CHES 2017 Capture the Flag Challenge

The WhibOx Contest An ECRYPT White-Box Cryptography Competition

The WhibOx contest is a white-box cryptography competition organised by the ECRYPT-CSA consortium as the CHES 2017 CTF Challenge. The contest took place from May 15, 2017 to Sep 24, 2017. The results were announced at the CHES 2017 Rump Session.

Go to Final Dashboard

Wall of Fame

Final strawberry scoreboard (developer category):

Pseudonym Identities Score
cryptolux Alex Biryukov, Aleksei Udovenko
(University of Luxembourg)
grothendieck Leandro Marin
(University of Murcia and Philips)
sebastien-riou Sébastien Riou 66
chaes anonymous 55
team4 Brent Carmer, Tancrède Lepoint, Alex Malozemoff, Mariana Raykova 36
T33 Ronald Rietman, Sebastiaan de Hoogh
BendHer Lucille Tordella
(Telecom ParisTech)
alec Alec Edgington 1
kluxc3qa1 anonymous 1
Qe1d28d67 anonymous 1

Final banana scoreboard (attacker category):

Pseudonym Identities Score
team_cryptoexperts Louis Goubin, Pascal Paillier, Matthieu Rivain, Junwei Wang (CryptoExperts) 406
cryptolux Alex Biryukov, Aleksei Udovenko (University of Luxembourg) 78
You! anonymous 55
Team Megaloblastt Ramtine Tofighi-Shirazi, Michaël Adjedj, Sylvain Lévêque, and colleagues (Trusted Labs, Gemalto) 44
jean_onche anonymous 28
2coolHeart anonymous 15
OverTime anonymous 14
pschorrhacker anonymous 14
E1w00d anonymous 14
TeamPhilips Ronald Rietman, Sebastiaan de Hoogh, Maarten Bodlaender (Philips) 9
RonaldRietman Ronald Rietman (Philips) 3
doegox anonymous 1
SdeH Sebastiaan de Hoogh (Philips) 1

About the contest

The competition comes in two flavors for competitors:

  • Developers are invited to post challenge programs that are white-box implementations of AES-128 under freely chosen keys. Challenges are expected to resist key extraction against a white-box attacker.
  • Attackers are invited to break the submitted challenges i.e. extract their hard-coded encryption key.

Participants may remain completely anonymous or use their real-life identity, as they prefer. Implementers are not expected to explain their designs: they only have to provide a resulting C code. Attackers are not expected to explain their techniques: they only have to recover and provide the embedded key(s).

Why this competition?

The motivation for initiating the WhibOx contest comes from the growing interest of the industry towards white-box cryptography (most particularly for DRMs and mobile payments) and the obvious difficulty of designing secure solutions in a scientifically valid sense. The conjunction of these phenomena has prompted some companies to develop home-made solutions (with a security relying on the secrecy of the underlying techniques) rather than to rely on academic designs.

In such a context, the competition gives an opportunity for researchers and practitioners to confront their (secretly designed) white-box implementations to state-of-the-art attackers. It also provides attackers and evaluators with new training material.

We hope and believe that new ideas will arise from this contest and that they will have a strong, positive impact on both scientific research and industrial know-how in the field of white-box cryptography.

Score system

In a nutshell:

  • A white-box implementation collects strawberry points as long as it stays unbroken. As a reward for not being broken after \(n\) days, a challenge implementation gets \(n\) extra strawberries on that day, so its strawberry score on the \(n\)-th day is $$\frac{n(n+1)}{2}.$$ The score of a broken implementation decreases symmetrically down to \(0\). The winning score is the maximal strawberry score reached by challenge programs throughout the competition. The strawberry winner is the developer whose challenge has realized the winning score.
  • An attacker who breaks a challenge implementation by recovering its hard-coded key, converts the current strawberry score of the broken challenge into banana points. Those are integrated into the attacker's current banana score through the max rule: the attacker's new score is the max between her previous score and the bananas earned from the break. The banana winner is the attacker with the most banana points when the competition ends.


  • May 15, 2017: Competition starting date, the submission server opens
  • Aug 31, 2017: Submission deadline (the submission period expires but attacks continue)
  • Sep 24, 2017: Final deadline (strawberry and banana scores are frozen)
  • CHES 2017 rump session: Announcement of winners

As soon as a challenge implementation is submitted, it is made public on the server and can hence be freely downloaded and broken by attackers. Implementations can be submitted from May 15 to Aug 31, 2017. After the submission deadline, attackers still have 24 days to continue breaking challenge implementations (until CHES 2017 starts).


The complete and detailed rules of the competition are available in the "Competition Rules" tab on the dashboard.


This competition is organised by the ECRYPT-CSA consortium.

The source code of the submission server has been developed by CryptoExperts. It is fully open source and available on GitHub.

The server is administered by TU Eindhoven during the competition.

Join the discussion forum on Slack and get your questions answered by the organizing committee. Invitation based - send us an invitation request at You may also be invited by people that are already members.

The organizing committee is composed of Emmanuel Prouff (CHES 2017 CTF Manager), Chen-Mou Cheng and Bo-Yin Yang (CHES 2017 General co-chairs), Thomas Baignères, Matthieu Finiasz, Pascal Paillier and Matthieu Rivain (CryptoExperts people, who initiated the idea and developped the server).