This work addresses a critical yet previously overlooked overflow risk in CKKS-based homomorphic encryption for neural networks, where inputs to activation functions often exceed the valid interval of their polynomial approximations, leading to inference errors or complete failure. The study is the first to formally identify this vulnerability and proposes a provably overflow-free neural network design methodology. By rigorously computing tight upper and lower bounds on neuron outputs through formal verification and integrating these bounds into constrained polynomial approximations of activation functions, the approach guarantees that all intermediate values remain within safe numerical ranges. Compatible with existing CKKS frameworks, the method reduces inference failure rates—from as high as 47% down to 0% across multiple benchmarks—enabling fully reliable encrypted inference.

Fully homomorphic encryption (FHE) enables private inference by evaluating neural networks on encrypted data. In this way, we can delegate the computation to a third party server without ever revealing the user's data. Currently, the CKKS scheme is the backbone of most efficient FHE implementations, but it only supports addition, multiplication, and array rotation operations, thus requiring all activation functions of the neural network to be approximated by polynomials within a certain interval, imposing strict design tolerances. In this paper, we demonstrate for the first time that this scheme is vulnerable to overflow attacks, i.e., seemingly benign inputs that can exceed such tolerances of the FHE circuit, thereby causing corrupt and unusable outputs. To avoid them, we propose a formal verification technique that computes certified bounds on the ranges of all neurons in the network. By construction, our method eliminates overflows and, in our experiments, removed observed overflows on all benchmarks, reducing failure rates from up to 47% to 0%. Moreover, our overflow-free solution is compatible with most CKKS-based frameworks, as it allows to simply substitute standard polynomials by polynomials with rigorously designed ranges.