This work quantifies the generalization error of quantum classifiers under adversarial attacks, focusing on perturbation-constrained settings and examining the additional generalization risk induced by adversarial training as well as the role of quantum embeddings. Methodologically, we derive— for the first time—a theoretical upper bound on the generalization error of adversarially trained quantum classifiers; propose a rotation-based embedding model and prove that it eliminates the sample complexity overhead caused by adversarial training for high-dimensional classical inputs; demonstrate that under quantum-state adversarial attacks, the generalization error depends solely on the Hilbert space dimension and is independent of the embedding scheme; and extend the analysis to multi-class classification, validating the bounds via numerical experiments. Results show that the generalization error converges at rate $O(1/sqrt{m})$, and quantum embeddings significantly alleviate the trade-off between adversarial robustness and generalization performance.

Quantum classifiers are vulnerable to adversarial attacks that manipulate their input classical or quantum data. A promising countermeasure is adversarial training, where quantum classifiers are trained by using an attack-aware, adversarial loss function. This work establishes novel bounds on the generalization error of adversarially trained quantum classifiers when tested in the presence of perturbation-constrained adversaries. The bounds quantify the excess generalization error incurred to ensure robustness to adversarial attacks as scaling with the training sample size $m$ as $1/sqrt{m}$, while yielding insights into the impact of the quantum embedding. For quantum binary classifiers employing extit{rotation embedding}, we find that, in the presence of adversarial attacks on classical inputs $mathbf{x}$, the increase in sample complexity due to adversarial training over conventional training vanishes in the limit of high dimensional inputs $mathbf{x}$. In contrast, when the adversary can directly attack the quantum state $ ho(mathbf{x})$ encoding the input $mathbf{x}$, the excess generalization error depends on the choice of embedding only through its Hilbert space dimension. The results are also extended to multi-class classifiers. We validate our theoretical findings with numerical experiments.