Authentication of satellite navigation signals by wiretap coding and artificial noise

Abstract

In order to combat the spoofing of global navigation satellite system (GNSS) signals, we propose a novel signal authentication method based on information-theoretic security. In particular, the satellite superimposes on the navigation signal an authentication signal containing a secret authentication message corrupted by artificial noise (AN). We impose the following properties:

  a) Authentication and navigation signals are synchronous,

  b) Authentication and navigation signals are orthogonal, and

  c) The secret message is undecodable by the attacker due to the AN.

The legitimate receiver synchronizes with the navigation signal and stores the samples of the authentication signal with the same synchronization. After the transmission of the authentication signal, through a separate public asynchronous ground channel (e.g., a secure Internet connection) additional information is made public allowing the receiver to

  a) Decode the authentication message, thus overcoming the effects of AN, and

  b) Verify the authentication message.

We assess the performance of the proposed scheme by the analysis of both the secrecy capacity of the authentication message and the attack success probability under various attack scenarios.

Introduction

Global navigation satellite systems (GNSS) offer positioning and timing services for an increasing variety of applications (e.g., car and ship navigation, but also synchronization of electrical grid stations). GNSS signals are subject to various security attacks, aiming ultimately at disrupting or altering these applications [1]. In this paper, we focus on the spoofing attack, where an attacker (AT) transmits a signal with the purpose of inducing a false specific location estimate to the victim receiver (VR). This attack is active as it requires a transmission by the spoofer.

Positioning is typically obtained by measuring the time of arrival of pilot signals known at the receiver. The AT generates and transmits the pilots with proper delays (with respect to other original or spoofed satellite signals) in order to induce the desired position estimation. Moreover, the spoofer can also transmit an additional signal that destructively interferes with the original satellite signal at the VR.

A first defense against spoofing is its detection at the VR. Examples include the detection of either the residual power (on top of the legitimate signal) [2], or pre- [3] or post-correlation [4] power. Other approaches check the consistency of the arrival directions of satellite signals through multiple antennas [5–7]. Another defense strategy is the modification of current GNSS signals to both ease spoofing detection and make the attack more difficult. An interesting opportunity is the transmission of (partially) unpredictable signals, in what is usually denoted as navigation message authentication (NMA). Implementations of NMA include cryptographic schemes based on either symmetric-key [8, 9] or asymmetric-key [10, 11] encryption. The partial unpredictability of the signal makes the spoofing attack more difficult as the AT cannot simply transmit a delayed version of the legitimate signal. In a more sophisticated attack, the AT eavesdrops on the original satellite signal and then retransmits it (including both pilots and authentication data) in the so-called meaconing attack. Variations of this attack include the partial observation of the satellite signal and the reconstruction of the missing part, exploiting the redundancy provided by either forward error correction (FEC) (forward estimation attack, FEA) [12, 13] or spread spectrum techniques typical of GNSS, thus alternating (within the symbol duration) detection and retransmission (security code estimation and replay, SCER) [14].

In this paper, we propose a solution to make the GNSS system more robust to spoofing by operating at the physical layer and exploiting information theory (IT) results (see [15] for a survey on IT authentication solutions). The idea is that the satellite transmits an unpredictable authentication message synchronously with the navigation message. In order to prevent meaconing attacks, the satellite also transmits artificial noise (AN) superimposed to the authentication message, to be removed at the receiver before authentication verification. Then, after its transmission over the satellite channel, the authentication message and the AN are separately and securely re-broadcast so that the VR can check the presence and correctness of the authentication message in the earlier received signal. This eases the detection of the spoofing attack. The information dissemination can also occur on a separate delay-tolerant but authenticated channel, e.g., over the Internet with cryptographic authentication protocols. In summary, our solution, denoted physical layer authentication (PLA), includes (a) a novel communication architecture to securely share the authentication message and AN with a loose random delay and (b) coding and decoding algorithms for the authentication message, together with a technique to decide about its authenticity.

As for related literature, in [16] AN is also used on top of an authentication tag, however without synchronization requirements and without an architecture for the dissemination of the AN signal and authentication tags. In [17], we proposed to superimpose an AN-corrupted authentication message on the navigation signal, and PLA extends it by including advanced coding and signaling, and analyzing the solution within the framework of wiretap coding.

We show that as the length of the authentication message goes to infinity, we obtain a vanishing probability of success for the spoofing attack. We compute the rate at which the success probability vanishes, under perfect coding and Gaussian signaling. Then, we derive bounds on the success probability when finite-length messages and binary signaling are used. The impact of synchronization errors (due to an ongoing spoofing attack) on the success probability is also considered. For finite-length coding and binary signaling, a predictive attack (similar to meaconing FEA) is analyzed in terms of the probability of passing undetected. By numerical results, we show the effectiveness of the proposed PLA technique against various attacks.

The rest of the paper is organized as follows. Section 2 introduces both the system model and the reference attack strategy. In Section 3, we propose the novel PLA solution, whose correctness and security are analyzed in Section 4. In Section 5, we consider prediction attacks specifically targeting our PLA. The optimization of the transmit power is addressed in Section 6. Numerical results are presented in Section 7 before conclusions are drawn in Section 8.

System model

Figure 1 shows our reference scenario with a satellite, and two earth devices, i.e., a VR and an AT.

Fig. 1. Reference scenario

Satellite communication channel: In the basic existing configuration, the satellite generates a unitary-power real binary pilot signal di with symbol period Ts and spreads it with the real unitary-power spreading pulse

$$ s_{p}(t) \triangleq \sum\limits_{i=0}^{N_{c}-1} c_{i} u(t-iT_{c}), $$
(1)

with chip period Tc=Ts/Nc, spreading sequence \(c_{i}=\pm \frac {1}{\sqrt {N_{c}}} \ i=0, \dots, N_{c}-1 \), and unitary-energy chip pulse u(t). The resulting signal is

$$ p(t) = \sum\limits_{i} d_{i} s_{p}(t-iT_{s}). $$
(2)

In the current GNSS, p(t) is also the baseband-equivalent (pilot component) signal transmitted by the satellite, which we will denote as

$$ s_{\mathrm{A}}(t) = p(t). $$
(3)

In the absence of attacks and considering additive white Gaussian noise (AWGN) channels between all devices, as typically considered in satellite navigation systems, the signal received by the VR is

$$ r_{B}(t) = G_{B} s_{A}(t) + w_{B}(t), $$
(4)

where GB is the channel gain, and wB(t) is the zero-mean AWGN signal with power spectral density \(\sigma _{w_{B}}^{2}\).

Ground channel: In order to implement our PLA scheme, we need a ground channel, i.e., a public authenticated channel over which signals are transmitted by the ground segment, i.e., the navigation control center on the earth that is controlling GNSS. This channel is not necessarily a satellite link, and it is assumed to be of large bandwidth provided for example through an Internet connection. The authentication is ensured by higher layer authentication protocols [18] (such as HTTPS). We assume the AT has no control over the information traveling on the ground channel and, thus, it cannot modify it. Moreover, as no fine time synchronization is available on the ground channel, it is not useful for ranging purposes.

Land satellite model

Channel gain GB can be described by the land mobile satellite link (LMS) according to [19]. A three-state Markov chain (MC) is used to model the slow variations of the line of sight (LOS) due to shadowing and blockage effects while the Loo [20] distribution is used for GB within each state and models shadowing and multipath effects. Therefore, we have

$$ G_{\mathrm{B}} e^{j\theta} = l e^{j\phi_{0}} + g e^{j\phi}, $$
(5)

where GB≥0, l is log-normally distributed, g is Rayleigh distributed, ϕ0 and ϕ are uniformly distributed in the interval [0,2π]. In particular,

$$ G_{\mathrm{B}} = | e^{L} e^{j\phi_{0}} + X + jY |, $$
(6)

where

$$\begin{array}{*{20}l} L &\sim \mathcal{N} \left(\mu, d_{0} \right) \end{array} $$
(7)
$$\begin{array}{*{20}l} X, Y &\sim \mathcal{N} \left(0, b_{0} \right). \end{array} $$
(8)

The parameters μ,d0, and b0 are provided in [19] for different scenarios and for each Markov state. Note that we assume that the channel phase is always compensated at the receiver, thus we obtain the real signal model (4).

Reference attack

The AT’s objective is to forge a navigation signal, send it to the VR, and let it believe it was transmitted by the satellite. We consider in particular here as reference attack a strategy wherein AT transmits an amplified (by factor ζ) and delayed (by delay ΔE) version of p(t), i.e.,

$$ s_{\mathrm{E}}(t) = \zeta p(t - \Delta_{\mathrm{E}}), $$
(9)

where the delay is chosen by AT to induce a desired positioning at the VR. Correspondingly, the signal received by the VR is

$$ r_{B}(t) = G_{B} s_{A}(t)+ G_{\mathrm{E-A}}s_{E}(t)+w_{B}(t), $$
(10)

where GE−A is the gain of the AT-VR channel. The resulting gain GE−Aζ of the pilot signal must be big enough to ensure that the received signal from the AT is stronger than that from the satellite, thus forcing the VR to get synchronous to sE(t). An enhancement of this attack is achieved by transmitting a signal that destructively interferes with sA(t) at the VR, i.e.,

$$ s_{\mathrm{E}}(t) = - \frac{G_{\mathrm{B}}}{G_{\mathrm{E-A}}} s_{\mathrm{A}}(t) + \zeta p(t - \Delta_{\mathrm{E}}), $$
(11)

where the first term nulls out GBsA(t) in (10), while the second term induces the desired delayed signal. Moreover, the AT can receive the signal from the satellite as

$$ r_{E}(t)=G_{\mathrm{E}}s_{A}(t)+w_{E}(t), $$
(12)

where GE is the channel gain, and wE(t) is the zero-mean AWGN signal with power \(\sigma _{w_{E}}^{2}\).

We will assume that the AT knows all channel gains, and we will also assume that in case of attack the VR gets synchronous with the AT signal and perfectly estimates the GE−Aζ gain. Therefore, for a simpler notation, we drop the channel gains in the following, assuming GE−Aζ=GB=GE=1, except when we focus on the LMS channel.

Methods

The proposed protocol aims at preventing the reference attack of Section 2.2 and operates in two phases: in the first phase, the satellite broadcasts the pilot, a FEC encoded version of the authentication message and the AN, while in the second phase the ground segment broadcasts both the uncoded authentication message and the AN over the ground channel. During the first phase, the VR stores the received authentication signal sampled with the timing and synchronism obtained by the pilot signal. In the second phase, the VR removes the AN, decodes the authentication message, and checks if it corresponds to the authentication message broadcast over the ground channel.

We now detail the operations carried out in both phases.

First phase

In the first phase, the satellite transmits the authentication signal generated as described in Fig. 2. In particular, the satellite encodes the authentication message V in the codeword Xn. The codeword enters the modulator, which outputs real symbols xk with power \(\sigma _{x}^{2}\) at symbol time Ts. Let Rx be the rate of the message xk. Then, each symbol is spread with the spreading sequence \(c_{A,i}= \pm \frac {1}{\sqrt {N_{c}}}, \ i=1,\dots, N_{c}\), yielding the Tc-sampled signal

$$ y_{i}=x_{\lfloor{i/N_{c}\rfloor}} c_{A,i\ \text{mod}\ N_{c}}. $$
(13)

Fig. 2. Satellite transmission scheme in phase 1

Finally, the chip pulse u(t) is used to obtain the continuous time real signal

$$\begin{array}{*{20}l} x(t)=\sum\limits_{i} y_{i} u(t-iT_{c}). \end{array} $$
(14)

The authentication message V must be undecodable to the AT in the first phase, in order to prevent prediction attacks, as detailed in Section 5. Therefore, the satellite also transmits an AN signal ω(t) superimposed to x(t). The resulting signal

$$ z(t)=x(t)+\omega(t) $$
(15)

is superimposed to the ranging signal p(t), and the baseband-equivalent signal transmitted by the satellite becomes

$$ s_{A}(t)=z(t)+p(t), $$
(16)

which replaces (3).

We design the superimposed signal (including AN) z(t) to be orthogonal to the pilot spreading pulse sp(t) in each pilot symbol, in order to avoid interference with the synchronization process (operating with p(t)), and at the same time guarantee that a legacy receiver is not affected by the new superimposed signals. In order to ensure orthogonality, the spreading code cA,i is orthogonal to ci, the spreading code of the pilot signal. As for the AN, for each symbol of duration Ts, we first generate a stationary Gaussian process w(t), 0≤t<Ts, and then remove its projection on sp(t), i.e.,

$$ \omega(t)=w(t)-\rho s_{p}(t), $$
(17)

with

$$ \rho=\int_{0}^{T_{s}} w(t) s_{p}(t) \, dt. $$
(18)

Note that the Gaussian AN generation may be performed by a physical device providing electrical noise which may be further processed numerically. Although generating truly random variables is a challenging task [21–23], we observe that the satellite has typically enough processing power and cannot be physically tampered with; therefore, it is reasonable to assume that it can generate random variables with fairly good randomness.

The signals received by both VR and AT on the AWGN channels are still given by (10) and (12), with the new transmitted signal sA(t) given by (16). The operations at the VR in the first phase are shown in Fig. 3 on the left of the dashed line separating the two phases. In particular, the VR acquires the synchronization on signal p(t), filters the received signal rB(t) by u(−t), and samples the output before despreading with sequence cA,i. In the absence of attack, the resulting discrete-time despread signal can be written as

$$ \hat{x}_{k}'= z_{k}+w_{B,k}, $$
(19)

Fig. 3. VR signal processing. The dashed line separates operations occurring in the first phase from those occurring in the second phase

where zk=xk+ωk and ωk is the AN term. The noise samples wB,k and ωk are still independent and identically distributed (iid) with zero mean and powers \(\sigma _{w_{B}}^{2}\) and \(\sigma _{\omega }^{2}\) respectively.

Note that we have omitted the pilot signal in (19) as its symbols are orthogonal to zn and ωk. Similarly, the AT receives in phase 1 the signal

$$\begin{array}{*{20}l} \hat{x}'_{E,k}=z_{k}+w_{E,k}. \end{array} $$
(20)

Since in the first phase AT does not know the AN, the resulting signal to noise ratio (SNR) at the AT is

$$ \Gamma_{E}=\frac{\sigma_{x}^{2}}{\sigma_{\omega}^{2} + \sigma_{w_{E}}^{2}}. $$
(21)

Therefore, we already observe that even with a noiseless receiver, by properly choosing \(\sigma _{\omega }^{2}\) we can severely degrade the SNR at the AT, thus preventing meaconing attacks. Further details will be provided in Section 4.2.

Second phase

In the second phase, the ground segment broadcasts both V and a quantized version \(\mathcal {Q}(\omega _{k})\) of the AN samples ωk on the ground channel using b bits per sample. In the absence of attack and perfect synchronization, the quantization error is

$$ w_{q,k} \triangleq \omega_{k}-\mathcal{Q}(\omega_{k}), $$
(22)

with zero mean and power \(\sigma _{w_{q}}^{2}\). Note that b is a design parameter which trades off the quantization noise power with the transmission bandwidth of the ground channel.

On its side, the VR receives the signals over the ground channel and elaborates the signal received from the satellite in the first phase according to the scheme of Fig. 3 (at the right of the dashed line). In particular, the VR subtracts from xk′ the quantized AN obtaining

$$\begin{array}{*{20}l} \hat{x}_{k}^{\prime\prime}= x^{\prime}_{k} - \mathcal{Q}(\omega_{k}) = x_{k} + w_{B,k} + w_{q,k}. \end{array} $$
(23)

Detection and decoding follow to obtain the decoded message \(\hat {V}\). If \(\hat {V}=V\), the VR declares that the authentication signal comes from the satellite and the pilot signal is also authentic. Otherwise the VR declares both the authentication message and the pilot as not authentic. Since the synchronization is obtained from p(t), we design the authentication signal such that misalignments between p(t) and x(t) result in an error of the decoded message V, thus revealing the attack. Note also that the AT has no advantage in partially modifying the authentication message, since, once decoded at the VR, it would not match with the message V provided by the ground segment, thus again revealing the attack. In Section 5, we will consider an intermediate situation in which the AT partially observes the signal and attempts to predict the rest of V in the prediction attack.
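The two phases described above can be reproduced at chip level. The following simulation is an added example, not code from the paper: it builds the transmitted signal (16) with AN made orthogonal to the pilot as in (17)–(18), then compares what the VR obtains after AN removal (23) with what a noiseless AT sees (20). The spreading codes, the uniform quantizer over ±4σω and all numerical values are assumptions chosen for illustration.

```python
import math
import random


def simulate_pla(n_sym=4000, nc=16, sigma_x=1.0, sigma_an=4.0,
                 sigma_wb=math.sqrt(0.1), bits=8, seed=1):
    """Chip-level run of phase 1 and phase 2 for n_sym binary authentication symbols."""
    if nc % 2:
        raise ValueError("nc must be even for the constructed codes to be orthogonal")
    rng = random.Random(seed)
    a = 1.0 / math.sqrt(nc)
    c_pilot = [a] * nc                                     # constructed pilot code c_i
    c_auth = [a if i % 2 == 0 else -a for i in range(nc)]  # constructed c_A,i, orthogonal to c_i
    half = 2 ** (bits - 1)
    step = 8.0 * sigma_an / (2 ** bits)  # assumed quantizer: uniform over +/- 4 sigma_an

    def quantize(v):
        # b-bit mid-rise quantizer with clipping, standing in for Q(.) of (22)
        idx = max(-half, min(half - 1, math.floor(v / step)))
        return (idx + 0.5) * step

    def despread(chips, code):
        return sum(r * c for r, c in zip(chips, code))

    leak = 0.0
    vr_err = at_err = 0
    vr_noise = at_noise = 0.0
    for _ in range(n_sym):
        d = rng.choice((-1.0, 1.0))             # pilot symbol d_i
        x = sigma_x * rng.choice((-1.0, 1.0))   # authentication symbol x_k
        w = [rng.gauss(0.0, sigma_an) for _ in range(nc)]
        rho = despread(w, c_pilot)                              # discrete form of (18)
        an = [wi - rho * ci for wi, ci in zip(w, c_pilot)]      # discrete form of (17)
        leak = max(leak, abs(despread(an, c_pilot)))            # AN seen by the pilot correlator
        tx = [d * cp + x * ca + o for cp, ca, o in zip(c_pilot, c_auth, an)]  # (16)
        rx = [t + rng.gauss(0.0, sigma_wb) for t in tx]         # VR front end, (4)
        stored = despread(rx, c_auth)       # phase 1 sample kept by the VR, (19)
        at_obs = despread(tx, c_auth)       # noiseless AT observation, (20)
        omega_k = despread(an, c_auth)      # AN sample known to the ground segment
        cleaned = stored - quantize(omega_k)  # phase 2 AN removal, (23)
        vr_err += (cleaned > 0) != (x > 0)
        at_err += (at_obs > 0) != (x > 0)
        vr_noise += (cleaned - x) ** 2
        at_noise += (at_obs - x) ** 2
    return {
        "pilot_leak": leak,
        "vr_ber": vr_err / n_sym,
        "at_ber": at_err / n_sym,
        "vr_snr": sigma_x ** 2 * n_sym / vr_noise,   # empirical Gamma_B, compare (26)
        "at_snr": sigma_x ** 2 * n_sym / at_noise,   # empirical Gamma_E, compare (21)
    }


if __name__ == "__main__":
    for name, value in simulate_pla().items():
        print(f"{name}: {value:.4g}")
```

With these constructed values the VR's empirical SNR stays close to the value predicted by (26), while the AT's stays close to σx²/σω² from (21) even though the AT receiver is noiseless.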

Correctness and security analysis

We now examine the correctness and security of the proposed PLA solution. The correctness of the protocol is its ability to accept as authentic a signal coming from the satellite that corresponds to the condition \(\hat {V}=V\). The security of the protocol is its ability to detect the reference attack described in Section 4.2. We will obtain rules for the design of PLA parameters (such as the rate of the authentication message Rx and the power of the AN) in order to guarantee correctness and security. Since we are dealing with authentication, which is basically a testing problem between the hypotheses of receiving correct or fake messages, its performance is assessed by the probabilities of attack success and authentic message rejection. Therefore, in our framework, the error probability

$$ P_{e}^{B} \triangleq \mathbb{P}[\hat{V}\neq V | \text{no attack}] \approx 0, $$
(24)

where \(\mathbb P[\cdot ]\) denotes the probability operator, is used as correctness metric, while the success probability of the reference attack is used as security metric, see Section 4.2. In the next section, we will also analyze the security of PLA with respect to prediction (meaconing) attacks on the authentication message.

We consider four communication scenarios, combining finite/infinite codeword lengths with Gaussian/binary signaling. In the following, we will introduce a more efficient feedback where instead of V a smaller-size message can be fed back.

Correctness analysis

Assuming perfect synchronization, the correctness of the algorithm is then associated with proper coding and signaling that ensure correct decoding of the authentication message. We will now examine PLA correctness under infinite/finite codeword lengths and Gaussian/binary signaling. Indeed, while infinite-length codewords and Gaussian signaling provide optimal theoretic performance, finite length and binary signaling are commonly used in GNSS systems, thus providing insight on practical solutions.

Infinite-length codewords and Gaussian signaling: In this case, it is well known that we can ensure a vanishing decoding error probability as long as the message rate is below the channel capacity, i.e.,

$$ R_{x} \leq C_{B}, $$
(25)

and CB is the satellite-VR channel capacity after AN removal. Note that with perfect AN cancelation the resulting SNR of the signal at the input of the VR detector in the absence of attack is

$$ \Gamma_{B}=\frac{\sigma_{x}^{2}}{\sigma_{w_{B}}^{2}+\sigma_{w_{q}}^{2}}, $$
(26)

and the capacity is

$$ C_{B} = \frac{1}{2} \log_{2} \left(1 + \Gamma_{B} \right). $$
(27)

In case of attenuation introduced by the LMS, the VR SNR becomes

$$ \Gamma_{B} = \frac{G_{B}^{2}}{\sigma_{w_{B}}^{2} + \sigma_{w_{q}}^{2}} $$
(28)

and it may occur that the channel is not good enough for the decoding of the authentication message at the VR, generating an outage event with outage probability

$$ P_{\text{out}} = \mathbb{P} \left[ C_{B} < R_{x} \right] = \sum\limits_{i = 1}^{3} \mathbb{P} \left[C_{B} < R_{x}|S=i\right]\mathbb{P}[S=i], $$
(29)

where in the second equality, we conditioned on the LMS state S. For a given state, we also have from (28)

$$ P_{\text{out}|S=i} = \mathbb{P} \left[ G_{B} < \sqrt{\left({\sigma_{w_{B}}^{2}} + {\sigma_{w_{q}}^{2}}\right)\left(2^{2R_{x}} -1\right)} \middle| S=i \right]. $$
(30)

Infinite-length codewords and binary signaling: In this case, we can still provide a vanishing error probability, given that the rate is below the constellation-constrained capacity. In particular, the constrained capacity of a binary AWGN channel with SNR Γ is

$$ C=\mathbb{H}(y)-\frac{1}{2}\log_{2} \left(\frac{2 \pi e}{\Gamma} \right), $$
(31)

where

$$ \mathbb{H}(y)=\int_{-\infty}^{+\infty} f_{y}(a)\log_{2} \frac{1}{f_{y}(a)} da $$
(32)

is the entropy of the received signal with probability density function (PDF)

$$ f_{y}(a)=\sqrt{\frac{\Gamma}{8\pi}}\sum\limits_{s \in\{-1, 1\}} e^{-|s-a|^{2}\Gamma/2}. $$
(33)

In order to compute the capacity, we must resort to the numerical integration of (32).

Finite-length codewords and Gaussian signaling: For codewords of length \(\bar {n}\) and Gaussian signaling, we cannot anymore ensure vanishing error probability. In order to compute the (non-zero) probability that the VR does not decode V, denoted \(P_{e}\left (\Gamma _{\mathrm {B}},R_{x},\bar {n}\right)\), we resort to literature results on finite-length codewords regime [24, 25]. In particular, we lower-bound the codeword error probability \(P_{e}\left (\Gamma,R,\bar {n}\right) \) on AWGN channel with SNR Γ, transmission rate R, and codeword length \(\bar {n}\) as

$$ P_{e}\left(\Gamma,R,\bar{n}\right) \geq q\left(\Gamma,R,\bar{n}\right), $$
(34)

where

$$\begin{array}{*{20}l} q(\Gamma,R,\bar{n}) &\triangleq Q \left(\sqrt{\frac{\bar{n}}{G}} \left(\frac{F-R}{\log_{2} e} + \frac{\ln(\bar{n})}{2\bar{n}} \right) \right), \end{array} $$
(35)
$$\begin{array}{*{20}l} F&=\frac{1}{2} \log_{2} \left(1+\Gamma \right), \end{array} $$
(36)
$$\begin{array}{*{20}l} G&=\frac{\Gamma (2+\Gamma)}{2(1+\Gamma)^{2}}, \end{array} $$
(37)

and Q(·) is the complementary cumulative distribution function (CDF) of a continuous normal variable.

Finite-length codewords and binary signaling: For this case, (34) and (35) still hold with [24, 25]

$$\begin{array}{*{20}l} F&=1+\frac{H^{(1)}}{\ln(2)}, \end{array} $$
(38)
$$\begin{array}{*{20}l} G&= H^{(2)} - H^{(1)2}, \end{array} $$
(39)

where

$$\begin{array}{*{20}l} H^{(\ell)}&=\frac{1}{\sqrt{2\pi \Gamma}} \int_{-\infty}^{\infty} e^{-\frac{1}{2\Gamma}(b-\Gamma)^{2}} (-h(b))^{\ell} db, \end{array} $$
(40)
$$\begin{array}{*{20}l} h(b)&=\ln \left(1+e^{-2b}\right). \end{array} $$
(41)

The probability of rejecting an authentic message is still lower-bounded by (34), with the new H and G in the definition of the function q(·) given still by (35).
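The quantities of this subsection can be evaluated numerically as follows. This is an added example, not code from the paper: it integrates (32) to obtain the binary-constrained capacity (31), computes F and G for both signaling types, and evaluates the bound q of (35). Simpson integration truncated at ten standard deviations and all numerical inputs are assumptions of the example.

```python
import math


def simpson(f, lo, hi, n=4000):
    """Composite Simpson rule on [lo, hi] with n (even) intervals."""
    h = (hi - lo) / n
    total = f(lo) + f(hi)
    for i in range(1, n):
        total += (4 if i % 2 else 2) * f(lo + i * h)
    return total * h / 3


def q_func(x):
    """Complementary CDF of a standard normal variable."""
    return 0.5 * math.erfc(x / math.sqrt(2))


def binary_capacity(gamma):
    """Constrained capacity (31), with H(y) from (32) and the PDF (33)."""
    k = math.sqrt(gamma / (8 * math.pi))

    def entropy_term(a):
        p = k * (math.exp(-(a - 1) ** 2 * gamma / 2)
                 + math.exp(-(a + 1) ** 2 * gamma / 2))
        return -p * math.log2(p) if p > 0 else 0.0   # guard against underflow in the tails

    lim = 1 + 10 / math.sqrt(gamma)
    return simpson(entropy_term, -lim, lim) - 0.5 * math.log2(2 * math.pi * math.e / gamma)


def h_moment(gamma, ell):
    """H^(ell) of (40), with h(b) from (41)."""
    def term(b):
        h = math.log1p(math.exp(-2 * b))
        return math.exp(-(b - gamma) ** 2 / (2 * gamma)) * (-h) ** ell

    half = 10 * math.sqrt(gamma)
    return simpson(term, gamma - half, gamma + half) / math.sqrt(2 * math.pi * gamma)


def f_and_g(gamma, binary=False):
    """(F, G) from (36)-(37) for Gaussian signaling or (38)-(39) for binary signaling."""
    if binary:
        h1, h2 = h_moment(gamma, 1), h_moment(gamma, 2)
        return 1 + h1 / math.log(2), h2 - h1 ** 2
    return 0.5 * math.log2(1 + gamma), gamma * (2 + gamma) / (2 * (1 + gamma) ** 2)


def q_bound(gamma, rate, n, binary=False):
    """Lower bound q of (35) on the codeword error probability."""
    f, g = f_and_g(gamma, binary)
    arg = math.sqrt(n / g) * ((f - rate) / math.log2(math.e) + math.log(n) / (2 * n))
    return q_func(arg)


if __name__ == "__main__":
    for gamma in (0.5, 1.0, 4.0):   # constructed SNR values
        print(gamma, binary_capacity(gamma), f_and_g(gamma, binary=True)[0],
              q_bound(gamma, 0.5, 1000), q_bound(gamma, 0.5, 1000, binary=True))
```

The F of (38) and the capacity of (31) are two expressions of the same quantity, so their agreement is a useful check on the numerical integration.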

Security analysis against the reference attack

Considering now the reference attack, assuming that the VR acquires the synchronization on the spoofed signal, i.e., the attack on the pilot signal is successful, we aim at assessing the probability that the VR also demodulates V from the asynchronous authentication signal, thus failing to reveal the attack.

First note that if ΔE is larger than Tc, the despreading of the authentication message with an asynchronous spreading signal yields a very low output, thus we can assume that the attack is always detected. Therefore, we focus on the case wherein 0≤ΔE<Tc. After despreading and AN removal, \(\hat {x}^{\prime \prime }_{k}\) in (23) is affected by the previously transmitted symbol xk−1, i.e.,

$$ \hat{x}^{\prime\prime}_{k}= \alpha x_{k} + \beta x_{k-1} + w_{B,k} + w_{k,\Delta_{E}}^{(q)}, $$
(42)

where α and β are non-negative interference coefficients and \(w_{k,\Delta _{E}}^{(q)}\) is the residual quantization error with power \(\sigma _{w_{q,\Delta }}^{2}\) that now depends also on ΔE. This results in a new VR’s SNR

$$ \Gamma'_{B} (\Delta_{E})=\frac{\alpha^{2} \sigma_{x}^{2}}{ \beta^{2} \sigma_{x}^{2}+ \sigma_{w_{B}}^{2}+\sigma_{w_{q,\Delta}}^{2}}. $$
(43)

Note that if there is no delay, i.e., ΔE=0, we have \(\alpha =1, \beta =0, \sigma _{w_{q,\Delta }}^{2}=\sigma _{w_{q}}^{2}\) and hence ΓB′=ΓB. If, on the other hand, ΔE>0, then α<1 and β>0. This, together with \(w_{k,\Delta _{E}}^{(q)}\), decreases the VR’s SNR and undermines its capability to decode \(\hat {V}\), resulting in the attack being uncovered. Closed-form expressions for α,β, and \(\sigma _{w_{q,\Delta }}^{2}\) are derived in Appendix A.

Now, we examine PLA security, i.e., its ability to detect the attack in various transmission configurations. We indicate with Psucc(ΔE) the probability of an attack passing undetected (thus full success of the AT), as a function of the induced positioning signal delay.

Infinite-length codewords and Gaussian signaling: Let

$$ C_{B}^{\prime} (\Delta_{E}) = \frac{1}{2} \log_{2} \left(1 + \Gamma_{B}^{\prime}(\Delta_{E}) \right) $$
(44)

be the channel capacity induced to the VR by the reference attack. Given a chosen working point of the authentication message rate Rx, the probability of successful attack, considering infinite codeword length and Gaussian signaling, is

$$ P_{{\text{succ}}}(\Delta_{E}) = \left\{\begin{aligned} 1 \quad \text{if} \quad C_{B}^{\prime}(\Delta_{E}) > R_{x} \\ 0 \quad \text{if} \quad C_{B}^{\prime}(\Delta_{E}) < R_{x}, \end{aligned}\right. $$
(45)

since, from the converse theorem on capacity, the codeword error probability of the VR tends to 1 as the codeword length tends to infinity. We observe that we can reduce the feedback and provide only the secret bits. As soon as these coincide with the one decoded at the receiver, we can ensure authenticity.

Infinite-length codewords and binary signaling: For binary signaling, (45) still holds, but the capacity is computed through (31) by replacing Γ with ΓB′(ΔE).

Finite-length codewords and Gaussian signaling: Given the codeword length \(\bar {n}\) and the authentication message rate Rx in this case the reference attack is successful with probability

$$ P_{{\text{succ}}}(\Delta_{E}) = 1 - P_{e}\left(\Gamma^{\prime}_{B}(\Delta_{E}),R_{x},\bar{n}\right). $$
(46)

Using (34) and (35), we obtain the upper bound

$$ P_{{\text{succ}}}(\Delta_{E}) < 1 - q\left(\Gamma^{\prime}_{B}(\Delta_{E}),R_{x},\bar{n}\right). $$
(47)

Finite-length codewords and binary signaling: The analysis is the same as for the previous paragraph, but using (38)–(41) instead of (36)–(37).

Remark on the replay attack. In the replay attack, the AT retransmits the received signal to the VR right after reception, with arbitrary power. Therefore, the replayed signal also contains the non-predictable component z(t) and differs from the legitimate signal only by the additional noise introduced by the AT front-end. Clearly, in the absence of AT noise, no defense is possible against this attack, as the AT operates simply as an ideal amplifier, and the malicious received signal is indistinguishable from the legitimate one. We therefore do not consider it specifically in this paper, while it has been considered for example in [17]. In [17], we addressed the case wherein the AT introduces noise by assessing the authentication performance under various SNR regimes.

Security against prediction attacks

As we have just seen, the proposed protocol is secure against the reference attack; however, we can consider a more general attack wherein AT partially observes the signal transmitted by the satellite in phase 1, predicts the whole signal and transmits it to the VR. This attack is similar to FEA considered in the literature, where however our authentication protocol was not present.

This attack is based on the possibility of predicting sA(t) (including the authentication part), which is now investigated. While the authentication message is encoded with FEC and therefore the codeword has a specific structure that actually eases prediction, the AN samples are independent and unpredictable. Therefore, the AT will only predict and transmit the authentication message without AN. Under this attack, the VR will then suffer from the cancelation of an AN that is not present, thus actually introducing noise on the signal at the input of the detector.

The best thing the AT can do is to align its prediction of x(t), which we denote \(\hat {x}(t)\), with the forged positioning signal. Following (11), the attack signal becomes

$$ s_{E}(t) = -[\hat{x}(t) + p(t)] + \hat{x}(t-\Delta_{\mathrm{E}}) + p(t-\Delta_{\mathrm{E}}), $$
(48)

such that, if \(\hat {x}(t) = x(t)\) and following (10), the signal received in phase one by the VR is

$$ r_{B}(t) = \hat{x}(t-\Delta_{\mathrm{E}}) + p(t-\Delta_{\mathrm{E}}) + \omega(t) + w_{B}(t). $$
(49)

In phase two, we have

$$ \hat{x}_{k}^{\prime\prime} = x_{k} + w_{B,k} + w_{k,\Delta_{E}}^{(q)}, $$
(50)

which is similar to (42) except that now there is no symbol interference in the authentication message. The VR’s SNR becomes

$$ \Gamma^{\prime\prime}_{B} (\Delta_{E})=\frac{\sigma_{x}^{2}}{\sigma_{w_{B}}^{2}+\sigma_{w_{q,\Delta}}^{2}}. $$
(51)

Therefore, even in the presence of un-removed AN, the VR may decode the authentication message transmitted by the AT, thus accepting the signal as authentic. If we condition to the event of correct prediction, which happens with probability

$$ P_{\text{pred}} \triangleq \mathbb{P} [\hat{x}(t) = x(t)], $$
(52)

then the success probability of the prediction attacks becomes Psucc(ΔE) of Section 4.2 with ΓB′′(ΔE) in place of ΓB′(ΔE).

In the following, we will consider two specific prediction attacks, namely, the blind prediction and the codeword prediction attack. For each attack, we evaluate Ppred, as a metric of success of the attack in our authentication context.

Blind prediction attack: In this case, the AT does not use the signal received from the satellite but directly attempts to guess the authentication message. For a finite number of possible codewords, there is a non-zero probability that the guess is correct. The AT generates and transmits sA(t) according to the guessed authentication codeword, with the desired delay ΔE.

Codeword prediction attack: In this case, the AT receives a fraction of the signal transmitted by the satellite (corrupted by AN) and attempts to decode the authentication message. Then, it transmits the decoded codeword as its own authentication message with the desired delay ΔE. This attack exploits the structure of the codeword introduced by FEC and is equivalent to the FEA attack present in the literature (not with our authentication scheme).

We now analyze each of these attacks against PLA.

Blind prediction attack

With ideal transmission, i.e., when codewords with infinite lengths are used for xk, the probability that the VR guesses the correct message V is vanishing. For a finite length \(\bar {n}\), the prediction probability is instead associated with the probability of correctly guessing the codeword into a codebook of \(R_{x} \bar {n}\) entries; therefore,

$$ P_{\text{pred}} =2^{-R_{x}\bar{n}}. $$
(53)

Codeword prediction attack

In order to avoid the codeword prediction attack, we must reduce the probability of correct decoding of the codeword by the AT for a partial observation of the received signal in the first phase. This feature is provided by the AN that affects the decoding capabilities of the AT.

Infinite-length codewords and Gaussian signaling: For perfect coding and Gaussian signaling, we can avoid the codeword prediction attack by ensuring that no information is obtained on the secret message by the observation of rE(t) in the first phase, i.e.,

$$ \mathbb{I}(V;r_{E}(t))=0, $$
(54)

where \(\mathbb {I}(\cdot ;\cdot)\) denotes the mutual information function. This condition will also ensure that no information is obtained on V by a partial observation of rE(t). From results on wiretap-coding, the secrecy condition (54) is satisfied as long as ([26], Chapter 5)

$$ R_{x} \geq C_{E}= \frac{1}{2} \log_{2} \left(1+\Gamma_{E} \right), $$
(55)

where CE is the capacity of the satellite-AT channel. Note that in our authentication framework, mutual information matters only for prediction attacks, because in the reference attack the AT does not attempt to construct V by eavesdropping z(t). Therefore, assuming as worst case that the AT has a noiseless receiver (\(\sigma _{w_{E}}^{2} = 0\)), from (21) and (55), the noise power \(\sigma _{\omega }^{2}\) must satisfy

$$ \sigma_{\omega}^{2} \geq \frac{\sigma_{x}^{2}}{2^{2R_{x}}-1}. $$
(56)

Still by the wiretap coding theory, there exist suitable wiretap codes for the satellite such that the part of the authentication message that remains secret to the AT has a secrecy rate

$$ R_{A}=R_{x}-C_{E}, $$
(57)

and the probability of guessing the correct codeword is vanishing with the codeword length as

$$ P_{\text{pred}} =2^{-R_{A}\bar{n}}. $$
(58)

Note that with respect to the blind prediction attack, Rx is now replaced by RA<Rx. In turn, RA is maximized when Rx=CB, and we obtain the secrecy capacity [26]

$$ C_{A}\triangleq C_{B}-C_{E}, $$
(59)

while the design constraint (56), assuming negligible quantization noise, becomes

$$ \sigma_{\omega}^{2} > \sigma_{w_{B}}^{2}. $$
(60)

Note that in our context, the secrecy of message V is only instrumental to the authentication of the navigation message. Therefore, with a small abuse of notation, we will denote as authentication capacity the secrecy capacity CA, as the secret bits are those that prevent the AT from guessing the authentication message. For a practical implementation of this approach, existing wiretap codes can be used (see for example the survey papers [27] and [28]), with a variety of trade-offs between wiretap performance, code length, and decoding complexity. Further investigation is also needed, though outside of the scope of this paper, on specific requirements of the wiretap codes for our scheme. Here, indeed, confidentiality is only instrumental to preventing prediction attack and the security metric is the success probability of the spoofing attack.

Infinite-length codewords and binary signaling: The analysis of the previous paragraph holds with the difference that CB and CE must be computed numerically using (31)–(33).

Finite-length codewords and Gaussian signaling: We still first assume Gaussian signaling. Due to the finite-length regime, (54) does not hold anymore. Considering a codeword prediction attack performed by the AT at symbol \(n<\bar {n}\), the probability of successful attack is upper-bounded as

$$ \begin{aligned} P_{\text{pred}}(n) &\leq \max \left\lbrace 1- P_{e}\left(\Gamma_{E},R_{x},n \right),2^{-R_{x} n} \right\rbrace \\ &\leq \max \left\lbrace 1- q\left(\Gamma_{E},R_{x},n \right),2^{-R_{x}n} \right\rbrace, \end{aligned} $$
(61)

where the second inequality comes from two facts:

  a) q(Γ,Rx,n) is a lower bound on the codeword error probability and

  b) the bound (34) is based on the fact that the code is optimized for length \(\bar {n}\), while the AT attempts decoding after receiving n symbols, thus we have a further source of error by this mismatch.

The maximum comes from the fact that the success probability cannot be lower than \(2^{-R_{x}n}\), which corresponds to the complete random choice of the attack codeword.

Finite-length codewords and binary signaling: In this case, (61) still holds using (38)–(41).

Power optimization

We now aim at optimizing \(\sigma _{x}^{2}\), given a fixed power budget, i.e.,

$$ A = \sigma_{x}^{2} + \sigma_{\omega}^{2}. $$
(62)

This corresponds to choosing the trade-off between the power assigned to the authentication message and the AN, for a total additional power (with respect to the non-authenticated system) A. We consider two design criteria which lead to different optimization problems, aiming at increasing security against reference and prediction attacks, respectively.

Optimization against the reference attack

In this case, we want to maximize the protection against the reference attack, while also achieving a desired value for Rx, under power constraint (62). To this end, we choose an operating point ΔE=ε, corresponding to the maximum tolerable synchronization error in standard operating conditions. Performance is then dictated by how fast ΓB(ΔE) decreases, when ΔE>ε, due to an ongoing attack that introduces an asynchronism larger than the expected maximum.

First, observe that when u(t) has a rectangular shape ΓB(ΔE) is a monotonically decreasing function for 0≤ΔE≤Tc, as shown in the Appendix A. Then, we aim at minimizing the derivative of ΓB around ε, so that the system is as sensitive as possible to unexpected synchronization errors. With a slight abuse of notation, we define the derivative of ΓB(ΔE) computed at ε as

$$ f(\sigma_{x}^{2}) \triangleq \left. \frac{\partial \Gamma_{\mathrm{B}} (\Delta_{\mathrm{E}})}{\partial \Delta_{\mathrm{E}}} \right|_{\Delta_{E} = \epsilon}, $$
(63)

where we highlight the derivative dependency on \(\sigma _{x}^{2}\) that we want to optimize. The problem then can be written as

$$ \begin{aligned} & \underset{\sigma_{x}^{2} \geq 0}{\text{min}} f\left(\sigma_{x}^{2}\right) \\ & \text{subject to } (62) \text{ and }\ R_{x} - \frac{1}{2} \log_{2} (1 + \Gamma_{\mathrm{B}} (\epsilon)) \leq 0, \\ \end{aligned} $$
(64)

where the second constraint ensures correctness at ΔE=ε (still tolerable delay) for the case with infinite codeword length and Gaussian signaling.

We now solve the optimization problem. For ease of notation, let us rename the optimization variable as \(o \triangleq \sigma _{x}^{2}\). With algebraic computations, we have

$$ f(o) = \frac{N_{2} o^{2} + N_{1} o}{(D_{1} o + D_{0})^{2}}, $$
(65)

where

$$ {}\begin{aligned} N_{2} = & 2A_{1}A_{2}B^{2}\epsilon^{2} -4A_{1}A_{2} + 4A_{1}^{2}A_{2} + 4A_{1}A_{2}^{2}\epsilon\\ \quad& + 2A_{2}^{2}B^{2}\epsilon^{3} -4A_{2}^{2}\epsilon + 4A_{1}A_{2}^{2}\epsilon + 4A_{2}^{3}\epsilon^{2} -2A_{1}^{2}B^{2}\epsilon \\ \quad & - 2B^{2}A_{2}^{2}\epsilon^{3} - 4B^{2}A_{1}A_{2}\epsilon^{2} \\ \quad& - 2A_{2}A_{1}^{2} -2A_{2}^{3}\epsilon^{2} - 4A_{1}A_{2}^{2}\epsilon, \\ N_{1} =& 2A_{1}A_{2}\sigma_{w_{B}}^{2} +4AA_{1}A_{2} -4 AA_{1}^{2}A_{2} - 4AA_{1}A_{2}^{2}\epsilon \\ \quad & + 2A_{2}^{2}\sigma_{w_{B}}^{2}\epsilon + 2AA_{2}^{2}\epsilon -4AA_{1}A_{2}^{2}\epsilon -4AA_{2}^{3}\epsilon^{2}\\ \quad & + 2AA_{2}A_{1}^{2} +2AA_{2}^{3}\epsilon^{2} +4AA_{2}^{2}A_{1}\epsilon,\\ D_{1} =& B^{2}\epsilon^{2} -2 +2A_{1}+2A_{2}\epsilon, \\ D_{0} =& \sigma_{w_{B}}^{2}+ 2A -2AA_{1} -2AA_{2}\epsilon. \end{aligned} $$

By differentiating f(o) and setting the derivative to zero, we find the candidate solutions of the optimization problem. We have

$$ f'(o) = \frac{(2N_{2}D_{0}-N_{1}D_{1})o +N_{1}D_{0}}{(D_{1}o + D_{0})^{3}} = 0 $$
(66)

and the only candidate point is

$$ o^{*} = \frac{N_{1}D_{0}}{N_{1}D_{1} - 2N_{2}D_{0}}. $$
(67)

We now consider the constraints in (64). The power constraint has been eliminated by substituting \(\sigma _{\omega }^{2} = A-\sigma _{x}^{2}\) in (86), while the correctness constraints yield the upper bound

$$ \sigma_{x}^{2} \leq \frac{(1-2^{2R_{x}})(\sigma_{w_{B}}^{2} + 2A -2A\alpha)}{(1-2^{2R_{x}})(\beta^{2} - 2 +2\alpha)-\alpha^{2}} = \hat{\sigma}_{x}^{2}. $$
(68)

The feasible set is then the compact set \(\mathcal {E} = \{ \sigma _{x}^{2} | 0\leq \sigma _{x}^{2} \leq \min (\hat {\sigma }_{x}^{2},A) \}\). The solution of the overall optimization problem is the point \(\sigma _{\text {opt}}^{2}\), among \(o^{*}\) and the extrema of \(\mathcal {E}\), providing the minimum value of f(·).

Authentication capacity maximization

In this case, we want to maximize the protection against prediction attacks, that as we have seen, can be achieved by maximizing the secrecy rate given the power budget (62), i.e.,

$$ \begin{aligned} & \underset{\sigma_{x}^{2} \geq 0}{\max} \, C_{A} \left(\sigma_{x}^{2}\right) \\ & \text{subject to } (62), \end{aligned} $$
(69)

where again with a slight abuse of notation, we have highlighted CA dependency on \(\sigma _{x}^{2}\). Note that \(C_{A}\left (\sigma _{x}^{2}\right) >0\) only if \(\sigma _{\omega }^{2} > \sigma _{w_{B}}^{2}\); therefore, we must have \(A > \sigma _{w_{B}}^{2}\).

For the AWGN channel, consider the case \(\sigma _{w_{q}}^{2}=0\), wherein VR and AT SNRs are

$$ \Gamma_{B} = \frac{\sigma_{x}^{2}}{\sigma_{w_{B}}^{2}}, \quad \Gamma_{E} = \frac{\sigma_{x}^{2}}{\sigma_{\omega}^{2}}. $$
(70)

Exploiting the concavity of the logarithm, (69) is equivalent to

$$ \max_{\sigma_{x}^{2} > 0} - \frac{1}{A\sigma_{w_{B}}^{2}} \left(A - \sigma_{x}^{2}\right)^{2} + \frac{A + \sigma_{w_{B}}^{2}}{A \sigma_{w_{B}}^{2}} \left(A - \sigma_{x}^{2}\right). $$
(71)

The objective function is now a downward-opening parabola; hence, the solution of (71) is

$$ \sigma_{\text{opt}}^{2} = \frac{A- \sigma_{w_{B}}^{2}}{2}. $$
(72)
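The split (72) can be checked numerically and turned into a codeword-length requirement through (58) with RA = CA. The following is an added example, not code from the paper: the 5 dB budget and the 10^-9 target are constructed values, and all function names are hypothetical.

```python
import math


def db_to_linear(value_db):
    """Convert a power expressed in dB to linear scale."""
    return 10.0 ** (value_db / 10.0)


def capacities(sigma_x2, budget_a, sigma_wb2):
    """Return (C_B, C_E, C_A) in bit per symbol for one split of the budget.

    Uses the SNRs of (70): the VR sees only thermal noise (AN removed, no
    quantization noise), the noiseless AT sees only the AN.
    """
    if not 0.0 <= sigma_x2 < budget_a:
        raise ValueError("need 0 <= sigma_x2 < A so that some AN is left")
    sigma_omega2 = budget_a - sigma_x2           # AN power left by (62)
    c_b = 0.5 * math.log2(1.0 + sigma_x2 / sigma_wb2)
    c_e = 0.5 * math.log2(1.0 + sigma_x2 / sigma_omega2)
    return c_b, c_e, c_b - c_e                   # C_A as in (59)


def closed_form_split(budget_a, sigma_wb2):
    """Optimal message power (72); requires A > sigma_wB^2."""
    if budget_a <= sigma_wb2:
        raise ValueError("A must exceed the VR noise power for C_A > 0")
    return (budget_a - sigma_wb2) / 2.0


def grid_search_split(budget_a, sigma_wb2, steps=4000):
    """Brute-force maximiser of C_A over the open interval (0, A)."""
    best_x, best_c = 0.0, 0.0
    for i in range(1, steps):
        x = budget_a * i / steps
        c_a = capacities(x, budget_a, sigma_wb2)[2]
        if c_a > best_c:
            best_x, best_c = x, c_a
    return best_x, best_c


def p_pred(secret_rate, n_bar):
    """Codeword prediction probability (58) for secrecy rate R_A."""
    return 2.0 ** (-secret_rate * n_bar)


def min_codeword_length(secret_rate, target):
    """Smallest n_bar for which (58) does not exceed the target."""
    if secret_rate <= 0.0:
        raise ValueError("no finite length works when R_A <= 0")
    n_bar = max(1, math.ceil(-math.log2(target) / secret_rate))
    while p_pred(secret_rate, n_bar) > target:   # guard against rounding
        n_bar += 1
    return n_bar


if __name__ == "__main__":
    A = db_to_linear(5.0)      # constructed power budget
    N = db_to_linear(-5.0)     # sigma_wB^2 = -5 dB, one of the page's values
    x_opt = closed_form_split(A, N)
    x_grid, _ = grid_search_split(A, N)
    c_b, c_e, c_a = capacities(x_opt, A, N)
    print(f"sigma_x^2: closed form {x_opt:.4f}, grid search {x_grid:.4f}")
    print(f"AN power {A - x_opt:.4f} exceeds VR noise {N:.4f}: {A - x_opt > N}")
    print(f"C_B={c_b:.3f}  C_E={c_e:.3f}  C_A={c_a:.3f} bit/symbol")
    print(f"P_pred at n=250: {p_pred(c_a, 250):.3e}")
    print(f"n for P_pred <= 1e-9: {min_codeword_length(c_a, 1e-9)}")
```

The grid search agrees with (72) because CA equals one half of the base-2 logarithm of (σwB² + σx²)(A − σx²)/(A σwB²), whose argument is the parabola of (71).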

Results and discussion

We consider the transmission scenario of Fig. 1 with a single satellite. The ground channel is assumed error-free and with a large band. As for the Galileo signal, we assume Nc = 4,092 and \(T_{c}=10^{-6}/1.023\) s [29]. The VR’s noise power is \(\sigma _{w_{B}}^{2}=0,-\thinspace 5\), or − 10 dB, which are typical values for GNSS receivers [30]. For the AT, we assume \(\sigma _{w_{E}}^{2}=0\), i.e., a noiseless receiver, as a worst case for the authentication problem.

About the transmission chip u(t), we consider two options, shown in Fig. 4. In particular, u1(t) is the chip pulse used in the Galileo E1b system [29], while u2(t) is a chip pulse characterized by a smaller support designed in order to make the authentication signal more fragile to synchronization errors, as discussed in Section 4.2. The design of u(t) can be further improved for a practical implementation, but this is left for future works.

Fig. 4. Two considered chip pulses: u1(t) and u2(t)

As an example of various issues that must be addressed in the design of the chip pulse beyond its sensitivity to synchronization errors, we consider here its occupied band, by showing in Fig. 5 the power spectral density (PSD) of x(t) modulated by the two chip pulses. We note that the new pulse has a similar PSD to the standard one, thus making u2(t) a good candidate (at least about band occupation) for future GNSS systems. In the following, we will show the merits of u2(t) for authentication purposes.

Fig. 5. PSD of x(t) modulated by the chip pulses of Fig. 4

With reference to Sections 4, 5, and 6, we now provide various performance results.

Correctness analysis

About correctness, we have shown that it is related to the capability of the VR to correctly decode the authentication message sent by the satellite.

Infinite-length codewords: In this case, correctness is ensured as long as the rate of the authentication message Rx is below the capacity of the satellite-VR channel. Thus, we show the outage probability (29) for three propagation scenarios [19], namely, (1) urban area, vehicle mounted antenna, elevation 30°; (2) suburban area, vehicle mounted antenna, elevation 60°; and (3) intermediate tree shadowed area, elevation 80°.

Figure 6 shows Pout for the three scenarios in the case of Gaussian signaling, as a function of Rx. Note that a lower elevation (scenario 1) has more impact on the outage probability than differences in user motion settings, as the curves of scenarios 2 and 3 are closer to each other.

Fig. 6. Pout for three different propagation scenarios as a function of Rx

Similar results (omitted here for the sake of conciseness) are obtained for the case of binary signaling.

Finite-length codewords: For finite-length codewords, we have seen that there is a non-zero probability that the VR does not recognize as authentic the signal coming from the satellite, due to decoding errors in the authentication message.

Figure 7 shows the lower bound to the codeword error probability, \(q(\Gamma _{B},R_{x},\bar {n})\), as a function of \(\bar {n}\) for both Gaussian and binary signaling and ΓB=1 dB. We observe that for a higher rate, the error probability increases, e.g., for \(\bar {n}~=~300\) (for Gaussian signaling) the probability of error goes from \(2\cdot 10^{-3}\) to \(2\cdot 10^{-2}\) by increasing the rate by 0.05 b/s/Hz.

Fig. 7. \(q(\Gamma _{B},R_{x},\bar {n})\) for ΓB=1 dB, Gaussian and binary signaling and two different values of Rx, as a function of the codeword length \(\bar {n}\)

Moreover, we observe that for Gaussian signaling, the codeword error rate decreases faster with \(\bar {n}\) than with binary signaling. Note however that the functions q(·) are approximations of bounds for codeword error probability [25]; therefore, the distance between the binary and the Gaussian case we read in the plots might not be exact.

Reference attack

As discussed in Section 4.2, the success of the reference attack depends on the delay between the authentication and the navigation message, as well as the operating conditions of the VR. We now consider the various signaling and coding configurations with AN power \(\sigma _{\omega }^{2}~=~0\) dB and VR’s noise power \(\sigma _{w_{B}}^{2}~=~-~5\) dB.

Infinite-length codewords: Figures 8 and 9 show CB′ vs the attack delay ΔE for both Gaussian and binary signaling, and for chip pulse u1(t) and u2(t). We observe that with u1(t) (Galileo system), the capacity drops to zero for ΔE>0.2 Tc, while with u2(t) (proposed pulse) having a more compact support, the capacity drops to zero already for ΔE = 0.15 Tc. Therefore, with the proposed chip, we can detect a reference attack inducing even smaller delays. Moreover, as observed earlier, binary and Gaussian signaling provide similar performance.

Fig. 8. Degradation of VR’s capacity versus the delay ΔE, using the transmission chip pulse u1(t), with \(\sigma _{w_{B}}^{2}=-~5\) dB and \(\sigma _{\omega }^{2}=0\) dB

Fig. 9. Degradation of VR’s capacity versus the delay ΔE, using the transmission chip pulse u2(t), with \(\sigma _{w_{B}}^{2}=-~5\) dB and \(\sigma _{\omega }^{2}=0\) dB

Note that by setting the coding rate Rx below \(C_{A}(\Delta _{\mathrm {E}}^{*})~=~0\), we have that an attack with delay \(\Delta _{\mathrm {E}}>\Delta _{\mathrm {E}}^{*}\) is detected as, from the converse theorem on capacity, the codeword error probability of the VR tends to 1 as \(\bar {n}\) tends to infinity. Note however, that the choice of Rx must also take into account the sensitivity of VR to synchronization errors in normal operation (i.e., when the received signal is coming from the satellite), in order to avoid false alarms.

Finite-length codewords: For finite-length codewords, Gaussian signaling, and \(\sigma _{w_{B}}^{2} = -~5\) dB, the reference attack is successful with non-zero probability. Figures 10 and 11 show the upper bound to the attack success probability \(1-q(\Gamma _{B}'(\Delta _{\mathrm { E}}),R_{x},\bar {n})\) (see (47)). We note the impact of the attack delay ΔE on the error probability Pe. The two symmetric lobes are due to the particular structure of pulses u1(t) and u2(t) that exhibit positive values in the first half chip and negative values in the second half. Also in this case, u2(t) is more robust than u1(t) against the reference attack, yielding an attack success probability lower than \(10^{-10}\) for 0.3<ΔE/Tc<0.8. Similar considerations hold for the binary signaling case, omitted here for the sake of conciseness.

Fig. 10. \(1-q(\Gamma _{B}'(\Delta _{\mathrm {E}}),R_{x},\bar {n})\) (Gaussian case) as a function of the attack delay ΔE for three values of Rx and using pulse u1(t) of Fig. 4, \(\sigma _{w_{B}}^{2}=-~5\) dB

Fig. 11. \(1-q(\Gamma _{B}'(\Delta _{\mathrm {E}}),R_{x},\bar {n})\) (Gaussian case) as a function of the attack delay ΔE for three values of Rx and using pulse u2(t) of Fig. 4, \(\sigma _{w_{B}}^{2}=-~5\) dB

Prediction attacks

We have seen that the prediction attacks are more powerful than the reference attack, given a successful x(t) prediction. In this section, we evaluate Ppred, as defined in (52), for various system configurations. In particular, for the blind prediction attack, Ppred is a simple exponential function of \(\bar {n}\) and Rx, thus we omit showing it, and we focus on the codeword prediction attack that also depends on the device operating conditions.

Figure 12 shows Ppred as a function of \(\sigma _{\omega }^{2}\) and \(\bar {n}~=~250\) for the codeword prediction attack. We consider RA=CB−CE with capacities given by Gaussian (marked lines) and binary (without markers) signaling, for three values of \(\sigma _{w_{B}}^{2}\). In general, we observe that the Gaussian signaling offers more protection against the codeword prediction attack than binary signaling. However, the difference with the binary signaling becomes less relevant as \(\sigma _{w_{B}}^{2}\) increases.

Fig. 12. Ppred for the codeword prediction attack as a function of \(\sigma _{\omega }^{2}\). Binary (no markers) and Gaussian (markers) signaling, with ΓB=5 dB and three different values of \(\sigma _{w_{B}}^{2}\)

We now assess the impact of the number of quantization bits b on Ppred, see (58), for the PLA scheme with RA=CA and CB given by (27). Figure 13 shows Ppred as a function of \(\sigma _{\omega }^{2}\) for different values of b, with b=∞ corresponding to no quantization of the AN. We can see that a lower b requires the system to work with a higher \(\sigma _{\omega }^{2}\) in order to keep a desired level of Ppred. However, note how performance rapidly approaches b = ∞, as soon as b increases, suggesting that implementations with a reasonably low b are close to optimal.

Fig. 13. Ppred for the codeword prediction attack as a function of \(\sigma _{\omega }^{2}\) for different values of b. Gaussian signaling, with \(\sigma _{w_{B}}^{2} = -~5\)

Power optimization

In this section, we consider the power optimizations of Section 6.

Reference attack: For the optimization against the reference attack, Fig. 14 shows \(f\left (\sigma ^{2}_{\text {opt}}\right)\) (see (63)) as a function of A for three values of \(\sigma _{w_{B}}^{2}\). We note that for an increasing power budget A, we can make the system more sensitive to synchronization errors, which corresponds to having a smaller \(f\left (\sigma ^{2}_{\text {opt}}\right)\).

Fig. 14. \(f(\sigma _{\text {opt}}^{2})\) as a function of A for three values of \(\sigma _{w_{B}}^{2}\)

Figure 15 shows \(\sigma _{\text {opt}}^{2}\) as a function of A and three values of \(\sigma _{w_{B}}^{2}\). In general, we need to spend more power on the authentication message rather than on AN. For a small A, we actually do not need AN (thus \(\sigma _{\text {opt}}^{2}~=~A\)). This corresponds to the candidate point \(o^{*}\) in (67) being outside the feasible set \(\mathcal {E}\).

Fig. 15. \(\sigma _{\text {opt}}^{2}\) as a function of A for three values of \(\sigma _{w_{B}}^{2}\)

Prediction attacks: Figure 16 shows the authentication capacity (59) as a function of the power constraint A for different values of \(\sigma _{w_{B}}^{2}\). The power of the AN is chosen according to (72) and Gaussian signaling is assumed (see Section 6.2). We recall that in our model, the navigation signal has unitary power, i.e., A = 0 dB implies that we are using the same amount of power for both the navigation and authentication components. Note that a 0 dB thermal noise power yields zero authentication capacity for A = 0 dB, and we thus need A > 2.2 dB to obtain a positive CA.

Fig. 16. Authentication capacity under power constraint A for three values of \(\sigma _{w_{B}}^{2}\)

Conclusions

In this work, we proposed a novel authentication protocol, and we showed that the proposed solution effectively authenticates a navigation message. We analyzed the protocol performance under various transmission constraints, such as finite-length codewords, binary signaling and power constraints. We conclude that the proposed strategy is effective in providing authentication of the Galileo signal, preventing the reference attack for Gaussian signaling and significantly lowering the success of attacks for finite-length codeword and finite signaling. We also considered prediction attacks specifically targeting the PLA, showing how the unpredictability of the AN further increases its security.

Appendix A: Derivation of interference coefficients for the reference attack

The interference coefficients in (43) are given by

$$ \alpha = \int_{\epsilon}^{T_{s}} s_{T}(\tau-\epsilon) s_{R}(\tau) d\tau, $$
(73)

$$ \beta = \int_{0}^{\epsilon} s_{T}(\tau+T_{s} - \epsilon) s_{R}(\tau)d\tau, $$
(74)

$$ s_{T}(t) = \sum\limits_{i=0}^{N_{c}-1} c_{A,i} g_{Tx}(t-iT_{c}). $$
(75)

For the residual quantization error \(w_{k,\epsilon }^{(q)}\), we have

$$ \omega_{k,\epsilon}= \int_{kT_{s}}^{(k+1)T_{s}} \omega(\tau-\epsilon) s_{R}(\tau-kT_{s}) d\tau, $$
(76)

and thus

$$ w_{k,\epsilon}^{(q)}=\omega_{k,\epsilon} - \mathcal{Q}(\omega_{k}). $$
(77)

The power of \(w_{k,\epsilon }^{(q)}\) is

$$ \sigma_{w_{q,\Delta}}^{2}(\epsilon) = \mathbb{E} \left[|w_{k,\epsilon}^{(q)}|^{2}\right], $$
(78)

where \(\mathbb {E} \left [{\cdot }\right ]\) is the expectation operator. Considering perfect quantization, i.e., \(\omega _{k}=\mathcal {Q}(\omega _{k})\), \(\omega _{k,\epsilon }\) and \(\omega _{k}\) are two correlated Gaussian random variables. Note that

$$ \sigma_{w_{q,\Delta}}^{2}=\mathbb{E}\left[{\left(w_{k,\epsilon}^{(q)}\right)^{2}}\right] + \mathbb{E} \left[{(\omega_{k})^{2}}\right] - 2 \mathbb{E} \left[{w_{k,\epsilon}^{(q)} \omega_{k}}\right]. $$
(79)

Now we have

$$ \begin{aligned} &\mathbb{E} \left[{\omega_{k,\epsilon} \omega_{k}}\right] = \\ &=\mathbb{E} \left[{\int_{0}^{T_{s}} \int_{0}^{T_{s}} \omega(\tau) s_{T}(\tau) \omega(\tau^{\prime}-\epsilon) s_{R}(\tau^{\prime}) d\tau^{\prime} d\tau} \right] \\ & = \int_{0}^{T_{s}} \int_{0}^{T_{s}} \mathbb{E}\left[{\omega(\tau)\omega(\tau'-\epsilon)}\right] s_{T}(\tau) s_{R}(\tau^{\prime}) d\tau^{\prime} d\tau, \end{aligned} $$
(80)

where the second line comes from (77), the third line comes from the linearity of the expectation, and we considered k = 0 in the integral limits for the noise stationarity. Since ω(t) is a white Gaussian process, by definition the inner expected value becomes

$$ \mathbb{E}\left[{\omega(\tau)\omega(\tau^{\prime}-\epsilon)}\right]= \delta (\tau-\tau^{\prime}+\epsilon) \sigma_{\omega}^{2}, $$
(81)

where δ(·) is the continuous time impulsive function. Due to the integral properties of δ(·), (80) becomes

$$ \mathbb{E} \left[{w_{k}^{\epsilon} \omega_{k}}\right]=\sigma_{\omega}^{2} \int_{0}^{T_{s}-\epsilon} s_{T}(\tau) s_{R}(\tau+\epsilon) d\tau =\sigma_{\omega}^{2}\nu_{\epsilon}, $$
(82)

where the result of the integral νε only depends on ε and the transmitter and receiver pulses. Note that if ε = 0, then ωk = ωk,ε and \(w_{k,\epsilon }^{q}~=~0\). Moreover, for a high ε, the correlation between ωk and ωk,ε decreases; if ε exceeds Ts, the two variables become uncorrelated (νε = 0), since they insist on disjoint intervals of ω(t). Under these conditions, \(\sigma _{w_{q,\Delta }}^{2}=2\sigma _{\omega }^{2} (1-\nu _{\epsilon })\).

We now show that ΓB is a monotonically decreasing function for 0≤ΔE≤Tc, when u(t) has a rectangular shape. From (73), we get

$$ \alpha = A_{1} + A_{2}\Delta_{E}, $$
(83)

where

$$ A_{1} = T_{c} \sum\limits_{i=1}^{i=N_{c}} c_{i}^{2}, \quad A_{2} = \sum\limits_{i=2}^{i=N_{c}} c_{i} c_{i-1} - \sum\limits_{i=1}^{i=N_{c}} c_{i}^{2}. $$
(84)

Note that A2≤0, therefore α decreases with ΔE. By definition of νε in (82), we also get α=ν since the symmetry of the rectangular shape we are considering yields the same expression for the correlation integral. Similarly, from (74) we get

$$ \beta = c_{1} c_{N_{c}} \Delta_{\mathrm{E}} = B \Delta_{\mathrm{E}}, $$
(85)

where β is an increasing function of ΔE. By definition of ΓB, we have

$$ \Gamma_{\mathrm{B}}^{\prime} (\Delta_{\mathrm{E}}) = \frac{(A_{1} + A_{2} \Delta_{\mathrm{E}})^{2} \sigma_{x}^{2}}{(B \Delta_{\mathrm{E}})^{2} \sigma_{x}^{2} + \sigma_{w_{B}}^{2} + 2\sigma_{\omega}^{2}(1-A_{1} - A_{2} \Delta_{\mathrm{E}})}, $$
(86)

where the numerator is a decreasing function of ΔE and the denominator is an increasing function of ΔE. It follows that ΓB(ΔE) is a monotonically decreasing function of ΔE.
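Equations (83)–(86) can be evaluated numerically for the rectangular-pulse case to see at which delay the VR's capacity falls below the coding rate, so that the delayed signal is no longer decodable. This is an added example, not code from the paper: the ±1 spreading code is constructed and scaled so that A1 = 1, σx² = 0 dB and Rx = 0.5 bit/symbol are assumptions, Nc, Tc, σwB² = −5 dB and σω² = 0 dB are the page's values, and the function names are hypothetical.

```python
import math
import random

TC = 1e-6 / 1.023        # chip period from the page, in seconds
NC = 4092                # chips per symbol from the page


def constructed_chips(n_chips, chip_period, seed=1):
    """Constructed +/-1 spreading code, scaled so that A1 = 1 (assumption)."""
    rng = random.Random(seed)
    amp = 1.0 / math.sqrt(n_chips * chip_period)
    return [amp if rng.getrandbits(1) else -amp for _ in range(n_chips)]


def interference_coefficients(chips, chip_period):
    """A1 and A2 of (84) and B of (85) for a rectangular chip pulse."""
    energy = sum(c * c for c in chips)
    a1 = chip_period * energy
    a2 = sum(chips[i] * chips[i - 1] for i in range(1, len(chips))) - energy
    b = chips[0] * chips[-1]
    return a1, a2, b


def gamma_b_prime(delay, coeffs, sigma_x2, sigma_wb2, sigma_omega2):
    """SNR (86) at the VR when the authentication signal lags by `delay`."""
    a1, a2, b = coeffs
    alpha = a1 + a2 * delay                      # useful term, (83)
    beta = b * delay                             # inter-symbol term, (85)
    den = (beta ** 2 * sigma_x2 + sigma_wb2
           + 2.0 * sigma_omega2 * (1.0 - alpha))  # residual AN grows with delay
    return alpha ** 2 * sigma_x2 / den


def capacity(snr):
    """Gaussian-signaling capacity in bit per symbol."""
    return 0.5 * math.log2(1.0 + snr)


def detection_delay(rate, coeffs, sigma_x2, sigma_wb2, sigma_omega2,
                    chip_period, steps=1000):
    """Smallest grid delay in [0, Tc] where capacity drops below `rate`.

    Returns None if the capacity stays at or above the rate on the whole grid.
    """
    for i in range(steps + 1):
        delay = chip_period * i / steps
        snr = gamma_b_prime(delay, coeffs, sigma_x2, sigma_wb2, sigma_omega2)
        if capacity(snr) < rate:
            return delay
    return None


if __name__ == "__main__":
    coeffs = interference_coefficients(constructed_chips(NC, TC), TC)
    sx2, swb2, som2 = 1.0, 10 ** (-0.5), 1.0     # 0 dB, -5 dB, 0 dB
    for frac in (0.0, 0.1, 0.2, 0.5):
        snr = gamma_b_prime(frac * TC, coeffs, sx2, swb2, som2)
        print(f"delay {frac:.1f} Tc: SNR {snr:.3f}, capacity {capacity(snr):.3f}")
    d = detection_delay(0.5, coeffs, sx2, swb2, som2, TC)
    print(f"capacity below Rx = 0.5 from delay {d / TC:.3f} Tc")
```

The numbers apply to the rectangular pulse of this appendix only, not to the pulses u1(t) and u2(t) of Fig. 4.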

Notes

  1. Note that indeed the AN signal ω(t) can be directly generated at the satellite. Note also that the satellite must transmit the quantized AN samples to the ground segment.

Abbreviations

AN: Artificial noise
AT: Attacker
AWGN: Additive white Gaussian noise
BPSK: Binary phase shift keying
CDF: Cumulative distribution function
FEA: Forward estimation attack
FEC: Forward error correction
iid: Independent and identically distributed
IT: Information theory
LMS: Land mobile satellite link
LOS: Line of sight
NMA: Navigation message authentication
MC: Markov chain
PDF: Probability density function
PLA: Physical layer authentication
PSD: Power spectral density
PSK: Phase shift keying
SCER: Security code estimation and replay
SNR: Signal to noise ratio
VR: Victim receiver

References

  1. D. P. Shepard, T. E. Humphreys, A. A. Fansler, Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks. Int. J. Crit. Infrastruct. Prot. 5(3-4), 146–153 (2012).
  2. K. D. Wesson, D. P. Shepard, J. A. Bhatti, T. E. Humphreys, in Radionavigation Laboratory Conference Proceedings. An evaluation of the vestigial signal defense for civil GPS anti-spoofing (University of Texas, Austin, 2011).
  3. D. M. Akos, Who’s afraid of the spoofer? GPS/GNSS spoofing detection via automatic gain control (agc). Navig. J. Inst. Navig. 59(4), 281–290 (2012).
  4. A. Cavaleri, B. Motella, M. Pini, M. Fantino, in Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC) 2010 5th ESA Workshop on. Detection of spoofed GPS signals at code and carrier tracking level (IEEE, Noordwijk, 2010), pp. 1–6.
  5. M. Cuntz, A. Konovaltsev, M. Heckler, A. Hornbostel, L. Kurz, G. Kappen, T. Noll, in Proc. ION GNSS, vol 2010. Lessons learnt: The development of a robust multi-antenna GNSS receiver (Oregon Convention Center, Portland, 2010), pp. 21–24.
  6. E. Axell, M. Alexandersson, T. Lindgren, in Localization and GNSS (ICL-GNSS), 2015 International Conference on. Results on GNSS meaconing detection with multiple cots receivers (IEEE, Gothenburg, 2015), pp. 1–6.
  7. E. Axell, E. G. Larsson, D. Persson, in Acoustics, Speech and Signal Processing (ICASSP), 2015 IEEE International Conference on. GNSS spoofing detection using multiple mobile cots receivers (IEEE, Brisbane, 2015), pp. 3192–3196.
  8. P. Levin, D. S. De Lorenzo, P. K. Enge, S. C. Lo, Authenticating a signal based on an unknown component thereof, June 28 2011. US Patent 7,969,354.
  9. B. W. O’Hanlon, M. L. Psiaki, J. A. Bhatti, D. P. Shepard, T. E. Humphreys, Real-time GPS spoofing detection via correlation of encrypted signals. Navigation. 60(4), 267–278 (2013).
  10. A. J. Kerns, K. D. Wesson, T. E. Humphreys, in Position, Location and Navigation Symposium-PLANS 2014, 2014 IEEE/ION. A blueprint for civil GPS navigation message authentication (IEEE, Monterey, 2014), pp. 262–269.
  11. L. Scott, in Proceedings of the 16th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS/GNSS 2003). Anti-spoofing & authenticated signal architectures for civil navigation systems (Oregon Convention Center, Portland, 2001), pp. 1543–1552.
  12. J. T. Curran, C. O’Driscoll, Message authentication as an anti-spoofing mechanism (2017). Technical report, Working Paper. researchgate.net.
  13. G. Caparra, S. Ceccato, N. Laurenti, J. Cramer, in Proc. of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), Portland, OR. Feasibility and limitations of self-spoofing attacks on GNSS signals with message authentication (2017), pp. 3968–3984.
  14. T. E. Humphreys, Detection strategy for cryptographic GNSS anti-spoofing. IEEE Trans. Aerosp. Electron. Syst. 49(2), 1073–1090 (2013).
  15. E. Jorswieck, S. Tomasin, A. Sezgin, Broadcasting into the uncertainty: Authentication and confidentiality by physical-layer processing. Proc. IEEE. 103(10), 1702–1724 (2015).
  16. X. Wu, Z. Yang, C. Ling, X. G. Xia, Artificial-noise-aided message authentication codes with information-theoretic security. IEEE Trans. Inf. Forensics Secur. 11(6), 1278–1290 (2016).
  17. F. Formaggio, S. Tomasin, G. Caparra, S. Ceccato, N. Laurenti, in Proc. IEEE 2018 26th European Signal Processing Conference (EUSIPCO). Authentication of Galileo GNSS signal by superimposed signature with artificial noise (Rome, 2018), pp. 2573–2577.
  18. W. Stallings, Cryptography and network security: Principles and practice (Pearson, Upper Saddle River, 2017).
  19. F. P. Fontan, M. Vázquez-Castro, C. E. Cabado, J. P. Garcia, E. Kubista, Statistical modeling of the LMS channel. IEEE Trans. Veh. Technol. 50(6), 1549–1567 (2001).
  20. C. Loo, A statistical model for a land mobile satellite link. IEEE Trans. Veh. Technol. 34(3), 122–127 (1985).
  21. J. E. Gentle, Random number generation and Monte Carlo methods (Springer Science & Business Media, New York, 2006).
  22. H. Niederreiter, Random number generation and quasi-Monte Carlo methods, vol. 63 (Society for Industrial & Applied Mathematics, US, 1992).
  23. P. L’Ecuyer, Handbook of Computational Statistics (Springer, Berlin, 2012).
  24. T. Erseghe, On the evaluation of the Polyanskiy-Poor–Verdú converse bound for finite block-length coding in AWGN. IEEE Trans. Inf. Theory. 61(12), 6578–6590 (2015).
  25. T. Erseghe, Coding in the finite-blocklength regime: Bounds based on Laplace integrals and their asymptotic approximations. IEEE Trans. Inf. Theory. 62(12), 6854–6883 (2016).
  26. M. Bloch, J. Barros, Physical-layer security: from information theory to security engineering (Cambridge University Press, 2011).
  27. M. Hayashi, R. Matsumoto, Construction of wiretap codes from ordinary channel codes (2010). arXiv preprint arXiv:1001.1197.
  28. W. K. Harrison, J. Almeida, M. R. Bloch, S. W. McLaughlin, J. Barros, Coding for secrecy: An overview of error-control coding techniques for physical-layer security. IEEE Signal Proc. Mag. 30(5), 41–50 (2013).
  29. I. Galileo, Galileo open service, signal in space interface control document (OS SIS ICD) (2008). European space agency/European GNSS supervisory authority.
  30. A. Joseph, GNSS solutions: Measuring signal strength (2010). GNSS insidegnss.com.

Acknowledgements

No acknowledgements.

Funding

No specific funding.

Availability of data and materials

No data is available.

Author information

The contribution of this paper consists in the proposal and analysis of a novel authentication scheme for the authentication of GNSS signals. Both authors contributed significantly in writing the manuscript and they read and approved the final version.

Correspondence to Francesco Formaggio.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.


Keywords

  • Artificial noise
  • Authentication
  • Global navigation satellite system
  • Physical layer security
  • Wiretap coding