Lightweight Dynamic Advanced Encryption Standard Encryption Based on S-Box Reconfiguration and Real-Time Key Expansion for Secure Over-the-Air Communication

Abstract

The Advanced Encryption Standard (AES) symmetric encryption algorithm plays a crucial role in data encryption. To address the limitations of the fixed Substitution-box (S-box) and static key expansion strategy in AES. This paper proposes an improved AES scheme that integrates a dynamic S-box structure with a key expansion mechanism based on dynamic perturbations. The dynamic S-box is generated by selecting affine transformation pairs and irreducible polynomials, and its cryptographic properties are tested in SageMath9.3 to obtain a set of S-boxes superior to the standard AES. In the key expansion process, the perturbation values generated by the hash function will be incorporated into the round key generation process to reduce the correlation between round keys. The improved AES algorithm, when applied to Over-the-Air (OTA) systems, not only achieves significant savings in storage resources of in-vehicle Electronic Control Units (ECUs) but also enhances the security of OTA communications. Furthermore, it consumes only a small amount of ECU computational resources, thereby effectively meeting the lightweight requirements of in-vehicle electronic control units.

1. Introduction

With the accelerated development of automotive intelligence and connectivity, the complexity of in-vehicle electronic and electrical systems has increased significantly, accompanied by a corresponding rise in the overall integration level of software systems. Over-the-Air (OTA) technology has emerged as a key enabler for remote vehicle management, functional upgrades, and security patch deployment. It not only reduces vehicle recall frequency and maintenance costs but also shortens the deployment cycle of new features, thereby enhancing the operational efficiency across the vehicle lifecycle and exemplifying the core paradigm of “software-defined vehicles” in modern intelligent automobiles [1,2,3,4].

As an open remote communication mechanism, OTA systems [4,5] are exposed to multiple security threats, including identity spoofing, man-in-the-middle (MITM) attacks, malicious firmware injection, and denial-of-service (DoS) attacks [6,7,8]. Iyieke [4] emphasizes that, in the absence of a comprehensive security-by-design strategy, OTA frameworks are unlikely to withstand automated attacks effectively. Although previous studies have proposed adaptive approaches that integrate threat modeling and defense mechanisms during the architectural design phase, conventional security measures still struggle to address risks across the entire communication chain.

Emerging threats, such as distributed denial-of-service (DDoS) attacks, can severely compromise the availability of update services by leveraging large numbers of compromised devices to exhaust system resources. Existing countermeasures include the approach by Thomaz [1], which leverages trusted execution environments (Intel Software Guard Extensions (SGX) and ARM TrustZone) to establish end-to-end secure channels. Kovacevic [3] proposed a blockchain-based decentralized access control scheme. Ali et al. [5] designed the DDoSViT detection framework to enable traffic identification and mitigation. Mahmood et al. [7,8] conducted model-driven security assessments. However, these approaches still exhibit limitations, including strong hardware dependency (Intel SGX/TrustZone), high validation costs (embedded modules), insufficient real-time performance (blockchain architectures), and significant security vulnerabilities associated with static key mechanisms [7].

Within existing OTA frameworks, the AES symmetric encryption algorithm serves as the core for authentication and data protection, often integrated with the Unified Diagnostic Services (UDS)protocol’s 0×27 “Security Access” function to implement a challenge–response mechanism [5,6,7]. AES offers excellent diffusion properties and hardware adaptability, making it widely adopted in automotive security applications [9,10,11,12,13,14]. However, the standard AES exhibits two critical security vulnerabilities [12,15]: the fixed S-box is susceptible to differential and algebraic attacks, and the deterministic key schedule results in highly correlated round keys with reduced entropy. Leurent et al. [16] pointed out that the AES-128 key schedule can be decomposed into four independent 32-bit paths, which may reduce the effective key cycle and increase the risk of forgery in lightweight encryption scenarios.

To address these issues, researchers have proposed various enhancement schemes, including dynamic S-box construction [17], optimization of candidate S-box sets [18], dynamic key scheduling with key-dependent perturbation tables [19], and S-box generation methods incorporating hyperchaotic systems [20]. While these methods improve nonlinearity and key unpredictability, they are mostly limited to individual core components and do not achieve a coordinated optimization of dynamic S-boxes and key expansion.

This paper proposes a lightweight dynamic AES encryption scheme for in-vehicle OTA communications, integrating dynamic S-box construction with adaptive key expansion.

• Dynamic S-boxes are generated using multiple sets of irreducible polynomials combined with affine transformations, enhancing resistance against differential and algebraic attacks [21,22,23].
• Hash-based perturbation factors are incorporated into the round key generation process to increase key entropy and reduce round key correlation.

The proposed scheme enhances the security and adaptability of AES in dynamic OTA authentication scenarios without significantly increasing computational overhead, while also accommodating the storage and processing constraints of embedded devices, thus providing an effective solution for secure in-vehicle OTA communications.

The structure of this paper is arranged as follows:

Section 2 provides a systematic review of the standard AES algorithm, including its encryption process, S-box construction, and key expansion structure, while highlighting its security limitations.

Section 3 presents the design and implementation of the dynamic S-box selection algorithm and the perturbed key expansion scheme.

Section 4 details the deployment and testing of the improved AES scheme on an STM32 embedded platform, evaluating its feasibility and performance in OTA security authentication scenarios.

Section 5 summarizes the overall findings and discusses potential directions for future research.

2. Fundamentals of the AES Encryption Algorithm and Related Work

2.1. Overview of the AES Encryption Structure

AES features an efficient architecture and straightforward implementation. The standard AES supports three key lengths (128-, 192-, and 256 bit) and can be flexibly deployed in various application scenarios through different operation modes, including Electronic Codebook(ECB), Cipher Block Chaining(CBC), Cipher Feedback(CFB), Output Feedback(OFB), and Counter(CTR). The deployment of AES in automotive systems requires careful balancing between cryptographic strength and resource consumption. Alenezi et al. [24] conducted a systematic evaluation of AES using different key lengths and operation modes across varying file sizes. Their results demonstrate that CBC and CTR modes provide superior throughput and latency performance for medium-sized data blocks, offering valuable guidance for selecting cryptographic parameters in resource-constrained embedded platforms.

As illustrated in Figure 1, each round of AES encryption consists of four fundamental operations: SubBytes, ShiftRows, MixColumns, and AddRoundKey.

These four core operations are formally defined as follows:

• SubBytes: This step applies a nonlinear byte substitution through the S-box.
• ShiftRows: Each row of the state matrix undergoes a cyclic left shift, where the second, third, and fourth rows are rotated by 1, 2, and 3 bytes, respectively.
• MixColumns: Treat each state column as a four-term polynomial and multiply it with a fixed polynomial in.
• AddRoundKey: Round keys perform byte-wise XOR operations with the state matrix.

The decryption process applies the inverse operations in reverse order: InvShiftRows, InvSubBytes, InvMixColumns, and AddRoundKey. The encryption and decryption flows are mirror-symmetric, relying on the round key sequence generated through key expansion.

2.2. S-Box Construction Mechanism

The S-box [25] serves as a crucial nonlinear component in the AES encryption algorithm, performing byte substitution and participating in subkey generation. Kara [26] proposed an attack path against the first eight rounds of AES-256 based on impossible differential (SID) cryptanalysis, providing design references for enhancing the differential resistance of S-box structures. The S-box construction involves two primary steps: computing the multiplicative inverse in the finite field and applying an affine transformation [27].

(1)

Multiplicative Inverse

The multiplicative inverse operation is performed in the finite field $\mathrm{GF}(2^8)$, where the multiplicative inverse of each byte is calculated. Each byte in the S-box is regarded as an element $a(x)$ in $\mathrm{GF}(2^8)$, and its multiplicative inverse $b(x)$ is subsequently computed. The relationship between $a(x)$ and $b(x)$ is shown in Equation (1).

$$a(x)\cdot b(x)\mathrm{mod}m(x)=1$$

(1)

where $m(x)$ is defined over the finite field $\mathrm{GF}(2^8)$ with its corresponding irreducible polynomial.

In this context, the modulus polynomial $m(x)$ is an irreducible polynomial that forms the foundation for constructing the finite field $\mathrm{GF}(2^8)$. In AES, the commonly used irreducible polynomial is as follows:

$$m(x)=x^8+x^4+x^3+x+1$$

(2)

(2)

Affine Transformation

The affine transformation constitutes the second stage in the construction of the S-box. This transformation operates on 8-bit binary vectors over $\mathrm{GF}(2^8)$, combining multiplication with an invertible matrix $u(x)$ and addition with a constant vector $v(x)$.

$$L_{u,v}(a(x))=u(x)\times a(x)+v(x)\mathrm{mod}m(x)$$

(3)

The AES S-box achieves synergistic improvements in nonlinearity, confusion, and algebraic security through its two-stage design of ‘multiplicative inversion followed by affine transformation’.

2.3. Key Expansion

In the AES encryption algorithm, the key expansion’s primary function is to extend the input initial key into a sequence of round keys, which are used to provide expanded keys for the AddRoundKey operation during both encryption and decryption processes.

The AES-128 algorithm divides the 128-bit initial key into four words, each represented by 4 bytes (32 bits), denoted as $W[0],W[1],W[2],W[3]$. The initial key set is denoted as $W[0]$, as shown in Equation (4).

$$W_0=\{W[0],W[1],W[2],W[3]\}$$

(4)

The initial key is directly extended through key expansion to generate sub-keys required for each encryption round, and the sub-key expansion is performed according to a specific procedure [28], as shown in Equation (5).

$$\left\{\begin{array}{cc}W[i]=W[i-4]\oplus W[i+1]\hfill & i\mathrm{mod}4\ne 0\hfill \\ W[i]=W[i-4]\oplus G(W[i-1])\hfill & i\mathrm{mod}4=0\hfill \end{array}\right.$$

(5)

The method of sub-key generation in the key expansion algorithm is shown in Figure 2. In the key expansion algorithm, the function $G(\cdot )$ includes three steps: $RotWord$, $SubWord$, and the composite function $Rcon$. According to Equation (5), the initial key is used as the first round key and undergoes 10 rounds of iterative expansion. Including the initial round, a total of 44 sub-keys are obtained for the 11 rounds of encryption.

Although some nonlinearity is introduced through the S-box and round constant functions, the overall process remains a deterministic logical structure that can theoretically reverse-engineer the initial key [22,23]. If attackers obtain several consecutive round keys, they could exploit the invertibility of the key expansion function to reconstruct the master key, thereby compromising the entire cryptosystem’s security.

Therefore, enhancing the dynamics and nonlinearity of the key expansion process has become a research priority for improving AES security in vehicular OTA scenarios. Building upon this foundation, Swaminathan [29] proposed a data-isolated encryption framework for cloud platforms, which implements secure and efficient data partitioning and isolation through an enhanced AES key schedule with multi-domain key control. From the perspective of wireless communication security, Amma [30] integrated the AES algorithm with the Diffie–Hellman key exchange protocol to design a session encryption scheme supporting dynamic key exchange, effectively enhancing key generation asymmetry.

2.4. Summary

This chapter systematically reviews the complete encryption and decryption processes of the conventional AES algorithm, with particular focus on two critical components: the construction mechanism of S-boxes and the implementation logic of round key expansion. Our analysis of the standard AES reveals that while its fixed S-box structure and deterministic key schedule deliver excellent encryption strength, implementation efficiency, and deployment practicality, the static nonlinear mappings and high inter-key correlation may create attack surfaces in high-sensitivity or high-risk scenarios, potentially exposing the system to differential, algebraic, or key recovery attacks.

The dynamic AES algorithm introduces dynamic and unpredictable elements into the core architecture of the traditional AES algorithm. The runtime construction of variable dynamic S-boxes can enhance the nonlinear randomness in the substitution layer, while the disturbance-driven key expansion mechanism disrupts the linear dependencies between round keys. These strategies lay a theoretical foundation for constructing a dynamic AES framework and provide a promising approach for designing more robust and lightweight secure communication schemes.

3. Design of the Dynamic AES Algorithm

3.1. Design of the Dynamic S-Box Generation Mechanism

Through analyzing S-box construction principles, we identify that the selection of irreducible polynomials influences nonlinearity and diffusion properties, while the choice of affine transform pairs affects both affine transformation periods and iterative output cycles. Through analyzing S-box construction principles, we identify that the selection of irreducible polynomials influences nonlinearity and diffusion properties, while the choice of affine transform pairs affects both affine transformation periods and iterative output cycles. Building upon the affine transform candidate set proposed by Chen [31], this paper systematically investigates combinatorial configurations of different irreducible polynomials and affine transform pairs. When evaluating S-box performance, three critical metrics are typically employed: differential uniformity, nonlinearity, and the Strict Avalanche Criterion (SAC). These metrics comprehensively evaluate the S-box’s resistance against differential, linear, and statistical correlation attacks. Therefore, this paper employs performance evaluation metrics including nonlinearity, differential uniformity, and the Strict Avalanche Criterion (SAC) to filter the constructed S-boxes.

As illustrated in Figure 3, the dynamic S-box selection phase iterates through all affine transform pairs and preselected irreducible polynomial sets. For each combination, the corresponding S-box instance is constructed.

As shown in Figure 4, the generated candidate S-boxes undergo sequential cryptographic performance tests, including nonlinearity, differential uniformity, and the Strict Avalanche Criterion (SAC). Based on the test results, S-boxes with superior performance are selected and retained for subsequent dynamic substitution table construction.

As shown in Figure 5, the candidate set will be filtered based on the aforementioned security metrics, and the top five optimal parameter pairs will be selected for the final dynamic S-box construction. The specific candidate set is [m(x) = 110110001, (3D, 48)], [m(x) = 110110001, (4F, 33)], [m(x) = 110110001, (A7, v = 6F)], [m(x) = 110110001, (D3, 35)], [m(x) = 110110001, (E9, 28)].

3.2. Dynamic Key Expansion

In the standard AES encryption algorithm, the key expansion mechanism employs a fixed linear iterative structure to extend the initial key into multiple round keys. Although this structure is straightforward to implement and logically clear, its strongly linear characteristics result in high correlation between round keys. Analysis reveals that this key expansion process exhibits certain reversibility—if attackers obtain subkeys from specific rounds, they could theoretically perform backward computations to recover adjacent round keys or even the initial master key, thereby compromising the entire cryptosystem.

This paper proposes a dynamic key expansion mechanism. Building upon the standard expansion process, random perturbation factors are introduced to dynamically generate each round subkey, thereby breaking the inherent predictability in fixed expansion paths.

3.2.1. Dynamic Perturbation Factor and Parameter Construction

This paper introduces dynamic perturbation factors derived from the initial key and a Count into the standard AES key expansion mechanism. The perturbation factors are injected into the round key generation process, forming a more complex and dynamically variable key expansion mechanism. The generation of dynamic perturbation factors is mathematically specified in Equation (6).

$$d_i=Hash(K||\mathrm{Seed})$$

(6)

Among them, $K$ is the initial key. By concatenating the seed and the initial key, a $SHA-256$ hash is computed, and the first 10 bytes of the output are extracted as the dynamic disturbance factor $d_i$.

In the standard AES key expansion process, each round employs a fixed round constant (Rcon) to disrupt linear relationships in the key schedule. This paper replaces the standard round constants with dynamic round constants that are related to perturbation factors, as shown in Equation (7).

$${{Rcon}^{\prime }}_i=Rco{n}_i\oplus d_i$$

(7)

As shown in Equation (7), the dynamic perturbation round constants are formed by XORing the standard round constants with dynamic perturbation factors. In addition, at the $SubWord$ stage, instead of using the fixed AES S-box, the dynamically selected S-box $S_d$ generated in this paper is used.

The perturbation mechanism in the dynamic AES algorithm lies in generating dynamic perturbation factors, dynamic round constants, and dynamic S-boxes, thereby constructing a key expansion path with higher randomness and enhanced security.

3.2.2. Dynamic Key Expansion Structure

By combining the dynamic perturbation factors described earlier with the standard AES key expansion, this paper constructs the dynamic key expansion structure shown in Figure 6 to enhance the nonlinearity and unpredictability of the expanded key sequence.

Figure 6 illustrates the overall process of the dynamic key expansion mechanism. In the initialization stage, the input 16-byte initial key K is divided into four 32-bit words, denoted as $W[0],W[1],W[2],W[3]$, serving as the initial values of the expansion matrix. The subkey sequence index $i(4\le i\le 43)$ starts from 4, representing the generation of $W[4]$ to $W[43]$, forming the complete round key sequence $W[0]$ to $W[43]$. The expansion rules are described below.

When $i\mathrm{mod}4\ne 0$, a simplified path is used to directly compute $W[i]$ according to the standard structure, as shown in Equation (8).

$$W[i]=W[i-1]\oplus W[i-4]$$

(8)

When $i\mathrm{mod}4=0$, the $SubWord$ and $Rcon$ in the key expansion are replaced with dynamic versions, and then the standard AES key expansion process is performed, as shown in Equation (9).

$$W[i]=W[i-4]\oplus SubWor{d}_d(RotWord(W[i-1]))\oplus (Rco{n}_i\oplus d_i)$$

(9)

First, it is rotated, then substituted through the dynamic S-box, then XORed with the dynamic round constant, and finally XORed with to produce for this round. This expansion mechanism, while maintaining the original reversibility of the AES structure, introduces perturbation factors and dynamic substitution tables, making the generation of each round key not only dependent on historical states but also strongly correlated with the seed key, thereby increasing the difficulty for external attackers to predict and reconstruct the keys.

3.3. S-Box and Disturbance Seed Management in the Synchronization Protocol

In this synchronization protocol, the low-level device (ECU) empresses an increasing Count value into the OTA data packet it sends. This Count value is used to dynamically select the variable combinations of the S-box. After receiving the message, the host (server) parses the Count value and generates the corresponding S-box parameters using the same logic to ensure the consistency of encryption and decryption.

To further enhance randomness, the generation of perturbation seeds not only depends on the seed value but also combines the round constant for mixed calculation to ensure that the perturbation factor changes dynamically with each update. The host and the underlying device adopt the same hybrid algorithm, ensuring that even in a high packet loss or out-of-order environment, both sides can still maintain the synchronization of the perturbation seed, thereby avoiding encryption/decryption failures caused by transmission issues.

3.4. Dynamic AES Encryption and Decryption Process

3.4.1. Dynamic AES Encryption Process

Compared to the traditional AES encryption process, the proposed dynamic AES retains the same overall framework, including one initial round of encryption, nine standard rounds of encryption, and one final round of encryption:

• SubBytes Stage: Dynamically generated S-boxes are employed instead of a fixed S-box, resulting in non-static byte substitution mappings in each round.
• AddRoundKey Operation: Round keys are dynamically expanded using perturbation factors, enhancing the irreversibility and reducing predictability between round keys.

The detailed steps of the dynamic AES encryption process are as follows:

• Initial Step: XOR the plaintext with the first four words of the expanded key.
• Standard Rounds (Rounds 1–9):
  • SubBytes: Replace bytes using the round-specific dynamic S-box.
  • ShiftRows: Perform cyclic row shifts (same as in standard AES).
  • MixColumns: Apply column mixing transformation (same as in standard AES).
  • AddRoundKey: XOR with the dynamically expanded round key.
• Final Round (Round 10):
  • Perform SubBytes, ShiftRows, and AddRoundKey (MixColumns is omitted).

3.4.2. Dynamic AES Decryption Process

The dynamic AES decryption process is essentially identical to the standard AES, ensuring that both encryption and decryption sides use the same round keys and S-box mapping logic. The decryption process is as follows:

• Initial round: perform AddRoundKey with the last round key.
• Standard rounds (Rounds 1–9):
• Inverse ShiftRows.
• Inverse SubBytes using the inverse dynamic S-box.
• AddRoundKey with the corresponding dynamic expanded key.
• Inverse MixColumns.
• Final round (Tenth round): perform Inverse ShiftRows, Inverse SubBytes, and AddRoundKey.

In the dynamic AES encryption and decryption process, the key is that the decryption side must remain consistent with the dynamic S-box used on the encryption side. The decryption side uses the same affine parameters and irreducible polynomials as the encryption side to construct the inverse S-box for byte substitution, ensuring the correctness and feasibility of the decryption operation.

3.4.3. Encryption and Decryption Parameter Synchronization Mechanism

In the dynamic AES encryption and decryption process, to ensure that both the encryption and decryption sides can correctly execute the encryption and decryption operations, the same dynamic parameters and S-box mappings must be used on both sides. Both the encryption and decryption sides must satisfy the following synchronization conditions:

• Master Key Synchronization: Both the encryption and decryption sides use the same initial key K for the key expansion mechanism, ensuring consistency of the expanded key sequence.
• S-box Synchronization: During each encryption and decryption operation, both sides use the same affine parameters and irreducible polynomial to generate the S-box, ensuring consistency of the byte substitution mapping.
• Perturbation Factor Synchronization: During each encryption and decryption operation, the generated perturbation factor must be identical on both sides to ensure that the dynamic round constants and expansion paths are matched.
• Round Key Synchronization: The same dynamic key expansion algorithm and perturbation parameters must be used to guarantee identical round key generation, ensuring that the decryption side can correctly decrypt the data.

Figure 7 illustrates the complete dynamic AES encryption process. The plaintext, initial key, and dynamic perturbation parameters are input into the system. The dynamic key expansion module combines the perturbation parameters with the key to generate the round key sequence. The dynamic S-box is constructed using affine parameters and irreducible polynomials. The nine-round cycle includes dynamic substitution, permutation, and diffusion steps, with the final round completing the encryption to generate the ciphertext.

Figure 8 illustrates the complete dynamic AES decryption process. The ciphertext is decrypted using the same dynamic key expansion and inverse S-box as the encryption process, ensuring synchronization of the round keys and substitution. The nine-round cycle includes inverse substitution, permutation, and diffusion operations, followed by the final round, which ultimately recovers the original plaintext. To ensure correct decryption, both the encryption and decryption sides must synchronize the key, S-box, perturbation factors, and round keys.

4. Discussion

4.1. Comparative Analysis of the Cryptographic Performance of S-Box Structures

As shown in Figure 9, the SAC distance of the filtered S-box exhibits periodic fluctuations across different groups. Each set of 30 S-boxes forms a cycle, which corresponds directly to the combination of fixed affine transformation pairs and 30 different irreducible polynomials. The S-box structures generated by different affine transformation pairs exhibit distinct clustering behaviors in terms of avalanche characteristics.

4.2. Evaluation of Cryptographic Metrics

To further improve the diffusion performance of the S-box in the AES algorithm, this study selects the five combinations with the smallest avalanche distance from all candidate sets as the final parameter set for dynamic S-box generation, including the corresponding irreducible polynomials and affine transformation pairs.

Table 1. Comparison of Cryptographic Metrics: AES S-box vs. Dynamic S-box.

Metric	AES S-Box (Standard)	Dynamic S-Box
Differential Uniformity	4	4
Nonlinearity	112	112
SAC Distance (Absolute Deviation)	432	304

shows a comparison of key encryption performance metrics between the dynamic S-box sets and the standard AES S-box.

4.3. Complexity of ANF Expressions

Additionally, to further compare the algebraic complexity between the standard AES S-box and the dynamic S-boxes proposed in this paper, we utilized the mathematical tool SageMath to analyze the number of terms in their algebraic normal form (ANF) expressions. The test results are shown in Figure 10.

Figure 10 shows the comparison of the total number of ANF terms between the standard AES S-box and the selected dynamic S-boxes proposed in this work. Complexity is measured by the total number of nonzero terms across the eight output Boolean functions. The results indicate that the dynamic S-boxes have slightly higher complexity than the AES S-box (1013), suggesting potentially stronger resistance to algebraic attacks and better diffusion properties.

Finally, this study uses the five selected candidate sets as combinations of affine transformation pairs and irreducible polynomials for dynamic S-box generation. As shown in Table 1, by dynamically improving the selection of irreducible polynomials, the dynamic S-box achieves a nonlinearity of 112, indicating strong resistance to linear cryptanalysis. The differential uniformity of the dynamic S-box is 4, which is the same as that of the standard AES S-box. In addition, the avalanche distance (SAC) of the selected dynamic S-boxes outperforms the standard AES S-box, demonstrating stronger diffusion and overall resistance to analysis.

The proposed dynamic S-box mechanism is applied to secure access authentication. During each seed and key exchange, the system dynamically selects one of the final parameter sets to generate the S-box, which is then used to compute the identity challenge and response. This enhances the unpredictability of the key and the security of data transmission, with minimal impact on computational efficiency.

4.4. Evaluation of Encryption Diffusion Performance

To evaluate the overall diffusion performance of the dynamic AES encryption structure, we conducted avalanche effect testing on both the standard AES and the proposed dynamic AES algorithm. Specifically, we generated 100 sets of 128-bit random plaintexts, flipped 1 bit in each set to create perturbed plaintexts, while keeping the key unchanged. We then encrypted both sets and calculated the number of differing bits between the ciphertexts, taking the average of all the tests.

Figure 11 shows the average avalanche effect results for standard AES and five dynamic AES configurations, with each configuration using a uniquely selected dynamic S-box. With the random seed fixed at rng (43) to ensure consistency, the static AES achieves an average bit difference of 64.02. In comparison, the five dynamic AES variants yield average differences of 64.04, 63.87, 64.05, 64.39, and 63.98, respectively. These findings demonstrate that all dynamic configurations successfully preserve the avalanche property of the original AES algorithm. Additionally, some configurations exhibit slightly better diffusion strength compared to static AES, indicating that the nonlinear propagation of input differences is enhanced during the encryption process.

4.5. Embedded Platform Performance Evaluation

To verify the practical feasibility of the dynamic S-box mechanism and dynamic key expansion mechanism, and to evaluate the practicality and timeliness of the dynamic AES algorithm on embedded platforms, experiments were conducted using the STM32F407 development board (STMicroelectronics, Geneva, Switzerland). The experimental scenario simulates the encryption and decryption process of the ECU node regarding service 27 in OTA, where each encryption operation processes a 16-byte seed and decrypts the corresponding 16-byte ciphertext.

As shown in Figure 12, the experimental environment includes the STM32F407 development board connected to a dual-monitor computer, simulating the ECU’s encryption task during OTA communication. The development board executed the complete dynamic AES algorithm, and the results were collected on the host PC.

The experiment implemented the complete process of the dynamic AES encryption algorithm, including the dynamic S-box mechanism, dynamic key expansion mechanism, and the main encryption/decryption process control. Unlike the traditional AES algorithm, the dynamic S-box does not use a fixed lookup table; instead, before each encryption operation, it constructs a new S-box by performing a customized affine transformation based on the affine transformation parameters and irreducible polynomial combinations. Additionally, to ensure reversibility in decryption, the inverse S-box is derived from the forward S-box, avoiding inconsistencies caused by separate tables. In the implementation, all transformation tables are computed in real-time and stored in RAM to support fast lookup and replacement, thereby saving Flash memory space.

Figure 13 provides a close-up view of the development board in operation. The dynamic S-box and key expansion logic are computed in real time and stored in RAM, reflecting the lightweight and adaptable design suitable for embedded deployment.

To verify the correctness of the dynamic AES algorithm, encryption and decryption operations were performed on the STM32F407VGTE development board (STMicroelectronics, Geneva, Switzerland). A 16-byte seed was input, encrypted using the dynamic S-box and dynamic key expansion mechanism to generate ciphertext, and then decrypted using the corresponding inverse S-box and keys to recover the original plaintext.

Table 2. Byte-wise Comparison of Seed, Ciphertext, and Decrypted Output.

Index	Seed	Ciphertext	Plaintext
0	0x01	0x1C	0x01
1	0x1F	0x79	0x1F
2	0x07	0xCB	0x07
3	0xDB	0x41	0xDB
4	0x75	0xAF	0x75
5	0xE5	0xB9	0xE5
6	0x9A	0x63	0x9A
7	0x6A	0x10	0x6A
8	0x7B	0x95	0x7B
9	0x72	0x80	0x72
10	0xCA	0xBA	0xCA
11	0xF0	0x3D	0xF0
12	0x97	0xB4	0x97
13	0x7A	0x72	0x7A
14	0x53	0x96	0x53
15	0x55	0x68	0x55

shows the comparison results of the encryption and decryption process of the dynamic AES algorithm on the STM32F407 embedded platform. Each byte is mapped to the corresponding ciphertext byte after encryption and is fully restored to the original seed data during decryption, verifying the correctness and reversibility of the modified algorithm on the embedded platform. Additionally, the table reflects the diffusion effect of different input bits on the ciphertext distribution, demonstrating the nonlinear substitution characteristics of the dynamic S-box construction.

Figure 14 shows the visualization of one set of dynamically generated S-boxes and its corresponding inverse S-box. The S-box is constructed using an affine transformation pair combined with a fixed irreducible polynomial over the finite field. The heatmap is reshaped into a 16 × 16 matrix to highlight the nonlinear mapping patterns. As shown in the figure, the dynamic S-box exhibits a highly irregular nonlinear substitution structure, while its inverse S-box maintains bijective reversibility. Moreover, the other four sets of dynamic S-boxes also have similar performance. These visual patterns confirm that the proposed affine parameter selection strategy can generate cryptographically valid and diverse dynamic S-box designs.

Figure 15 presents the encryption–decryption verification results for a dynamic AES S-box configuration. The chart compares the original plaintext seed (solid blue line), ciphertext (dashed red line), and decryption output (yellow line with markers) across all 16-byte positions. As shown, the decryption output perfectly overlaps the original seed at each byte position, confirming the correctness and reversibility of the encryption process under dynamic S-box substitutions. Meanwhile, the ciphertext curve deviates significantly from both the plaintext and decrypted output, demonstrating effective nonlinear transformation and strong diffusion. This figure validates that the proposed dynamic AES scheme maintains functional integrity and achieves robust encryption characteristics even with varying S-box designs.

To evaluate the execution efficiency of the dynamic AES algorithm on embedded platforms, we measured the runtime of its core functions on the STM32F470 development board (STMicroelectronics, Geneva, Switzerland).

Table 3. Dynamic AES Performance on Embedded Platform.

Platform	Algorithm	Data Size	Encrypt Time (us)	Decrypt Time (us)	Diff. (%%)
STM32F407@168MHz	Dynamic AES-128	128 bit	9655.89	9658.50	0.0270%

presents the performance evaluation results of the encryption and decryption processes on the STM32F407 chip platform. For 128-bit (16-byte) seed data, the encryption and decryption operations took 9655.89 us and 9658.5 us, respectively, with a time difference of only 0.0270%. This demonstrates the algorithm’s symmetry and efficiency on embedded systems. When applied to real-time vehicle OTA update scenarios, the encryption and decryption times fully meet the ECU update delay requirements of current OTA systems, confirming the engineering applicability of dynamic AES on embedded devices.

In terms of throughput, based on the measured encryption and decryption times for 128-bit (16-byte) data blocks, the dynamic AES demonstrates stable data-processing capabilities on the STM32F407 platform. The encryption throughput reaches approximately 13.26 kbps, while the decryption throughput is around 13.25 kbps. This level of throughput, although focused on single-block processing, is sufficient to support the continuous data transmission requirements of real-time vehicle OTA update scenarios. Regarding interrupt delay, the core encryption/decryption operation takes about 9.65 ms, which is sufficient for the P2 time of OTA for the additional time required for one encryption and decryption.

5. Conclusions

This paper addresses the static structure vulnerabilities of traditional AES in secure embedded OTA communication environments, proposing an enhanced AES encryption/decryption scheme that integrates a dynamic S-box generation mechanism with a perturbation-based key expansion mechanism. The key contributions are summarized below:

• A dynamic S-box construction mechanism is proposed: Multiple high-performance dynamic S-boxes are obtained by screening various irreducible polynomials and affine transformation pairs.
• A perturbation-based dynamic key expansion mechanism is designed: By incorporating hash-derived perturbation factors and integrating them with dynamic S-boxes, the round key generation process is perturbed to enhance unpredictability.
• A dynamic AES encryption/decryption framework is constructed: A complete dynamic AES architecture is developed that preserves the structural advantages of AES while incorporating dynamic elements to enhance adaptability in high-security environments.
• Completed embedded platform validation and performance evaluation: The dynamic AES scheme was implemented on embedded platforms and benchmarked against conventional AES, confirming its feasibility under constrained computational resources. Multi-perspective experimental comparisons demonstrate that the proposed solution maintains security with acceptable computational overhead.

Through comprehensive theoretical analysis and systematic experimentation, this study demonstrates that the proposed dynamic AES mechanism significantly enhances cryptographic resistance in OTA communication systems. Our solution provides a practical security optimization framework particularly suitable for automotive authentication and embedded secure communications.

However, several critical challenges require further investigation:

• Cross-platform applicability and large-scale deployment verification
  • Current Limitations: Our experiments have primarily been conducted on the STM32F407 platform. While the results demonstrate technical feasibility, systematic evaluations on broader hardware architectures have not yet been performed.
  • Future Directions: It is necessary to test RAM/Flash usage and real-time performance on diverse MCUs and consider the impact of hardware acceleration on the generation of dynamic S-boxes.
• Formal security proof of dynamic S-box synchronization
  • Current Limitations: Although we have achieved dynamic synchronization of the S-box using the Count value and round constants, a rigorous formal model has not yet been established to prove its resilience against active attacks (such as man-in-the-middle tampering or replay attacks).
  • Future Directions: The security of the synchronization protocol under adaptive chosen-ciphertext attacks can be analyzed by integrating it with the provable security framework.

This study has made the following key contributions to the implementation of dynamic encryption schemes in embedded systems:

• Empirical validation of security–resource tradeoffs: Demonstrated the feasibility of dynamic S-box implementation on resource-constrained devices, establishing benchmark data for similar application scenarios.
• Practical synchronization protocol design: Achieved an optimal balance between synchronization overhead and security through a hybrid mechanism combining Seed values and round constants.
• Cross-layer optimization approach: Revealed the synergistic design potential between the algorithmic layer and protocol layer.
• Compare with other dynamic AES variants to identify the shortcomings of this dynamic AES algorithm and optimize it.

Future research directions may focus on formal verification, cross-platform adaptation, and side-channel resistance hardening to facilitate the transition of dynamic encryption from laboratory research to industrial deployment.