h WITH THE GROWING importance of secured communication the importance of cryptographic cores have increased. Hardware solutions of these cores are developed using application specific integrated circuit (ASIC) libraries or on field programmable gate array (FPGA) platforms. Recently, the enhancement of the FPGAs has lead to the use of these platforms for in-house development of cryptographic IPs. The fact that the entire design can be performed in the laboratory, without relying on an untrusted third party fab makes such design flows ideal from the point of view of security [1].In a system-on-chip (SoC) the cores are pretested and preverified. However the test and verification is mostly functional and the integrator is satisfied if the core meets its functionalities. However for cryptographic cores, apart from the normal functionality it is also important to model the core under not normal conditions. A related study of cryptographic algorithms and the designs thereof is known as differential fault analysis (DFA) [2]. This analysis technique investigates the nature of induced faults when a device is stressed beyond its normal operating conditions. While the core integrator is mostly satisfied when the faults are not permanent, for the attacker a single transient fault is enough to get the complete key for even standard ciphers like AES-128 [3].Most of the attacks exploiting the faults on AES target the AES data-path and assume byte faults. Hence researchers have tried to apply classical fault tolerance techniques like parity, invariance, hardware and time redundancy [4], [5] to detect these faults in the data-path of AES [6]. However there are other DFAs on AES which target the key-schedule. Faults can be injected in the round keys either by corrupting the key scheduling process (on the fly round key generation) or corrupting the memory (precomputation process) where the round keys are preloaded. Such faults will not be detected by the countermeasures which only protect the AES data path. DFA on AES key schedule [7], [8], was considered more difficult than attacking AES states as it required more number of faulty ciphertexts. Recently a DFA on AES-128 key schedule was proposed [9], which required only one pair of fault free and faulty ciphertexts. The most efficient DFA on key schedule [8] required three to four pairs and four pairs of fault free and faulty ciphertexts, respectively. However, all these attacks exploit single byte faults. Researchers show that while there are several inexpensive techniques for fault injection [10]Editor's notes: Can the inputs of a cryptocore be stressed to leak the secret key? This article demonstrates such a vulnerability challenging secure integration of these cores in a system-on-chip design.VSwarup Bhunia, Case Western Reserve University