Proposing an MILP-based Method for the Experimental Verification of Difference Trails

Search for the right pairs of inputs in difference-based distinguishers is an important task for the experimental verification of the distinguishers in symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the possibility of difference-based distinguishers and extract the right pairs. We apply the proposed method to some presented difference-based trails (Related-Key Differentials (RKD), Rotational-XOR (RX)) of block ciphers \texttt{SIMECK}, and \texttt{SPECK}. As a result, we show that some of the reported RX-trails of \texttt{SIMECK} and \texttt{SPECK} are incompatible, i.e. there are no right pairs that follow the expected propagation of the differences for the trail. Also, for compatible trails, the proposed approach can efficiently speed up the search process of finding the exact value of a weak-key from the target weak-key space. For example, in one of the reported 14-round RX trails of \texttt{SPECK}, the probability of a key pair to be a weak-key is $2^{-94.91}$ when the whole key space is $2^{96}$; our method can find a key pair for it in a comparatively short time. It is worth noting that it was impossible to find this key pair using a traditional search. As another result, we apply the proposed method %and consider a search strategy for the framework of to \texttt{SPECK} block cipher, to construct longer related-key differential trails of \texttt{SPECK} which we could reach 15, 16, 17, and 19 rounds for \texttt{SPECK32/64}, \texttt{SPECK48/96}, \texttt{SPECK64/128}, and \texttt{SPECK128/256}, respectively. It should be compared with the best previous results which are 12, 15, 15, and 20 rounds, respectively, that both attacks work for a certain weak key class. It should be also considered as an improvement over the reported result of rotational XOR cryptanalysis on \texttt{SPECK}

Proposing an MILP-based method for the experimental verification of difference-based trails: application to SPECK, SIMECK

Under embargo until: 2022-07-08Searching for the right pairs of inputs in difference-based distinguishers is an important task for the experimental verification of the distinguishers in symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the possibility of difference-based distinguishers and extract the right pairs. We apply the proposed method to some published difference-based trails (Related-Key Differentials (RKD), Rotational-XOR (RX)) of block ciphers SIMECK, and SPECK. As a result, we show that some of the reported RX-trails of SIMECK and SPECK are incompatible, i.e. there are no right pairs that follow the expected propagation of the differences for the trail. Also, for compatible trails, the proposed approach can efficiently speed up the search process of finding the exact value of a weak key from the target weak key space. For example, in one of the reported 14-round RX trails of SPECK, the probability of a key pair to be a weak key is 2−94.91 when the whole key space is 296; our method can find a key pair for it in a comparatively short time. It is worth noting that it was impossible to find this key pair using a traditional search. As another result, we apply the proposed method to SPECK block cipher, to construct longer related-key differential trails of SPECK which we could reach 15, 16, 17, and 19 rounds for SPECK32/64, SPECK48/96, SPECK64/128, and SPECK128/256, respectively. It should be compared with the best previous results which are 12, 15, 15, and 20 rounds, respectively, that both attacks work for a certain weak key class. It should be also considered as an improvement over the reported result of rotational-XOR cryptanalysis on SPECK.acceptedVersio

AlgSAT --- a SAT Method for Search and Verification of Differential Characteristics from Algebraic Perspective

A good differential is a start for a successful differential attack. However, a differential might be invalid, i.e., there is no right pair following the differential, due to some contradictions in the conditions imposed by the differential. This paper presents a novel and handy method for searching and verifying differential trails from an algebraic perspective. From this algebraic perspective, exact Boolean expressions of differentials over a cryptographic primitive can be conveniently established, which allows for the convenient verification of a given differential trail. This verification process can be naturally formulated as a Boolean satisfiability problem (SAT). To demonstrate the power of our new tool, we apply it to Gimli, Ascon, and Xoodoo. For Gimli, we improve the efficiency of searching for a valid 8-round colliding differential trail compared to the previous MILP model (CRYPTO 2020). Based on this differential trail, a practical semi-free-start collision attack on the intermediate 8-round Gimli-Hash is thus successfully mounted. For Ascon, we check several differential trails reported at FSE 2021. Specifically, we find that a 4-round differential used in the forgery attack on Ascon-128’s iteration phase has been proven invalid. As a consequence, the corresponding forgery attack is also invalid. For Xoodoo, as an independent interest, we develop a SAT-based automatic search toolkit called XoodooSat to search for 3- and 4-round differential trail cores of Xoodoo. Our toolkit finds two more 3-round differential trail cores of weight 48 that were missed by the designers which enhance the security analysis of Xoodoo. Then, we verify tens of thousands of 3-round differential trails and two 4-round differential trails extended from the so-called differential trail cores. We find that all these differential trails are valid, which effectively demonstrates that there are no contradictions in the conditions imposed by the round differentials of the DTs in the trail core

CLAASP: a Cryptographic Library for the Automated Analysis of Symmetric Primitives

This paper introduces CLAASP, a Cryptographic Library for the Automated Analysis of Symmetric Primitives. The library is designed to be modular, extendable, easy to use, generic, efficient and fully automated. It is an extensive toolbox gathering state-of-the-art techniques aimed at simplifying the manual tasks of symmetric primitive designers and analysts. CLAASP is built on top of Sagemath and is open-source under the GPLv3 license. The central input of CLAASP is the description of a cryptographic primitive as a list of connected components in the form of a directed acyclic graph. From this representation, the library can automatically: (1) generate the Python or C code of the primitive evaluation function, (2) execute a wide range of statistical and avalanche tests on the primitive, (3) generate SAT, SMT, CP and MILP models to search, for example, differential and linear trails, (4) measure algebraic properties of the primitive, (5) test neural-based distinguishers. In this work, we also present a comprehensive survey and comparison of other software libraries aiming at similar goals as CLAASP

Functional Cryptanalysis: Application to reduced-round Xoodoo

This paper proposes functional cryptanalysis, a flexible and versatile approach to analyse symmetric-key primitives with two primary features. Firstly, it is a generalization of multiple attacks including (but not limited to) differential, rotational and rotational-xor cryptanalysis. Secondly, it is a theoretical framework that unifies all of the aforementioned cryptanalysis techniques and at the same time opens up possibilities for the development of new cryptanalytic approaches. The main idea of functional cryptanalysis is the usage of binary relations in the form of functions, hence the name functional, instead of binary operations like in a classical settings of differential -like cryptanalysis. We establish the theoretical foundations of functional cryptanalysis from standard terminologies. This work also presents an interpretation of functional cryptanalysis from the point of view of commutative algebra. In particular, we exhibit an algorithm to compute the functional probability (hence differential, rotational, and rotational-xor probability) using Grobner bases. We demonstrate the applicability of functional cryptanalysis against reduced-round Xoodoo and compare it against the best differential. To avoid dealing with invalid differential trails, we propose a method to construct a valid differential trail using Satisfiability Modulo Theory (SMT). To the best of our knowledge, this is the first time the SMT model is used to construct a valid differential while previous approaches rely on Mixed-Integer Linear Programming (MILP) model. Lastly, we remark that the use of non-translation functionals shares analogous advantages and limitations with the use of nonlinear approximations in linear cryptanalysis

Chosen-Key Distinguishing Attacks on Full AES-192, AES-256, Kiasu-BC, and More

At CRYPTO 2020, Liu et al. find that many differentials on Gimli are actually incompatible. On the related-key differential of AES, the incompatibilities also exist and are handled in different ad-hoc ways by adding respective constraints into the searching models. However, such an ad-hoc method is insufficient to rule out all the incompatibilities and may still output false positive related-key differentials. At CRYPTO 2022, a new approach combining a Constraint Programming (CP) tool and a triangulation algorithm to search for rebound attacks against AES- like hashing was proposed. In this paper, we combine and extend these techniques to create a uniform related-key differential search model, which can not only generate the related-key differentials on AES and similar ciphers but also immediately verify the existence of at least one key pair fulfilling the differentials. With the innovative automatic tool, we find new related-key differentials on full-round AES-192, AES-256, Kiasu-BC, and round-reduced Deoxys-BC. Based on these findings, full- round limited-birthday chosen-key distinguishing attacks on AES-192, AES-256, and Kiasu-BC are presented, as well as the first chosen-key dis- tinguisher on reduced Deoxys-BC. Furthermore, a limited-birthday dis- tinguisher on 9-round Kiasu-BC with practical complexities is found for the first time

Mind the Propagation of States New Automatic Search Tool for Impossible Differentials and Impossible Polytopic Transitions (Full Version)

Impossible differentials cryptanalysis and impossible polytopic cryptanalysis are the most effective approaches to estimate the security of block ciphers. However, the previous automatic search methods of their distinguishers, impossible differentials and impossible polytopic transitions, neither consider the impact of key schedule in the single-key setting and the differential property of large S-boxes, nor apply to the block ciphers with variable rotations. Thus, unlike previous methods which focus on the propagation of the difference or $s$-difference, we redefine the impossible differentials and impossible $(s+1)$-polytopic transitions according to the propagation of state, which allow us to break through those limitations of the previous methods. Theoretically, we prove that traditional impossible differentials and impossible $(s+1)$-polytopic transitions are equivalent to part of our redefinitions, which have advantages from broader view. Technically, we renew the automatic search model and design an SAT-based tool to evaluate our redefined impossible differentials and impossible $(s+1)$-polytopic transitions efficiently. As a result, for GIFT64, we get the $6$-round impossible differentials which cannot be detected by all previous tools. For PRINTcipher, we propose the first modeling method for the key-dependent permutation and key-dependent S-box. For MISTY1, we derive 902 4-round impossible differentials by exploiting the differential property of S-boxes. For RC5, we present the first modeling method for the variable rotation and get 2.5-round impossible differentials for each version of it. More remarkable, our tool can be used to evaluate the security of given cipher against the impossible differentials, and we prove that there exists no 5-round 1 input active word and 1 output active word impossible differentials for AES-128 even consider the relations of 3-round keys. Besides, we also get the impossible $(s+1)$-polytopic transitions for PRINTcipher, GIFT64, PRESENT, and RC5, all of which can cover more rounds than their corresponding impossible differentials as far as we know

High-Performance Testbed for Vision-Aided Autonomous Navigation for Quadrotor UAVs in Cluttered Environments

This thesis presents the development of an aerial robotic testbed based on Robot Operating System (ROS). The purpose of this high-performance testbed is to develop a system capable of performing robust navigation tasks using vision tools such as a stereo camera. While ensuring the computation of robot odometery, the system is also capable of sensing the environment using the same stereo camera. Hence, all the navigation tasks are performed using a stereo camera and an inertial measurement unit (IMU) as the main sensor suite. ROS is used as a framework for software integration due to its capabilities to provide efficient communication and sensor interfaces. Moreover, it also allows us to use C++ which is efficient in performance especially on embedded platforms. Combining together ROS and C++ provides the necessary computation efficiency and tools to handle fast, real-time image processing and planning which are the vital parts of navigation and obstacle avoidance on such scale. The main application of this work revolves around proposing a real-time and efficient way to demonstrate vision-based navigation in UAVs. The proposed approach is developed for a quadrotor UAV which is capable of performing defensive maneuvers in case any obstacles are in its way, while constantly moving towards a user-defined final destination. Stereo depth computation adds a third axis to a two dimensional image coordinate frame. This can be referred to as the depth image space or depth image coordinate frame. The idea of planning in this frame of reference is utilized along with certain precomputed action primitives. The formulation of these action primitives leads to a hybrid control law for feasible trajectory generation. Further, a proof of stability of this system is also presented. The proposed approach keeps in view the fact that while performing fast maneuvers and obstacle avoidance simultaneously, many of the standard optimization approaches might not work in real-time on-board due to time and resource limitations. This leads to a need for the development of real-time techniques for vision-based autonomous navigation

Survivable virtual topology design in optical WDM networks using nature-inspired algorithms

Tez (Doktora) -- İstanbul Teknik Üniversitesi, Bilişim Enstitüsü, 2012Thesis (PhD) -- İstanbul Technical University, Institute of Informatics, 2012Günümüzde bilgisayar ağları hayatımızın önemli bir parçası ve ihtiyaç haline gelmiştir. İstediğimiz veriye, istediğimiz anda, daha hızlı, daha güvenli ve kesintisiz olarak erişme isteğimiz aslında ağ altyapısının nasıl tasarlanacağını belirlemektedir. Kullanıcıların istekleri sürekli artarken, teknolojik gelişmelerle birlikte yeni yöntem ve algoritmalarla bu istekleri karşılamanın yolları aranmaktadır. Ağdaki aktarım hızı, aktarım ortamından doğrudan etkilenmektedir; bugün uzak mesafelere en yüksek kapasiteli ve hızlı aktarımın yapılabileceği ortam ise fiberdir. Fiber optik ağlar, fiberin üstün özelliklerini (hız, düşük bit hata oranı, elektromanyetik ortamlardan etkilenmeme, düşük işaret zayıflaması, fiziksel dayanıklılık, ucuzluk, güvenlilik, vs.) en iyi kullanacak şekilde tasarlanan ağlardır. Günümüzde dünyadaki iletişim ağ altyapısı, omurga ağlardan erişim ağlarına kadar, hızla fiber optik ağlara dönüşmektedir. Optik ağların en önemli özelliklerinden biri veri aktarım hızıdır, tek bir fiberden teorik olarak 50 Tb/s veri aktarımı yapılabileceği hesaplanmaktadır. Bugün, lider iletişim firmaları 100 Gb/s ya da 1 Tb/s hızda veri aktarımı yapacak kanalllardan bahsedebiliyorsa, bu, fiziksel altyapı optik bir omurgadan oluştuğu içindir. Dalgaboyu bölmeli çoğullama (WDM) teknolojisi sayesinde bir fiber üzerinde aynı anda kurulabilecek kanal sayısı, günümüz teknolojisiyle yüzler mertebesine çıkabilmektedir. Dalgaboyu bölmeli çoğullama teknolojisi ile, optik aktarım birbiriyle çakışmayan dalgaboyu bantlarına bölünür ve her bir dalgaboyu istenen hızda çalışan, ışıkyolu olarak adlandırılan, bir iletişim kanalını destekler. Böylece, yakın gelecek için öngörülen çok yüksek hızlara çıkmadan bile, bir fiberden herbiri birkaç on Gb/s hızda çalışan yüz dolayında ışıkyolu geçebilmektedir. Bu kadar yüksek hızlarda veri aktarımı, özellikle her bir fiberinde çok sayıda kanalın taşındığı omurga ağlarda bir konuya büyük önem kazandırmaktadır: Hataya bağışıklık. En sık rastlanan hata olan, bir fiberin, herhangi bir nedenle kesilmesi (çoğunlukla inşaat makineleri tarafından, ya da doğal afetlerce), fiber tamir edilene kadar, her saniyede birkaç terabitlik veri kaybı anlamına gelecektir. Örnek olarak 10 km uzunlukta bir fiberin kopma sıklığı 11 yılda birdir. Omurga ağlarda yüzlerce, bazen binlerce, kilometrelik fiberler döşendiği gözönüne alındığında, böyle bir hata durumu için tedbir alınmaması düşünülemez. Optik ağ üzerindeki herhangi bir fibere zarar gelmesi demek bu fiber üzerinden yönlendirilmiş olan tüm ışıkyollarının kopması demektir. Her bir ışıkyolu üzerinden yüksek miktarda (40 Gb/s) veri aktarımı yapıldığından, böyle bir zarar ciddi veri kayıplarına neden olabilir. Temel olarak fiber kopmasına karşı geliştirilen iki yaklaşım vardır. Birinci yaklaşımda fiber üzerinden geçen her bir bağlantının, yani ışıkyolunun, yedek yollarla korunmasıdır. İkinci yaklaşım ise, özellikle birçok internet uygulamasına da uygun ve yeterli olacak şekilde, ışıkyollarının oluşturduğu sanal topolojinin bağlı kalmasının sağlanmasıdır. Bu ikinci yaklaşımda herbir ışıkyoluna ayrı ayrı yedek koruma yollarının atanması yerine, sanal topolojinin korunması dikkate alınarak, üst katmanların (paket katmanları) koruma mekanizmalarının devreye girebilmesi için gereken minimum koşulların sağlanması amaçlanmaktadır. Birinci yaklaşım belirli düzeylerde garantili bir koruma sağlarken yüksek miktarda ağ kaynağının atıl durmasına neden olmakta, dolayısıyla bu kadar üst düzey koruma gerektirmeyen uygulamalar için pahalı bir çözüm sunmaktadır. Son yıllarda özellikle dikkat çeken ikinci yaklaşım ise, daha ekonomik bir yöntemle iletişimin kopmaması garantisini vermekte, ancak daha yavaş bir düzeltme sağlamaktadır. Günümüzde birçok uygulama bağlantı kopmadığı sürece paket katmanının, yeni yol bulma gibi hata düzeltme mekanizmalarının devreye girmesi için gerekli olan, dakikalar mertebesindeki gecikmelere toleranslıdır (web dolaşımı, dosya aktarımı, mesajlaşma, uzaktan erişim gibi). Bu yaklaşım ilkine göre daha az ağ kaynağının atıl kalmasına neden olarak kullanıcıya daha ekonomik hizmet verilmesini sağlayacaktır. Bu çalışmada üzerinde durduğumuz hataya bağışık sanal topoloji tasarımı problemi de bu ikinci yaklaşımı benimsemektedir. Hataya bağışık sanal topoloji tasarımı problemi kendi içinde dört alt probleme ayrılmaktadır: ışıkyollarının belirlenmesi (sanal topolojiyi oluşturma), bu ışıkyollarının herhangi bir fiber kopması durumunda bile sanal topolojinin bağlı kalmasını sağlayacak sekilde fiziksel topoloji üzerinde yönlendirilmesi, dalgaboyu atanması, ve paket trafiğinin yönlendirilmesi. Bu alt problemler ayrı ayrı çözülebilir. Ancak, bunlar bağımsız problemler değildir ve bunları tek tek çözmek elde edilen çözümün kalitesinin çok düşük olmasına neden olabilir. Bununla birlikte, hataya bağışık sanal topoloji tasarımı problemi NP-karmaşıktır. Karmaşıklığı nedeniyle bu problemin, gerçek boyutlu ağlar için, klasik optimizasyon teknikleriyle kabul edilebilir zamanda çözülmesi mümkün değildir. Bu çalışmada, fiziksel topolojinin ve düğümler arası paket trafiği yoğunluğunun bilindiği durumlar için, hataya bağışık sanal topoloji tasarımı problemi bütün halinde ele alınmaktadır. Tezin ilk aşamasında, hataya bağışık sanal topoloji tasarımı probleminin alt problemi olan hataya bağışık sanal topoloji yönlendirmesi problemi ele alınmıştır. Verilen bir sanal topoloji için en az kaynak kullanarak hataya bağışık yönlendirme yapmak için iki farklı doğa-esinli algoritma önerilmektedir: evrimsel algoritmalar ve karınca kolonisi optimizasyonu. Öncelikle önerilen algoritmaların problem için uygun parametre kümesi belirlenmiş, daha sonra, algoritmaların başarımını ölçmek için, deneysel sonuçlar tamsayı doğrusal programlama (ILP) ile elde edilen sonuçlarla karşılaştırılmışır. Sonuçlar göstermektedir ki; önerdiğimiz iki algoritma da, tamsayı doğrusal programlama ile uygun bir çözüm bulunamayan büyük ölçekli ağlar için dahi, problemi çözebilmektedir. Bunun yanında, doğa-esinli algoritmalar çok daha az CPU zamanı ve hafıza kullanmaktadır. Elde edilen çözüm kalitesi ve çözüm için kullanılan CPU zamanının kabul edilebilir düzeyde olması, her iki doğa-esinli algoritmanın da gerçek boyutlu ağlar için kullanılabileceğini doğrulamaktadır. İkinci aşamada, hataya bağışık sanal topoloji tasarımı problemini bir bütün halinde çözmek için dört farklı üst-sezgisel yöntem önerilmektedir. Önerilen üst-sezgisel yöntemler alt seviyedeki sezgiselleri seçme asamasında dört farklı yöntem kullanmaktadır: evrimsel algoritmalar, benzetimli tavlama, karınca kolonisi optimizasyonu ve uyarlamalı yinelenen yapıcı arama. Deneysel sonuçlar tüm üst-sezgisel yöntemlerin hataya bağışık sanal topoloji tasarımı problemini çözmede başarılı olduğunu göstermektedir. Ancak, karınca kolonisi optimizasyonu tabanlı üst-sezgisel diğerlerine göre daha üstün sonuçlar vermektedir. Işıkyolları üzerindeki trafik akışını dengelemek için, karınca kolonisi optimizasyonu tabanlı üst-sezgisele akış deviasyonu yöntemi de eklenmiştir. Literatürde hataya bağışık sanal topoloji tasarımı problemini ele alan tüm çalışmalar çift fiber kopması durumunu gözardı etmektedir. Bu çalışmada, önerdiğimiz üst-sezgisel yöntemin başarımını hem tek hem de çift fiber kopması durumları için değerlendirdik. Önerdiğimiz yöntem çoklu fiber kopması durumları için çok kolay şekilde adapte edilebilmektedir. Tek yapılması gereken hataya bağışıklık kontrolünü yapan yordamın değiştirilmesidir. Deneysel sonuçlar göstermiştir ki, önerdiğimiz karınca kolonisi optimizasyonu tabanlı üst-sezgisel hataya bağışık sanal topoloji tasarımı problemini hem tek hem de çift fiber kopması durumları için kabul edilebilir bir sürede çözebilmektedir. Üst-sezgisel yöntemlerin hataya bağışık sanal topoloji tasarımı çözmedeki başarımını değerlendirebilmek amacıyla, karınca kolonisi optimizasyonu tabanlı üst-sezgiselle elde edilen sonuçlar, literatürde bu problem için önerilmiş başka bir yöntemle karşılaştırılmıştır. Sonuçlar üst-sezgisel yöntemlerin, çok daha az CPU zamanı kullanarak, problem için daha kaliteli çözümler verdiğini göstermektedir.Today, computer networking has become an integral part of our daily life. The steady increase in user demands of high speed and high bandwidth networks causes researchers to seek out new methods and algorithms to meet these demands. The transmission speed in the network is directly affected by the transmission medium. The most effective medium to transmit data is the fiber. Optical networks are designed for the best usage of the superior properties of the fiber, e.g. high speed, high bandwidth, low bit error rate, low attenuation, physical strength, cheapness, etc. The world's communication network infrastructure, from backbone networks to access networks, is consistently turning into optical networks. One of the most important properties of the optical networks is the data transmission rate (up to 50 Tb/s on a single fiber). Today, with the help of the wavelength division multiplexing (WDM) technology, hundreds of channels can be built on a single fiber. WDM is a technology in which the optical transmission is split into a number of non-overlapping wavelength bands, with each wavelength supporting a single communication channel operating at the desired rate. Since multiple WDM channels, also called lightpaths, can coexist on a single fiber, the huge fiber bandwidth can be utilized. Any damage to a physical link (fiber) on the network causes all the lightpaths routed through this link to be broken. Since huge data transmission (40 Gb/s) over each of these lightpaths is possible, such a damage results in a serious amount of data loss. Two different approaches can be used in order to avoid this situation: 1. Survivability on the physical layer, 2. Survivability on the virtual layer. The first approach is the problem of designing a backup link/path for each link/path of the optical layer. The second approach is the problem of designing the optical layer such that the optical layer remains connected in the event of a single or multiple link failure. While the first approach provides faster protection for time-critical applications (such as, IP phone, telemedicine) by reserving more resources, the second approach, i.e. the survivable virtual topology design, which has attracted a lot of attention in recent years, aims to protect connections using less resources. The problem that will be studied in this project is to develop methods for survivable virtual topology design, that enables effective usage of the resources. Survivable virtual topology design consists of four subproblems: determining a set of lightpaths (forming the virtual topology), routing these lightpaths on the physical topology (routing and wavelength assignment (RWA) problem), so that any single fiber cut does not disconnect the virtual topology (survivable virtual topology mapping), assigning wavelengths, and routing the packet traffic. Each of these subproblems can be solved separately. However, they are not independent problems and solving them one by one may degrade the quality of the final result considerably. Furthermore, the survivable virtual topology design is known to be NP-complete. Because of its complexity, it is not possible to solve the problem optimally in an acceptable amount of time using classical optimization techniques, for real-life sized networks. In this thesis, we solve the survivable virtual topology design problem as a whole, where the physical topology and the packet traffic intensities between nodes are given. In the first phase, we propose two different nature inspired heuristics to find a survivable mapping of a given virtual topology with minimum resource usage. Evolutionary algorithms and ant colony optimization algorithms are applied to the problem. To assess the performance of the proposed algorithms, we compare the experimental results with those obtained through integer linear programming. The results show that both of our algorithms can solve the problem even for large-scale network topologies for which a feasible solution cannot be found using integer linear programming. Moreover, the CPU time and the memory used by the nature inspired heuristics is much lower. In the second phase, we propose four different hyper-heuristic approaches to solve the survivable virtual topology design problem as a whole. Each hyper-heuristic approach is based on a different category of nature inspired heuristics: evolutionary algorithms, ant colony optimization, simulated annealing, and adaptive iterated constructive search. Experimental results show that, all proposed hyper-heuristic approaches are successful in designing survivable virtual topologies. Furthermore, the ant colony optimization based hyper-heuristic outperforms the others. To balance the traffic flow over lightpaths, we adapt a flow-deviation method to the ant colony optimization based hyper-heuristic approach. We explore the performance of our hyper-heuristic approach for both single and double-link failures. The proposed approach can be applied to the multiple-link failure problem instances by only changing the survivability control routine. The experimental results show that our approach can solve the problem for both single-link and double-link failures in a reasonable amount of time. To evaluate the quality of the HH approach solutions, we compare these results with the results obtained using tabu search approach. The results show that HH approach outperforms tabu search approach both in solution quality and CPU time.DoktoraPh