Assessment of cryptographic approaches for a quantum-resistant Galileo OSNMA

As time goes on, quantum computing becomes more of a reality, bringing several cybersecurity challenges. Modern cryptography is based on the computational complexity of specific mathematical problems, but as new quantum-based computers appear, classical methods might not be enough to secure communications. In this paper, we analyse the state of the Galileo Open Service Navigation Message Authentication (OSNMA) to overcome these new threats. This analysis and its assessment have been performed using OSNMA documentation, reviewing the available Post Quantum Cryptography (PQC) algorithms competing in the National Institute of Standards and Technology (NIST) standardization process, and studying the possibility of its implementation in the Galileo service. The main barrier to adopting the PQC approaches is the size of both the signature and the key. The analysis shows that OSNMA is not yet prepared to face the quantum threat, and a significant change would be required. This work concludes by assessing different temporal countermeasures that can be implemented to sustain the system’s integrity in the short term.


I. INTRODUCTION
Galileo is the global navigation satellite system (GNSS) developed by the European Union (EU) to provide positioning and timing information worldwide. Galileo gives Europe sovereignty over its navigation capabilities, avoiding any dependence on the other available GNSS, namely GPS (USA), GLONASS (Russia) and BeiDou (China) (Langley et al., 2017). Galileo is the only GNSS under civil control and, in addition to its well-known Open Service (OS), public and free of charge, offers other innovative services. Regarding security, the most relevant service is the Open Service Navigation Message Authentication (OSNMA), as currently no other GNSS service offers a similar capability. OSNMA is freely accessible to all Galileo users and protects them against spoofing attacks that intend to fake the real position and time of the receiver. For this purpose, OSNMA be secure anymore. In particular, if an eventual quantum computer is built with the capability to implement these algorithms, the public key cryptosystem used in OSNMA (i.e. elliptic curves) would become vulnerable (Chen et al., 2023), putting the whole system at risk (Eledlebi et al., 2022).
All the symmetric cryptography elements relied upon would be weakened by other quantum computing algorithms, such as Grover's (Grover, 1996), which can search for preimages in asymptotically square-root time. This is, for instance, the case of MAC functions, whose underlying primitives (i.e. hash functions) could be degraded to half their current strength (Preston, 2022).
To face the threats of quantum computing, several entities are developing cryptographic algorithms resistant to quantum adversaries. The most recognized standardization process is the Post-Quantum Cryptography (PQC) competition hosted by the National Institute of Standards and Technology (NIST) (Computer Security Division, 2017a). There are also other projects addressing the transition to Quantum-Safe Cryptography (Dahmen-Lhuissier, n.d.).
According to Mosca's theorem (Mosca, 2018), to ensure the security of information systems one must take into account not only the time until quantum computers mature but also the period that updating current information systems will take. It is also important to note that today's confidentiality of information is already at risk from the "store-now, decrypt-later" strategy (Joseph et al., 2022). The development of post-quantum capabilities is essential to prevent vulnerabilities in communication networks (Lopez et al., 2022), but this transition is not trivial and raises conflicts with information systems' requirements, e.g. resource consumption, size of cryptographic data (Westerbaan, 2021), etc. The security of the new PQC algorithms has not yet been tested enough, and the changes required for their implementation can collide with current standards. Furthermore, some applications, such as timestamp digital signatures or certificates issued by Certificate Authorities (CA), should remain trustworthy for decades. However, the keys employed for these purposes risk becoming insecure within this period: e.g. the GlobalSign Root CA certificate must remain valid for 30 years, from 1/9/1998 to 28/1/2028, and there even exist TLS root certificates valid up to 2060 (Inc, 2022). The EU has evidenced that space-based solutions have reached a high level of adoption in society, and their degradation could become a threat to civil security. Even though it could seem remote, developing security strategies to address the implications of space-related risks is strategic to achieving resilience (Commision, n.d.). This research aims to provide an assessment of the options to implement PQC in Galileo's OSNMA service, setting the foundations to adopt the findings in other EU space projects.

Research questions
The present research aims to answer the following questions:
1. Is it possible to make OSNMA quantum-resistant assuming its current design?
(a) What is the maximum size available for a public key in the OSNMA message?
i. If it stands as a limitation, is over-the-air rekeying (OTAR) expendable?
(b) What is the maximum size available for tags/signatures in the OSNMA message?
2. Would it be necessary to change the design of OSNMA in a post-quantum scenario?
(a) Could it be implemented in a full public-key system (e.g. leaving out TESLA)?

Objectives
The main objective of our work is to analyse and assess the possibilities of implementing secure PQC algorithms in OSNMA, and to establish a framework for analysis and discussion for future Galileo System Builds and other projects with similar characteristics (e.g. satellite-based, low bandwidth, limited resources, etc.). We are aiming
3. In Section IV we perform an overview of the OSNMA processing logic and the PQC algorithms that are being selected for standardization, to identify the key elements that would have an impact on the transition process.
4. In Section V the system's elements are analysed, evaluating the characteristics, requisites and constraints of the OSNMA system.
5. Section VI discusses the results, leading to the assessment of how PQC could be implemented.
6. Section VII concludes the document by presenting the findings and raising open questions that could lead to future lines of research.

Galileo
Galileo, the European GNSS program, declared its Initial Services in December 2016. Since then, the performance of Galileo has been gradually improving thanks to the addition of satellites to the constellation, the evolution of the ground segment's infrastructure and the deployment of new services. Upon completion, users will benefit from its full first-class performance, reliability and coverage, providing the following services (Authority., 2021b):
• Open Service (OS): "Open and free of charge service, interoperable with its other GNSS counterparts (Gaglione et al., 2015), for positioning and timing provision" (Centre, n.d.).
• Open Service Navigation Message Authentication (OSNMA): "Free access service complementing the OS by delivering authenticated data, assuring users that the received Galileo navigation message is coming from the system itself and has not been modified".
• Public Regulated Service (PRS): "Service restricted to government-authorised users, for sensitive applications that require a high level of service continuity" (Parliament, 2011).
• High Accuracy Service (HAS): "A free access service complementing the OS by delivering high accuracy data and providing better-ranging accuracy, enabling users to achieve sub-meter level positioning accuracy" (Fernandez-Hernandez, Chamorro-Moreno, et al., 2022).
• Commercial Authenticated Service (CAS): "A service complementing the OS, providing a controlled access and authentication function to users" ("Galileo Services - EU Agency for the Space Programme", n.d.).
• Search and Rescue Service (SAR): "Europe's contribution to the international satellite-based search and rescue distress alert detection system COSPAS-SARSAT" (Zurabov et al., 1998), which enhances the coverage of the system and includes a return link.
The Galileo OS navigation message I/NAV, described in the Signal in Space (SiS) Interface Control Document (ICD) (Authority., 2021a), is broadcast through the E1 (E1-B signal) and E5b (E5b-I signal) bands, and encoded in the following format (see Figure 1):
• Pages are the basic elements of the I/NAV. There are two types of Pages, even and odd, transmitted every 2 seconds and comprising 120 bits each. The OSNMA information is transmitted only in the odd Pages of the E1-B signal, specifically using a 40-bit reserved field.
• A Sub-frame is transmitted every 30 seconds and is composed of 15 Pages. Each Sub-frame contains a complete OSNMA message.
• The full OS message is broadcast in Frames (decomposed into 24 subframes), every 720 seconds.

Galileo OSNMA
With OSNMA, Galileo provides an authentication mechanism that works not only for validating its own OS messages but also for other satellite navigation systems, like NAVSTAR GPS (Nicola et al., 2021). OSNMA is implemented by taking advantage of the 40-bit reserved field available in the OS I/NAV message, as shown in Figure 2. This cross-validation relies on a hybrid cryptosystem (i.e. using both symmetric and asymmetric cryptography).
The key generation process in TESLA (Perrig et al., 2005) consists of a chain of subkeys derived by a one-way function. These keys feed, in reverse order, a symmetric-key-based authentication function that signs the message. The signing operation in OSNMA is performed using Hash-Based Message Authentication Codes (HMAC) (Krawczyk et al., 1997), and the resulting message authentication code is truncated to obtain a short tag. The Root key (i.e. the last element derived in the chain generation, as shown in Figure 3) acts as a validation key that is securely distributed at the beginning of a chain period, signed using the elliptic curve public-key scheme (Pornin, 2013). This Root key is never used to sign messages. Rather, future keys shall be hashed, using the TESLA chain generation algorithm, until the user reaches the Root key again. This one-way mechanism prevents present keys from revealing any information that compromises future keys, allowing forward validation.
The elliptic curves used in the current OSNMA implementation are ECDSA P-256 and ECDSA P-521, and the corresponding public keys are verifiable through a Merkle Tree publicly available on the program webpage (European GNSS Supervisory Authority., 2021).

Galileo OSNMA Message
As described earlier, a complete authentication message is split among several OS Pages, taking advantage of a reserved 40-bit field. The OSNMA message is documented in its own SiS ICD (European GNSS Supervisory Authority., 2022), at both Page and Sub-frame levels (i.e. joining 15 Pages). This message would be broadcast by several satellites at the same time, but not by the whole constellation. Each Sub-frame contains two types of OSNMA information, evenly distributed throughout the Pages (as shown in Table 4):
• HKROOT: distributes the asymmetric cryptographic material needed to validate authentication information and TESLA keys.
• MACK: distributes the information needed to validate the I/NAV and the previous OSNMA messages (i.e. TESLA keys).
Therefore, even though it will not be reliable until the validation keys are broadcast 30 s later, the user retrieves almost all the information needed to authenticate the I/NAV. Every HKROOT message contains, in turn, a Data Signature Message (DSM) Block. The DSM distributes either the Root key of the TESLA chain in force (DSM-KROOT) or the elliptic curve public keys for its authentication (DSM-PKR). In the "NMA Header" (see Table 1) there are two relevant fields: "Chain ID" (CID), updated every time the TESLA chain in force changes; and "Chain and Public Key Status" (CPKS), which indicates when there is a change in any cryptographic asset.
The DSM ID field specifies which type of DSM is being broadcast. To build the complete DSM message, several DSM Blocks must be retrieved; but as the DSM Block ID parameter present in the HKROOT DSM Header is 4 bits long, all the information must fit in at most 16 DSM Blocks.
On the one hand, the DSM-PKR message, with a length of l_DP bits (for clarity, Appendix A contains a summary of the variables used in OSNMA), has two fields that are relevant to our study:
• NPKT (4 bits): specifies the New Public Key Type. Only values 1, 3 and 4 are assigned, so the 13 remaining values, marked as reserved in the ICD, could be used.
• NPK (l_NPK bits): the actual New Public Key being broadcast.
On the other hand, the DSM-KROOT message (l_DK bits) contains this information:
• HF (2 bits): Hash Function used for building the TESLA chain, which can be either SHA-256 or SHA3-256.
• MF (2 bits): MAC function used for signing the navigation information, chosen between HMAC-SHA256 and CMAC-AES.
• KS (4 bits): an integer that specifies l_K, i.e. the length of the chain Keys. Values from 9 to 15 are reserved, so they could be used later.
• TS (4 bits): an integer that specifies the size l_T of the message signatures (i.e. Tags). Values from 0 to 4, and from 10 to 15, are also reserved.
• KROOT (l_K bits): Root key of the TESLA chain in force.
• DS (l_DS bits): the Digital Signature of KROOT.
The selection of the specific algorithms and parameters applied to a message is specified using the MACLT field. This field is present in DSM-KROOT but is not documented here because of its lack of relevance to our study. The strategy specified by MACLT is known as "Authentication Data and Key Delay" (ADKD) and is finally materialized in the MACK message.

b) MACK (per subframe)
With the cryptographic elements provided by the DSM in our possession, we now have to validate the signatures of the navigation message. The information needed for this authentication process is broadcast within the MACK message. As Table 2 illustrates, MACK contains the signatures and the keys necessary to validate earlier distributed signatures, ensuring, through this delay, protection against spoofing.
The Tags section contains n_T signatures followed by some metadata. More precisely, each Tag contains the signature (i.e. HMAC) of the part of the navigation message specified either by KROOT's MACLT or by a specific ADKD value set in the Tag Info field. ADKD indicates whether ephemeris, time or other data is being authenticated, and should be coherent with MACLT. Moreover, the Tag contains a field (i.e. Data Cut-Off Point, COP) that indicates the elapsed time between the signature and the data authenticated.
Finally, the Key is the element used to generate the preceding MACK message signatures. There is usually a delay of one MACK message (i.e. 30 seconds) between the Tags and the key used to generate them. However, a special dedicated ADKD strategy can also be employed, where this offset consists of 10 subframes to allow a slow validation (i.e. after 5 minutes).
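The TESLA chain of the "Galileo OSNMA" section and the delayed-key MACK flow described just above can be modelled in a few dozen lines. The following is an added example, not code from the paper or from the Galileo programme: the chain is built by repeated hashing from a constructed seed, each subframe's tag is an HMAC-SHA256 truncated to l_T, and the key that produced a tag is disclosed one subframe later, where the receiver chains it back to KROOT before accepting the tag. The key length (128 bits), tag length (40 bits), chain length and navigation data are constructed values; the real OSNMA derivation additionally mixes GST time and the chain ID into each hash step, which is omitted here. The simulation also shows why the delay matters: a tag forged before the key is disclosed fails authentication once the genuine key arrives.

```python
import hashlib
import hmac

HF = "sha256"      # HF field: SHA-256 (the ICD also allows SHA3-256)
L_K_BYTES = 16     # assumed chain key length l_K = 128 bits (KS field)
L_T_BYTES = 5      # assumed tag length l_T = 40 bits (TS field)


def next_key(key: bytes) -> bytes:
    """One one-way step of the chain: K_{i-1} = trunc(H(K_i)).
    The real OSNMA derivation also mixes in GST time and the chain ID;
    that detail is omitted in this constructed model."""
    return hashlib.new(HF, key).digest()[:L_K_BYTES]


def derive_chain(seed: bytes, n: int) -> list:
    """Return [K_0, K_1, ..., K_n].  Generation runs from the seed K_n down
    to K_0 = KROOT; usage runs the other way, K_1 first and K_n last, so no
    disclosed key reveals the keys still to come."""
    chain = [seed]
    for _ in range(n):
        chain.append(next_key(chain[-1]))
    chain.reverse()
    return chain


def make_tag(key: bytes, nav_data: bytes) -> bytes:
    """MF field HMAC-SHA256, truncated to l_T bits as in the MACK Tags section."""
    return hmac.new(key, nav_data, HF).digest()[:L_T_BYTES]


class Receiver:
    """Starts from an authenticated KROOT (from DSM-KROOT) and processes MACK
    messages: tags are buffered until the key that produced them is disclosed
    in the next MACK, and every disclosed key is chained back to a known one."""

    def __init__(self, kroot: bytes):
        self.verified = {0: kroot}   # key index -> accepted key
        self.pending = {}            # key index -> (nav_data, tag) awaiting its key

    def accept_key(self, i: int, key: bytes) -> bool:
        last = max(self.verified)
        if i <= last:
            return False             # replayed or out-of-order disclosure
        k = key
        for _ in range(i - last):    # walk the chain back to the last accepted key
            k = next_key(k)
        ok = hmac.compare_digest(k, self.verified[last])
        if ok:
            self.verified[i] = key
        return ok

    def on_tags(self, i: int, nav_data: bytes, tag: bytes) -> None:
        """MACK i carries tags made with K_i, which is not yet known."""
        self.pending[i] = (nav_data, tag)

    def on_key(self, i: int, key: bytes) -> bool:
        """The next MACK discloses K_i: authenticate the key, then the buffered tag."""
        if not self.accept_key(i, key) or i not in self.pending:
            return False
        nav_data, tag = self.pending.pop(i)
        return hmac.compare_digest(make_tag(key, nav_data), tag)


def simulate(seed: bytes, nav_messages: list, forged_index=None) -> dict:
    """One MACK per 30 s subframe with a one-subframe key delay.  If
    forged_index is given, the tag of that subframe is replaced by a
    constructed forgery made without K_i, the situation the delayed
    disclosure is designed to detect.  Returns {subframe: authenticated}."""
    n = len(nav_messages)
    chain = derive_chain(seed, n)
    rx = Receiver(chain[0])
    results = {}
    for i in range(1, n + 1):
        nav = nav_messages[i - 1]
        tag = make_tag(chain[i], nav)
        if i == forged_index:
            tag = bytes(L_T_BYTES)   # forger does not hold K_i when the tag is sent
        rx.on_tags(i, nav, tag)
        if i > 1:
            results[i - 1] = rx.on_key(i - 1, chain[i - 1])
    results[n] = rx.on_key(n, chain[n])   # last key disclosed in the following MACK
    return results


if __name__ == "__main__":
    msgs = [b"constructed I/NAV data %d" % i for i in range(1, 5)]
    print(simulate(b"constructed seed", msgs))
    print(simulate(b"constructed seed", msgs, forged_index=3))
```

Note that accept_key walks from the newly disclosed index back to the most recently accepted one, so a receiver that missed several subframes can still re-synchronize, exactly the "following the key chain until KR" behaviour the paper describes; the only thing it refuses is a key whose index is not newer than what it already holds.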

Post-quantum cryptography
Cryptographic security relies on the computational complexity of some mathematical problems. This complexity is usually expressed as the asymptotic time that a computer requires to solve the problem as its size grows (e.g. when increasing the number of bits of a number that must be factorized). If the problem cannot be solved in polynomial time, this serves as evidence of hardness that enables its use in cryptographic algorithms. However, the classical complexity classes that characterize this hardness have always been linked to the classical computational paradigm and are not always resistant enough against the new quantum-based computers.
To face this threat, there are several mathematical problems that have so far proven to present enough complexity against classical and quantum adversaries. A secure algorithm relies on the assumption that breaking its encryption mechanism is equivalent to solving one of these hard mathematical problems. In this sense, the most relevant primitives for our study are:
• Lattice-based problems: the most prolific approach in terms of the number of proposed post-quantum algorithms (Computer Security Division, 2022), based on hardness assumptions over discrete vector spaces, e.g. the Shortest Vector Problem, Learning With Errors, etc. These problems are also in the spotlight due to their usefulness in the homomorphic encryption area (Lyubashevsky et al., n.d.).
• Hash-based problems: these stand for algorithms supported by one-way functions, so they are especially focused on digital signatures. There are constraints on the number of times the same key can be used, so in some schemes keeping track of the operations performed is mandatory. Therefore, this family is divided into two categories: stateful and stateless algorithms. The first one has been handled in a separate competition by NIST (Computer Security Division, 2018), in which XMSS (Huelsing et al., 2018) and LMS (McGrew et al., 2019) were approved as secure post-quantum algorithms. However, in contrast with some stateless proposals, the stateful approaches do not fit the performance requirements, and they have not been included in the PQC competition.
There are also promising families of problems based on multivariate polynomials (for Information Security (BSI), n.d.) and on isogenies of elliptic curves (Galbraith and Vercauteren, 2018). Still, none of these proposals have stood the test of time, and some have even failed against classical computers (Castryck and Decru, 2022).
The cryptography that implements these quantum-resistant problems is known as Post-Quantum Cryptography (PQC), and the most acknowledged PQC standardization process is the one that NIST has been developing since 2017 (Computer Security Division, 2017a). We can divide this process into two families of algorithms: Key Encapsulation Mechanisms (KEM) and Digital Signature Algorithms (DSA).
Even though they are still looking for new proposals (Computer Security Division, 2017b), some algorithms have already been selected for standardization (Computer Security Division, 2017c). In this regard, the DSA algorithms accepted by NIST are:
• CRYSTALS-Dilithium (Bai et al., 2021): together with its KEM counterpart (i.e. CRYSTALS-Kyber (Avanzi et al., 2021)), this scheme works under lattice-based hardness assumptions (Lyubashevsky, 2009).
One of the major challenges of these schemes, apart from security, is usability. Although the cryptographic management remains similar to the classic public key schemes, the size of cryptographic messages (e.g. signatures) has become larger, and it does not fit within the boundaries of most current applications.

PQC challenges
The replacement of classical cryptographic algorithms with new quantum-resistant ones is not a trivial task. Regardless of the standardization and testing process, once an algorithm proves to be reliable there is always the possibility of finding new vulnerabilities. The mathematical areas of the current proposals are too complex for wide understanding, so their audit is restricted to a few people with a strong mathematical background.
For this reason, the consensus proposes the use of hybrid approaches (Stebila et al., 2023) (i.e. combining classical and PQC schemes) and the implementation of a dynamic selection of algorithms in the protocols, coining the term "crypto agility" (Ott et al., 2019) to refer to it.
Moreover, regardless of the initiatives for avoiding implementation failures, especially those related to the choice of parameters (e.g. CIRCL (Faz-Hernández and Kwiatkowski, 2019), Open Quantum Safe ("Open Quantum Safe", n.d.), etc.), it must be taken into account that other types of issues, such as side-channel attacks ("A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography - ACM Computing Surveys", n.d.), could come up.
However, the main challenges of the transition to PQC are related to fitting the cryptographic elements into the protocols most used today. The sizes of the cryptographic elements proposed in PQC algorithms are significantly larger than the old ones (Westerbaan, 2021), and not all network protocols support them: e.g. the "Maximum Segment Size" or "Maximum Transfer Unit" fields of TCP (Celi, 2022), the fields in X.509 public key certificates (Boeyen et al., 2008), etc.
Computational resource consumption is another element to consider when PQC is implemented in a server, as it should attend to multiple clients' demands in a finite time. Some research addresses the implementation of PQC in the Internet's building blocks (Stebila and Mosca, n.d.) and in the most used secure protocols like TLS (Stebila et al., 2023) or SSH (Sikeridis et al., 2020), validating the suitability of the PQC standardized algorithms but always focusing on endowing the protocols with crypto agility through the hybridization of cryptographic controls. From the industry side, Google and Cloudflare have carried out experiments in this regard, showing that it is feasible to implement PQC in public-testing environments (Kwiatkowski and Valenta, 2019).
In the key exchange area, there are alternative approaches on the table, like Quantum Key Distribution (QKD) (), but nowadays the software transition is a priority (for Information Security (BSI), n.d.). Particularly in the establishment of security parameters when tunnelling a connection (e.g. IKEv2 on IPsec, one of the main enabling protocols for building secure architectures), there exist successful proposals for implementing PQC (Pazienza et al., 2022).

III. METHODOLOGY
This assessment requires the analysis of several technologies and documents that cover diverse areas of the OSNMA system: from the highest levels of the protocol to the roots of the cryptographic primitives. To perform our study, the following steps will be followed:
1. To develop an analysis of the relevant fields of the OSNMA message, to detect which could suffer the most impact from the implementation of PQC. For this task, we will analyse the official documentation for both OS and OSNMA, in particular the OSNMA SiS ICD (European GNSS Supervisory Authority., 2022). Aligned with the first research objective, this task allows the detection of the OSNMA message fields susceptible to holding the PQC material, answering research questions 1(a) and 1(b).
2. To review the available PQC algorithms and their characteristics. Once we have identified which algorithms have been formally tested and are widely accepted, we will analyse the technical specifications of each of them. This process allows us to get the basic information necessary to evaluate how they fit in the previously analysed OSNMA fields, covering the second research objective.
3. To relate the results of the previous analysis steps to perform an assessment and discuss the key findings that lead to conclusions about how PQC can, or cannot, be implemented within the current design of OSNMA. This covers the third objective of the present paper and provides answers to research question 2.

OSNMA characteristics
The evaluation of the different approaches available for implementing PQC in OSNMA requires a prior analysis of the authentication lifecycles, considering the constraints they could be subject to. The process for authenticating navigation messages has a different lifecycle (see Figure 5) depending on the cryptographic material considered, namely: Merkle Tree (MT), Elliptic Curve (EC), TESLA Keychain's Root key (KR), and TESLA Key (K).
At the beginning of the OSNMA project, 16 EC key pairs were generated. These keys, which in nominal conditions should never be changed, act as leaves for building the MT. In case an incident forces their revocation, there is a mechanism for notifying the clients through the SiS, using a special CPKS value.
Both the MT and the EC keys can be retrieved from the Galileo Service Centre (GSC) portal, as shown in Figure 6. While the MT must be installed manually into the receivers (i.e. navigation devices), the EC keys are also distributed through the SiS.
When the EC keys are broadcast over the air, in the DSM-PKR message, they can be validated using the previously downloaded MT information. This dissemination occurs every 6 hours, for a duration of 30 minutes. The EC keys can be in force for several years, and when they must be updated it is notified using the CPKS field. Depending on the ADKD value, a part of the navigation message is signed using HMAC (or the function specified at that moment) and the corresponding key K from the TESLA chain, as illustrated in Figure 5. The signature is truncated to fit l_T and distributed in a MACK message. This key K, used for generating the signature, is distributed in the following MACK message, that is to say, 30 s later. Finally, any K_i can be verified using another K_j authenticated before (i.e. following the key chain), up to KR. Thus, as the constraints present in OSNMA are mainly motivated by bandwidth, when analysing cryptographic changes there are two main aspects to consider: the size of the keys, and the time they stay in the SiS (i.e. periodicity, the number of messages necessary to encode all the data, etc.). Table 3 provides a summary of these elements to clarify the later discussion.

Cryptographic specifications
Depending on the desired security confidence level, among other considerations, the parameters of cryptographic primitives can be tuned. While in some cases the choice of these parameters is related to mathematical properties () or implementation techniques (Nemec et al., 2017), the last step usually moves the discussion to a trade-off between security and size.
The current system uses two different public key algorithms to sign the TESLA Root Keys, both based on elliptic curve cryptography: "ECDSA P-256/SHA-256" and "ECDSA P-521/SHA-512". The security of these algorithms relies on two NIST-selected curves (i.e. P-256 and P-521), and depending on the choice, the length of the signatures is 512 or 1056 bits, respectively. This signature is placed in the DS field of the DSM-KROOT message.
On the PQC side, all the algorithms selected by NIST, and the vast majority of those proposed, suffer from the same problem: both signature and public key sizes are larger than the classic ones. The documentation of the NIST finalists specifies their parameters according to the NIST security levels ("Request for Comments on Post-Quantum Cryptography Requirements and Evaluation Criteria", 2016). For each of the previously referenced algorithms, Table 4 shows the minimum size requirements of their least demanding specification, namely: Dilithium2 for NIST level 2 of Dilithium, Falcon-512 for Falcon level 1, and SPHINCS+-128s for the SPHINCS+ security level 1 parameter set.
On the other side, the stateful hash-based alternatives have even larger sizes, for either the signature or the public keys.
Even though this family of algorithms has been recognized by NIST as secure against quantum computers, the management complexity necessary to achieve security with them discourages their use and has led to standardizing them in an independent project (Computer Security Division, 2018). Regardless of their security level, and just for illustrative purposes, Table 5 presents the parameter combinations that achieve the shortest signatures and keys in the XMSS and LMS schemes.

Synthesis recapitulation
With Figure 7 we aim to provide the reader with a high-level view of how OSNMA operates. It describes the cryptographic relation between the most important elements of the navigation message authentication: the navigation data, the HMAC tag that authenticates this data, the TESLA key used to generate HMAC tags, the TESLA Root Key that validates the whole TESLA chain, and the Public Key used to authenticate the TESLA Root Key. A security breach in the I/NAV authentication protocol could occur at three key points:

Authentication tag
The navigation message is distributed with an authentication tag, which allows verifying that the navigation data has been generated by a genuine satellite. A vulnerability in the function used to sign the navigation data, either in its implementation or in the underlying hash function, would lead to a collision. The current implementation relies on the fact that a user will get the signed navigation message before an adversary gets the signing key, so that a spoofing attack can be detected. However, if these tags are not long enough, an exhaustive attack (i.e. sending a faked message with several tags until a collision is found) may be possible. Nor does it protect against meaconing or offline recordings.

TESLA Chain
Each authentication tag is generated by hashing navigation data with a key. This key is not distributed along with the tag but in a later message. As Figure 3 shows, a user can verify that any key is part of the current TESLA chain by applying the TESLA derivation function repeatedly until a previously known key, or the TESLA Root Key itself, is found. A vulnerability in the TESLA chain generation would imply a vulnerability of the hash function in use.

Public key cryptography
Finally, TESLA bootstrapping authenticates the Root Key using public key cryptography in two steps: 1. an elliptic curve public key authenticates the TESLA Root Key, and 2. this public key is authenticated by a Merkle tree. This implies that a failure in the public key cryptography part would break the whole authentication process. An eventual quantum or classical computing vulnerability in public key cryptography would make feasible the distribution of false public keys (i.e. if the vulnerability were found in the Merkle tree cryptography) or would give an adversary access to the elliptic curve private keys, letting them create false TESLA key chains.
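The second bootstrapping step, the Merkle Tree over the 16 EC public keys that the "OSNMA characteristics" section describes, is worth seeing concretely, because it is the hash-based part of the chain that the analysis later singles out as quantum-safe. The block below is an added example, not code from the paper or the ICD: it builds a 16-leaf tree over constructed key strings, produces the sibling path a receiver needs alongside a broadcast key, and verifies the key against a root assumed to have been installed from the GSC portal. The leaf and node encodings (SHA-256 of the key, SHA-256 of left||right) are assumptions, not the ICD's exact construction.

```python
import hashlib

LEAVES = 16   # the paper: 16 EC key pairs generated at the start of the project


def h(data: bytes) -> bytes:
    """Node hash; SHA-256 is assumed here, the ICD may specify otherwise."""
    return hashlib.sha256(data).digest()


def build_tree(leaf_keys: list) -> list:
    """Return the tree as a list of levels: levels[0] are the leaf hashes,
    levels[-1][0] is the root that a receiver installs out of band."""
    if len(leaf_keys) != LEAVES:
        raise ValueError("expected %d public keys" % LEAVES)
    levels = [[h(k) for k in leaf_keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root: the intermediate nodes that would be
    transmitted together with the public key in DSM-PKR."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling of the current node
        index //= 2
    return path


def verify_key(root: bytes, key: bytes, index: int, path: list) -> bool:
    """Recompute the root from a received key and its path; the receiver
    accepts the key only if it lands on the installed root."""
    node = h(key)
    for sibling in path:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node == root


if __name__ == "__main__":
    keys = [b"constructed EC public key %02d" % i for i in range(LEAVES)]
    tree = build_tree(keys)
    root = tree[-1][0]
    print(verify_key(root, keys[5], 5, auth_path(tree, 5)))          # True
    print(verify_key(root, b"substituted key", 5, auth_path(tree, 5)))  # False
```

Because verification is nothing but hashing, a receiver needs only the root and four sibling hashes to check any of the 16 keys, and a substituted key (or a key presented under the wrong leaf index) fails without any public-key operation, which is why the paper can treat this layer separately from the ECDSA layer when weighing the quantum threat.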

V. ANALYSIS
Even though there is still room for scientific contributions (Hosoyamada and Sasaki, 2018), the quantum algorithms available for breaking the security of symmetric key schemes do not represent a threat nowadays.Merkle Tree cryptography relies on hash-based principles, so it is also safe against quantum computers (Buchmann et al., 2008).However, elliptic curves would be deeply vulnerable against Shor's algorithm, becoming the link that would risk the whole authentication chain.If an adversary had access to a stable quantum computer with enough resources to implement Shor's algorithm he could retrieve OSNMA private keys from the public ones.There are also novel research paths approaching the algorithm's implementation over noisy equipment (Gidney and Ekerå, 2021).This would lead him to forge a navigation message that would be valid in terms of authentication, placing the users in a spoofing risk scenario.
Regarding the taxonomy proposed by Celi (Celi, 2022), the main challenge at OSNMA is the limited available bandwidth and the implications it would have if a user had to wait for a larger key or signature.Additionally, a major change in the protocol or the fields of the message would lead to leaving inoperative many critical or embedded devices that make use of OSNMA but cannot be updated easily.So any proposed upgrade has to fit with the current configuration of the SiS.
Finally, in the absence of specific requirements, the computational overload of the cryptographic operations is not a major concern for the performance of the system.The main issue in the protocols documented earlier (e.g.TLS, SSH, etc.) is the role of the servers as meeting points of several clients at the same time, but the satellites' workload does not depend on the number of receivers.
Regarding cryptographic agility, the use of new cryptographic methods raises additional risks.As it is discussed in (Fernandez-Hernandez, Hirokawa, et al., 2023), vulnerabilities due to the lack of testing or even failures in the implementation can emerge over these novel approaches.Through cryptographic agility, these risks can be mitigated.It can be accomplished by designing the systems so they can switch dynamically the set of algorithms and cryptographic primitives in use.To achieve this goal in OSNMA, the field NPKT at DSM could be used, assigning the currently free values (i.e.0, 2 and from 5 to 15) to different combinations of algorithms.
The most popular approach to achieve cryptographic agility is hybridization (i.e. combining and overlapping classic and quantum-resistant algorithms), but the key point in OSNMA is the optimization of the bandwidth. The constraint here is that any proposed algorithm must be characterized and mapped onto the currently available fields of the message. For this reason, the size of the new public keys is relevant, but the size of the TESLA Root Key signatures is even more worthy of attention.
While the public keys are rarely updated, and ultimately they can be sent by other means (e.g. over the Internet), the TESLA Root Keys are updated frequently.
As Figure 8 shows, in contrast with the classical approaches (e.g. the largest RSA size recommended by NIST is 3072 bits (Barker and Dang, 2015)), PQC keys are quite large. Weighing key and signature sizes together, the smallest PQC implementation on average is Falcon, which almost doubles the key size compared to its EC predecessors. Besides that, SPHINCS+ keys are even shorter than any other, but it has an issue with signatures. As previously exposed in Table 4, SPHINCS+ signatures are around 238 times larger than ECDSA P-264 ones, so, for clarity, they have not been included in Figure 9, where both EC and PQC signatures are shown. Regarding the signature, Falcon is again the best quantum-resistant approach in size terms, yet it is nearly 5 times bigger than ECDSA P-521. Moreover, the Falcon keys exceed the ECDSA P-521 ones by a ratio of approximately 13 to one.

VI. DISCUSSION
Considering the OSNMA design, there is the option of taking advantage of the 13 free values of the NPKT field, of the DSM-PKR message, to implement several authentication schemes. Therefore, it is unnecessary to modify the protocol to provide cryptographic agility.
A cryptographic failure could allow an adversary to take control of the users' confidence in the genuine system: even though the Merkle Tree signature ensures the authenticity of the EC keys, if these keys were broken with future quantum techniques, a new fake TESLA chain could be generated and loaded into the users' devices through the DSM-KROOT message, at least for an hour.
Besides these two general findings, two specific findings have also been obtained as explained below.

TESLA implementation drawbacks
The MACK message contains several Tags that authenticate different parts of the message and even cross-authenticate information from other GNSS systems. As the bandwidth is limited, sending more than one tag has the following drawbacks: a) it forces the truncation of the Tag, weakening the signature; and b) it limits the possibility of implementing other approaches (e.g. public-key-based signatures). In particular, as argued in Section IV.3, the possibility of setting tag lengths to 20 bits raises many concerns about the feasibility of an exhaustive search attack (i.e. brute-forcing until a valid tag for a false message is found).
Regarding quantum, the implementation of Grover's algorithm could weaken the hash algorithms, allowing the retrieval of the complete TESLA key chain from the Root Key. Nevertheless, this algorithm is not as effective against symmetric cryptography as Shor's is against the asymmetric one, so doubling the keys' length would neutralize quantum adversaries.
If the space reserved for the several tags were used for just one public key signature, it would be less versatile but more secure, and the message could be self-authenticated without depending on information from a future message. There are several fields, such as HF or MF of the DSM-KROOT message, whose existence would not be necessary if the full system were implemented using public key cryptography (i.e. without TESLA). Any change in the protocol should take this fact into account, as it would improve the use of the bandwidth.
In addition, it must be noted that the open distribution of TESLA keys makes them inappropriate for other long-term uses not related to live navigation. For instance, any process based on analyzing a signal recording (e.g. to authenticate the logs recorded in a digital tachograph) would be vulnerable to a forged signal with false navigation data.
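As an added illustration of the TESLA logic discussed in this subsection (example code written for this edit, not from the paper or from any OSNMA implementation), the snippet below builds a one-way key chain, checks that a delayed-disclosed key hashes back to the authenticated root, and truncates the MAC to a configurable tag length. It simplifies the real OSNMA key derivation (which also mixes in the GST and the chain's alpha value) to a plain SHA-256 of the previous key; the key material and navigation data are constructed sample values.

```python
import hashlib
import hmac

HASH = hashlib.sha256
KEY_LEN = 32  # 256-bit TESLA keys, the larger OSNMA key length


def build_chain(last_key: bytes, length: int) -> list[bytes]:
    """Sender side: derive K_i = H(K_{i+1}) from the last key down to the root.

    Returns [K_0 (root), K_1, ..., K_length]. Keys are disclosed in the order
    K_1, K_2, ..., so each one can be hashed back to the already-trusted root.
    Simplified: real OSNMA hashes key || GST || alpha, not the key alone.
    """
    keys = [last_key]
    for _ in range(length):
        keys.append(HASH(keys[-1]).digest()[:KEY_LEN])
    keys.reverse()  # keys[0] is now the root K_0
    return keys


def key_belongs_to_chain(root: bytes, key: bytes, index: int) -> bool:
    """Receiver side: hash the disclosed K_index forward index times; it must reach the root."""
    k = key
    for _ in range(index):
        k = HASH(k).digest()[:KEY_LEN]
    return hmac.compare_digest(k, root)


def make_tag(key: bytes, message: bytes, tag_bits: int) -> bytes:
    """HMAC over the navigation data, truncated to the leading tag_bits bits.

    A 20-bit tag leaves only 2**20 possible values, which is the weakness the
    text raises about short Tag configurations.
    """
    full = hmac.new(key, message, HASH).digest()
    nbytes = (tag_bits + 7) // 8
    tag = int.from_bytes(full[:nbytes], "big") >> (nbytes * 8 - tag_bits)
    return tag.to_bytes(nbytes, "big")


def verify_tag(root: bytes, message: bytes, tag: bytes, tag_bits: int,
               disclosed_key: bytes, index: int) -> bool:
    """Receiver side, once the key is disclosed in a later subframe:
    the key must chain to the trusted root AND reproduce the tag."""
    if not key_belongs_to_chain(root, disclosed_key, index):
        return False
    return hmac.compare_digest(make_tag(disclosed_key, message, tag_bits), tag)
```

The root K_0 is the value that, in OSNMA, arrives signed in the DSM-KROOT message; every later key is accepted only through the hash check above, which is why compromising the root signature compromises the whole chain.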

Post-quantum cryptography implementation
Given the criticism of public key cryptography in the OSNMA protocol, analysed in Section IV.3, and the presence of algorithms susceptible to being broken by quantum computers (e.g. elliptic curve), the PQC transition should be prioritised. According to the literature sosnowski˙performance˙2023, as performance should not fall, we focus on bandwidth.
The fourth round of the NIST PQC competition already covers the evaluation of KEM algorithms, so the standardisation of a new quantum-resistant digital signature algorithm is not foreseeable in the short term. Therefore, even while NIST is still considering other algorithms, the characterization documented in Section II.4 will remain valid.
Stateful hash-based algorithms are not valid for the system due to signature size reasons. It would be possible to use the XMSS configuration documented in Table 5 for the signature of the messages, as it would be just 4 times longer than the current EC signatures. However, as a stateful hash-based algorithm, its public keys must be updated frequently, and the time to transfer that GB over the air would be completely unacceptable.

Assessment conclusion
In conclusion, the most suitable algorithm to replace EC would be Falcon. However, its elements do not meet the requirements to be transmitted over the air, neither for the distribution of the public keys nor for the broadcasting of the signatures. Starting from the assumption that the 4-bit field reserved for the DSM Block ID (BID) only admits the transmission of 16 DSM Blocks, and each one is 104 bits long, we have 1664 bits available for these two use cases:
• Use case 1: transmission of New Public Keys in DSM-PKR. Discarding the 16 bits of metadata, 1632 bits are available for cryptographic material. As the Merkle Signature fills 1024 bits, 608 bits remain free for the public key (i.e. 32 bits per DSM Block). Nowadays, the Merkle Signature is the lightest quantum-resistant signature that can be implemented. Furthermore, if we dispensed with it, even though we would save 10 DSM Blocks, we would lose the possibility to authenticate the new PK. The shortest Falcon public keys take 7176 bits, so they would need 71 DSM Blocks to be transmitted.
• Use case 2: signature of the TESLA Root Key in DSM-KROOT. Using the larger TESLA keys, of 256-bit length, and discarding the 104 bits of metadata, the maximum space available for the DS field (i.e. the one that holds the TESLA Root Key signature) would be 1727 bits, 79 bits per DSM Block. As the shortest Falcon signature is 5328 bits long, 67 DSM Blocks would be necessary to cover the full authentication.
To increase the size of the PK (i.e. l_NPK), it would be necessary to increase the number of blocks that comprise the DSM-PKR, which would also affect the bits necessary to identify these blocks in the DSM Header. The same applies to the signatures of the DSM-KROOT. The only feasible solution would be to enlarge BID to 7 bits, making it possible to send DSM messages up to 13312 bits long, so that the 4 bits necessary to extend BID could be subtracted from the DSM Block itself. However, it would imply that the transmission of the complete message would last 142 s instead of 30 s; but, as this transmission is performed through the DSM message, it would not add any overhead to the authentication of the navigation data, which is transmitted through the MACK message.
In any case, the transmission of the digital signatures (i.e. DS at DSM-KROOT) must be prioritised over the public keys themselves (i.e. NPK at DSM-PKR). The TESLA digital signatures are sent very often, while the public keys do not usually change and can be updated using out-of-band channels, like the Internet. However, a full PQC approach, i.e. where the navigation message is signed using PKC instead of TESLA, would also have an impact on the MACK message, making it longer.
In conclusion, the only quantum-resistant approach feasible nowadays, without modifying the OSNMA SiS specification, is the out-of-band authentication of the message. The transmission of large signatures or public keys (i.e. those belonging to the documented PQC algorithms) could be performed through the Internet, or alternative channels, as is done at present with the Merkle tree, so that a reliable source for validating the navigation messages could exist. Receivers would perform the authentication as before, but using the new PQC schemes. Even though it could not be implemented in disconnected devices, it could open the door to mitigating cryptographic risks in the connected ones.

VII. CONCLUSION AND FUTURE WORK
In this paper, an analysis of the OSNMA authentication procedures has been developed, in order to assess how to make them quantum-resistant. To achieve it, we have analysed both the OSNMA specifications and the state of the art of post-quantum cryptography, obtaining as an indirect contribution a well-documented summary of the whole OSNMA authentication process from different perspectives. This analysis has led to findings related to weaknesses of the system, like the ones related to the TESLA implementation.
Our study reveals that the current OSNMA design, even though it has elements that could enable cryptographic agility, is not ready for implementing the PQC algorithms that are currently available. One of the most critical points is the size of the new keys and signatures, which would slow down key distribution, but not the authentication process, as it is performed using TESLA. However, the data fields available in the current system do not have enough capacity ("Shannon Capacity - an overview - ScienceDirect Topics", n.d.) to cover the number of messages necessary to broadcast these new elements. Although it could be done with some slight changes, these modifications might be highly disruptive for the current requirements of Galileo and would thus be unfeasible.
Nevertheless, until major changes can be performed in the system, there exist alternatives to mitigate the quantum risks. For instance, some of the signatures could be delivered to the receivers by an alternative channel (e.g. over the Internet). In addition, though it is not likely, taking into account the state of the standardization processes, new PQC algorithms more efficient in size terms could appear shortly.
In any case, a transition to a quantum-resistant design has to be performed. Not doing so would imply, in a few years, as stated by the National Quantum Programs (Petrenko et al., 2021), an unacceptable risk for the system and the de facto nullification of OSNMA.
This research opens the door not only to new research about PQC implementation but also to preventing some of the flaws detected in the current design:
• Any change in the PQC state of the art could provide opportunities to implement a quantum-resistant scheme following the characterization performed in our study. Furthermore, the assessment of algorithms that are not covered by the NIST competition, or that have been dismissed for reasons not related to size or security requirements, could also provide valid alternatives.
• Although the TESLA approach is a clever manner to overcome the Galileo bandwidth limitations, as has already been exposed, it introduces weaknesses in the system, and the revelation of the signing key can be a barrier for use cases where long-term authentication is necessary (e.g. when authenticated audit logs must be preserved (Baldini et al., 2018)). Therefore, the replacement by a full quantum-resistant public key system should be assessed.
• Some of the OSNMA configurations seem to be insufficient to provide robust authentication (e.g. the 20-bit Tags could be brute-forced). Research in this direction could help to clarify the level of risk that it implies.

Figure 3: TESLA high level processing logic

Figure 7: Block structure of OSNMA cryptographic elements

Figure 8: Size of the public keys (bits/algorithm). Grey columns represent PQC elements, green columns are the current elliptic curve ones.

Figure 9: Size of the signatures (bits/algorithm). Grey columns represent PQC elements, green columns are the current elliptic curve ones.

Table 4: PQC algorithms characterization