Sep 9, 2025

Technical Blog

Post

Jason Anderson

Senior Security Engineer

The Next Era of Navigation Is Secure by Design

In 1978, when the U.S. introduced the world to GPS, its architecture revolved around a singular, then-groundbreaking objective: providing precise, reliable positioning and timing signals for the U.S. Military anywhere on Earth. At the time, its design did not prioritize resiliency against spoofing, a type of attack where a party fools a receiver into believing it’s somewhere it is not. Security measures were concerned with restricting access by civilians and enemy combatants.

GPS included access security mechanisms such as encrypting the high-precision signals and the now-defunct selective availability, which degraded accuracy on the non-encrypted signal components. The military ordered that access keys be distributed, managed, and transported with multiple personnel and in limited quantities to resist key leakage. Newer GNSS signals, such as Galileo’s PRS, tailored to privileged civilian users, also adopted this cumbersome access security methodology.

Even with these access-control security features, all modern GNSS systems lack an essential and fundamental security measure: range authentication. Unlike signal encryption, which provides confidentiality by rendering the signal unreadable without proper access keys, authentication enables verification of the integrity and origin of the ranging signal itself to resist manipulated satellite ranging. Authentication was impractical given the severely limited bandwidth and computational resources of GNSS systems during the turn of the century. Today, however, rapid technological advancements and widespread reliance on precise navigation signals are stress-testing legacy GNSS infrastructure like never before, particularly through a rapidly proliferating threat: spoofing.


GNSS Isn’t Equipped to Counteract Spoofing

Modern civilian GNSS signals are open: anyone can clone an open-source git repository that generates signals compliant with the signal specification, buy a hobbyist radio transmitter, and broadcast false signals identical to the real signals from space. Sophisticated spoofers induce a victim receiver to deduce a prescribed false position by forging the signal’s GNSS satellite orbit information and coordinating the range signal arrival timing of the forged satellite signals.

Spoofing initially emerged as a relatively harmless activity. For instance, a popular GNSS spoofing activity involves fooling a smartphone into believing it's in a different place to achieve an otherwise location-gated outcome in a video game. In the viral mobile game Pokémon GO, GNSS-spoofing players can virtually relocate themselves to capture rare Pokémon without physically traveling, giving them an unfair advantage over honest players.

Over time, spoofing evolved toward more disruptive intentions. In one case, researchers demonstrated that some vehicles equipped with “self-driving” features could be tricked into veering off their intended routes after misjudging their position due to spoofed GNSS signals. In 2017, a French oil tanker experienced substantial navigation disruptions near the Black Sea, causing its location to be reported to onboard systems as 30 miles away. Now, these GNSS disruptions are commonplace.

Last week alone, a plane transporting the president of the European Commission, Ursula von der Leyen, was targeted by a jamming and spoofing attack.

With disruption now commonplace, the world is watching spoofing evolve from an afterthought to a critical threat. Anything that relies on GNSS time synchronization, from energy grids, telecom networks, financial markets and banking infrastructure like ATMs, to public transportation and the internet, is vulnerable to falsified GNSS signals. In theory, one could fool an instrument-approach aircraft into believing a false altitude or position.

Why Anti-Spoofing Innovation Hasn't Caught Up

Implementing new security features into a satellite navigation system designed and launched decades ago requires wrestling with the design choices of an earlier industry: innovators must navigate inherited rekeying systems, accommodate decades-old in-the-market infrastructure, and contend with limited bandwidth constraints – all while prioritizing the needs of today and tomorrow’s market.

False Security for Some

Governments design their systems for a select set of users who need anti-spoofing features most. We can see this applied design in a range of public service providers, public utilities, and national defense departments. Due to this exclusivity, they can be served by existing encrypted signals. However, each additional encrypted user makes the whole system more vulnerable to spoofing.

Ostensibly, because malicious actors are not provided the encryption keys, they cannot spoof the encrypted signals. But for these services to assert authenticity, they must assume honesty and competency among every user. Were any military GNSS user to sell or leak their encryption keys, a spoofer could retrieve the encryption keys to perfectly generate the encrypted signals. Yet, since this threat is seemingly mitigated via arduous rekeying procedures on the battlefield, and their users have the financial resources and patience to deal with them, governments focus on other priorities.


The Push and Pull of Backwards Compatibility

Government providers of GNSS support an extremely large user base, with some receivers being decades old and still in service, often serving critical functions. Changing the satellite signals would cause wide-scale disruption, bricking many devices. The entrenched infrastructure, although in need of new capabilities, cannot withstand such a renovation. This is the dichotomy of backwards compatibility in GNSS: while GNSS designers may develop new technology, it must integrate with existing infrastructure so as not to disrupt the equipment currently in use. To this effect, the long-standing and most-adopted L1 C/A GPS signal has never changed since its inception and contains no anti-spoofing features.

Galileo's designers had the benefit of hindsight: they designed their system decades later, first launching in 2005, almost thirty years after GPS. Using lessons learned, they had the foresight to reserve spare data bandwidth, and so, as of a few weeks ago, Galileo's OSNMA utilizes those spare bits for data anti-spoofing while preserving backwards compatibility. Incorporating anti-spoofing features requires either adapting to signal designs optimized before anti-spoofing was a concern or disrupting backwards compatibility. The latter is unacceptable, causing this issue to largely remain unresolved.

This tradeoff causes another challenge: low data bandwidth.


Signal Robustness & The Lack of Available Bandwidth

By opting for robustness, GNSS signals work well for the sensors of the 1980s but have very low data bandwidth. For instance, the L1 C/A GPS signal provides a 50 bit per second data stream. Cryptographic authentication provides provably effective methods for deterring information forgery, yet it requires signatures exceeding 500 bits.

A useful GNSS authentication protocol must also enable the receiver to trust a signal quickly. Of what use is knowing your position was authentic minutes ago in our high-speed world? Because off-the-shelf cryptographic protocols would consume all this data bandwidth, Galileo adapted a lesser-known efficient cryptographic authentication protocol called TESLA for OSNMA. But even then, Galileo's OSNMA provides a time-to-authentication on the data of around 90 seconds and provides no anti-spoofing features for the satellite ranging.

The required innovation can no longer rely on government-operated systems to meet these needs – users demand a GNSS service that provides secure and low-cost rekeying procedures, provides backwards compatibility that does not compromise on its capabilities nor cause the disruption it aims to defend against, and, above all, provides a quick and reliable authenticated signal.  

Pulsar is Designed from the Ground Up with Security in Mind

At Xona, we see the rapidly changing GNSS landscape and hear what users are asking for. That’s why we’ve built Pulsar: a generational opportunity to incorporate security concerns from the outset and build for needs known and yet to come. The next era of satellite navigation is not only one with centimeter-level precision and 100x higher received power, but also one with anti-spoofing protection built-in.

The requirements to deliver on this vision are ambitious:

  1. Achieving authentication should be lightning fast. What use is a positioning system that informs on the authenticity of one's position minutes in the past in our fast-paced world?

  2. Cryptographic anti-spoofing features should protect both the data and ranging signal components. The ranging authentication security afforded should be based on derived math rather than heuristic experiments.

  3. Rekeying must be seamless. Every customer and use-case should benefit from the security without having to think about it.

To fulfill these requirements, the Pulsar security stack is unlike any operating or planned GNSS security protocol.


Speed

Meeting the speed of authentication required for a seamless user experience requires a new approach to overcome bandwidth limitations present in GNSS.

Pulsar services will provide cryptographic authentication of the data stream and the ranging signal. Pulsar utilizes a constellation-wide, integrated TESLA approach to authenticate navigation features of multiple satellites at once. Information delivered from one Pulsar satellite will enable simultaneous authentication of every Pulsar satellite and frequency – data and ranging – without the need to connect to the internet. With a larger number of LEO satellites in view, alongside our integrated approach, Pulsar is targeting a time to authentication of four seconds, setting a new standard compared to existing concepts of authentication, surpassing even those that require an internet connection to authenticate.

While with traditional GNSS systems the data bandwidth limitation determined the time to authentication, Pulsar's time to authentication pushes against the fundamental limit imposed by the receiver's coarse time synchronization. Targeting a four-second time to authentication comes from targeting a receiver synchronization requirement of 1 second. Pulsar can adjust this requirement at will based on feedback from its customers: a tighter synchronization requirement enables a faster time to authentication.
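The link between receiver clock error and time to authentication can be seen in a minimal sketch of textbook TESLA, added here as an illustration; it is not Xona's or Galileo's code, and the interval length, disclosure delay, MAC length, sample data and all names are constructed assumptions.

```python
import hashlib, hmac

INTERVAL = 1.0  # seconds per key interval (constructed value)
DELAY = 2       # K_i is disclosed DELAY intervals after it is used (constructed)

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def make_chain(seed: bytes, n: int) -> list:
    # Returns [K_0 .. K_n] with K_(i-1) = H(K_i); K_0 is the root the operator signs.
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain[::-1]

def tag(key: bytes, interval: int, data: bytes) -> bytes:
    # Truncated MAC, since downlink bits are scarce (length is constructed).
    return hmac.new(key, interval.to_bytes(4, "big") + data, hashlib.sha256).digest()[:5]

class Receiver:
    def __init__(self, root: bytes, sync_error: float):
        self.root, self.sync_error, self.pending = root, sync_error, {}

    def on_message(self, interval, data, mac, local_time) -> bool:
        # Security condition: even if our clock is slow by sync_error,
        # the key for this interval must not have been disclosed yet.
        ok = local_time + self.sync_error < (interval + DELAY) * INTERVAL
        if ok:
            self.pending[interval] = (data, mac)
        return ok

    def on_key(self, interval, key):
        k = key
        for _ in range(interval):  # walk the chain back to the root
            k = h(k)
        if not hmac.compare_digest(k, self.root) or interval not in self.pending:
            return None
        data, mac = self.pending.pop(interval)
        return data if hmac.compare_digest(tag(key, interval, data), mac) else None

def demo() -> dict:
    chain, nav = make_chain(b"constructed-seed", 8), b"constructed nav data"
    mac = tag(chain[3], 3, nav)
    tight, loose = Receiver(chain[0], 1.0), Receiver(chain[0], 2.0)
    return {
        "buffered": tight.on_message(3, nav, mac, local_time=3.2),
        "bad_key": tight.on_key(3, bytes(32)),
        "authenticated": tight.on_key(3, chain[3]),
        "after_disclosure": tight.on_message(3, nav, mac, local_time=5.1),
        "loose_sync": loose.on_message(3, nav, mac, local_time=3.2),
    }
```

The receiver with a 2-second clock-error bound must discard even the genuine message, because it cannot rule out that the key was already public; the disclosure delay therefore has to exceed the synchronization bound, which is why tighter synchronization allows faster authentication.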

 

Cryptographic Anti-Spoofing & Ranging Authentication

Pulsar will provide the world's first ranging authentication service, proven already with live-sky testing from Pulsar-0. This moves beyond the orbit information of the data stream to the service that enables a receiver to deduce its range to satellites for trilateration. Presently, many exclusive government GNSS signals require strict vetting of all users, imposing high barriers to adoption for civilian commercial applications. Pulsar's encryption keys will be seamlessly distributed to subscribers, creating an authentication protocol designed so that only the operator has the secrets needed to generate secure signals.

No one – including Pulsar subscribers – will be able to spoof the Pulsar signals without sophisticated attacks that require significant radio equipment and are fundamental to all ranging systems. Moreover, the underlying protocols will be grounded in the digital signature and certificate framework we use every day with the internet.

Alongside this, Ranging Authentication is enacted with a Combinatorial Watermark, where a small subset of ranging code bits are inverted pseudo-randomly each millisecond. This Combinatorial Watermark provides receivers with a robust set of open statistics to determine signal authenticity rather than requiring heuristic or experimentally based thresholding. Pulsar’s watermark will provide 32-bit security over one second of ranging, meaning we expect that a spoofer spoofing a single satellite continuously should succeed in fooling one second of a receiver's ranging once every 130 years.

Seamless Rekeying

Soon, Pulsar will become the world's first seamless subscription-based satellite navigation service. Offering a subscription service requires the administration of many different encryption keys: keys for each subscription service level, user group, and user. To ensure the most efficient experience possible, designing Pulsar's subscription service required inventing a novel authenticated encryption system.

Our Dynamic Authenticated Encryption answers this call. All users and subscriptions can be rekeyed over the air. Only the initial receiver commissioning will require an interface beyond the direct Pulsar signal. Users can authenticate all subscription levels without needing to subscribe to them, and users can send their own data to their receivers encrypted to their devices. To mitigate the risk of encryption key leakage, Pulsar's Dynamic Authenticated Encryption can change encryption keys at will without inducing receivers to decrypt the Pulsar signal with the wrong key.

 

A Secure Foundation for the Future, Today

No ranging system is entirely spoof-proof. A receiver’s deduced position can be manipulated with signal delays, and cryptography provides no protection against delay. However, the right design makes attacks measurably more difficult – requiring the use of specialized hardware, substantial financial investments, and sophisticated technical expertise. Pulsar raises the cost and difficulty of spoofing to extreme levels while keeping the experience seamless for users.

With these requirements at the forefront of our design principles, Pulsar fundamentally advances GNSS security, access restriction and authentication, and establishes a secure foundation for essential global infrastructure. Its practical implications are clear and immediate: Pulsar will secure logistics and trade, ensuring cargo reaches its destination reliably and safely; it will protect autonomous vehicles; it will safeguard aviation operations, significantly reducing the risk of intentional or accidental disruptions; it will ensure the integrity of transactions that rely on precise, synchronized timing.

Pulsar’s security features aren’t just theoretical—they're operational today, built upon rigorous, provably secure cryptographic foundations. With Pulsar-0 successfully transmitting authenticated ranging signals from orbit, Xona has already demonstrated its ability to deliver these critical capabilities. In the near future, with the launch of additional satellites, Xona will offer comprehensive, global coverage, establishing Pulsar as the definitive standard in authenticated, resilient GNSS infrastructure.

Soon, location and timing will receive the resiliency and security we need for the work of the future.
