My first paper: A practical implementation of Rubiks cube based passkeys (ieeexplore.ieee.org)

55 points by acorn221 ↗ HN
I'm not super experienced with cryptography but I had some spare time on my hands so I decided to make CubeAuthn and turn it into a paper.

Repo here: https://github.com/Acorn221/CubeAuthn. Feel free to ask questions!

---

Abstract:

We present a novel authentication system that transforms a Rubik's cube into a physical key for digital authentication. By reading the cube's specific arrangement among 43 quintillion possible configurations, our system generates FIDO2-compatible credentials on-demand. Unlike traditional security tokens that store credentials, the cube itself becomes part of the key with its physical state forming a deterministic seed for keypair generation. Our proof-of-concept, CubeAuthn, demonstrates this concept with a browser extension that authenticates users on WebAuthn-enabled sites using the cube's physical state as the cryptographic seed.

11 comments

[ 3.4 ms ] story [ 27.4 ms ] thread
(comment deleted)
Why leave the paper out of the git repo?

If you are the author could you link to a copy of the paper?

So my cube-key will look to anybody else as a regular scrambled cube. If my kid finds it and solves it, I'm kind of doomed, right? So what's the plan, I'm supposed to remember the state of the cube?

A admit I'm dumb and lazy - I didn't read the paper, maybe it's covered there - but this sounds quite vulnerable to dictionary attacks, like those phone unlock paass where everybody puts a Z, the cube-keys will mostly be "Solved with red/yellow middles swapped"

Cool demo, but this is only log2(43 quintillions) = 65 bit security.

Kind of related is DiceKeys, with 192 bit security: https://www.crowdsupply.com/dicekeys/dicekeys

192 bits?

I must be missing something here, there are 25 unique dice that can be permuted, each can have six potential sides showing, and 4 potential orientations of the displayed face... So (25!)×(25×6×4) ? Isn't that more like only 93 bits?

Well obviously harder to scan from a phone, I think a deck of playing cards would be easier to acquire and store. Shuffling 27 would give you 93 bits, shuffling the full 52 would be ~226.

It’s explained in the link. I actually misremembered, it’s 196 bits.
We've already established that pattern based passcodes are terrible for security. I expect this to be worse than patterns because people can not easily remember or know how to fix mistakes which will result in most people picking simple ones.
This is a great example of the "I wonder if I could"-kind of research. It doesn't have to be practical. I doubt the authors intend it as a viable security product. It is the kind of "just playing around" thinking that can sometimes lead to brilliant insights. Keep up the good work.
If you add orientation arrows to the center squares, you can add a couple of bits to the strength.

There are multiple ways to solve the cube, if orientation of the center pieces is made visible and significant.