# Competition Rules

The competition is run by the ORGANIZING COMMITTEE.

## User accounts

Anyone can create an account and post one or several challenges and/or break one or more challenges on the WhibOx Edition 2 competition website.

The account owner may remain completely anonymous when creating an account. In addition to creating a login/password, an email address must be entered (in case the ORGANIZING COMMITTEE needs to contact the owner directly). However, the email address is not verified except for basic syntax. Users may e.g. enter their primary email address or, if they are willing to remain anonymous, may use a free service such as Mailinator to create an untraceable email address.

The same person may create several accounts. User accounts are password-protected but passwords CANNOT BE CHANGED and are NOT RECOVERABLE in case of loss. It is the users' responsibility to choose a strong enough password and to keep it in a safe place. Winners will be asked to log in and reveal their real name on the competition website if they want to be publicly awarded during the prize ceremony.

Every newly registered user, referred to as a contestant, is assigned a BANANA score initialized to 0.

The website is public in the sense that anyone can freely browse it (including downloading challenges) but logging in is required to post or break challenges.

The competition website is referred to as the SYSTEM.

## What is a challenge?

A challenge is a C source program that contains a function with prototype

void AES_128_encrypt(unsigned char ciphertext[16], unsigned char plaintext[16]);

It implements an AES-128 encryption under some 128-bit key embedded into the code. The function AES_128_encrypt(ciphertext, plaintext) takes a 128-bit plaintext block as input (as a pointer on an array of 16 bytes) and writes the corresponding 128-bit ciphertext (as an array of 16 bytes) at the given address.

The C language is the one accepted by either GCC 8.2.0 or TCC 0.9.27 with NO additional language dialect options. Contestants may freely choose which compiler is to be used when the SYSTEM validates the challenge program. The source code must be completely portable and re-compilable towards any target architecture. In other words, it must be made only of generic C which in particular, excludes the use of inline assembly. Note that there is no restriction to a 32-bit architecture as in the first edition of the WhibOx contest. Native 64-bit operations are supported by default and contestants may use them as they see fit.

No #include or extern is allowed in the source code, and more generally linking to external libraries (even the standard C libraries) is forbidden. This is intended to prevent the inclusion of malware in submitted challenges. Any attempt to maliciously attack the SYSTEM or the computer system of contestants will lead to DISQUALIFICATION. In case evidence of malicious code is found in a challenge, contestants are invited to report the issue to the ORGANIZING COMMITTEE directly (whibox.organizing.committee@gmail.com). If contestants are suspicious that some challenge program may contain malware, they may run GCC or TCC in docker or a virtual machine, exactly like the server does (using VirtualBox).

Documentation on how the server runs is found on GitHub. Contestants are invited to download and install their own instance of the server if they want to ensure that their challenge will be accepted when submitted.

IPR and copyright disclaimer: contestants may indicate (typically in a header in their source) which license applies to their challenge program, if any.

## Requirements on the source and executable

• The source code must be no bigger than 50MB.
• The REFERENCE COMPILERS must use at most 500MB of RAM to complete compilation.
• The compilation must not exceed 100 seconds.
• The following character strings are forbidden in the source code:
• "#include"
• "extern"
• "_FILE__"
• "__DATE__"
• "__TIME"
• "__STDC_"
• "__asm__"
• "(wsp)asm(nan)"
where "(wsp)" indicates a white space and "(nan)" indicates any non-alphanumeric character. An occurence of either of these strings will lead to a rejection of the challenge program, even if they are embedded in (arbitrarily nested) quoted strings.
• The executable must be 20MB in size or less,
• The executable must use 20MB of RAM or less (this includes the stack and all global variables, at the exclusion of the code itself),
• The executable must run in 1 second or less per function call. This is not absolute time but CPU time, measured within a VirtualBox VM by the SYSTEM. Contestants may check that their challenges comply with this limitation by using the utility ulimit with the -t option.

The SYSTEM will reject a program that does not comply with these requirements.

Compliance with the requirements can be tested by downloading and running a local instance of the submission server found here.

## Posting a challenge

A contestant who posts a new challenge must temporarily reveal the embedded key to the SYSTEM for the purpose of verifying the consistency of the challenge program. The key is erased from the SYSTEM as soon as it has determined whether it is consistent or not with the challenge. This is done as follows.

Challenge-key verification procedure

1. The SYSTEM uses the REFERENCE IMPLEMENTATION of AES-128 to generate a number of random plaintext-ciphertext pairs under the given key. The number of pairs is determined by the SYSTEM but is at least 1000. Once this is done, the key is erased from the SYSTEM.
2. The SYSTEM compiles the challenge program and checks that it complies with the above requirements. If not, the challenge is rejected.
3. For each plaintext-ciphertext pair, the SYSTEM runs the executable on the plaintext and checks that the output is equal to the ciphertext.
4. In case of mismatch, the procedure halts, the challenge program is rejected and the mismatching plaintext-ciphertext pair is returned to the submitting contestant.
5. The SYSTEM selects a plaintext-ciphertext pair, hashes the plaintext, deletes it from memory and attaches the ciphertext to the challenge for the purpose of INVERSION.
6. Finally, the challenge program is validated and:
1. given a name by the system,
2. assigned a PERFORMANCE SCORE (see below)
3. declared as STANDING,
4. assigned a STRAWBERRY score and a CARROT score both initialized to 0.

When accepted, the challenge is published on the website for anyone to download and play with. In addition, a small subset of random plaintext-ciphertext pairs is kept by the SYSTEM for later verification of candidate keys. The number of pairs is determined by the SYSTEM but is at least 10. These pairs can be recovered as a JSON object with the following HTTP request:

GET https://whibox.cyber-crypt.com/show/candidate/{id}/testvectors

where {id} is the integer identifier of the challenge (not its name). No authentication is required. Example output:

{
"id": 35,
"test_vectors": [{
"ciphertext": "4d05886d8f6d8fee136b9c6b75d2a753",
"plaintext": "79eff209372700ba9ce2623b2fdb95f3"
}, {
"plaintext": "d38c88f2c31ac6ec7df1414150d55fa2"
}, {
"ciphertext": "3f82dfbe892f25bcfd756f4519b1c13b",
"plaintext": "b1d74f9cca796c5d523859c43c614cf9"
}, {
"ciphertext": "20903a77e0a9188b6736ec9de6138fc7",
"plaintext": "9d8ba8a29bf95ba26394624f3c89fb61"
}, {
"ciphertext": "ba899a8f85d274d7eb62638f86943432",
"plaintext": "295df29c62f81a20eed0c1d70a2b5db4"
}, {
"plaintext": "24b92c789dda5a079d065f396cb73559"
}, {
"ciphertext": "8e3de268154d6ef98c5ff1c2fd200192",
}, {
"ciphertext": "6bf067d0d06814a64faa08c9bc62c09d",
"plaintext": "446a591cdd83d15f2aae83888ce0197d"
}, {
"ciphertext": "00579a1abcec3132041b8888c06d5491",
"plaintext": "e7b8d53ae7d7ea6cbfebd49d0d5ff769"
}, {
"ciphertext": "0f598d59d2881df6a32dd83277b25a4f",
"plaintext": "798252d2f3d8f43f6360655b06fb8fba"
}]
}

## Performance scores

The performance score of a challenge is measured by the SYSTEM when validating its consistency at posting time. Challenges with a higher performance score collect STRAWBERRY and CARROT points faster. The score is assigned as follows.

Execution time. The SYSTEM measures the average CPU time consumed by the challenge program and determines the fraction $f_{time} = \frac{\text{average time}}{1 \text{ second} }\;.$

Code size. The SYSTEM measures the size of the executable and determines the fraction $f_{size} = \frac{\text{code size}}{20 \text{ MB} }\;.$

RAM usage. The SYSTEM measures the average RAM consumption of the executable and determines the fraction $f_{memory} = \frac{\text{average RAM}}{20 \text{ MB} }\;.$

The performance score of the challenge is evaluated as $\mathit{perf\_score} = \log_2 \left(\frac{2}{f_{time} \cdot f_{size} \cdot f_{memory}}\right)\;.$

Note that the performance score of a challenge that meets the allowed maximal limits is equal to $$1$$. Challenges that are either smaller, faster or less memory-consuming get a higher perfomance score.

## Winning strawberries

A contestant may post challenges anytime between the STARTING DATE and the POSTING DEADLINE.

A challenge gets more and more STRAWBERRIES as time goes by, as long as it is not BROKEN. In this second edition of the competition, time has a granularity of 1 minute instead of 1 day.

At the time $$t_{post}$$ the challenge is posted, its STRAWBERRY score is set to $$0$$. The STRAWBERRY score then increases quadratically with time as $\mathtt{strawberries} = \mathit{perf\_score} \times \left(\frac{t-t_{post}}{24\cdot 60}\right)^2$ where $$t-t_{post}$$ is the number of minutes elapsed since the challenge was posted and $$\mathit{perf\_score}\in[1,+\infty)$$ is its performance score (see above).

If the challenge is BROKEN for the first time at time $$t_{break}$$, its STRAWBERRY score becomes $\mathtt{strawberries} = \mathit{perf\_score} \times \left(\frac{t_{break}-t_{post}-\left(t - t_{break}\right)}{24\cdot 60}\right)^2 \;,$ meaning that its progression is reversed symmetrically until it reaches $$0$$. It then sticks to it.

When the FINAL DEADLINE is reached, the STRAWBERRY scores of all challenges freeze.

## Bonus (carrot) points

This edition 2 of the WhibOx contest introduces bonus points called CARROTS. The CARROT score of a challenge progresses similarly as STRAWBERRIES (but counts for only half of these) until the challenge is INVERTED or BROKEN for the first time. The CARROT score then decreases symmetrically back to $$0$$.

At posting time, a random ciphertext is assigned to the challenge. INVERTING the challenge means that a contestant successfully recovered the plaintext matching that ciphertext. Note that this does not necessarily imply BREAKING the challenge; it is enough to reverse its flow of operations and perform AES decryption on that one ciphertext, which may be much easier.

The CARROT score evaluates as $\mathtt{carrots} = \frac 12 \times \mathit{perf\_score} \times \left(\frac{t-t_{post}}{24\cdot 60}\right)^2$ for $$t_{post}\leq t \leq t_{attack}$$ and $\mathtt{carrots} = \frac 12 \times \mathit{perf\_score} \times \left(\frac{t_{attack}-t_{post}-\left(t - t_{attack}\right)}{24\cdot 60}\right)^2$ for $$t_{attack}\leq t\leq 2\cdot t_{attack} - t_{post}$$. It then sticks to $$0$$ for later times $$t$$. Here, $$t_{attack}$$ stands for the time (measured in minutes) at which the challenge was first INVERTED or BROKEN.

Note that the CARROT and STRAWBERRY scores are independent until a BREAK occurs. INVERTING a STANDING challenge does not affect the progression of STRAWBERRIES; however a BREAK immediately reverses the progression of both STRAWBERRIES and CARROTS.

When the FINAL DEADLINE is reached, the CARROT scores of all challenges freeze.

## Breaking challenges

A contestant may BREAK any challenge by submitting a candidate key to the SYSTEM. The challenge may be STANDING, INVERTED or already BROKEN.

Key verification procedure: Given the submitted key, the SYSTEM fetches the recorded plaintext-ciphertext pairs attached to the challenge and uses the AES REFERENCE IMPLEMENTATION again to check that the key matches all the pairs. The key is erased as soon as the verification is completed.

In case of mismatch, the mismatching pair is returned to the submitting contestant and the break is rejected. Otherwise, the submitting contestant is notified that the break is accepted. If the challenge was STANDING or INVERTED, it is declared as BROKEN at the time the SYSTEM accepted the break.

Contestants may BREAK challenges until the FINAL DEADLINE.

## Inverting challenges

A contestant may INVERT any challenge by submitting a candidate plaintext to the SYSTEM. The challenge may be STANDING, BROKEN or already INVERTED.

Plaintext verification procedure: Given the submitted plaintext, the SYSTEM fetches the hashed plaintext attached to the challenge and checks that the plaintext is consistent. The plaintext is erased as soon as the verification is complete.

In case of mismatch, the INVERSION is rejected. Otherwise, the submitting contestant is notified that the INVERSION is accepted. If the challenge was STANDING, it is declared as INVERTED at the time the SYSTEM accepted the INVERSION.

Contestants may INVERT challenges until the FINAL DEADLINE.

## Winning bananas

A contestant whose BREAK has been accepted by the SYSTEM gets a chance to increase their BANANA score. Noting $$\mathtt{strawberries}$$ the current STRAWBERRY score of the challenge and $$\mathtt{bananas}$$ the contestant's current BANANA score, $$\mathtt{bananas}$$ is updated as $\mathtt{bananas} = \max(\mathtt{bananas}, \mathtt{strawberries})\;.$

Similarly, the BANANA score of a contestant whose INVERSION has been accepted by the SYSTEM is updated as $\mathtt{bananas} = \max(\mathtt{bananas}, \mathtt{carrots})$ where $$\mathtt{carrots}$$ is the current CARROT score of the challenge.

## Winning the competition

The winners are determined at the time of the FINAL DEADLINE. There are 2 winners, the STRAWBERRY WINNER and the BANANA WINNER.

### The strawberry winner

The WINNING CHALLENGE is the challenge (STANDING, INVERTED or BROKEN) which STRAWBERRY score has reached the highest peak between the STARTING DATE and the FINAL DEADLINE.

The STRAWBERRY WINNER is the contestant who posted the WINNING CHALLENGE.

There may be several WINNING CHALLENGEs and STRAWBERRY WINNERs (no tie-breaking rule).

### The banana winner

The BANANA WINNER is the contestant with the highest BANANA score at the time of the FINAL DEADLINE.

There may be several BANANA WINNERs (no tie-breaking rule).

## Disqualification

At any time, the ORGANIZING COMMITTEE may DISQUALIFY a contestant in case of misconduct during the competition. Examples of misconduct include

• posting a challenge program that does not implement AES-128,
• posting a challenge program that contains malware,
• attempting to attack/hack the SYSTEM or the computer system of contestants in any manner.

The user account of a DISQUALIFIED contestant is disabled and challenges that the contestant has posted may be withdrawn from the competition on a case-by-case basis.

## Terms of reference

### Important dates

 STARTING DATE March 23, 2019 @ 00:00 UTC POSTING DEADLINE August 1, 2019 @ 00:00 UTC FINAL DEADLINE August 21, 2019 @ 12:00 UTC (4 days before CHES 2019)

### System and challenges

 SYSTEM Server comprising the competition website and tools for compiling and testing challenge programs. The compilation environment is fully described in this dockerfile. REFERENCE COMPILERS Option 1: gcc with option -nostdinc (version 8.2.0)Option 2: tcc with option -nostdinc (version 0.9.27) REFERENCE IMPLEMENTATION aes.c file available from this GitHub repository. BROKEN (challenge) At least one contestant has been able to provide the SYSTEM with an AES-128 key that passes the key verification procedure. INVERTED (challenge) The challenge is not BROKEN and at least one contestant has been able to provide the SYSTEM with an AES-128 plaintext that passes the plaintext verification procedure. STANDING (challenge) A challenge that is neither INVERTED nor BROKEN.

### Winning contestants

 WINNING CHALLENGE Challenge which STRAWBERRY score has reached the highest peak between the STARTING DATE and the FINAL DEADLINE. STRAWBERRY WINNER Contestant who posted the WINNING CHALLENGE. BANANA WINNER Contestant with the highest BANANA score at the time of the FINAL DEADLINE. STRAWBERRY 🍓 BANANA 🍌 CARROT 🥕 DISQUALIFIED (contestant) Misconducting contestant excluded from the competition and whose challenges may be withdrawn.

### Organizing committee

 Members Andrey Bogdanov, Stefan Kölbl and Elmar Tischhauser (CyberCrypt), Louis Goubin (UVSQ), Pascal Paillier, Matthieu Rivain and Junwei Wang (CryptoExperts). Email whibox.organizing.committee@gmail.com Twitter @WhiboxC (WhibOx Contest Organizing Committee)