RustCrypto · tarcieri · Oct 16, 2025 · Sep 10, 2025 · Sep 16, 2025 · Sep 16, 2025
diff --git a/dsa/src/generate.rs b/dsa/src/generate.rs
@@ -7,15 +7,15 @@ mod keypair;
 #[cfg(feature = "hazmat")]
 mod secret_number;
 
-pub use self::components::common as common_components;
+pub(crate) use self::components::common as common_components;
 #[cfg(feature = "hazmat")]
-pub use self::secret_number::{secret_number, secret_number_rfc6979};
+pub(crate) use self::secret_number::{secret_number, secret_number_rfc6979};
 
 #[cfg(feature = "hazmat")]
-pub use self::keypair::keypair;
+pub(crate) use self::keypair::keypair;
 
 #[cfg(all(feature = "hazmat", feature = "pkcs8"))]
-pub use self::components::public as public_component;
+pub(crate) use self::components::public as public_component;
 
 /// Calculate the upper and lower bounds for generating values like p or q
 #[inline]

diff --git a/dsa/src/generate/components.rs b/dsa/src/generate/components.rs
@@ -22,7 +22,7 @@ use {crate::Components, crypto_bigint::subtle::CtOption};
 /// # Returns
 ///
 /// Tuple of three `BoxedUint`s. Ordered like this `(p, q, g)`
-pub fn common<R: CryptoRng + ?Sized>(
+pub(crate) fn common<R: CryptoRng + ?Sized>(
     rng: &mut R,
     KeySize { l, n }: KeySize,
 ) -> (Odd<BoxedUint>, NonZero<BoxedUint>, NonZero<BoxedUint>) {
@@ -88,7 +88,10 @@ pub fn common<R: CryptoRng + ?Sized>(
 /// Calculate the public component from the common components and the private component
 #[cfg(feature = "hazmat")]
 #[inline]
-pub fn public(components: &Components, x: &NonZero<BoxedUint>) -> CtOption<NonZero<BoxedUint>> {
+pub(crate) fn public(
+    components: &Components,
+    x: &NonZero<BoxedUint>,
+) -> CtOption<NonZero<BoxedUint>> {
     let p = components.p();
     let g = components.g();
 

diff --git a/dsa/src/generate/keypair.rs b/dsa/src/generate/keypair.rs
@@ -9,7 +9,7 @@ use signature::rand_core::CryptoRng;
 
 /// Generate a new keypair
 #[inline]
-pub fn keypair<R: CryptoRng + ?Sized>(rng: &mut R, components: Components) -> SigningKey {
+pub(crate) fn keypair<R: CryptoRng + ?Sized>(rng: &mut R, components: Components) -> SigningKey {
     #[inline]
     fn find_non_zero_x<R: CryptoRng + ?Sized>(
         rng: &mut R,

diff --git a/dsa/src/generate/secret_number.rs b/dsa/src/generate/secret_number.rs
@@ -20,7 +20,7 @@ fn truncate_hash(hash: &[u8], desired_size: usize) -> &[u8] {
 ///
 /// Secret number k and its modular multiplicative inverse with q
 #[inline]
-pub fn secret_number_rfc6979<D>(
+pub(crate) fn secret_number_rfc6979<D>(
     signing_key: &SigningKey,
     hash: &[u8],
 ) -> Result<(BoxedUint, BoxedUint), signature::Error>
@@ -62,7 +62,7 @@ where
 ///
 /// Secret number k and its modular multiplicative inverse with q
 #[inline]
-pub fn secret_number<R: TryCryptoRng + ?Sized>(
+pub(crate) fn secret_number<R: TryCryptoRng + ?Sized>(
     rng: &mut R,
     components: &Components,
 ) -> Result<Option<(BoxedUint, BoxedUint)>, signature::Error> {

diff --git a/dsa/src/lib.rs b/dsa/src/lib.rs
@@ -1,6 +1,6 @@
 #![no_std]
 #![forbid(unsafe_code)]
-#![warn(missing_docs, rust_2018_idioms)]
+#![warn(missing_docs, rust_2018_idioms, unreachable_pub)]
 #![doc = include_str!("../README.md")]
 #![doc(
     html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg",

diff --git a/ecdsa/src/dev.rs b/ecdsa/src/dev.rs
@@ -224,7 +224,7 @@ macro_rules! new_wycheproof_test {
             }
 
             impl TestVector {
-                pub fn pass(&self) -> bool {
+                pub(crate) fn pass(&self) -> bool {
                     match self.pass_ {
                         &[0] => false,
                         &[1] => true,

diff --git a/ecdsa/src/lib.rs b/ecdsa/src/lib.rs
@@ -20,7 +20,8 @@
     missing_docs,
     rust_2018_idioms,
     unused_lifetimes,
-    unused_qualifications
+    unused_qualifications,
+    unreachable_pub
 )]
 
 //! ## `serde` support

diff --git a/ed25519/src/lib.rs b/ed25519/src/lib.rs
@@ -9,7 +9,8 @@
     missing_docs,
     rust_2018_idioms,
     unused_lifetimes,
-    unused_qualifications
+    unused_qualifications,
+    unreachable_pub
 )]
 
 //! # Using Ed25519 generically over algorithm implementations/providers

diff --git a/ed448/src/lib.rs b/ed448/src/lib.rs
@@ -9,7 +9,8 @@
     missing_docs,
     rust_2018_idioms,
     unused_lifetimes,
-    unused_qualifications
+    unused_qualifications,
+    unreachable_pub
 )]
 
 //! # Using Ed448 generically over algorithm implementations/providers

diff --git a/lms/src/constants.rs b/lms/src/constants.rs
@@ -1,13 +1,13 @@
 //! Constants as defined in RFC 8554
 
 /// The length of the identifier `I`
-pub const ID_LEN: usize = 16;
+pub(crate) const ID_LEN: usize = 16;
 
 /// `D_PBLC`
-pub const D_PBLC: [u8; 2] = [0x80, 0x80];
+pub(crate) const D_PBLC: [u8; 2] = [0x80, 0x80];
 /// `D_MESG`
-pub const D_MESG: [u8; 2] = [0x81, 0x81];
+pub(crate) const D_MESG: [u8; 2] = [0x81, 0x81];
 /// `D_LEAF`
-pub const D_LEAF: [u8; 2] = [0x82, 0x82];
+pub(crate) const D_LEAF: [u8; 2] = [0x82, 0x82];
 /// `D_INTR`
-pub const D_INTR: [u8; 2] = [0x83, 0x83];
+pub(crate) const D_INTR: [u8; 2] = [0x83, 0x83];
diff --git a/lms/src/lib.rs b/lms/src/lib.rs
@@ -1,3 +1,5 @@
+#![warn(unreachable_pub)]
+
 //! LMS in Rust
 //!
 //! This is a strongly typed implementation of Leighton-Micali signatures. You

diff --git a/lms/src/types.rs b/lms/src/types.rs
@@ -10,4 +10,4 @@ pub trait Typecode {
 }
 
 /// The 16 byte identifier I from the LM-OTS algorithm.
-pub type Identifier = [u8; ID_LEN];
+pub(crate) type Identifier = [u8; ID_LEN];
diff --git a/ml-dsa/src/algebra.rs b/ml-dsa/src/algebra.rs
@@ -1,5 +1,5 @@
-pub use crate::module_lattice::algebra::Field;
-pub use crate::module_lattice::util::Truncate;
+pub(crate) use crate::module_lattice::algebra::Field;
+pub(crate) use crate::module_lattice::util::Truncate;
 use hybrid_array::{
     ArraySize,
     typenum::{Shleft, U1, U13, Unsigned},
@@ -10,19 +10,19 @@ use crate::module_lattice::algebra;
 
 define_field!(BaseField, u32, u64, u128, 8_380_417);
 
-pub type Int = <BaseField as Field>::Int;
+pub(crate) type Int = <BaseField as Field>::Int;
 
-pub type Elem = algebra::Elem<BaseField>;
-pub type Polynomial = algebra::Polynomial<BaseField>;
-pub type Vector<K> = algebra::Vector<BaseField, K>;
-pub type NttPolynomial = algebra::NttPolynomial<BaseField>;
-pub type NttVector<K> = algebra::NttVector<BaseField, K>;
-pub type NttMatrix<K, L> = algebra::NttMatrix<BaseField, K, L>;
+pub(crate) type Elem = algebra::Elem<BaseField>;
+pub(crate) type Polynomial = algebra::Polynomial<BaseField>;
+pub(crate) type Vector<K> = algebra::Vector<BaseField, K>;
+pub(crate) type NttPolynomial = algebra::NttPolynomial<BaseField>;
+pub(crate) type NttVector<K> = algebra::NttVector<BaseField, K>;
+pub(crate) type NttMatrix<K, L> = algebra::NttMatrix<BaseField, K, L>;
 
 // We require modular reduction for three moduli: q, 2^d, and 2 * gamma2.  All three of these are
 // greater than sqrt(q), which means that a number reduced mod q will always be less than M^2,
 // which means that barrett reduction will work.
-pub trait BarrettReduce: Unsigned {
+pub(crate) trait BarrettReduce: Unsigned {
     const SHIFT: usize;
     const MULTIPLIER: u64;
 
@@ -50,7 +50,7 @@ where
     const MULTIPLIER: u64 = (1 << Self::SHIFT) / M::U64;
 }
 
-pub trait Decompose {
+pub(crate) trait Decompose {
     fn decompose<TwoGamma2: Unsigned>(self) -> (Elem, Elem);
 }
 
@@ -71,7 +71,7 @@ impl Decompose for Elem {
 }
 
 #[allow(clippy::module_name_repetitions)] // I can't think of a better name
-pub trait AlgebraExt: Sized {
+pub(crate) trait AlgebraExt: Sized {
     fn mod_plus_minus<M: Unsigned>(&self) -> Self;
     fn infinity_norm(&self) -> Int;
     fn power2round(&self) -> (Self, Self);

diff --git a/ml-dsa/src/crypto.rs b/ml-dsa/src/crypto.rs
@@ -6,7 +6,7 @@ use sha3::{
 
 use crate::module_lattice::encode::ArraySize;
 
-pub enum ShakeState<Shake: ExtendableOutput> {
+pub(crate) enum ShakeState<Shake: ExtendableOutput> {
     Absorbing(Shake),
     Squeezing(Shake::Reader),
 }
@@ -18,14 +18,14 @@ impl<Shake: ExtendableOutput + Default> Default for ShakeState<Shake> {
 }
 
 impl<Shake: ExtendableOutput + Default + Clone> ShakeState<Shake> {
-    pub fn updatable(&mut self) -> &mut Shake {
+    pub(crate) fn updatable(&mut self) -> &mut Shake {
         match self {
             Self::Absorbing(sponge) => sponge,
             Self::Squeezing(_) => unreachable!(),
         }
     }
 
-    pub fn absorb(mut self, input: &[u8]) -> Self {
+    pub(crate) fn absorb(mut self, input: &[u8]) -> Self {
         match &mut self {
             Self::Absorbing(sponge) => sponge.update(input),
             Self::Squeezing(_) => unreachable!(),
@@ -34,7 +34,7 @@ impl<Shake: ExtendableOutput + Default + Clone> ShakeState<Shake> {
         self
     }
 
-    pub fn squeeze(&mut self, output: &mut [u8]) -> &mut Self {
+    pub(crate) fn squeeze(&mut self, output: &mut [u8]) -> &mut Self {
         match self {
             Self::Absorbing(sponge) => {
                 // Clone required to satisfy borrow checker
@@ -50,15 +50,15 @@ impl<Shake: ExtendableOutput + Default + Clone> ShakeState<Shake> {
         self
     }
 
-    pub fn squeeze_new<N: ArraySize>(&mut self) -> Array<u8, N> {
+    pub(crate) fn squeeze_new<N: ArraySize>(&mut self) -> Array<u8, N> {
         let mut v = Array::default();
         self.squeeze(&mut v);
         v
     }
 }
 
-pub type G = ShakeState<Shake128>;
-pub type H = ShakeState<Shake256>;
+pub(crate) type G = ShakeState<Shake128>;
+pub(crate) type H = ShakeState<Shake256>;
 
 #[cfg(test)]
 mod test {

diff --git a/ml-dsa/src/encode.rs b/ml-dsa/src/encode.rs
@@ -26,18 +26,18 @@ where
     type EncodingSize = Length<Sum<A, B>>;
 }
 
-pub type RangeMin<A, B> = <(A, B) as RangeEncodingSize>::Min;
-pub type RangeMax<A, B> = <(A, B) as RangeEncodingSize>::Max;
-pub type RangeEncodingBits<A, B> = <(A, B) as RangeEncodingSize>::EncodingSize;
-pub type RangeEncodedPolynomialSize<A, B> =
+pub(crate) type RangeMin<A, B> = <(A, B) as RangeEncodingSize>::Min;
+pub(crate) type RangeMax<A, B> = <(A, B) as RangeEncodingSize>::Max;
+pub(crate) type RangeEncodingBits<A, B> = <(A, B) as RangeEncodingSize>::EncodingSize;
+pub(crate) type RangeEncodedPolynomialSize<A, B> =
     <RangeEncodingBits<A, B> as EncodingSize>::EncodedPolynomialSize;
-pub type RangeEncodedPolynomial<A, B> = Array<u8, RangeEncodedPolynomialSize<A, B>>;
-pub type RangeEncodedVectorSize<A, B, K> =
+pub(crate) type RangeEncodedPolynomial<A, B> = Array<u8, RangeEncodedPolynomialSize<A, B>>;
+pub(crate) type RangeEncodedVectorSize<A, B, K> =
     <RangeEncodingBits<A, B> as VectorEncodingSize<K>>::EncodedVectorSize;
-pub type RangeEncodedVector<A, B, K> = Array<u8, RangeEncodedVectorSize<A, B, K>>;
+pub(crate) type RangeEncodedVector<A, B, K> = Array<u8, RangeEncodedVectorSize<A, B, K>>;
 
 /// `BitPack` represents range-encoding logic
-pub trait BitPack<A, B> {
+pub(crate) trait BitPack<A, B> {
     type PackedSize: ArraySize;
     fn pack(&self) -> Array<u8, Self::PackedSize>;
     fn unpack(enc: &Array<u8, Self::PackedSize>) -> Self;

diff --git a/ml-dsa/src/hint.rs b/ml-dsa/src/hint.rs
@@ -34,7 +34,7 @@ fn use_hint<TwoGamma2: Unsigned>(h: bool, r: Elem) -> Elem {
 }
 
 #[derive(Clone, PartialEq, Debug)]
-pub struct Hint<P>(pub Array<Array<bool, U256>, P::K>)
+pub(crate) struct Hint<P>(pub Array<Array<bool, U256>, P::K>)
 where
     P: SignatureParams;
 
@@ -51,7 +51,7 @@ impl<P> Hint<P>
 where
     P: SignatureParams,
 {
-    pub fn new(z: &Vector<P::K>, r: &Vector<P::K>) -> Self {
+    pub(crate) fn new(z: &Vector<P::K>, r: &Vector<P::K>) -> Self {
         let zi = z.0.iter();
         let ri = r.0.iter();
 
@@ -69,14 +69,14 @@ where
         )
     }
 
-    pub fn hamming_weight(&self) -> usize {
+    pub(crate) fn hamming_weight(&self) -> usize {
         self.0
             .iter()
             .map(|x| x.iter().filter(|x| **x).count())
             .sum()
     }
 
-    pub fn use_hint(&self, r: &Vector<P::K>) -> Vector<P::K> {
+    pub(crate) fn use_hint(&self, r: &Vector<P::K>) -> Vector<P::K> {
         let hi = self.0.iter();
         let ri = r.0.iter();
 
@@ -96,7 +96,7 @@ where
         )
     }
 
-    pub fn bit_pack(&self) -> EncodedHint<P> {
+    pub(crate) fn bit_pack(&self) -> EncodedHint<P> {
         let mut y: EncodedHint<P> = Array::default();
         let mut index = 0;
         let omega = P::Omega::USIZE;
@@ -119,7 +119,7 @@ where
         a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] <= *x)
     }
 
-    pub fn bit_unpack(y: &EncodedHint<P>) -> Option<Self> {
+    pub(crate) fn bit_unpack(y: &EncodedHint<P>) -> Option<Self> {
         let (indices, cuts) = P::split_hint(y);
         let cuts: Array<usize, P::K> = cuts.iter().map(|x| usize::from(*x)).collect();
 

diff --git a/ml-dsa/src/lib.rs b/ml-dsa/src/lib.rs
@@ -13,6 +13,7 @@
 #![allow(clippy::many_single_char_names)] // Allow notation matching the spec
 #![allow(clippy::clone_on_copy)] // Be explicit about moving data
 #![deny(missing_docs)] // Require all public interfaces to be documented
+#![warn(unreachable_pub)] // Prevent unexpected interface changes
 
 //! # Quickstart
 //!