FAQ

What exactly are you running?

Four VPS, one each at four different providers. Each runs the same HyveGuard binary in a four-node mesh. The binary is built from the same source as our production deployment, but the cluster is fully isolated — different network, different REALITY secret, different DNS, different DKG, different group public key. Nothing in this challenge cluster touches anything in production.

Wait, am I supposed to break Ed25519 with maths? Is that even possible?

No, and no. Ed25519 has 128-bit security. Brute-forcing the discrete log takes around 2¹²⁸ operations, more than the number of atoms in the observable universe. Decades of cryptanalysis. You won't crack the key with maths. Nobody will.

The challenge is server compromise, not a maths puzzle. The crypto framing is just how you prove you won. To produce a valid FROST signature against today's canonical bytes, you need ONE of:

1. Compromise ≥2 of the 4 nodes. Foothold → privilege escalation → exfiltrate the FROST share from each compromised box → run the FROST signing protocol off-cluster with both shares. This is a normal server-security attack, with the signature as unfalsifiable proof.
2. Find a bug in hyveguard's Go code that lets you trigger a sign without legitimate consensus — e.g. broken nonce generation, broken auth on a privileged endpoint, broken consensus accountability. Code-level vuln in the binary.
3. Find a bug in the cross-node consensus engine that lets you trick the cluster into signing on your behalf — equivocation that bypasses accountability detection, peer-impersonation, etc.

Any of those paths produces a valid signature. The signature verifies with stock ed25519.Verify against the published group_pub. The cluster sees the valid sig, broadcasts SHUTDOWN, the season ends — automatically, without an operator deciding.

Why FROST? Why not just publish a private key and let people sign?

Two reasons, in order of importance:

1. The crown jewel doesn't exist on any node. Pedersen DKG produces a group public key; the corresponding group secret is the sum of contributions that no single node ever holds. To produce a valid signature you have to extract shares from multiple nodes (real-world server compromise) AND run the FROST signing protocol — substantially higher bar than reading a single key file off one box.
2. FROST output is RFC-8032 compatible. A successful threshold sig verifies with stock ed25519.Verify. No exotic verifier needed; anyone can independently check a claim. The cluster doesn't get to lie about whether you won — and we don't either.

How do I register a handle?

Mine a small proof-of-work, post it. No email, no captcha, no third-party trackers. We store handle + registered_at + tier badges. Nothing else.

The PoW gate is SHA-256("hyveguard-identify-v1" || handle || nonce) with 20 leading zero bits — about a million hashes, under 2 seconds on a laptop.

# Build the CLI (any modern Go toolchain)
go build -o hg-identify ./identify/

# Mine a nonce for your handle
./hg-identify mine yourhandle 20
# → found: handle=yourhandle bits=20 nonce=2f3c... tries=1238412 in 2.4s

# Register on any edge — replicates to all four within seconds
curl -X POST https://edge-fr.hyveguard.com/hyveguard/identify \
     -H 'Content-Type: application/json' \
     -d '{"handle":"yourhandle","nonce":"2f3c..."}'

Registration is optional. You can submit captures anonymously — we'll attribute as "Anonymous." You can also register and never use it. Your call.

Why no cash bounty?

Budget. Four cheap VPS, one domain, one trademark application — that's the entire spend. We wanted to ship the challenge rather than wait until we could afford a bounty pool. The 60-day mark of any season is when we revisit. If you'd find this dramatically more interesting with money attached, tell us — we listen.

How does the challenge string rotate?

Every day at 00:00 UTC. The canonical preimage is SHA-256("hyveheim-challenge-v1" || 0x00 || YYYY-MM-DD || 0x00 || group_pub_bytes). Today's is on the landing page. Future days can't be precomputed because group_pub is part of the input — and a season rollover replaces group_pub entirely.

What's a "season"?

90 days, or until someone wins, whichever comes first. At rollover we run a fresh Pedersen DKG → fresh group_pub. Anything you were working on against the previous key is gone. Ragnarök small-r — the wolves circle every 90 days regardless.

What happens when someone wins?

The valid signature submitted on the form is verified against the cluster's published group_pub and today's canonical bytes. If valid, the cluster broadcasts SHUTDOWN; all four nodes stop services; the landing page flips to "SEASON CLOSED"; the winner goes on the hall of fame; we publish the season's audit DAG; we write a post-mortem.

What if I get a partial flag (Tier 1–3)?

Paste it into the same form as a winning Tier 4 signature. The cluster auto-detects format (HG1-XXXX-XXXX-XXXX, HG2-XXXX-XXXX-XXXX, HG3-XXXX-XXXX-XXXX, or the raw 64-hex Tier 3 combined hash) and constant-time-matches against the on-box hashed vault. If you supplied a handle, your wall entry gets the matching badge automatically. No email required. Partial captures don't end the season — the cluster keeps running and the form keeps accepting.

What's "Ghost tier" (Einherjar) exactly?

You achieve Tier 4 (the crown jewel sig), AND throughout your entire attack you trip zero canaries, cause zero merkle drift across peers, raise zero quarantine alerts. Verified by clean audit DAG at season end. The audit chain is tamper-evident — you can't quietly remove your trace, only avoid leaving one.

You may not know whether a canary fired. We won't tell you mid-season. That's part of the design — half the difficulty is knowing whether your reconnaissance was loud.

Can you publish the source?

Not yet. The challenge is glass-box: you get the rules, the threat model, the protocol, the canonical-bytes formula, the audit-DAG schema. Source release is a decision we want to take deliberately, not by accident at launch. Ask again next season.

How is this different from a normal CTF?

Normal CTFs are puzzle-shaped: someone hid a flag, you find it, you're done. This is production-shaped: real services, real defences, real cross-node traffic, real OPSEC. The crown jewel isn't a flag-in-a-file — it's a cryptographic capability that requires you to compromise multiple independent parts of the system simultaneously, while the system actively notices.

What does the daily snark message mean?

Counter on the landing page. Different message at different milestones. Pure flavour. If it ever says something genuinely useful, that's an accident.

What if I find a vulnerability in one of the providers?

Out of scope for this challenge, but please tell us via PGP-signed email — we'll forward to the provider with credit to you. We have no authority to grant safe harbour for anything outside the published scope.

Why are you doing this?

Because we'd rather find the holes ourselves — with the help of people who actually know what they're doing — than ship a system that quietly fails the moment it matters. The infosec community is the right reviewer for this work, and the most honest signal is "did anyone break it."

What if nobody breaks it?

The season ends green at day 90. We run a fresh DKG, post a quarterly review, and start the next season. Repeat. We are patient. Bills are cheap.

What if the cluster goes down without anyone winning?

You'll see it on the status dashboard — one or more nodes go red. We'll write a saga explaining what happened. Operator availability outages don't count as wins — see the rules. The wolves are out there but the gate is supposed to hold even when we're not watching.

I just want to play. Where do I start?

Three honest paths:

1. Look first. Hit https://edge-fr.hyveguard.com/hyveguard/challenge (or any edge). That JSON is the entire public attack surface plus the canonical bytes you'd need to forge a signature against. Read the rules. Read this FAQ. Notice what's not there.
2. Probe carefully. Submission endpoints are rate-limited. Probes get logged. Don't be the person who burns their reputation in the first hour.
3. Pick a tier. Foothold is the easiest entry; Crown Jewel is the headline; Einherjar is the prize-without-a-prize. Anything between counts.