The WhibOx contest (Edition 2019) is a white-box cryptography competition organized by CryptoExperts and Cybercrypt as the CHES 2019 CTF Challenge. The contest took place from March 18, 2019 to August 21, 2019. The results were announced at the CHES 2019 Rump Session (slides available here).

The previous edition of this event was organised by the ECRYPT-CSA consortium as the CHES 2017 CTF Challenge.


Wall of Fame

Final strawberry scoreboard (developer category):

Pseudonym Identities Score
cryptolux Alex Biryukov, Aleksei Udovenko (University of Luxembourg)
white_mountain anonymous 728.22
Mugiwara Stéphane Cauchie 666.08
Gordon F. Charles Bouillaguet (University of Lille)
RickSanchz Peter Garba 389.69
alice1 anonymous 389.64
BugsBunny anonymous 386.37
  • Sandra Rasoa (Orange Labs – Loria)
  • Gilles Macario-Rat (Orange Labs – Loria)
  • Marine Minier (Université de Lorraine – Loria)
  • Sébastien Bardin (CEA List)
  • Mathilde Ollivier (CEA List – Loria)
juhou anonymous 174.64
WhaesbOx anonymous 59.10
Këscht anonymous 20.09
Alibaba anonymous 6.47
Yuri anonymous 0.54

Final banana scoreboard (attacker category):

Pseudonym Identities Score
cryptolux Alex Biryukov, Aleksei Udovenko (University of Luxembourg) 728.22
Patat0r anonymous 666.08
jean_onche anonymous 665.91
Idefix Security group of IDEMIA 640.48
simco3 anonymous 389.69
qwerty_va anonymous 367.63
Team Megaloblastt anonymous 367.16
skipjakk Théophile Hontang 272.67
bluecat anonymous 174.34
xobihw anonymous 25.75
RickSanchz Peter Garba 0.54

About the contest

The competition comes in two flavors for competitors:

  • Coders are invited to post challenge programs that are white-box implementations of AES-128 under freely chosen keys. Challenges are expected to resist key extraction and ciphertext inversion when submitted to white-box attackers.
  • Attackers are invited to break the submitted challenges, i.e. extract their hard-coded encryption key or invert encryption on individual random ciphertexts.

It is up to contestants to choose between remaining completely anonymous or using a recognizable identity. Coders are not expected to explain their designs, but only to provide a resulting C code. Attackers are not expected to explain their techniques, but only to recover embedded key(s) or decrypted plaintexts.

The purpose of Edition 2

The motivation for initiating the WhibOx contest Edition 1 came from the growing interest of the industry in white-box cryptography (most particularly for DRMs and mobile payments) and the obvious difficulty of designing secure solutions in a scientifically valid sense. The conjunction of these 2 realities has prompted some companies to develop home-made solutions (with a security relying on the secrecy of the underlying techniques) rather than to rely on academic designs.

The 2017 edition of the competition gave researchers and practitioners an opportunity to pit their (secretly designed) white-box implementations against state-of-the-art attackers. It also provided new training material for reverse engineers and security evaluators.

Given the success of Edition 1, and the fact that no challenge implementation survived more than 28 days of continuous attacks, we thought it useful and exciting to pick up the competition where we left off and give designers a new chance to showcase their talents. Once again, we hope to give a boost to scientific research and elevate the worldwide industrial know-how in the field of white-box cryptography.

How to win this competition?

Similarly to Edition 1:

  • A white-box implementation collects strawberry points as long as it stays unbroken. As a reward for not being broken after time \(t\), a challenge implementation gets \(\propto t\) extra strawberries, so its strawberry score increases as \(\propto t^2\). The score of a broken implementation decreases symmetrically down to \(0\). The winning score is the maximal strawberry score reached by challenge programs throughout the competition. The strawberry winner is the developer whose challenge has realized the winning score.
  • An attacker who breaks a challenge implementation by recovering its hard-coded key converts the current strawberry score of the broken challenge into banana points. Those are integrated into the attacker's current banana score through the max rule: the attacker's new score is the max between their previous score and the bananas earned from the break. The banana winner is the attacker with the most banana points when the competition ends.

New in Edition 2:

This time around, new features and competition rules have been instated.

  • Bonus (carrot) points are introduced to reward the successful inversion of ciphertexts, which amounts to unauthorized decryption. Attackers may now generate bananas even when hard-coded keys still resist extraction.
  • The most efficient challenge programs collect strawberries (and carrots) faster than the others. Efficiency is measured in terms of average running time, code size and memory consumption.
  • Time granularity has been improved and is now 1 minute.
  • Challenge programs are allowed to use both 32-bit and 64-bit instructions.
  • Contestants may freely choose between 2 compiling options (GCC or TCC).
  • Plaintext-ciphertext pairs for all challenges can be downloaded through a programmatic API.


The complete and detailed rules of the competition are available in the "Competition Rules" tab on the dashboard.

Important dates

  • March 18, 2019: Competition starting date, the submission server opens
  • Aug 1, 2019: Submission deadline (the submission period expires but attacks continue)
  • Aug 21, 2019: Final deadline (strawberry, carrot and banana scores are frozen)
  • CHES 2019 rump session: Announcement of the top-3 winners in each category

As soon as a challenge implementation is submitted, it is made public on the server and can hence be freely downloaded and broken by contestants. Implementations can be submitted from March 18 to Aug 1, 2019. After the submission deadline, attackers still have 20 days to continue breaking challenge implementations (until 4 days before CHES 2019 starts).

Winners will be announced at the CHES 2019 rump session (CHES 2019 will take place from Aug 25 to 28 in Atlanta, USA).

Connect with the community

Join the discussion forum on Slack and get your questions answered by the organizing committee. Invitation based - send us an invitation request at You may also be invited by people that are already members.

The organizing committee is composed of Yunsi Fei, Vincent J. Mooney III and Patrick Schaumont (General Chairs of CHES 2019), Andrey Bogdanov and Stefan Kölbl (CyberCrypt), Louis Goubin, Pascal Paillier, Matthieu Rivain and Junwei Wang (CryptoExperts).


This competition is the Capture-The-Flag event of CHES 2019, a conference sponsored by IACR.

Andrey Bogdanov and Stefan Kölbl have graciously volunteered to host and manage the submission server at CyberCrypt.

The source code of the submission server has been developed by CryptoExperts. It is fully open source and available on GitHub. Credits go to Junwei Wang for re-developing significant parts of the server on the occasion of this second edition of the WhibOx Contest; the 2017 version was created by Thomas Baignères and Matthieu Finiasz. The new rules and features are due to the CryptoExperts team, with ideas suggested by Benoît Chevallier-Mames, Chris Brzuska and contestants from the 2017 edition.