Challenge-Response Authentication for LEO Satellite Channels: Exploiting Orbit-Specific Uniqueness

1 Challenge-Response Authentication for LEO Satellite Channels: Exploiting Orbit-Specific Uniqueness Jinyoung Lee, Stefano T omasin, and Dong-Hyun Jung Abstract —The number of low Earth orbit (LEO) satellite constellations has gr own rapidly in recent y ears, bringing a major change to global wireless communications. As LEO satellite links take on a growing role in critical services such as emer- gency communications, navigation, wide-area data collection, and military operations, keeping these links secure has become an important concern. In particular , v erifying the identity of a satellite transmitter is now a basic requir ement for protecting the services that rely on satellite access. In this article, we pr opose an active challenge-r esponse authentication framework in which the verifier checks the satellite at randomly chosen times that are not known in advance, removing the fixed measur ement window that existing passive methods expose to adversaries. The proposed framew ork uses the deterministic yet unpr edictably sampled nature of orbital observables to establish a physics based root of trust for satellite identity authentication. This approach transforms satellite authentication fr om static featur e matching into a spatiotemporal consistency verification problem inherently constrained by orbital dynamics, providing rob ust protection even against trajectory-aware spoofing attacks. I . I N T RO D U C T I O N A. Motivation In recent years, the rapid deployment of low Earth or- bit (LEO) satellite constellations has significantly reshaped the landscape of global wireless communications. Mega- constellations such as SpaceX Starlink, OneW eb, and Ama- zon Kuiper are placing thousands of satellites into LEOs, extending broadband access to areas that were previously out of reach. The 3rd Generation Partnership Project (3GPP) has also included non-terrestrial networks (NTNs) in the 5G New Radio standard from Release 17 onward, creating a common framework for satellite-assisted connectivity [1]. As the number of LEO satellites continues to grow , satellite networks are expected to support an increasing range of critical services such as emergency communications, navigation, data collection, and military operations. Howe v er , the proliferation of satellites also raises new security concerns, including the potential for satellite-based eav esdropping, i.e., unauthorized interception of communication signals [2]. Conv ersely , since satellites may potentially operate as malicious transmitters, verifying the identity of satellite transmitters has become a Jinyoung Lee is with the Division of Electronics and Electrical Infor- mation Engineering, National Korea Maritime & Ocean University , Busan 49112, South Korea; Stefano T omasin is with the Department of Information Engineering, University of Pado va, Padov a 35131, Italy; Dong-Hyun Jung (corresponding author) is with the School of Electronic Engineering, Soongsil Univ ersity , Seoul 06978, South Korea. fundamental requirement for protecting services that rely on satellite access. Authenticating a LEO satellite transmitter is considerably more difficult than in terrestrial networks. In con v entional wireless systems, cryptographic key-based protocols can re- liably verify the identity of a transmitter . Howe ver , satellite communication en vironments introduce sev eral unique secu- rity challenges. First, satellites operate in remote orbital en vi- ronments where physical access is extremely limited, making post-incident intervention difficult once a system is com- promised [3]. Second, satellite transmissions are inherently wide-area broadcasts, which significantly expands the attack surface and allo ws adv ersaries to observe and potentially inject signals from distant locations [4]. Third, advances in onboard software-defined radio and signal processing technologies hav e made it increasingly feasible for adversaries to imitate ex- pected signal characteristics. Therefore, these challenges have motiv ated growing interest in physical layer authentication (PLA), which le verages physical signal properties as an ad- ditional mechanism to verify transmitter identity . B. T axonomy and Evolution of Satellite PLA Existing satellite PLA techniques hav e e volv ed from simple single-feature checks toward more advanced schemes that exploit multiple signal features and temporal observations. T o provide a structured view of this progression, existing methods can be categorized into four ev olutionary stages based on their feature sets and observation windows, as summarized in T able I. 1) Single-F eature Authentication: T o provide low-o verhead identity verification, early PLA schemes relied on the compar- ison of a single physical feature at a specific time instance. By estimating the angle of arriv al (AoA) via antenna arrays [5] or correlating the Doppler frequency shift during initial access with ephemeris data [6], these methods establish a basic root of trust. In such attacks, an adversary adjusts its spatial geometry to mimic the legitimate satellite, making one-time verification insufficient to detect sophisticated impersonation. 2) Collaborative and T rajectory-A ware Authentication: T o address the limitations of single-snapshot verification, later studies introduced multi-point and sequence-based authen- tication. The time difference of arriv al (TDoA) signatures are matched across synchronized ground receiv ers [8], while Doppler statistics are aggre gated within inter -satellite links [7]. These methods incorporate temporal ev olution into the au- thentication process. Howe ver , since the observation windows 2 Reference Physical Featur e Observation Window Methodology Limitation (Research Gap) [5] AoA Single / Fixed Spatial arrival angle authentication via antenna array estimation. Relying on precise antenna hardware, rendering it susceptible to geometry-aware location spoofing. [6] Doppler frequency shift Single / Fixed Doppler based correlation using ephemeris derived reference values. Dependent on single timestamp, failing to detect predictive signal mimicry and replay attacks. [7] Doppler frequency shift Multiple / Fixed Statistical Doppler spectrum fusion within inter-satellite links. Lacking active authentication mechanisms, resulting in a failure to counter pre-calculated trajectory mimicking. [8] TDoA signature Multiple / Fixed Matching arrival time patterns across distributed receivers. Requiring a network of synchronized receiv ers and allowing predictive spoofing for fixed observation window . [9] RF fingerprint Multiple / Fixed RF fingerprinting of hardware impairments through signal learning. Sensitiv e to hardware aging, necessitating periodic model retraining and high computational overhead. [10] Atmospheric signature Multiple / Fixed ML-based profiling of atmospheric signal fluctuations. Constrained by meteorological variability , leading to inconsistent performance across varying en vironments. [11] Doppler + RSP Multiple / Sliding SVM-based classification of Doppler and Received Power . Ignoring Keplerian coupling between features and highly sensitive to environmental fading. Proposed Frame- work Multi-Featur e (Doppler , AoA, RSP , RTT) Multiple / Random Active challenge-response verifying multi-feature orbital consistency . Defeating predictive spoofing via randomized windows and enforcing strict physical feature coupling. T ABLE I: Summary of research on satellite physical layer authentication. (AoA: Angle of Arriv al, TDoA: Time Dif ference of Arriv al, RF: Radio Frequency , ML: Machine Learning, RSP: Receiv ed Signal Power , SVM: Support V ector Machine) are deterministic and predictable, an adversary may be able to forecast the expected features and emulate the legitimate trajectory , which limits long-term security . 3) Har dwar e and En vir onmental F ingerprinting: Another research direction focuses on exploiting intrinsic device and channel characteristics. For example, hardware-specific im- pairments are extracted from I/Q samples [9], and spatiotem- poral signal fluctuations caused by atmospheric propaga- tion [10] are analyzed. These methods rely on stochastic physical features for authentication. Howe ver , such signatures are sensiti ve to hardware aging and meteorological v ariations, which can lead to inconsistent performance across different operational en vironments. 4) Multi-F eature Fusion and Physical Disconnect: More recently , hybrid approaches hav e combined multiple physical features to improve authentication reliability in dynamic LEO en vironments. For example, Doppler shifts and received signal power (RSP) can be jointly analyzed to construct a richer identity profile [11]. By fusing heterogeneous features, these schemes attempt to improve robustness against measurement noise and channel variations. Howe ver , the features are typ- ically treated as independent statistical measurements rather than quantities determined by orbital dynamics. As a result, the physical relationships among signal features are not explicitly enforced during authentication. Consequently , e ven multi- feature fusion cannot fully eliminate spoofing opportunities when the observation timing is predictable. C. Contributions Despite these improvements, all existing approaches share a common weakness: they all rely on measuring signal features during a fixed, predictable time window . Because the timing of these measurements can be worked out in advance from publicly available orbital data, an adversary can may predict and send a carefully timed fak e signal that matches these expected values throughout the measurement period. This weakness does not go away when more features are combined, because an adversary can align all of them at once if the timing is known ahead of time. Moreov er , a deeper problem is that existing methods treat each measured feature as if it were independent from the others. In reality , under the laws of orbital motion, the Doppler shift, AoA, and round-trip signal delay of a satellite are all tied together; they are determined by the same orbital state at every moment. By ignoring this physical link, existing methods remain open to attacks in which an adversary copies the expected signal profile without actually being in orbit. The key idea behind this work is that a LEO satellite’ s flight path, defined by six orbital parameters known as Keplerian elements, provides a built-in proof of identity that is enforced by the laws of physics. The way the signal features, specifi- cally Doppler shift, AoA, and round-trip time (R TT), change ov er time is directly tied to the orbital path, so no transmitter can reproduce this pattern without actually flying on the same orbit at the same time. Based on this idea, we propose an activ e challenge-response authentication framework in which the verifier checks the satellite at randomly chosen times that are not known in advance, removing the fixed measurement window that existing passive methods expose to adversaries. The satellite must respond consistently across all of these random check times, and any mismatch in the physical signal patterns rev eals an impersonation attempt. The main contributions of this work are as follows. First, we show that a satellite’ s orbital path is unique and use 3 Fig. 1: Geometric illustration of the Keplerian orbital elements in the Earth-centered inertial (ECI) reference frame. this uniqueness as a physical basis for authentication, clearly describing the physical link among Doppler shift, AoA, RSP , and R TT that makes this possible. Second, we design an activ e challenge-response protocol that replaces fixed-schedule passiv e measurement with randomly timed checks controlled by the verifier , blocking pre-planned impersonation attacks. Third, we build a multi-feature consistency check that verifies the physical coupling among all observed signal features at once, making it physically impossible to fake the correct response without occupying the same orbit. I I . L E O O R B I T A L D Y N A M I C S A N D U N I Q U E N E S S A. K eplerian P arameterization of LEO Orbits A LEO satellite’ s trajectory is fully and uniquely determined by six Keplerian orbital elements and the gravitational dynam- ics of Earth. In a geocentric inertial reference frame, the semi- major axis a and eccentricity e specify the size and shape of the orbital ellipse; the inclination i defines the tilt of the orbital plane relative to the equatorial plane; the right ascension of the ascending node Ω fixes the orientation of that plane in inertial space; the argument of perigee ω orients the ellipse within the plane; and the true anomaly ν at a reference epoch locates the satellite on its orbit. The geometric relationships among these six elements are illustrated in Fig. 1, and the resulting six-tuple o = ( a, e, i, Ω , ω , ν ) constitutes a complete and minimal state representation from which the satellite’ s position and velocity vectors can be propagated forward in time without ambiguity , using standard ephemeris models such as the Simplified Gen- eral Perturbations 4 propagator applied to publicly av ailable two-line element sets. For the LEO altitude band of interest, orbits are typically near-circular with eccentricity e ≈ 0 . The orbital speed for a circular orbit can be obtained using the vis- viva equation , i.e., v = p µ/a , where µ = 3 . 986 × 10 14 m 3 / s 2 is the Earth’ s standard gravitational parameter . The high ve- locity of LEO satellites produces rapidly ev olving channel conditions at any fixed ground receiv er . B. Kinematic Observables and Their Coupling The relati ve kinematics between the satellite and a terrestrial receiv er imprint four physically observ able features onto the receiv ed signal: Doppler frequency shift f D ( t ) , AoA decom- posed into azimuth ϕ ( t ) and elev ation components θ ( t ) , RSP P r ( t ) , and R TT τ ( t ) . A defining property of these observables, and the one that underpins the security argument of this work, is that they are not statistically independent features. All four are deterministic functions of the same slant range, i.e., the distance between the satellite and recei ver r ( t ) , and its time deriv ative ˙ r ( t ) . These quantities are uniquely determined by o via the coordinate transformation chain illustrated in Fig. 2 and the ephemeris propagation equations. The instantaneous Doppler shift for a carrier of frequency f c is f D ( t ) = ( f c /c ) ˙ r ( t ) , where c is the speed of light. Over the course of a pass, f D ( t ) traces a characteristic S-curve: large and positiv e as the satellite approaches, crossing zero at the point of closest approach, and large and negati ve as it recedes. The steepness of the transition, the epoch of the zero crossing, and the asymptotic amplitudes are uniquely determined by o and the receiver’ s geodetic coordinates. The AoA is obtained by transforming the satellite’ s Earth-centered Earth-fixed (ECEF) position vector into the receiver’ s local topocentric horizon frame: the ele vation angle rises from near zero at the horizon, peaks at closest approach, and declines symmetrically , with its maximum value and timing uniquely prescribed by a and the orbital geometry . The RSP is determined by the slant range through the Friis transmission equation as P r = P t Gc 2 / (4 π f c r ) 2 , where P t is the transmit power and G is the antenna gain. Since r ( t ) varies contin- uously along the orbital path, the RSP follows a predictable temporal profile that peaks at closest approach and decays as the satellite moves tow ard the horizon. The R TT ev olves as τ ( t ) = 2 r ( t ) /c , with time deriv ati v e ˙ τ ( t ) = 2 ˙ r ( t ) /c that is directly proportional to the radial velocity . This last identity rev eals the structural coupling: f D ( t ) and ˙ τ ( t ) share the same physical origin ˙ r ( t ) , so that any modification to one inevitably perturbs the other through a fixed algebraic relationship. This inextricable coupling is the critical property that distinguishes satellite PLA from terrestrial counterparts. An adversary that attempts to forge the Doppler profile of a le- gitimate satellite must match ˙ r ( t ) , which simultaneously fixes ˙ τ ( t ) and constrains the transmitter’ s radial velocity relative to the receiv er . Satisfying all four constraints simultaneously is therefore not a signal processing problem b ut a physical placement problem: it requires the transmitter to reproduce the same kinematic trajectory . C. T rajectory Uniqueness as a Physical Security Primitive The fore going analysis establishes that the six K eplerian elements o constitute a physics-enforced identity credential. T wo satellites in distinct orbits cannot produce identical joint time series of f D ( t ) , θ ( t ) , ϕ ( t ) , P r ( t ) , and τ ( t ) at the same ground receiver . This is because the system of equations relating these observables to o uniquely determines the orbit giv en a sufficiently long observation windo w . Critically , this uniqueness is not probabilistic; it is a geometric consequence of the equations of motion. The orbital state vector therefore functions as a natural physical identifier that is imposed and continuously enforced by orbital mechanics rather than issued by a certificate authority . 4 Fig. 2: Coordinate transformation chain from the perifocal orbital frame to the receiv er’ s local frame and the resulting parameter estimations. The satellite position in the perifocal frame p pf s , parameterized by the true anomaly ν , is first conv erted to the ECI frame through three intrinsic rotations about the z - x ′ - z ′′ axes by Ω , i , and ω , respectiv ely , using elementary rotation matrices R α ( · ) , where α ∈ { x, y , z } denotes the axis of rotation. The ECI position is then transformed to the ECEF frame by rotating by the Greenwich mean sidereal time (GMST) angle θ GMST , and subsequently projected into the local receiv er frame defined by latitude λ and longitude ψ . The slant range r ( t ) between the satellite and the receiv er is computed from the ECEF positions of the satellite p ecef s and the receiv er p ecef r . From r and its time deriv ative ˙ r , five observable features are estimated: R TT τ , RSP P r , Doppler shift f D , elev ation AoA θ , and azimuth AoA ϕ . This trajectory uniqueness becomes actionable as a security primitiv e through temporal observation. Since the orbital state at time t is propagated deterministically from o , the full pass- long trajectory { f D ( t ) , θ ( t ) , ϕ ( t ) , P r ( t ) , τ ( t ) } is fixed once o is specified. A verifier that compares observed features against an ephemeris-deriv ed reference at a sequence of timestamps t 1 , t 2 , . . . , t N accumulates kinematic evidence that grows in discriminativ e po wer with N . A spoofing transmitter may match the expected feature values at one timestamp, whether by chance or by pre-computation. Howe ver , if its physical trajectory deviates from the legitimate orbital path, unavoid- able inconsistencies will appear at other timestamps because the four observ ables are coupled: adjusting one requires a physical repositioning that disturbs all others. Crucially , if the verification timestamps are chosen unpredictably by the verifier rather than disclosed in advance, the adversary cannot align its forged profile to the correct timestamps without real- time orbital placement. This observ ation moti v ates the core design choice of the authentication framew ork presented in the next section: an activ e challenge-response protocol in which the verifier selects randomized interrogation epochs, lev eraging the deterministic yet unpredictably sampled nature of orbital observables as the physical root of trust for satellite identity authentication. I I I . P RO P O S E D F R A M E W O R K : A C TI V E S PA T I O T EM P O R A L A U T H E N T I C A T I O N E X P L O I T I N G K I N E M AT I C U N I Q U E N E S S The authentication framework proposed in this work intro- duces a paradigm shift in securing LEO satellite netw orks, transitioning the defender’ s role from a con v entional passi ve observer to that of an acti ve v erifier . Unlike existing PLA schemes that rely on the opportunistic measurement of channel features, the proposed framework exploits the deterministic nature of orbital mechanics to establish a physics based root of trust. A. Pr oposed Active Spatiotemporal Authentication The proposed framework performs authentication over mul- tiple randomized timestamps, denoted as t 1 , t 2 , . . . , t N . Since these time instances are selected unpredictably , authentication is no longer tied to a static spatial point but instead to a verifier -controlled dynamic trajectory . T o realize this concept, the frame work introduces an activ e spatiotemporal authen- tication mechanism based on a challenge-response protocol [12], [13]. The verifier (Bob) determines the timing of each challenge, injecting temporal uncertainty into the process. This probing prevents adversaries from forecasting or synchroniz- ing deceptiv e signal profiles in advance. An adversary may replicate the satellite’ s signal profile at a single, self-selected time instance. Howe ver , maintaining physical consistency across a randomized temporal sequence is significantly more challenging. The impersonator must si- multaneously satisfy the coupled relationships among velocity , range, and geometry at every timestamp. If the adversary operates at a dif ferent altitude or follo ws a different velocity profile, it cannot satisfy Keplerian constraints. As a result, kinematic inconsistencies accumulate ov er time, exposing the impersonation attempt. Authentication can be strengthened when Bob moves, since randomized timestamps correspond to varying recei ver positions. These variations are reflected in the authentication features, posing an additional challenge to 5 Fig. 3: Overvie w of the proposed acti ve challenge-response authentication framew ork. Here, T 1 , T 2 , . . . denote the absolute time slots within the satellite visibility window , and t 1 , t 2 , . . . , t N denote the N time slots randomly selected from them and arranged in chronological order . In Stage 1, Bob measures kinematic features and constructs a CCM from satellite ephemeris data. In Stage 2, Bob issues randomized temporal challenges at t 1 , t 2 , . . . , t N and acquires multi-feature responses. An adv ersary , T rudy , may attempt to inject a forged signal. In Stage 3, Bob compares the observed features against the CCM: Alice exhibits a consistent orbital trajectory , while Trudy’ s response rev eals kinematic inconsistencies that expose the impersonation attempt. T rudy , who is typically unaware of Bob’ s position. Howe ver , Bob must kno w its position to compute the expected features. T o eliminate signal emulation, the proposed framework explicitly incorporates Keplerian orbital constraints into the authentication process. Specifically , Bob exploits the intrinsic coupling of satellite features through two hierarchical consis- tency checks, thereby establishing security that is rooted in orbital mechanics rather than feature-lev el statistics. 1) T rajectory Uniqueness via Randomized T imestamps: The proposed framew ork exploits the temporal evolution of satellite signals ov er multiple randomized timestamps to es- tablish a reliable authentication basis. The verifier randomly selects the timestamps and e valuates the consistency of the resulting signal gradients across time. As a result, matching features at a single timestamp is no longer sufficient for suc- cessful authentication. Under Keplerian dynamics, a satellite in a giv en LEO follows a unique kinematic trajectory . For example, it produces a characteristic Doppler S-curve and a specific rate of change in propagation delay . These temporal patterns are deterministically linked to orbital motion. By checking the consistency of signal features across randomized timestamps, the framework detects transmitters that do not fol- low the expected orbital trajectory . As observations accumulate ov er time, the resulting kinematic inconsistencies reveal the impersonation attempt. 2) Multi-F eature Phsical Consistency: T o resist trajectory- mimicking attacks, the framework checks multiple physical features together instead of relying on a single signal property . Because orbital motion links Doppler shift, geometry , and propagation delay , these features must update consistently ov er time. A legitimate satellite naturally satisfies this relationship, whereas an impersonator cannot maintain such consistenc y . If an adversary attempts to replicate one parameter , such as the Doppler profile, it must adjust its relative velocity or transmission frequency . Howe ver , this adjustment inevitably affects other features, including AoA and R TT . For example, a ground-based spoofer may mimic the Doppler trend of a satellite, but the signal will arrive from a difference direction and with a different delay . By jointly validating these coupled features, the proposed scheme detects inconsistencies within forged signals. As a result, any transmitter that does not follow the true orbital trajectory cannot maintain consistent multi-feature behavior , making successful spoofing physically difficult. B. Overall System Operation This subsection presents ho w the proposed frame work op- erates within an active authentication process. As illustrated in Fig. 3, the operational procedure consists of three main stages: dynamic channel mapping, temporal feature e xtraction, and orbital consistency authentication. 1) Dynamic Channel Mapping: The verifier first constructs a channel characteristic map (CCM) to provide a reliable authentication baseline. It deriv es dynamic reference data from satellite ephemeris and incorporates key propagation effects, such as AoA, Doppler shift, R TT , and RSP . By modeling the temporal e volution of these physical features, the system forms a ground-truth trajectory . This trajectory serves as a deterministic reference for legitimate signal paths throughout the satellite visibility window . 2) T emporal F eatur e Extraction: The active authentication process begins when Bob transmits a challenge that specifies randomized timestamps. Because the verifier controls the tim- ing of each authentication instance, the process introduces tem- poral unpredictability and prev ents adversarial pre-calculation. In response, the satellite (Alice) transmits pilot signals at 6 the requested times. Then, the receiv er samples the receiv ed signals and extracts a multi-feature v ector that captures the instantaneous kinematic state of Alice. 3) Orbital Consistency A uthentication: Bob makes the authentication decision by checking orbital consistency . It compares the observed feature sequence with the reference trajectory provided by the CCM. The similarity between them is measured using a metric that measures the cumulati ve differ - ence between the observed features and reference trajectory . Impersonation attempts are detected by combining random- ized temporal authentication with physics-based multi-feature consistency checks. As these feature mismatches accumulate across multiple observations, the system exponentially reduces the detection error probability (DEP), ef fecti vely suppressing both false alarms and miss detection. The proposed framework improv es robustness by verifying consistency across multiple randomized observations. This highlights the key advantage of trajectory-based authentication, which relies on orbital motion rather than isolated feature matching. I V . C A S E S T U DY A N D P E R F O R M A N C E A N A L Y S I S W e ev aluate the proposed frame work with a le gitimate satel- lite (Alice) at 600 km and an adversary (T rudy) at 1,200 km. Authentication is performed by tracking the temporal consis- tency of two coupled physical features, AoA and Doppler shift, across N authentication timestamps t 1 , t 2 , . . . , t N . T o consider worst-case settings, we adopt the collinear attack as the primary threat model, as seen in Fig. 4, where Trudy attempts to align her signal with Alice’ s AoA, i.e., ϕ and θ , regardless of her le vel of orbital knowledge. W e also consider two attack scenarios depending on the adversary’ s knowledge: a blind adversary without orbital information (Scenario I) and an informed adversary with access to the satellite’ s ephemeris data (Scenario II). The resulting authentication performance is measured by the minimum DEP , demonstrating the signif- icant fusion gain achieved through multi-feature and multi- timestamp authentication. A. Scenario I: Blind Adversary with F ixed T imestamps W e first consider a blind adversary that does not know Al- ice’ s precise orbital ephemeris. W ithout the ability to synchro- nize her kinematic state, Trudy cannot replicate Alice’ s orbital motion. As shown in Fig. 5(a), a noticeable mismatch appears in the elev ation AoA trajectory due to the orbital altitude difference. At the same time, without knowledge of Alice’ s orbital velocity , T rudy cannot reproduce the correct Doppler shift ev olution, which leads to the kinematic discrepancy illustrated in Fig. 5(b). On the contrary , Bob can jointly utilize AoA and Doppler shift for authentication. The corresponding performance is represented by the “ AoA + Doppler (fixed)” curve in Fig. 5(c). By combining these complementary phys- ical features, the system achiev es near-perfect authentication performance ev en with a single observ ation, N = 1 , since mismatches appear simultaneously across multiple physical features. Fig. 4: Conceptual illustration of the collinear attack scenario and the verifier’ s authentication model. Trudy attempts to match the AoA ( θ ) of Alice at selected timestamp, e.g., t 1 , . . . , t N , while the verifier tracks the temporal consistency of physical features using the CCM table. In Scenario I (blind adv ersary), both AoA and Doppler are jointly used for multi-feature, multi-timestamp authentication. In Scenario II (informed adversary), Doppler is pre-compensated, and authentication relies on multi-timestamp AoA authentication. B. Scenario II: Informed Adversary with F ixed T imestamps W e next consider a knowledgeable adversary that has ac- cess to Alice’ s orbital ephemeris. Using this information, T rudy can perfectly pre-compensate the difference between her own Doppler shift and that of Alice [14], which masks the kinematic mismatch shown in Fig. 5(b). In addition, T rudy can achiev e a collinear alignment with Alice and the ground station at a specific time instant, t 1 , making the AoAs, e.g., θ and ϕ , indistinguishable from the legitimate satellite at the beginning of the authentication process. Under single timestamp-based authentication, such alignment can lead to successful impersonation. Howe v er , in the proposed activ e framew ork, this advantage is limited to the first observ ation. As the verifier performs a sequence of observ ations across multiple timestamps, e.g., t 2 , . . . , t N , Trudy gradually drifts away from the collinear configuration because her orbital angular velocity is lower than that of Alice. In particular, AoAs are dif ficult to forge [15], even when T rudy can perform sophisticated signal processing and has many antennas, since it mostly depends on channel propaga- tion conditions. Since Doppler has already been compensated in this informed scenario, authentication mainly relies on AoA consistency . The resulting performance follows the “ AoA only (fixed)” curve in Fig. 5(c). Although the initial alignment at t 1 leads to a high authentication error and thus a high minimum DEP , the accumulation of trajectory evidence across multiple timestamps rapidly reduces the error . This result confirms that ev en when one feature is intentionally manipulated, temporal consistency of orbital geometry remains a reliable basis for authentication due to the uniqueness of satellite orbits. 7 Fig. 5: Spatiotemporal trajectory analysis and authentication performance under dif ferent T rudy’ s altitudes (T op: 500 km, Bottom: 1200 km). (a) Ele v ation AoA trajectory mismatch, (b) Kinematic Doppler trajectory mismatch, and (c) Authentication performance (Minimum DEP) versus the number of observ ation samples N . Scenario I follows the “ AoA + Doppler (fixed)” curve, while Scenario II is restricted to the “ AoA only (fixed)” curve due to the T rudy’ s Doppler pre-compensation. Notably , Scenario III unpredictably selects N timestamps across the entire time slot, following “ AoA only (random)” curv e. This temporal randomness intrinsically captures the accumulated kinematic drift, drastically accelerating impersonator detection compared to con v entional fixed sampling ev en when the initial spatial parameters are perfectly matched. For the performance ev aluation, the measurement noise standard deviations of the elev ation AoA and Doppler shift are set to σ θ = 1 . 0 deg and σ f D = 200 Hz, respectively . C. Scenario III: Informed Adversary with Randomized T imes- tamps Finally , we consider the informed adversary under the pro- posed randomized authentication strategy . In Scenario II, the adversary was able to align with Alice at a specific timestamp and partially imitate the signal geometry at the beginning of the authentication process. Although the subsequent observa- tions ev entually reveal the trajectory mismatch, the determin- istic observation window still allows the adversary to predict the timing of Bob’ s authentication measurements. T o eliminate this predictability , the proposed framew ork randomly selects N timestamps from the entire observation window rather than using deterministic observations. This randomized timestamp selection fundamentally limits the adversary’ s ability to main- tain geometric alignment with Alice across all authentication instances. Although T rudy may achie ve temporary collinear alignment at a specific instant, maintaining the same spatial relationship across multiple randomly-selected timestamps be- comes physically infeasible due to the orbital dynamics of the satellites. The resulting performance is illustrated by the “ AoA only (random)” curve in Fig. 5(c). Even under the informed adversary model, the authentication error rapidly approaches zero as the number of sampled timestamps increases. This result highlights an important physical insight: maintaining consistency with orbital geometry at multiple unpredictably selected timestamps becomes fundamentally constrained by orbital dynamics. By introducing randomized multi-timestamp authentication, the proposed framew ork therefore transforms the authentica- tion task from matching a single geometric snapshot to vali- dating trajectory consistency at randomly selected timestamps. Consequently , the proposed acti ve spatiotemporal authentica- tion framework provides a robust defense against trajectory- aware spoofing attacks. D. Extension: Spatiotemporal Multi-F eature Coupling While Scenarios I–III primarily demonstrate authentication based on trajectory consistency observed through AoA and 8 Doppler , satellite signals inherently exhibit spatiotemporal coupling across multiple physical features. In addition to AoA and Doppler , other orbit-dependent features such as R TT and RSP are also determined by the same underlying orbital dynamics. For example, randomized authentication timing directly constrains R TT spoofing. Each authentication request contains a unique challenge, forcing the adversary to generate the response only after receiving the signal. For an adversary located at a higher altitude, this requirement introduces a strict causality constraint imposed by signal propagation delay , making predictiv e pre-transmission infeasible. The ke y advantage of the proposed framework lies in the joint effect of temporal unpredictability and the inherent coupling among multiple physical signal features determined by orbital motion. Consequently , even if an adversary attempts to manipulate one feature, inconsistencies inevitably appear in others across randomly-selected authentication instants. This spatiotemporal constraint enables robust authentication even against highly capable adversaries with orbital knowledge. V . O P E N C H A L L E N G E S A N D F U T U R E D I R E C T I O N S This section discusses ke y open challenges and future research directions for applying trajectory-based physical layer authentication in high-dynamic 6G NTNs. While the proposed activ e spatiotemporal authentication provides a robust root of trust, its large-scale deplo yment entails several open challenges that arise from the adversarial nature of the satellite-terrestrial interface. A. Adaptive Modeling for Non-Keplerian Dynamics The current framew ork assumes Keplerian orbital motion as the reference model. In practice, LEO satellites experi- ence additional ef fects such as atmospheric drag and solar radiation pressure, which gradually alter their trajectories. Over time, these effects may cause mismatch between the reference CCM and the actual satellite motion, leading to unnecessary authentication failures. This issue becomes par- ticularly important during periods of high solar activity , when increased atmospheric density accelerates orbital decay and amplifies the de viation from the nominal Keplerian prediction. Future work should inv estigate adapti ve trajectory modeling techniques that continuously refine the reference trajectory using updated ephemeris information. Incorporating real-time orbit determination data and state estimates obtained via onboard global navigation satellite systems into the CCM update process could significantly reduce reference model errors while preserving the physical consistency required for robust authentication. B. V erification Overhead and Latency in Delay-Sensitive Ser- vices The proposed framew ork requires multiple challenge- response exchanges across randomized timestamps to accu- mulate sufficient kinematic e vidence. Increasing the number of verification instances N improv es authentication reliability , b ut each exchange consumes part of the limited satellite visibility window and adds communication latency . For delay-sensitiv e services such as emergency communications and navigation, this creates a fundamental tradeoff between authentication accuracy and service responsiv eness. At a typical LEO altitude of 550 km, a satellite pass lasts only a few minutes, which limits the time av ailable for both authentication and data transmission. Future work should explore adaptive verification strategies that adjust N based on the required security le vel and the latenc y constraints of the target service. Simplified challenge designs that minimize round-trip overhead while preserving the temporal unpredictability of the framework will also be essential for practical deployment. C. Authentication Continuity Acr oss Satellite Handovers In LEO me ga-constellations, frequent satellite handov ers are unav oidable because each satellite remains visible for only a few minutes. Whenever a handov er occurs, the serving satellite changes, and the v erifier must authenticate a new satellite. This repeated re-authentication introduces additional signaling ov erhead and temporarily lea ves the link unv erified during the transition period. The challenge becomes more severe in dense constellation scenarios where handovers occur more frequently , requiring the verifier to complete a full multi- timestamp verification cycle for each new satellite within a short contact window . Future research should therefore inv estigate mechanisms that maintain authentication continuity across handovers. For example, partial authentication evidence from a previous satel- lite could be reused to accelerate the verification process for the next satellite. Another promising direction is cooperativ e authentication, where neighboring satellites or ground sta- tions share orbital consistency information with the v erifier to reduce the authentication burden during rapid handover sequences. Such mechanisms could enable trajectory-based authentication to operate efficiently in large-scale LEO con- stellations. D. Effects of Bob’s Movement Further in vestigation is needed on the effects of Bob’ s mobility on PLA performance. Considering contexts in which such mobility is possible, designing proper random mov ement strategies to increase the variation and unpredictability of the feature would make impersonation attacks more difficult. Additionally , an analysis of performance with each feature should be conducted, taking into account specific propagation conditions. This would rev eal the conditions under which physical features such as the AoA and Doppler shift cannot be forged by T rudy . R E F E R E N C E S [1] “Solutions for NR to support Non-T errestrial Networks (NTN), ” 3rd Generation Partnership Project, Sophia Antipolis, France, 3GPP T ech. Rep. 38.821 v16.1.0, Jun. 2021. [2] D.-H. Jung, J.-G. Ryu, and J. Choi, “When satellites work as eaves- droppers, ” IEEE Tr ansactions on Information F orensics and Security , vol. 17, pp. 2784–2799, 2022. [3] B. Li, Z. Fei, C. Zhou, and Y . Zhang, “Physical-layer security in space information networks: A survey , ” IEEE Internet of Things Journal , vol. 7, no. 1, pp. 33–52, 2020. 9 [4] N. H. S. Suhaimi, N. H. Kamarudin, M. N. A. Khalid, I. T ahir, and M. A. A. Mohamed, “State-of-the-art authentication measures in satellite communication networks: A comprehensiv e analysis, ” IEEE Access , vol. 12, pp. 142 241–142 264, 2024. [5] A. Abdelaziz, R. Burton, F . Barickman, J. Martin, J. W eston, and C. E. K oksal, “Enhanced authentication based on angle of signal arrivals, ” IEEE Tr ansactions on V ehicular T echnology , vol. 68, no. 5, pp. 4602– 4614, 2019. [6] Q.-Y . Fu, Y .-H. Feng, H.-M. W ang, and P . Liu, “Initial satellite access authentication based on doppler frequency shift, ” IEEE W ir eless Com- munications Letters , vol. 10, no. 3, pp. 498–502, 2021. [7] O. A. T opal and G. K. Kurt, “Physical layer authentication for LEO satellite constellations, ” in Proceedings of the 2022 IEEE W ireless Communications and Networking Conference (WCNC) , 2022, pp. 1952– 1957. [8] E. Jedermann, M. Strohmeier , M. Sch ¨ afer , J. Schmitt, and V . Lenders, “Orbit-based authentication using TDOA signatures in satellite net- works, ” in Proceedings of the 14th ACM Conference on Security and Privacy in W ireless and Mobile Networks , 2021, pp. 175–180. [9] G. Oligeri, S. Sciancalepore, S. Raponi, and R. Di Pietro, “P AST -AI: Physical-layer authentication of satellite transmitters via deep learning, ” IEEE T ransactions on Information F orensics and Security , vol. 18, pp. 274–289, 2023. [10] R. Kumar and S. Arnon, “ Authentication method for spoofing protec- tion in communication and navigation satellites: Utilizing atmospheric signature, ” IEEE Communications Letters , vol. 28, no. 1, pp. 108–112, 2024. [11] M. Abdrabou and T . A. Gulliv er , “Physical layer authentication for satellite communication systems using machine learning, ” IEEE Open Journal of the Communications Society , vol. 3, pp. 2380–2389, 2022. [12] S. T omasin, H. Zhang, A. Chorti, and H. V . Poor, “Challenge-response physical layer authentication over partially controllable channels, ” IEEE Communications Magazine , vol. 60, no. 12, pp. 138–144, 2022. [13] M. Piana, F . Ardizzon, and S. T omasin, “Challenge-response to au- thenticate drone communications: A game theoretic approach, ” IEEE T ransactions on Information F orensics and Security , vol. 20, pp. 4890– 4903, 2025. [14] J. Seong, J. Park, D.-H. Jung, J. Park, and W . Shin, “Rate-splitting for joint unicast and multicast transmission in LEO satellite networks with non-uniform traffic demand, ” IEEE J ournal on Selected Ar eas in Communications , vol. 43, no. 1, pp. 122–138, 2025. [15] T . M. Pham, L. Senigagliesi, M. Baldi, G. P . Fettweis, and A. Chorti, “Machine learning-based rob ust physical layer authentication using angle of arriv al estimation, ” in Pr oceedings of the 2023 IEEE Global Communications Confer ence (GLOBECOM) , 2023, pp. 13–18. B I O G R A P H I E S Jinyoung Lee (haetsal120@gmail.com) is an assistant professor at National K orea Maritime & Ocean University , South K orea. He pre viously held a staff engineer at Samsung Electronics. His current research focuses on physical-layer security , including authentication and cov ert transmissions, with applications in U A Vs, LEO satellites and distributed AI. Stefano T omasin (stefano.tomasin@unipd.it) is a full professor at the Uni- versity of Pado v a, Italy . His interests include signal processing for commu- nications and physical layer security . From 2020 to 2023, he was an Editor of the IEEE Transactions on Information Forensics and Security , and from 2023, he is deputy editor in chief of the same journal. Dong-Hyun Jung (dhjung@ssu.ac.kr) is an assistant professor at Soongsil Univ ersity , South K orea. From 2017 to 2025, he was a senior researcher at Electronics and T elecommunications Research Institute, South K orea. His research interests include satellite communications, satellite clustering, and physical-layer security in non-terrestrial networks.