diff --git a/chip/g/dcrypto/key_ladder.c b/chip/g/dcrypto/key_ladder.c
index 42ab5a15a1..3e3c0a3e93 100644
--- a/chip/g/dcrypto/key_ladder.c
+++ b/chip/g/dcrypto/key_ladder.c
@@ -17,6 +17,20 @@ static void ladder_init(void)
 * the other pending sha flow.
 * Hence leave as is and observe the error.
 */
+
+ /* Enable random stalls for key-ladder usage. Note that
+ * the stall rate used for key-ladder operations is
+ * 25% (vs. 12% for generic SHA operations). This distinction
+ * is made so as to increase the difficulty in characterizng
+ * the key-ladder engine via random inputs provided over the
+ * generic SHA interface.
+ */
+ /* Turn off random nops (which are enabled by default). */
+ GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, STALL_EN, 0);
+ /* Configure random nop percentage at 25%. */
+ GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, FREQ, 1);
+ /* Now turn on random nops. */
+ GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, STALL_EN, 1);
 }
 
 static int ladder_step(uint32_t cert, const uint32_t input[8])
diff --git a/chip/g/dcrypto/sha256.c b/chip/g/dcrypto/sha256.c
index e21d54b1d6..f127ab445a 100644
--- a/chip/g/dcrypto/sha256.c
+++ b/chip/g/dcrypto/sha256.c
@@ -147,6 +147,13 @@ void dcrypto_sha_init(enum sha_mode mode)
 val |= GC_KEYMGR_SHA_CFG_EN_SHA1_MASK;
 GREG32(KEYMGR, SHA_CFG_EN) = val;
 
+ /* Turn off random nops (which are enabled by default). */
+ GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, STALL_EN, 0);
+ /* Configure random nop percentage at 12%. */
+ GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, FREQ, 2);
+ /* Now turn on random nops. */
+ GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, STALL_EN, 1);
+
 /* Start SHA engine. */
 GREG32(KEYMGR, SHA_TRIG) = GC_KEYMGR_SHA_TRIG_TRIG_GO_MASK;
 }
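Review bot: The `FREQ` value written in ladder_init (`1`, commented as 25%) and the one in the sha256.c hunk (`2`, commented as 12%) are bare register encodings, and the same disable/configure/enable sequence is duplicated in both files. The side-channel hardening depends on each path getting the rate its comment claims, so named constants and one shared helper taking the rate would make a swapped or stale value visible at review; the identifiers in the sketch below are constructed, and the helper's prototype would go in whichever internal header both files already share. The new block comment also carries a typo, `characterizng`. ladder_init's opening lines are outside the hunk.

```c
/* Constructed names; the encodings are the ones this commit's comments give. */
enum sha_rand_stall_freq {
	SHA_RAND_STALL_FREQ_25PCT = 1, /* key-ladder operations */
	SHA_RAND_STALL_FREQ_12PCT = 2, /* generic SHA operations */
};

void sha_rand_stall_set(enum sha_rand_stall_freq freq)
{
	/* Turn off random nops (which are enabled by default). */
	GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, STALL_EN, 0);
	GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, FREQ, freq);
	/* Now turn on random nops at the new rate. */
	GWRITE_FIELD(KEYMGR, SHA_RAND_STALL_CTL, STALL_EN, 1);
}

/* … unchanged: existing comment block at the top of ladder_init … */
	sha_rand_stall_set(SHA_RAND_STALL_FREQ_25PCT);
```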
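Review bot: In dcrypto_sha_init the added writes reprogram the same `KEYMGR` `SHA_RAND_STALL_CTL` register that ladder_init sets to 25%, so whichever init ran last decides the rate, and between the `STALL_EN, 0` and `STALL_EN, 1` writes random stalls are off altogether. If a generic SHA init can run while a key-ladder sequence is still stepping (the existing comment in ladder_init mentions a pending sha flow, but the locking is not visible in this diff), the remaining ladder steps would run at 12% or briefly with no stalls, which undercuts the distinction the commit is trying to create. It is worth confirming that engine ownership serializes the two paths and, once confirmed, recording it next to these writes, e.g. `/* Caller owns the SHA engine here; ladder_init() re-applies the 25% key-ladder rate. */`. The function's opening lines are outside the hunk.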