My first paper: A practical implementation of Rubiks cube based passkeys
42 points
1 day ago
| 7 comments
| ieeexplore.ieee.org
| HN
I'm not super experienced with cryptography but I had some spare time on my hands so I decided to make CubeAuthn and turn it into a paper.

Repo here: https://github.com/Acorn221/CubeAuthn. Feel free to ask questions!

---

Abstract:

We present a novel authentication system that transforms a Rubik's cube into a physical key for digital authentication. By reading the cube's specific arrangement among 43 quintillion possible configurations, our system generates FIDO2-compatible credentials on-demand. Unlike traditional security tokens that store credentials, the cube itself becomes part of the key with its physical state forming a deterministic seed for keypair generation. Our proof-of-concept, CubeAuthn, demonstrates this concept with a browser extension that authenticates users on WebAuthn-enabled sites using the cube's physical state as the cryptographic seed.

elbci
1 day ago
[-]
So my cube-key will look to anybody else as a regular scrambled cube. If my kid finds it and solves it, I'm kind of doomed, right? So what's the plan, I'm supposed to remember the state of the cube?

A admit I'm dumb and lazy - I didn't read the paper, maybe it's covered there - but this sounds quite vulnerable to dictionary attacks, like those phone unlock paass where everybody puts a Z, the cube-keys will mostly be "Solved with red/yellow middles swapped"

reply
midldei
1 day ago
[-]
It's a novelty. Something more tuned for a scene in a movie than providing security for an individual.

But, the way I see it, you have the traditionally "solved" state cube on your desk(all faces complete), and when you want to use it as a key you "solve" the cube to the state that represents your key.

With a rubiks cube this means you only need to remember the steps of the algorithm that leads you to your key state.

reply
avadodin
1 day ago
[-]
It would be interesting if I could take your scrambled cube add my message, scramble it, and then tell you a way to descramble it only on the original unscrambled cube.
reply
nritchie
1 day ago
[-]
This is a great example of the "I wonder if I could"-kind of research. It doesn't have to be practical. I doubt the authors intend it as a viable security product. It is the kind of "just playing around" thinking that can sometimes lead to brilliant insights. Keep up the good work.
reply
acorn221
16 hours ago
[-]
Thanks!
reply
ecesena
1 day ago
[-]
Cool demo, but this is only log2(43 quintillions) = 65 bit security.

Kind of related is DiceKeys, with 192 bit security: https://www.crowdsupply.com/dicekeys/dicekeys

reply
warkdarrior
1 day ago
[-]
Yeah, this explains why this cryptography paper was published in a ML conference. Any reasonable reviewer would reject this as not providing sufficient security.
reply
0manrho
23 hours ago
[-]
It's pretty upfront about being a novelty project done by a self-described non-crypto expert, and I don't see any assertions of it guaranteeing any degree of sufficiency/security or claiming any such NextBigThing(TM) hype.

Just because a paper is published doesn't mean it wasn't done for fun/the hell of it.

reply
acorn221
13 hours ago
[-]
Yeah this is bang on. I messaged my old supervisor from uni about turning CubeAuthn into a paper and she suggested I submit the paper to that conf.
reply
kazinator
1 day ago
[-]
If you add orientation arrows to the center squares, you can add a couple of bits to the strength.

There are multiple ways to solve the cube, if orientation of the center pieces is made visible and significant.

reply
ramses0
1 day ago
[-]
Awesome! https://news.ycombinator.com/item?id=44768459

Couldn't you "just" use a webcam to scan any particular cube? Seems like you could "easily" detect when you've seen all 6 unique faces and there should be libraries around that will read cubes.

reply
acorn221
1 day ago
[-]
Thanks! You absolutely could just use the webcam and identify the faces on the cube - I just thought my bluetooth cube would be cooler to integrate but there's not much stopping me from adding that in. I had the cube for a little while but I struggled to decode the messages for a long time, so I made a little npm package based off of the work from CsTimer. Here's the package: https://www.npmjs.com/package/gan-i3-356-bluetooth
reply
ramses0
1 day ago
[-]
There's a bunch of libraries and some webapps: https://rubiks-app-psi.vercel.app/
reply
charcircuit
1 day ago
[-]
We've already established that pattern based passcodes are terrible for security. I expect this to be worse than patterns because people can not easily remember or know how to fix mistakes which will result in most people picking simple ones.
reply
midldei
1 day ago
[-]
Why leave the paper out of the git repo?

If you are the author could you link to a copy of the paper?

reply
acorn221
1 day ago
[-]
I've signed over the copyright to IEEE so I think I've got to ask them before I put it there - that is a great point though, I'll see if I can drop it in there.
reply