WCCA+CTF Info Page

The Workshop on Cryptographic Code Audit and Capture The Flag (WCCA+CTF) is an affiliated event to EUROCRYPT 2024, and will be held at ETH Zurich, Switzerland, on 2024-05-26 (May 26th, 2024, for those unfamiliar with ISO-8601).

This page contains information about the workshop, schedule, and registration procedure. It will be updated as additional information becomes available.

Description of the Event

The rapidly evolving landscape of cryptography introduces growing complexities which make secure code implementation very challenging. This is especially problematic in the fast-moving Web3 world, where bleeding-edge cryptographic schemes are deployed to protect large amounts of funds, but also in privacy-sensitive applications and secure communications. In this context, not only does understanding cryptographic theory matter, but so does the effective implementation and auditing of cryptographic code.

This one-day workshop, uniquely situated at the intersection of theoretical and applied cryptography, aims to provide an immersive learning experience in cryptographic code auditing informed by real-world examples. It targets professionals and researchers looking to deepen their understanding and sharpen their skills in secure cryptographic code auditing.

Format

The day will start with a series of lectures by seasoned experts on various topics of the art of cryptographic code audit, starting from the very philosophical ones (the “why” and “how” of crypto code audits), to business and organizational considerations (how to do code audits in practice, as a contractor or within an org), to the more technical ones (where to look and how to identify vulnerabilities in cryptographic code, including hash functions, block ciphers, randomness, zero-knowledge protocols, and multi-party computation schemes). The lectures will be enriched with case studies from past cryptographic audits conducted by our company for high-profile clients.

In the afternoon, attendees will put their learning to the test in an engaging Capture The Flag (CTF) challenge. Participants will split into teams and strive to identify vulnerabilities in flawed code snippets provided by the organizers, submitting their findings via an online portal.

The event will conclude with a brief discussion on some of the solutions, and winning teams will be announced and awarded at the conference’s rump session.

Organizers and Speakers

Luca Dolfi is a security engineer at Kudelski Security, with a specialization in secure code reviews for cryptographic libraries and smart contracts. In the past two years he has worked on secure code reviews of many crypto wallets, where he evaluated implementations of threshold signature schemes for an array of Web3 entities, such as crypto.com, Torus Labs and Aleph Zero. He obtained his MSc in Computer Science with a focus on information security at ETH Zurich; his academic work on privacy-preserving technologies has been published at the USENIX Security Symposium.

Tommaso Gagliardoni is tech leader for the initiatives in advanced cryptography services and quantum security at Kudelski Security. He has published peer-reviewed papers in the areas of cryptography, quantum computing, security, and privacy, and has spoken at conferences such as CRYPTO, EUROCRYPT, ASIACRYPT, DEF CON Demolabs and Black Hat Europe. As a subject expert on quantum security, he serves on the program committees of academic conferences such as PQCRYPTO and ACNS, and collaborates with the World Economic Forum and official agencies in the context of international agreements. An expert in blockchain and DeFi technologies, Tommaso has performed cryptographic code audits for clients such as Binance, Coinbase, and ZenGo. He also has a background in privacy hacktivism, investigative journalism, and ethical hacking, speaking at venues such as the International Journalism Festival, and designing the open source disk privacy tool Shufflecake.

Marco Macchetti is principal cryptographer at Kudelski Security. He has more than 20 years of experience in various applied cryptography topics, including more than 30 patents, with a focus on hardware implementations of cryptographic schemes and ECDSA signatures in particular. He discovered the Polynonce attack on weak randomness for ECDSA, and he co-presented a talk on real-world Polynonce attacks at DEF CON. He has performed cryptographic code audits for clients such as AMIS and Coinbase.

Sylvain Pelissier is a cryptography expert in the Research Team at Kudelski Security, with a focus on hardware attacks and vulnerability research. Sylvain has worked on the security of cryptographic implementations on different platforms, as well as on critical code security audits. He has previously spoken at FDTC, CCC, Hardwear.io, Insomni’hack, NorthSec and SSTIC on topics including public- and symmetric-key vulnerabilities, elliptic curves, and reverse engineering. In particular, he reverse-engineered a widespread file encryption solution, introduced the first practical fault attack against the EdDSA signature algorithm, and published a proof of concept of the CurveBall vulnerability. He likes playing and organizing CTFs, and is the main admin of the workshop’s CTF portal.

Program of the Workshop

Sunday, 2024-05-26

  • 8:30 Registration opens.
  • 9:00 Tommaso Gagliardoni: Introduction to crypto code audits: the why’s and how’s.
  • 9:30 Marco Macchetti: Cryptographic vulnerabilities 1/5.
  • 10:00 Luca Dolfi: Cryptographic vulnerabilities 2/5.
  • 10:30 Coffee break.
  • 11:00 Tommaso Gagliardoni: Cryptographic vulnerabilities 3/5.
  • 11:30 Marco Macchetti: Cryptographic vulnerabilities 4/5.
  • 12:00 Luca Dolfi: Cryptographic vulnerabilities 5/5.
  • 12:30 Lunch.
  • 13:30 CTF registration and tutorial. Be on time here!
  • 14:00 CTF portal opens, competition starts.
  • 15:00 Optional coffee break.
  • 17:00 End of the day, leave the room please.

Monday, 2024-05-27

  • 14:00 (tentative) CTF portal closes.

Wednesday, 2024-05-29 (tentative)

  • 21:30 (tentative) Announcing winners and awards during rump session.

The CTF (Capture-The-Flag)

A CTF (“Capture The Flag”) is a type of contest, very popular among hacking communities and events. Usually, people participate in teams, and the goal is to solve as many challenges as possible within the given time by submitting the right “flag” into an interactive portal, where team scores are usually updated in real time on a public scoreboard. The flag, to be entered into an input box, is usually a secret string which can only be found by solving the given challenge, for example by exploiting a purposely vulnerable service and stealing some credentials, or by hacking some website specified in the challenge. All these vulnerable services and websites are set up by the CTF organizers with the sole purpose of being hacked, but the way to do it is not always so easy to find, and that’s where the challenge comes from! Sometimes a hint is given in the description of the challenge, sometimes not, but you’ll know you have found the flag when you see it.

For reasons of inclusivity, and in order to provide a gentle introduction to the neophytes, the CTF will be structured in a slightly non-standard format.

We will begin the afternoon with a tutorial to help participants register their teams (if they haven’t done so already) and get comfortable with the web portal.

Note that teams must be validated in person by bringing your Eurocrypt badge and confirming your username during the CTF tutorial in this time slot. Time enforcement will be strict. No-shows can still play the CTF privately, but their scores will not be considered and their participation in the event will not be recorded.

Then we will go through one or two example challenges, showing how to interpret the challenge, gather information, devise and execute an attack, and extract the flag.

After that, the real competition portal will open, and teams will be free to solve as many challenges as possible. Staying in the room is not mandatory for this phase, i.e. you can leave and go home / to your hotel to solve the challenges, but we will be available for in-person clarifications where necessary.

Some challenges will be very easy, others very hard, in order to provide all participants with a satisfactory level of engagement. It is not necessary to complete challenges in a given order, but after completing a challenge you will be offered a suggested “next” one that we think follows in terms of difficulty.

Some challenges will be in a standard CTF style, i.e. you’ll need to hack through a service or website (for which you’ll be provided the relevant source code or configuration data), then extract and submit the flag. Other challenges will be of a more “theoretical” nature: you will be given source code to audit, and will be asked to enter your observations and vulnerability findings as a short (few sentences) report in a text window.

Team scores will not be shown in real-time. From the moment the competition starts you will be given 24 hours to solve all the challenges, then the portal will close. The winners will be announced and awarded during the Eurocrypt rump session!

Registration and Prerequisites

In order to register, select WCCA+CTF under “affiliated events” when registering for Eurocrypt 2024.

Prerequisites for the workshop itself are a high-level familiarity with programming languages such as C, Python, Go, or Rust, and a general knowledge of cryptographic concepts, which can be taken for granted for any Eurocrypt participant.

For the CTF, a personal laptop with a WiFi connection and a modern, JavaScript-capable browser are required. You will also need to provide an email address for the registration; it can be different from the one you used to register for Eurocrypt if you want, and it will only be used to send announcements and notifications from the CTF portal. We do not keep this information longer than necessary: it will be deleted after the end of the CTF.

A full development stack or IDE is not strictly necessary, but it might be helpful, e.g., to run automated scripts.

It is advised to pre-register your account (and, optionally, your team) on the CTF portal at the following address (the CTF portal is not open yet; please check this page regularly, the link will be posted here when ready).

Date and Location

Sunday 2024-05-26, Zurich, Switzerland.
Main building of ETH (“Hauptgebäude” – HG).
Room D5.2
