CHES 2016 Capture The Flag Rules / FAQ

This is a capture the flag that involves both power analysis and work creating secure implementations. It's interactive because you can both submit implementations AND break them (for sidechannel power analysis), and submit keys (for whitebox crypto).

Full documentation is held on a Wiki Page. Please see that page for more information.

You can follow @CHESChallenge on twitter for server status and other updates, and search using hash-tag #CHESChallenge.

There is also a video introduction here:
YouTube Video.

Point System

Currently there is a very basic point system:

Stage-gates are designed to be fairly simple. By accident one of them (#3B) is harder than expected from a basic stage-gate. If insufficient user-submitted flags are added, more complex implementations will be added to the challenge.


The planned timeline is as follows:

The winners will be the top 3 users on August 10, 15:00 UTC (as determined by the server time). This contest period is designed to give people who will be traveling for CHES some time off before the contest.

We close submissions of challenges sometime before the end of the contest to prevent people from saving their most difficult work to right before the end of the contest.


The top three people will receive several glorious prizes, with two additional special prizes.

The following prizes are planned, but be aware availability or delivery issues could prevent them from being awarded, and we may substitute any prize (not necessarily of the same value) if needed.

First Place

Second Place

Third Place

Most Difficult Implementations Submitted (based on time between submission and being fully broken, meaning 3 people have broken it claiming 1st/2nd/3rd)

Best Student (must by full-time student at time of CHES)

More Rules/FAQs

Where to get help?

Full documentation is held on a Wiki Page. Please see that page for more information.

You can follow @CHESChallenge on twitter for server status and other updates, and we'll try to answer questions sent to that account. You can also directly harass @colinoflynn if you're feeling cheeky.

Can I submit as a Team?

You can register as a team, but you are responsible for splitting the prizes! Registering multiple usernames that are helping each other is not allowed (i.e., once one person breaks an implementation sends the details to others). If you are working as a team please keep a single username.

Does my encryption source code need to be posted?

Keeping the source code available and distributed without restriction simplifies our server management (in that we don't have to deal with confidential source code). It also allows anyone to verify someone has submitted a real program, and they are not doing something dumb like delaying the encryption for 200mS, or adjusting the clock speeds.

Gaming the Point System

Please do not attempt to 'game' the system - people submitting the same basic implementations in order to break them will be disqualified or banned. We reserve the right to remove implementations/flags which are simple rewrites of the AES-128 in C example.

What is required of submitted AES implementations?

In order to submit a challenge, you must have an AES-128 implementation that meets the following rules:

This list may be updated as required. See the Wiki Page for more details.

What do I need to register, what are Terms of Service?

You don't need to provide a real name to register, we'll use your email address to contact you. Whoever controls that email address is considered the winner. Feel free to put a display name, nickname, etc.

We'll try to send updates to the email you provided (such as start/end announcements, updates to the rules, or if we add new challenges


The Terms of Service are what appears on this page, we want to make sure people understand how the contest will work and the timing for it.

Additional Terms and Conditions/Rules

This contest is being run by the CHES Workshop.

The CHES Challenge 2016 (the “Contest”) is not open to residents of Quebec, Cuba, Iran, Myanmar (formerly Burma), North Korea, Sudan, Syria, or any jurisdiction where the Contest would be restricted or prohibited by law. Participants must be at least 18 years of age (or the local age of majority where they live, if higher) at the time of registration, except that minors age 13 or older may participate by obtaining the consent of a parent or legal guardian as described below, as long as such participation is not prohibited or restricted by law where the minor lives.

Prizes will be awarded at CHES 2016. Participants must be present to collect prizes, or make arrangements for someone to receive prizes on their behalf.

Please note that content submitted (such as your encryption source code) WILL BE PUBLISHED on this website. Participant agrees that such source code is distributed without restriction. Participant represents and warrants that the Content, and the public posting of the Content to the Contest website, will not violate any rights of any person or entity, including, without limitation, any copyright, trademark, patent, or other intellectual property rights, or rights of privacy and publicity, or violate any applicable national, federal, state, or local laws, regulations, or policies, including those relating to export control.

In the event the Contest is compromised by a virus, non-authorized human intervention, tampering, or other causes beyond the reasonable control of Sponsor which corrupt or impair the administration, security, fairness or proper operation of the Contest, Sponsor reserves the right in its sole discretion to suspend, modify, or terminate the Contest. Should the Contest be terminated prior to the end date, Sponsor reserves the right to award prizes based on submissions received before the termination date.

The Website is provided on an AS IS and AS AVAILABLE basis without any representation or endorsement made and without warranty of any kind whether express or implied, including but not limited to the implied warranties of satisfactory quality, fitness for a particular purpose, non-infringement, compatibility, security and accuracy.

To the extent permitted by law, we will not be liable for any indirect or consequential loss or damage whatever (including without limitation loss of business, opportunity, data, profits) arising out of or in connection with the use of the Website.

We make no warranty that the functionality of the Website will be uninterrupted or error free, that defects will be corrected or that the Website or the server that makes it available are free of viruses or anything else which may be harmful or destructive.

These competition rules will be modified as required.