Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

Emile Ghizzo; Mathieu Hussong; Julien Lesouple; Carl Milner; Axel Garcia-Pena,; Christophe Macabiau

doi:10.33012/navi.724

Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

Emile Ghizzo
Emile Ghizzo
¹Fédération ENAC ISAE-SUPAERO ONERA, Université de Toulouse, France
- Find this author on Google Scholar
- Find this author on PubMed
- Search for this author on this site
- For correspondence: [email protected]
Mathieu Hussong
Mathieu Hussong
¹Fédération ENAC ISAE-SUPAERO ONERA, Université de Toulouse, France
Julien Lesouple
Julien Lesouple
¹Fédération ENAC ISAE-SUPAERO ONERA, Université de Toulouse, France
Carl Milner
Carl Milner
¹Fédération ENAC ISAE-SUPAERO ONERA, Université de Toulouse, France
Axel Garcia-Pena,
Axel Garcia-Pena,
¹Fédération ENAC ISAE-SUPAERO ONERA, Université de Toulouse, France
and Christophe Macabiau
Christophe Macabiau
¹Fédération ENAC ISAE-SUPAERO ONERA, Université de Toulouse, France

NAVIGATION: Journal of the Institute of Navigation
December 2025,
72
(4)
navi.724;
DOI: https://doi.org/10.33012/navi.724

PDF

Abstract

In the context of global navigation satellite systems (GNSSs), synchronization is crucial for successfully decoding the navigation message and accurately estimating pseudoranges. Synchronization of each received GNSS signal typically involves at least two tracking loops: a delay lock loop (DLL) and a phase lock loop (PLL). The reception of a spoofed signal disrupts the synchronization process, potentially leading to erroneous pseudorange estimation or loss of service. This paper investigates the impact of spoofing on code, carrier phase, and frequency tracking estimates and proposes a transformation-based strategy to characterize the joint DLL and PLL under spoofing, focusing on the system’s stable equilibria (SE), linearity and interdependence, transient response, and noise impact. The study reveals the nonlinearity and interdependence of the tracking loops (i.e., the PLL and DLL cannot be considered separately) and shows the emergence of multiple SE, leading to potential chaotic behavior and bifurcation.

Keywords

1 INTRODUCTION

Global navigation satellite systems (GNSSs) have become indispensable for precise positioning and temporal synchronization. GNSS technology is utilized in terrestrial, aerial, and maritime navigation, as well as for timing in critical infrastructure and automated processes. However, this widespread dependence on GNSSs introduces vulnerabilities that, if maliciously exploited, can lead to significant consequences. Among these threats, spoofing is particularly insidious (Psiaki & Humphreys, 2016).

A GNSS spoofer is a device that generates or re-transmits counterfeit GNSS signals, capable of deceiving a receiver and inducing erroneous position, velocity, and time solutions. Spoofers are typically categorized based on their level of sophistication and intent (Fernández-Hernández et al., 2019). Depending on the sophistication level and intent, the received spoofing signal may be synchronized or unsynchronized in time, frequency, and phase with the authentic signals. Furthermore, the spoofer can transmit either a duplicate or a modified version of the navigation message. However, as demonstrated by Hussong et al. (2023), regardless of the spoofer’s sophistication level and intent, its impact at the correlator output can be classified into four scenarios: nominal, induced jamming, induced spoofing, and induced multipath, as briefly outlined in this paper.

In a GNSS receiver, carrier and code synchronization is essential for successfully decoding navigation messages and accurately determining the code and carrier pseudoranges of a specific satellite. Each received GNSS signal is tracked using at least two tracking loops: a delay lock loop (DLL) and a phase lock loop (PLL). Tracking loops can be implemented in either analog or digital form, with their relationship discussed by Stephens and Thomas (1995). In this paper, we consider a digital tracking loop. Such a loop, depicted in Figure 1, typically consists of three components: (1) a detector, (2) a low-pass filter, and (3) a numerically controlled oscillator (NCO) (Gardner, 2005, Chapter 1). The detector measures the synchronization error between the incoming signal and the local replica generated by the NCO. In GNSS receivers, the detector comprises a correlator and a discriminator. The output of the detector is then filtered by the low-pass filter, whose control output is applied to the NCO.

FIGURE 1

Typical architecture of a digital tracking loop; I&D: integrate and dump

In the context of spoofing, the outputs of tracking loops (e.g., code, phase, and frequency measurements or correlator outputs) have been extensively proposed for detection. For instance, Spens et al. (2022) introduced spoofing detection methods based on metrics from smartphone receivers, while Demir et al. (2023) presented a detection algorithm for code pseudoranges using hyperbola equations. Additionally, Radin et al. (2015) and Stenberg et al. (2020) utilized double-difference pseudoranges between multiple receivers for detection, whereas Tao et al. (2019) focused on monitoring Doppler measurements to identify spoofing.

The impact of spoofing on tracking loops has been highlighted in the literature through simulations and collected measurements. For example, Kerns et al. (2014) examined the probability of locking onto spoofing signals while accounting for the presence of additional re-radiated Gaussian noise. Similarly, Kim et al. (2012) simulated the effects of a frequency-synchronous spoofer for three different relative delays. Bamberg et al. (2018) analyzed the dynamics of DLL and PLL behaviors, highlighting potential bifurcations under various loop parameters. Furthermore, Peng et al. (2019) emulated the impact of intermediate frequency-asynchronous spoofing signals on different DLL and PLL discriminator types and loop bandwidths, whereas Gao and Li (2023) observed the impact of spoofing on PLL-assisted DLL tracking loops.

Although the behavior of tracking loops is relatively predictable for frequency-synchronous spoofers (Kerns et al., 2014; Kim et al., 2012), asynchronous spoofers (Bamberg et al., 2018; Gao & Li, 2023; Peng et al., 2019) can induce unpredictable behaviors, such as oscillations or convergence toward dynamics representing neither the authentic nor the spoofing signal.

These features highlight the necessity of characterizing tracking loops under spoofing. Developing a model of loop behavior under spoofing would not only enable the quantification of pseudorange errors and the identification of unpredictable threats based on receiver architecture and spoofing geometry, but would also facilitate the development of more sophisticated detection methods leveraging loop observables.

In the literature, tracking loop behavior under spoofing is primarily modeled through the analysis of discriminators, as originally proposed for multipath interference (Spilker Jr et al., 1996; Van Nee, 1996). For instance, Bamberg et al. (2022) computed the spoofing error envelope (SEE) of the DLL for low- and high-power spoofing signals, whereas Wang et al. (2023) examined the DLL discriminator shape under spoofing. Similarly, Ma et al. (2020) investigated the PLL and DLL discriminators in the presence of a synchronous spoofer. However, for sufficiently strong signals, such as spoofing signals, the impact extends beyond inducing a bias in the discriminator to also distorting its shape, thus undermining the linearity assumption of tracking loops. In such cases, discriminator analysis alone is insufficient to fully characterize the system; instead, the full dynamic response must be considered, including the transient response, nonlinearity, or DLL and PLL interdependence.

In this context, this paper investigates the impact of spoofing on code and carrier phase tracking and proposes a transformation-based strategy to characterize the DLL and PLL under spoofing. The proposed model not only accounts for the estimation errors caused by discriminator distortion but also captures the complete dynamic behavior of the joint DLL and PLL, including both the transient response and the locked state. This study is achieved by analyzing the system’s linearity and interdependence properties, identifying possible points of convergence, and studying the system’s stochastic behavior under spoofing. The system’s dynamic behavior is evaluated for each spoofing-induced scenario introduced by Hussong et al. (2023).

This paper is organized as follows. Section 2 summarizes the classification of correlator outputs under spoofing as presented by Hussong et al. (2023), and Section 3 introduces the closed-loop model necessary for this paper. Section 4 presents the proposed method for analyzing the general closed-loop model. In Section 5, the method is applied to characterize the deterministic loop behavior under spoofing for each spoofing-induced scenario. The stochastic behavior is then analyzed in Section 6. Finally, Section 7 presents a numerical solution of the closed-loop model with simulated results.

Summary of Paper Notations

η_a: Authentic dynamic $(η_{a} = {[\begin{matrix} τ_{a}, & θ_{a}, & f_{a} \end{matrix}]}^{T})$
η_s: Spoofing dynamic $(η_{s} = {[\begin{matrix} τ_{s}, & θ_{s}, & f_{s} \end{matrix}]}^{T})$
Δη: Relative dynamic $(Δ η = {[\begin{matrix} Δ τ, & Δ θ, & Δ f \end{matrix}]}^{T})$
Δv: Relative parameters $(Δ v = {[\begin{matrix} Δ η^{T}, & Δ g \end{matrix}]}^{T})$
η_eq: Equivalent dynamic $(η_{eq} = {[\begin{matrix} τ_{eq}, & θ_{eq}, & f_{eq} \end{matrix}]}^{T})$
Δη_eq: Relative equivalent dynamic $(Δ η_{eq} = {[\begin{matrix} Δ τ_{eq}, & Δ θ_{eq}, & Δ f_{eq} \end{matrix}]}^{T})$
Λ_E, Λ_P, Λ_L: Early, prompt, and late correlator outputs
$\hat{η}$: Estimated parameters $(\hat{η} = {[\hat{τ}, \hat{θ}, \hat{f}]}^{T})$
ε_η: Nominal tracking error $(ε_{η} = {[\begin{matrix} ε_{τ}, & ε_{θ}, & ε_{f} \end{matrix}]}^{T})$
ε_η,eq: Equivalent tracking error $(ε_{η, eq} = {[ε_{τ, eq}, ε_{θ, eq}, ε_{f, eq}]}^{T})$

N_τ: DLL order
d_τ: DLL discriminator
D_τ: DLL discriminator z-transform
F_τ: DLL low-pass filter transfer function
κ_τ,n: DLL low-pass filter coefficients
$\hat{δ τ}$: Code NCO input
c_τ: Early-late delay spacing
T_i: Correlator integration time
N_θ: PLL order
d_θ: PLL discriminator
D_θ: PLL discriminator z-transform
F_θ: PLL low-pass filter transfer function
κ_θ,n: PLL low-pass filter coefficients
$\hat{δ θ}$: Carrier NCO input
β: Carrier-aiding scaling factor

2 PRELIMINARIES: CORRELATOR OUTPUT UNDER SPOOFING

The impact of spoofing on correlator output has been previously analyzed by Hussong et al. (2023), where a classification of correlator outputs under spoofing was proposed to facilitate the analysis of spoofing effects on the post-correlation stage. This section briefly introduces the key concepts necessary to understand the impact of spoofing on the post-correlation stage and the classification employed in this work.

2.1 Dynamics

Throughout the paper, $η_{a} = {[τ_{a}, θ_{a}, f_{a}]}^{T}$ denotes the dynamic parameters of the authentic signal, which include the authentic code delay, carrier phase, and carrier frequency, whereas C_a represents the received power of the authentic signal. Similarly, $η_{s} = {[τ_{s}, θ_{s}, f_{s}]}^{T}$ denotes the dynamic parameters of the spoofing signal, comprising the spoofing code delay, carrier phase, and carrier frequency, and C_s represents the received power of the spoofing signal. The relative dynamic between the authentic and spoofing signals is defined as $Δ η = η_{s} - η_{a} = {[Δ τ, Δ θ, Δ f]}^{T}$ , and the relative power is expressed as $Δ g = C_{s} / C_{a}$ . These relative parameters are gathered in $Δ v = {[Δ η^{T}, Δ g]}^{T}$ . All parameters are continuous and time-varying. It is important to note that the carrier phase and carrier frequency are related as follows:

$\begin{matrix} f_{a} = \frac{1}{2 π} \frac{d θ_{a}}{d t}, & f_{s} = \frac{1}{2 π} \frac{d θ_{s}}{d t}, & Δ f = \frac{1}{2 π} \frac{d Δ θ}{d t} \end{matrix}$ 1

Additionally, considering the sampling induced by the correlator (with the integration time T_i as the sampling period), we denote ψ[k] as the dynamic parameters evaluated at the midpoint of the k-th integration interval [kT_i,(k+1)T_i], defined as ψ[k]=ψ((k + 0.5)T_i), where $ψ \in {η_{a}, η_{s}, Δ η, C_{a}, C_{s}, Δ g}$ .

Finally, we define the nominal tracking error ε_η[k] as the difference between the authentic parameters η_a[k] and the estimated parameters $\hat{η} [k] = {[\hat{τ} [k], \hat{θ} [k], \hat{f} [k]]}^{T}$ at epoch k as follows:

$ε_{η} [k] = [\begin{matrix} ε_{τ} [k] \\ ε_{θ} [k] \\ ε_{f} [k] \end{matrix}] ≜ η_{a} [k] - \hat{η} [k] = [\begin{matrix} τ_{a} [k] - \hat{τ} [k] \\ θ_{a} [k] - \hat{θ} [k] \\ f_{a} [k] - \hat{f} [k] \end{matrix}]$ 2

including code ε_τ, phase ε_θ, and frequency ε_f nominal tracking errors. For the sake of clarity, the parameter k is omitted throughout the remainder of this article when not necessary.

2.2 Correlator Output Model

The model of the correlator output under spoofing was previously derived by Hussong et al. (2023) as a function of the relative parameters Δv. Specifically, for any $η = {[τ, θ, f]}^{T}$ , we have the following:

$Λ (η, Δ ν) = Λ_{a} (η) + Λ_{s} (η, Δ ν) + Λ_{n, a} + Λ_{n, s}$ 3

where Λ_n,a and Λ_n,s represent the random contributions of the authentic and spoofing signals at the correlator output, including both additive white Gaussian noise (AWGN) and inter-system GNSS interference. These random contributions, Λ_n,a and Λ_n,s, are modeled as two independent, circular complex Gaussian stochastic processes (also independent of η), as demonstrated by Ghizzo et al. (2025). Their properties are not further detailed in this paper but can be found in the work by Ghizzo et al. (2024).

Additionally, Λ_a and Λ_s represent the contributions of the authentic and spoofing signals at the correlator output, expressed as follows:

$\begin{matrix} Λ_{a} (η) & = & \begin{matrix} \sqrt{C_{a}} d_{k} ζ_{τ} (τ) ζ_{f} (f) e^{j θ}, & Λ_{s} (η, Δ ν) \end{matrix} \\ = & \sqrt{Δ g} Λ_{a} (η + Δ η) = \sqrt{Δ g C_{a}} d_{k} ζ_{τ} (τ + Δ τ) ζ_{f} (f + Δ f) e^{j (θ + Δ θ)} \end{matrix}$ 4

where d_k is the navigation message bit. ζ_τ and ζ_f are the code and frequency synchronization mismatch functions, given as follows:

$\begin{matrix} ζ_{τ} (τ) ≜ \int_{- B / 2}^{B / 2} G_{c} (f) e^{j 2 π f τ} d f, & ζ_{f} (f) ≜ \sin c (π f T_{i}) \end{matrix}$ 5

with G_c(f) denoting the power-normalized power spectral density (PSD) of the local replica, as defined by Betz and Kolodziejski (2009, Equation (1)), and B representing the equivalent radiofrequency front-end (RFFE) double-sided bandwidth. Owing to the shape of the synchronization mismatch functions in Equation (5), we refer to Λ_a and Λ_s as the “authentic peak” and “spoofing peak,” respectively, throughout the remainder of this paper.

Typically, GNSS receivers include at least three correlators: the early (Λ_E), prompt (Λ_P), and late (Λ_L) correlators. Under spoofing, these correlators are expressed as follows:

$\begin{matrix} Λ_{E} (η_{a} - \hat{η}, Δ ν) & = & Λ_{E} (ε_{η}, Δ ν) = Λ (ε_{η} - \frac{c_{τ}}{2} e_{1}, Δ ν) \\ = & Λ_{a} (ε_{η} - \frac{c_{τ}}{2} e_{1}) + Λ_{s} (ε_{η} - \frac{c_{τ}}{2} e_{1}, Δ ν) + Λ_{E, n, a} + Λ_{E, n, s} \\ Λ_{P} (η_{a} - \hat{η}, Δ ν) & = & Λ_{P} (ε_{η}, Δ ν) = Λ (ε_{η}, Δ ν) \\ = & \begin{matrix} Λ_{a} (ε_{η}) & + Λ_{s} (ε_{η}, Δ ν) & + Λ_{P, n, a} + Λ_{P, n, s} \end{matrix} \\ Λ_{L} (η_{a} - \hat{η}, Δ ν) & = & Λ_{L} (ε_{η}, Δ ν) = Λ (ε_{η} + \frac{c_{τ}}{2} e_{1}, Δ ν) \\ = & Λ_{a} (ε_{η} + \frac{c_{τ}}{2} e_{1}) + Λ_{s} (ε_{η} + \frac{c_{τ}}{2} e_{1}, Δ ν) + Λ_{L, n, a} + Λ_{L, n, s} \end{matrix}$ 6

where c_τ denotes the early-late delay spacing and e₁=[1,0,0]^T. The terms Λ_E,n,a, Λ_P,n,a, and Λ_L,n,a represent the authentic random contributions, whereas Λ_E,n,s, Λ_P,n,s, and Λ_L,n,a correspond to the spoofing random contributions. It is important to note that, given the definition in Equation (2), the early, prompt, and late correlators can be expressed either as a function of $\hat{η}$ or ε_η.

2.3 Classification of Spoofing Impact

Leveraging the orthogonal properties of GNSS pseudorandom noise sequences, Hussong et al. (2023) categorized the impact of spoofing on the correlator output model in Equation (3) into four spoofing-induced situations based on the relative parameters Δv : nominal, induced spoofing, induced jamming, and induced multipath. It is important to note that, although these situations are labeled similarly to other types of interference, they are in fact subcategories of spoofing impact.

2.3.1 Nominal Situation

The nominal situation serves as a reference scenario in which the spoofing impact is not considered (or is considered negligible). Thus, in this situation, both the spoofing GNSS peak and re-radiated noise are neglected, as illustrated in Figure 2(a). Under these conditions, the correlator output in Equation (3) can be expressed (for the early, prompt, and late correlators) for any $η = {[τ, θ, f]}^{T}$ as follows:

$Λ^{(N)} (η) = Λ_{a} (η) + Λ_{n, a}$ 7

FIGURE 2

Illustration of the classification of spoofing impact on correlators (a) Nominal (b) Induced jamming (c) Induced spoofing (d) Induced multipath The points Λ_E, Λ_P, and Λ_L indicate the early, prompt, and late correlators. The blue and red horizontal lines illustrate the authentic and spoofing noise floor.

FIGURE 3

Architecture of a PLL-assisted DLL tracking loop

It is worth noting that in this situation, Λ^(Ν) is independent of ∆v.

2.3.2 Spoofing-Induced Jamming Situation

In the induced-jamming situation, the receiver tracks the authentic signal, while the spoofing GNSS peak is negligible, as illustrated in Figure 2(b). In this situation, the correlator output in Equation (3) can be expressed for any $η = {[τ, θ, f]}^{T}$ as follows:

$Λ^{(J)} (η, Δ ν) = Λ_{a} (η) + Λ_{n, a} + Λ_{n, s}$ 8

The impact of the spoofer on the correlator output is primarily due to the spoofing random contribution, Λ_n,s. This situation can be likened to a jamming threat, as the name suggests, where a non-GNSS wideband signal is transmitted to the receiver.

2.3.3 Spoofing-Induced Spoofing Situation

In the induced-spoofing situation, the receiver tracks the spoofing signal while the authentic peak is negligible, as illustrated in Figure 2(c). In this situation, the correlator output in Equation(3) can be expressed for any $η = {[τ, θ, f]}^{T}$ as follows:

$Λ^{(S)} (η, Δ ν) = Λ_{s} (η, Δ ν) + Λ_{n, a} + Λ_{n, s}$ 9

This situation represents the typical spoofing case considered in the literature, where the receiver is expected to track and synchronize with the spoofing signal dynamics, η_s.

2.3.4 Spoofing-Induced Multipath Situation

In the induced-multipath scenario, both the authentic Λ_a and spoofing Λ_s peaks are included in the correlator output expression Λ^(Μ), as illustrated in Figure 2 (d). In this situation, the correlator output in Equation (3) cannot be further simplified. This scenario resembles multipath-like interference and occurs when $Δ τ < T_{c} + c_{τ} / 2$ (Hussong et al., 2023), where T_c is the chip period. However, it is important to note that the amplitude of the spoofing peak, Λ_s, can be equal to or even exceed that of the authentic peak, Λ_a.

3 PRELIMINARIES: CLOSED-LOOP MODEL OF TRACKING LOOPS

This section introduces the dynamic model of the joint DLL and PLL tracking loops. Although the behavior of tracking loops has been extensively documented in the context of phase locking in the literature (Gardner, 2005; G. Leonov et al., 2015; G. A. Leonov et al., 2015; Monteiro et al., 2009; Yang et al., 2017), the tracking loops implemented in GNSS receivers, comprising at least a DLL and a PLL with carrier-aiding, have not been explicitly modeled. To address this gap, this section presents a general closed-loop model along with the relevant properties for analyzing the system. Throughout the paper, the subscript τ denotes parameters, states, or values associated with code tracking (DLL), θ denotes those associated with phase tracking (PLL), and $ϕ \in {τ, θ}$ indicates those associated with both code and phase tracking. For illustration, this work focuses on Global Positioning System L1 coarse/acquisition signal tracking, although similar reasoning could be applied to other modulation types.

3.1 DLL Discriminator

The DLL discriminator estimates the code tracking error between the received signal and the local replica. Numerous implementations of code discriminators have been presented by Kaplan and Hegarty (2017). In this paper, we consider the non-coherent early minus late power (NEMLP), defined as follows:

$d_{τ} (η_{a} - \hat{η}, Δ ν) = \frac{1}{\hat{C} K_{τ}} ({| Λ_{E} (η_{a} - \hat{η}, Δ ν) |}^{2} - {| Λ_{L} (η_{a} - \hat{η}, Δ ν) |}^{2})$ 10

where Λ_Ε and Λ_L are the early and late correlator outputs, as defined in Equation (6), $\hat{C}$ is the received power estimate, and K_τ is the normalization factor to achieve a unity slope, as expressed by Betz and Kolodziejski (2009, Equation (38)).

3.1.1 PLL Discriminator

The PLL discriminator estimates the phase misalignment between the received signal and the local replica. Various implementations of carrier phase discriminators can be found in the literature (Kaplan & Hegarty, 2017). The implementation analyzed in this work is the arctan discriminator, defined as follows:

$d_{θ} (η_{a} - \hat{η}, Δ ν) = \arctan (\frac{ℑ {Λ_{P} (η_{a} - \hat{η}, Δ ν)}}{ℜ {Λ_{P} (η_{a} - \hat{η}, Δ ν)}})$ 11

where ℜ{·} and ℑ{·} denote the real and imaginary part operators, respectively, and Λ_P is the prompt correlator output, as defined in Equation (6). The arctan discriminator can also be expressed as follows:

$\begin{matrix} d_{θ} (η_{a} - \hat{η}, Δ ν) & = \arctan (\tan (\arg {Λ_{P} (η_{a} - \hat{η}, Δ ν)})) \\ \begin{matrix} = \arg {Λ_{P} (η_{a} - \hat{η}, Δ ν)} & (\mod π, \frac{π}{2}) \end{matrix} \end{matrix}$ 12

Here, arg{·} denotes the argument operator, and (mod·,·) represents the shifted modulo operator, defined for ∀x,p,q as follows:

$x (\mod p, q) = x + q (\mod p) - q$ 13

3.1.2 Loop Low-Pass Filter

The discriminator output d_ϕ is filtered to reduce noise without significantly impacting the dynamic tracking estimate $\hat{ϕ} \in {\hat{τ}, \hat{θ}}$ . Various implementations of low-pass filters can be found in the literature (Teunissen & Montenbruck, 2017, p. 419). For the implementation considered in this work, as defined by Stephens and Thomas (1995), the filter output $\hat{δ ϕ}$ is expressed in the z-transform domain as follows:

$\begin{matrix} \hat{δ ϕ} (z) & = & F_{ϕ} (z) D_{ϕ} (η_{a} (z) - \hat{η} (z), Δ ν (z)) \\ with F_{ϕ} (z) & = & \frac{1}{{(1 - z^{- 1})}^{N_{ϕ} - 1}} {\sum κ_{ϕ, n}}_{n = 0}^{N_{ϕ} - 1} T_{i}^{N_{ϕ} - 1 - n} | {(1 - z^{- 1})}^{n} \end{matrix}$ 14

Here, z is the z-transform variable, D_ϕ is the z-transform of the discriminator output d_ϕ, and F_ϕ is the low-pass filter transfer function. ${(κ_{ϕ, n})}_{n \in ⟦ 0; N_{ϕ} - 1 ⟧}$ represents the filter coefficients, as computed by Stephens and Thomas (1995), and N_ϕ denotes the loop order. Similarly, the low-pass filter output can be expressed in the time domain as a function of its input d_ϕ:

$δ^{(N_{ϕ} - 1)} \hat{δ ϕ} [k] = \sum_{n = 0}^{N_{ϕ} - 1} κ_{ϕ, n} δ^{(n)} d_{ϕ} (η_{a} [k] - \hat{η} [k], Δ ν [k])$ 15

Here, δ⁽ⁿ⁾ denotes the n-th difference (backward Euler transformation), defined for n > 0 as follows:

$T_{i}^{n} δ^{(n)} x [k] = δ^{(n - 1)} x [k] - δ^{(n - 1)} x [k - 1]$ 16

with δ⁽⁰⁾x[k]=x[k]. In the z-transform domain, the n-th difference is equivalent to multiplication by [(1−z^-1)/T_i]ⁿ. Note that $\hat{δ ϕ}$ and $δ \hat{ϕ}$ represent two distinct quantities: $\hat{δ ϕ}$ denotes the estimate of the derivative of ϕ, and $δ \hat{ϕ}$ denotes the derivative of the estimate of ϕ.

3.2 Phase Closed-Loop Model

In a digital tracking loop, the code (DLL) and carrier (PLL) phase estimates $\hat{ϕ} \in {\hat{τ}, \hat{θ}}$ are updated at each epoch k by the previously filtered discriminator output $\hat{δ ϕ}$ [k-1] (Stephens & Thomas, 1995). Moreover, considering a carrier-aiding operation (i.e., exploiting the correlation between the code τ_a and the carrier phase θ_a to mitigate most of the input dynamics in the DLL using the PLL measurements), as detailed by Kaplan and Hegarty (2017), the code and phase updates can be expressed as follows:

${\begin{matrix} \hat{τ} [k] = \hat{τ} [k - 1] + T_{i} (\hat{δ τ} [k - 1]) - β \hat{δ θ} [k - 1] & (DLL) \\ \hat{θ} [k] = \hat{θ} [k - 1] + T_{i} \hat{δ θ} [k - 1] & (PLL) \end{matrix}$ 17

with $\hat{δ τ}$ and $\hat{δ θ}$ denoting the code and phase filter outputs, as defined in Equation (14). The parameter β is the scaling factor between the code chip rate and the L-band carrier frequency, as defined by Kaplan and Hegarty (2017). By substituting Equation (14) into Equation (17), the closed-loop model can be expressed in the z-transform domain as follows:

${\begin{matrix} \hat{τ} (z) + β \hat{θ} (z) = \frac{z^{- 1}}{1 - z^{- 1}} T_{i} F_{τ} (z) D_{τ} (η_{a} (z) - \hat{η} (z), Δ ν (z)) & (D L L) \\ \hat{θ} (z) = \frac{z^{- 1}}{1 - z^{- 1}} T_{i} F_{θ} (z) D_{θ} (η_{a} (z) - \hat{η} (z), Δ ν (z)) & (P L L) \end{matrix} .$ 18

Therefore, the dynamic behavior of the tracking loops can be modeled by considering the system in Equation (18) of two difference equations, each modeling the DLL or the PLL, with the solutions being $\hat{τ}$ and $\hat{θ}$ . This system is referred to as the closed-loop model. The PLL-aiding-DLL operation induces a phase term $β \hat{θ}$ in the DLL equation. It is important to note that the solutions $\hat{τ}$ and $\hat{θ}$ are included in the discriminator outputs D_ϕ (within $\hat{η}$ ), and thus, the linearity and interdependence between the two equations are directly linked to the discriminator function, as further explained below. Moreover, in $\hat{η}$ , $\hat{f}$ and $\hat{θ}$ are related by $\hat{f} = \frac{1}{2 π} δ^{(1)} \hat{θ}$ , indicating that any dependence on the frequency $\hat{f}$ implies a dependence on the PLL.

It is worth noting that the term T_iz⁻¹/(1−z⁻¹) in Equation (18) corresponds to the NCO transfer function (integrator).

3.2.1 Frequency Closed-Loop Model

This subsection presents a model of the frequency estimate dynamic behavior, $\hat{f}$ . By substituting the definition of the frequency estimate, $\hat{f} = \frac{1}{2 π} δ^{(1)} \hat{θ}$ , into Equation (17), the frequency estimate can be expressed as follows:

$2 π \hat{f} (z) = z^{- 1} \hat{δ θ} (z) = z^{- 1} F_{θ} (z) D_{θ} (η_{a} (z) - \hat{η} (z), Δ ν (z))$ 19

It is worth noting that Equation (19) is entirely equivalent to the PLL equation in Equation (18), but explicitly shows the behavior of the frequency estimate, $\hat{f}$ .

3.2.2 Linear and Independence Properties of the Closed-Loop Model

This subsection presents the properties of linearity and independence of the closed-loop system in Equation (18). Analyzing the impact of spoofing on these properties is crucial for determining whether the assumptions made in the nominal situation hold under spoofing (e.g., signal additivity, noise properties, independence between DLL and PLL, etc.).

Loop Linearity

The closed-loop system is linear if the dependent variables $\hat{ϕ}$ and their derivatives appear linearly. Under the linearity property, the system satisfies additivity and homogeneity. Considering Equation (18) and noting the linearity of $F_{ϕ}$ (see Equation (14)), the linearity assumption is equivalent to the linearity of the DLL and PLL discriminators $d_{ϕ}$ .

Loop Independence

The DLL and PLL are considered independent if, in Equation (18), the DLL equation does not depend on $\hat{θ}$ or its derivatives and the PLL equation does not depend on $\hat{τ}$ or its derivatives. The independence property allows for the study of each loop separately. As shown in Equation (18), owing to the PLL-aiding-DLL operation, the DLL equation depends on the phase $\hat{θ}$ and, consequently, on the PLL (as intended). Beyond the PLL-aiding-DLL coupling, any undesired dependence between the two loops is reflected in the dependence of their discriminators d_θ and d_τ.

4 RESOLUTION STRATEGY

The dynamic behavior of the tracking loops under spoofing can be expressed by computing the solution $\hat{η}$ of the closed-loop model in Equation (18). In the nominal situation, the system can be solved analytically or analyzed through its linear approximation with the use of transfer function analysis tools (Gardner, 2005, p. 97); however, the presence of spoofing may disturb the discriminators, thereby affecting the linearity and interdependence properties of the loops (see Section 3.2.2). Consequently, solving the closed-loop model system in Equation (18) becomes very challenging because of the nonlinearity and loop interdependence. Additionally, the high order of the loops (typically three for PLL) makes analytical solutions intractable (G. A. Leonov et al., 2015).

To address these challenges, we propose a transformation-based strategy to analyze the closed-loop model in Equation (18) within a stationary frame relative to the observed signal dynamics. In other words, we propose a change of variables to translate the system solution into a frame where the locked solution is stationary. This approach enables a determination of the system’s stable equilibria (SE) (i.e., potential points of convergence of the system) and facilitates an analysis of the system’s linear properties, independence, and dynamic behavior.

4.1 Equivalent Dynamic Definition

The equivalent tracked dynamic, denoted $ϕ_{eq} \in {τ_{eq}, θ_{eq}} (and η_{eq} = {[τ_{eq}, θ_{eq}, f_{eq}]}^{T})$ , represents the signal dynamic observed by the receiver when tracking the received signal, considering both signal and implementation distortion. In the presence of interference, this dynamic can differ from the authentic dynamic η_a. It is worth noting that this dynamic may not always have a physical interpretation, but provides insights into the behavior of the tracking system, accounting for any system distortions, e.g., steady-state errors, phase ambiguity, or distortion in discriminator functions.

We define the equivalent tracking errors ε_ϕ,eq as the errors between the equivalent ϕ_eq and the estimated parameters $\hat{ϕ}$ as follows:

$\begin{matrix} ε_{n, eq} ≜ η_{eq} - \hat{η} = [\begin{matrix} τ_{eq} - \hat{τ} \\ θ_{eq} - \hat{θ} \\ f_{eq} - \hat{f} \end{matrix}] = [\begin{matrix} ε_{τ, eq} \\ ε_{θ, eq} \\ ε_{f, eq} \end{matrix}] & (and ε_{ϕ, eq} ≜ ϕ_{eq} - \hat{ϕ}) \end{matrix}$ 20

Finally, we define the relative equivalent dynamic $Δ η_{eq} = {[Δ τ_{eq}, Δ θ_{eq}, Δ f_{eq}]}^{T} (and Δ ϕ_{eq} \in {Δ τ_{eq}, Δ θ_{eq}})$ as the difference between the equivalent and authentic dynamics:

$\begin{matrix} Δ η_{eq} ≜ η_{eq} - η_{a} & (and Δ ϕ_{eq} ≜ ϕ_{eq} - ϕ_{a}) \end{matrix}$ 21

4.2 Considered Frames

In this article, a frame defines the coordinate system in which the solution of the closed-loop model is expressed.

Estimate Frame: The estimate frame is the basic frame in which the solution of the closed-loop model is $\hat{η}$ . The closed-loop model is given by Equation (18).
Nominal Frame: In the nominal frame, the solution is expressed relative to the authentic dynamic η_a. The solution of the closed-loop model in the nominal frame becomes the nominal tracking error ε_η. This frame enables a determination of the nominal tracking error and quantification of the interference distortion.
Equivalent Frame: In the equivalent frame, the solution is expressed relative to the equivalent dynamic η_eq. The solution of the closed-loop model in this frame becomes the equivalent tracking error ε_η,eq. This frame enables a computation of the system’s SE and an analysis of the dynamic behavior.

It is worth noting that the closed-loop model and its solution are equivalent across the three frames. Therefore, the system can be studied in any one of the frames, and the solution can be translated depending on the desired quantity. The different frames are related by a change of coordinates through a mathematical transformation, as depicted in Figure 4. The various transformations are expressed for any $η = {[τ, θ, f]}^{T}$ as follows:

$\begin{matrix} Τ_{0 \to eq} (η) = η_{eq} - η, & T_{0 \to a} (η) = η_{a} - η, & T_{a \to eq} (η) = Δ η_{eq} \end{matrix} + η$ 22

FIGURE 4

Illustration of the closed-loop model frames and frame transformations The blue curves represent the closed-loop solution at lock in each frame, as detailed in Section 4.4.

4.3 Equivalent Closed-Loop Model

The equivalent closed-loop model (i.e., the closed-loop model expressed in the equivalent frame) is obtained by applying the transformation $T_{0 \to e q}$ to Equation (18) as follows:

${\begin{matrix} ε_{τ, eq} + β ε_{θ, eq} & = τ_{ca} - \frac{z^{- 1}}{1 - z^{- 1}} T_{i} F_{τ} (z) D_{τ} (ε_{n, eq} - Δ η_{eq}, Δ ν) & (DLL) \\ ε_{θ, eq} & = θ_{eq} - \frac{z^{- 1}}{1 - z^{- 1}} T_{i} F_{θ} (z) D_{θ} (ε_{η, eq} - Δ η_{e q}, Δ ν) & (PLL) \end{matrix}$ 23

with $τ_{c a} = τ_{e q} + β θ_{e q}$ representing the carrier-aided tracking equivalent delay. The equivalent closed-loop model in Equation (23) is equivalent to Equation (18), except that the solution is now ε_ϕ,eq. The equivalent closed-loop model can also be expressed in the time domain as follows:

${\begin{matrix} δ^{(N_{τ})} ε_{τ, eq} [k] + β δ^{(N_{τ})} ε_{θ, eq} [k] = δ^{(N_{τ})} τ_{c a} [k] - \sum_{n = 0}^{N_{τ} - 1} κ_{τ, n} δ^{(n)} d_{τ} (ε_{η, eq} [k - 1] - Δ η_{eq} [k - 1], Δ ν [k - 1]) \\ δ^{(N_{θ})} ε_{θ, eq} [k] = δ^{(N_{θ})} θ_{eq} [k] - \sum_{n = 0}^{N_{θ} - 1} κ_{θ, n} δ^{(n)} d_{θ} (ε_{η, eq} [k - 1] - Δ η_{eq} [k - 1], Δ ν [k - 1]) \end{matrix}$ 24

4.4 Locked State Definition

The locked state defines a solution of the system in which synchronization with the observed signal dynamics ϕ_eq is successfully established and maintained. In this state, the system can be considered stationary within the equivalent frame. Throughout this work, the locked state is denoted by a superscript l, such as in ${\hat{ϕ}}^{l}$ or $ε_{ϕ}^{l}$ . The locked state can be expressed as a function of the equivalent tracking error ε_ϕ,eq, satisfying the following conditions (G. A. Leonov et al., 2015):

Equilibrium Condition: The code and carrier phase errors at the locked state $ε_{ϕ, eq}^{l}$ are constant, and their digital derivatives are zero for all k ∈ ℤ:
$\begin{matrix} ε_{ϕ, eq}^{l} [k - 1] = ε_{ϕ, eq}^{l} [k] & o r & δ ε_{ϕ, eq}^{l} \end{matrix} = 0$ 25
Thus, the equilibrium condition can also be expressed for all integers n > 0 as follows:
$\begin{matrix} ε_{ϕ, eq}^{l} [k - n] = ε_{ϕ, eq}^{l} [k] & o r & δ^{(n)} \end{matrix} ε_{ϕ, eq}^{l} = 0$ 26
Stability Condition: The system can maintain the locked state after a small perturbation. This condition is related to the discriminator slope, as described by Gardner (2005, p.185), and is given by the following:
$\frac{\partial d_{ϕ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{ϕ, eq}} > 0$ 27

Furthermore, Leonov and Kuznetsov (2014) demonstrated that if the low-pass filter is both controllable and observable (as assumed from its design), only the system’s SE satisfy the locked state conditions in Equations (25), (26), and (27). This feature ensures that the filter states remain constant in the locked state, resulting in the equilibrium condition for the filter states, expressed as follows:

$\begin{matrix} \forall n \in ℕ^{*}, & δ^{(n)} d_{ϕ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) \end{matrix} = 0$ 28

where ℕ^∗ is a set of non-zero natural integers.

4.5 Derivation of the SE Condition

The system’s SE can be expressed by considering the locked state conditions given in Equations (26), (27), and (28), within the equivalent closed-loop model described by Equation (24). The resulting computation yields a system of three unknowns, $ε_{η, eq}^{l}$ , and two equations (corresponding to the DLL and PLL). To render the system solvable, a third equation is introduced, representing the phase-frequency equilibrium. Additionally, the stability condition in Equation (27) imposes three supplementary constraints. The detailed computation is presented in Appendix A and leads to the following:

${\begin{matrix} d_{τ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = k_{τ}, & d_{θ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = k_{θ}, & χ_{f} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = 0 \\ \frac{\partial d_{τ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{τ, eq}} > 0, & \frac{\partial d_{θ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{θ, eq}} > 0, & \frac{\partial χ_{f} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{f, eq}} > 0 \end{matrix}$ 29

Here, k_τ and k_θ are the steady-state errors, which remain constant over time, and are expressed as follows:

$\begin{matrix} k_{τ} = \frac{δ^{(N_{τ})} τ_{ca}}{κ_{τ, 0}}, & k_{θ} = \frac{δ^{(N_{θ})} θ_{eq}}{κ_{θ, 0}} \end{matrix}$ 30

$χ_{f}$ is a function depicting both PLL phase and frequency equilibrium, as follows:

$\begin{matrix} 2 π T_{i} χ_{f} (ε_{η}, Δ ν) = \arg {Λ_{P} (ε_{η} [k], Δ ν [k])} - \arg {Λ_{P} (ε_{η} [k - 1], Δ ν [k - 1])} & (\mod π, \frac{π}{2}) \end{matrix}$ 31

The solutions of the closed-loop model and its SE can be expressed in any reference frame (Section 4.2). Specifically, the SE can be expressed in the nominal frame by applying the transformation $T_{eq \to a} = T_{a \to eq}^{- 1}$ to Equation (31) as follows:

${\begin{matrix} d_{τ} (ε_{η}^{l}, Δ ν) = k_{τ}, & d_{θ} (ε_{η}^{l}, Δ ν) = k_{θ}, & χ_{f} (ε_{η}^{l}, Δ ν) = 0 \\ \frac{\partial d_{τ} (ε_{η}^{l}, Δ ν)}{\partial ε_{τ}} > 0, & \frac{\partial d_{θ} (ε_{η}^{l}, Δ ν)}{\partial ε_{θ}} > 0, & \frac{\partial χ_{f} (ε_{η}^{l}, Δ ν)}{\partial ε_{f}} > 0 \end{matrix}$ 32

It is worth noting that the system in Equation (32) may have multiple valid solutions, each representing a potential SE of the tracking loops, and thus a possible equivalent tracked dynamic ϕ_eq.

4.5.1 System Dynamic Behavior

The dynamic behavior of the joint DLL and PLL can be categorized in the equivalent frame into four distinct behaviors:

Perfect Lock: The equivalent tracking error ε_ϕ,eq remains constant and equal to zero, indicating that the system is perfectly locked to the observed dynamic ϕ_eq. This condition satisfies Equation (29) without any stress error (k_ϕ = 0), corresponding to the zeros of the discriminator.
Lock: The equivalent tracking error ε_ϕ,eq remains constant, but not zero. This condition indicates that the system is locked to the equivalent dynamic ϕ_eq, with a stress error k_ϕ, and satisfies the conditions in Equation (29). For small values of k_ϕ, the stress error induces a bias in the SE proportional to k_ϕ. However, once k_ϕ exceeds a certain threshold, the discriminator may not reach zero, and the system may diverge. The impact of the dynamic on loop convergence has been studied by Gardner (2005, Chapter 3).
Transient Response: The equivalent tracking error ε_ϕ,eq is not constant, but k_ϕ remains constant. Therefore, the system is not locked but is in its transient response, gradually converging to τ_ca and θ_eq.
Non-Convergent Response: The value of k_ϕ is not constant, indicating that the tracked dynamic is too fast for the system to achieve lock. It is important to note that the system is not necessarily diverging; for example, with a harmonic input, the system may not achieve lock but can still reach a steady state in which the response is also harmonic.

4.6 Summary of the Locked-State-Based Resolution Strategy

To summarize, this section has proposed a method for analyzing the closed-loop model in Equation (18) by translating the model into an equivalent, motionless frame in which the system is stationary at lock. Analysis of the system in this equivalent frame enables a determination of its SE, expressed in Equation (29), and provides insight into its dynamic behavior, as discussed in Section 4.5.1.

Specifically, the equivalent dynamic ϕ_eq is computed from the system’s SE (Equation (32)) at perfect lock (k_ϕ = 0) within the nominal frame. Subsequently, the stress error k_ϕ, as defined in Equation (30), indicates whether the system converges (Section 4.5.1). For a convergent system, the equivalent tracking error can be further analyzed to determine whether the system is in lock or in a transient response state.

5 CLOSED-LOOP MODEL UNDER SPOOFING: DETERMINISTIC ANALYSIS

This section presents a characterization of the deterministic dynamic behavior of the closed-loop model under spoofing. The system is analyzed for each spoofing-induced scenario outlined in Section 2.3, following the strategy described in Section 4. Specifically, the section details the system’s SE (Section 4.5) along with the linear and interdependence properties of the loops (Section 3.2.2). The analysis of these properties is independent of the system’s stochastic nature. Therefore, in this section, the system is assumed to be deterministic, and the random contributions of the correlator output model in Equation (6) are disregarded. The stochastic closed-loop model is studied in Section 6, building upon the results derived in this section.

It is worth noting that the discriminators d_ϕ appear in both the SE expression (Section 4.5) and the loop properties (Section 3.2.2). Therefore, the DLL and PLL discriminators are explicitly expressed for each spoofing-induced scenario. Finally, the PLL differential function $χ_{f}$ is computed under the assumption that the variation in both the authentic and spoofed code delay and frequency over T_i is negligible, as follows:

$\begin{matrix} δ^{(1)} τ_{a} [k] \approx 0 & δ^{(1)} f_{a} [k] \approx 0 & δ^{(1)} θ_{a} [k] \approx 2 π T_{i} f_{a} [k] & δ^{(1)} C_{a} [k] \approx 0 \\ δ^{(1)} τ_{s} [k] \approx 0 & δ^{(1)} f_{s} [k] \approx 0 & δ^{(1)} θ_{s} [k] \approx 2 π T_{i} f_{s} [k] & δ^{(1)} C_{s} [k] \approx 0 \\ δ^{(1)} Δ τ [k] \approx 0 & δ^{(1)} Δ f [k] \approx 0 & δ^{(1)} Δ θ [k] \approx 2 π T_{i} Δ f [k] & δ^{(1)} Δ g [k] \approx 0 \end{matrix}$ 33

5.1 Nominal Situation

First, the tracking loops are analyzed in the nominal situation as a reference. In this nominal situation, neglecting the noise contribution, the correlator outputs in Equation (6) can be simplified as follows:

$Λ_{E}^{(N)} (ε_{η}) = Λ_{a} (ε_{η} - \frac{c_{τ}}{2} e_{1}), Λ_{P}^{(N)} (ε_{η}) = Λ_{a} (ε_{η}), Λ_{L}^{(N)} (ε_{η}) = Λ_{a} (ε_{η} + \frac{c_{τ}}{2} e_{1})$ 34

5.1.1 DLL Discriminator

The output of the DLL discriminator can be expressed by substituting Equation (34) into Equation (10) as follows:

$d_{τ}^{(N)} (ε_{η}) = \frac{C_{a}}{\hat{C} K_{τ}} ζ_{f} {(ε_{f})}^{2} Z_{τ} (ε_{τ})$ 35 where:

$Z_{τ} (ε_{τ}) ≜ ζ_{τ} {(ε_{τ} - \frac{c_{τ}}{2})}^{2} - ζ_{τ} {(ε_{τ} + \frac{c_{τ}}{2})}^{2}$ 36

The discriminator depends on both ε_τ and ε_f. However, the discriminator can be factorized into separate terms involving ε_τ and ε_f. For small values of ε_f, the term ζ_f(ε_f)² acts as an attenuation factor and does not affect the zero of the discriminator, which is determined by Z_τ. The discriminator d_τ is plotted in Figure 5(a) for an infinite RFFE bandwidth and a bandwidth of 8 MHz, illustrating a linear region as a function of ε_τ, spanning the range $[- c_{τ} / 2, c_{τ} / 2]$ around the zero at ε_τ = 0.

FIGURE 5

DLL and PLL discriminators in the nominal situation (c_τ= 0.1 chip and T_i = 20 ms) (a) DLL discriminator (b) PLL discriminator (c) PLL differential function The blue line represents the DLL discriminator for a finite RFFE bandwidth, whereas the PLL discriminator remains independent of the RFFE bandwidth.

5.1.2 PLL Discriminator

The output of the PLL discriminator can be expressed by substituting Equation (34) into Equation (11) as follows:

$\begin{matrix} d_{θ}^{(N)} (ε_{η}) = \arg {Λ_{a} (ε_{η})} & (\mod π, \frac{π}{2}) = ε_{θ} & (\mod π, \frac{π}{2}) \end{matrix}$ 37

The discriminator, shown in Figure 5(b), depends solely on ε_θ and exhibits linear behavior within the range $[- π / 2, π / 2]$ around ε_θ = 0, with a periodicity of π.

5.1.3 PLL Differential Function

The function $χ_{f}$ can be expressed by substituting Equation (34) for epochs k and $k - 1$ into Equation (31), while considering the approximation in Equation (33), as follows:

$χ_{f}^{(N)} (ε_{η}) = \frac{1}{2 π T_{i}} (ε_{θ} [k] - ε_{θ} [k - 1] (\mod π, \frac{π}{2})) \approx ε_{f} (\mod \frac{1}{2 T_{i}}, \frac{1}{4 T_{i}})$ 38

The function $χ_{f}$ , shown in Figure 5(c), depends solely on ε_f and exhibits zeros at ε_f = 0, with a periodicity of 1/(2T_i).

5.1.4 System SE

The system SE in the nominal situation can be expressed by substituting Equations (35), (37), and (38) into Equation (32) $(k_{ϕ} = 0)$ , as follows:

$\begin{matrix} ε_{τ}^{l (N)} = 0, & ε_{f}^{l (N)} = \frac{p^{'}}{2 T_{i}}, & ε_{θ}^{l (N)} = p π, \forall p, p^{'} \in ℤ \end{matrix}$ 39

Consequently, in the nominal situation, the system exhibits multiple SE points, highlighting the presence of multiple phase and frequency SE (and thus multiple potential tracked dynamics, ϕ_eq) in addition to the authentic dynamic, ϕ_a. These multiple phase and frequency SE, represented by p and $P^{'}$ , arise from the π-ambiguity of the PLL discriminator and can result in cycle slips in the phase measurement. The effect of periodicity on phase tracking has been extensively analyzed in the literature, e.g., as in the work by Gardner (2005).

5.1.5 System Linearity and Independence

The analysis of the DLL and PLL discriminators reveals their linearity for low-frequency errors ε_f. The loop system then exhibits linear properties in the nominal situation (Section 3.2.2). Additionally, the two loops are independent at lock (i.e., their SE are independent, as depicted in Equation (39)). During their transient response, the DLL depends only on the phase error, which is influenced by the PLL-aiding-DLL operation (with the DLL discriminator independent of ε_f and ε_θ).

5.1.6 System Dynamic Response

The dynamic response of the tracking loops can be studied with respect to the equivalent tracked dynamic ϕ_eq, following the classification presented in Section 4.5.1. If the stress error k_ϕ, defined as a function of ϕ_eq in Equation (30), is constant, the loops are able to converge (for small values of k_ϕ):

If ε_ϕ,eq is constant, the system has achieved lock and is biased by $d_{ϕ}^{- 1} (k_{ϕ})$ . Assuming a carrier-aiding operation, the dynamic that drives k_τ is $δ^{(N_{τ})} τ_{c a} = δ^{(N_{τ})} τ_{a} + β δ^{(N_{τ})} θ_{a} \approx 0$ . Therefore, the carrier-aiding operation cancels almost all authentic dynamic effects on the DLL.
Otherwise, the system is in its transient response. As the system exhibits linear properties, the closed-loop model can be approximated by a linear dynamic system, and its transient response can be analyzed via transfer function analysis tools, as presented, for example, by Gardner (2005, p. 114).

5.2 Spoofing-Induced Jamming Situation

As shown in Section 2.3, the spoofer’s impact on the correlator output in the induced-jamming situation is primarily limited to the retransmitted noise. Therefore, disregarding the noise contribution, the correlator output under the induced-jamming situation is identical to that of the nominal situation. As a result, the loop discriminators, along with their linear and independence properties, SE, and dynamic behavior, are equivalent to those in the nominal situation, as presented in Section 5.1.

5.3 Spoofing-Induced Spoofing Situation

In the induced-spoofing situation, disregarding the noise contribution, the early, prompt, and late correlator outputs in Equation (6) can be simplified as follows:

$\begin{matrix} Λ_{E}^{(s)} (ε_{η}, Δ ν) & = & Λ_{s} (ε_{η} - \frac{c_{τ}}{2} e_{1}, Δ ν), \\ Λ_{P}^{(s)} (ε_{η}, Δ ν) & = & Λ_{s} (ε_{η}, Δ ν), \\ Λ_{L}^{(s)} (ε_{η}, Δ ν) & = & Λ_{s} (ε_{η} + \frac{c_{τ}}{2} e_{1}, Δ ν) \end{matrix}$ 40

As shown in Equation (4), the spoofing peak ∧_s retains the same shape as the authentic peak ∧_a, but is shifted by Δη and amplified by $\sqrt{Δ g}$ . The discriminator outputs d_τ, d_θ, and $χ_{f}$ can be computed through straightforward calculations, yielding results similar to those in Section 5.1, but shifted by Δη. Specifically, the system under the induced-spoofing situation can thus be expressed as follows:

$\begin{matrix} ε_{τ}^{l (s)} = - Δ τ, & ε_{f}^{l (s)} = - Δ f + \frac{P^{'}}{2 T_{i}}, & ε_{θ}^{l (s)} = - Δ θ + P π, & \forall P, P^{'} \in ℤ \end{matrix}$ 41

The dynamic behavior of the loop is then very similar to that of the nominal situation, except that the tracked dynamic ϕ_eq corresponds to the spoofing dynamic ϕ_s (plus any potential PLL ambiguity). Finally, the spoofing signal does not affect the linearity or independence of the loops. Therefore, for small equivalent tracking errors, the linear approximation remains valid.

5.4 Spoofing-Induced Multipath Situation

In the induced-multipath situation, disregarding the noise contribution, the early, prompt, and late correlator outputs in Equation (6) can be simplified as follows:

$\begin{matrix} Λ_{E}^{(M)} (ε_{η}, Δ ν) & = & Λ_{a} (ε_{η} - \frac{c_{τ}}{2} e_{1}) + Λ_{s} (ε_{η} - \frac{c_{τ}}{2} e_{1}, Δ ν) \\ Λ_{P}^{(M)} (ε_{η}, Δ ν) & = & Λ_{a} (ε_{η}) + Λ_{s} (ε_{η}, Δ ν) \\ Λ_{l}^{(M)} (ε_{η}, Δ ν) & = & Λ_{a} (ε_{η} + \frac{c_{τ}}{2} e_{1}) + Λ_{s} (ε_{η} + \frac{c_{τ}}{2} e_{1}, Δ ν) \end{matrix}$ 42

5.4.1 DLL Discriminator

The DLL discriminator output in the induced-multipath situation can be obtained by substituting Equation (42) into Equation (10):

$d_{τ}^{(M)} (ε_{η}, Δ ν) = \frac{C_{a}}{\hat{C} K_{τ}} (ζ_{f} {(ε_{f})}^{2} Z_{τ} (ε_{τ}) + Δ g ζ_{f} {(ε_{f} + Δ f)}^{2} Z_{τ} (ε_{τ} + Δ τ) + 2 \sqrt{Δ g} \cos (Δ θ) ζ_{f} (ε_{f}) ζ_{f} (ε_{f} + Δ f) Z_{Δ τ} (ε_{τ}))$ 43

with Z_τ as defined in Equation (36) and:

$Z_{Δ τ} (ε_{τ}) ≜ ζ_{τ} (ε_{τ} - \frac{c_{τ}}{2}) ζ_{τ} (ε_{τ} + Δ τ - \frac{c_{τ}}{2}) - ζ_{τ} (ε_{τ} + \frac{c_{τ}}{2}) ζ_{τ} (ε_{τ} + Δ τ + \frac{c_{τ}}{2})$ 44

The DLL discriminator output in Equation (43) depends on both ε_τ and ε_f and cannot be assumed to be linear around its zeros with respect to ε_τ, as shown in Figure 6. Notably, the discriminator is influenced by the time-varying relative parameters Δν, causing its characteristics to change over time as Δν evolves. Among these parameters, the relative phase Δθ plays a significant role, as it can undergo large variations driven by the relative frequency Δ_f (Equation (1)).

Example of the DLL discriminator outputs in the induced-multipath situation (cτ = 0.1 chip, Ti = 20 ms, Δg = 0.64, Δτ = 0.6 chip, Δf = 31 Hz, for Δθ/2π∈{0,0.25,0.5,0.75}) (a) Δθ = 0 (b) Δθ = π/2 (c) Δθ=π(d)Δθ=3π/2 Colors represent the amplitude and sign of the discriminator output, while black lines indicate its zeros.

FIGURE 6

Example of the DLL discriminator outputs in the induced-multipath situation (c_τ = 0.1 chip, T_i = 20 ms, Δg = 0.64, Δτ = 0.6 chip, Δf = 31 Hz, for $Δ θ / 2 π \in {0, 0.25, 0.5, 0.75}$ ) (a) Δθ = 0 (b) Δθ = π/2 (c) $Δ θ = π (d) Δ θ = 3 π / 2$ Colors represent the amplitude and sign of the discriminator output, while black lines indicate its zeros.

5.4.2 PLL Discriminator

In the induced-multipath situation, the prompt correlator output (Equation (42)) consists of a combination of two complex signals. The argument of this complex number is derived in Appendix B and is substituted into Equation (11), yielding the following:

$\begin{matrix} d_{θ}^{(M)} (ε_{η}, Δ ν) = ε_{θ} + \frac{Δ θ}{2} - \arctan (γ_{Δ} (ε_{τ}, ε_{f}) \tan (\frac{Δ θ}{2})) & (\mod π, \frac{π}{2}) \end{matrix}$ 45

Here, γ_Δ represents the amplitude ratio between the authentic and spoofing peaks, defined as follows:

$γ_{Δ} (ε_{τ}, ε_{f}) ≜ \frac{ζ_{τ} (ε_{τ}) ζ_{f} (ε_{f}) - \sqrt{Δ g} ζ_{τ} (ε_{τ} + Δ τ) ζ_{f} (ε_{f} + Δ f)}{ζ_{τ} (ε_{τ}) ζ_{f} (ε_{f}) + \sqrt{Δ g} ζ_{τ} (ε_{τ} + Δ τ) ζ_{f} (ε_{f} + Δ f)}$ 46

The PLL discriminator in Equation (45) depends on ε_θ, ε_τ, and ε_f. Although the discriminator remains linear with respect to ε_θ, the arctan function introduces nonlinearity with respect to ε_τ (DLL) and ε_f (PLL).

5.4.3 PLL Differential Function

By substituting the argument of Equation (42), expressed at epochs k and $k - 1$ , into Equation (31) and applying the approximation in Equation (33), we obtain the following:

$\begin{matrix} χ_{f}^{(M)} (ε_{η}, Δ ν) \approx ε_{f} + \frac{1}{2 π} Z_{f} (ε_{τ}, ε_{f}) & (\mod \frac{1}{2 T_{i}}, \frac{1}{4 T_{i}}) \end{matrix}$ 47 with:

$Z_{f} (ε_{τ}, ε_{f}) ≜ 2 π Δ f - \frac{1}{T_{i}} [\arctan (γ_{Δ} (ε_{τ}, ε_{f}) \tan (\frac{Δ θ}{2})) - \arctan (γ_{Δ} (ε_{τ}, ε_{f}) \tan (π Δ f T_{i} + \frac{Δ θ}{2}))]$ 48

Here, γ_Δ is defined as in Equation (46). The function $χ_{f}$ depends on both ε_τ and ε_f, but is independent of the phase error ε_θ (as deliberately designed during the construction of $χ_{f}$ , as shown in Appendix A).

5.4.4 System SE

The system SE can be computed by substituting Equations (43), (45), and (47) into Equation (32). In this situation, the DLL and PLL discriminators are interdependent, which makes resolving the system more challenging. Nevertheless, because both Equation (43) and Equation (47) are independent of ε_θ, the code and frequency SE can be determined independently of the phase SE, as follows:

${\begin{matrix} d_{τ} (ε_{τ}^{l (M)}, ε_{f}^{l (M)}, Δ ν) = 0 & χ_{f} (ε_{τ}^{l (M)}, ε_{f}^{l (M)}, Δ ν) = 0 \\ \frac{\partial d_{τ} (ε_{τ}^{l (M)}, ε_{f}^{l (M)}, Δ ν)}{\partial ε_{τ}} > 0, & \frac{\partial χ_{f} (ε_{τ}^{l (M)}, ε_{f}^{l (M)}, Δ ν)}{\partial ε f} > 0 \end{matrix}$ 49

The phase SE is then computed by substituting the solution of Equation (49) into Equation (45):

$\begin{matrix} ε_{θ}^{l (M)} = - \frac{Δ θ}{2} + \arctan (γ_{Δ} (ε_{τ}^{l (M)}, ε_{f}^{l (M)}) \tan (\frac{Δ θ}{2})) + p π, & \forall p \in ℤ \end{matrix}$ 50

An example of the resolution of Equation (49) is illustrated in Figure 7. The SE solution (blue points) corresponds to the intersection of the stable zeros of d_τ (black) and $χ_{f}$ (red). The figure highlights the emergence of multiple SE points and their variations with respect to the relative parameters Δν.

Example of the code and frequency SE solution for (cτ = 0.1 chip, Ti = 20 ms, Δg = 0.64, Δτ = 0.6 chip, Δf = 31 Hz, for Δθ/2π∈{0,0.25,0.5,0.75}) (a) Δθ = 0 (b) Δθ = π/2 (c) Δθ = π (d) Δθ = 3π/2 The black lines represent the zeros of dτ, and the red lines represent the zeros of ✗f as functions of ετ and εf. The solid lines indicate stable zeros, whereas the dashed lines represent unstable zeros (stability condition in Equation (27)). Finally, the blue dots represent the possible SE that satisfy Equation (49).

FIGURE 7

Example of the code and frequency SE solution for (c_τ = 0.1 chip, T_i = 20 ms, Δg = 0.64, Δτ = 0.6 chip, Δf = 31 Hz, for $Δ θ / 2 π \in {0, 0.25, 0.5, 0.75}$ ) (a) Δθ = 0 (b) Δθ = π/2 (c) Δθ = π (d) Δθ = 3π/2

The black lines represent the zeros of d_τ, and the red lines represent the zeros of ✗_f as functions of ε_τ and ε_f. The solid lines indicate stable zeros, whereas the dashed lines represent unstable zeros (stability condition in Equation (27)). Finally, the blue dots represent the possible SE that satisfy Equation (49).

In the literature, only the DLL equation of Equation (49) is considered, which is equivalent to examining the intersection of the zeros d_τ (black) at ε_f = 0 . It is worth noting that in a frequency-asynchronous case, this appoach does not allow for the computation of the correct convergence point or the consideration of all possible SE, thereby preventing the prediction of potential system bifurcations.

The solutions of Equation (49) are shown in Figures 8 and 9 for a set of Δτ, Δf, and $Δ θ \in [0, 2 π]$ . The figures illustrate the emergence of multiple SE and their variations with the relative phase Δθ. For each set of relative parameters, two primary clusters of interest are identified: one centered around the authentic dynamic (ε_η = 0) and one centered around the spoofing dynamic $(ε_{η} = - Δ η)$ . These clusters are referred to as the authentic and the spoofing SE cluster, respectively. Additionally, owing to the inherent PLL ambiguity, secondary clusters appear periodically, separated by intervals of 1/2T_i.

FIGURE 8

Code and frequency SE in the induced-multipath situation, represented in the nominal frame (c_τ = 0.1 chip, T_i = 20 ms, Δg = 0.64, Δτ = 0.6 chip) (a) Δf = 0 Hz (b)Δf = 12 Hz (c) Δf = 25 Hz (d) Δf = 31 Hz

The colors represent the value of Δθ ∈ [0, 2π], and the black crosses denote the SE of the nominal situation, as defined in Equation (39).

In particular, Figure 8(a) illustrates the frequency-synchronous situation (Δf = 0), which is commonly studied in the literature (Kim et al., 2012; Wang et al., 2023). In this case, the code SE is independent of the frequency SE, with $ε_{f}^{l} = P' / 2 T_{i}$ , and $ε_{τ}^{l}$ oscillates with Δθ within the MEE. The PLL ambiguity induces a periodicity of 25 Hz (1/2T_i) in the authentic and spoofing clusters.

Furthermore, Figure 8 shows the impact of Δf on the SE configuration for constant values of Δg = 0.64 and Δτ = 0.6 chip. When the frequency SE is no longer zero, it induces a rotation along the relative phase Δθ in the SE clusters. For $Δ f > 1 / 2 T_{i}$ (Figures 8(c) and 8(d)), additional undesired SE (which do not belong to a cluster) appear. These undesired SE do not cover the entire Δθ range, and their presence around the authentic SE cluster can pull the system toward another cluster (bifurcation).

Figure 9 depicts the impact of Δτ on the SE configuration for constant values of Δg = 0.81 and Δf =12 Hz. For low values of Δτ (Figures 9(a) and 9(b)), some discontinuities are observed in the spoofing SE cluster, resulting in undesired SE near the authentic SE cluster. These discontinuities seem to disappear for higher values of Δτ (Figures 9(c) and 9(d)).

FIGURE 9

Code and frequency SE in the induced-multipath situation, represented in the nominal frame (c_τ = 0.1 chip, T_i = 20 ms, Δg = 0.81, Δf = 12 Hz) (a) Δτ = 0.1 chip (b) Δτ = 0.2 chip (c) Δτ = 0.4 chip (d) Δτ = 0.9 chip

The colors represent the value of Δθ ∈ [0, 2π], and the black crosses denote the SE of the nominal situation, as defined in Equation (39).

5.4.5 Loop Spoofing SEE

Figure 10 shows the maximum absolute tracking error when the system is locked on the authentic cluster, referred to as the absolute spoofing SEE (SSEE), as a function of Δτ and Δf for Δg = 0.64. These results are analogous to the MEE studied for multipath interference in the literature (Van Nee, 1996) (for Δf = 0), except that they express both joint code, frequency, and phase errors ε_η and model the impact of Δf and loop interdependence. The absolute error exhibits symmetry along Δf.

Absolute SSEE (i.e., maxΔθ∈[0,2π]|εηl|=maxΔθ∈[0,2π]|Δηeq|) for Δg=0.64, cτ = 0.1 chip, and Ti = 20 ms (a) Code (b) Frequency (c) Phase

FIGURE 10

Absolute SSEE (i.e., $\max_{Δ θ \in [0, 2 π]} | ε_{η}^{l} | = \max_{Δ θ \in [0, 2 π]} | Δ η_{eq} |$ ) for Δg=0.64, c_τ = 0.1 chip, and T_i = 20 ms (a) Code (b) Frequency (c) Phase

It is worth noting that the SSEE does not represent the maximum possible error, but rather the tracking error at lock, i.e., the tracking error to which the system tries to converge. The full behavior of the system is described by the closed-loop model in Equation (18) and is analyzed further in the next section. Lastly, Figure 10 highlights the limits of the induced-multipath situation for $ε_{τ} = T_{c} + c_{τ} / 2$ , as presented by Hussong et al. (2023).

5.4.6 System Linearity and Independence

The presence of spoofing affects both the linearity and the independence of the discriminators. Both the DLL and PLL exhibit nonlinearities that affect both the transient response and the system’s SE. Consequently, the additivity of the system input can no longer be assumed, and thus, the noise or other interference cannot be considered independently. In addition, the loops exhibit interdependence in both the transient response and the SE (as shown in Figures 8 and 9), which requires that the DLL and PLL be considered jointly.

5.4.7 System Dynamic Response

The dynamic response of the tracking loops can be studied with respect to the equivalent tracked dynamic ϕ_eq, following the classification presented in Section 4.5.1. The equivalent dynamic under the induced-multipath situation is computed in Section 5.4.4 (the potential dynamics Δη_eq are depicted in Figures 8 and 9), highlighting a quasi-harmonic behavior along the variation of Δθ. This quasi-harmonic behavior induces a non-constant stress error, and thus, the loops may not converge toward their SE. Moreover, the nonlinear properties of the loops present challenges in analyzing the dynamic response.

Nevertheless, by assuming that the relative parameters Δτ, Δf, and Δg remain constant over one period of Δθ, assuming no bifurcation, and considering that the system is initially in its quasi-harmonic behavior state (i.e., no significant transient response error), the system’s behavior can be determined by computing it over one period $Δ θ \in [0, 2 π]$ for each value of Δν. Although the system’s SE is independent of the loop equivalent bandwidth B_ϕ, the quasi-harmonic behavior depends on the loop properties.

It is worth noting that this approximation does not allow modeling of system bifurcation between the different SE, but only in its quasi-harmonic state around one SE. The behavior of the system, considering bifurcation and chaotic behavior, requires solving Equation (18) numerically.

6 CLOSED-LOOP MODEL UNDER SPOOFING: STOCHASTIC ANALYSIS

This section discusses the stochastic behavior of the closed-loop model under spoofing. We remind the reader that the random contributions are Λ_n,a and Λ_n,s within the correlator output (Equation (6)). In this section, we use the system’s properties under spoofing demonstrated in Section 5 (e.g., the system’s SE, linearity, and interdependence).

6.1 Nominal, Induced-Jamming, and Induced-Spoofing Situations

In the nominal, induced-jamming, and induced-spoofing situations, the linear properties of the closed-loop model are maintained (Section 5). The additivity property of the DLL and PLL holds, and both authentic and spoofing contributions Λ_n,a and Λ_n,s can be considered independently. Therefore, the impact of authentic and re-radiated noise can be expressed using the models developed for linear tracking loops in the literature, e.g., as reported by Betz and Kolodziejski (2009).

6.2 Induced-Multipath Situation

The analysis of the tracking loops reveals their nonlinearity under induced-multipath situations (Section 5.4.6). Consequently, the additivity property of the DLL and PLL can no longer be considered (i.e., the noise does not have the same impact depending on the state vector $\hat{η}$ value). The closed-loop model in Equation (18) must be analyzed along with the noise contributions Λ_n,a and Λ_n,s, as a stochastic and nonlinear dynamic system (El Bouch et al., 2024; Gupta, 1975), with the solution being the probability density function (PDF) of the random variable $\hat{η}$ (or equivalently ε_η and $ε_{η, eq}$ in the nominal and equivalent frames).

The solution of the stochastic model can be estimated by exploiting the quasi-harmonic behavior of the system, as shown in Section 5.4.7. The solution PDF can thus be computed over one period $Δ θ \in [0, 2 π]$ for each value of Δv. The 99th percentile of the absolute possible tracking error when tracking the authentic cluster dynamic is depicted in Figure 11. These bounds are referred to as the SEE and represent more accurate error bounds than the SSEE presented in Figure 10 or SEE values reported in the literature, as they account for both noise impact and loop nonlinearity and interdependence.

Absolute SEE (99th percentile of the absolute random tracking error εη) for Δg = 0.64 and C/N0 = 55 dB.Hz (a) Code (b) Frequency (c) Phase The tracking loop parameters are set to Ti = 20 ms, cτ = 0.1 chip, Bτ= 1 Hz, and Bθ = 20 Hz.

FIGURE 11

Absolute SEE (99th percentile of the absolute random tracking error ε_η) for Δg = 0.64 and C/N₀ = 55 dB.Hz (a) Code (b) Frequency (c) Phase

The tracking loop parameters are set to T_i = 20 ms, c_τ = 0.1 chip, B_τ= 1 Hz, and B_θ = 20 Hz.

First, Figure 11(a) highlights the low-pass behavior of the DLL, which filters the input relative equivalent dynamic Δη_eq with a cut-off frequency B_τ (here, 1 Hz). Below this cut-off frequency, the error is similar to its SSEE, as presented in Figure 10(a). However, the filter reduces the tracking error at high frequencies. We observe an increase in code error at rational multiples of the Nyquist frequency (e.g., 25 Hz (T_i/2), 16.6 Hz (T_i/3), and 12.5 Hz (T_i/4)).

Figure 11(b) depicts the absolute frequency SEE. The cut-off frequency of the PLL is much higher than that of the DLL, resulting in less attenuation of phase and frequency errors. Additionally, the figures highlight regions with high-frequency errors, where the frequency error and probability of cycle slip are elevated. These regions correspond to the areas where the phase SE values are close to π/2 (or −π/2), as shown in Figure 10(c). In these regions, the correlator output approaches the limits of the arctan function interval ([−π /2, π /2]). When the phase approaches these limits, the PLL discriminator corrects the phase, inducing a jump in the frequency error and causing a phase cycle slip. These regions are observed at relatively high relative power (Δg > 0.5). It is worth noting that because of these frequent cycle slips, the phase is unavailable in these regions (Figure 11(c)).

7 SIMULATIONS

This section analyzes the dynamic behavior of tracking loops under spoofing. The theoretical models of the loops proposed in this work are evaluated and compared with the behavior of the loops in a software-defined radio (SDR) receiver. Three distinct scenarios are considered: jamming, spoofing, and multipath, corresponding to the spoofing-induced situations presented in Section 2.3. For each scenario, the code, phase, and frequency estimates are represented in both the nominal (ε_η) and equivalent (ε_η,eq) frames. We note that the frames and the transformation between them are detailed in Section 4.2.

On one hand, the theoretical model includes, for both scenarios, the system’s SE (for k_ϕ = 0), as defined in Equation (32), and the numerical solution of the deterministic (noise-free) closed-loop model in Equation (18). Additionally, in the multipath scenario, the theoretical SEE, as presented in Figure 11, is plotted.

On the other hand, the simulation results depict the code, frequency, and phase tracking errors of SDR tracking loops from our own implementation. The architecture of the SDR shapes the model presented in this work and is detailed in Appendix C. The parameters of the loops for both the simulation and the model are presented in Table 1.

View this table:

TABLE 1

Simulation Parameters

The dynamics of the authentic signal η_a are generated similarly for each scenario to simulate realistic high dynamics without authentic stress error $(δ η_{a}^{(3)} = 0)$ . The dynamics of the spoofing signal η_s are generated based on scenario-specific conditions outlined by Hussong et al. (2023). Detailed expressions for η_a and Δη are presented in Appendix D.

7.1 Jamming Scenario

The results of the jamming scenario are presented in Figure 12. The relative parameters Δη (shown in red) are generated according to Equation (67), and the initial state vector is set to $\hat{η} [0] = η_{a} [0] - {[3.0 \times 10^{- 3}, 0, 0]}^{T}$ (chirp, rad, Hz). In this scenario, the theoretical equivalent dynamic is η_a, making the equivalent and nominal frames identical. Therefore, only one tracking error is represented.

FIGURE 12

Nominal tracking error ε_η in the jamming scenario (a) Code (chip) (b) Frequency (Hz) (c) Phase (rad)

As shown in Figure 12, the deterministic model (black) exhibits a short transient response for t < 2 s. This transient response is obscured by noise in the SDR errors (blue). For t > 2 s, the deterministic model achieves lock and matches the theoretical SE (yellow). Additionally, no stress error is observed, as $(δ ϕ_{a}^{(3)} = 0)$ (see Section 4.5.1).

The theoretical noise variance can be derived by considering the additivity property of the tracking loops (Section 6.1). The authentic and re-radiated noise have PSDs of N₀ and ΔgN₀, respectively. Substituting these PSDs into the equation of Betz and Kolodziejski (2009, Equation (13)), we obtain standard deviations of $1.2 \times 10^{- 3}$ and $1.0 \times 10^{- 3}$ chip, yielding a total standard deviation of $1.6 \times 10^{- 3}$ chip. This value closely matches the code standard deviation of $1.7 \times 10^{- 3}$ chip measured for Figure 12(a). A similar observation can be made for the PLL.

7.2 Spoofing Scenario

The results of the spoofing scenario are presented in Figures 13 (nominal frame) and 14 (equivalent frame). In this scenario, the theoretical equivalent dynamic is η_s. The generated relative dynamic Δη (shown in red) is identical to that of the jamming scenario, and the initial state vector is set to the spoofing dynamic $\hat{η} [0] = η_{s} [0] - {[3.0 \times 10^{- 3}, 0, 0]}^{T}$ (chirp, rad, Hz). Figures 13 and 14 both show the convergence of the system toward the spoofing dynamic η_s after its transient response (t > 2 s). The system’s SE (yellow) matches the predicted $ε_{η}^{ι}$ expressed in Equation (41), which is also equal to $- Δ η_{eq} = - Δ η$ .

FIGURE 13

Nominal tracking error ε_η in the spoofing scenario (a) Code (chip) (b) Frequency (Hz) (c) Phase (rad)

The expression of the system state in the equivalent frame allows for an analysis of the transient response, stress error, and noise impact. First, the transient response (t < 2 s) is similar to that in the jamming scenario (see Figure 12), as the tracking loops retain the same linear characteristics, albeit with different initial values $\hat{η} [0]$ . Furthermore, the tracking errors $ε_{η, eq}$ are null at lock, demonstrating the absence of stress error and achieving a perfect lock.

Finally, the theoretical code standard deviation induced by the noise of the authentic and re-radiated signals can be computed by applying the equation of

Betz and Kolodziejski (2009, Equation (13)), resulting in values of $1.5 \times 10^{- 3}$ and $1.2 \times 10^{- 3}$ chip, respectively, equivalent to a total standard deviation of $1.9 \times 10^{- 3}$ chip. This matches the measured standard deviation of $2.0 \times 10^{- 3}$ chip shown in Figure 14(a).

FIGURE 14

Equivalent tracking error ε_η,eq in the spoofing scenario (a) Code (chip) (b) Frequency (Hz) (c) Phase (rad)

7.3 Multipath Scenario

The results of the multipath scenario are plotted in Figures 15 (nominal frame) and 16 (equivalent frame). The relative dynamic Δη (shown in red in Figure 15) is generated according to Equation (68), with a relative frequency Δf ranging from 0 to −4 Hz (red axis), inducing a variation of Δθ from 0 to –8π per second. This setup enables an observation of the impact of the relative frequency Δf on the tracking loops.

FIGURE 15

Nominal tracking error ε_η in the multipath scenario (a) Code (chip) (b) Frequency (Hz) (c) Phase (rad)

The equivalent dynamic is computed from Equation (49), assuming no bifurcation (tracking of the authentic SE cluster). The relative equivalent dynamic $Δ η_{eq}$ is plotted in yellow in Figure 15. As discussed in Section 5.4.4, the relative equivalent dynamic $Δ η_{eq}$ exhibits a quasi-harmonic behavior, driven by the variation of the relative phase Δθ within the varying envelope, as shown in Figure 10.

The deterministic model and simulated dynamic response are shown in black and blue, respectively, for both the nominal and equivalent frames. The analysis of the deterministic behavior highlights two distinct cases, depending on the relative frequency Δf. (1) For low relative frequencies (| Δf | < 0.1 Hz), the system converges to its SE and achieves lock onto the spoofing-induced dynamic η_eq. The deterministic equivalent tracking error $ε_{η, eq}$ remains constant (and null), as shown in Figure 16. (2) For | Δf | > 0.1 Hz, the frequency of the oscillation of $Δ η_{eq}$ increases, and k_ϕ can no longer be considered constant. Consequently, the system cannot achieve lock and enters into a quasi-harmonic behavior. The deterministic error $ε_{η, eq}$ is the output of Δη_eq passed through the nonlinear closed-loop equivalent filter. Notably, whereas the DLL (with a cut-off frequency of 1 Hz) attenuates the signal as the oscillation frequency increases, the PLL (whose order induces resonance) amplifies the oscillations.

FIGURE 16

Equivalent tracking error ε_η,eq in the multipath scenario (a) Code (chip) (b) Frequency (Hz) (c) Phase (rad)

Analysis of the noise impact (difference between blue and black curves) highlights the non-additive and heterogeneous behavior induced by the system’s nonlinearity. Although the variance of the input AWGN is constant, the variance of the tracking error varies strongly depending on Δθ and can induce errors much larger than the deterministic bias, as shown for frequency in Figure 16(b) (mainly for low Δf ).

Finally, the proposed SEE, shown in orange in Figure 15 (representing the 1st and 99th percentiles of the stochastic tracking errors), as presented in Section 6.2, provides an accurate bound for the tracking error, considering both deterministic and random nonlinear dynamic behaviors.

8 CONCLUSION

This paper investigated the impact of spoofing on code and carrier phase tracking and proposed a transformation-based strategy to characterize the joint DLL and PLL architecture under spoofing (i.e., system’s SE, linearity, and interdependence properties, dynamic behavior, and noise impact) as a function of the relative dynamic Δη. The system’s dynamic behavior was analyzed under each spoofing-induced situation introduced by Hussong et al. (2023): induced jamming, induced spoofing, and induced multipath.

In the induced-jamming and induced-spoofing situations, the system’s SE can be expressed as Equation (39) and Equation (41), respectively. The linearity and independence properties hold, allowing the system’s dynamic behavior to be studied via linear system analysis tools (Gardner, 2005). Additionally, the noise can be considered as additive and characterized as proposed for the nominal situation described by Betz and Kolodziejski (2009).

In the induced-multipath situation, the system exhibits nonlinearities and interdependence. The system’s SE, expressed as Equation (49), highlights the emergence of multiple SE and the interdependence between code and frequency SE. These distortions induce chaotic behaviors, with potential bifurcations between SE or areas of high cycle-slip probability (Figure 11). The nonlinearity of the loops breaks the additivity and homogeneity of the AWGN, leading to strongly varying tracking error variances, which can exceed the deterministic bias (Figure 16). This paper proposes a new SEE to bound the system within its quasi-harmonic behavior while accounting for these distortions, as shown in Figure 11.

The theoretical distortions highlighted in this paper raise several important questions about their actual impact on real GNSS receivers in real-world spoofing environments. For instance, how frequently does the induced-multipath scenario occur? What are the effects of loop nonlinearity and chaotic behavior? Can the system bifurcate toward other SE, and how often does this happen? Moreover, how does receiver implementation influence these outcomes?

To address these questions, future works will delve deeper into closed-loop model analysis to characterize the probability of bifurcations between different SE and consider alternative receiver architectures and implementations, e.g., other types of discriminators, GNSS modulations, longer integration times, or systems incorporating frequency lock loops. Finally, leveraging these results would enable enhancements to existing detection and mitigation techniques by exploring practical implementations or identifying patterns in the code and phase pseudoranges.

HOW TO CITE THIS ARTICLE

Ghizzo, E., Hussong, M., Lesouple, J., Milner, C., Garcia-Pena, A., & Macabiau, C. (2025). Assessing spoofer impact on GNSS receivers: Tracking loops. NAVIGATION, 72(4). https://doi.org/10.33012/navi.724

APPENDIX

A DERIVATION OF SYSTEM SE

This appendix derives the expression for the system SE in Equation (29). First, by applying the conditions in Equations (26) and (28) to Equation (24), we obtain the following:

$\begin{matrix} κ_{0, τ}_{d τ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = δ^{(N_{τ})} τ_{ca}, & κ_{0, θ} d_{θ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = δ^{(N_{θ})} θ_{eq} \end{matrix}$ 51

In addition, the conditions in Equation (27) applied to Equation (24) add two constraints:

$\begin{matrix} \frac{\partial d_{τ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{τ, eq}} > 0, & \frac{\partial d_{θ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{θ, eq}} > 0 \end{matrix}$ 52

leading to:

${\begin{matrix} d_{τ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = \frac{δ^{(N_{τ})} τ_{c a}}{κ_{0, τ}} = k_{τ}, & d_{θ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν) = \frac{δ^{(N_{θ})} θ_{eq}}{κ_{0, θ}} = k_{θ} \\ \frac{\partial d_{τ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{τ, eq}} > 0, & \frac{\partial d_{θ} (ε_{η, eq}^{l} - Δ η_{eq}, Δ ν)}{\partial ε_{θ, eq}} > 0 \end{matrix}$ 53

This system consists of three unknowns, $ε_{η, eq}^{l}$ , and two equations (with two constraints). For the sake of clarity, let us replace $ε_{η, eq}^{l} - Δ η_{eq}$ with η To resolve Equation (53), we propose a third equation based on the state filter condition in Equation (28) for n = 1, expressed as $δ d 0 (η)$ It is worth noting that the set of solutions for this condition alone is larger than the set of solutions obtained when the system is combined with Equation (53). We propose an alternative condition function that reduces the set of solutions and is simpler to resolve, considering the following:

${\begin{matrix} δ d_{θ} (η) = d_{θ} (η [k], Δ ν [k]) - d_{θ} (η [k - 1], Δ ν [k - 1]) & = & 0 \\ d_{θ} (η, Δ ν) & = & k_{θ} \end{matrix}$ 54

By substituting the expression of d_θ from Equation (11) and denoting θ = areg ${Λ_{P} (η, Δ v)}$ (for the sake of clarity), we obtain the following:

$\begin{matrix} \arctan (\tan (θ [k])) - \arctan (\tan (θ [k - 1])) = 0, & \tan (θ [k]) = \tan (k_{θ}) \end{matrix}$ 55

Additionally, we have tan $(θ [k]) \tan (θ [k - 1]) = \tan {(k_{θ})}^{2} \geq 0 > - 1$ , which yields the following:

$\begin{matrix} \arctan (\frac{\tan (θ [k]) - \tan (θ [k - 1])}{1 + \tan (θ [k]) \tan (θ [k - 1])}) = 0, & \tan (θ [k]) = \tan (k_{θ}) \end{matrix}$ 56

As tan $(θ [k]) = \tan (k_{θ}) < \infty$ , we have following:

$\arctan (\frac{1 + \tan (θ [k]) \tan (θ [k - 1])}{1 + \tan (θ [k]) \tan (θ [k - 1])} \tan (θ [k] - θ [k - 1])) = 0$ 57

Then:

$\begin{matrix} 2 π T_{i} χ_{f} (ε_{η}, Δ ν) = θ [k] - θ [k - 1] & (\mod π, \frac{π}{2}) = 0 \end{matrix}$ 58

Therefore, by formulating the third constraint through the application of the stability condition in Equation (27) to the frequency closed-loop model in Equation (19), the system’s SE can be expressed as Equation (29).

The expressions in Equations (56) and (57) are derived from trigonometric identities:

$\forall x, y such that x y > - 1, \arctan x - arctan y = arctan (\frac{x - y}{1 + x y})$ 59

and:

$\begin{matrix} \forall a, b such that tan a tan b \neq - 1, & \tan (a - b) = \frac{\tan a - \tan b}{1 + \tan a \tan b} \end{matrix}$ 60

respectively. The conditions for both equations are satisfied because of the second equation in Equation (54): $tan (θ [k]) \tan (θ [k - 1]) = \tan {(k_{θ})}^{2} \geq 0 > - 1$ .

B DERIVATION OF A GENERALIZED HALF-ANGLE FORMULA

Let $z_{1} = ρ_{1} e^{j θ 1}$ and $z_{2} = ρ_{2} e^{j θ 2}$ be two complex numbers, where ρ₁ and ρ₂ are positive. This appendix derives the argument of the sum z = z₁ + z₂. To begin, we express z as follows:

$z = z^{'} \exp (\frac{In ρ_{1} + In ρ_{2}}{2}) \exp (j \frac{θ_{1} + θ_{2}}{2})$ 61

with z• defined as follows:

$z^{'} = \exp (Δ ρ + j Δ θ) + \exp (- Δ ρ - j Δ θ)$ 62

and $Δ ρ = (In ρ_{1} - In ρ_{2}) / 2$ and $Δ θ = (θ_{1} - θ_{2}) / 2$ . Alternatively, we have the following:

$z^{'} = 2 \cosh (Δ ρ) \cos (Δ θ) + 2 j \sinh (Δ ρ) \sin (Δ θ)$ 63

$= 2 \cosh (Δ ρ) \cos (Δ θ) (1 + j \tanh (Δ ρ) \tan Δ θ)$ 64

If cos(Δθ) = 0, z• becomes purely imaginary. In this case, the argument of z• is either π/2 or –π/2, depending on the sign of Δρ Otherwise, we have the following:

$\arg {z} = \frac{θ_{1} + θ_{2}}{2} + a tan (\frac{ρ_{1} - ρ_{2}}{ρ_{1} + ρ_{2}} \tan Δ θ)$ 65

C SIMULATOR ARCHITECTURE

The SDR tracking loops are depicted in Figure 17, incorporating a first-order digital DLL and a third-order PLL. These loops include correlators, a discriminator, a low-pass filter, and an NCO. Additionally, a carrier-aiding operation is implemented to mitigate the DLL stress error. The loops provide the estimates $\hat{η} [k]$ . The filter coefficients are computed as described by Stephens and Thomas (1995), and the initial filter state is set to zero for all scenarios.

FIGURE 17

Architecture of the implemented SDR tracking loops

The received signal is generated at the correlator output following the model in Equation (6). The input dynamics, $η_{a} [k - 1]$ and $η_{s} [k - 1]$ , are generated as described in Appendix D, while the estimate $\hat{η} [k - 1]$ is obtained from the loop output in the previous epoch. Finally, the simulator generates a combination of authentic and re-radiated Gaussian noise at the correlator outputs. The specific method used to generate the correlated noise between early, late, and prompt outputs has been detailed by Julien (2005).

D SIMULATION-GWENERATED DYNAMICS

This appendix describes the generation of the dynamics η_a and η_s. First, the authentic dynamic η_a is generated identically across all scenarios to simulate realistic high dynamics without introducing stress error $(δ η_{a}^{(3)} = 0)$ , as follows:

$\begin{matrix} τ_{a} (t) = τ_{a, 2} t^{2} + τ_{a, 1} t, & θ_{a} (t) = - β (τ_{a, 2} t^{2} + τ_{a, 1} t), & f_{a} (t) = - \frac{β}{2 π} (2 τ_{a, 2} t + τ_{a, 1}) \end{matrix}$ 66

with $τ_{a, 1} = 6.35 \times 10^{- 7}$ and $τ_{a, 2} = 1.27 \times 10^{- 10} s^{- 1}$ . The authentic noise is generated to have C/N₀ = 45dB.Hz. The relative dynamic Δη is generated based on the scenario-specific conditions outlined by Hussong et al. (2023).

Jamming and Spoofing Scenarios

In the jamming and spoofing scenarios, to exclude interference between the authentic and spoofing components, the relative parameters Δη must satisfy the condition $Δ τ > T_{c} + c_{τ} / 2$ (see work by Hussong et al., 2023). Therefore, the relative dynamic Δη is generated for t ∈ [0, 250] s as follows:

$\begin{matrix} Δ τ^{(J/S)} (t) & = & \begin{matrix} τ_{0}^{(J/S)} + τ_{1}^{(J/S)} {(t - τ^{(J/S)})}^{2}, & Δ θ^{(J/S)} (t) = - β Δ τ^{(J/S)} (t), \end{matrix} \\ Δ f^{(J/S)} (t) & = & - \frac{1}{2 π} \frac{d Δ θ^{(J/S)}}{d t} \end{matrix}$ 67

with $τ_{0}^{(J / s)} = 1.33 \times 10^{- 6}$ , $τ_{1}^{(J / s)} = 8.34 \times 10^{- 12} s^{- 1}$ , and τ^(J/S) = 125s. The relative power is generated as constant, such that ∆g(t) = 0.64. The re-radiated noise is generated with a PSD amplified equally to the GNSS signal (∆g(t) = 0.64).

Multipath Scenario

In the multipath scenario, the relative dynamic Δη is generated fort ∈ [0, 400] s to satisfy the condition $Δ τ > T_{c} + c_{τ} / 2$ (see work by Hussong et al., 2023) as follows:

$\begin{matrix} Δ τ^{(M)} (t) = τ_{0}^{(M)} + τ_{1}^{(M)} t^{4}, & Δ θ^{(M)} (t) = - β Δ τ^{(M)} (t), & Δ f^{(M)} (t) = - \frac{1}{2 π} \frac{d Δ θ^{(M)}}{d t} \end{matrix}$ 68

with $τ_{0}^{(M)} = 1.34 \times 10^{- 7}$ and $τ_{0}^{(M)} = 1.02 \times 10^{- 17} s^{- 3} .$ The relative power, as well as the relative PSD between authentic and re-radiated noise, is constant and equal to 0.64.

This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

REFERENCES

↵
Bamberg, T., Appel, M. M., & Meurer, M. (2018). Which GNSS tracking loop configuration is most robust against spoofing?Proceedings of the 31st International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2018), Miami, FL, 3587–3595. https://doi.org/10.33012/2018.15912
Google Scholar
↵
Bamberg, T., Konovaltsev, A., & Meurer, M. (2022). Developing a spoofer error envelope for tracking GNSS signals. NAVIGATION, 69(3). https://doi.org/10.33012/navi.534
Google Scholar
↵
Betz, J. W., & Kolodziejski, K. R. (2009). Generalized theory of code tracking with an early-late discriminator part II: Noncoherent processing and numerical results. IEEE Transactions on Aerospace and Electronic Systems, 45(4), 1557–1564. https://doi.org/10.1109/TAES.2009.5310317
Google Scholar
↵
Demir, M. O., Kurt, G. K., & Pusane, A. E. (2023). A pseudorange-based GPS spoofing detection using hyperbola equations. IEEE Transactions on Vehicular Technology, 72(8), 10770–10783. https://doi.org/10.1109/TVT.2023.3257228
Google Scholar
↵
El Bouch, S., Galy, J., Chaumette, E., & Vilà-Valls, J. (2024). A modified Cramér-Rao bound for discrete-time Markovian dynamic systems. Proc. of the 2024 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Seoul, Korea, Republic of Korea, 9706–9710. https://doi.org/10.1109/ICASSP48485.2024.10446252
Google Scholar
↵
Fernández-Hernández, I., Walter, T., Alexander, K., Clark, B., Châtre, E., Hegarty, C., Appel, M., & Meurer, M. (2019). Increasing international civil aviation resilience: A proposal for nomenclature, categorization and treatment of new interference threats. Proc. of the 2019 International Technical Meeting of the Institute of Navigation, Reston, VA, 389–407. https://doi.org/10.33012/2019.16699
Google Scholar
↵
Gao, Y., & Li, G. (2023). A new asynchronous traction signal spoofing algorithm for PLL-assisted DLL receiver. GPS Solutions, 27(3), 141. https://doi.org/10.1007/s10291-023-01478-6
Google Scholar
↵
Gardner, F. M. (2005). Phaselock techniques. John Wiley & Sons. https://doi.org/10.1002/0471732699
Google Scholar
↵
Ghizzo, E., Djelloul, E.-M., Lesouple, J., Milner, C., & Macabiau, C. (2025). Assessing jamming and spoofing impacts on GNSS receivers: Automatic gain control (AGC). Signal Processing, 228, 109762. https://doi.org/10.1016/j.sigpro.2024.109762
Google Scholar
↵
Ghizzo, E., Pena, A. G., Lesouple, J., Milner, C., & Macabiau, C. (2024). Assessing GNSS carrier-to-noise-density ratio estimation in the presence of meaconer interference. Proc. of the 2024 IEEE International Conference on Acoustics, Speech and Signal Processing, Seoul, Korea, Republic of, 8971–8975. https://doi.org/10.1109/ICASSP48485.2024.10448170
Google Scholar
↵
Gupta, S. C. (1975). Phase-locked loops. Proceedings of the IEEE, 63(2), 291–306. https://doi.org/10.1109/PROC.1975.9735
Google Scholar
↵
Hussong, M., Ghizzo, E., Milner, C., Garcia-Pena, A., Lesouple, J., & Macabiau, C. (2023). Impact of meaconers on aircraft GNSS receivers during approaches. Proc. of the 36th International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2023), Denver, CO, 856–880. https://doi.org/10.33012/2023.19423
Google Scholar
↵
Julien, O. (2005). Design of Galileo L1F receiver tracking loops [Doctoral dissertation, University of Calgary]. https://www.ucalgary.ca/engo_webdocs/GL/05.20227.OJulien.pdf
Google Scholar
↵
Kaplan, E. D., & Hegarty, C. (2017). Understanding GPS/GNSS: Principles and applications. Artech House. https://us.artechhouse.com/Understanding-GPSGNSS-Principles-and-Applications-Third-Edition-P1871.aspx
Google Scholar
↵
Kerns, A. J., Shepard, D. P., Bhatti, J. A., & Humphreys, T. E. (2014). Unmanned aircraft capture and control via GPS spoofing. Journal of Field Robotics, 31(4), 617–636. https://doi.org/10.1002/rob.21513
Google Scholar
↵
Kim, T.-H., Sin, C. S., & Lee, S. (2012). Analysis of effect of spoofing signal in GPS receiver. Proc. of the 2012 12th International Conference on Control, Automation and Systems, Jeju, Korea (South), 2083–2087. https://ieeexplore.ieee.org/document/6393229
Google Scholar
↵
Leonov, G., & Kuznetsov, N. (2014). Nonlinear mathematical models of phase-locked loops. stability and oscillations. Cambridge Scientific Press. https://cambridgescientificpublishers.com/product/volume-seven-nonlinear-mathematical-models-of-phase-locked-loops
Google Scholar
↵
Leonov, G., Kuznetsov, N., Yuldashev, M., & Yuldashev, R. (2015). Nonlinear dynamical model of Costas loop and an approach to the analysis of its stability in the large. Signal Processing, 108, 124–135. https://doi.org/10.1016/j.sigpro.2014.08.033
Google Scholar
↵
Leonov, G. A., Kuznetsov, N. V., Yuldashev, M. V., & Yuldashev, R. V. (2015). Hold-in, pull-in, and lock-in ranges of PLL circuits: Rigorous mathematical definitions and limitations of classical theory. IEEE Transactions on Circuits and Systems I: Regular Papers, 62(10), 2454–2464. https://doi.org/10.1109/TCSI.2015.2476295
Google Scholar
↵
Ma, C., Yang, J., Chen, J., Qu, Z., & Zhou, C. (2020). Effects of a navigation spoofing signal on a receiver loop and a UAV spoofing approach. GPS Solutions, 24(3), 76. https://doi.org/10.1007/s10291-020-00986-z
Google Scholar
↵
Monteiro, L. H., Lisboa, A., & Eisencraft, M. (2009). Route to chaos in a third-order phase-locked loop network. Signal Processing, 89(8), 1678–1682. https://doi.org/10.1016/j.sigpro.2009.03.006
Google Scholar
↵
Peng, C., Li, H., & Lu, M. (2019). Research on the responses of GNSS Tracking loop to intermediate spoofing. Proc. of the 32nd International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS+ 2019), Miami, FL, 943–952. https://doi.org/10.33012/2019.16987
Google Scholar
↵
Psiaki, M. L., & Humphreys, T. E. (2016). GNSS spoofing and detection. Proceedings of the IEEE, 104(6), 1258–1270. https://doi.org/10.1109/JPROC.2016.2526658
Google Scholar
↵
Radin, D., Swaszek, P. F., Seals, K. C., & Hartnett, R. J. (2015). GNSS spoof detection based on pseudoranges from multiple receivers. Proc. of the 2015 International Technical Meeting of the Institute of Navigation, Dana Point, CA, 657–671. https://www.ion.org/publications/abstract.cfm?articleID=12658
Google Scholar
↵
Spens, N., Lee, D.-K., Nedelkov, F., & Akos, D. (2022). Detecting GNSS jamming and spoofing on Android devices. NAVIGATION, 69(3), 537–552. https://doi.org/10.33012/navi.537
Google Scholar
↵
Spilker Jr, J. J., Axelrad, P., Parkinson, B. W., & Enge, P. (1996). Global Positioning System: Theory and applications (Vol.1). American Institute of Aeronautics; Astronautics. https://doi.org/10.2514/4.866388
Google Scholar
↵
Stenberg, N., Axell, E., Rantakokko, J., & Hendeby, G. (2020). GNSS spoofing mitigation using multiple receivers. Proc. of the 2020 IEEE/ION Position, Location and Navigation Symposium (PLANS), Portland, OR, 555–565. https://doi.org/10.1109/PLANS46316.2020.9109958
Google Scholar
↵
Stephens, S., & Thomas, J. (1995). Controlled-root formulation for digital phase-locked loops. IEEE Transactions on Aerospace and Electronic Systems, 31(1), 78–95. https://doi.org/10.1109/7.366295
Google Scholar
↵
Tao, H., Wu, H., Li, H., & Lu, M. (2019). GNSS spoofing detection based on consistency check of velocities. Chinese Journal of Electronics, 28(2), 437–444. https://doi.org/10.1049/cje.2019.01.006
Google Scholar
↵
Teunissen, P. J., & Montenbruck, O. (2017). Springer handbook of global navigation satellite systems (Vol.10) . Springer. https://doi.org/10.1007/978-3-319-42928-1
Google Scholar
↵
Van Nee, R. D. (1996). Multipath and multi-transmitter interference in spread spectrum communication and navigation systems [Doctoral dissertation, Delft University of Technology, Faculty of Electrical Engineering, Mathematics and Computer Science]. https://scispace.com/pdf/multipath-and-multi-transmitter-interference-in-spread-5fvdsmh9fo.pdf
Google Scholar
↵
Wang, Y., Kou, Y., & Huang, Z. (2023). Necessary condition for the success of synchronous GNSS spoofing. Chinese Journal of Electronics, 32(3), 438–452. https://doi.org/10.23919/cje.2021.00.307
Google Scholar
↵
Yang, R., Ling, K.-V., Poh, E.-K., & Morton, Y. (2017). Generalized GNSS signal carrier tracking: Part I—modeling and analysis. IEEE Transactions on Aerospace and Electronic Systems, 53(4), 1781–1797. https://doi.org/10.1109/TAES.2017.2673998
Google Scholar

Previous Next

In this Issue

Print
Download PDF
Article Alerts

Alerts for this Article

User Name *

Password *

Sign In to Email Alerts with your Email Address
Email *
Email Article

Email This Article

Thank you for your interest in spreading the word on NAVIGATION: Journal of the Institute of Navigation.
NOTE: We only request your email address so that the person you are recommending the page to knows that you wanted them to see it, and that it is not junk mail. We do not capture any email address.
Your Email *

Your Name *

Send To *

Enter multiple addresses on separate lines or separate them with commas.

You are going to email the following
Assessing Spoofer Impact on GNSS Receivers: Tracking Loops
Message Subject
(Your Name) has sent you a message from NAVIGATION: Journal of the Institute of Navigation

Message Body
(Your Name) thought you would like to see the NAVIGATION: Journal of the Institute of Navigation web site.

Your Personal Message
Citation Tools
Citation Tools
Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

Emile Ghizzo

Emile Ghizzo

Mathieu Hussong

Mathieu Hussong

Julien Lesouple

Julien Lesouple

Carl Milner

Carl Milner

Axel Garcia-Pena,

Axel Garcia-Pena,

and Christophe Macabiau

Christophe Macabiau

Institute of Navigation

Dec 2025 ,

72

(4)

navi.724;

DOI: 10.33012/navi.724

Citation Manager Formats

BibTeX
Bookends
EasyBib
EndNote (tagged)
EndNote 8 (xml)
Medlars
Mendeley
Papers
RefWorks Tagged
Ref Manager
RIS
Zotero

Share
Share This Article
Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

Emile Ghizzo

Emile Ghizzo

Mathieu Hussong

Mathieu Hussong

Julien Lesouple

Julien Lesouple

Carl Milner

Carl Milner

Axel Garcia-Pena,

Axel Garcia-Pena,

and Christophe Macabiau

Christophe Macabiau

Institute of Navigation

Dec 2025 ,

72

(4)

navi.724;

DOI: 10.33012/navi.724

Share This Article:
Post
Like 0
Bookmark this Article

SAVE ITEM IN SELECTED FOLDER.

User Name *

Password *

Remember my user name & password.

Jump to section

No citing articles found.

Google Scholar

Show more Regular Papers

PDF Help

Keywords

DLL, GNSS, loop interdependence, PLL, spoofing, stable equilibrium, tracking

Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

Abstract

1 INTRODUCTION

2 PRELIMINARIES: CORRELATOR OUTPUT UNDER SPOOFING

2.1 Dynamics

2.2 Correlator Output Model

2.3 Classification of Spoofing Impact

2.3.1 Nominal Situation

2.3.2 Spoofing-Induced Jamming Situation

2.3.3 Spoofing-Induced Spoofing Situation

2.3.4 Spoofing-Induced Multipath Situation

3 PRELIMINARIES: CLOSED-LOOP MODEL OF TRACKING LOOPS

3.1 DLL Discriminator

3.1.1 PLL Discriminator

3.1.2 Loop Low-Pass Filter

3.2 Phase Closed-Loop Model

3.2.1 Frequency Closed-Loop Model

3.2.2 Linear and Independence Properties of the Closed-Loop Model

Loop Linearity

Loop Independence

4 RESOLUTION STRATEGY

4.1 Equivalent Dynamic Definition

4.2 Considered Frames

4.3 Equivalent Closed-Loop Model

4.4 Locked State Definition

4.5 Derivation of the SE Condition

4.5.1 System Dynamic Behavior

4.6 Summary of the Locked-State-Based Resolution Strategy

5 CLOSED-LOOP MODEL UNDER SPOOFING: DETERMINISTIC ANALYSIS

5.1 Nominal Situation

5.1.1 DLL Discriminator

5.1.2 PLL Discriminator

5.1.3 PLL Differential Function

5.1.4 System SE

5.1.5 System Linearity and Independence

5.1.6 System Dynamic Response

5.2 Spoofing-Induced Jamming Situation

5.3 Spoofing-Induced Spoofing Situation

5.4 Spoofing-Induced Multipath Situation

5.4.1 DLL Discriminator

5.4.2 PLL Discriminator

5.4.3 PLL Differential Function

5.4.4 System SE

5.4.5 Loop Spoofing SEE

5.4.6 System Linearity and Independence

5.4.7 System Dynamic Response

6 CLOSED-LOOP MODEL UNDER SPOOFING: STOCHASTIC ANALYSIS

6.1 Nominal, Induced-Jamming, and Induced-Spoofing Situations

6.2 Induced-Multipath Situation

7 SIMULATIONS

7.1 Jamming Scenario

7.2 Spoofing Scenario

7.3 Multipath Scenario

8 CONCLUSION

HOW TO CITE THIS ARTICLE

APPENDIX

A DERIVATION OF SYSTEM SE

B DERIVATION OF A GENERALIZED HALF-ANGLE FORMULA

C SIMULATOR ARCHITECTURE

D SIMULATION-GWENERATED DYNAMICS

REFERENCES

In this Issue

NAVIGATION: Journal of the Institute of Navigation

Alerts for this Article

Email This Article

Citation Tools

Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

Citation Manager Formats

Share This Article

Assessing Spoofer Impact on GNSS Receivers: Tracking Loops

SAVE ITEM IN SELECTED FOLDER.

Jump to section

Related Articles

Cited By...

More in this TOC Section

Similar Articles

Keywords