim 1 , wherein one or several invertible mappings ci are further selected or formed such that there holds Mx1i=Lx1i, Mx2i=Lx2i. 3. The processor device according to claim 1 , wherein in b1) the affine mapping A is further so designed that every bit in the output values a of the affine mapping A depends on at least one bit of the obfuscation values y, by which is attained that the output values a of the affine mapping A are statistically balanced. 4. The processor device according to claim 3 , wherein the affine mapping A comprises a linear mapping which is formed by a matrix MA, which is organized in columns and rows, wherein the output values s of the computation step S and the statistically independent obfuscation values y are associated with separate columns in the matrix MA; wherein preferably further in each row of the matrix MA in at least one of the columns having statistically independent values y a non-zero value is contained. 5. The processor device according to claim 1 , wherein for carrying out the implementation of the white-box-masked computation step T′ there has been supplied a look-up table STab[x] representing the computation step S, or a look-up table STab[x,y] representing the computation step S and the obfuscation values y. 6. The processor device according to claim 1 , wherein the white-box-masked computation step T′ is represented by a white-box-masked look-up table T′Tab [x, y] in which values f(s, y) are recorded including the result of the application of one or several invertible mappings c1, c2, . . . to A(s, y). 7. The processor device according to claim 1 , wherein the implementation additionally comprises a further invertible function g to be applied to input values x of the computation step S, or to input values x of the computation step S and to obfuscation values y according to g −1 (x) or g −1 (x, y). 8. The processor device according to claim 1 , wherein there is provided as an algorithm a block cipher having several rounds, and as a computation step S: one or several SBox operations or one or several inverse SBox operations, respectively of one round; or a combination of one or several SBox operations or one or several inverse SBox operations, respectively of one round, with one or several further operations of the round. 9. The processor device according to claim 8 with algorithm data encryption standard (DES), wherein there is/are provided as an input value x either one or several expanded right entry bits r′i (r′1|r′2| . . . ) of a round, or a linkage (x=r′l XOR k1| r′2 XOR k2| . . . ) of one or several expanded right entry bits r′i of a round with one or several key bits ki; or/and one or several left entry bits li of the round go into the obfuscation values y. 10. The processor device according to claim 8 having algorithm DES, wherein the obfuscation values y are computed by means of a function V from one or several left entry bits li of the round or/and from one or several expanded right entry bits r′i of the round, wherein V is electively a linear mapping or a hash function. 11. The processor device according to claim 10 , wherein the algorithm has several rounds and the function V is newly chosen for every round. 12. The processor device according to any of claim 8 , having algorithm DES, wherein the further operations comprise one or several of the following: permutation P; expansion E; addition of left and right entry bits l, r or left and expanded right entry bits l, r′. 13. The processor device according to claim 8 having algorithm advanced encryption standard (AES), wherein there is provided as an input value x an input value or part of an input value of an AddRoundKey operation or a SubBytes operation or an inverse SubBytes operation of an AES round. 14. The processor device according to claim 8 having algorithm AES, wherein the further operations comprise one or several of the following: MixColumn operation or one or several substeps of the MixColumn operation or inverse MixColumn operation or one or several substeps of the inverse MixColumn operation. 15. The processor device according to claim 1 , wherein the obfuscation values y are computed respectively by means of a function V from bits of the input text, wherein V is electively a linear mapping or a hash function. 16. The processor device according to claim 15 , wherein the algorithm has several rounds and the function V is newly chosen for every