CHES 2016 Capture The Flag Rules / FAQ
This is a capture the flag that involves both power analysis and the creation of secure implementations. It's interactive because you can both submit implementations AND break them (for side-channel power analysis), and submit keys (for white-box crypto).
Full documentation is held on a Wiki Page. Please see that page for more information.
You can follow @CHESChallenge on twitter for server status and other updates, and search using hash-tag #CHESChallenge.
There is also a video introduction.
Point System
Currently there is a very basic point system:
- 'Stage-Gate' flags (such as basic CPA) are worth 10 points for all users.
- User-submitted flags are worth 50 points for the first person to capture the flag, 30 for the next, and 10 for all others.
- Capturing the flag for your own implementation is worth 30 points (to encourage users to not submit impossible implementations) for the first 4 implementations you submit (i.e., you do not receive self-points for more than 5 implementations).
- Capturing the flag for a white-box crypto is worth 100 points, and does not decrease over time.
Stage-gates are designed to be fairly simple. By accident, one of them (#3B) is harder than expected for a basic stage-gate. If insufficient user-submitted flags are added, more complex implementations will be added to the challenge.
Timeline
The planned timeline is as follows:
- May 15th - May 30th: This is the test period. Please use the webserver, but scores do not matter. Do not submit your prized work now, as the scoreboard will be reset!
- June 1st, 15:00 UTC - July 31, 15:00 UTC: Challenge Submission & Attack Period. You can both submit new challenges, and break existing ones during this time. Scores will continue to accumulate.
- July 31, 15:00 UTC - August 10, 15:00 UTC: Attack-only Period. You can only break existing challenges now, not submit new ones.
The winners will be the top 3 users on August 10, 15:00 UTC (as determined by the server time). This contest period is designed to give people who will be traveling for CHES some time off before the contest.
We close submissions of challenges sometime before the end of the contest to prevent people from saving their most difficult work to right before the end of the contest.
Prizes
The top three people will receive several glorious prizes, with two additional special prizes.
The following prizes are planned, but be aware availability or delivery issues could prevent them from being awarded, and we may substitute any prize (not necessarily of the same value) if needed.
First Place
- CHES Registration & Travel Stipend
- ChipWhisperer-Lite 2-Part Version
- Philips Hue Starter Pack (for hacking or using)
- Seek XR Thermal Camera add-on
- ZYBO FPGA Board
Second Place
- ChipWhisperer-Lite 2-Part Version
- Philips Hue Starter Pack (for hacking or using)
- Arty FPGA Board
Third Place
- ChipWhisperer-Lite
- Philips Hue Starter Pack (for hacking or using)
Most Difficult Implementations Submitted (based on time between submission and being fully broken, meaning 3 people have broken it claiming 1st/2nd/3rd)
Best Student (must be a full-time student at time of CHES)
- ChipWhisperer-Lite
- Arty FPGA Board
More Rules/FAQs
Where to get help?
Full documentation is held on a Wiki Page. Please see that page for more information.
You can follow @CHESChallenge on twitter for server status and other updates, and we'll try to answer questions sent to that account. You can also directly harass @colinoflynn if you're feeling cheeky.
Can I submit as a Team?
You can register as a team, but you are responsible for splitting the prizes! Registering multiple usernames that are helping each other is not allowed (i.e., once one person breaks an implementation, they send the details to others). If you are working as a team, please keep a single username.
Does my encryption source code need to be posted?
Keeping the source code available and distributed without restriction simplifies our server management (in that we don't have to deal with confidential source code). It also allows anyone to verify that someone has submitted a real program, and that they are not doing something dumb like delaying the encryption for 200 ms, or adjusting the clock speeds.
Gaming the Point System
Please do not attempt to 'game' the system - people submitting the same basic implementations in order to break them will be disqualified or banned. We reserve the right to remove implementations/flags which are simple rewrites of the AES-128 in C example.
What is required of submitted AES implementations?
In order to submit a challenge, you must have an AES-128 implementation that meets the following rules:
- Runs on Atmel XMEGA Platform.
- The sensitive operation for all 16 bytes occurs less than 10000 clock cycles after the call to the encrypt function (you can perform operations such as key expansion in an "init" call that happens before power measurements are recorded). See the wiki page for how to measure this time.
- Does not modify clock settings of XMEGA device.
- Doesn't try dumb stuff to reveal key (like saving secret key of job #1 to EEPROM and hoping you can run job #2 on the same hardware right after, and read job #1 key out).
This list may be updated as required. See the Wiki Page for more details.
What do I need to register, what are Terms of Service?
You don't need to provide a real name to register; we'll use your email address to contact you. Whoever controls that email address is considered the winner. Feel free to put a display name, nickname, etc.
We'll try to send updates to the email you provided (such as start/end announcements, updates to the rules, or if we add new challenges).
The Terms of Service are what appears on this page; we want to make sure people understand how the contest will work and the timing for it.
Additional Terms and Conditions/Rules
This contest is being run by the CHES Workshop.
The CHES Challenge 2016 (the “Contest”) is not open to residents of Quebec, Cuba, Iran, Myanmar (formerly Burma), North Korea, Sudan, Syria, or any jurisdiction where the Contest would be restricted or prohibited by law. Participants must be at least 18 years of age (or the local age of majority where they live, if higher) at the time of registration, except that minors age 13 or older may participate by obtaining the consent of a parent or legal guardian as described below, as long as such participation is not prohibited or restricted by law where the minor lives.
Prizes will be awarded at CHES 2016. Participants must be present to collect prizes, or make arrangements for someone to receive prizes on their behalf.
Please note that content submitted (such as your encryption source code) WILL BE PUBLISHED on this website. Participant agrees that such source code is distributed without restriction. Participant represents and warrants that the Content, and the public posting of the Content to the Contest website, will not violate any rights of any person or entity, including, without limitation, any copyright, trademark, patent, or other intellectual property rights, or rights of privacy and publicity, or violate any applicable national, federal, state, or local laws, regulations, or policies, including those relating to export control.
In the event the Contest is compromised by a virus, non-authorized human intervention, tampering, or other causes beyond the reasonable control of Sponsor which corrupt or impair the administration, security, fairness or proper operation of the Contest, Sponsor reserves the right in its sole discretion to suspend, modify, or terminate the Contest. Should the Contest be terminated prior to the end date, Sponsor reserves the right to award prizes based on submissions received before the termination date.
The Website is provided on an AS IS and AS AVAILABLE basis without any representation or endorsement made and without warranty of any kind whether express or implied, including but not limited to the implied warranties of satisfactory quality, fitness for a particular purpose, non-infringement, compatibility, security and accuracy.
To the extent permitted by law, we will not be liable for any indirect or consequential loss or damage whatever (including without limitation loss of business, opportunity, data, profits) arising out of or in connection with the use of the Website.
We make no warranty that the functionality of the Website will be uninterrupted or error free, that defects will be corrected or that the Website or the server that makes it available are free of viruses or anything else which may be harmful or destructive.
These competition rules will be modified as required.