- The paper presents a rigorous analysis of PRF-based GNSS ranging authentication that mitigates spoofing attacks through theoretical derivations and empirical simulations.
- It quantifies detection probabilities (PFA and PMD) and highlights how aggregation time and adversarial SNR critically affect security levels.
- The study applies its findings to Galileo E6-C, providing actionable guidelines on integration intervals and adversary capabilities for robust GNSS authentication.
Authentication Security Analysis of PRF GNSS Ranging
Introduction and Motivation
This paper presents a rigorous analysis of the authentication security of pseudorandom function (PRF) based Global Navigation Satellite System (GNSS) ranging, with a focus on adversarial models relevant to real-world spoofing threats. The work is motivated by the increasing deployment of cryptographically authenticated GNSS signals, such as Galileo's Signal Authentication Service (SAS) using encrypted E6-C signals, and the corresponding need for quantifiable security guarantees against sophisticated spoofing attacks. The analysis is grounded in both theoretical derivations and empirical validation, providing actionable guidance for the design and deployment of secure GNSS authentication protocols.
PRF Ranging and Authentication Protocols
The core concept is the use of PRF-derived ranging codes, where each chip in the ranging sequence is generated from a cryptographic PRF seeded with a secret known only to the broadcaster. This construction ensures that, prior to key disclosure, adversaries cannot predict future chips, and thus cannot preemptively forge authentic-looking signals. The authentication protocol typically follows a TESLA-like delayed disclosure scheme: the broadcaster commits to a secret, transmits PRF-derived ranging codes, and later reveals the secret, enabling receivers to retrospectively authenticate stored signal samples.
The paper distinguishes between two forms of cryptographic ranging authentication: watermarking (small perturbations to standard codes) and full PRF-based ranging (entire code derived from a PRF). The focus here is on the latter, which offers stronger unpredictability guarantees but requires more complex receiver processing and storage.
Signal and Adversarial Models
The GNSS signal is modeled as a BPSK-modulated sequence, with each chip being a ±1 value. The receiver processes the baseband signal after carrier removal, correlating it with a locally generated PRF replica once the secret is disclosed. The analysis assumes a conservative radio model: operation at the Nyquist rate and a minimum C/N0​ of 30 dB-Hz, ensuring that security claims are robust to adverse conditions and adversarial manipulation.
Adversaries are classified into two principal types:
- Non-SCER (Security Code Estimation and Replay) adversaries: Cannot observe the PRF chips before transmission and must guess the entire sequence.
- SCER adversaries: Can observe the PRF chips (e.g., via high-gain antennas) and attempt to replay or forge signals based on these observations.
The SCER model is further refined into Hard-Decision SCER (HDSCER), where the adversary makes hard decisions on each chip, and Proportional Soft-Decision SCER (PSCER), which leverages soft information for marginally improved performance.
Analytical Derivation of Detection Probabilities
Probability of False Alarm (PFA) and Missed Detection (PMD)
The receiver's authentication statistic is the normalized correlation between the stored baseband samples and the PRF replica. For authentic signals, this statistic is centered at 1; for Non-SCER forgeries, it is centered at 0, with variance contributions from both the binomial distribution of random guesses and thermal noise. The decision threshold is set at 0.5, balancing PFA and PMD.
The PMD for Non-SCER adversaries is derived as the probability that the authentication statistic for a forgery exceeds the threshold, which is a function of the binomial distribution of correct chip guesses and the aggregated noise. The analysis provides both exact expressions and CLT-based approximations for efficient parameter search.
Figure 1: The PMD computed via the exact binomial-normal convolution for Non-SCER adversaries, as a function of the number of aggregated ranging codes W.
Application to Galileo E6-C
Applying the analysis to Galileo's E6-C signal (n=5115 chips, F=10.230 MHz), the results indicate that aggregating 341 ms of data suffices for 128-bit security under the Non-SCER model, while 77 ms suffices for 32-bit security. These values are robust to conservative noise assumptions and can be rounded up in practical guidelines.
Figure 2: Minimum noise assumptions over aggregation time for varying security requirements, illustrating the trade-off between integration time and achievable security.
SCER and HDSCER Adversarial Analysis
For HDSCER adversaries, the probability of correctly estimating each chip (p>0.5) depends on the adversary's SNR and antenna gain. The analysis shows that as p increases, the adversary's ability to forge authentic-looking signals improves, and beyond a critical SNR threshold, increasing the aggregation window W actually benefits the adversary by reducing noise uncertainty.
Figure 3: Comparison of HDSCER PMD for multiple W values against adversarial pre-correlation chip SNR, highlighting the inflection point where increased aggregation aids the adversary.
The analysis quantifies the required adversarial antenna gain to break authentication security. For Galileo E6-C, a 15 dB gain antenna is needed to achieve a chip estimation probability sufficient to compromise 32-bit security, assuming ground-level reception and maximum specified signal power.
Figure 4: The effect of increasing the decision boundary on YPRF​, showing the trade-off between adversarial SNR required to break security and the resulting PFA.
Experimental Validation
Monte Carlo simulations validate the analytical PMD predictions for both Non-SCER and HDSCER models. The simulations confirm the accuracy of the derived distributions, even under reduced C/N0​ conditions to ensure observable missed detections within feasible trial counts.
Figure 5: Monte Carlo results verifying the analytical PMD for Non-SCER adversaries.
Figure 6: Monte Carlo results verifying the analytical PMD for HDSCER adversaries.
Soft-Decision SCER (PSCER) Advantage
The PSCER adversary, which allocates spoofing power proportional to the posterior probability of each chip, achieves a modest improvement (~0.6 dB) over the HDSCER model. This demonstrates that while soft information can marginally enhance adversarial performance, the overall security margin remains substantial under practical constraints.
Figure 7: Simulated results demonstrating the PSCER advantage over HDSCER, quantifying the soft-information gain.
Implications and Future Directions
The analysis provides concrete, quantifiable security guarantees for PRF-based GNSS ranging authentication under both idealized and practical adversarial models. The results inform the selection of aggregation intervals and receiver processing strategies to achieve desired security levels, and offer a framework for communicating required adversarial capabilities (e.g., antenna gain) to regulatory authorities.
The work highlights the inherent trade-offs between security, receiver complexity, and adversarial capabilities. It also underscores the limitations of cryptographic authentication in the face of powerful SCER adversaries, shifting the focus to physical-layer countermeasures and detection of illicit equipment.
Future research directions include:
- Extending the analysis to adversaries leveraging more sophisticated soft-decision techniques and adaptive power control.
- Integrating physical-layer detection mechanisms for SCER equipment into the authentication framework.
- Exploring joint authentication and anti-jamming strategies in multi-signal, multi-constellation environments.
Conclusion
This paper establishes a comprehensive analytical and empirical foundation for the authentication security of PRF GNSS ranging. By deriving exact and approximate detection probabilities under realistic adversarial models, and validating these results through simulation, the work enables the principled design of secure GNSS authentication protocols. The findings are directly applicable to current and future authenticated GNSS services, such as Galileo SAS, and provide a basis for ongoing research into robust, cryptographically secure PNT systems.