CHES 2017 Capture the Flag Challenge

The WhibOx Contest: An ECRYPT White-Box Cryptography Competition

Starting from May 15, 2017, on this website, the EU-sponsored ECRYPT-CSA project is organising an open competition on white-box cryptography.

The competition comes in two flavors for competitors:

  • Developers are invited to post challenge programs that are white-box implementations of AES-128 under freely chosen keys. Challenges are expected to resist key extraction against a white-box attacker.
  • Attackers are invited to break the submitted challenges, i.e., extract their hard-coded encryption key.

Participants may remain completely anonymous or use their real-life identity, as they prefer. Implementers are not expected to explain their designs: they only have to provide a resulting C code. Attackers are not expected to explain their techniques: they only have to recover and provide the embedded key(s).

Why this competition?

The motivation for initiating the WhibOx contest comes from the industry's growing interest in white-box cryptography (most particularly for DRMs and mobile payments) and the obvious difficulty of designing secure solutions in a scientifically valid sense. The conjunction of these phenomena has prompted some companies to develop home-made solutions (whose security relies on the secrecy of the underlying techniques) rather than to rely on academic designs.

In such a context, the competition gives researchers and practitioners an opportunity to pit their (secretly designed) white-box implementations against state-of-the-art attackers. It also provides attackers and evaluators with new training material.

We hope and believe that new ideas will arise from this contest and that they will have a strong, positive impact on both scientific research and industrial know-how in the field of white-box cryptography.

How to win?

In a nutshell:

  • A white-box implementation collects strawberry points as long as it stays unbroken. As a reward for not being broken after \(n\) days, a challenge implementation gets \(n\) extra strawberries on that day, so its strawberry score on the \(n\)-th day is \(\frac{n(n+1)}{2}\). The score of a broken implementation decreases symmetrically down to \(0\). The winning score is the maximal strawberry score reached by challenge programs throughout the competition. The strawberry winner is the developer whose challenge has achieved the winning score.
  • An attacker who breaks a challenge implementation by recovering its hard-coded key converts the current strawberry score of the broken challenge into banana points. Those are integrated into the attacker's current banana score through the max rule: the attacker's new score is the maximum of her previous score and the bananas earned from the break. The banana winner is the attacker with the most banana points when the competition ends.


The complete and detailed rules of the competition are available here.

Important dates

  • May 15, 2017: Competition starting date, the submission server opens
  • Aug 31, 2017: Submission deadline (the submission period expires but attacks continue)
  • Sep 24, 2017: Final deadline (strawberry and banana scores are frozen)
  • CHES 2017 rump session: Announcement of winners

As soon as a challenge implementation is submitted, it is made public on the server and can hence be freely downloaded and broken by attackers. Implementations can be submitted from May 15 to Aug 31, 2017. After the submission deadline, attackers still have 24 days to continue breaking challenge implementations (until CHES 2017 starts).

Winners will be announced at the CHES 2017 rump session (CHES will take place from Sep 25 to 28 in Taiwan).


This competition is organised by the ECRYPT-CSA consortium.

The source code of the submission server has been developed by CryptoExperts. It will soon be made available on GitHub.

The server is administered by TU Eindhoven during the competition.