Authentication of Satellite Navigation Signals by Wiretap Coding and Artificial Noise

To combat the spoofing of global navigation satellite system (GNSS) signals, we propose a novel approach for satellite signal authentication based on information-theoretic security. In particular, we superimpose on the navigation signal an authentication signal containing a secret message corrupted by artificial noise (AN), still transmitted by the satellite. We impose the following properties: a) the authentication signal is synchronous with the navigation signal, b) the authentication signal is orthogonal to the navigation signal, and c) the secret message is undecodable by the attacker due to the presence of the AN. The legitimate receiver synchronizes with the navigation signal and stores the samples of the authentication signal with the same synchronization. After the transmission of the authentication signal, additional information is made public through a separate public asynchronous authenticated channel (e.g., a secure Internet connection), allowing the receiver to a) decode the secret message, thus overcoming the effects of AN, and b) verify the secret message. We assess the performance of the proposed scheme by the analysis of both the secrecy capacity of the authentication message and the attack success probability, under various attack scenarios. A comparison with existing approaches shows the effectiveness of the proposed scheme.


I. INTRODUCTION
Global navigation satellite system (GNSS) offers positioning and timing services to an increasing variety of users and applications. The spoofing of GNSS designates the induction of false ranging measurements to a legitimate user by an attacker. One of the simplest spoofing techniques is meaconing, i.e., the interception and re-broadcast of navigation signals so that the victim computes the ranging estimate based on the spoofer location. More sophisticated versions of this attack selectively forge delayed versions of the ranging signals so that the spoofer can induce any position estimate at the victim.
Detection techniques proposed in [1], [2] exploit differences between the satellite and the spoofed signal, while [3] exploits the receiver's automatic gain control to detect sudden variations of received power due to a spoofing attack. Using multiple antennas at the receiver can also increase the detection performance [4] by estimating the angle of arrival of the received signals [5], [6]: this forces the spoofer not only to compute selective delays for each transmitted signal, but also to know the angles of arrival and departure of the signal. A further option to make spoofing attacks more difficult is the inclusion in GNSS signals of data that are (partially) unpredictable at the receiver: in this case the attacker needs to predict the data signals in order to produce a counterfeit signal. These defence strategies come under the name of navigation message authentication (NMA), which aims at authenticating the navigation data, so that the receiver can verify that the received signals come from the legitimate satellite. This mechanism is based on cryptography, and proposals include both symmetric-key [7], [8] and asymmetric-key [9], [10] encryption. However, typically the data signal includes forward error correction (FEC) redundancy bits that ease the prediction of the data codeword from its partial observation. This leads to the forward estimation attack (FEA) introduced in [11] and further analysed in [12].
Moreover, encrypted chip values can be estimated and replayed based on received samples [13].
Authentication can also be performed at the physical layer. A general analysis and evaluation framework is presented in [14], while a recent overview of physical layer authentication methods can be found in [15]. Typically, authentication methods are classified into key-based and key-less methods: in key-less methods users are authenticated by verifying that messages of the same user are transmitted through the same (initially authenticated) channel [16], [17]. An artificial noise (AN) aided message authentication code is proposed where the AN is quantized and transmitted above the physical layer.
April 19, 2018 DRAFT
In this paper we propose a novel approach for the authentication of satellite navigation signals based on information-theoretic security. We propose to superimpose on the navigation signal an authentication signal corrupted by AN, still transmitted by the satellite with the following properties: a) the authentication signal is synchronous with the navigation signal, b) the authentication signal is orthogonal to the navigation signal and c) the secret message is undecodable by the attacker due to the presence of the AN. In [18] AN is also used on top of an authentication tag, but no requirements are imposed on synchronism and the system model is different. In our model, instead, the legitimate receiver synchronizes with the navigation signal and stores the samples of the authentication signal with the same synchronization. After the transmission of the authentication signal, through a separate public asynchronous authenticated channel (e.g. a secure Internet connection) both the AN and the secret message are provided to users who can a) decode the authentication signal, thus overcoming the effects of AN, and b) verify the content of the authentication message, thus authenticating it. Our scheme is based on a key, as users are authenticated by verifying a shared secret (the authentication message). However, we perform the key-sharing process after the message has been received.
With respect to [18], we apply AN at the physical layer and we cancel it before decoding, leveraging information-theoretic security approaches. With respect to [27], which still proposes to superimpose an AN-corrupted authentication signal, we include here coding within the framework of wiretap coding.
Moreover, key-based authentication schemes prevent replay attacks by using timestamps. In the navigation context no reliable timing is available before authentication, therefore time-stamping is not viable. Moreover, the navigation message is basically already known at the receiver and we must indeed authenticate its timing. Therefore, we synchronize the navigation and authentication message components so that a spoofing signal will be asynchronous w.r.t. the authentication component, thus directly authenticating the timing.
We analyse the performance of the proposed scheme using information-theoretic security tools for a navigation signal received from a single satellite. We obtain the number of unpredictable bits per transmitted symbol of the secret message even when the spoofer has access to a noiseless navigation signal (still corrupted however by AN). The impact of synchronization errors (due to an ongoing spoofing attack) on the authentication system is discussed, and codeword prediction attacks are analysed in terms of success probability. Numerical results are presented showing the effectiveness of the proposed authentication technique against spoofing attacks also considering various chip pulses for both navigation and authentication spread-spectrum signals.
The rest of the paper is organized as follows. Section II introduces both the system model and the attack strategies. In Section III we propose the novel authentication protocol, whose design and performance analysis are considered in Section IV. Numerical results to support the authentication solution are presented in Section V before conclusions are drawn in Section VI.

II. SYSTEM MODEL
Fig. 1 shows our reference scenario with a single satellite. Existing systems such as GPS and GALILEO include a satellite (Alice) offering positioning services via a broadcast transmission to both the legitimate receiver (Bob) and the spoofer (Eve), both assumed to be on the earth.
In a spoofing attack Eve transmits a signal that mimics that of the satellite Alice to induce Bob to estimate a wrong position or timing. We also have a fourth entity, represented by the ground segment, i.e., the navigation control center on the earth that is controlling the satellite and can legitimately modify the navigation or authentication signal.
In particular we focus on Galileo GNSS [19] for civil use transmitted in the E1 band. The E1 band comprises two signals, data and pilot, added together and distinguishable thanks to different pseudo-random spread-spectrum sequences called ranging codes [19]. We focus here on the authentication of the data signal and ignore the pilot signal. The data signal carries the unitary power binary data stream $d_i$ with symbol period $T_s$ and can be written as where is the spreading pulse with chip period $T_c = T_s/N_c$, spreading sequence $c_i = \pm 1/\sqrt{N_c}$, $i = 0, \ldots, N_c - 1$, and unitary-energy chip pulse u(t), therefore p(t) has unitary power. In the Galileo system the chip pulse is a sequence of signed rectangular functions with finite support $T_c$ [19].
We also propose an improvement of existing systems with the addition of a (public) authenticated channel from the ground segment that allows Bob to be sure that messages over this channel are not forged by Eve. The information carried by the authenticated channel is available to all users, including Eve. Therefore, our model comprises three types of communication channels: the wireless navigation channel from the satellite, the authenticated channel from the ground segment and the attack channel from Eve.

1) Navigation and attack channel:
The navigation channel connects the satellite to users and is the means through which the signal $s_A(t)$ transmitted by Alice propagates. As shown in Fig. 1, we have two navigation channels: one from Alice to Eve, and the other from Alice to Bob. The attack channel connects Eve to Bob and carries the spoofing signal $s_E(t)$.
In an additive white Gaussian noise (AWGN) channel, as typically considered in satellite navigation systems, the signals received by Bob and Eve are where $w_B(t)$ and $w_E(t)$ are the zero-mean AWGN signals with power $\sigma^2_{w_B}$ and $\sigma^2_{w_E}$, respectively. Moreover, $s_E(t)$ in (3) denotes the attack signal by Eve. Note that (4) may hold at different times, as Eve in general may alternate phases in which she receives the signal from the satellite and transmits the spoofing signal. In the current standard $s_A(t) = p(t)$.
2) Authenticated channel: We assume that the ground segment can communicate with all the users through an authenticated data channel. The authenticated channel is assumed to be of large (infinite) bandwidth, provided for example through an Internet connection. The authentication is ensured by higher layer authentication protocols [22] (such as HTTPS). We assume Eve has no control over the information travelling on the authenticated channel and, thus, she cannot modify it. Moreover, as no fine time synchronization is available on the authenticated channel, it is not useful for ranging purposes.

A. Attack Models
Eve's objective is to forge a navigation signal, send it to Bob and let him believe it was transmitted by Alice. In this work we model Eve's behaviour with four attacks [11], [12], [13].
1) Forward estimation attack: Although NMA can be used to introduce unpredictability, eventually all data bits will go through channel encoding. Eve can then exploit redundancy to guess the whole codeword by just looking at a fraction of the codeword itself [11]. In this case Eve observes a few symbols $d_i$ and then predicts the rest of the codeword.
2) Delay attack: All bits in the current Galileo navigation message (e.g. ephemeris, navigation data, clock synchronization bits) are predictable and publicly available to download, therefore the entire codeword is predictable. In this case Eve knows in advance the signal transmitted by Alice and can superimpose a powerful time-shifted version $s_E(t)$ of this signal to Alice's signal. Bob will synchronize on the strongest signal and then acquire the timing chosen by Eve. As a consequence Eve will be able to induce the desired (false) ranging on Bob by properly choosing the time shift. Assume now that Eve is able to predict the legitimate signal with a delay $\Delta$. Eve can transmit noise to Bob up to time $\Delta$, and then the properly delayed signal. With this technique $s_E(t)$ can also be chosen in order to remove $s_A(t)$.
3) Symbol prediction attack: In this attack Eve works at the waveform level. The chip pulse u(t) (perfectly predictable [19]) can be estimated by Eve on a sample by sample basis. Thus, assuming a noiseless reception ($\sigma^2_{w_E} = 0$), by reading a small time portion $\Delta$ of $r_E(t)$, Eve can predict the whole symbol. In the literature this attack is also known as security code estimation and replay (SCER) attack [13] when dealing with ranging signals protected by cryptography (and usually considering $\sigma^2_{w_E} > 0$).
4) Replay attack: In the replay attack Eve retransmits to Bob the received signal instantly, right after reception, with arbitrary power. Therefore, the replayed signal contains also the non-predictable components x(t) and $w^*(t)$, thus differing from the legitimate signal only by the noise possibly introduced by Eve's front-end. In this paper we do not analyse the replay attack since we consider the worst case scenario in which $\sigma^2_{w_E} = 0$, therefore the malicious received signal is mathematically indistinguishable from the legitimate one and the replay attack would always succeed (no matter which authentication procedure is used).

III. AUTHENTICATION PROTOCOL
The proposed protocol comprises two phases: in the first phase Alice superimposes on the ranging signal p(t) a synchronous authentication signal x(t) carrying a message V and an AN signal $w^*(t)$ that prevents the predictive attacks. Both the AN and the message V are generated by the ground segment and conveyed to Alice through a secure authenticated channel. In the second phase the AN and the message V are revealed to Bob (and Eve), through the authenticated channel. Bob removes the AN from the originally received signal, decodes the authentication message and checks its correspondence with V to confirm the authenticity of the received signal.
We now detail the operations carried out in the two phases.
Finally the chip pulse u(t) is used to obtain the continuous time signal In order to guarantee the secrecy of message V, we use AN superimposed on x(t), whose power is chosen such that even if Eve has a noiseless receiver, she cannot decode (and predict) V (see Section IV for details). The characteristics of $w^*(t)$ will be specified in Section III-A. The signal is superimposed on the ranging signal p(t) and the signal transmitted by Alice becomes Both authentication and AN signals are chosen orthogonal to the ranging signal, i.e., the despreading of these signals through the spreading code used for the ranging signal provides a null signal. This is achieved by using an orthogonal spreading code for the authentication signal and projecting the AN on the orthogonal space to the ranging signal, as detailed in Section III-A. In particular, for the authentication signal the spreading signal $c_{A,i}$ is chosen to ensure orthogonality with sequence $c_i$ used for p(t). Therefore, a legacy receiver is not affected by the new superimposed signals.
The signals received by Bob and Eve on the AWGN channels are still given by (3) and (4) with the new transmitted signal $s_A(t)$ of (8). Bob acquires the synchronization on signal p(t), samples and despreads the received signal with sequence $c_{A,i}$ as shown in Fig. 3 to obtain the equivalent discrete-time despread signal, which in the absence of attack is where $z_k = x_k + w^*_k$. The noise samples are still independent and identically distributed (iid) with zero mean and powers $\sigma^2_{w^*}$ and $\sigma^2_{w_B}$ respectively and where Note that we have omitted in (9) the navigation signal component as it is orthogonal to z(t).
Similarly also Eve obtains $\hat{x}_{E,k}$ and her signal to noise ratio (SNR) is since in the first phase she does not know the AN.
Second phase: In the second phase a) Alice transmits information on V and the AN on the authenticated channel and b) Bob processes the signal received in the first phase according to the scheme of Fig. 3. Note that the AN samples $w^*_k$ can be taken from a finite alphabet to simplify their transmission over the authenticated channel. Otherwise, even when $w^*_k$ is a continuous valued random variable, the ground segment quantizes $w^*_k$ into $Q(w^*_k)$ using b bits and sends it over the authenticated channel. The parameter b must be chosen as a trade-off between performance and cost. Here we focus on this latter quantization option.
In the absence of attack and perfect synchronization the quantization error is with zero mean and power $\sigma^2_{w_q}$. In the following we approximate the residual quantization error as Gaussian, as is common practice in the literature. Together with $w^*_k$ the ground segment also reveals the original message V.
As shown in Fig. 3 Bob subtracts from the signal received in phase 1 $r_B(t)$ the quantized AN received through the authenticated channel obtaining the signal Bob detects and decodes the message $\hat{V}$ from the received signal $\hat{x}_k$. If $\hat{V} = V$ Bob declares that the authentication signal comes from Alice and the ranging signal is also authentic. Otherwise Bob generates an exception and the ranging signal is declared not authentic. Since both sample and frame synchronizations are obtained from p(t), we design the signal such that any misalignment between p(t) and x(t) results in an error of the decoded message V, thus revealing the attack (see Section IV-C). Note that with perfect reconstruction, i.e., without quantization,

A. Correctness and Security Properties
The correctness of the protocol is the ability to properly authenticate the navigation signal coming from Alice. This happens if $\hat{V} = V$ when Alice is transmitting: we must ensure that V is decodable after phase two, i.e., after the reception of the side signal on the authenticated channel.
The security of the proposed protocol is ensured when Eve is not able to decode V in the first phase, and in particular some bits are completely unknown to her (thus having probability 0.5 each of being equal to 0 or 1). In this case Eve will not be able to generate the authentication signal to deceive Bob.
The two conditions of correctness and security correspond to those of a wiretap transmission scenario [21]. Specifically the legitimate received signal is $\hat{x}_k$ in (17), over which we require authenticity; the malicious received signal is $\hat{x}_{E,k}$ in (13), over which we require secrecy.
From the correctness and security analysis we obtain the following requirements for the proposed authentication protocol:
1) Orthogonality between z(t) and p(t). For the AN we first generate a stationary Gaussian process w(t) with $0 \le t \le T_s$ and then project on the energy-normalized version of p(t), i.e. with Orthogonality of x(t) and p(t) is instead obtained when spreading sequences $c_i$ and $c_{A,i}$ are orthogonal. This requirement ensures that the authentication signal does not interfere with the navigation signal, thus not affecting a legacy receiver not implementing the authentication features. For the same reason also $w^*(t)$ must be orthogonal to p(t).
2) Secrecy of the message V to Eve. The authentication message must not be known to Eve during the first phase, a condition that can be written as where $I(\cdot\,;\cdot)$ denotes the mutual information function. Note that (22) implies also $I(V; r_B(t)) = 0$ when Eve has a better channel than Bob ($\sigma^2_{w_E} < \sigma^2_{w_B}$). In this way we guarantee that in the first phase Eve is not able to correctly decode x(t) [21] as she operates above the channel capacity, thus preventing prediction attacks.
3) Authenticity in the second phase. We must ensure that Bob is able to decode $\hat{V}$ in the second phase and match it with V, received through the authenticated channel, i.e., where $P[\cdot]$ denotes the probability.

4) Synchronization. Since x(t) and p(t) are orthogonal, Eve can always distinguish between the two messages and operate a predictive attack on p(t). She can delay or anticipate p(t) without interfering with the authentication procedure. We must then require x(t) to be synchronized to p(t) so that a delay in the latter would reveal the attack.
Secrecy and synchronization requirements deal with the security metric of the protocol since they both aim at maintaining V secret from Eve. Reliability and authenticity instead deal with correctness since they are the necessary conditions to let Bob properly decode V and authenticate p(t).

Remark: An alternative formulation of the authentication protocol does not require the feedback of the message V through the authenticated channel. In this case Bob decodes the received codeword and decides on the authenticity of $\hat{V}$ based on a threshold over the soft information output of the decoder. Note in fact that for a forged authentication signal, the cancellation of the AN (still provided through the authenticated channel) would actually add significant noise (as Eve cannot use the correct AN), thus making the decoding hard. Therefore, if the likelihood (provided by the decoding algorithm) of $\hat{V}$ is below the threshold, Bob declares $\hat{V}$ as not authentic, since it may have been the result of a guessing attack by Eve. This approach, however, requires the optimum threshold level to ensure given false alarm and missed detection probability values, which will depend also on the length of the codewords.
Another possibility is to apply hypothesis testing to the signal received by Bob, discriminating between the legitimate received signal and the received signal under spoofing attack [27]. This approach also requires finding the optimum threshold level for given false alarm and missed detection probability values.
With the authentication protocol presented in this paper, instead, there is no need for a threshold, since the authenticity check is performed simply by checking if the two messages $V$ and $\hat{V}$ are equal.
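The two phases, the orthogonality requirement and the synchronization requirement can be exercised in a small chip-level simulation. This is an added example, not the authors' code: it assumes 64 chips per symbol, spreading codes built from two Hadamard rows under a common random cover, unquantized AN, and BPSK with an 8-fold repetition standing in for the wiretap code; all function names are hypothetical.

```python
import math
import random

NC = 64   # chips per symbol (constructed value; the paper uses N_c = 4092)
REP = 8   # repetition factor standing in for the channel code (assumption)

def hadamard_row(r, n):
    """Row r of the n x n Sylvester-Hadamard matrix (n a power of two)."""
    return [1 - 2 * (bin(r & j).count("1") & 1) for j in range(n)]

def make_codes(rng):
    """Unit-norm ranging code c and authentication code c_A with c . c_A = 0."""
    cover = [rng.choice((-1, 1)) for _ in range(NC)]  # common random cover
    scale = 1 / math.sqrt(NC)
    c = [h * s * scale for h, s in zip(hadamard_row(3, NC), cover)]
    c_a = [h * s * scale for h, s in zip(hadamard_row(5, NC), cover)]
    return c, c_a

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def satellite_phase1(V, nav_bits, c, c_a, an_power, rng):
    """Alice: chip stream p + x + w*, and the despread AN samples kept for phase 2."""
    stream, an_samples = [], []
    symbols = [1 - 2 * b for b in V for _ in range(REP)]  # BPSK, bit 0 -> +1
    for d, x in zip(nav_bits, symbols):
        w = [rng.gauss(0, math.sqrt(an_power)) for _ in range(NC)]
        proj = dot(w, c)
        w_star = [wi - proj * ci for wi, ci in zip(w, c)]  # AN made orthogonal to c
        stream += [d * ci + x * ai + wi for ci, ai, wi in zip(c, c_a, w_star)]
        an_samples.append(dot(w_star, c_a))
    return stream, an_samples

def despread(stream, code, delay=0):
    """Correlate each symbol window, offset by `delay` chips, with `code`."""
    padded = stream + [0.0] * delay
    n_sym = len(stream) // NC
    return [dot(padded[k * NC + delay:(k + 1) * NC + delay], code)
            for k in range(n_sym)]

def decode(samples):
    """Soft-combine REP samples per bit, then take a hard decision."""
    return [0 if sum(samples[i:i + REP]) >= 0 else 1
            for i in range(0, len(samples), REP)]

def bob_phase2(received, an_revealed, V, c_a, delay=0):
    """Bob: cancel the revealed AN from stored samples, decode, accept iff V_hat == V."""
    cleaned = [y - w for y, w in zip(despread(received, c_a, delay), an_revealed)]
    return decode(cleaned) == V

def eve_phase1_guess(stream, c_a):
    """Eve in phase 1: noiseless receiver, but the AN is still unknown to her."""
    return decode(despread(stream, c_a))

def run_demo(seed=1):
    rng = random.Random(seed)
    c, c_a = make_codes(rng)
    V = [rng.randint(0, 1) for _ in range(64)]          # constructed secret message
    nav = [rng.choice((-1, 1)) for _ in range(len(V) * REP)]
    an_power, bob_noise = 10.0, 0.1   # AN power 10 dB, Bob's noise power -10 dB
    stream, an = satellite_phase1(V, nav, c, c_a, an_power, rng)
    received = [s + rng.gauss(0, math.sqrt(bob_noise)) for s in stream]
    # A legacy receiver despreads with c only and must see the navigation bits untouched.
    legacy_err = max(abs(y - d) for y, d in zip(despread(stream, c), nav))
    return {
        "legacy_error": legacy_err,
        "bob_accepts": bob_phase2(received, an, V, c_a),
        "eve_recovers_V": eve_phase1_guess(stream, c_a) == V,
        # Delay attack: Bob locked to a spoofed ranging signal 3 chips late. The spoofed
        # ranging signal itself is orthogonal to c_A at Bob's timing, so it is omitted.
        "accepts_delayed": bob_phase2(received, an, V, c_a, delay=3),
    }

if __name__ == "__main__":
    print(run_demo())
```

With a misaligned window the revealed AN no longer matches what Bob despread, so the cancellation adds noise instead of removing it and the equality check on V fails.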

IV. PROTOCOL PERFORMANCE ANALYSIS
We now analyse both the correctness and the security of the proposed algorithm against various kinds of attacks. In particular, we consider FEA under the hypothesis of both infinite-length and finite-length codewords. We analyse also a simple attack in which Eve only replaces the navigation signal with a spoofed delayed one, breaking the synchronization between the authentication and the navigation signals.

A. Forward Estimation Attack - Infinite-length Codewords
We consider here the forward estimation attack with ideal signalling, i.e., when codewords have infinite lengths and a real Gaussian modulation is used for $x_k$. Let $R_x$ be the code rate of Similarly, the authenticity is ensured as long as Bob is able to decode V in the second phase, i.e., where $\Gamma_B$ is given by (18). Therefore, assuming as worst case that Eve has a noiseless receiver ($\sigma^2_{w_E} = 0$), from (15) and (24) the noise power $\sigma^2_{w^*}$ must satisfy $C_E$ and $C_B$ are the channel capacities of Eve and Bob respectively. Note that the additional information in the second phase ($Q(w^*_k)$ and V) must be transmitted over the authenticated channel to prevent Eve from altering its content and matching her counterfeit signal.
Eve can still attempt to predict the codeword, by guessing the secret bits that are unknown to her. By the wiretap coding theory, there exist suitable wiretap codes for Alice such that the part of the authentication message that remains secret to Eve has a secrecy rate which is maximized when $R_x = C_B$ and we obtain the secrecy capacity [21] Note that in our context the secrecy of message V is only instrumental to the authentication of the navigation message. Therefore, with a small abuse of notation, we will denote as authentication capacity the secrecy capacity $C_A$, as the secret bits are those that prevent Eve from obtaining a successful attack.
The probability that Eve predicts the correct message V is wheren → ∞ is the codeword length (in symbols). When finite-size constellations are considered for x k , conditions (24) and (25) still hold for correctness and secrecy. However, C E becomes the achievable rate of a finite-size constellation system on an AWGN channel with SNR Γ E , i.e., with H(y) being the entropy of the received signal with probability density function (PDF) f y (a) and S is the set of the M complex constellation points. In order to compute the capacities we must resort to the numerical integration of (31). A similar expression holds for C B where Γ E is replaced by Γ B .

B. Forward Estimation Attack - Finite-length Codewords
The previous section provided an analysis for the scenario of infinitely long codewords, as an asymptotic performance limit. Here we consider a more realistic scenario of finite-length codewords. We still first assume Gaussian signalling. Due to the finite-length regime, (24) and (25) do not hold anymore. For correctness we must assess the (non-zero) probability that Bob does not decode V , while for secrecy we must assess the (non-zero) probability that Eve correctly predicts V before the entire codeword has been transmitted. In order to compute these probabilities we resort to literature results on finite block-length regime [24], [25]. Let us assume the codebook comprises γ codewords, that are transmitted with equal probability. In particular we lowerbound the codeword error probability P e Γ, log 2 γ n ,n on AWGN channel with SNR Γ as P e Γ, log 2 γ n ,n ≥ q Γ, log 2 γ n ,n , where and Q(·) is the complementary cumulative distribution function (CDF) of a continuous normal variable. For a given lengthn a design criterion in this scenario is to set a desired correctness outage probability Π 0 , i.e., choose the number of codewords γ such that P e Γ B , log 2 γ n ,n < Π 0 .
Then, considering a codeword predictive attack performed by Eve at symbol n <n, the probability of successful attack is upper-bounded as where the second inequality comes from two facts: a) q(Γ, log 2 γ n , n) is a lower bound on the codeword error probability and b) equation (33) is based on the fact that the code is optimized for lengthn, while Eve attempts the decoding after receiving n samples, thus we have a further source of error by this mismatch. The maximum comes from the fact that the success probability cannot be lower than 1/γ, which corresponds to the complete random choice of the attack codeword.
We now consider the impact of finite-size constellations, and in particular we consider a binary modulation. For this case (33) still holds with [24], [25] where Also in this case, the inability of Eve to predict the AN further lowers the success of the attack, as the spoofed AN will not be completely removed by Bob before decoding of the authentication message.

C. Delay Attack
We now consider the delay attack, in which Eve does not attempt to reproduce the authentication signal, but only transmits a delayed navigation signal. Assuming that Bob acquires the synchronization on the spoofed signal, i.e., the attack is successful, we aim at assessing the probability that Bob also demodulates V from the asynchronous authentication signal, thus failing to reveal the attack. Let −T s < < T s be the offset between the navigation and the authentication signals, i.e., in phase one First consider the case 0 ≤ < T s . After despreading and AN removalx k in (17) is affected by the previously transmitted symbol x k−1 , i.e., where the interference coefficients are In (44), besides the inter-symbol interference there is also the residual quantization error w (q) k, that now depends on the delay . In particular we have and thus The power of w where E [·] is the expectation operator. Considering perfect quantization, i.e., w * k = Q(w * k ), w * k, and w * k are two correlated Gaussian random variables. Note that where, the second line comes from (49), the third line comes from the linearity of the expectation and we considered k = 0 in the integral limits for the noise stationarity. Since w * (t) is a white Gaussian process, by definition the inner expected value becomes where δ(·) is the continuous time impulsive function. Due to the integral properties of δ(·) (52) becomes where the result of the integral ν only depends on and the transmitter and receiver pulses.
Note that if = 0, then w * k = w * k, and w q k, = 0. Moreover, for a high the correlation between w * k and w * k, decreases; if exceeds T s the two variables become uncorrelated (ν = 0), since they insist on disjoint intervals of w * (t). Under these conditions σ 2 wq, = 2σ 2 w * (1 − ν ) and the SNR becomes Note that if there is no delay, i.e. = 0, we have α = 1, β = 0, σ 2 wq, = 0 and hence Γ B = Γ B . If, on the other hand, > 0, then α < 1 and β > 0. This, together with w (q) k, , decreases Bob's SNR and undermines his capability to decode $\hat{V}$, resulting in the attack being uncovered.

D. Symbol Prediction Attack
With the symbol prediction attack Eve aims at detecting the symbol transmitted by Alice in order to send a delayed version of it. Due to the presence of the AN the prediction of the authentication message symbols is more difficult for Eve. In particular, since even the detection of the whole codeword will be affected by a codeword error rate bounded away from zero when operating above the authentication capacity (by the converse of the wiretap channel coding theorem), detection at symbol level will also be affected by errors, or otherwise the concatenation of correctly detected symbols would provide the correct codeword. In the case of a binary constellation the success probability upon a symbol prediction made at time $0 < t \le T_s$ is [12] Also in this case the AN spoofed by Eve in the predicted part of the symbol will be added to $w^{(q)}_k$ at Bob and authentication message decoding will fail.

V. NUMERICAL RESULTS
We consider the transmission scenario of Fig. 1 with a single satellite, where all satellite links are modelled as AWGN channels. The authenticated channel has been assumed error-free and with a large bandwidth (we will also consider the effects of noise quantization). As for the Galileo signal we assume $N_c = 4092$ and $T_c = 10^{-6}/1.023$ [19]. We focus on a unitary-power authentication signal, i.e., $\sigma^2_x = 1$, while different values for the AN power will be considered. For Bob's noise power we set $\sigma^2_{w_B} = 0, -5, -10$ dB, values typically encountered in GNSS receivers [26]. For Eve, we assume $\sigma^2_{w_E} = 0$ as a worst case for the authentication problem, corresponding to a noiseless receiver. As transmission chip u(t) we consider two options, shown in Fig. 4. In particular $u_1(t)$ is the chip pulse used in the Galileo system [19], while $u_2(t)$ is a chip pulse characterized by a smaller support designed in order to make the authentication signal more fragile to synchronization errors, as discussed in Section IV-C. Results in this section are based on the analysis presented in the paper with the AWGN channel described in Section II.
For a practical implementation of the system further improvements should be considered, which are left for future work.

A. Forward Estimation Attack - Infinite Codeword Length
We first consider FEA with infinite codeword length, as analysed in Section IV-A. Moreover we consider an infinite-rate authenticated channel, thus σ 2 wq, = 0. Fig. 6 shows the secrecy capacity as a function of the AN power $\sigma^2_{w^*}$ for different values of Bob's noise power. We observe that the capacity is zero for $\sigma^2_{w^*}$ below the threshold, $\sigma^2_{w^*} \le \sigma^2_{w_B}$, and then increases with $\sigma^2_{w^*}$. Moreover, as $\sigma^2_{w^*}$ goes to infinity, the secrecy capacity saturates to the Alice-Bob channel capacity (as Bob's noise is limiting the capacity anyway). For example at $\sigma^2_{w^*} = 0$ dB, i.e., with AN having the same power of the authentication signal (and of the navigation signal) we have $C_A = 0.52$ b/s/Hz for $\sigma^2_{w_B} = 5$ dB. Note that this choice would require the reduction of the navigation signal power by 4.7 dB for the same total satellite transmit power. We also considered the AN quantization in the authenticated channel. In particular, we consider a uniform quantizer optimized in order to minimize the mean square quantization error [23]. Fig. 7 shows the authentication capacity as a function of $\sigma^2_{w^*}$ and as a function of the number of quantization bits per sample (b) for $\sigma^2_{w_B} = -5$ dB. We also include the performance for the case of no quantization error ($b = \infty$). We observe that already with b = 3 the authentication capacity loss is below 0.3 b/s/Hz.
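The threshold, the saturation and the cost of a b-bit AN quantizer described above can be reproduced numerically. This is an added example, not the authors' code: it assumes real Gaussian signalling with capacity $\frac{1}{2}\log_2(1+\Gamma)$, a noiseless Eve with $\Gamma_E = \sigma^2_x/\sigma^2_{w^*}$, Bob's SNR taken as $\sigma^2_x/(\sigma^2_{w_B} + \sigma^2_{w_q})$, and a mid-rise uniform quantizer whose step is found by grid search; the function names are hypothetical.

```python
import math
from functools import lru_cache

def gauss_pdf(x):
    return math.exp(-0.5 * x * x) / math.sqrt(2 * math.pi)

def uniform_quantizer_mse(step, bits, grid=2000, span=8.0):
    """MSE of a mid-rise uniform quantizer with 2**bits levels on a unit-variance Gaussian."""
    top = (2 ** bits / 2 - 0.5) * step        # outermost reconstruction level
    h = 2 * span / grid
    mse = 0.0
    for i in range(grid):
        x = -span + (i + 0.5) * h             # midpoint rule over [-span, span]
        q = (math.floor(x / step) + 0.5) * step
        q = max(-top, min(top, q))            # overload region clips to the outer level
        mse += (x - q) ** 2 * gauss_pdf(x) * h
    return mse

@lru_cache(maxsize=None)
def optimal_uniform_mse(bits):
    """Smallest MSE over a grid of step sizes from 0.05 to 2.00 (unit-variance input)."""
    return min(uniform_quantizer_mse(s / 100, bits) for s in range(5, 201))

def capacity(snr):
    """Real Gaussian signalling over AWGN, in bits per channel use."""
    return 0.5 * math.log2(1 + snr)

def authentication_capacity(an_db, bob_noise_db, bits=None, sig_power=1.0):
    """C_A = max(0, C_B - C_E); bits=None means the AN is revealed without quantization."""
    an = 10 ** (an_db / 10)
    bob = 10 ** (bob_noise_db / 10)
    # The residual quantization noise scales with the AN power (assumption of this example).
    residual = 0.0 if bits is None else an * optimal_uniform_mse(bits)
    gamma_e = sig_power / an                  # Eve is noiseless: only the AN limits her
    gamma_b = sig_power / (bob + residual)    # Bob: receiver noise plus quantization residue
    return max(0.0, capacity(gamma_b) - capacity(gamma_e))

if __name__ == "__main__":
    for an_db in (-10, -5, 0, 5, 10, 40):
        row = [authentication_capacity(an_db, -5, b) for b in (None, 3, 4)]
        print(an_db, " ".join(f"{v:.3f}" for v in row))
```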

B. Forward Estimation Attack - Finite Codeword Lengths
We now consider the case of finite-length codewords as described in Section IV-B. We consider here $\sigma^2_{w_B} = -5$ dB and no quantization error. For the correctness, by imposing a decoding outage probability of $\Pi_0 = 10^{-3}$ we obtain from the bound (33) $\gamma = 1.1 \cdot 10^{64}$. We also chose $n = 250$, which corresponds to the codeword length of the Galileo FEC. Eve can predict (with probability 1) the codeword well before the last symbols when Gaussian signaling is used for the authentication message. This represents the asymptotic performance that can be obtained optimizing the modulation. Note that we obtain a much lower $P_{\rm succ}$ probability with respect to that reported in Fig. 10 for BPSK constellations and the same value of $\Gamma_E$ and $n$, even for a higher $\sigma^2_{w_B}$ ($\sigma^2_{w_B} = 0$ dB in Fig. 10 and $\sigma^2_{w_B} = -5$ dB in Fig. 9).

We then compare the performance of our scheme (solid line of Fig. 11) with an NMA approach. Let $v$ be the number of unpredictable bits in the NMA codeword. We can then use the same formulation (38) with $\gamma = 2^v$ and BPSK modulation. Since with NMA there is no AN we focus on the case $\Gamma_B = \Gamma_E = 0$ dB. Note that when considering NMA $\Gamma_E = 1/\sigma^2_{w_E}$, while with our authentication protocol $\Gamma_E = 1/\sigma^2_{w*}$. Fig. 11 shows the success probability as a function of $n$ and $v$. Note that $v = 42$ (dotted line) is the value considered in [12]. Our scheme outperforms NMA under FEA. Moreover, NMA performance improves as $v$ increases, at the cost of adding more unpredictable bits, thus increasing the overhead.

C. Delay Attack
For the delay attack we consider the analysis of Section IV-C. In particular we consider as AN power $\sigma^2_{w*} = 0$ dB and Bob's noise power $\sigma^2_{w_B} = -5$ dB. Coding is performed with codewords of infinite length and both Gaussian and $M$-PSK constellations are considered. Fig. 12 shows the secrecy capacity vs the attack delay for various sizes $M$ of the PSK constellation, and for the two chip pulses $u_1(t)$ and $u_2(t)$. We observe that for the chip $u_1(t)$ of the Galileo system, the capacity drops to zero for = $0.04\,T_c$, while the pulse $u_2(t)$, having a more compact support, exhibits a zero secrecy capacity already for = $0.025\,T_c$, thus providing a better protection against the symbol prediction attack. Note that by setting the secrecy coding rate $R_s$ below $C_s$( * ) = 0 we have that an attack with delay > * is detected as, from the converse theorem on capacity, the codeword error probability of Bob tends to 1 as $n$ tends to infinity. A suitable choice of the secrecy coding rate $R_s$ takes into account the synchronization error statistics of Bob's receiver in the absence of an attack (due for example to the receiver's noise).

D. Symbol Prediction Attack
For the symbol prediction attack, the success probability is given by (56). For a non-authenticated signal the SNR is $1/\sigma^2_{w_E}$ while for an authenticated signal the SNR of the authentication message is $\Gamma_E$ of (15). With $\sigma^2_{w_E} = -5$ dB and $t/T_s = 0.3$ (i.e., by listening to a fraction of the transmission symbol) we have $P_{\rm succ} = 0.916$ and $P_{\rm succ} = 0.7502$ in the two cases of $\sigma^2_{w*} = 0$ (no authentication) and $\sigma^2_{w*} = 0$ dB (with authentication). Again, we note that AN significantly lowers the possibility of predicting the authentication message by Eve.
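The two success probabilities quoted above can be checked, and the AN power sized for a target, with the added example below (not code from the paper). Equations (56) and (15) are not reproduced in this section, so the code assumes a BPSK early decision, $P_{\rm succ} = 1 - Q(\sqrt{2\,(t/T_s)\,\Gamma})$ with $\Gamma_E = \sigma_x^2/(\sigma^2_{w*} + \sigma^2_{w_E})$, which matches both quoted values; all function names are hypothetical.

```python
import math

def db_to_lin(db):
    """Convert a power in dB to linear scale."""
    return 10.0 ** (db / 10.0)

def q_func(x):
    """Gaussian tail probability Q(x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))

def eve_snr(eve_noise_db, an_db=None, sigma_x2=1.0):
    """SNR of the message at Eve. an_db=None means no AN (non-authenticated
    signal); otherwise the AN power adds to Eve's receiver noise."""
    an_lin = 0.0 if an_db is None else db_to_lin(an_db)
    return sigma_x2 / (an_lin + db_to_lin(eve_noise_db))

def p_succ(snr, frac):
    """Assumed form of (56): probability of guessing a BPSK symbol correctly
    after observing only a fraction frac = t/T_s of its duration."""
    return 1.0 - q_func(math.sqrt(2.0 * frac * snr))

def min_an_db_for_target(target, eve_noise_db, frac, lo=-30.0, hi=40.0):
    """Smallest AN power (dB, within [lo, hi]) keeping p_succ <= target.
    Bisection is valid because p_succ decreases monotonically with AN power.
    Returns None when even the largest AN power cannot reach the target."""
    if p_succ(eve_snr(eve_noise_db, hi), frac) > target:
        return None
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if p_succ(eve_snr(eve_noise_db, mid), frac) <= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    # Operating point quoted in the text: Eve noise -5 dB, t/T_s = 0.3.
    print("no AN   :", round(p_succ(eve_snr(-5), 0.3), 4))
    print("0 dB AN :", round(p_succ(eve_snr(-5, 0.0), 0.3), 4))
    for frac in (0.1, 0.3, 0.5, 0.9):
        print(frac, "-> AN dB for P_succ <= 0.6:",
              min_an_db_for_target(0.6, -5, frac))
```

Since a blind guess already succeeds with probability 0.5 for BPSK, any target at or below 0.5 returns None.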

VI. CONCLUSIONS
In this work we proposed a novel authentication protocol and we showed that the proposed solution effectively authenticates a single-satellite navigation message. We analysed the protocol performance under various transmission constraints, such as finite-length codewords, finite-size constellations and quantization. We conclude that the proposed strategy is effective in providing authentication of the Galileo signal, totally preventing prediction attacks for Gaussian constellations and significantly lowering the success of attacks for finite-length constellations.
Moreover, the unpredictability of the AN further increases the security level of the proposed protocols.