So my cube-key will look to anybody else as a regular scrambled cube. If my kid finds it and solves it, I'm kind of doomed, right? So what's the plan, I'm supposed to remember the state of the cube?

A admit I'm dumb and lazy - I didn't read the paper, maybe it's covered there - but this sounds quite vulnerable to dictionary attacks, like those phone unlock paass where everybody puts a Z, the cube-keys will mostly be "Solved with red/yellow middles swapped"

It's a novelty. Something more tuned for a scene in a movie than providing security for an individual.

But, the way I see it, you have the traditionally "solved" state cube on your desk(all faces complete), and when you want to use it as a key you "solve" the cube to the state that represents your key.

With a rubiks cube this means you only need to remember the steps of the algorithm that leads you to your key state.

It would be interesting if I could take your scrambled cube add my message, scramble it, and then tell you a way to descramble it only on the original unscrambled cube.

Cool demo, but this is only log2(43 quintillions) = 65 bit security.

Kind of related is DiceKeys, with 192 bit security: https://www.crowdsupply.com/dicekeys/dicekeys

Yeah, this explains why this cryptography paper was published in a ML conference. Any reasonable reviewer would reject this as not providing sufficient security.

It's pretty upfront about being a novelty project done by a self-described non-crypto expert, and I don't see any assertions of it guaranteeing any degree of sufficiency/security or claiming any such NextBigThing(TM) hype.

Just because a paper is published doesn't mean it wasn't done for fun/the hell of it.

Yeah this is bang on. I messaged my old supervisor from uni about turning CubeAuthn into a paper and she suggested I submit the paper to that conf.

This is a great example of the "I wonder if I could"-kind of research. It doesn't have to be practical. I doubt the authors intend it as a viable security product. It is the kind of "just playing around" thinking that can sometimes lead to brilliant insights. Keep up the good work.

Thanks!

If you add orientation arrows to the center squares, you can add a couple of bits to the strength.

There are multiple ways to solve the cube, if orientation of the center pieces is made visible and significant.

Awesome! https://news.ycombinator.com/item?id=44768459

Couldn't you "just" use a webcam to scan any particular cube? Seems like you could "easily" detect when you've seen all 6 unique faces and there should be libraries around that will read cubes.

Thanks! You absolutely could just use the webcam and identify the faces on the cube - I just thought my bluetooth cube would be cooler to integrate but there's not much stopping me from adding that in. I had the cube for a little while but I struggled to decode the messages for a long time, so I made a little npm package based off of the work from CsTimer. Here's the package: https://www.npmjs.com/package/gan-i3-356-bluetooth

There's a bunch of libraries and some webapps: https://rubiks-app-psi.vercel.app/

We've already established that pattern based passcodes are terrible for security. I expect this to be worse than patterns because people can not easily remember or know how to fix mistakes which will result in most people picking simple ones.

Why leave the paper out of the git repo?

If you are the author could you link to a copy of the paper?

I've signed over the copyright to IEEE so I think I've got to ask them before I put it there - that is a great point though, I'll see if I can drop it in there.

Is that how they do it, rather than you assigning rights to make copies, while retaining your own copyright?