内容来源：https://blog.google/innovation-and-ai/technology/safety-security/the-quantum-era-is-coming-are-we-ready-to-secure-it/

内容总结：

量子时代将至，数据安全防线如何筑牢？

量子计算时代正加速到来。这项颠覆性技术有望在药物研发、材料科学、能源等领域解决传统计算机无法攻克的难题，但同时也对当前全球数字安全体系构成了严峻挑战。量子计算机未来将能破解广泛使用的公钥加密系统，这意味着金融交易、私人通讯、商业机密乃至国家敏感信息都可能面临泄露风险。

尽管完全成熟的量子计算机尚未面世，但“先存储后解密”的攻击模式可能已经发生——恶意行为者正在收集和囤积加密数据，等待未来用量子技术破解。为应对这一威胁，全球科技界与标准组织已积极行动。美国国家标准与技术研究院（NIST）于2024年发布了首批后量子密码学（PQC）标准，旨在构建能够抵御量子计算攻击的新一代加密算法。

谷歌等科技企业自2016年起即启动布局，通过提升“密码敏捷性”、推进内部系统与产品迁移、构建抗量子安全生态等方式，加速向PQC过渡。然而，全面迎接量子时代需要社会各方协同努力。对此，专家向政策制定者提出五项关键建议：

一、推动全社会特别是关键基础设施迁移，消除能源、通信、医疗等重点行业的转型障碍，并与证书机构协同强化数字信任体系。
二、将PQC嵌入人工智能发展基础，为AI创新的长期经济价值构建安全底座。
三、减少全球标准碎片化，积极推广基于NIST标准的国际通用方案，避免局部性、低安全性解决方案。
四、倡导“云优先”的现代化路径，鼓励通过迁移至云端高效部署PQC，避免公共资源重复投入老旧系统改造。
五、建立专家常态化沟通机制，持续跟踪量子计算进展，动态调整安全战略。

量子计算将重塑未来，但其带来的安全挑战需未雨绸缪。唯有通过跨领域协作，构建敏捷、稳固的后量子安全体系，才能确保量子时代由技术突破驱动，而非被安全危机所定义。

中文翻译：

量子时代即将来临，我们是否已准备好守护它的安全？

世界正站在解决药物研发、材料科学、能源等领域"不可能难题"的门槛上。这一切的推动力源于量子计算机——它能破解连最强大的经典超级计算机都束手无策的难题，具备同时识别并评估多重可能性的超凡能力。但值得警惕的是，这种破解科学谜题的独特本领，也将使其能轻易突破现有的数字防线，例如保护银行转账、私密对话、商业机密乃至国家机密的公钥密码体系。

简而言之：当前保障信息机密的加密技术，在未来几年内很可能被大规模量子计算机轻易破解。

尽管完全成熟的量子计算机尚未问世，但恶意攻击者绝不会坐等"密码学相关量子计算机"（CRQC）准备就绪。他们极可能已在实施"先窃密，后解密"的攻击，大量收集加密数据，只待量子计算机为其解锁的那一天。

我们该如何应对？一言以蔽之：未雨绸缪。

过去十年间，量子计算研究已将破解2048位RSA加密（左图）与模拟实用分子（右图）等难题所需的资源预估降低了数个数量级。

今天，我们将分享量子时代用户安全防护工作的最新进展，并为政策制定者提供若干强化全民安全的建议。

首先需要明确：面对攻击者窃取数据以待未来量子解密的行为，安全领域从未袖手旁观。密码学专家已研发出能抵御未来大规模量子计算机的后量子密码学（PQC）算法。经过多年国际协作，美国国家标准与技术研究院（NIST）于2024年正式颁布了首套PQC标准。

随着量子计算软硬件持续突破，谷歌并未将现行过渡方案视为终极答案。自2016年起，我们便着手布局后量子时代：开展PQC前沿实验，在产品中部署后量子功能，并通过威胁模型与技术白皮书分享专业知识。

自2016年启动PQC转型以来，我们始终聚焦"密码敏捷性"——在不中断服务的前提下更新或替换密码算法。

迎接量子时代需要研究与行动的双重投入。我们正全力推进两方面工作：

研究并更新PQC时间线：在符合安全要求的前提下，我们将分享关于破解非对称加密、数字签名等公钥密码学最新所需条件的研究成果。这项研究有助于揭示PQC迁移时间表的影响，以及CRQC将对医疗、金融等特定领域产生的冲击。

完成PQC迁移：我们正按计划在NIST现行指南下稳步推进PQC安全迁移，并已开始在内部运营与产品基础设施中部署PQC。为实现向后量子安全态的平稳过渡，我们聚焦三大关键领域：密码敏捷性、关键共享基础设施防护、促进生态转型，以此构建持久稳固的安全基石。

这些承诺体现了我们对数字经济长远完整性的深度投入。但放眼全局，我们深知即便在量子时代，安全防护仍是团队协作的赛场。以下五项建议可协助政策制定者引领这场变革：

政策制定者迎接量子时代的五项行动纲领

• 凝聚全社会合力，聚焦关键基础设施：政策制定者的工作应超越公共部门网络范畴，着力弥补能源、通信、医疗等关键领域的安全缺口与壁垒（包括人才短缺问题）。守护数字系统背后的信任基础设施至关重要，需要与证书颁发机构开展专项协作。我们必须加速推进这项进程。

• 确保人工智能构建于PQC基石之上：密码学是AI系统的安全支柱，我们对AI的依赖越深，就越需要筑牢其根基。应将PQC视为释放AI创新持久经济潜力的必要基础。

• 减少全球体系碎片化：我们需要统一的应对方案。值得庆幸的是，NIST的量子防御密码标准提供了全球公认、可扩展的安全基准——若能广泛采纳，将助力我们加速推进，避免局部性、不安全的解决方案。

• 推行"云优先"现代化战略：向新密码标准过渡任务艰巨，而PQC为迁移至云端提供了新的强劲动力。与其投入公共预算升级遗留系统和硬编码密码，政府更应优先推动这些系统上云，借助谷歌云等提供商正在全球网络部署PQC的现有成果。

• 借力专家智慧，规避战略突袭：CRQC的到来并非"永远还有十年"。虽然无人能精准预测其出现时间，但与谷歌量子AI团队等研究机构专家保持持续对话，将帮助政策制定者抢占新兴威胁的先机。

核心要义在于：我们相信量子计算能助力塑造更光明的未来——但这需要全社会协同努力，确保量子时代以突破而非崩坏为标志。唯有同心协力，我们才能筑牢今日之基，成就明日之安。

英文来源：

The quantum era is coming. Are we ready to secure it?
The world is on the threshold of solving impossible problems in drug discovery, materials science, energy, and beyond.
That’s because of quantum computers — computers capable of solving problems that even the most powerful classical supercomputers can’t. They’re able to identify and consider different options at the same time. Concerningly, their unique ability to unravel scientific mysteries will also allow them to bypass our current digital locks, like the public-key cryptosystems that protect things like bank transfers, private chats, trade secrets and even classified information.
To put that plainly: The encryption currently used to keep your information confidential and secure could easily be broken by a large-scale quantum computer in coming years.
And while we’re not there yet, malicious actors are not waiting until a Cryptographically Relevant Quantum Computer (CRQC) is ready. They are likely already carrying out “store now, decrypt later” attacks and collecting encrypted data, just waiting for the day when a quantum computer can unlock it.
So what do we do about that? In short: Get ready.
Over the last decade, quantum computing research has reduced by orders of magnitude the estimated resources required to solve problems like breaking 2048-bit RSA encryption (left) and simulating useful molecules (right).
Today, we are sharing an update to our work to keep users safer in the quantum era, and making a few suggestions for how policymakers can help everyone be more secure.
First, some context: The security community hasn’t been sitting idly by as bad actors harvest data for future quantum-powered decryption attacks.
Cryptography experts have already developed post-quantum cryptography (PQC) based on algorithms designed to be resistant to future large-scale quantum computers. After a multi-year international process, America's National Institute Standards & Technology (NIST) announced the first set of these standards in 2024.
And with quantum computing hardware and software continuing to progress, Google isn't taking current transition guidelines for granted. We have been preparing for a post-quantum world since 2016, conducting pioneering experiments with post-quantum cryptography, rolling out post-quantum capabilities in our products, and sharing our expertise through threat models and technical papers.
Since 2016, we’ve been working towards the transition to PQC, focusing on “crypto agility,” updating or replacing cryptographic algorithms without disrupting services.
Preparing for the quantum era requires a dual commitment to research and action. We’re all in on both fronts, so let’s take each of these in turn:
Researching and updating PQC timelines: Where consistent with security considerations, we’ll share findings from our research that provide insights on the latest requirements needed to break public-key cryptography including asymmetric encryption and digital signatures. This research helps to show the impact on PQC migration timelines and how a CRQC will affect individual sectors like health and finance.
Completing PQC migrations: We are on track to complete a PQC migration safely within NIST’s current guidelines and we’ve begun rolling out PQC within our infrastructure for internal operations and products. To successfully migrate to a safer post-quantum state we’re focused on three key areas: Crypto agility, securing critical shared infrastructure, and facilitating ecosystem shifts, which can create a long-term and more robust security infrastructure.
These commitments reflect our deep investment in the long-term integrity of our digital economy. But as we zoom out, we know that even in the quantum era, security will be a team sport. Here are five recommendations to help policymakers manage the shift.
Five actions policymakers can take to prepare for the quantum era

• Drive society-wide momentum, especially for critical infrastructure: Policymakers’ efforts should extend beyond public sector networks, to addressing gaps and barriers (including workforce challenges) in vital sectors like energy, telecommunications and healthcare. Protecting the trust infrastructure behind digital systems is also key and calls for dedicated efforts together with certificate authorities. We need to accelerate progress.
• Ensure AI is built with PQC in mind: Cryptography secures AI systems, and the more we rely on AI, the more we need to secure its foundation. Let’s treat PQC as a necessary foundation for the enduring economic potential of AI innovation.
• Reduce global fragmentation: We need a unified approach. Helpfully, the NIST standards for quantum-proof cryptography provide a globally agreed, scalable and secure benchmark — if widely adopted, they can help us move more quickly, avoiding partial, insecure solutions.
• Promote Cloud-first modernization: Transitioning to new cryptographic standards will be a heavy lift and PQC provides another compelling reason to migrate to the Cloud. Rather than investing public budgets to update legacy systems and hard-coded cryptography, governments should prioritize migrating those systems to the cloud, taking advantage of the work providers like Google Cloud are doing now to enable PQC across their global networks.
• Lean on the experts to avoid strategic surprise: A CRQC is not "forever a decade away.” While no one knows precisely when it will arrive, ongoing dialogue with experts from research institutions and groups like Google's Quantum AI team will help policymakers stay ahead of emerging threats.
  Here’s the bottom line: We believe quantum computing can help shape a brighter tomorrow — but we need an all-hands-on-deck approach to make sure the quantum era is defined by breakthroughs, not breakdowns. Working together we can prepare today and promote greater security tomorrow.