📍 Luxembourg

Matteo Steinbach

Cryptography Researcher & Cybersecurity Engineer

Specializing in Post-Quantum Cryptography, constrained device optimization, and secure communication systems.

tomato.74

# About

I currently work as a Cryptography R&D Engineer contributing to European research projects on quantum-resistant systems, while collaborating on academic research. My background spans classical and post-quantum cryptography (Kyber, Dilithium) and low-level optimization (C, Assembly, Rust).

Luxembourg Cryptography R&D Embedded Systems

"I want to become a complete cryptographer (cryptologist). I am interested in, and always learning, anything revolving around it. I work on new academic research projects involving key combinations, cryptanalysis and computer-verified cryptography, and I am looking forward to exploring more."

— Research Philosophy

Highlights

  • Cryptography R&D Engineer at Integrasys SA
  • BSc Computer Science, University of Luxembourg (Very Good)
  • Post-Quantum Cryptography (Hash-based, Lattice-based, Code-based)
  • Constrained device optimization

# Research & Publications

My research revolves around building safe and secure cryptographic systems. I have so far published 2 papers on Hard-to-Find Bugs (HFBs) — vulnerabilities that only manifest under rare conditions and evade conventional testing.

2025 DCS and SnT, University of Luxembourg

Hard-to-Find Bugs in a Post-Quantum Age

Matteo Steinbach, Peter B. Rønne, Johann Großschädl

Abstract

The transition to Post-Quantum Cryptography (PQC) introduces a new class of 'Hard-to-Find Bugs' (HFBs) that differ fundamentally from classical cryptography. While classical bugs often involve carry propagation, PQC bugs are dominated by timing side-channels in polynomial arithmetic (e.g., NTT reductions in Kyber) and floating-point precision divergences (e.g., in Falcon signatures).

Key Technical Contributions

  • Created a systematic taxonomy of PQC-specific vulnerabilities, analyzing Lattice-based (Kyber, Dilithium), Code-based (HQC), and Hash-based schemes
  • Documented 15+ vulnerabilities in major open-source PQC implementations, including floating-point inconsistencies in Falcon that allow signature mutation
  • Developed wycheproof-pqc, an extension of Google's Wycheproof framework that uses targeted Known Answer Tests (KATs) to detect these elusive bugs

Research Artifacts

Post-Quantum Cryptography Vulnerability Research Kyber Dilithium Falcon

2025 University of Luxembourg

Hard-to-Find Bugs in Public-Key Cryptographic Software: Classification and Test Methodologies

Matteo Steinbach, Johann Großschädl, Peter B. Rønne

Abstract

A comprehensive study of implementation flaws in public-key cryptosystems (RSA, ECC) that manifest only under extremely rare input conditions. The paper defines 'Hard-to-Find Bugs' (HFBs) and analyzes why conventional testing fails to detect them, citing historical examples like the Sony PS3 ECDSA hack.

Key Technical Contributions

  • Compiled a dataset of 53+ real-world HFBs from libraries like OpenSSL, categorized into Carry Propagation, State Mismanagement, and Timing Attacks
  • Evaluated Differential Testing, Static Analysis, and Fuzzing, proposing a 3-layered testing framework
  • Developed wycheproof-c, a C port of the Wycheproof test suite to facilitate testing of C-based cryptographic libraries on embedded devices

Research Artifacts

RSA ECC OpenSSL Vulnerability Research Testing Methodology

# What I Read

A curated collection of cryptographic papers, specifications, and foundational texts that inform my research. You can see the papers I read and plan to read, starting from November 2025. It's not meant to be perfect, doesn't include everything, and isn't fully up to date, but it will get better with time.

View Full Reading List (PDF)

Last updated: Jan, 2026

Featured Topics

  • The 'Muckle' Family: Frameworks for Quantum-Secure Hybrid Key Exchange (HAKE)
  • CryptAttackTester (CAT): High-Assurance Quantitative Analysis of Attack Costs
  • SoK: Computer-Aided Cryptography & Formal Verification Tools
  • Hardware Backdoors in CRYSTALS-Kyber: Kleptography in PQC Hardware

# Projects

Open-source tools and applications spanning security, cryptography, and systems programming.

Systems

Rust Google OAuth2

Secure-ish Google OAuth 2.0 implementation in Rust using Warp, PKCE, JWT validation, and Askama templating. Built by a mid-level Rustacean for fun (and learning).

Rust OAuth2 PKCE JWT Warp Askama

Other

Multi-Agent Resume Assistant

AI tool designed to help users create tailored resumes and cover letters based on job descriptions and personal skills, using a multi-agent generative approach.

Python AI Multi-Agent NLP

Cryptography

RSA Personal Implementations

Secure RSA in C using OpenSSL with SHA-256, RSA-PSS, and OAEP. Still low-level, now with way fewer regrets. 🚀🔐

C OpenSSL RSA-PSS RSA-OAEP SHA-256

Security

PyNetPwn

Python-based automated network penetration testing tool featuring comprehensive scanning modules, vulnerability detection, and detailed reporting capabilities.

Python Scapy Nmap SQLite Jinja2

Let's Work Together

Interested in collaboration, research opportunities, or just want to discuss cryptography? I'd love to hear from you.

Signal: tomato.74 (preferred)