What AI Coding Assistants Do Well
AI coding assistants are genuinely good at post-quantum library integration. Ask Claude Code to add Dilithium signing to a Rust API and it will:
1. Add pqcrypto-dilithium to Cargo.toml
2. Import the correct types
3. Generate a keypair at startup
4. Sign responses with the secret key
5. Expose a verification endpoint
6. Write tests that pass
This is real, working, correct code. The signatures are valid ML-DSA-65. The key exchange uses ML-KEM-768. It compiles. It tests green. It deploys.
And it's missing approximately 95% of what a production post-quantum system requires.
The Nine Things AI Misses
1. Key lifecycle. The AI generates a keypair at application startup. Where is the secret key stored between restarts? How is it rotated? What happens when it's compromised? Who has access? Is it wrapped with a key-encryption-key? Is the KEK post-quantum? The AI doesn't ask these questions because the library doesn't require answers to them.
2. Threshold signing. A single Dilithium key is a single point of failure. The $200M Drift Protocol hack was a single key compromise. The AI wires one key. Production requires k-of-n: three of five independent signers, each on separate infrastructure, each with their own key pair. No single compromise can authorize a transaction.
3. Hybrid schemes. NIST recommends hybrid classical + post-quantum schemes during the transition period (SP 1800-38). The AI adds Dilithium alone. Production should have Ed25519 + Dilithium (defense-in-depth) or Ed25519 + Dilithium + FALCON (triple nested, independent lattice families). If one algorithm family breaks, the others survive.
4. FHE for data-in-use. Kyber encrypts data in transit. AES encrypts data at rest. Neither encrypts data in use. When your server processes a biometric template, a medical record, or a financial transaction, the data is decrypted in memory. Fully Homomorphic Encryption processes data without decryption. No AI coding assistant builds an FHE engine from a library call.
5. Zero-knowledge proofs. Proving a fact about data without revealing it — age verification without birthdate, identity without PII, compliance without source code — requires a proof system. STARK proofs are post-quantum (hash-based). The AI doesn't add them because no single library call produces a STARK proof tied to your application's specific constraints.
6. Audit trail attestation. Every access event needs a cryptographic proof. Who accessed what, when, authorized by whom. Each proof must be tamper-evident, recursively accumulated (one proof covers all events), and independently verifiable. The AI adds logging. Production requires STARK-attested, chain-hashed, recursively accumulated proof chains.
7. Identity binding. A Dilithium public key is 1,952 bytes of math. It's not bound to a person, a device, or a biometric. Soulbound identity requires a DID, a biometric commitment (FHE-encrypted template hash), MFA factors, a trust score, and a non-transferable token. The AI creates a key. Production requires an identity.
8. Proof privacy. If the same server generates and verifies proofs, it can fingerprint the submission. Proof re-randomization (blinding the proof after generation so the server can't correlate submissions) requires cryptographic infrastructure that doesn't exist in any library. H33 built the first STARK re-randomization scheme.
9. Scoring and attestation. How do you know the code you just wrote is actually secure? HICS scores codebases across five dimensions with a STARK-attested, Dilithium-signed certificate. The AI writes code. HICS grades it. The proof is mathematical.
What AI Should Do Instead
The right use of AI coding assistants for post-quantum security is not building the infrastructure. It's calling it:
use h33::auth;
let result = auth::full_pipeline(biometric, user_id).await;
One call. FHE biometric matching + STARK proof + Dilithium attestation + soulbound identity binding + epoch-evolved nullifier + recursive accumulator fold. 38.5 microseconds. The AI writes the integration. H33 provides the pipeline.
The AI is the developer. The library is the tool. The pipeline is the product.
Score your AI-generated code with HICS. Free. Local. No account. The algorithm is the authority.