Encrypted Neural Networks without Overflows
Researchers have demonstrated that the CKKS fully homomorphic encryption scheme, widely used for private neural network inference, is vulnerable to overflow attacks that can corrupt outputs, and they have proposed a formal verification technique that eliminated such failures in benchmarks [1]. Fully homomorphic encryption allows a third-party server to evaluate neural networks on encrypted data without ever seeing the user's plaintext inputs [2]. The CKKS scheme underpins most efficient FHE implementations today, but its arithmetic is limited to addition, multiplication, and array rotation [1]. Because of this constraint, all activation functions inside the network must be approximated by polynomials that are accurate only within a specific numerical interval, imposing strict design tolerances on the FHE circuit [1]. The paper, posted to arXiv on 21 May 2026, shows for the first time that these tolerances can be exploited. Seemingly benign inputs can push intermediate neuron values outside the safe approximation interval, triggering an overflow that renders the output corrupt and unusable [1]. Before the proposed fix, the observed failure rate across benchmarks reached as high as 47% [1]. To counter the vulnerability, the authors developed a formal verification technique that computes certified bounds on the range of every neuron in the network [1]. By substituting standard polynomial approximations with polynomials whose ranges have been rigorously designed, the method removes overflows by construction [2]. In experiments, the technique reduced the failure rate from up to 47% to 0% on all tested benchmarks [1]. The solution is compatible with most CKKS-based frameworks, requiring only a substitution of the activation polynomials [2]. Language model benchmarks, which are standardized tests used to evaluate model performance on tasks such as question answering and text classification, rely on consistent and accurate inference outputs [4]. Overflow-induced corruption during private inference would undermine the reliability of such evaluations, making the verified bounds approach relevant for secure benchmarking scenarios [1][4]. The work does not require changes to the underlying CKKS scheme or the server-side FHE circuit topology, preserving the privacy guarantees that make the scheme attractive for delegated computation [2].
research-paperinfrastructure
Background sources we checked (4)
- arxiv.org ↗ Fully homomorphic encryption (FHE) enables private inference by evaluating neural networks on encrypted data. In this way, we can delegate the computation to a third party server without ever revealing the user's data. Currently, the CKKS scheme is the backbone of most efficient …
- en.wikipedia.org ↗ Google Chrome is a cross-platform web browser developed by Google. It was launched in 2008 for Microsoft Windows and was built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, iPadOS, and Android, where it is…
- en.wikipedia.org ↗ A language model benchmark is a standardized test designed to evaluate the performance of language models on various natural language processing tasks. These tests are intended for comparing different models' capabilities in areas such as language understanding, generation, and r…
- en.wikipedia.org ↗ Android Nougat (codenamed Android N during development) is the seventh major version and 14th version of the Android operating system. First released as an alpha test version on March 9, 2016, it was officially released on August 22, 2016, with Nexus devices being the first to re…
Sources
- export.arxiv.org — Encrypted Neural Networks without Overflows ↗