Data and signal authentication schemes are being proposed to address Global Navigation Satellite Systems' (GNSS) vulnerability to spoofing. Due to the low power of their signals, the bandwidth available for authentication in GNSS is scarce. Since delayed-disclosure protocols, e.g., TESLA (timed-efficient stream loss-tolerant authentication), are efficient in terms of bandwidth and robust to signal impairments, they have been proposed and implemented by GNSS. The length of message authentication codes (MACs) and cryptographic keys are two crucial aspects of the protocol design as they have an impact on the utilized bandwidth, and therefore on the protocol performance. We analyze both aspects in detail for GNSS-TESLA and present recommendations for efficient yet safe MAC and key lengths. We further complement this analysis by proposing possible authentication success and failure policies and quantify the reduction of the attack surface resulting from employing them. The analysis shows that in some cases it is safe to use MAC and key sizes that are smaller than those proposed in best-practice guidelines. While some of our considerations are general to delayed-disclosure lightweight protocols for data and signal authentication, we particularize them for GNSS-TESLA protocols.

中文翻译：

---

延迟披露 GNSS 认证协议中 MAC 和密钥长度的分析和建议


人们正在提出数据和信号认证方案，以解决全球导航卫星系统 (GNSS) 的欺骗漏洞。由于其信号功率较低，GNSS 中可用于身份验证的带宽非常稀缺。由于延迟披露协议（例如 TESLA（定时高效流丢失容忍认证））在带宽方面高效并且对信号损伤具有鲁棒性，因此它们已由 GNSS 提出并实施。消息认证码 (MAC) 和加密密钥的长度是协议设计的两个关键方面，因为它们会影响所使用的带宽，从而影响协议性能。我们详细分析了 GNSS-TESLA 的两个方面，并提出了高效且安全的 MAC 和密钥长度的建议。我们通过提出可能的身份验证成功和失败策略来进一步补充此分析，并量化由于使用它们而减少的攻击面。分析表明，在某些情况下，使用小于最佳实践指南中建议的 MAC 和密钥大小是安全的。虽然我们的一些考虑是针对数据和信号认证的延迟披露轻量级协议的一般性考虑，但我们将它们专门用于 GNSS-TESLA 协议。