## Abstract

Global navigation satellite systems (GNSSs) are the most significant service for global positioning and timing. The high relevance and wide spread of these systems contrast with the risk for interference or even manipulations of GNSS signals. One specific threat is GNSS spoofing. A spoofer counterfeits satellite signals to mislead the receiver to an erring position/time estimation. The technological progress enabling affordable and easy-to-use spoofer hardware further increases the relevance of this threat. To maintain the integrity of the position/time information, it is mandatory to be able to assess the errors induced by spoofing. The paper at hand derives a bound of the code tracking bias in relevant spoofing scenarios extending the well-known Multipath Error Envelope. These new bounds can be used as a tool to estimate the position/time error, especially but not exclusively for receivers that are collateral damage of a spoofing attack.

## 1 INTRODUCTION

Global navigation satellite systems (GNSSs) are widely used for positioning and timing. These systems are not only used as a navigation aid by land, air, and water vessels, but also by critical infrastructure elements as well as further automated and autonomous processes. The increasing number of private and commercial unmanned aerial vehicles (UAVs) and the upcoming of autonomous driving cars will further increase the number of systems relying on GNSSs. This results in significant economical, safety, and security risks associated with possible GNSS service disruptions caused by radio frequency interference (RFI) on navigation signals.

One specific type of such interference is spoofing: A spoofer transmits GNSS-like signals to affect the position, velocity, and time (PVT) solution of a GNSS receiver. In contrast to jamming, where the reception of the navigation signals is restrained or even blocked and the availability of the receiver’s PVT solution is compromised, a spoofer attack aims at manipulating the PVT solution that is deceived by the counterfeit signals. A user affected by spoofing may not even realize that something is wrong, which compromises the integrity of GNSS positioning and timing services. The spoofing effect observed in the user receiver highly depends on the type of the spoofing attack (Humphreys et al., 2008).

This aspect is addressed in Fernández-Hernández et al. (2019), Günther (2014), and Humphreys et al. (2008), in which the possible types of spoofing are identified. One of the most general classifications of spoofing attacks is provided by Humphreys et al. (2008) from the perspective of the technical realization where three categories are proposed: simplistic, intermediate, and sophisticated spoofing.

Simplified, the simplistic attack is an unsynchronized spoofing attack, for example, by radiating GNSS signals produced by a suitable signal generator with the counterfeit signals not necessarily well-aligned with the corresponding authentic signals. Intermediate spoofing synchronizes each spoofing signal to the authentic one. However, in this category, the synchronization is assumed to be limited to the phase of the spreading code (i.e., of PRN code) and carrier Doppler. The most sophisticated realizations of spoofing falling into the last category are supposed to additionally exploit carrier-phase synchronicity and, possibly, multiple transmitters enabling different directions-of-arrival of the counterfeit signals in order to deceive a target receiver. Recently, Fernández-Hernández et al. (2019) suggested a new classification accounting for the operational aspects of spoofing mitigation with seven categories ranging from S1 to S7. In addition to the technical complexity, these categories also account for the intention of the spoofing if it is targeted or occurs as collateral damage.

From the point of view of the integrity of GNSS services, the most dangerous are scenarios in which the spoofer attempts to imperceptibly substitute the authentic satellite signals with their counterfeit copies so that the signal tracking process in the target receiver is least distorted. Such scenarios can be realized, for example, by using the spoofers of the intermediate or sophisticated types discussed above. In the initial phase of such a spoofing attack, each affected satellite channel would track the authentic signal but encounter a mixture of the authentic and counterfeit signals. The spoofer aims at overpowering the authentic signals without being recognized by the user and pulls the satellite channel away from the authentic signal. At the end of this phase, the stronger spoofing signal becomes the only signal being tracked (if we ignore the multipath-like effect of the still present authentic signal).

Being aware of this mechanism of a spoofing attack, the question arises: Is it possible to assess the effect of spoofing on the tracking process of the authentic signal? Such an assessment is not only beneficial for improving and developing receiver systems, but also for the development of new signal structures for future GNSSs that are more resilient against spoofing. It can be helpful to detect spoofing signals and mitigate their effects by configuring the tracking loop parameters, as well as developing integrity monitors. This is also a very interesting question from the point of view of assessing the collateral damage occurring at non-targeted GNSS receivers (e.g., in the case of using spoofing for taking control of an illegally used drone autonomously flying with GNSS navigation and preserving, at the same time, the correct operation of GNSS services for other users).

One of the most practical approaches to address the question is to apply the concept of an error envelope, bounding the maximum bias of the PRN-code phase tracking error. This concept has already been applied to the case of multipath propagation where a Multipath Error Envelope (MEE) is widely used (Teunissen & Montenbruck, 2017). Indeed, on the signal level, the spoofing signal is comparable to a multipath signal: Both are time-shifted replicas of the authentic/line-of-sight (LOS) satellite signal. Van Nee (1992) derived the MEE for the GPS L1 C/A signal, giving an overbound of the tracking error in the presence of a multipath signal.

Since then, the method was further developed to be more accurate (Braasch, 1997) and to cover other (newer) GNSS signals (Irsigler et al., 2004). However, the spoofing signal corresponds to a more generic case. Unlike the multipath signal, it can be received earlier than the authentic signal and its power can be higher. Taking into account that the MEE is limited to multipath signals which have less signal power than the corresponding LOS signals, the paper at hand will address this limitation by extending the concept of the Multipath Error Envelope for signals that can be stronger than the LOS signal: Spoofing signals. The correspondingly extended error envelope will be called the Spoofing Error Envelope (SEE).

The SEE will help to understand the basic mechanisms of how a spoofing signal affects satellite tracking in a classical GNSS receiver. It gives a sense of the expected (initial) tracking error after the spoofer is enabled. The SEE lays the foundation for further research and can be used to explain and predict simulated results (e.g., Bamberg et al. [2018]). The next section gives an overview over the assumptions made while deriving the SEE.

## 2 SCENARIO DEFINITION AND ASSUMPTIONS

### 2.1 Receiver

In a GNSS receiver, the processing of a satellite signal can be subdivided into two states: The acquisition state and the tracking state. The acquisition state is only used to acquire new satellite signals and to reacquire a signal that was lost in the tracking process. In order to ensure that all satellites are in the acquisition state, a spoofer would either need to jam the satellite signals before spoofing or be active before the receiver is switched on. The latter option is usually beyond the control of the spoofer. Jamming all satellites, on the other hand, is relatively easy to detect (e.g., by observing the automatic gain control level [Akos, 2012]) and the disruption of the service warns the user that something is wrong. In contrast, a receiver staying in the tracking state does not give obvious signs indicating a spoofing attack. It is, therefore, the more critical state. This paper assumes that the receiver tracks the authentic satellite signal before and stays in the tracking state when a spoofing signal is encountered.

In the tracking state, the tracking bias depends on the implemented tracking architecture. The classical and still widespread architecture to track a satellite signal is the delay lock loop (DLL). The DLL is fed by a discriminator indicating the residual tracking error. Different discriminators can be used (Kaplan & Hegarty, 2005). In order to define a bound, it is inevitable to restrict the type of architecture. Due to its wide spread, we assume a receiver using a DLL with an early-late discriminator (Kaplan & Hegarty, 2005). To this day, many GNSS receivers still highly rely on the GPS L1 C/A signal. Therefore, we will focus our research on the GPS L1 C/A signal. The method introduced in this paper can easily be extended to other signals and discriminators.

Last but not least, we assume that the receiver does not implement a dedicated approach to mitigate the spoofing signal. This assumption is justified by two facts. First, it is reasonable to expect that such an approach reduces the tracking bias. However, this paper aims to define a worst-case bound, which still holds. Second, most of the on-shelf GNSS receivers do not mitigate spoofing signals. Considering, for example, civil aviation. A receiver used in this field must fulfill the Minimal Operational Performance Standards (MOPS) as defined by RTCA SC-159 (2019). For now, this standard does not include any methods to mitigate spoofing. A receiver using an approach to mitigate spoofing signals would probably even violate the standard.

### 2.2 Scenario

For our analysis, we assume that the delay between the spoofing and the authentic signal remains constant. This is, for example, given when the spoofer generates signals faking a position with a constant offset to the real position (and a constant clock offset). A movement of the individual components (spoofer, receiver, satellites) is uncritical, as long as the spoofer accounts for the corresponding movement.

Naturally, in this scenario, a relative Doppler between the authentic and the spoofing signal is about zero to match the movement of the signal delay with the signal Doppler. However, a spoofer can generate counterfeit signals with an arbitrary (relative) Doppler. Therefore, we account for both cases: In the derivation of the bounds of the tracking bias, we assume no relative Doppler, whereas Section 6 discusses the effect of a relative Doppler on the derived bound.

### 2.3 Summary

Summed up, we identified four assumptions which must hold in order to define a worst-case tracking bias:

The observed receiver is in and stays in its tracking state when the spoofing signal is encountered.

The GPS L1 C/A code signal is tracked and a classical early-late discriminator is used.

The observed receiver does not apply any approach to mitigate spoofing signals.

The delay between the spoofing and the authentic signal stays approximately constant (over the period under observation).

These assumptions should not be seen as limitations, rather they lay the foundation for further research. There are many relevant scenarios in which these assumptions are fulfilled. If we consider, for example, a spoofer aiming to deceive its victim unperceived, the spoofer must not use high power. High-power GNSS signals will knock out a receiver forcing it to go into its acquisition state. Therefore, such a spoofer transmits signals that drive the tracking loops of a victim receiver slowly from the authentic to the spoofing signal. To do this, the spoofer needs to be synchronized to the authentic signal at the receiving antenna of the victim. If the spoofer transmits its signals over the air, most static or slowly moving receivers, which use a classical early-late discriminator, fulfill the four assumptions.

### 2.4 Spoofer

Regarding the spoofer, these assumptions can be fulfilled by an intermediate or sophisticated spoofer that is synchronized to the authentic signals. According to the classification of Fernández-Hernández et al. (2019), all categories except S2 and S3 can (theoretically) fulfill the assumptions.

## 3 SIGNAL TRACKING AND THE MULTIPATH ERROR ENVELOPE

Prior to defining the Spoofer Error Envelope (SEE), some relevant aspects of GNSS signal processing are discussed in this section. Also, the Multipath Error Envelope that serves as a starting point for this research is shortly reviewed.

In order to estimate the user’s position, a GNSS receiver calculates pseudoranges for each satellite. A pseudorange includes the distance and the clock offset between the satellite and the receiver. To calculate the pseudorange, a precise receiving time of the incoming satellite signal is obligatory. This time is obtained by correlating the incoming signal with a time-shifted local replica of the known PRN code of the satellite. In addition, the incoming signal is correlated with a Doppler-shifted carrier to account for the relative velocity between the satellite and the receiver. The two-dimensional correlation function is called the Ambiguity Function (Presti & Motella, 2010). The highest peak of this ambiguity function indicates the best match of the local with the satellite signals. In the acquisition state, the receiver aims to find a coarse match by considering a large number of time-shifts and Doppler frequencies. After the acquisition, a conventional receiver computes only a small number of correlations (to save computational power) to track the peak of the ambiguity function. This process is referred to as tracking.

As stated in Section 2, we assume that the code tracking is performed by a DLL using a code discriminator. The output of the discriminator that is computed using the correlation results has to be proportional to the misalignment between the local reference and the received PRN code. In the presence of two time-shifted signals with the same PRN code (e.g., a satellite signal and a multipath), the discriminator function (also called S-curve) is distorted. This distortion drives the DLL to track an offset relative to the satellite signal.

This section starts with a mathematical description of the ambiguity function (Section 3.1) and the discriminator function (Section 3.2) in a degraded scenario. Section 3.3 describes the effect of the discriminator function on the tracking. The last subsection (Section 3.4) is a short recap of the Multipath Error Envelope.

### 3.1 Ambiguity Function in the Presence of an Additional Signal

An approximated ambiguity function in the absence of noise for a single satellite signal is given as (Presti & Motella, 2010):

1

where *ϕ* describes the (initial) offset of the phase, *τ* describes the offset of the code (lag value) in units of PRN chips, and *f*_{o} describes the offset of the Doppler frequency between the local replica and the incoming satellite signal. The parameter *A* is the amplitude of the satellite signal and *T _{c}* is the (coherent) integration time of the correlation. The function

*R*(.) represents the normalized autocorrelation function of the PRN code and sinc(.) represents the normalized sinc-function defined as .

Due to the linearity of the correlation process, the ambiguity function of the superposition of a satellite and one additional signal (with the same PRN) can be described as:

2

3

where *d*_{sa} is the relative signal delay (in units of chips) and *f*_{sa} the relative frequency offset between the satellite and the additional signal. The subscripts *sat* and *add* indicate that the parameter refers to the satellite and the additional signal, respectively.

Furthermore, we define two parameters to describe the relation between the satellite and the additional signal: Θ = *ϕ*_{add} − *ϕ*_{sat} describes the carrier-phase offset and describes the amplitude ratio of the additional signal compared to the satellite signal. In general, it is more common to describe the relationship between two signals by the relation of their power. The power is proportional to the square of the amplitude. Hence, further on, we will use the square of the amplitude ratio *α*^{2} instead of the amplitude ratio *α* to describe the relation between the satellite and the additional signal.

The factor before the square brackets in Equation (3) is independent of the lag value *τ* and works as a scaling factor. It can be neglected because it has no influence on the zero crossing of the S-curve (the importance of the zero crossing will be described in Section 3.3). In addition, as described in Section 2, we assume for now that the relative frequency offset is zero (i.e., *f*_{sa} = 0 Hz). The ambiguity function can therefore be simplified to:

4

### 3.2 S-Curve and Autocorrelation Function

Following the nomenclature of Van Nee (1993), a non-coherent early-late discriminator (S-curve) can be defined as:

5

6

where *d*_{c} is the correlator spacing of the discriminator in units of chips defining the offset of the early and late correlators with respect to the tracked PRN code phase. Traditionally, the autocorrelation function for GPS L1 C/A—to calculate the MEE—is approximated by a triangular-shaped function centered around zero (Van Nee, 1992). This function is zero outside of the triangular shape. However, Braasch (1997) points out that the autocorrelation function for a PRN sequence with a finite length has non-zero sidelobes. He demonstrated the relevance of these sidelobes on the code tracking error for a multipath signal. We follow the suggestion of Braasch (1997) and use the following approximation for the normalized autocorrelation function of the PRN codes:

7

where *τ* is in units of chips and *Γ* represents the level of the first sidelobe of the autocorrelation function depending on the used spreading code. We postulate that the sidelobe level is smaller than the main peak (i.e., |Γ| < 1). In the case of GPS L1 C/A, three sidelobe levels are possible. The normalized sidelobe levels are , , and .

It shall be emphasized that the defined quantities *τ, d*_{c}, and *d*_{sa} are in units of chips. However, to get a better feeling for the corresponding values in a positioning context, the lag value *τ* and the relative delay *d*_{sa} will be stated in meters, i.e., multiplied with the chip length of the GPS L1 C/A code: .

### 3.3 Stable and Unstable Tracking Points

To understand the effect of distortion on the S-curve, it is helpful to look at two examples. The top plots in Figure 1 show the (approximated) autocorrelation function for the satellite (green line), the additional signal (red line), and the absolute value of the sum of these two functions (blue line). The bottom plots show the corresponding S-curves: The output of the non-coherent early-late discriminator as shown in Equation (6). In the undistorted case (Figure 1a), the power of the additional signal is zero (i.e., *α*^{2} = 0).

The discriminator output can be used to steer the local replica: If it is positive (*D*(*τ*) > 0), the replica will be delayed, and if it is negative (*D*(*τ*) < 0), the replica will be advanced. Due to this mechanism, the DLL will track a position in the S-curve where *D*(*τ*) = 0 and . We call a lag value *τ* fulfilling these equations’ stable tracking points. In the bottom plot, it is marked by a red circle. In the undistorted example, this is fulfilled at a delay of *σ λ*_{C/A} = 0 m enabling the DLL to keep the replica matched with the incoming signal.

In the distorted case (Figure 1[b]), the additional signal has half the power of the satellite signal . It is delayed by *d*_{sa}*λ*_{C/A} = 100 m and its carrier is in counter phase to the satellite signal (i.e., Θ = 180°). In this example, the discriminator output is negative when the local replica matches the satellite signal. The mechanism assumes that the replica is delayed and advances it until the discriminator becomes zero or positive. That is fulfilled for a delay of about *σ λ*_{C/A} = −26 m. In the bottom plot, this stable tracking point is again marked with a red circle. Due to the distorion of the S-curve, in this example, the multipath causes a code tracking error of about *σ λ*_{C/A} = 26 m.

Complementary to the stable tracking points, we call a position in the S-curve, where *D*(*σ*) = 0 and , an unstable tracking point. Theoretically, a DLL could settle on such a point, because the discriminator function is zero. However, even the smallest offset to this point drives the DLL away from this position due to the sign of the discriminator function.

### 3.4 Recap of Multipath Error Envelope

The idea of the Multipath Error Envelope (MEE) is to calculate the stable tracking points as a function of the amplitude ratio *α*, the relative signal delay *d*_{sa}, and the correlator spacing *d*_{c} (Van Nee, 1992). To get rid of the relative phase offset, the MEE is defined using the worst-case tracking bias over the phase offsets. Again, it is helpful to look at an example: Figure 2(a) shows the course of the stable tracking points over the relative delay for the in-phase (Θ = 0°, solid blue line), the counter-phase (Θ = 180°, solid red line), and one phase in-between (Θ = 90°, solid green line). The plot is the result of solving the S-curve for zero crossings (*D*(*τ*) = 0) using the definition of Equation (6) with Equation (7). A fixed amplitude ratio, correlator spacing, and sidelobe level have been used.

The two curves corresponding to the in-phase (blue) and the counter-phase (red) cases form the well-known MEE. Van Nee (1992) identified these cases to be the worst regarding the tracking bias and used them to define the upper and lower bounds. Next to the calculated courses of the zero crossings, Figure 2(a) shows the MEE as suggested by Braasch (1997) as a black dotted line. The first two line segments of the envelope matches with the course of the zero crossings for in-phase (blue line) and counter-phase (red line). This is similar to the MEE of Van Nee (1992). For the last two line segments, Braasch considered the worst-case change of the sidelobes in the autocorrelation function to overbound the tracking error for large relative delays of the multipath echo. In contrast, the calculated course of the zero crossings (blue and red line) is used in Equation (7) to approximate the autocorrelation function. This approximation is limited to constant instead of changing sidelobes.

Figure 2(b) shows the same plots, but zooms out and reveals additional solutions for *D*(*τ*) = 0. In addition to the stable tracking points (solid lines), the unstable tracking points are plotted as dash-dotted lines. If we focus, for example, on the counter-phase case, we can see that there are courses for two different stable tracking points (upper and lower solid red lines). To determine which one will be tracked, it is helpful to take a look at unstable tracking points. Due to the working mechanism of the DLL (see Section 3.3), we can formulate the following rule:

On a vertical axis, the next stable tracking point that can be reached without crossing an unstable tracking point will be tracked.

With this rule, it becomes obvious that it matters in which state the code tracking was in before the additional signal comes into play. It is reasonable to expect that the satellite signal was tracked before the multipath occurs (*τ* = 0). With the defined rule and the starting position, it is straightforward to evaluate the expected tracking error in the example (Figure 2). Going back to the counter-phase case (red lines), we can now say that (starting from *τ* = 0) the lower stable tracking point will be tracked and not the upper one.

At this point, it should be emphasized that the MEE is only valid under the assumption that the power of the additional signal is less than the power of the satellite signal (*α*^{2} < 1). This assumption is reasonable for a multipath signal, because a multipath signal is a reflection and, therefore, usually less powerful than the original line-of-sight signal—unless the latter one is further attenuated, for example, by shadowing. However, this assumption does not hold for a spoofing signal.

## 4 CONSIDERATIONS RELEVANT FOR DERIVING THE SPOOFER ERROR ENVELOPE

This section extends the concept of the MEE to an additional signal that is more powerful than the authentic satellite signal (*α*^{2} > 1). To distinguish the additional signal from a multipath, we call it a spoofing signal, even though a spoofing signal could also have less power.

This section is divided into two subsections. The first subsection (4.1) demonstrates some challenges in deriving a Spoofer Error Envelope (SEE) compared to the MEE using an exemplary parameter set. The second subsection (4.2) extends this demonstration to six parameter sets and gives a numerically calculated bound of the tracking offset in the presence of a spoofing signal.

### 4.1 Effect of a Spoofing Signal on the S-Curve

In order to estimate the SEE, it is helpful to take a look at the S-curve in the presence of a spoofing signal. Figure 3 shows the correlation triangles and the S-curves for two different scenarios.

The setup is similar to the one of Figure 1(b), but the additional signal is more powerful relative to the authentic signal (*α*^{2} = 2 compared to ). The left scenario differs from the right scenario only by one parameter: In the left plots, a relative delay of *d*_{sa}*λ*_{C/A} = 100 m is used and in the right plots, *d*_{sa}*λ*_{C/A} = 120 m. For code tracking, this little change makes a huge difference. At this point, we want to recall the assumption that the receiver tracks the authentic signal before the spoofing signal is superposed (i.e., initially *τ* = 0).

In the left scenario, the discriminator output is positive for a lag value of zero (*D*(*τ* = 0) > 0). Therefore, the code replica in the receiver will be delayed until the discriminator output becomes zero at about *σ λ*_{C/A} = 126 m (red circle in the left plot). Whereas in the right scenario, the discriminator output is negative for a lag value of zero (*D*(*τ* = 0) < 0), resulting in a reduction of the delay until it reaches about *σ λ*_{C/A} = −158 m (red circle in the right plot). Summing up, in this example, a difference of 20 m in the relative delay between the satellite and the spoofing signal results in a tracking difference of about 284 m.

In the next step, we consider not only two, but a range of relative delays. Figure 4 plots the lag values yielding zeroes of the discriminator function (stable and unstable tracking points) over the relative signal delay.

At this point, we want to recall the earlier established rule governing how to read these plots from Section 3.4. From an arbitrary point in the plot, the next stable tracking point in the vertical direction (without crossing an unstable one) will be tracked. Applying this rule, one can determine the expected code tracking bias as a function of the relative delay. (To check the result: The expected tracking bias for this scenario is plotted in the left-center plot of Figure 5). In contrast to the expected bias in a multipath scenario, this function is not continuous. In the counter-phase case (red), a jump occurs at about *d*_{sa}*λ*_{C/A} = 112 m. Before this point (*d*_{sa}*λ*_{C/A} < 112 m), the upper solid red line will be tracked and after this point the lower solid red line will be tracked. For the in-phase case (blue), a similar jump occurs at about *d*_{sa}*λ*_{C/A} = 317 m.

Please note that such a jump does not mean that a receiver that tracks the upper tracking point will be driven to the lower one as the relative delay of the spoofing signal grows. Once locked onto a tracking point, the receiver will continue to stay on it and follow, for example, the upper curve. However, the receiver will lock onto the tracking point on the lower curve if the spoofer appears with a relative delay behind the position of the jump. Hence, the relative delay of the spoofing signal determines which curve (upper or lower) the receiver will follow.

### 4.2 Numerical Bounds for Tracking Error

Although Figure 4 allows for a first step towards a Spoofer Error Envelope, it still represents only a single set of parameters. To get a broader picture, Figure 5 shows the results for six scenarios with a larger variety of carrier-phase offsets (Θ ∈ {0°; 30°; 60°; 90°; 120°; 150°; 180°}). In these scenarios, the relative power of the spoofing signal ranges from *α*^{2} = 2 to *α*^{2} = 8 and the correlator spacing ranges from *d*_{c} = 0.1 to *d*_{c} = 1.

Plotting all stable and unstable tracking points would be confusing due to the number of graphs. Instead, the plots show only the stable tracking points that will be tracked according to the rule defined in Section 3.4. Therefore, we no longer call the lag value *lag* but rather the *expected code tracking bias* or, for short, *tracking bias*. To get the tracking bias, two steps are conducted:

The sign of

*D*(*τ*= 0) is checked to determine if the lag value of the relevant stable tracking point is above (*τ*> 0) or below (*τ*< 0) zero.The location of the next stable tracking point in the determined direction is numerically calculated using the properties

*D*(*τ*) = 0 and .

Figure 5 shows a numerically calculated bound for the code tracking bias as a black dashed line. This bound gives the minimal and maximal tracking bias over the carrier-phase offsets. For the shown bound, the carrier-phase offsets from −180° to 180° with a step size of 1° were considered.

The question we want to examine is: Can a worst-case tracking bias be described using only the in-phase and the counter-phase cases of the relative carrier phase? Therefore, we compare the numerical bound with the curves of these two cases.

Looking at the six scenarios in Figure 5, the lower numerical bound (lower black dashed line) can exclusively be described by the in-phase (blue line) and the counter-phase (red line) cases: The first two (bottom-left plot) line segments of this bound are given by the in-phase case. The remaining segments (after the jump) are given by the counter-phase case.

The upper numerical bound (upper black dashed line), on the other hand, is more tricky: Though the first two line segments of this bound can be described by the counter-phase case (red line), the next segment depends on different relative carrier phases. The following line segments (after the jump of the upper bound) can be described by the in-phase case (blue line). At this point, it is noteworthy that, even though it is not plotted, the upper stable tracking point of the counter-phase case (red line before the jump) is still present after the jump. Its ongoing course can be seen, for example, in Figure 4 (upper solid red line). In Figure 5, the corresponding curve stops at the jump because, at larger relative delays *d*_{sa}, the DLL switches to another stable tracking point as discussed in Section 4.1.

However, due to its course, it is useful for defining a non-tight upper bound even after the jump. Summing up, according to the six scenarios, a non-tight bound can be expressed exclusively by the in-phase and the counter-phase cases.

## 5 SPOOFER ERROR ENVELOPE

Based on the results of the previous sections, in this section we will define the Spoofer Error Envelope (SEE) for the non-coherent early-late discriminator (Section 5.1). The SEE is an analytical bound of the expected tracking bias induced by a spoofer. The second part of this section compares the defined bound with a numerical bound (Section 5.2) and simulation results from a receiver implementation (Section 5.3).

In addition to the results from the previous section, the concept of Braasch (1997) will be reused to define the bound for large delays *d*_{sa}. For delays larger than , he found the bound to be:

8

where Γ_{max} and Γ_{min} are the maximal and minimal possible sidelobe levels of the used PRN code (the possible sidelobe levels for GPS L1 C/A are given in Section 3.2). This bound was defined for the MEE (*α* < 1), but also holds under the assumption that . For GPS L1 C/A, the lowest limit of the ratio (given by the largest sidelobe level: ) is *α* ≤ 7.5 (i.e., the power of the spoofing signal compared to the satellite signal must not exceed 17.5 dB). This limit does not pose a problem because larger power ratios tend to knock out the receiver, forcing it to go into acquisition mode. However, we assumed that the receiver stays in the tracking state (compare to Section 2.3).

### 5.1 Defining a Spoofer Error Envelope

The expected tracking bias can be determined by finding stable tracking points. Stable tracking points are given solving *D*(*τ*) = 0 Equation (6) with (7). Including the information of the previous sections, we can identify the stable tracking points that will be tracked by the receiver depending on the initial tracking conditions and parameters. For this SEE, we assume that the authentic signal is tracked prior to the addition of the spoofing signal and that the correlator spacing is between zero and one chip (0 < *d*_{c} ≤ 1).

Complementary to the MEE, we postulate that the spoofer-to-authentic signal power is greater than one (*α*^{2} > 1) and, in order to reuse the bound of Braasch (1997) for long delays: . To give an overbound for all phase offsets, we use the bounds of the in-phase (Θ = 0°) and counter-phase (Θ = 180°) cases. This is justified by the observations in Section 4.2 and the detailed derivation in Appendix (A). Finally, a SEE can be defined as:

9a-d

and

10a-e

Cases (9a) and (9b) as well as (10a) and (10b) are basically the MEE from the point of view of the spoofing signal (see more details in Appendix A). Case (10c) is determined by the lower (stable) tracking point of the counter-phase. The cases (9d) and (10e) are the above mentioned bounds of Braasch (1997). Case (9c) and Case (10d) can be seen as a linear transition from Case (9b) to Case (9d) and from Case (10c) to Case (10e), respectively.

It should be noted that the formulas for the SEE are derived assuming a positive delay (*d*_{sa} > 0). However, a spoofer could also steer the signals to produce a negative delay. Due to the symmetry of the autocorrelation function, the discriminator function is odd symmetric, i.e. *D*(*τ, d*_{sa}) = −*D*(−*τ*, −*d*_{sa}). Hence, the function of the SEE can be continued in the negative domain of *d*_{sa} as an odd function, i.e., *τ*_{SEEMax}(−*d*_{sa}) = −*τ*_{SEEMax}(*d*_{sa}) and *τ*_{SEEMin}(−*d*_{sa}) = −*τ*_{SEEMin}(*d*_{sa}).

### 5.2 Comparing the SEE with a Numerical Bound

The Spoofer Error Envelope is visualized in Figure 6. Additionally, a numerical bound calculated as described in Section 4.2 is shown. Comparing the numerical bound with the proposed bound in Equations (9) and (10) reveals differences:

A part of the upper bound of the SEE (Equation [9b] and [9c]) is larger than the numerical bound (i.e., it is a non-tight bound). The upper bound of the SEE is determined by the upper stable tracking point of the counter-phase case. After the jump of the lower bound, this tracking point is (usually) no longer reached (even though it is still a valid stable tracking point). However, the location of the jump depends on the relative phase of the spoofing signal. This results in an upper bound depending on the relative carrier phase. For the sake of simplicity, we stick to the bound defined by the counter-phase case.

The jump of the upper bound of the SEE (transition from [9c] to [9d]) occurs at a higher delay than in the numerical bound. It is challenging to estimate the exact location of the jump and, in practice, this jump is not sharp. Therefore, it is reasonable to choose this simplification.

The jump of the lower bound (transition from [10b] to [10c]) is only tight for some parameters. As explained in Appendix A, the location of the jump is described by two different terms depending on the chosen parameters. The term chosen for the SEE describes the worst case for all parameters within the postulated ranges.

### 5.3 Comparing the SEE with Simulated Tracking Errors

Besides the enumerated differences, Figure 6 gives the impression that Equations (9d), (10d), and (10e) are not tight. This results from the approximation of the autocorrelation function according to Equation (7), which has been used to calculate the numerical bound. Compared to the changing sidelobes of an exact autocorrelation function, the approximation emulates constant sidelobes. Using the autocorrelation function of some specific PRN codes (e.g., PRN 8 of GPS L1 C/A) reaches this bound as shown in Figure 7 (right plot).

Figure 7 shows the SEE for a correlator spacing of *d*_{c} = 0.25 and with a spoofing-to-authentic signal power ratio of *α*^{2} = 2. Additionally, a number of simulated tracking error curves are shown for different relative carrier-phase offsets Θ between the authentic and the spoofing signal. For the simulations, the relative delay *d*_{sa}*λ*_{C/A} was varied from 0 m to 400 m with a step size of 1 m. The resulting tracking biases are connected with line segments. The left-hand plot shows the simulation results using PRN code 1 and the right-hand plot using PRN code 8.

The simulation results demonstrate that the jumps of the bounds are not sharp. In Figure 7, this is clearly visible for the red curve (Θ = 180°). The reasons for that is simple: Signal noise. A jump results from an unstable tracking point at *τ* = 0 as described in Section 4.1. By definition, the discriminator function is zero at the position of an unstable tracking point. Signal noise affects the discriminator output in a way that it deviates from the ideal value. At an unstable tracking point, on the other hand, a slight deviation of the discriminator output drives the DLL in a way that it drifts away from that point. The sign of the deviated discriminator value determines which stable tracking point is tracked.

Hence, the position of a jump should be interpreted as the point where the probability of tracking one or another stable tracking point is even. Due to this issue, the defined lower bound can be crossed around the jump in a simulation including signal noise.

Comparing the left-hand and the right-hand plot, it can be seen that the relative delay leading to the jump of the lower bound of the SEE depends on the used PRN code. To be more precise, it depends on the sidelobes of the autocorrelation function of the used spreading code. Regarding the position of the jump, the proposed worst-case bound is, for example, tight for PRN 8 but non-tight for PRN 1.

## 6 EFFECT OF A RELATIVE DOPPLER ON THE SPOOFER ERROR ENVELOPE

To derive the Spoofer Error Envelope, which is defined in Section 5, it was postulated that the relative Doppler between the authentic and the spoofing signal is zero. In this section, the effect of a relative Doppler on the Spoofer Error Envelope will be discussed. In order to analyze this effect, it is mandatory to understand how the SEE and the MEE depend on the power ratio. Therefore, the next two subsections evaluate how these envelopes change for different power ratios. The last subsection discusses the effect of a relative Doppler on the Spoofer Error Envelope.

### 6.1 The Multipath and the Spoofer Error Envelope Under Different Power Ratios

The MEE and the SEE are complementary regarding the additional-signal-to-authentic-signal power ratio. The MEE is defined for a signal weaker than the authentic signal (*α*^{2} < 1) and the SEE is defined for a stronger signal (*α*^{2} > 1). Figure 8 shows the MEE (left plot) and SEE (right plot) for different power ratios ranging from to *α*^{2} = 16. The result for the MEE is not surprisingly: A smaller power ratio results in a smaller envelope (i.e., the upper bound gets smaller and the lower bound gets larger). Due to the limited domain of the MEE (*α*^{2} < 1), a maximal (inflated) MEE—the largest distance between the upper and lower bounds—is given for a power ratio close to zero decibel *α*^{2} ≈ 1.

The result for the SEE is more complex. Two contrary behaviors can be distinguished:

For large relative delays, the change of the SEE is similar to the change for the MEE: A smaller power ratio results in a smaller envelope.

*Large relative delay*here means a part of the bound after the jump occurred. In Figure 8, this applies to relative delays larger than about 330 m for the upper bound. For the lower bound, the jump highly depends on the power ratio: A larger power ratio results in a jump farther to the right.The upper bound of the SEE for small relative delays (in this example, smaller than about 330 m) becomes smaller and the lower bound before the jump becomes larger for larger power ratios: The envelope shrinks. At first glance, this seems to be counter-intuitive. However, these parts of the bound are basically an MEE from the point of view of the spoofing signal and, from this point of view, a larger power ratio of the spoofing signal means that the multipath signal (actually the satellite signal) becomes relatively weaker. In other words, for a large power ratio, the SEE is smaller, because the spoofing signal is more dominant and can be tracked more precisely. In contrast to 1, a small power ratio results in more uncertainty and due to the limited domain the maximal (inflated) SEE, in this case, is given for a power ratio close to zero decibels.

Summing up, the MEE and parts of the SEE reach a worst-case bound regarding the tracking bias for the case that the satellite and the additional signal power are approximately equal. However, both envelopes are not defined for a power ratio of zero decibels and, looking at Figure 8, the envelopes do not merge for power ratio close to zero decibels. The transition from the MEE to the SEE is the topic of the next section.

### 6.2 Transition From Multipath to Spoofer Error Envelope

To understand why the MEE does not merge to the SEE for equally powered signals, it is helpful to plot the correlation triangle and the S-curve for such a case. Figure 9 shows these plots for the counter-phase case (Θ = 180°) and a relative signal delay of *d*_{sa}*λ*_{C/A} = 100 m.

At this point, it is helpful to recall the mechanism of how the DLL works (compare with Section 3.3). Due to the negative discriminator output for a zero lag (*D*(0) < 0), the DLL will advance the replica signal. The next stable tracking point is reached at about −37 m. However, it can be observed that there is not only a single stable tracking point in the S-curve, but a large plateau with *D*(*τ*) = 0 (red ellipse). On this plateau, the DLL is mainly driven by noise so that it is not possible to determine where on the plateau the DLL will stop. Therefore, the resulting tracking bias for this case can only be given as a range. In the example (Figure 9), the range is −160 m ≤ *τ λ*_{C/A} ≤ −37 m. A lower power ratio (*α* < 1) results in a single stable tracking point at about −37 m and a higher power ratio (*α* > 1) in a single stable tracking point at about −160 m.

Figure 10 plots the MEE and the SEE for an additional-signal-to-authentic-signal power ratio of one (*α* = 1).

The discrepancy between both envelopes is filled red. Even though some of the discrepancy results from the non-tight bounds of the defined SEE (see Section 5.1), it is mainly caused by the aforementioned plateaus of zero values. In practice, the transition at (*α* = 1) is not sharp. The closer the power ratio is to unity, the higher the probability that an arbitrary point of the plateau is tracked. So the transition can only be described by a random process for power ratios close to unity.

### 6.3 The Effect of a Relative Doppler

In Section 4, it was described how a GNSS receiver correlates the incoming signal with a local replica of the code and carrier signal to track the signal. The result of this correlation is mathematically described by the Ambiguity Function. In Section 4, it was assumed that the relative carrier frequency offset between the satellite and the spoofing signal was zero (*f*_{sa} = 0 Hz). Therefore, the simplified ambiguity function read (recall of Equation [4]):

11

In this section, the relative carrier frequency offset plays a role. Hence, Equation (3) can only be simplified to:

12

Equation (11) and Equation (12) differ in two significant respects:

The relative phase offset (Θ) in Equation (12) is time-dependent: In Equation (11) we assumed no relative carrier frequency offset, so that the relative phase offset was constant. With a relative carrier frequency offset, the relative phase offset varies.

The power ratio of the spoofing signal to the satellite signal is affected by the relative Doppler offset (

*f*_{sa}) and by the tracking mismatch of the carrier tracking loop to the satellite signal (*f*_{o}).

With the preliminary studies in the previous sections, we now have enough tools to discuss the effect of a relative Doppler on the Spoofer Error Envelope. For all of the following considerations, we presume that the tracking in the receiver is in a stable state and especially that the receiver has not lost lock. The expected tracking error in the presence of a spoofing signal depends on the relative Doppler:

For

**small relative Doppler offsets**, the effect of the sinc-function in Equation (12) is negligible. It is postulated that the phase lock loop (PLL) tracks the satellite signal (*f*_{o}= 0 Hz) before the spoofing signal is switched on and the sinc-function (in the denominator) is approximately unity for small values. Due to a changing phase offset Θ, the (relevant) stable tracking point of the S-curve rotates between the in-phase and the counter-phase case. The positions of the stable tracking points for varying phase offsets are visualized in Figure 5 and Figure 7 for some examples. Due to the relatively slow-changing phase offset, the DLL manages to follow the stable tracking points. Hence, the expected tracking bias for small relative Doppler offsets is within the bounds of the SEE. With an increasing relative Doppler offset (greater than the DLL loop bandwidth), the DLL averages the code tracking error until it converges to a single bias. As Kelly et al. (2003) and Van Nee (1993) demonstrated, the resulting bias is not necessarily the midpoint of the upper and lower bound of the MEE. Due to the similarities of the envelopes, the same can be expected for the averaged SEE bias.For

**medium relative Doppler offsets**, the effect of the sinc-function in Equation (12) is no longer negligible. Therefore, it can occur that a spoofing signal, which is more powerful than the satellite signal, appears to be equally strong or even weaker than the satellite signal. In such a case, the MEE needs to be considered as well. Even if the spoofing signal still appears to be more powerful than the satellite signal, the bounds of the SEE would need to be adapted to a lower power ratio (because the spoofing signal is attenuated in the correlation process). On the other hand, if the spoofing signal still appears stronger, it is most likely that the PLL will adapt to the spoofing signal (at least, if it is within the pull-in range of the PLL). This turns over the effect of the sinc-function factor to the favor of the spoofing signal and the power ratio*α*appears to be higher than it actually is. In this case, the SEE needs to be adapted as well. Summed up, the bounds for the tracking error are an overbound of the worst-case MEE (reached at about*α*^{2}= 1) and/or a mixture of two SEEs (one for the highest and one for the lowest possible power ratio). If the DLL tracks the spoofing signal but the Doppler of the spoofing signal is outside of the pull-in range of the PLL, the PLL might even lose lock. Depending on the implementation in the receiver, this leads to a re-acquisition of the satellite signal.For

**large relative Doppler offsets**, the effect of the sinc-function in Equation (12) is significant. Due to the postulation that the receiver tracks the satellite signal (*f*_{o}= 0 Hz) before the spoofing signal is switched on, the spoofing signal will appear (significantly) weaker than the satellite signal. Due to the low signal power, the PLL will continue to track the satellite signal. Therefore, instead of the spoofer, the Multipath Error Envelope needs to be considered. The power ratio for this resulting MEE can be calculated by considering the relative frequency offset, i.e.,*α*′ =*α*sinc(*f*_{sa}*T*). The effect of a relative Doppler offset on a multipath signal has been analyzed by Kelly et al. (2003). The results can directly be applied to this case here._{c}

Figure 11 shows some of the simulation results conducted with the simulation tool from Bamberg et al. (2018). It plots the experienced tracking bias over the relative code delay between the satellite signal and the spoofing signal for different relative Doppler offsets. The experienced tracking bias is averaged over one second. For each relative delay and for each Doppler offset, one simulation was conducted. Additionally, the SEE was plotted for comparison. At this point, it should be noted that the tracking errors for which the receiver detected a loss of lock of the tracked satellite are not shown in the plot. Consequently, some plots show gaps (e.g., *f*_{sa} = 40 Hz).

The plots in Figure 11 confirm the conclusions of this section: For small relative Doppler offsets, an averaged tracking bias of the SEE bounds is observed (*f*_{sa} = 10 Hz, 25 Hz, and 40 Hz). For medium relative Doppler offsets, the receiver tends to lose lock; however if not, the tracking error would be between the SEE and the MEE (*f*_{sa} = 55 Hz, 70 Hz, and 85 Hz). For large relative Doppler offsets, an average of the bounds of the MEE is tracked (e.g., *f*_{sa} = 100 Hz, 115 Hz, 130 Hz, and 145 Hz). The last mentioned plots show the same shape as the multipath errors for relative Doppler offsets (Braasch, 1992; Kelly et al., 2003; Van Nee, 1993), especially the plot for *f*_{sa} = 100 Hz. These results are in line with the findings of Kelly et al. (2003), who concluded that the average tracking bias becomes smaller for higher Doppler offsets (even in the context of a non-coherent discriminator).

## 7 GENERALIZED TRACKING BOUND

The Spoofer Error Envelope (SEE) was derived under the assumption that the relative delay between the spoofing signal and the authentic signal would stay approximately constant (see Section 2.3). However, this assumption is not always fulfilled. Due to satellite movement, dynamics of the user, active steering of the spoofer, etc., the quasi-static relative delay only holds for a limited amount of time. In this sense, the SEE bounds only an initial tracking error. In this section, we derive a more generalized tracking bound that accounts for time-varying relative delays between spoofing and authentic signals.

The main concept used to derive the SEE still applies to this generalized bound: The DLL tracks a position where the discriminator function is zero and has a negative slope (i.e., a stable tracking point [see Section 3.3]). Therefore, the positions of stable tracking points stay the same as in the case of the SEE. Also, the rule introduced in Section 3.4—defining at which stable point the DLL settles—still applies. However, in the case of the generalized bound, the DLL is not necessarily assumed to track the authentic signal and, therefore, the search for the next tracking point of the DLL can start from *τ* ≠ 0. For example, due to the previous spoofing effect, the DLL may settle on some lag value *τ*_{1} within the bounds of the SEE. If the relative delay changes, *τ*_{1} needs to be considered as the new starting point. Hence, for a generalized bound, we need to consider all stable tracking points and not only those that are reached with a starting point at *τ* = 0 (as done in Section 4.1).

Figure 12 shows the stable and unstable tracking points for the same spoofing scenario as Figure 4, but for more relative phase values. As mentioned before, all stable tracking points should be taken into account in order to derive the generalized bound. The stable tracking point with the largest tracking bias defines the upper bound and the tracking point with the lowest bias defines the lower bound of the generalized tracking bound. By comparing Figure 12 with Figure 6, it can be observed that most parts of the SEE can be used to define the generalized bound because the SEE is defined by the stable tracking points with the largest/lowest tracking bias.

Considering the upper bound, it is helpful that parts of the SEE, Equation (9b) and Equation (9c), were chosen to be non-tight (see Section 5.2). Only the last line segment after the (upper) jump (Equation [9d]) must be redefined for the generalized bound. Remember: From the point of view of the spoofing signal, the authentic satellite signal affects the tracking like a multipath signal. Hence, we can reuse the multipath bounds of Braasch (1997) from the point of view of the spoofing signal for large delays and replace Equation (9d) with:

13

For the lower bounds of the SEE, the two segments (Equation [10a] and Equation [10b]) before the (lower) jump of the SEE need to be redefined. The lowest stable tracking point in this area is defined by Equation (10c), but is only partly used for the bounds of the SEE. For the generalized bound, the range of the equation needs to be extended. For the sake of simplicity, we do not limit the extension as observed in Figure 12 but extend it until *τ* = 0. Hence, (10c) replaces (10a) and (10b). The resulting equation reads:

14

The remaining parts of the SEE can be directly taken for the generalized bound. The generalized bound is plotted in Figure 13 for different correlator spacings *d*_{c}. The SEE is also plotted in the figure so that the common parts of the SEE and the generalized bound in the case of *d*_{c} = 0.1 can be clearly recognized.

It can be observed that smaller correlator spacings lead to narrower bounds.

## 8 DISCUSSION OF THE APPLICATION OF INTRODUCED BOUNDS

In this work, we presented a method allowing us to compute the bounds of the tracking error of a receiver encountering a spoofing signal. The first bound, the Spoofer Error Envelope (SEE), gives a minimal and maximal (initial) tracking error for each parameter of the spoofing signal (relative delay, relative power, relative phase offset). We say *initial* here because the SEE assumes that, initially, the (authentic) satellite signal is tracked and that, at least, the relative delay of the spoofing signal remains constant. The second, more generalized bound even limits the tracking error without this assumption (i.e., the spoofer can arbitrarily change its signal parameters, but as soon as the DLL reaches a steady state, the corresponding tracking error limits are defined by this bound). The developed bounds can be used for these purposes:

The method used to derive these bounds allows for the development of a fundamental understanding of how a tracking loop is captured by a spoofing signal. This further gives a sense of the expected tracking error during a spoofing attack. Having this knowledge allows us the opportunity to design new receiver and signal structures that are more resilient against spoofing (new discriminators, new modulation schemes, etc.).

Furthermore, the method can be used to compare the effect of different receiver configurations, different discriminators, and different signal structures on the expected tracking error. Consequently, state-of-the-art receiver configurations can be adapted to reduce the effect of a spoofing signal, and, hence, be more resilient against spoofing attacks.

The bounds allow for the design of integrity monitors that can identify critical spoofing cases: A spoofing case, in the sense of delay/power combinations, is critical if the tracking error exceeds an alert limit. To design such a monitor, it is first necessary to analyze which spoofing cases must be detected with a high probability. The proposed method can be used to identify these cases for a given receiver design (discriminator, correlator spacing, etc.).

## 9 CONCLUSION

In this paper, we presented a method to assess the effect of a spoofing signal on the tracking of an authentic satellite signal in terms of a code tracking bias. To demonstrate the method, we derived and proposed a Spoofer Error Envelope (SEE) for the widely-used non-coherent discriminator tracking the GPS L1 C/A signal. The SEE complements the methodology of the Multipath Error Envelope (MEE) described by Braasch (1997) and Van Nee (1992) to spoofing signals. While the MEE assumes that the additional signal (the multipath) is less powerful than the satellite signal (line-of-sight), the SEE is valid for additional signals that are more powerful than the satellite signal.

The proposed SEE is (like the MEE) independent of the relative phase between the additional signal and the satellite signal. Both envelopes are based on the expected tracking error of the in-phase and the counter-phase cases. To legitimatize this approach, we demonstrated that the aforementioned cases represent the worst-case regarding the tracking error. Parts of this demonstration are based on numerical results for highly relevant cases. These cases include different parameter settings, which are, for example, within the defined range of the MOPS as defined by RTCA SC-159 (2019). In addition, the SEE was verified by comparing it to results from signal tracking simulations using synthetically generated signals. A complete analytical proof is a challenge of future work.

In addition, we discussed the effect of a relative Doppler offset between the satellite and the spoofing signal on the SEE. In order to analyze the effect, we gave a short digression on the transition from the MEE to the SEE as a function of the additional-signal-to-satellite power ratio. Finally, we presented a generalized bound that can be used in dynamic spoofing scenarios to assess the tracking error development in the course of a spoofing attack.

The SEE allows us to assess the tracking error for spoofing signals as a function of the relative signal power, the relative signal delay, and the sidelobe level of the corresponding autocorrelation function as well as the correlator spacing of the early-late discriminator. Additionally, the methodology allows for an assessment of the tracking errors for arbitrary discriminator functions and even for new signal structures. Consequently, the assessment can not only be used to improve the receiver system, but also to develop new—more resilient—signal structures.

## HOW TO CITE THIS ARTICLE

Bamberg, T., Konovaltsev, A., & Meurer, M. (2022) Developing a Spoofer Error Envelope for tracking GNSS signals. *NAVIGATION, 69*(3). https://doi.org/10.33012/navi.534

## APPENDIX

## A PROOF OF BOUNDS

In this section, we show and give evidence that the Spoofer Error Envelope (SEE), as defined in Section 5.1, describes a bound of the tracking bias *τ* for all phase offsets Θ. Let *τ*_{stp}(*d*_{sa}, Θ) be the stable tracking point that will be tracked according to the set of parameters and the assumption that the satellite is tracked before the spoofing signal is switched on. Mathematically, we want to show that:

A1

A2

for all phase offsets 0° ≤ Θ 360° and all positive signal delays 0 < *d*_{sa}.

As described in Section 3.2 and Section 5.1, we postulate:

A3a

A3b

A3c

#### A.1 Zones

To proof the bounds, we analyze the envelope separately for three zones with respect to *d*_{sa}, depending on the sign of the discriminator value at *τ* = 0. These zones are visualized for an exemplary SEE in Figure A1.

**Zone 1**In the first zone (0 <*d*_{sa}<*d*_{sa,jump}), the discriminator output at*τ*= 0 is positive for all Θ, i.e.,*D*(*τ*= 0). Due to the mechanism of the DLL (see Section 3.3), the replica will be delayed until it reaches a stable tracking point (i.e.,*τ*_{stp}> 0). Only the upper stable tracking point needs to be considered.**Zone 2**In the second zone , the discriminator output at*τ*= 0 depends on Θ. Both upper (*τ*_{stp}> 0, delayed replica) and lower (*τ*_{stp}< 0, advanced replica) stable tracking points need to be considered.**Zone 3**In the third zone , the discriminator output at*τ*= 0 is always zero. This is readily shown by solving*D*(*τ*= 0) = 0 for . However, for the SEE, we used the tracking bias estimation of Braasch (1997) to account for changing sidelobe levels.

In the next step, we will focus on the border between Zone 1 and Zone 2. This is split into three sections:

We show that Zone 1 always exists, i.e., there is a

*d*_{sa,jump}> 0 so that*D*(*τ*= 0) > 0 for 0 <*d*_{sa}<*d*_{sa,jump}.We determine potential upper limits of Zone 1 with respect to the relative phase Θ.

In order to ensure that we have

*D*(*τ*= 0) > 0 in Zone 1 for all phases Θ, we determine the lowest of the potential upper limits to define the upper limit of Zone 1 (*d*_{sa,jump}).

##### A.1.1 Zone 1 Always Exists

Evaluating Equation (6) together with Equation (7), some algebraic manipulations of *D*(*τ* = 0) > 0 under the assumption yield:

A4

As indicated, this is true for all parameters within the predefined range (A3). Hence, Zone 1 always exists and spans at least the range .

#### A.2 Potential Upper Limits of Zone 1

The discriminator function *D* as shown in Equation (6) is continuous because of the approximation of the autocorrelation function in Equation (7), the applied operations and the composed absolute value function are continuous. (The autocorrelation function is a piecewise-defined sequence of straight lines and there is no discontinuity at the endpoints of the subdomains.) Due to the continuity of the discriminator function *D* and (A4), we can conclude that the upper limit of Zone 1 is given by a root of the discriminator function at *τ* = 0.

Solving *D*(*τ* = 0) = 0 (Equation [6] and Equation [7]) under the assumptions defined in Equation (A3) and within the range yields:

To determine if the equation *D*(*τ* = 0) = 0 has a solution, we focus on the subdomains of Equation (A5). Within the postulated assumption of Equation (A3), the upper bound of Equation (A5a), , is always true. Hence, we only need to evaluate the lower bound of Equation (A5b):

A6

If this condition is fulfilled, *D*(*τ* = 0) = 0 has a solution within the range . If not, Equation (A5) is not defined and the next zero of *D*(*τ* = 0) (with respect to *d*_{sa}) is given at . (Remember that *D*(*τ* = 0) = 0 is always fulfilled for .) This means that, for some Θ, the discriminator output at zero is always greater or equal to zero (*D*(*τ* = 0) ≥ 0), i.e., only the upper stable tracking point needs to be considered for these phases. To get a better feeling for this condition it is helpful to set the sidelobe level to zero, i.e., Γ = 0. Then Equation (A6) becomes:

A7

In this special case, a lower stable tracking point (*τ*_{stp} < 0) needs to be considered for 90° < Θ < 270°. For all other phases, only the upper stable tracking point (*τ*_{stp} ≥ 0) needs to be considered.

##### A.2.1 The Upper Limit of Zone 1

Zone 1 is supposed to span the range of *d*_{sa}, where all phase offsets Θ result in a positive discriminator output. Therefore, we need to find the smallest delay, *d*_{sa}, defined by Equation (A5) that yield a root of the discriminator function for *d*_{sa} > 0 over all phase offsets:

A8

Note, that this delay also gives the earliest jump of the SEE over all phases Θ (see Section 4.1).

Basically, both sub-functions of Equation (A5) are a product of the cosine function with a factor and a subsequent addition. The factor is positive, i.e., , for the postulated ranges *d*_{c} ≤ 1 and |Γ| < 1). Hence, within the range 0° ≤ Θ < 360°, both sub-functions have a global maximum at Θ = 0° (in-phase case) and a global minimum at Θ = 180° (counter-phase case)

We now know the global minimum of the individual functions of the subdomains without considering its limits. Looking at Equation (A6) shows us that if Equation (A5) is defined for any phase, then it is also defined for Θ = 180°. Furthermore, it is straightforward to show that the sub-function (A5a) is smaller than (A5b) within the subdomain of Equation (A5b):

A9

A10

Equation (A10) is the same as the upper limit of the subdomain (A5b) and, hence, if we are in the subdomain of Equation (A5b) and if Equation (A5) is defined, this statement is true.

##### A.2.2 Summary

Summing up, we now have the following statements:

For , we have

*D*(*τ*= 0) > 0.The function of

*D*is continuous and, in the range , we have a zero of*D*at*d*_{sa}(Θ) as described by Equation (A5).The functions of the two subdomains of

*d*_{sa}(Θ), Equation (A5), have a global maximum at Θ = 0° and a global minimum at Θ = 180°.The sub-function (A5a) is smaller than the sub-function (A5b) in the subdomain of Equation (A5b).

If Equation (A5) is defined for an arbitrary phase Θ, it is always defined for Θ = 180°.

Putting all the information together, we can use Equation (A5a) to define the upper limit of Zone 1. We have shown that a relative delay *d*_{sa} greater than zero but smaller than:

A11

The discriminator output at zero is always positive, i.e., *D*(*τ* = 0) > 0.

#### A.3 Bounds of the Tracking Bias Over all Phases

In the previous section, we defined three zones with respect to *d*_{sa}. In this section, we will show for each zone individually that the stable tracking point *τ*_{stp} used for the SEE defined by Equation (10) and Equation (9) describes a bound over all phase Θ.

To get a better understanding of *τ*_{stp}, Figure A2 displays the numerically calculated code tracking bias of stable tracking points as a function of the phase. The figure is separated into eight subfigures representing different parameter sets of the relative power *α* and the correlator spacing *d*_{c}. In each subfigure, the relevant stable tracking point *τ*_{stp} is plotted as a bold line for different delays *d*_{sa}. Non-relevant stable tracking points are plotted as dashed lines. *Relevant* here means that this stable tracking point is tracked due to the mechanism of the DLL evaluating the discriminator output at *τ* = 0.

##### A.3.1 Zone 1

Looking at the delay of 50 m (blue line), which is smaller than *d*_{sa,jump} for all displayed parameter sets, confirms the statement for Zone 1: Only the upper stable tracking point is relevant. In some subfigures, an additional lower stable tracking point is shown. However, it is never relevant as indicated by the dashed line. The same applies to the red line (150 m) of the higher relative power *α*^{2} = 8 and in the bottom-left subfigure (*α*^{2} = 2, *d*_{c} = 1.0) as well as for the green line in the bottom-right subfigure (*α*^{2} = 8, *d*_{c} = 1.0). These plots still belong to Zone 1, as the upper limit of Zone 1 shifts to a higher relative delay *d*_{sa} for higher relative powers and larger correlator spacings.

The plots indicate that there is a minimum of the upper stable tracking point for Θ = 0° and a maximum for Θ = 180°. The exact phases of the extrema can not be read from the plots. However, the proof that the derivative of a stable tracking with respect to the phase is zero at these points is supported by Appendix B. Furthermore, the problem of solving for the upper stable tracking points can be transferred to a multipath scenario and the extrema are then given by the MEE. For the dual-problem, we define the spoofing signal as the satellite signal and the (original) satellite signal as the multipath signal. The MEE can be considered because:

We postulated that the spoofing signal has higher power than the satellite signal (

*α*> 1). Hence, the newly defined multipath signal is weaker than the newly defined satellite signal (i.e., ).We postulated a delayed spoofing signal compared to the satellite signal (

*d*_{sa}> 0). Hence, the newly defined multipath signal is advanced compared to the newly defined satellite signal (i.e., ). The MEE is usually only defined for positive delays because a multipath signal is always a delayed replica of the line-of-sight signal. However, due to the symmetry of the autocorrelation function, the discriminator function is odd symmetric*D*(*τ, d*_{sa}) = −*D*(−*τ*, −*d*_{sa}). Hence, the function of the MEE can be continued in the negative domain of*d*_{sa}as an odd function.

It is well known that the in-phase case (Θ = 0°) poses an upper bound of the tracking bias in the multipath scenario over all phases as well as the counter-phase case (Θ = 180°) poses a lower bound (Braasch, 1997; Van Nee, 1992). Due to the odd symmetry, the upper bound of a negative delay *d*_{sa} becomes a lower bound and vice-versa. Back to the SEE, we can now say that the counter-phase case is an upper and the in-phase case a lower bound of the (upper) stable tracking point.

##### A.3.2 Zone 2

In Figure A2 the following graphs belong to Zone 2:

The remaining red plots (150 m) that are not listed in the previous section; these are in the top three left subfigures (

*α*^{2}= 2 and*d*_{c}∈{0.05, 0.1, 0.25}).All green plots (250 m) except of the one in the bottom right subfigure (

*α*^{2}= 8,*d*_{c}= 1.0)The orange plots (350 m) in the bottom subfigures (

*d*_{c}= 1.0)

In Zone 2, the situation is more complicated than in Zone 1: Depending on the parameter set, we have up to four jumps (as it is an even function with two jumps on each side). For a correlator spacing of *d*_{c} = 0.25 and, in the bottom-left plot, the green line shows two jumps. In all remaining graphs four jumps can be observed.

We can use the same reasoning as for Zone 1 to show that the counter-phase case (Θ = 180°) poses an upper bound. Even though the bound is not always reached—as the relevant stable tracking point switches to a lower one for a range around Θ = 180°—it is still a valid stable tracking point and, therefore, limits the tracking bias. Remember, the presence of a stable tracking point is indicated by a dashed line in the plots.

For the lower bound, we need to consider the lower stable tracking points (*τ* < 0). As indicated by the jumps in the course, there are up to two different lower stable tracking points. One lies around zero and is defined for two ranges (excluding a range around Θ = 180°). The second one lies lower and is defined exclusively for a range around Θ = 180°. The latter is needed for a bound that is lower than the former. The graph indicates that the lower stable tracking point is a continuous and differentiable function including a minimum at Θ = 180°. Hence, applying Appendix B gives strong evidence for a minimum at Θ = 180° for the lower stable tracking point.

Summing up, for Zone 2 the in-phase case of the upper stable tracking point gives an upper bound and the in-phase case of the lower stable tracking point gives a lower bound.

##### A.3.3 Zone 3

For most of the displayed parameter settings in Figure A2, a relative delay of 350 m (orange line) belongs to Zone 3 (all except the two bottom subfigures with a correlator spacing of *d*_{c} = 1.0). As already mentioned and confirmed in the plots, finding zeros of *D*(*τ*) for relative delays, , lead to a constant solution at *τ* = 0 over all phases Θ. The reason for this solution is that the autocorrelation function is approximated using a constant sidelobe level; see Equation (7). However, Braasch (1997) derived a lower/upper limit of:

A12

by considering the maximal and minimal slope between two adjacent sidelobe levels of the autocorrelation function Γ_{max} − Γ_{min}. The derived limits apply for:

A13

which was postulated in Equation (A3).

## B CHARACTERISTICS OF THE IN-PHASE AND COUNTER-PHASE REGARDING TRACKING BIAS

In this section, we want to give evidence that the in-phase Θ = 0° and the counter-phase Θ = 180° cases give (local) extrema regarding the tracking bias. We assume there are continuous and differentiable functions *τ*_{stp,k}(Θ) describing the stable tracking point *k* (some parameter sets yield more than one solution) as a function of the relative carrier phase. It is challenging to give an explicit solution for all *τ*_{stp,k}(Θ). Therefore, we shall confine ourselves to show that the derivation of these functions is zero for the in-phase and the counter-phase case.

Mathematically, we want to show that:

B1

To get the derivative without solving the explicit form, we use a method called implicit differentiation. The approach can be described by the following steps:

Calculate the implicit differentiation and rearrange the equation to give the derivative of

*τ*_{stp,k}(Θ) (the derivative will be given by a fraction).Show that the nominator of the derivative is zero for the in-phase and the counter-phase cases.

Show that the denominator of the derivative is non-zero for the in-phase and the counter-phase cases.

#### B.1 Calculate the Implicit Differentiation

By definition, the functions *τ*_{stp,k}(Θ) give stable tracking points:

B2

Using the method of the implicit differentiation yields:

B3

For , we get:

B4

#### B.2 Show That the Nominator of the Derivative is Zero for the In-Phase and the Counter-Phase Cases

The partial derivative of the S-Curve given by Equation (6) with respect to Θ reads:

B5

For the in-phase and for the counter-phase, one can show by setting Θ = 0° and Θ = 180° that this partial derivative is zero:

B6

With this information and Equation (B4), we know that:

B7

and:

B8

#### B.3 Show That the Denominator of the Derivative is Non-Zero for the In-Phase and the Counter-Phase Cases

An explicit form of the denominator of Equation (B4) is not available in general. Therefore, we want to demonstrate that this term is only zero for a specific and limited amount of values of Θ.

For the in-phase and the counter-phase case, Equation (6) becomes:

B9

with *α*_{pm} = *α* for the in-phase and *α*_{pm} = −*α* for the counter-phase case, respectively.

To get a better understanding of Equation (B9), we define:

B10

With this, Equation (B9) becomes:

B11

Considering the approximation of the autocorrelation function *R*(.) given by Equation (7), it becomes quite obvious that *R _{α}*

_{pm}(

*x*) is a piecewise-defined sequence of straight lines:

*R*(.) is a piecewise-defined sequence of straight lines by definition and the linear combination of two lines is, again, a line. The same goes for the S-curve

*D*

_{i/c}. The examples in Figure 1 and Figure 3 in the main text may illustrate the resulting S-curve. Additionally, the S-curve

*D*

_{i/c}is continuous due to the continuity of the autocorrelation function

*R*(.) and the continuity of the applied operations. However, they are only differentiable with respect to

*τ*within one line segment and not at the corners. Summed up, the S-curve

*D*

_{i/c}is a continuous function of line segments.

Hence, the derivative of the S-curve with respect to *τ* is zero if and only if the S-curve has a horizontal line segment (i.e., a line segment with a slope of zero). A horizontal line segment of the S-curve is only given if the positions and are within one line segment of the summed autocorrelation function *R _{α}*

_{pm}(

*x*) or within two line segments with the same slope. This can again be retraced in the shown examples (Figure 1 and Figure 3).

By the definition of *τ*_{stp,k}(Θ), it must hold that *D*(*τ*_{stp,k}(Δ), Δ) = 0. Hence, the aforementioned horizontal line segment of the S-curve must be zero and the positions and must be within one horizontal line segment of the summed autocorrelation function *R _{α}*

_{pm}(

*x*) or within two line segments with the same slope and same level. The summed autocorrelation function, again, is a linear combination of two autocorrelation functions that are constant except for an isosceles-triangular-shaped part—compare to Equation (7).

The linear combination yields a horizontal line segment only if:

The flanks of the triangular shapes of the two functions have the same (absolute) slope; we can neglect this case because it is only given for |

*α*_{pm}| = 1 but we presumed*α*> 1.We consider a position outside of the triangular shapes of both functions; this position is not of interest because we start from the center of one triangular (the satellite is tracked before spoofing) and another stable tracking point will be reached first.

With this reasoning, it can be said that the denominator in Equation (B4) is (in general) not zero at the locations of stable tracking points and therefore:

B12

hold for all relevant positions. Hence, the in-phase and the counter-phase cases give extrema or saddle points regarding the tracking error.

This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.