内容来源：https://www.quantamagazine.org/new-advances-bring-the-era-of-quantum-computers-closer-than-ever-20260403/

内容总结：

量子计算重大突破：破解加密的量子计算机或比预期更早到来

三十年前，数学家彼得·肖尔提出了一种基于量子力学原理的算法，理论上能令量子计算机在极短时间内解决传统计算机需数十亿年才能完成的两大数学难题，而这正是当今数字世界（包括网站、邮箱、银行账户等）安全体系的基石。长期以来，由于所需量子比特数量过于庞大，该算法仅被视为一种理论威胁。

近日，两项关键进展显著缩小了理论估算与现实机器之间的差距。加州理工学院的一支顶尖物理学家团队公布了一种新型量子计算机设计方案，称仅需数万量子比特即可能破解现行加密体系，并已成立公司（Oratomic）致力于建造该机器。与此同时，谷歌研究人员宣布开发出效率比以往最佳方法提升十倍的肖尔算法实施方案。

尽管目前尚无硬件能立即实现加密破解，但这些突破强烈暗示，强大的量子计算机可能在未来数年内而非数十年后成为现实。专家警告，依赖现有加密技术（如RSA和椭圆曲线加密）的机构应加速向能抵御量子攻击的新型加密方案迁移。美国国家标准与技术研究院已于2024年发布抗量子加密标准，美国政府计划在2035年前完成全面切换，谷歌则目标在2029年前弃用传统加密。

技术核心：中性原子与纠错码的融合

加州理工学院团队的设计关键在于结合了两大趋势：一是利用可被激光悬浮并灵活排列的“中性原子”作为量子比特，其天然适合执行复杂的量子纠错码；二是采用新型“量子低密度奇偶校验码”，该码能大幅减少构建一个可靠逻辑量子比特所需的物理量子比特数量，将效率从数千物理比特压缩至仅需四个原子即可构成一个逻辑比特，并能同时容忍多达24个严重错误。

团队通过机器学习辅助优化代码设计，并模拟演示了其系统破解主流加密方案的能力：使用10万个原子可在三个月内破解RSA加密；使用2.6万个原子可在数天内破解椭圆曲线加密。

挑战与展望

尽管前景令人振奋，实现该设计仍面临巨大工程挑战，例如需在计算过程中以毫秒级频率持续进行纠错并维持数天甚至数周，这一能力尚未得到验证。外部专家呼吁先在小规模系统（如100-1000量子比特）上演示其纠错技术的可行性。

若此类量子计算机得以建成，将标志量子计算从“嘈杂中型量子”时代迈入“容错”新时代。研究者们期待借此探索量子世界的深层奥秘，如高温超导材料模拟乃至时空的量子本质研究。

“我们终将实现它，”Oratomic公司首席执行官、物理学家多列夫·布卢夫斯坦表示，“与挚友共同建造世界首台量子计算机，还有比这更酷的人生追求吗？”

中文翻译：

量子计算机时代因新突破而前所未有地临近

引言
大约三十年前，数学家彼得·肖尔将一个原本小众的物理学构想——基于反直觉的量子力学规则建造计算机的梦想——变成了震撼世界的现实。

肖尔找到了一种方法，能让量子计算机快速解决几个经典计算机需要耗时数十亿年才能完成的数学问题。而这两个数学问题，恰恰是当时新兴数字世界的安全基石。几乎所有网站、收件箱和银行账户的可信度，都建立在"这两个问题无法被解决"的假设之上。肖尔的算法证明了这个假设是错误的。

三十年来，肖尔算法一直只是一个理论上的安全威胁。物理学家最初估计，运行该算法需要一个拥有数十亿量子比特（量子计算的基本单元）的庞大量子机器。多年来，这个估计值已大幅下降，最近降至一百万个量子比特。但它仍然远超现有量子计算机那有限的能力——后者通常只有几百个量子比特。

然而，两个不同的研究团队刚刚宣布的进展，显著缩小了理论估计与现实机器之间的差距。加州理工学院一支星光熠熠的量子物理学家团队公布了一款量子计算机的设计方案，该方案仅需数万个量子比特就能破解加密，并宣布已成立公司来建造这台机器。同时，谷歌的研究人员宣布，他们开发出了一种实现肖尔算法的新方法，其效率是之前最佳方法的十倍。

目前，两家公司都还不具备能破解加密的硬件。但这些成果印证了一些量子物理学家早已产生的猜测：强大的量子计算机可能在未来几年内出现，而非几十年。"如果你关心隐私或有秘密需要保护，那么你最好开始寻找替代方案，"布里斯托大学的数学物理学家尼古拉斯·布罗伊克曼说，他未参与上述任何一篇论文的研究。

尽管这些新成果可能会给守护我们数字基础设施的政策制定者和公司带来震动，但它们也标志着物理学家在建造能让他们更深入探索量子世界的机器方面，正取得快速进展。

"我们真的要着手实现它了，"加州理工学院物理学家、新公司Oratomic的首席执行官多列夫·布鲁夫斯坦说。

交汇之路
去年夏天，布鲁夫斯坦和他的合作者玛德琳·凯恩带着一个简单的问题来到加州理工学院：人们能想象建造的、有能力（例如）破解比特币钱包的最小量子计算机是什么样的？寻找答案需要他们和他们的新同事预测量子计算领域两大趋势可能在哪里交汇。

第一个趋势是一种灵活的新型量子比特的兴起：中性原子。

在过去十年中，物理学家不断精进其能力，能够将几十、几百，乃至最近数千个中性原子悬浮在激光束中，并按需排列。其他类型的量子比特，例如谷歌和IBM力推的超导电路，运算速度要快得多，但像传统晶体管一样被固定在特定位置，无法移动。

布鲁夫斯坦和凯恩曾在哈佛大学物理学家米哈伊尔·卢金的实验室工作，他们在2023年成功让280个中性原子运行了复杂的量子算法。不久之后，由加州理工学院曼努埃尔·恩德雷斯领导的小组创下了一项纪录，展示了同时操控6100个中性原子的能力，尽管当时并未用它们进行任何计算。

第二个量子趋势是纠错码效能的提升。

任何类型的量子比特都极易出错，使用它们进行计算需要持续不断的监控。纠错的黄金标准协议被称为"表面码"。你将量子比特排列成矩形网格，每个量子比特都与相邻的量子比特连接，然后使用整个区块来存储一个虚拟量子比特的信息。这样，当一些真实的量子比特出错时，虚拟量子比特能受到足够长时间的保护，以便你发现并修复那些出错的量子比特。表面码完全可靠且已被透彻理解，但需要数千个真实量子比特才能创建一个可靠的虚拟量子比特。而要进行精确计算，恰恰需要这些虚拟量子比特。

但在过去几年里，物理学家找到了一种方法，利用量子"低密度奇偶校验"码，可以大幅减少创建虚拟量子比特所需的真实量子比特数量。这些编码很棘手，因为它们需要将真实量子比特与阵列中相距较远的其他真实量子比特连接起来，而不仅仅是与邻居连接。但作为回报，它们能让你在给定尺寸的阵列中塞入更多的虚拟量子比特。中性原子天然适合这些编码，因为物理学家可以自由地将一个原子在阵列中移动，去与远处的原子会合。

布鲁夫斯坦和凯恩关于"最简单的能破解密码的量子计算机"的问题，变成了一个挑战：加州理工学院的物理学家们能在多大程度上将qLDPC码与中性原子技术相结合？他们开始与这些编码的专家钱旭、量子理论和机器学习专家罗伯特·黄，以及提供实验反馈的恩德雷斯合作。该大学资深理论物理学家约翰·普雷斯基尔——他在量子纠错领域有悠久的研究历史——为这个小组提供指导。

精心设计编码
这些新奇的qLDPC码有多种形式，选择使用哪一种通常需要权衡取舍。有些编码效率高，即每个虚拟量子比特不需要很多真实量子比特；另一些则效能强，即能够承受许多同时发生的错误。

但微小的调整可能导致性能的巨大变化。在qLDPC码方面做过开创性工作的布罗伊克曼将其比作烹饪：有时恰到好处的一小撮配料就能产生深远影响。该团队知道，制造更小、更强大的量子计算机的关键在于找到一种能平衡这两种优点的编码。钱旭确定了一个特别有前景的"配方"，而黄则着手完善它。

黄和他的学生们请来了一个由数学家设计的大型语言模型来帮忙。他们给了它qLDPC码的数学描述，然后让它自由发挥。最终，它反馈回来一种编码：效率高到仅用四个原子就能创建一个虚拟量子比特，效能强到足以承受20到24个灾难性错误。（相比之下，早期一种高性能qLDPC码需要12个真实量子比特才能创建一个虚拟量子比特，最多能处理12个灾难性错误。）这个大型语言模型还找到了一个高效的解码器，这是一种用于判断发生了何种错误并制定纠正计划的算法。

手握优越的编码和解码器，凯恩、钱旭和黄开发了在执行计算时对真实量子比特进行复杂操控的方法，同时始终保持对它们的保护。团队整合了一系列协议，并对执行速度做出了最佳估计。最后，研究人员模拟了他们的设计，以观察其运行肖尔算法的效果。

"我们整合了很多东西，"普雷斯基尔说。"当你做对了，结果会出人意料地令人鼓舞。"

团队成员模拟了不同的原子阵列，以了解每种规模破解两种主要加密方案（称为RSA和椭圆曲线密码术）的速度。他们得出结论：使用1万个原子，大约需要一个世纪才能破解常见形式的RSA加密。然而，使用10万个原子，则只需三个月。团队发现，同样被广泛使用的、更容易破解的ECC加密，可以被1万个原子的阵列在大约三年内攻克，或者被2.6万个原子的阵列在几天内攻克。

就在加州理工学院团队设计其梦想机器的同时，由克雷格·吉德尼领导的谷歌研究人员也在继续他们进行了多年的工作，不断提出更高效的执行肖尔算法的方法。2019年，吉德尼和一位合作者详细描述了一个量子程序，该程序能用2000万个量子比特在8小时内破解RSA加密。去年，他想出了一种用不到100万个量子比特实现的方法。

在与加州理工学院论文同一天发布的一份白皮书中，吉德尼和他的合作者宣布，他们开发出了一种专门用于破解ECC的新量子程序，其效率至少是之前程序的十倍。他们估计，大多数加密货币在一台拥有不到50万个量子比特的机器面前，几分钟内就会失守。

"椭圆曲线密码破解的实际时空成本降低十倍，意义极其重大，"普林斯顿大学物理学家、中性原子初创公司Logiqal的首席执行官杰夫·汤普森说。

谷歌对肖尔算法的高效实现以及加州理工学院的新协议表明，较小的量子计算机将能够完成比许多研究人员意识到的更宏大的任务。这也标志着一个转折点：研究人员开始隐藏那些竞争对手或恶意行为者可能觉得有用的关键细节。谷歌首次使用"零知识证明"来描述他们的工作，这是一种证明程序有效但不透露其具体工作原理的技术。

鉴于量子技术的快速进展，物理学家们表示，用新的、量子计算机无法破解的密码方案替换RSA和ECC至关重要。2024年，美国国家标准与技术研究院发布了新的密码标准，这些标准可以保护秘密免受经典计算机和量子计算机的攻击。美国政府已经制定了一项计划，准备在2035年前完全切换到这些新密码。但一些研究人员认为，关键参与者可能需要更快行动。例如，谷歌最近宣布其目标是到2029年停止依赖RSA和ECC。

"如果你正在考虑何时进行后量子密码过渡，你不应该再等待了，"汤普森说。"现在就是时候。"

量子梦想与现实
对于Oratomic公司能否建造出像物理学家们在论文中描述的那样强大的量子计算机，各方看法不一。对于中性原子计算领域的一位领军人物来说，加州理工学院团队的预测并不特别令人惊讶。"它们与我们和其他人的估计大体一致，"哈佛大学的卢金说，他也是中性原子初创公司QuEra Computing的创始人。"但在这些资源估算中，细节很重要，需要仔细推敲。"

一些关键细节仍然模糊——尤其是对加州理工学院团队最乐观预测至关重要的纠错步骤——这使得外部研究人员难以全面评估他们的主张。

其他研究人员对该团队的一些机械性能预期提出了质疑。例如，加州理工学院小组"对他们能实现的操作速度做出了激进的假设"，汤普森说。该小组在论文中声称，这台机器最终将能够每毫秒完成一次整个纠错过程——检查错误、解读发现、修复错误、替换任何偏离轨道的原子，并准备重新开始。

在计算运行期间，这台机器还必须将这种纠错节奏保持数天甚至数周，这是目前没有任何团队实现过的壮举。"我希望看到一个小规模的演示，比如100或1000个量子比特，"威斯康星大学麦迪逊分校物理学家、另一家中性原子初创公司Infleqtion的量子信息首席科学家马克·萨夫曼说。"向我证明你能完成一百万轮或类似的操作。"

加州理工学院团队知道他们的计划雄心勃勃，整合他们设想的所有部分将需要巨大的工程和技术努力。同时，物理学家们认为不存在不可逾越的障碍。"我们只需要建造这些机器，看看它们是否有效，"普雷斯基尔说。

新视野
如果有任何团队成功建造出能够实现肖尔算法的量子计算机，它将标志着一个时代的结束——具体来说，是普雷斯基尔在2018年一篇论文中命名的"嘈杂中型量子"时代的结束，即纠错前时期。每位研究人员都对在新的"容错"时代，首先用这样的机器追求什么有自己的愿景。

黄表示，他会先运行肖尔算法，只是为了证明设备有效。之后，他说他会尝试用它来加速机器学习——这一应用将在未来的工作中详述。

大多数建造量子计算机的架构师，无论是在Oratomic还是其他初创公司，本质上都是物理学家。他们感兴趣的是物理学，而不是密码学。具体来说，他们感兴趣的是，一台精通量子力学语言的计算机能教给他们关于量子领域的一切，例如哪些材料可能在常温下成为超导体。普雷斯基尔本人则希望模拟时空的量子本质。

加州理工学院团队知道，在他们的任何梦想有机会实现之前，还有多年的工作要做。但研究人员已经迫不及待要开始了。"还有什么人生追求能比和朋友们一起建造世界上第一台量子计算机更酷呢！"在论文上线前不久，通过电话联系到的布鲁夫斯坦兴奋地说道，随后便匆匆赶去庆祝了。

英文来源：

New Advances Bring the Era of Quantum Computers Closer Than Ever
Introduction
Some 30 years ago, the mathematician Peter Shor took a niche physics project — the dream of building a computer based on the counterintuitive rules of quantum mechanics — and shook the world.
Shor worked out a way for quantum computers to swiftly solve a couple of math problems that classical computers could complete only after many billions of years. Those two math problems happened to be the ones that secured the then-emerging digital world. The trustworthiness of nearly every website, inbox, and bank account rests on the assumption that these two problems are impossible to solve. Shor’s algorithm proved that assumption wrong.
For 30 years, Shor’s algorithm has been a security threat in theory only. Physicists initially estimated that they would need a colossal quantum machine with billions of qubits — the elements used in quantum calculations — to run it. That estimate has come down drastically over the years, falling recently to a million qubits. But it has still always sat comfortably beyond the modest capabilities of existing quantum computers, which typically have just hundreds of qubits.
However, two different groups of researchers have just announced advances that notably reduce the gap between theoretical estimates and real machines. A star-studded team of quantum physicists at the California Institute of Technology went public with a design for a quantum computer that could break encryption with only tens of thousands of qubits and said that it had formed a company to build the machine. And researchers at Google announced that they had developed an implementation of Shor’s algorithm that is ten times as efficient as the best previous method.
Neither company has the hardware to break encryption today. But the results underscore what some quantum physicists had already come to suspect: that powerful quantum computers may be years away, rather than decades. “If you care about privacy or you have secrets, then you better start looking for alternatives,” said Nikolas Breuckmann, a mathematical physicist at the University of Bristol, who did not work on either of the papers.
While the new results may provide a jolt for the policymakers and corporations that guard our digital infrastructure, they also signal the rapid progress that physicists have made toward building machines that will let them more thoroughly explore the quantum world.
“We’re going to actually do this,” said Dolev Bluvstein, a Caltech physicist and CEO of the new company, Oratomic.
Collision Path
Bluvstein and his collaborator Madelyn Cain came to Caltech last summer with a simple question: What is the smallest quantum computer one could imagine building that would have the juice to, say, hack a Bitcoin wallet? Finding the answer would require them and their new colleagues to project where two major trends in quantum computing might collide.
The first trend was the rise of a flexible new type of qubit: the neutral atom.
Over the last decade, physicists have refined their ability to suspend dozens, hundreds and, more recently, thousands of neutral atoms in laser beams and arrange them as they like. Other qubits, such as the superconducting circuits championed by Google and IBM, operate much more quickly but sit locked in place, like traditional transistors.
Bluvstein and Cain had been working in the lab of the Harvard physicist Mikhail Lukin, where they arranged for 280 neutral atoms to run sophisticated quantum algorithms in 2023. Soon afterward, a group led by Manuel Endres at Caltech set a record when it demonstrated the ability to manipulate 6,100 neutral atoms at once, although it did not perform any calculations with them.
The second quantum trend was an increase in the potency of error correcting codes.
Qubits of any sort are extremely error-prone, and computing with them will require constant vigilance. The gold-standard protocol for error correction is called the surface code. You lay qubits out in a rectangular grid, with each one linked to its neighbor, and use the whole block to store one virtual qubit of information. Then, when some of the real qubits go haywire, the virtual qubit stays protected long enough for you to find and fix the rogue qubits. The surface code is completely reliable and thoroughly understood, but it would take thousands of real qubits to create one reliable virtual qubit. And the virtual qubits are the ones you need to perform an accurate calculation.
But over the last few years, physicists have found a way to dramatically reduce the number of real qubits they need to create the virtual ones, using quantum “low-density parity-check” (qLDPC) codes. The codes are tricky because they require linking up the real qubits to other real qubits that are far away in the array, as opposed to just their neighbors. But in return, they let you pack many more virtual qubits into an array of a given size. Neutral atoms are a natural fit for these codes, because physicists can freely move one atom across an array to meet a distant atom.
Bluvstein and Cain’s question about the simplest code-cracking quantum computer became a challenge: How far could the Caltech physicists tailor qLPDC codes to the neutral atom technology? They started working with Qian Xu, an expert in those codes; Robert Huang, an expert in quantum theory and machine learning; and Endres, for experimental feedback. John Preskill, a senior theoretical physicist at the university with a long history in the field of quantum error correction, advised the group.
Cooking Up Codes
These funky new qLDPC codes come in many forms, and choosing which one to use typically involves a tradeoff. Some are efficient, in that each virtual qubit doesn’t require many real qubits; others are effective, in that they can withstand many simultaneous errors.
But small tweaks can lead to big changes in performance. Breuckmann, who has done pioneering work on qLDPC codes, likens it to cooking: Sometimes a pinch of just the right ingredient can go a long way. The team knew that the key to a smaller, more powerful quantum computer would be finding a code that balanced both virtues. Xu identified a particularly promising recipe, and Huang set off to perfect it.
Huang and his students recruited a large language model (LLM) designed by mathematicians to help. They gave it a mathematical description of qLDPC codes and set it loose. Eventually it came back with a code efficient enough to make one virtual qubit from just four atoms and effective enough to withstand 20 to 24 catastrophic errors. (By contrast, an earlier high-performing qLDPC code needed 12 real qubits for each virtual qubit and could handle up to 12 catastrophic errors.) The LLM also found an efficient decoder, an algorithm for figuring out what kinds of errors have occurred and devising a plan to correct them.
With a superior code and decoder in hand, Cain, Xu, and Huang developed ways to pull off the intricate manipulations of the real qubits required to perform calculations, all while keeping them protected. The team assembled a string of protocols and made its best estimates for how fast it would execute them. Finally, the researchers simulated their design to see how well it would run Shor’s algorithm.
“We put together a lot of things,” Preskill said. “When you do it right, the answer turns out to be surprisingly encouraging.”
The team members simulated different atomic arrays to get a sense of how fast each size could crack the two main encryption schemes, called Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC). They concluded that they would be able break the common form of RSA in about a century using 10,000 atoms. Using 100,000 atoms, however, it would take only three months. The team found that the easier-to-crack ECC encryption, which is also widely used, would be overcome by an array of 10,000 atoms in about three years, or to 26,000 atoms in a few days.
At the same time the Caltech team was designing its dream machine, researchers at Google led by Craig Gidney were continuing work they had done for years, coming up with ever more efficient ways of executing Shor’s algorithm. In 2019, Gidney and a collaborator detailed a quantum program that could break RSA encryption in eight hours with 20 million qubits. Last year, he came up with a way of doing it with fewer than a million qubits.
In a white paper posted the same day as the Caltech paper, Gidney and his collaborators announced that they had developed a new quantum procedure specifically for breaking ECC that was at least 10 times as efficient than previous procedures. They estimated that most cryptocurrencies would yield in minutes to a machine with fewer than 500,000 qubits.
“That tenfold reduction in the actual space-time cost of elliptic curve code breaking is hugely significant,” said Jeff Thompson, a physicist at Princeton University and CEO of the neutral atoms startup Logiqal.
Google’s efficient implementation of Shor’s algorithm and Caltech’s new protocol suggest that smaller quantum computers will be able to pull off bigger feats than many researchers had realized. They also mark a turning point at which researchers are beginning to conceal crucial details that competitors or bad actors might find useful. For the first time, Google described their work using a “zero knowledge proof,” a technique for revealing that a program works without revealing exactly how it works.
Given the rapid quantum progress, physicists say that switching out RSA and ECC for new cryptographic schemes that quantum computers can’t break is essential. In 2024, the National Institute of Standards and Technology published new codes that can keep secrets safe from both classical and quantum computers. And the U.S. government has laid out a plan to completely switch to these new codes by 2035. But some researchers believe that key players may need to act more quickly. Google, for instance, recently announced that it aims to stop relying on RSA and ECC by 2029.
“If you were thinking about when you were going to do a post-quantum crypto transition, you should not be waiting any longer,” Thompson said. “This is the time to do it.”
Quantum Dreams vs. Reality
Opinions range on how plausible it will be for Oratomic to build a quantum computer as formidable as the one the physicists have described on paper. To one leader of neutral atom computing, the Caltech team’s projections are not particularly surprising. “They are broadly in line with what we and others have estimated,” said Lukin of Harvard, a founder of the neutral atom startup QuEra Computing. “But in these resource estimates details matter and it is important to work them out carefully.”
And a few key details remain vague — notably error correction steps crucial to the Caltech team’s rosiest projections — making it hard for external researchers to fully evaluate their claims.
Other researchers question some of the team’s mechanical expectations. For example, the Caltech group made “aggressive assumptions about the speed of operations they can do,” Thompson said. The group claims in its paper that the machine will eventually be able pull off the entire error correction process — check for errors, interpret what it finds, fix the errors, replace any atoms that have gone astray, and prepare to do it all over again — once every millisecond.
The machine would also have to keep up that cadence of error correction for days or even weeks while a computation runs, a feat no group has accomplished. “I’d like to see a demonstration on a smaller scale, say, 100 or 1,000 qubits,” said Mark Saffman, a physicist at the University of Wisconsin-Madison and chief scientist for quantum information at Infleqtion, another neutral atom startup. “Show me that you can do a million rounds or something.”
The Caltech team knows its plan is ambitious and that integrating all the parts it has in mind will require a tremendous engineering and technological effort. At the same time, the physicists don’t see any insurmountable obstacles. “We just have to build these machines and see if they work,” Preskill said.
New Horizons
If any group succeeds at building a quantum computer that can realize Shor’s algorithm, it will mark the end an era — specifically, the “Noisy Intermediate Scale Quantum” era, as Preskill dubbed the pre-error-correction period in a 2018 paper. Each researcher has a vision for what to pursue first with a machine in the new “fault-tolerant” era.
Huang said he would start by running Shor’s algorithm, just to prove that the device works. After that, he said he would try to use it to speed up machine learning — an application to be detailed in coming work.
Most of the architects building quantum computers, whether at Oratomic or other startups, are physicists at heart. They’re interested in physics, not cryptography. Specifically, they’re interested in all the things a computer fluent in the language of quantum mechanics could teach them about the quantum realm, such as what sort of materials might become superconductors even at warm temperatures. Preskill, for his part, would like to simulate the quantum nature of space-time.
The Caltech group knows it has years of work ahead before any of its dreams have a chance of coming true. But the researchers can’t wait to get started. “Pick a cooler life quest than building the world’s first quantum computer with your friends!” said a jubilant Bluvstein, reached by phone shortly before their paper went live, before rushing off to celebrate.