Part A: Cellular and Mobile Communications

A.1 The insight that made cellular possible

Imagine you are running a radio station in 1946. You want to give every taxi driver in New York City a radio so dispatchers can call them. The technology of the day says: build one tall tower in midtown, give each taxi a unique frequency channel, and let everyone share the spectrum. With perhaps 20 MHz of spectrum and 30 kHz per channel, you can support about 600 taxis. The 601st taxi has to wait in line.

This is exactly what AT&T's Mobile Telephone Service offered between 1946 and the late 1970s. New York City had 23 channels for the entire metropolitan area. A 1976 New York Times article found that Manhattan had 545 paying customers and 3,700 on the waiting list. A single phone call cost the equivalent of $50/minute in today's money. Mobile communication was effectively a luxury for executives and emergency services.

The thing that broke this scarcity was an idea, not a technology. In December 1947, two Bell Labs engineers, Douglas Ring and Rae Young, wrote an internal memo proposing a "cellular" system. The argument went like this. Radio waves attenuate with distance. If you put a transmitter on a 100-meter tower, it covers maybe 30 km of useful range. Beyond that, the signal is too weak for a receiver to decode. But a transmitter 60 km away, using the exact same frequency, is also too weak to interfere. So why are we using the same frequency only once across an entire city? Why not divide the city into many small "cells," let each cell use a fraction of the total spectrum, and reuse the same frequencies in cells that are far enough apart?

Library analogy. One central library across town has, say, 1000 copies of War and Peace. Anyone who wants to read it has to compete with the whole city for one of those 1000 copies, and travel an hour each way. Now suppose we set up 100 small neighborhood libraries, each holding 50 copies of War and Peace. Total copies in the city: 5000, more than three times what a single library could fit. Travel time: a five-minute walk. The same set of physical books is being reused in different neighborhoods, because the readers in one neighborhood do not compete for the books in another. Capacity exploded, and access got faster, all because we recognized that distance lets us reuse a scarce resource.

This is the cellular insight in one sentence. Distance lets you reuse spectrum. Capacity scales with the number of cells you can fit, not with the amount of spectrum you have. New York City today has thousands of cells. Each one reuses the same 20 MHz that the 1946 system did, but the aggregate capacity is millions of simultaneous users.

The reason this insight took 36 years to become commercial product (1947 memo to 1983 deployment of AMPS in Chicago) is that you need a lot of supporting technology. You need transistorized handsets light enough to carry. You need digital switching offices that can hand calls between cells in milliseconds. You need a way to track which cell a phone is in. The ideas were ready in 1947; the silicon was not ready until the early 1980s.

A.2 System components: who is talking to whom

Every cellular network, no matter the generation, has the same four-tier structure.

Mobile Station (MS) / User Equipment (UE). Your phone. Or the radio in your car. Or the cellular modem in a smart meter. The MS has its own RF transmitter and receiver, an identity module (SIM card or eSIM in modern systems), and the radio protocol stack to talk to the network. Modern smartphones contain 5 to 15 antennas: cellular bands (low, mid, high), Wi-Fi, Bluetooth, GPS, NFC, ultra-wideband (the chip Apple uses for AirTags), and now satellite backup (iPhone 14 onwards has an L-band antenna for emergency Globalstar messaging).

Base Transceiver Station (BTS / NodeB / eNB / gNB). The tower. The naming changes by generation: BTS in 2G GSM, NodeB in 3G UMTS, eNodeB (evolved Node B) in 4G LTE, gNodeB in 5G NR. The job is the same. Receive uplink RF from phones in the cell, demodulate, hand off to the core network. Receive downlink data from the core, modulate, transmit. Modern macro towers carry equipment for multiple bands and multiple generations on the same structure (a single tower might host 4G LTE, 5G sub-6, and sometimes 2G/3G if the operator has not retired them).

Mobile Switching Center (MSC) / Core Network. The brain. In 2G this was a hierarchy of MSCs, HLR (home location register), VLR (visitor location register), AuC (authentication center). In 4G/5G this consolidated into the Evolved Packet Core (EPC) or 5G Core (5GC), an all-IP set of network functions: MME for mobility, SGW/PGW for routing, HSS for subscriber data. Think of the core as the postmaster general's office. It knows which cell every phone is in, routes calls and packets to the right tower, handles authentication, and enforces billing.

Public Network Gateway. Bridge to the outside world. Voice calls hand off to the PSTN (public switched telephone network) and travel on traditional circuits. Data flows through internet gateways into the global IP backbone. Your TikTok video request leaves your phone, climbs up through the gNB, traverses the 5G core, and exits via a peering point into the same internet a desktop PC uses.

   [Phone]  <-radio->  [Tower]  <-fiber->  [Core]  <-IP->  [Internet]
     UE                  gNB             5GC/EPC          (or PSTN)

The radio link (UE to tower) is the only wireless part. Everything from the tower onward is wired backhaul, almost always fiber for capacity. People sometimes assume "cellular" means everything is wireless. It is not. Cellular networks are mostly fiber, with a thin radio crust at the edges.

A.3 Hexagonal cell modeling

We model cells as regular hexagons. There are exactly three regular polygons that tessellate the plane without leaving gaps: triangles, squares, and hexagons. Of these, hexagons have the property that the cell's center is equidistant from all six neighbor centers, which makes the geometry of frequency reuse cleanest. Real coverage is never hexagonal, of course. Hills, buildings, foliage, and antenna patterns make actual cells look like blobs of seaweed. But for math we use hexagons.

     ___       ___       ___
    /   \     /   \     /   \
   /  1  \___/  2  \___/  3  \
   \     /   \     /   \     /
    \___/  4  \___/  5  \___/
    /   \     /   \     /   \
   /  6  \___/  7  \___/  8  \
   \     /   \     /   \     /
    \___/     \___/     \___/

A cell of radius $R$ (center to vertex) has area $A = \frac{3\sqrt{3}}{2}R^2$. Each cell contains a base station (often at the center, or at the corner where three cells meet, called a corner-excited layout used with sectorization).

A.4 Generations of cellular: a brief tour

Each generation roughly doubled or tripled the capacity per Hz of spectrum, mostly through better modulation, multiple access, and processing.

Every transition is an order of magnitude in throughput, primarily by widening the channel (more Hz) and improving spectral efficiency (more bits per Hz). 5G's mm-wave bands sacrifice range for raw bandwidth: a single mm-wave cell can offer 1 Gbps to a few users for a few hundred meters of line-of-sight, which is a fundamentally different deployment model from sub-6 GHz cells covering kilometers.

A.5 Frequency reuse: deriving the geometry

Now the math behind the library analogy. Suppose total spectrum has $M$ channels. We split this among $N$ cells in a cluster. After $N$ cells, the pattern repeats: cell $N+1$ uses the same channels as cell 1, cell $N+2$ same as cell 2, and so on across the entire service area.

Each cell gets $M/N$ channels. If we deploy $K$ cells across the city, the total capacity is

$\text{Capacity} = \frac{M}{N} \times K = M \cdot \frac{K}{N}$

The reuse factor $1/N$ is the fraction of total spectrum any one cell uses. Smaller $N$ (smaller cluster) means each cell gets more channels and more capacity, but co-channel cells are closer together, so co-channel interference is worse. There is a sweet spot. Typical values: $N = 7$ for 1G, $N = 4$ or $N = 3$ for 2G GSM, and 5G LTE often uses $N = 1$ (universal frequency reuse, with interference handled by smart scheduling and coordinated multi-point transmission).

The valid cluster sizes are constrained geometrically. For hexagonal cells, $N$ must satisfy

$N = i^2 + ij + j^2$

for non-negative integers $i, j$. The first few valid $N$ are 1, 3, 4, 7, 9, 12, 13, 16, 19. Between any two co-channel cells, you walk $i$ cells in one direction and $j$ cells in the next-60-degree direction. This is the minimum reuse distance.

Let $D$ be the center-to-center distance between co-channel cells (the reuse distance) and $R$ the cell radius. We define the co-channel reuse ratio $Q = D/R$. With a little hexagonal geometry (work out the distance from origin to the lattice point at $(i, j)$ in hex coordinates), you find

$Q = \frac{D}{R} = \sqrt{3N}$

So:

• $N = 3$: $Q = 3$
• $N = 4$: $Q = 3.46$
• $N = 7$: $Q = 4.58$
• $N = 12$: $Q = 6$

A larger $Q$ means co-channel cells are farther apart, which means less interference. But it also means a larger cluster, which means each cell gets a smaller fraction of the spectrum and lower capacity. This is the fundamental tradeoff in cellular design.

A.6 Why $Q$ matters: the interference budget

Suppose your phone is sitting at the edge of cell A, distance $R$ from base station A. The desired signal travels distance $R$. The nearest co-channel base station, B, is distance $D - R$ away (worst case, when you are on the line connecting A and B). Path loss in suburban environments roughly follows $1/d^4$ (we will do this in Section A.13). So the signal-to-interference ratio at your phone is

$\frac{C}{I} = \frac{R^{-4}}{6 \cdot (D - R)^{-4}} \approx \frac{1}{6}\left(\frac{D}{R}\right)^4 = \frac{Q^4}{6}$

The factor of 6 accounts for the six co-channel cells in the first reuse tier (one in each hexagonal direction). For $N = 7$, $Q = 4.58$, so $C/I = 4.58^4 / 6 \approx 73$, or 18.6 dB. Above the typical 18 dB target for voice.

For $N = 3$, $Q = 3$, $C/I = 81/6 = 13.5$, or 11.3 dB. Too low for analog voice (1G needed 18 dB), but adequate for digital systems with error correction (2G GSM, designed for $C/I$ as low as 9 dB with FEC and frequency hopping, was happy with $N = 3$ or $N = 4$).

This is why generations have shrunk $N$ over time. Better modulation and coding eats noise and interference, so you can reuse more aggressively. 5G's $N = 1$ is the limit: every cell uses all the spectrum, and interference is mitigated by coordinated scheduling between adjacent gNBs (if cell A schedules user 1 in resource block 17, cell B schedules a user with low overlap in that block).

A.7 Erlang traffic and grade of service

Capacity in channels does not equal capacity in users. Most users are not on a call most of the time. Telecom engineers measure traffic in Erlangs (named after Agner Krarup Erlang, a Danish mathematician at the Copenhagen Telephone Company who founded queuing theory in 1909).

If $\lambda$ is the average call arrival rate (calls per hour) and $H$ is the average call holding time (hours), the offered traffic is

$A = \lambda H \text{ Erlangs}$

One Erlang means one channel is busy continuously. If your cell has 1000 users who each make 2 calls per hour averaging 3 minutes each, $A = 1000 \times 2 \times (3/60) = 100$ Erlangs of demand.

But if you have only $C$ channels in the cell, calls arriving when all channels are busy get blocked (in old systems) or queued. The probability of blocking, given $C$ channels and offered traffic $A$, follows the Erlang-B formula:

$B(C, A) = \frac{A^C/C!}{\sum_{k=0}^{C} A^k/k!}$

This is the grade of service (GoS). A 1% GoS means 1 in 100 calls is blocked. Operators target 1-2% GoS in residential areas and stricter (0.1-0.5%) for emergency services. Erlang-B tables are still printed in every telecom textbook.

For our cell of 100 Erlangs at 2% GoS, you need about $C = 116$ channels. That is, you can carry 100 Erlangs of load with 116 channels and still meet GoS. This is the basis for capacity planning.

A.8 Cell types: from huge to tiny

Operators deploy a hierarchy of cell sizes depending on user density.

• Macrocell. Several km radius, mounted on towers 30-50 m tall, transmitting 20-50 W. Covers suburban and rural areas. Main workhorse of LTE.
• Microcell. 100-500 m radius, mounted on rooftops or lampposts, 5-10 W. Used in dense urban areas to add capacity.
• Picocell. 10-100 m radius, 100 mW to 1 W, deployed indoors in malls, airports, and offices.
• Femtocell. Home-sized, 100 mW, plugs into your home broadband and connects to the carrier through the internet. Useful for filling residential coverage holes.

These coexist. A dense city has macrocells covering the bulk traffic, microcells filling gaps, picocells inside transit hubs and stadiums, and customer-deployed femtocells in homes and offices.

A.9 Cell splitting and sectoring

When a cell saturates (offered traffic exceeds channel capacity), you have two options.

Cell splitting. Cut the cell in half (or more). Build new towers, each with smaller radius. With cells of half the radius, you get four times the cell density (area scales as $R^2$). But this is expensive: new towers, new fiber, new permits, new RF planning.

Sectoring. Split a single tower's omnidirectional coverage into 3 or 6 sectors using directional antennas. A 3-sector configuration has three antenna panels, each radiating into a 120-degree wedge. From the network's perspective, one tower with 3 sectors looks like three smaller cells.

         /‾‾‾‾‾\          
        / sector\    
       /   1     \  
       |  120°   |   
       \         /  
   ─────●─────  
   tower with 3 panels

Sectoring costs much less than building new towers. The same site, the same fiber, just more antennas and more transceivers in the equipment cabinet. It also reduces co-channel interference: a sectored antenna does not radiate into the adjacent cell's direction. 6-sector configurations are used in extremely dense deployments (large stadiums, downtown cores).

A.10 Diversity: making multipath your friend

Recall from Chapter 13 that radio waves arriving at a receiver have usually traveled multiple paths: one direct, plus reflections off buildings, ground, foliage, water. These paths sum at the antenna with random phases. When phases align, the signal is strong (constructive interference). When phases cancel, the signal fades (destructive interference). Move half a wavelength (about 6 cm at 2.5 GHz) and you can swing 30 dB in signal strength. This is multipath fading.

Diversity techniques fight fading by giving the receiver multiple independent looks at the signal.

• Space diversity. Two antennas separated by 10 wavelengths or more. The two antennas see uncorrelated fading: when one is in a deep null, the other usually is not. Combine the two and the worst-case fade is dramatically less severe.
• Polarization diversity. Two antennas with orthogonal polarizations (vertical and horizontal). Useful when space is limited (one antenna housing can hold both polarizations).
• Frequency diversity. Transmit the same data on two different frequencies simultaneously, or hop between frequencies. Used in GSM (slow frequency hopping) and Bluetooth (fast hopping at 1600 hops/sec).
• Time diversity. Repeat the data after enough delay that the channel has changed. Inherent in any system with retransmissions or strong interleaving.

MIMO (multiple input, multiple output) generalizes spatial diversity. A 4x4 MIMO system has 4 transmit antennas and 4 receive antennas. By sending different bit streams on each transmit antenna and using channel-state estimates to separate them at the receiver, you can multiply throughput by 4 in a rich-scattering environment. 5G massive MIMO uses 64 to 256 antennas at the gNB and exploits beamforming to point energy at specific users (called spatial multiplexing, distinct from time/frequency/code multiplexing).

A.11 Channel assignment

Three strategies for allocating channels to cells.

• Fixed channel assignment (FCA). Each cell has a predetermined set of channels. Simple but inflexible. If one cell is overloaded and a neighbor is idle, the busy cell still cannot use the neighbor's channels.
• Dynamic channel assignment (DCA). Channels are pulled from a global pool on demand. Complicated, but uses spectrum more efficiently. Modern LTE uses DCA-like scheduling at the resource-block level.
• Channel borrowing. A hybrid. Cells have nominal allocations but can borrow from neighbors when overloaded, returning the channel when the neighbor needs it.

5G goes further: every cell uses all the spectrum (universal reuse, $N = 1$), and the gNBs coordinate via X2/Xn interfaces to schedule users in non-conflicting time-frequency-spatial resources.

A.12 Path loss models

How weak is the signal at a given distance? In free space (no ground, no obstructions), Friis says

$P_r = P_t G_t G_r \left(\frac{\lambda}{4\pi d}\right)^2$

so received power falls as $1/d^2$. But cellular links are not in free space. The signal interacts with the ground (a partial reflector) and with buildings (scatterers). Several empirical models have evolved.

Two-ray ground reflection. Signal travels two paths: direct line-of-sight and ground reflection. At large distances, the two paths interfere destructively and the loss steepens to $1/d^4$. This is why suburban path loss is approximately $d^{-4}$, much faster than free-space $d^{-2}$.

Hata model (Okumura-Hata). Empirical fit to extensive measurements in Tokyo by Yoshihisa Okumura in the 1960s, formalized by Hata in 1980. For urban areas:

$L_{\text{Hata}}(\text{dB}) = 69.55 + 26.16 \log_{10} f - 13.82 \log_{10} h_b - a(h_m) + (44.9 - 6.55 \log_{10} h_b) \log_{10} d$

where $f$ is in MHz (150-1500 range), $h_b$ is base-station height in meters, $h_m$ is mobile height, $a(h_m)$ is a correction factor for mobile antenna height, and $d$ is in km. The model is calibrated for cell radii 1-20 km.

COST-231 model. European extension of Hata to higher frequencies (up to 2 GHz). Used heavily for early GSM and UMTS planning.

For modern 5G mm-wave bands, neither Hata nor COST-231 applies. Instead, models like 3GPP TR 38.901 specify path loss for urban macro, urban micro, indoor, and rural scenarios across 0.5-100 GHz, accounting for line-of-sight vs non-line-of-sight states.

A.13 Multipath fading: slow and fast

Two scales of fading.

Slow (large-scale) fading. Caused by large obstructions, also called shadowing. Walking behind a tall building can drop your signal by 20 dB. Modeled as a log-normal random variable on top of the path loss: $P_{rx} = P_{rx,\text{average}} \cdot 10^{X/10}$ where $X$ is Gaussian with standard deviation 4-12 dB (the shadowing standard deviation).

Fast (small-scale) fading. Caused by multipath constructive/destructive interference at the wavelength scale. Two statistical models depending on whether there is a strong line-of-sight component.

• Rayleigh fading. No line-of-sight (NLOS). The received envelope is Rayleigh-distributed. Worst case for cellular: deep nulls every half-wavelength. Common in dense urban canyons.
• Rician fading. Strong LOS plus scattering. The envelope follows the Rician distribution, parameterized by $K$, the ratio of LOS power to scattered power. As $K \to \infty$, you get pure LOS (no fading); as $K \to 0$, you get Rayleigh.

Both shadowing and small-scale fading are why diversity, OFDMA, and MIMO matter so much.

A.14 Antennas at the base station and the handset

The base-station side uses sector panel antennas: rectangular arrays about 1-2 m tall, with vertical spacing tuned for ~65-degree horizontal beamwidth and electronic down-tilt to limit far-field reach into adjacent cells. Modern panels carry multiple band columns (e.g., 700 MHz, 1.8 GHz, 2.6 GHz) and multiple polarizations (vertical and slant-45) for MIMO.

The handset side uses small antennas hidden in the phone body. The dominant style is the PIFA (Planar Inverted-F Antenna): a flat, folded radiator about $\lambda/4$ in length on the longest dimension, sitting parallel to the phone's PCB ground plane. PIFA gives reasonable bandwidth in a compact volume. A modern smartphone has 5-15 antennas: cellular low/mid/high bands, Wi-Fi 2.4/5/6 GHz, BLE, GPS L1/L5, NFC, UWB, and sometimes mm-wave 5G (which uses tiny patch arrays around the phone's edges).

5G mm-wave handsets carry phased-array antennas: 4-16 element patches that beamform electronically. They steer the beam up to ±60 degrees by adjusting per-element phase, which is essential because mm-wave propagation is so directional that an omnidirectional pattern would have terrible link budget.

A.15 Handoff strategies

A handoff (or handover, in 3GPP terminology) is the procedure that transfers a call from one cell to another as the user moves. Three flavors.

• Hard handoff. "Break-before-make." The phone disconnects from the old cell and reconnects to the new one. Faster, but if the new cell is unavailable, the call drops. Used in GSM, LTE.
• Soft handoff. "Make-before-break." The phone is briefly connected to both cells simultaneously, decoded with the better signal at any moment. Used in CDMA (IS-95, CDMA2000, WCDMA), where adjacent cells use the same frequency and the receiver can RAKE-combine signals from multiple base stations.
• Softer handoff. Between sectors of the same base station. Easier than soft handoff because all sector antennas share the same baseband.
• MAHO (Mobile-Assisted Handoff). The phone measures neighbor cells continuously and reports their signal strengths to the network. The network decides when to hand over. All modern systems use MAHO.

Handoff failure was a real problem in early networks (1G dropped calls every few minutes in moving vehicles). Modern systems get below 1% failure rate.

A.16 Multiple access schemes

How do multiple users share a cell's resources? Four major schemes.

• FDMA (Frequency Division Multiple Access). Each user gets a different frequency. 1G AMPS used 30 kHz channels.
• TDMA (Time Division Multiple Access). Users share a frequency but transmit in different time slots. 2G GSM uses 200 kHz channels divided into 8 time slots, so 8 users share each channel.
• CDMA (Code Division Multiple Access). All users transmit on the same frequency at the same time but with orthogonal spreading codes. Each receiver despreads only its assigned code. CDMA was the basis of IS-95 and WCDMA.
• OFDMA (Orthogonal Frequency Division Multiple Access). Users share both frequency and time, allocated as 2D resource blocks on a grid of OFDM subcarriers. 4G LTE uses 180 kHz resource blocks in time slots of 0.5 ms, scheduled per-user every transmission time interval. 5G NR generalizes this with flexible numerology (multiple subcarrier spacings depending on band).

     FDMA              TDMA              OFDMA
   |   user1   |     |U1|U2|U3|U4|     | u1 | u3 | u2 | u1 |
   |   user2   |     |U1|U2|U3|U4|     | u2 | u1 | u3 | u4 |   freq
   |   user3   |     |U1|U2|U3|U4|     | u3 | u2 | u4 | u2 |
                                       | u4 | u4 | u1 | u3 |
   ---freq----        ---time-->         -------time------>

OFDMA is the dominant scheme today because it lets the scheduler exploit frequency-selective fading: users get assigned subcarriers where their channel is good. This frequency-domain scheduling gain is one of the big reasons LTE and 5G outperform CDMA.

A.17 GSM in detail

2G GSM was European in origin and global in deployment. 5+ billion handsets shipped. Key parameters:

• Bands: 900 MHz and 1800 MHz in Europe; 850 MHz and 1900 MHz in the Americas (called GSM-PCS).
• Channel: 200 kHz wide, GMSK-modulated (constant envelope, friendly to nonlinear power amplifiers).
• TDMA frame: 4.615 ms, 8 time slots of 577 µs each. Up to 8 users per channel. Voice rate after coding: 13 kbps.
• Authentication: SIM card holds a 128-bit secret key $K_i$. Network sends a random challenge; SIM computes a response with the A3/A8 algorithm. Network verifies. This was the first widespread embedded smart card, the prototype for hundreds of subsequent applications (transit cards, EMV credit cards, ID cards).
• Encryption: A5/1 stream cipher in Europe and many other regions. A5/2 a deliberately weakened export version. Both are broken. A5/1 has been demonstrably crackable since 2003 (rainbow tables on the 64-bit key state, real-time cracking demonstrated at 28C3 in 2010 with $1500 of hardware). A5/3 (KASUMI-based) is stronger but still attacked (related-key attacks reduce effective security).

GSM's broken cipher means passive GSM eavesdropping is feasible with a $20 software-defined radio and open-source tools (gr-gsm, kraken). Many 2G networks are now decommissioned for this reason and to free up spectrum for LTE/5G.

IMSI catchers (Stingrays). Active attackers can build a fake base station that broadcasts a stronger signal than nearby real cells. Phones in the area connect to it (GSM had no mutual authentication: the phone proved itself to the network but not vice versa). The fake tower can then capture IMSIs, force unencrypted communication, and act as a man-in-the-middle. Law enforcement uses these legitimately (with warrants); they have also been deployed by criminals and surveillance agencies. 4G LTE and 5G mitigate with mutual authentication, but downgrade attacks remain a concern when phones must roam between generations.

A.18 4G LTE

LTE (Long Term Evolution, standardized in 3GPP Release 8, 2008) is the all-IP successor to 3G.

• All-IP core. No more circuit-switched voice. Voice is carried as VoIP (VoLTE) over the same IP packet network as data. Behind the scenes, IMS (IP Multimedia Subsystem) handles SIP signaling.
• OFDMA downlink, SC-FDMA uplink. Single-carrier FDMA on uplink reduces peak-to-average power ratio, important for handset battery life (the power amp is 30-40% of phone power consumption during uplink).
• Channel bandwidths. 1.4, 3, 5, 10, 15, or 20 MHz. With carrier aggregation, an operator can bond up to 5 component carriers for 100 MHz total (LTE-Advanced, Release 10).
• Modulation: QPSK to 64-QAM, later 256-QAM in LTE-A Pro. Theoretical peak rate: ~300 Mbps in 20 MHz with 4x4 MIMO.
• VoLTE: voice over LTE. Higher quality than circuit-switched 2G/3G voice (HD voice codec at 16 kHz sampling instead of 8 kHz), and lower latency.
• Security: UE and network mutually authenticate using AKA (authentication and key agreement). Encryption uses SNOW3G, AES, or ZUC depending on operator. Much stronger than 2G.

A.19 5G NR

5G New Radio is the latest 3GPP standard (Release 15+, 2018+). Key innovations:

• Bands: sub-6 GHz (FR1, 410 MHz to 7.125 GHz) for coverage, mm-wave (FR2, 24.25 GHz to 52.6 GHz, with extensions to ~71 GHz in Release 17) for capacity. Some plans for sub-THz beyond 100 GHz exist for 6G.
• Channel bandwidths: up to 100 MHz in FR1, up to 400 MHz in FR2. With aggregation, 8 carriers of 100 MHz can be bonded (FR1) or 16 carriers of 400 MHz (FR2), reaching multi-Gbps peak rates.
• Numerology: flexible subcarrier spacing from 15 kHz (LTE-like) to 240 kHz, letting operators pick between long symbols (good for low frequencies and large cells) or short symbols (good for mm-wave and ultra-low latency).
• Massive MIMO. 64 to 256 antennas at the gNB, with beamforming. Each beam serves a subset of users; energy is concentrated where it is needed, not radiated everywhere.
• Network slicing. A single physical network is partitioned into multiple virtual networks with different QoS guarantees. eMBB (enhanced mobile broadband) for video, URLLC (ultra-reliable low-latency communication, ~1 ms latency) for industrial automation and remote surgery, mMTC (massive machine-type communication) for IoT.
• Latency. Frame structure cut from LTE's 1 ms to as low as 0.125 ms in URLLC mode. End-to-end latency target: 1 ms (vs 30+ ms typical LTE).

A.20 Glimpses of 6G

6G is unstandardized and speculative. Likely directions: sub-THz bands (100-300 GHz), AI-native air interfaces (the modulation and waveform itself learned by ML), integrated communication and sensing (using the radar-like properties of high-frequency arrays for environmental awareness), and even tighter integration with non-terrestrial networks (LEO satellites as part of the cellular core). Expect commercial deployment around 2030.