Luca Dolfi, Tommaso Gagliardoni, Maxime Buser, PhD - Hacking of Crypto Wallets and Advanced Cryptography - $2,000

**Luca Dolfi** is a security engineer at Kudelski Security, with a focus on conducting secure code reviews for cryptographic libraries and smart contracts. In the past two years in Kudelski Security he acquired expertise in reviews of crypto wallets, where he evaluated implementations of threshold signature schemes for many Web3 entities, such as crypto.com, Torus Labs and Aleph Zero. He optained his MSc in Computer Science with focus on information security at ETH Zurich; his academic work on privacy-preserving technologies has been published in the USENIX Security Symposium.

 **Tommaso "tomgag" Gagliardoni, PhD** is tech leader for the initiatives in advanced cryptography services and quantum security at Kudelski Security. He published peer-reviewed papers in the areas of cryptography, quantum computing, security, and privacy, and spoke at conferences such as CRYPTO, EUROCRYPT, ASIACRYPT, DEF CON Demolabs and Black Hat Europe. As a subject expert on quantum security, he serves in the program committee of academic conferences such as PQCRYPTO and ACNS, and collaborates with the World Economic Forum and official agencies in the context of international agreements. Expert in blockchain and DeFi technologies, Tommaso has performed cryptographic code audits for clients such as Binance, Coinbase, and ZenGo. He also has a background in privacy hacktivism, investigative journalism, and ethical hacking, speaking at venues such as the International Journalism Festival, and designing the open source disk privacy tool Shufflecake.

Maxime Buser, PhD An alumnus of EPFL, Maxime Buser graduated in Communication Systems, specializing in Information Security. He furthered his academic journey with a PhD in cryptography from Monash University, Melbourne. With a rich research background that spans NEC Laboratories Europe, Microsoft Research India, and Monash University, he joined Kudelski Security in June 2022 as a security engineer and consultant. Part of the Application Security team, his expertise is in conducting code reviews for smart contracts and cryptographic implementations. Additionally, Maxime operates as the technical leader for projects involving the Aleph Zero blockchain and is an active member of the Quantum Security Service at Kudelski Security.


Trainer social media links:

https://ch.linkedin.com/in/luca-dolfi

https://ch.linkedin.com/in/tommasogagliardoni

https://www.linkedin.com/in/maxime-buser-4b6a53140/

https://infosec.exchange/@tomgag


 

Full description of the training:

 This training offers an immersive dive into secure code review practices tailored for cryptographic libraries, Web3 projects, and crypto wallets. Participants will explore the intricacies of advanced cryptography, learning to identify vulnerabilities and implement robust security measures. Through hands-on exercises and real-world examples, attendees will gain practical skills to fortify cryptographic implementations and safeguard digital assets in the dynamic realm of Web3 and blockchain technologies.


Day 1 navigates through the intricate realm of advanced cryptography, from understanding the foundational aspects of crypto wallets to mastering secure key management. Participants investigate the complexities of threshold cryptography, exploring advanced concepts like Threshold ECDSA and Schnorr. They'll also hone their skills in identifying vulnerabilities within threshold signatures' implementations through practical in-class exercises and take-home micro-audits.


In Day 2, we'll explore advanced cryptography more in depth, focusing on analyzing attacks on protocols and side-channel vulnerabilities. We'll also discuss risks such as replay and raw signing, along with challenges posed by broadcast messaging in the real world. Participants will also collaborate to present and discuss the findings of the micro-audit started on Day 1, providing valuable hands-on experience in examining an advanced crypto library.

 
By the conclusion of the training, participants will emerge equipped not only with a comprehensive understanding but also actionable skills to fortify crypto wallets effectively. With confidence and readiness, they'll navigate the evolving landscape of Web3, ensuring the safety and security of digital assets.

 Short description of what the student will know how to do, after completing the class:

- Possess a comprehensive understanding of advanced cryptographic schemes commonly used in MPC and crypto wallets.

- Demonstrate proficiency in identifying and addressing vulnerabilities in cryptographic code.

- Be equipped with practical strategies to enhance the security posture of cryptographic implementations.

- Gain insights into emerging trends and best practices in secure code review within the context of Web3 and blockchain technologies.


Outline of the class:

**Day 1**

- Introduction

  - Motivation: _Here be dragons_ going in production with brand-new/experimental cryptography

- Intro to crypto wallets

- Managing Key material

  - threats

  - best practices

  - motivation for MPC and threshold schemes

- `coffee break`

- Threshold cryptography overview

  - Threshold ECDSA

  - Threshold Schnorr

- `Lunch`

- Refreshing and Resharing Keys

- Cryptographic vulnerabilities in threshold signatures

  - emphasis on *code* vulnerabilities and not *protocol* vulnerabilities

- `coffee break`

- In-class exercise:

  - mini challenges from CTF

  - (Group) micro-audit of crypto libraries

    - 3h micro-audit supervisioned of selected library or wallet

    - focus on identifying vulnerabilities discussed after lunch

 

**Day 2**

 
- Out-of-model-threats

- Attacks on the protocols

  - analysis of forget-and-forgive, golden shoe, alpha rays, ...

- `coffee break`

- Replay risks and raw signing

  - oracle attacks

  - hands-on exploration of potential vulnerabilities

- `Lunch`

- (Not) Implementing Broadcast messaging

- Review and discussion of findings and results from Day1 micro-audit

- `break`

- Key takeaways

  - summary of learning

- conclusion

- Q&A and discussion



Technical difficulty of the class:

Intermediate

Suggested prerequisites for the class:

 - Basic Knowledge of cryptography

Items students will need to provide:

 laptop

DATE: August 12th-13th, 2024

TIME: 8am to 5pm PDT

VENUE: Sahara Las Vegas

TRAINER: Luca Dolfi, Tommaso Gagliardoni, Adina Nedelcu

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st, the processing fee is $250.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.