Hardened white box implementation 1

US10438513B2 · US · B2

Patent metadata

  • Publication number: US-10438513-B2
  • Application number: US-201515525239-A
  • Country: US
  • Kind code: B2
  • Filing date: Oct 30, 2015
  • Priority date: Nov 10, 2014
  • Publication date: Oct 8, 2019
  • Grant date: Oct 8, 2019

Abstract

The invention provides a processor device having an executable, white-box-masked implementation of a cryptographic algorithm implemented thereon. The white-box masking comprises an affine mapping A, which is so designed that every bit in the output values w of the affine mapping A depends on at least one bit of the obfuscation values y, thereby attaining that the output values w of the affine mapping A are statistically balanced.
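The balance property described in the abstract, and the matrix condition of claims 2 and 3, can be checked on a toy instance. The following is an added example, not code from the patent: the 4-bit S-box, the two 8×8 matrices, the constant 0xA5 and the bias metric are all constructed for illustration.

```python
# Added illustration; toy 4-bit S-box and matrices are constructed, not from the patent.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
N_S, N_Y = 4, 4                      # bits of s and of obfuscation value y
Y_MASK = ((1 << N_Y) - 1) << N_S     # columns of MA associated with y

def parity(v):
    return bin(v).count("1") & 1

def affine(rows, const, s, y):
    """w = MA * (s | y) XOR const over GF(2); rows[i] is row i as a bitmask."""
    v = s | (y << N_S)
    return sum(parity(r & v) << i for i, r in enumerate(rows)) ^ const

def invertible(rows):
    """Gaussian elimination over GF(2): full rank means f can be undone."""
    rows, rank = list(rows), 0
    for bit in range(N_S + N_Y):
        piv = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if piv is None:
            return False
        rows[rank], rows[piv] = rows[piv], rows[rank]
        rows = [r ^ rows[rank] if i != rank and r >> bit & 1 else r
                for i, r in enumerate(rows)]
        rank += 1
    return True

def rows_depend_on_y(rows):
    """Claim 3 condition: each row has a non-zero entry in a y column."""
    return all(r & Y_MASK for r in rows)

def masked_table(rows, const):
    """T'Tab[x][y] = A(S[x], y)."""
    return [[affine(rows, const, SBOX[x], y) for y in range(1 << N_Y)]
            for x in range(1 << N_S)]

def max_bias(table):
    """Largest |P(w_i = 1 | x) - 1/2| over all x and output bits i, y uniform."""
    worst = 0.0
    for row in table:
        for i in range(N_S + N_Y):
            ones = sum(w >> i & 1 for w in row)
            worst = max(worst, abs(ones / len(row) - 0.5))
    return worst

# w_i = s_i ^ y_i for i < 4, w_i = y_(i-4) for i >= 4: every row touches y.
HARDENED = [0x11, 0x22, 0x44, 0x88, 0x10, 0x20, 0x40, 0x80]
# Identity: rows 0..3 copy s unmasked, so those bits are fixed for a given x.
WEAK = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80]
```

Both matrices are invertible, but only `HARDENED` yields a table whose output bits carry no per-input bias; with `WEAK`, the low four bits of every table entry equal S[x] XOR a constant regardless of y.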

First claim

The invention claimed is:

1. A processor device comprising: one or more processors, wherein the one or more processors has an executable white-box-masked implementation of a cryptographic algorithm implemented thereon, which is configured to generate an output text, from an input text while employing a secret key K, wherein the implementation comprises an implemented computation step S by which input values x are mapped to output values s=S[x], and which is masked to a white-box-masked computation step T′ by means of an invertible function f; wherein the invertible function f comprises an affine mapping A applied to the computation step S, said mapping being configured to generate output values w from A by applying A to output values s of the computation step S and additionally to one or several obfuscation values y which are statistically independent of the output values s of the computation step S, so that it holds that w=A(S[x], y)=A(s, y); and wherein the affine mapping A is further so designed that every bit in the output values w of the affine mapping A depends on at least one bit of the obfuscation values y, thereby attaining that the output values w of the affine mapping A are statistically balanced.

2. The processor device according to claim 1, wherein the affine mapping A comprises a linear mapping which is formed by a matrix MA, which is organized in columns and rows, wherein the output values s of the computation step S and the statistically independent obfuscation values y are associated with separate columns in the matrix MA.

3. The processor device according to claim 2, wherein in each row of the matrix MA in at least one of the columns having statistically independent values y there is contained a non-zero value.

4. The processor device according to claim 1, wherein for carrying out the implementation of the white-box-masked computation step T′ there has been supplied a look-up table STab[x] representing the computation step S, or a look-up table STab[x,y] representing the computation step S and the obfuscation values y.

5. The processor device according to claim 1, wherein the white-box-masked computation step T′ is represented by a white-box-masked look-up table T′Tab[x, y] in which values f(s, y) are entered.

6. The processor device according to claim 1, wherein the implementation additionally comprises a further invertible function g to be applied to input values x of the computation step S, or to input values x of the computation step S and to obfuscation values y according to g⁻¹(x) or g⁻¹(x, y).

7. The processor device according to claim 1, wherein there is provided as an algorithm a block cipher having several rounds, and as a computation step S: one or several SBox operations or one or several inverse SBox operations, of one round in each case; or a combination of one or several SBox operations or one or several inverse SBox operations, of respectively one round, with one or several further operations of the round.

8. The processor device according to claim 7 having algorithm DES, wherein there is/are provided as an input value x either one or several expanded right entry bits r′i (r′1|r′2|...) of a round, or a linkage (x=r′1 XOR k1|r′2 XOR k2|...) of one or several expanded right entry bits r′i of a round with one or several key bits ki; or/and one or several left entry bits li of the round go into the obfuscation values y.

9. The processor device according to claim 7 having algorithm DES, wherein the obfuscation values y are computed by means of a function V from one or several left entry bits li of the round or/and from one or several expanded right entry bits r′i of the round, wherein V is electively a linear mapping or a hash function.

10. The processor device according to claim 9, wherein the algorithm has several rounds and the function V is newly chosen for every round.

11. The processor device according to claim 7, having algorithm DES, wherein the further operations comprise one or several of the following: permutation P; expansion E; addition of left and right entry bits l, r or left and expanded right entry bits l, r′.

12. The processor device according to claim 7 having algorithm AES, wherein there is provided as an input value x an input value or part of an input value of an AddRoundKey operation or a SubBytes operation or an inverse SubBytes operation of an AES round.

13. The processor device according to claim 7 having algorithm AES, wherein the further operations comprise one or several of the following: MixColumn operation or one or several substeps of the MixColumn operation or inverse MixColumn operation or one or several substeps of the inverse MixColumn operation.

14. The processor device according to claim 1, wherein the obfuscation values y are computed respectively by means of a function V from bits of the input text, wherein V is electively a linear mapping or a hash function.

15. The processor device according to claim 14, wherein the algorithm has several rounds and the function V is newly chosen for every round.

16. The processor device according to claim 1, wherein the obfuscation values y further comprise one or several random values y[x], which are added to at least one or all of the output values s of the computation step S, wherein the random values y[x] are first selected randomly and thereupon altered in such a way that y[x] and s are statistically independent.

17. The processor device according to claim 1, wherein the computation step S has been implemented on the processor device as a white-box-masked computation step T′ in that: (i) the computation step S has been carried out to generate output values s, and (ii) the invertible function f has been applied to the generated output values s of the computation step S and the obfuscation values y, and a thereby achieved result T′ has been implemented on the processor device.

18. A method of executing a white-box-masked implementation of a cryptographic algorithm implemented on a processor device, which is configured to generate an output text, from an input text while employing a secret key K, the method comprising: implementing a computation step S by which input values x are mapped to output values s=S[x], and which is masked to a white-box-masked computation step T′ by an invertible function f, wherein the invertible function f includes an affine mapping A applied to the computation step S, said mapping being configured to generate output values w from A by applying A to output values s of the computation step S and additionally to one or several obfuscation values y which are statistically independent of the output values s of the computation step S, so that it holds that w=A(S[x], y)=A(s, y); and wherein the affine mapping A is further so designed that every bit in the output values w of the affine mapping A depends on at least one bit of the obfuscation values y such that the output values w of the affine mapping A are statistically balanced.

19. One or more non-transitory computer-readable mediums having stored thereon executable instructions that when executed by the one or more processors of a processor device configure the processor device to perform a method of executing a white-box-masked implementation of a cryptographic algorithm implemented on the processor device, which is configured to generate an output text, from an input text while employing a secret key K, comprising: implementing a computation step S by which input values x are mapped to output values s=S[x], an

Classifications

  • with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI

  • Obfuscation or hiding, e.g. involving white box

  • of tables, e.g. lookup, substitution or mapping

  • H04L9/002 (Primary): Countermeasures against attacks on cryptographic mechanisms (network architectures or network communication protocols for protection against malicious traffic H04L63/1441)

  • Randomization, e.g. dummy operations or using noise

Frequently asked questions

Who is the assignee on this patent?
Giesecke & Devrient GmbH, Giesecke & Devrient Mobile Security GmbH

What technology area does this patent fall under?
Primary CPC classification H04L9/002. Mapped technology areas include Electricity.

When was this patent published?
Publication date Oct 8, 2019 (B2). Legal status and post-grant events are not shown on this page.