Verifiable Multilateration: Secure Positioning

• Verifiable Multilateration (VM) is a secure localization method that uses time-bound challenge-response exchanges and precise geometry to restrict adversarial delay spoofing in wireless networks.
• It combines cryptographic safeguards with geometric constraints, including the δ-test and point-in-triangle verification, to ensure node positions remain reliable despite measurement errors.
• Extensions like the TRICK protocol adapt VM for satellite-based global positioning by reducing infrastructure requirements while preserving robust security guarantees.

Verifiable Multilateration (VM) is a geometric and cryptographically enforced localization primitive that ensures nodes claiming positions in a wireless network cannot spoof their distance to multiple verifiers by introducing only adversarial delay. Through distance-bounding exchanges with three or more trusted references, VM constrains a node's location estimate to a region where no adversarial manipulation of time-of-flight measurements can induce an undetectable, internally plausible fake position. Recent protocols, such as TRICK, generalize VM methodology to global-scale and infrastructure-limited settings in satellite navigation, maintaining its security guarantees with reduced resource requirements (Gatti et al., 2010, Mumtaz et al., 7 Nov 2025).

1. Formal Model and Security Framework

VM operates in a two-dimensional plane with a set of anchors (verifiers) located at trusted, known coordinates $\{(x_i, y_i)\}_{i=1}^N$. The node to be localized, $U$, has an unknown true position $(x_0,y_0)$. All participants possess a shared precise time reference; the speed of wireless propagation $v$ (or $c$) is known, and the verifiers have a uniform transmission range $R$. Measurement noise and clock errors are bounded by a known $\delta$.

The adversary controls $U$ and may inject arbitrary response delays but cannot return signals faster than the true time-of-flight. This restriction ensures any adversarial claim $P \neq U$ for the position is limited to conservative claims: only distance inflation through added delay. Data exchanges are securely forwarded to a sink $B$.

VM proceeds as follows for each verifier $V_i$ at $(x_i, y_i)$:

1. Challenge-Response: $V_i$ sends a beacon; $U$ responds after possible adversarial delay, $\tau_i$ is the round-trip time.
2. Distance Bound: $B$ computes distance bounds $db_i = v \tau_i$, or $db_i = v\tau_i/2$ if using round-trip time.
3. Position Estimation: $B$ computes $(x, y)$ minimizing the residual sum

$$\epsilon(x, y) = \sum_{i=1}^N \bigl( db_i - \sqrt{(x - x_i)^2 + (y - y_i)^2} \bigr)^2$$

In the noise-free case, this corresponds to circle intersection.

1. Verification:
   • $\delta$-test: For each $i$, compute

   $d_i = \sqrt{(x - x_i)^2 + (y - y_i)^2}$

   and reject if $|db_i-d_i| > \delta$. - Point-in-Triangle: For $N \ge 3$, require $(x,y)$ inside at least one triangle formed by any $(V_i, V_j, V_k)$.

If both tests pass, the position is Robust; if $\delta$-test fails, Malicious; else Unknown (Gatti et al., 2010).

2. Geometric and Cryptographic Guarantees

VM leverages geometric constraints and cryptographic safeguards to ensure robust detection of position spoofing:

• For each verifier $V_i$, a plausible fake $P$ must satisfy:

$$\begin{cases} (x - x_i)^2 + (y - y_i)^2 < R^2 \ (x - x_i)^2 + (y - y_i)^2 > (x_0 - x_i)^2 + (y_0 - y_i)^2 \end{cases}$$

The first ensures $P$ is inside range; the second captures the impossibility of advancing a signal.

• The $\delta$-test (distance-bound residual) must be within threshold for all $i$:

$|db_i - \sqrt{(x-x_i)^2 + (y-y_i)^2}| \le \delta$

• The point-in-triangle test, for $N \ge 3$, is achieved by testing barycentric coordinates or verifying:

$$\text{Area}(V_iV_jP) + \text{Area}(V_jV_kP) + \text{Area}(V_kV_iP) = \text{Area}(V_iV_jV_k)$$

Any adversarial manipulation based solely on delay increases $db_i$ and can only inflate, never shrink, the feasible region.

Each two-way ranging exchange is cryptographically protected, using challenge nonces, authenticated responses, and minimal processing delays enforced by the verifiers. Message authentication codes or digital signatures guarantee freshness and integrity of all data (Mumtaz et al., 7 Nov 2025).

3. Game-Theoretical Analysis and Optimal Deployments

VM’s adversarial scenario is formally characterized as a zero-sum, two-player strategic game $G = \langle Q, A, u \rangle$:

• Player $\mathbf{v}$ (verifiers): chooses anchor locations.

• Player $\mathbf{m}$ (malicious): selects true $U$ and fake $P$, $U \neq P$.

Possible outcomes are Robust, Malicious, or Unknown, with utility $u_\mathbf{m} = -u_\mathbf{v}$:

• $u_i(\text{Robust}) = u_i(\text{Malicious}) = 0$

• $u_\mathbf{m}(\text{Unknown}) = \|U-P\|$, $u_\mathbf{v}(\text{Unknown}) = -\|U-P\|$

Key equilibrium properties:

• No pure-strategy Nash equilibrium: For any fixed verifier configuration, a malicious node can select $(U,P)$ yielding positive deception. Conversely, for any fixed $(U,P)$, verifier placement can defeat the malicious attempt (force zero deception). Thus, no player has a dominant pure strategy [(Gatti et al., 2010), Theorems 3.1-3.2].

• Max–Min Analysis: The best deterministic verifier layout is an equilateral triangle of side $R$. The attacker’s optimal positions yield:

  • True-position radius: $\rho_U = 0.1394\,R$
  • Fake-position radius: $\rho_P = 0.4286\,R$
  • Angular offset: $\Delta\theta = 0.2952$ radians
  • Achievable deception: $\max\|U-P\| = 0.2516\,R$
• Mixed-strategy Equilibrium: Let the triangle’s orientation be randomized uniformly. The attacker distributes $(U,P)$ in polar coordinates about the triangle’s orthocenter, offset as above. Under this regime, the expected attacker deception drops to $0.001\,R$, two orders of magnitude below the deterministic case [(Gatti et al., 2010), Theorem 3.3].

A plausible implication is that, in adversarial environments with anchor mobility or reconfiguration, randomized anchor layouts can nearly eliminate undetectable spoofed positions.

4. Implementation Mechanics and Trade-Offs

VM implementation requires strict time synchronization among verifiers and carefully bounded measurement errors $\delta$. The required minimal configuration is $N\ge3$ verifiers forming an equilateral triangle of side $R$ for maximal region overlap and spoofing minimization. Two principal tests must be enforced algorithmically:

• Residual computation via the $\delta$-test.
• Geometric checks for the point-in-triangle inclusion.

The protocol's computational complexity is dominated by minimization for position estimation and, in practical systems, simple disk intersection for small $N$. Real-world deployments must ensure verifiers can perform secure, low-latency challenge-response exchanges, forward authenticated measurements, and maintain secure time synchronization.

Randomization of anchor positions, essential for achieving the mixed-strategy equilibrium, may be achievable via mobile or reconfigurable platforms (such as drones or satellites), though impractical for static terrestrial networks.

Measurement error selection, dictated by hardware and environmental factors (radio jitter, multipath), directly governs the size of the $\delta$-acceptance region. Thus, minimizing $\delta$ through precise RF front-end design, antenna placement, and timebase calibration is critical to reducing the chance of “Unknown” classification (Gatti et al., 2010).

5. Extensions: Scalable and Satellite-Based VM with TRICK

Classical VM’s requirements (three or more reference nodes, two-way ranging exchanges with each) result in significant communication and infrastructure overhead. For global-scale deployment, this is impractical—hundreds or thousands of verifiers would be needed for continuous coverage using LEO satellites.

The TRICK (Time and Range Integrity ChecK using Low Earth Orbiting Satellite for Securing GNSS) protocol generalizes VM to greatly reduce infrastructure and message complexity, retaining equivalent security guarantees (Mumtaz et al., 7 Nov 2025):

• Replaces $m$ two-way Distance-Bounding exchanges with only two: either two to a single LEO at separate times or one each to two distinct LEOs.
• Passively leverages authenticated one-way GNSS broadcasts for additional range constraints.
• Forms “ellipsoidal” position constraints by summing the two-way LEO distance and the one-way GNSS pseudorange, eliminating the need for tight UE clock synchronization via interval summation. Specifically,

$$\|p - \text{pos}_\text{LEO}\| + \|p - \text{pos}_\text{GNSS}^j\| \leq c \cdot B^j$$

for each GNSS satellite $j$ and LEO measurement.

Closed position acceptance regions are formed from the intersection of two independent ellipsoids (from the two LEOs or epochs) and one or more GNSS ellipsoids, analogous to the triangle regions formed in VM. TRICK’s security checks replicate VM’s guarantees:

• Verifies the computed position lies within a triangle of foci (the two LEOs and one GNSS).
• Requires that the geometric sum of computed distances matches the measured intervals within noise tolerances.

TRICK achieves VM-equivalent resistance to delay-only spoofing. The adversary can only inflate, never reduce, these sums. Simulated coverage for TRICK ($\geq$90–98%) significantly exceeds that of naïve VM with 3-LEO-only anchors (65–85%) (Mumtaz et al., 7 Nov 2025). Communication cost per position fix is reduced by a factor of $m/2$, and computational cost is sub-millisecond for GNSS-scale $N$.

6. Practical Deployment Considerations and Limitations

VM is maximally effective when the node to be localized is within the convex hull of verifiers; outside this region, spoofing attempts may remain undetectable and are classified as “Unknown.” The deployment must ensure precise time synchronization and strict upper bounds on response latency; hardware and environmental errors must remain below the $\delta$ threshold.

Randomized anchor placement—theoretically optimal for security—may be infeasible in many static or infrastructure-limited networks. Real deployments may rely on static anchors, which makes some residual deception feasible but still small with equilateral-triangle placement.

Parameter selection should adhere to: at least three verifiers in an equilateral triangle of side $R$, minimal $\delta$, and, where feasible, randomization of geometry (mobile anchors or temporal permutations in the satellite case).

TRICK mitigates infrastructure limitations in GNSS by leveraging existing satellite constellations and requiring only two two-way exchanges per fix. A plausible implication is that such hybrid VM protocols are likely to define the future of large-scale authenticated positioning, given the prohibitive infrastructure demands of classical multi-verifier VM. However, TRICK assumes authenticated broadcasts and long-term key distribution between user equipment and LEOs.

7. Summary of Theoretical and Experimental Guarantees

VM and its generalizations enforce the following core security property: An adversary restricted to introducing only delay (never advancing the signal) can never force the computed position into the convex hull of verifiers without reducing at least one measured distance, a physical impossibility. The quantified deception error under optimal mixed strategies is negligible relative to the system’s operating range (on the order of 0.1–1%). Protocol generalizations such as TRICK restore these properties for GNSS localization with orders of magnitude fewer messages, covering nearly all global ground stations with only one or two moving references and passive reception.

Residual limitations persist in convex hull boundaries, measurement error regimes, and practical constraints on anchor mobility or synchronization. Nevertheless, VM remains a foundational primitive for secure positioning in adversarial environments, with demonstrated cryptographic, geometric, and game-theoretical resilience (Gatti et al., 2010, Mumtaz et al., 7 Nov 2025).