My first paper: A practical implementation of Rubiks cube based passkeys

https://ieeexplore.ieee.org/document/11280260

55•acorn221•1mo ago

I'm not super experienced with cryptography but I had some spare time on my hands so I decided to make CubeAuthn and turn it into a paper.

Repo here: https://github.com/Acorn221/CubeAuthn. Feel free to ask questions!

---

Abstract:

We present a novel authentication system that transforms a Rubik's cube into a physical key for digital authentication. By reading the cube's specific arrangement among 43 quintillion possible configurations, our system generates FIDO2-compatible credentials on-demand. Unlike traditional security tokens that store credentials, the cube itself becomes part of the key with its physical state forming a deterministic seed for keypair generation. Our proof-of-concept, CubeAuthn, demonstrates this concept with a browser extension that authenticates users on WebAuthn-enabled sites using the cube's physical state as the cryptographic seed.

Comments

ramses0•1mo ago

Awesome! https://news.ycombinator.com/item?id=44768459

Couldn't you "just" use a webcam to scan any particular cube? Seems like you could "easily" detect when you've seen all 6 unique faces and there should be libraries around that will read cubes.

acorn221•1mo ago

Thanks! You absolutely could just use the webcam and identify the faces on the cube - I just thought my bluetooth cube would be cooler to integrate but there's not much stopping me from adding that in. I had the cube for a little while but I struggled to decode the messages for a long time, so I made a little npm package based off of the work from CsTimer. Here's the package: https://www.npmjs.com/package/gan-i3-356-bluetooth

ramses0•1mo ago

There's a bunch of libraries and some webapps: https://rubiks-app-psi.vercel.app/

midldei•1mo ago

Why leave the paper out of the git repo?

If you are the author could you link to a copy of the paper?

acorn221•1mo ago

I've signed over the copyright to IEEE so I think I've got to ask them before I put it there - that is a great point though, I'll see if I can drop it in there.

Terretta•4w ago

Is that how they do it, rather than you assigning rights to make copies, while retaining your own copyright?

wizzwizz4•3w ago

The usual way this works is, you retain rights to the preprint. That's what preprint repositories like https://arxiv.org/ are for. Talk to your advisor, if you have one; if not, the folk over at Academia Stack Exchange are probably familiar with the exact rules of that IEEE journal.

elbci•1mo ago

So my cube-key will look to anybody else as a regular scrambled cube. If my kid finds it and solves it, I'm kind of doomed, right? So what's the plan, I'm supposed to remember the state of the cube?

A admit I'm dumb and lazy - I didn't read the paper, maybe it's covered there - but this sounds quite vulnerable to dictionary attacks, like those phone unlock paass where everybody puts a Z, the cube-keys will mostly be "Solved with red/yellow middles swapped"

midldei•1mo ago

It's a novelty. Something more tuned for a scene in a movie than providing security for an individual.

But, the way I see it, you have the traditionally "solved" state cube on your desk(all faces complete), and when you want to use it as a key you "solve" the cube to the state that represents your key.

With a rubiks cube this means you only need to remember the steps of the algorithm that leads you to your key state.

avadodin•1mo ago

It would be interesting if I could take your scrambled cube add my message, scramble it, and then tell you a way to descramble it only on the original unscrambled cube.

ecesena•1mo ago

Cool demo, but this is only log2(43 quintillions) = 65 bit security.

Kind of related is DiceKeys, with 192 bit security: https://www.crowdsupply.com/dicekeys/dicekeys

warkdarrior•1mo ago

Yeah, this explains why this cryptography paper was published in a ML conference. Any reasonable reviewer would reject this as not providing sufficient security.

0manrho•1mo ago

It's pretty upfront about being a novelty project done by a self-described non-crypto expert, and I don't see any assertions of it guaranteeing any degree of sufficiency/security or claiming any such NextBigThing(TM) hype.

Just because a paper is published doesn't mean it wasn't done for fun/the hell of it.

acorn221•4w ago

Yeah this is bang on. I messaged my old supervisor from uni about turning CubeAuthn into a paper and she suggested I submit the paper to that conf.

Terr_•3w ago

192 bits?

I must be missing something here, there are 25 unique dice that can be permuted, each can have six potential sides showing, and 4 potential orientations of the displayed face... So (25!)×(25×6×4) ? Isn't that more like only 93 bits?

Well obviously harder to scan from a phone, I think a deck of playing cards would be easier to acquire and store. Shuffling 27 would give you 93 bits, shuffling the full 52 would be ~226.

ecesena•3w ago

It’s explained in the link. I actually misremembered, it’s 196 bits.

Terr_•3w ago

Never mind, with the benefit if sleep I see an error in my math.

Still, I wonder if a similar thing could be done by shuffling a deck of cards, and then riffling the results past a good camera so that an app can recognize the sequence in order. Perhaps it would be vulnerable to common shuffling mistakes?

charcircuit•1mo ago

We've already established that pattern based passcodes are terrible for security. I expect this to be worse than patterns because people can not easily remember or know how to fix mistakes which will result in most people picking simple ones.

nritchie•1mo ago

This is a great example of the "I wonder if I could"-kind of research. It doesn't have to be practical. I doubt the authors intend it as a viable security product. It is the kind of "just playing around" thinking that can sometimes lead to brilliant insights. Keep up the good work.

acorn221•4w ago

Thanks!

kazinator•1mo ago

If you add orientation arrows to the center squares, you can add a couple of bits to the strength.

There are multiple ways to solve the cube, if orientation of the center pieces is made visible and significant.

cat-whisperer•3w ago

this sounds cool!

Tiny Clippy – A native Office Assistant built in Rust and egui

LegalArgumentException: From Courtrooms to Clojure – Sen [video]

US moves to deport 5-year-old detained in Minnesota

If you lose your passport in Austria, head for McDonald's Golden Arches

Show HN: Mermaid Formatter – CLI and library to auto-format Mermaid diagrams

RFCs vs. READMEs: The Evolution of Protocols

Kanchipuram Saris and Thinking Machines

Chinese chemical supplier causes global baby formula recall

I've used AI to write 100% of my code for a year as an engineer

Looking for 4 Autistic Co-Founders for AI Startup (Equity-Based)

AI-native capabilities, a new API Catalog, and updated plans and pricing

What changed in tech from 2010 to 2020?

From Human Ergonomics to Agent Ergonomics

Advanced Inertial Reference Sphere

Toyota Developing a Console-Grade, Open-Source Game Engine with Flutter and Dart

Typing for Love or Money: The Hidden Labor Behind Modern Literary Masterpieces

Show HN: A longitudinal health record built from fragmented medical data

CoreWeave's $30B Bet on GPU Market Infrastructure

Creating and Hosting a Static Website on Cloudflare for Free

"The Stanford scam proves America is becoming a nation of grifters"

Elon Musk on Space GPUs, AI, Optimus, and His Manufacturing Method

X (Twitter) is back with a new X API Pay-Per-Use model

Zlob.h 100% POSIX and glibc compatible globbing lib that is faste and better

Show HN: Deterministic signal triangulation using a fixed .72% variance constant

Scientists Discover Levitating Time Crystals You Can Hold, Defy Newton’s 3rd Law

When Michelangelo Met Titian

Solving NYT Pips with DLX

Baldur's Gate to be turned into TV series – without the game's developers

Interview with 'Just use a VPS' bro (OpenClaw version) [video]

EchoJEPA: Latent Predictive Foundation Model for Echocardiography