Authentication of satellite navigation signals by wiretap coding and artificial noise
EURASIP Journal on Wireless Communications and Networking volume 2019, Article number: 98 (2019)
Abstract
In order to combat the spoofing of global navigation satellite system (GNSS) signals, we propose a novel signal authentication method based on information-theoretic security. In particular, the satellite superimposes to the navigation signal an authentication signal containing a secret authentication message corrupted by artificial noise (AN). We impose the following properties:

a) Authentication and navigation signals are synchronous,
b) Authentication and navigation signals are orthogonal and
c) The secret message is undecodable by the attacker due to the AN.
The legitimate receiver synchronizes with the navigation signal and stores the samples of the authentication signal with the same synchronization. After the transmission of the authentication signal, through a separate public asynchronous ground channel (e.g., a secure Internet connection) additional information is made public allowing the receiver to

a) Decode the authentication message, thus overcoming the effects of AN, and
b) Verify the authentication message.
We assess the performance of the proposed scheme by the analysis of both the secrecy capacity of the authentication message and the attack success probability under various attack scenarios.
Introduction
Global navigation satellite systems (GNSS) offer positioning and timing services for an increasing variety of applications (e.g., car and ship navigation, but also synchronization of electrical grid stations). GNSS signals are subject to various security attacks, aiming ultimately at disrupting or altering these applications [1]. In this paper, we focus on the spoofing attack, where an attacker (AT) transmits a signal with the purpose of inducing a false specific location estimate to the victim receiver (VR). This attack is active as it requires a transmission by the spoofer.
Positioning is typically obtained by measuring the time of arrival of pilot signals known at the receiver. The AT generates and transmits the pilots with proper delays (with respect to other original or spoofed satellite signals) in order to induce the desired position estimation. Moreover, the spoofer can also transmit an additional signal that destructively interferes with the original satellite signal at the VR.
A first defense against spoofing is its detection at the VR. Examples include the detection of either the residual power (on top of the legitimate signal) [2], or pre- [3] or post-correlation [4] power. Other approaches check the consistency of the arrival directions of satellite signals through multiple antennas [5–7]. Another defense strategy is the modification of current GNSS signal to both ease spoofing detection and make the attack more difficult. An interesting opportunity is the transmission of (partially) unpredictable signals, in what is usually denoted as navigation message authentication (NMA). Implementations of NMA include cryptographic schemes based on either symmetric-key [8, 9] or asymmetric-key [10, 11] encryption. The partial unpredictability of the signal makes the spoofing attack more difficult as the AT cannot simply transmit a delayed version of the legitimate signal. In a more sophisticated attack, the AT eavesdrops the original satellite signal and then retransmits it (including both pilots and authentication data) in the so-called meaconing attack. Variations of this attack include the partial observation of the satellite signal and the reconstruction of the missing part, exploiting the redundancy provided by either forward error correction (FEC) (forward estimation attack, FEA) [12, 13] or spread spectrum techniques typical of GNSS, thus alternating (within the symbol duration) detection and retransmission (security code estimation and replay, SCER) [14].
In this paper, we propose a solution to make the GNSS system more robust to spoofing by operating at the physical layer and exploiting information theory (IT) results (see [15] for a survey on IT authentication solutions). The idea is that the satellite transmits an unpredictable authentication message synchronously with the navigation message. In order to prevent meaconing attacks, the satellite also transmits artificial noise (AN) superimposed to the authentication message, to be removed at the receiver before authentication verification. Then, after its transmission over the satellite channel, the authentication message and the AN are separately and securely rebroadcast so that the VR can check the presence and correctness of the authentication message in the earlier received signal. This eases the detection of the spoofing attack. The information dissemination can also occur on a separate delay-tolerant but authenticated channel, e.g., over the Internet with cryptographic authentication protocols. In summary, our solution, denoted physical layer authentication (PLA), includes (a) a novel communication architecture to securely share the authentication message and AN with a loose random delay and (b) coding and decoding algorithms for the authentication message, together with a technique to decide about its authenticity.
Regarding related literature, in [16] AN is also used on top of an authentication tag, however without synchronization requirements and without an architecture for the dissemination of AN signal and authentication tags. In [17], we proposed to superimpose an AN-corrupted authentication message to the navigation signal, and PLA extends it by including advanced coding and signaling, and analyzing the solution within the framework of wiretap coding.
We show that as the length of the authentication message goes to infinity, we obtain a vanishing probability of success for the spoofing attack. We compute the rate at which the success probability vanishes, under perfect coding and Gaussian signaling. Then, we derive bounds on the success probability when finite-length messages and binary signaling are used. The impact of synchronization errors (due to an ongoing spoofing attack) on the success probability is also considered. For finite-length coding and binary signaling, a predictive attack (similar to meaconing FEA) is analyzed in terms of the probability of passing undetected. By numerical results, we show the effectiveness of the proposed PLA technique against various attacks.
The rest of the paper is organized as follows. Section 2 introduces both the system model and the reference attack strategy. In Section 3, we propose the novel PLA solution, whose correctness and security are analyzed in Section 4. In Section 5, we consider prediction attacks specifically targeting our PLA. The optimization of the transmit power is addressed in Section 6. Numerical results are presented in Section 7 before conclusions are drawn in Section 8.
System model
Figure 1 shows our reference scenario with a satellite, and two earth devices, i.e., a VR and an AT.
Satellite communication channel: In the basic existing configuration, the satellite generates a unitary-power real binary pilot signal d_{i} with symbol period T_{s} and spreads it with the real unitary-power spreading pulse
with chip period T_{c}=T_{s}/N_{c}, spreading sequence \(c_{i}=\pm \frac {1}{\sqrt {N_{c}}}, \ i=0, \dots, N_{c}-1 \), and unitary-energy chip pulse u(t). The resulting signal is
In the current GNSS, p(t) is also the baseband-equivalent (pilot component) signal transmitted by the satellite, which we will denote as
In the absence of attacks and considering additive white Gaussian noise (AWGN) channels between all devices, as typically considered in satellite navigation systems, the signal received by the VR is
where G_{B} is the channel gain, and w_{B}(t) is the zero-mean AWGN signal with power spectral density \(\sigma _{w_{B}}^{2}\).
Ground channel: In order to implement our PLA scheme, we need a ground channel, i.e., public authenticated channel over which signals are transmitted by the ground segment, i.e., the navigation control center on the earth that is controlling GNSS. This channel is not necessarily a satellite link, and it is assumed to be of large bandwidth provided for example through an Internet connection. The authentication is ensured by higher layer authentication protocols [18] (such as https). We assume the AT has no control over the information traveling on the ground channel and, thus, it can not modify it. Moreover, as no fine time synchronization is available on the ground channel, it is not useful for ranging purposes.
Land satellite model
Channel gain G_{B} can be described by the land mobile satellite link (LMS) according to [19]. A three-state Markov chain (MC) is used to model the slow variations of the line of sight (LOS) due to shadowing and blockage effects while the Loo [20] distribution is used for G_{B} within each state and models shadowing and multipath effects. Therefore, we have
where G_{B}≥0, l is lognormally distributed, g is Rayleigh distributed, ϕ_{0} and ϕ are uniformly distributed in the interval [0,2π]. In particular,
where
The parameters μ,d_{0}, and b_{0} are provided in [19] for different scenarios and for each Markov state. Note that we assume that the channel phase is always compensated at the receiver, thus we obtain the real signal model (4).
Reference attack
The AT’s objective is to forge a navigation signal, send it to the VR, and let it believe it was transmitted by the satellite. We consider in particular here as reference attack a strategy wherein AT transmits an amplified (by factor ζ) and delayed (by delay Δ_{E}) version of p(t), i.e.,
where the delay is chosen by AT to induce a desired positioning at the VR. Correspondingly, the signal received by the VR is
where G_{E−A} is the gain of the AT-VR channel. The resulting gain G_{E−A}ζ of the pilot signal must be big enough to ensure that the received signal from the AT is stronger than that from the satellite, thus forcing the VR to get synchronous to s_{E}(t). An enhancement of this attack is achieved by transmitting a signal that destructively interferes with s_{A}(t) at the VR, i.e.,
where the first term nulls out G_{B}s_{A}(t) in (10), while the second term induces the desired delayed signal. Moreover, the AT can receive the signal from the satellite as
where G_{E} is the channel gain, and w_{E}(t) is the zero-mean AWGN signal with power \(\sigma _{w_{E}}^{2}\).
We will assume that the AT knows all channel gains, and we will also assume that in case of attack the VR gets synchronous with the AT signal and perfectly estimates the G_{E−A}ζ gain. Therefore, for a simpler notation, we drop the channel gains in the following, assuming G_{E−A}ζ=G_{B}=G_{E}=1, except when we focus on the LMS channel.
Methods
The proposed protocol aims at preventing the reference attack of Section 2.2 and operates in two phases: in the first phase, the satellite broadcasts the pilot, a FEC encoded version of the authentication message and the AN, while in the second phase the ground segment broadcasts both the uncoded authentication message and the AN over the ground channel. During the first phase, the VR stores the received authentication signal sampled with the timing and synchronism obtained by the pilot signal. In the second phase, the VR removes the AN, decodes the authentication message, and checks if it corresponds to the authentication message broadcast over the ground channel.
We now detail the operations carried out in both phases.
First phase
In the first phase, the satellite transmits the authentication signal generated as described in Fig. 2. In particular, the satellite encodes the authentication message V in the codeword X^{n}. The codeword enters the modulator, which outputs real symbols x_{k} with power \(\sigma _{x}^{2}\) at symbol time T_{s}. Let R_{x} be the rate of the message x_{k}. Then, each symbol is spread with the spreading sequence \(c_{A,i}= \pm \frac {1}{\sqrt {N_{c}}}, \ i=1,\dots, N_{c}\), yielding the T_{c}-sampled signal
Finally, the chip pulse u(t) is used to obtain the continuous time real signal
The authentication message V must be undecodable to the AT in the first phase, in order to prevent prediction attacks, as detailed in Section 5. Therefore, the satellite also transmits an AN signal ω(t) superimposed to x(t). The resulting signal
is superimposed to the ranging signal p(t), and the baseband-equivalent signal transmitted by the satellite becomes
which replaces (3).
We design the superimposed signal (including AN) z(t) to be orthogonal to the pilot spreading pulse s_{p}(t) in each pilot symbol, in order to avoid interference with the synchronization process (operating with p(t)), and at the same time guarantee that a legacy receiver is not affected by the new superimposed signals. In order to ensure orthogonality, the spreading code c_{A,i} is orthogonal to c_{i}, the spreading code of the pilot signal. About the AN, for each symbol of duration T_{s}, we first generate a stationary Gaussian process w(t),0≤t≤T_{s}, and then project it on s_{p}(t), i.e.,
with
Note that the Gaussian AN generation may be performed by a physical device providing electrical noise which may be further elaborated numerically. Although generating truly random variables is a challenging task [21–23], we observe that the satellite has typically enough processing power and cannot be physically tampered; therefore, it is reasonable to assume that it can generate random variables with fairly good randomness.
The signals received by both VR and AT on the AWGN channels are still given by (10) and (12), with the new transmitted signal s_{A}(t) given by (16). The operations at the VR in the first phase are shown in Fig. 3 on the left of the dashed line separating the two phases. In particular, the VR acquires the synchronization on signal p(t), filters the received signal r_{B}(t) by u(−t), and samples the output before despreading with sequence c_{A,i}. In the absence of attack, the resulting discrete-time despread signal can be written as
where z_{k}=x_{k}+ω_{k} and ω_{k} is the AN term. The noise samples w_{B,k} and ω_{k} are still independent and identically distributed (iid) with zero mean and powers \(\sigma _{w_{B}}^{2}\) and \(\sigma _{\omega }^{2}\) respectively.
Note that we have omitted the pilot signal in (19) as its symbols are orthogonal to z_{n} and ω_{k}. Similarly, the AT receives in phase 1 the signal
Since in the first phase AT does not know the AN, the resulting signal to noise ratio (SNR) at the AT is
Therefore, we already observe that even with a noiseless receiver, by properly choosing \(\sigma _{\omega }^{2}\) we can severely degrade the SNR at the AT, thus preventing meaconing attacks. Further details will be provided in Section 4.2.
Second phase
In the second phase, the ground segment broadcasts both V and a quantized version \(\mathcal {Q}(\omega _{k})\) of the AN samples ω_{k} on the ground channel using b bits per sample. In the absence of attack and perfect synchronization, the quantization error is
with zero mean and power \(\sigma _{w_{q}}^{2}\). Note that b is a design parameter which trades off the quantization noise power with the transmission bandwidth of the ground channel.
On its side, the VR receives the signals over the ground channel and elaborates the signal received from the satellite in the first phase according to the scheme of Fig. 3 (at the right of the dashed line). In particular, the VR subtracts from \(x'_{k}\) the quantized AN obtaining
Detection and decoding follow to obtain the decoded message \(\hat {V}\). If \(\hat {V}=V\), the VR declares that the authentication signal comes from the satellite and the pilot signal is also authentic. Otherwise the VR declares both the authentication message and the pilot as not authentic. Since the synchronization is obtained from p(t), we design the authentication signal such that misalignments between p(t) and x(t) result in an error of the decoded message V, thus revealing the attack. Note also that the AT has no advantage in partially modifying the authentication message, since, once decoded at the VR, it would not match with the message V provided by the ground segment, thus again revealing the attack. In Section 5, we will consider an intermediate situation in which the AT partially observes the signal and attempts to predict the rest of V in the prediction attack.
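The two phases described above can be traced end to end in a small simulation. This is an added example, not code from the paper: it assumes uncoded binary (±σ_x) signaling in place of the FEC codeword, a noiseless AT receiver, a uniform b-bit quantizer over ±6σ_ω, and constructed parameter values, and it works directly on the despread samples z_k = x_k + ω_k.

```python
import math
import random


def quantize(sample, sigma, bits):
    """Uniform b-bit quantizer on [-6*sigma, 6*sigma] (assumed design, not the paper's)."""
    half = 1 << (bits - 1)
    step = 6.0 * sigma / half
    k = min(half - 1, max(-half, math.floor(sample / step)))
    return (k + 0.5) * step


def detect(samples):
    """Hard decision on binary antipodal symbols."""
    return [1 if s > 0 else 0 for s in samples]


def ber(a, b):
    """Fraction of positions where two bit sequences differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def run(n=2000, sigma_x=1.0, sigma_an=10.0, sigma_wb=0.1,
        sigma_we=0.0, bits=12, seed=7):
    """Simulate both phases; all default values are constructed for illustration."""
    rng = random.Random(seed)

    # Satellite: authentication message V, symbols x_k, artificial noise w_k.
    v = [rng.getrandbits(1) for _ in range(n)]
    x = [sigma_x if b else -sigma_x for b in v]
    an = [rng.gauss(0.0, sigma_an) for _ in range(n)]
    z = [xi + wi for xi, wi in zip(x, an)]

    # Phase 1: VR stores its despread samples; AT observes the same z_k.
    r_b = [zi + rng.gauss(0.0, sigma_wb) for zi in z]
    r_e = [zi + rng.gauss(0.0, sigma_we) for zi in z]
    at_estimate = detect(r_e)  # AT tries to read V through the AN

    # Phase 2: ground segment publishes V and Q(w_k); VR cancels the AN.
    an_q = [quantize(w, sigma_an, bits) for w in an]
    v_hat = detect([r - q for r, q in zip(r_b, an_q)])

    # Prediction attack, best case for the AT: it sends the correct x_k
    # but cannot include the AN, so the VR subtracts an AN that is absent.
    r_spoof = [xi + rng.gauss(0.0, sigma_wb) for xi in x]
    v_spoof = detect([r - q for r, q in zip(r_spoof, an_q)])

    at_snr = sigma_x ** 2 / (sigma_an ** 2 + sigma_we ** 2)
    return {
        "legit_accept": v_hat == v,      # VR check: decoded message equals V
        "at_ber": ber(at_estimate, v),   # AT's phase-1 bit error rate
        "at_snr_db": 10.0 * math.log10(at_snr),
        "spoof_accept": v_spoof == v,
        "spoof_ber": ber(v_spoof, v),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With FEC in place of uncoded symbols, the VR tolerates part of the residual AN in the spoofed case, which is why the paper bounds the attack success probability instead of treating it as zero.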
Correctness and security analysis
We now examine the correctness and security of the proposed PLA solution. The correctness of the protocol is its ability to accept as authentic a signal coming from the satellite that corresponds to the condition \(\hat {V}=V\). The security of the protocol is its ability to detect the reference attack described in Section 4.2. We will obtain rules for the design of PLA parameters (such as the rate of the authentication message R_{x} and the power of the AN) in order to guarantee correctness and security. Since we are dealing with authentication, which is basically a testing problem between the hypotheses of receiving correct or fake messages, its performance is assessed by the probabilities of attack success and authentic message rejection. Therefore, in our framework, the error probability
where \(\mathbb P[\cdot ]\) denotes the probability operator, is used as correctness metric, while the success probability of the reference attack is used as security metric, see Section 4.2. In the next section, we will also analyze the security of PLA with respect to prediction (meaconing) attacks on the authentication message.
We consider four communication scenarios, combining finite/infinite codeword lengths with Gaussian/binary signaling. In the following, we will introduce a more efficient feedback where instead of V a smaller-size message can be fed back.
Correctness analysis
Assuming perfect synchronization, the correctness of the algorithm is then associated with proper coding and signaling that ensure correct decoding of the authentication message. We will now examine PLA correctness under infinite/finite codeword lengths and Gaussian/binary signaling. Indeed, while infinite-length codewords and Gaussian signaling provide optimal theoretic performance, finite length and binary signaling are commonly used in GNSS systems, thus providing insight on practical solutions.
Infinite-length codewords and Gaussian signaling: In this case, it is well known that we can ensure a vanishing decoding error probability as long as the message rate is below the channel capacity, i.e.,
and C_{B} is the satellite-VR channel capacity after AN removal. Note that with perfect AN cancelation the resulting SNR of the signal at the input of the VR detector in the absence of attack is
and the capacity is
In case of attenuation introduced by the LMS, the VR SNR becomes
and it may occur that the channel is not good enough for the decoding of the authentication message at the VR, generating an outage event with outage probability
where in the second equation, we conditioned on the LMS state S. For a given state, we also have from (28)
Infinite-length codewords and binary signaling: In this case, we can still provide a vanishing error probability, given that the rate is below the constellation-constrained capacity. In particular, the constrained capacity of a binary AWGN channel with SNR Γ is
where
is the entropy of the received signal with probability density function (PDF)
In order to compute the capacity, we must resort to the numerical integration of (32).
Finite-length codewords and Gaussian signaling: For codewords of length \(\bar {n}\) and Gaussian signaling, we can no longer ensure vanishing error probability. In order to compute the (nonzero) probability that the VR does not decode V, denoted \(P_{e}\left (\Gamma _{\mathrm {B}},R_{x},\bar {n}\right)\), we resort to literature results on the finite-length codeword regime [24, 25]. In particular, we lower-bound the codeword error probability \(P_{e}\left (\Gamma,R,\bar {n}\right) \) on AWGN channel with SNR Γ, transmission rate R, and codeword length \(\bar {n}\) as
where
and Q(·) is the complementary cumulative distribution function (CDF) of a continuous normal variable.
Finite-length codewords and binary signaling: For this case, (34) and (35) still hold with [24, 25]
where
The probability of rejecting an authentic message is still lower-bounded by (34), with the new H and G in the definition of the function q(·) given still by (35).
Security analysis against the reference attack
Considering now the reference attack, assuming that the VR acquires the synchronization on the spoofed signal, i.e., the attack on the pilot signal is successful, we aim at assessing the probability that the VR also demodulates V from the asynchronous authentication signal, thus failing to reveal the attack.
First note that if Δ_{E} is larger than T_{c}, the despreading of the authentication message with an asynchronous spreading signal yields a very low output, thus we can assume that the attack is always detected. Therefore, we focus on the case wherein 0≤Δ_{E}<T_{c}. After despreading and AN removal, \(\hat {x}^{\prime \prime }_{k}\) in (23) is affected by the previously transmitted symbol x_{k−1}, i.e.,
where α and β are non-negative interference coefficients and \(w_{k,\Delta _{E}}^{(q)}\) is the residual quantization error with power \(\sigma _{w_{q,\Delta }}^{2}\) that now depends also on Δ_{E}. This results in a new VR’s SNR
Note that if there is no delay, i.e., Δ_{E}=0, we have \(\alpha =1, \beta =0, \sigma _{w_{q,\Delta }}^{2}=\sigma _{w_{q}}^{2}\) and hence \(\Gamma '_{\mathrm {B}}=\Gamma _{\mathrm {B}}\). If, on the other hand, Δ_{E}>0, then α<1 and β>0. This, together with \(w_{k,\Delta _{E}}^{(q)}\), decreases the VR’s SNR and undermines its capability to decode \(\hat {V}\), resulting in the attack being uncovered. Closed-form expressions for α,β, and \(\sigma _{w_{q,\Delta }}^{2}\) are derived in Appendix A.
Now, we examine PLA security, i.e., its ability to detect the attack in various transmission configurations. We indicate with P_{succ}(Δ_{E}) the probability of an attack passing undetected (thus full success of the AT), as a function of the induced positioning signal delay.
Infinite-length codewords and Gaussian signaling: Let
be the channel capacity induced to the VR by the reference attack. Given a chosen working point of the authentication message rate R_{x}, the probability of successful attack, considering infinite codeword length and Gaussian signaling, is
since, from the converse theorem on capacity, the codeword error probability of the VR tends to 1 as the codeword length tends to infinity. We observe that we can reduce the feedback and provide only the secret bits. As soon as these coincide with the one decoded at the receiver, we can ensure authenticity.
Infinite-length codewords and binary signaling: For binary signaling, (45) still holds, but the capacity is computed through (31) by replacing Γ with \(\Gamma '_{\mathrm {B}}(\Delta _{E})\).
Finite-length codewords and Gaussian signaling: Given the codeword length \(\bar {n}\) and the authentication message rate R_{x} in this case the reference attack is successful with probability
Using (34) and (35), we obtain the upper bound
Finite-length codewords and binary signaling: The analysis is the same as for the previous paragraph, but using (38)–(41) instead of (36)–(37).
Remark on the replay attack. In the replay attack, the AT retransmits the received signal to the VR right after reception, with arbitrary power. Therefore, the replayed signal contains also the non-predictable component z(t) and differs from the legitimate signal only by the additional noise introduced by the AT front-end. Clearly, in absence of AT noise, no defense is possible against this attack, whereas the AT operates simply as an ideal amplifier, and the malicious received signal is indistinguishable from the legitimate one. We then do not consider it specifically in this paper, while it has been considered for example in [17]. In [17], we addressed the case wherein the AT introduces noise by assessing the authentication performance under various SNR regimes.
Security against prediction attacks
As we have just seen, the proposed protocol is secure against the reference attack; however, we can consider a more general attack wherein AT partially observes the signal transmitted by the satellite in phase 1, predicts the whole signal and transmits it to the VR. This attack is similar to FEA considered in the literature, where however our authentication protocol was not present.
This attack is based on the possibility of predicting s_{A}(t) (including the authentication part), which is now investigated. While the authentication message is encoded with FEC and therefore the codeword has a specific structure that actually eases prediction, the AN samples are independent and unpredictable. Therefore, the AT will only predict and transmit the authentication message without AN. Under this attack, the VR will then suffer from the cancelation of an AN that is not present, thus actually introducing noise on the signal at the input of the detector.
The best thing the AT can do is to align his prediction of x(t), that we denote \(\hat {x}(t)\), with the forged positioning signal. Following (11), the attack signal becomes
such that, if \(\hat {x}(t) = x(t)\) and following (10), the signal received in phase one by the VR is
In phase two, we have
which is similar to (42) except that now there is no symbol interference in the authentication message. The VR’s SNR becomes
Therefore, even in the presence of unremoved AN, the VR may decode the authentication message transmitted by the AT, thus accepting the signal as authentic. If we condition to the event of correct prediction, which happens with probability
then the success probability of the prediction attacks becomes P_{succ}(Δ_{E}) of Section 4.2 with \(\Gamma ''_{\mathrm {B}}(\Delta _{E})\) in place of \(\Gamma '_{\mathrm {B}}(\Delta _{E})\).
In the following, we will consider two specific prediction attacks, namely, the blind prediction and the codeword prediction attack. For each attack, we evaluate P_{pred}, as a metric of success of the attack in our authentication context.
Blind prediction attack: In this case, the AT does not use the signal received from the satellite but directly attempts to guess the authentication message. For a finite number of possible codewords, there is a nonzero probability that the guess is correct. The AT generates and transmits s_{A}(t) according to the guessed authentication codeword, with the desired delay Δ_{E}.
Codeword prediction attack: In this case, the AT receives a fraction of the signal transmitted by the satellite (corrupted by AN) and attempts to decode the authentication message. Then, it transmits the decoded codeword as its own authentication message with the desired delay Δ_{E}. This attack exploits the structure of the codeword introduced by FEC and is equivalent to the FEA attack present in the literature (not with our authentication scheme).
We now analyze each of these attacks against PLA.
Blind prediction attack
With ideal transmission, i.e., when codewords with infinite lengths are used for x_{k}, the probability that the VR guesses the correct message V is vanishing. For a finite length \(\bar {n}\), the prediction probability is instead associated with the probability of correctly guessing the codeword into a codebook of \(R_{x} \bar {n}\) entries; therefore,
Codeword prediction attack
In order to avoid the codeword prediction attack, we must reduce the probability of correct decoding of the codeword by the AT for a partial observation of the received signal in the first phase. This feature is provided by the AN that affects the decoding capabilities of the AT.
Infinite-length codewords and Gaussian signaling: For perfect coding and Gaussian signaling, we can avoid the codeword prediction attack by ensuring that no information is obtained on the secret message by the observation of r_{E}(t) in the first phase, i.e.,
where \(\mathbb {I}(\cdot ;\cdot)\) denotes the mutual information function. This condition will also ensure that no information is obtained on V by a partial observation of r_{E}(t). From results on wiretap coding, the secrecy condition (54) is satisfied as long as ([26], Chapter 5)
where C_{E} is the capacity of the satellite-AT channel. Note that in our authentication framework, mutual information matters only for prediction attacks, because in the reference attack the AT does not attempt to construct V by eavesdropping z(t). Therefore, assuming as worst case that the AT has a noiseless receiver (\(\sigma _{w_{E}}^{2} = 0\)), from (21) and (55), the noise power \(\sigma _{\omega }^{2}\) must satisfy
Still by the wiretap coding theory, there exist suitable wiretap codes for the satellite such that the part of the authentication message that remains secret to the AT has a secrecy rate
and the probability of guessing the correct codeword is vanishing with the codeword length as
Note that with respect to the blind prediction attack, R_{x} is now replaced by R_{A}<R_{x}. In turn, R_{A} is maximized when R_{x}=C_{B}, and we obtain the secrecy capacity [26]
while the design constraint (56), assuming negligible quantization noise, becomes
Note that in our context, the secrecy of message V is only instrumental to the authentication of the navigation message. Therefore, with a small abuse of notation, we will denote as authentication capacity the secrecy capacity C_{A}, as the secret bits are those that prevent the AT from guessing the authentication message. For a practical implementation of this approach, existing wiretap codes can be used (see for example the survey papers [27] and [28]), with a variety of tradeoffs between wiretap performance, code length, and decoding complexity. Further investigation is also needed, though outside of the scope of this paper, on specific requirements of the wiretap codes for our scheme. Here, indeed, confidentiality is only instrumental to preventing prediction attack and the security metric is the success probability of the spoofing attack.
Infinite-length codewords and binary signaling: The analysis of the previous paragraph holds with the difference that C_{B} and C_{E} must be computed numerically using (31)–(33).
Finite-length codewords and Gaussian signaling: We still first assume Gaussian signaling. Due to the finite-length regime, (54) no longer holds. Considering a codeword prediction attack performed by the AT at symbol \(n<\bar {n}\), the probability of successful attack is upper-bounded as
where the second inequality comes from two facts:

a) q(Γ,R_{x},n) is a lower bound on the codeword error probability and
b) the bound (34) is based on the fact that the code is optimized for length \(\bar {n}\), while the AT attempts decoding after receiving n symbols, thus we have a further source of error by this mismatch.
The maximum comes from the fact that the success probability cannot be lower than \(2^{-R_{x}n}\), which corresponds to the complete random choice of the attack codeword.
Finite-length codewords and binary signaling: In this case, (61) still holds using (38)–(41).
Power optimization
We now aim at optimizing \(\sigma _{x}^{2}\), given a fixed power budget, i.e.,
This corresponds to choosing the trade-off between the power assigned to the authentication message and the AN, for a total additional power (with respect to the non-authenticated system) A. We consider two design criteria which lead to different optimization problems, aiming at increasing security against reference and prediction attacks, respectively.
Optimization against the reference attack
In this case, we want to maximize the protection against the reference attack, while also achieving a desired value for R_{x}, under power constraint (62). To this end, we choose an operating point Δ_{E}=ε, corresponding to the maximum tolerable synchronization error in standard operating conditions. Performance is then dictated by how fast Γ_{B}(Δ_{E}) decreases, when Δ_{E}≥ε, due to an ongoing attack that introduces an asynchronism larger than the expected maximum.
First, observe that when u(t) has a rectangular shape, Γ_{B}(Δ_{E}) is a monotonically decreasing function for 0≤Δ_{E}≤T_{c}, as shown in Appendix A. Then, we aim at minimizing the derivative of Γ_{B} around ε, so that the system is as sensitive as possible to unexpected synchronization errors. With a slight abuse of notation, we define the derivative of Γ_{B}(Δ_{E}) computed at ε as
where we highlight the derivative dependency on \(\sigma _{x}^{2}\) that we want to optimize. The problem then can be written as
where the second constraint ensures correctness at Δ_{E}=ε (still tolerable delay) for the case with infinite codeword length and Gaussian signaling.
We now solve the optimization problem. For ease of notation, let us rename the optimization variable as \(o \triangleq \sigma _{x}^{2}\). With algebraic computations, we have
where
By deriving f(o) and setting it to zero, we find the candidate solutions of the optimization problem. We have
and the only candidate point is
We now consider the constraints in (64). The power constraint has been eliminated by substituting \(\sigma _{\omega }^{2} = A-\sigma _{x}^{2}\) in (86), while the correctness constraints yield the upper bound
The feasible set is then the compact set \(\mathcal {E} = \{ \sigma _{x}^{2} \mid 0\leq \sigma _{x}^{2} \leq \min (\hat {\sigma }_{x}^{2},A) \}\). The solution of the overall optimization problem is the point \(\sigma _{\text {opt}}^{2}\), among o^{∗} and the extrema of \(\mathcal {E}\), providing the minimum value of f(·).
Authentication capacity maximization
In this case, we want to maximize the protection against prediction attacks, which, as we have seen, can be achieved by maximizing the secrecy rate given the power budget (62), i.e.,
where, again with a slight abuse of notation, we have highlighted the dependency of C_{A} on \(\sigma _{x}^{2}\). Note that \(C_{A}\left (\sigma _{x}^{2}\right) >0\) only if \(\sigma _{\omega }^{2} > \sigma _{w_{B}}^{2}\); therefore, we must have \(A > \sigma _{w_{B}}^{2}\).
For the AWGN channel, consider the case \(\sigma _{w_{q}}^{2}=0\), wherein VR and AT SNRs are
Exploiting the concavity of the logarithm, (69) is equivalent to
The objective function is now a downward-facing parabola; hence, the solution of (71) is
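An added numerical illustration of this power split, not code from the paper: it assumes the VR removes the AN completely (SNR \(\sigma_x^2/\sigma_{w_B}^2\)), the AT sees the AN as extra noise (SNR \(\sigma_x^2/(\sigma_\omega^2+\sigma_{w_E}^2)\)), and a noiseless AT by default. Under those assumptions the secrecy capacity depends on \(\sigma_x^2\) through the product \((\sigma_{w_B}^2+\sigma_x^2)(A-\sigma_x^2)\), whose vertex the grid search below is checked against; all function names are hypothetical.

```python
import math


def db_to_lin(db):
    """Convert a power value in dB to linear scale."""
    return 10 ** (db / 10)


def secrecy_capacity(sigma_x2, A, sigma_wB2, sigma_wE2=0.0):
    """C_A = [C_B - C_E]^+ in b/s/Hz for Gaussian signaling.

    Assumed model (not reproduced from the paper's equations):
    the AN power is what remains of the budget, sigma_omega^2 = A - sigma_x^2.
    """
    sigma_omega2 = A - sigma_x2
    if sigma_x2 <= 0 or sigma_omega2 < 0:
        return 0.0
    at_noise = sigma_omega2 + sigma_wE2
    if at_noise == 0:
        # No AN and a noiseless attacker: unbounded AT SNR, no secrecy left.
        return 0.0
    c_b = math.log2(1 + sigma_x2 / sigma_wB2)   # VR, AN cancelled
    c_e = math.log2(1 + sigma_x2 / at_noise)    # AT, AN acts as noise
    return max(0.0, c_b - c_e)


def closed_form_optimum(A, sigma_wB2):
    """Vertex of (sigma_wB2 + o)(A - o), valid for a noiseless AT."""
    if A <= sigma_wB2:
        return 0.0          # budget too small: C_A is zero for every split
    return (A - sigma_wB2) / 2


def grid_optimum(A, sigma_wB2, steps=20000):
    """Brute-force search over sigma_x^2 in [0, A]; returns (argmax, max)."""
    best_o, best_c = 0.0, 0.0
    for i in range(steps + 1):
        o = A * i / steps
        c = secrecy_capacity(o, A, sigma_wB2)
        if c > best_c:
            best_o, best_c = o, c
    return best_o, best_c


if __name__ == "__main__":
    # Constructed operating points: budgets in dB, VR noise power of -5 dB.
    noise = db_to_lin(-5)
    for a_db in (0, 3, 6, 10):
        A = db_to_lin(a_db)
        o_grid, c_grid = grid_optimum(A, noise)
        print(f"A={a_db:>2} dB  sigma_x2(grid)={o_grid:.4f}  "
              f"sigma_x2(vertex)={closed_form_optimum(A, noise):.4f}  "
              f"C_A={c_grid:.3f} b/s/Hz")
```
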
Results and discussion
We consider the transmission scenario of Fig. 1 with a single satellite. The ground channel is assumed error-free and with a large band. As for the Galileo signal, we assume N_{c} = 4,092 and T_{c}=10^{−6}/1.023 s [29]. The VR’s noise power is \(\sigma _{w_{B}}^{2}=0, -5\), or −10 dB, which are typical values for GNSS receivers [30]. For the AT, we assume \(\sigma _{w_{E}}^{2}=0\), i.e., a noiseless receiver, as a worst case for the authentication problem.
For the transmission chip u(t), we consider two options, shown in Fig. 4. In particular, u_{1}(t) is the chip pulse used in the Galileo E1b system [29], while u_{2}(t) is a chip pulse characterized by a smaller support, designed to make the authentication signal more fragile to synchronization errors, as discussed in Section 4.2. The design of u(t) can be further improved for a practical implementation, but this is left for future work.
As an example of the various issues that must be addressed in the design of the chip pulse beyond its sensitivity to synchronization errors, we consider here its occupied band, by showing in Fig. 5 the power spectral density (PSD) of x(t) modulated by the two chip pulses. We note that the new pulse has a similar PSD to the standard one, thus making u_{2}(t) a good candidate (at least regarding band occupation) for future GNSS systems. In the following, we will show the merits of u_{2}(t) for authentication purposes.
With reference to Sections 4, 5, and 6, we now provide various performance results.
Correctness analysis
About correctness, we have shown that it is related to the capability of the VR to correctly decode the authentication message sent by the satellite.
Infinite-length codewords: In this case, correctness is ensured as long as the rate of the authentication message R_{x} is below the capacity of the satellite-VR channel. Thus, we show the outage probability (29) for three propagation scenarios [19], namely, (1) urban area, vehicle mounted antenna, elevation 30°; (2) suburban area, vehicle mounted antenna, elevation 60°; and (3) intermediate tree shadowed area, elevation 80°.
Figure 6 shows P_{out} for the three scenarios in the case of Gaussian signaling, as a function of R_{x}. Note that a lower elevation (scenario 1) has more impact on the outage probability than differences in user motion settings, as the curves of scenarios 2 and 3 are closer to each other.
Similar results (omitted here for the sake of conciseness) are obtained for the case of binary signaling.
Finite-length codewords: For finite-length codewords, we have seen that there is a non-zero probability that the VR does not recognize as authentic the signal coming from the satellite, due to decoding errors in the authentication message.
Figure 7 shows the lower bound to the codeword error probability, \(q(\Gamma _{B},R_{x},\bar {n})\), as a function of \(\bar {n}\) for both Gaussian and binary signaling and Γ_{B}=1 dB. We observe that for a higher rate, the error probability increases, e.g., for \(\bar {n}~=~300\) (for Gaussian signaling) the probability of error goes from 2·10^{−3} to 2·10^{−2} when the rate is increased by 0.05 b/s/Hz.
Moreover, we observe that for Gaussian signaling, the codeword error rate decreases faster with \(\bar {n}\) than for binary signaling. Note however that the functions q(·) are approximations of bounds for codeword error probability [25]; therefore, the distance between the binary and the Gaussian case we read in the plots might not be exact.
Reference attack
As discussed in Section 4.2, the success of the reference attack depends on the delay between the authentication and the navigation message, as well as the operating conditions of the VR. We now consider the various signaling and coding configurations with AN power \(\sigma _{\omega }^{2}~=~0\) dB and VR’s noise power \(\sigma _{w_{B}}^{2}~=~-5\) dB.
Infinite-length codewords: Figures 8 and 9 show C_{B}′ vs the attack delay Δ_{E} for both Gaussian and binary signaling, and for chip pulse u_{1}(t) and u_{2}(t). We observe that with u_{1}(t) (Galileo system), the capacity drops to zero for Δ_{E}>0.2 T_{c}, while with u_{2}(t) (proposed pulse) having a more compact support, the capacity drops to zero already for Δ_{E} = 0.15 T_{c}. Therefore, with the proposed chip, we can detect a reference attack inducing even smaller delays. Moreover, as observed earlier, binary and Gaussian signaling provide similar performance.
Note that by setting the coding rate R_{x} below \(C_{A}(\Delta _{\mathrm {E}}^{*})~=~0\), we have that an attack with delay \(\Delta _{\mathrm {E}}>\Delta _{\mathrm {E}}^{*}\) is detected as, from the converse theorem on capacity, the codeword error probability of the VR tends to 1 as \(\bar {n}\) tends to infinity. Note however, that the choice of R_{x} must also take into account the sensitivity of VR to synchronization errors in normal operation (i.e., when the received signal is coming from the satellite), in order to avoid false alarms.
Finite-length codewords: For finite-length codewords, Gaussian signaling, and \(\sigma _{w_{B}}^{2} = -5\) dB, the reference attack is successful with non-zero probability. Figures 10 and 11 show the upper bound to the attack success probability \(1-q(\Gamma _{B}'(\Delta _{\mathrm { E}}),R_{x},\bar {n})\) (see (47)). We note the impact of the attack delay Δ_{E} on the error probability P_{e}. The two symmetric lobes are due to the particular structure of pulses u_{1}(t) and u_{2}(t) that exhibit positive values in the first half chip and negative values in the second half. Also in this case, u_{2}(t) is more robust than u_{1}(t) against the reference attack, yielding an attack success probability lower than 10^{−10} for 0.3<Δ_{E}/T_{c}<0.8. Similar considerations hold for the binary signaling case, omitted here for the sake of conciseness.
Prediction attacks
We have seen that the prediction attacks are more powerful than the reference attack, given a successful x(t) prediction. In this section, we evaluate P_{pred}, as defined in (52), for various system configurations. In particular, for the blind prediction attack, P_{pred} is a simple exponential function of \(\bar {n}\) and R_{x}, thus we omit showing it, and we focus on the codeword prediction attack that also depends on the device operating conditions.
Figure 12 shows P_{pred} as a function of \(\sigma _{\omega }^{2}\) and \(\bar {n}~=~250\) for the codeword prediction attack. We consider R_{A}=C_{B}−C_{E} with capacities given by Gaussian (marked lines) and binary (without markers) signaling, for three values of \(\sigma _{w_{B}}^{2}\). In general, we observe that the Gaussian signaling offers more protection against the codeword prediction attack than binary signaling. However, the difference with the binary signaling becomes less relevant as \(\sigma _{w_{B}}^{2}\) increases.
We now assess the impact of the number of quantization bits b on P_{pred}, see (58), for the PLA scheme with R_{A}=C_{A} and C_{B} given by (27). Figure 13 shows P_{pred} as a function of \(\sigma _{\omega }^{2}\) for different values of b, with b=∞ corresponding to no quantization of the AN. We can see that a lower b requires the system to work with a higher \(\sigma _{\omega }^{2}\) in order to keep a desired level of P_{pred}. However, note how performance rapidly approaches b = ∞, as soon as b increases, suggesting that implementations with a reasonably low b are close to optimal.
Power optimization
In this section, we consider the power optimizations of Section 6.
Reference attack: For the optimization against the reference attack, Fig. 14 shows \(f\left (\sigma ^{2}_{\text {opt}}\right)\), (see (63)) as a function of A for three values of \(\sigma _{w_{B}}^{2}\). We note that for an increasing power budget A, we can make the system more sensitive to synchronization errors, which corresponds to having a smaller \(f\left (\sigma ^{2}_{\text {opt}}\right)\).
Figure 15 shows \(\sigma _{\text {opt}}^{2}\) as a function of A and three values of \(\sigma _{w_{B}}^{2}\). In general, we need to spend more power on the authentication message rather than on AN. For a small A, we actually do not need AN (thus \(\sigma _{\text {opt}}^{2}~=~A\)). This corresponds to the candidate point o^{∗} in (67) being outside the feasible set \(\mathcal {E}\).
Prediction attacks: Figure 16 shows the authentication capacity (59) as a function of the power constraint A for different values of \(\sigma _{w_{B}}^{2}\). The power of the AN is chosen according to (72) and Gaussian signaling is assumed (see Section 6.2). We recall that in our model, the navigation signal has unitary power, i.e., A = 0 dB implies that we are using the same amount of power for both the navigation and authentication components. Note that a 0 dB thermal noise power yields zero authentication capacity for A = 0 dB, and we thus need A > 2.2 dB to obtain a positive C_{A}.
Conclusions
In this work, we proposed a novel authentication protocol, and we showed that the proposed solution effectively authenticates a navigation message. We analyzed the protocol performance under various transmission constraints, such as finite-length codewords, binary signaling and power constraints. We conclude that the proposed strategy is effective in providing authentication of the Galileo signal, preventing the reference attack for Gaussian signaling and significantly lowering the success of attacks for finite-length codewords and finite signaling. We also considered prediction attacks specifically targeting the PLA, showing how the unpredictability of the AN further increases its security.
Appendix A: Derivation of interference coefficients for the reference attack
The interference coefficients in (43) are given by
For the residual quantization error \(w_{k,\epsilon }^{(q)}\), we have
and thus
The power of \(w_{k,\epsilon }^{(q)}\) is
where \(\mathbb {E} \left [{\cdot }\right ]\) is the expectation operator. Considering perfect quantization, i.e., \(\omega _{k}=\mathcal {Q}(\omega _{k})\), \(\omega _{k,\epsilon }\) and ω_{k} are two correlated Gaussian random variables. Note that
Now we have
where the second line comes from (77), the third line comes from the linearity of the expectation, and we considered k = 0 in the integral limits for the noise stationarity. Since ω(t) is a white Gaussian process, by definition the inner expected value becomes
where δ(·) is the continuous time impulsive function. Due to the integral properties of δ(·), (80) becomes
where the result of the integral ν_{ε} only depends on ε and the transmitter and receiver pulses. Note that if ε = 0, then ω_{k} = ω_{k,ε} and \(w_{k,\epsilon }^{(q)}~=~0\). Moreover, for a high ε, the correlation between ω_{k} and ω_{k,ε} decreases; if ε exceeds T_{s}, the two variables become uncorrelated (ν_{ε} = 0), since they insist on disjoint intervals of ω(t). Under these conditions, \(\sigma _{w_{q,\Delta }}^{2}=2\sigma _{\omega }^{2} (1-\nu _{\epsilon })\).
We now show that Γ_{B} is a monotonically decreasing function for 0≤Δ_{E}≤T_{c}, when u(t) has a rectangular shape. From (73), we get
where
Note that A_{2}≤0, therefore α decreases with Δ_{E}. By definition of ν_{ε} in (82), we also get α=ν since the symmetry of the rectangular shape we are considering yields the same expression for the correlation integral. Similarly, from (74) we get
where β is an increasing function of Δ_{E}. By definition of Γ_{B}, we have
where the numerator is a decreasing function of Δ_{E} and the denominator is an increasing function of Δ_{E}. It follows that Γ_{B}(Δ_{E}) is a monotonically decreasing function of Δ_{E}.
Notes
1. Note that indeed the AN signal ω(t) can be directly generated at the satellite. Note also that the satellite must transmit the quantized AN samples to the ground segment.
Abbreviations
AN: Artificial noise
AT: Attacker
AWGN: Additive white Gaussian noise
BPSK: Binary phase shift keying
CDF: Cumulative distribution function
FEA: Forward estimation attack
FEC: Forward error correction
iid: Independent and identically distributed
IT: Information theory
LMS: Land mobile satellite link
LOS: Line of sight
NMA: Navigation message authentication
MC: Markov chain
PDF: Probability density function
PLA: Physical layer authentication
PSD: Power spectral density
PSK: Phase shift keying
SCER: Security code estimation and replay
SNR: Signal to noise ratio
VR: Victim receiver
References
1. D. P. Shepard, T. E. Humphreys, A. A. Fansler, Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks. Int. J. Crit. Infrastruct. Prot. 5(3–4), 146–153 (2012).
2. K. D. Wesson, D. P. Shepard, J. A. Bhatti, T. E. Humphreys, An evaluation of the vestigial signal defense for civil GPS anti-spoofing, in Radionavigation Laboratory Conference Proceedings (University of Texas, Austin, 2011).
3. D. M. Akos, Who’s afraid of the spoofer? GPS/GNSS spoofing detection via automatic gain control (AGC). Navig. J. Inst. Navig. 59(4), 281–290 (2012).
4. A. Cavaleri, B. Motella, M. Pini, M. Fantino, Detection of spoofed GPS signals at code and carrier tracking level, in Satellite Navigation Technologies and European Workshop on GNSS Signals and Signal Processing (NAVITEC), 2010 5th ESA Workshop on (IEEE, Noordwijk, 2010), pp. 1–6.
5. M. Cuntz, A. Konovaltsev, M. Heckler, A. Hornbostel, L. Kurz, G. Kappen, T. Noll, Lessons learnt: The development of a robust multi-antenna GNSS receiver, in Proc. ION GNSS, vol. 2010 (Oregon Convention Center, Portland, 2010), pp. 21–24.
6. E. Axell, M. Alexandersson, T. Lindgren, Results on GNSS meaconing detection with multiple COTS receivers, in Localization and GNSS (ICL-GNSS), 2015 International Conference on (IEEE, Gothenburg, 2015), pp. 1–6.
7. E. Axell, E. G. Larsson, D. Persson, GNSS spoofing detection using multiple mobile COTS receivers, in Acoustics, Speech and Signal Processing (ICASSP), 2015 IEEE International Conference on (IEEE, Brisbane, 2015), pp. 3192–3196.
8. P. Levin, D. S. De Lorenzo, P. K. Enge, S. C. Lo, Authenticating a signal based on an unknown component thereof, June 28 2011. US Patent 7,969,354.
9. B. W. O’Hanlon, M. L. Psiaki, J. A. Bhatti, D. P. Shepard, T. E. Humphreys, Real-time GPS spoofing detection via correlation of encrypted signals. Navigation. 60(4), 267–278 (2013).
10. A. J. Kerns, K. D. Wesson, T. E. Humphreys, A blueprint for civil GPS navigation message authentication, in Position, Location and Navigation Symposium-PLANS 2014, 2014 IEEE/ION (IEEE, Monterey, 2014), pp. 262–269.
11. L. Scott, Anti-spoofing & authenticated signal architectures for civil navigation systems, in Proceedings of the 16th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS/GNSS 2003) (Oregon Convention Center, Portland, 2001), pp. 1543–1552.
12. J. T. Curran, C. O’Driscoll, Message authentication as an anti-spoofing mechanism (2017). Technical report, Working Paper. researchgate.net.
13. G. Caparra, S. Ceccato, N. Laurenti, J. Cramer, Feasibility and limitations of self-spoofing attacks on GNSS signals with message authentication, in Proc. of the 30th International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS+ 2017), Portland, OR (2017), pp. 3968–3984.
14. T. E. Humphreys, Detection strategy for cryptographic GNSS anti-spoofing. IEEE Trans. Aerosp. Electron. Syst. 49(2), 1073–1090 (2013).
15. E. Jorswieck, S. Tomasin, A. Sezgin, Broadcasting into the uncertainty: Authentication and confidentiality by physical-layer processing. Proc. IEEE. 103(10), 1702–1724 (2015).
16. X. Wu, Z. Yang, C. Ling, X. G. Xia, Artificial-noise-aided message authentication codes with information-theoretic security. IEEE Trans. Inf. Forensics Secur. 11(6), 1278–1290 (2016).
17. F. Formaggio, S. Tomasin, G. Caparra, S. Ceccato, N. Laurenti, Authentication of Galileo GNSS signal by superimposed signature with artificial noise, in Proc. IEEE 2018 26th European Signal Processing Conference (EUSIPCO) (Rome, 2018), pp. 2573–2577.
18. W. Stallings, Cryptography and network security: Principles and practice (Pearson, Upper Saddle River, 2017).
19. F. P. Fontan, M. Vázquez-Castro, C. E. Cabado, J. P. Garcia, E. Kubista, Statistical modeling of the LMS channel. IEEE Trans. Veh. Technol. 50(6), 1549–1567 (2001).
20. C. Loo, A statistical model for a land mobile satellite link. IEEE Trans. Veh. Technol. 34(3), 122–127 (1985).
21. J. E. Gentle, Random number generation and Monte Carlo methods (Springer Science & Business Media, New York, 2006).
22. H. Niederreiter, Random number generation and quasi-Monte Carlo methods, vol. 63 (Society for Industrial & Applied Mathematics, US, 1992).
23. P. L’Ecuyer, Handbook of Computational Statistics (Springer, Berlin, 2012).
24. T. Erseghe, On the evaluation of the Polyanskiy–Poor–Verdú converse bound for finite blocklength coding in AWGN. IEEE Trans. Inf. Theory. 61(12), 6578–6590 (2015).
25. T. Erseghe, Coding in the finite-blocklength regime: Bounds based on Laplace integrals and their asymptotic approximations. IEEE Trans. Inf. Theory. 62(12), 6854–6883 (2016).
26. M. Bloch, J. Barros, Physical-layer security: from information theory to security engineering (Cambridge University Press, 2011).
27. M. Hayashi, R. Matsumoto, Construction of wiretap codes from ordinary channel codes (2010). arXiv preprint arXiv:1001.1197.
28. W. K. Harrison, J. Almeida, M. R. Bloch, S. W. McLaughlin, J. Barros, Coding for secrecy: An overview of error-control coding techniques for physical-layer security. IEEE Signal Proc. Mag. 30(5), 41–50 (2013).
29. I. Galileo, Galileo open service, signal in space interface control document (OS SIS ICD) (2008). European space agency/European GNSS supervisory authority.
30. A. Joseph, GNSS solutions: Measuring signal strength (2010). GNSS insidegnss.com.
Acknowledgements
No acknowledgements.
Funding
No specific funding.
Availability of data and materials
No data is available.
Author information
Contributions
The contribution of this paper consists in the proposal and analysis of a novel authentication scheme for the authentication of GNSS signals. Both authors contributed significantly in writing the manuscript and they read and approved the final version.
Corresponding author
Correspondence to Francesco Formaggio.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Keywords
 Artificial noise
 Authentication
 Global navigation satellite system
 Physical layer security
 Wiretap coding