Encrypted Neural Networks without Overflows

Alberto Leporati; Carsten Sinz; Edoardo Manino; Lorenzo Rovida; Philipp Kern; Samuel Teuber

arxiv: 2605.23096 · v1 · pith:XVAIFCCLnew · submitted 2026-05-21 · 💻 cs.CR · cs.LG

Encrypted Neural Networks without Overflows

Philipp Kern , Lorenzo Rovida , Samuel Teuber , Edoardo Manino , Carsten Sinz , Alberto Leporati This is my paper

Pith reviewed 2026-05-25 05:17 UTC · model grok-4.3

classification 💻 cs.CR cs.LG

keywords fully homomorphic encryptionCKKS schemeneural network inferenceoverflow attacksformal verificationpolynomial approximationprivate inference

0 comments

The pith

A formal verification technique computes certified bounds on all neuron activations to eliminate overflows in CKKS-based encrypted neural network inference.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that CKKS homomorphic encryption for neural networks is vulnerable to overflow attacks, where inputs outside the polynomial approximation intervals produce corrupt outputs even from seemingly normal data. It introduces a verification procedure that derives sound bounds on the possible range of every neuron activation across the entire input domain. These bounds allow replacement of standard approximation polynomials with ones whose ranges are guaranteed to contain all activations. In experiments the approach removed every observed overflow and reduced failure rates from as high as 47 percent to zero while remaining compatible with existing CKKS frameworks.

Core claim

CKKS-based encrypted neural networks admit overflow attacks from benign inputs that exceed the design tolerances of the polynomial approximations; a formal verification procedure that computes certified bounds on every neuron activation for all possible inputs removes these overflows by construction and yields failure-free inference on all tested benchmarks.

What carries the argument

A formal verification procedure that computes sound and sufficiently tight bounds on the ranges of all neurons in the network for all possible inputs.

If this is right

Overflows are eliminated by construction in the encrypted circuit.
Observed failure rates drop from up to 47 percent to zero across all benchmarks.
Existing CKKS frameworks can adopt the method by substituting standard polynomials with ones whose ranges match the certified neuron bounds.
Private inference remains functional for every input without producing unusable outputs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same bound-computation method could be applied to other range-constrained homomorphic schemes beyond CKKS.
Integrating the verification step into the training loop might produce networks whose activations are easier to bound tightly.
Adversarial input generation could be used to test whether the certified bounds are tight enough in practice.

Load-bearing premise

The formal verification procedure produces sound and sufficiently tight bounds on every neuron activation for all possible inputs the network may receive.

What would settle it

An input drawn from the assumed input domain that still produces an overflow or corrupt output after the certified bounds are used to select the approximation polynomials.

Figures

Figures reproduced from arXiv: 2605.23096 by Alberto Leporati, Carsten Sinz, Edoardo Manino, Lorenzo Rovida, Philipp Kern, Samuel Teuber.

**Figure 2.** Figure 2: Designing CKKS neural networks requires approximating activations within their expected [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Polynomial approximations diverge to ±∞ outside of the approximation interval. Sampling-based design. The most common approach to compute ranges is based on observations from a dataset D sampled from the training data distribution. For intermediate layers l, bounds l (l) , u (l) are computed, such that l (l) ≤ f (l) (x) ≤ u (l) holds for all x ∈ D. Sampling-based estimates provide no guarantees outside the… view at source ↗

**Figure 4.** Figure 4: Approximation error for different activation functions: Smooth functions converge faster. [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗

**Figure 5.** Figure 5: Verified bound on the error |fπ(x) − f(x)| for networks with verified pre-activation bounds and error values sampled for networks constructed using sampled bounds. We show results for ReLU and GELU networks with heterogeneous polynomials per layer vs. networks with a single uniform polynomial per layer. for ReLU NNs with sampling-based bounds to the sampling error for GELU NNs with verified bounds, the GEL… view at source ↗

**Figure 6.** Figure 6: Grammar used in our Julia → OpenFHE compiler definition and automatically evaluates the network. In practice, we implemented methods to evaluate the ⟨linear-layer⟩ and ⟨chebyshev-layer⟩ tuples automatically7 . Automatic evaluation of linear layers. We implemented simple algorithms to evaluate linear layers. We first define the following encodings. Definition D.1 (Repeated encoding). Given a vector v ∈ R n,… view at source ↗

**Figure 7.** Figure 7: Polynomial approximation error for approximation intervals of different sizes and Bernstein [PITH_FULL_IMAGE:figures/full_fig_p023_7.png] view at source ↗

**Figure 8.** Figure 8: Case distinction for improved GELU relaxation. In an attempt to compute tighter bounds for Equation (2) for the GELU activation, we tried to improve upon the parameterized GELU relaxation given by Shi et al. [71] used in α-CROWN [24]. While our relaxation achieves bounds that are significantly tighter at parameter initialization, the difference to the relaxation by Shi et al. after parameter optimization i… view at source ↗

**Figure 9.** Figure 9: Realistic perturbations of MNIST images which lead to overflow attacks [PITH_FULL_IMAGE:figures/full_fig_p028_9.png] view at source ↗

**Figure 10.** Figure 10: Runtime of certified design and additional ablation results for Collins RUL. [PITH_FULL_IMAGE:figures/full_fig_p028_10.png] view at source ↗

**Figure 11.** Figure 11: Perturbed CIFAR 10.1 images on which the large CIFAR NN is vulnerable to an overflow [PITH_FULL_IMAGE:figures/full_fig_p030_11.png] view at source ↗

read the original abstract

Fully homomorphic encryption (FHE) enables private inference by evaluating neural networks on encrypted data. In this way, we can delegate the computation to a third party server without ever revealing the user's data. Currently, the CKKS scheme is the backbone of most efficient FHE implementations, but it only supports addition, multiplication, and array rotation operations, thus requiring all activation functions of the neural network to be approximated by polynomials within a certain interval, imposing strict design tolerances. In this paper, we demonstrate for the first time that this scheme is vulnerable to overflow attacks, i.e., seemingly benign inputs that can exceed such tolerances of the FHE circuit, thereby causing corrupt and unusable outputs. To avoid them, we propose a formal verification technique that computes certified bounds on the ranges of all neurons in the network. By construction, our method eliminates overflows and, in our experiments, removed observed overflows on all benchmarks, reducing failure rates from up to 47% to 0%. Moreover, our overflow-free solution is compatible with most CKKS-based frameworks, as it allows to simply substitute standard polynomials by polynomials with rigorously designed ranges.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Paper flags real overflow attacks on CKKS NN inference and supplies a verification method that cuts observed failures to zero in their tests, but the soundness transfer after polynomial substitution is the part that needs checking.

read the letter

The core takeaway is that standard CKKS polynomial approximations for activations can be driven outside their valid range by certain inputs, corrupting the output, and the authors give a formal bound-computation step to pick safer polynomials instead. They claim this is the first explicit treatment of the attack and the first use of verification to certify the ranges ahead of time. Their experiments on the benchmarks show the failure rate dropping from as high as 47 % to 0 %, which is the practical payoff. The approach is also designed to drop into existing CKKS frameworks by simple substitution, so it does not require rewriting the crypto layer. That combination of a demonstrated vulnerability plus a drop-in mitigation is the useful part. The potential weak point is exactly the one in the stress-test note: if the range analysis is performed on the original network or on placeholder activations rather than on the final substituted polynomials, or if it relies on an input interval that is not justified for all possible inputs, then the “by construction” guarantee does not automatically carry over to the deployed circuit. The abstract asserts soundness, but the details of how the verification propagates through the approximation step are what matter. This work is aimed at people already building or auditing CKKS-based private inference pipelines. It is the sort of concrete reliability fix that deserves referee time even if the bounds turn out to need tightening in follow-up work. I would send it to review and ask specifically for a clear walk-through of the verification on the approximated network.

Referee Report

3 major / 2 minor

Summary. The paper identifies that CKKS-based FHE neural network inference is vulnerable to overflow attacks, where inputs cause neuron activations to exceed the intervals for which activation polynomials were fitted, producing corrupt outputs (failure rates up to 47%). It proposes a formal verification procedure that computes certified bounds on all neuron ranges from the network structure and activation intervals; these bounds are then used to select or design polynomials whose ranges provably contain the activations, eliminating overflows by construction. Experiments on benchmarks show the method reduces observed failure rates to 0% while remaining compatible with existing CKKS frameworks via simple polynomial substitution.

Significance. If the verification procedure is sound for the substituted polynomials and all admissible inputs, the result is significant: it supplies the first systematic defense against a concrete correctness attack on practical FHE-ML pipelines. The 'by construction' guarantee and framework compatibility are practical strengths that could be adopted without redesigning existing encrypted-inference stacks.

major comments (3)

[Abstract / §3] Abstract (technique paragraph) and §3 (verification procedure): the central 'by construction' claim requires that the certified bounds remain valid after each activation is replaced by its polynomial approximant. The description does not state whether interval or abstract-interpretation propagation is performed on the original network or on the network containing the chosen polynomials; if the former, soundness does not transfer to the deployed circuit.
[Abstract / Experiments] Abstract (experiments paragraph): the reported 0% failure rate is obtained on 'all benchmarks,' yet no explicit statement appears that the test inputs were drawn from (or exhaustively cover) the input domain used to compute the certified neuron bounds. Without this link, the experimental result does not confirm that the verification is tight enough for the inputs the network may actually receive.
[§4] §4 (bound computation): the method is said to derive bounds 'from the network structure and activation intervals independently.' If the activation intervals themselves are obtained from the original (non-polynomial) network, the substitution step may enlarge the reachable ranges, violating the claimed independence and the overflow-free guarantee.

minor comments (2)

[Notation] Notation for the certified bounds (e.g., lower/upper symbols) is introduced without a consolidated table; a single reference table would improve readability.
[Abstract] The abstract states 'reducing failure rates from up to 47% to 0%' but does not name the benchmark or input distribution that produced the 47% figure; adding this detail would strengthen the comparison.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their thorough review and valuable comments. The points raised concern the clarity of the soundness argument and experimental validation. We address each major comment below and will revise the manuscript where needed to improve precision.

read point-by-point responses

Referee: [Abstract / §3] Abstract (technique paragraph) and §3 (verification procedure): the central 'by construction' claim requires that the certified bounds remain valid after each activation is replaced by its polynomial approximant. The description does not state whether interval or abstract-interpretation propagation is performed on the original network or on the network containing the chosen polynomials; if the former, soundness does not transfer to the deployed circuit.

Authors: We agree the description of the verification procedure leaves the network on which bounds are computed implicit. The certified bounds are obtained by propagating the activation intervals (i.e., the fitting domains of the chosen polynomials) through the network structure; the polynomials are subsequently selected to cover exactly those ranges. This construction ensures that, in the deployed circuit, every polynomial receives an input inside its certified interval. To remove ambiguity, we will revise the abstract and §3 to state explicitly that interval propagation uses the polynomial domains and that the resulting bounds therefore apply directly to the substituted circuit. revision: yes
Referee: [Abstract / Experiments] Abstract (experiments paragraph): the reported 0% failure rate is obtained on 'all benchmarks,' yet no explicit statement appears that the test inputs were drawn from (or exhaustively cover) the input domain used to compute the certified neuron bounds. Without this link, the experimental result does not confirm that the verification is tight enough for the inputs the network may actually receive.

Authors: The test inputs in the reported experiments are drawn from the same input domain that is assumed when computing the certified neuron bounds. We will add an explicit statement in the experiments section (and, space permitting, the abstract) confirming that every test input respects the input-domain assumptions used for bound certification, thereby linking the observed 0% failure rate to the verified guarantee. revision: yes
Referee: [§4] §4 (bound computation): the method is said to derive bounds 'from the network structure and activation intervals independently.' If the activation intervals themselves are obtained from the original (non-polynomial) network, the substitution step may enlarge the reachable ranges, violating the claimed independence and the overflow-free guarantee.

Authors: The activation intervals used in §4 are the predefined fitting intervals of the polynomial approximants; they are chosen independently of any concrete execution of the original network. Bounds are then derived solely from the network topology and these intervals. Because the polynomials are required to match the activation only inside the certified ranges, substitution cannot push subsequent neurons outside those ranges. We will revise §4 to state this independence explicitly and to emphasize that the intervals belong to the approximants rather than the original activations. revision: yes

Circularity Check

0 steps flagged

No significant circularity; bounds derived independently of polynomial fits

full rationale

The paper's derivation chain relies on a formal verification procedure that computes certified bounds on neuron activations from the network structure and input intervals. These bounds are then used to select polynomial ranges for activations. No quote shows the bounds being defined in terms of the fitted polynomials, nor any fitted input renamed as prediction, self-citation load-bearing the central claim, or ansatz smuggled via citation. The 'by construction' guarantee follows from substituting polynomials whose ranges are set to the verified bounds, without reducing to the inputs by definition. This is the most common honest non-finding.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only; no explicit free parameters, axioms, or invented entities are stated. The central claim implicitly rests on the soundness of the formal verifier and the assumption that neuron bounds can be computed without enumerating all inputs.

pith-pipeline@v0.9.0 · 5734 in / 1058 out tokens · 18428 ms · 2026-05-25T05:17:13.829874+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

82 extracted references · 82 canonical work pages · 3 internal anchors

[1]

Privacy-preserving neural networks with homomorphic encryption: C hallenges and opportunities.Peer-to-Peer Networking and Applications, 14(3):1666–1691, 2021

Bernardo Pulido-Gaytan, Andrei Tchernykh, Jorge M Cortés-Mendoza, Mikhail Babenko, Gleb Radchenko, Arutyun Avetisyan, and Alexander Yu Drozdov. Privacy-preserving neural networks with homomorphic encryption: C hallenges and opportunities.Peer-to-Peer Networking and Applications, 14(3):1666–1691, 2021

work page 2021
[2]

Mauro Ribeiro, Katarina Grolinger, and Miriam A.M. Capretz. Mlaas: Machine learning as a service. In2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA), pages 896–902, 2015. doi: 10.1109/ICMLA.2015.152

work page doi:10.1109/icmla.2015.152 2015
[3]

(leveled) fully homomorphic en- cryption without bootstrapping

Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic en- cryption without bootstrapping. InProceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS ’12, pages 309–325, 2012

work page 2012
[4]

Fully homomorphic encryption without modulus switching from classical gapsvp

Zvika Brakerski. Fully homomorphic encryption without modulus switching from classical gapsvp. InAdvances in Cryptology – CRYPTO 2012, CRYPTO ’12, pages 868–886, 2012

work page 2012
[5]

Somewhat practical fully homomorphic encryption

Junfeng Fan and Frederik Vercauteren. Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Paper 2012/144, 2012

work page 2012
[6]

Faster fully ho- momorphic encryption: Bootstrapping in less than 0.1 seconds

Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. Faster fully ho- momorphic encryption: Bootstrapping in less than 0.1 seconds. InAdvances in Cryptology – ASIACRYPT 2016, pages 3–33, 2016

work page 2016
[7]

Homomorphic encryption for arithmetic of approximate numbers

Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song. Homomorphic encryption for arithmetic of approximate numbers. InAdvances in Cryptology – ASIACRYPT 2017, pages 409–437, 2017

work page 2017
[8]

Precise approximation of convolutional neural networks for homomorphically encrypted data,

Junghyun Lee, Eunsang Lee, Joon-Woo Lee, Yongjune Kim, Young-Sik Kim, and Jong-Seon No. Precise approximation of convolutional neural networks for homomorphically encrypted data.IEEE Access, 11:62062–62076, 2023. doi: 10.1109/ACCESS.2023.3287564

work page doi:10.1109/access.2023.3287564 2023
[9]

Transformer-based language models and homomorphic encryption: An intersection with bert-tiny

Lorenzo Rovida and Alberto Leporati. Transformer-based language models and homomorphic encryption: An intersection with bert-tiny. InProceedings of the 10th ACM International Workshop on Security and Privacy Analytics, pages 3–13, 2024

work page 2024
[10]

Scaling up privacy-preserving ML: A CKKS implementation of Llama-2-7B, 2026

Jaiyoung Park, Sejin Park, Jai Hyun Park, Jung Ho Ahn, Jung Hee Cheon, Guillaume Hanrot, Jung Woo Kim, Minje Park, and Damien Stehlé. Scaling up privacy-preserving ML: A CKKS implementation of Llama-2-7B, 2026

work page 2026
[11]

Minimax approximation of sign function by composite polynomial for homomorphic comparison.IEEE Transactions on Dependable and Secure Computing, 19(6):3711–3727, 2022

Eunsang Lee, Joon-Woo Lee, Jong-Seon No, and Young-Sik Kim. Minimax approximation of sign function by composite polynomial for homomorphic comparison.IEEE Transactions on Dependable and Secure Computing, 19(6):3711–3727, 2022. doi: 10.1109/TDSC.2021. 3105111

work page doi:10.1109/tdsc.2021 2022
[12]

Orion: A fully homomorphic encryption framework for deep learning

Austin Ebel, Karthik Garimella, and Brandon Reagen. Orion: A fully homomorphic encryption framework for deep learning. InProceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, ASPLOS ’25, page 734–749, New York, NY , USA, 2025. Association for Computing Machinery. ISBN 97984...

work page doi:10.1145/3676641.3716008 2025
[13]

Certified private inference on neural networks via lipschitz-guided abstraction refinement

Edoardo Manino, Bernardo Magri, Mustafa A Mustafa, and Lucas C Cordeiro. Certified private inference on neural networks via lipschitz-guided abstraction refinement. In6th Workshop on Formal Methods for ML-Enabled Autonomous Systems (FoMLAS 2023), July 17-18, 2023, Paris, France, 2023

work page 2023
[14]

Certified error analysis of homomorphically encrypted neural networks

Philipp Kern, Edoardo Manino, and Carsten Sinz. Certified error analysis of homomorphically encrypted neural networks. In Mirco Giacobbe and Anna Lukina, editors,AI Verification, pages 156–179, Cham, 2026. Springer Nature Switzerland. ISBN 978-3-031-99991-8. 11

work page 2026
[15]

On the number of nonscalar multiplications necessary to evaluate polynomials.SIAM Journal on Computing, 2(1):60–66, 1973

Michael S Paterson and Larry J Stockmeyer. On the number of nonscalar multiplications necessary to evaluate polynomials.SIAM Journal on Computing, 2(1):60–66, 1973

work page 1973
[16]

Improved bootstrapping for approximate homomorphic encryption

Hao Chen, Ilaria Chillotti, and Yongsoo Song. Improved bootstrapping for approximate homomorphic encryption. InAdvances in Cryptology – EUROCRYPT 2019, pages 34–54, 2019

work page 2019
[17]

Openfhe: Open- source fully homomorphic encryption library

Ahmad Al Badawi, Jack Bates, Flavio Bergamaschi, David Bruce Cousins, Saroja Erabelli, Nicholas Genise, Shai Halevi, Hamish Hunt, Andrey Kim, Yongwoo Lee, Zeyu Liu, Daniele Micciancio, Ian Quah, Yuriy Polyakov, Saraswathy R.V ., Kurt Rohloff, Jonathan Saylor, Dmitriy Suponitsky, Matthew Triplett, Vinod Vaikuntanathan, and Vincent Zucca. Openfhe: Open- sou...

work page 2022
[18]

On ideal lattices and learning with errors over rings

Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. InAdvances in Cryptology – EUROCRYPT 2010, pages 1–23, 2010

work page 2010
[19]

Bootstrapping for approximate homomorphic encryption

Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, and Yongsoo Song. Bootstrapping for approximate homomorphic encryption. InAdvances in Cryptology – EUROCRYPT 2018, pages 360–384, 2018

work page 2018
[20]

Privacy- preserving machine learning with fully homomorphic encryption for deep neural network.IEEE Access, 10:30039–30054, 2022

Joon-Woo Lee, Hyungchul Kang, Yongwoo Lee, Woosuk Choi, Jieun Eom, Maxim Deryabin, Eunsang Lee, Junghyun Lee, Donghoon Yoo, Young-Sik Kim, and Jong-Seon No. Privacy- preserving machine learning with fully homomorphic encryption for deep neural network.IEEE Access, 10:30039–30054, 2022. doi: 10.1109/ACCESS.2022.3159694

work page doi:10.1109/access.2022.3159694 2022
[21]

Towards deep learning models resistant to adversarial attacks

Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. In6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings. OpenReview.net, 2018. URL https://openreview.net/ forum?...

work page 2018
[22]

Sur un procédé convergent d’approximations successives pour déterminer les polynômes d’approximation.CR Acad

Eugene Remes. Sur un procédé convergent d’approximations successives pour déterminer les polynômes d’approximation.CR Acad. Sci. Paris, 198:2063–2065, 1934

work page 2063
[23]

Revisiting differential verification: Equivalence verification with confidence

Samuel Teuber, Philipp Kern, Marvin Janzen, and Bernhard Beckert. Revisiting differential verification: Equivalence verification with confidence. In Arie Gurfinkel and Marijn Heule, editors,Tools and Algorithms for the Construction and Analysis of Systems - 31st International Conference, TACAS 2025, Held as Part of the International Joint Conferences on T...

work page doi:10.1007/978-3-031-90653-4_13 2025
[24]

Fast and complete: Enabling complete neural network verification with rapid and massively parallel incomplete verifiers

Kaidi Xu, Huan Zhang, Shiqi Wang, Yihan Wang, Suman Jana, Xue Lin, and Cho-Jui Hsieh. Fast and complete: Enabling complete neural network verification with rapid and massively parallel incomplete verifiers. InProc. of the 9th International Conference on Learning Repre- sentations(ICLR’21), Virtual Event, Austria, May 3-7, 2021. OpenReview.net, 2021

work page 2021
[25]

Trefethen.Approximation Theory and Approximation Practice

Lloyd N. Trefethen.Approximation Theory and Approximation Practice. SIAM, 2019. URL https://epubs.siam.org/doi/book/10.1137/1.9781611975949

work page doi:10.1137/1.9781611975949 2019
[26]

Moore.Interval Analysis

Ramon E. Moore.Interval Analysis. Prentice-Hall, Englewood Cliffs, NJ, 1966

work page 1966
[27]

ReluDiff: differential verification of deep neural networks

Brandon Paulsen, Jingbo Wang, and Chao Wang. ReluDiff: differential verification of deep neural networks. In Gregg Rothermel and Doo-Hwan Bae, editors,ICSE ’20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June - 19 July, 2020, pages 714–

work page 2020
[28]

doi: 10.1145/3377811.3380337

ACM, 2020. doi: 10.1145/3377811.3380337

work page doi:10.1145/3377811.3380337 2020
[29]

NeuroDiff: scalable differential verification of neural networks using fine-grained approximation

Brandon Paulsen, Jingbo Wang, Jiawei Wang, and Chao Wang. NeuroDiff: scalable differential verification of neural networks using fine-grained approximation. In35th IEEE/ACM Inter- national Conference on Automated Software Engineering, ASE 2020, Melbourne, Australia, September 21-25, 2020, pages 784–796. IEEE, 2020. doi: 10.1145/3324884.3416560. 12

work page doi:10.1145/3324884.3416560 2020
[30]

Input-relational verification of deep neural networks.Proc

Debangshu Banerjee, Changming Xu, and Gagandeep Singh. Input-relational verification of deep neural networks.Proc. ACM Program. Lang., 8(PLDI):1–27, 2024. doi: 10.1145/3656377. URLhttps://doi.org/10.1145/3656377

work page doi:10.1145/3656377 2024
[31]

Fico explainable machine learning challenge, 2018

FICO. Fico explainable machine learning challenge, 2018. URL https://community.fico. com/s/explainable-machinelearning-challenge

work page 2018
[32]

Electricity smart metering customer behaviour trials (cbt) findings report, 2011

Commission for Energy Regulation. Electricity smart metering customer behaviour trials (cbt) findings report, 2011

work page 2011
[33]

Learning multiple layers of features from tiny images

Alex Krizhevsky and Geoffrey Hinton. Learning multiple layers of features from tiny images. Technical Report 0, University of Toronto, Toronto, Ontario, 2009. URL https://www.cs. toronto.edu/~kriz/learning-features-2009-TR.pdf

work page 2009
[34]

Nn4sysbench: Characterizing neural network verification for computer systems

Shuyi Lin, Haoyu He, Tianhao Wei, Kaidi Xu, Huan Zhang, Gagandeep Singh, Changliu Liu, and Cheng Tan. Nn4sysbench: Characterizing neural network verification for computer systems. In Amir Globersons, Lester Mackey, Danielle Belgrave, Angela Fan, Ulrich Paquet, Jakub M. Tomczak, and Cheng Zhang, editors,Advances in Neural Information Processing Systems 38:...

work page 2024
[35]

Dmitrii Kirov, Simone Fulvio Rollini, Luigi Di Guglielmo, and Darren D. Cofer. Formal verification of a neural network based prognostics system for aircraft equipment. In Bernhard Steffen, editor,Bridging the Gap Between AI and Reality - First International Conference, AISoLA 2023, Crete, Greece, October 23-28, 2023, Proceedings, Lecture Notes in Computer...

work page doi:10.1007/978-3-031-46002-9 2023
[36]

Dickerson

Konstantin Kaulen, Tobias Ladner, Stanley Bak, Christopher Brix, Hai Duong, Thomas Flinkow, Taylor T. Johnson, Lukas Koller, Edoardo Manino, ThanhVu H. Nguyen, and Haoze Wu. The 6th international verification of neural networks competition (VNN-COMP 2025): Summary and results.CoRR, abs/2512.19007, 2025. doi: 10.48550/ARXIV .2512.19007. URL https: //doi.or...

work page internal anchor Pith review doi:10.48550/arxiv 2025
[37]

Estimating or Propagating Gradients Through Stochastic Neurons for Conditional Computation

Yoshua Bengio, Nicholas Léonard, and Aaron C. Courville. Estimating or propagating gradients through stochastic neurons for conditional computation.CoRR, abs/1308.3432, 2013. URL http://arxiv.org/abs/1308.3432

work page internal anchor Pith review Pith/arXiv arXiv 2013
[38]

Jonathan J. Hull. A database for handwritten text recognition research.IEEE Trans. Pattern Anal. Mach. Intell., 16(5):550–554, 1994. doi: 10.1109/34.291440. URL https://doi.org/ 10.1109/34.291440

work page doi:10.1109/34.291440 1994
[39]

Antonio Torralba, Rob Fergus, and William T. Freeman. 80 million tiny images: A large data set for nonparametric object and scene recognition.IEEE Transactions on Pattern Analysis and Machine Intelligence, 30(11):1958–1970, 2008

work page 1958
[40]

Do CIFAR-10 Classifiers Generalize to CIFAR-10?

Benjamin Recht, Rebecca Roelofs, Ludwig Schmidt, and Vaishaal Shankar. Do cifar-10 classifiers generalize to cifar-10? 2018.https://arxiv.org/abs/1806.00451

work page internal anchor Pith review Pith/arXiv arXiv 2018
[41]

Curtis, Erin Hales, Sean Murphy, Tabitha Ogilvie, and Rachel Player

Anamaria Costache, Benjamin R. Curtis, Erin Hales, Sean Murphy, Tabitha Ogilvie, and Rachel Player. On the precision loss in approximate homomorphic encryption. InSelected Areas in Cryptography – SAC 2023: 30th International Conference, Fredericton, Canada, August 14–18, 2023, Revised Selected Papers, pages 325–345, 2023

work page 2023
[42]

Accurate and composable noise estimates for CKKS with application to exact HE computation.IACR Communications in Cryptology, 2(2), 2025

Jean-Philippe Bossuat, Anamaria Costache, Christian Mouchet, Lea Nürnberger, and Juan Ramón Troncoso-Pastoriza. Accurate and composable noise estimates for CKKS with application to exact HE computation.IACR Communications in Cryptology, 2(2), 2025

work page 2025
[43]

Neujeans: Private neural network inference with joint optimization of convolution and fhe bootstrapping

Jae Hyung Ju, Jaiyoung Park, Jongmin Kim, Minsik Kang, Donghwan Kim, Jung Hee Cheon, and Jung Ho Ahn. Neujeans: Private neural network inference with joint optimization of convolution and fhe bootstrapping. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS ’24, pages 4361–4375, 2024. 13

work page 2024
[44]

On data banks and privacy homomorphisms

R L Rivest, L Adleman, and M L Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, Academia Press, pages 169–179, 1978

work page 1978
[45]

Fully homomorphic encryption using ideal lattices

Craig Gentry. Fully homomorphic encryption using ideal lattices. InProceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC ’09, pages 169–178, 2009

work page 2009
[46]

On lattices, learning with errors, random linear codes, and cryptography.J

Oded Regev. On lattices, learning with errors, random linear codes, and cryptography.J. ACM, 56(6), September 2009

work page 2009
[47]

Fhew: Bootstrapping homomorphic encryption in less than a second

Léo Ducas and Daniele Micciancio. Fhew: Bootstrapping homomorphic encryption in less than a second. InAdvances in Cryptology – EUROCRYPT 2015, pages 617–640, 2015

work page 2015
[48]

Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based

Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. InAdvances in Cryptology – CRYPTO 2013, pages 75–92, 2013

work page 2013
[49]

TT-TFHE: a torus fully homomorphic encryption-friendly neural network architecture.Transactions on Machine Learning Research, 2025

Adrien Benamira, Tristan Guérand, Thomas Peyrin, and Sayandeep Saha. TT-TFHE: a torus fully homomorphic encryption-friendly neural network architecture.Transactions on Machine Learning Research, 2025

work page 2025
[50]

N. P. Smart and F. Vercauteren. Fully homomorphic simd operations.Design, Codes and Cryptography, 71(1):57–81, 4 2014

work page 2014
[51]

Bfv, ckks, tfhe: Which one is the best for a secure neural network evaluation in the cloud? InApplied Cryptography and Network Security Workshops, pages 279–300, 2021

Pierre-Emmanuel Clet, Oana Stan, and Martin Zuber. Bfv, ckks, tfhe: Which one is the best for a secure neural network evaluation in the cloud? InApplied Cryptography and Network Security Workshops, pages 279–300, 2021

work page 2021
[52]

High-precision arithmetic in homomor- phic encryption

Hao Chen, Kim Laine, Rachel Player, and Yuhou Xia. High-precision arithmetic in homomor- phic encryption. InTopics in Cryptology – CT-RSA 2018, pages 116–136, 2018

work page 2018
[53]

Homomorphic multiple precision multiplication for ckks and reduced modulus consumption

Jung Hee Cheon, Wonhee Cho, Jaehyung Kim, and Damien Stehlé. Homomorphic multiple precision multiplication for ckks and reduced modulus consumption. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 696–710, 2023

work page 2023
[54]

Fully homomorphic encryption for cyclotomic prime moduli

Robin Geelen and Frederik Vercauteren. Fully homomorphic encryption for cyclotomic prime moduli. InAdvances in Cryptology – EUROCRYPT 2025, EUROCRYPT ’25, page 366–397, 2025

work page 2025
[55]

Homomorphic encryption for large integers from nested residue number systems

Dan Boneh and Jaehyung Kim. Homomorphic encryption for large integers from nested residue number systems. InAdvances in Cryptology – CRYPTO 2025, 2025

work page 2025
[56]

Faster homomorphic integer computer

Jaehyung Kim. Faster homomorphic integer computer. Cryptology ePrint Archive, Paper 2025/1440, 2025. URLhttps://eprint.iacr.org/2025/1440

work page 2025
[57]

A flexible and polynomial framework for integer arithmetic in CKKS

Lorenzo Rovida. A flexible and polynomial framework for integer arithmetic in CKKS. Cryp- tology ePrint Archive, Paper 2026/450, 2026

work page 2026
[58]

Matrigear: Accelerating authenticated matrix triple generation with scalable prime fields via optimized he packing

Hyunho Cha, Intak Hwang, Seonhong Min, Jinyeong Seo, and Yongsoo Song. Matrigear: Accelerating authenticated matrix triple generation with scalable prime fields via optimized he packing. In2025 IEEE Symposium on Security and Privacy (S&P), pages 2453–2471, 2025

work page 2025
[59]

High-precision exact FHE made simple, general, and fast

Chris Peikert, Doron Zarchy, and Guy Zyskind. High-precision exact FHE made simple, general, and fast. Cryptology ePrint Archive, Paper 2025/2321, 2025

work page 2025
[60]

Tfhe gets real: an efficient and flexible homomorphic floating-point arithmetic.IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(2):126–162, Mar

Loris Bergerat, Ilaria Chillotti, Damien Ligier, Jean-Baptiste Orfila, and Samuel Tap. Tfhe gets real: an efficient and flexible homomorphic floating-point arithmetic.IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(2):126–162, Mar. 2025

work page 2025
[61]

Approximate homomorphic encryp- tion with reduced approximation error

Andrey Kim, Antonis Papadimitriou, and Yuriy Polyakov. Approximate homomorphic encryp- tion with reduced approximation error. InTopics in Cryptology – CT-RSA 2022: Cryptographers’ Track at the RSA Conference 2022, Virtual Event, March 1–2, 2022, Proceedings, pages 120– 144, 2022. 14

work page 2022
[62]

Bleach: Cleaning errors in discrete computations over ckks.J

Nir Drucker, Guy Moshkowich, Tomer Pelleg, and Hayim Shaul. Bleach: Cleaning errors in discrete computations over ckks.J. Cryptol., 37(1), 11 2023. ISSN 0933-2790. doi: 10.1007/s00145-023-09483-1

work page doi:10.1007/s00145-023-09483-1 2023
[63]

On the security of homomorphic encryption on approxi- mate numbers

Baiyu Li and Daniele Micciancio. On the security of homomorphic encryption on approxi- mate numbers. InAdvances in Cryptology – EUROCRYPT 2021: 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, page 648–677, 2021

work page 2021
[64]

Attacks against the ind-cpad security of exact fhe schemes

Jung Hee Cheon, Hyeongmin Choe, Alain Passelègue, Damien Stehlé, and Elias Suvanto. Attacks against the ind-cpad security of exact fhe schemes. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS ’24, page 2505–2519,

work page 2024
[65]

doi: 10.1145/3658644.3690341

work page doi:10.1145/3658644.3690341
[66]

EncryptedLLM: Privacy-preserving large language model inference via GPU-accelerated fully homomorphic encryption

Leo de Castro, Daniel Escudero, Adya Agrawal, Antigoni Polychroniadou, and Manuela Veloso. EncryptedLLM: Privacy-preserving large language model inference via GPU-accelerated fully homomorphic encryption. InForty-second International Conference on Machine Learning,

work page
[67]

URLhttps://openreview.net/forum?id=PGNff6H1TV

work page
[68]

Encrypted image classification with low memory footprint using fully homomorphic encryption.International Journal of Neural Systems, 34 (05):2450025, 2024

Lorenzo Rovida and Alberto Leporati. Encrypted image classification with low memory footprint using fully homomorphic encryption.International Journal of Neural Systems, 34 (05):2450025, 2024. doi: 10.1142/S0129065724500254. URL https://doi.org/10.1142/ S0129065724500254. PMID: 38516871

work page doi:10.1142/s0129065724500254 2024
[69]

Nges Brian Njungle and Michel A. Kinsy. Activate me!: Designing efficient activation functions for privacy-preserving machine learning with fully homomorphic encryption. InProgress in Cryptology - AFRICACRYPT 2025, pages 51–73, 2026

work page 2025
[70]

Jean-Philippe Bossuat, Rosario Cammarota, Ilaria Chillotti, Benjamin R. Curtis, Wei Dai, Huijing Gong, Erin Hales, Duhyeong Kim, Bryan Kumara, Changmin Lee, Xianhui Lu, Carsten Maple, Alberto Pedrouzo-Ulloa, Rachel Player, Yuriy Polyakov, Luis Antonio Ruiz Lopez, Yongsoo Song, and Donggeon Yhee. Security guidelines for implementing homomorphic encryption....

work page 2025
[71]

Craig Gentry, Shai Halevi, and Nigel P. Smart. Better bootstrapping in fully homomorphic encryption. InPublic Key Cryptography – PKC 2012, pages 1–16, 2012

work page 2012
[72]

De Gruyter, Berlin, Boston, 2014

Jürgen Appell, Józef Banas, and Nelson José Merentes Díaz.Bounded Variation and Around. De Gruyter, Berlin, Boston, 2014. ISBN 978-3-11-026511-8. doi: doi:10.1515/9783110265118. URLhttps://doi.org/10.1515/9783110265118

work page doi:10.1515/9783110265118 2014
[73]

Jacobi polynomials on the bernstein ellipse.J

Haiyong Wang and Lun Zhang. Jacobi polynomials on the bernstein ellipse.J. Sci. Comput., 75(1):457–477, April 2018. ISSN 0885-7474. doi: 10.1007/s10915-017-0542-4. URL https://doi.org/10.1007/s10915-017-0542-4

work page doi:10.1007/s10915-017-0542-4 2018
[74]

Neural network verification with branch-and-bound for general nonlinearities

Zhouxing Shi, Qirui Jin, Zico Kolter, Suman Jana, Cho-Jui Hsieh, and Huan Zhang. Neural network verification with branch-and-bound for general nonlinearities. In Arie Gurfinkel and Marijn Heule, editors,Tools and Algorithms for the Construction and Analysis of Systems - 31st International Conference, TACAS 2025, Held as Part of the International Joint Con...

work page doi:10.1007/978-3-031-90643-5_ 2025
[75]

SOL: sampling-based optimal linear bounding of arbitrary scalar functions

Yuriy Biktairov and Jyotirmoy Deshmukh. SOL: sampling-based optimal linear bounding of arbitrary scalar functions. InAdvances in Neural Information Processing Systems 36: Annual Conference on Neural Information Processing Systems 2023 (NeurIPS’23), New Orleans, LA, USA, December 10 - 16, 2023, 2023

work page 2023
[76]

Julia: A fresh approach to numerical computing.SIAM review, 59(1):65–98, 2017

Jeff Bezanson, Alan Edelman, Stefan Karpinski, and Viral B Shah. Julia: A fresh approach to numerical computing.SIAM review, 59(1):65–98, 2017. URL https://doi.org/10.1137/ 141000671. 15

work page 2017
[77]

Gradient-based learning applied to document recognition,

Y . Lecun, L. Bottou, Y . Bengio, and P. Haffner. Gradient-based learning applied to document recognition.Proceedings of the IEEE, 86(11):2278–2324, 1998. doi: 10.1109/5.726791

work page doi:10.1109/5.726791 1998
[78]

Bos, Wouter Castryck, Ilia Iliashenko, and Frederik Vercauteren

Joppe W. Bos, Wouter Castryck, Ilia Iliashenko, and Frederik Vercauteren. Privacy-friendly fore- casting for the smart grid using homomorphic encryption and the group method of data handling. In Marc Joye and Abderrahmane Nitaj, editors,Progress in Cryptology - AFRICACRYPT 2017, pages 184–201, Cham, 2017. Springer International Publishing. ISBN 978-3-319-57339-7

work page 2017
[79]

Household electricity demand forecasting: benchmarking state-of-the-art methods

Andreas Veit, Christoph Goebel, Rohit Tidke, Christoph Doblander, and Hans-Arno Jacobsen. Household electricity demand forecasting: benchmarking state-of-the-art methods. InProceed- ings of the 5th International Conference on Future Energy Systems, e-Energy ’14, page 233–234, New York, NY , USA, 2014. Association for Computing Machinery. ISBN 978145032819...

work page doi:10.1145/2602044.2602082 2014
[80]

Three decades of activations: A comprehensive survey of 400 activation functions for neural networks, 2024

Vladimír Kunc and Jiˇrí Kléma. Three decades of activations: A comprehensive survey of 400 activation functions for neural networks, 2024. A A general overview of FHE schemes Fully homomorphic encryption (FHE) is an advanced cryptographic primitive that, extending standard encryption, allows operations to be performed on encrypted data, without having acc...

work page 2024

Showing first 80 references.

[1] [1]

Privacy-preserving neural networks with homomorphic encryption: C hallenges and opportunities.Peer-to-Peer Networking and Applications, 14(3):1666–1691, 2021

Bernardo Pulido-Gaytan, Andrei Tchernykh, Jorge M Cortés-Mendoza, Mikhail Babenko, Gleb Radchenko, Arutyun Avetisyan, and Alexander Yu Drozdov. Privacy-preserving neural networks with homomorphic encryption: C hallenges and opportunities.Peer-to-Peer Networking and Applications, 14(3):1666–1691, 2021

work page 2021

[2] [2]

Mauro Ribeiro, Katarina Grolinger, and Miriam A.M. Capretz. Mlaas: Machine learning as a service. In2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA), pages 896–902, 2015. doi: 10.1109/ICMLA.2015.152

work page doi:10.1109/icmla.2015.152 2015

[3] [3]

(leveled) fully homomorphic en- cryption without bootstrapping

Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic en- cryption without bootstrapping. InProceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS ’12, pages 309–325, 2012

work page 2012

[4] [4]

Fully homomorphic encryption without modulus switching from classical gapsvp

Zvika Brakerski. Fully homomorphic encryption without modulus switching from classical gapsvp. InAdvances in Cryptology – CRYPTO 2012, CRYPTO ’12, pages 868–886, 2012

work page 2012

[5] [5]

Somewhat practical fully homomorphic encryption

Junfeng Fan and Frederik Vercauteren. Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Paper 2012/144, 2012

work page 2012

[6] [6]

Faster fully ho- momorphic encryption: Bootstrapping in less than 0.1 seconds

Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. Faster fully ho- momorphic encryption: Bootstrapping in less than 0.1 seconds. InAdvances in Cryptology – ASIACRYPT 2016, pages 3–33, 2016

work page 2016

[7] [7]

Homomorphic encryption for arithmetic of approximate numbers

Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song. Homomorphic encryption for arithmetic of approximate numbers. InAdvances in Cryptology – ASIACRYPT 2017, pages 409–437, 2017

work page 2017

[8] [8]

Precise approximation of convolutional neural networks for homomorphically encrypted data,

Junghyun Lee, Eunsang Lee, Joon-Woo Lee, Yongjune Kim, Young-Sik Kim, and Jong-Seon No. Precise approximation of convolutional neural networks for homomorphically encrypted data.IEEE Access, 11:62062–62076, 2023. doi: 10.1109/ACCESS.2023.3287564

work page doi:10.1109/access.2023.3287564 2023

[9] [9]

Transformer-based language models and homomorphic encryption: An intersection with bert-tiny

Lorenzo Rovida and Alberto Leporati. Transformer-based language models and homomorphic encryption: An intersection with bert-tiny. InProceedings of the 10th ACM International Workshop on Security and Privacy Analytics, pages 3–13, 2024

work page 2024

[10] [10]

Scaling up privacy-preserving ML: A CKKS implementation of Llama-2-7B, 2026

Jaiyoung Park, Sejin Park, Jai Hyun Park, Jung Ho Ahn, Jung Hee Cheon, Guillaume Hanrot, Jung Woo Kim, Minje Park, and Damien Stehlé. Scaling up privacy-preserving ML: A CKKS implementation of Llama-2-7B, 2026

work page 2026

[11] [11]

Minimax approximation of sign function by composite polynomial for homomorphic comparison.IEEE Transactions on Dependable and Secure Computing, 19(6):3711–3727, 2022

Eunsang Lee, Joon-Woo Lee, Jong-Seon No, and Young-Sik Kim. Minimax approximation of sign function by composite polynomial for homomorphic comparison.IEEE Transactions on Dependable and Secure Computing, 19(6):3711–3727, 2022. doi: 10.1109/TDSC.2021. 3105111

work page doi:10.1109/tdsc.2021 2022

[12] [12]

Orion: A fully homomorphic encryption framework for deep learning

Austin Ebel, Karthik Garimella, and Brandon Reagen. Orion: A fully homomorphic encryption framework for deep learning. InProceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, ASPLOS ’25, page 734–749, New York, NY , USA, 2025. Association for Computing Machinery. ISBN 97984...

work page doi:10.1145/3676641.3716008 2025

[13] [13]

Certified private inference on neural networks via lipschitz-guided abstraction refinement

Edoardo Manino, Bernardo Magri, Mustafa A Mustafa, and Lucas C Cordeiro. Certified private inference on neural networks via lipschitz-guided abstraction refinement. In6th Workshop on Formal Methods for ML-Enabled Autonomous Systems (FoMLAS 2023), July 17-18, 2023, Paris, France, 2023

work page 2023

[14] [14]

Certified error analysis of homomorphically encrypted neural networks

Philipp Kern, Edoardo Manino, and Carsten Sinz. Certified error analysis of homomorphically encrypted neural networks. In Mirco Giacobbe and Anna Lukina, editors,AI Verification, pages 156–179, Cham, 2026. Springer Nature Switzerland. ISBN 978-3-031-99991-8. 11

work page 2026

[15] [15]

On the number of nonscalar multiplications necessary to evaluate polynomials.SIAM Journal on Computing, 2(1):60–66, 1973

Michael S Paterson and Larry J Stockmeyer. On the number of nonscalar multiplications necessary to evaluate polynomials.SIAM Journal on Computing, 2(1):60–66, 1973

work page 1973

[16] [16]

Improved bootstrapping for approximate homomorphic encryption

Hao Chen, Ilaria Chillotti, and Yongsoo Song. Improved bootstrapping for approximate homomorphic encryption. InAdvances in Cryptology – EUROCRYPT 2019, pages 34–54, 2019

work page 2019

[17] [17]

Openfhe: Open- source fully homomorphic encryption library

Ahmad Al Badawi, Jack Bates, Flavio Bergamaschi, David Bruce Cousins, Saroja Erabelli, Nicholas Genise, Shai Halevi, Hamish Hunt, Andrey Kim, Yongwoo Lee, Zeyu Liu, Daniele Micciancio, Ian Quah, Yuriy Polyakov, Saraswathy R.V ., Kurt Rohloff, Jonathan Saylor, Dmitriy Suponitsky, Matthew Triplett, Vinod Vaikuntanathan, and Vincent Zucca. Openfhe: Open- sou...

work page 2022

[18] [18]

On ideal lattices and learning with errors over rings

Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. InAdvances in Cryptology – EUROCRYPT 2010, pages 1–23, 2010

work page 2010

[19] [19]

Bootstrapping for approximate homomorphic encryption

Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, and Yongsoo Song. Bootstrapping for approximate homomorphic encryption. InAdvances in Cryptology – EUROCRYPT 2018, pages 360–384, 2018

work page 2018

[20] [20]

Privacy- preserving machine learning with fully homomorphic encryption for deep neural network.IEEE Access, 10:30039–30054, 2022

Joon-Woo Lee, Hyungchul Kang, Yongwoo Lee, Woosuk Choi, Jieun Eom, Maxim Deryabin, Eunsang Lee, Junghyun Lee, Donghoon Yoo, Young-Sik Kim, and Jong-Seon No. Privacy- preserving machine learning with fully homomorphic encryption for deep neural network.IEEE Access, 10:30039–30054, 2022. doi: 10.1109/ACCESS.2022.3159694

work page doi:10.1109/access.2022.3159694 2022

[21] [21]

Towards deep learning models resistant to adversarial attacks

Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. In6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, April 30 - May 3, 2018, Conference Track Proceedings. OpenReview.net, 2018. URL https://openreview.net/ forum?...

work page 2018

[22] [22]

Sur un procédé convergent d’approximations successives pour déterminer les polynômes d’approximation.CR Acad

Eugene Remes. Sur un procédé convergent d’approximations successives pour déterminer les polynômes d’approximation.CR Acad. Sci. Paris, 198:2063–2065, 1934

work page 2063

[23] [23]

Revisiting differential verification: Equivalence verification with confidence

Samuel Teuber, Philipp Kern, Marvin Janzen, and Bernhard Beckert. Revisiting differential verification: Equivalence verification with confidence. In Arie Gurfinkel and Marijn Heule, editors,Tools and Algorithms for the Construction and Analysis of Systems - 31st International Conference, TACAS 2025, Held as Part of the International Joint Conferences on T...

work page doi:10.1007/978-3-031-90653-4_13 2025

[24] [24]

Fast and complete: Enabling complete neural network verification with rapid and massively parallel incomplete verifiers

Kaidi Xu, Huan Zhang, Shiqi Wang, Yihan Wang, Suman Jana, Xue Lin, and Cho-Jui Hsieh. Fast and complete: Enabling complete neural network verification with rapid and massively parallel incomplete verifiers. InProc. of the 9th International Conference on Learning Repre- sentations(ICLR’21), Virtual Event, Austria, May 3-7, 2021. OpenReview.net, 2021

work page 2021

[25] [25]

Trefethen.Approximation Theory and Approximation Practice

Lloyd N. Trefethen.Approximation Theory and Approximation Practice. SIAM, 2019. URL https://epubs.siam.org/doi/book/10.1137/1.9781611975949

work page doi:10.1137/1.9781611975949 2019

[26] [26]

Moore.Interval Analysis

Ramon E. Moore.Interval Analysis. Prentice-Hall, Englewood Cliffs, NJ, 1966

work page 1966

[27] [27]

ReluDiff: differential verification of deep neural networks

Brandon Paulsen, Jingbo Wang, and Chao Wang. ReluDiff: differential verification of deep neural networks. In Gregg Rothermel and Doo-Hwan Bae, editors,ICSE ’20: 42nd International Conference on Software Engineering, Seoul, South Korea, 27 June - 19 July, 2020, pages 714–

work page 2020

[28] [28]

doi: 10.1145/3377811.3380337

ACM, 2020. doi: 10.1145/3377811.3380337

work page doi:10.1145/3377811.3380337 2020

[29] [29]

NeuroDiff: scalable differential verification of neural networks using fine-grained approximation

Brandon Paulsen, Jingbo Wang, Jiawei Wang, and Chao Wang. NeuroDiff: scalable differential verification of neural networks using fine-grained approximation. In35th IEEE/ACM Inter- national Conference on Automated Software Engineering, ASE 2020, Melbourne, Australia, September 21-25, 2020, pages 784–796. IEEE, 2020. doi: 10.1145/3324884.3416560. 12

work page doi:10.1145/3324884.3416560 2020

[30] [30]

Input-relational verification of deep neural networks.Proc

Debangshu Banerjee, Changming Xu, and Gagandeep Singh. Input-relational verification of deep neural networks.Proc. ACM Program. Lang., 8(PLDI):1–27, 2024. doi: 10.1145/3656377. URLhttps://doi.org/10.1145/3656377

work page doi:10.1145/3656377 2024

[31] [31]

Fico explainable machine learning challenge, 2018

FICO. Fico explainable machine learning challenge, 2018. URL https://community.fico. com/s/explainable-machinelearning-challenge

work page 2018

[32] [32]

Electricity smart metering customer behaviour trials (cbt) findings report, 2011

Commission for Energy Regulation. Electricity smart metering customer behaviour trials (cbt) findings report, 2011

work page 2011

[33] [33]

Learning multiple layers of features from tiny images

Alex Krizhevsky and Geoffrey Hinton. Learning multiple layers of features from tiny images. Technical Report 0, University of Toronto, Toronto, Ontario, 2009. URL https://www.cs. toronto.edu/~kriz/learning-features-2009-TR.pdf

work page 2009

[34] [34]

Nn4sysbench: Characterizing neural network verification for computer systems

Shuyi Lin, Haoyu He, Tianhao Wei, Kaidi Xu, Huan Zhang, Gagandeep Singh, Changliu Liu, and Cheng Tan. Nn4sysbench: Characterizing neural network verification for computer systems. In Amir Globersons, Lester Mackey, Danielle Belgrave, Angela Fan, Ulrich Paquet, Jakub M. Tomczak, and Cheng Zhang, editors,Advances in Neural Information Processing Systems 38:...

work page 2024

[35] [35]

Dmitrii Kirov, Simone Fulvio Rollini, Luigi Di Guglielmo, and Darren D. Cofer. Formal verification of a neural network based prognostics system for aircraft equipment. In Bernhard Steffen, editor,Bridging the Gap Between AI and Reality - First International Conference, AISoLA 2023, Crete, Greece, October 23-28, 2023, Proceedings, Lecture Notes in Computer...

work page doi:10.1007/978-3-031-46002-9 2023

[36] [36]

Dickerson

Konstantin Kaulen, Tobias Ladner, Stanley Bak, Christopher Brix, Hai Duong, Thomas Flinkow, Taylor T. Johnson, Lukas Koller, Edoardo Manino, ThanhVu H. Nguyen, and Haoze Wu. The 6th international verification of neural networks competition (VNN-COMP 2025): Summary and results.CoRR, abs/2512.19007, 2025. doi: 10.48550/ARXIV .2512.19007. URL https: //doi.or...

work page internal anchor Pith review doi:10.48550/arxiv 2025

[37] [37]

Estimating or Propagating Gradients Through Stochastic Neurons for Conditional Computation

Yoshua Bengio, Nicholas Léonard, and Aaron C. Courville. Estimating or propagating gradients through stochastic neurons for conditional computation.CoRR, abs/1308.3432, 2013. URL http://arxiv.org/abs/1308.3432

work page internal anchor Pith review Pith/arXiv arXiv 2013

[38] [38]

Jonathan J. Hull. A database for handwritten text recognition research.IEEE Trans. Pattern Anal. Mach. Intell., 16(5):550–554, 1994. doi: 10.1109/34.291440. URL https://doi.org/ 10.1109/34.291440

work page doi:10.1109/34.291440 1994

[39] [39]

Antonio Torralba, Rob Fergus, and William T. Freeman. 80 million tiny images: A large data set for nonparametric object and scene recognition.IEEE Transactions on Pattern Analysis and Machine Intelligence, 30(11):1958–1970, 2008

work page 1958

[40] [40]

Do CIFAR-10 Classifiers Generalize to CIFAR-10?

Benjamin Recht, Rebecca Roelofs, Ludwig Schmidt, and Vaishaal Shankar. Do cifar-10 classifiers generalize to cifar-10? 2018.https://arxiv.org/abs/1806.00451

work page internal anchor Pith review Pith/arXiv arXiv 2018

[41] [41]

Curtis, Erin Hales, Sean Murphy, Tabitha Ogilvie, and Rachel Player

Anamaria Costache, Benjamin R. Curtis, Erin Hales, Sean Murphy, Tabitha Ogilvie, and Rachel Player. On the precision loss in approximate homomorphic encryption. InSelected Areas in Cryptography – SAC 2023: 30th International Conference, Fredericton, Canada, August 14–18, 2023, Revised Selected Papers, pages 325–345, 2023

work page 2023

[42] [42]

Accurate and composable noise estimates for CKKS with application to exact HE computation.IACR Communications in Cryptology, 2(2), 2025

Jean-Philippe Bossuat, Anamaria Costache, Christian Mouchet, Lea Nürnberger, and Juan Ramón Troncoso-Pastoriza. Accurate and composable noise estimates for CKKS with application to exact HE computation.IACR Communications in Cryptology, 2(2), 2025

work page 2025

[43] [43]

Neujeans: Private neural network inference with joint optimization of convolution and fhe bootstrapping

Jae Hyung Ju, Jaiyoung Park, Jongmin Kim, Minsik Kang, Donghwan Kim, Jung Hee Cheon, and Jung Ho Ahn. Neujeans: Private neural network inference with joint optimization of convolution and fhe bootstrapping. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS ’24, pages 4361–4375, 2024. 13

work page 2024

[44] [44]

On data banks and privacy homomorphisms

R L Rivest, L Adleman, and M L Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, Academia Press, pages 169–179, 1978

work page 1978

[45] [45]

Fully homomorphic encryption using ideal lattices

Craig Gentry. Fully homomorphic encryption using ideal lattices. InProceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC ’09, pages 169–178, 2009

work page 2009

[46] [46]

On lattices, learning with errors, random linear codes, and cryptography.J

Oded Regev. On lattices, learning with errors, random linear codes, and cryptography.J. ACM, 56(6), September 2009

work page 2009

[47] [47]

Fhew: Bootstrapping homomorphic encryption in less than a second

Léo Ducas and Daniele Micciancio. Fhew: Bootstrapping homomorphic encryption in less than a second. InAdvances in Cryptology – EUROCRYPT 2015, pages 617–640, 2015

work page 2015

[48] [48]

Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based

Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. InAdvances in Cryptology – CRYPTO 2013, pages 75–92, 2013

work page 2013

[49] [49]

TT-TFHE: a torus fully homomorphic encryption-friendly neural network architecture.Transactions on Machine Learning Research, 2025

Adrien Benamira, Tristan Guérand, Thomas Peyrin, and Sayandeep Saha. TT-TFHE: a torus fully homomorphic encryption-friendly neural network architecture.Transactions on Machine Learning Research, 2025

work page 2025

[50] [50]

N. P. Smart and F. Vercauteren. Fully homomorphic simd operations.Design, Codes and Cryptography, 71(1):57–81, 4 2014

work page 2014

[51] [51]

Bfv, ckks, tfhe: Which one is the best for a secure neural network evaluation in the cloud? InApplied Cryptography and Network Security Workshops, pages 279–300, 2021

Pierre-Emmanuel Clet, Oana Stan, and Martin Zuber. Bfv, ckks, tfhe: Which one is the best for a secure neural network evaluation in the cloud? InApplied Cryptography and Network Security Workshops, pages 279–300, 2021

work page 2021

[52] [52]

High-precision arithmetic in homomor- phic encryption

Hao Chen, Kim Laine, Rachel Player, and Yuhou Xia. High-precision arithmetic in homomor- phic encryption. InTopics in Cryptology – CT-RSA 2018, pages 116–136, 2018

work page 2018

[53] [53]

Homomorphic multiple precision multiplication for ckks and reduced modulus consumption

Jung Hee Cheon, Wonhee Cho, Jaehyung Kim, and Damien Stehlé. Homomorphic multiple precision multiplication for ckks and reduced modulus consumption. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pages 696–710, 2023

work page 2023

[54] [54]

Fully homomorphic encryption for cyclotomic prime moduli

Robin Geelen and Frederik Vercauteren. Fully homomorphic encryption for cyclotomic prime moduli. InAdvances in Cryptology – EUROCRYPT 2025, EUROCRYPT ’25, page 366–397, 2025

work page 2025

[55] [55]

Homomorphic encryption for large integers from nested residue number systems

Dan Boneh and Jaehyung Kim. Homomorphic encryption for large integers from nested residue number systems. InAdvances in Cryptology – CRYPTO 2025, 2025

work page 2025

[56] [56]

Faster homomorphic integer computer

Jaehyung Kim. Faster homomorphic integer computer. Cryptology ePrint Archive, Paper 2025/1440, 2025. URLhttps://eprint.iacr.org/2025/1440

work page 2025

[57] [57]

A flexible and polynomial framework for integer arithmetic in CKKS

Lorenzo Rovida. A flexible and polynomial framework for integer arithmetic in CKKS. Cryp- tology ePrint Archive, Paper 2026/450, 2026

work page 2026

[58] [58]

Matrigear: Accelerating authenticated matrix triple generation with scalable prime fields via optimized he packing

Hyunho Cha, Intak Hwang, Seonhong Min, Jinyeong Seo, and Yongsoo Song. Matrigear: Accelerating authenticated matrix triple generation with scalable prime fields via optimized he packing. In2025 IEEE Symposium on Security and Privacy (S&P), pages 2453–2471, 2025

work page 2025

[59] [59]

High-precision exact FHE made simple, general, and fast

Chris Peikert, Doron Zarchy, and Guy Zyskind. High-precision exact FHE made simple, general, and fast. Cryptology ePrint Archive, Paper 2025/2321, 2025

work page 2025

[60] [60]

Tfhe gets real: an efficient and flexible homomorphic floating-point arithmetic.IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(2):126–162, Mar

Loris Bergerat, Ilaria Chillotti, Damien Ligier, Jean-Baptiste Orfila, and Samuel Tap. Tfhe gets real: an efficient and flexible homomorphic floating-point arithmetic.IACR Transactions on Cryptographic Hardware and Embedded Systems, 2025(2):126–162, Mar. 2025

work page 2025

[61] [61]

Approximate homomorphic encryp- tion with reduced approximation error

Andrey Kim, Antonis Papadimitriou, and Yuriy Polyakov. Approximate homomorphic encryp- tion with reduced approximation error. InTopics in Cryptology – CT-RSA 2022: Cryptographers’ Track at the RSA Conference 2022, Virtual Event, March 1–2, 2022, Proceedings, pages 120– 144, 2022. 14

work page 2022

[62] [62]

Bleach: Cleaning errors in discrete computations over ckks.J

Nir Drucker, Guy Moshkowich, Tomer Pelleg, and Hayim Shaul. Bleach: Cleaning errors in discrete computations over ckks.J. Cryptol., 37(1), 11 2023. ISSN 0933-2790. doi: 10.1007/s00145-023-09483-1

work page doi:10.1007/s00145-023-09483-1 2023

[63] [63]

On the security of homomorphic encryption on approxi- mate numbers

Baiyu Li and Daniele Micciancio. On the security of homomorphic encryption on approxi- mate numbers. InAdvances in Cryptology – EUROCRYPT 2021: 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, page 648–677, 2021

work page 2021

[64] [64]

Attacks against the ind-cpad security of exact fhe schemes

Jung Hee Cheon, Hyeongmin Choe, Alain Passelègue, Damien Stehlé, and Elias Suvanto. Attacks against the ind-cpad security of exact fhe schemes. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS ’24, page 2505–2519,

work page 2024

[65] [65]

doi: 10.1145/3658644.3690341

work page doi:10.1145/3658644.3690341

[66] [66]

EncryptedLLM: Privacy-preserving large language model inference via GPU-accelerated fully homomorphic encryption

Leo de Castro, Daniel Escudero, Adya Agrawal, Antigoni Polychroniadou, and Manuela Veloso. EncryptedLLM: Privacy-preserving large language model inference via GPU-accelerated fully homomorphic encryption. InForty-second International Conference on Machine Learning,

work page

[67] [67]

URLhttps://openreview.net/forum?id=PGNff6H1TV

work page

[68] [68]

Encrypted image classification with low memory footprint using fully homomorphic encryption.International Journal of Neural Systems, 34 (05):2450025, 2024

Lorenzo Rovida and Alberto Leporati. Encrypted image classification with low memory footprint using fully homomorphic encryption.International Journal of Neural Systems, 34 (05):2450025, 2024. doi: 10.1142/S0129065724500254. URL https://doi.org/10.1142/ S0129065724500254. PMID: 38516871

work page doi:10.1142/s0129065724500254 2024

[69] [69]

Nges Brian Njungle and Michel A. Kinsy. Activate me!: Designing efficient activation functions for privacy-preserving machine learning with fully homomorphic encryption. InProgress in Cryptology - AFRICACRYPT 2025, pages 51–73, 2026

work page 2025

[70] [70]

Jean-Philippe Bossuat, Rosario Cammarota, Ilaria Chillotti, Benjamin R. Curtis, Wei Dai, Huijing Gong, Erin Hales, Duhyeong Kim, Bryan Kumara, Changmin Lee, Xianhui Lu, Carsten Maple, Alberto Pedrouzo-Ulloa, Rachel Player, Yuriy Polyakov, Luis Antonio Ruiz Lopez, Yongsoo Song, and Donggeon Yhee. Security guidelines for implementing homomorphic encryption....

work page 2025

[71] [71]

Craig Gentry, Shai Halevi, and Nigel P. Smart. Better bootstrapping in fully homomorphic encryption. InPublic Key Cryptography – PKC 2012, pages 1–16, 2012

work page 2012

[72] [72]

De Gruyter, Berlin, Boston, 2014

Jürgen Appell, Józef Banas, and Nelson José Merentes Díaz.Bounded Variation and Around. De Gruyter, Berlin, Boston, 2014. ISBN 978-3-11-026511-8. doi: doi:10.1515/9783110265118. URLhttps://doi.org/10.1515/9783110265118

work page doi:10.1515/9783110265118 2014

[73] [73]

Jacobi polynomials on the bernstein ellipse.J

Haiyong Wang and Lun Zhang. Jacobi polynomials on the bernstein ellipse.J. Sci. Comput., 75(1):457–477, April 2018. ISSN 0885-7474. doi: 10.1007/s10915-017-0542-4. URL https://doi.org/10.1007/s10915-017-0542-4

work page doi:10.1007/s10915-017-0542-4 2018

[74] [74]

Neural network verification with branch-and-bound for general nonlinearities

Zhouxing Shi, Qirui Jin, Zico Kolter, Suman Jana, Cho-Jui Hsieh, and Huan Zhang. Neural network verification with branch-and-bound for general nonlinearities. In Arie Gurfinkel and Marijn Heule, editors,Tools and Algorithms for the Construction and Analysis of Systems - 31st International Conference, TACAS 2025, Held as Part of the International Joint Con...

work page doi:10.1007/978-3-031-90643-5_ 2025

[75] [75]

SOL: sampling-based optimal linear bounding of arbitrary scalar functions

Yuriy Biktairov and Jyotirmoy Deshmukh. SOL: sampling-based optimal linear bounding of arbitrary scalar functions. InAdvances in Neural Information Processing Systems 36: Annual Conference on Neural Information Processing Systems 2023 (NeurIPS’23), New Orleans, LA, USA, December 10 - 16, 2023, 2023

work page 2023

[76] [76]

Julia: A fresh approach to numerical computing.SIAM review, 59(1):65–98, 2017

Jeff Bezanson, Alan Edelman, Stefan Karpinski, and Viral B Shah. Julia: A fresh approach to numerical computing.SIAM review, 59(1):65–98, 2017. URL https://doi.org/10.1137/ 141000671. 15

work page 2017

[77] [77]

Gradient-based learning applied to document recognition,

Y . Lecun, L. Bottou, Y . Bengio, and P. Haffner. Gradient-based learning applied to document recognition.Proceedings of the IEEE, 86(11):2278–2324, 1998. doi: 10.1109/5.726791

work page doi:10.1109/5.726791 1998

[78] [78]

Bos, Wouter Castryck, Ilia Iliashenko, and Frederik Vercauteren

Joppe W. Bos, Wouter Castryck, Ilia Iliashenko, and Frederik Vercauteren. Privacy-friendly fore- casting for the smart grid using homomorphic encryption and the group method of data handling. In Marc Joye and Abderrahmane Nitaj, editors,Progress in Cryptology - AFRICACRYPT 2017, pages 184–201, Cham, 2017. Springer International Publishing. ISBN 978-3-319-57339-7

work page 2017

[79] [79]

Household electricity demand forecasting: benchmarking state-of-the-art methods

Andreas Veit, Christoph Goebel, Rohit Tidke, Christoph Doblander, and Hans-Arno Jacobsen. Household electricity demand forecasting: benchmarking state-of-the-art methods. InProceed- ings of the 5th International Conference on Future Energy Systems, e-Energy ’14, page 233–234, New York, NY , USA, 2014. Association for Computing Machinery. ISBN 978145032819...

work page doi:10.1145/2602044.2602082 2014

[80] [80]

Three decades of activations: A comprehensive survey of 400 activation functions for neural networks, 2024

Vladimír Kunc and Jiˇrí Kléma. Three decades of activations: A comprehensive survey of 400 activation functions for neural networks, 2024. A A general overview of FHE schemes Fully homomorphic encryption (FHE) is an advanced cryptographic primitive that, extending standard encryption, allows operations to be performed on encrypted data, without having acc...

work page 2024