🤖 AI Summary
This work investigates the adversarial robustness of tropical CNNs, analyzing the combinatorial structure of their decision boundaries—characterized by tropical bisectors and angle bisector hyperplanes—and their defense mechanisms against Carlini-Wagner (CW) attacks. Methodologically, we (i) derive the first theoretical upper bound on the number of linear segments comprising the tropical CNN decision boundary; and (ii) propose the first CW variant explicitly tailored to tropical geometry, incorporating the piecewise-linear nature of tropical embedding layers. Experiments demonstrate that while tropical embeddings enhance robustness, our novel attack significantly increases success rates on MNIST/LeNet5, exposing the true limits of their robustness. Key contributions include: (1) the first tight upper bound on the decision complexity of tropical CNNs; (2) the first adversarial attack algorithm specifically designed for tropical architectures; and (3) a cross-validated analytical framework integrating tropical geometry, combinatorial optimization, and adversarial robustness theory.
📝 Abstract
Pasque et al. showed that using a tropical symmetric metric as an activation function in the last layer can improve the robustness of convolutional neural networks (CNNs) against state-of-the-art attacks, including the Carlini-Wagner attack. This improvement occurs when the attacks are not specifically adapted to the non-differentiability of the tropical layer. Moreover, they showed that the decision boundary of a tropical CNN is defined by tropical bisectors. In this paper, we explore the combinatorics of tropical bisectors and analyze how the tropical embedding layer enhances robustness against Carlini-Wagner attacks. We prove an upper bound on the number of linear segments the decision boundary of a tropical CNN can have. We then propose a refined version of the Carlini-Wagner attack, specifically tailored for the tropical architecture. Computational experiments with MNIST and LeNet5 showcase our attack's improved success rate.