RustCrypto · TomAFrench · Sep 10, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
diff --git a/dsa/src/generate.rs b/dsa/src/generate.rs
@@ -7,15 +7,15 @@ mod keypair;
 #[cfg(feature = "hazmat")]
 mod secret_number;
 
-pub use self::components::common as common_components;
+pub(crate) use self::components::common as common_components;
 #[cfg(feature = "hazmat")]
 pub use self::secret_number::{secret_number, secret_number_rfc6979};
 
 #[cfg(feature = "hazmat")]
 pub use self::keypair::keypair;
 
 #[cfg(all(feature = "hazmat", feature = "pkcs8"))]
-pub use self::components::public as public_component;
+pub(crate) use self::components::public as public_component;
 
 /// Calculate the upper and lower bounds for generating values like p or q
 #[inline]

diff --git a/dsa/src/generate/components.rs b/dsa/src/generate/components.rs
@@ -22,7 +22,7 @@ use {crate::Components, crypto_bigint::subtle::CtOption};
 /// # Returns
 ///
 /// Tuple of three `BoxedUint`s. Ordered like this `(p, q, g)`
-pub fn common<R: CryptoRng + ?Sized>(
+pub(crate) fn common<R: CryptoRng + ?Sized>(
     rng: &mut R,
     KeySize { l, n }: KeySize,
 ) -> (Odd<BoxedUint>, NonZero<BoxedUint>, NonZero<BoxedUint>) {
@@ -88,7 +88,10 @@ pub fn common<R: CryptoRng + ?Sized>(
 /// Calculate the public component from the common components and the private component
 #[cfg(feature = "hazmat")]
 #[inline]
-pub fn public(components: &Components, x: &NonZero<BoxedUint>) -> CtOption<NonZero<BoxedUint>> {
+pub(crate) fn public(
+    components: &Components,
+    x: &NonZero<BoxedUint>,
+) -> CtOption<NonZero<BoxedUint>> {
     let p = components.p();
     let g = components.g();
 

diff --git a/dsa/src/lib.rs b/dsa/src/lib.rs
@@ -1,6 +1,6 @@
 #![no_std]
 #![forbid(unsafe_code)]
-#![warn(missing_docs, rust_2018_idioms)]
+#![warn(missing_docs, rust_2018_idioms, unreachable_pub)]
 #![doc = include_str!("../README.md")]
 #![doc(
     html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg",

diff --git a/ecdsa/src/lib.rs b/ecdsa/src/lib.rs
@@ -20,7 +20,8 @@
     missing_docs,
     rust_2018_idioms,
     unused_lifetimes,
-    unused_qualifications
+    unused_qualifications,
+    unreachable_pub
 )]
 
 //! ## `serde` support

diff --git a/ed25519/src/lib.rs b/ed25519/src/lib.rs
@@ -9,7 +9,8 @@
     missing_docs,
     rust_2018_idioms,
     unused_lifetimes,
-    unused_qualifications
+    unused_qualifications,
+    unreachable_pub
 )]
 
 //! # Using Ed25519 generically over algorithm implementations/providers

diff --git a/ed448/src/lib.rs b/ed448/src/lib.rs
@@ -9,7 +9,8 @@
     missing_docs,
     rust_2018_idioms,
     unused_lifetimes,
-    unused_qualifications
+    unused_qualifications,
+    unreachable_pub
 )]
 
 //! # Using Ed448 generically over algorithm implementations/providers

diff --git a/lms/src/constants.rs b/lms/src/constants.rs
@@ -1,13 +1,13 @@
 //! Constants as defined in RFC 8554
 
 /// The length of the identifier `I`
-pub const ID_LEN: usize = 16;
+pub(crate) const ID_LEN: usize = 16;
 
 /// `D_PBLC`
-pub const D_PBLC: [u8; 2] = [0x80, 0x80];
+pub(crate) const D_PBLC: [u8; 2] = [0x80, 0x80];
 /// `D_MESG`
-pub const D_MESG: [u8; 2] = [0x81, 0x81];
+pub(crate) const D_MESG: [u8; 2] = [0x81, 0x81];
 /// `D_LEAF`
-pub const D_LEAF: [u8; 2] = [0x82, 0x82];
+pub(crate) const D_LEAF: [u8; 2] = [0x82, 0x82];
 /// `D_INTR`
-pub const D_INTR: [u8; 2] = [0x83, 0x83];
+pub(crate) const D_INTR: [u8; 2] = [0x83, 0x83];
diff --git a/lms/src/lib.rs b/lms/src/lib.rs
@@ -1,3 +1,5 @@
+#![warn(unreachable_pub)]
+
 //! LMS in Rust
 //!
 //! This is a strongly typed implementation of Leighton-Micali signatures. You

diff --git a/lms/src/types.rs b/lms/src/types.rs
@@ -10,4 +10,4 @@ pub trait Typecode {
 }
 
 /// The 16 byte identifier I from the LM-OTS algorithm.
-pub type Identifier = [u8; ID_LEN];
+pub(crate) type Identifier = [u8; ID_LEN];
diff --git a/ml-dsa/src/algebra.rs b/ml-dsa/src/algebra.rs
@@ -1,5 +1,5 @@
-pub use crate::module_lattice::algebra::Field;
-pub use crate::module_lattice::util::Truncate;
+pub(crate) use crate::module_lattice::algebra::Field;
+pub(crate) use crate::module_lattice::util::Truncate;
 use hybrid_array::{
     ArraySize,
     typenum::{Shleft, U1, U13, Unsigned},
@@ -10,19 +10,19 @@ use crate::module_lattice::algebra;
 
 define_field!(BaseField, u32, u64, u128, 8_380_417);
 
-pub type Int = <BaseField as Field>::Int;
+pub(crate) type Int = <BaseField as Field>::Int;
 
-pub type Elem = algebra::Elem<BaseField>;
-pub type Polynomial = algebra::Polynomial<BaseField>;
-pub type Vector<K> = algebra::Vector<BaseField, K>;
-pub type NttPolynomial = algebra::NttPolynomial<BaseField>;
-pub type NttVector<K> = algebra::NttVector<BaseField, K>;
-pub type NttMatrix<K, L> = algebra::NttMatrix<BaseField, K, L>;
+pub(crate) type Elem = algebra::Elem<BaseField>;
+pub(crate) type Polynomial = algebra::Polynomial<BaseField>;
+pub(crate) type Vector<K> = algebra::Vector<BaseField, K>;
+pub(crate) type NttPolynomial = algebra::NttPolynomial<BaseField>;
+pub(crate) type NttVector<K> = algebra::NttVector<BaseField, K>;
+pub(crate) type NttMatrix<K, L> = algebra::NttMatrix<BaseField, K, L>;
 
 // We require modular reduction for three moduli: q, 2^d, and 2 * gamma2.  All three of these are
 // greater than sqrt(q), which means that a number reduced mod q will always be less than M^2,
 // which means that barrett reduction will work.
-pub trait BarrettReduce: Unsigned {
+pub(crate) trait BarrettReduce: Unsigned {
     const SHIFT: usize;
     const MULTIPLIER: u64;
 
@@ -50,7 +50,7 @@ where
     const MULTIPLIER: u64 = (1 << Self::SHIFT) / M::U64;
 }
 
-pub trait Decompose {
+pub(crate) trait Decompose {
     fn decompose<TwoGamma2: Unsigned>(self) -> (Elem, Elem);
 }
 
@@ -71,7 +71,7 @@ impl Decompose for Elem {
 }
 
 #[allow(clippy::module_name_repetitions)] // I can't think of a better name
-pub trait AlgebraExt: Sized {
+pub(crate) trait AlgebraExt: Sized {
     fn mod_plus_minus<M: Unsigned>(&self) -> Self;
     fn infinity_norm(&self) -> Int;
     fn power2round(&self) -> (Self, Self);

diff --git a/ml-dsa/src/crypto.rs b/ml-dsa/src/crypto.rs
@@ -6,7 +6,7 @@ use sha3::{
 
 use crate::module_lattice::encode::ArraySize;
 
-pub enum ShakeState<Shake: ExtendableOutput> {
+pub(crate) enum ShakeState<Shake: ExtendableOutput> {
     Absorbing(Shake),
     Squeezing(Shake::Reader),
 }
@@ -18,11 +18,11 @@ impl<Shake: ExtendableOutput + Default> Default for ShakeState<Shake> {
 }
 
 impl<Shake: ExtendableOutput + Default + Clone> ShakeState<Shake> {
-    pub fn pre_digest(digest: Shake) -> Self {
+    pub(crate) fn pre_digest(digest: Shake) -> Self {
         Self::Absorbing(digest)
     }
 
-    pub fn absorb(mut self, input: &[u8]) -> Self {
+    pub(crate) fn absorb(mut self, input: &[u8]) -> Self {
         match &mut self {
             Self::Absorbing(sponge) => sponge.update(input),
             Self::Squeezing(_) => unreachable!(),
@@ -31,7 +31,7 @@ impl<Shake: ExtendableOutput + Default + Clone> ShakeState<Shake> {
         self
     }
 
-    pub fn squeeze(&mut self, output: &mut [u8]) -> &mut Self {
+    pub(crate) fn squeeze(&mut self, output: &mut [u8]) -> &mut Self {
         match self {
             Self::Absorbing(sponge) => {
                 // Clone required to satisfy borrow checker
@@ -47,15 +47,15 @@ impl<Shake: ExtendableOutput + Default + Clone> ShakeState<Shake> {
         self
     }
 
-    pub fn squeeze_new<N: ArraySize>(&mut self) -> Array<u8, N> {
+    pub(crate) fn squeeze_new<N: ArraySize>(&mut self) -> Array<u8, N> {
         let mut v = Array::default();
         self.squeeze(&mut v);
         v
     }
 }
 
-pub type G = ShakeState<Shake128>;
-pub type H = ShakeState<Shake256>;
+pub(crate) type G = ShakeState<Shake128>;
+pub(crate) type H = ShakeState<Shake256>;
 
 #[cfg(test)]
 mod test {

diff --git a/ml-dsa/src/encode.rs b/ml-dsa/src/encode.rs
@@ -26,18 +26,18 @@ where
     type EncodingSize = Length<Sum<A, B>>;
 }
 
-pub type RangeMin<A, B> = <(A, B) as RangeEncodingSize>::Min;
-pub type RangeMax<A, B> = <(A, B) as RangeEncodingSize>::Max;
-pub type RangeEncodingBits<A, B> = <(A, B) as RangeEncodingSize>::EncodingSize;
-pub type RangeEncodedPolynomialSize<A, B> =
+pub(crate) type RangeMin<A, B> = <(A, B) as RangeEncodingSize>::Min;
+pub(crate) type RangeMax<A, B> = <(A, B) as RangeEncodingSize>::Max;
+pub(crate) type RangeEncodingBits<A, B> = <(A, B) as RangeEncodingSize>::EncodingSize;
+pub(crate) type RangeEncodedPolynomialSize<A, B> =
     <RangeEncodingBits<A, B> as EncodingSize>::EncodedPolynomialSize;
-pub type RangeEncodedPolynomial<A, B> = Array<u8, RangeEncodedPolynomialSize<A, B>>;
-pub type RangeEncodedVectorSize<A, B, K> =
+pub(crate) type RangeEncodedPolynomial<A, B> = Array<u8, RangeEncodedPolynomialSize<A, B>>;
+pub(crate) type RangeEncodedVectorSize<A, B, K> =
     <RangeEncodingBits<A, B> as VectorEncodingSize<K>>::EncodedVectorSize;
-pub type RangeEncodedVector<A, B, K> = Array<u8, RangeEncodedVectorSize<A, B, K>>;
+pub(crate) type RangeEncodedVector<A, B, K> = Array<u8, RangeEncodedVectorSize<A, B, K>>;
 
 /// `BitPack` represents range-encoding logic
-pub trait BitPack<A, B> {
+pub(crate) trait BitPack<A, B> {
     type PackedSize: ArraySize;
     fn pack(&self) -> Array<u8, Self::PackedSize>;
     fn unpack(enc: &Array<u8, Self::PackedSize>) -> Self;

diff --git a/ml-dsa/src/hint.rs b/ml-dsa/src/hint.rs
@@ -34,7 +34,7 @@ fn use_hint<TwoGamma2: Unsigned>(h: bool, r: Elem) -> Elem {
 }
 
 #[derive(Clone, PartialEq, Debug)]
-pub struct Hint<P>(pub Array<Array<bool, U256>, P::K>)
+pub(crate) struct Hint<P>(pub Array<Array<bool, U256>, P::K>)
 where
     P: SignatureParams;
 
@@ -51,7 +51,7 @@ impl<P> Hint<P>
 where
     P: SignatureParams,
 {
-    pub fn new(z: &Vector<P::K>, r: &Vector<P::K>) -> Self {
+    pub(crate) fn new(z: &Vector<P::K>, r: &Vector<P::K>) -> Self {
         let zi = z.0.iter();
         let ri = r.0.iter();
 
@@ -69,14 +69,14 @@ where
         )
     }
 
-    pub fn hamming_weight(&self) -> usize {
+    pub(crate) fn hamming_weight(&self) -> usize {
         self.0
             .iter()
             .map(|x| x.iter().filter(|x| **x).count())
             .sum()
     }
 
-    pub fn use_hint(&self, r: &Vector<P::K>) -> Vector<P::K> {
+    pub(crate) fn use_hint(&self, r: &Vector<P::K>) -> Vector<P::K> {
         let hi = self.0.iter();
         let ri = r.0.iter();
 
@@ -96,7 +96,7 @@ where
         )
     }
 
-    pub fn bit_pack(&self) -> EncodedHint<P> {
+    pub(crate) fn bit_pack(&self) -> EncodedHint<P> {
         let mut y: EncodedHint<P> = Array::default();
         let mut index = 0;
         let omega = P::Omega::USIZE;
@@ -119,7 +119,7 @@ where
         a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] <= *x)
     }
 
-    pub fn bit_unpack(y: &EncodedHint<P>) -> Option<Self> {
+    pub(crate) fn bit_unpack(y: &EncodedHint<P>) -> Option<Self> {
         let (indices, cuts) = P::split_hint(y);
         let cuts: Array<usize, P::K> = cuts.iter().map(|x| usize::from(*x)).collect();
 

diff --git a/ml-dsa/src/lib.rs b/ml-dsa/src/lib.rs
@@ -13,6 +13,7 @@
 #![allow(clippy::many_single_char_names)] // Allow notation matching the spec
 #![allow(clippy::clone_on_copy)] // Be explicit about moving data
 #![deny(missing_docs)] // Require all public interfaces to be documented
+#![warn(unreachable_pub)] // Prevent unexpected interface changes
 
 //! # Quickstart
 //!

diff --git a/ml-dsa/src/module_lattice/algebra.rs b/ml-dsa/src/module_lattice/algebra.rs
@@ -78,7 +78,7 @@ macro_rules! define_field {
 pub struct Elem<F: Field>(pub F::Int);
 
 impl<F: Field> Elem<F> {
-    pub const fn new(x: F::Int) -> Self {
+    pub(crate) const fn new(x: F::Int) -> Self {
         Self(x)
     }
 }
@@ -135,7 +135,7 @@ impl<F: Field> Mul<Elem<F>> for Elem<F> {
 pub struct Polynomial<F: Field>(pub Array<Elem<F>, U256>);
 
 impl<F: Field> Polynomial<F> {
-    pub const fn new(x: Array<Elem<F>, U256>) -> Self {
+    pub(crate) const fn new(x: Array<Elem<F>, U256>) -> Self {
         Self(x)
     }
 }
@@ -200,7 +200,7 @@ impl<F: Field> Neg for &Polynomial<F> {
 pub struct Vector<F: Field, K: ArraySize>(pub Array<Polynomial<F>, K>);
 
 impl<F: Field, K: ArraySize> Vector<F, K> {
-    pub const fn new(x: Array<Polynomial<F>, K>) -> Self {
+    pub(crate) const fn new(x: Array<Polynomial<F>, K>) -> Self {
         Self(x)
     }
 }
@@ -265,10 +265,10 @@ impl<F: Field, K: ArraySize> Neg for &Vector<F, K> {
 /// We do not define multiplication of NTT polynomials here.  We also do not define the
 /// mappings between normal polynomials and NTT polynomials (i.e., between `R_q` and `T_q`).
 #[derive(Clone, Default, Debug, PartialEq)]
-pub struct NttPolynomial<F: Field>(pub Array<Elem<F>, U256>);
+pub(crate) struct NttPolynomial<F: Field>(pub Array<Elem<F>, U256>);
 
 impl<F: Field> NttPolynomial<F> {
-    pub const fn new(x: Array<Elem<F>, U256>) -> Self {
+    pub(crate) const fn new(x: Array<Elem<F>, U256>) -> Self {
         Self(x)
     }
 }
@@ -332,10 +332,10 @@ impl<F: Field> Neg for &NttPolynomial<F> {
 /// can be multiplied by NTT polynomials, and "multiplied" with each other to produce a dot
 /// product.
 #[derive(Clone, Default, Debug, PartialEq)]
-pub struct NttVector<F: Field, K: ArraySize>(pub Array<NttPolynomial<F>, K>);
+pub(crate) struct NttVector<F: Field, K: ArraySize>(pub Array<NttPolynomial<F>, K>);
 
 impl<F: Field, K: ArraySize> NttVector<F, K> {
-    pub const fn new(x: Array<NttPolynomial<F>, K>) -> Self {
+    pub(crate) const fn new(x: Array<NttPolynomial<F>, K>) -> Self {
         Self(x)
     }
 }
@@ -409,10 +409,10 @@ where
 /// is the only defined operation, and is only defined when multiplication of NTT polynomials
 /// is defined.
 #[derive(Clone, Default, Debug, PartialEq)]
-pub struct NttMatrix<F: Field, K: ArraySize, L: ArraySize>(pub Array<NttVector<F, L>, K>);
+pub(crate) struct NttMatrix<F: Field, K: ArraySize, L: ArraySize>(pub Array<NttVector<F, L>, K>);
 
 impl<F: Field, K: ArraySize, L: ArraySize> NttMatrix<F, K, L> {
-    pub const fn new(x: Array<NttVector<F, L>, K>) -> Self {
+    pub(crate) const fn new(x: Array<NttVector<F, L>, K>) -> Self {
         Self(x)
     }
 }

diff --git a/ml-dsa/src/module_lattice/encode.rs b/ml-dsa/src/module_lattice/encode.rs
@@ -23,8 +23,8 @@ pub trait EncodingSize: ArraySize {
 
 type EncodingUnit<D> = Quot<Prod<D, U8>, Gcf<D, U8>>;
 
-pub type EncodedPolynomialSize<D> = <D as EncodingSize>::EncodedPolynomialSize;
-pub type EncodedPolynomial<D> = Array<u8, EncodedPolynomialSize<D>>;
+pub(crate) type EncodedPolynomialSize<D> = <D as EncodingSize>::EncodedPolynomialSize;
+pub(crate) type EncodedPolynomial<D> = Array<u8, EncodedPolynomialSize<D>>;
 
 impl<D> EncodingSize for D
 where
@@ -53,8 +53,8 @@ where
     fn unflatten(vec: &EncodedVector<Self, K>) -> Array<&EncodedPolynomial<Self>, K>;
 }
 
-pub type EncodedVectorSize<D, K> = <D as VectorEncodingSize<K>>::EncodedVectorSize;
-pub type EncodedVector<D, K> = Array<u8, EncodedVectorSize<D, K>>;
+pub(crate) type EncodedVectorSize<D, K> = <D as VectorEncodingSize<K>>::EncodedVectorSize;
+pub(crate) type EncodedVector<D, K> = Array<u8, EncodedVectorSize<D, K>>;
 
 impl<D, K> VectorEncodingSize<K> for D
 where
@@ -129,7 +129,7 @@ fn byte_decode<F: Field, D: EncodingSize>(bytes: &EncodedPolynomial<D>) -> Decod
     vals
 }
 
-pub trait Encode<D: EncodingSize> {
+pub(crate) trait Encode<D: EncodingSize> {
     type EncodedSize: ArraySize;
     fn encode(&self) -> Array<u8, Self::EncodedSize>;
     fn decode(enc: &Array<u8, Self::EncodedSize>) -> Self;