About

Todd Walter is a Professor of Aeronautics and Astronautics at Stanford University, where he serves as the director of the Global Positioning System (GPS) laboratory. His work focuses on implementing high-integrity satellite navigation systems and coordinating their implementation within international standards bodies. Walter holds a Ph.D. and an M.S. in Applied Physics from Stanford University, earned in 1994 and 1990 respectively, and a B.S. in Physics from Rensselaer Polytechnic Institute obtained in 1987. His research emphasizes the development and standardization of satellite navigation technologies, contributing to advancements in global positioning systems and their reliable application.

Research topics

• Computer Science
• Computer Security
• Data Mining
• Real-time computing
• Algorithm
• Telecommunications
• Programming language
• Engineering

Selected publications

• Time Synchronization of TESLA-Enabled GNSS Receivers

  IEEE Transactions on Aerospace and Electronic Systems · 2025-03-17 · 2 citations

  articleOpen accessSenior author

  As timed efficient stream loss-tolerant authentication (TESLA)-enabled global navigation satellite systems (GNSS) for authenticated positioning reaches ubiquity, receivers must use an onboard, GNSS-independent clock (GIC) and carefully constructed time synchronization algorithms to assert the authenticity afforded. This work provides the necessary checks and synchronization protocols needed in the broadcast-only GNSS context. We provide proof of security for each of our algorithms under a delay-capable adversary. The algorithms included herein enable a GNSS receiver to use its GIC to determine whether a message arrived at the correct time, to determine whether its GIC is safe to use and when the clock will no longer be safe in the future due to predicted clock drift, and to resynchronize its GIC. Each algorithm is safe to use even when an adversary induces delays within the protocol. Moreover, we discuss the implications of GNSS authentication schemes that use two simultaneous TESLA instances of different authentication cadences. To a receiver implementer or standards author, this work provides the necessary implementation algorithms to assert security and provides a comprehensive guide on why these methods are required. We discuss and address a vulnerability related to the standard synchronization protocols in the context of broadcast-only TESLA.

  PublisherDOI

• Overbounding Time-correlated Errors for a Multi-constellation Precise Point Positioning Integrity Service

  2025-04-28 · 1 citations

  articleSenior author

  Safe navigation for traditional GNSS standalone positioning has been guaranteed by methods such as receiver autonomous integrity monitoring (RAIM) and advanced RAIM (ARAIM). These methods have been supported by several research efforts to characterize historical multi-GNSS signal performance in order to evaluate the one sigma user range accuracy (URA), probability of satellite fault (P<inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">sat</inf>) and probability of constellation fault (P<inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">const</inf>), which are key parameters necessary for the (A)RAIM framework. While the evaluation of these commitments is necessary for traditional GNSS positioning especially in the aviation industry, rigorous characterization of the appropriate error models is still emerging for augmented high-precision positioning methods, such as Precise Point Positioning (PPP) and Real-Time Kinematic (RTK). These methods are heavily used in industries like in autonomous driving or delivery that demand much higher accuracy. To achieve safety guarantees and proposed integrity commitments for a PPP user, a thorough and accurate characterization of errors that threaten a PPP service is required. In this work, we focus on a more rigorous overbounding for these signal-in-space (SIS) errors. We propose an appropriate covariance matrix which bounds the error distribution for time-correlated errors for a PPP integrity service subject to non-Gaussian error distributions. We use an overbounding criterion based on a chi-square distribution that is both simple and practical. The proposed covariance matrix is determined using a multi-GNSS, month-long dataset at a five-minute sampling rate.

  PublisherDOI

• Protecting Against Receiver Faults to a PPP Ground-Based Integrity Monitor System

  Proceedings of the Institute of Navigation ... International Technical Meeting/Proceedings of the ... International Technical Meeting of The Institute of Navigation · 2025-02-13

  articleSenior author

  It is shown (Lai et al., 2024a) that the Integrity Monitor System (IMS) can monitor and detect multiple clock and ephemeris faults happening at the same time using single centralized fault-tolerant filter with a groud-based reciever network. However, there is no guarantee that all the receivers of the monitor network are always correct. We cannot rule out the possibility of receiver faults if we want to use measurements from receivers to monitor the integrity of the clock and ephemeris corrections from PPP service. That is, the integrity of the IMS itself also needs to be protected. For this reason, we consider receiver faults when assessing the integrity of the overall system in this paper. To account for the receiver faults in IMS when estimating the ephemeris and satellite clock bias errors, we apply Solution Separation (SS) for measurements from different receivers to detect the potential receiver fault and place an upper bound on the maximum undetected errors in terms of User Range Errors (UREs). This is similar to what Advanced Receiver Autonomous Integrity Monitoring (ARAIM) does on detecting satellite faults. We form a number of subset filters with each of it excluding certain combination of receivers to form subset solutions. In this case, the statistics to be compared of is the errors from All-In-View (AIV) and subset solutions. By evaluating the differences of UREs between AIV and subset solutions, we can compute for the upper bound of the UREs that take into account the receiver fault modes. The upper bounds can then be approximated as a normal distribution that overbounds the UREs that includes ephemeris, satellite clock and receiver fault modes that the users can reference to protect the integrity.

  PublisherDOI

• Determining Protection Levels Using Multiple Antennas under Spoofing Conditions

  2025-04-28 · 1 citations

  articleSenior author

  We present a method to determine GNSS protection levels using multiple antennas under spoofing conditions. We evaluate these protection levels with real GNSS measurements affected by actual spoofing events. These protection levels could help evaluate the potential of two-antenna set ups to detect the effect of GNSS spoofing.

  PublisherDOI

• Exploitation of Modernized GPS Crosslinks to Improve User Integrity and Availability with ARAIM

  2025-04-28

  article

  In previous work, we introduced the concept of augmenting GPS with inclined geosynchronous satellites (I-GEOs) and Low Earth Orbit satellites (LEOs) that would provide GPS-Block-III-quality military and civil ranging signals along with conveying Satellite-based Augmentation System (SBAS) messages to users [1], [2], [3], [4]. This paper shifts the focus of that work by investigating the benefits of modernized GPS crosslinks, which allow satellites to exchange navigation data directly, reducing onboard Age of Data (AoD) and improving real-time positioning accuracy. For each arrangement of crosslink architectures, the Stanford MAAST GNSS simulation software package is used to evaluate the impact of crosslink-enabled data dissemination on protection levels (error bounds) for ARAIM users that would apply to military or civil aviation IFR approaches (such as LPV approaches) for ARAIM users without differential corrections.We present a comparative analysis of baseline GPS performance versus crosslink-enabled architectures, examining the reduction in Age of Data (AoD) and the consequent reductions in User Range Accuracy (URA) and User Range Error (URE) by showcasing improvements in horizontal and vertical protection levels (HPL, VPL). These results establish the extent to which crosslinks can enhance integrity and availability for ARAIM users, identifying key design factors for future GPS crosslink implementations. By reducing data latency across the satellite network, crosslinks provide an operationally viable means of improving GPS resilience.

  PublisherDOI

• User Range Error Corrections with Latency from PPP Ground-Based Integrity Monitor System

  Proceedings of the Satellite Division's International Technical Meeting (Online)/Proceedings of the Satellite Division's International Technical Meeting (CD-ROM) · 2025-10-01 · 1 citations

  articleSenior author

  Precise Point Positioning (PPP) is a positioning technique that can achieve decimeter level of accuracy for kinematic users and centimeter level for static users with only GNSS measurements. The extremely precise positioning results rely on the provision of the precise corrections from the service provider of PPP. In particular, the precise satellite clock bias and precise ephemeris, which are shown that can be monitored by an Integrity Monitor System (IMS) consists of a group of ground-based receiver network Lai et al. (2024a). The User Range Errors (UREs) and their error bounds (standard deviations) are directly estimated in IMS by a fault-tolerant filter, forming the integrity information that can protect the integrity of the users. In this work, we evaluate the effectiveness of such integrity information for PPP users that are receiving it from the IMS with latencies. We propose a method of prediction model based on Gaussian Process (GP) that can account for the latency of the integrity information. It is verified that the integrity information can protect the PPP users against various threats under different scenarios depending on the amount of latency presented to the users.

  PublisherDOI

• Combining ADS-B, LCM and DPA to Detect and Locate the Interference in a Massive GNSS Jammer Test

  Proceedings of the Institute of Navigation ... International Technical Meeting/Proceedings of the ... International Technical Meeting of The Institute of Navigation · 2025-02-13

  articleSenior author

  GNSS signals are vulnerable to Radio Frequency (RF) interference. When navigating by the GNSS sensor and encounter abnormal behavior, one needs an efficient approach to detect the interference and respond instantly. This paper provides the testing result of JammerTest 2024 by three developing systems against GNSS interference, ADS-B, low-cost monitor (LCM) and dual polarization antenna (DPA). By combining with three systems, we can get more accurate localization results. The algorithm and hardware of three systems are described in detail. The localization results are also presented.

  PublisherDOI

• Real-World Spoofing Detection and Characterization Using Low-Cost Receivers

  Proceedings of the Institute of Navigation ... International Technical Meeting/Proceedings of the ... International Technical Meeting of The Institute of Navigation · 2025-02-13 · 3 citations

  articleSenior author

  The Global Navigation Satellite System (GNSS) is vulnerable to Radio Frequency Interference (RFI) due to the low-powered nature of its signals. Spoofing is a type of RFI which sends GNSS-like signals to receivers making them believe they are at a false location. Recently, due to the conflicts taking place in Eastern Europe and the Middle East, there has been an increase in spoofing attacks that often also affect civilians far away from war zones. Although spoofing detection and characterization methodologies have been developed in the past, the previous lack of real-world spoofing data has limited studies to lab-based experiments or large-scale outdoor testing campaigns, both in artificial interference environments. While these artificial data are useful during the development process, real-world data are needed to understand the spoofing techniques used in uncontrolled environments. This paper analyzes GNSS data collected from the southeast Mediterranean Sea during the Summer of 2024 using two u-blox F9P receivers, one of the L1/L2 model and one of the L1/L5 model. The study’s goals are two fold: First to demonstrate the utility of low-cost GNSS receivers for detecting and characterizing spoofing. Second to assess the effectiveness of various previously developed spoofing detection techniques on a real-world dataset.

  PublisherDOI

• Overbounding Time-Correlated Clock &amp; Ephemeris Errors for Precise Point Positioning

  Proceedings of the Satellite Division's International Technical Meeting (Online)/Proceedings of the Satellite Division's International Technical Meeting (CD-ROM) · 2025-10-01

  articleSenior author

  Safe navigation in Global Navigation Satellite System (GNSS) standalone positioning has historically relied on Receiver Autonomous Integrity Monitoring (RAIM) and Advanced RAIM (ARAIM). These frameworks are built on well-characterized error models for broadcast signals, providing integrity parameters such as user range accuracy (URA) and satellite fault probabilities. However, extending such methods to high-precision positioning techniques, including Precise Point Positioning (PPP) and Real-Time Kinematic (RTK), presents new challenges. Unlike standalone GNSS, PPP relies on frequent correction updates that mitigate slowly varying broadcast errors but introduce vulnerability to latency and fast faults. The emergence of rapid satellite clock faults since early 2023 underscores the need for refined integrity monitoring strategies, which requires characterization of the set of nominal errors (Wang et al., 2024). Therefore, this work builds on prior efforts in modeling and overbounding correlated GNSS errors for PPP services through focusing on the nominal errors. We propose a methodology for handling multiple covariance matrices that represent different uncertainty sources within the PPP filter, enabling tighter and more realistic overbounding of correlated error processes. Using a chi-square–based criterion, we establish appropriate overbounding values for parameters critical to PPP integrity services, demonstrate their application in a simplified filter implementation, and validate them in the user error bound. Results show that our approach achieves reduced conservatism while maintaining integrity, improving vertical protection levels. This work provides a practical, computationally efficient, and simple methodology for implementing integrity monitoring in high-accuracy positioning services, with direct relevance to applications such as autonomous driving, delivery, and safety-critical robotics.

  PublisherDOI

• Protection Levels Against Spoofing Using Dual Antennas: A Practical Approach

  Proceedings of the Satellite Division's International Technical Meeting (Online)/Proceedings of the Satellite Division's International Technical Meeting (CD-ROM) · 2025-10-01

  articleSenior author

  In our previous work, we described a test statistic and a method to determine GNSS protection levels using dual antennas under spoofing conditions. We evaluated these protection levels with real GNSS measurements affected by actual spoofing events. The test statistic is easy to compute and appears to be quite sensitive to the presence of spoofing. The method to compute a protection level (which accounts for all possible capture hypotheses), represented, to our knowledge, the first attempt to rigorously evaluate integrity in the presence of spoofing. However, the method as described in [6] was very computationally expensive and it does not fully exploit the properties of the carrier phase measurements. To address these points, in this work we generalize the method to unknown platform orientations, we reduce the computational power associated to the protection level calculation, and we show the potential of integer nature of the ambiguities to improve the power of the detection test.

  PublisherDOI

Frequent coauthors

• Per Enge

  202 shared

• Juan Blanch

  144 shared

• Sherman Lo

  71 shared

• Grace Xingxin Gao

  29 shared

• R. Eric Phelts

  28 shared

• Dennis Akos

  28 shared

• Andrew Neish

  23 shared

• J. David Powell

  Stanford University

  22 shared

Education

• Ph.D., Applied Physics

  Stanford University

  1993

Awards & honors

• AIAA: Excellence in Teaching Award
• AIAA: Outstanding Course Assistant
• William F. Ballhaus Prize
• Cannon Summer Fellowship
• Hoff Outstanding Master’s Student