🤖 AI Summary
To address the low efficiency and poor flexibility of adversarial robustness certification for semantic segmentation models, this paper proposes the first real-time certifiably robust segmentation framework. Methodologically, we design a segmentation network with built-in Lipschitz constraints and integrate it with randomized smoothing augmentation and a tight ℓ₂-norm robustness certification mechanism, yielding a general-purpose certification framework capable of multi-metric worst-case analysis. Compared to existing randomized smoothing approaches, our method accelerates certification by approximately 600×. On Cityscapes, it achieves competitive per-pixel accuracy while producing theoretically grounded certificates empirically verified to be highly tight under adversarial attacks. This work establishes the first certifiable robustness framework for semantic segmentation that simultaneously attains high accuracy, real-time certification speed, and scalability—thereby enabling reliable deployment in safety-critical applications.
📝 Abstract
Deep Neural Networks are vulnerable to small perturbations that can drastically alter their predictions for perceptually unchanged inputs. The literature on adversarially robust Deep Learning attempts to either enhance the robustness of neural networks (e.g., via adversarial training) or to certify their decisions up to a given robustness level (e.g., by using randomized smoothing, formal methods or Lipschitz bounds). These studies mostly focus on classification tasks and few efficient certification procedures currently exist for semantic segmentation. In this work, we introduce a new class of certifiably robust Semantic Segmentation networks with built-in Lipschitz constraints that are efficiently trainable and achieve competitive pixel accuracy on challenging datasets such as Cityscapes. Additionally, we provide a novel framework that generalizes robustness certificates for semantic segmentation tasks, where we showcase the flexibility and computational efficiency of using Lipschitz networks. Our approach unlocks real-time compatible certifiably robust semantic segmentation for the first time. Moreover, it allows the computation of worst-case performance under $\ell_2$ attacks of radius $\varepsilon$ across a wide range of performance measures. Crucially, we benchmark the runtime of our certification process and find our approach to be around 600 times faster than randomized smoothing methods at inference with comparable certificates on an NVIDIA A100 GPU. Finally, we evaluate the tightness of our worst-case certificates against state-of-the-art adversarial attacks to further validate the performance of our method.
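To make the idea of a worst-case pixel accuracy under an $\ell_2$ attack of radius $\varepsilon$ concrete, here is an added example (not the paper's code or its certification procedure) using the standard margin-based Lipschitz argument. It assumes the network is `lipschitz`-Lipschitz in $\ell_2$ from the input image to the whole flattened logit tensor; the function names and the six sample pixels are constructed for illustration.

```python
import math

# Constructed sample: 6 pixels, 3 classes (logits per pixel and ground-truth labels).
LOGITS = [[3.0, 0.0, 0.0], [0.0, 2.0, 1.0], [1.0, 0.5, 0.0],
          [0.0, 0.0, 4.0], [2.0, 1.0, 0.0], [0.0, 1.2, 0.0]]
LABELS = [0, 1, 0, 2, 1, 1]

def margins(logits, labels):
    """True-class logit minus best other logit; <= 0 means already misclassified."""
    return [z[y] - max(v for j, v in enumerate(z) if j != y)
            for z, y in zip(logits, labels)]

def independent_bound(logits, labels, lipschitz, eps):
    """Lower bound on accuracy, certifying every pixel on its own.

    A pixel's logit vector moves by at most lipschitz*eps in l2, and a gap
    between two logits shrinks by at most sqrt(2) times that amount.
    """
    thr = math.sqrt(2.0) * lipschitz * eps
    m = margins(logits, labels)
    return sum(1 for v in m if v > 0 and v > thr) / len(m)

def joint_bound(logits, labels, lipschitz, eps):
    """Lower bound on accuracy when all pixels share one perturbation budget.

    Flipping pixel i needs squared output movement >= margin_i**2 / 2, and the
    squared movements over all pixels sum to at most (lipschitz*eps)**2.
    Spending on the cheapest pixels first upper-bounds how many can flip.
    """
    budget = (lipschitz * eps) ** 2
    m = margins(logits, labels)
    costs = sorted(v * v / 2.0 for v in m if v > 0)
    spent, flipped = 0.0, 0
    for c in costs:
        if spent + c > budget:
            break
        spent += c
        flipped += 1
    return (len(costs) - flipped) / len(m)

if __name__ == "__main__":
    for eps in (0.0, 0.75):
        print(eps, independent_bound(LOGITS, LABELS, 1.0, eps),
              joint_bound(LOGITS, LABELS, 1.0, eps))
```

Both functions need only one forward pass and a sort, with no sampling. On the constructed data at $\varepsilon = 0.75$ the shared-budget bound certifies more pixels than the per-pixel one, because two pixels that could each be flipped alone cannot both be flipped within the same budget.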