Abstract. In this paper we describe several fault attacks on the Advanced Encryption Standard (AES). First, using optical/eddy current fault induction attacks as recently publicly presented by Skorobogatov, Anderson and Quisquater, Samyde [SA,QS], we present an implementation independent fault attack on AES. This attack is able to determine the complete 128-bit secret key of a sealed tamper-proof smartcard by generating 128 faulty cipher texts. Second, we present several implementation-dependent fault attacks on AES. These attacks rely on the observation that due to the AES’s known timing analysis vulnerability (as pointed out by Koeune and Quisquater [KQ]), any implementation of the AES must ensure a data independent timing behavior for the so called AES’s xtime operation. We present fault attacks on AES based on various timing analysis resistant implementations of the xtimeoperation. Our strongest attack in this direction uses a very liberal fault model and requires only 256 faul...